Verifiable Outsourced Computations: Outsourcing Computations to Untrusted Servers


Outsourcing Computations to Untrusted Servers. Security of Symmetric Ciphers in Network Protocols, ICMS, Edinburgh, May 26, 2015.

Problem Motivation


Table of Contents
1 Single-Client Verifiable Computation (Building Blocks; Security Models)
2
3
4

Verifiable Computation Scheme (Gennaro, Gentry, Parno. Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers. Crypto 2010.)
Pre-processing: a one-time stage in which the client computes some auxiliary information associated with F.
Input Preparation: the client prepares some auxiliary (public and private) information about x and sends the public part σ_x to the server S.
Output Computation: the server computes a string σ_y which encodes F(x) and returns it to the client.
Verification: from the value σ_y the client computes the value F(x) and verifies its correctness.

Requirements and Properties
Efficiency: input preparation and output verification must take less time than computing F from scratch. Since the one-time pre-processing may cost as much as (or more than) evaluating F, this is an amortized notion of efficiency: the pre-processing cost is spread over many evaluations of the same F.
Privacy: input and output privacy, i.e. the server learns nothing about x or about F(x).

Yao's Protocol for Two-party Computation
Yao presented the first protocol for secure (two-party) computation. A plain circuit is evaluated by assigning values to its input wires and then, for each gate, computing the value of the outgoing wire as a function of the wires going into the gate. In secure computation no party should learn the values of any internal wires. Yao's protocol is a compiler which takes a circuit and transforms it into a garbled circuit that hides all information but the final output.

An AND Gate
  u  v  w
  0  0  0
  0  1  0
  1  0  0
  1  1  1

An AND Gate with Garbled Values
  u      v      w
  k_u^0  k_v^0  k_w^0
  k_u^0  k_v^1  k_w^0
  k_u^1  k_v^0  k_w^0
  k_u^1  k_v^1  k_w^1
For each wire we choose two random labels k_u^0, k_u^1 ←$ {0,1}^κ; they represent the bit values 0 and 1.

A Garbled AND Gate
  u      v      ciphertext
  k_u^0  k_v^0  E_{k_u^0}(E_{k_v^0}(k_w^0))
  k_u^0  k_v^1  E_{k_u^0}(E_{k_v^1}(k_w^0))
  k_u^1  k_v^0  E_{k_u^1}(E_{k_v^0}(k_w^0))
  k_u^1  k_v^1  E_{k_u^1}(E_{k_v^1}(k_w^1))
The actual garbled gate is a random permutation of the four ciphertexts (the u and v columns are not part of it). Given k_u^0 and k_v^1 the evaluator can open only the row E_{k_u^0}(E_{k_v^1}(k_w^0)) and so obtains k_w^0; since the rows are permuted and the labels are random strings, it has no idea whether the key it obtained stands for 0 or for 1.

Output Translation
If the gate is an output gate, a decryption of the output wire must be provided. The keys known to the evaluator can decrypt only a single entry, and what they yield is a random wire key, not a bit. Output translation table: [(0, k_w^0), (1, k_w^1)] maps the recovered key back to its bit.

Repeated Evaluation of a Garbled Circuit
Yao's garbled circuit construction is not reusable: once the client hands out input labels for a second input, the server holds both labels of some wires and can evaluate the circuit on inputs it was never asked about.
Reusable garbled circuit scheme [GKPVZ13].
Amortized efficiency notion: one expensive pre-processing, after which we can outsource many evaluations of the same function.
Reusability by using FHE: instead of revealing the key labels associated with the input x, the client encrypts those labels under the public key of an FHE scheme, so the server evaluates the garbled circuit homomorphically and never sees labels in the clear.
Rejection problem: if the client detects a malformed response it must terminate (stop using this garbled circuit). Otherwise A learns an additional bit of information (accepted or rejected) with every further request it sends.

VC Scheme (Yao's garbled circuits plus FHE)
1 (PK, SK) ← KeyGen(F, κ): follow Yao's garbled circuit construction and compute the four ciphertexts for each gate. PK is the full set of ciphertexts; SK is the full set of wire values (labels).
2 (σ_x, τ_x) ← ProbGen(SK, x): run the FHE KeyGen, pick the wire values representing the binary expansion of x, and encrypt that representation under the FHE public key. The client keeps the FHE secret key private.
3 σ_y ← Compute(PK, σ_x): the server constructs the appropriate decryption circuit and repeatedly evaluates it homomorphically on σ_x (basically decrypting its way through the garbled tables under the FHE). It ends up with the output wire value w_i corresponding to y = F(x), homomorphically encrypted under the FHE public key, and returns it as σ_y.
4 y ← Verify(SK, σ_y): use the FHE secret key to decrypt σ_y, obtaining w_i; use the secret key SK to map the wire value to an output y; if decryption fails, or w_i is not one of the two labels of the output wire, output ⊥.
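The garbled AND gate, the output translation table and the KeyGen/ProbGen/Compute/Verify interface above, as an added Python example; it is not code from the slides or from the GGP paper. It garbles a constructed 1-bit full-adder circuit, evaluates it the way the server would (opening exactly one row per gate), and verifies the returned output labels. The FHE layer that makes the GGP scheme reusable is left out, so this is the one-time version and a fresh garbling is produced for every input. HMAC-SHA256 stands in for the double encryption E_{k_u}(E_{k_v}(·)), with a block of zero bytes as the redundancy that tells the evaluator which row opened; all names (keygen, probgen, compute, verify, FULL_ADDER) are this example's own.

```python
import hashlib
import hmac
import secrets

KAPPA = 16   # wire-label length in bytes (assumption: 128-bit labels)
GATES = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}

# Constructed circuit: a 1-bit full adder. Inputs are wires 0 (x), 1 (y), 2 (c_in);
# gates are (gate_id, type, in_u, in_v, out) in topological order; outputs are
# wire 5 (sum) and wire 7 (carry).
FULL_ADDER = {
    "n_inputs": 3,
    "gates": [(0, "XOR", 0, 1, 3),   # w3 = x ^ y
              (1, "XOR", 3, 2, 5),   # w5 = x ^ y ^ c_in          (sum)
              (2, "AND", 0, 1, 4),   # w4 = x & y
              (3, "AND", 3, 2, 6),   # w6 = (x ^ y) & c_in
              (4, "OR", 4, 6, 7)],   # w7 = w4 | w6               (carry)
    "outputs": [5, 7],
}

def _stream(k_u, k_v, gate_id):
    # Key stream for one row: PRF(k_u || k_v, gate_id). HMAC-SHA256 stands in for the
    # PRF; the gate id keeps the rows of two gates with the same inputs distinct.
    return hmac.new(k_u + k_v, gate_id.to_bytes(4, "big"), hashlib.sha256).digest()

def _enc(k_u, k_v, gate_id, k_w):
    # E_{k_u}(E_{k_v}(k_w)) realised as a one-time pad over k_w || 0^KAPPA; the zero
    # block is the redundancy that lets the evaluator recognise the one row it can open.
    plain = k_w + bytes(KAPPA)
    return bytes(p ^ s for p, s in zip(plain, _stream(k_u, k_v, gate_id)))

def _dec(k_u, k_v, gate_id, ct):
    plain = bytes(c ^ s for c, s in zip(ct, _stream(k_u, k_v, gate_id)))
    return plain[:KAPPA] if plain[KAPPA:] == bytes(KAPPA) else None

def keygen(circuit):
    """Pre-processing: two random labels per wire and four permuted ciphertexts per
    gate. PK (sent to the server) is the tables; SK is the full set of labels."""
    n_wires = 1 + max(gate[4] for gate in circuit["gates"])
    labels = [(secrets.token_bytes(KAPPA), secrets.token_bytes(KAPPA)) for _ in range(n_wires)]
    tables = {}
    for gid, typ, u, v, w in circuit["gates"]:
        rows = [_enc(labels[u][a], labels[v][b], gid, labels[w][GATES[typ](a, b)])
                for a in (0, 1) for b in (0, 1)]
        secrets.SystemRandom().shuffle(rows)   # permute so the row position reveals nothing
        tables[gid] = rows
    pk = {"gates": circuit["gates"], "tables": tables, "outputs": circuit["outputs"]}
    sk = {"labels": labels, "outputs": circuit["outputs"], "n_inputs": circuit["n_inputs"]}
    return pk, sk

def probgen(sk, x):
    """Input preparation: sigma_x is one label per input bit; the bits stay private."""
    assert len(x) == sk["n_inputs"]
    return [sk["labels"][i][bit] for i, bit in enumerate(x)]

def compute(pk, sigma_x):
    """Server side: open the single row per gate that the held labels decrypt, gate by
    gate, and return the output-wire labels. Internal wire values are never learned."""
    wire = dict(enumerate(sigma_x))
    for gid, _typ, u, v, w in pk["gates"]:
        opened = [k for k in (_dec(wire[u], wire[v], gid, ct) for ct in pk["tables"][gid])
                  if k is not None]
        if len(opened) != 1:
            raise ValueError("malformed garbled table for gate %d" % gid)
        wire[w] = opened[0]
    return [wire[o] for o in pk["outputs"]]

def verify(sk, sigma_y):
    """Output translation: map each returned label to its bit with the client's table
    [(0, k_w^0), (1, k_w^1)]; a label that is neither means reject (None)."""
    y = []
    for o, label in zip(sk["outputs"], sigma_y):
        k0, k1 = sk["labels"][o]
        if label not in (k0, k1):
            return None
        y.append(int(label == k1))
    return y

def full_adder(x, y, c):   # reference computation for checking results
    return [x ^ y ^ c, (x & y) | ((x ^ y) & c)]

def exhaustive_check():
    """Outsource the adder on all 8 inputs, garbling afresh each time (one-time use)."""
    for n in range(8):
        bits = [(n >> 2) & 1, (n >> 1) & 1, n & 1]
        pk, sk = keygen(FULL_ADDER)
        if verify(sk, compute(pk, probgen(sk, bits))) != full_adder(*bits):
            return False
    return True

def cheating_server_is_caught():
    """A server that cannot open k_w^1 and guesses a label for the sum wire is rejected."""
    pk, sk = keygen(FULL_ADDER)
    sigma_y = compute(pk, probgen(sk, [1, 1, 0]))
    return verify(sk, [secrets.token_bytes(KAPPA), sigma_y[1]]) is None
```

The redundancy check in `_dec` is what a real implementation would replace with point-and-permute bits or an authenticated encryption; here it also makes the one-time property visible: `verify` accepts only the two labels the client itself generated for an output wire, so a server that did not obtain a label through an honest evaluation has no better option than guessing a 128-bit string.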

Security Models
Verifiability: a scheme is secure if a malicious server cannot convince the verification algorithm to accept an incorrect output. In the security game the adversary A gets oracle access to ProbGen in order to obtain the encodings of multiple problem instances, but A does not learn whether an output it returned was accepted or not.
Privacy: input privacy is defined by a standard indistinguishability argument guaranteeing that no information about the inputs is leaked to the server.

Publicly Verifiable Outsourced Computation - Overview
Parno, Raykova, Vaikuntanathan. How to Delegate and Verify in Public: Verifiable Computation from Attribute-Based Encryption. TCC 2012.
Additional properties:
Public Delegability: anyone can outsource a computation (no client secret is needed to prepare an input).
Public Verifiability: anyone can verify a result (no client secret is needed to check it).
The construction is based on the use of KP-ABE.


Attribute-Based Encryption
ABE is a public-key, functional encryption primitive. ABE allows decryption of a ciphertext iff some policy formula is satisfied by a set of attributes.
Variants of ABE schemes: Key-policy (KP-ABE), Ciphertext-policy (CP-ABE), Dual-policy (DP-ABE).

Key-policy ABE: the policy (access structure) is embedded in the decryption key, and the ciphertext is labelled with a set of attributes; decryption succeeds iff the ciphertext's attributes satisfy the key's policy. In ciphertext-policy ABE the roles are swapped: the ciphertext carries the policy and the key carries the attributes.


Revocation in Publicly Verifiable Outsourced Computation - Overview
Notion of Revocable PVC (RPVC): enable revocation of misbehaving servers, and enable servers to compute multiple functions.
Alderman, Janson, Cid, Crampton. Revocation in Publicly Verifiable Outsourced Computation. Inscrypt 2014.

Construction Details
RPVC extends the Parno et al. scheme, which uses KP-ABE in a black-box manner. Attention is restricted to Boolean functions closed under complement, in particular the complexity class NC^1. Such functions can be built from common operations such as AND, OR, NOT, equality and comparison operators, arithmetic operators and regular expressions.

Technical Details
Assume the existence of a revocable KP-ABE scheme for a class of functions F that is closed under complement. Make use of a signature scheme and a one-way function g.
Universes of attributes acceptable by the ABE scheme:
U_ID comprises attributes representing entity identifiers;
U_time comprises attributes representing time periods issued by the time source T;
U_F is a universe of attribute labels representing functions;
U_attr forms the characteristic tuples for input values to outsourced computations.

Input Data as Attributes
Define the attribute universe U = {A_1, A_2, A_3}. Read the input data as a binary string and select the attributes corresponding to the 1s in the string. Example: x = 101 gives x = {A_1, A_3}.

Policy Label
Add a conjunctive clause with an attribute label f to the policy, so that a key is issued for F ∧ f rather than for F alone. Labels let us query keys for multiple functions, and labels give us the oracle access needed in the security games. We also add the function attribute f to the attribute set representing the input data: x ∪ {f}.

Construction Overview
Set up two independent ABE schemes. The client encrypts two random messages m_0 and m_1, one under each scheme. The server must attempt to decrypt d_0 using a key for F and d_1 using a key for F̄ (the complement of F); only one of the two decryptions will succeed. A well-formed response θ_{F(x)}, comprising the recovered plaintexts (d_b, d_{1-b}), satisfies the following, where RK_{F,x} = b:
  (d_b, d_{1-b}) = (m_b, ⊥)      if F(x) = 1
  (d_b, d_{1-b}) = (⊥, m_{1-b})  if F(x) = 0
Flipping b ←$ {0,1} hides the structure (which of m_0, m_1 was encrypted under the scheme whose key is for F) and leads to blind verification: a verifier can check that a response is correct without learning F(x).

Setup: (PP, MK) ← RPVC.Setup(1^κ)
  U = U_attr ∪ U_ID ∪ U_time ∪ U_F
  (MPK^0_ABE, MSK^0_ABE) ← ABE.Setup(1^κ, U)
  (MPK^1_ABE, MSK^1_ABE) ← ABE.Setup(1^κ, U)
  PP = (MPK^0_ABE, MPK^1_ABE, L_Reg, T)
  MK = (MSK^0_ABE, MSK^1_ABE, L_Rev)

Register: SK_S ← RPVC.Register(S, MK, PP)
  (SK_Sig, VK_Sig) ← Sig.KeyGen(1^κ)
  SK_S = SK_Sig
  L_Reg[S][0] = VK_Sig

Certify: EK_{F,S} ← RPVC.Certify(S, F, MK, PP)
  SK^0_ABE ← ABE.KeyGen(S, F ∧ f, MSK^0_ABE, MPK^0_ABE)
  SK^1_ABE ← ABE.KeyGen(S, F̄ ∧ f, MSK^1_ABE, MPK^1_ABE)      (F̄ is the complement of F)
  UK^0_{L_Rev,t} ← ABE.KeyUpdate(L_Rev, t, MSK^0_ABE, MPK^0_ABE)
  UK^1_{L_Rev,t} ← ABE.KeyUpdate(L_Rev, t, MSK^1_ABE, MPK^1_ABE)
  Output: EK_{F,S} = (SK^0_ABE, SK^1_ABE, UK^0_{L_Rev,t}, UK^1_{L_Rev,t})

ProbGen: (σ_{F,x}, VK_{F,x}, RK_{F,x}) ← RPVC.ProbGen(x, PK_F, PP)
  (m_0, m_1) ←$ M × M and b ←$ {0,1}
  c_b ← ABE.Encrypt(m_b, x ∪ {f}, t, MPK^0_ABE)
  c_{1-b} ← ABE.Encrypt(m_{1-b}, x ∪ {f}, t, MPK^1_ABE)
  Output: σ_{F,x} = (c_b, c_{1-b}), VK_{F,x} = (g(m_b), g(m_{1-b}), L_Reg), RK_{F,x} = b

Compute: θ_{F(x)} ← RPVC.Compute(σ_{F,x}, EK_{F,S}, SK_S, PP)
  d_b ← ABE.Decrypt(c_b, SK^0_ABE, MPK^0_ABE, UK^0_{L_Rev,t})
  d_{1-b} ← ABE.Decrypt(c_{1-b}, SK^1_ABE, MPK^1_ABE, UK^1_{L_Rev,t})
  γ ← Sig.Sign((d_b, d_{1-b}, S), SK_S)
  Output: θ_{F(x)} = (d_b, d_{1-b}, S, γ)

BVerif: (RT_{F,x}, τ_{θ_{F(x)}}) ← RPVC.BVerif(θ_{F(x)}, VK_{F,x}, PP)
  If Sig.Verify((d_b, d_{1-b}, S), γ, VK_Sig) accepts, with VK_Sig taken from L_Reg[S]:
    if g(m_b) = g(d_b) then (RT_{F,x} = d_b, τ_{θ_{F(x)}} = (accept, S))
    if g(m_{1-b}) = g(d_{1-b}) then (RT_{F,x} = d_{1-b}, τ_{θ_{F(x)}} = (accept, S))
  Otherwise (RT_{F,x} = ⊥, τ_{θ_{F(x)}} = (reject, S))
  The verifier learns that the response is correct, but not F(x): it cannot tell whether the matching entry of VK_{F,x} belongs to the scheme keyed for F or for F̄.

Retrieve: ŷ ← RPVC.Retrieve(τ_{θ_{F(x)}}, RT_{F,x}, VK_{F,x}, RK_{F,x}, PP)
  If τ_{θ_{F(x)}} = (accept, S): using RK_{F,x} = b to tell the two entries of VK_{F,x} apart,
    g(RT_{F,x}) = g(m_b) then ŷ = 1        (the key for F decrypted)
    g(RT_{F,x}) = g(m_{1-b}) then ŷ = 0    (the key for F̄ decrypted)
  If τ_{θ_{F(x)}} = (reject, S) then ŷ = ⊥

Revoke: {EK_{F,S}} or ⊥ ← RPVC.Revoke(τ_{θ_{F(x)}}, MK, PP)
  If τ_{θ_{F(x)}} = (reject, S): S is added to L_Rev and the update keys are reissued for period t+1
    UK^0_{L_Rev,t+1} ← ABE.KeyUpdate(L_Rev, t+1, MSK^0_ABE, MPK^0_ABE)
    UK^1_{L_Rev,t+1} ← ABE.KeyUpdate(L_Rev, t+1, MSK^1_ABE, MPK^1_ABE)
    Update EK_{F,S} = (SK^0_ABE, SK^1_ABE, UK^0_{L_Rev,t+1}, UK^1_{L_Rev,t+1})
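The RPVC flow above (Setup through Revoke), as an added Python example; it is not the authors' implementation. The cryptographic primitives are stand-ins chosen so that the block runs without any library: g is SHA-256, the signature is an HMAC (so L_Reg holds a shared key instead of a public VK_Sig), and ToyABE only models the functionality of a revocable KP-ABE (it evaluates the key's policy on the ciphertext's attributes in the clear and is not secure). What the example does exercise is the logic of the construction: two instances keyed for F and for its complement, the random bit b that keeps the verifier blind, the one-way images in VK_{F,x}, the signature binding a result to S, and revocation through the update keys for period t+1. The function F, the attribute encoding of x and the server name are constructed for the demo.

```python
import hashlib
import hmac
import secrets

def g(m):
    return hashlib.sha256(m).digest()    # one-way function stand-in (assumption: SHA-256)

class ToyABE:
    # Functionality model of one revocable KP-ABE instance, NOT secure: Decrypt returns the
    # message iff the key's policy holds on the ciphertext's attributes, the labels and time
    # periods match, and the key holder S is not on the revocation list.
    def keygen(self, S, policy, label):
        return {"S": S, "policy": policy, "label": label}
    def key_update(self, L_Rev, t):
        return {"t": t, "revoked": frozenset(L_Rev)}
    def encrypt(self, m, attrs, label, t):
        return {"m": m, "attrs": frozenset(attrs), "label": label, "t": t}
    def decrypt(self, ct, sk, uk):
        ok = (sk["label"] == ct["label"] and uk["t"] == ct["t"]
              and sk["S"] not in uk["revoked"] and sk["policy"](ct["attrs"]))
        return ct["m"] if ok else None   # None plays the role of the bottom symbol

def encode(d_b, d_1b, S):   # unambiguous byte encoding of (d_b, d_{1-b}, S) for signing
    return b"".join(b"\x00" if d is None else b"\x01" + d for d in (d_b, d_1b)) + S.encode()

def sign(msg, sk_sig):      # HMAC stands in for Sig.Sign; Sig.Verify recomputes and compares
    return hmac.new(sk_sig, msg, hashlib.sha256).digest()

def rpvc_setup():           # two independent ABE instances, empty L_Reg and L_Rev, period t = 0
    return {"abe": (ToyABE(), ToyABE()), "L_Reg": {}, "t": 0}, {"L_Rev": set()}

def rpvc_register(S, pp):
    pp["L_Reg"][S] = sk_sig = secrets.token_bytes(32)   # a real scheme stores VK_Sig here
    return sk_sig

def rpvc_certify(S, F, f, mk, pp):
    sk0 = pp["abe"][0].keygen(S, F, f)                   # key for policy F AND f
    sk1 = pp["abe"][1].keygen(S, lambda a: not F(a), f)  # key for the complement of F
    uk = tuple(abe.key_update(mk["L_Rev"], pp["t"]) for abe in pp["abe"])
    return {"sk": (sk0, sk1), "uk": uk}

def rpvc_probgen(x_attrs, f, pp):
    m = (secrets.token_bytes(16), secrets.token_bytes(16))
    b = secrets.randbelow(2)
    c_b = pp["abe"][0].encrypt(m[b], x_attrs, f, pp["t"])        # only the key for F opens this
    c_1b = pp["abe"][1].encrypt(m[1 - b], x_attrs, f, pp["t"])   # only the key for not-F opens this
    vk = (g(m[0]), g(m[1]))   # natural order: a verifier cannot tell which entry belongs to F
    return (c_b, c_1b), vk, b                                    # RK_{F,x} = b stays with the client

def rpvc_compute(sigma, ek, S, sk_sig, pp):
    d_b = pp["abe"][0].decrypt(sigma[0], ek["sk"][0], ek["uk"][0])
    d_1b = pp["abe"][1].decrypt(sigma[1], ek["sk"][1], ek["uk"][1])
    return d_b, d_1b, S, sign(encode(d_b, d_1b, S), sk_sig)

def rpvc_bverif(theta, vk, pp):
    d_b, d_1b, S, gamma = theta
    key = pp["L_Reg"].get(S)
    if key is None or not hmac.compare_digest(gamma, sign(encode(d_b, d_1b, S), key)):
        return None, ("reject", S)
    for d in (d_b, d_1b):
        if d is not None and g(d) in vk:
            return d, ("accept", S)
    return None, ("reject", S)

def rpvc_retrieve(tau, rt, vk, b):
    if tau[0] != "accept":
        return None
    # rt = m_b means the key for F decrypted, so F(x) = 1; rt = m_{1-b} means F(x) = 0.
    return 1 if g(rt) == vk[b] else 0 if g(rt) == vk[1 - b] else None

def rpvc_revoke(tau, mk, pp):
    if tau[0] != "reject":
        return None
    mk["L_Rev"].add(tau[1])
    pp["t"] += 1                 # period t+1: the fresh update keys exclude S
    return tuple(abe.key_update(mk["L_Rev"], pp["t"]) for abe in pp["abe"])

# Constructed demo function: F(x) = 1 iff attributes A1 and A3 are present (x = 101 -> {A1, A3}).
F = lambda attrs: {"A1", "A3"} <= attrs
def demo(x_attrs, cheat=False):
    """One evaluation by server S; a rejected S is revoked and asked once more."""
    pp, mk = rpvc_setup()
    S, f = "server-1", "f"
    sk_sig = rpvc_register(S, pp)
    ek = rpvc_certify(S, F, f, mk, pp)
    sigma, vk, b = rpvc_probgen(x_attrs, f, pp)
    theta = rpvc_compute(sigma, ek, S, sk_sig, pp)
    if cheat:   # the server substitutes random values and signs them itself
        fake = (secrets.token_bytes(16), secrets.token_bytes(16), S)
        theta = fake + (sign(encode(*fake), sk_sig),)
    rt, tau = rpvc_bverif(theta, vk, pp)
    y_hat = rpvc_retrieve(tau, rt, vk, b)
    if tau[0] == "reject":
        ek["uk"] = rpvc_revoke(tau, mk, pp)
        sigma, vk, b = rpvc_probgen(x_attrs, f, pp)
        theta = rpvc_compute(sigma, ek, S, sk_sig, pp)   # honest now, but revoked
        _, tau = rpvc_bverif(theta, vk, pp)
    return y_hat, tau
```

Two points the code makes concrete: the verifier in `rpvc_bverif` only ever compares one-way images, so it outputs accept without knowing which instance decrypted, and only `rpvc_retrieve`, holding b, turns the accepted value into y; and after `rpvc_revoke` the revoked server's update keys no longer open either ciphertext, so even an honest answer from it is rejected in period t+1.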

Overview of Related Work
Multi-client Non-interactive Verifiable Computation [CKKC13]
Publicly Verifiable Delegation of Large Polynomials and Matrix Computations, with Application [FG12]
Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps [ZS13]
Access Control in [AJCC15a]
Memory Delegation [CKLR11]
Hybrid [AJCC15b]
Outsourcing Private RAM Computations [GHRW14]

Summary
Motivated the problem of verifiable computation. Yao's garbled circuit construction provides one-time verifiability. Publicly verifiable computation via key-policy ABE. Revocation mechanism for PVC (RPVC).

Thank You Questions?