Presentation is loading. Please wait.

Presentation is loading. Please wait.

Background on security

Published byKelley Melton Modified over 8 years ago

Similar presentations

Presentation on theme: "Background on security"— Presentation transcript:

1 Background on security

2 Definition of security
Attacker’s knowledge/capability The attacker observes a set of encrypted values only – Ciphertext-only attack (COA) Suitable for most real life applications The attacker can generate the encrypted values of any plaintext of his choice – chosen-plaintext attack (CPA) Baseline for public key cryptosystem. The attacker can use the public key to generate as many as he wants Attacker’s goal To derive information about the plaintext, any information is fine – semantic security E.g., knowing one’s salary > 50k/month but not exact value may be a security concern (A malicious data mining service provider) To return a wrong answer to the user - integrity

3 Some facts There isn’t really a formal method to prove the security against COA People prefer provable security There is always a brute-force attack w.r.t. CPA Try all the keys and find the one that matches all plaintext-ciphertext pairs. Security under CPA means the attack is a (proven) hard problem

4 Views from crypto We do not know what the attacker knows
Better prepare for the worst Require provable semantic security under a strong attack model (at least CPA)

5 Semantic security Definition: no information about the plaintext (except the size) is leaked to the attacker An proven equivalent definition – indistinguishability (IND) Given two encrypted values, the attacker cannot distinguish them Remark: Semantic security under CPA is often written as IND-CPA

6 Security game IND-XXX can be modeled as a game
The attacker generates two messages m0 and m1 and send them to the key owner The key owner randomly chooses 1 message and encrypts it, c = E(mi) With c, the attacker guesses which plain message c corresponds to Secure if Pr(guess correct) <= ε Where ε is a negligible value, often in the form of 1/xk Note: x is a constant, k is key length

7 Security vs performance
In general (but not proven), a more secure scheme is more expensive Fact 1: Non-deterministic encryption must be required for semantic security Deterministic encryption E(x1) = E(x2) iff x1 = x2 One-to-one mapping Onto function most of the time Simple attack The attacker generates g0 = E(m0), g1 = E(m1) If gi = c, answer i Pr(guess correct) = 100% 1 a 1 2 b 2 3 c 3 d

8 Security vs performance
Non-deterministic encryption One-to-many mapping Problem: Ciphertext is longer Storage cost and processing cost are thus higher 1 a 1 b c d 2 2 e f g 3 3 h

9 Example RSA is a deterministic function RSA is not semantic secure
Public key: <e, n>, private key <d, n> E(x) = xe mod n D(y) = yd mod n RSA is not semantic secure

10 RSA with padding When the industry refer to RSA, is it actually RSA with padding The padding scheme is optimal asymmetric encryption padding (OAEP) Proven IND-CCA2 (a high security definition) Example of simpler padding Encryption: Input: m Generate random r Let c = r xor m Ciphertext: c||E(r) Decryption y = c||E(r) Recover r from D(E(r)) Decrypted message: m = c xor r This padding doubles the size of an encrypted value

11 Secure database (SDB) problem
Data Owner (DO) Service provider (SP) DB DB Database should be encrypted Compute query on encrypted data Query Query Return an encrypted answer Answer Answer

12 (In)-feasibility of IND in SDB problem
Security game: The attacker generates two queries q0 and q1 and send them to the DO The DO randomly chooses 1 query and executes it with SP The (encrypted) result r is observed by the attacker With r, the attacker guesses which query r corresponds to

13 Attacker’s strategy Pick q0 = “SELECT count(*)” Pick q1 = “SELECT *”
If r is just an encrypted value, it is q0 If r is a table, it is q1 To prevent the above attack, at least make the query results indistinguishable by its size  each query result is at least Ω(n) where n is number of tuples Decryption cost by DO is then Ω(n) - not better than computing the query using a linear scan

14 Remark: Fully homormophic encryption with IND-CPA in SDB
Selection processing requires the SP to observe whether an encrypted tuple satisfies the query condition or not All operations in terms of circuit can be supported (AND, OR, NOT) All input and output are encrypted Cannot jump to an encrypted address Discussion paper: Shiyuan Wang, Divyakant Agrawal, and Amr El Abbadi. Is homomorphic encryption the holy grail for database queries on encrypted data? Technical report, Department of Computer Science, UCSB 2012

15 Implication of knowing the result of a branch operation
Unknown process Jump to b Jump to a Plain data: 10, 20, 21, 22, 23 Plain data: 24, 27, 28, 29, 40 Knowledge of plaintext from CPA

16 Implication of knowing the result of a branch operation
Attack: Pick a = 50, b = 7 Unknown process Attacker answer: c = a Jump to b Jump to a Plain data: 10, 20, 21, 22, 23 Plain data: 24, 27, 28, 29, 40 E(c)

17 Re-writing the query may help
If (x>10) { y = 20; } else { y = 100; } r = cmp_grt(x, 10) // return 1 if x > 10, 0 otherwise y = * r Cannot solve all problems!

18 Leakage of knowing branch result in practice
Assume now we allow the SP to observe the branch (i.e., comparison) results, what kind of information is leaked? Locality of data Derived knowledge – COA: 1. q2  q1 2. q2  t1[Y], t3[Y]  q1 3. t5[Y]  t1[Y], t3[Y] t9[Y] Result of cmp(Y, E(q1)) E(t1) E(t3) E(t5) E(t7) E(t10) Result of cmp(Y, E(q2)) E(t1) E(t3) E(t9) E(t13) So, we just protect the exact values in our scheme. And the use of index may make sense

19 Another way to prove IND (in SMC)
Proof by simulation Background Each party received several messages from the other party Can they use these information to observe anything about the other party? Alice: Secret x = 3 Bob: Secret y = 7 Secure sum Result: x+y = 10

20 Simulation Say Bob is the attacker now
Is there any difference on the messages Bob received if Alice provides different input? Indistinguishable Alice: Secret x = 3 Bob: Secret y = 7 Secure sum Result: x+y = 10

21 Secure Sum Public parameter: n=100 Alice: Secret x = 3 Bob:
Secret y = 7 Generate r1 = 70 Send m1 = r1+x mod n= 73 Generate r2 = 50 Send m2 = r2+y+m1 mod n= 30 Keep m2-r1 as share Alice: Secret a = 60 Bob: Secret b = 50 Keep r2 as share Result: x+y = 10

22 Bob’s view Public parameter: n=100 Bob: Secret y = 7 Simulation:
For any value of x Generate r1’ = m1 – x mod n The message m1 can be generated Send m1 = r1+x mod n= 73 Simulation succeeds. This protocol is secure w.r.t. IND. Result: x+y = 10

23 A not secure example Note: since it must be a specific XA so that YA = gXA Simulation fails. Observed: YA, XB How to derive XA? Bob Key agreement protocol Public parameters: p, g Note: This protocol is not for protecting parties’ input from the other party

24 Relaxed security definition
Also the approach of our paper Bounded leakage of protocols Can be proven by the simulations Used a lot by Chris Clifton from Purdue University Jaideep Vaidya and Chris Clifton, Secure Set Intersection Cardinality with Application to Association Rule Mining, JCS 13(4), 2005. Jaideep Vaidya and Chris Clifton, Privacy-Preserving K-Means Clustering over Vertically Partitioned Data, SIGKDD, 2003. Murat Kantarcioglu and Chris Clifton, Privacy Preserving Data Mining of Association Rules on Horizontally Partitioned Data, TKDE 16(9), 2004.

25 Proof of relaxed definition
Attacker’s knowledge Its own input Messages in the protocol Leaked knowledge If the above is enough to simulate the execution of the protocol, there is not other information leak Then, argue the leaked knowledge is not very harmful

Download ppt "Background on security"

Similar presentations

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google