Homomorphic encryption (whiteboard)

Similar documents
Lecture 10, Zero Knowledge Proofs, Secure Computation

ZERO KNOWLEDGE PROOFS FOR EXACT COVER AND 0-1 KNAPSACK

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Attribute-based encryption with encryption and decryption outsourcing

Foundations of Cryptography CS Shweta Agrawal

Secure Multiparty Computation

Certificateless Public Key Cryptography

Notes for Lecture 24

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Remote Data Checking: Auditing the Preservation Status of Massive Data Sets on Untrusted Store

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Notes for Lecture 14

Zero-Knowledge Proofs of Knowledge

CSC 5930/9010 Modern Cryptography: Digital Signatures

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

More crypto and security

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

Secure Multiparty Computation

Multi-Theorem Preprocessing NIZKs from Lattices

Lecture 9: Zero-Knowledge Proofs

Zero Knowledge Protocol

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Lecture 6: ZK Continued and Proofs of Knowledge

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Cryptographic protocols

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Advanced Topics in Cryptography

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

REMOVE KEY ESCROW FROM THE IDENTITY-BASED ENCRYPTION SYSTEM

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Cryptographic proof of custody for incentivized file-sharing

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

1 A Tale of Two Lovers

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

A Procedural Based Encryption Technique for Accessing Data on Cloud

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Improving data integrity on cloud storage services

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Zero-Knowledge Proof and Authentication Protocols

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

CS549: Cryptography and Network Security

Lecture 5: Zero Knowledge for all of NP

Attribute Based Encryption with Privacy Protection in Clouds

Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations

Enhancing Reliability and Scalability in Dynamic Group System Using Three Level Security Mechanisms

An Exploration of Group and Ring Signatures

Zero-Knowledge Proofs

Study Guide for the Final Exam

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Efficient Data Storage Security with Multiple Batch Auditing in Cloud Computing

Bitcoin, Security for Cloud & Big Data

STRUCTURED EMINENT DYNAMIC AUDITING FOR SECURE DATA STORAGE IN CLOUD COMPUTING

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Homomorphic Encryption

CPSC 467b: Cryptography and Computer Security

DATA INTEGRITY TECHNIQUES IN CLOUD: AN ANALYSIS

Implementation of IBE with Outsourced Revocation technique in Cloud Computing

Crypto for Cloud and Blockchain

CSC 5930/9010 Cloud S & P: Cloud Primitives

Outline Key Management CS 239 Computer Security February 9, 2004

AoT: Authentication and Access Control for the Entire IoT Device Life-Cycle

Publicly-verifiable proof of storage: a modular construction. Federico Giacon

Proofs of Storage SENY KAMARA MICROSOFT RESEARCH

Public-key Cryptography: Theory and Practice

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

ENEE 459-C Computer Security. Security protocols (continued)

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

CS Computer Networks 1: Authentication

Kurose & Ross, Chapters (5 th ed.)

Delegating Auditing Task to TPA for Security in Cloud Computing

On the Security of a Certificateless Public-Key Encryption

DECENTRALIZED ATTRIBUTE-BASED ENCRYPTION AND DATA SHARING SCHEME IN CLOUD STORAGE

Research Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.

ENEE 459-C Computer Security. Security protocols

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Oblivious Signature-Based Envelope

Secure digital certificates with a blockchain protocol

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Attribute-Based Encryption. Allison Lewko, Microsoft Research

Cryptography and Cryptocurrencies. Intro to Cryptography and Cryptocurrencies

Key Escrow free Identity-based Cryptosystem

Better 2-round adaptive MPC

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Privacy Enhancing Technologies CSE 701 Fall 2017

A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Chapter 9: Key Management

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

DECENTRALIZED TRACEABLE ATTRIBUTE-BASED SIGNATURES

An IBE Scheme to Exchange Authenticated Secret Keys

Optimistic Fair Exchange in a Multi-User Setting

Transcription:

Crypto Tutorial Homomorphic encryption Proofs of retrievability/possession Attribute based encryption Hidden vector encryption, predicate encryption Identity based encryption Zero knowledge proofs, proofs of knowledge Short signatures Broadcast encryption Private information retrieval

Homomorphic encryption (whiteboard)

Proofs of Retrievability

Cloud storage Cloud Storage Provider Web server Storage server Pros: Low cost Easier management Enables sharing and access from anywhere Cons: Loose direct control Not enough guarantees on data availability Providers might fail Client

PORs: Proofs of Retrievability Client outsources a file F to a remote storage provider Client would like to ensure that her file F is retrievable The simple approach: client periodically downloads F; This is resource intensive! What about spot checking instead? Sample a few file blocks periodically If file is not stored locally, need verification mechanism (e.g., MACs for each file block) Probabilistic guarantees

Cloud Storage Provider Spot checking: preparation F B 1 B 4 B 7 MAC k [B 4 ] T 1 T 2 T 3 T 1 T 2 T 3 Client k

Spot checking: challenge response Cloud Storage Provider F B 1 B 4 B 7 T 1 T 2 T 3 Cons: it does not detect small corruption to the file Client k

Error correcting code Cloud Storage Provider F Parity blocks Corrects small corruption Client k

ECC + MAC Cloud Storage Provider F B 1 B 4 B 7 P 1 T 1 T 2 T 3 T 4 Parity blocks MACs over file and parity blocks Detect large corruption through spot checking Corrects small corruption through ECC Client k

Query aggregation Cloud Storage Provider F Parity blocks MACs over aggregation of blocks Challenge Response Client k

POR papers Proofs of Retrievability (PORs): Juels Kaliski 2007 Enables file recovery for small corruption and detection of large corruption Proofs of Data Possession (PDPs) Enables detection of large corruption of file Burns et al. 2007 Erway et al. 2009 Unlimited queries using homomorphic MACs: Shacham Waters, 2008; Ateniese, Kamara and Katz 2009 Fully general query aggregation in PORs Bowers, Juels and Oprea 2009; Dodis, Vadhan and Wichs 2009

Practical considerations Apply ECC to a large file (e.g., 4GB) is expensive One time operation Custom built code based on striping and Reed Solomon Encoding speed of up to 5 MB/sec (could be further optimized) Additional storage overhead due to ECC and pre computed MACs 10% (configurable) Challenge response based on spot checking Bandwidth and computationally efficient Challenge and response size on the order of up to 100 bytes Example Failure probability 10 6, 4GB file, 32 byte blocks 10% storage overhead Read 100 blocks in a challenge ( 3KB) Aggregation: linear combination of 100 blocks of size 32 bytes

Attribute based Encryption Predicate Encryption (with Hidden vector Encrytion)

Attribute Based Encryption Example: Encrypted files for untrusted storage User should only be able to access files if she has certain attributes/credentials Don t want to trust party to mediate access to files or keys Introduced by Sahai Waters 05

Key Policy vs. Ciphertext Policy Key policy: Message encrypted under set of attributes User keys associated with access structure over attributes Ciphertext policy: Message encrypted under access structure User keys associated with set of attributes

Key Policy ABE Algorithms: Setup > PK, SK Encrypt(PK, M, S) > CT KeyGen(SK, A) > TK A Query(TK A, CT) > M if S A, otherwise Goyal Pandey Sahai Waters 06, Ostrovsky Sahai Waters 07

Ciphertext Policy ABE Algorithms: Setup > PK, SK Encrypt(PK, M, A) > CT KeyGen(SK, S) > TK S Query(TK S, CT) > M if S A, otherwise Bethencourt Sahai Waters 07, Goyal Pandey Sahai Waters 08, Waters 08

Predicate Encryption Example: Mail server receives email encrypted under user s PK If email satisfies P, forward to pager If email satisfies P, discard Otherwise, forward to inbox Recipient gives server tokens TK P, TK P instead of full secret key SK

Predicate Encryption Algorithms: Setup > PK, SK Encrypt(PK, M, x) > CT KeyGen(SK, f) > TK f Query(TK f, CT) > M if f(x) = 1, otherwise Katz Sahai Waters 08: most expressive PE scheme

Hidden Vector Encryption HVE is PE with a specific class of predicates f Msgs associated with (x 1, x n ) Predicates defined by (a 1,,a n ) where a i s can be * ( don t care ) f (a1,,an) (x 1,,x n ) = 1 if a i = x i or a i = * for all i 0 otherwise HVE can be used to construct more sophisticated PE schemes

Predicate Encryption vs. ABE Predicate encryption similar to key policy ABE ABE hides message but does NOT hide attributes PE hides message AND attributes

Identity based encryption

Identity Based Encryption Public key encryption in which an individual's public key is their identity No need to look up someone's public key! No problems with untrusted keyservers No problems with fake public keys No setup required to communicate with a new person

Identity Based Encryption In a normal public key system, individuals generate their own public/secret key pair So in an IBE, if the public keys are fixed by the identity, how does one get the corresponding secret key? Trusted third party!

Identity Based Encryption Master setup: T runs MasterKeyGen(), gets (PK M, SK M ), and publishes PK M Individual setup: T runs KeyGen(SK M, ID A ), gets SK A, and gives SK A to A Encryption: Encrypt(ID A, PK M, m) = x Decryption: Decrypt(x, SK M ) = m The usual security definitions for public key encryption apply (given assumptions about T).

Identity Based Encryption Variants Hierarchical identity based encryption An individual can act as a trusted third party and distribute keys derived from their own secret End up with a hierarchy a tree of identities An individual can use their key to decrypt any message sent to any ID ultimately derived from their own, i.e. in their subtree Other identity based cryptography e.g. signatures

IBE References Boneh, Franklin Identity Based Encryption from the Weil Pairing (2001) Cocks An Identity Based Encryption Scheme Based on Quadratic Residues (2001) Gentry, Silverberg Hierarchical ID Based Cryptography (2002) Many others...(boneh/boyen 04, CHKP 10, Shamir 84,...)

Zero knowledge proofs Proofs of knowledge

Prelude: Commitment Allows Alice to commit to a value x to by giving c(x) to Bob Bob does not learn any information from c(x) When Alice has to reveal x, she cannot convince Bob that she committed to a different x

Zero Knowledge Proofs Prover P wants to convince verifier V that a statement is true...without giving V any of his secret information about the statement. So P and V engage in an interactive protocol. Basic idea: cut and choose P commits to two (or more) values that are a function of his input. V selects one, which P then reveals. The single value doesn't give V any information, but might let him catch P if he's cheating!

Zero Knowledge Proofs Properties Informal statement of properties no math! Completeness If the statement is true, and all parties are honest, then the verifier accepts. Soundness If the statement is false, then no matter what the prover says, the verifier won't accept. Zero knowledge The verifier learns nothing from the interaction with P in particular, he doesn't get any information he couldn't have computed on his own!

Zero Knowledge Proofs Example 3 coloring problem: Given a graph consisting of vertices connected by edges, is it possible to color each vertex such that no edge connects two vertices of the same color, using only three different colors? Suppose P and V have a graph, and P knows a 3 coloring of that graph. P wants to convince V that the graph is 3 colorable, without revealing any information about the coloring itself.

Zero Knowledge Proofs Example P randomly permutes the colors, and then sends a commitment to each vertex's color to V V picks a single edge P reveals the (permuted) colors of the endpoints of the edge. V checks: The commitment is valid The colors are different The colors are in the valid set of three If these don't hold, or if P doesn't follow protocol, V rejects

Zero Knowledge Proofs Example Completeness: If P knows a 3 coloring and follows the protocol, V will not reject Soundness: If P doesn't know a 3 coloring, he'll either have to break protocol in some way (which V would detect immediately), or hope V never picks an edge with two vertices the same color Chance he gets away with it is at most 1 1/ E Repeat! If you repeat the entire interaction 100 E times, the chance he can successfully cheat is at most (1 1/ E ) 100 E e 100

Zero Knowledge Proofs Example Zero knowledge: Since P permutes the colors at the beginning of each interaction, the colors revealed during one interaction are independent of the colors revealed during any other interaction At each step, V learns two different colors for a pair of adjacent vertices...but due to the color permutation, this is a random pair of colors uncorrelated to anything he's seen before...so he could have just picked two different random colors for those vertices himself, and gotten a statistically identical view to what P shows him!

Zero Knowledge Proofs Power Why did I pick 3 coloring as the example? 3 coloring is NP complete So any NP statement can be proven using an interactive zero knowledge proof! Actually, anything in PSPACE...

Zero Knowledge Proofs Efficiency You probably don't want to use the NP reduction to 3 coloring in practice. The NP reduction will decrease efficiency, and then you have to run the 3 coloring protocol k E times. Often it's better to look for a direct zeroknowledge proof of something. Graph isomorphism, etc.

Non Interactive Zero Knowledge Our protocols required interaction of the prover and the verifier. Can't we have something more akin to a mathematical proof, where the prover writes something down and then any verifier who reads it will be convinced? Surprisingly, yes! NIZK relies on a common random string known to all parties, outside the control of P If everyone trusts that the CRS is truly random, P can write down a NIZK In practice, NIZKs tend to be huge.

Proofs of Knowledge Remember the 3 coloring example... P wanted to show that the graph was 3 colorable. But he actually did a bit more than that P showed that not only was the graph 3 colorable, but he knew a 3 coloring. Related concept to ZK: Proof of knowledge P can show that he knows some value, without revealing anything about the value itself Useful for authentication!

ZK/POK References Goldwasser, Micali, Rackoff The Knowledge Complexity of Interactive Proof Systems (1989) Goldreich, Micali, Wigderson Proofs That Yield Nothing But Their Validity, or All Languages in NP Have Zero Knowledge Proof Systems (1991) Ben Or, et al Everything Provable Is Provable in Zero Knowledge (1988) Blum, Feldman, Micali Non Interactive Zero Knowledge and Its Applications (1988) Schnorr Efficient identification and signatures for smart cards (1989)

Short Signatures

Short Signatures Signatures that are short [BLS 01] 160 bits instead of 1024 bits for same security Based on elliptic curve cryptography Efficient and simple Signer SK a hash computation m one exponentiation g, g SK, e g, h, G =g a, H = h a Verifier e H(m) Sig = H(m) SK two bilinear map g SK applications e

References Implementations: C http://crypto.stanford.edu/pbc/ Time to sign: 15ms Time to verify: 20ms (but can batch) Comparable to RSA References: Short signatures from the Weil pairing Boneh et Al., 2001 Pairing Based Cryptographic Protocols: A Survey, Dutta et Al., 2004

Applications Network protocols: Packet size smaller than with RSA Integrity of data in outsourced storage

Broadcast encryption

Broadcast encryption Encrypting a message such that only a (arbitrary) subset of a group can decrypt it [Boneh et Al., 2005] Three parts: Setup(no. users) secret keys, PK Encrypt(subset, PK) (header, K) Send header with encryption Decrypt(header, i, SK i ) Yields K only if i is a member of the subset SK 1 SK 5 1 5 SK 2 SK 3 2 4 7 SK 7 SK 4 3 6 SK 6

Analysis [Boneh et Al, 2005]: O( n) ciphertext and public key size Implementation in C: http://crypto.stanford.edu/pbc/bce/ References: J. Horwitz, "A Survey of Broadcast Encryption, 2003 D. Boneh, C. Gentry, and B. Waters, Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys, 2005

Applications Access control File sharing in encrypted file systems Key distribution Encrypted mail to mailing lists Content protection (revoke compromised DVD players)

Private Information Retrieval (PIR)

PIR Retrieve item from a database without revealing to the database what item was retrieved Client I want block i. B i i PIR C result What is i??? DB Server B 1 B 2 B i processing using C B n

PIR (Cont d) Naïve solution: send all database O(n) bandwidth Current PIRs: (log n) 2 communication: [Lipmaa, 2004], [Gentry and Ramzan, 2005] Must touch all data blocks Implementation of best known PIR techniques: http://crypto.stanford.edu/pir library/

Applications Privacy in databases: query unknown to the DB server Privacy in search

There are others.. Blind signature schemes, Deniable encryption Proxy re encryption Key rolling Ecash CS proofs Threshold decryption Secure multi party computation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback