Towards mobile cryptography
Download
1 / 27

Towards Mobile Cryptography - PowerPoint PPT Presentation


Towards Mobile Cryptography. Thomas Sander and Christian Tschudin International Computer Science Institute Berkeley, California. Mobile Code. Mobile computing: Applications have to handle extended off-line periods Mobile agents – carry request to server, execute, return results.

Related searches for Towards Mobile Cryptography

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha

Download Presentation

Towards Mobile Cryptography

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Towards Mobile Cryptography

Thomas Sander and Christian Tschudin

International Computer Science Institute

Berkeley, California


Mobile Code

  • Mobile computing:

    • Applications have to handle extended off-line periods

    • Mobile agents – carry request to server, execute, return results


Mobile Code

  • Active networks:

    • A packet carries info telling the network how to process the data in the packet

    • The custom communication architecture pays for the overhead (e.g. data filtering)

    • Shift info processing from end nodes to internal nodes


Mobile Code

  • E-commerce:

    • New products, new providers, new customers join the system at any time

    • The mobile agent can keep up with the changes but needs to operate securely


Security Problems

  • Hosts have to be protected from malicious agents

  • The mobile agent’s code and data is at the full mercy of the executing host


Security Problems

  • Clear text data can be read and changed

  • Clear text programs can be changed

  • Clear text messages (e.g. to the originator) can be faked


Security Problems

  • Can a mobile agent protect itself against tampering by a malicious host? (code and execution integrity)

  • Can a mobile agent remotely sign a document without disclosing user’s private key? (computing with secrets in public)

  • Can a mobile agent conceal the program it wants to have executed? (code privacy)


Constraints

  • Mobile agents should be allowed to execute on untrusted hosts but still have guarantees for their correct execution

  • Mobile agents should not require interactive protocols with their originator

  • Protection mechanisms should be provably secure


Mobile Cryptography

  • The secure execution environment usually includes the computing base that provides the physical storage and execution environment

  • We want to extract the computing base from the secure premises


The Linking Problem

Execute y = P(x)

Compute the signature z = S(y)

Output the pair (y,z)

  • An adversary separates the signing routine and signs arbitrary documents

  • How can cryptographic primitives be irremovably attached to the data to which they are supposed to be applied?


The Linking Problem – Idea

  • The output of function f has to be signed using function s

  • Compute h = s o f on the originating host

  • Send h to be evaluated remotely

  • The key is the difficulty of decomposing h into s and f


Non-Interactive Evaluation of Encrypted Functions

Alice encrypts f => E(f)

Alice creates the program P(E(f)) which implements E(f)

Alice sends P(E(f)) to Bob

Bob executes P(E(f)) on x

Bob sends to Alice P(E(f))(x)

Alice decrypts P(E(f))(x) and obtains f(x)

Computing with Encrypted Functions


Evaluation w/ Encrypted Functions via Homomorphic Functions

Definition: Let R and S be rings. We call an (encryption) function E : R -> S

Additively homomorphic if there’s an efficient algorithm PLUS to compute E(x+y) from E(x) and E(y) and does not reveal x and y

Mixed multiplicatively homomorphic if there’s an efficient algorithm MIXED-MULT to compute E(x*y) from E(x) and y that does not reveal x

Proposition: Let E : R -> S be the function defined above. We can implement non-interactive EEF for polynomials pR[X1, … Xn] with E

Computing with Encrypted Functions


Evaluation w/ Encrypted Functions via Homomorphic Functions

Let p be the polynomial  ai1…is X1i1, … Xnis

Alice creates P(X) that implements p like this:

Each coefficient ai1…is of p is replaced by E(ai1…is)

The monomials of p are evaluated on the input x1, …, xs and stored in a list L := […, E(x1i1, …, xsis), …]

The list M := […, E(ai1…is x1i1, …, xsis), …] is produced by calling MIXED-MULT for elements of L and coefficients E(ai1…is)

The elements of M are added up using PLUS

Computing with Encrypted Functions


Evaluation w/ Encrypted Functions via Homomorphic Functions

Alice sends the program P to Bob

Bob runs P on its private input x1…xs and obtains P(x1…xs)

Bob sends the result P(x1…xs) = E(p(x)) back to Alice

Alice applies E-1 and obtains p(x)

Computing with Encrypted Functions


Z/NZ Cryptosystems

Computing with Encrypted Functions

HORROR


EEF via Composition Techniques

Assume f is the computation function and s is a rational function that Alice is able to invert efficiently

Let E(f) := s o f

The protocol goes as previously described

Decomposition problem: Given the function h that is known to be decomposable, find f such that exists s with h = s o f

Composition Based Approaches


Undetachable signatures

s = function used by Alice to sign an arbitrary message m

m = the result of a function f applied to some data x

v = function that Alice publishes to let others verify the validity of a signature

(z is a valid signature of m if v(z) = m)

Composition Based Approaches


Undetachable signatures

fsigned = s o f

Send (f, fsigned) and get (f(x), z:=fsigned(x))

Applying v to z a user can check that f(x) is valid

Composition Based Approaches


Undetachable signatures - attacks

Left decomposition attack – given h:= s o f and f, determine s

Interpolation attack I – the adversary is able to produce (z, v(z))

(z, v(z)) = (s(v(z)), v(z))

s is a low degree rational scheme (otherwise s o f is hard to calculate on dense sets)

s is discoverable using interpolation techniques

Composition Based Approaches


Undetachable signatures - attacks

Interpolation attack II – the adversary is able to produce (l, s(l))

s is a low degree rational scheme (otherwise s o f is hard to calculate on dense sets)

s is discoverable using interpolation techniques

Inversion attack – if the adversary is able to find a pre-image x of n under f, i.e. f(x) = n, he can produce a valid signature for n using fsigned(x)

Composition Based Approaches


Undetachable signatures – better approach

s = (s1…sk) : Rk -> Rk a bijective function called bi-directional map

v = (v1…vk) : Rk -> Rk the inverse function of s, i.e. s o v = v o s = idRk

Let f : Rl - > Rt be the function whose output we want to be signed

G2,…Gk: Rt -> R public functions

Composition Based Approaches


Undetachable signatures – better approach

Public key – the public key for signature verification is v2…vk ( !!!! NO v1)

Construction of the signed program

Chose a random rational function r : Rl->R

Build the map fsigned:Rl->Rk with components given by fsigned,I := si(r, G2o f, …Gko f), i = 1 … k

Send (f, fsigned)

Composition Based Approaches


Undetachable signatures – better approach

Execution - Get the result (y:=f(x), z:=fsigned(x))

Verification – Compute Gi(y) and vi(z) ,i = 2..k

z is a signature of y iff vi(z)=Gi(y) for all i

Composition Based Approaches


Undetachable signatures – explanations

The key is that the adversary doesn’t know r and v1

Because the adversary doesn’t know r, the left decomposition attack to find si from the ith component of fsigned is even harder

Because the adversary doesn’t know v1 he cannot compute I/o pairs for the interpolation of si

Composition Based Approaches


Undetachable signatures – explanations

Because the adversary doesn’t know r, he cannot compute i/o pairs for the interpolation of si (second interpolation attack)

Even if the adversary is able to invert f, the scheme is not broken: without r he cannot compute pre-images of (r, G2o f, …Gko f):Rl->Rk

Composition Based Approaches


Conclusions


ad
  • Login