13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Security-Preserving Operations on Big...


Security-Preserving Operations on Big Data

Algorithms for Big Data, Frankfurt, September, 2014

Marc Fischlin

Alexander May

Arno Mittelbach


Arno Mittelbach| September 2014 | Security-Preserving Operations on Big Data| 2

Big Data


Drawings by Giorgia Azzurra Marson



What about security?



What about operations?


Security-Preserving Operations on Big Data: In a Nutshell

Secure Outsourcing of Data and Functionality

Privacy

Integrity & Authenticity


The overall plan

General Solution: fully homomorphic encryption, code obfuscation, …

Specialized, Efficient Solutions: Deterministic Encryption, Specialized Signature Schemes, …

Highlighted: Specialized, Efficient Solutions


The Map Reduce Framework

Programming model to process large datasets in parallel

[Figure: Data → Map-Phase → Interim Sorting → Reduce-Phase → Result; data labels: (key, value), (key, List(value))]


Map Reduce Framework: Goals

Security (privacy and authenticity), e.g. via deterministic encryption

• How to work with low entropy in data packets
• How to handle integrity and authenticity

Homomorphic Signatures, Aggregate Signatures

Develop specialized crypto primitives for typical Map/Reduce cases.


The Map Reduce Framework

Programming Model to process large datasets in parallel

[Figure: Data → Map-Phase → Interim Storage → Reduce-Phase → Result; data labels: (key, value), (key, List(value))]


IND-CPA Public-Key Encryption

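[Figure: IND-CPA game. The challenger (Encryption) holds sk and b; the adversary is given pk, submits m0, m1, receives cb, and outputs b.]

• Encryption process must be randomized.
• Given c0, c1, are they encryptions of the same message m?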


The Map Reduce Framework

Programming Model to process large datasets in parallel

[Figure: Data → Map-Phase → Interim Storage → Reduce-Phase → Result; data labels: (key, value), (key, List(value))]


Deterministic Public-Key Encryption

[Figure: Randomized PKE: m, m, m, m → E under pk → c1, c2, c3, c4. Deterministic PKE: m, m, m, m → E under pk → c, c, c, c.]

How to define security?


DPKE cannot be IND-CPA secure

[Figure: Deterministic PKE (m, m, m, m → E under pk → c, c, c, c) next to the IND-CPA game with sk, b, pk, m0, m1, cb, b]

Solution: If messages contain entropy, then encryptions are indistinguishable


DPKE security

[Figure: Deterministic PKE (m, m, m, m → E under pk → c, c, c, c) next to the encryption game with sk, b, pk, m0, m1, cb, b]

• Vectors of same length
• Each value has min-entropy

No communication

Challenge: Current schemes require that every plaintext has high min-entropy conditioned on all previous.
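Added example, not from the slides: why the interim sorting step wants deterministic encryption, why that rules out IND-CPA, and why low-entropy plaintexts are the problem case. The toy textbook-RSA key, the 4-byte random prefix and the sample records are constructed for illustration and are not the schemes the talk refers to.

```python
import secrets
from collections import defaultdict

# Toy textbook-RSA public key from two Mersenne primes (constructed; far too
# small for real use, it only stands in for "some deterministic PKE").
N = (2**31 - 1) * (2**61 - 1)
E = 65537

def enc_det(m: bytes) -> int:
    """Deterministic PKE: the same plaintext always gives the same ciphertext."""
    return pow(int.from_bytes(m, "big"), E, N)

def enc_rand(m: bytes) -> int:
    """Randomized PKE (toy): a fresh 4-byte random prefix per encryption."""
    return pow(int.from_bytes(secrets.token_bytes(4) + m, "big"), E, N)

def interim_sort(enc, records):
    """Map emits (Enc(key), 1); the untrusted sorter groups on ciphertexts only.
    Returns the sorted group sizes it ends up with."""
    groups = defaultdict(list)
    for key in records:
        groups[enc(key)].append(1)
    return sorted(len(values) for values in groups.values())

def ind_cpa_win_rate(enc, m0: bytes, m1: bytes, trials: int = 400) -> float:
    """IND-CPA game where the adversary re-encrypts m0 under pk and compares."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)            # challenger's hidden bit
        c_b = enc((m0, m1)[b])              # challenge ciphertext
        guess = 0 if enc(m0) == c_b else 1  # needs only the public key
        wins += guess == b
    return wins / trials

def match_low_entropy(c: int, candidates):
    """With a small plaintext space, trial encryption under pk identifies the
    plaintext of a deterministic ciphertext; high min-entropy prevents this."""
    return next((m for m in candidates if enc_det(m) == c), None)

RECORDS = [b"flu", b"cold", b"flu", b"flu"]  # constructed sample keys

if __name__ == "__main__":
    print("group sizes, deterministic:", interim_sort(enc_det, RECORDS))
    print("group sizes, randomized   :", interim_sort(enc_rand, RECORDS))
    print("IND-CPA win rate, deterministic:", ind_cpa_win_rate(enc_det, b"flu", b"cold"))
    print("IND-CPA win rate, randomized   :", ind_cpa_win_rate(enc_rand, b"flu", b"cold"))
    print("low-entropy match:", match_low_entropy(enc_det(b"flu"), [b"cold", b"asthma", b"flu"]))
```

Equal keys land in one group only under the deterministic scheme, and the same property lets the IND-CPA adversary win every time, which is why the definition on the slide restricts the game to plaintexts with min-entropy.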


The Map Reduce Framework

Programming Model to process large datasets in parallel

[Figure: Data → Map-Phase → Interim Storage → Reduce-Phase → Result; data labels: (key, value), (key, List(value))]


The overall plan

General Solution: fully homomorphic encryption, code obfuscation, …

Specialized, Efficient Solutions: Deterministic Encryption, Specialized Signature Schemes, …

Highlighted: General Solution


Code Obfuscation: The Software Engineering View

Obfuscation is a heuristic that makes reverse engineering hard.


Provable Security

Thm: If assumption X holds then construction O is secure.

• Assumption X: A well understood problem is difficult, e.g. Factoring
• Construction O: The Obfuscation Scheme
• Secure: No adversary can win a well specified game.


VBB – Obfuscation (Virtual Black-Box)

For every there exists a

Indistinguishable output

An adversary can do only as much as one that has only oracle access.


VBB – Obfuscation: security proof

For every there exists a

Indistinguishable output

Proof existence: e.g. give construction

Proof that existence contradicts assumption

Obfuscator O


What if VBB-Obfuscation exists?

Secure communication

[Figure: m → Encrypt → c → Decrypt → m; Encrypt and Decrypt both use k]

Secret keys


What if VBB-Obfuscation exists?

Secure communication

[Figure: m → Encrypt → c → Decrypt → m; labels: k, k, k, pk]


What about big data?


Obfuscation for Big Data

Secure Outsourcing of Data and Functionality


Input: Ciphertext c

• m <- Decrypt(k,c)
• Perform operation on m
• Output result

Output: result


VBB – Obfuscation (Virtual Black-Box)

For every there exists a

Indistinguishable output

An adversary can do only as much as one that has only oracle access.

Solves all (or at least many of) our problems

VBB Obfuscation does not exist [BGIRSVY01]


VBB Obfuscation does not exist [BGIRSVY01]

All Functions [BGIRSVY01]



[Garg, Gentry, Halevi, Raykova, Sahai, Waters 2013]: Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits

Indistinguishability Obfuscation exists for all functions.


Indistinguishability Obfuscation (iO)

For any two programs that implement the same function, their obfuscations look identical.


So what?


Ind. Obfuscation (iO) is best possible Obfuscation

[Figure: programs P1 and P2, two Indistinguishability Obfuscator boxes and a "Best Obfuscator for P2" box; question: P1 or P2?]


iO for Big Data

iO is somewhat weird but incredibly useful!

How to use iO?

What can we do with iO?


How to use Ind. Obfuscation (iO)

A pseudorandom generator PRG: {0,1}^n -> {0,1}^2n is a function such that no efficient adversary can distinguish PRG(s) for a random s in {0,1}^n from a random t in {0,1}^2n.

[Figure: the adversary sees either PRG(s) for a sampled s in {0,1}^n or a sampled t in {0,1}^2n and has to tell which.]


How to use Ind. Obfuscation (iO)

A pseudorandom generator PRG: {0,1}^n -> {0,1}^2n is a function such that no efficient adversary can distinguish PRG(s) for a random s in {0,1}^n from a random t in {0,1}^2n.

P1(x):
    return "Hello World!"

P2[t](x), with s sampled in {0,1}^n and t <- PRG(s):
    if PRG(x) = t return "Hello World!"
    return "Hello World!"


How to use Ind. Obfuscation (iO)

P1(x):
    return "Hello World!"

P2[t](x), with s sampled in {0,1}^n and t <- PRG(s):
    if PRG(x) = t return "Hello World!"
    return "Hello World!"

P3[t](x), with t sampled in {0,1}^2n:
    if PRG(x) = t return "Hello World!"
    return "Hello World!"

P4[t](x), with t sampled in {0,1}^2n:
    if PRG(x) = t return "secret msg"
    return "Hello World!"

P5[t](x), with s sampled in {0,1}^n and t <- PRG(s):
    if PRG(x) = t return "secret msg"
    return "Hello World!"
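Added example, not from the slides: the programs P1 to P5 made executable with a toy PRG, checking the two facts the chain relies on (iO applies only between programs computing the same function, and a uniform t in {0,1}^2n lies in the PRG image with probability at most 2^-n). The SHA-256-based PRG, n = 8 and the seed value are assumptions for illustration, and the step-by-step justification in the comments is the usual hybrid reading of the slide, not text from the talk.

```python
import hashlib

N_BITS = 8  # toy seed length n, small enough to enumerate {0,1}^n (assumption)

def prg(s: int) -> int:
    """Toy stand-in for PRG: {0,1}^n -> {0,1}^2n, built from SHA-256."""
    digest = hashlib.sha256(s.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[: 2 * N_BITS // 8], "big")

def P1(x):
    return "Hello World!"

def make_P2(t):
    """P2[t] and P3[t]: identical code, only the sampling of t differs."""
    def program(x):
        if prg(x) == t:
            return "Hello World!"
        return "Hello World!"
    return program

def make_P4(t):
    """P4[t] and P5[t]: the guarded branch returns the hidden message."""
    def program(x):
        if prg(x) == t:
            return "secret msg"
        return "Hello World!"
    return program

make_P3, make_P5 = make_P2, make_P4

def equivalent(a, b) -> bool:
    """Same output on every x in {0,1}^n: the precondition for using iO."""
    return all(a(x) == b(x) for x in range(2 ** N_BITS))

IMAGE = {prg(s) for s in range(2 ** N_BITS)}

def image_fraction() -> float:
    """Probability that a uniform t in {0,1}^2n has a preimage under PRG."""
    return len(IMAGE) / 2 ** (2 * N_BITS)

def first_t_outside_image() -> int:
    return next(t for t in range(2 ** (2 * N_BITS)) if t not in IMAGE)

if __name__ == "__main__":
    s = 5                                   # constructed seed
    t_prg, t_rand = prg(s), first_t_outside_image()
    # P1 -> P2: same function for every t, so iO(P1) and iO(P2[t]) look alike.
    print("P1 == P2[PRG(s)]     :", equivalent(P1, make_P2(t_prg)))
    # P2 -> P3 and P4 -> P5: only t's distribution changes (PRG security).
    # P3 -> P4: same function whenever t has no preimage, so iO applies again.
    print("P3[t] == P4[t], t out:", equivalent(make_P3(t_rand), make_P4(t_rand)))
    print("Pr[t in image]       :", image_fraction(), "<=", 2 ** -N_BITS)
    # End of the chain: P5 differs from P1 exactly on the seed s.
    print("P5[PRG(s)](s)        :", make_P5(t_prg)(s))
```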


Indistinguishability Obfuscation: preliminary results

Positive Results

• Functional Encryption [GGHRSW13]
• Multi-party Key-Exchange [BZ13]
• Two round secure MPC [GGHR13]
• Universal Hardcore Functions [BM14a]
• Correlation Secure Hash Functions [BM14a]
• Leakage Resilient PKE [BM14b]
• Deterministic Public-Key Encryption [BM14c]

Negative Results

• No UCE1 and UCE2 [BFM14a]
• No Multi-bit Output Point Function Obfuscation with AI [BM14b]
• No Random Oracle Transformations [BFM14b]

[BFM14a]: CRYPTO 2014
[BM14a]: ASIACRYPT 2014
[BM14b]: ASIACRYPT 2014
[BM14c]: in submission
[BFM14c]: in submission shortly


References

• Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, Ke Yang: On the (Im)possibility of Obfuscating Programs. CRYPTO 2001: 1-18

• Dan Boneh and Mark Zhandry. Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 480–499. Springer, August 2014.

• Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. In 54th FOCS, pages 40–49. IEEE Computer Society Press, October 2013.

• Sanjam Garg, Craig Gentry, Shai Halevi, and Mariana Raykova. Two-round secure MPC from indistinguishability obfuscation. In Yehuda Lindell, editor, TCC 2014, volume 8349 of LNCS, pages 74–94. Springer, February 2014.

• Christina Brzuska, Pooya Farshim, and Arno Mittelbach. Indistinguishability obfuscation and UCEs: The case of computationally unpredictable sources. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 188–205. Springer, August 2014.

• Christina Brzuska and Arno Mittelbach. Indistinguishability obfuscation versus multibit point obfuscation with auxiliary input. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, LNCS, pages ??–??, Kaohsiung, Taiwan, December 7–11, 2014. Springer, Berlin, Germany.

• Christina Brzuska and Arno Mittelbach. Using indistinguishability obfuscation via UCEs. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, LNCS, pages ??–??, Kaohsiung, Taiwan, December 7–11, 2014. Springer, Berlin, Germany.

• Christina Brzuska and Arno Mittelbach. Deterministic Public-Key Encryption from Indistinguishability Obfuscation and Point Obfuscation. Preprint.

• Christina Brzuska, Pooya Farshim, and Arno Mittelbach. Random Oracle Uninstantiability from Indistinguishability Obfuscation. Preprint.