Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps

Liang Feng Zhang, Reihaneh Safavi-Naini
Institute for Security, Privacy and Information Assurance, Department of Computer Science, University of Calgary

Cloud Computing
- Weak clients: smart phones; netbooks
- Clouds: Amazon EC2; Google Compute Engine
- A typical model:
  - The client has a computationally intensive function $F$
  - The client gives $F$ to the cloud
  - To compute $F(\alpha)$, the client gives $\alpha$ to the cloud
  - The cloud returns $\rho = F(\alpha)$ if it is honest
- The client must verify when the cloud is untrusted
- The verification should be much more efficient
- Solution: Gennaro, Gentry and Parno [GGP10]

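Verifiable Computation (VC)
- Client (holds $F$): $(pk, sk) \leftarrow \mathsf{KeyGen}(1^\lambda, F)$; $(\sigma, \tau) \leftarrow \mathsf{ProbGen}(sk, \alpha)$
- Client to cloud: $pk$, $\sigma$
- Cloud: $(\rho, \pi) \leftarrow \mathsf{Compute}(pk, \sigma)$
- Cloud to client: $(\rho, \pi)$
- Client: $\{F(\alpha), \perp\} \leftarrow \mathsf{Verify}(sk, \tau, \rho, \pi)$
- Correctness: $\mathsf{Verify}(sk, \tau, \rho, \pi) = F(\alpha)$
- Security: cannot forge $(\rho, \pi)$ s.t. $\mathsf{Verify}(sk, \tau, \rho, \pi) \notin \{F(\alpha), \perp\}$
- Efficiency: $T_{\mathsf{ProbGen}} + T_{\mathsf{Verify}} = o(T_{F(\alpha)})$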

Privacy
- The client has no reason to trust the cloud with the knowledge of its function $F$ and input $\alpha$
- Privacy is important when $F$ or $\alpha$ is sensitive:
  - $F$ contains financial data and $\alpha$ indicates the client's interest
  - $F$ contains medical data and $\alpha$ indicates the client's identity
- Input privacy: hide the input $\alpha$ from the cloud
- Function privacy: hide the function $F$ from the cloud
- Our goal: VC with input privacy and function privacy

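Multilinear Maps and Assumptions
- Postulated by Boneh and Silverberg [BS02]
- Candidate multilinear maps by [GGH13, CLT13]
- Multilinear map generator $\mathcal{G}$: $\Gamma = (N, G_1, \ldots, G_k, e, g_1, \ldots, g_k) \leftarrow \mathcal{G}(1^\lambda, k)$
- $N = pq$ for $\lambda$-bit primes $p \neq q$; $G_i = \langle g_i \rangle$, order $N$ ($i \in [k]$)
- $e : G_i \times G_j \to G_{i+j}$, where $e(g_i^a, g_j^b) = g_{i+j}^{ab}$ ($i + j \le k$)
- $e : G_1 \times \cdots \times G_1 \to G_k$: $e(g_1^{a_1}, \ldots, g_1^{a_k}) = g_k^{a_1 \cdots a_k}$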

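Multilinear Maps and Assumptions (cont.)
- SDA: $(\Gamma, u) \approx_c (\Gamma, u^q)$, where $u \leftarrow G_i$
- MSDH: $\Pr[\mathcal{A}(\Gamma, g_1, g_1^{s}, \ldots, g_1^{s^n}) = (a, g_k^{1/(s+a)})]$, where $s \leftarrow \mathbb{Z}_N$
- 3-Linear: $k = 3$; $u_0, u_1, u_2, u_3 \leftarrow G_1$; $a_0, a_1, a_2, a_3 \leftarrow \mathbb{Z}_N$:
  $$\begin{pmatrix} u_1 & u_2 & u_3 & u_0 \\ u_1^{a_1} & u_2^{a_2} & u_3^{a_3} & u_0^{a_1+a_2+a_3} \end{pmatrix} \approx_c \begin{pmatrix} u_1 & u_2 & u_3 & u_0 \\ u_1^{a_1} & u_2^{a_2} & u_3^{a_3} & u_0^{a_0} \end{pmatrix}$$
- 3-MDDH: $k = 3$; $a_0, a_1, a_2, a_3, b \leftarrow \mathbb{Z}_N$:
  $$(\Gamma, g_1^{a_0}, g_1^{a_1}, g_1^{a_2}, g_1^{a_3}, g_3^{a_0 a_1 a_2 a_3}) \approx_c (\Gamma, g_1^{a_0}, g_1^{a_1}, g_1^{a_2}, g_1^{a_3}, g_3^{b})$$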

Our Results
- Polynomial Evaluation ($k = 2\log(n+1) + 1$)
  - Function: a high degree poly $f(x) = \sum_{i=0}^{n} f_i x^i \in \mathbb{F}_q[x]$
  - Input: a field element $\alpha \in \mathbb{F}_q$
  - Assumptions: SDA, MSDH
  - Result: a VC scheme with input and function privacy
- Matrix Multiplication ($k = 3$)
  - Function: a matrix $M = (M_{ij}) \in \mathbb{F}_q^{n \times n}$
  - Input: a vector $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^{n}$
  - Assumption: SDA, 3-Linear and 3-MDDH
  - Result: a VC scheme with input and function privacy
- Applications: private information retrieval

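An Encryption Scheme Based on SDA
- $(pk, sk) \leftarrow \mathsf{Gen}(1^\lambda, k)$:
  - pick $\Gamma = (N, G_1, \ldots, G_k, e, g_1, \ldots, g_k) \leftarrow \mathcal{G}(1^\lambda, k)$
  - pick $u \leftarrow G_1$, compute $h = u^q$
  - $pk = (\Gamma, g_1, h)$; $sk = p$
- $c \leftarrow \mathsf{Enc}(pk, m)$: pick $r \leftarrow \mathbb{Z}_N$, compute $c = g_1^{m} h^{r}$
- $m \leftarrow \mathsf{Dec}(sk, c)$: compute $m \in \mathcal{M}$ s.t. $c^{p} = (g_1^{p})^{m}$
- Denoted as $\mathsf{BGN}_k$ (recall [BGN05] for $k = 2$)
- $|\mathcal{M}| = \mathrm{poly}(\lambda)$; $\mathcal{C} = G_1$ ($G_i$); SDA-based security
- $\mathsf{Enc}(\alpha_1), \mathsf{Enc}(\alpha_2) \to \mathsf{Enc}(\alpha_1 + \alpha_2)$ (multiplication)
- $\mathsf{Enc}(\alpha_1), \ldots, \mathsf{Enc}(\alpha_k) \to \mathsf{Enc}(\alpha_1 \cdots \alpha_k)$ (pairing)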

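Computing on the Exponents
- Setting for polynomial evaluation
  - $f(x) = f_0 + f_1 x + \cdots + f_n x^n$; $\alpha$; $k = \log(n+1)$
  - Set up $\mathsf{BGN}_k$ with $pk = (\Gamma, g_1, h)$ and $sk = p$
  - For $l \in [k]$, $\sigma_l = \mathsf{Enc}(\alpha^{2^{l-1}})$; $\sigma = (\sigma_1, \ldots, \sigma_k)$
  - $s \leftarrow \mathbb{Z}_N$ and $S = \{ g_1^{s^{2^{l-1}}} : l \in [k] \}$
- From $f(x)$ and $\sigma$ to $\mathsf{Enc}(f(\alpha))$
  - For $0 \le i \le n$, there are $i_1, \ldots, i_k \in \{0, 1\}$ s.t. $i = \sum_{l=1}^{k} i_l 2^{l-1}$
  - $f_i \alpha^i = f_i \, \alpha^{i_1} (\alpha^{2})^{i_2} \cdots (\alpha^{2^{k-1}})^{i_k}$
  - $e(\sigma_1^{i_1}, \ldots, \sigma_k^{i_k})^{f_i} = \mathsf{Enc}(f_i \alpha^i)$ ($\sigma_j^{i_j}$ is taken to be $g_1$ when $i_j = 0$)
  - $\mathsf{Enc}(f(\alpha)) = \prod_{i=0}^{n} \mathsf{Enc}(f_i \alpha^i)$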

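Computing on the Exponents (cont.)
- From $f(x)$, $\sigma$ and $S$ to $\mathsf{Enc}\!\left(\frac{f(s) - f(\alpha)}{s - \alpha}\right)$ ($(2k+1)$-linear map)
  - $c(s) \triangleq \frac{f(s) - f(\alpha)}{s - \alpha} = \sum_{i=0}^{n-1} \sum_{j=0}^{i} f_{i+1} \alpha^{j} s^{i-j}$
  - From $f(x)$, $\sigma$ and $S$ to $\pi_{ij} = \mathsf{Enc}(f_{i+1} \alpha^{j} s^{i-j})$
  - Compute $\mathsf{Enc}(c(s)) = \prod_{i=0}^{n-1} \prod_{j=0}^{i} \pi_{ij}$
- Setting for matrix multiplication
  - $M = (M_{ij})$ is an $n \times n$ matrix; $x = (x_1, \ldots, x_n)$ is a vector
  - Set up $\mathsf{BGN}_3$ with $pk = (\Gamma, g_1, h)$ and $sk = p$
  - For $l \in [n]$, $\sigma_l = \mathsf{Enc}(x_l)$; $\sigma = (\sigma_1, \ldots, \sigma_n)$
- From $M$ and $\mathsf{Enc}(x)$ to $\mathsf{Enc}(Mx)$
  - $\rho_i = \prod_{j=1}^{n} \sigma_j^{M_{ij}} = \mathsf{Enc}\!\left(\sum_{j=1}^{n} M_{ij} x_j\right)$ for every $i \in [n]$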

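Polynomial Evaluation (No Input Privacy)
- $\mathsf{KeyGen}(1^\lambda, f)$: pick $\Gamma_2 = (N, G_1, G_2, e, g_1, g_2)$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$; public key $pk = (\Gamma_2, g_1^{s}, \ldots, g_1^{s^n}, f)$; secret key $sk = s$.
- $\mathsf{ProbGen}(sk, \alpha)$: output $\sigma = \alpha$, $\tau = \perp$;
- $\mathsf{Compute}(pk, \sigma)$: compute $c(x)$ such that $f(x) - f(\alpha) = (x - \alpha) c(x)$; compute and output $y = f(\alpha)$ and $\pi = g_1^{c(s)}$;
- $\mathsf{Verify}(sk, \tau, \rho, \pi)$: check $e(t g_1^{-y}, g_1) \stackrel{?}{=} e(g_1^{s - \alpha}, \pi)$
- Privacy: no privacy; Security: MSDH ($k = 2$)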
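The scheme on this slide, run end to end as an added example (not code from the talk or the paper). Assumptions: a constructed toy group, the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with generator 4, stands in for the multilinear group; because the verifier holds $s$, the pairing equation is replaced by the equivalent check $t \cdot g^{-y} = \pi^{s-\alpha}$ inside the group; all function names are hypothetical.

```python
# Toy parameters (constructed, far too small to be secure): the order-R
# subgroup of Z_P^*, generated by G. Exponents and coefficients live in Z_R.
P, R, G = 2039, 1019, 4

def keygen(f, s):
    """Client: publish g^(s^i) for i = 0..n, keep s and t = g^f(s)."""
    powers = [pow(G, pow(s, i, R), P) for i in range(len(f))]
    t = pow(G, sum(c * pow(s, i, R) for i, c in enumerate(f)) % R, P)
    return powers, t

def quotient(f, alpha):
    """Coefficients of c(x) = (f(x) - f(alpha)) / (x - alpha), taken from the
    double sum c(x) = sum_{i<n} sum_{j<=i} f_{i+1} alpha^j x^(i-j)."""
    n = len(f) - 1
    c = [0] * n
    for i in range(n):
        for j in range(i + 1):
            c[i - j] = (c[i - j] + f[i + 1] * pow(alpha, j, R)) % R
    return c

def compute(powers, f, alpha):
    """Server: y = f(alpha) and pi = g^c(s), built only from the public
    g^(s^i); the server never sees s."""
    y = sum(c * pow(alpha, i, R) for i, c in enumerate(f)) % R
    pi = 1
    for g_si, c_i in zip(powers, quotient(f, alpha)):
        pi = pi * pow(g_si, c_i, P) % P
    return y, pi

def verify(s, t, alpha, y, pi):
    """Client: accept iff t * g^(-y) == pi^(s - alpha), i.e.
    f(s) - y == (s - alpha) * c(s) in the exponent."""
    lhs = t * pow(G, -y % R, P) % P
    return lhs == pow(pi, (s - alpha) % R, P)
```

A result that differs from $f(\alpha)$, or a tampered proof, changes one side of the exponent identity and is rejected; the check is vacuous only if $\alpha = s$.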

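Polynomial Evaluation (Input Privacy)
- $\mathsf{KeyGen}(1^\lambda, f(x))$: $f(x) = f_0 + f_1 x + \cdots + f_n x^n$; $k = \log(n+1)$; $\Gamma \leftarrow \mathcal{G}(1^\lambda, 2k+1)$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$; $u \leftarrow G_1$, $h = u^q$; $sk = (p, q, s, t)$, $pk = (\Gamma, h, g_1^{s}, \ldots, g_1^{s^{2^{k-1}}}, f)$.
- $\mathsf{ProbGen}(sk, \alpha)$: pick $r_l \leftarrow \mathbb{Z}_N$ and compute $\sigma_l = g_1^{\alpha^{2^{l-1}}} h^{r_l}$ for $l \in [k]$; $\sigma = (\sigma_1, \ldots, \sigma_k)$, $\tau = \perp$.
- $\mathsf{Compute}(pk, \sigma)$: output $\rho = \mathsf{Enc}(f(\alpha))$, $\pi = \mathsf{Enc}(c(s))$
- $\mathsf{Verify}(sk, \tau, \rho, \pi)$: compute $y \in \mathbb{Z}_q$ such that $\rho^{p} = (g_k^{p})^{y}$; check if $e(t / g_1^{y}, g_{2k}^{p}) = e(g_1^{s - \alpha}, \pi^{p})$
- Privacy: SDA; Security: MSDH ($2k + 1$)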

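Polynomial Evaluation (Input and Function Privacy)
- $\mathsf{KeyGen}(1^\lambda, f(x))$: $\Gamma$, $s \leftarrow \mathbb{Z}_N$, $t = g_1^{f(s)}$; $u \leftarrow G_1$, $h = u^q$; $v_i \leftarrow \mathbb{Z}_N$, $\gamma_i = g_1^{f_i} h^{v_i}$; $sk = (p, q, s, t)$; $pk = (\Gamma, h, g_1^{s}, \ldots, g_1^{s^{2^{k-1}}}; \gamma_0, \ldots, \gamma_n)$.
- $\mathsf{ProbGen}(sk, x)$: $\sigma = (\sigma_1, \ldots, \sigma_k)$ and $\tau = \perp$; $r_l \leftarrow \mathbb{Z}_N$, $\sigma_l = g_1^{\alpha^{2^{l-1}}} h^{r_l}$ for every $l \in [k]$
- $\mathsf{Compute}(pk, \sigma)$: output $\rho = \mathsf{Enc}(f(\alpha))$ and $\pi = \mathsf{Enc}(c(s))$
- $\mathsf{Verify}(sk, \tau, \rho, \pi)$: compute $y \in \mathbb{Z}_q$ such that $\rho^{p} = (g_{k+1}^{p})^{y}$; check if $e(t / g_1^{y}, g_{2k+1}^{p}) = e(g_1^{s - \alpha}, \pi^{p})$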

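PRF with Closed-Form Efficiency
- A construction based on the 3-Linear assumption:
  - $\Gamma \leftarrow \mathcal{G}(1^\lambda, 3)$; $A_j, B_j, C_j \leftarrow G_1$; $\alpha_i, \beta_i, \gamma_i \leftarrow \mathbb{Z}_N$
  - $F_K : [n]^2 \to G_1$, $(i, j) \mapsto A_j^{\alpha_i} B_j^{\beta_i} C_j^{\gamma_i}$
- Closed-form efficiency: $\mathsf{Comp}_i = \prod_{j=1}^{n} F_K(i, j)^{x_j}$ ($i \in [n]$)
  - $A = \prod_{i=1}^{n} A_i^{x_i}$, $B = \prod_{i=1}^{n} B_i^{x_i}$, $C = \prod_{i=1}^{n} C_i^{x_i}$
  - $\mathsf{Comp}_i = A^{\alpha_i} B^{\beta_i} C^{\gamma_i}$ for every $i \in [n]$
- Introduced by Benabbas, Gennaro and Vahlis [BGV11]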
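The closed-form shortcut above, as an added example (not code from the talk or the paper): the key holder gets all $n$ values $\mathsf{Comp}_i$ from three folded products instead of $n^2$ PRF calls. Assumptions: the same constructed toy group (order-1019 subgroup of $\mathbb{Z}_{2039}^*$) replaces $G_1$, indices are 0-based, and the function names are hypothetical.

```python
import random

# Toy group (constructed, not secure): order-R subgroup of Z_P^*, generator G.
P, R, G = 2039, 1019, 4

def keygen(n, seed):
    """K = (A_j, B_j, C_j) in the group and (alpha_i, beta_i, gamma_i) in Z_R.
    A seeded PRNG keeps the example reproducible; a real key needs a CSPRNG."""
    rng = random.Random(seed)
    elems = [[pow(G, rng.randrange(1, R), P) for _ in range(n)] for _ in range(3)]
    exps = [[rng.randrange(R) for _ in range(n)] for _ in range(3)]
    return elems, exps

def prf(K, i, j):
    """F_K(i, j) = A_j^alpha_i * B_j^beta_i * C_j^gamma_i."""
    (A, B, C), (al, be, ga) = K
    return pow(A[j], al[i], P) * pow(B[j], be[i], P) * pow(C[j], ga[i], P) % P

def comp_naive(K, x):
    """Comp_i = prod_j F_K(i, j)^x_j, evaluated directly:
    about 4 n^2 exponentiations for all rows."""
    out = []
    for i in range(len(x)):
        acc = 1
        for j, xj in enumerate(x):
            acc = acc * pow(prf(K, i, j), xj, P) % P
        out.append(acc)
    return out

def comp_closed(K, x):
    """Same values with the key: fold x into A, B, C once (3n exponentiations),
    then Comp_i = A^alpha_i * B^beta_i * C^gamma_i (3 more per row)."""
    (A, B, C), (al, be, ga) = K
    def fold(bases):
        acc = 1
        for b, xj in zip(bases, x):
            acc = acc * pow(b, xj, P) % P
        return acc
    a, b, c = fold(A), fold(B), fold(C)
    return [pow(a, al[i], P) * pow(b, be[i], P) * pow(c, ga[i], P) % P
            for i in range(len(x))]
```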

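Matrix Multiplication (Input Privacy)
- $\mathsf{KeyGen}(1^\lambda, M)$: pick $\Gamma$, $K$ and $a \leftarrow \mathbb{Z}_N$; $T_{ij} = g_1^{p^2 a M_{ij}} F_K(i, j)$ for $(i, j) \in [n]^2$; pick $u \leftarrow G_1$, $h = u^q$; $sk = (p, q, K, a)$; $pk = (\Gamma, h, M, T)$
- $\mathsf{ProbGen}(sk, x)$: $\sigma = (\sigma_1, \ldots, \sigma_n)$, $\tau = (\tau_1, \ldots, \tau_n)$; $r_j \leftarrow \mathbb{Z}_N$, $\sigma_j = g_1^{x_j} h^{r_j}$, $\tau_i = e\!\left(\prod_{j=1}^{n} F_K(i, j)^{x_j}, g_2^{p}\right)$ ($i, j \in [n]$)
- $\mathsf{Compute}(pk, \sigma)$: compute $\rho_i = \prod_{j=1}^{n} \sigma_j^{M_{ij}}$ and $\pi_i = \prod_{j=1}^{n} e(T_{ij}, \sigma_j)$ for $i \in [n]$
- $\mathsf{Verify}(sk, \tau, \rho, \pi)$: compute $y_i$ s.t. $\rho_i^{p} = (g_1^{p})^{y_i}$ and verify if $e(\pi_i, g_1^{p}) = g_3^{p^3 a y_i} \cdot \tau_i$; output $y = (y_1, \ldots, y_n)$ if the 2nd equality holds for $i \in [n]$
- Privacy: SDA; Security: 3-Linear and 3-MDDH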

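Matrix Multiplication (Input and Function Privacy)
- $\mathsf{KeyGen}(1^\lambda, M)$: $\Gamma$, $K$ and $a \leftarrow \mathbb{Z}_N$; $T_{ij} = g_1^{p^2 a M_{ij}} F_K(i, j)$; $u \leftarrow G_1$, $h = u^q$; $v_{ij} \leftarrow \mathbb{Z}_N$, $\gamma_{ij} = g_1^{M_{ij}} h^{v_{ij}}$; $sk = (p, q, K, a)$ and $pk = (\Gamma, h, \gamma, T)$
- $\mathsf{ProbGen}(sk, x)$: output $\sigma = (\sigma_1, \ldots, \sigma_n)$, $\tau = (\tau_1, \ldots, \tau_n)$; $r_j \leftarrow \mathbb{Z}_N$, $\sigma_j = g_1^{x_j} h^{r_j}$; $\tau_i = e\!\left(\prod_{j=1}^{n} F_K(i, j)^{x_j}, g_2^{p}\right)$ ($(i, j) \in [n]^2$)
- $\mathsf{Compute}(pk, \sigma)$: output $\rho = (\rho_1, \ldots, \rho_n)$, $\pi = (\pi_1, \ldots, \pi_n)$; $\rho_i = \prod_{j=1}^{n} e(\gamma_{ij}, \sigma_j)$; $\pi_i = \prod_{j=1}^{n} e(T_{ij}, \sigma_j)$
- $\mathsf{Verify}(sk, \tau, \rho, \pi)$: compute $y_i$ s.t. $\rho_i^{p} = (g_2^{p})^{y_i}$ and check if $e(\pi_i, g_1^{p}) = \eta^{p y_i} \tau_i$; output $y = (y_1, \ldots, y_n)$ if the 2nd equality holds for $i \in [n]$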

Applications: Private Information Retrieval
- Private information retrieval [CGKS95, KO97]: client $C$ (index $i$) sends a query to server $S$ (database $x = x_1 x_2 \cdots x_n$); from the answer, $C$ obtains $x_i$
- PIR server computation is intensive $\Rightarrow$ outsourcing
- Solution 1: using the scheme for polynomial evaluation
  - $f(x) = f_0 + f_1 x + \cdots + f_n x^n$, where $f(i) = D_i$ for $i \in [n]$
  - $\alpha = i$ for retrieving $D_i$
- Solution 2: using the scheme for matrix multiplication
  - $D$ is considered as a matrix $M = (M_{uv})$; index $i$ corresponds to a position $(u, v)$
  - $\alpha = (\alpha_1, \ldots, \alpha_n)$ is the $v$th unit vector ($\alpha_v = 1$, all other entries $0$)

Comparisons and Future Work
- [GGP10]: FHE, Boolean circuits
- [BF]: FHE, FEs that compute MACs (hard to realize)
- [PRV12]: attribute-hiding KP-ABE, Boolean formulas
- This work: FHE-free; no Boolean circuits or formulas
- Future work: multilinear map-based VC schemes with special properties such as public verification, public delegation, multi-function delegation

Thank you!