Joint Research Workshop of Institute of Mathematics for Industry, Kyushu University, and MEXT Collaborative Workshop of Mathematics and Mathematical Sciences
with Various Sciences and Industrial Technologies 2012
Cryptographic Technologies suitable for Cloud Computing
Main Conference Room 111, Institute of Mathematics for Industry Kyushu University
2012/10/5 (Fri)
Program and Abstracts
Organized by Kirill MOROZOV and Tsuyoshi TAKAGI
Supported by
Institute of Mathematics for Industry
Kyushu University
"Cryptographic Technologies
suitable for Cloud Computing"
Workshop Program
October 5, 13:30 - 20:00
13:30 – 13:40 Opening by MEXT and IMI
13:40 – 14:40 Plenary Talk
  “Secure Multiparty Computation almost without Verifiable Secret Sharing”
  Yvo Desmedt (University College London)
14:40 – 14:50 Break
14:50 – 16:35 Invited Talks I
  14:50 – 15:25 “Inner Product Encryption on Dual Pairing Vector Spaces”, Katsuyuki Takashima (Mitsubishi)
  15:25 – 16:00 “The Homomorphic Encryption based on Ideal Lattices and its Applications”, Masaya Yasuda (Fujitsu)
  16:00 – 16:35 “Cryptographic Key Storage in the Cloud”, Go Yamamoto (NTT)
16:35 – 16:50 Break
16:50 – 18:00 Invited Talks II
  16:50 – 17:25 “Unforgeability of Re-Encryption Keys against Collusion Attack in Proxy Re-Encryption”, Ryotaro Hayashi (Toshiba R&D Center)
  17:25 – 18:00 “Cryptography to Realize Secure Cloud”, Masayuki Yoshino (Hitachi Yokohama Laboratories)
18:00 – 18:10 Closing of the public sessions
Workshop “Cryptographic Technologies suitable for Cloud Computing”
On the Occasion of the Workshop
Workshop organizers: Tsuyoshi Takagi and Kirill Morozov, Institute of Mathematics for Industry, Kyushu University
This workshop was held on October 5, 2012 at the Institute of Mathematics for Industry (IMI), Kyushu University, hosted by the Global COE Program and co-hosted as a MEXT Collaborative Workshop of Mathematics and Mathematical Sciences with Various Sciences and Industrial Technologies. Following “Secret Sharing and Cloud Computing”, which was held last fiscal year also as a co-hosted MEXT collaborative workshop, its theme is the cryptographic technologies used in cloud computing. This year the workshop had 26 participants, who discussed the security problems of current cloud services and solutions based on cryptographic technology. After a keynote talk by Professor Yvo Desmedt (University of Texas) on efficient secret-sharing-based computation (multiparty computation), Katsuyuki Takashima (Mitsubishi Electric), Masaya Yasuda (Fujitsu Laboratories), Go Yamamoto (NTT Laboratories), Ryotaro Hayashi (Toshiba Research and Development Center) and Masayuki Yoshino (Hitachi Yokohama Research Laboratory) presented the latest cryptographic technologies, followed by lively question-and-answer sessions. In particular, views were exchanged on encryption protocols such as inner-product predicate encryption, self-correcting cryptographic techniques, (fully) homomorphic encryption, searchable symmetric encryption and proxy re-encryption, on the mathematical models of their security, and on efficient implementation methods. The protection of medical data and personal information through secure cloud computing built on cryptographic technology also came up, and further development of applications of cryptographic technology is anticipated.
Workshop ”Cryptographic Technologies suitable for Cloud Computing” 2012
October 5, 2012, Kyushu University, Ito Campus
Secure Multiparty Computation almost without
Verifiable Secret Sharing
Yvo DESMEDT
University of Texas at Dallas, USA
Today several organizations, including the US Government, use clouds to store important data. Guaranteeing reliability and privacy at the same time is a major challenge. The need for privacy is obvious (although often ignored). The need for reliability has been illustrated, for example, when the internet was deliberately disconnected in Egypt (January 2011) and with the accidental destruction of the cell phone network in the Tohoku area during the March 2011 earthquake. To address the aforementioned concerns, fully homomorphic encryption is often championed. Unfortunately, its state of the art is too slow to allow its use in any reasonable application. A better alternative is secure multiparty computation.
Although secure multiparty computation has been deployed in very limited applications, it is still relatively slow. A concern is the need to use Verifiable Secret Sharing (VSS) extensively. In our approach we avoid the need for each shareholder to rerun the full VSS protocol after each local computation.
Inner Product Encryption
on Dual Pairing Vector Spaces
Katsuyuki TAKASHIMA
Mitsubishi Electric, Japan
In this talk, I survey some recent results of joint work with Tatsuaki Okamoto [3, 2, 4, 5, 6, 7, 9], where we have introduced a new concept on bilinear pairing groups, dual pairing vector spaces (DPVS), and constructed a new type of encryption scheme, inner product encryption (IPE). (For a forthcoming result, unbounded IPE, refer to [8].)
The notion of functional encryption (FE) is a generalized (fine-grained) notion of encryption that covers identity-based encryption (IBE), hidden-vector encryption (HVE) and attribute-based encryption (ABE). A secret key in an FE scheme corresponds to a parameter v, and a sender associates a ciphertext with a parameter x. Ciphertext ct_x associated with parameter x can be decrypted by secret key sk_v corresponding to v if and only if a relation R(v, x) holds.
A stronger security notion for FE, attribute-hiding, than the basic security requirement, payload-hiding, was defined in [1]. Roughly speaking, attribute-hiding requires that a ciphertext conceal the associated parameter as well as the plaintext, while payload-hiding only requires that a ciphertext conceal the plaintext.
Katz, Sahai and Waters [1] presented a concrete construction of attribute-hiding FE for a class of predicates called inner product predicates, which represents a wide class of predicates that includes an equality test (for IBE and HVE), disjunctions or conjunctions of equality tests, and, more generally, arbitrary CNF or DNF formulas. Currently, the widest class of predicates supported by attribute-hiding FE is inner product predicates. FE for inner product predicates is called inner product encryption (IPE). Informally, the parameters of inner product predicates are expressed as vectors x (for a ciphertext) and v (for a secret key), where R(v, x) holds iff v·x = 0. (Here, v·x denotes the standard inner product.)
The attribute-hiding security achieved in [2, 3, 4] is more limited or weaker than that achieved in [1, 7]. The former is called weakly-attribute-hiding, and the latter fully-attribute-hiding.
Although the IPE scheme [1] achieved fully-attribute-hiding, it is selectively secure under non-standard assumptions. Subsequently, several attribute-hiding IPE schemes have been proposed [2, 3, 4, 5, 10], aiming at an IPE scheme with better security, e.g., adaptive security, fully-attribute-hiding and weaker (standard) assumptions. This research direction culminated in our adaptively secure and fully-attribute-hiding IPE scheme under the decisional linear (DLIN) assumption [7], which is constructed on DPVS. The basic scheme in [7] has a variant with shorter public and secret keys based on the technique in [5]. A hierarchical IPE (HIPE) scheme can be realized that is also adaptively secure and fully-attribute-hiding under the same assumption.
Moreover, in [9], we propose an efficient (H)IPE scheme, which achieves selectively fully-attribute-hiding security in the standard model almost tightly reduced from the DLIN assumption, and whose ciphertext is almost the shortest among the existing (weakly/fully) attribute-hiding (H)IPE schemes. Specifically, a ciphertext consists of n + 4 elements of G and 1 element of G_T for a prime-order symmetric bilinear group (G, G_T), where n is the dimension of x and v. We [9] also present a variant of the (basic) (H)IPE scheme that enjoys shorter public and secret keys while preserving the security.
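As an added illustration (not from the talk or the cited papers) of how the predicates listed above become inner-product relations R(v, x) iff v·x = 0, the following encodes an equality test, a disjunction and a conjunction of equality tests as key vectors v and ciphertext vectors x, following the polynomial-evaluation idea of the Katz-Sahai-Waters paper cited as [1]; the modulus P and the seeded random generator are assumptions of the example:

```python
import random

# Prime modulus for the attribute vectors, chosen for this example only; the
# actual schemes work over the order of the pairing groups.
P = 1_000_000_007


def inner_product(v, x, p=P):
    """Standard inner product v . x reduced mod p."""
    return sum(vi * xi for vi, xi in zip(v, x)) % p


def relation_holds(v, x, p=P):
    """R(v, x) of the inner product predicate: holds iff v . x = 0 (mod p)."""
    return inner_product(v, x, p) == 0


def equality_vectors(a, b):
    """Equality test a == b (IBE/HVE style): key vector v = (b, -1),
    ciphertext vector x = (1, a), so that v . x = b - a."""
    return (b % P, (-1) % P), (1, a % P)


def disjunction_vectors(a, allowed):
    """a in allowed, encoded as the polynomial prod (t - b) over b in allowed:
    v holds its coefficients and x = (1, a, a^2, ..., a^d) evaluates it at a."""
    coeffs = [1]                       # lowest-degree coefficient first
    for b in allowed:                  # multiply the current polynomial by (t - b)
        new = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            new[i] = (new[i] - b * c) % P
            new[i + 1] = (new[i + 1] + c) % P
        coeffs = new
    x = [pow(a, i, P) for i in range(len(coeffs))]
    return tuple(coeffs), tuple(x)


def conjunction_vectors(attrs, required, rng):
    """All attrs[i] == required[i]: a random linear combination of equality
    tests, which is zero only when every term is zero (except with negligible
    probability over the random r_i)."""
    v, x = [], []
    for a, b in zip(attrs, required):
        r = rng.randrange(1, P)
        v += [(r * b) % P, (-r) % P]
        x += [1, a % P]
    return tuple(v), tuple(x)


def demo():
    """Evaluate each encoding on a matching and a non-matching attribute."""
    rng = random.Random(2012)
    eq_ok = relation_holds(*equality_vectors(42, 42))
    eq_bad = relation_holds(*equality_vectors(42, 43))
    or_ok = relation_holds(*disjunction_vectors(7, [3, 7, 11]))
    or_bad = relation_holds(*disjunction_vectors(8, [3, 7, 11]))
    and_ok = relation_holds(*conjunction_vectors((1, 2), (1, 2), rng))
    and_bad = relation_holds(*conjunction_vectors((1, 3), (1, 2), rng))
    return eq_ok, eq_bad, or_ok, or_bad, and_ok, and_bad
```

In the schemes themselves v and x are never exposed in the clear; attribute-hiding means exactly that a ciphertext reveals nothing about x beyond whether R(v, x) holds for the keys one owns.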
Table 1. Comparison of our IPE schemes on DPVS in [3, 2, 4, 7, 9], where n, ν, |G| and |G_T| represent the dimension of vectors x and v, the maximum number of key-queries of an adversary (i.e., a polynomial in the security parameter λ), the size of an element of G and that of G_T, respectively. AH, PK, SK, CT, DSP, and eDDH stand for attribute-hiding, (master) public key, secret key, ciphertext, decisional subspace problem [3], and extended decisional Diffie-Hellman [2], respectively.

Scheme              Security               Order of G  Assumption         Reduction factor  PK size    SK size    CT size
OT09 [3]            selective & weakly-AH  prime       2 variants of DSP  2                 O(n^2)|G|  (n+3)|G|   (n+3)|G| + |G_T|
LOS+10 [2]          adaptive & weakly-AH   prime       n-eDDH             ν+1               O(n^2)|G|  (2n+3)|G|  (2n+3)|G| + |G_T|
OT10 [4]            adaptive & weakly-AH   prime       DLIN               ν+1               O(n^2)|G|  (3n+2)|G|  (3n+2)|G| + |G_T|
OT12 [7] (basic)    adaptive & fully-AH    prime       DLIN               3ν+2              O(n^2)|G|  (4n+2)|G|  (4n+2)|G| + |G_T|
OT12 [7] (variant)  adaptive & fully-AH    prime       DLIN               3ν+2              O(n)|G|    11|G|      (5n+1)|G| + |G_T|
OT13 [9] (basic)    selective & fully-AH   prime       DLIN               2                 O(n^2)|G|  (n+4)|G|   (n+4)|G| + |G_T|
OT13 [9] (variant)  selective & fully-AH   prime       DLIN               2                 O(n)|G|    6|G|       (n+4)|G| + |G_T|

References
[1] J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In EUROCRYPT 2008, pages 146–162, 2008.
[2] A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In EUROCRYPT 2010, pages 62–91, 2010. Full version is available at http://eprint.iacr.org/2010/110.
[3] T. Okamoto and K. Takashima. Hierarchical predicate encryption for inner-products. In ASIACRYPT 2009, pages 214–231, 2009.
[4] T. Okamoto and K. Takashima. Fully secure functional encryption with general relations from the decisional linear assumption. In CRYPTO 2010, pages 191–208, 2010. Full version is available at http://eprint.iacr.org/2010/563.
[5] T. Okamoto and K. Takashima. Achieving short ciphertexts or short secret-keys for adaptively secure general inner-product encryption. In CANS 2011, pages 138–159, 2011. Full version is available at http://eprint.iacr.org/2011/648.
[6] T. Okamoto and K. Takashima. Some key techniques on pairing vector spaces. In AFRICACRYPT 2011, pages 380–382, 2011.
[7] T. Okamoto and K. Takashima. Adaptively attribute-hiding (hierarchical) inner product encryption. In EUROCRYPT 2012, pages 591–608, 2012. Full version is available at http://eprint.iacr.org/2011/543.
[8] T. Okamoto and K. Takashima. Fully secure unbounded inner-product and attribute-based encryption. In ASIACRYPT 2012, 2012. To appear.
[9] T. Okamoto and K. Takashima. Efficient (hierarchical) inner-product encryption tightly reduced from the decisional linear assumption. IEICE Trans. Fundamentals, vol. E96-A, no. 1, Jan. 2013. To appear.
[10] J. H. Park. Inner-product encryption under standard assumptions. Des. Codes Cryptography, 58(3):235–257, 2011.
The Homomorphic Encryption based on Ideal
Lattices and its Applications
Masaya YASUDA
FUJITSU LABORATORIES LTD.
1-1, Kamikodanaka 4-chome, Nakahara-ku, Kawasaki, 211-8588, Japan
Homomorphic encryption is public key encryption that supports operations on encrypted data. Many previously known homomorphic encryption schemes support only either addition or multiplication on encrypted data (for example, Paillier [7] or RSA [8]). The first construction of a homomorphic encryption scheme supporting both addition and multiplication on encrypted data was the BGN scheme [2], which is based on pairings over elliptic curves. However, the BGN scheme can handle many additions but only one multiplication on encrypted data. In 2009, Gentry proposed the first concrete construction of fully homomorphic encryption (FHE), which allows us to compute an arbitrary function on encrypted data. After Gentry’s breakthrough work on FHE, research on applications of FHE, mainly including cloud computing, has become popular. At present, there are three main variants of FHE schemes, namely one based on ideal lattices [4, 5], which was first proposed by Gentry, one based on integers [3], and finally one based on ring learning with errors (ring-LWE) [1]. The construction of these FHE schemes starts from a somewhat homomorphic encryption (SHE) scheme. SHE schemes support only a limited number of additions and multiplications on encrypted data, but have the advantage of much faster processing and more compact parameters than FHE schemes. Research on applications of SHE schemes is now also attracting attention (see [6] for example).
Here I consider applying SHE schemes in the cloud. The application I consider is summing purchase history data collected from different companies. Since purchase history data are sensitive information related to sales, each company does not want to reveal them to the other companies. On the other hand, each company would like to know the sum of the whole purchase history data for its own sales. The application scenario is the following (see [9] for details): Each company encrypts its own purchase history data with a homomorphic encryption scheme and sends only the encrypted data to the cloud. The cloud sums the purchase history data collected from the different companies on encrypted data and sends only the encrypted sum to a trusted server holding the secret key. The trusted server decrypts the encrypted sum and sends the sum to the companies. With this scenario, each company can obtain the sum of the whole purchase history data without revealing its own data to the other companies or even to the cloud. For this application scenario, I use the SHE scheme based on ideal lattices, since among the variants of SHE schemes it is the easiest to implement (except for its complicated key generation). In this talk, I will first describe the construction of an extended version of the SHE scheme implemented by Gentry and Halevi [5]. I will also give a demonstration of the above application with the extended version of the SHE scheme.
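To make the three-party flow above concrete, here is an added example (not the talk’s implementation) that runs the same totalization with Paillier encryption, cited on this page as [7], instead of the ideal-lattice SHE scheme: the summation needs only the additive homomorphism, so the cloud multiplies ciphertexts and never sees a plaintext. The primes and purchase figures are constructed for the demo.

```python
import math
import random

# Toy Paillier key: small constructed primes so the demo runs instantly.
# Real keys use primes of ~1024 bits; the homomorphic property is the same.
P_PRIME, Q_PRIME = 1000003, 1000033


def keygen(p=P_PRIME, q=Q_PRIME):
    """Return (public key, secret key) with the usual choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                  # L(g^lam mod n^2)^-1 for g = n+1
    return (n, n + 1), (n, lam, mu)


def encrypt(pk, m, rng):
    """Randomized encryption c = g^m * r^n mod n^2, so equal inputs give different ciphertexts."""
    n, g = pk
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)


def decrypt(sk, c):
    """m = L(c^lam mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, lam, mu = sk
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def add_encrypted(pk, ciphertexts):
    """Cloud side: the product of ciphertexts encrypts the sum of the plaintexts."""
    n, _ = pk
    acc = 1
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc


def secret_totalization(company_data, rng=None):
    """company_data[i][j]: company i's figure for product column j (constructed input).
    Returns the per-column totals exactly as the trusted server would release them."""
    rng = rng or random.Random(5)
    pk, sk = keygen()                                   # key pair of the trusted server
    # Each company encrypts its own figures and uploads only ciphertexts.
    uploads = [[encrypt(pk, v, rng) for v in data] for data in company_data]
    # The cloud sums each column on encrypted data; it holds pk but not sk.
    encrypted_totals = [add_encrypted(pk, column) for column in zip(*uploads)]
    # The trusted server decrypts the totals and returns them to the companies.
    return [decrypt(sk, c) for c in encrypted_totals]
```

The totals must stay below n for the decryption to be exact, which is the Paillier analogue of the limited operation count of an SHE scheme.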
References
[1] Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE”, In Foundations of Computer Science - FOCS 2011, 97-106, 2011.
[2] D. Boneh, E.-J. Goh and K. Nissim, “Evaluating 2-DNF formulas on ciphertexts”, In Theory of Cryptography - TCC 2005, Springer LNCS 3378, 325-341, 2005.
[3] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan, “Fully homomorphic encryption over the integers”, In Advances in Cryptology - EUROCRYPT 2010, Springer LNCS 6110, 24-43, 2010.
[4] C. Gentry, “Fully homomorphic encryption using ideal lattices”, In Symposium on Theory of Computing - STOC 2009, ACM, 169-178, 2009.
[5] C. Gentry and S. Halevi, “Implementing Gentry’s fully-homomorphic encryption scheme”, In Advances in Cryptology - EUROCRYPT 2011, Springer LNCS 6632, 129-148, 2011.
[6] K. Lauter, M. Naehrig and V. Vaikuntanathan, “Can homomorphic encryption be practical?”, In ACM Workshop on Cloud Computing Security - CCSW 2011, 113-124, 2011.
[7] P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes”, In Advances in Cryptology - EUROCRYPT 1999, Springer LNCS 1592, 223-238, 1999.
[8] R. Rivest, A. Shamir and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, Communications of the ACM 21, 120-126, 1978.
[9] M. Yasuda, J. Yajima, T. Shimoyama and J. Kogure, “Secret totalization of purchase histories of companies in cloud”, SCIS 2012, 2012.
Cryptographic Key Storage in the Cloud
Go YAMAMOTO
Secure Platform Laboratories, NTT, Japan
1. Technology
Services that pass private or highly confidential information to servers on the cloud or other online environments for further processing have begun to spread in recent years and are now becoming commonplace. This trend has been accompanied by new security issues as anxiety over data leaks and unauthorized use of data increases.
In response to this situation, a variety of encryption techniques have been tried in order to protect data and prevent information leaks, but with existing encryption techniques users themselves must perform prudent key management (for both storage and distribution). Users are also required to store and manage decryption keys on their own terminals or smart cards, which means that an accident during key management increases the risk of information leaks.
We present a new technology for secure key-storage services in the cloud. It makes it easier for users to use a cipher and prevents unauthorized use of encrypted data. The heart of the new technology is a self-correcting mechanism that can correct erroneous or bogus computations. It realizes secure outsourcing of decryption, where decryption keys do not leak from the cloud and document data does not leak from the user’s terminal.
2. Mechanism and Features
2.1. Self-corrector. A self-corrector for a function f is an efficient algorithm that computes f correctly using any untrusted black-box that computes f correctly only with a certain probability. A simple argument shows that a self-corrector with a given precision must hide the instances of the computation from the black-boxes.
The design of self-correctors for non-verifiable functions, typically the decryption functions of public-key cryptosystems, is the problem to investigate. We present a design method for self-correctors that works even when the black-box returns correct output with probability less than 1/2.
2.2. Safe and flexible management of decryption keys. In conventional encryption systems, a decryption key is read into a user’s terminal to decrypt encrypted data. This approach, however, requires that all users manage decryption keys. The new scheme, in contrast, manages decryption keys on the cloud itself without loading decryption keys into user terminals. The user is consequently released from management of decryption keys and is able to control the use of encrypted data in a simple and accurate manner.
For example, this cloud cryptographic scheme enables a user to pass encrypted data to persons A, B, and C, to later make settings that allow only persons A and B to read that data, and to then make another setting that prohibits person A from reading that data again. In other words, the scheme enables the creator of encrypted data to control who is allowed to decrypt that data, so that unauthorized use of data can be prevented even after the encrypted data has been distributed.
3. Mathematics
Ensuring that computers operate correctly is a central topic of computer engineering. A self-corrector for a function f is an efficient machine that computes f correctly using any untrusted black-box, which is an external probabilistic machine that is supposed to compute f but may return wrong or faulty outputs. Self-correctors can be used even when the black-box itself does not know which of its outputs are correct, unlike other methods in which the black-boxes prove the correctness of their outputs. If f is verifiable, then we have a trivial self-corrector for f. The main interest in designing self-correctors is for non-verifiable functions.
Typical examples of non-verifiable functions are the decryption functions of public-key cryptography. For example, let Dec_y be the decryption function of ElGamal encryption for public key y. A smart card M_1 is supposed to keep the corresponding private key s inside to compute Dec_y, but M_1 outputs random values with a certain probability. The correct answers from M_1 must be determined, but under the decisional Diffie-Hellman assumption, the outputs from M_1 cannot be verified directly.
If an untrusted black-box M returns correct output with probability more than 1/2, self-correctors are constructed by running M many times and taking the majority value of the outputs. Let M be an untrusted black-box that outputs correct results with probability p. By the Chernoff bound, running M k / (2(p − 1/2)^2) times and taking the majority value of the outputs yields the correct result with probability at least 1 − 2^{−k}.
However, in real-world computing, M can output correct answers with probability much less than 1/2. Let M_2 be a smart card that computes Dec_y with probability 1/100. M_2 decrypts the input with another public key y' with probability 99/100. The correct answers from M_2 must then be chosen for Dec_y. In this situation, the majority method and the random-self-reduction are not applicable for choosing the correct answer. For a random-self-reducible function f, there can be another function f' that shares the same random-self-reduction. For example, let Dec_y be the decryption function of a homomorphic public-key cryptosystem whose plaintexts reside in G, a group of prime order. This implies that some random-self-reductions are “bad”, because there exist untrusted black-boxes that are not self-correctable by the majority method.
We present how to design cryptographic self-correctors in such situations for non-verifiable functions. The heart of our new design is a definition of “good self-reduction” to construct self-correctors.
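An added example (not from the talk) that simulates the two smart cards M_1 and M_2 described above: the Chernoff-bound number of runs k / (2(p − 1/2)^2) and the majority method recover Dec_y from M_1, while for M_2 the majority converges on the decryption under the other key y', which is exactly why the majority method fails there. The toy decryption function, the keys, the modulus and the seeded random generator are assumptions of the example.

```python
import math
import random
from collections import Counter
from fractions import Fraction

# Toy stand-in for a non-verifiable function: "decryption" under a hidden key.
# All values below are constructed for this example, not taken from the talk.
TOY_MODULUS = 1009           # small prime, illustration only
SECRET_KEY_Y = 123           # key behind the honest decryptor Dec_y
SECRET_KEY_Y_PRIME = 456     # key y' behind the wrong decryptor Dec_y'


def dec(key, ciphertext):
    """Hypothetical decryption; without the key a caller cannot check the output."""
    return (ciphertext * key) % TOY_MODULUS


def runs_for_majority(p, k):
    """Number of black-box runs from the Chernoff bound quoted in the abstract:
    k / (2 (p - 1/2)^2) runs give a correct majority with probability >= 1 - 2^-k.
    p is handled as an exact Fraction (pass "0.6" or Fraction(3, 5), not a float)."""
    p = Fraction(p)
    if p <= Fraction(1, 2):
        raise ValueError("majority method needs correct-output probability > 1/2")
    return math.ceil(k / (2 * (p - Fraction(1, 2)) ** 2))


def make_box_m1(p, rng):
    """Smart card M1: returns Dec_y(c) with probability p, otherwise a random value."""
    def box(ciphertext):
        if rng.random() < float(p):
            return dec(SECRET_KEY_Y, ciphertext)
        return rng.randrange(TOY_MODULUS)
    return box


def make_box_m2(p, rng):
    """Smart card M2: Dec_y(c) with probability p, Dec_y'(c) with probability 1 - p."""
    def box(ciphertext):
        if rng.random() < float(p):
            return dec(SECRET_KEY_Y, ciphertext)
        return dec(SECRET_KEY_Y_PRIME, ciphertext)
    return box


def majority_vote(box, ciphertext, runs):
    """Query the untrusted box `runs` times and return its most frequent output."""
    votes = Counter(box(ciphertext) for _ in range(runs))
    value, _count = votes.most_common(1)[0]
    return value


def majority_self_correct(box, ciphertext, p, k):
    """Self-corrector for p > 1/2: majority over the Chernoff-bound number of runs."""
    return majority_vote(box, ciphertext, runs_for_majority(p, k))


def demo():
    """Return (true Dec_y(c), majority answer from M1, majority answer from M2)."""
    rng = random.Random(2012)
    c = 777
    correct = dec(SECRET_KEY_Y, c)
    # M1 is right 60% of the time: 1000 runs (k = 20) recover Dec_y(c).
    m1 = majority_self_correct(make_box_m1(Fraction(3, 5), rng), c, Fraction(3, 5), 20)
    # M2 is right only 1% of the time: the majority settles on Dec_y'(c),
    # so the majority method cannot pick the correct answer here.
    m2 = majority_vote(make_box_m2(Fraction(1, 100), rng), c, 1000)
    return correct, m1, m2
```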
Unforgeability of Re-Encryption Keys against
Collusion Attack in Proxy Re-Encryption
Ryotaro HAYASHI
Corporate Research and Development Center, Toshiba Corporation, Japan
Proxy re-encryption allows a proxy to convert a ciphertext encrypted for Alice (delegator) into a ciphertext for Bob (delegatee) by using a re-encryption key generated by Alice. Recently, as cloud computing emerges, PRE gains much more attention as one of the key security components to provide secure cloud services, such as secure file sharing service.
In proxy re-encryption, non-transferability is a desirable property that colluding proxies and delegatees cannot re-delegate decryption rights to a malicious user. However, it seems to be very difficult to directly construct a non-transferable PRE scheme albeit such attempts as in previous works.
In this talk, we discuss the non-transferability and introduce a relaxed notion of the non-transferability, the unforgeability of re-encryption keys against collusion attack (UFReKey-CA), as one approach toward the non-transferability. We then show concrete constructions of proxy re-encryption schemes that meet replayable-CCA security and UFReKey-CA. Although the proposed schemes are partial solutions to transferable PRE, we believe that the results are significant steps toward the non-transferability.
Cryptography to Realize Secure Cloud
Masayuki Yoshino
Yokohama Research Laboratory, Hitachi Ltd., Japan (joint work with Hisayoshi Sato)
Progress in networking technology and an increase in the demand for computing resources have prompted many organizations to outsource their computer environments. This has resulted in a new computing model, commonly referred to as cloud infrastructure [1], that can be roughly categorized as private or public. In a private cloud, the infrastructure is managed and owned by the user and located on-premise: access to user data is under the user’s control. In a public cloud, the infrastructure is owned and managed by a service provider and is located off-premise. This means that user data is outside the user’s control and access can potentially be granted to untrusted parties. This presentation reports security issues of the public cloud, and gives application scenarios of the public cloud using cryptography.
Unlike the private cloud, which mainly guards against outside adversaries, the public cloud needs additional security properties against both root-privilege owners (public cloud providers) and malicious neighbors (other legitimate users on the same cloud) [2]. In order to provide privacy for data on the cloud together with availability of the cloud’s functionality, privacy-preserving processing techniques using cryptography are expected to be one of the most suitable approaches. In the cloud, users share physical computer resources and therefore cannot occupy the machine resources exclusively: the computing resources available to each user are restricted. As a consequence, privacy-preserving processing techniques require not only theoretical security but also practical efficiency.
Providing limited (but practical) functionality to the public cloud may currently be the key point. In the case that the public cloud is used as private storage [3], it is preferable to employ techniques for auditing all data and searching arbitrary data in a secure and efficient manner. On the one hand, proof-of-data-possession techniques might be suitable for the audit, although there are technical issues of efficiency. On the other hand, symmetric searchable encryption schemes are certainly applicable for the search. These schemes give the service provider a search privilege for some encrypted keyword, and their efficiency is practical enough to realize private storage at a moderate cost.
References
[1] NIST Special Publication 800-145. The NIST Definition of Cloud Computing, 2011:
http://csrc.nist.gov/publications/PubsSPs.html
[2] Security Guidance for Critical Areas of Focus in Cloud Computing, Version 3.0, 2011:
https://cloudsecurityalliance.org/research/security-guidance/
[3] Seny Kamara and Kristin Lauter, Cryptographic Cloud Storage. Financial Cryptography Workshops, 136-149, Springer, Lecture Notes in Computer Science, 6054, 2010.