In some sense PIR schemes can be considered to be a specialized problem in cryptographic computing. It is the problem of performing secret string matching and string variable assignment while under the scrutiny of untrusted observers. This section covers the more general concept of cryptographic computing.
Cryptographic computing is an area of cryptography that is in its infancy. It is a new, ambitious direction for the field. Originally cryptography sought to provide confidentiality for inert data. Cryptocomputing is concerned with performing useful computations on encrypted data without having to decrypt it, not just the secure transport and storage of encrypted data. This functionality is applicable to software piracy protection schemes as well as secure mobile agents, viruses, worms, and so on.
In fact there is a very close relationship between piracy protection and secure mobile agent theory. They both adhere to the same premise that the underlying machine that is running the software is untrustworthy in some way. The most basic problem is observability: the underlying code can be scrutinized using debugging tools and hence the underlying algorithm can be learned and replicated elsewhere. This presents problems when a company wishes to deploy an unpatented algorithm that they wish to keep as a trade secret. It also poses a problem when a mobile agent is sent off to do work on a public network since the agent and the data it gathers is subject to the scrutiny of untrusted observers. The field of secure mobile agents is gaining in popularity, as evidenced by young workshops such as the IEEE International Conference on Mobile Agents (that had its sixth meeting last year). There has even been enough work in the area of cryptographic mobile agents to warrant general surveys on the subject [231].
However, the notion of performing useful computations in untrusted environments is at least as old as public key cryptography itself. In as early as 1978, around the time that the RSA algorithm was discovered, a sufficient mathematical framework for performing secure computations on an untrusted machine was proposed [100, 244]. Specifically, it was noted that the existence of an additive homomorphism over the ciphertexts of a public key encryption function E defined over an appropriate domain as well as the existence of a multiplicative homomorphism over the ciphertexts would be sufficient to enable general computations over encrypted data akin to that which can be performed by Turing machines. In other words, the primitive would consist of operations (E, ⊕, ⊗) such that for all plaintexts m1 and m2,
E(m1) ⊗ E(m2) = E(m1 ∗ m2)    (6.5)
The additive homomorphism is denoted by ⊕, and the multiplicative homomorphism is denoted by ⊗. Interestingly, it is a trivial exercise to identify a multiplicative homomorphism for the RSA function, but the existence of an additive homomorphism for RSA is unknown.
If these primitives were to exist then they could be used to implement a universal logic gate such as a NAND or NOR gate. The gate would not operate on plaintext bits, but instead it would operate on ciphertext bits. For instance, the NAND gate would take as input two ciphertexts that each encrypt a single bit and it would return a ciphertext corresponding to the logical NAND of the two input plaintext bits. This would occur without ever decrypting the input ciphertexts. It is well known that any combinatorial circuit can be synthesized based on a universal gate. It is also well known that any Turing machine can be efficiently simulated by a Boolean circuit [315].
The practical utility of such a primitive may be brought into question, since an encrypted bit would likely occupy 768 or more ciphertext bits in the machine, and each operation is likely to involve multiple modular exponentiations, for instance. However, it would certainly be possible to implement small circuits to perform simple yet useful computations on untrusted hosts.
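The multiplicative homomorphism of RSA that the text calls a trivial exercise, as an added example (not code from the book). It uses constructed toy primes so the arithmetic is visible; it also checks that naively adding ciphertexts does not yield E(m1 + m2), which is the additive homomorphism the text says is unknown for RSA.

```python
# Added example: textbook RSA's multiplicative homomorphism
#     E(m1) * E(m2) mod N = E(m1 * m2 mod N)
# Toy parameters are constructed for illustration only; real moduli are
# 2048+ bits, and padded RSA (e.g. OAEP) deliberately destroys this property.

P, Q = 61, 53                 # constructed toy primes
N = P * Q                     # 3233
PHI = (P - 1) * (Q - 1)       # 3120
E_EXP = 17                    # public exponent, coprime to PHI
D_EXP = pow(E_EXP, -1, PHI)   # private exponent, 2753


def encrypt(m: int) -> int:
    """Textbook RSA encryption: m^e mod N (no padding)."""
    return pow(m, E_EXP, N)


def decrypt(c: int) -> int:
    """Textbook RSA decryption: c^d mod N."""
    return pow(c, D_EXP, N)


def homomorphic_mul(c1: int, c2: int) -> int:
    """Combine two ciphertexts without the private key.

    (m1^e)(m2^e) = (m1*m2)^e mod N, so the result decrypts to m1*m2 mod N.
    The party doing this never learns m1 or m2.
    """
    return (c1 * c2) % N


def multiplicative_homomorphism_holds(m1: int, m2: int) -> bool:
    """True iff combining E(m1), E(m2) equals E(m1*m2 mod N)."""
    return homomorphic_mul(encrypt(m1), encrypt(m2)) == encrypt((m1 * m2) % N)


def additive_combination_holds(m1: int, m2: int) -> bool:
    """Check whether adding ciphertexts gives E(m1 + m2); for RSA it does not."""
    return (encrypt(m1) + encrypt(m2)) % N == encrypt((m1 + m2) % N)


if __name__ == "__main__":
    c = homomorphic_mul(encrypt(42), encrypt(7))
    print("product recovered by key holder:", decrypt(c))        # 294
    print("multiplicative:", multiplicative_homomorphism_holds(42, 7))
    print("additive:", additive_combination_holds(42, 7))
```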
It is safe to say that researchers have been investigating the existence of these primitives for more than 20 years. However, it is important to bear in mind that this is a quest for a general-purpose cryptographic computing machine, not a machine that needs to solve a particular problem. In the mid-1980s the open research community began investigating dedicated cryptographic computing algorithms.
One such cryptocomputing algorithm appeared in 1986 [2, 99]. The idea was to disguise an instance of a hard problem, such as the discrete-logarithm problem, and have an untrusted machine solve it. The approach allows Alice to hide information from Bob while getting Bob to do some useful work. Alice has y and wants to know the value x such that y = g^x mod p. Bob has a magic computer and has a good chance of being able to solve the problem by brute force. Alice would like Bob to solve the problem for her, but does not want Bob to learn x.
Here is how the two of them can accomplish this. Alice chooses r < q
computes the discrete logarithm of this value using the base g and the modulus p. So, Bob computes v = x + r mod q and sends this value to Alice. Alice recovers x by computing x ≡ v − r ≡ x + r − r mod q. Bob has no way of knowing what the value of x is. Similar results have been shown for the quadratic residuosity problem and the primitive root problem [1, 2].
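The disguised discrete-logarithm exchange above, as an added example that is not from the book. Alice's blinding step is assumed to be y' = y · g^r mod p, since that is the only disguise for which the stated recovery x ≡ v − r mod q works; the group (p = 23, q = 11, g = 2) is a constructed toy so Bob's brute force finishes instantly. The last two functions go beyond the text to show why Bob learns nothing: for fixed y, the disguised value ranges over the whole subgroup as r varies.

```python
import secrets
from typing import Optional, Tuple, List

# Constructed toy group: g = 2 has prime order q = 11 in Z_23^*.
P, Q, G = 23, 11, 2


def blind(y: int, r: int) -> int:
    """Alice's step (assumed form): y * g^r = g^(x+r) mod p hides x."""
    return (y * pow(G, r, P)) % P


def solve_dlog_brute_force(target: int) -> int:
    """Bob's 'magic computer': exhaustive search over the exponent space."""
    for v in range(Q):
        if pow(G, v, P) == target:
            return v
    raise ValueError("target is not in the subgroup generated by g")


def unblind(v: int, r: int) -> int:
    """Alice recovers x = v - r mod q from Bob's answer v = x + r mod q."""
    return (v - r) % Q


def outsourced_dlog(y: int, r: Optional[int] = None) -> Tuple[int, int, int]:
    """Run the exchange; returns (x, y' sent to Bob, v returned by Bob)."""
    if r is None:
        r = secrets.randbelow(Q)          # Alice's secret blinding exponent
    y_prime = blind(y, r)                 # Alice -> Bob
    v = solve_dlog_brute_force(y_prime)   # Bob -> Alice
    return unblind(v, r), y_prime, v


def bob_view(y: int) -> List[int]:
    """All disguised values Bob could see for this y, one per choice of r."""
    return sorted(blind(y, r) for r in range(Q))


def subgroup() -> List[int]:
    """Every element of <g>; equal to bob_view(y) for any y in <g>."""
    return sorted(pow(G, v, P) for v in range(Q))


if __name__ == "__main__":
    x_true = 7
    y = pow(G, x_true, P)                 # 13
    x, y_prime, v = outsourced_dlog(y)
    print(f"Bob saw {y_prime}, answered {v}; Alice recovered x = {x}")
```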
A problem that is closely related to computing with encrypted data is the problem of performing secure multiparty computation. The first example of this is the famous Millionaire problem: Alice and Bob each have an integer number and they want to know who holds the greater number without having to disclose the numbers to one another. This was first addressed by Andrew Yao [325] in 1982. The more general context is the following. Two or more parties want to determine some property about the pieces of information they hold while keeping them private. The main results in the domain were achieved by Andrew Yao [326] in 1986 for the two-party case.
In 1987 Goldreich et al showed how to securely implement any desired multiparty functionality [116]. The security is guaranteed, provided either a majority of the players are honest or all parties are semi-honest. In other words, all parties send messages according to the protocol, but keep track of and share all intermediate results. Much attention has been paid to the important issue of minimizing the number of rounds of computation in this model. There is a wealth of literature regarding secure multiparty computations [14, 15, 16, 56, 57, 58, 105, 106, 107].
A working group, organized by DARPA, met in October 1996 to discuss security issues regarding the execution of code on machines that are operated by untrusted parties. In 1997 a workshop was held on the subject [80]. It was geared towards developing the semantics, structures, and security assumptions that form the basis for single-party secure computation. It was concluded that numerous approaches lacked formal grounds for security, and that they typically relied on ad hoc or otherwise hidden security assumptions.
In 1997 Sander and Tschudin proposed a method to compute with encrypted functions to overcome the problem of protecting mobile code from its host [250, 251]. Techniques were presented to achieve non-interactive computing with encrypted programs in certain cases and give a complete solution for this problem in certain instances. In particular they gave a protocol that allows non-interactive evaluation of encrypted polynomials over the ring of integers modulo N where N is smooth (that is, N has no large prime factors). The results are based on the use of homomorphic encryption schemes and function composition techniques. In particular they utilize an additive scheme of Lipton and Sander [176] that is polynomial time indistinguishable under the assumption of the hardness of the Power Residue Hypothesis, which is a generalization of the Quadratic Residue Hypothesis to residues of higher degree.
It is argued that this primitive may be usable in mobile agents that need to remotely sign their output. The agents would thereby be able to create undetachable digital signatures. However, they remark that there are still outstanding technical obstacles that need to be overcome in order to achieve this goal. Research that is related to this was presented in Financial Crypto ’02 by Stern et al who gave a method for computing with encrypted rational numbers [103].
The first formal result regarding generalized cryptographic computing was presented in 1999 by Sander et al [252]. It was shown how in one round a protocol for secure evaluation of circuits can be performed in polynomial-time for NC1 circuits (Nick's Class). The protocol involves an input party sending encrypted input to a second party (a cryptocomputer). The second party evaluates the circuit (or a known circuit over its additional private input) non-interactively, securely, and obliviously, and provides the output to the input party without learning it. This directly applies to protection against reverse engineering since under well-established intractability assumptions the reverse engineer provably learns nothing about the program that is being executed. An implementation is presented that is based on the quadratic residuosity problem. This improved on previous results that are specialized to the case of NC1 circuits and that require a constant number of communication rounds. The scenario also coincides with computing with encrypted data when the input is transformed into an output while remaining encrypted throughout the computation. The algorithm utilizes a probabilistic encryption method that is random self-reducible. The paper also gives a new provably secure public key scheme that allows the computation of the logical AND operation using encrypted data. This scheme is homomorphic over a semigroup (instead of a group) and thus also expands the range of algebraic structures that can be encrypted homomorphically.
The work on one-round secure computation has been ongoing [47]. Cachin et al investigate one-round secure computation between two distrusting parties as well: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is able to learn the output. The protocol is limited to one message from Alice to Bob followed by one message from Bob to Alice. The solution has an advantage over the Sander et al cryptocomputer since it works for polynomial-depth circuits. However, for the purposes of generalized mobile agent computing the solution has a drawback that it cannot iteratively receive inputs and compute values based on previously stored results. All of the inputs must be present at the time the computation commences. The authors propose a remedy to this based on symmetric cryptography but it has various inherent limitations. The solution nonetheless provides stronger evidence regarding the feasibility of executing mobile code in untrusted environments.
Non-Zero Sum Games and Survivable Malware
Today, computer viruses, Trojans, and worms are summarily removed from computers when found. Even in the case of the One-half virus that is designed to make safe removal difficult, disinfection is still possible without damaging the host system. Antiviral programs seldom attempt to remove a virus unless they believe there are no harmful consequences for doing so. But what if the consequence extends beyond the infected computer in question? Put another way, what if the removal of a virus on one machine will cause damage on another remotely located machine? If harmful consequences result from removing malware then the payoff for removal becomes a negative quantity in game theoretic terms. Of course, leaving the malware on the system may have a payoff that is even more negative. This begs the question as to whether or not there exist malware enforceable games between the host and the malware that have a higher payoff for the host when the malware is allowed to remain after discovery.
The unspoken dream of every virus writer is to design a virus that cannot be safely removed even after discovery.[1]
It is this that would constitute a true digital disease. This chapter investigates how various technologies can achieve this end when appropriately combined.
A dedicated attacker may have a rather serious goal in mind. For example, the attacker may want to factor someone's RSA key, or compute a discrete logarithm. Attacks along these lines are presented in this chapter.
[1] Of course, this could be our own demented dream. Who really knows?
An attacker that is simply carrying out a prank may simply want to give people a hard time. Under these circumstances survivability among malware helps to ensure that the attack lasts even after the virus is discovered and antivirus software is deployed. Such attacks hinge on the fact that not everyone is going to apply antiviral solutions on time, and some might not get around to it at all.[2] By distributing the bargaining chips that the virus has among several machines (for example, sensitive information that is damaging if disclosed), the virus can be made to be more survivable. In this situation, when Alice deletes the virus from her machine, the viruses that still reside on Bob and Carol's machines may exact revenge by anonymously posting stolen data from Alice's machine. The notion of distributing data among viruses and having them coordinate their attack efforts with each other is well known [332].