Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.

Published byBruno Ferguson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran."— Presentation transcript:

1 1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran Tromer Slides credit: Vinod Vaikuntanathan (U. Toronto)

2 2 More on vulnerability exploitation

3 3 Case study: sudo format string vulnerability Report: http://www.sudo.ws/sudo/alerts/sudo_debug.htmlhttp://www.sudo.ws/sudo/alerts/sudo_debug.html

4 4 Case study: sudo format string vulnerability (cont.) Sourcecode: http://www.sudo.ws/sudo/download.htmlhttp://www.sudo.ws/sudo/download.html

5 5 Case study: sudo format string vulnerability (cont.) Sourcecode diff:

6 6 Case study: sudo format string vulnerability (cont.) Report: http://www.sudo.ws/sudo/alerts/sudo_debug.htmlhttp://www.sudo.ws/sudo/alerts/sudo_debug.html

7 7 Case study: MS06-040 buffer overrun Report: https://technet.microsoft.com/en-us/security/bulletin/ms06-040https://technet.microsoft.com/en-us/security/bulletin/ms06-040

8 8 Case study: MS06-040 buffer overrun (cont.) Report: https://technet.microsoft.com/en-us/security/bulletin/ms06-040https://technet.microsoft.com/en-us/security/bulletin/ms06-040

9 9 Case study: MS06-040 buffer overrun Report: https://technet.microsoft.com/en-us/security/bulletin/ms06-040https://technet.microsoft.com/en-us/security/bulletin/ms06-040

10 10 Understanding binary patches: BinDiff

11 11 Understanding binary patches: BinDiff (cont.)

12 12 Metasploit Framework Framework for vulnerability exploitation and penetration testing Capabilities –Library of exploit codes –Library of payloads (shells, VNC) –Victim fingerprinting –Opcode database (instruction addresses for various software versions) –Exploit encoding (avoiding special character, intrustion and intrusion detection systems) –Modular architecture, many add-ons –Powerful scriptable command-line interface –Convenient GUI and web interfaces

13 13 Metasploit Framework (cont.) http://www.metasploit.com/ Book: Kennedy, O’Gorman, Kearns, Aharoni, Metasplit: The Penetration Tester’s Guide (2011 edition) Numerous on-line tutorials –Example: https://www.youtube.com/watch?v=mrLaUaowt-whttps://www.youtube.com/watch?v=mrLaUaowt-w

14 14 Metasploit Framework: back to MS06-040 Demo: https://www.youtube.com/watch?v=mrLaUaowt-w

15 15 Fully Homomorphic Encryption Meanwhile, in theory-land…

16 The goal Delegate processing of data without giving away access to it 16 of 32

17 Example 1: Private Search Delegate PROCESSING of data without giving away ACCESS to it ► You: Encrypt the query, send to Google (Google does not know the key, cannot “see” the query) ► Google: Encrypted query → Encrypted results (You decrypt and recover the search results) 17 of 32

18 Example 2: Private Cloud Computing Delegate PROCESSING of data without giving away ACCESS to it (Input: x)(Program: P) Enc(x), P → Enc(P(x)) Encrypt x 18 of 32

19 Fully Homomorphic Encryption Encrypted x, Program P → Encrypted P(x) Definition: ( KeyGen, Enc, Dec, Eval ) (as in regular public/private-key encryption) – If c = Enc ( PK, x ) and c′ = Eval ( PK, c, P ),  Compactness: Length of c′ independent of size of P  Security = Semantic Security [GM82]  Correctness of Eval: For every input x, program P then Dec ( SK, c′ ) = P(x). 19 of 32

20 Fully Homomorphic Encryption Function f x Enc(x) Eval: f, Enc(x)  Enc(f(x)) homomorphic evaluation Knows nothing of x. [Rivest-Adleman-Dertouzos’78] 20 of 32

21 Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – their motivation: searching encrypted data 21 of 32

22 Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] ► Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data c 1 = m 1 e c 2 = m 2 e c n = m n e X c* = c 1 c 2 …c n = (m 1 m 2 …m n ) e mod N 22 of 32

23 – BGN’05 & GHV’10: quadratic formulas Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] ► Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data ► NON-COMPACT homomorphic encryption: – SYY’99 & MGH’08: c* grows exp. with degree/depth – IP’07 works for branching programs – Based on Yao garbled circuits 23 of 32

24 Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – using just integer addition and multiplication – their motivation: searching encrypted data ►Full course last semester ►Today: an alternative construction [DGHV’10]: Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & “ideal lattices” – easier to understand, implement and improve 24 of 32

25 Constructing fully-homomoprhic encryption assuming hardness of approximate GCD 25 of 32

26 A Roadmap 1. Secret-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) 2. Public-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) 3. Public-key FULLY Homomorphic Encryption (under approx GCD + sparse subset sum) (a simple transformation) (borrows from Gentry’s techniques) 26

27 Secret-key Homomorphic Encryption  Secret key: a large n 2 -bit odd number p  To Encrypt a bit b: – pick a random “large” multiple of p, say q·p – pick a random “small” even number 2·r – Ciphertext c = q·p+2·r+b  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit (q ~ n 5 bits) (r ~ n bits) “noise” (sec. param = n) 27

28 Secret-key Homomorphic Encryption  How to Add and Multiply Encrypted Bits: – Add/Mult two near-multiples of p gives a near-multiple of p. – c 1 = q 1 ·p + (2·r 1 + b 1 ), c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 )« p – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2 « p LSB = b 1 XOR b 2 LSB = b 1 AND b 2 28

29 Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted e-mail) – Consider c = qp+2r+b ← Enc(b) (q-1)pqp(q+1)p(q+2)p 2r+b – c (mod p) = r’ ≠ 2r+b r’ – lsb(r’) ≠ b 29

30 Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted e-mail)  Can perform “limited” number of hom. operations  What we have: “Somewhat Homomorphic” Encryption 30

31 Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 encryptions of 0 Δ – Wlog, assume that x 0 is the largest of them 31

32 c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t )  To Encrypt a bit b: pick random subset S [1…t] Δ c = p[ ] + 2[ ] + b (mod x 0 ) c = p[ ] + 2[ ] + b – kx 0 (for a small k) = p[ ] + 2[ ] + b (mult. of p) + (“small” even noise) + b 32

33 c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval: Reduce mod x 0 after each operation  To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 33

34 A Roadmap  Secret-key “Somewhat” Homomorphic Encryption  Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption 34

35 How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if d << n. f(x 1, …, x t ) = x 1 ·x 2 ·x d + … + x 2 ·x 5 ·x d-2 Final Noise ~ (2 n ) d +…+(2 n ) d = m(2 n ) d Say, noise in Enc(x i ) < 2 n or m terms 35

36 “Somewhat” HE“Bootstrappable” From “Somewhat” to “Fully” FHE = Can eval all fns. Theorem [Gentry’09]: Convert “bootstrappable” → FHE. Augmented Decryption ckt. Dec NAND c1c1 sk c2c2 36

37 Is our Scheme “Bootstrappable”? What functions can the scheme EVAL? Complexity of the (aug.) Decryption Circuit (?) Can be made bootstrappable – Similar to Gentry’09 Caveat: Assume Hardness of “Sparse Subset Sum” (polynomials of degree < n) (degree ~ n 1.73 polynomial) 37

38 Security (of the “somewhat” homomorphic scheme) 38

39 The Approximate GCD Assumption q 1 p+r 1 p? p q 1 ← [0…Q] r 1 ← [-R…R] odd p ← [0…P] (q 1 p+r 1,…, q t p+r t ) Assumption: no PPT adversary can guess the number p Parameters of the Problem: Three numbers P,Q and R 39

40 p? p Assumption: no PPT adversary can guess the number p Semantic Security [GM’82]: no PPT adversary can guess the bit b PK =(q 0 p+2r 0,{q i p+2r i }) Enc(b) =(qp+2r+b) = (proof of security) (q 1 p+r 1,…, q t p+r t ) 40

41 Progress in FHE ►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11] – asymptotically: nearly linear-time* algorithms ► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11] – practically: a few milliseconds for Enc, Dec [ LNV11,GHS11 ] *linear-time in the security parameter – Best Known [BGV11]: (leveled) FHE from worst-case hardness of n O(log n) -approx short vectors on lattices 41

42 Multi-key FHE Function f x1x1 c 1 = Enc(pk 1,x 1 ) x2x2 c 2 = Enc(pk 2,x 2 ) sk 1, pk 1 sk 2, pk 2 42

43 Multi-key FHE Function f x1x1 y = Eval(f,c 1,c 2 ) Dec(sk 1,sk 2 y)=f(x 1,x 2 ) Correctness: x2x2 sk 1, pk 1 sk 2, pk 2 Dec 43

44 Fully homomorphic encryption: discussion Assumptions –Mathematical –Adversarial model Applicability –Decryption? Keys? Alternative: multiparty computation –When interaction is free What about integrity? –Computationally-sound proofs, proof-carrying data 44

Download ppt "1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran."

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Cryptographic Multilinear Maps

Cryptographic Multilinear Maps
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana.

Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana.
FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Lattice-Based Cryptography

Lattice-Based Cryptography
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Similar presentations

Ads by Google