The paper by Susan Hohenberger and Anna Lysyanskaya, presented at TCC2005, explores secure methods for outsourcing cryptographic computations. It covers secure exponentiation and encryption using untrusted programs, emphasizing the importance of outsource security. The text addresses commitment schemes, collision-free hash functions, and the practicality of cryptographic protocols. Additionally, it discusses the CCA2 and outsource security of TU encryption, outlining stages including public key exchange and decryption queries in an adaptive chosen-ciphertext attack scenario. This comprehensive study aims to enhance understanding and implementation of secure cryptographic outsourcing protocols.
How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005
Outline • Introduction • Definition of Security • Outsource-Secure Exponentiation Using Two Untrusted Programs • Outsource-Secure Encryption Using One Untrusted Program • Conclusion
Outsource-Secure Encryption Using One Untrusted Program • [Figure: diagram labelled Input, Com, Enc, Dec, Output] • The speed-up is for encryption only, not decryption.
Com • Com: Efficient, Statistically-Hiding Commitments • Commitment scheme • Stage 1 – Commit stage • The sender locks a message in a box and sends the locked box to the receiver. • Stage 2 – Decommit stage • The sender provides the receiver with the key to the box, thus enabling him to learn the original message.
Com • Use Halevi and Micali’s commitment scheme based on a collision-free hash function. • Practical and provably-secure commitment schemes from collision-free hashing. Crypto ’96, 1996. • $HF: \{0,1\}^{O(k)} \to \{0,1\}^{k}$ • A family of universal hash functions. • $MD: \{0,1\}^{*} \to \{0,1\}^{k}$ • A collision-free hash function.
Com • Given any value $m \in \{0,1\}^{*}$ and security parameter $k$. • Compute $s = MD(m)$. • Pick $h \in HF$ and $x \in \{0,1\}^{O(k)}$ at random, so that $h(x) = s$. • $y = MD(x)$ • One can construct $h$ by randomly selecting $A$ and computing $b = s - Ax$ modulo a prime set in HF. • The commitment $\psi_C = (y, h)$ • The decommitment $\psi_D = (x, m)$
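The commit and decommit steps above, as an added Python example (not from the slides or the paper). SHA-256 stands in for MD and h(x) = A·x + b over a prime field stands in for HF; the modulus 2^521 - 1, the vector length N and all function names are assumptions chosen for illustration, not parameters from the paper.

```python
import hashlib
import secrets

K = 256            # security parameter k: output length of MD in bits
P = 2**521 - 1     # assumed prime modulus for the hash family HF (P > 2^K)
N = 4              # assumed length of x as a vector over GF(P), the O(k)-bit string

def md(data: bytes) -> int:
    """MD: collision-free hash {0,1}* -> {0,1}^k (SHA-256 as a stand-in)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def encode_x(x) -> bytes:
    """Fixed-width encoding of x so that MD(x) is unambiguous."""
    return b"".join(v.to_bytes(66, "big") for v in x)

def h_eval(h, x) -> int:
    """Evaluate the universal hash h(x) = A.x + b mod P."""
    A, b = h
    return (sum(a * v for a, v in zip(A, x)) + b) % P

def commit(m: bytes):
    """Return (psi_C, psi_D) = ((y, h), (x, m)) for message m."""
    s = md(m)                                        # s = MD(m)
    x = [secrets.randbelow(P) for _ in range(N)]     # random x
    A = [secrets.randbelow(P) for _ in range(N)]     # random A
    b = (s - sum(a * v for a, v in zip(A, x))) % P   # b = s - Ax, so h(x) = s
    y = md(encode_x(x))                              # y = MD(x)
    return (y, (A, b)), (x, m)

def verify(psi_c, psi_d) -> bool:
    """Receiver's check on opening: y = MD(x) and h(x) = MD(m)."""
    y, h = psi_c
    x, m = psi_d
    if len(x) != N or any(not 0 <= v < P for v in x):
        return False                                 # malformed decommitment
    return md(encode_x(x)) == y and h_eval(h, x) == md(m)

def demo() -> bool:
    """Commit to a constructed sample message and open it."""
    psi_c, psi_d = commit(b"constructed sample message")
    return verify(psi_c, psi_d)
```

The commitment (y, h) reveals only MD(x) and an affine map; opening with a different message fails unless the opener finds a collision in MD or a second x with the same y.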
CCA2 and Outsource-security of TU Encryption • Theorem: TU is secure against adaptive chosen-ciphertext attack (CCA2) assuming the CCA2-security of Cramer-Shoup encryption and the security of the Halevi-Micali commitment scheme.
CCA2 and Outsource-security of TU Encryption • Suppose there exists a PPT adversary A that • succeeds in adaptive chosen-ciphertext attacks against TU with probability $\ge 1/2 + 1/\mathrm{poly}(k)$. • We build an adaptive adversary S that • uses A to distinguish original CS encryptions with non-negligible probability. • Let O be the original CS challenge oracle.
CCA2 and Outsource-security of TU Encryption • Stage 1: Public Key • O gives $PK = (B, C, D)$ to S. • $B = g_1^{x_1} g_2^{x_2}$, $C = g_1^{y_1} g_2^{y_2}$, $D = g_1^{z}$. • S selects a random element $z' \in Z_q$, computes $D' = g_1^{z'}$, and sends $PK' = (B, C, D')$ as input to A.
CCA2 and Outsource-security of TU Encryption • Stage 2: Decryption Queries • A queries S to decrypt a ciphertext • $\tau_i = (u_{1i}, u_{2i}, e_i, v_i, \psi_{Ci})$, $\psi_{Di}$ • S checks $(\psi_{Ci}, \psi_{Di})$ • If it is valid, then it decommits to $(\beta_i \,\|\, t_i \,\|\, x_{1i} \,\|\, y_{1i} \,\|\, z_i)$. • If not, S returns “invalid” to A. • S computes • $\kappa_i = H(u_{1i}, u_{2i}, e_i, \psi_{Ci})$ • $v_i' = v_i \, u_{1i}^{-(x_{1i} + \kappa_i y_{1i})}$ • S sends the altered ciphertext $\tau_i' = (u_{1i}, u_{2i}, e_i, v_i', \psi_{Ci})$ to O.
CCA2 and Outsource-security of TU Encryption • Stage 2: Decryption Queries • If O claims that $\tau_i'$ is an invalid ciphertext, then S tells A that $(\tau_i, \psi_{Di})$ was invalid. • Otherwise, O returns the value $e_i / u_{1i}^{z}$. • If $\tau_i$ was a proper ciphertext, then $e_i = u_{1i}^{z + z' + z_i} w_i$ for some $w_i$. • Thus, the value O returned to S is actually $u_{1i}^{z' + z_i} w_i$. • Since S knows $u_{1i}^{z' + z_i}$, it computes $w_i$ and returns the message $m_i = \beta_i / w_i$ to A.
CCA2 and Outsource-security of TU Encryption • Stage 3: Challenge Encryption • After A completes its first set of decryption queries, it gives S two challenge messages $m_0, m_1 \in G$ with a tag $t \in \{0,1\}^{*}$. • S wishes to send dependent challenge messages to O. • S sends challenge messages $w_0, w_1$ with tag $\psi_C$ to O. • S selects random elements $\beta \in G$ and $x_1', y_1' \in Z_q$. • S computes $w_0 = \beta / m_0$, $w_1 = \beta / m_1$. • $(\psi_C, \psi_D) = Com(\beta \,\|\, t \,\|\, x_1' \,\|\, y_1' \,\|\, -z')$, where $-z'$ is the additive inverse of the value $z'$ from Stage 1.
CCA2 and Outsource-security of TU Encryption • Stage 3: Challenge Encryption • O chooses one of the messages $w_b$ at random and sends the corresponding ciphertext $\tau_b = (u_1, u_2, e_b, v_b, \psi_C)$ to S. • S computes • $\kappa = H(u_1, u_2, e_b, \psi_C)$ • $v_b' = v_b \, u_1^{-(x_1' + \kappa y_1')}$ • S sends the modified ciphertext $(\tau_b' = (u_1, u_2, e_b, v_b', \psi_C), \psi_D)$ to A.
CCA2 and Outsource-security of TU Encryption • Stage 3: Challenge Encryption • Looking closer at this ciphertext, we see that it is always a well-formed encryption of either $m_0$ or $m_1$ with tag $\psi_C$ under $PK'$. • The key trick here is that although the value $-z'$ was selected in Stage 1, it remained hidden from A until Stage 3. • Now, $e_b = u_1^{z} w_b$. • Provided that the simulation in Stage 4 is perfect, S will succeed in distinguishing encryptions of $(w_0, w_1)$ with the same success probability as A on $(m_0, m_1)$.
CCA2 and Outsource-security of TU Encryption • Stage 4: More Decryption Queries • S provides the challenge ciphertext $(\tau_b', \psi_D)$ to A. • S must continue to answer decryption queries posed by A for any ciphertext that differs from $(\tau_b', \psi_D)$ in at least one bit. • On queries of the form $(\tau_i = (u_{1i}, u_{2i}, e_i, v_i, \psi_{Ci}), \psi_{Di}) \ne (\tau_b', \psi_D)$ • S and O proceed just as in Stage 2. • S uses O’s response to compute $m_i$.
CCA2 and Outsource-security of TU Encryption • Stage 4: More Decryption Queries • We have two possible cases: • Case 1: $\tau_b' \ne \tau_i$ • O’s challenge ciphertext $\tau_b$ is a deterministic function of $\tau_b'$. • When modifying A’s query, S obtains a ciphertext under $PK$ that differs from $\tau_b$. • S can successfully decrypt $(\tau_i, \psi_{Di})$ by making a query to O. • Case 2: $\tau_b' = \tau_i$ and $\psi_D \ne \psi_{Di}$ • This scenario is not possible.
CCA2 and Outsource-security of TU Encryption • Stage 5: Guess • A guesses which message, $m_0$ or $m_1$, is encoded in the challenge ciphertext $(\tau_b', \psi_D)$. • Upon receiving A’s guess $m_{b'}$, S immediately sends to O a guess of $w_{b'}$ as the encrypted contents of $\tau_b$. • S and A succeed with exactly the same probability.
Conclusion • Model. • Multi-server-Aided under this model. • Braid group + Server-Aided.