Ensuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results

Transcription

1 Ensuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results Dario Catalano Dario Fiore Luca Nizzardo University of Catania Italy IMDEA Software Institute Madrid, Spain IMDEA Software Institute Madrid, Spain CyberCamp 2015 Madrid

2 Classical Cryptography Solutions for secure communication A problem since very ancient time Setting: Communication of honest parties Adversary in the middle 2

3 New challenges not just a matter of protecting communication We need solutions to secure computation Our computing partner can become the adversary! There may be a malicious insider We share the same physical resources with other users (bad ones too!) information leaks through hardware Providers can be hacked (and that unfortunately happens) 3

4 Modern (advanced) cryptography We need solutions to secure computation Main security goals: Modern cryptography can provide solutions to these issues Privacy: outsourced data must remain hidden Integrity: outsourced data/computation must be correct This talk 4

5 Roadmap Ensuring integrity in cloud computing applications A solution via homomorphic signatures Homomorphic signatures: what they are New tool: Asymmetric Programmable Hash Functions New results: more efficient homomorphic signatures 5

6 Ensuring Integrity in Cloud Computing v 1,v 2,,v n v 1 v 2 y=f(v 1,v 2,,v n ) f y v n How can we ensure Bob that y is correct (and computed on Alice s data)? 6

7 An attempt using traditional crypto Can we use digital signatures? sk vk v 1,v 2,,v n v 1 v 2 y=f(v 1,v 2,,v n ) f y Sign(sk, v i ) v n v 1,v 2,,v n Check: y=f(v 1,v 2,,v n ) AND Ver(vk, vi, )=1 Integrity: the cloud cannot cheat anymore Efficiency: The cloud has to send the entire input data. The communication of this solution can become prohibitive 7

8 Using Homomorphic Digital Signatures sk vk v 1,v 2,,v n v 1 v 2 y=f(v 1,v 2,,v n ) f y Sign(sk, v i ) v n v 1,v 2,,v n Check Namely Ver(vk, f, y, )=1 Integrity: the cloud cannot cheat anymore Efficiency: Homomorphic signatures are succinct size of << size of n input values. 8

9 Roadmap Ensuring integrity in cloud computing applications A solution via homomorphic signatures Homomorphic signatures: what they are New tool: Asymmetric Programmable Hash Functions New results: more efficient homomorphic signatures 9

10 Homomorphic Signatures Given signatures on inputs, one can publicly compute signature on function s output KeyGen(1 λ,n) (sk, vk) // N=#messages in a dataset Sign(sk, Δ, i, m) σ Eval(f, σ 1,,σ n ) σ Ver(vk, Δ, f, m, σ) 0/1 Correctness (f linear functions): If σ 1, σ 2 valid for m 1, m 2, then for f(x 1,x 2 )=x 1 +x 2 and σ=eval(f, σ 1,σ 2 ) it holds: Ver(vk, Δ, f, m 1 +m 2, σ)=1 Security (informal): without sk, one cannot generate signatures on false results y f(m 1,,m n ) 10

11 Previous Work on Homomorphic Signatures Homomorphic signatures first proposed in [JMSW02] Linear functions: (initially motivated by Network Coding) [BFKW09, GKKR10, CFW11, AL11, BF11, CFW12, Freeman12, ALP12, CFGV13, ALP13, LPJY13, ] Beyond linear functions: [BF11,CFW14,GVW15] Random Oracle vs. Standard Model Security Computational efficiency is about the same, but Random oracle schemes: vk =O(1) Standard Model schemes: vk =O(N) where N= dataset A vk of size O(N) is not quite desirable (think of the outsourcing app.) 11

12 Efficiency of prior std-model Homomorphic Sig. Size of vk in prior work sk v 1,v 2,,v n v 1 v 1,v 2,,v n v 2 v n y=f(v 1,v 2,,v n ) v 1 v 2 v n f y vk Size of vk size of one dataset Bob stores less than the cloud, but still needs a lot of space 12

13 Understanding the limitations of prior schemes A common design pattern vk = h1 h2 hn for random hi Simulating the signature on index i requires specific randomness ri: hi is used to hide such randomness, e.g., hi=g ri h si In random oracle schemes, vk=h( ) and hi=h(i), and rely on programmability of random oracle H to embed ri on the fly. Our key idea: a new (standard-model) tool to replace/ mimic the random oracle H 13

14 This Work Introduce Asymmetric Programmable Hash Functions (APHFs) Similar to Programmable Hash Functions [HK08] APHFs Applications (generically built) Short standard-model signatures from bilinear maps (shorter PK) Linearly-Homomorphic Signatures (first scheme with sub-linear PK) APHFs Realizations 14

15 Efficiency of our std-model Homomorphic Sig. Prior work Ours sk v 1,v 2,,v n v 1 v 1,v 2,,v n v 2 v n y=f(v 1,v 2,,v n ) v 1 v 2 v n f y vk Size of vk Prior work: size of one dataset Our work: square root of size of one dataset 15

16 Roadmap Ensuring integrity in cloud computing applications A solution via homomorphic signatures Homomorphic signatures: what they are New tool: Asymmetric Programmable Hash Functions New results: more efficient homomorphic signatures 16

17 Hash Functions H: {0,1}* {0,1} n Important tool in cryptography Digital signatures, MACs, integrity, Provable Security (several security notions) Collision-resistance Single/Second Preimage resistance, one-wayness, etc. Random Oracle 17

18 Random Oracles [BR93] H behaves like an oracle Main properties Programmability: one can program H(x*)=y* H Random function: H(x) is random Great object! Tons of applications: signatures, NIZK, CCA encryption Heuristic assumption: random oracles do not exist in practice Can we get something close to a R.O.? as much useful in applications weak enough to have standard model realizations 18

19 Programmable Hash Functions [HK08] H k : X G, G a cyclic group KG() k; H k (x) G TrapGen(g,h) (k,td) k k TrapEval(td, x) (a x,b x ): H k (x)=g a x h b x (m,n)-programmability: x 1,,x m z 1,,z n Pr[ i a xi =0 AND j a zj 0]=1/poly x h b x g a x h b x Very useful abstraction, especially for partitioning proofs: CRHF, short standard-model signatures, IBE, 19

20 Towards random oracles Random oracles Programmability Random function PHF [HK08] Programmability?? While programmability is very powerful, certain proofs rely on the random property in several ways (e.g., they need entropy during the proof) 20

21 Our new tool: Asymmetric PHFs (APHFs) Similar to PHFs except that Secretly computable but publicly verifiable Programmable: there are trapdoor algorithms such that Pr[aX=0] is noticeable or programmable with pseudo-randomness: there are trapdoor algorithms such that g a x g r Note: these properties are mutually exclusive Yet different trapdoor modes are indistinguishable! 21

22 A step closer to random oracles Random oracles Programmability Random function APHF (this work) Programmability Pseudo-random albeit only secretly computable 22

23 Roadmap Ensuring integrity in cloud computing applications A solution via homomorphic signatures Homomorphic signatures: what they are New tool: Asymmetric Programmable Hash Functions New results: more efficient homomorphic signatures 23

24 Our main results 1. Generic construction APHFs w/pseudorandmness + Groups with bilinear maps Linearly-Homomorphic Signatures Hsqrt New homomorphic signature 2. An APHF realization called H sqrt By using H sqrt in the generic construction we obtain the first stdmodel homomorphic signature with a public key sub-linear in the maximum data set size: in all previous schemes vk =O(N)~32MB (for N=10 6 ) our solution allows for vk = O(N 1/2 ) ~100KB 24

25 Conclusion Homomorphic digital signatures can solve integrity in cloud computing scenarios Main contribution New tool: Asymmetric Programmable Hash Functions Definition Realizations New results: first homomorphic signature with sub-linear public key 25

26 Thanks!? D. Catalano, D. Fiore, L. Nizzardo. Programmable Hash Functions go Private: Constructions and Applications to (Homomorphic) Signatures with Shorter Public Keys. CRYPTO 2015 Full version available at