Advances in Securely Outsourcing Computation

Transcription

1 Advances in Securely Outsourcing Computation Xiaofeng Chen December, 2017

2 Agenda Cloud Computing Verifiable Computation Secure Outsourcing of Scientific Computations Secure Outsourcing of Cryptographic Operations Verifiable Database with Updates (VDB) Future Works

3 1. Cloud Computing Cloud computing realizes the long dream of computing as a service. The users with resource-constraint devices can enjoy the unlimited computing resources in a pay-per-use manner. On-demand self-service Ubiquitous network access Location independent resource pooling Rapid resource elasticity Usage-based pricing Outsourcing 3

4 Outsourcing paradigm You want to eat a fish = You need to be a fisherman (NEVER!) You travel by air = You buy a boing 737 (NEVER!) Cloud computing facilitates outsourcing computation. Outsourcing computation paradigm: the clients with resource-constraint devices can outsource the heavy computation workloads into the cloud server. require only one round of interaction between the client and the server. Outsourcing computation also suffers from some new security challenges. secrecy checkability efficiency 4

5 Outsourcing computation architecture 5

6 Security model Who is the adversary: the untrusted server(s) Honest but curious Lazy but honest One-malicious of two untrusted program Refereed delegation of computation Fully malicious (dishonest, curious, lazy )- strongest 6

7 How to achieve secrecy? Encryption (partial solution)+ blinding Blinding can preserve some inherent property of operations. It requires different logic division and blinding techniques. FHE is inefficient and not practical for real-world applications. 7

8 How to achieve checkability? How to verify the result of a malicious server? Some programming error Intentionally send a computational indistinguishable (random) result due to financial reasons 8

9 How to achieve checkability? Three kinds of checkability (verifiability): Inversion of one way function problems: F: given y=f(x), compute x, where f is a one-way function. Verification is trivial: verification is just compute f(x)=? y 9

10 How to achieve checkability? Three kinds of checkability (verifiability): Multiple (non-colluding) servers : given the test queries to (at least two) servers, verification is trivial and equals to check whether the two outputs are equal? f(x)_1 =? f(x)_2 (This is a probabilistic algorithm!) Note: This idea is a little similar to prisoner's dilemma in game theory. 10

11 Prisoner s Dilemma A B Case 1: A (Yes); B (Yes); Both are 30 years in prison Case 2: A (No); B (No); Both set free (Best choice) Case 3: One (Yes); The other (No); Yes: 10 years; No: 50 years in prison 11

12 How to achieve checkability? Three kinds of checkability (verifiability): One malicious server: verifiable computation The server needs to provide some auxiliary proof to support result verification ( It requires different kinds of knowledge proof techniques.) 12

13 How to achieve efficiency? Verification must be efficient The (non-interactive) proof verification is efficient (esp. the 3 rd case) Computational resources, storage resources, communication resources, etc. The verification requires less resources than the computation task itself! 13

14 Research status Theoretical community: scientific computation such as matrix multiplications (inversion), quadrature, linear equations (programming), sequence comparisons Cryptographic community: wallet with observers, bilinear pairing, modular exponentiations, OABE, OABS, inversion one-way function Verifiable computation: will be given later 14

15 2. Verifiable Computation A protocol between client and the untrusted server; C: a function and some input ; S: outputs and some proof; It mainly focus on the 3 rd case of outsourcing computations Though C is resources-constrained, it is allowed to perform one-time expensive setup phase (offline; pre-computation) 15

16 Formal definitions A verifiable computation scheme VC = (KeyGen, ProGen, Compute, Verify) consists of the four algorithms defined below. 1. KeyGen f, n PK, SK : Based on the security parameter n, the randomized key generation algorithm generates a public/secret key pair for the function f. The public key is provided to the server, while the client keeps the matching secret key private. 2. ProbGen SK x σ x, τ x The problem generation algorithm uses the secret key SK to encode the function input x as a public value σ x which is given to the server, and a secret value τ x which is kept private by the client. 3. Compute PK σ x σ y Using the client s public key for f and the encoded input, the server computes an encoded version of the function s output y = f x. 4. Verify SK τ x y Using the secret key SK and the secret decoding value τ x, the verification algorithm converts the worker s encoded output into the output of the function, e.g., y = f x or output indicating that σ y does not represent the valid output of f on x. 16

17 Security properties Correct: the value and proof generated by the honest server can be always verified successfully and accepted by the client. honest server results in valid result and proof Secure: a malicious server cannot convince a verifier to accept an invalid output dishonest server results in invalid result and proof Efficient: the verification should not be involved in plenty of expensive resources (computation, storage, communication) For real-world applications Three properties of ZKP: Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover. Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability. Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. 17

18 State-of-the-art research Gennaro et al. firstly introduce and formalize the notion of verifiable computing. Crypto 10 This work is suitable for any function (will be encoded by Boolean circuit) Theoretically, no more research work is needed (totally solved!). FHE is a building block! Inefficient for practical applications. 18

19 State-of-the-art research Specific problems require specific trick to design efficient schemes. VC for very large datasets Crypto 11 Memory delegation Crypto 11 VC for large polynomials and matrix computations CCS 12 VC for multi-function TCC 12 VC for quadratic polynomials CCS 13 Making argument systems for outsourced computation practical NDSS 12 Taking proof-based verified computation a few steps closer to practicality USENIX

20 3. Secure Outsourcing of Scientific Computations It has proved it is impossible to securely outsourcing an exponential computation while locally doing only polynomial computations [1]. It is meaningful only to consider outsourcing expensive polynomial computations. Matrix multiplication Matrix inversion Large-scale system of linear equations Matrix determinant Linear programming [1] M. Abadi, J. Feigenbaum, and J. Kilian. On hiding information from an oracle. Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), pp ,1987. DOI: /

21 Secure outsourcing of large-scale Problem : linear equations systems To solve a large-scale system of linear equations Ax = b. due to the lack of computing resources, it is infeasible for C to carry out such expensive computation as O n ρ (2 < ρ 3) locally. outsource the computation workloads to S in pay-per-use manner. Goals : A, x, b should be privacy and protected. efficient 21

22 Secure outsourcing of large-scale linear equations systems Atallah s scheme [2] C selects a random matrix B and a random number j {1, 2,, n}. Replace the jth column of B by b, i.e. B = [B 1,, B j 1, b, B j+1,, B n ] C generates three matrices P 1, P 2, P 3 using the same method as before. C computes A = P 1 AP 1 2 and B = P 1 BP 1 3. S solve the linear system A X = B and obtains X = P 2 A 1 BP C computes X = P 2 XP 3 = A 1 B. The answer x is the jth column of X, i.e., x = X j. Note: This scheme uses the interactive matrix inversion as a building block! [2] M.J. Atallah, K.N. Pantazopoulos, J.R. Rice, and E.H. Spafford. Secure outsourcing of scientific computations. Advances in Computers. Vol. 54, pp ,2001. DOI: /s (01)80019-x. 3, 19, 20, 22, 23 22

23 Secure outsourcing of large-scale linear equations systems PK, SK = (n, (M, N, r)) I. compute: c = Ar + b d = Mc T = MAN II. compute: x = Ny r T, d y Ty = d We have: Ty = MAN N 1 x + r = MA x + r = Mc = d Advantages: One round in come-and-go manner. Since M, N are sparse matrices, the computation complexity is O n 2 locally. C can detect the misbehavior of S with the probability 1. 23

24 4. Secure Outsourcing of Cryptographic Operations By far, there are two kinds of secure and efficient numbertheoretic-based cryptographic systems. Integer-factorization-based system (RSA) Discrete-logarithm-based system (ElGamal, ECC) Require powerful but prohibitively expensive operations Exponentiation modulo a large integer (RSA, ECC) Bilinear pairings (ID-based encryption scheme, short signature scheme) Hence, we mainly focus on how to securely outsource such expensive cryptographic operations! 24

25 Secure outsourcing exponentiation Secure outsourcing of single modular exponentiation Problem: u a mod p Requirement: the inputs and outputs of outsourcing algorithm (u, a, u a ) should be protected. Secure outsourcing of simultaneous modular exponentiation Problem: u 1 a u 2 b mod p (chameleon hashing and trapdoor commitment) Requirement: the inputs and outputs of outsourcing algorithm (u 1, a, u 2, b, u 1 a u 2 b ) should be protected 25

26 Secure outsourcing of single modular exponentiation The first scheme proposed by Hohenberger et al. [3] Use random blinding factors to logically split the inputs into two random-looking pieces for two untrusted servers. Require one-time expensive computations for C in pre-processing phase. Our proposed scheme [4] Superior to [3] both in efficiency and checkability Main idea is similar to prisoner s dilemma [3] S. Hohenberger and A. Lysyanskaya. How to securely outsource cryptographic computations. Theory of Cryptography, LNCS 3378, pp , Springer, DOI: / _15. 4,5,7,30,34,35,36,38,40 [4] X. Chen, J. Li, J. Ma, Q. Tang and W. Lou. New algorithms for secure outsourcing of modular exponentiations. ESORICS, LNCS 7459, pp , Springer, DOI: / _31.3,33,35,38,39 26

27 Secure outsourcing of single Our proposed algorithm Exp: I. Setup: C create two blinding pairs (α, g α ), (β, g β ). Denote v = g α mod p and μ = g β mod p. II. Logical divisions: III. modular exponentiation v = g α u a = (vw) a = g aα w a = g β g γ w a mod p (w = u v mod p, γ = aα β mod q) u a = g β g γ w a = g β g γ w k+l = g β g γ w k w l mod p ( l = a k mod q ) Rand C obtain three pairs (t 1, g t 1), (t 2, g t 2),(t 3, g t 3). V. Check g t 2=S 1 t 2 t 1, g t 1 =S 2 t 2 t 1, g t 1 and S 1 γ t 3, g t 3 =S 2 γ t 3, g t 3 If yes, C can compute u a = μg γ w k w l If not, C outputs error! IV. Query t 2 t 1, g t 1 γ t 3, g t 3 l, w t 2 t 1, g t 1 γ t 3, g t 3 k, w g t 2, g γ, w l g t 2, g γ, w k S 1 S 2 Note: in the one-malicious model, the equation S 1 both S 1 amd S 2 produce the correct g γ! γ t 3, g t 3 =S 2 γ t 3, g t 3 implies 27

28 Comparison of the two algorithms Algorithm[3] Algorithm[4] MM 9 7 MInv Checkability Single modular exponentiation Algorithm[3] Algorithm[4] MM 9 10 MInv Checkability Simultaneous modular exponentiation 28

29 Our Recent Papers Xiaofeng Chen, Jin Li, Jianfeng Ma, Qiang Tang, Wenjing Lou, New Algorithms for Secure Outsourcing of Modular Exponentiations,IEEE Transactions on Parallel and Distributed Systems, 25(9), , Xiaofeng Chen, Jin Li, Xinyi Huang, Jingwei Li, Yang Xiang, Duncan Wong. Secure Outsourced Attribute-based Signatures. IEEE Transactions on Parallel and Distributed Systems, 25(12): , Xiaofeng Chen, Xinyi Huang, Jin Li, Jianfeng Ma, Wenjing Lou, and Duncan S. Wong, New Algorithms for Secure Outsourcing of Large-scale Systems of Linear Equations, IEEE Transactions on Information Forensics and Security, 10(1), 69-78, Xiaofeng Chen, Jin Li, Willy Susilo, Efficient Fair Conditional Payments for Outsourcing Computations, IEEE Transactions on Information Forensics and Security, 7(6), , Xiaofeng Chen, Willy Susilo, Jin Li, Duncan S Wong, Jianfeng Ma, Shaohua Tang, Qiang Tang, Efficient Algorithms for Secure Outsourcing of Bilinear Pairings, Theoretical Computer Science, 562: , Haixin Nie, Xiaofeng Chen, Jin Li, Joseph Liu, Wenjing Lou, Efficient and Verifiable Algorithm for Secure Outsourcing of Large-scale Linear Programming. AINA 2014: (Best Paper Award) Jin Li, Jingwei Li, Xiaofeng Chen, et al., Identity-based Encryption with Outsourced Revocation in Cloud Computing. IEEE Transactions on Computers, 64(2): ,

30 5. Verifiable Database (VDB) A special kind of verifiable computing (storage) Benabbas et al. proposed the notion of VDB Verifiable delegation of computation over large datasets (Crypto 11) x, v x x, v v Client Server 30

31 Static Database x ; v; Sig (v) x v, Sig (v) Client Server Sig (v) can not be forged!! 31

32 Dynamic Database (Updatable) x; v; Sig (v) Client x v, Sig (v) Server Problem: How to revoke the signature for previous data record? Paradox: If so, the client have to keep track of every change locally. Why outsourcing? If not, a malicious can utilize the previous (valid) database records and corresponding signatures to respond the current query of the client without being detected (Backward Substitution updates attack). 32

33 Verifiable Database with Updates How to design efficient VDB? Previous works requires either some non-constant size assumptions or expensive operations; q-strong Diffie-Hellman assumption re-shuffling procedures 33

34 Verifiable Database with Updates Why standard assumption is good? IF related ones: IF ; RSA; Strong-RSA; DL related ones: DL; CDH; DDH;» Bilinear pairings related ones 34

35 Benabbas-Gennaro-Vahlis Construction BGV construction is the first practical solution in the bilinear groups with composite order (Crypto 11); The solution is based on verifiable delegation of polynomials (subgroup membership assumption); It cannot support public verifiability; 35

36 Catalano-Fiore Construction The second practical construction (PKC 2013); It is based on a primitive called vector commitment; The specific constructions based on standard assumptions; Compare with BGV construction, it only uses the bilinear groups with prime order; It can support public verifiability The private key of client is not involved in the updating; Surprising it is empty! It is good or bad? 36

37 New Construction for VDB Our main contribution Catalano-Fiore Construction may suffer from the Forward Automatic Update (FAU) attack; Propose a new framework that is public verifiable and secure against FAU attack; Present a concrete construction based on Squ- CDH assumption (equals to CDH assumption) 37

38 The adversary (just as the real client) can update the database in a forward and automatic manner; Forward means that the updating is based on the latest database (new update!). We also defined Backward Substitute Update attack Automatic means that the updating can be performed at any time and any steps. V 1 FAU attack V L+1 V 0 V i V L 38

39 Why it suffers from FAU attack The secret key in Catalano-Fiore Construction is not involved in the updating. More precise, the secret key of client is empty. Why? In crypto 11 construction, secret key is used for updating and verification (thus private verifiability); Guess: no private key, verification is performed only using the public key? Thus support public verifiability. Anyone can update the database (especially the server)! 39

40 Paradox Using SK: cannot support public verifiability Not using SK: cannot resist FAU attack How to solve this paradox? SK must be used in update; Signature can be used but not enough (needs revoke?) 40

41 Our Main Idea Commitment binding technique: (After T times update ) it is difficult to forge a new BLS signature! Public key (last time) binding Public key (current) BLS signature Counter Database (current) Recursion definition for PK 41

42 Our Main Idea Commitment binding technique: (After T times update ) The definition for T = 0 (setup phase): This results in a general construction for VDB. 42

43 VDB with Incremental Updates The data record (plaintext) undergoes frequent while small (e.g., only some bits) modifications; The previous solution requires to re-compute and update the ciphertext from scratch each time; it is meaningful to seek for efficient constructions for VDB with incremental updates (Inc-VDB); re-computing and updating the ciphertext in both incremental algorithms, rather than from scratch. 43

44 Motivation File blocks Incremental cryptography m 1... m i... m n Encrypt c 1... c i... c n m 1... m' i... m n Encrypt c 1... c' i... c n m' 1... m' i... m' n Encrypt c' 1... c' i... c' n Distributed updates problem! 1. The existing incremental schemes could not solve the distributed updates problem. 2. The update algorithm of VDBs are not incremental, and the client needs to re-compute new updated token from scratch each time. 44

45 Our main contribution Introduce the notion of verifiable database with incremental updates (Inc-VDB). Propose a general Inc-VDB framework by incorporating the primitive of vector commitment and the encrypt-then-incremental MAC mode of encryption; Introduce a new property called accountability for VDB schemes. 45

46 Formal Definition of Inc-VDB Definition 4. A verifiable database scheme with incremental updates Inc VDB = (Setup, Query, Verify, Inc Update) consists of the four algorithms defined below. 1. Setup 1 k, DB : On input the security parameter k, the setup algorithm is run by the client to generate a secret key SK to be secretly stored by the client, and a public key SK that is distributed to all users (including the client itself) for verifying the proofs. 2. Query PK, x : On input an index x, the query algorithm is run by the server, and returns a pair τ = (v, π). 3. Verify(PK/SK, x, τ): The public/private verification algorithm outputs a value v if τ is correct with respect to x, and an error otherwise. 4. Inc Update(SK, x, v ): In the update algorithm, the client utilizes the secret key SK to compute a new token t x from the previous one in an incremental manner rather than computing it from scratch. Then, the client sends the pair t x, v to the server. If the token t x is valid, the server uses v to update the database record in index x, and t x to incrementally update the public key PK. 46

47 Our Main Idea 47

48 Server side efficiency: Our Main Idea The server only needs to compute π x once for the first query on index x. Incremental Signature: The client computes: Send to the server Private key of client The server compute: Private key of server 48

49 Public verifiability: Our Main Idea 1. The proof consists of the (BLS) signature of the client and opening of the vector commitment; 2. Both of them can be verified (only) with the public key; 3. The client needs not store the changes locally or revoke the signature 4. We can use a verifiable random function to achieve private verifiability. Reduce the client storage overhead: 1. The number of T x is dependent of q, it is highly undesirable when q becomes very large. 2. Apply vector commitment over commitments. 49

50 Our Recent Paper Xiaofeng Chen, Jin Li, Xinyi Huang, Jianfeng Ma, Wenjing Lou, New Publicly Verifiable Databases with Efficient Updates, IEEE Transactions on Dependable and Secure Computing, 12(5), , Xiaofeng Chen, Jin Li, Jian Weng, Jianfeng Ma, Wenjing Lou, Verifiable Computation over Large Database with Incremental Updates, ESORICS 2014, LNCS 8712, , IEEE Transactions on Computers, 65(10), ,

51 6. Future Works How do we achieve the CCA2 security for the inputs in outsourcing paradigm? Is it possible to find an efficient algorithm for securely outsourcing the cryptographic operations by only an untrusted server? How to construct efficient VDB schemes supporting all kinds of update operations? How to prove (not only detect ) the misbehavior of an untrusted server in the multiple results of outsourcing computations? 51

52 Thank you & questions? 52