Harpocrates: Privacy-Preserving and Immutable Audit Log for Sensitive Data Operations

TL;DR

Harpocrates is a novel audit log scheme that ensures privacy, immutability, and verifiability for sensitive data operations using blockchain and zero-knowledge proofs, addressing limitations of prior schemes.

Contribution

It introduces a privacy-preserving, immutable audit log scheme combining blockchain and cryptography to prevent sensitive data leakage while enabling public verification.

Findings

Achieves non-malleability and indistinguishability security properties.

Demonstrates high scalability and practical performance on Hyperledger Fabric.

Successfully deployed and evaluated on Amazon EC2 platform.

Abstract

The audit log is a crucial component to monitor fine-grained operations over sensitive data (e.g., personal, health) for security inspection and assurance. Since such data operations can be highly sensitive, it is vital to ensure that the audit log achieves not only validity and immutability, but also confidentiality against active threats to standard data regulations (e.g., HIPAA) compliance. Despite its critical needs, state-of-the-art privacy-preserving audit log schemes (e.g., Ghostor (NSDI '20), Calypso (VLDB '19)) do not fully obtain a high level of privacy, integrity, and immutability simultaneously, in which certain information (e.g., user identities) is still leaked in the log. In this paper, we propose Harpocrates, a new privacy-preserving and immutable audit log scheme. Harpocrates permits data store, share, and access operations to be recorded in the audit log without leaking sensitive information (e.g., data identifier, user identity), while permitting the validity of data operations to be publicly verifiable. Harpocrates makes use of blockchain techniques to achieve immutability and avoid a single point of failure, while cryptographic zero-knowledge proofs are harnessed for confidentiality and public verifiability. We analyze the security of our proposed technique and prove that it achieves non-malleability and indistinguishability. We fully implemented Harpocrates and evaluated its performance on a real blockchain system (i.e., Hyperledger Fabric) deployed on a commodity platform (i.e., Amazon EC2). Experimental results demonstrated that Harpocrates is highly scalable and achieves practical performance.