Polymorphic Encryption and Pseudonymisation of IP Network Flows

TL;DR

The paper introduces PEP3, a privacy-preserving system for IP flow data that uses polymorphic encryption and pseudonymisation, enabling secure, verifiable, and decentralized handling of IP addresses in large-scale networks.

Contribution

PEP3 is a novel system combining homomorphic encryption, pseudonymisation, and multi-party trust to securely store and process IP flow information without revealing sensitive data.

Findings

PEP3 prevents single points of trust or failure.

It enables verification of peer behavior without revealing IP addresses.

The system efficiently handles large IP flow datasets.

Abstract

We describe a system, PEP3, for storage and retrieval of IP flow information in which the IP addresses are replaced by pseudonyms. Every eligible party gets its own set of pseudonyms. A single entity, the transcryptor, that is composed of five independent peers, is responsible for the generation of, depseudonymisation of, and translation between different sets of pseudonyms. These operations can be performed by any three of the five peers, preventing a single point of trust or failure. Using homomorphic aspects of ElGamal encryption the peers perform their operations on encrypted and --potentially-- pseudonymised IP addresses only, thereby never learning the (pseudonymised) IP addresses handled by the parties. Moreover, using Schnorr type proofs, the behaviour of the peers can be verified, without revealing the (pseudonymised) IP addresses either. Hence the peers are central, but need not be fully trusted. The design of our system, while easily modified to other settings, is tuned to the sheer volume of data presented by IP flow information.