How to securely outsource cryptographic computations. Susan Hohenberger and Anna Lysyanskaya, TCC 2005.


1 How to securely outsource cryptographic computations. Susan Hohenberger and Anna Lysyanskaya, TCC 2005

2 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

3 Introduction
Device: a computationally limited device.
Helper: a potentially malicious, but much more computationally powerful device.
The device outsources its computation to the helper.

4 Introduction
[Diagram: Device and Helper. Labels: intelligent failures, input, advertised functionality, knowledge.]

5 Introduction
[Diagram: Device and Helper. Labels: unintelligent failures, malicious, bug, input.]

6 Introduction
We face a real challenge: have the helper do most computations for an honest device, without telling it anything about what it is actually doing.
[Diagram: Device and Helper. Labels: input, output, check.]

7 Introduction
• Definition of security for outsourced computation.
  - Efficiency
  - Checkability
• Securely outsource variable-exponent, variable-base modular exponentiation.
• Securely outsource a CCA2-secure variant of Cramer-Shoup encryption.

8 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

9 Definition
A cryptographic algorithm Alg is split into two components, T and U.
• T: a trusted component. Sees the input to Alg. Not very computationally intensive. T can make oracle queries to the second component U.
• U: an untrusted component. Carries out computation-intensive tasks.

10 Definition
[Diagram: Alg with its input and output, next to T with its input and output; T sends queries to U.]

11 Definition
• T securely outsources some work to U.
• (T, U) thereby form an outsource-secure implementation of a cryptographic algorithm Alg, if:
  - Alg = T^U.
  - T is given oracle access to a malicious U’ that records all of its computation over time and, every time it is invoked, tries to act maliciously.

12 Definition
• The input to Alg can be separated into two logical groups:
  - Protected inputs: inputs that should remain hidden from the untrusted software U’ at all times. (For example, keys and messages.)
  - Unprotected inputs: inputs that U’ is entitled to know if it is to be of any help in running Alg. (For example, if Alg is a time-stamping scheme, then U’ may need to know the current time.)
• Similarly, Alg has unprotected outputs, which U’ is entitled to find out, and protected outputs, which it is not.

13 Definition
Model the adversary A as consisting of two parts: E and U’.
• E: the adversarial environment. Submits adversarially chosen inputs.
• U’: the adversarial software, queried by T.
[Diagram: E, T and U’; two links are marked with an X.]

14 Definition
Model the adversary A as consisting of two parts: E (adversarial environment) and U’ (adversarial software, queried by T).
• E sees some of the protected inputs to Alg (AP). For example, E gets to see all of its own adversarial inputs to Alg.
• If U’ were able to see some values chosen by E, then E and U’ could agree on a joint strategy causing U’ to stop working upon receiving some predefined message from E.

15 Definition
• Inputs to Alg, by logical division:
  - Secret: information only available to T (for example, a secret key or a plaintext).
  - Protected: information only available to T and E (for example, a public key or a ciphertext).
  - Unprotected: information available to T, E and U’.
• The inputs are then further categorized based on whether they were generated:
  - Honestly
  - Adversarially

16 Definition
Inputs:
• Honest, secret inputs (HS)
• Honest, protected inputs (HP)
• Honest, unprotected inputs (HU)
• Adversarial, protected inputs (AP)
• Adversarial, unprotected inputs (AU)

17 Definition
Outputs:
• Secret outputs (S)
• Protected outputs (P)
• Unprotected outputs (U)

18 Definition
[Diagram: Alg with 5 inputs (HS, HP, HU, AP, AU) and 3 outputs (S, P, U).]

19 Definition
• Definition 1: Algorithm with outsource-IO
[Diagram: Alg with inputs HS, HP, HU (generated by an honest party) and AP, AU (generated by the environment E), and outputs S, P, U.]

20 Definition
The definition of outsource-security should prevent U’ from learning about the secret or protected inputs to T^U from being T’s oracle instead of U.
Simulator S_2: when told that T^U(x) was invoked, simulates the view of U’ without access to the secret or protected inputs of x.
This property ensures that U’ cannot intelligently choose to fail.

21 Definition
The definition of outsource-security should prevent E from gaining any knowledge about the secret values, even when T queries software U’ written by E.
Simulator S_1: when told that T^{U’}(x) was invoked, simulates the view of E without access to the secret inputs of x.
[Diagram labels: input HS; outputs S, P, U.]

22 Definition
• Definition 2: Outsource-security
Let Alg(·,·,·,·,·) be an algorithm with outsource-IO. A pair of algorithms (T, U) is said to be an outsource-secure implementation of an algorithm Alg if:
  - Correctness: T^U is a correct implementation of Alg.

23 Definition
• Definition 2: Outsource-security
  - Security: for all probabilistic polynomial-time adversaries A = (E, U’), there exist probabilistic expected polynomial-time simulators (S_1, S_2) such that the following pairs of random variables are computationally indistinguishable.
  - Let us say that the honestly-generated inputs are chosen by a process I.

24 Definition
• Definition 2: Outsource-security
Security, pair one: EVIEW_real ~ EVIEW_ideal (the external adversary, E, learns nothing).
EVIEW_real is the view that the adversarial environment E obtains by participating in the following REAL process:

25 Definition
[Diagram: round i of the REAL process, yielding EVIEW_real. Labels: 1^k, istate_{i-1}, istate_i, x_HS^i, x_HP^i, x_HU^i; estate_{i-1}, estate_i, j_i, stop_i, x_AP^i, x_AU^i; x_HS^{j_i}, x_HP^{j_i}, x_HU^{j_i}; T querying U’; tstate_{i-1}, tstate_i, ustate_{i-1}, ustate_i; y_S^i, y_P^i, y_U^i.]

26 Definition
E in round i (estate_i):
(0) The value of its estate_i variable, as a way of remembering what it did the next time it is invoked.
(1) Previously generated honest inputs (x_HS^{j_i}, x_HP^{j_i}, x_HU^{j_i}) to give to T^{U’}. (Note: E can specify the index j_i of these inputs, but not their values.)
(2) The adversarial protected input x_AP^i.
(3) The adversarial unprotected input x_AU^i.
(4) The Boolean variable stop_i that determines whether round i is the last round in this process.

27 Definition
• Definition 2: Outsource-security
The IDEAL process:

28 [Diagram: round i of the IDEAL process, yielding EVIEW_ideal. Labels: 1^k, istate_{i-1}, istate_i, x_HS^i, x_HP^i, x_HU^i; estate_{i-1}, estate_i, j_i, stop_i, x_AP^i, x_AU^i; astate_{i-1}, astate_i, y_S^i, y_P^i, y_U^i; x_HS^{j_i}, x_HP^{j_i}, x_HU^{j_i}; sstate_{i-1}, sstate_i, ustate_{i-1}, ustate_i; Y_P^i, Y_U^i, replace_i; z_P^i, z_U^i.]
Annotation: Shielded from the secret input x_HS^i, but given the non-secret outputs that Alg produces, decides to either output the values (y_P^i, y_U^i) or replace them with some values (Y_P^i, Y_U^i).

29 Definition
• Definition 2: Outsource-security
Security, pair two: UVIEW_real ~ UVIEW_ideal (the untrusted software, U’, learns nothing).
UVIEW_real is the view that the untrusted software U’ obtains by participating in the REAL process described in part one: UVIEW_real = ustate_i if stop_i = TRUE.

30 Definition
[Diagram: round i of the REAL process, yielding UVIEW_real. Labels: 1^k, istate_{i-1}, istate_i, x_HS^i, x_HP^i, x_HU^i; estate_{i-1}, estate_i, j_i, stop_i, x_AP^i, x_AU^i; x_HS^{j_i}, x_HP^{j_i}, x_HU^{j_i}; T querying U’; tstate_{i-1}, tstate_i, ustate_{i-1}, ustate_i; y_S^i, y_P^i, y_U^i.]

31 Definition
• Definition 2: Outsource-security
The IDEAL process:

32 [Diagram: round i of the IDEAL process, yielding UVIEW_ideal. Labels: 1^k, istate_{i-1}, istate_i, x_HS^i, x_HP^i, x_HU^i; estate_{i-1}, estate_i, j_i, stop_i, x_AP^i, x_AU^i; astate_{i-1}, astate_i, y_S^i, y_P^i, y_U^i; x_HS^{j_i}, x_HP^{j_i}, x_HU^{j_i}; sstate_{i-1}, sstate_i, ustate_{i-1}, ustate_i; y_P^{i-1}, y_U^{i-1}.]
Annotation: Equipped with only the unprotected inputs (x_HU^i, x_AU^i), queries U’.

33 Definition
[Diagram labels: Input H, Input A, Output.]

34 Definition
• Remark 3: The states of all algorithms, i.e., I, E, U’, T, S_1, S_2, in the security experiments above are initialized to empty.
• Remark 4: For any outsource-secure implementation, the adversarial, unprotected input x_AU must be empty.
• Remark 5: No security guarantee is implied in the event that the environment E and the software U’ are able to communicate without passing messages through T.

35 Definition
• Definition 6: α-efficient, secure outsourcing
A pair of algorithms (T, U) are an α-efficient implementation of an algorithm Alg if:
  - They are an outsource-secure implementation of Alg.
  - For all inputs x, the running time of T ≤ an α-multiplicative factor of the running time of Alg(x).
  - The notion considers only T’s computational load compared to that of Alg.

36 Definition
• Definition 7: β-checkable, secure outsourcing
A pair of algorithms (T, U) are a β-checkable implementation of an algorithm Alg if:
  - They are an outsource-secure implementation of Alg.
  - For all inputs x, if U’ deviates from its advertised functionality during the execution of T^{U’}(x), T will detect the error with probability ≥ β.

37 Definition
• Definition 8: (α,β)-outsource-security
A pair of algorithms (T, U) are an (α,β)-outsource-secure implementation of an algorithm Alg if they are both α-efficient and β-checkable.
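
The following is an added example, not taken from the slides or the paper: a toy fixed-base exponentiation in which T hides a secret exponent x from the oracle and mixes one test query with the real one, so that the detection probability β of Definition 7 can be measured. The group parameters P, Q, G, the fault model in make_faulty_u and all function names are assumptions made for illustration; this is not the Hohenberger-Lysyanskaya construction.

```python
import random

# Constructed toy group: P = 2*Q + 1 (both prime), G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def honest_u(e):
    """Advertised functionality of U: return G^e mod P."""
    return pow(G, e, P)

def make_faulty_u():
    """Hypothetical U': keeps state across calls, corrupts the first of every two queries."""
    count = 0
    def u_prime(e):
        nonlocal count
        count += 1
        y = pow(G, e, P)
        return y * G % P if count % 2 == 1 else y
    return u_prime

def t_exp(x, u, rng):
    """T: compute G^x mod P for secret x via oracle u; None means a fault was detected."""
    r, t = rng.randrange(Q), rng.randrange(Q)
    # Stand-in for pairs (k, G^k) that T is assumed to have precomputed offline.
    g_r, g_t = pow(G, r, P), pow(G, t, P)
    d = (x - r) % Q                      # uniform in Z_Q, so it reveals nothing about x
    queries = [("real", d), ("test", t)]
    rng.shuffle(queries)                 # U' cannot tell which query is the test
    answers = {tag: u(e) for tag, e in queries}
    if answers["test"] != g_t:           # the check behind beta-checkability
        return None
    return g_r * answers["real"] % P     # G^r * G^(x-r) = G^x

def estimate_beta(trials=4000, seed=1):
    """Fraction of runs in which T catches the faulty U'."""
    rng = random.Random(seed)
    u_prime = make_faulty_u()
    caught = sum(t_exp(rng.randrange(Q), u_prime, rng) is None for _ in range(trials))
    return caught / trials

if __name__ == "__main__":
    rng = random.Random(0)
    print(t_exp(777, honest_u, rng) == pow(G, 777, P), estimate_beta())
```

Because the test and real queries are both uniform and arrive in random order, a U’ that corrupts one of the two is caught about half the time; every run that is not caught returns a wrong value, which is why β matters alongside α.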

38 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

39 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

40 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

