Cryptographic Solutions for Data Integrity in the Cloud

Similar documents
Improved Security for Linearly Homomorphic Signatures: A Generic Framework

Improved Security for Linearly Homomorphic Signatures: A Generic Framework

1 Number Theory Basics

ECS 189A Final Cryptography Spring 2011

Authentication. Chapter Message Authentication

Protean Signature Schemes

Katz, Lindell Introduction to Modern Cryptrography

II. Digital signatures

Evaluating 2-DNF Formulas on Ciphertexts

Computing on Authenticated Data for Adjustable Predicates

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

John Hancock enters the 21th century Digital signature schemes. Table of contents

Lecture 1: Introduction to Public key cryptography

Notes for Lecture 17

Digital Signatures. Adam O Neill based on

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

5199/IOC5063 Theory of Cryptology, 2014 Fall

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CPSC 467: Cryptography and Computer Security

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Cryptographical Security in the Quantum Random Oracle Model

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Introduction to Modern Cryptography Lecture 11

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Fully Homomorphic Encryption from LWE

Efficient Identity-based Encryption Without Random Oracles

Exam Security January 19, :30 11:30

On Homomorphic Encryption and Secure Computation

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

March 19: Zero-Knowledge (cont.) and Signatures

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Public Key Encryption for the Forgetful

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

5.4 ElGamal - definition

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Hash-based signatures & Hash-and-sign without collision-resistance

Short Signatures Without Random Oracles

1 Cryptographic hash functions

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lattice Based Crypto: Answering Questions You Don't Understand

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

How to Use Linear Homomorphic Signature in Network Coding

Introduction to Cryptography. Lecture 8

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Lecture 18: Message Authentication Codes & Digital Signa

Hash-based Signatures. Andreas Hülsing

Digital signature schemes

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Solution of Exercise Sheet 7

1 Basic Number Theory

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

Security II: Cryptography exercises

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Homomorphic Signatures for Polynomial Functions

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

1 Cryptographic hash functions

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures

Lecture 11: Key Agreement

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Foundations of Network and Computer Security

A survey on quantum-secure cryptographic systems

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Lecture 17: Constructions of Public-Key Encryption

Gentry IBE Paper Reading

Essam Ghadafi CT-RSA 2016

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture V : Public Key Cryptography

Leftovers from Lecture 3

Data-Mining on GBytes of

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Classical hardness of the Learning with Errors problem

Post-quantum security models for authenticated encryption

Foundations of Cryptography

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Public-Key Cryptosystems CHAPTER 4

Week : Public Key Cryptosystem and Digital Signatures

Towards Append-Only Authenticated Dictionaries. Vivek Bhupatiraju, CS-PRIMES 2017

Fully Homomorphic Encryption over the Integers

Question: Total Points: Score:

Anonymous Signatures Made Easy

Applied cryptography

Comparing With RSA. 1 ucl Crypto Group

Transcription:

Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012

Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy.

Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. The Cloud pk

Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k

Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2 c i = encryption of ith score.. Kevin c k sk

Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? sk

Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? c sk c = encryption of mean

Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? Validity: c decrypts to the correct mean. c sk c = encryption of mean Security: no adversary can obtain any info about scores. Length efficiency: c is short. Privacy: decrypted mean reveals nothing else about data.

Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity.

Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity.

Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk

Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k σ 1 = signature on ( grades, 91, Adam )

Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... pk Kevin 84 σ k σ 1 = signature on ( grades, 91, Adam )

Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk signed grades Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? pk σ 1 = signature on ( grades, 91, Adam )

Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk signed grades Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ 1 = signature on ( grades, 91, Adam ) σ = signature on ( grades, 87.3, mean )

Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean )

Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly.

Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean.

Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean. 3 Length efficiency: σ is short.

Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean. 3 Length efficiency: σ is short. 4 Privacy: σ reveals nothing about data other than the mean.

Trivial Solution: Verify the Whole Database sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ = {all scores and all signatures} Bob authenticates database, then computes mean himself.

Trivial Solution: Verify the Whole Database sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ = {all scores and all signatures} Bob authenticates database, then computes mean himself. Does not have length efficiency and privacy properties: σ is as big as entire database. Bob learns the whole database

Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject

Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject Correctness: Verify accepts if m = f (m 1,..., m k ). Security goal: no adversary can authenticate (m, f ) for m f (m 1,..., m k ). Privacy goal: if f (m 1,..., m k ) = f ( ˆm 1,..., ˆm k ) = m, no one can tell which data set σ was derived from.

Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject Correctness: Verify accepts if m = f (m 1,..., m k ). Security goal: no adversary can authenticate (m, f ) for m f (m 1,..., m k ). Privacy goal: if f (m 1,..., m k ) = f ( ˆm 1,..., ˆm k ) = m, no one can tell which data set σ was derived from. Linearly homomorphic signatures: messages m i are vectors. functions f are linear combinations.

Applications What are homomorphic signatures good for? f Linear functions Application Mean Fourier transform Network coding Regression models (time series data)

Applications What are homomorphic signatures good for? f Linear functions Subsets Application Mean Fourier transform Network coding Regression models (time series data) Message redaction

Applications What are homomorphic signatures good for? f Linear functions Subsets Polynomials Application Mean Fourier transform Network coding Regression models (time series data) Message redaction Standard deviation & higher moments Regression models (general data)

Applications What are homomorphic signatures good for? f Linear functions Subsets Polynomials Arbitrary circuits Application Mean Fourier transform Network coding Regression models (time series data) Message redaction Standard deviation & higher moments Regression models (general data) Non-linear estimators and regression Data mining (decision trees, SVM, etc.)

Application: Least Squares Fits

Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values.

Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M 0 1800 1900 2000

Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000

Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000 Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values.

Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000 Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values.

Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000 Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values. For time series x values, c is linear function of y values.

Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000 Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values. For time series x values, c is linear function of y values. Census bureau stores signed population counts on server using linearly homomorphic signature. Server can authenticate coefficients of least-squares fit.

State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear functions Subsets Polynomials Arbitrary circuits

State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear [GM82], [B88], [P99], functions others Subsets Polynomials Arbitrary circuits [BGN05], [GHV10] (quadratic) [G09], [DGHV10], [BV11],[BGV12],[B12]

State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear [GM82], [B88], [P99], [KFM04], [CJL06], functions others [ZKMH07], [BFKW09], [GKKR10], [BF11a], [F12] Subsets [JMSW02], [ABC+12], others Polynomials [BGN05], [GHV10] [BF11b] (quadratic) (bounded degree) Arbitrary circuits [G09], [DGHV10], [BV11],[BGV12],[B12]

Recent Advances in Homomorphic Signatures

New Results [F12] Improved security for linearly homomorphic signatures: 1 Security based on harder problems. 2 Systems resistant to a stronger adversary. Achieved via a generic construction from existing (ordinary) signatures satisfying certain properties. Single framework gives many homomorphic schemes. Users can choose based on security/efficiency tradeoffs.

Security Based on Hard Problems Security paradigm: Show that any adversary that can forge a signature can be used to solve a computational problem believed to be hard. E.g.: Factoring: given N = pq, find p, q. RSA: given (N, x, e), find x 1/e mod N. Strong RSA: given (N, x), find some (e, x 1/e mod N).

Security Based on Hard Problems Security paradigm: Show that any adversary that can forge a signature can be used to solve a computational problem believed to be hard. E.g.: Factoring: given N = pq, find p, q. RSA: given (N, x, e), find x 1/e mod N. Strong RSA: given (N, x), find some (e, x 1/e mod N). Hierarchy of problems: solving (1) solving (2) solving (3). (converse not known to be true or false) Top of hierarchy: stronger security guarantees. Bottom of hierarchy: more efficient constructions.

Contribution 1: Constructions from Harder Problems Previous constructions of linearly homomorphic signatures: [GKKR10]: Based on RSA, requires ideal hash function (indistinguishable from random). [CFW11]: Based on Strong RSA, uses real world hash function (collision-resistant).

Contribution 1: Constructions from Harder Problems Previous constructions of linearly homomorphic signatures: [GKKR10]: Based on RSA, requires ideal hash function (indistinguishable from random). [CFW11]: Based on Strong RSA, uses real world hash function (collision-resistant). Our construction: [F12]: Based on RSA, uses real world hash function. Similar results using hierarchy of Diffie-Hellman problems.

Contrubution 2: Stronger Adversary Security model for homomorphic signatures:

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. Adversary sk

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. pk Adversary sk

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. pk file F = {m 1,..., m k } Adversary sk

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k Adversary

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k repeat Adversary

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ).

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once.

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file.

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk tuple (F, i, m i ) sig σ F i forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file.

Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk tuple (F, i, m i ) sig σ F i forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file. Our new schemes are secure against the stronger adversary.

Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w).

Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w.

Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w. New idea: Tie together signature on F and hash of v: for public x and real-world hash function η, ( Sign(v) = x 1/η(F ), H hom (v) 1/η(F )).

Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w. New idea: Tie together signature on F and hash of v: for public x and real-world hash function η, ( Sign(v) = x 1/η(F ), H hom (v) 1/η(F )). This example derived from [GHR99] signatures; mechanism also applies to [BB04],[W05],[HW09],[LW10],...

Thank you! Questions? Job Offers? Comments?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback