
How to securely outsource cryptographic computations. Susan Hohenberger and Anna Lysyanskaya, TCC 2005.


1 How to securely outsource cryptographic computations
Susan Hohenberger and Anna Lysyanskaya
TCC 2005

2 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

3 Definition
[Diagram: Alg with its inputs and output; labels on the figure: Input HS, HP, HU, AP, AU; Output S, P, U]

4 Definition
[Diagram: labels on the figure: Input H, Input A, Output]

5 Definition
• Definition 8: (α,β)-outsource-security
  A pair of algorithms (T, U) are an (α,β)-outsource-secure implementation of an algorithm Alg if they are both α-efficient and β-checkable.

6 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

7 Outsource-Secure Exponentiation Using Two Untrusted Programs
• To compute a variable-exponent, variable-base exponentiation modulo a prime by combining two previous approaches to this problem:
  - Preprocessing to speed up offline exponentiations.
  - Untrusted server-aided computation.

8 Outsource-Secure Exponentiation Using Two Untrusted Programs
• Provide a technique for computing and checking the result of a modular exponentiation using two untrusted exponentiation boxes U' = (U1', U2').
• U1' and U2' cannot communicate with each other after deciding on an initial strategy.
• At most one of them can deviate from its advertised functionality on a non-negligible fraction of the input.

9 Outsource-Secure Exponentiation Using Two Untrusted Programs
• This algorithm
  - reveals no more information than the size of the input.
  - reduces the running time to O(lg n) multiplications for an n-bit exponent, an asymptotic improvement over the 1.5n multiplications needed to compute an exponentiation using square-and-multiply.
  - ensures that an error in the output is detected with probability ½.
  - is an (O(lg n / n), ½)-outsource-secure exponentiation implementation.

10 Outsource-Secure Exponentiation Using Two Untrusted Programs
• In the two untrusted program model
  - Adversarial environment
  - Adversarial software written by E
• The one-malicious version of this model
  - At most one of the programs U1', U2' deviates from its advertised functionality on a non-negligible fraction of the inputs, but we do not know which one.

11 Outsource-Secure Exponentiation Using Two Untrusted Programs

12 Outsource-Secure Exponentiation Using Two Untrusted Programs

13 Outsource-Secure Exponentiation Using Two Untrusted Programs

14 Rand1, Rand2
• Rand1, Rand2: algorithms for computing (b, g^b mod p) pairs
• Rand1 is initialized by a prime p and a base g_3; it must produce a random, independent pair (b, g_3^b mod p).
• Rand2 is initialized by a prime p and two bases g_1, g_2; it must produce triplets (b, g_1^b mod p, g_2^b mod p).

15 Rand1, Rand2
• Naïve approach
  - A trusted server to compute a table of random, independent pairs
  - Load it into T's memory.

16 Rand1, Rand2
• Preprocessing technique: Schnorr's algorithm
  - Given a small set of truly random (k, g^k) pairs as input, it produces a long series of nearly random (r, g^r) pairs.
  - The output of Schnorr's algorithm is too dependent.

17 Rand1, Rand2
• Preprocessing technique: EBPV generator
  - Takes a subset of truly random (k, g^k) pairs and combines them with a random walk on expanders on Cayley graphs to reduce the dependency of the pairs in the output sequence.
  - The EBPV generator, secure against adaptive adversaries, runs in time O(lg^2 n) for an n-bit exponent.
  - The output distribution of the EBPV generator is statistically close to the uniform distribution.

18 Exp
• Exp: Outsource-Secure Exponentiation Modulo a Prime
  - T outsources its exponentiation computations by invoking U1 and U2.
  - Let primes p and q be global parameters, where Z_p* has order q.
  - Exp takes as input a ∈ Z_q, u ∈ Z_p*, and outputs u^a mod p.

19 Exp
[Diagram: Exp with Input a, Input u, Input p, Input q, Input gp and Output u^a; labels on the figure: HS, HP, AP; HP, AP; S, P; Global parameters; HU]
• No AU inputs.
• All S, P inputs are computationally blinded before being sent to U1 or U2.

20 Exp
• T runs Rand1 twice to create two blinding pairs. and
• Denote
• Goal: logically break u and a into random-looking pieces that can then be computed by U1 and U2.

21 Exp
• First, u is hidden by
• T selects two blinding elements d ∈ Z_q and f ∈ G at random.
• Second, a is hidden by

22 Exp
• T fixes two test queries per program by running Rand1 to obtain
• T queries U1 in random order as
• T queries U2 in random order as

23 Exp
• Finally, T checks that the test queries to U1 and U2 both produce the correct outputs g^(t_1) and g^(t_2).
  - If not, T outputs "ERROR".
  - Otherwise, T multiplies the real outputs of U1 and U2 with v^b to compute u^a as
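
The formulas on slides 20 to 23 did not survive in this transcript, so the following is a runnable sketch of T's side of Exp, added here as an example and not code from the presentation. The splits u = v·w, a = b + c = d + e, v = f·h and the test queries (t/r, g^r) follow the Hohenberger-Lysyanskaya paper as recalled here and should be read as assumptions. Also assumed: the toy group (p = 2039, q = 1019, g = 4), sampling f by squaring, all helper names, and a rand1 that computes its pairs directly instead of using a table or the EBPV generator.

```python
import secrets

# Constructed toy group (assumption): P = 2Q + 1, G = 4 generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4
rng = secrets.SystemRandom()

def rand1():
    """Stand-in for Rand1: a fresh pair (b, G^b mod P) with b invertible mod Q."""
    b = 1 + secrets.randbelow(Q - 1)
    return b, pow(G, b, P)

def honest(x, y):
    """An exponentiation box that follows its advertised functionality: y^x mod P."""
    return pow(y, x, P)

def outsource_exp(a, u, U1=honest, U2=honest):
    """T's side of Exp: returns u^a mod P, or "ERROR" if a test query fails."""
    (alpha, v), (beta, vb) = rand1(), rand1()      # v = g^alpha, v^b = g^beta
    b = beta * pow(alpha, -1, Q) % Q
    w, c = u * pow(v, -1, P) % P, (a - b) % Q      # u = v*w, a = b + c: hides u
    d = secrets.randbelow(Q)
    f = pow(1 + secrets.randbelow(P - 1), 2, P)    # random element of the subgroup
    h, e = v * pow(f, -1, P) % P, (a - d) % Q      # v = f*h, a = d + e: hides a
    tests = []
    for _ in range(2):
        (t, gt), (r, gr) = rand1(), rand1()
        tests.append((t * pow(r, -1, Q) % Q, gr, gt))  # ask (t/r, g^r), expect g^t
    result = vb
    for U, real in ((U1, [(d, w), (c, f)]), (U2, [(e, w), (c, h)])):
        queries = [(x, y, None) for x, y in real] + tests
        rng.shuffle(queries)                       # tests are mixed in at random
        for x, y, expected in queries:
            out = U(x, y)
            if expected is None:
                result = result * out % P          # real output: fold into v^b
            elif out != expected:
                return "ERROR"
    return result

def detection_rate(trials=2000):
    """Share of runs caught when U1 corrupts only the first query it is sent."""
    caught = 0
    for _ in range(trials):
        seen = []
        def cheat(x, y):
            seen.append(x)
            return honest(x, y) * (G if len(seen) == 1 else 1) % P
        caught += outsource_exp(5, G, U1=cheat) == "ERROR"
    return caught / trials
```

`detection_rate()` comes out near 0.5, matching the ½-checkability stated in the analysis; in the runs that are not caught, the value returned by `outsource_exp` is wrong.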

24 Correctness and Security
• Theorem: In the one-malicious model, the above algorithms (T, (U1, U2)) are an outsource-secure implementation of Exp, where the input (a, u) may be HS, HP or AP.
• Correctness
  - Straightforward.
• Security
  - Let A = (E, U1', U2') be a PPT adversary that interacts with a PPT algorithm T in the two untrusted program model.
  - Part one: EVIEW_real ~ EVIEW_ideal (the external adversary E learns nothing).
  - Part two: UVIEW_real ~ UVIEW_ideal (the untrusted software (U1, U2) learns nothing).

25 Correctness and Security
• PPT simulator
  - Make four random queries of the form (α_j ∈ Z_q, β_j ∈ Z_p*) to both U1' and U2'.
  - S1 randomly tests two outputs from each program (i.e. β_j^(α_j)).
[Diagram: test inputs and test outputs]

26 Correctness and Security
• If an error is detected
  - S1 saves the state
  - Outputs Y_P^i = "ERROR", Y_U^i = ψ, replace^i = 1.
• If no error is detected, S1 checks the remaining four outputs
  - If all checks pass
    S1 outputs Y_P^i = ψ, Y_U^i = ψ, replace^i = 0.
  - Otherwise
    S1 selects a random element r ∈ Z_p*
    S1 outputs Y_P^i = r, Y_U^i = ψ, replace^i = 1.

27 Correctness and Security
• The input distributions to (U1', U2') in the real and ideal experiments are computationally indistinguishable.
• In the ideal experiment, the inputs are chosen uniformly at random.

28 Correctness and Security
• In the real experiment, each part of each query T makes to any one program is first independently re-randomized, where these re-randomization factors are either
  - truly random, or
  - computationally indistinguishable from random (assumption of the EBPV generator).

29 Correctness and Security
• Three possible scenarios to consider.
  - If (U1', U2') behave honestly in the i-th round:
    EVIEW_real^i ~ EVIEW_ideal^i
    In the real experiment, T(U1', U2') perfectly executes Exp.
    In the ideal experiment, S1 chooses not to replace the output of Exp.
  - If one of (U1', U2') gives an incorrect output in the i-th round:
    Both T and S1 detect this with probability ½, resulting in an output of "ERROR".

30 Correctness and Security
• Three possible scenarios to consider.
  - Otherwise:
    (U1', U2') will actually succeed in corrupting the output of Exp.
    In the real experiment, the four real outputs are multiplied together along with a random value, so the output of Exp is corrupted but looks random to E.
    In the ideal experiment, S1 replaces the output of Exp with a random value when an attempt to cheat by (U1', U2') would have gone undetected by T in the real experiment.

31 Correctness and Security
• S2 is similar to S1.
• S2 makes four random queries of the form (α_j ∈ Z_q, β_j ∈ Z_p*) to both U1' and U2'.
• In the real experiment, T always re-randomizes his inputs to (U1', U2') using six Rand1 pairs.
• In the ideal experiment, S2 always creates random independent queries for (U1', U2').

32 Correctness and Security
• Even when one of (U1', U2') behaves dishonestly in the i-th round,
  - EVIEW_real^i ~ EVIEW_ideal^i
  - UVIEW_real^i ~ UVIEW_ideal^i
• By a hybrid argument
  - EVIEW_real ~ EVIEW_ideal
  - UVIEW_real ~ UVIEW_ideal

33 Analysis
• In the one-malicious model, the above algorithms (T, (U1, U2))
  - are an O(lg^2 n / n)-efficient implementation of Exp.
  - are a ½-checkable implementation of Exp.
  - are an (O(lg^2 n / n), ½)-outsource-secure implementation of Exp.

34 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

35 Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

