Towards Mobile Cryptography Authors: Tomas Sander Christian F. Tschudin Presented: Xiang Lin

Posted on 25-Dec-2015


Page 1:

Towards Mobile Cryptography

Authors: Tomas Sander

Christian F. Tschudin

Presented: Xiang Lin

Page 2:

Outline

Security problems of mobile agents

1. How can a mobile agent conceal a function it wants to have executed?

2. How can a mobile agent remotely sign a document without disclosing the user's private key?

Solution:

1. non-interactive EEF
   1) EEF via Composition Techniques
   2) EEF via Homomorphic Function

2. undetachable digital signature

Conclusion and Question

Page 3:

Mobile agent

Mobile agents are programs that, together with their data resources, can move in a computer network from host to host in order to pursue their task.

Alice’s Home Platform

As a travel agent, she creates three agents for herself:

1. Shopping agent
2. Jobseeker agent
3. Stock watch agent

1. Security problems of MA

But mobile agents haven't been widely used. Why?

Security problems.

Page 4:

Problem / Solution

1. Malicious agent attacks host
   Solution: the agent should carry a signature, verified by the host; techniques for protecting the execution environment against hostile mobile code.

2. Malicious agent attacks other agents it meets
   Solution: a public interface for agents; the host enforces separation between agents.

3. Malicious host attacks agent
   (the subject of the rest of this talk)

1. Security problems of MA (cont.)

Page 5:

Example:

Alice wants to fly from Auckland to San Francisco next Sunday. Alice sends out a shopping agent called Mobile Travel Agent to visit the relevant airline servers.

The Mobile Agent negotiates, gets the best offers and then returns this information to Alice.

Alice decides to buy a ticket. The Mobile Travel Agent digitally signs an order and pays for the best flight for Alice.

Malicious host attacks agent

Main possible attacks (not all):

1. The agent could be brainwashed by a malicious host, so that it forgets the best prices collected before.

2. A malicious host can spy out the user's private key when the agent digitally signs the order.

3. A malicious host can steal the agent's electronic money.

Main sub-problems (not all):

1. Can a mobile agent protect itself against tampering by a malicious host? (code and execution integrity)

2. Can a mobile agent remotely sign a document without disclosing the user's private key? (computing with secrets in public)

3. Can a mobile agent conceal the function it wants to have executed? (code privacy)

1. Security problems of MA (cont.)

The problem is serious, but essential to solve.

Page 6:

Constraints for solution on MA security

Mobile agents should be allowed to execute on untrusted hosts but still have guarantees for their correct execution

Mobile agents should not require interactive protocols with their originator

Protection mechanisms should be provably secure

Page 7:

Some people say: impossible

"It is impossible to prevent agent tampering unless trusted (and tamper-resistant) hardware ... is available."

D. Chess et al., IBM 1995

"It is FUNDAMENTALLY impossible to secure a MA from a malicious host. Therefore don't bother trying!" (summarized by L. Hurst)

Security Panel of Mobile Agents'97 Workshop

REASON: the host has full access to the agent's code and data, because the agent code has to be executed by the hosting system.

Based on the assumptions:

- The agent carries cleartext data, which can be read and changed.
- The agent carries cleartext functions, which can be manipulated.
- The agent carries cleartext messages, which can be faked.

1. Security problems of MA (cont.)

Page 8:

Our Approach

1. use encrypted data directly.*

2. execute encrypted functions directly too.

3. use undetachable signature technique.

* A new method via EEF has been developed in the article

Page 9:

Problem 1:

How can a mobile agent conceal the function "f" it wants to have executed?

Use non-interactive EEF (Evaluation of Encrypted Function)

Page 10:

Scenario

Alice (home platform): I have a function "f", e.g. one that evaluates the price of a ticket. But I don't want Bob to learn anything about my "f".

Bob (platform): I have an input "x", e.g. a flight fare, and I am willing to compute f(x) for Alice. That's fine, I don't want to know anything about "f"; I just want to give you my "x". By the way, you should not need to contact your agent during the computation, if you can avoid it.

Page 11:

How can we realize the EEF?

1. EEF via Composition Techniques

2. EEF via Homomorphic Function

Page 12:

1. EEF via Composition Techniques (Scheme):

Alice's Home Platform / Bob's Platform

(1) Alice randomly picks a rational function "s" and composes the two functions: E(f) := s o f. She writes a program P(E(f)) which implements E(f) on her home platform.

(2) Alice assigns an agent to carry P(E(f)).

(3) The agent visits Bob, carrying P(E(f)).

(4) Bob provides x, executes P(E(f)) at x and then stores the result P(E(f))(x) in the agent. Bob can see the cleartext of the program, but he cannot understand it.

(5) When the agent comes back, Alice applies the inverse function s^-1 to the result, s^-1(E(f)(x)), and obtains f(x).

Alice: get f(x). Bob: provide x. The two sides interact only 2 times.
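A worked instance of the composition scheme above, added here as an example (it is not code from the paper or the presenter): f is a polynomial over a constructed small prime field GF(10007) and s is a Möbius transform, so s o f is the rational function Bob executes; all function and parameter names are assumptions of this example.

```python
# Added example (not from the paper): EEF via composition over GF(P).
# Alice hides a polynomial f by composing it with a secret Mobius map
# s(y) = (a*y + b)/(c*y + d); Bob only sees the composed rational function.
import random

P = 10007  # constructed small prime; a real deployment uses a large field

def poly_eval(coeffs, x):
    """Horner evaluation of [c0, c1, ...] (c0 + c1*x + ...) over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def scale_add(coeffs, k, const):
    """Coefficient list of k*poly + const (mod P)."""
    out = [(k * c) % P for c in coeffs]
    out[0] = (out[0] + const) % P
    return out

def random_s(rng):
    """Alice's secret s: random Mobius map with a*d - b*c != 0 (invertible)."""
    while True:
        a, b, c, d = (rng.randrange(P) for _ in range(4))
        if (a * d - b * c) % P:
            return a, b, c, d

def compose(f, s):
    """E(f) := s o f as (numerator, denominator) coefficient lists.
    This is the program P(E(f)) the agent carries: Bob can read it, but it
    only exposes the composition, not f and s separately."""
    a, b, c, d = s
    return scale_add(f, a, b), scale_add(f, c, d)

def host_evaluate(enc_f, x):
    """Bob's side: evaluate P(E(f)) at his own input x, with no contact to Alice."""
    num, den = enc_f
    return poly_eval(num, x) * pow(poly_eval(den, x), -1, P) % P

def invert(s, z):
    """Alice's side: s^-1(z) = (d*z - b)/(a - c*z) recovers f(x)."""
    a, b, c, d = s
    return (d * z - b) * pow((a - c * z) % P, -1, P) % P

def run_protocol(f, x, s=None):
    """Round trip: Alice composes, the agent visits Bob, Alice inverts."""
    s = s or random_s(random.Random())
    return invert(s, host_evaluate(compose(f, s), x))
```

If Bob's x happens to hit a pole of s o f (denominator 0 mod P), `pow(..., -1, P)` raises, which is the one input the composed program cannot evaluate.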

Page 13:

1. EEF via Composition Techniques (cont.):

Limitations:

1. only proved for rational functions

2. depends on the difficulty of decomposing E(f) into s and f: no polynomial-time algorithm for decomposing multivariate rational functions has been proved to exist.*

* See [18]

Page 14:

2. EEF via Homomorphic Function:

Alice's Home Platform / Bob's Platform

(1) Alice encrypts the function "f" as E(f) using a homomorphic function. She then writes a program P(E(f)) which implements E(f) on her home platform.

(2) Alice assigns an agent to carry P(E(f)).

(3) The agent visits Bob, carrying P(E(f)).

(4) Bob provides x, executes P(E(f)) at x and then stores the result P(E(f))(x) in the agent. Bob can see the cleartext of the program, but he cannot understand it.

(5) When the agent comes back, Alice decrypts P(E(f))(x) and obtains f(x).

Alice: get f(x). Bob: provide x. The two sides interact only 2 times.

Page 15:

Definition of Homomorphism*

Homomorphic function: a function that meets the homomorphic property.

Homomorphic property: f(E(m1; m2)) = g(E(m1); E(m2)), where f and g are functions depending on the cryptosystem used.

Important homomorphic properties of public-key systems:

- multiplicative property: compute E(x*y) from E(x) and E(y) without revealing x and y
- mixed multiplicative property: compute E(x*y) from E(x) and y without revealing x
- additive property: compute E(x+y) from E(x) and E(y) without revealing x and y

* From James M. Adler, Wei Dai, Richard L. Green, C. Andrew Neff, "Computational Details of the VoteHere Homomorphic Election System"

Page 16:

2. EEF via Homomorphic Function (cont.):

PROPOSITION: Let $E: R \to S$ ($R, S$ rings) be an additively and mixed-multiplicatively homomorphic encryption scheme. Then we can implement non-interactive EEF for polynomials $p \in R[X_1, \dots, X_s]$ with $E$.

Proof:

Let $p$ be the polynomial $\sum a_{i_1 \dots i_s} X_1^{i_1} \cdots X_s^{i_s}$;

1. Replace each coefficient $a_{i_1 \dots i_s}$ of $p$ with $E(a_{i_1 \dots i_s})$;

2. Evaluate each monomial of $p$ on the input $x_1, \dots, x_s$ and store the results in a list $L := [\dots, (x_1^{i_1} \cdots x_s^{i_s}), \dots]$;

3. Use the mixed multiplicative homomorphic property to get the list $M := [\dots, E(a_{i_1 \dots i_s} x_1^{i_1} \cdots x_s^{i_s}), \dots]$;

4. Use the additive homomorphic property to add up all the elements.

Page 17:

2. EEF via Homomorphic Function (cont.):

Weakening the requirements, if the rings Z/NZ are used instead:

DEFINITION: Let $E: \mathbb{Z}/N\mathbb{Z} \to R$ ($R$ a ring) be an additively homomorphic encryption scheme. Then we can implement non-interactive EEF* for polynomials $p \in R[X_1, \dots, X_s]$ with $E$.

(When any E meets the first requirement, it meets the second automatically if we use the rings Z/NZ.)

One property of the rings Z/NZ: every additively homomorphic encryption scheme on Z/NZ is also mixed-multiplicatively homomorphic.

* See [8] for a real EEF example
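An added example, not from the paper or the presenter: the proposition's proof (encrypt coefficients, evaluate monomials, mixed-multiply, add, decrypt) carried out with Paillier, which is additively homomorphic on Z/NZ and therefore, as the slide above notes, mixed-multiplicatively homomorphic as well. Paillier, the toy primes and the sample polynomials are assumptions of this example, not choices the slides make.

```python
# Added example (not from the paper): non-interactive EEF for a polynomial
# via Paillier, additively homomorphic on Z/NZ. Alice ships E(coefficients),
# Bob uses E(a)^m = E(a*m) (mixed mult.) and E(u)*E(v) = E(u+v) (additive).
import random
from math import gcd

def keygen(p, q):  # Paillier with g = n + 1; p, q are constructed toy primes
    n, lam = p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (n, n * n), (lam, pow(lam, -1, n))  # mu = L(g^lam)^-1 = lam^-1

def encrypt(pub, m, r):
    return pow(pub[0] + 1, m, pub[1]) * pow(r, pub[0], pub[1]) % pub[1]

def decrypt(pub, priv, c):
    return (pow(c, priv[0], pub[1]) - 1) // pub[0] * priv[1] % pub[0]

def hom_add(pub, c1, c2):      # E(u) * E(v) = E(u + v)
    return c1 * c2 % pub[1]

def hom_scale(pub, c, k):      # E(u)^k = E(u * k): the mixed multiplicative property
    return pow(c, k, pub[1])

def random_unit(n, rng):       # random r coprime to n for Paillier's r^n term
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r

def encrypt_poly(pub, poly, rng):
    """Step 1 (Alice): replace each coefficient a_{i1..is} by E(a_{i1..is}).
    poly maps exponent tuples -> coefficients; the tuples travel in the clear,
    so Bob learns which monomials occur (the leakage the slides list)."""
    return {e: encrypt(pub, a, random_unit(pub[0], rng)) for e, a in poly.items()}

def host_evaluate(pub, enc_poly, xs):
    """Steps 2-4 (Bob): monomials on x, then mixed-multiply, then add."""
    acc = encrypt(pub, 0, 1)  # E(0) with r = 1: neutral element
    for exps, enc_a in enc_poly.items():
        mono = 1
        for x, i in zip(xs, exps):
            mono = mono * pow(x, i, pub[0]) % pub[0]
        acc = hom_add(pub, acc, hom_scale(pub, enc_a, mono))
    return acc

def run_protocol(poly, xs, p=10007, q=10009, seed=1):
    pub, priv = keygen(p, q)
    enc = encrypt_poly(pub, poly, random.Random(seed))  # Alice, before sending
    return decrypt(pub, priv, host_evaluate(pub, enc, xs))  # Alice, on return
```

Results are correct modulo N = p*q, so p(x) must be computed in Z/NZ; with the toy primes here N is only about 10^8.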

Page 18:

2. EEF via Homomorphic Function (cont.):

Limitations:

1. only proved for rational functions

2. depends on the difficulty of decrypting E(f)

3. information leakage: reveals a part of the non-zero coefficients of the unencrypted function "p"

Page 19:

Problem 2:

How can a mobile agent remotely sign a document without disclosing the user's private key?

Use undetachable digital signature techniques

Page 20:

Scenario

Alice (home platform, holding the private key): I want my mobile agent to sign the order on Bob's site using my private key.

Bob (platform): I can spy out the private key when Alice's mobile agent signs the order.

Alice: Actually, it doesn't matter. I can use EEF to encrypt the signature function "s".

Bob: But there is still a problem. I can use it to sign other documents, though I cannot understand it.

Page 21:

Requirements for the solution

1. The signature routine "s" has to be glued unremovably to the data it is supposed to sign.

2. Also, repeated execution of the mobile program should not disclose significant information about the signing routine.

Page 22:

Outline of the undetachable signature method

Goal: The mobile program carries a rational function f and wants to sign the output f(x) with a (private) signing function s.

Notation:

- Digital signature of a message y: s(y)
- Verification function (public): v
- z is a valid signature of y if and only if v(z) = y

Scheme:

- Assume the signing function s is a rational function.
- The signing mobile program for f consists of two parts: P(f) and P_signed := P(s o f)
- y is a correct output of f if and only if v(P_signed(x)) = y

Page 23:

Attacks on the undetachable signature method

Left decomposition attack
- given h := s o f and f, determine s

Interpolation attack I
- the adversary is able to produce (z, v(z))
- (z, v(z)) = (s(v(z)), v(z))
- s is a low-degree rational scheme
- s is discoverable using interpolation techniques

Interpolation attack II
- the adversary is able to produce (l, s(l))
- s is a low-degree rational scheme
- s is discoverable using interpolation techniques

Inversion attack
- if the adversary is able to find a pre-image x of n under f, i.e. f(x) = n, he can produce a valid signature for n using f_signed(x)

Page 24:

Improved Undetachable Signature Method

Definition:

- s = (s1, …, sk): R^k -> R^k, a bijective function called a bi-directional map
- v = (v1, …, vk): R^k -> R^k, the inverse function of s, i.e. s o v = v o s = id_{R^k}
- Let f: R^l -> R^t be the function whose output we want to be signed
- G2, …, Gk: R^t -> R public functions
- Use v2, …, vk as the public key for signature verification (!!!! NO v1)

Construction of the signed function:

- Choose a random rational function r: R^l -> R
- Build the map f_signed: R^l -> R^k with components f_signed,i := si(r, G2 o f, …, Gk o f), i = 1 … k
- Send (f, f_signed)

Execution: get the result (y := f(x), z := f_signed(x))

Verification: compute Gi(y) and vi(z), i = 2..k; z is a signature of y iff vi(z) = Gi(y) for all i

Page 25:

Explanation:

The key is that the adversary does not know r and v1.

1) Because the adversary does not know r, the left decomposition attack to find si from the i-th component of f_signed is even harder.

2) Because the adversary does not know v1, he cannot compute I/O pairs for the interpolation of si.

3) Because the adversary does not know r, he cannot compute I/O pairs for the interpolation of si (second interpolation attack).

4) Even if the adversary is able to invert f, the scheme is not broken: without r he cannot compute pre-images of (r, G2 o f, …, Gk o f): R^l -> R^k.
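The improved method of the two slides above with k = 2, added here as an example (not code from the paper or the presenter). The bijection s is a constructed toy, a triangular map whose inverse is obvious, and f, G2 and r are constructed too; in the real scheme f_signed is shipped as one expanded rational function so that Bob cannot read s or r off it the way he can read this Python. The check it demonstrates is the one on slide 24: with only (v2, G2) public, z verifies y exactly when v2(z) = G2(y), and v1 is never needed.

```python
# Added example (not from the paper): improved undetachable signature, k = 2,
# over GF(P). s = (s1, s2) is a toy triangular bijection; v = (v1, v2) its
# inverse. Only v2 (and the public G2) is needed to verify; v1 stays private.
P = 10007

def f(x):                      # Alice's function whose output gets signed
    return (3 * x * x + 5 * x + 7) % P

def G2(y):                     # public function G2 : R -> R
    return (y * y + 1) % P

def r(x):                      # Alice's secret random rational function r : R -> R
    return (x ** 3 + 2) * pow((x + 9) % P, -1, P) % P

def g(u):                      # secret part of s (needed only by v1)
    return (u * u + 3 * u + 1) % P

def h(u):                      # part of s that the public v2 also uses
    return (5 * u ** 3 + 2) % P

def s(u1, u2):                 # bijective map R^2 -> R^2: w1 = u1 + g(u2), w2 = u2 + h(w1)
    w1 = (u1 + g(u2)) % P
    return w1, (u2 + h(w1)) % P

def v2(w1, w2):                # public verification component: recovers u2
    return (w2 - h(w1)) % P

def v1(w1, w2):                # NOT published: would expose r(x) to the host
    return (w1 - g(v2(w1, w2))) % P

def f_signed(x):               # s o (r, G2 o f): the signed program the agent carries
    return s(r(x), G2(f(x)))

def host_execute(x):
    """Bob runs both carried programs on his input and returns (y, z)."""
    return f(x), f_signed(x)

def verify(y, z):
    """Verification with the public key (v2, G2) only: z signs y iff v2(z) = G2(y)."""
    return v2(*z) == G2(y)
```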

Page 26:

Conclusions:

Analyzed and made concrete the security problems of mobile agents.

First achieved an approach (EEF) to effectively hide computations from a malicious host, though it is still limited to polynomials and rational functions.

Also proposed a method for digital signing by mobile agents without disclosing the private key.

Page 27:

Question & Outlook:

Can this technique actually be applied to arbitrary functions, given that EEF is currently limited to polynomials and rational functions?

Can we find the homomorphic function E(f) easily enough for practical use?