Privacy in Emerging Technologies
eScholarship
Open Access Publications from the University of California

UC Irvine Electronic Theses and Dissertations


Abstract

The importance of privacy has been growing steadily for over 25 years. Increasingly popular areas (such as IoT, cryptocurrencies and genomics) have attracted and fueled new types of privacy-focused attacks and exploits. This dissertation follows the lifecycle of secrets (or data), from initial entry to use, and presents attacks and defenses that utilize emerging technologies.

We start by presenting a side-channel attack that targets password entry. The attack uses thermal residues left by human fingertips on the keys of an external keyboard to recover recently entered passwords.

Then, we present a privacy-preserving CAPTCHA alternative that mimics the rate-limiting nature of CAPTCHAs. To skip CAPTCHAs, clients generate rate-proofs when the rate at which they have performed an action (e.g., visiting a website, signing up for an email account) is below a server-supplied threshold. Rate-proofs, generated by client-side Trusted Execution Environments (TEEs), assure servers that clients are not acting in an abusive manner.

We also propose a scalable data ownership framework in which clients with no accounts on a website can prove ownership of data collected from them. Although data ownership proofs are possible using traditional authentication methods (e.g., passwords), there is no accepted way of achieving this for accountless clients. This framework completes the missing piece of verifiable consumer requests, which are used to exercise the data rights (access/modify/delete) granted by recent data protection regulations such as GDPR and CCPA. A client-side TEE can be used to store a secret that initiates these requests. The use of TEEs, as shown in these two works, allows us to secure and privacy-protect secrets/data after entry.

Lastly, we present a cryptography-based solution for range queries in the genomics domain. It ensures the authenticity and integrity of an individual's genome while minimizing the data exposed to testers. It uses a variety of techniques, ranging from zero-knowledge range proofs and digital signatures to continual linking of elements inspired by the literature on range queries over databases. We use the genomics domain to show how privacy can be achieved when no TEEs are available.
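The rate-proof exchange sketched above (client-side TEE counts the client's own actions, emits a proof only while the count in a window is below the server-supplied threshold, server verifies the proof instead of serving a CAPTCHA) can be simulated end to end. The following is an added example written for this page; it is not code from the dissertation. The class and function names, the window/threshold values, and the use of a shared HMAC key in place of a TEE attestation key (a real design would verify a remote attestation of an enclave-held signing key) are all assumptions made for the example. It also shows the checks a server needs beyond the signature: a single-use nonce against replay, rejection of proofs made against a weaker threshold, and a freshness bound.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for the TEE's attestation key. In a real deployment the
# private key stays inside the enclave and the server checks a remote
# attestation of it; here both parties hold one HMAC key so the example runs
# offline. The key value itself is made up for this example.
ATTESTATION_KEY = b"example-tee-attestation-key"


def _mac(key, body):
    """Deterministic tag over a canonical JSON encoding of the proof body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TeeRateProver:
    """Simulated client-side TEE. It keeps the client's action history privately
    and only ever emits a signed proof when the rate is under the threshold."""

    def __init__(self, key, window_seconds):
        self._key = key
        self._window = window_seconds
        self._events = []  # timestamps of the rate-limited action

    def record_action(self, now):
        self._events.append(now)

    def count_in_window(self, now):
        cutoff = now - self._window
        self._events = [t for t in self._events if t > cutoff]
        return len(self._events)

    def make_proof(self, server_nonce, threshold, now):
        """Return a rate-proof, or None when the enclave refuses because the
        client's own action count in the window is not below the threshold."""
        count = self.count_in_window(now)
        if count >= threshold:
            return None
        body = {"nonce": server_nonce, "threshold": threshold,
                "count": count, "ts": now}
        return {"body": body, "tag": _mac(self._key, body)}


class RateProofVerifier:
    """Server side: hands out single-use nonces and checks proofs against the
    threshold it published."""

    def __init__(self, key, threshold, max_age_seconds):
        self._key = key
        self._threshold = threshold
        self._max_age = max_age_seconds
        self._open_nonces = set()

    def issue_nonce(self):
        nonce = os.urandom(16).hex()
        self._open_nonces.add(nonce)
        return nonce

    def verify(self, proof, now):
        if proof is None:
            return False  # client could not produce a proof: fall back to a CAPTCHA
        body, tag = proof["body"], proof["tag"]
        if not hmac.compare_digest(_mac(self._key, body), tag):
            return False  # not produced by a TEE holding the attestation key
        if body["nonce"] not in self._open_nonces:
            return False  # replayed, or never issued by this server
        self._open_nonces.discard(body["nonce"])  # single use
        if body["threshold"] != self._threshold:
            return False  # proof made against a threshold the server did not set
        if body["count"] >= self._threshold:
            return False
        if abs(now - body["ts"]) > self._max_age:
            return False  # stale proof
        return True
```

The server never learns what the client did, only that an enclave it trusts attests the count is under the published threshold; the enclave, in turn, will not sign a proof with a count it did not observe, which is what makes the count claim meaningful.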
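The genomics passage above mentions digital signatures and continual linking of elements as the tools that give a tester authenticity and completeness for a range of positions while exposing nothing outside that range. The following is an added illustration of the linking idea, written for this page; it is not the dissertation's construction and it omits the zero-knowledge range-proof component entirely. Every name, the sentinel positions, the sample variant list (constructed) and the use of HMAC in place of a public-key signature are assumptions of the example. Each element is signed twice: a link record (predecessor position, own position, successor position) and a separate content record, so that an empty range can be proven from a neighbour's link record alone without revealing that neighbour's variant.

```python
import hashlib
import hmac
import json
from bisect import bisect_left, bisect_right

# Constructed stand-in for the certifier's signing key (e.g., a sequencing lab).
# A real deployment would use a public-key signature so testers need only the
# public key; HMAC keeps this example within the standard library.
SIGNING_KEY = b"example-genome-signing-key"
NEG_INF, POS_INF = -1, 2**62  # sentinel positions bounding the variant list


def _sign(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def _valid(key, obj, sig):
    return hmac.compare_digest(_sign(key, obj), sig)


class CertifiedGenome:
    """Variants keyed by position. Each element gets two signed records: a link
    record (prev, pos, next) that proves adjacency, and a content record that
    carries the variant itself, so adjacency can be shown without content."""

    def __init__(self, key, variants):
        if not variants:
            raise ValueError("need at least one variant to anchor the chain")
        self._positions = sorted(variants)
        self._records = {}
        for i, pos in enumerate(self._positions):
            link = {"pos": pos,
                    "prev": self._positions[i - 1] if i > 0 else NEG_INF,
                    "next": self._positions[i + 1] if i + 1 < len(self._positions) else POS_INF}
            content = {"pos": pos, "variant": variants[pos]}
            self._records[pos] = {"link": link, "link_sig": _sign(key, link),
                                  "content": content, "content_sig": _sign(key, content)}

    def answer(self, lo, hi):
        """Records for positions in [lo, hi]. For an empty range, return only the
        link record of the neighbouring element, which proves emptiness without
        disclosing that element's variant."""
        i, j = bisect_left(self._positions, lo), bisect_right(self._positions, hi)
        records = [self._records[p] for p in self._positions[i:j]]
        boundary = None
        if not records:
            nb = self._records[self._positions[i - 1 if i > 0 else 0]]
            boundary = {"link": nb["link"], "link_sig": nb["link_sig"]}
        return {"records": records, "boundary": boundary}


def verify_range(key, lo, hi, answer):
    """Tester-side check: every returned record is authentic, the records form
    an unbroken chain, and the chain's ends straddle [lo, hi] (completeness)."""
    recs = answer["records"]
    if not recs:
        b = answer["boundary"]
        if b is None or not _valid(key, b["link"], b["link_sig"]):
            return False
        link = b["link"]
        if link["pos"] < lo:                      # predecessor: nothing until after hi
            return link["next"] > hi
        return link["prev"] == NEG_INF and link["pos"] > hi  # first element lies beyond hi
    for r in recs:
        if not (_valid(key, r["link"], r["link_sig"]) and _valid(key, r["content"], r["content_sig"])):
            return False
        if r["link"]["pos"] != r["content"]["pos"] or not lo <= r["link"]["pos"] <= hi:
            return False
    for a, b in zip(recs, recs[1:]):
        if a["link"]["next"] != b["link"]["pos"] or b["link"]["prev"] != a["link"]["pos"]:
            return False
    return recs[0]["link"]["prev"] < lo and recs[-1]["link"]["next"] > hi
```

The adjacency check is what catches a prover who drops an element from the middle of the answer, and the straddling check catches one who trims the ends. The remaining leak in this simplified form is that the first and last link records disclose the positions (though not the variants) of the elements just outside the queried range; hiding those positions is the kind of gap a zero-knowledge range proof, which this example does not implement, is meant to close.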
