1 / 24

How to securely outsource cryptographic computations

How to securely outsource cryptographic computations. Susan Hohenberger and Anna Lysyanskaya TCC2005. Outline. Introduction Definition of Security Outsource-Secure Exponentiation Using Two Untrusted Programs Outsource-Secure Encryption Using One Untrusted Program Conclusion. Outline.

allener
Télécharger la présentation

How to securely outsource cryptographic computations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005

  2. Outline • Introduction • Definition of Security • Outsource-Secure Exponentiation Using Two Untrusted Programs • Outsource-Secure Encryption Using One Untrusted Program • Conclusion

  3. Outline • Introduction • Definition of Security • Outsource-Secure Exponentiation Using Two Untrusted Programs • Outsource-Secure Encryption Using One Untrusted Program • Conclusion

  4. Outline • Introduction • Definition of Security • Outsource-Secure Exponentiation Using Two Untrusted Programs • Outsource-Secure Encryption Using One Untrusted Program • Conclusion

  5. Outsource-Secure Encryption Using One Untrusted Program

  6. Outsource-Secure Encryption Using One Untrusted Program

  7. Outsource-Secure Encryption Using One Untrusted Program

  8. Outsource-Secure Encryption Using One Untrusted Program Input Com Input Output Dec Enc The speed-up is for encryption only, not decryption.

  9. Com • Com: Efficient, Statistically-Hiding Commitments • Commit Scheme • Stage 1 – Commit stage • The Sender locks a message in a box, and sends the locked box to the receiver. • Stage 2 – Dec-commit stage • The sender provides the receiver with the key to the box, thus enabling him to learn the original message.

  10. Com • Use Halevi and Micali’s commitment scheme based on collision-free hash function. • Practical and provably-secure commitment schemes from collision-free hashing. Crypto ’96, 1996. • HF: {0, 1}O(k) → {0, 1}k • A family of universal hash function. • MD: {0, 1}* → {0, 1}k • A collision-free hash function.

  11. Com • Given any value m ∈ {0, 1}* and security parameter k. • Compute s = MD(m). • Pick h ∈ HF and x ∈ {0, 1}O(k) at random, so that h(x) = s. • y = MD(x) • One can construct h by randomly selecting A and computing b = s – Ax modulo a prime set in HF. • The commitment ψC = (y, h) • The decommitment ψD = (x, m)

  12. CCA2 and Outsource-security of TU Encryption • Theorem: TU is secure against adaptive chosen-ciphertext attack (CCA2) assuming the CCA2-security of Chamer-Shoup encryption and the security of the Halevi-Micali commitment scheme.

  13. CCA2 and Outsource-security of TU Encryption • There exist a PPT adversary A • Succeeds in adaptive chosen-ciphertext attacks against TUwith probability ≧ ½ + 1/poly(k). • We build an adaptive adversary S • Uses A to distinguish between original CS Enc with non-negligible probability. • Let O be the original CS challenge oracle.

  14. CCA2 and Outsource-security of TU Encryption • Stage 1: Public Key • O givens PK = (B, C, D) to S. • B = g1x1g2x2, C = g1y1g2y2, D = g1z. • S selects a random element z’ ∈ Zq, compute D’ = g1z’, and sends PK’ = (B, C, D’) as input to A.

  15. CCA2 and Outsource-security of TU Encryption • Stage 2: Decryption Queries • A queries S to decrypt ciphertext • τi = (u1i, u2i, ei, vi, ψCi), ψDi • S checks (ψCi, ψDi) • If it is valid, then decommit (βi || ti || x1i || y1i || zi). • If not, S return “invalid” to A. • S computes • κi = H(u1i, u2i, ei, ψCi) • vi’ = viu1i-(x1i+κiy1i) • S sends the altered ciphertext τi’ = (u1i, u2i, ei, vi’, ψCi) to O.

  16. CCA2 and Outsource-security of TU Encryption • Stage 2: Decryption Queries • If O claims the τi’ is an invalid ciphertext, then S tell A that (τi,ψDi) was invalid. • o.w., O returns a value ei / u1iz. • If τi was a proper ciphertext, then ei = u1iz+z’+ziwi for some wi. • Thus, the value O returned to S is actually u1iz’+ziwi. • Since, S knows u1iz’+zi, it computes wi and returns the message mi = βi / wi to A.

  17. CCA2 and Outsource-security of TU Encryption • Stage 3: Challenge Encryption • After A completes its first set of decryption queries, it gives S two challenge message m0, m1 ∈ G with a tag t ∈ {0, 1}*. • S wishes to send dependent challenge message to O. • S sends challenge message w0, w1 with tag ψC to O. • S selects random elements β∈G and x1’,y1’ ∈Zq. • S compute w0 = β / m0, w1 = β / m1. • (ψC, ψD) = Com(β || t || x1’ || y1’ || -z’), -z’ is the additive inverse of the value z’ from Stage 1.

  18. CCA2 and Outsource-security of TU Encryption • Stage 3: Challenge Encryption • O chooses one of the message wb at random and sends the corresponding ciphertext τb = (u1, u2, eb, vb, ψC) to S. • S computes • κ = H(u1, u2, eb, ψC) • vb’ = vbu1-(x1’+κiy2’) • S sends the modified ciphertext (τb’ = (u1, u2, eb, vb’, ψC) , ψD) to A.

  19. CCA2 and Outsource-security of TU Encryption • Stage 3: Challenge Encryption • Look closer at this ciphertext, we see that it is always a well-formed encryption of either m0 or m1 with tag ψC under PK’. • The key trick here is that although the value –z was selected in Stage 1, it remained hidden from A until Stage 3. • Now, eb = u1zwb. • Provided that the simulation in Stage 4 is perfect. • S will succeed in distinguishing encryptions of (w0, w1) with the same success probability as A on (m0, m1).

  20. CCA2 and Outsource-security of TU Encryption • Stage 4: More Decryption Queries • S provides the challenge ciphertext (τb’, ψD) to A. • S must continue to answer decryption queries posed by A for any ciphertext that differs from (τb’, ψD) in at least one bit. • On queries of the form (τi = (u1i, u2i, ei, vi, ψCi), ψDi) ≠ (τb’, ψD) • S and O just as in Stage 2. • S uses O’s response to compute mi.

  21. CCA2 and Outsource-security of TU Encryption • Stage 4: More Decryption Queries • We have two possible cases: • Case 1: τb’≠ τi • O’s challenge ciphertext τb is a deterministic function of τb’. • When modifying A’s query, S obtains a ciphertext under PK that differs from τb. • S can successfully decrypt (τi, ψDi) by making a query to O. • Case 2: τb’= τi and ψD ≠ ψDi • This scenario is not possible.

  22. CCA2 and Outsource-security of TU Encryption • Stage 5: Guess • A guess which message m0 or m1, is encoded in the challenge ciphertext (τb’, ψD). • Upon receiving A’s guess mb’, S immediately sends to O a guess of wb’ as the encrypted contents of τb. • S and A succeed with exactly the same probability.

  23. Outline • Introduction • Definition of Security • Outsource-Secure Exponentiation Using Two Untrusted Programs • Outsource-Secure Encryption Using One Untrusted Program • Conclusion

  24. Conclusion • Model. • Multi-server-Aided under this model. • Braid group + Server-Aided.

More Related