How to securely outsource cryptographic computations
Susan Hohenberger and Anna Lysyanskaya
TCC2005
Outline
Introduction
Definition of Security
Outsource-Secure Exponentiation Using Two Untrusted Programs
Outsource-Secure Encryption Using One Untrusted Program
Conclusion
Definition
Definition 8: (α,β)-outsource-security. A pair of algorithms (T, U) is an (α,β)-outsource-secure implementation of an algorithm Alg if it is both α-efficient and β-checkable.
Outsource-Secure Exponentiation Using Two Untrusted Programs
Goal: compute a variable-exponent, variable-base exponentiation modulo a prime by combining two previous approaches to this problem:
Preprocessing to speed up offline exponentiations.
Untrusted server-aided computation.
Outsource-Secure Exponentiation Using Two Untrusted Programs
Provides a technique for computing and checking the result of a modular exponentiation using two untrusted exponentiation boxes U' = (U1', U2').
U1' and U2' cannot communicate with each other after deciding on an initial strategy.
At most one of them can deviate from its advertised functionality on a non-negligible fraction of the inputs.
Outsource-Secure Exponentiation Using Two Untrusted Programs
The algorithm reveals no more information than the size of the input.
T's running time is reduced to O(lg² n) multiplications for an n-bit exponent, an asymptotic improvement over the 1.5n multiplications needed to compute an exponentiation with square-and-multiply.
An error in the output is detected with probability ½.
Together this gives an (O(lg² n / n), ½)-outsource-secure exponentiation implementation.
Outsource-Secure Exponentiation Using Two Untrusted Programs
[Figure: the two untrusted program model. The adversarial environment E writes the adversarial software U1' and U2'; T interacts with both programs.]
In the two untrusted program model, E is the adversarial environment and U1', U2' are adversarial software written by E.
The one-malicious version of this model: at most one of the programs U1', U2' deviates from its advertised functionality on a non-negligible fraction of the inputs, but we do not know which one.
Rand 1, Rand 2
Rand 1, Rand 2: algorithms for computing $(b, g^b \bmod p)$ pairs.
Rand 1 is initialized by a prime p and a base $g_3$; it must produce random, independent pairs $(b, g_3^{\,b} \bmod p)$.
Rand 2 is initialized by a prime p and two bases $g_1, g_2$; it must produce triplets $(b, g_1^{\,b} \bmod p, g_2^{\,b} \bmod p)$.
Rand 1, Rand 2
Naïve approach: a trusted server computes a table of random, independent pairs and loads it into T's memory.
Rand 1, Rand 2
Preprocessing technique, Schnorr's algorithm: from a small set of truly random $(k, g^k)$ pairs, produce a long series of nearly random $(r, g^r)$ pairs.
Problem: the outputs of Schnorr's algorithm are too dependent on one another.
Rand 1, Rand 2
Preprocessing technique, the EBPV generator: takes a subset of truly random $(k, g^k)$ pairs and combines them with a random walk on an expander (a Cayley graph) to reduce the dependency between the pairs in the output sequence.
The EBPV generator is secure against adaptive adversaries and runs in time O(lg² n) for an n-bit exponent.
The output distribution of the EBPV generator is statistically close to the uniform distribution.
Exp
Exp: outsource-secure exponentiation modulo a prime. T outsources its exponentiation computations by invoking U1 and U2.
Primes p and q are global parameters, with q | p − 1, so that $Z_p^*$ has a subgroup G of prime order q generated by g. Exp takes as input $a \in Z_q$ and $u \in Z_p^*$, and outputs $u^a \bmod p$.
Exp
[Figure: data flow of Exp. T receives the global parameters p, q and g (HU inputs) and the inputs u and a (HS, HP or AP), queries U1' and U2', and outputs $u^a$.]
There are no AU inputs. All S and P inputs are computationally blinded before being sent to U1 or U2.
Exp
T runs Rand 1 twice to create two blinding pairs $(\alpha, g^{\alpha})$ and $(\beta, g^{\beta})$.
Denote $v = g^{\alpha}$ and $v^b = g^{\beta}$, where $b = \beta/\alpha \pmod q$.
Goal: logically break u and a into random-looking pieces that can then be computed by U1 and U2.
Exp
First, u is hidden:
$u^a = v^a w^a = v^b \cdot v^c \cdot w^a$, where $w = u/v$ and $c = a - b$.
Second, a is hidden. T selects two blinding elements $d \in Z_q$ and $f \in G$ at random, and writes
$v^b \cdot v^c \cdot w^a = v^b \cdot (f^c \cdot h^c) \cdot (w^d \cdot w^e)$, where $h = v/f$ and $e = a - d$.
Exp
T fixes two test queries per program by running Rand 1 to obtain $(t_1, g^{t_1}), (t_2, g^{t_2}), (r_1, g^{r_1}), (r_2, g^{r_2})$.
T queries U1 in random order as
$U_1(d, w) \to w^d,\ U_1(c, f) \to f^c,\ U_1(t_1/r_1, g^{r_1}) \to g^{t_1},\ U_1(t_2/r_2, g^{r_2}) \to g^{t_2}$.
T queries U2 in random order as
$U_2(e, w) \to w^e,\ U_2(c, h) \to h^c,\ U_2(t_1/r_1, g^{r_1}) \to g^{t_1},\ U_2(t_2/r_2, g^{r_2}) \to g^{t_2}$.
Exp
Finally, T checks that the test queries to U1 and U2 both produce the correct outputs $g^{t_1}$ and $g^{t_2}$. If not, T outputs "ERROR". Otherwise, T multiplies the real outputs of U1 and U2 with $v^b$ to compute $u^a$ as
$v^b \cdot f^c \cdot h^c \cdot w^d \cdot w^e = v^b \cdot v^c \cdot w^{d+e} = v^a \cdot w^a = (vw)^a = u^a$.
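The Exp protocol of the preceding slides as a runnable Python model, added here as a worked example; it is not code from the paper or the slides. It assumes toy parameters p = 2039, q = 1019, g = 4 (a safe prime and a generator of the order-q subgroup G), keeps u inside G (the page states u ∈ Z_p^*; reducing the exponents d, e mod q requires w = u/v ∈ G, so this example restricts u accordingly), and models U1', U2' as callables that answer T's four (exponent, base) queries in the random order T issues them. The cheating program, the query helper and the trial loop are this example's own constructions, used to observe the ½ detection probability empirically.

```python
"""Exp in the one-malicious two untrusted program model (added example)."""
import random

# Toy parameters (constructed; far too small for real use): p = 2q + 1 is a safe
# prime and g = 4 generates the subgroup G of Z_p^* of prime order q.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


def inv(x, m):
    """Modular inverse (Python 3.8+)."""
    return pow(x, -1, m)


def rand1(rng):
    """Rand 1: a random, independent pair (b, g^b mod p).  A real T would load a
    precomputed table or run the EBPV generator; here T simply computes it."""
    b = rng.randrange(1, Q)
    return b, pow(G, b, P)


def honest(queries):
    """Honest untrusted program: answers each (a, x) query with x^a mod p."""
    return [pow(x, a, P) for a, x in queries]


def make_one_bad_answer(rng):
    """Cheating program (assumed adversary): corrupts exactly one of its four
    answers per round.  It cannot tell T's test queries from the real ones, so
    the bad answer lands on a real query with probability 2/4 = 1/2."""
    def U(queries):
        answers = honest(queries)
        i = rng.randrange(len(answers))
        answers[i] = answers[i] * G % P  # wrong, but still a group element
        return answers
    return U


def _query(U, real, tests, rng):
    """Send two real and two test queries in random order.  Returns the real
    answers (in the order given) or None if a test answer is wrong."""
    items = [("real", i, a, x, None) for i, (a, x) in enumerate(real)]
    items += [("test", i, a, x, want) for i, (a, x, want) in enumerate(tests)]
    rng.shuffle(items)
    answers = U([(a, x) for _, _, a, x, _ in items])
    out = [None, None]
    for (kind, i, _, _, want), ans in zip(items, answers):
        if kind == "test" and ans != want:
            return None
        if kind == "real":
            out[i] = ans
    return out


def exp_outsourced(a, u, U1, U2, rng):
    """T's side of Exp: compute u^a mod p with help from U1 and U2."""
    alpha, v = rand1(rng)                 # v = g^alpha
    beta, v_b = rand1(rng)                # v^b = g^beta with b = beta/alpha mod q
    b = beta * inv(alpha, Q) % Q
    w = u * inv(v, P) % P                 # u = v*w hides u
    c = (a - b) % Q                       # u^a = v^b * v^c * w^a
    d = rng.randrange(Q)                  # blinding exponent
    f = pow(G, rng.randrange(1, Q), P)    # blinding element of G
    h = v * inv(f, P) % P                 # v^c = f^c * h^c
    e = (a - d) % Q                       # w^a = w^d * w^e
    (t1, g_t1), (t2, g_t2), (r1, g_r1), (r2, g_r2) = [rand1(rng) for _ in range(4)]
    tests = [(t1 * inv(r1, Q) % Q, g_r1, g_t1),   # U(t1/r1, g^r1) must give g^t1
             (t2 * inv(r2, Q) % Q, g_r2, g_t2)]
    ans1 = _query(U1, [(d, w), (c, f)], tests, rng)
    ans2 = _query(U2, [(e, w), (c, h)], tests, rng)
    if ans1 is None or ans2 is None:
        return "ERROR"
    w_d, f_c = ans1
    w_e, h_c = ans2
    return v_b * f_c * h_c * w_d * w_e % P   # = v^b v^c w^a = (vw)^a = u^a


def honest_round_correct(seed=3):
    """Sanity check: with two honest programs T recovers exactly u^a mod p."""
    rng = random.Random(seed)
    a, u = rng.randrange(Q), pow(G, rng.randrange(1, Q), P)
    return exp_outsourced(a, u, honest, honest, rng) == pow(u, a, P)


def run_trials(trials=2000, seed=7):
    """One-malicious model: U1 cheats on one answer per round, U2 is honest.
    Returns (rounds where T output ERROR, rounds with an undetected wrong result)."""
    rng = random.Random(seed)
    U1 = make_one_bad_answer(rng)
    detected = corrupted = 0
    for _ in range(trials):
        a, u = rng.randrange(Q), pow(G, rng.randrange(1, Q), P)
        out = exp_outsourced(a, u, U1, honest, rng)
        if out == "ERROR":
            detected += 1
        elif out != pow(u, a, P):
            corrupted += 1
    return detected, corrupted


if __name__ == "__main__":
    det, bad = run_trials()
    print(f"honest ok: {honest_round_correct()}; cheating U1: "
          f"detected {det}/2000, undetected corruption {bad}/2000")
```

Every undetected cheat corrupts the output (the wrong answer sits on a real query), so detected and corrupted rounds sum to the number of trials and the detected fraction converges to ½, which is exactly the ½-checkability claimed for Exp. Note that the blinding does not prevent a cheater from corrupting the result; it only hides a, u and makes the corruption detectable with that probability.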
Correctness and Security
Theorem: In the one-malicious model, the above algorithms (T, (U1, U2)) are an outsource-secure implementation of Exp, where the input (a, u) may be HS, HP or AP.
Correctness: straightforward.
Security: let A = (E, U1', U2') be a PPT adversary that interacts with a PPT algorithm T in the two untrusted program model.
Part one: EVIEW_real ~ EVIEW_ideal (the external adversary E learns nothing).
Part two: UVIEW_real ~ UVIEW_ideal (the untrusted software (U1, U2) learns nothing).
Correctness and Security
[Figure: the PPT simulators S1 (for the E view) and S2 (for the U view) placed between E and (U1', U2'); each issues input and test queries and receives the test outputs.]
The simulator makes four random queries of the form $(\alpha_j \in Z_q, \beta_j \in Z_p^*)$ to both U1' and U2'.
S1 randomly tests two outputs from each program (i.e. checks them against $\beta_j^{\alpha_j}$).
Correctness and Security
If an error is detected, S1 saves its state and outputs $Y_P^i$ = "ERROR", $Y_U^i = \emptyset$, $replace^i = 1$.
If no error is detected, S1 checks the remaining four outputs.
If all checks pass, S1 outputs $Y_P^i = \emptyset$, $Y_U^i = \emptyset$, $replace^i = 0$.
Otherwise S1 selects a random element $r \in Z_p^*$ and outputs $Y_P^i = r$, $Y_U^i = \emptyset$, $replace^i = 1$.
Correctness and Security
The input distributions to (U1', U2') in the real and ideal experiments are computationally indistinguishable.
In the ideal experiment, the inputs are chosen uniformly at random.
Correctness and Security
In the real experiment, each part of each query T makes to any one program is first independently re-randomized, where the re-randomization factors are either truly random or computationally indistinguishable from random (the assumption on the EBPV generator):
$U_1(d, w) \to w^d,\ U_1(c, f) \to f^c,\ U_1(t_1/r_1, g^{r_1}) \to g^{t_1},\ U_1(t_2/r_2, g^{r_2}) \to g^{t_2}$.
$U_2(e, w) \to w^e,\ U_2(c, h) \to h^c,\ U_2(t_1/r_1, g^{r_1}) \to g^{t_1},\ U_2(t_2/r_2, g^{r_2}) \to g^{t_2}$.
Correctness and Security
Three possible scenarios to consider.
If (U1', U2') behave honestly in the i-th round: $EVIEW^i_{real} \sim EVIEW^i_{ideal}$. In the real experiment $T^{(U_1', U_2')}$ perfectly executes Exp; in the ideal experiment S1 chooses not to replace the output of Exp.
If one of (U1', U2') gives an incorrect output in the i-th round: both T and S1 detect it with probability ½, resulting in an output of "ERROR".
Correctness and Security
Three possible scenarios to consider (continued).
Otherwise (U1', U2') actually succeed in corrupting the output of Exp. In the real experiment, the four real outputs are multiplied together along with a random value, giving a corrupted output of Exp that looks random to E.
In the ideal experiment, S1 replaces the output of Exp with a random value exactly when an attempt to cheat by (U1', U2') would have gone undetected by T in the real experiment.
Correctness and Security
S2 is similar to S1.
S2 makes four random queries of the form $(\alpha_j \in Z_q, \beta_j \in Z_p^*)$ to both U1' and U2'.
In the real experiment, T always re-randomizes its inputs to (U1', U2') using six Rand 1 pairs.
In the ideal experiment, S2 always creates random, independent queries for (U1', U2').
Correctness and Security
Even when one of (U1', U2') behaves dishonestly in the i-th round, $EVIEW^i_{real} \sim EVIEW^i_{ideal}$ and $UVIEW^i_{real} \sim UVIEW^i_{ideal}$.
By a hybrid argument over the rounds, $EVIEW_{real} \sim EVIEW_{ideal}$ and $UVIEW_{real} \sim UVIEW_{ideal}$.
Analysis
In the one-malicious model, the above algorithms (T, (U1, U2)):
are an O(lg² n / n)-efficient implementation of Exp;
are a ½-checkable implementation of Exp;
hence are an (O(lg² n / n), ½)-outsource-secure implementation of Exp.