1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
2 Outline  Introduction  Definition of Security  Outsource-Secure Exponentiation Using Two Untrusted Programs  Outsource-Secure Encryption Using One Untrusted Program  Conclusion

3 Introduction A computationally limited device wants to outsource its computation to a helper: a potentially malicious, but much more computationally powerful device. [Diagram: Device, Helper]

4 Introduction Intelligent failures. [Diagram: Device sends Input to Helper; Helper has an Advertised functionality and Knowledge]

5 Introduction Unintelligent failures: Malicious, Bug. [Diagram: Device sends Input to Helper]

6 Introduction We face a real challenge: the helper should do most computations for an honest device without being told anything about what it is actually doing, and the device checks the Output. [Diagram: Device sends Input to Helper, receives Output, Check]

7 Introduction  Definition of security for outsourced computation: Efficiency, Checkability.  Securely outsource variable-exponent, variable-base modular exponentiation.  Securely outsource a CCA2-secure variant of Cramer-Shoup encryption.

8 Outline  Introduction  Definition of Security  Outsource-Secure Exponentiation Using Two Untrusted Programs  Outsource-Secure Encryption Using One Untrusted Program  Conclusion

9 Definition A cryptographic algorithm Alg is split into two components, T and U. T: a trusted component. Sees the input to Alg. Not very computationally intensive. T can make oracle queries to the second component U. U: an untrusted component. Carries out the computation-intensive tasks.

10 Definition [Diagram: Input to Alg goes to T; T sends Query to U and receives U's Output; T produces Alg's Output]

11 Definition  T securely outsources some work to U.  (T, U) thereby form an outsource-secure implementation of a cryptographic algorithm Alg, if Alg = T^U. T is given oracle access to a malicious U' that records all of its computation over time and, every time it is invoked, tries to act maliciously.

12 Definition  The input to Alg can be separated into two logical groups: Protected inputs  Inputs that should remain hidden from the untrusted software U' at all times. (For example, keys and messages.) Unprotected inputs  Inputs that U' is entitled to know if it is to be of any help in running Alg. (If Alg is a time-stamping scheme, then U' may need to know the current time.)  Similarly, Alg has protected and unprotected outputs: those that U' is entitled to find out, and those that it is not.

13 Definition Model the adversary A as consisting of two parts: E and U'. E: the adversarial environment, which submits adversarially chosen inputs. U': the adversarial software, which T queries. [Diagram: E, T, U'; direct links between E and U' crossed out]

14 Definition Model the adversary A as consisting of two parts: E and U'. E may know some of the protected inputs to Alg. For example, E gets to see all of its own adversarial inputs (AP) to Alg. If U' were able to see some values chosen by E, then E and U' could agree on a joint strategy causing U' to stop working upon receiving some predefined message from E. [Diagram: E, T, U' (Query), AP]

15 Definition  Inputs to Alg, by logical division:  Secret: information only available to T. A secret key or a plaintext.  Protected: information only available to T and E. A public key or a ciphertext.  Unprotected: information available to T, E and U'. These are further categorized based on whether the inputs were generated  Honestly  Adversarially

16 Definition Honestly generated, secret inputs: HS. Honestly generated, protected inputs: HP. Honestly generated, unprotected inputs: HU. Adversarial, protected inputs: AP. Adversarial, unprotected inputs: AU. [Diagram: Input classes HS, HP, HU, AP, AU]

17 Definition Secret outputs: S. Protected outputs: P. Unprotected outputs: U. [Diagram: Output classes S, P, U]

18 Definition [Diagram: Alg takes 5 inputs (HS, HP, HU, AP, AU) and produces 3 outputs (S, P, U)]

19 Definition  Definition 1: Algorithm with outsource-IO. Alg takes five inputs, of which HS, HP and HU are generated by the honest party and AP and AU are generated by the environment E, and produces three outputs S, P and U. [Diagram: Alg with the five input classes and three output classes]

20 Definition The definition of outsource-security must prevent U' from learning anything about the secret or protected inputs to T^U by being T's oracle in place of U. Simulator S_2: when told that T^U(x) was invoked, simulates the view of U' without access to the secret or protected inputs of x. This property ensures that U' cannot intelligently choose to fail. [Diagram: T sends Query to U']

21 Definition The definition of outsource-security must also prevent E from gaining any knowledge of the secret inputs through U' (written by E). Simulator S_1: when told that T^U'(x) was invoked, simulates the view of E without access to the secret inputs of x. [Diagram: E, T, U' (Query); HS input; outputs S, P, U]

22 Definition  Definition 2: Outsource-security. Let Alg(·,·,·,·,·) be an algorithm with outsource-IO. A pair of algorithms (T, U) is said to be an outsource-secure implementation of an algorithm Alg if: Correctness  T^U is a correct implementation of Alg.

23 Definition  Definition 2: Outsource-security. Security  For all probabilistic polynomial-time adversaries A = (E, U').  There exist probabilistic expected polynomial-time simulators (S_1, S_2) such that the following pairs of random variables are computationally indistinguishable.  Let us say that the honestly-generated inputs are chosen by a process I.

24 Definition  Definition 2: Outsource-security. Security, pair one: EVIEW_real ~ EVIEW_ideal (the external adversary, E, learns nothing). EVIEW_real is the view that the adversarial environment E obtains by participating in the following REAL process:

25 Definition [Diagram of the REAL process, round i: I (state istate_{i-1} to istate_i) produces the honest inputs x^HS_i, x^HP_i, x^HU_i from 1^k; E (state estate_{i-1} to estate_i) chooses j_i, x^AP_i, x^AU_i and stop_i; T (state tstate) with oracle U' (state ustate) runs on (x^HS_{j_i}, x^HP_{j_i}, x^HU_{j_i}, x^AP_i, x^AU_i) and outputs y^S_i, y^P_i, y^U_i; EVIEW_real is E's view]

26 Definition In each round i, E outputs: (0) the value of its estate_i variable, as a way of remembering what it did next time it is invoked; (1) previously generated honest inputs (x^HS_{j_i}, x^HP_{j_i}, x^HU_{j_i}) to give to T^U' (note: E can specify the index j_i of these inputs, but not their values); (2) the adversarial protected input x^AP_i; (3) the adversarial unprotected input x^AU_i; (4) the Boolean variable stop_i that determines whether round i is the last round in this process.

27 Definition  Definition 2: Outsource-security. The IDEAL process:

28 [Diagram of the IDEAL process, round i: I and E behave as in the REAL process; Alg (state astate) is run on (x^HS_{j_i}, x^HP_{j_i}, x^HU_{j_i}, x^AP_i, x^AU_i) and outputs y^S_i, y^P_i, y^U_i; the simulator S_1 (state sstate) with access to U' (state ustate) receives x^HU_{j_i}, x^HP_{j_i}, x^AP_i, x^AU_i and y^P_i, y^U_i, and outputs (Y^P_i, Y^U_i) and a flag replace_i; E's view EVIEW_ideal receives (z^P_i, z^U_i)] S_1 is shielded from the secret input x^HS_i, but given the non-secret outputs that Alg produces, and decides to either output the values (y^P_i, y^U_i) or replace them with some values (Y^P_i, Y^U_i).

29 Definition  Definition 2: Outsource-security. Security, pair two: UVIEW_real ~ UVIEW_ideal (the untrusted software, U', learns nothing). UVIEW_real is the view that the untrusted software U' obtains by participating in the REAL process described in part one: UVIEW_real = ustate_i if stop_i = TRUE.

30 Definition [Diagram of the REAL process as in pair one, now collecting the view of U': UVIEW_real is U'’s state ustate_i]

31 Definition  Definition 2: Outsource-security. The IDEAL process:

32 [Diagram of the IDEAL process for pair two: I, E and Alg (state astate) behave as before; the simulator S_2 (state sstate), equipped with only the unprotected inputs (x^HU_{j_i}, x^AU_i), queries U' (state ustate); UVIEW_ideal is U'’s state ustate_i; the diagram also carries the labels y^P_{i-1}, y^U_{i-1}] S_2 is equipped with only the unprotected inputs (x^HU_i, x^AU_i) and queries U'.

33 Definition [Diagram summarizing honest inputs (Input H) and adversarial inputs (Input A) flowing into Alg, and its Output]

34 Definition  Remark 3: The states of all algorithms, i.e., I, E, U', T, S_1, S_2, in the security experiments above are initialized to empty.  Remark 4: For any outsource-secure implementation, the adversarial, unprotected input x^AU must be empty.  Remark 5: No security guarantee is implied in the event that the environment E and the software U' are able to communicate without passing messages through T.

35 Definition  Definition 6: α-efficient, secure outsourcing. A pair of algorithms (T, U) is an α-efficient implementation of an algorithm Alg if  they are an outsource-secure implementation of Alg, and  for all inputs x, the running time of T is at most an α-multiplicative factor of the running time of Alg(x).  The notion considers only T's computational load compared to that of Alg.

36 Definition  Definition 7: β-checkable, secure outsourcing. A pair of algorithms (T, U) is a β-checkable implementation of an algorithm Alg if  they are an outsource-secure implementation of Alg, and  for all inputs x, if U' deviates from its advertised functionality during the execution of T^U'(x), T will detect the error with probability at least β.

37 Definition  Definition 8: (α,β)-outsource-security. A pair of algorithms (T, U) is an (α,β)-outsource-secure implementation of an algorithm Alg if they are both α-efficient and β-checkable.
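An added example, not code from the paper or these slides, that turns Definitions 6 to 8 into a runnable simulation: a trusted T outsources a modular exponentiation to an untrusted U' and hides the real query among cheap test queries whose answers T computes itself, so a U' that deviates on one query is caught with probability β = n_tests/(n_tests+1). The test-query strategy, the modulus MOD and the once-cheating U' are assumptions constructed for illustration, not the paper's exponentiation scheme.

```python
import random
from typing import Callable, Tuple

MOD = 1000003  # constructed prime modulus; the group is Z_MOD^* (assumption)

def honest_u(base: int, exp: int, mod: int) -> int:
    """Advertised functionality of the helper U: modular exponentiation."""
    return pow(base, exp, mod)

def cheating_once_u(rng: random.Random, n_queries: int) -> Callable[[int, int, int], int]:
    """Constructed adversarial U': answers correctly except on one query, picked
    uniformly among the n_queries it expects, where it returns a wrong value."""
    target = rng.randrange(n_queries)
    seen = [0]
    def u(base: int, exp: int, mod: int) -> int:
        idx, seen[0] = seen[0], seen[0] + 1
        r = pow(base, exp, mod)
        return (r + 1) % mod if idx == target else r  # the single deviation
    return u

def t_query(base: int, exp: int, mod: int, u: Callable, rng: random.Random,
            n_tests: int) -> Tuple[int, bool]:
    """Trusted component T: hides the real query among n_tests test queries whose
    answers T computes itself (tiny exponents, so cheap), sent in random order so
    U' cannot tell which one matters. Returns (result, deviation detected)."""
    tests = [(rng.randrange(2, mod), rng.randrange(1, 8)) for _ in range(n_tests)]
    queries = tests + [(base, exp)]              # index n_tests is the real query
    order = list(range(n_tests + 1))
    rng.shuffle(order)                           # order in which T talks to U'
    answers = [0] * (n_tests + 1)
    for pos in order:                            # exactly one oracle call per query
        answers[pos] = u(queries[pos][0], queries[pos][1], mod)
    detected = any(answers[i] != pow(b, e, mod) for i, (b, e) in enumerate(tests))
    return answers[n_tests], detected

def honest_run(n_tests: int, seed: int = 1) -> Tuple[bool, bool]:
    """With the honest U: (result is correct, a deviation was flagged)."""
    rng = random.Random(seed)
    base, exp = rng.randrange(2, MOD), rng.randrange(1, MOD)
    result, detected = t_query(base, exp, MOD, honest_u, rng, n_tests)
    return result == pow(base, exp, MOD), detected

def detection_rate(n_tests: int, trials: int, seed: int = 1) -> float:
    """Empirical beta: fraction of runs in which T catches a U' that deviates once.
    The real query sits at a uniformly random position, so beta = n_tests/(n_tests+1)."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        u = cheating_once_u(rng, n_tests + 1)
        _, d = t_query(rng.randrange(2, MOD), rng.randrange(1, MOD), MOD, u, rng, n_tests)
        caught += d
    return caught / trials
```

On the α side of Definition 8, T's own work is n_tests exponentiations with exponents below 8 against the one full-size exponentiation that Alg performs, so raising β by adding test queries costs efficiency.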

38 Outline  Introduction  Definition of Security  Outsource-Secure Exponentiation Using Two Untrusted Programs  Outsource-Secure Encryption Using One Untrusted Program  Conclusion