Information sharing represents a huge opportunity for research centers and companies to advance their knowledge in the topics they work on, by accessing data owned by cooperating parties and sharing their own data with them. Similarly, citizen information shared with service providers can increase the provider's knowledge and improve the user experience. Unfortunately, in several domains information sharing is limited for privacy reasons. To encourage information sharing, there is a need for cooperative protocols that guarantee that nothing beyond the protocol result is revealed. This would make it possible to include private information in the computation while preserving industrial secrets and citizens' privacy, in line with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
The goal of SANPEI is to provide and test innovative solutions that can run on a wide range of devices, including mobile phones and IoT devices, by i) proposing innovative privacy-preserving information sharing protocols; ii) balancing accuracy, efficiency and privacy; iii) moving computation to non-trusted third parties; iv) validating the protocols in specific use cases related to the Internet of Things, Cybersecurity and Healthcare. Among them, SANPEI aims at providing privacy-preserving protocols for the tracking and identification of citizens potentially exposed to the coronavirus, or to any future pandemic.
To reach its goals, SANPEI aims at proposing both generic solutions that can be applied in any field and solutions tailored to specific scenarios. We here outline the activities of each WP.
- WP1. Protocols for secure and private information sharing (SPIS)
This WP has the goal of laying the foundation for the project. It is in charge of reviewing the state of the art to identify existing solutions suitable for the project and of proposing innovative protocols. Appropriate data representations that facilitate processing, especially for unstructured data, are identified. A novel idea proposed in the project is selective protection: by subdividing data into different parts according to some privacy measure, we can protect each part with a different solution offering a different level of security (including no protection at all), thereby reducing protocol complexity. An alternative idea is to use non-invertible transformations that map private data into a different domain in which close elements can still be identified while information leakage is prevented. Other approaches to SPIS can be based on PSI, PIR, blockchain, machine learning, secure computation, etc. WP1 also aims at improving the security of the information-sharing infrastructure. We provide lightweight software components to monitor network activities, run components of the proposed privacy-preserving protocols, and provide interfaces to collaborating parties. We explore several different directions: i) access control mechanisms based on Attribute-Based Encryption (ABE) or the recently proposed Access Control Encryption (ACE) to enforce access control policies; ii) privacy-preserving biometric algorithms to continuously authenticate users and citizens; iii) device attestation mechanisms to verify the integrity of single devices and/or groups of devices.
- WP2. Use Case: Healthcare
The WP is devoted to identifying interesting healthcare application scenarios and validating the protocols proposed by WP1 in them. Moreover, the WP develops specific protocols for the identified scenarios. Privacy-preserving tracking of citizens, for the identification of citizens potentially exposed to the coronavirus (or to any future pandemic), is a scenario addressed from the beginning of the project. Emulation environments are generated to simulate the outlined scenarios and test the proposed protocols.
- WP3. Use Case: Internet of Things
To reach a trade-off between accuracy, complexity, and privacy, custom-tailored algorithms are proposed in SANPEI. Improvements with respect to the state of the art can be obtained by optimizing privacy-preserving primitives and the input data representation. Moreover, to guarantee the correct execution of privacy-preserving protocols, IoT devices must be secured. We approach this with different solutions, such as node monitoring or collective attestation. Monitoring nodes of the network are in charge of the network's security activities, by embedding well-known defense components, such as IDS, firewalls, sandboxes, etc., but also components designed ad hoc for the infrastructure. The best configuration for network protection must be identified to avoid overloading devices. Attestation can be used to validate devices' software configuration. We aim to provide new protocols benefiting from the heterogeneity of the network, which involves both low-power sensors, which can act only as provers, and powerful nodes, which can act as both provers and verifiers. Protocols are validated in emulation environments and on real (low-power) devices.
- WP4. Use Case: Cybersecurity
SPIS can be used in cybersecurity to include data from other organizations in the analyses, so as to facilitate the identification of threats to which both are exposed. SPIS can also allow parties to delegate the analysis of their data to other parties with more computational resources, or to take advantage of services provided by other parties with a more advanced knowledge base. For this purpose, privacy-preserving distributed machine learning algorithms are explored. We underline that our department already has an emulation environment for cybersecurity analyses [TS+19] which can be used to test the proposed protocols.
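As an added illustration of the selective protection idea described under WP1 (not code from the SANPEI project), the following splits a record into tiers according to a privacy measure and applies a different treatment to each: fields at level 0 are shared in the clear, fields at level 1 are mapped through a non-invertible keyed transformation (an HMAC-SHA256 token) so that two parties holding the same key can still recognise equal elements, and fields at level 2 never leave the owner. The privacy levels, field names and shared key are constructed assumptions for the example.

```python
import hmac
import hashlib
from typing import Dict, Iterable, Set

# Constructed privacy measure per field (an assumption for this example):
# 0 = public: shared in the clear
# 1 = linkable: shared as a non-invertible keyed token, equality still testable
# 2 = secret: withheld entirely from the shared view
PRIVACY_LEVELS = {"region": 0, "device_id": 1, "diagnosis": 2}


def tokenize(value: str, key: bytes) -> str:
    """Non-invertible transformation: equal inputs give equal tokens, and a
    party without the key cannot compute candidate tokens offline. Note that
    anyone holding the key can still test guesses, so this tier is only
    suitable for high-entropy values; low-entropy fields belong at level 2."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def selective_protect(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Build the view of `record` that may be shared with a cooperating party."""
    shared: Dict[str, str] = {}
    for field, value in record.items():
        level = PRIVACY_LEVELS.get(field, 2)  # unknown fields default to secret
        if level == 0:
            shared[field] = value
        elif level == 1:
            shared[field] = tokenize(value, key)
        # level 2: deliberately omitted from the shared view
    return shared


def intersect_on(views_a: Iterable[Dict[str, str]],
                 views_b: Iterable[Dict[str, str]],
                 field: str) -> Set[str]:
    """Tokens of `field` present in both parties' shared views: a minimal
    equality-matching step that reveals only which linkable elements coincide."""
    tokens_a = {v[field] for v in views_a if field in v}
    tokens_b = {v[field] for v in views_b if field in v}
    return tokens_a & tokens_b


if __name__ == "__main__":
    key = b"constructed-shared-key-for-the-example"
    party_a = [selective_protect({"region": "Lazio", "device_id": "dev-123",
                                  "diagnosis": "positive"}, key)]
    party_b = [selective_protect({"region": "Lazio", "device_id": "dev-123",
                                  "diagnosis": "negative"}, key),
               selective_protect({"region": "Lazio", "device_id": "dev-999",
                                  "diagnosis": "negative"}, key)]
    print(party_a[0])                              # no "diagnosis" key
    print(intersect_on(party_a, party_b, "device_id"))  # one common token
```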
* Expected impact of SANPEI *
The results obtained by the project contribute to advancing the state of the art in SPIS, thanks to the innovative ideas, the PI's expertise in the privacy-preserving field, and the complementary experience of the other participants. SANPEI is expected to close the gap between theoretical studies and real applications. SANPEI can be of interest to many potential users. Many companies can benefit from SPIS to enrich their knowledge with data owned by other parties, and therefore advance their results in research and products, while protecting the private information they own.
[TS+19] F. D. Tanasache, M. Sorella, S. Bonomi, R. Rapone, D. Meacci, 'Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems', ICDCN 2019.