Cryptography for Cloud Storage Service
Kaoru Kurosawa Ibaraki University, Japan
CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia
Cloud Storage Service
• (or online storage service)
• is now available on a commercial basis.
• Big Internet enterprises such as Google, Amazon, Yahoo are providing these services.
The Advantages are
• Companies need only pay for the storage they actually use
• Companies do not need to install physical storage devices in their own data center
• Storage maintenance tasks, such as backup, are offloaded to the responsibility of a service provider
In Japan
• After the big earthquake last year, many local governments are considering using cloud storage service to store their important data which includes the original copy of family registers.
But Potential Threats
• The number of people with access to the data who could be compromised (bribed, or coerced) increases dramatically.
• It is possible for other customers to access your data, sometimes because of human error, faulty equipment, a bug or criminal intent.
In the store phase,
• A client stores encrypted files (or documents) on a server
Client → Server: E(D1), ⋯, E(DN)
In the search phase,
• The client sends an encrypted keyword to the server
Client → Server: E(keyword)
The server somehow returns
• The encrypted files E(D3), E(D6), E(D10) which contain the keyword
Client → Server: E(keyword)
Server → Client: E(D3), E(D6), E(D10)
So the client can
• retrieve some of the encrypted files
• which contain a specific keyword,
• keeping the keyword secret
Client → Server: E(keyword)
Server → Client: E(D3), E(D6), E(D10)
By Passive Attack
• A malicious server breaks the privacy
• She tries to find the keyword and the documents
Client → Malicious Server: E(keyword)
Malicious Server → Client: E(D3), E(D6), E(D10)
By Active Attack
• A malicious server breaks the reliability
• She tries to forge/delete some files,
• or replace E(D3) with another E(D100).
Client → Malicious Server: E(keyword)
Malicious Server → Client: E(D100), E(D6), E(D10) (E(D3) replaced by E(D100))
The security against passive attacks has been studied by several researchers.
• Song, Wagner, Perrig
• Goh
• Bellovin and Cheswick
• Chang and Mitzenmacher
Finally
• Curtmola, Garay, Kamara and Ostrovsky
• showed a rigorous definition of security against passive attacks.
• They also gave a scheme which satisfies their definition.
In this talk
(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme
Outline of this talk
(1) Curtmola et al.'s scheme
(2) Our UC-secure scheme
(3) Our theoretical results
Curtmola et al.
showed a scheme such as follows. (It is secure against passive attacks.)
Consider the following “Index”:
keyword      Documents
Austin       D3, D6, D10
Boston       D8, D10
Washington   D1, D4, D8
The client first constructs E(Index)
• as follows.
• He first chooses a pseudorandom permutation π.
He next computes
• π(Austin, 1), π(Austin, 2) and π(Austin, 3),
• and writes the indexes (3, 6, 10) in these addresses
E(Index):
Address          Content
π(Austin, 1)     3
π(Austin, 2)     6
π(Austin, 3)     10
Do the same for each keyword
E(Index):
Address          Content
π(Austin, 1)     3
π(Austin, 2)     6
π(Austin, 3)     10
π(Boston, 1)     8
π(Boston, 2)     10
In the search phase,
• The client sends
Client → Server: t(Austin) = ( π(Austin, 1), π(Austin, 2), π(Austin, 3) )
The server sees that the corresponding indexes are 3, 6, 10
(the contents of E(Index) at the addresses π(Austin, 1), π(Austin, 2), π(Austin, 3))
Hence the server can return
Client → Server: π(Austin, 1), π(Austin, 2), π(Austin, 3)
Server → Client: E(D3), E(D6), E(D10)
A naive approach is to add a MAC to each E(Di)
Client → Server: π(Austin, 1), π(Austin, 2), π(Austin, 3)
Server → Client: E(D3), MAC(E(D3)), E(D6), MAC(E(D6)), E(D10), MAC(E(D10))
The server returns these files together with their MACs
But a malicious server will
Client → Malicious Server: π(Austin, 1), π(Austin, 2), π(Austin, 3)
Malicious Server → Client: E(D3), MAC(E(D3)), E(D6), MAC(E(D6)), E(D10), MAC(E(D10))
Replace some pair with another pair E(D100), MAC(E(D100))
The client cannot detect this cheating
Client → Malicious Server: π(Austin, 1), π(Austin, 2), π(Austin, 3)
Malicious Server → Client: E(D100), MAC(E(D100)), E(D6), MAC(E(D6)), E(D10), MAC(E(D10))
Because (E(D100), MAC(E(D100))) is itself a valid (message, MAC) pair
The proposed scheme
We include π(Austin, 1) in the input of the MAC. So the server returns
Client → Server: π(Austin, 1)
Server → Client: E(D3), Tag3 = MAC(π(Austin, 1), E(D3))
This method works
Client → Server: π(Austin, 1)
Server → Client: E(D3), Tag3 = MAC(π(Austin, 1), E(D3))
Because the MAC binds the query and the answer pair
More precisely,
• The client writes such MAC values in E(Index), and stores it on the server
E(Index):
Address          Content
π(Austin, 1)     3, tag3 = MAC( π(Austin, 1), E(D3) )
π(Austin, 2)     6, tag6 = MAC( π(Austin, 2), E(D6) )
π(Austin, 3)     10, tag10 = MAC( π(Austin, 3), E(D10) )
For a query π(Austin, 1), the server looks up E(Index) and returns E(D3) and tag3 = MAC( π(Austin, 1), E(D3) )
The client checks the validity of tag3 = MAC( π(Austin, 1), E(D3) ) against π(Austin, 1) and E(D3).
The details are written in the paper.
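The two tag formats just compared, as an added example that is not part of the talk or the paper: a client-side check for the naive tag MAC(E(Di)) and for the proposed tag MAC(π(keyword, i), E(Di)), each run against an honest answer and against a server that returns the pair it stores for D100 in place of the pair for D3. HMAC-SHA256 stands in for both the MAC and the PRP π, and the keys, ciphertexts and index entries are constructed stand-ins; none of these choices is fixed by the talk.

```python
import hashlib
import hmac

# Constructed sample keys standing in for the client's secret key; not values from the talk.
K_MAC = b"constructed-mac-key"
K_PRP = b"constructed-prp-key"


def mac(key, *parts):
    """MAC over a length-prefixed concatenation of parts (HMAC-SHA256 here)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def addr(keyword, i):
    """pi(keyword, i): the talk's pseudorandom permutation; a keyed PRF output stands in for it."""
    return mac(K_PRP, keyword.encode(), i.to_bytes(4, "big"))


def make_tag(scheme, address, ct):
    """'naive' tags the ciphertext alone; 'bound' also covers the address it is stored at."""
    return mac(K_MAC, ct) if scheme == "naive" else mac(K_MAC, address, ct)


def build_store(index, ciphertexts, scheme):
    """Client, store phase: put (E(D_idx), tag) under address pi(w, i) for each keyword w."""
    store = {}
    for w, ids in index.items():
        for i, idx in enumerate(ids, start=1):
            a = addr(w, i)
            store[a] = (ciphertexts[idx], make_tag(scheme, a, ciphertexts[idx]))
    return store


def client_accepts(scheme, address, ct, tag):
    """Client, search phase: recompute the tag for the query address and compare in constant time."""
    return hmac.compare_digest(tag, make_tag(scheme, address, ct))


def run(scheme, honest):
    """Whether the client accepts the server's answer to the query pi(Austin, 1).
    honest=False models the talk's server that returns the stored pair for D100 instead."""
    # Constructed stand-ins for the ciphertexts E(D3), E(D6), E(D10), E(D100).
    ciphertexts = {3: b"E(D3)", 6: b"E(D6)", 10: b"E(D10)", 100: b"E(D100)"}
    index = {"Austin": [3, 6, 10], "Boston": [100]}
    store = build_store(index, ciphertexts, scheme)
    query = addr("Austin", 1)
    ct, tag = store[query] if honest else store[addr("Boston", 1)]
    return client_accepts(scheme, query, ct, tag)
```

Under the naive scheme the substituted pair verifies, because the tag was never tied to the query it is answering; under the bound scheme the same pair is rejected, since the client recomputes the tag with the address it actually sent.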
Another Subtle Point
• If 3 appears many times in E(Index),
• the adversary sees that
• D3 includes more keywords than the other documents.
E(Index) =
3, tag3 = MAC( π(Austin, 1), E(D3) )
6, tag6 = MAC( π(Austin, 2), E(D6) )
10, tag10 = MAC( π(Austin, 3), E(D10) )
(and 3 again in the entries of the other keywords)
Hence
• the index i of each Di should appear the same number of times.
• Curtmola et al. didn't show such a method.
We solve this problem as follows
Suppose that there are 5 documents and
Index:
keyword      Documents
Austin       D1, D2
Boston       D3, D4
Washington   D5
E(Index) is constructed by permuting them randomly by using a PRP π as follows.
address            content
π(0, Austin, 1)    1
π(0, Austin, 2)    2
π(0, Austin, 3)    dummy
π(0, Austin, 4)    dummy
π(0, Austin, 5)    dummy
π(1, Austin, 1)    dummy
π(1, Austin, 2)    dummy
π(1, Austin, 3)    3
π(1, Austin, 4)    4
π(1, Austin, 5)    5
In the search phase, the client sends π(0, Austin, *) to the server.
The server returns the corresponding contents.
Now each i ∈ {1,2,3,4,5} appears once for each keyword in E(Index).
Our theoretical results
(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme
The client next chooses
D = {set of documents} = {D1, …, DN} and W = {set of keywords}
and computes, by using the Enc algorithm with key K,
C = { E(D1), ⋯, E(DN) } and I = E(Index).
Then the client sends C = { E(D1), ⋯, E(DN) } and I = E(Index) to the server.
In the search phase,
the client chooses a keyword and, by using the Trapdoor algorithm with key K, computes
t(keyword) = [π(0, Austin, 1), …, π(0, Austin, N)]
The server receives t(keyword) and, by using the Search algorithm on C = { E(D1), ⋯, E(DN) } and I = E(Index), computes
C(keyword) = { E(D3), E(D6), E(D10) } and Tag
Ex. the keyword is included in D3, D6 and D10.
Then the server returns C(keyword) = { E(D3), E(D6), E(D10) } and Tag to the client.
Then the client runs the Verify algorithm with key K on input
t(keyword), C(keyword) = { E(D3), E(D6), E(D10) } and Tag,
which outputs Accept or Reject.
If Accept, the client decrypts C(keyword) = { E(D3), E(D6), E(D10) } by using Dec with key K
and obtains the documents D3, D6, D10 which contain the keyword.
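A complete store, search, verify and decrypt round of the scheme just walked through (Enc, Trapdoor, Search, Verify, Dec), including the dummy padding from the 5-document slides, as an added example that is not the paper's own code. It assumes HMAC-SHA256 as the PRF behind both π(bit, keyword, i) and the MAC, a PRF in counter mode as a stand-in for the CPA-secure E, and an index entry stored as (document index or dummy, tag) where the tag covers the address, the entry and the named ciphertext; keys and documents are constructed. Beyond the slides' single query it also checks the padding property for every keyword, and shows Verify rejecting an answer in which the server has swapped one ciphertext for another it holds.

```python
import hashlib
import hmac
import os

# Constructed sample keys (the client's secret key K of the talk); not values from the paper.
K_ENC = b"constructed-enc-key"
K_PRP = b"constructed-prp-key"
K_MAC = b"constructed-mac-key"
DUMMY = b"dummy"

def prf(key, *parts):
    """Keyed PRF over a length-prefixed concatenation of parts (HMAC-SHA256)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def _ctr_xor(nonce, data):
    stream = b"".join(prf(K_ENC, nonce, n.to_bytes(4, "big")) for n in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def enc(plaintext):
    """E(D): the PRF in counter mode under a fresh 16-byte nonce, standing in for a CPA-secure cipher."""
    nonce = os.urandom(16)
    return nonce + _ctr_xor(nonce, plaintext)

def dec(ct):
    return _ctr_xor(ct[:16], ct[16:])

def addr(bit, keyword, i):
    """pi(bit, keyword, i): the talk's PRP; a PRF output stands in for it here."""
    return prf(K_PRP, bytes([bit]), keyword.encode(), i.to_bytes(4, "big"))

def tag(address, entry, ct):
    """MAC bound to the address the entry sits at, so an answer cannot be moved to another query."""
    return prf(K_MAC, address, entry, ct)

def build(docs, index):
    """Store phase (Enc_K). docs: {i: plaintext}; index: {keyword: [i, ...]}. Slot (0, w, i) holds i when
    D_i contains w, else dummy; slot (1, w, i) is the complement, so each i appears once per keyword."""
    C = {i: enc(d) for i, d in docs.items()}
    N = len(docs)
    I = {}
    for w, ids in index.items():
        for i in range(1, N + 1):
            for bit in (0, 1):
                real = (i in ids) == (bit == 0)
                a = addr(bit, w, i)
                entry = i.to_bytes(4, "big") if real else DUMMY
                I[a] = (entry, tag(a, entry, C[i] if real else b""))
    return C, I

def trapdoor(keyword, N):
    """t(keyword) = [pi(0, keyword, 1), ..., pi(0, keyword, N)]."""
    return [addr(0, keyword, i) for i in range(1, N + 1)]

def search(C, I, t):
    """Server side: for each queried address return (entry, the ciphertext it names or b"", tag)."""
    answer = []
    for a in t:
        entry, tg = I[a]
        ct = b"" if entry == DUMMY else C[int.from_bytes(entry, "big")]
        answer.append((entry, ct, tg))
    return answer

def verify(t, answer):
    """Client side: Accept only if every returned triple carries the tag bound to its query address."""
    return len(t) == len(answer) and all(
        hmac.compare_digest(tg, tag(a, e, ct)) for a, (e, ct, tg) in zip(t, answer))

def decrypt_answer(answer):
    """Dec_K on an accepted answer: {document index: plaintext}, dummies dropped."""
    return {int.from_bytes(e, "big"): dec(ct) for e, ct, _ in answer if e != DUMMY}

def real_entries_per_keyword(I, keyword, N):
    """How often each document index appears in the keyword's 2N slots (the padding goal: once each)."""
    counts = {}
    for bit in (0, 1):
        for i in range(1, N + 1):
            entry, _ = I[addr(bit, keyword, i)]
            if entry != DUMMY:
                counts[int.from_bytes(entry, "big")] = counts.get(int.from_bytes(entry, "big"), 0) + 1
    return counts

def run_demo():
    docs = {i: f"document {i}".encode() for i in range(1, 6)}  # constructed, mirrors the 5-document slides
    index = {"Austin": [1, 2], "Boston": [3, 4], "Washington": [5]}
    C, I = build(docs, index)
    t = trapdoor("Austin", 5)
    honest = search(C, I, t)
    # A server that swaps D1's ciphertext for D3's (a valid ciphertext it holds) in the first slot.
    tampered = [(honest[0][0], C[3], honest[0][2])] + honest[1:]
    return {
        "padding_ok": all(real_entries_per_keyword(I, w, 5) == {j: 1 for j in range(1, 6)} for w in index),
        "honest_accepted": verify(t, honest),
        "recovered": decrypt_answer(honest),
        "tampered_accepted": verify(t, tampered),
    }
```

The server answers every one of the N addresses in t(keyword), dummies included, so it returns exactly N (entry, ciphertext, tag) triples no matter how many documents match; the client learns the matching set only after Verify accepts and Dec runs.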
Our theoretical results
(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme
The security against active attacks
• Consists of privacy and reliability
• We define privacy similarly to Curtmola et al.
• That is,
In the store phase,
Client → Server: E(D1), ⋯, E(DN), E(Index)
The server will learn |D1|, …, |DN| and |{keywords}| from what she received
In the search phase,
For t(keyword) the server returns C(keyword).
Client → Server: t(keyword)
Server → Client: C(keyword) = ( E(D3), E(D6), E(D10) ), Tag
This means that the server knows the corresponding indexes {3, 6, 10}
To summarize
The server learns
• |D1|, …, |DN| and |{keywords}|
• the indexes {3, 6, 10} which correspond to a queried keyword
The Privacy definition
• requires that the server should not be able to learn any more information
• To formulate this, we consider a real game and a simulation game
In the Real Game
Distinguisher → Client: D = {D1, …, DN}, W = {set of keywords}
Client → Distinguisher: C = { E(D1), ⋯, E(DN) }, I = E(Index)
In the Simulation Game
Distinguisher → (Simulator in place of the client): D = {D1, …, DN}, W = {set of keywords}
The Simulator receives only |D1|, …, |DN| and |{keywords}|
Simulator → Distinguisher: somehow computes C = { E(D1), ⋯, E(DN) }, I = E(Index)
Next
Distinguisher → (Simulator in place of the client): keyword
The Simulator receives only the corresponding indexes {3, 6, 10}
Simulator → Distinguisher: somehow computes t(keyword)
Definition of Privacy
• We say that a verifiable SSE satisfies privacy if
• there exists a simulator such that
• |Pr( b=1 in Real) - Pr( b=1 in Simulation)|
• is negligible for any distinguisher.
The Def. of Curtmola et al.
• Requires that
• for any distinguisher,
• there exists a simulator such that
• |Pr( b=1 in Real) - Pr( b=1 in Simulation)|
• is negligible.
In this definition, the simulator depends on the distinguisher.
Our definition
• is slightly stronger than that of Curtmola et al. because in our definition, the simulator is independent of the distinguisher.
• This small change is important when we prove the equivalence with the UC-security.
Next Reliability
The client sends t(keyword), and the honest server returns C(keyword) = { E(D3), E(D6), E(D10) } and Tag.
Client → Server: t(keyword)
Server → Client: C(keyword) = { E(D3), E(D6), E(D10) }, Tag
We say that C(keyword)* is invalid for t(keyword) if C(keyword)* ≠ C(keyword).
We say that Server* wins
if she can return (C(keyword)*, Tag*) for some t(keyword) such that
(1) C(keyword)* is invalid and
(2) The client accepts (C(keyword)*, Tag*)
Definition of Reliability
We say that a verifiable SSE satisfies reliability if Pr(Server* wins) is negligible for any Server*, any D = {set of documents}, any W = {set of keywords} and any queried keyword.
Our theoretical results
(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme
In General
Even if a protocol π is secure, it may not be secure
• if π is executed concurrently,
• or if π is a part of a larger protocol
(figure: Client 1 and Client 2 both interacting with the Server)
Universal Composability (UC)
is a framework which guarantees that
• A protocol π is secure
• Even if π is executed concurrently, and
• Even if π is a part of a larger protocol
The notion of UC
• was introduced by Canetti.
• He proved that UC-security is maintained under a general protocol composition.
In the UC framework
We consider a real world and an ideal world. In the ideal world, there exists an ideal functionality.
Real world: a protocol π        Ideal world: an ideal functionality Fπ
A protocol π is UC-secure if the real world is indistinguishable from the ideal world.
In our case, the ideal world looks like this
(figure: dummy client, ideal functionality FvSSE, environment Z, UC adversary S, dummy server)
First in the store phase
Z → dummy client: D = {D1, …, DN}, W = {set of keywords}
The dummy client relays them to FvSSE
dummy client → FvSSE: D = {D1, …, DN}, W = {set of keywords}
Our FvSSE sends |D1|, …, |DN|, |{keywords}| to the UC adversary S
FvSSE → S: |D1|, …, |DN|, |{keywords}|
Next in the search phase
Z → dummy client: keyword
The dummy client relays it to FvSSE
dummy client → FvSSE: keyword
Our FvSSE sends the corresponding indexes {3,6,10} to the UC adversary S
FvSSE → S: {3,6,10}
The UC adversary S returns Accept or Reject
S → FvSSE: Accept or Reject
If S returns Reject, our FvSSE sends Reject to the dummy client, and the dummy client relays it to Z
FvSSE → dummy client → Z: Reject
If S returns Accept, our FvSSE sends {D3,D6,D10} to the dummy client, and the dummy client relays them to Z
FvSSE → dummy client → Z: {D3,D6,D10}
So Z receives {D3,D6,D10} correctly or Reject
This is an ideal world
Because
(1) The dummy client receives {D3,D6,D10} which contain the keyword correctly, or receives Reject
(2) UC adversary S learns only |D1|, …, |DN|, |{keywords}| and the indexes {3,6,10} for a queried keyword
Further S can corrupt
(figure: dummy client, ideal functionality FvSSE, environment Z, UC adversary S, dummy server)
Also Z can interact with S freely
Z finally outputs 0 or 1
(figure: Client, Server, Environment Z)
Z → Client: D = {set of documents}, W = {set of keywords}
Then the client and the server run the store phase of a verifiable SSE protocol
Z → Client: keyword
The client and the server run the search phase of the verifiable SSE protocol
We say that
• A verifiable SSE protocol is UC-secure if for any adversary A, there exists a UC-adversary S such that
• no environment Z can distinguish the real world from the ideal world.
Our theoretical results
(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme
Equivalence
(Theorem) A verifiable SSE protocol is UC-secure if and only if it satisfies our definition of privacy and reliability.
Here we consider static adversaries.
This means that
The security of a verifiable SSE protocol is maintained under a general protocol composition
if it satisfies our privacy and reliability
(figure: Client 1 and Client 2 both interacting with the Server)
Our theoretical results
(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally prove our scheme is UC-secure
We assume that
• The encryption algorithm E is CPA secure
• MAC is unforgeable against chosen message attack.
Proof of privacy
• Suppose that there are 5 documents, and 3 keywords.
• We must show a simulator such that
In the store phase, Sim (in place of the client) receives |D1|, …, |D5| and |{keywords}| = 3
Then it must compute C = { E(D1), ⋯, E(D5) } and E(Index)
Our Sim computes C as C = { E(random), ⋯, E(random) }
Next Sim constructs E(Index) as a random permutation of this table
address        address        address
π(1)   1       π(11)  1       π(21)  1
π(2)   2       π(12)  2       π(22)  2
π(3)   3       π(13)  3       π(23)  3
π(4)   4       π(14)  4       π(24)  4
π(5)   5       π(15)  5       π(25)  5
π(6)   dummy   π(16)  dummy   π(26)  dummy
π(7)   dummy   π(17)  dummy   π(27)  dummy
π(8)   dummy   π(18)  dummy   π(28)  dummy
π(9)   dummy   π(19)  dummy   π(29)  dummy
π(10)  dummy   π(20)  dummy   π(30)  dummy
In the 1st column, Sim finds {1,3,5,dummy,dummy} and returns their addresses.
In the 2nd column, Sim finds {2,4,dummy,dummy,dummy} and returns their addresses.
This is indistinguishable from the real game
Sim (in place of the client) receives {2,4} and returns t(keyword) = [π(12), π(14), π(16), π(17), π(18)]
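The simulator of this privacy proof, as an added example that is not the paper's own code: it is given only the document lengths and the number of keywords at store time, and only the matching index set at query time, yet it produces a table of the shape above and trapdoors of the form [π(12), π(14), π(16), π(17), π(18)]. Assumptions not fixed by the talk: addresses and fake ciphertexts are random byte strings, each fake ciphertext is 16 bytes longer than the document to account for a nonce the real E would prepend, and the lengths, keyword count and seed are constructed.

```python
import os
import random


class Simulator:
    """Sim in the simulation game: it never sees D, W or the keyword, only the leakage
    |D1|, ..., |DN| and |{keywords}| at store time and the matching index set per query."""

    def __init__(self, doc_lengths, num_keywords, seed=None):
        self.rng = random.Random(seed)  # constructed seed; only for reproducible demos
        self.N = len(doc_lengths)
        # Fake ciphertexts E(random): random bytes of the leaked lengths (+16 assumed for a nonce).
        self.C = {i + 1: os.urandom(16 + n) for i, n in enumerate(doc_lengths)}
        # One column per keyword: N real entries 1..N and N dummies, each under a fresh random address.
        self.columns = []
        for _ in range(num_keywords):
            entries = list(range(1, self.N + 1)) + [None] * self.N
            self.rng.shuffle(entries)
            self.columns.append([(os.urandom(32), e) for e in entries])
        self.next_col = 0  # each query consumes the next unused column, as on the slides

    def simulated_index(self):
        """E(Index) as the server sees it: all columns merged and randomly permuted."""
        table = [slot for col in self.columns for slot in col]
        self.rng.shuffle(table)
        return table

    def simulated_trapdoor(self, leaked_indexes):
        """Given only the index set (e.g. {2, 4}), emit N addresses from the next column:
        the real entries for that set, padded with dummies, just like the real t(keyword)."""
        wanted = set(leaked_indexes)
        col = self.columns[self.next_col]
        self.next_col += 1
        real = [a for a, e in col if e in wanted]
        dummies = [a for a, e in col if e is None][: self.N - len(real)]
        t = real + dummies
        self.rng.shuffle(t)
        return t


def entries_revealed(table, t):
    """What the server learns from a trapdoor: the non-dummy entries at the queried addresses."""
    lookup = dict(table)
    return sorted(e for e in (lookup[a] for a in t) if e is not None)
```

Everything the server receives here is built from the leakage alone, which is exactly the claim of the proof: if the real view could be told apart from this one, the server would have learned something beyond the sizes and the matching index sets.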
Proof of reliability
• Suppose that there exists a Server* who can forge
Server* → Client: C(keyword)*, Tag*
• We show a forger A who can break the MAC by chosen message attack
• A runs Server* by playing the role of the client
• A uses his MAC oracle to compute X
MAC oracle → A: X
• We can show that A never queried C(keyword)* to the MAC oracle.
Preliminary version
• was presented at Financial Cryptography 2012
• The paper is available from the homepage of FC 2012