Joint Research Workshop of Institute of Mathematics for Industry, Kyushu University, and MEXT Collaborative Workshop of Mathematics and Mathematical Sciences with Various Sciences and Industrial Technologies 2012

Cryptographic Technologies suitable for Cloud Computing

Main Conference Room 111, Institute of Mathematics for Industry, Kyushu University
2012/10/5 (Fri)

Program and Abstracts

Organized by Kirill MOROZOV and Tsuyoshi TAKAGI
Supported by Institute of Mathematics for Industry, Kyushu University
"Cryptographic Technologies suitable for Cloud Computing" Workshop Program
October 5, 13:30-20:00

13:30-13:40  Opening by MEXT and IMI
13:40-14:40  Plenary Talk: Secure Multiparty Computation almost without Verifiable Secret Sharing, Yvo Desmedt (University College London)
14:40-14:50  Break
14:50-16:35  Invited Talks I
  14:50-15:25  Inner Product Encryption on Dual Pairing Vector Spaces, Katsuyuki Takashima (Mitsubishi)
  15:25-16:00  The Homomorphic Encryption based on Ideal Lattices and its Applications, Masaya Yasuda (Fujitsu)
  16:00-16:35  Cryptographic Key Storage in the Cloud, Go Yamamoto (NTT)
16:35-16:50  Break
16:50-18:00  Invited Talks II
  16:50-17:25  Unforgeability of Re-Encryption Keys against Collusion Attack in Proxy Re-Encryption, Ryotaro Hayashi (Toshiba R&D Center)
  17:25-18:00  Cryptography to Realize Secure Cloud, Masayuki Yoshino (Hitachi Yokohama Laboratories)
18:00-18:10  Closing of the public sessions
18:10-20:00  Discussion (internal)
On the Occasion of the Workshop "Cryptographic Technologies suitable for Cloud Computing"
Workshop organizers: Tsuyoshi Takagi and Kirill Morozov, Institute of Mathematics for Industry, Kyushu University

This workshop was held on October 5, 2012 at the Institute of Mathematics for Industry (IMI), Kyushu University, hosted by the Global COE Program and co-hosted as a MEXT Collaborative Workshop of Mathematics and Mathematical Sciences with Various Sciences and Industrial Technologies. Following last year's "Secret Sharing and Cloud Computing", which was also co-hosted as a MEXT collaborative workshop, its theme is the cryptographic technologies used in cloud computing. This year's workshop had 26 participants, who discussed the security problems of current cloud services and solutions based on cryptographic technology. After a keynote by Professor Yvo Desmedt (University of Texas) on efficient secret-shared computation (multiparty computation), Katsuyuki Takashima (Mitsubishi Electric), Masaya Yasuda (Fujitsu Laboratories), Go Yamamoto (NTT Laboratories), Ryotaro Hayashi (Toshiba Research and Development Center) and Masayuki Yoshino (Hitachi Yokohama Research Laboratory) presented the latest cryptographic technologies, followed by lively question-and-answer sessions. In particular, opinions were exchanged on encryption protocols such as inner product predicate encryption, self-correcting cryptographic techniques, (fully) homomorphic encryption, searchable symmetric encryption and proxy re-encryption, on the mathematical models for their security, and on efficient implementation methods. The protection of medical data and personal information through secure cloud computing based on cryptography was also discussed, and further applications and developments of cryptographic technology are expected in the future.
Workshop Cryptographic Technologies suitable for Cloud Computing 2012
October 5, 2012, Kyushu University, Ito Campus

Secure Multiparty Computation almost without Verifiable Secret Sharing
Yvo DESMEDT, University of Texas at Dallas, USA

Today several organizations, including the US Government, use clouds to store important data. Guaranteeing reliability and privacy at the same time is a major challenge. The need for privacy is obvious (although often ignored). The need for reliability has been illustrated, for example, when the internet was deliberately disconnected in Egypt (January 2011) and with the accidental destruction of the cell phone network in the Tohoku area during the March 2011 earthquake. To address the aforementioned concerns, fully homomorphic encryption is often championed. Unfortunately, its state of the art is too slow to allow its use in any reasonable application. A better alternative is secure multiparty computation. Although secure multiparty computation has been deployed in very limited applications, it is still relatively slow. A concern is the need to use Verifiable Secret Sharing (VSS) extensively. In our approach we avoid the need for each shareholder to rerun the full VSS protocol after each local computation.
Inner Product Encryption on Dual Pairing Vector Spaces
Katsuyuki TAKASHIMA, Mitsubishi Electric, Japan

In this talk, I survey some recent results of joint work with Tatsuaki Okamoto [3, 2, 4, 5, 6, 7, 9], where we have introduced a new concept on bilinear pairing groups, dual pairing vector spaces (DPVS), and constructed a new type of encryption scheme, inner product encryption (IPE). (For a forthcoming result, unbounded IPE, refer to [8].) The notion of functional encryption (FE) is a generalized (fine-grained) notion of encryption that covers identity-based encryption (IBE), hidden-vector encryption (HVE) and attribute-based encryption (ABE). A secret key in an FE scheme corresponds to a parameter v, and a sender associates a ciphertext with a parameter x. Ciphertext ct_x associated with parameter x can be decrypted by secret key sk_v corresponding to v if and only if a relation R(v, x) holds. A stronger security notion for FE than the basic requirement, payload-hiding, namely attribute-hiding, was defined in [1]. Roughly speaking, attribute-hiding requires that a ciphertext conceal the associated parameter as well as the plaintext, while payload-hiding only requires that a ciphertext conceal the plaintext. Katz, Sahai and Waters [1] presented a concrete construction of attribute-hiding FE for a class of predicates called inner product predicates, which represents a wide class of predicates that includes an equality test (for IBE and HVE), disjunctions or conjunctions of equality tests, and, more generally, arbitrary CNF or DNF formulas. Currently, the widest class of predicates supported by attribute-hiding FE is inner product predicates. FE for inner product predicates is called inner product encryption (IPE).
Informally, the parameters of inner product predicates are expressed as a vector x (for a ciphertext) and a vector v (for a secret key), where R(v, x) holds iff v·x = 0. (Here, v·x denotes the standard inner product.) The attribute-hiding security achieved in [2, 3, 4] is more limited, or weaker, than that achieved in [1, 7]. The former is called weakly-attribute-hiding, and the latter fully-attribute-hiding. Although the IPE scheme [1] achieved fully-attribute-hiding, it is selectively secure under non-standard assumptions. Subsequently, several attribute-hiding IPE schemes have been proposed [2, 3, 4, 5, 10], aiming at an IPE scheme with better security, e.g., adaptive security, fully-attribute-hiding and weaker (standard) assumptions. This research direction culminated in our adaptively secure and fully-attribute-hiding IPE scheme under the decisional linear (DLIN) assumption [7], which is constructed on DPVS. The basic scheme in [7] has a variant with shorter public and secret keys based on the technique in [5]. A hierarchical IPE (HIPE) scheme can be realized that is also adaptively secure and fully attribute-hiding under the same assumption. Moreover, in [9], we propose an efficient (H)IPE scheme which achieves selectively fully-attribute-hiding security in the standard model, almost tightly reduced from the DLIN assumption, and whose ciphertext is almost the shortest among the existing (weakly/fully) attribute-hiding (H)IPE schemes. Specifically, a ciphertext consists of n + 4 elements of G and 1 element of G_T for a prime-order symmetric bilinear group (G, G_T), where n is the dimension of x and v. We [9] also present a variant of the (basic) (H)IPE scheme that enjoys shorter public and secret keys while preserving the security.

Table 1. Comparison of our IPE schemes on DPVS in [3, 2, 4, 7, 9], where n, ν, |G| and |G_T| represent the dimension of the vectors x and v, the maximum number of key queries of an adversary (i.e., a polynomial in the security parameter λ), the size of an element of G and that of G_T, respectively. AH, PK, SK, CT, DSP and eDDH stand for attribute-hiding, (master) public key, secret key, ciphertext, decisional subspace problem [3] and extended decisional Diffie-Hellman [2], respectively. All schemes use a group G of prime order.

Scheme              Security               Assumption          Reduction factor   PK size      SK size      CT size
OT09 [3]            selective & weakly-AH  2 variants of DSP   2                  O(n^2)|G|    (n+3)|G|     (n+3)|G| + |G_T|
LOS+10 [2]          adaptive & weakly-AH   n-eDDH              ν+1                O(n^2)|G|    (2n+3)|G|    (2n+3)|G| + |G_T|
OT10 [4]            adaptive & weakly-AH   DLIN                ν+1                O(n^2)|G|    (3n+2)|G|    (3n+2)|G| + |G_T|
OT12 [7] (basic)    adaptive & fully-AH    DLIN                3ν+2               O(n^2)|G|    (4n+2)|G|    (4n+2)|G| + |G_T|
OT12 [7] (variant)  adaptive & fully-AH    DLIN                3ν+2               O(n)|G|      11|G|        (5n+1)|G| + |G_T|
OT13 [9] (basic)    selective & fully-AH   DLIN                2                  O(n^2)|G|    (n+4)|G|     (n+4)|G| + |G_T|
OT13 [9] (variant)  selective & fully-AH   DLIN                2                  O(n)|G|      6|G|         (n+4)|G| + |G_T|

References
[1] J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In EUROCRYPT 2008, pages 146-162, 2008.
[2] A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In EUROCRYPT 2010, pages 62-91, 2010. Full version is available at http://eprint.iacr.org/2010/110.
[3] T. Okamoto and K. Takashima. Hierarchical predicate encryption for inner-products. In ASIACRYPT 2009, pages 214-231, 2009.
[4] T. Okamoto and K. Takashima. Fully secure functional encryption with general relations from the decisional linear assumption. In CRYPTO 2010, pages 191-208, 2010. Full version is available at http://eprint.iacr.org/2010/563.
[5] T. Okamoto and K. Takashima. Achieving short ciphertexts or short secret-keys for adaptively secure general inner-product encryption. In CANS 2011, pages 138-159, 2011. Full version is available at http://eprint.iacr.org/2011/648.
[6] T. Okamoto and K. Takashima. Some key techniques on pairing vector spaces. In AFRICACRYPT 2011, pages 380-382, 2011.
[7] T. Okamoto and K. Takashima. Adaptively attribute-hiding (hierarchical) inner product encryption. In EUROCRYPT 2012, pages 591-608, 2012. Full version is available at http://eprint.iacr.org/2011/543.
[8] T. Okamoto and K. Takashima. Fully secure unbounded inner-product and attribute-based encryption. In ASIACRYPT 2012, 2012. To appear.
[9] T. Okamoto and K. Takashima. Efficient (hierarchical) inner-product encryption tightly reduced from the decisional linear assumption. IEICE Trans. Fundamentals, vol. E96-A, no. 1, Jan. 2013. To appear.
[10] J. H. Park. Inner-product encryption under standard assumptions. Des. Codes Cryptography, 58(3):235-257, 2011.
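As an added example, not part of this abstract or of the Okamoto-Takashima schemes, the following Python shows how the predicates the abstract lists (an equality test, a disjunction of equality tests, and a conjunction) are written as inner product predicates R(v, x) with v·x = 0 over Z_p, which is what lets one IPE scheme cover IBE, HVE and CNF/DNF formulas. Only the attribute vector x and key vector v are built, not their encryption; the field prime, the identities and the conjunction's random coefficients are constructed values.

```python
"""Encoding equality tests, disjunctions and conjunctions as inner product
predicates R(v, x) <=> <v, x> = 0 over Z_p. Example code added here, not from
the abstract; the IPE scheme itself (DPVS, pairings) is not shown."""
import random

P = 2**61 - 1   # constructed prime field for attribute/key vectors


def inner_product(v, x):
    if len(v) != len(x):
        raise ValueError("v and x must have the same dimension n")
    return sum(a * b for a, b in zip(v, x)) % P


def holds(v, x) -> bool:
    """R(v, x) holds iff the standard inner product is 0 mod p."""
    return inner_product(v, x) == 0


# --- ciphertext side: attribute vectors x ------------------------------------
def attr_equality(identity: int):
    """x = (1, I) for a single identity I (IBE / HVE style)."""
    return (1, identity % P)


def attr_powers(identity: int, degree: int):
    """x = (1, I, I^2, ..., I^d): lets a key test any degree-d polynomial in I."""
    return tuple(pow(identity, i, P) for i in range(degree + 1))


def attr_multi(identities):
    """x = (1, I_1, 1, I_2, ...) for several attributes (conjunctions)."""
    return tuple(t for I in identities for t in (1, I % P))


# --- key side: predicate vectors v -------------------------------------------
def key_equality(a: int):
    """I = a  <=>  <(-a, 1), (1, I)> = I - a = 0."""
    return ((-a) % P, 1)


def key_disjunction(targets):
    """I = a_1 OR ... OR I = a_d  <=>  prod_i (I - a_i) = 0.
    v holds the polynomial's coefficients, lowest power first, so that
    <v, (1, I, ..., I^d)> evaluates the polynomial at I."""
    coeffs = [1]
    for a in targets:  # multiply the running polynomial by (I - a)
        coeffs = [(prev - a * cur) % P
                  for prev, cur in zip([0] + coeffs, coeffs + [0])]
    return tuple(coeffs)


def key_conjunction(targets, seed: int = 0):
    """I_1 = a_1 AND ... AND I_d = a_d: v = (-r_1 a_1, r_1, ..., -r_d a_d, r_d)
    with random r_i, so <v, x> = sum_i r_i (I_i - a_i), which is 0 when every
    factor is 0 and otherwise non-zero except with probability about 1/p."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    v = []
    for a in targets:
        r = rng.randrange(1, P)
        v += [(-r * a) % P, r]
    return tuple(v)


if __name__ == "__main__":
    print(holds(key_disjunction([5, 7]), attr_powers(7, 2)))   # True
    print(holds(key_conjunction([3, 9]), attr_multi([3, 10])))  # False
```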
The Homomorphic Encryption based on Ideal Lattices and its Applications
Masaya YASUDA, FUJITSU LABORATORIES LTD., 1-1, Kamikodanaka 4-chome, Nakahara-ku, Kawasaki, 211-8588, Japan, yasuda.masaya@jp.fujitsu.com

A homomorphic encryption scheme is a public-key encryption scheme that supports operations on encrypted data. Many previously known homomorphic encryption schemes support only either addition or multiplication on encrypted data (for example, Paillier [7] or RSA [8]). The first construction of a homomorphic encryption scheme supporting both addition and multiplication on encrypted data was the BGN scheme [2], which is based on pairings over elliptic curves. However, the BGN scheme can handle an arbitrary number of additions but only one multiplication on encrypted data. In 2009, Gentry first proposed a concrete construction of fully homomorphic encryption (FHE), which allows us to compute an arbitrary function on encrypted data. After Gentry's breakthrough work on FHE, research on applications of FHE, mainly including cloud computing, has become popular. At present, there are three main variants of FHE schemes, namely one based on ideal lattices [4, 5], which was first proposed by Gentry, one based on integers [3], and finally one based on ring learning with errors (ring-LWE) [1]. The construction of these FHE schemes starts from a somewhat homomorphic encryption (SHE) scheme. SHE schemes support only a limited number of additions and multiplications on encrypted data, but have the advantage of much faster processing performance and are more compact than FHE schemes. Research on applications of SHE schemes is now also attracting attention (see [6] for example). Here I consider applying SHE schemes in the cloud. The application I consider is to sum purchase history data collected from different companies.
Since purchase history data are sensitive information related to sales, no company would like to reveal them to the other companies. On the other hand, each company would like to know the sum of the whole purchase history data for its own sales. The application scenario is the following (see [9] for details): Each company encrypts its own purchase history data with a homomorphic encryption scheme and sends only the encrypted data to the cloud. The cloud sums the purchase history data collected from the different companies on encrypted data and sends only the encrypted sum to a trusted server holding the secret key. The trusted server decrypts the encrypted sum and sends the result to the companies. With this scenario, each company can obtain the sum of the whole purchase history data without revealing its own data to the other companies or even to the cloud. For this application scenario, I consider using the SHE scheme based on ideal lattices, since this scheme is easier to implement (except for its complicated key generation) than the other variants of SHE schemes. In this talk, I will first describe the construction of an extended version of the SHE scheme implemented by Gentry and Halevi [5]. I will also give a demonstration of the above application with the extended version of the SHE scheme.
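The three-party flow above, as an added example that is not part of the talk or of [9]: the additively homomorphic Paillier scheme (which the abstract names among the single-operation schemes) stands in for the ideal-lattice SHE scheme, since the only operation the cloud needs here is addition of ciphertexts. Key generation belongs to the trusted server, each company encrypts locally, and the cloud multiplies ciphertexts mod n^2 without ever holding a secret key. The primes, seed and purchase totals are constructed values.

```python
"""Secret totalization of purchase histories: companies encrypt, the cloud
adds on ciphertexts, a trusted key holder decrypts only the total. Paillier
is used here in place of the talk's ideal-lattice SHE scheme. Example code
added here, not from the talk."""
import math
import random
from dataclasses import dataclass

# Constructed small primes so the demo is reproducible and fast;
# a real deployment needs primes of 1024 bits or more.
P, Q = 1_000_003, 1_000_033


@dataclass(frozen=True)
class PublicKey:
    n: int
    n2: int          # n^2, the ciphertext modulus


@dataclass(frozen=True)
class SecretKey:
    lam: int         # lcm(p-1, q-1)
    mu: int          # lam^{-1} mod n (valid because g = n + 1 is used)


def keygen(p: int, q: int) -> tuple[PublicKey, SecretKey]:
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    return PublicKey(n, n * n), SecretKey(lam, pow(lam, -1, n))


def encrypt(pk: PublicKey, m: int, rng: random.Random) -> int:
    """Enc(m) = (1+n)^m * r^n mod n^2 with fresh r, so equal purchase totals
    produce different ciphertexts and the cloud cannot match them by value."""
    r = rng.randrange(1, pk.n)
    return pow(pk.n + 1, m, pk.n2) * pow(r, pk.n, pk.n2) % pk.n2


def decrypt(pk: PublicKey, sk: SecretKey, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    u = pow(c, sk.lam, pk.n2)
    return (u - 1) // pk.n * sk.mu % pk.n


def cloud_sum(pk: PublicKey, ciphertexts) -> int:
    """The cloud's whole job: multiplying ciphertexts mod n^2 adds the
    plaintexts. It holds only pk, so individual totals stay hidden from it."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % pk.n2
    return acc


def secret_totalization(histories: dict, seed: int = 1) -> int:
    """Full flow. The plaintext sum must stay below n for decryption to be
    exact; with n ~ 10^12 that holds for any realistic purchase totals."""
    pk, sk = keygen(P, Q)                                  # trusted server
    rng = random.Random(seed)
    uploads = {name: encrypt(pk, amount, rng)              # each company
               for name, amount in histories.items()}      # sends only this
    enc_total = cloud_sum(pk, uploads.values())            # cloud
    return decrypt(pk, sk, enc_total)                      # trusted server


# Constructed sample purchase totals for three companies.
SAMPLE_HISTORIES = {"Company A": 120_000, "Company B": 85_500, "Company C": 42_300}

if __name__ == "__main__":
    print(secret_totalization(SAMPLE_HISTORIES))   # 247800
```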
References
[1] Z. Brakerski and V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, In Foundations of Computer Science - FOCS 2011, 97-106, 2011.
[2] D. Boneh, E.-J. Goh and K. Nissim, Evaluating 2-DNF formulas on ciphertexts, In Theory of Cryptography - TCC 2005, Springer LNCS 3378, 325-341, 2005.
[3] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan, Fully homomorphic encryption over the integers, In Advances in Cryptology - EUROCRYPT 2010, Springer LNCS 6110, 24-43, 2010.
[4] C. Gentry, Fully homomorphic encryption using ideal lattices, In Symposium on Theory of Computing - STOC 2009, ACM, 169-178, 2009.
[5] C. Gentry and S. Halevi, Implementing Gentry's fully-homomorphic encryption scheme, In Advances in Cryptology - EUROCRYPT 2011, Springer LNCS 6632, 129-148, 2011.
[6] K. Lauter, M. Naehrig and V. Vaikuntanathan, Can homomorphic encryption be practical?, In ACM Cloud Computing Security Workshop - CCSW 2011, 113-124, 2011.
[7] P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, In Advances in Cryptology - EUROCRYPT 1999, Springer LNCS 1592, 223-238, 1999.
[8] R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21, 120-126, 1978.
[9] M. Yasuda, J. Yajima, T. Shimoyama and J. Kogure, Secret totalization of purchase histories of companies in cloud, SCIS 2012, 2012.
Cryptographic Key Storage in the Cloud
Go YAMAMOTO, Secure Platform Laboratories, NTT, Japan

1. Technology

Services that pass private or highly confidential information to servers in the cloud or other online environments for further processing have begun to spread in recent years and are now becoming commonplace. This trend has been accompanied by new security issues, as anxiety over data leaks and unauthorized use of data increases. In response to this situation, a variety of encryption techniques have been tried to protect data and prevent information leaks, but with existing encryption techniques users themselves must perform prudent key management (for both storage and distribution). Users are also required to store and manage decryption keys on their own terminals or smart cards, which means that an accident during key management increases the risk of information leaks. We would like to talk about a new technology for secure key-storage services in the cloud. It makes it easier for users to use a cipher and to prevent unauthorized use of encrypted data. The heart of the new technology is a self-correcting mechanism that can correct erroneous or bogus computations. It realizes secure outsourcing of decryption, where the decryption keys do not leak from the cloud and the documents do not leak from the user's terminals.

2. Mechanism and Features

2.1. Self-corrector. A self-corrector for a function f is an efficient algorithm that computes f correctly using any untrusted black-box that computes f correctly only with a certain probability. A simple discussion shows that a self-corrector with a certain precision should hide the instances of computation from the black-boxes.
The design of self-correctors for non-verifiable functions, typically the decryption functions of public-key cryptosystems, is the problem to be investigated. We present a design method for self-correctors that works even when the black-box returns correct output with probability less than 1/2.

2.2. Safe and flexible management of decryption keys. In conventional encryption systems, a decryption key is read into a user's terminal to decrypt encrypted data. This approach, however, requires that all users manage decryption keys. The new scheme, in contrast, manages decryption keys on the cloud itself without loading them into user terminals. The user is consequently released from the management of decryption keys and is able to control the use of encrypted data in a simple and accurate manner. For example, this cloud cryptographic scheme enables a user to pass encrypted data to persons A, B and C, later make settings that allow only persons A and B to read that data, and then make another setting that prohibits person A from reading the data again. In other words, the scheme enables the creator of encrypted data to control who is allowed to decrypt it, so that unauthorized use of the data can be prevented even after the encrypted data has been distributed.

3. Mathematics

Ensuring that computers operate correctly is a central topic of computer engineering. A self-corrector for a function f is an efficient machine that computes f correctly using any untrusted black-box, which is an external probabilistic machine that is supposed to compute f but may return wrong or faulty outputs. Self-correctors can be used even when the black-box itself does not know which of its outputs are correct, unlike other methods in which the black-boxes prove the correctness of their outputs. If f is verifiable, then we have a trivial self-corrector for f. The main interest in designing self-correctors is for non-verifiable functions. Typical examples of non-verifiable functions are the decryption functions of public-key cryptography. For example, let Dec_y be the decryption function of ElGamal encryption for public key y. A smart card M_1 is supposed to keep the corresponding private key s inside to compute Dec_y, but M_1 outputs random values with a certain probability. The correct answers from M_1 must be determined, but according to the decisional Diffie-Hellman assumption, the outputs of M_1 cannot be verified directly.

If an untrusted black-box M returns correct output with probability more than 1/2, self-correctors are constructed by running M many times and taking the majority value of the outputs. Let M be an untrusted black-box that outputs correct results with probability p. Using the Chernoff bound, by running M k/(2(p - 1/2)^2) times and taking the majority value of the outputs, the correct result is obtained with probability at least 1 - 2^(-k). However, in real-world computing, M can output correct answers with probability much less than 1/2. Let M_2 be a smart card that computes Dec_y with probability 1/100. M_2 decrypts the input with another public key y' with probability 99/100. The correct answers from M_2 then must be chosen for Dec_y. In this situation, the majority method and the random-self-reduction are not applicable for choosing the correct answer.

For a random-self-reducible function f, there can be another function f' that shares the same random-self-reduction. For example, let Dec_y be the decryption function for a homomorphic public-key cryptosystem whose plaintexts reside in G, a group of prime order. This implies that some random-self-reductions are bad, because there exist untrusted black-boxes that are not self-correctable by the majority method. We present how to design cryptographic self-correctors in such situations for non-verifiable functions. The heart of our new design is a definition of good self-reduction for constructing self-correctors.
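Added example, not from the talk: a majority-vote self-corrector with the Chernoff-bound run count k/(2(p - 1/2)^2) from Section 3, exercised against an M_1-style box (correct with probability 0.6, otherwise a random group element) and an M_2-style box (correct with probability 1/100, otherwise a consistent decryption under a different key y'). The "decryption" is a toy modular-inverse stand-in for Dec_y, not ElGamal, and the modulus, keys, inputs and seed are constructed; the caller cannot verify outputs, so it can only vote.

```python
"""Majority-vote self-corrector for an untrusted black box, and the failure
mode where the box is correct far less than half the time. Example code added
here; toy_dec is a stand-in for Dec_y, not a real decryption function."""
import math
import random
from collections import Counter
from typing import Callable

Q = 1_000_003   # constructed prime modulus of the toy plaintext group


def toy_dec(key: int, x: int) -> int:
    """Toy 'Dec_y': multiply by the private key's inverse mod Q. Without the
    key a caller cannot tell a correct output from a wrong one, which models
    the non-verifiability the self-corrector has to live with."""
    return x * pow(key, -1, Q) % Q


def majority_runs(p: float, k: int) -> int:
    """Calls needed so the majority is wrong with probability <= 2^-k, from
    the Chernoff/Hoeffding tail exp(-2N(p-1/2)^2); needs p > 1/2."""
    if p <= 0.5:
        raise ValueError("majority method needs success probability > 1/2")
    return math.ceil(k / (2 * (p - 0.5) ** 2))


def majority_self_correct(box: Callable[[int], int], x: int,
                          p: float, k: int = 20) -> int:
    """Query the box majority_runs(p, k) times and return the most common
    output. Correct only if the box really is right with probability > 1/2."""
    votes = Counter(box(x) for _ in range(majority_runs(p, k)))
    return votes.most_common(1)[0][0]


def make_m1(key: int, p: float, rng: random.Random) -> Callable[[int], int]:
    """M_1: correct with probability p, otherwise a uniformly random element,
    so wrong answers almost never agree with each other."""
    def box(x: int) -> int:
        return toy_dec(key, x) if rng.random() < p else rng.randrange(1, Q)
    return box


def make_m2(key: int, other_key: int, rng: random.Random) -> Callable[[int], int]:
    """M_2: Dec under the right key with probability 1/100 and under another
    key y' with probability 99/100. The wrong answers are consistent, so they
    win any vote."""
    def box(x: int) -> int:
        return toy_dec(key, x) if rng.random() < 0.01 else toy_dec(other_key, x)
    return box


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)                   # seeded for reproducibility
    key, other_key, x = 123_457, 987_653, 424_242   # constructed values
    truth = toy_dec(key, x)
    m1_result = majority_self_correct(make_m1(key, 0.6, rng), x, p=0.6)
    # Same corrector, same nominal p, but M_2 is only 1% correct: the majority
    # converges on the decryption under y', and nothing flags it as wrong.
    m2_result = majority_self_correct(make_m2(key, other_key, rng), x, p=0.6)
    return {"truth": truth,
            "m1_ok": m1_result == truth,
            "m2_ok": m2_result == truth,
            "m2_is_other_key": m2_result == toy_dec(other_key, x)}


if __name__ == "__main__":
    print(demo())   # m1_ok True, m2_ok False, m2_is_other_key True
```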
Unforgeability of Re-Encryption Keys against Collusion Attack in Proxy Re-Encryption
Ryotaro HAYASHI, Corporate Research and Development Center, Toshiba Corporation, Japan

Proxy re-encryption (PRE) allows a proxy to convert a ciphertext encrypted for Alice (delegator) into a ciphertext for Bob (delegatee) by using a re-encryption key generated by Alice. Recently, as cloud computing emerges, PRE has gained much more attention as one of the key security components for providing secure cloud services, such as a secure file sharing service. In proxy re-encryption, non-transferability is a desirable property: colluding proxies and delegatees cannot re-delegate decryption rights to a malicious user. However, it seems to be very difficult to directly construct a non-transferable PRE scheme, despite such attempts in previous works. In this talk, we discuss non-transferability and introduce a relaxed notion of it, the unforgeability of re-encryption keys against collusion attack (UFReKey-CA), as one approach toward non-transferability. We then show concrete constructions of proxy re-encryption schemes that meet replayable-CCA security and UFReKey-CA. Although the proposed schemes are partial solutions to non-transferable PRE, we believe that the results are significant steps toward non-transferability.
Cryptography to Realize Secure Cloud
Masayuki YOSHINO, Yokohama Research Laboratory, Hitachi Ltd., Japan (joint work with Hisayoshi Sato)

Progress in networking technology and an increase in the demand for computing resources have prompted many organizations to outsource their computer environments. This has resulted in a new computing model, commonly referred to as cloud infrastructure [1], which can be roughly categorized as private or public. In a private cloud, the infrastructure is managed and owned by the user and located on-premise: access to user data is under the user's control. In a public cloud, the infrastructure is owned and managed by a service provider and is located off-premise. This means that user data is outside the user's control and access to it can potentially be granted to untrusted parties. This presentation reports security issues of the public cloud and gives application scenarios of the public cloud using cryptography.

Unlike the private cloud, which is mainly concerned with outside adversaries, the public cloud needs additional security properties against both root-privilege owners (public cloud providers) and malicious neighbors (other legitimate users on the same cloud) [2]. In order to provide privacy for data on the cloud while keeping the functionality of the cloud available, privacy-preserving processing techniques using cryptography are expected to be one of the most suitable approaches. In the cloud, users share physical computer resources and therefore cannot occupy the machine resources exclusively: the computing resources available to each user are restricted. As a consequence, privacy-preserving processing techniques require not only theoretical security but also practical efficiency. Providing limited (but practical) functionality to the public cloud may currently be the key point.
In the case that the public cloud is used as private storage [3], it should employ techniques for auditing all data and searching arbitrary data in a secure and efficient manner. On the one hand, proof-of-data-possession techniques might be suitable for the audit, although there are technical issues with efficiency. On the other hand, symmetric searchable encryption schemes are certainly applicable for the search. The schemes give service providers a search privilege for certain encrypted keywords, and their efficiency is practical enough to realize the private storage at a moderate cost.

References
[1] NIST Special Publication 800-145. The NIST Definition of Cloud Computing, 2011: http://csrc.nist.gov/publications/pubssps.html
[2] Security Guidance for Critical Areas of Focus in Cloud Computing, Version 3.0, 2011: https://cloudsecurityalliance.org/research/security-guidance/
[3] S. Kamara and K. Lauter, Cryptographic Cloud Storage. Financial Cryptography Workshops, Springer LNCS 6054, 136-149, 2010.