How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005
Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion
Outsource-Secure Encryption Using One Untrusted Program
[Diagram; recoverable labels: Input, Com, Enc, Dec, Output]
• The speed-up is for encryption only, not decryption.
Com
• Com: Efficient, Statistically-Hiding Commitments
• Commitment scheme
  • Stage 1: Commit stage
    • The sender locks a message in a box and sends the locked box to the receiver.
  • Stage 2: Decommit stage
    • The sender provides the receiver with the key to the box, thus enabling him to learn the original message.
Com
• Use Halevi and Micali's commitment scheme based on a collision-free hash function.
  • "Practical and provably-secure commitment schemes from collision-free hashing." Crypto '96, 1996.
• $HF: \{0,1\}^{O(k)} \to \{0,1\}^{k}$
  • A family of universal hash functions.
• $MD: \{0,1\}^{*} \to \{0,1\}^{k}$
  • A collision-free hash function.
Com
• Given any value $m \in \{0,1\}^{*}$ and security parameter $k$:
• Compute $s = MD(m)$.
• Pick $h \in HF$ and $x \in \{0,1\}^{O(k)}$ at random, so that $h(x) = s$.
• $y = MD(x)$
• One can construct $h$ by randomly selecting $A$ and computing $b = s - Ax$ modulo a prime set in $HF$.
• The commitment $\psi_C = (y, h)$
• The decommitment $\psi_D = (x, m)$
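The commit and decommit steps above, together with the validity check the receiver applies to $(\psi_C, \psi_D)$, as an added Python example that is not from the slides or the paper. SHA-256 stands in for MD, and the modulus, the vector length and all function names are illustrative assumptions.

```python
import hashlib
import secrets

# Illustrative parameters (assumptions, not taken from the slides or the paper):
P = 2**521 - 1   # prime modulus for the affine hash family HF
N = 4            # x is a vector of N elements of Z_P
ELEM_BYTES = 66  # bytes needed to encode one element of Z_P

def md(data: bytes) -> bytes:
    """MD: collision-free hash, instantiated here with SHA-256."""
    return hashlib.sha256(data).digest()

def encode(vec) -> bytes:
    """Fixed-width encoding so distinct vectors give distinct byte strings."""
    return b"".join(v.to_bytes(ELEM_BYTES, "big") for v in vec)

def h_eval(h, x) -> int:
    """h(x) = <A, x> + b mod P, a member of the affine universal family."""
    a, b = h
    return (sum(ai * xi for ai, xi in zip(a, x)) + b) % P

def commit(m: bytes):
    """Return (commitment, decommitment) = ((y, h), (x, m))."""
    s = int.from_bytes(md(m), "big")              # s = MD(m), s < 2^256 < P
    x = [secrets.randbelow(P) for _ in range(N)]  # random opening value
    a = [secrets.randbelow(P) for _ in range(N)]  # random A
    b = (s - sum(ai * xi for ai, xi in zip(a, x))) % P  # forces h(x) = s
    y = md(encode(x))
    return (y, (a, b)), (x, m)

def verify(commitment, decommitment) -> bool:
    """Receiver's check: y = MD(x) and h(x) = MD(m)."""
    y, h = commitment
    x, m = decommitment
    if len(h[0]) != N or len(x) != N or any(not (0 <= xi < P) for xi in x):
        return False                              # malformed commitment or opening
    s = int.from_bytes(md(m), "big")
    return secrets.compare_digest(md(encode(x)), y) and h_eval(h, x) == s
```

The commitment reveals only $y$ and $h$; opening it to a different message requires either a collision in MD or a second preimage $x'$ with $MD(x') = y$.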
CCA2 and Outsource-security of TU Encryption
• Theorem: TU is secure against adaptive chosen-ciphertext attack (CCA2) assuming the CCA2-security of Cramer-Shoup encryption and the security of the Halevi-Micali commitment scheme.
CCA2 and Outsource-security of TU Encryption
• Suppose there exists a PPT adversary A that
  • succeeds in adaptive chosen-ciphertext attacks against TU with probability $\geq \tfrac{1}{2} + 1/\mathrm{poly}(k)$.
• We build an adaptive adversary S that
  • uses A to distinguish encryptions under the original CS Enc with non-negligible probability.
• Let O be the original CS challenge oracle.
CCA2 and Outsource-security of TU Encryption
• Stage 1: Public Key
  • O gives $PK = (B, C, D)$ to S.
    • $B = g_1^{x_1} g_2^{x_2}$, $C = g_1^{y_1} g_2^{y_2}$, $D = g_1^{z}$.
  • S selects a random element $z' \in Z_q$, computes $D' = g_1^{z'}$, and sends $PK' = (B, C, D')$ as input to A.
CCA2 and Outsource-security of TU Encryption
• Stage 2: Decryption Queries
  • A queries S to decrypt a ciphertext
    • $\tau_i = (u_{1i}, u_{2i}, e_i, v_i, \psi_{Ci})$, $\psi_{Di}$
  • S checks $(\psi_{Ci}, \psi_{Di})$.
    • If it is valid, S decommits to obtain $(\beta_i \,\|\, t_i \,\|\, x_{1i} \,\|\, y_{1i} \,\|\, z_i)$.
    • If not, S returns "invalid" to A.
  • S computes
    • $\kappa_i = H(u_{1i}, u_{2i}, e_i, \psi_{Ci})$
    • $v_i' = v_i \, u_{1i}^{-(x_{1i} + \kappa_i y_{1i})}$
  • S sends the altered ciphertext $\tau_i' = (u_{1i}, u_{2i}, e_i, v_i', \psi_{Ci})$ to O.
CCA2 and Outsource-security of TU Encryption
• Stage 2: Decryption Queries
  • If O claims that $\tau_i'$ is an invalid ciphertext, then S tells A that $(\tau_i, \psi_{Di})$ was invalid.
  • Otherwise, O returns a value $e_i / u_{1i}^{z}$.
  • If $\tau_i$ was a proper ciphertext, then $e_i = u_{1i}^{z + z' + z_i} w_i$ for some $w_i$.
  • Thus, the value O returned to S is actually $u_{1i}^{z' + z_i} w_i$.
  • Since S knows $u_{1i}^{z' + z_i}$, it computes $w_i$ and returns the message $m_i = \beta_i / w_i$ to A.
CCA2 and Outsource-security of TU Encryption
• Stage 3: Challenge Encryption
  • After A completes its first set of decryption queries, it gives S two challenge messages $m_0, m_1 \in G$ with a tag $t \in \{0,1\}^{*}$.
  • S wishes to send dependent challenge messages to O.
  • S sends challenge messages $w_0, w_1$ with tag $\psi_C$ to O.
    • S selects random elements $\beta \in G$ and $x_1', y_1' \in Z_q$.
    • S computes $w_0 = \beta / m_0$, $w_1 = \beta / m_1$.
    • $(\psi_C, \psi_D) = \mathrm{Com}(\beta \,\|\, t \,\|\, x_1' \,\|\, y_1' \,\|\, -z')$, where $-z'$ is the additive inverse of the value $z'$ from Stage 1.
CCA2 and Outsource-security of TU Encryption
• Stage 3: Challenge Encryption
  • O chooses one of the messages, $w_b$, at random and sends the corresponding ciphertext $\tau_b = (u_1, u_2, e_b, v_b, \psi_C)$ to S.
  • S computes
    • $\kappa = H(u_1, u_2, e_b, \psi_C)$
    • $v_b' = v_b \, u_1^{-(x_1' + \kappa y_1')}$
  • S sends the modified ciphertext $(\tau_b' = (u_1, u_2, e_b, v_b', \psi_C), \psi_D)$ to A.
CCA2 and Outsource-security of TU Encryption
• Stage 3: Challenge Encryption
  • Looking closer at this ciphertext, we see that it is always a well-formed encryption of either $m_0$ or $m_1$ with tag $\psi_C$ under $PK'$.
    • The key trick here is that although the value $-z'$ was selected in Stage 1, it remained hidden from A until Stage 3.
    • Now, $e_b = u_1^{z} w_b$.
  • Provided that the simulation in Stage 4 is perfect, S will succeed in distinguishing encryptions of $(w_0, w_1)$ with the same success probability as A on $(m_0, m_1)$.
CCA2 and Outsource-security of TU Encryption
• Stage 4: More Decryption Queries
  • S provides the challenge ciphertext $(\tau_b', \psi_D)$ to A.
  • S must continue to answer decryption queries posed by A for any ciphertext that differs from $(\tau_b', \psi_D)$ in at least one bit.
  • On queries of the form $(\tau_i = (u_{1i}, u_{2i}, e_i, v_i, \psi_{Ci}), \psi_{Di}) \neq (\tau_b', \psi_D)$:
    • S and O proceed just as in Stage 2.
    • S uses O's response to compute $m_i$.
CCA2 and Outsource-security of TU Encryption
• Stage 4: More Decryption Queries
  • We have two possible cases:
  • Case 1: $\tau_b' \neq \tau_i$
    • O's challenge ciphertext $\tau_b$ is a deterministic function of $\tau_b'$.
    • When modifying A's query, S obtains a ciphertext under $PK$ that differs from $\tau_b$.
    • S can successfully decrypt $(\tau_i, \psi_{Di})$ by making a query to O.
  • Case 2: $\tau_b' = \tau_i$ and $\psi_D \neq \psi_{Di}$
    • This scenario is not possible.
CCA2 and Outsource-security of TU Encryption
• Stage 5: Guess
  • A guesses which message, $m_0$ or $m_1$, is encoded in the challenge ciphertext $(\tau_b', \psi_D)$.
  • Upon receiving A's guess $m_{b'}$, S immediately sends to O a guess of $w_{b'}$ as the encrypted contents of $\tau_b$.
  • S and A succeed with exactly the same probability.
Conclusion
• Model.
• Multi-server-Aided under this model.
• Braid group + Server-Aided.