How to securely outsource cryptographic computations
Susan Hohenberger and Anna Lysyanskaya, TCC 2005

Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion

Definition
[Figure: algorithm Alg with five inputs (HS, HP, HU, AP, AU) and three outputs (S, P, U)]

Definition
[Figure: diagram with inputs labelled H and A, and an output]

Definition
• Definition 8: (α,β)-outsource-security
• A pair of algorithms (T, U) is an (α,β)-outsource-secure implementation of an algorithm Alg if it is both α-efficient and β-checkable.

Outsource-Secure Exponentiation Using Two Untrusted Programs
• Computes a variable-exponent, variable-base exponentiation modulo a prime by combining two previous approaches to this problem:
  • Preprocessing to speed up offline exponentiations.
  • Untrusted server-aided computation.

Outsource-Secure Exponentiation Using Two Untrusted Programs
• Provides a technique for computing and checking the result of a modular exponentiation using two untrusted exponentiation boxes U’ = (U1’, U2’).
• U1’ and U2’ cannot communicate with each other after deciding on an initial strategy.
• At most one of them can deviate from its advertised functionality on a non-negligible fraction of the inputs.

Outsource-Secure Exponentiation Using Two Untrusted Programs
• This algorithm
  • reveals no more information than the size of the input.
  • reduces the running time to O(lg n) multiplications for an n-bit exponent,
    • an asymptotic improvement over the 1.5n multiplications needed to compute an exponentiation using square-and-multiply.
  • detects an error in the output with probability ½.
• It is an (O(lg n / n), ½)-outsource-secure exponentiation implementation.

Outsource-Secure Exponentiation Using Two Untrusted Programs
• The one-malicious version of this model: at most one of the programs U1’, U2’ deviates from its advertised functionality on a non-negligible fraction of the inputs, but we do not know which one.
[Figure: the two untrusted program model, with labels "Adversarial software written by E" and "Adversarial environment"]

Rand 1, Rand 2
• Rand 1, Rand 2: algorithms for computing (b, g^b mod p) pairs
• Rand 1 is initialized by a prime p and a base g3; it must produce a random, independent pair (b, g3^b mod p).
• Rand 2 is initialized by a prime p and two bases g1, g2; it must produce triplets (b, g1^b mod p, g2^b mod p).

Rand 1, Rand 2
• Naïve approach
  • Have a trusted server compute a table of random, independent pairs.
  • Load it into T’s memory.

Rand 1, Rand 2
• Preprocessing technique – Schnorr’s algorithm
  • Given a small set of truly random (k, g^k) pairs as input, it produces a long series of nearly random (r, g^r) pairs.
  • The output of Schnorr’s algorithm is too dependent.

Rand 1, Rand 2
• Preprocessing technique – EBPV generator
  • Takes a subset of truly random (k, g^k) pairs and combines them with a random walk on expanders on Cayley graphs to reduce the dependency of the pairs in the output sequence.
  • The EBPV generator, secure against adaptive adversaries, runs in time O(lg² n) for an n-bit exponent.
  • The output distribution of the EBPV generator is statistically close to the uniform distribution.

Exp
• Exp: Outsource-Secure Exponentiation Modulo a Prime
• T outsources its exponentiation computations by invoking U1 and U2.
• Let primes p and q be global parameters, where Zp* has order q.
• Exp takes as input a∈Zq, u∈Zp*, and outputs u^a mod p.

Exp
[Figure: inputs and outputs of Exp, labels as extracted: Input gp, Input p, Input q (global parameters, HU); Input a (HS, HP, AP); Output u^a (S, P); Input u (HP, AP)]
• No AU inputs.
• All S, P inputs are computationally blinded before being sent to U1 or U2.

Exp
• T runs Rand 1 twice to create two blinding pairs. and
• Denote
• Goal: logically break u and a into random-looking pieces that can then be computed by U1 and U2.

Exp
• First, u is hidden by
• T selects two blinding elements d∈Zq and f∈G at random.
• Second, a is hidden by

Exp
• T fixes two test queries per program by running Rand 1 to obtain
• T queries U1 in random order as
• T queries U2 in random order as

Exp
• Finally, T checks that the test queries to U1 and U2 both produce the correct outputs g^t1 and g^t2.
  • If not, T outputs “ERROR”.
  • Otherwise, T multiplies the real outputs of U1 and U2 with v^b to compute u^a as

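The Exp steps above, as an added Python example that is not part of the original slides. Assumptions: the toy parameters p, q and generator GEN, the helper names, and the concrete decomposition u = v·w, a = b + c = d + e, v = f·h (chosen to fit the steps described, since the slides' own formulas are not on this page); u is taken from the order-q subgroup, and rand1 computes its pairs directly where a real T would use a table or the EBPV generator.

```python
import secrets

# Toy parameters constructed for this example: p = 2q + 1; GEN generates the order-q subgroup.
Q, P, GEN = 1019, 2039, 4

def rand1():
    # Stand-in for Rand 1 (a real T uses a precomputed table or the EBPV generator).
    b = secrets.randbelow(Q - 1) + 1
    return b, pow(GEN, b, P)

def honest(batch):
    return [pow(base, e, P) for e, base in batch]

def cheat_once(batch):
    # Hypothetical faulty server: corrupts one of its four answers, chosen at random.
    out = honest(batch)
    i = secrets.randbelow(len(out))
    out[i] = out[i] * GEN % P
    return out

def outsource_exp(a, u, U1, U2):
    """Return u^a mod p for u in the order-q subgroup, or "ERROR" if a test query fails."""
    (alpha, v), (beta, vb) = rand1(), rand1()        # v = g^alpha, v^b = g^beta
    b = beta * pow(alpha, -1, Q) % Q
    c = (a - b) % Q                                  # a = b + c
    w = u * pow(v, -1, P) % P                        # u = v * w
    d = secrets.randbelow(Q)
    e = (a - d) % Q                                  # a = d + e
    f = pow(secrets.randbelow(P - 3) + 2, 2, P)      # random subgroup element (a square mod p)
    h = v * pow(f, -1, P) % P                        # v = f * h
    pairs = [(rand1(), rand1()) for _ in range(2)]   # test query (t/r, g^r) must return g^t
    tests = [((t * pow(r, -1, Q) % Q, gr), gt) for (t, gt), (r, gr) in pairs]
    result = vb
    for server, real in ((U1, [(d, w), (c, f)]), (U2, [(e, w), (c, h)])):
        items = [(q, None) for q in real] + tests
        secrets.SystemRandom().shuffle(items)        # hide which queries are tests
        answers = server([q for q, _ in items])
        for (_, expected), ans in zip(items, answers):
            if expected is None:
                result = result * ans % P            # real output: v^b * w^d * f^c * w^e * h^c
            elif ans != expected:
                return "ERROR"
    return result

def detection_rate(trials=2000):
    # Fraction of runs in which T catches a server that corrupts one answer in four.
    a, u = 777, pow(GEN, 123, P)
    return sum(outsource_exp(a, u, cheat_once, honest) == "ERROR" for _ in range(trials)) / trials
```

With two of each server's four queries being tests, a single corrupted answer is caught about half the time, and an uncaught one yields a wrong value rather than u^a.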
Correctness and Security
• Theorem: In the one-malicious model, the above algorithms (T, (U1, U2)) are an outsource-secure implementation of Exp, where the input (a, u) may be HS, HP or AP.
• Correctness
  • Straightforward.
• Security
  • Let A = (E, U1’, U2’) be a PPT adversary that interacts with a PPT algorithm T in the two untrusted program model.
  • Part one: EVIEW_real ~ EVIEW_ideal (the external adversary E learns nothing).
  • Part two: UVIEW_real ~ UVIEW_ideal (the untrusted software (U1, U2) learns nothing).

Correctness and Security
[Figure: PPT simulator; the inputs to and outputs from each program are labelled Input/Test and Output/Test]
• Make four random queries of the form (αj∈Zq, βj∈Zp*) to both U1’ and U2’.
• S1 randomly tests two outputs from each program (i.e. βj^αj).

Correctness and Security
• If an error is detected
  • S1 saves the state.
  • Outputs YPi = “ERROR”, YUi = ψ, replacei = 1.
• If no error is detected, S1 checks the remaining four outputs.
  • If all checks pass
    • S1 outputs YPi = ψ, YUi = ψ, replacei = 0.
  • Otherwise
    • S1 selects a random element r∈Zp*.
    • S1 outputs YPi = r, YUi = ψ, replacei = 1.

Correctness and Security
• The input distributions to (U1’, U2’) in the real and ideal experiments are computationally indistinguishable.
• In the ideal experiment, the inputs are chosen uniformly at random.

Correctness and Security
• In the real experiment, each part of each query T makes to any one program is first independently re-randomized, where these re-randomization factors are either
  • truly random, or
  • computationally indistinguishable from random (assumption of the EBPV generator).

Correctness and Security
• Three possible scenarios to consider.
  • If (U1’, U2’) behave honestly in the ith round:
    • EVIEW_real^i ~ EVIEW_ideal^i
    • In the real experiment T(U1’, U2’) perfectly executes Exp.
    • In the ideal experiment S1 chooses not to replace the output of Exp.
  • If one of (U1’, U2’) gives an incorrect output in the ith round:
    • Both T and S1 detect it with probability ½, resulting in an output of “ERROR”.

Correctness and Security
• Three possible scenarios to consider.
  • Otherwise:
    • (U1’, U2’) will actually succeed in corrupting the output of Exp.
    • In the real experiment, the four real outputs are multiplied together along with a random value, giving a corrupted output of Exp that nevertheless looks random to E.
    • In the ideal experiment, S1 replaces the output of Exp with a random value when an attempt to cheat by (U1’, U2’) would have gone undetected by T in the real experiment.

Correctness and Security
• S2 is similar to S1.
• S2 makes four random queries of the form (αj∈Zq, βj∈Zp*) to both U1’ and U2’.
• In the real experiment, T always re-randomizes his inputs to (U1’, U2’) using six Rand 1 pairs.
• In the ideal experiment, S2 always creates random independent queries for (U1’, U2’).

Correctness and Security
• Even when one of (U1’, U2’) behaves dishonestly in the ith round,
  • EVIEW_real^i ~ EVIEW_ideal^i
  • UVIEW_real^i ~ UVIEW_ideal^i
• By a hybrid argument
  • EVIEW_real ~ EVIEW_ideal
  • UVIEW_real ~ UVIEW_ideal

Analysis
• In the one-malicious model, the above algorithms (T, (U1, U2))
  • are an O(lg² n / n)-efficient implementation of Exp.
  • are a ½-checkable implementation of Exp.
  • are an (O(lg² n / n), ½)-outsource-secure implementation of Exp.