Blockchain Security for Health Data: Promises, Risks, and Future Developments
Bryan Ford, Associate Professor of Computer & Communications Sciences, EPFL

Transcript of the slide deck (41 slides)

Page 1:

@brynosaurus

Blockchain Security for Health Data: Promises, Risks, and Future Developments
Bryan Ford, Associate Professor of Computer & Communications Sciences, EPFL

Page 2:

Where there’s data, there’s risk...

Page 3:

Interconnection compounds risk

[Diagram: a Business shares access with Partner A, Partner B and Partner C (“All of us!”) and with Cloud-based Services (“You can trust us!”)]

Page 4:

Data dependence compounds risk

OPM: 21.5 million sensitive US government personnel records [Nextgov, 23-June-2015]

Page 5:

Data dependence compounds risk

Repeated hospital ransomware attacks [Nextgov, 23-June-2015] [WannaCry ransomware, May 2017]

Page 6:

RUAG Cyber-Espionage Case

RUAG: main weapon manufacturer of Switzerland, active notably in cyberdefense (around 8,000 employees)

Case made public in May 2016 (infiltration started before Oct. 2014)

Total exfiltrated data: at least 23 GBytes

Page 7:

May-July 2017: Equifax Breach

One of three credit rating agencies in the US

● Exposed sensitive personal information about 143 million people (44% of US population)

Page 8:

The Fundamental Problem

In today’s IT systems, security is an afterthought

● Designs embody “weakest-link” security

Scaling to bigger systems → weaker security

● Greater chance of any “weak link” breaking

Page 9:

The DEDIS lab at EPFL: Mission

Design, build, and deploy secure privacy-preserving Decentralized and Distributed Systems (DEDIS)

• Distributed: spread widely across the Internet & world

• Decentralized: independent participants, no central authority, no single points of failure or compromise

Overarching theme: building decentralized systems that distribute trust widely with strongest-link security

[Diagram: Weakest-Link Security vs. Strongest-Link Security]

Page 10:

Turning Around the Security Game

Design IT systems so that making them bigger makes their security increase instead of decrease

[Diagram: Weakest-link security → Strongest-link security → Scalable strongest-link security]

Page 11:

Decentralized Security Principles

Computer science theory, algorithms, and crypto have long known principles of decentralized security…

● Threshold cryptography, Byzantine consensus

● Tolerate any one (or several) arbitrary failures or compromises

Page 12:

Decentralized Security Principles

Computer science theory, algorithms, and crypto have long known principles of decentralized security…

● Threshold cryptography, Byzantine consensus

● Tolerate any one (or several) arbitrary failures or compromises

But never widely deployed, until…

Page 13:

Bitcoin (2008)

First successful decentralized cryptocurrency

Page 14:

Blockchain and eHealth: Outline

● What is a Blockchain?
● State-of-the-Art: Promise and Limitations
● Blockchain Research at EPFL
● Conclusion

Page 15:

Today’s Hot Decentralized Technology

(credit: Tony Arcieri)

Page 16:

How to track wealth (or anything)?

Things
● Gold, beads, cash...

Ledgers
● Who owns what?

Page 17:

Distributed Ledgers

Problem: we don't want to trust any designated, centralized authority to maintain the ledger

Solution: “everyone” keeps a copy of the ledger!

– Everyone checks everyone else's changes to it

[Diagram: three identical copies of the ledger (Alice's copy, Bob's copy, Charlie's copy), each listing: Alice 5 BTC, Bob 2 BTC, Charlie 3 BTC, ...]

Page 18:

Proof-of-Work in Public Blockchains

Public blockchains such as Bitcoin, Ethereum use consensus by crypto-lottery

1) Miners print their own “lottery tickets” by solving crypto-puzzle (proof-of-work)

2) Winner gets to add one block to blockchain; typically gets reward: e.g., print new money

3) All miners gravitate to longest chain. Repeat.
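As an added illustration, not from the slides and not code from the DEDIS lab, the following Python script works through the three steps above on a toy ledger: miners brute-force a nonce until the block hash meets a difficulty target (the lottery ticket), the winner appends a block that may mint a capped reward, and every participant replays the whole chain (hash links, proof-of-work, and ledger rules such as no overspending) before adopting the longest chain that validates. The difficulty, the reward cap, and the Alice/Bob/Charlie transactions are constructed values.

```python
import hashlib
import json

DIFFICULTY_BITS = 12   # constructed toy target: hash must begin with this many zero bits
BLOCK_REWARD = 5       # constructed: the winner may "print" at most this much new money per block

def block_hash(block):
    """Hash the committed fields; the nonce is the part the miner varies."""
    fields = {k: block[k] for k in ("index", "prev_hash", "txs", "nonce")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def meets_target(h, bits=DIFFICULTY_BITS):
    """The 'lottery ticket' wins if the leading `bits` bits of the hash are all zero."""
    return int(h, 16) >> (256 - bits) == 0

GENESIS = {"index": 0, "prev_hash": "0" * 64, "txs": [], "nonce": 0}

def mine_block(prev, txs, bits=DIFFICULTY_BITS):
    """Step 1: try nonces until the block hash meets the target."""
    block = {"index": prev["index"] + 1, "prev_hash": block_hash(prev), "txs": txs, "nonce": 0}
    while not meets_target(block_hash(block), bits):
        block["nonce"] += 1
    return block

def apply_txs(balances, txs):
    """Ledger rules every node enforces: positive amounts, no overspending, minting capped
    at the block reward. Returns the new balances, or None if the block is invalid."""
    new, minted = dict(balances), 0
    for tx in txs:
        if tx["amount"] <= 0:
            return None
        if tx["from"] is None:                      # coinbase: new money for the winner
            minted += tx["amount"]
            if minted > BLOCK_REWARD:
                return None
        else:
            if new.get(tx["from"], 0) < tx["amount"]:
                return None
            new[tx["from"]] -= tx["amount"]
        new[tx["to"]] = new.get(tx["to"], 0) + tx["amount"]
    return new

def ledger(chain, bits=DIFFICULTY_BITS):
    """Replay the chain as every participant does: check hash links, proof-of-work and
    ledger rules block by block. Returns the balances, or None if any check fails."""
    if chain[0] != GENESIS:
        return None
    balances = {}
    for prev, blk in zip(chain, chain[1:]):
        if blk["index"] != prev["index"] + 1 or blk["prev_hash"] != block_hash(prev):
            return None
        if not meets_target(block_hash(blk), bits):
            return None
        balances = apply_txs(balances, blk["txs"])
        if balances is None:
            return None
    return balances

def choose_chain(candidates, bits=DIFFICULTY_BITS):
    """Step 3: honest miners adopt the longest chain, but only among chains that validate."""
    valid = [c for c in candidates if ledger(c, bits) is not None]
    return max(valid, key=len) if valid else None

if __name__ == "__main__":
    chain = [GENESIS]
    chain.append(mine_block(chain[-1], [{"from": None, "to": "Alice", "amount": 5}]))
    chain.append(mine_block(chain[-1], [{"from": None, "to": "Bob", "amount": 2},
                                        {"from": "Alice", "to": "Charlie", "amount": 3}]))
    print(ledger(chain))   # {'Alice': 2, 'Bob': 2, 'Charlie': 3}
```

A forged block breaks the hash link of every block after it and, with overwhelming probability, no longer meets the target, so a node replaying the chain rejects it; a block that overspends is rejected by the ledger rules even though its proof-of-work is valid. Raising `DIFFICULTY_BITS` is what makes the real lottery expensive.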

Page 19:

Blockchain and eHealth: Outline

● What is a Blockchain?
● State-of-the-Art: Promise and Limitations
● Blockchain Research at EPFL
● Conclusion

Page 20:

Applications of Distributed Ledgers

Can represent a distributed electronic record of:

● Who owns how much currency? (Bitcoin)
● Who owns a name or a digital work of art?
● What are the terms of a contract? (Ethereum)
● When was a document written? (notaries)

But practical limitations currently constrain uses

● Slow, energy-inefficient, can’t keep secrets…

Page 21:

Broad Promise & Global Interest

Page 22:

Limitations of Today’s Blockchains

Public/permissionless (e.g., Bitcoin, Ethereum)

● Slow, weak consistency, low total throughput
● Limited privacy: leaky, can’t keep secrets
● User devices must be online, well-connected
● Mining is inefficient, insecure, re-centralizing

Private/permissioned (e.g., HyperLedger, R3, …)

● Weak security – single points of compromise

Page 23:

Dimensions of Information Security

We usually want three orthogonal properties:

1. Integrity: the system computes honestly, remembers and reports results correctly

2. Availability: it’s there when you need it, provides answers in a reasonable amount of time

3. Privacy: it doesn’t leak confidential information to anyone who isn’t supposed to have it

In general, blockchains tend to be GOOD at #1, SO-SO at #2, and BAD at #3

Page 24:

The Blockchain Privacy Challenge

Blockchains protect the integrity of data by giving everyone a copy for independent checking

● This works against privacy & confidentiality
● Current privacy provisions are leaky
● Solvable with proper use of encryption

– When combined, important to remember: it’s the encryption, not the blockchain, that protects privacy.

Page 25:

Drawbacks of Nakamoto Consensus

● Transaction delay
– Any transaction takes ~10 mins minimum in Bitcoin

● Weak consistency:
– You’re not really certain your transaction is committed until you wait ~1 hour or more

● Low throughput:
– Bitcoin: ~7 transactions/second

● Proof-of-work mining:
– Wastes a huge amount of energy

Page 26:

Who Participates in Consensus?

Permissionless blockchains (Bitcoin, Ethereum): “anyone” who invests in solving crypto-puzzles.

● Now practical only with ASICs and cheap power
● Re-centralization undermines trustworthiness

Page 27:

Environmental Costs

Proof-of-work = “scorched-earth” blockchains

● Tremendous energy waste, now comparable to all of Ireland

Page 28:

Smart Contracts (e.g., Ethereum)

Insert arbitrary software into a blockchain

● Can programmatically supervise cryptocurrency
– e.g., automatically settle an insurance payment (see AXA “fizzy” flight delay insurance)

Extremely powerful (and interesting), but risky

● One software bug → spectacular hacks
– DAO: $70M USD of $150M USD contract stolen in hours (June 2016)

Page 29:

The “Universal Bug Bounty”

First successful hacker can steal a lot of money

Page 30:

Blockchain and eHealth: Outline

● What is a Blockchain?
● State-of-the-Art: Promise and Limitations
● Blockchain Research at EPFL
● Conclusion

Page 31:

DEDIS Blockchain Goals

Working to make tomorrow’s blockchains:

● Fast: responsive in seconds, not minutes/hours
● Scalable: support high transaction volumes
● Private: keeping confidential data secure
● Available: blockchain records usable offline
● Powerful: private analysis of encrypted data

DEDIS next-generation blockchain infrastructure already available, in use by multiple partners

Page 32:

ByzCoin: Fast, Scalable Blockchains

DEDIS lab project presented in [USENIX Security ‘16]

● Permanent transaction commitment in seconds
● 700+ TPS demonstrated (100x Bitcoin, ~PayPal)
● Low-power verification on light mobile devices

[Diagram: Bitcoin vs. Cothority. A Miner produces Key-Blocks (1, 2, 3, ...); Witnesses co-sign Micro-Blocks (1, 2, 3, 4, 5, 6, ...) every 5-10 sec, each Micro-Block depends on a Key-Block; Co-Signature]

Page 33:

Horizontal “Scale-Out” Blockchains

OmniLedger: A Secure Scale-Out Ledger [preprint]

● Break large collective into smaller subgroups
● Builds on scalable bias-resistant randomness protocol (IEEE S&P 2017)
● 6000 transactions/second: competitive with VISA

[Diagram: incoming Transactions split across Shard 1, Shard 2, Shard 3]

Page 34:

The Privacy Problem in Blockchains

In current blockchains, secrets (keys, passwords) must be held “off-chain” by private parties

● Just a hash on-chain → document might be lost
● Encrypted on-chain → encrypted to whom?
– Decided at encryption, cannot be changed/revoked

Current blockchains can’t manage secrets, because they would leak to all participants

● Weakest-link security again

Page 35:

DEDIS “Chain-Managed Secrets”

Allow blockchain to hold and manage secrets via verifiable, transparent, dynamic access policies

– Example: decryption keys, access lists for documents
– Example: login credentials for access to services

● On-chain policies can determine how and when secrets are used, who should have access when
– Any access change immediately, atomically applied
– Tamper-proof log of all uses or attempted uses

● Can enforce data retention/deletion policies

Page 36:

Secure Digital Documents?

Significant interest in digital degrees, awards, land titles, …

● Blockchain can provide a hard-to-forge timestamp

But how do you verify a digital document?

● Current blockchains: you must be online
● Doesn’t work if network down, too slow, costly

Page 37:

SkipChain: Traversable Blockchain

DEDIS work appearing in [USENIX Security ‘17]

● Enables offline or peer-to-peer cryptographic verification and “time-travel” through all history

[Diagram: blocks along a Time axis at increasing Levels. Backward hash links (B1, B2, B3), embedded in blocks at commit time; collectively signed forward links (F1, F2, F3), added later once target exists]
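An added example, not code from the SkipChain paper or from the DEDIS implementation, showing the two kinds of links in Python. Backward hash links are fixed inside a block when it is committed; forward links are attached to earlier blocks afterwards and carry witness signatures. A real skipchain puts one collective public-key signature on each forward link; here each witness's signature is simulated with an HMAC under a constructed per-witness key, and a link counts once a threshold of witnesses have signed it. The skip base, block heights, witness set and threshold are constructed parameters. A verifier holding only a trusted genesis id (or a trusted recent block id) can then reach any block offline in a logarithmic number of hops, and it rejects forged blocks and under-signed links along the way.

```python
import hashlib
import hmac
import json

BASE, MAX_HEIGHT, THRESHOLD = 2, 4, 2   # constructed toy parameters
# Constructed per-witness keys. A real skipchain carries one collective public-key
# signature per forward link; HMAC under per-witness keys stands in for it here so the
# example runs on the standard library alone.
WITNESS_KEYS = {"w1": b"secret-w1", "w2": b"secret-w2", "w3": b"secret-w3"}

def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def height(i):
    """Genesis gets full height; block i gets one extra level per power of BASE dividing i."""
    if i == 0:
        return MAX_HEIGHT
    h = 1
    while h < MAX_HEIGHT and i % BASE ** h == 0:
        h += 1
    return h

def block_id(block):
    """Hash of the committed part: index, height, payload and backward links.
    Forward links are added later, so they are deliberately left out of the id."""
    return hashlib.sha256(canon({k: block[k] for k in ("index", "height", "data", "back")})).hexdigest()

def append_block(chain, data, signers=tuple(WITNESS_KEYS)):
    """Commit block i with its backward hash links, then have the witnesses co-sign a
    forward link from every earlier block whose level-l link targets block i."""
    i, h = len(chain), height(len(chain))
    back = [block_id(chain[i - BASE ** l]) for l in range(h) if i - BASE ** l >= 0]
    block = {"index": i, "height": h, "data": data, "back": back, "forward": {}}
    chain.append(block)
    for l in range(h):
        src = i - BASE ** l
        if src >= 0:
            link = {"from": block_id(chain[src]), "to": block_id(block), "to_index": i}
            sigs = {w: hmac.new(WITNESS_KEYS[w], canon(link), "sha256").hexdigest() for w in signers}
            chain[src]["forward"][l] = {"link": link, "sigs": sigs}
    return block

def build_chain(n, signers=tuple(WITNESS_KEYS)):
    chain = []
    for i in range(n):
        append_block(chain, "record-%d" % i, signers)   # constructed payloads
    return chain

def index_by_id(chain):
    """What an untrusted peer hands the verifier: blocks keyed by id, nothing else trusted."""
    return {block_id(b): b for b in chain}

def link_valid(fl):
    """A forward link counts only if at least THRESHOLD witness signatures verify."""
    good = 0
    for w, sig in fl["sigs"].items():
        expect = hmac.new(WITNESS_KEYS[w], canon(fl["link"]), "sha256").hexdigest()
        if hmac.compare_digest(expect, sig):
            good += 1
    return good >= THRESHOLD

def verify_forward(blocks, trusted_genesis_id, target_index):
    """Offline verification: from a trusted genesis id, follow the highest-level co-signed
    forward link that does not overshoot the target. Returns (block, hops), or None if a
    link is under-signed or a block does not hash to the id it was linked under."""
    cur, hops = blocks[trusted_genesis_id], 0
    while cur["index"] < target_index:
        best = None
        for l in sorted(cur["forward"], reverse=True):
            fl = cur["forward"][l]
            if fl["link"]["to_index"] <= target_index and link_valid(fl):
                best = fl
                break
        if best is None:
            return None
        nxt = blocks.get(best["link"]["to"])
        if nxt is None or block_id(nxt) != best["link"]["to"]:
            return None
        cur, hops = nxt, hops + 1
    return cur, hops

def verify_backward(blocks, trusted_latest_id, target_index):
    """Time-travel: from a trusted recent block, follow the highest backward hash link
    that does not overshoot the target. Returns (block, hops), or None on a hash mismatch."""
    cur, hops = blocks[trusted_latest_id], 0
    while cur["index"] > target_index:
        l = max(l for l in range(len(cur["back"])) if cur["index"] - BASE ** l >= target_index)
        nxt = blocks.get(cur["back"][l])
        if nxt is None or block_id(nxt) != cur["back"][l]:
            return None
        cur, hops = nxt, hops + 1
    return cur, hops

if __name__ == "__main__":
    chain = build_chain(9)
    blocks = index_by_id(chain)
    print(verify_forward(blocks, block_id(chain[0]), 8)[1])   # 1 hop from genesis to block 8
```

Backward links give the usual blockchain guarantee (a later block commits to every earlier one), but they cannot be followed from an old block to a newer one, which is what a client holding a stale copy of a document's timestamp needs; the signed forward links close that gap without requiring the client to be online at verification time.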

Page 38:

Chainiac: Secure Device Updates (including Medical/IoT)

Medical devices increasingly networked, “IoT”

● Keeping their software up-to-date is critical
– Otherwise vulnerable to old threats: e.g., WannaCry

DEDIS “Chainiac” provides end-to-end secure blockchain-based software distribution & update

Page 39:

UnLynx: Privacy-Conscious, Blockchain-Secured Medical Data Sharing

Functionality:
• Allow queriers to query a set of distributed databases

Requirements:
• Data providers’ data confidentiality
• No single point of failure
• Computation correctness
• Privacy of data providers (DP) and individuals storing their data in DPs

Threat model:
• Queriers, servers may be compromised
• Data providers honest-but-curious

SELECT AVG(cholesterol_rate)
FROM DP1, …, DPn
WHERE age in [40:50] AND ethnicity = Caucasian
GROUP BY gender

Page 40:

UnLynx: Security guarantees

Data are encrypted during the whole process.

Data are shuffled to break the link btw. DP and data.

Oblivious noise addition on query results ensures differential privacy.

Correctness of every computation can be verified with Zero-Knowledge Proofs (proof that the computation is correct without disclosing the secret values).

Entity misbehaving can be identified and excluded.

As long as one of the servers is honest, all the other properties are guaranteed.
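The guarantees above come from how the computation is organised. The Python example below, added here and not code from the UnLynx project, models the encrypted aggregate query from the previous slide with additive ElGamal under a collective key: the collective public key is the product of the servers' keys, so decryption needs a partial decryption from every server and a single honest server suffices to keep the data encrypted; data providers evaluate the WHERE clause locally and submit only ciphertexts for matching rows; the servers shuffle and re-randomise the contributions (breaking the link to the providing DP), sum them homomorphically per GROUP BY key, and add integer Laplace noise under encryption before the joint decryption. The group parameters (a Mersenne-prime modulus with generator 3), the three-server setup and the patient rows are constructed toy values, not secure parameters; the zero-knowledge proofs of correct computation are not modelled.

```python
import random
import secrets

# Constructed toy group: Mersenne-prime modulus, generator 3. Not a secure choice
# (UnLynx itself uses elliptic-curve ElGamal); it is enough to show the structure.
P = 2**127 - 1
G = 3
DLOG_BOUND = 1 << 16   # decryptable plaintext range is [-DLOG_BOUND, DLOG_BOUND]

def keygen():
    """Each server keeps its own x_i and publishes g^x_i."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def collective_key(pubs):
    """h = product of g^x_i = g^(sum x_i): anything encrypted under h needs every x_i to undo."""
    h = 1
    for y in pubs:
        h = h * y % P
    return h

def encrypt(h, m):
    """Additive ElGamal: Enc(m) = (g^r, g^m * h^r) with fresh r."""
    r = secrets.randbelow(P - 2) + 1
    return (pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P)

def add(c1, c2):
    """Homomorphic addition: Enc(a) * Enc(b) = Enc(a + b), computed without decrypting."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def shuffle(h, items):
    """Permute and re-randomise (add Enc(0)) so nobody can link an item back to its DP."""
    items = list(items)
    random.shuffle(items)
    return [(grp, add(v, encrypt(h, 0)), add(one, encrypt(h, 0))) for grp, v, one in items]

def partial_decrypt(x_i, c):
    """Server i's share c1^x_i; on its own it reveals nothing about m."""
    return pow(c[0], x_i, P)

def combine(c, shares):
    """Divide out every share to obtain g^m, then recover m by bounded search. With a
    share missing the residue is a random group element and the search returns None."""
    denom = 1
    for s in shares:
        denom = denom * s % P
    gm = c[1] * pow(denom, -1, P) % P
    acc = pow(G, -DLOG_BOUND, P)
    for m in range(-DLOG_BOUND, DLOG_BOUND + 1):
        if acc == gm:
            return m
        acc = acc * G % P
    return None

# Constructed patient rows: (gender, age, ethnicity, cholesterol_rate), one list per DP.
SAMPLE_PROVIDERS = [
    [("F", 45, "Caucasian", 190), ("M", 42, "Caucasian", 210),
     ("F", 30, "Caucasian", 170), ("M", 48, "Asian", 200)],
    [("F", 50, "Caucasian", 200), ("M", 41, "Caucasian", 230), ("M", 60, "Caucasian", 250)],
]

def dp_contribute(h, rows):
    """A data provider applies the WHERE clause locally and submits only ciphertexts:
    (GROUP BY key, Enc(cholesterol_rate), Enc(1)) per matching row."""
    return [(g, encrypt(h, chol), encrypt(h, 1))
            for g, age, eth, chol in rows if 40 <= age <= 50 and eth == "Caucasian"]

def laplace_noise(scale):
    """Integer Laplace noise; the servers add it under encryption (oblivious noise)."""
    return round(random.expovariate(1 / scale) - random.expovariate(1 / scale))

def run_query(h, privs, providers, noise_scale=0.0):
    """Servers: shuffle, aggregate per gender, add noise, then decrypt jointly.
    Returns {gender: (sum, count)}; AVG is sum / count on the querier's side."""
    items = shuffle(h, [it for rows in providers for it in dp_contribute(h, rows)])
    sums, counts = {}, {}
    for grp, v, one in items:
        sums[grp] = add(sums[grp], v) if grp in sums else v
        counts[grp] = add(counts[grp], one) if grp in counts else one
    result = {}
    for grp in sums:
        s, n = sums[grp], counts[grp]
        if noise_scale > 0:
            s = add(s, encrypt(h, laplace_noise(noise_scale)))
            n = add(n, encrypt(h, laplace_noise(noise_scale)))
        result[grp] = (combine(s, [partial_decrypt(x, s) for x in privs]),
                       combine(n, [partial_decrypt(x, n) for x in privs]))
    return result

if __name__ == "__main__":
    privs, pubs = zip(*[keygen() for _ in range(3)])   # three independent servers
    h = collective_key(pubs)
    print(run_query(h, privs, SAMPLE_PROVIDERS))        # {'F': (390, 2), 'M': (440, 2)}
```

With `noise_scale=0` the decrypted sums and counts are exact, which is useful for checking the pipeline; with a positive scale the noise is drawn by the servers and added to the ciphertext, so no single party ever sees the exact aggregate. Dropping any one server's share from `combine` leaves a value that does not decode, which is the "one honest server" property in concrete form.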

Page 41:

Blockchain and eHealth: Conclusion

● Blockchain technology holds great promise
– But current systems immature, many weaknesses

● EPFL is building next-generation blockchains
– Enhance performance, scalability, privacy, availability, and powerful analysis capabilities
– Already applied to medical data applications