1 How to securely outsource cryptographic computations
Susan Hohenberger and Anna Lysyanskaya
TCC 2005
2 Outline
Introduction
Definition of Security
Outsource-Secure Exponentiation Using Two Untrusted Programs
Outsource-Secure Encryption Using One Untrusted Program
Conclusion
5 Outsource-Secure Encryption Using One Untrusted Program
8 [Figure: diagram labelled Input, Output, Enc, Dec, Com]
The speed-up is for encryption only, not decryption.
9 Com: Efficient, Statistically-Hiding Commitments
Commit Scheme
Stage 1: Commit stage. The sender locks a message in a box and sends the locked box to the receiver.
Stage 2: Decommit stage. The sender provides the receiver with the key to the box, thus enabling him to learn the original message.
10 Com
Use Halevi and Micali's commitment scheme based on collision-free hash functions: "Practical and provably-secure commitment schemes from collision-free hashing", Crypto '96, 1996.
HF: $\{0,1\}^{O(k)} \to \{0,1\}^{k}$, a family of universal hash functions.
MD: $\{0,1\}^{*} \to \{0,1\}^{k}$, a collision-free hash function.
11 Com
Given any value $m \in \{0,1\}^{*}$ and security parameter $k$:
Compute $s = MD(m)$.
Pick $h \in HF$ and $x \in \{0,1\}^{O(k)}$ at random, so that $h(x) = s$.
Compute $y = MD(x)$.
One can construct $h$ by randomly selecting $A$ and computing $b = s - Ax$ modulo a prime set in HF.
The commitment is $\psi_C = (y, h)$.
The decommitment is $\psi_D = (x, m)$.
12 CCA2 and Outsource-security of $T^U$ Encryption
Theorem: $T^U$ is secure against adaptive chosen-ciphertext attack (CCA2), assuming the CCA2-security of Cramer-Shoup encryption and the security of the Halevi-Micali commitment scheme.
13 CCA2 and Outsource-security of $T^U$ Encryption
Suppose there exists a PPT adversary A that succeeds in adaptive chosen-ciphertext attacks against $T^U$ with probability $\ge 1/2 + 1/\mathrm{poly}(k)$.
We build an adaptive adversary S that uses A to distinguish between original CS encryptions with non-negligible probability.
Let O be the original CS challenge oracle.
14 CCA2 and Outsource-security of $T^U$ Encryption
Stage 1: Public Key
O gives $PK = (B, C, D)$ to S, where $B = g_1^{x_1} g_2^{x_2}$, $C = g_1^{y_1} g_2^{y_2}$, $D = g_1^{z}$.
S selects a random element $z' \in Z_q$, computes $D' = g_1^{z'}$, and sends $PK' = (B, C, D')$ as input to A.
15 CCA2 and Outsource-security of $T^U$ Encryption
Stage 2: Decryption Queries
A queries S to decrypt the ciphertext $\tau_i = (u_{1i}, u_{2i}, e_i, v_i, \psi_{Ci})$, $\psi_{Di}$.
S checks $(\psi_{Ci}, \psi_{Di})$. If it is valid, S decommits to $(\beta_i \| t_i \| x_{1i} \| y_{1i} \| z_i)$. If not, S returns "invalid" to A.
S computes $\kappa_i = H(u_{1i}, u_{2i}, e_i, \psi_{Ci})$ and $v_i' = v_i \, u_{1i}^{-(x_{1i} + \kappa_i y_{1i})}$.
S sends the altered ciphertext $\tau_i' = (u_{1i}, u_{2i}, e_i, v_i', \psi_{Ci})$ to O.
16 CCA2 and Outsource-security of $T^U$ Encryption
Stage 2: Decryption Queries
If O claims that $\tau_i'$ is an invalid ciphertext, then S tells A that $(\tau_i, \psi_{Di})$ was invalid.
Otherwise, O returns the value $e_i / u_{1i}^{z}$.
If $\tau_i$ was a proper ciphertext, then $e_i = u_{1i}^{z + z' + z_i} w_i$ for some $w_i$.
Thus, the value O returned to S is actually $u_{1i}^{z' + z_i} w_i$.
Since S knows $u_{1i}^{z' + z_i}$, it computes $w_i$ and returns the message $m_i = \beta_i / w_i$ to A.
17 CCA2 and Outsource-security of $T^U$ Encryption
Stage 3: Challenge Encryption
After A completes its first set of decryption queries, it gives S two challenge messages $m_0, m_1 \in G$ with a tag $t \in \{0,1\}^{*}$.
S wishes to send dependent challenge messages to O: S sends challenge messages $w_0, w_1$ with tag $\psi_C$ to O.
S selects random elements $\beta \in G$ and $x_1', y_1' \in Z_q$.
S computes $w_0 = \beta / m_0$ and $w_1 = \beta / m_1$.
$(\psi_C, \psi_D) = Com(\beta \| t \| x_1' \| y_1' \| -z')$, where $-z'$ is the additive inverse of the value $z'$ from Stage 1.
18 CCA2 and Outsource-security of $T^U$ Encryption
Stage 3: Challenge Encryption
O chooses one of the messages $w_b$ at random and sends the corresponding ciphertext $\tau_b = (u_1, u_2, e_b, v_b, \psi_C)$ to S.
S computes $\kappa = H(u_1, u_2, e_b, \psi_C)$ and $v_b' = v_b \, u_1^{-(x_1' + \kappa y_1')}$.
S sends the modified ciphertext $(\tau_b' = (u_1, u_2, e_b, v_b', \psi_C), \psi_D)$ to A.
19 CCA2 and Outsource-security of $T^U$ Encryption
Stage 3: Challenge Encryption
Looking closer at this ciphertext, we see that it is always a well-formed encryption of either $m_0$ or $m_1$ with tag $\psi_C$ under $PK'$.
The key trick here is that although the value $-z$ was selected in Stage 1, it remained hidden from A until Stage 3.
Now, $e_b = u_1^{z} w_b$.
Provided that the simulation in Stage 4 is perfect, S will succeed in distinguishing encryptions of $(w_0, w_1)$ with the same success probability as A on $(m_0, m_1)$.
20 CCA2 and Outsource-security of $T^U$ Encryption
Stage 4: More Decryption Queries
S provides the challenge ciphertext $(\tau_b', \psi_D)$ to A.
S must continue to answer decryption queries posed by A for any ciphertext that differs from $(\tau_b', \psi_D)$ in at least one bit.
On queries of the form $(\tau_i = (u_{1i}, u_{2i}, e_i, v_i, \psi_{Ci}), \psi_{Di}) \ne (\tau_b', \psi_D)$, S and O act just as in Stage 2.
S uses O's response to compute $m_i$.
21 CCA2 and Outsource-security of $T^U$ Encryption
Stage 4: More Decryption Queries
We have two possible cases:
Case 1: $\tau_b' \ne \tau_i$. O's challenge ciphertext $\tau_b$ is a deterministic function of $\tau_b'$. When modifying A's query, S obtains a ciphertext under PK that differs from $\tau_b$. S can successfully decrypt $(\tau_i, \psi_{Di})$ by making a query to O.
Case 2: $\tau_b' = \tau_i$ and $\psi_D \ne \psi_{Di}$. This scenario is not possible.
22 CCA2 and Outsource-security of $T^U$ Encryption
Stage 5: Guess
A guesses which message, $m_0$ or $m_1$, is encoded in the challenge ciphertext $(\tau_b', \psi_D)$.
Upon receiving A's guess $m_{b'}$, S immediately sends to O a guess of $w_{b'}$ as the encrypted contents of $\tau_b$.
S and A succeed with exactly the same probability.
24 Conclusion Model. Multi-server-Aided under this model. Braid group + Server-Aided.