pe-bpmn-editor_stereotypes

Differences

This shows you the differences between two versions of the page.

pe-bpmn-editor_stereotypes [2018/11/26 10:57]
pullonen
pe-bpmn-editor_stereotypes [2020/07/15 15:30] (current)
pullonen [Encryption]
Line 1: Line 1:
 ====== Stereotypes ====== ====== Stereotypes ======
 +Stereotypes are used to denote model elements that have something to do with some of the privacy enhancing technologies. The following summarizes the expected use of the stereotypes of the supported technologies and explains the overall logic behind the stereotypes.
  
-PE-BPMN defines stereotypes for different tasks in privacy enhancing technologies so that they can be included in the BPMN model. The stereotypes are organized based on the taxonomy of privacy-enhancing technologies used to create PE-BPMN. +[[https://pleak.io/app/#/view/X1kBmgDLdgISeDh_RgwfThis model illustrates ​a computation ​outsourcing scenario with different ​technologies]]
- +
-There are two message flow stereotypes: ​[[pe-bpmn-editor/communicationprotection|CommunicationProtection]] is a general goal stereotype and denotes any protected communication,​ whereas [[pe-bpmn-editor/securechannel|SecureChannel]] is a channel that protects confidentiality and integrity of the communicationAnother concrete instantiation of [[pe-bpmn-editor/communicationprotection|CommunicationProtection]] could be something to mark anonymous communication. +
- +
-We have also added data object stereotypes to be able to type check the models. At the moment we +
-support two stereotypes [[pe-bpmn-editor/pkpublic|PKPublic]] and [[pe-bpmn-editor/pkprivate|PKPrivate]] that can be used to define a key pair for public key +
-cryptography. The group notation of stereotypes is used to denote which keys belong to one key pair. +
- +
-The rest of the stereotypes are task stereotypes and they are grouped based on the taxonomy. The respective menu appears when clicking a task in PE-BPMN editor. The goals that the task can have are data protection, data processing and entity authentication. Data protection has two possible targets: integrity and confidentiality protection. In data processing the targets are either privacy preserving or privacy adding computations. At the moment we have not implemented any stereotypes of the human-data interaction category. After choosing the goal it is possible to choose the concrete stereotype. Each stereotype opens a sidebar menu to specify the necessary parameters and roles of the inputs and outputs. For example, for [[pe-bpmn-editor/pkencrypt|PKEncrypt]] it is necessary to specify which input acts as the key and which as the plaintext. +
- +
-One important parameter is the group of the computations. Some tasks form natural groups and are not meaningful on their own. For example, secure multiparty computation needs to be carried out by multiple parties simultaneously. In our solution each participant has their own computation task (e.g. [[pe-bpmn-editor/​sscomputation|SSComputation]] ) and these tasks form groups where the semantics is that the tasks actually collaboratively compute the required functionality. For example, if the stakeholders A and B both have a +
-[[pe-bpmn-editor/​sscomputation|SSComputation]] task of group C then these two tasks can only be executed in parallel and the outputs of both tasks depend on the inputs of both tasks. In practice this corresponds to the case where A and B execute some collaborative ​computation ​protocol. In some cases the computations of all participants are the same and therefore the tasks in the group have the same stereotype. This is true for all secret sharing based technologies, moreover, in most cases the number of tasks in a group should correspond to the number of shares that there are. In others, the participants have distinct roles and we also have created distinct stereotypes for these tasks. However, for a meaningful use, these stereotypes still need to be grouped to state which operations belong together. For example, in garbled circuits technique, one participant creates the circuit ( [[pe-bpmn-editor/​gcgarble|GCGarble]] ) and the other uses the garbled circuit to actually get the outcome ( [[pe-bpmn-editor/​gcevaluate|GCEvaluate]] ). In these cases the group should contain one of each separate task. The other such pairs are oblivious transfer (OT) and attestation of SGX technologies. +
- +
-Not all stereotypes can be added to all tasks, for example there has to be suitable number of inputs +
-and outputs. For some stereotypes,​ it can be that there are special roles that the inputs or outputs have. +
-For example, an encryption operation has two distinct inputs - the key and the plaintext - that can be +
-identified on the model. For some stereotypes the only restriction is that there must be a certain number +
-of inputs or outputs. Implemented restrictions for currently used stereotypes are covered on [[pe-bpmn-editor/​restrictions|restrictions page]] and under each stereotype. There are listed the number of expected inputs and outputs as well as parameters. In case the inputs or outputs have special roles, then they are also named in the table and the user interface allows to fix which data object has the specified role. At the moment the main parameters that we consider are the group of the computation and the script. If the parameter is specified only as a group then it is expected that the group is formed of only tasks of that type. In other cases, the groups formed of multiple separate tasks also specify the other expected stereotypes that should belong to the group. +
 ===== Technologies and their stereotypes ===== ===== Technologies and their stereotypes =====
 ==== Encryption ==== ==== Encryption ====
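Review bot: the added example link on the new line 2 is missing the `|` that separates a DokuWiki link target from its text, so the whole string `https://pleak.io/app/#/view/X1kBmgDLdgISeDh_RgwfThis model illustrates ...` becomes the URL and the link will not resolve; the other model links in this revision use the `[[url|text]]` form, and the id here appears to be the 20-character `X1kBmgDLdgISeDh_Rgwf` with the pipe belonging before `This`. Also worth confirming in review that the removed paragraphs (message flow stereotypes, data object stereotypes, task stereotypes, groups, restrictions) are all re-added under the new "Logic Behind The Stereotypes" section and not just dropped, since this hunk only shows the deletion.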
Line 31: Line 14:
  
 We use [[pe-bpmn-editor_pkpublic|PKPublic]] stereotype to denote the public key that can be known to anyone and [[pe-bpmn-editor_pkprivate|PKPrivate]] to denote the private key that can only be known to parties that can decrypt. We use [[pe-bpmn-editor_pkpublic|PKPublic]] stereotype to denote the public key that can be known to anyone and [[pe-bpmn-editor_pkprivate|PKPrivate]] to denote the private key that can only be known to parties that can decrypt.
 +
 +For example consider [[https://​pleak.io/​app/#/​view/​BupEXriFLsPfVxBhJ1tr|this model]] where two parties encrypt their secret with the same public key and send the ciphertexts to a computing party. This party then performs some computations and forwards the encrypted result to the result party. Finally, the result party knows the private key and decrypts the result.
 +
 +=== Attribute based encryption ===
 +Attribute based encryption is like public key encryption with several private keys and attributes added. The public key defines all possible attributes and the secret keys contain the attributes of the user. In every encryption operation the attributes that are allowed to decrypt the resulting ciphertext are fixed.
 +
  
 ==== Secure multiparty computation ==== ==== Secure multiparty computation ====
 Secure multiparty computation (MPC) techniques are methods that allow participants to protect their data and process it in a distributed manner while maintaining the confidentiality of all the inputs. The only information that is revealed about the inputs is the desired output of the computation. Common methods to achieve secure computation use either secret sharing or garbled circuits as a basis. Secure multiparty computation (MPC) techniques are methods that allow participants to protect their data and process it in a distributed manner while maintaining the confidentiality of all the inputs. The only information that is revealed about the inputs is the desired output of the computation. Common methods to achieve secure computation use either secret sharing or garbled circuits as a basis.
  
-In Pleak we also consider a generic stereotype to denote secure multiparty computation - [[pe-bpmn-editor_mpc|MPC]]. This considers the most straightforward use of secure computation where all participants that have input data also somehow participate in the computation and all tasks with MPC stereotype and executing the same computation are run in parallel. In addition, we expect that all inputs and outputs are public but different parties may have different inputs and outputs.+In Pleak we also consider a generic stereotype to denote secure multiparty computation - [[pe-bpmn-editor_mpc|MPC]]. This considers the most straightforward use of secure computation where all participants that have input data also somehow participate in the computation and all tasks with MPC stereotype and executing the same computation are run in parallel. In addition, we expect that all inputs and outputs are public but different parties may have different inputs and outputs. ​ 
 + 
 +Using the generic MPC stereotype can give us very simple models, [[https://​pleak.io/​app/#/​view/​9888_hzOHoPM-tDJJXjH | for example]] is the conceptual model that is expanded in [[https://​pleak.io/​app/#/​view/​u2UaSnPGcAwB3yM9h6sG|here to show how it would look like when implemented with three party additive secret sharing.]]
  
 === Secret sharing === === Secret sharing ===
 [[pe-bpmn-editor_sssharing|SSSharing]] is used to create shares and fix the threshold. [[pe-bpmn-editor_sscomputation|SSComputation]] tasks are used to compute with secret shares. [[pe-bpmn-editor_ssreconstruction|SSReconstruction]] is used to restore the shared value. [[pe-bpmn-editor_sssharing|SSSharing]] is used to create shares and fix the threshold. [[pe-bpmn-editor_sscomputation|SSComputation]] tasks are used to compute with secret shares. [[pe-bpmn-editor_ssreconstruction|SSReconstruction]] is used to restore the shared value.
 +
 +For example, [[https://​pleak.io/​app/#/​view/​ZkEJp9MC-R0trS-8FZ6Z|this model]] shows a process where three parties each secret share their private input, then distribute the shares (each party sends one share of their secret to other parties) in order to compute with the shares. Note that each party inputs all their shares of the secrets to the computations and the computation tasks are grouped together. Finally the second party sends their output to the first party that reconstructs the computation outcome. The fact that only two parties is required comes from the threshold parameter of the secret sharing task.
  
 == Additive secret sharing == == Additive secret sharing ==
 [[pe-bpmn-editor_addsssharing|AddSSSharing]] is used to create additive shares. [[pe-bpmn-editor_addsscomputation|AddSSComputation]] tasks are used to compute with secret shares. [[pe-bpmn-editor_addssreconstruction|AddSSReconstruction]] is used to restore the shared value. [[pe-bpmn-editor_addsssharing|AddSSSharing]] is used to create additive shares. [[pe-bpmn-editor_addsscomputation|AddSSComputation]] tasks are used to compute with secret shares. [[pe-bpmn-editor_addssreconstruction|AddSSReconstruction]] is used to restore the shared value.
 +
 +[[https://​pleak.io/​app/#/​view/​u2UaSnPGcAwB3yM9h6sG|This is an example model for Sharemind platform using additive secret sharing.]]
  
 == Function Secret sharing == == Function Secret sharing ==
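Review bot: the new "Attribute based encryption" subsection describes the technique but names no stereotype, whereas every neighbouring subsection (PKPublic/PKPrivate above, SSSharing/SSComputation/SSReconstruction and the AddSS variants below) links the stereotypes it introduces; either link the ABE stereotypes or state that none is implemented yet. Smaller points in the same hunk: the MPC paragraph's only change is trailing whitespace, which adds diff noise; "For example consider" needs a comma; "how it would look like" should be "how it would look"; and in the secret sharing example "only two parties is required" should be "are required".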
Line 61: Line 56:
  
 In addition, we consider [[pe-bpmn-editor_sgxquoting|SGXQuoting]] to produce a signed confirmation of the enclave and [[pe-bpmn-editor_sgxquoteverification|SGXQuoteVerification]] that is a procedure run by the Intel service to verify the quote. These are a part of the attestation process and help to draw attention to the need of the additional Intel server if necessary. In addition, we consider [[pe-bpmn-editor_sgxquoting|SGXQuoting]] to produce a signed confirmation of the enclave and [[pe-bpmn-editor_sgxquoteverification|SGXQuoteVerification]] that is a procedure run by the Intel service to verify the quote. These are a part of the attestation process and help to draw attention to the need of the additional Intel server if necessary.
 +
 +An example where two parties give input to one SGX computation can be seen [[https://​pleak.io/​app/#/​view/​PVYP0FrTs2ThYfcgcLZB|here]]. It is also interesting because it shows how to combine SGXComputation with Encryption to give outputs that only other parties and not the SGX machine can access. A smaller example of similar usage is [[https://​pleak.io/​app/#/​view/​IYrBIt0hcGdZgDZGpUNV|here]]
 ==== Networking ==== ==== Networking ====
 At the moment we have two networking stereotypes that apply to message flows [[pe-bpmn-editor_securechannel|SecureChannel]] and [[pe-bpmn-editor_communicationprotection|CommunicationProtection]]. The latter is the general stereotype that denotes any form of PET applied to the transmission. However, the former is used for confidential communication channel (that also ensures integrity), e.g. what is achieved with TLS. At the moment we have two networking stereotypes that apply to message flows [[pe-bpmn-editor_securechannel|SecureChannel]] and [[pe-bpmn-editor_communicationprotection|CommunicationProtection]]. The latter is the general stereotype that denotes any form of PET applied to the transmission. However, the former is used for confidential communication channel (that also ensures integrity), e.g. what is achieved with TLS.
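Review bot: the added SGX example paragraph ends without a period after the final `[[...|here]]` link and is not followed by a blank line before `==== Networking ====`, unlike the other added example paragraphs in this revision, which are separated from the next heading. It also mentions SGXComputation in plain text while SGXQuoting and SGXQuoteVerification on the preceding line are linked; if a stereotype page exists for it, link it the same way for consistency.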
Line 67: Line 64:
 ==== Differential privacy ==== ==== Differential privacy ====
 The [[pe-bpmn-editor_differentialprivacy|DifferentialPrivacy]] stereotype can be used to denote tasks that deploy differential privacy as part of their computations. The stereotype allows to fix the parameters for differential privacy, however, at the moment these are not used by the analyzer. However, it will be interesting to consider these tasks when different analyzers are merged. The [[pe-bpmn-editor_differentialprivacy|DifferentialPrivacy]] stereotype can be used to denote tasks that deploy differential privacy as part of their computations. The stereotype allows to fix the parameters for differential privacy, however, at the moment these are not used by the analyzer. However, it will be interesting to consider these tasks when different analyzers are merged.
 +
 +[[pe-bpmn-editor_dimensionalityreduction|DimensionalityReduction]] stereotype was considered to cover the case when only parts (feature vectors) of the input picture data are used in the computation. However, this stereotype is deprecated.
 +
 +===== Logic Behind The Stereotypes =====
 +
 +
 +PE-BPMN defines stereotypes for different tasks in privacy enhancing technologies so that they can be included in the BPMN model. The stereotypes are organized based on the taxonomy of privacy-enhancing technologies used to create PE-BPMN.
 +
 +==== Message flows ====
 +
 +There are two message flow stereotypes:​ [[pe-bpmn-editor/​communicationprotection|CommunicationProtection]] is a general goal stereotype and denotes any protected communication,​ whereas [[pe-bpmn-editor/​securechannel|SecureChannel]] is a channel that protects confidentiality and integrity of the communication. Another concrete instantiation of [[pe-bpmn-editor/​communicationprotection|CommunicationProtection]] could be something to mark anonymous communication.
 +
 +=== Data objects ===
 +
 +We have also added data object stereotypes to be able to type check the models. At the moment we
 +support two stereotypes [[pe-bpmn-editor/​pkpublic|PKPublic]] and [[pe-bpmn-editor/​pkprivate|PKPrivate]] that can be used to define a key pair for public key
 +cryptography. The group notation of stereotypes is used to denote which keys belong to one key pair.
 +
 +=== Tasks ===
 +
 +The rest of the stereotypes are task stereotypes and they are grouped based on the taxonomy. Task stereotypes represent actions that are needed to use some privacy enhancing technology. The respective menu appears when clicking a task in PE-BPMN editor. The goals that the task can have are data protection, data processing and entity authentication. Data protection has two possible targets: integrity and confidentiality protection. In data processing the targets are either privacy preserving or privacy adding computations. At the moment we have not implemented any stereotypes of the human-data interaction category. After choosing the goal it is possible to choose the concrete stereotype. For example, if the goal is to protect confidentiality then the two actions needed are first to apply the protection (e.g. encrypt) and later in the process to remove the protection (e.g. decrypt). Each stereotype opens a sidebar menu to specify the necessary parameters and roles of the inputs and outputs (data objects connected to the task with data association). For example, for public key encryption stereotype [[pe-bpmn-editor/​pkencrypt|PKEncrypt]] it is necessary to specify which input acts as the key and which as the plaintext.
 +
 +== Stereotype groups ==
 +One important parameter is the group of the computations. Some tasks form natural groups and are not meaningful on their own. For example, secure multiparty computation needs to be carried out by multiple parties simultaneously. In our solution each participant has their own computation task (e.g. [[pe-bpmn-editor/​sscomputation|SSComputation]] ) and these tasks form groups where the semantics is that the tasks actually collaboratively compute the required functionality. For example, if the stakeholders A and B both have a
 +[[pe-bpmn-editor/​sscomputation|SSComputation]] task of group C then these two tasks can only be executed in parallel and the outputs of both tasks depend on the inputs of both tasks. In practice this corresponds to the case where A and B execute some collaborative computation protocol. In some cases the computations of all participants are the same and therefore the tasks in the group have the same stereotype. This is true for all secret sharing based technologies,​ moreover, in most cases the number of tasks in a group should correspond to the number of shares that there are. In others, the participants have distinct roles and we also have created distinct stereotypes for these tasks. However, for a meaningful use, these stereotypes still need to be grouped to state which operations belong together. For example, in garbled circuits technique, one participant creates the circuit ( [[pe-bpmn-editor/​gcgarble|GCGarble]] ) and the other uses the garbled circuit to actually get the outcome ( [[pe-bpmn-editor/​gcevaluate|GCEvaluate]] ). In these cases the group should contain one of each separate task. The other such pairs are oblivious transfer (OT) and attestation of SGX technologies.
 +
 +== Restrictions to adding stereotypes ==
 +
 +Not all stereotypes can be added to all tasks, for example there has to be suitable number of inputs
 +and outputs. For some stereotypes,​ it can be that there are special roles that the inputs or outputs have.
 +For example, an encryption operation has two distinct inputs - the key and the plaintext - that can be
 +identified on the model. For some stereotypes the only restriction is that there must be a certain number
 +of inputs or outputs. Implemented restrictions for currently used stereotypes are covered on [[pe-bpmn-editor/​restrictions|restrictions page]] and under each stereotype. There are listed the number of expected inputs and outputs as well as parameters. In case the inputs or outputs have special roles, then they are also named in the table and the user interface allows to fix which data object has the specified role. At the moment the main parameters that we consider are the group of the computation and the script. If the parameter is specified only as a group then it is expected that the group is formed of only tasks of that type. In other cases, the groups formed of multiple separate tasks also specify the other expected stereotypes that should belong to the group.
 +
  
  
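Review bot: the heading levels in the new "Logic Behind The Stereotypes" section nest incorrectly: `==== Message flows ====` is followed by `=== Data objects ===` and `=== Tasks ===`, which makes data objects and tasks subsections of message flows although the text treats them as three parallel kinds of stereotype; Data objects and Tasks should be `====` like Message flows (the `==` Stereotype groups and Restrictions headings can stay under Tasks, since both paragraphs are about task stereotypes). Also, the DimensionalityReduction paragraph is placed under "Differential privacy" although it is unrelated and marked deprecated, and "This is true for all secret sharing based technologies, moreover, in most cases" is a comma splice that reads better with a semicolon or a full stop before "moreover".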
pe-bpmn-editor_stereotypes.1543222662.txt.gz · Last modified: 2019/10/01 13:53 (external edit)