cryptography for cloud storage service

Page 1: Cryptography for Cloud Storage Service

Cryptography for Cloud Storage Service

Kaoru Kurosawa Ibaraki University, Japan

CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia

Page 2: Cryptography for Cloud Storage Service

Cloud Storage Service

• (or online storage service) is now available on a commercial basis.

• Big Internet enterprises such as Google, Amazon and Yahoo are providing these services.

2

Page 3: Cryptography for Cloud Storage Service

The Advantages are

• Companies need only pay for the storage they actually use
• Companies do not need to install physical storage devices in their own data center
• Storage maintenance tasks, such as backup, are offloaded to the responsibility of a service provider

3

Page 4: Cryptography for Cloud Storage Service

In Japan

• After the big earthquake last year, many local governments are considering using cloud storage service to store their important data which includes the original copy of family registers.

4

Page 5: Cryptography for Cloud Storage Service

But Potential Threats

• The number of people with access to the data who could be compromised (bribed, or coerced) increases dramatically.
• It is possible for other customers to access your data, sometimes because of human error, faulty equipment, a bug or criminal intent.

5

Page 6: Cryptography for Cloud Storage Service

In such systems

• The role of cryptography is crucial.

6

Page 7: Cryptography for Cloud Storage Service

A Searchable Symmetric Encryption (SSE) scheme

• Consists of a store phase and a search phase

7

Page 8: Cryptography for Cloud Storage Service

In the store phase,

• A client stores encrypted files (or documents) on a server

Client → Server: E(D1), ⋯, E(DN)

8

Page 9: Cryptography for Cloud Storage Service

In the search phase,

• The client sends an encrypted keyword to the server

Client → Server: E(keyword)

9

Page 10: Cryptography for Cloud Storage Service

The server somehow returns

• The encrypted files E(D3), E(D6), E(D10) which contain the keyword

Client → Server: E(keyword)
Server → Client: E(D3), E(D6), E(D10)

10

Page 11: Cryptography for Cloud Storage Service

So the client can

• retrieve some of the encrypted files
• which contain a specific keyword,
• keeping the keyword secret

Client → Server: E(keyword)
Server → Client: E(D3), E(D6), E(D10)

11

Page 12: Cryptography for Cloud Storage Service

By Passive Attack

• A malicious server breaks the privacy
• She tries to find the keyword and the documents

Client → Server (malicious): E(keyword)
Server (malicious) → Client: E(D3), E(D6), E(D10)

12

Page 13: Cryptography for Cloud Storage Service

By Active Attack

• A malicious server breaks the reliability
• She tries to forge/delete some files,
• or replace E(D3) with another E(D100).

Client → Server (malicious): E(keyword)
Server (malicious) → Client: E(D3) replaced by E(D100), E(D6), E(D10)

13

Page 14: Cryptography for Cloud Storage Service

The security against passive attacks has been studied by several researchers.

• Song, Wagner, Perrig
• Goh
• Bellovin and Cheswick
• Chang and Mitzenmacher

14

Page 15: Cryptography for Cloud Storage Service

Finally

• Curtmola, Garay, Kamara and Ostrovsky showed a rigorous definition of security against passive attacks.
• They also gave a scheme which satisfies their definition.

15

Page 16: Cryptography for Cloud Storage Service

However

• The security against active attacks has not been considered so far.

16

Page 17: Cryptography for Cloud Storage Service

In this talk

(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme

17

Page 22: Cryptography for Cloud Storage Service

Overview

Privacy: Curtmola et al.
Reliability: Our paper
UC security: Our paper

22

Page 23: Cryptography for Cloud Storage Service

Outline of this talk

(1) Curtmola et al.'s scheme
(2) Our UC-secure scheme
(3) Our theoretical results

23

Page 24: Cryptography for Cloud Storage Service

Curtmola et al.

Showed a scheme such as follows. (It is secure against passive attacks.)

Consider the following “Index”

keyword      Documents
Austin       D3, D6, D10
Boston       D8, D10
Washington   D1, D4, D8

24

Page 25: Cryptography for Cloud Storage Service

The client first constructs E(Index) as follows.
• He first chooses a pseudorandom permutation π.

E(Index) =

25

Page 26: Cryptography for Cloud Storage Service

He next computes
• π(Austin, 1), π(Austin, 2) and π(Austin, 3),
• Writes the indexes (3, 6, 10) in these addresses

E(Index):
Address         Index
π(Austin, 1)    3
π(Austin, 2)    6
π(Austin, 3)    10

26

Page 27: Cryptography for Cloud Storage Service

Do the same for each keyword

E(Index):
Address         Index
π(Austin, 1)    3
π(Austin, 2)    6
π(Austin, 3)    10
π(Boston, 1)    8
π(Boston, 2)    10

27

Page 28: Cryptography for Cloud Storage Service

In the store phase,

• The client stores

Client → Server: E(D1), ⋯, E(DN), and E(Index)

28

Page 29: Cryptography for Cloud Storage Service

In the search phase,

• The client sends

Client → Server: t(Austin) = ( π(Austin, 1), π(Austin, 2), π(Austin, 3) )

[E(Index) on the server, contents: 3, 6, 10, 8, 10]

29

Page 30: Cryptography for Cloud Storage Service

The server sees that the corresponding indexes are

Client → Server: π(Austin, 1), π(Austin, 2), π(Austin, 3)

[E(Index) on the server, contents: 3, 6, 10, 8, 10]

30

Page 31: Cryptography for Cloud Storage Service

Hence the server can return

Client → Server: π(Austin, 1), π(Austin, 2), π(Austin, 3)
Server → Client: E(D3), E(D6), E(D10)

[E(Index) on the server, contents: 3, 6, 10, 8, 10]

31

Page 32: Cryptography for Cloud Storage Service

This scheme

• Is secure against passive attacks.
• But it is not secure against active attacks.

32

Page 33: Cryptography for Cloud Storage Service

A naive approach is to add MAC to each E(Di)

Client → Server: π(Austin, 1), π(Austin, 2), π(Austin, 3)
Server → Client: E(D3), MAC(E(D3)), E(D6), MAC(E(D6)), E(D10), MAC(E(D10))

The server returns these files together with their MACs

33

Page 34: Cryptography for Cloud Storage Service

But a malicious server will

Client → Server (malicious): π(Austin, 1), π(Austin, 2), π(Austin, 3)
Server (malicious) → Client: E(D3), MAC(E(D3)), E(D6), MAC(E(D6)), E(D10), MAC(E(D10))

Replace some pair with another pair

E(D100), MAC(E(D100))

34

Page 35: Cryptography for Cloud Storage Service

The client cannot detect this cheating

Client → Server (malicious): π(Austin, 1), π(Austin, 2), π(Austin, 3)
Server (malicious) → Client: E(D3), MAC(E(D3)), E(D6), MAC(E(D6)), E(D10), MAC(E(D10))

Because this is a valid pair of MAC

E(D100), MAC(E(D100))

35

Page 36: Cryptography for Cloud Storage Service

The proposed scheme

We include π(Austin, 1) in the input of MAC

So the server returns

Client → Server: π(Austin, 1)
Server → Client: E(D3), Tag3=MAC(π(Austin, 1), E(D3))

36

Page 37: Cryptography for Cloud Storage Service

This method works

Client → Server: π(Austin, 1)
Server → Client: E(D3), Tag3=MAC(π(Austin, 1), E(D3))

Because the MAC binds the query and the answer pair

37

Page 38: Cryptography for Cloud Storage Service

More precisely,
• The client writes such MAC values in E(Index), and stores it on the server

E(Index):
Address         Contents
π(Austin, 1)    3, tag3=MAC( π(Austin, 1), E(D3) )
π(Austin, 2)    6, tag6=MAC( π(Austin, 2), E(D6) )
π(Austin, 3)    10, tag10=MAC( π(Austin, 3), E(D10) )

38

Page 39: Cryptography for Cloud Storage Service

For a query π(Austin, 1)

The server returns E(D3) and tag3=MAC( π(Austin, 1), E(D3) )

E(Index):
Address         Contents
π(Austin, 1)    3, tag3=MAC( π(Austin, 1), E(D3) )
                6, tag6=MAC( π(Austin, 2), E(D6) )
                10, tag10=MAC( π(Austin, 3), E(D10) )

39

Page 40: Cryptography for Cloud Storage Service

The client checks the validity of

π(Austin, 1), E(D3), tag3=MAC( π(Austin, 1), E(D3) )

The details are written in the paper.

40
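The naive MAC of slides 33 to 35 beside the query-bound tag of slides 36 to 40, as an added example that is not code from the talk or the paper. It assumes HMAC-SHA256 as the MAC and as a PRF stand-in for the PRP π, constructed opaque byte strings in place of the ciphertexts E(Di), and a constructed keyword "Denver" for D100; all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: opaque byte strings stand in for the ciphertexts E(Di).
DOC_IDS = (1, 3, 4, 6, 8, 10, 100)
CIPHERTEXTS = {i: f"constructed-ciphertext-of-D{i}".encode() for i in DOC_IDS}
# The talk's Index, plus a constructed keyword "Denver" so that D100 is indexed.
INDEX = {"Austin": [3, 6, 10], "Boston": [8, 10],
         "Washington": [1, 4, 8], "Denver": [100]}
K_ADDR = b"constructed key for pi"    # assumption: fixed demo keys, not KeyGen
K_MAC = b"constructed key for MAC"


def pi(keyword: str, j: int) -> bytes:
    """Address pi(keyword, j); HMAC-SHA256 is a PRF stand-in for the PRP."""
    msg = len(keyword).to_bytes(2, "big") + keyword.encode() + j.to_bytes(4, "big")
    return hmac.new(K_ADDR, msg, hashlib.sha256).digest()


def naive_tag(ct: bytes) -> bytes:
    """Naive approach: MAC(E(Di))."""
    return hmac.new(K_MAC, b"\x00" + ct, hashlib.sha256).digest()


def bound_tag(address: bytes, ct: bytes) -> bytes:
    """Proposed scheme: MAC(pi(keyword, j), E(Di)); the address has fixed length."""
    return hmac.new(K_MAC, b"\x01" + address + ct, hashlib.sha256).digest()


def store():
    """Client side of the store phase: build what the server will hold."""
    files = {i: (ct, naive_tag(ct)) for i, ct in CIPHERTEXTS.items()}
    enc_index = {}
    for keyword, doc_ids in INDEX.items():
        for j, i in enumerate(doc_ids, start=1):
            addr = pi(keyword, j)
            enc_index[addr] = (i, bound_tag(addr, CIPHERTEXTS[i]))
    return files, enc_index


def trapdoor(keyword: str):
    """t(keyword) = (pi(keyword, 1), ..., pi(keyword, n))."""
    return [pi(keyword, j) for j in range(1, len(INDEX[keyword]) + 1)]


def server_search(files, enc_index, t, malicious=False):
    """Return (E(Di), naive tag, bound tag) for each queried address."""
    answers = []
    for addr in t:
        i, tag = enc_index[addr]
        ct, ntag = files[i]
        answers.append((ct, ntag, tag))
    if malicious:
        # Substitute the first answer with E(D100) and the valid tags the server
        # already holds for it; its bound tag was issued for another address.
        ct, ntag = files[100]
        other_tag = next(tag for i, tag in enc_index.values() if i == 100)
        answers[0] = (ct, ntag, other_tag)
    return answers


def verify_naive(answers) -> bool:
    return all(hmac.compare_digest(ntag, naive_tag(ct)) for ct, ntag, _ in answers)


def verify_bound(t, answers) -> bool:
    if len(answers) != len(t):        # a deleted file is rejected as well
        return False
    return all(hmac.compare_digest(tag, bound_tag(addr, ct))
               for addr, (ct, _, tag) in zip(t, answers))


def run_exchange(malicious: bool):
    """One search for "Austin"; returns (naive check passes, bound check passes)."""
    files, enc_index = store()
    t = trapdoor("Austin")
    answers = server_search(files, enc_index, t, malicious)
    return verify_naive(answers), verify_bound(t, answers)


if __name__ == "__main__":
    print("honest server   :", run_exchange(False))
    print("malicious server:", run_exchange(True))
```

The substituted pair passes the naive check because its MAC is genuine, and fails the bound check because that tag was computed over a different address.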

Page 41: Cryptography for Cloud Storage Service

Another Subtle Point

• If 3 appears many times in E(Index),
• the adversary sees that
• D3 includes more keywords than the other documents.

E(Index) =
3
3, tag3=MAC( π(Austin, 1), E(D3) )
3
6, tag6=MAC( π(Austin, 2), E(D6) )
3
10, tag10=MAC( π(Austin, 3), E(D10) )

41

Page 42: Cryptography for Cloud Storage Service

Hence
• the index i of each Di should appear the same number of times.
• Curtmola et al. didn’t show such a method.

E(Index) =
3, tag3=MAC( π(Austin, 1), E(D3) )
6, tag6=MAC( π(Austin, 2), E(D6) )
10, tag10=MAC( π(Austin, 3), E(D10) )

42

Page 43: Cryptography for Cloud Storage Service

We solve this problem as follows

Suppose that there are 5 documents and

Index:
keyword      Documents
Austin       D1, D2
Boston       D3, D4
Washington   D5

43

Page 44: Cryptography for Cloud Storage Service

Since Austin ∈ {D1, D2}, we consider a list such that

1, 2, dummy, dummy, dummy

44

Page 45: Cryptography for Cloud Storage Service

1, 2, dummy, dummy, dummy

We consider another list which includes (3,4,5)

dummy, dummy, 3, 4, 5

45

Page 46: Cryptography for Cloud Storage Service

E(Index) is constructed by permuting them randomly by using a PRP π as follows.

address            contents    address            contents
π(0, Austin, 1)    1           π(1, Austin, 1)    dummy
π(0, Austin, 2)    2           π(1, Austin, 2)    dummy
π(0, Austin, 3)    dummy       π(1, Austin, 3)    3
π(0, Austin, 4)    dummy       π(1, Austin, 4)    4
π(0, Austin, 5)    dummy       π(1, Austin, 5)    5

46

Page 47: Cryptography for Cloud Storage Service

In the search phase, the client sends π(0, Austin, *) to the server

address            contents    address            contents
π(0, Austin, 1)    1           π(1, Austin, 1)    dummy
π(0, Austin, 2)    2           π(1, Austin, 2)    dummy
π(0, Austin, 3)    dummy       π(1, Austin, 3)    3
π(0, Austin, 4)    dummy       π(1, Austin, 4)    4
π(0, Austin, 5)    dummy       π(1, Austin, 5)    5

47

Page 48: Cryptography for Cloud Storage Service

The server returns the corresponding contents

address            contents    address            contents
π(0, Austin, 1)    1           π(1, Austin, 1)    dummy
π(0, Austin, 2)    2           π(1, Austin, 2)    dummy
π(0, Austin, 3)    dummy       π(1, Austin, 3)    3
π(0, Austin, 4)    dummy       π(1, Austin, 4)    4
π(0, Austin, 5)    dummy       π(1, Austin, 5)    5

48

Page 49: Cryptography for Cloud Storage Service

Now each i ∈ {1,2,3,4,5} appears once for each keyword

E(Index):
address            contents    address            contents
π(0, Austin, 1)    1           π(1, Austin, 1)    dummy
π(0, Austin, 2)    2           π(1, Austin, 2)    dummy
π(0, Austin, 3)    dummy       π(1, Austin, 3)    3
π(0, Austin, 4)    dummy       π(1, Austin, 4)    4
π(0, Austin, 5)    dummy       π(1, Austin, 5)    5

49
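The two-list padding of slides 43 to 49, as an added example that is not code from the talk or the paper. It assumes HMAC-SHA256 as a PRF stand-in for the PRP π, a fixed constructed key, and a constructed contrast index in which D3 contains every keyword; all function names are hypothetical.

```python
import hashlib
import hmac
from collections import Counter

K_ADDR = b"constructed key for pi"   # assumption: fixed demo key, not KeyGen
DUMMY = "dummy"

# The Index from the talk (5 documents, 3 keywords).
TALK_INDEX = {"Austin": {1, 2}, "Boston": {3, 4}, "Washington": {5}}
# Constructed contrast case: D3 contains every keyword.
SKEWED_INDEX = {"Austin": {1, 2, 3}, "Boston": {3, 4}, "Washington": {3, 5}}


def pi(b: int, keyword: str, j: int) -> bytes:
    """Address pi(b, keyword, j); HMAC-SHA256 is a PRF stand-in for the PRP."""
    msg = (bytes([b]) + len(keyword).to_bytes(2, "big")
           + keyword.encode() + j.to_bytes(4, "big"))
    return hmac.new(K_ADDR, msg, hashlib.sha256).digest()


def build_padded_index(index: dict, n_docs: int) -> dict:
    """Write two lists of length n_docs per keyword at addresses pi(b, keyword, j)."""
    table = {}
    for keyword, docs in index.items():
        present = sorted(docs)
        absent = [i for i in range(1, n_docs + 1) if i not in docs]
        list0 = present + [DUMMY] * len(absent)     # e.g. 1, 2, dummy, dummy, dummy
        list1 = [DUMMY] * len(present) + absent     # e.g. dummy, dummy, 3, 4, 5
        for b, contents in ((0, list0), (1, list1)):
            for j, content in enumerate(contents, start=1):
                table[pi(b, keyword, j)] = content
    return table


def trapdoor(keyword: str, n_docs: int) -> list:
    """The client's query pi(0, keyword, *)."""
    return [pi(0, keyword, j) for j in range(1, n_docs + 1)]


def search(table: dict, t: list) -> list:
    """The server returns the contents stored at the queried addresses."""
    return [table[address] for address in t]


def server_view(table: dict) -> Counter:
    """How often each content occurs in the stored table, before any search."""
    return Counter(table.values())


if __name__ == "__main__":
    talk = build_padded_index(TALK_INDEX, 5)
    skewed = build_padded_index(SKEWED_INDEX, 5)
    print(search(talk, trapdoor("Austin", 5)))
    print(server_view(talk) == server_view(skewed))
```

Both indexes give the server the same content counts, so the stored table no longer shows that D3 contains more keywords than the other documents.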

Page 50: Cryptography for Cloud Storage Service

Later

• We will prove that our scheme is UC-secure
• Hence it is secure against active attacks.

50

Page 51: Cryptography for Cloud Storage Service

Our theoretical results

(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme

51

Page 52: Cryptography for Cloud Storage Service

A verifiable SSE consists of 6 algorithms:

• KeyGen
• Enc
• Trapdoor
• Search
• Verify
• Dec

52

Page 53: Cryptography for Cloud Storage Service

In the store phase,

The client first generates a key K ← KeyGen(1^k) and keeps it secret.

53

Page 54: Cryptography for Cloud Storage Service

The client next chooses

D = {set of documents} = {D1, …, DN}
W = {set of keywords}

And computes

C = { E(D1), ⋯, E(DN) }
I = E{ Index }

[Diagram: Enc, with key K]

54

Page 55: Cryptography for Cloud Storage Service

D = {set of documents} = {D1, …, DN}
W = {set of keywords}

[Diagram: Enc, with key K]

Then the client sends

C = { E(D1), ⋯, E(DN) }
I = E{ Index }

55

Page 56: Cryptography for Cloud Storage Service

In the search phase,

The client chooses

keyword

and computes t(keyword) = [π(0,Austin,1), …, π(0,Austin,1)] by using Trapdoor algorithm

[Diagram: Trapdoor, with keyword and key K]

56

Page 57: Cryptography for Cloud Storage Service

keyword

Trapdoor K

Then the client sends t(keyword)

57

Page 58: Cryptography for Cloud Storage Service

The server receives t(keyword)

and computes C(keyword) = { E(D3), E(D6), E(D10) }, Tag

[Diagram: Search, with t(keyword), C = { E(D1), ⋯, E(DN) } and I = E{ Index }]

Ex. the keyword is included in D3, D6 and D10.

58

Page 59: Cryptography for Cloud Storage Service

Then the server returns C(keyword) = { E(D3), E(D6), E(D10) }, Tag

[Diagram: Search, with t(keyword), C = { E(D1), ⋯, E(DN) } and I = E{ Index }]

59

Page 60: Cryptography for Cloud Storage Service

Client → Server: t(keyword)
Server → Client: C(keyword)={E(D3), E(D6), E(D10)}, Tag

60

Page 61: Cryptography for Cloud Storage Service

Then the client computes Verify algorithm on input

t(keyword)
C(keyword)={E(D3), E(D6), E(D10)}, Tag

[Diagram: Verify, with key K, outputs Accept / Reject]

61

Page 62: Cryptography for Cloud Storage Service

If Accept, the client decrypts

C(keyword)={E(D3), E(D6), E(D10)}

[Diagram: Dec, with key K]

and obtains the documents D3, D6, D10 which contain the keyword

62

Page 63: Cryptography for Cloud Storage Service

Our theoretical results

(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme

63

Page 64: Cryptography for Cloud Storage Service

The security against active attacks

• Consists of privacy and reliability
• We define privacy similarly to Curtmola et al.
• That is,

64

Page 65: Cryptography for Cloud Storage Service

In the store phase,

Client → Server: E(D1), ⋯, E(DN), E(Index)

The server will learn |D1|, …, |DN| and |{keywords}| from what she received

65

Page 66: Cryptography for Cloud Storage Service

In the search phase,

For t(keyword) the server returns C(keyword).

Client → Server: t(keyword)
Server → Client: C(keyword)=( E(D3), E(D6), E(D10) ), Tag

This means that the server knows the corresponding indexes {3, 6, 10}

66

Page 67: Cryptography for Cloud Storage Service

To summarize

The server learns
• |D1|, …, |DN| and |{keywords}|
• the indexes {3, 6, 10} which correspond to a queried keyword

67

Page 68: Cryptography for Cloud Storage Service

The Privacy definition

• requires that the server should not be able to learn any more information

68

Page 69: Cryptography for Cloud Storage Service

The Privacy definition

• requires that the server should not be able to learn any more information
• To formulate this, we consider a real game and a simulation game

69

Page 70: Cryptography for Cloud Storage Service

In the Real Game

Distinguisher → Client: D = {D1, …, DN}, W = {set of keywords}
Client → Distinguisher: C = { E(D1), ⋯, E(DN) }, I = E{ Index }

70

Page 71: Cryptography for Cloud Storage Service

Next

Distinguisher → Client: keyword
Client → Distinguisher: t(keyword)

71

Page 72: Cryptography for Cloud Storage Service

Next

Distinguisher → Client: keyword
Client → Distinguisher: t(keyword)

72

Page 73: Cryptography for Cloud Storage Service

Finally

Distinguisher → Client: keyword
Client → Distinguisher: t(keyword)
Distinguisher outputs b=0 or 1

73

Page 74: Cryptography for Cloud Storage Service

In the Simulation Game

Distinguisher → Client: D = {D1, …, DN}, W = {set of keywords}
Client → Simulator: |D1|, …, |DN| and |{keywords}|
Simulator → Distinguisher: somehow computes C = { E(D1), ⋯, E(DN) }, I = E{ Index }

74

Page 75: Cryptography for Cloud Storage Service

Next

Distinguisher → Client: keyword
Client → Simulator: The corresponding indexes {3, 6, 10}
Simulator → Distinguisher: somehow computes t(keyword)

75

Page 76: Cryptography for Cloud Storage Service

Next

Distinguisher → Client: keyword
Client → Simulator: The corresponding indexes {3, 6, 10}
Simulator → Distinguisher: somehow computes t(keyword)

76

Page 77: Cryptography for Cloud Storage Service

Finally

Distinguisher → Client: keyword
Client → Simulator: {3, 6, 10}
Simulator → Distinguisher: t(keyword)
Distinguisher outputs b=0 or 1

77

Page 78: Cryptography for Cloud Storage Service

Definition of Privacy

• We say that a verifiable SSE satisfies privacy if
• there exists a simulator such that
• |Pr( b=1 in Real) - Pr( b=1 in Simulation)|
• is negligible for any distinguisher.

78

Page 79: Cryptography for Cloud Storage Service

The Def. of Curtmola et al.

• Requires that
• for any distinguisher,
• there exists a simulator such that
• |Pr( b=1 in Real) - Pr( b=1 in Simulation)|
• is negligible.

In this definition, the simulator depends on the distinguisher.

79

Page 80: Cryptography for Cloud Storage Service

Our definition

• is slightly stronger than that of Curtmola et al. because in our definition, the simulator is independent of the distinguisher.

80

Page 81: Cryptography for Cloud Storage Service

Our definition

• is slightly stronger than that of Curtmola et al. because in our definition, the simulator is independent of the distinguisher.
• This small change is important when we prove the equivalence with the UC-security.

81

Page 82: Cryptography for Cloud Storage Service

Next Reliability

The client sends
Client → Server: t(keyword)

The honest server returns
Server → Client: C(keyword)={E(D3), E(D6), E(D10)}, Tag

82

Page 83: Cryptography for Cloud Storage Service

Client sends
Client → Server: t(keyword)

The honest server returns
Server → Client: C(keyword)={E(D3), E(D6), E(D10)}, Tag

We say that C(keyword)* is invalid for t(keyword) if C(keyword)* ≠ C(keyword)

83

Page 84: Cryptography for Cloud Storage Service

We say that Server* wins

If she can return (C(keyword)*, Tag*) for some t(keyword) such that
(1) C(keyword)* is invalid and
(2) The client accepts (C(keyword)*, Tag*)

84

Page 85: Cryptography for Cloud Storage Service

Definition of Reliability

We say that a verifiable SSE satisfies reliability if Pr(Server* wins) is negligible for any Server*, any D={set of documents}, any W={set of keywords} and any queried keyword.

85

Page 86: Cryptography for Cloud Storage Service

Our theoretical results

(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme

86

Page 87: Cryptography for Cloud Storage Service

In General

Even if a protocol π is secure, it may not be secure
• if π is executed concurrently,
• or if π is a part of a larger protocol

[Diagram: Client 1, Client 2, Server]

87

Page 88: Cryptography for Cloud Storage Service

Universal Composability (UC)

Is a framework which guarantees that
• A protocol π is secure
• Even if π is executed concurrently, and
• Even if π is a part of a larger protocol

88

Page 89: Cryptography for Cloud Storage Service

The notion of UC

• was introduced by Canetti.
• He proved that UC-security is maintained under a general protocol composition.

89

Page 90: Cryptography for Cloud Storage Service

In the UC framework

We consider a real world and an ideal world. In the ideal world, there exists an ideal functionality

A Real world      An Ideal world
A protocol π      An Ideal Functionality Fπ

A protocol π is UC-secure if the real world is indistinguishable from the ideal world.

90

Page 91: Cryptography for Cloud Storage Service

We define

• An ideal functionality FvSSE of verifiable SSE as follows.

91

Page 92: Cryptography for Cloud Storage Service

In our case, the ideal world looks like this

[Diagram: Environment Z, dummy Client, dummy Server, Ideal Functionality FvSSE, UC adversary S]

92

Page 93: Cryptography for Cloud Storage Service

First in the store phase

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z]
Environment Z → dummy Client: D={D1, …, DN}, W={set of keywords}

93

Page 94: Cryptography for Cloud Storage Service

The dummy client relays them to FvSSE

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z]
Environment Z → dummy Client: D={D1, …, DN}, W={set of keywords}
dummy Client → FvSSE: D={D1, …, DN}, W={set of keywords}

94

Page 95: Cryptography for Cloud Storage Service

Our FvSSE sends

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: D={D1, …, DN}, W={set of keywords}
dummy Client → FvSSE: D={D1, …, DN}, W={set of keywords}
FvSSE → UC adversary S: |D1|, …, |DN|, |{keywords}|

95

Page 96: Cryptography for Cloud Storage Service

Next in the search phase

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword

96

Page 97: Cryptography for Cloud Storage Service

The dummy client relays it to FvSSE

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword

97

Page 98: Cryptography for Cloud Storage Service

Our FvSSE sends

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: The corresponding indexes {3,6,10}

98

Page 99: Cryptography for Cloud Storage Service

The UC adversary S returns

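[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: {3,6,10}
UC adversary S → FvSSE: Accept or Reject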

99

Page 100: Cryptography for Cloud Storage Service

If S returns Reject,

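[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: {3,6,10}
UC adversary S → FvSSE: Reject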

100

Page 101: Cryptography for Cloud Storage Service

Our FvSSE sends Reject to the dummy client

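[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: {3,6,10}
UC adversary S → FvSSE: Reject
FvSSE → dummy Client: Reject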

101

Page 102: Cryptography for Cloud Storage Service

The dummy client relays it to Z

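[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: {3,6,10}
UC adversary S → FvSSE: Reject
FvSSE → dummy Client: Reject
dummy Client → Environment Z: Reject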

102

Page 103: Cryptography for Cloud Storage Service

If S returns Accept,

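[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: {3,6,10}
UC adversary S → FvSSE: Accept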

103

Page 104: Cryptography for Cloud Storage Service

Our FvSSE sends {D3,D6,D10}

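[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: {3,6,10}
UC adversary S → FvSSE: Accept
FvSSE → dummy Client: {D3,D6,D10}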

104

Page 105: Cryptography for Cloud Storage Service

The dummy client relays them to Z

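[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: {3,6,10}
UC adversary S → FvSSE: Accept
FvSSE → dummy Client: {D3,D6,D10}
dummy Client → Environment Z: {D3,D6,D10}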

105

Page 106: Cryptography for Cloud Storage Service

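So Z receives {D3,D6,D10} correctly or Reject

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S]
Environment Z → dummy Client: keyword
dummy Client → FvSSE: keyword
FvSSE → UC adversary S: {3,6,10}
UC adversary S → FvSSE: Accept/Reject
FvSSE → dummy Client: {D3,D6,D10}/Reject
dummy Client → Environment Z: {D3,D6,D10}/Reject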

106

Page 107: Cryptography for Cloud Storage Service

This is an ideal world

Because
(1) The dummy client receives {D3,D6,D10} which contains the keyword correctly, or receives Reject
(2) UC adversary S learns only |D1|, …, |DN|, |{keywords}| and the indexes {3,6,10} for a queried keyword

107

Page 108: Cryptography for Cloud Storage Service

Further S can corrupt

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S, dummy Server]

108

Page 109: Cryptography for Cloud Storage Service

Also Z can interact with S freely

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S, dummy Server]

109

Page 110: Cryptography for Cloud Storage Service

Z finally outputs 0 or 1

[Diagram: dummy Client, Ideal Functionality FvSSE, Environment Z, UC adversary S, dummy Server]

110

Page 111: Cryptography for Cloud Storage Service

In the real world

[Diagram: Environment Z, Client, Server]
Environment Z → Client: D={set of documents}, W={set of keywords}

111

Page 112: Cryptography for Cloud Storage Service

[Diagram: Environment Z, Client, Server]
Environment Z → Client: D={set of documents}, W={set of keywords}

Then the client and the server run the store phase of a verifiable SSE protocol

112

Page 113: Cryptography for Cloud Storage Service

In the search phase

[Diagram: Environment Z, Client, Server]
Environment Z → Client: keyword

113

Page 114: Cryptography for Cloud Storage Service

[Diagram: Environment Z, Client, Server]
Environment Z → Client: keyword

The client and the server run the search phase of the verifiable SSE protocol

114

Page 115: Cryptography for Cloud Storage Service

The client sends his output to Z

[Diagram: Environment Z, Client, Server]
Environment Z → Client: keyword
Client → Environment Z: D3, D6, D10

115

Page 116: Cryptography for Cloud Storage Service

An adversary A can corrupt

[Diagram: Environment Z, Client, Server, Adversary A]

116

Page 117: Cryptography for Cloud Storage Service

Further Z can interact with A freely

[Diagram: Environment Z, Client, Server, Adversary A]

117

Page 118: Cryptography for Cloud Storage Service

Z finally outputs 0 or 1

[Diagram: Environment Z, Client, Server, Adversary A]

118

Page 119: Cryptography for Cloud Storage Service

We say that

• A verifiable SSE protocol is UC-secure if for any adversary A, there exists a UC-adversary S such that
• no environment Z can distinguish the real world from the ideal world.

119

Page 120: Cryptography for Cloud Storage Service

Our theoretical results

(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally show a UC-secure scheme

120

Page 121: Cryptography for Cloud Storage Service

Equivalence

(Theorem) A verifiable SSE protocol is UC-secure if and only if it satisfies our definition of privacy and reliability

Here we consider static adversaries.

121

Page 122: Cryptography for Cloud Storage Service

This means that

The security of a verifiable SSE protocol is maintained under a general protocol composition

if it satisfies our privacy and reliability

[Diagram: Client 1, Client 2, Server]

122

Page 123: Cryptography for Cloud Storage Service

Our theoretical results

(1) Extend the model of SSE to verifiable SSE
(2) Define the security against active attacks.
(3) Next formulate the UC-security
(4) Then prove the equivalence between (2) and (3)
(5) Finally prove our scheme is UC-secure

123

Page 124: Cryptography for Cloud Storage Service

We assume that

• The encryption algorithm E is CPA secure
• MAC is unforgeable against chosen message attack.

124

Page 125: Cryptography for Cloud Storage Service

Theorem

• Our scheme satisfies privacy and reliability of our definition.

125

Page 126: Cryptography for Cloud Storage Service

Proof of privacy

• Suppose that there are 5 documents, and 3 keywords.
• We must show a simulator such that

126

Page 127: Cryptography for Cloud Storage Service

In the store phase, Sim receives |D1|, …, |D5| and |{keywords}|=3

Client → Simulator: |D1|, …, |D5| and |{keywords}|=3

127

Page 128: Cryptography for Cloud Storage Service

Then it must compute

C = { E(D1), ⋯, E(D5) }
E(Index)

Client → Simulator: |D1|, …, |D5| and |{keywords}|=3

128

Page 129: Cryptography for Cloud Storage Service

Our Sim computes C as

C = { E(random), ⋯, E(random) }
E(Index)

Client → Simulator: |D1|, …, |D5| and |{keywords}|=3

129

Page 130: Cryptography for Cloud Storage Service

If E is secure,

• { E(D1), ⋯, E(D5) } ≈ { E(random), ⋯, E(random) }

130

Page 131: Cryptography for Cloud Storage Service

Next Sim constructs E(Index) as a random permutation of this table

address   contents   address   contents   address   contents
π(1)      1          π(11)     1          π(21)     1
π(2)      2          π(12)     2          π(22)     2
π(3)      3          π(13)     3          π(23)     3
π(4)      4          π(14)     4          π(24)     4
π(5)      5          π(15)     5          π(25)     5
π(6)      dummy      π(16)     dummy      π(26)     dummy
π(7)      dummy      π(17)     dummy      π(27)     dummy
π(8)      dummy      π(18)     dummy      π(28)     dummy
π(9)      dummy      π(19)     dummy      π(29)     dummy
π(10)     dummy      π(20)     dummy      π(30)     dummy

131

Page 132: Cryptography for Cloud Storage Service

Since π is a PRP,

• This Index ≈ the real Index

132

Page 133: Cryptography for Cloud Storage Service

In the search phase, suppose that

Client → Simulator: {1,3,5}
Simulator outputs: t(keyword)

133

Page 134: Cryptography for Cloud Storage Service

In the 1st column, Sim finds {1,3,5,dummy,dummy}

address   contents   address   contents   address   contents
π(1)      1          π(11)     1          π(21)     1
π(2)      2          π(12)     2          π(22)     2
π(3)      3          π(13)     3          π(23)     3
π(4)      4          π(14)     4          π(24)     4
π(5)      5          π(15)     5          π(25)     5
π(6)      dummy      π(16)     dummy      π(26)     dummy
π(7)      dummy      π(17)     dummy      π(27)     dummy
π(8)      dummy      π(18)     dummy      π(28)     dummy
π(9)      dummy      π(19)     dummy      π(29)     dummy
π(10)     dummy      π(20)     dummy      π(30)     dummy

134

Page 135: Cryptography for Cloud Storage Service

Sim returns their addresses

address   contents   address   contents   address   contents
π(1)      1          π(11)     1          π(21)     1
π(2)      2          π(12)     2          π(22)     2
π(3)      3          π(13)     3          π(23)     3
π(4)      4          π(14)     4          π(24)     4
π(5)      5          π(15)     5          π(25)     5
π(6)      dummy      π(16)     dummy      π(26)     dummy
π(7)      dummy      π(17)     dummy      π(27)     dummy
π(8)      dummy      π(18)     dummy      π(28)     dummy
π(9)      dummy      π(19)     dummy      π(29)     dummy
π(10)     dummy      π(20)     dummy      π(30)     dummy

135

Page 136: Cryptography for Cloud Storage Service

That is,

Client → Simulator: {1,3,5}
Simulator outputs: t(keyword) = [π(1), π(3), π(5), π(6), π(7)]

136

Page 137: Cryptography for Cloud Storage Service

Next suppose that

Client → Simulator: {2,4}
Simulator outputs: t(keyword)

137

Page 138: Cryptography for Cloud Storage Service

In the 2nd column, Sim finds {2,4,dummy,dummy,dummy}

address   contents   address   contents   address   contents
π(1)      1          π(11)     1          π(21)     1
π(2)      2          π(12)     2          π(22)     2
π(3)      3          π(13)     3          π(23)     3
π(4)      4          π(14)     4          π(24)     4
π(5)      5          π(15)     5          π(25)     5
π(6)      dummy      π(16)     dummy      π(26)     dummy
π(7)      dummy      π(17)     dummy      π(27)     dummy
π(8)      dummy      π(18)     dummy      π(28)     dummy
π(9)      dummy      π(19)     dummy      π(29)     dummy
π(10)     dummy      π(20)     dummy      π(30)     dummy

138

Page 139: Cryptography for Cloud Storage Service

Sim returns their addresses

address   contents   address   contents   address   contents
π(1)      1          π(11)     1          π(21)     1
π(2)      2          π(12)     2          π(22)     2
π(3)      3          π(13)     3          π(23)     3
π(4)      4          π(14)     4          π(24)     4
π(5)      5          π(15)     5          π(25)     5
π(6)      dummy      π(16)     dummy      π(26)     dummy
π(7)      dummy      π(17)     dummy      π(27)     dummy
π(8)      dummy      π(18)     dummy      π(28)     dummy
π(9)      dummy      π(19)     dummy      π(29)     dummy
π(10)     dummy      π(20)     dummy      π(30)     dummy

139

Page 140: Cryptography for Cloud Storage Service

That is,

Client → Simulator: {2,4}
Simulator outputs: t(keyword) = [π(12), π(14), π(16), π(17), π(18)]

140

Page 141: Cryptography for Cloud Storage Service

This is indistinguishable from the real game

Client → Simulator: {2,4}
Simulator outputs: t(keyword) = [π(12), π(14), π(16), π(17), π(18)]

141

Page 142: Cryptography for Cloud Storage Service

Hence

• Our scheme satisfies privacy.

142

Page 143: Cryptography for Cloud Storage Service

Proof of reliability

• Suppose that there exists a server* who can forge

Server* → Client: C(keyword)*, Tag*

143

Page 144: Cryptography for Cloud Storage Service

Proof of reliability

• We show a forger A who can break MAC by chosen message attack

Server* → Client: C(keyword)*, Tag*

144

Page 145: Cryptography for Cloud Storage Service

• A runs Server* by playing the role of the client
• A uses his MAC oracle to compute X

Server* → Client: C(keyword)*, Tag*

[Diagram: A (in the Client's position), MAC oracle, X]

145

Page 146: Cryptography for Cloud Storage Service

• We can show that A never queried C(keyword)* to the MAC oracle.

Server* → Client: C(keyword)*, Tag*

[Diagram: A (in the Client's position), MAC oracle]

146

Page 147: Cryptography for Cloud Storage Service

• This means that A succeeds in breaking MAC

Server* → Client: C(keyword)*, Tag*

[Diagram: A (in the Client's position), MAC oracle]

147

Page 148: Cryptography for Cloud Storage Service

Hence

• Our scheme satisfies reliability.

148

Page 149: Cryptography for Cloud Storage Service

Corollary

• Our scheme is UC-secure.

149

Page 150: Cryptography for Cloud Storage Service

Summary

Privacy: Curtmola et al.
Reliability: Our paper
UC security: Our paper

150

Page 151: Cryptography for Cloud Storage Service

Preliminary version

• was presented at Financial Cryptography 2012
• The paper is available from the homepage of FC 2012

151

Page 152: Cryptography for Cloud Storage Service

Thank you !!

152