Loading in 5 sec....

Towards Mobile CryptographyPowerPoint Presentation

Towards Mobile Cryptography

- 374 Views
- Updated On :
- Presentation posted in: Computers / Electronics

Towards Mobile Cryptography. Thomas Sander and Christian Tschudin International Computer Science Institute Berkeley, California. Mobile Code. Mobile computing: Applications have to handle extended off-line periods Mobile agents – carry request to server, execute, return results.

Towards Mobile Cryptography

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Towards Mobile Cryptography

Thomas Sander and Christian Tschudin

International Computer Science Institute

Berkeley, California

- Mobile computing:
- Applications have to handle extended off-line periods
- Mobile agents – carry request to server, execute, return results

- Active networks:
- A packet carries info telling the network how to process the data in the packet
- The custom communication architecture pays for the overhead (e.g. data filtering)
- Shift info processing from end nodes to internal nodes

- E-commerce:
- New products, new providers, new customers join the system at any time
- The mobile agent can keep up with the changes but needs to operate securely

- Hosts have to be protected from malicious agents
- The mobile agent’s code and data is at the full mercy of the executing host

- Clear text data can be read and changed
- Clear text programs can be changed
- Clear text messages (e.g. to the originator) can be faked

- Can a mobile agent protect itself against tampering by a malicious host? (code and execution integrity)
- Can a mobile agent remotely sign a document without disclosing user’s private key? (computing with secrets in public)
- Can a mobile agent conceal the program it wants to have executed? (code privacy)

- Mobile agents should be allowed to execute on untrusted hosts but still have guarantees for their correct execution
- Mobile agents should not require interactive protocols with their originator
- Protection mechanisms should be provably secure

- The secure execution environment usually includes the computing base that provides the physical storage and execution environment
- We want to extract the computing base from the secure premises

Execute y = P(x)

Compute the signature z = S(y)

Output the pair (y,z)

- An adversary separates the signing routine and signs arbitrary documents
- How can cryptographic primitives be irremovably attached to the data to which they are supposed to be applied?

- The output of function f has to be signed using function s
- Compute h = s o f on the originating host
- Send h to be evaluated remotely
- The key is the difficulty of decomposing h into s and f

Non-Interactive Evaluation of Encrypted Functions

Alice encrypts f => E(f)

Alice creates the program P(E(f)) which implements E(f)

Alice sends P(E(f)) to Bob

Bob executes P(E(f)) on x

Bob sends to Alice P(E(f))(x)

Alice decrypts P(E(f))(x) and obtains f(x)

Evaluation w/ Encrypted Functions via Homomorphic Functions

Definition: Let R and S be rings. We call an (encryption) function E : R -> S

Additively homomorphic if there’s an efficient algorithm PLUS to compute E(x+y) from E(x) and E(y) and does not reveal x and y

Mixed multiplicatively homomorphic if there’s an efficient algorithm MIXED-MULT to compute E(x*y) from E(x) and y that does not reveal x

Proposition: Let E : R -> S be the function defined above. We can implement non-interactive EEF for polynomials pR[X1, … Xn] with E

Evaluation w/ Encrypted Functions via Homomorphic Functions

Let p be the polynomial ai1…is X1i1, … Xnis

Alice creates P(X) that implements p like this:

Each coefficient ai1…is of p is replaced by E(ai1…is)

The monomials of p are evaluated on the input x1, …, xs and stored in a list L := […, E(x1i1, …, xsis), …]

The list M := […, E(ai1…is x1i1, …, xsis), …] is produced by calling MIXED-MULT for elements of L and coefficients E(ai1…is)

The elements of M are added up using PLUS

Evaluation w/ Encrypted Functions via Homomorphic Functions

Alice sends the program P to Bob

Bob runs P on its private input x1…xs and obtains P(x1…xs)

Bob sends the result P(x1…xs) = E(p(x)) back to Alice

Alice applies E-1 and obtains p(x)

Z/NZ Cryptosystems

HORROR

EEF via Composition Techniques

Assume f is the computation function and s is a rational function that Alice is able to invert efficiently

Let E(f) := s o f

The protocol goes as previously described

Decomposition problem: Given the function h that is known to be decomposable, find f such that exists s with h = s o f

Undetachable signatures

s = function used by Alice to sign an arbitrary message m

m = the result of a function f applied to some data x

v = function that Alice publishes to let others verify the validity of a signature

(z is a valid signature of m if v(z) = m)

Undetachable signatures

fsigned = s o f

Send (f, fsigned) and get (f(x), z:=fsigned(x))

Applying v to z a user can check that f(x) is valid

Undetachable signatures - attacks

Left decomposition attack – given h:= s o f and f, determine s

Interpolation attack I – the adversary is able to produce (z, v(z))

(z, v(z)) = (s(v(z)), v(z))

s is a low degree rational scheme (otherwise s o f is hard to calculate on dense sets)

s is discoverable using interpolation techniques

Undetachable signatures - attacks

Interpolation attack II – the adversary is able to produce (l, s(l))

s is a low degree rational scheme (otherwise s o f is hard to calculate on dense sets)

s is discoverable using interpolation techniques

Inversion attack – if the adversary is able to find a pre-image x of n under f, i.e. f(x) = n, he can produce a valid signature for n using fsigned(x)

Undetachable signatures – better approach

s = (s1…sk) : Rk -> Rk a bijective function called bi-directional map

v = (v1…vk) : Rk -> Rk the inverse function of s, i.e. s o v = v o s = idRk

Let f : Rl - > Rt be the function whose output we want to be signed

G2,…Gk: Rt -> R public functions

Undetachable signatures – better approach

Public key – the public key for signature verification is v2…vk ( !!!! NO v1)

Construction of the signed program

Chose a random rational function r : Rl->R

Build the map fsigned:Rl->Rk with components given by fsigned,I := si(r, G2o f, …Gko f), i = 1 … k

Send (f, fsigned)

Undetachable signatures – better approach

Execution - Get the result (y:=f(x), z:=fsigned(x))

Verification – Compute Gi(y) and vi(z) ,i = 2..k

z is a signature of y iff vi(z)=Gi(y) for all i

Undetachable signatures – explanations

The key is that the adversary doesn’t know r and v1

Because the adversary doesn’t know r, the left decomposition attack to find si from the ith component of fsigned is even harder

Because the adversary doesn’t know v1 he cannot compute I/o pairs for the interpolation of si

Undetachable signatures – explanations

Because the adversary doesn’t know r, he cannot compute i/o pairs for the interpolation of si (second interpolation attack)

Even if the adversary is able to invert f, the scheme is not broken: without r he cannot compute pre-images of (r, G2o f, …Gko f):Rl->Rk