CSC 5930/9010 Cloud S & P: Cloud Primitives


CSC 5930/9010 Cloud S & P: Cloud Primitives
Professor Henry Carter
Spring 2017

Methodology Section
- This is the most important technical portion of a research paper
- Methodology sections differ widely depending on the field of study:
  - Cryptography: protocol description
  - System security: attack description
  - Measurement paper: methodology and description of collected data
- This is where you must communicate your idea clearly and completely

Exercise: Read Methodology Sections
- Protocol design: Outsourcing Secure Two-Party Computation as a Black Box
- Data analysis work: The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers
- Survey paper: The State of Public Infrastructure-as-a-Service Cloud Security

Critical Components
- For novel research:
  - Clear problem statement
  - Settings and assumptions
  - How the contribution works (this can be many things)
- For surveys:
  - Clear problem statement
  - Settings and assumptions
  - Categorized background knowledge

Methodology Assignment
- Due in 2 weeks
- 1 page minimum (IEEEtran format)
- Read other technical writing for style guidance
- Use "we" instead of "I"
- Avoid colloquial terms
- Use bullets or numbering only sparingly (and make sure to use good grammar within the bullets)

Recap
- Mobile apps process a significant amount of private information
- Mobile SMC has followed three approaches in parallel with desktop SMC:
  - Outsourced garbled circuits
  - Outsourced triple generation
  - Custom partially homomorphic encryption protocols
- Each technique demonstrates strengths and weaknesses, so future work and practical applications will likely use hybrid techniques

The General SMC Model
- Garbled circuits, secret sharing protocols, and fully homomorphic encryption allow for arbitrary computation, represented as a circuit
- Multipurpose protocols are not always efficient, as seen in the biometric authentication protocol
- For simple functions, the overhead of general SMC is crippling (e.g., database lookup)

Problems with General SMC
- Significant setup costs
- Significant size expansion
- Typically require all parties to expend significant computational power (FHE excluded)
- Do not always allow for convenient repeated accesses
- Circuit representation of problems is not always efficient

Other Settings
- Encrypted data stores
- Hiding access patterns to online repositories
- Non-circuit represented computation

Database Retrieval
- A common cloud application is data storage
- Two types of privacy concerns exist: access patterns and data privacy
- Special-case protocols exist for hiding some or all of this information

Private Information Retrieval
- Given: a publicly available database stored on a server, and a client seeking to access the data
- Goal: prevent the database from learning which element was accessed; the server only knows that the client did or did not access data
- Often simplified to a stored bitstring where the client queries a single bit
- Naïve approach: download the whole database. Extreme communication cost!

Foundation: Security Types
- Information theoretic: information is statistically hidden
- Computational security: hidden by a "hard problem"; can be broken as computers get faster

Examples
- Information theoretic encryption: one-time pad
- Computational encryption: RSA

Information Coding
- Given a message written as a string of characters, substitute each character with a code word in the encoding
- Common in computing and communication: data compression, error correction
- We can use a combination of randomly selected code words to recover meaningful information

LDC Basics
- Locally Decodable Codes allow a decoder to recover a single bit in a message x by querying only a few bits in a received code word
- As long as a threshold number of bits are not corrupted, the decoder will recover the bit with high probability
- There are many combinations of queries that can all be combined to recover a single bit in x

LDC Example
- Message: 010
- Encoded message: 00110011
- Received message: 00110111
- Message query: 00110111
- Bit recovery: 1 ⊕ 1 = 0 (XOR of the two queried bits)

From LDC to PIR
- In a smooth LDC, the decoder can generate code word queries nearly randomly
- Since the queries look nearly random, the only way to determine which bit the decoder is querying is to see all of the queries
- Assuming the PIR servers do not communicate, the receiver queries a single bit from each server and combines the results to decode her chosen bit in x
- Secure since no server sees all of the queries

From LDC to PIR (diagram slides: the client sends "Send bit x" to one server and "Send bit y" to the other, and receives the code word bits m_x and m_y in return)
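The LDC example and the two-server construction above, worked through in Python. This is an added example, not code from the slides: it assumes the 3-bit example uses the Hadamard code (bit a of the code word is the inner product of a and the message mod 2, which reproduces 010 -> 00110011), simulates the single flipped bit, and then splits the two-position decoder across two non-colluding servers.

```python
import random

def hadamard_encode(x, k):
    """Hadamard code: position a of the code word is <a, x> mod 2 for every
    a in {0,1}^k, so a k-bit message becomes 2^k bits (010 -> 00110011)."""
    return [bin(a & x).count("1") % 2 for a in range(1 << k)]

def local_decode(codeword, i, k, a=None):
    """Recover message bit i (0 = leftmost) from just two code word positions:
    C[a] xor C[a xor e_i] = <e_i, x> = x_i for ANY a, so a is picked at random."""
    e_i = 1 << (k - 1 - i)
    if a is None:
        a = random.randrange(1 << k)
    return codeword[a] ^ codeword[a ^ e_i]

def ldc_slide_example():
    """Reproduce the slide: message 010, one flipped bit, query pair 110/111."""
    k, x = 3, 0b010
    received = hadamard_encode(x, k)              # 00110011
    received[5] ^= 1                              # constructed corruption -> 00110111
    bit = local_decode(received, 2, k, a=0b110)   # C[110] xor C[111] = 1 xor 1 = 0
    # how many of the 8 possible query pairs still decode message bit 2 (= 0)?
    good = sum(local_decode(received, 2, k, a=a) == 0 for a in range(1 << k))
    return "".join(map(str, received)), bit, good  # ("00110111", 0, 6)

class Server:
    """Non-colluding PIR server: holds the code word, answers one position per
    query and records what it saw (a single uniformly random index)."""
    def __init__(self, codeword):
        self.codeword, self.seen = codeword, []
    def answer(self, pos):
        self.seen.append(pos)
        return self.codeword[pos]

def two_server_pir(s1, s2, i, k, a=None):
    """Client: split the decoder's two queries across two servers. Each sees a
    single random position, so neither learns which message bit is wanted."""
    e_i = 1 << (k - 1 - i)
    if a is None:
        a = random.randrange(1 << k)
    return s1.answer(a) ^ s2.answer(a ^ e_i)
```

With one corrupted position out of eight, only the two query pairs touching it decode wrongly, which is the "high probability" recovery the LDC slide refers to.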

Problems
- Inefficient: duplicate servers, and the encoding expands the database size significantly
- Mostly theoretical in nature
- Ways to improve?

Computational PIR
- Many schemes perform the same actions based on computationally hard problems
- Can be done with a single server
- Typically much more efficient (although still requires more than O(1) communication)

Example: Quadratic Residues
- A quadratic residue modulo m is any number a such that a = x^2 mod m for some x
- Computationally hard problem: given y and m, it is hard to tell whether y is a quadratic residue mod m without knowing the factors of m
- We can use the properties of quadratic residues to retrieve a bit from a database privately

QR Properties
- Multiplying a QR by a QR is still a QR: a^2 · b^2 mod m = (ab)^2 mod m
- Multiplying an NQR by a QR gives an NQR
- Difficult to distinguish without the factorization of the modulus
- Given the factors of m, we can distinguish QRs from NQRs

Step 1: Database Setup
- Spread the message bits across a matrix:

  [1 1 0]
  [1 0 0]
  [0 1 0]

Step 2: Query Setup
- The client wishes to access entry (i, j) (ex. (1, 0))
- Generate a vector of QRs mod m with a single NQR at position i = 1:

  [4]
  [2] mod 6
  [3]

Step 3: Query Processing
- For every column, the server computes the entry-wise product (row k of the matrix times entry k of the query vector), then multiplies the nonzero entries of each column together:

  [1 1 0]   [4]          [4 4 0]
  [1 0 0] * [2] mod 6 -> [2 0 0]
  [0 1 0]   [3]          [0 3 0]

- Column products: [8 12 0], which reduced mod 6 gives [2 0 0]

Step 4: Data Recovery
- If entry j (ex. 0) of the result is an NQR, then entry (i, j) = 1; else (i, j) = 0
- Result: [2 0 0] mod 6. Entry 0 is 2, which is an NQR mod 6, so entry (1, 0) = 1

Step 5: Practice
- Put together a query for entry (2, 2) using modulus 7
- What are the QRs? NQRs?
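Steps 1 to 4 above as an added Python example (not the slides' code). It reproduces the mod-6 walkthrough exactly, including the slides' simplification of dropping 0-bits from the column products; a real Kushilevitz-Ostrovsky style scheme would use a modulus with two large secret primes and multiply a fixed QR in place of every 0-bit so that no column collapses to 0. Function and parameter names are my own.

```python
def quadratic_residues(m):
    """Nonzero squares mod m, by brute force (fine for the toy moduli here)."""
    return sorted({(x * x) % m for x in range(1, m)} - {0})

def is_qr(a, m):
    """True when a is a nonzero quadratic residue mod m."""
    return a % m in quadratic_residues(m)

def build_query(n_rows, i, m, query=None):
    """Step 2 (client): a column of QRs with a single NQR at the secret row i.
    Pass `query` explicitly to reuse the slide's vector (4, 2, 3) mod 6."""
    if query is None:
        qrs = quadratic_residues(m)
        nqrs = [a for a in range(1, m) if a not in qrs]
        query = [qrs[0]] * n_rows
        query[i] = nqrs[0]
    assert [k for k, v in enumerate(query) if not is_qr(v, m)] == [i]
    return query

def server_answer(matrix, query, m):
    """Step 3 (server): scale row k of the bit matrix by query[k], then multiply
    the nonzero entries of each column together mod m (the slides drop 0-bits)."""
    scaled = [[bit * q for bit in row] for row, q in zip(matrix, query)]
    answer = []
    for j in range(len(matrix[0])):
        nonzero = [scaled[k][j] for k in range(len(matrix)) if scaled[k][j]]
        prod = 1 if nonzero else 0
        for v in nonzero:
            prod = prod * v % m
        answer.append(prod)
    return scaled, answer

def recover_bit(answer, j, m):
    """Step 4 (client): column j is an NQR exactly when bit (i, j) was 1, since
    the NQR at row i only enters the product if that bit is set."""
    return 1 if answer[j] % m and not is_qr(answer[j], m) else 0

def qr_slide_example():
    """The slide's numbers: 3x3 matrix, query (4, 2, 3) mod 6, target (1, 0)."""
    m, i, j = 6, 1, 0
    matrix = [[1, 1, 0],
              [1, 0, 0],
              [0, 1, 0]]
    query = build_query(3, i, m, query=[4, 2, 3])
    scaled, answer = server_answer(matrix, query, m)
    return scaled, answer, recover_bit(answer, j, m)
    # -> ([[4, 4, 0], [2, 0, 0], [0, 3, 0]], [2, 0, 0], 1)
```

The server only ever sees a vector of residues and non-residues it cannot tell apart without the factors of m, which is where the query privacy comes from.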

PIR Pros and Cons
- Hides what the user is accessing (the database only knows that the user got something)
- Requires data to be public
- Still costly in terms of communication (this is improving)

Encrypted Data
- Data is commonly stored in an encrypted form
- Recall that typical encryption is randomized
- How do we query over this data? What sorts of guarantees are possible?

Searchable Encryption
- Use deterministic "labels" to identify documents (e.g., deterministically encrypted file names)
- The data store can search the labels to retrieve files
- Reveals access patterns!

Searchable Encryption Illustrated
- Enc(journal) = WUCHVBEDJ
- Enc(recipe) = AJVCGBEFD
- Enc(spy_stuff) = SDKVMSNB
- Enc(grades) = JUDHSXOIHE
- Enc(formula) = AJSUDENFJX

Expansion Protocols
- Order-preserving encryption: leaks ordering information
- Prefix matching: allows for searching partially matched labels
- Keyword stores: use encrypted keywords to label documents for searching within encrypted files

Comparison
- PIR assumes the database is public but hides accesses
- Searchable encryption hides the database but leaks access information
- Two very different problems in the same related area!

Can We Hide Both?
- Constructing a protocol that hides both data AND access patterns would significantly improve security
- An oblivious protocol for data access could be applicable outside of network protocols: secure processor isolation
- Oblivious RAM

ORAM
- Oblivious Random Access Memory hides the contents and access patterns of the data store
- Allows both read and write operations, indistinguishable to the data store
- Typically requires some storage by the client

Path ORAM
- Based on a complete binary tree structure where leaves act as indices
- Reads an entire branch with every operation
- Maintains an index of block addresses to leaf indices and a small stash of blocks (like a cache)

Basic Components
- Data store:
  - The store is initialized to hold N blocks
  - Leaves are indexed from 0 to 2^L - 1
  - Each node is a bucket holding Z blocks (with approximately N buckets, this requires Z·N blocks to be stored)
- Client:
  - The stash holds some blocks temporarily
  - The index holds a mapping for each block such that block(x) = leaf(a)

Initializing the store (diagram slide)

Read (diagram slide)

Write (diagram slide)

Security Guarantees
- Since each block is written to a new random path, subsequent accesses cannot be linked
- Since each block is re-encrypted with randomized encryption after every access, data is hidden and indistinguishable from previous data
- This hides whether a read or write occurred

Costs
- Client must perform the data processing: ORAM provides only a store, not secure computation
- Client must maintain the index and stash (the authors show this is typically very low)
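The Path ORAM access procedure described above (read the whole path into the stash, update the block, remap it to a fresh random leaf, evict back down the path), as an added Python example rather than the paper's own implementation. It stores blocks in plaintext so that only the access-pattern side is shown; the re-encryption step the security slide relies on is omitted, and class and field names are my own.

```python
import random

class PathORAM:
    """Toy Path ORAM: complete binary tree of Z-slot buckets on the server,
    position map (block -> leaf) and stash on the client. No encryption."""

    def __init__(self, n_blocks, Z=4, seed=None):
        self.rng = random.Random(seed)
        self.L = max(1, (n_blocks - 1).bit_length())   # 2^L leaves >= n_blocks
        self.Z = Z                                      # bucket capacity
        self.tree = [[] for _ in range(2 ** (self.L + 1) - 1)]  # one bucket per node
        self.stash = {}                                 # client: addr -> data
        self.pos = {a: self.rng.randrange(2 ** self.L) for a in range(n_blocks)}
        self.server_view = []                           # leaves the server saw

    def path(self, leaf):
        """Node indices from the root (0) down to leaf number `leaf`."""
        node = 2 ** self.L - 1 + leaf
        nodes = [node]
        while node:
            node = (node - 1) // 2
            nodes.append(node)
        return nodes[::-1]

    def access(self, op, addr, data=None):
        """Read or write block `addr`; returns the block's previous contents.
        Reads and writes perform exactly the same server-visible steps."""
        leaf = self.pos[addr]
        self.pos[addr] = self.rng.randrange(2 ** self.L)   # fresh random path
        path = self.path(leaf)
        self.server_view.append(leaf)
        for node in path:                       # 1. read the whole path into the stash
            for a, d in self.tree[node]:
                self.stash[a] = d
            self.tree[node] = []
        old = self.stash.get(addr)
        if op == "write":                       # 2. update the block in the stash
            self.stash[addr] = data
        for node in reversed(path):             # 3. evict, deepest bucket first
            fits = [a for a in self.stash if node in self.path(self.pos[a])][: self.Z]
            self.tree[node] = [(a, self.stash.pop(a)) for a in fits]
        return old
```

Whatever sequence of reads and writes the client issues, `server_view` is just a list of independent uniformly random leaves, which is the unlinkability argument of the security slide.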

Path ORAM Performance (figure slide)

Applications Allowed by ORAM
- Oblivious binary search tree
- Stateless ORAM
- Secure processors
- New approaches to SMC combining ORAM and traditional SMC operations

ORAM vs PIR
- ORAM hides data AND access
- ORAM can be applied to more general computation protocols
- ORAM requires more computation and storage on the client's side

Recap
- Many specialized cryptographic constructions have been developed for special-case cloud operations
- PIR hides access patterns in a public database
- Searchable encryption hides the contents of a remote data store but leaks some information about access patterns
- ORAM hides both data and access patterns in a remote data store, at the cost of maintaining client state and added computation

Next Time... Differential Privacy
- Remember, you need to read it BEFORE you come to class!
- Homework: Homework #3 (1 week); Methodology (2 weeks)