background on security. definition of security 1.attacker’s knowledge/capability – the attacker...
TRANSCRIPT
![Page 1: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/1.jpg)
Background on security
![Page 2: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/2.jpg)
Definition of security
1. Attacker’s knowledge/capability– The attacker observes a set of encrypted values only – Ciphertext-only
attack (COA)• Suitable for most real life applications
– The attacker can generate the encrypted values of any plaintext of his choice – chosen-plaintext attack (CPA)• Baseline for public key cryptosystem. The attacker can use the public key to
generate as many as he wants
2. Attacker’s goal– To derive information about the plaintext, any information is fine –
semantic security• E.g., knowing one’s salary > 50k/month but not exact value may be a security
concern
– (A malicious data mining service provider) To return a wrong answer to the user - integrity
![Page 3: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/3.jpg)
Some facts
• There isn’t really a formal method to prove the security against COA– People prefer provable security
• There is always a brute-force attack w.r.t. CPA– Try all the keys and find the one that matches all
plaintext-ciphertext pairs.– Security under CPA means the attack is a (proven)
hard problem
![Page 4: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/4.jpg)
Views from crypto
• We do not know what the attacker knows– Better prepare for the worst• Require provable semantic security under a strong
attack model (at least CPA)
![Page 5: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/5.jpg)
Semantic security
• Definition: no information about the plaintext (except the size) is leaked to the attacker
• An proven equivalent definition – indistinguishability (IND)– Given two encrypted values, the attacker cannot
distinguish them• Remark: Semantic security under CPA is often
written as IND-CPA
![Page 6: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/6.jpg)
Security game
• IND-XXX can be modeled as a game– The attacker generates two messages m0 and m1
and send them to the key owner– The key owner randomly chooses 1 message and
encrypts it, c = E(mi)– With c, the attacker guesses which plain message c
corresponds to – Secure if Pr(guess correct) <= 0.5 + ε
• Where ε is a negligible value, often in the form of 1/xk
– Note: x is a constant, k is key length
![Page 7: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/7.jpg)
Security vs performance
• In general (but not proven), a more secure scheme is more expensive
• Fact 1: Non-deterministic encryption must be required for semantic security– Deterministic encryption
• E(x1) = E(x2) iff x1 = x2
• One-to-one mapping• Onto function most of the time
– Simple attack• The attacker generates g0 = E(m0), g1 = E(m1)
• If gi = c, answer i• Pr(guess correct) = 100%
1
2
3
a
b
c
d
1
2
3
![Page 8: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/8.jpg)
Security vs performance
• Non-deterministic encryption– One-to-many mapping
• Problem:– Ciphertext is longer– Storage cost and processing
cost are thus higher
1
2
3
a
b
c
d
e
f
g
h
1
2
3
![Page 9: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/9.jpg)
Example
• RSA is a deterministic function– Public key: <e, n>, private key <d, n>– E(x) = xe mod n– D(y) = yd mod n
• RSA is not semantic secure
![Page 10: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/10.jpg)
RSA with padding• When the industry refer to RSA, is it actually RSA with padding
– The padding scheme is optimal asymmetric encryption padding (OAEP)– Proven IND-CCA2 (a high security definition)
• Example of simpler padding– Encryption:
• Input: m• Generate random r• Let c = r xor m• Ciphertext: c||E(r)
– Decryption• y = c||E(r)• Recover r from D(E(r))• Decrypted message: m = c xor r
This padding doubles the size of an encrypted value
![Page 11: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/11.jpg)
Secure database (SDB) problem
DB
Service provider (SP)Data Owner (DO)
Query Query
AnswerAnswer
DBDatabase should be encrypted
Compute query on encrypted data
Return an encrypted answer
![Page 12: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/12.jpg)
(In)-feasibility of IND in SDB problem
• Security game:– The attacker generates two queries q0 and q1 and
send them to the DO– The DO randomly chooses 1 query and executes it
with SP– The (encrypted) result r is observed by the
attacker– With r, the attacker guesses which query r
corresponds to
![Page 13: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/13.jpg)
Attacker’s strategy
• Pick q0 = “SELECT count(*)”
• Pick q1 = “SELECT *”
• If r is just an encrypted value, it is q0
• If r is a table, it is q1
• To prevent the above attack, at least make the query results indistinguishable by its size each query result is at least Ω(n)where n is number of tuples
• Decryption cost by DO is then Ω(n) - not better than computing the query using a linear scan
![Page 14: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/14.jpg)
• Selection processing requires the SP to observe whether an encrypted tuple satisfies the query condition or not
Remark: Fully homormophic encryption with IND-CPA in SDB
Discussion paper: Shiyuan Wang, Divyakant Agrawal, and Amr El Abbadi. Is homomorphic encryption the holy grail for database queries on encrypted data? Technical report, Department of Computer Science, UCSB 2012
Cannot jump to an encrypted address
All operations in terms of circuit can be supported(AND, OR, NOT)All input and output are encrypted
![Page 15: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/15.jpg)
Implication of knowing the result of a branch operation
Unknown process
Jump to a
Jump to b
Plain data:10, 20, 21,
22, 23
Plain data:24, 27, 28,
29, 40
Knowledge of plaintext from CPA
![Page 16: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/16.jpg)
Implication of knowing the result of a branch operation
Unknown process
Jump to a
Jump to b
Plain data:10, 20, 21,
22, 23
Plain data:24, 27, 28,
29, 40
E(c)
Pick a = 50, b = 7
Attacker answer: c = a
Attack:
![Page 17: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/17.jpg)
Re-writing the query may help
• If (x>10) { y = 20;} else { y = 100;}
r = cmp_grt(x, 10) // return 1 if x > 10, 0 otherwise
y = 20 + 80 * r
Cannot solve all problems!
![Page 18: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/18.jpg)
Leakage of knowing branch result in practice
• Assume now we allow the SP to observe the branch (i.e., comparison) results, what kind of information is leaked?– Locality of data
Result of cmp(Y, E(q1))
E(t1)
E(t3)
E(t5)
E(t7)
E(t10)
Result of cmp(Y, E(q2))
E(t1)
E(t3)
E(t9)
E(t13)
Derived knowledge – COA:1. q2 q1
2. q2 t1[Y], t3[Y] q1
3. t5[Y] t1[Y], t3[Y] t9[Y]
So, we just protect the exact values in our scheme.And the use of index may make sense
![Page 19: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/19.jpg)
Another way to prove IND (in SMC)
• Proof by simulation• Background– Each party received several messages from the
other party– Can they use these information to observe
anything about the other party?Alice:
Secret x = 3Bob:
Secret y = 7
Result: x+y = 10
Secure sum
![Page 20: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/20.jpg)
Simulation
• Say Bob is the attacker now• Is there any difference on the messages Bob
received if Alice provides different input?– Indistinguishable
Alice:Secret x = 3
Bob:Secret y = 7
Result: x+y = 10
Secure sum
![Page 21: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/21.jpg)
Secure Sum
Alice:Secret x = 3
Bob:Secret y = 7
Result: x+y = 10
Generate r1 = 70
Public parameter: n=100
Send m1 = r1+x mod n= 73
Send m2 = r2+y+m1 mod n= 30 Generate r2 = 50
Alice:Secret a = 60
Bob:Secret b = 50
Keep r2 as share
Keep m2-r1 as share
![Page 22: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/22.jpg)
Bob’s view
Bob:Secret y = 7
Result: x+y = 10
Public parameter: n=100
Send m1 = r1+x mod n= 73Simulation:For any value of xGenerate r1’ = m1 – x mod nThe message m1 can be generated
Simulation succeeds. This protocol is secure w.r.t. IND.
![Page 23: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/23.jpg)
A not secure example
Key agreement protocol
Public parameters:p, g
Bob
Observed: YA, XB
How to derive XA?
Note: since it must be a specific XA so that YA = gXA
Simulation fails.
Note: This protocol is not for protecting parties’ input from the other party
![Page 24: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/24.jpg)
Relaxed security definition
• Also the approach of our paper• Bounded leakage of protocols– Can be proven by the simulations
• Used a lot by Chris Clifton from Purdue University
Jaideep Vaidya and Chris Clifton, Secure Set Intersection Cardinality with Application to Association Rule Mining, JCS 13(4), 2005.Jaideep Vaidya and Chris Clifton, Privacy-Preserving K-Means Clustering over Vertically Partitioned Data, SIGKDD, 2003.Murat Kantarcioglu and Chris Clifton, Privacy Preserving Data Mining of Association Rules on Horizontally Partitioned Data, TKDE 16(9), 2004.
![Page 25: Background on security. Definition of security 1.Attacker’s knowledge/capability – The attacker observes a set of encrypted values only – Ciphertext-only](https://reader035.vdocument.in/reader035/viewer/2022081513/56649ee95503460f94bfaeb0/html5/thumbnails/25.jpg)
Proof of relaxed definition
• Attacker’s knowledge– Its own input– Messages in the protocol– Leaked knowledge
• If the above is enough to simulate the execution of the protocol, there is not other information leak
• Then, argue the leaked knowledge is not very harmful