13 October 2010 | Dr. Marc Fischlin | Cryptographic Security | 1 Security-Preserving Operations on Big...
Security-Preserving Operations on Big Data
Algorithms for Big Data, Frankfurt, September, 2014
Marc Fischlin
Alexander May
Arno Mittelbach
Arno Mittelbach| September 2014 | Security-Preserving Operations on Big Data| 2
Big Data
Drawings by Giorgia Azzurra Marson
What about security?
What about operations?
Security-Preserving Operations on Big Data: In a Nutshell
Secure Outsourcing of Data and Functionality
Privacy
Integrity & Authenticity
The overall plan
General Solution: fully homomorphic encryption, code obfuscation, …
Specialized, Efficient Solutions: Deterministic Encryption, Specialized Signature Schemes, …
Specialized, Efficient Solutions
The Map Reduce Framework
Programming model to process large datasets in parallel
[Figure: Data → Map-Phase → Interim Sorting → Reduce-Phase → Result; labels: (key, value), (key, List(value))]
Map Reduce Framework: Goals
Security (privacy and authenticity), e.g. via deterministic encryption
How to work with low entropy in data packets
How to handle integrity and authenticity
Homomorphic Signatures, Aggregate Signatures
Develop specialized crypto primitives for typical Map/Reduce cases.
The Map Reduce Framework
Programming Model to process large datasets in parallel
[Figure: Data → Map-Phase → Interim Storage → Reduce-Phase → Result; labels: (key, value), (key, List(value))]
IND-CPA Public-Key Encryption
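[Figure: IND-CPA game for encryption. The challenger holds sk and b and sends pk; the adversary sends m0, m1, receives cb and outputs a guess for b.]
• Encryption process must be randomized.
• Given c0, c1, are they encryptions of the same message m?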
Deterministic Public-Key Encryption
[Figure: Randomized PKE. m, m, m, m → E under pk → c1, c2, c3, c4]
[Figure: Deterministic PKE. m, m, m, m → E under pk → c, c, c, c]
How to define security?
DPKE cannot be IND-CPA secure
[Figure: Deterministic PKE (m, m, m, m → E under pk → c, c, c, c) next to the IND-CPA game (sk, b; pk; m0, m1; cb; b)]
Solution: If messages contain entropy, then encryptions are indistinguishable
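Why a deterministic scheme loses the IND-CPA game while a randomized one does not, as an added Python example that is not part of the original slides. Toy textbook RSA over two Mersenne primes stands in for the deterministic PKE and a random-prefix variant for the randomized PKE; all names and parameters are assumptions chosen for illustration.

```python
import secrets

# Toy textbook RSA from two Mersenne primes (constructed, illustration only).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PAD_BITS = 32  # fresh randomness used by the randomized variant

def enc_det(m: int) -> int:
    """Deterministic PKE: equal plaintexts always give equal ciphertexts."""
    return pow(m, E, N)

def enc_rand(m: int) -> int:
    """Randomized PKE: fresh random bits are packed above the 32-bit message."""
    return pow((secrets.randbits(PAD_BITS) << 32) | m, E, N)

def dec(c: int) -> int:
    """Recover the low 32 message bits (works for both variants)."""
    return pow(c, D, N) & 0xFFFFFFFF

def ind_cpa_round(encrypt) -> bool:
    """One IND-CPA round; True if the adversary guesses the hidden bit b."""
    m0, m1 = 1234, 5678                  # adversary chooses two messages
    b = secrets.randbits(1)              # challenger's hidden bit
    c_b = encrypt((m0, m1)[b])           # challenge ciphertext
    # Adversary only needs pk: re-encrypt m0 and compare with the challenge.
    guess = 0 if encrypt(m0) == c_b else 1
    return guess == b

def win_rate(encrypt, rounds: int = 2000) -> float:
    """Fraction of rounds won; 0.5 means no better than guessing."""
    return sum(ind_cpa_round(encrypt) for _ in range(rounds)) / rounds

if __name__ == "__main__":
    print("deterministic:", win_rate(enc_det))
    print("randomized:   ", win_rate(enc_rand))
```

The comparison attack needs messages the adversary can guess, which is why DPKE security is only defined for plaintexts with min-entropy.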
DPKE security
[Figure: Deterministic PKE (m, m, m, m → E under pk → c, c, c, c) and the DPKE security game with labels sk, b; pk; m0, m1; cb; b; "No communication"]
• Vectors of same length
• Each value has min-entropy
Challenge: Current schemes require that every plaintext has high min-entropy conditioned on all previous.
The overall plan
General Solution: fully homomorphic encryption, code obfuscation, …
Specialized, Efficient Solutions: Deterministic Encryption, Specialized Signature Schemes, …
General Solution
Code Obfuscation: The Software Engineering View
Obfuscation is a heuristic that makes reverse engineering hard.
Provable Security
Thm: If assumption X holds then construction O is secure.
• Construction O: the obfuscation scheme
• Assumption X: a well-understood problem is difficult, e.g. factoring
• Secure: no adversary can win a well-specified game
VBB – Obfuscation (Virtual Black-Box)
For every there exists a
Indistinguishable output
An adversary can only do as much as one that only has oracle access.
VBB – Obfuscation: security proof
For every there exists a
Indistinguishable output
Proof existence: e.g. give construction
Proof that existence contradicts assumption
Obfuscator O
What if VBB-Obfuscation exists?
Secure communication
[Figure: m → Encrypt (key k) → c → Decrypt (key k) → m; label: Secret keys]
What if VBB-Obfuscation exists?
Secure communication
[Figure: m → Encrypt → c → Decrypt → m; labels: k, k, k, pk]
What about big data?
Obfuscation for Big Data
Secure Outsourcing of Data and Functionality
Input: Ciphertext c
• m <- Decrypt(k,c)
• Perform operation on m
• Output result
Output: result
VBB – Obfuscation (Virtual Black-Box)
For every there exists a
Indistinguishable output
An adversary can only do as much as one that only has oracle access.
Solves all (or at least many of) our problems
VBB Obfuscation does not exist [BGIRSVY01]
VBB Obfuscation does not exist [BGIRSVY01]
[Figure: the set "All Functions", annotated with [BGIRSVY01]]
[Garg, Gentry, Halevi, Raykova, Sahai, Waters 2013]: Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits
Indistinguishability Obfuscation exists for all functions.
Indistinguishability Obfuscation (iO)
For any two programs that implement the same function, their obfuscations look identical.
So what?
Ind. Obfuscation (iO) is best possible Obfuscation
[Figure: P1 and P2 each pass through an Indistinguishability Obfuscator; labels: "Best Obfuscator for P2", "P1 or P2?"]
iO for Big Data
iO is somewhat weird but incredibly useful!
How to use iO?
What can we do with iO?
How to use Ind. Obfuscation (iO)
A pseudorandom generator PRG: {0,1}^n -> {0,1}^{2n} is a function such that no efficient adversary can distinguish PRG(s) for a random s in {0,1}^n from a random t in {0,1}^{2n}
[Figure: "Sample s in {0,1}^n", giving PRG(s), versus "Sample t in {0,1}^{2n}", giving t; the adversary has to tell which one it received]
How to use Ind. Obfuscation (iO)
A pseudorandom generator PRG: {0,1}^n -> {0,1}^{2n} is a function such that no efficient adversary can distinguish PRG(s) for a random s in {0,1}^n from a random t in {0,1}^{2n}
P1, on input x:
    return "Hello World!"
P2 [t], on input x (Sample s in {0,1}^n, t <- PRG(s)):
    if PRG(x) = t return "Hello World!"
    return "Hello World!"
How to use Ind. Obfuscation (iO)
P1, on input x:
    return "Hello World!"
P2 [t], on input x (Sample s in {0,1}^n, t <- PRG(s)):
    if PRG(x) = t return "Hello World!"
    return "Hello World!"
P3 [t], on input x (Sample t in {0,1}^{2n}):
    if PRG(x) = t return "Hello World!"
    return "Hello World!"
P4 [t], on input x (Sample t in {0,1}^{2n}):
    if PRG(x) = t return "secret msg"
    return "Hello World!"
P5 [t] (Sample s in {0,1}^n, t <- PRG(s)):
    if PRG(x) = t return "secret msg"
    return "Hello World!"
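The functional-equivalence steps in the chain P1 to P5, checked exhaustively for a toy seed length, as an added Python example that is not part of the original slides. The truncated SHA-256 function stands in for the PRG and n = 10 is chosen only so that all inputs can be enumerated; both are assumptions, and no obfuscator is implemented here.

```python
import hashlib
import secrets

N_BITS = 10  # toy seed length n; PRG outputs have 2n bits

def prg(x: int) -> int:
    """Stand-in length-doubling PRG {0,1}^n -> {0,1}^2n (truncated SHA-256)."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - 2 * N_BITS)

HELLO, SECRET = "Hello World!", "secret msg"

def p1(x):
    return HELLO

def p3(t):
    """P3[t]; the same code is P2[t] when t = PRG(s)."""
    return lambda x: HELLO if prg(x) == t else HELLO

def p4(t):
    """P4[t]; the same code is P5[t] when t = PRG(s)."""
    return lambda x: SECRET if prg(x) == t else HELLO

def same_function(f, g) -> bool:
    """Compare two programs on all 2^n inputs (feasible only for toy n)."""
    return all(f(x) == g(x) for x in range(2 ** N_BITS))

IMAGE = {prg(x) for x in range(2 ** N_BITS)}

def image_fraction() -> float:
    """Chance that a uniform 2n-bit t lies in the PRG image: at most 2^-n."""
    return len(IMAGE) / 2 ** (2 * N_BITS)

def random_t_outside_image() -> int:
    """Sample t in {0,1}^2n as in P3/P4, retrying the rare hit on the image."""
    while True:
        t = secrets.randbits(2 * N_BITS)
        if t not in IMAGE:
            return t

if __name__ == "__main__":
    t = random_t_outside_image()
    print("P3[t] == P4[t] for random t:", same_function(p3(t), p4(t)))
    print("P1 == P5[PRG(s)]:", same_function(p1, p4(prg(5))))
```

P1 and P2 agree on every input, and P3 and P4 agree whenever t misses the PRG image; those are the two steps where iO applies. P2 to P3 and P4 to P5 only change how t is sampled, which is where PRG security is used.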
Indistinguishability Obfuscation: preliminary results
Positive Results
• Functional Encryption [GGHRSW13]
• Multi-party Key-Exchange [BZ13]
• Two round secure MPC [GGHR13]
• Universal Hardcore Functions [BM14a]
• Correlation Secure Hash Functions [BM14a]
• Leakage Resilient PKE [BM14b]
• Deterministic Public-Key Encryption [BM14c]
Negative Results
• No UCE1 and UCE2 [BFM14a]
• No Multi-bit Output Point Function Obfuscation with AI [BM14b]
• No Random Oracle Transformations [BFM14b]
[BFM14a]: CRYPTO 2014
[BM14a]: ASIACRYPT 2014
[BM14b]: ASIACRYPT 2014
[BM14c]: in submission
[BFM14c]: in submission shortly
References
• Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, Ke Yang: On the (Im)possibility of Obfuscating Programs. CRYPTO 2001: 1-18
• Dan Boneh and Mark Zhandry. Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 480–499. Springer, August 2014.
• Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. In 54th FOCS, pages 40–49. IEEE Computer Society Press, October 2013.
• Sanjam Garg, Craig Gentry, Shai Halevi, and Mariana Raykova. Two-round secure MPC from indistinguishability obfuscation. In Yehuda Lindell, editor, TCC 2014, volume 8349 of LNCS, pages 74–94. Springer, February 2014.
• Christina Brzuska, Pooya Farshim, and Arno Mittelbach. Indistinguishability obfuscation and UCEs: The case of computationally unpredictable sources. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 188–205. Springer, August 2014.
• Christina Brzuska and Arno Mittelbach. Indistinguishability obfuscation versus multibit point obfuscation with auxiliary input. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, LNCS, pages ??–??, Kaohsiung, Taiwan, December 7–11, 2014. Springer, Berlin, Germany.
• Christina Brzuska and Arno Mittelbach. Using indistinguishability obfuscation via UCEs. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, LNCS, pages ??–??, Kaohsiung, Taiwan, December 7–11, 2014. Springer, Berlin, Germany.
• Christina Brzuska and Arno Mittelbach. Deterministic Public-Key Encryption from Indistinguishability Obfuscation and Point Obfuscation. Preprint
• Christina Brzuska, Pooya Farshim, and Arno Mittelbach. Random Oracle Uninstantiability from Indistinguishability Obfuscation. Preprint