Security - Telenor
Figure 1: This figure illustrates the general principle of privacy homomorphisms. The plaintext is x, the encryption function E, decryption function D, and f is a function applied to plaintext data. The function f' is the counterpart of f, when applied to encrypted data. [Diagram: x, f(x), E, D, E(x), f, f' and the relation $f'(E(x)) = E(f(x))$.]
2. interact with its environment using either encrypted or plaintext messages, or a combination of both;
3. sign certain data in complete confidentiality while executing on a potentially malicious host; and
4. support encrypted Turing-universal computation.
If one looks at these requirements, it should become clear that what is actually needed is the ability to apply operations to encrypted data. This problem was originally studied in the form of privacy homomorphisms for databases. The concept of privacy homomorphisms is a good idea, and addresses many of the requirements above as long as strong encryption is not a requirement. In spite of this, the concept could be central to solving the above problem. The few subsequent approaches in the field have to some degree based themselves on the privacy homomorphism concept, even if the resulting system is strictly speaking not a privacy homomorphism.
5.2.1 Privacy Homomorphisms

Let $S$ and $S'$ be non-empty sets with the same cardinality. A bijection $E : S \to S'$ is the encryption function, with its inverse $D$ being the corresponding decryption function. Denote an algebraic system for cleartext operations by

$$U = (S;\ f_1, \ldots, f_k;\ p_1, \ldots, p_l;\ s_1, \ldots, s_m),$$

where the $f_i : S^{g_i} \to S$ are functions with arity $g_i$, the $p_i$ are predicates with arity $h_i$, and the $s_i$ are distinct constants in $S$. Denote $U$'s counterpart for operation with encrypted data by

$$C = (S';\ f'_1, \ldots, f'_k;\ p'_1, \ldots, p'_l;\ s'_1, \ldots, s'_m),$$

where each $f'_i$ corresponds to $f_i$, each $p'_i$ corresponds to $p_i$, and each $s'_i$ corresponds to $s_i$. Thus $f'_i$ has arity $g_i$ and $p'_i$ has arity $h_i$.

A mapping $E$ is called a privacy homomorphism if it satisfies the following conditions:

1. For all $f_i$ and $f'_i$:
   $$f'_i(a'_1, \ldots, a'_{g_i}) = E_K\big(f_i(D_K(a'_1), \ldots, D_K(a'_{g_i}))\big),$$
   where $a'_1, \ldots, a'_{g_i} \in S'$, and $K$ is a symmetric encryption key.
2. For all $p_i$ and $p'_i$:
   $$p'_i(a'_1, \ldots, a'_{h_i}) \text{ if and only if } p_i(D_K(a'_1), \ldots, D_K(a'_{h_i})).$$
3. For all $s_i$ and $s'_i$: $D_K(s'_i) = s_i$.
Although this is elegant, it has an inherent weakness, summarized in theorem 3.1 in [5]. In essence, it is impossible to have a secure encryption function $E$ for an algebraic system like $U$ when that system has a predicate $p_i$ inducing a total order on the constants $s_1, \ldots, s_m$, and it somehow is possible to determine the encrypted version of each constant. The following example is from the proof of the theorem in [5].
EXAMPLE 5. Take a plaintext system where $s_i = i \in \mathbb{N}$ for all $1 \le i \le m$. Let one function be addition (written $+$), and one predicate be the relation less-than-or-equal-to (written $\le$). The corresponding function applied to encrypted data is written $+'$, and the corresponding predicate is written $\le'$. If the cryptanalyst knows $1$ and $1'$, it is possible to decrypt any $c'$ to $c$ by doing a binary search using $+'$, $1'$, and $\le'$.
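As an added illustration, not taken from the article or from [5], the following Python script builds a constructed toy instance of the algebraic system defined in Section 5.2.1, checks the three privacy-homomorphism conditions exhaustively for a small S, and then carries out the binary search of Example 5 using nothing but +', 1' and ≤'. The cipher E_K(x) = K·x, the key K = 17 and the plaintext range m = 1000 are assumptions chosen for the illustration; the point is that a scheme can satisfy all three conditions and still leak every plaintext in ⌈log₂ m⌉ order queries, which is the check a designer should run on any candidate that preserves a total order.

```python
"""Toy privacy homomorphism and the binary-search weakness of Example 5.

Constructed example (not a real cipher): S = {1, ..., m}, E_K(x) = K * x for a
secret positive integer K, +' is ordinary addition and <=' is ordinary <=.
Both encrypted operations are key-free, as they must be if an untrusted host
is to evaluate them on encrypted data.
"""
from typing import Callable, Tuple


def E(K: int, x: int) -> int:
    """Encryption: scale the plaintext by the secret key K (toy scheme)."""
    return K * x


def D(K: int, y: int) -> int:
    """Decryption: inverse of E."""
    assert y % K == 0, "not a valid ciphertext under this key"
    return y // K


def add_prime(a: int, b: int) -> int:
    """+' : encrypted counterpart of +, computed without the key."""
    return a + b


def leq_prime(a: int, b: int) -> bool:
    """<=' : encrypted counterpart of <=, computed without the key."""
    return a <= b


def check_privacy_homomorphism(K: int, m: int) -> bool:
    """Exhaustively check conditions 1-3 of Section 5.2.1 for S = {1..m}."""
    S = range(1, m + 1)
    for a in S:
        for b in S:
            a_p, b_p = E(K, a), E(K, b)
            # Condition 1: +'(a', b') = E_K(D_K(a') + D_K(b'))
            if add_prime(a_p, b_p) != E(K, D(K, a_p) + D(K, b_p)):
                return False
            # Condition 2: <='(a', b') iff D_K(a') <= D_K(b')
            if leq_prime(a_p, b_p) != (D(K, a_p) <= D(K, b_p)):
                return False
    # Condition 3: D_K(s'_i) = s_i for every encrypted constant
    return all(D(K, E(K, i)) == i for i in S)


def encrypted_constant(n: int, one_prime: int,
                       add: Callable[[int, int], int]) -> int:
    """Derive n' = E(n) from 1' alone by double-and-add over +'.

    This is the "somehow possible to determine the encrypted version of each
    constant" step of theorem 3.1: no key is needed, only the homomorphism.
    """
    result = None
    acc = one_prime
    while n:
        if n & 1:
            result = acc if result is None else add(result, acc)
        acc = add(acc, acc)
        n >>= 1
    return result


def recover_plaintext(c_prime: int, one_prime: int, m: int,
                      add: Callable[[int, int], int],
                      leq: Callable[[int, int], bool]) -> Tuple[int, int]:
    """Binary search over 1..m for the plaintext of c_prime using +', 1', <='.

    Returns (plaintext, number of <=' queries used).  The key K is never
    touched; only the public encrypted operations are consulted.
    """
    lo, hi, queries = 1, m, 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if leq(c_prime, encrypted_constant(mid, one_prime, add)):
            hi = mid
        else:
            lo = mid + 1
    return lo, queries


if __name__ == "__main__":
    K, m = 17, 1000                      # constructed secret key and range
    assert check_privacy_homomorphism(K, 50)
    c = 734                              # constructed secret plaintext
    c_prime, one_prime = E(K, c), E(K, 1)
    plain, q = recover_plaintext(c_prime, one_prime, m, add_prime, leq_prime)
    print(f"recovered {plain} from {c_prime} with {q} order queries, key unused")
```

Running the script recovers 734 from its ciphertext in at most 10 queries. The lesson for a designer is that the three conditions say nothing about confidentiality: any scheme in which the encrypted constants can be reconstructed from one of them and compared under a total order leaks the plaintext, whatever E is.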
5.2.2 Computing with Encrypted Functions

The privacy homomorphism is revisited in work by Sander and Tschudin [7]. They mention two potential candidates for encrypted computation:

1. polynomials encrypted with a particular type of privacy homomorphism; and
2. rational function composition, where one rational function is used to encrypt another.

Only the first scheme, called non-interactive evaluation of encrypted functions, is detailed in their work. Sander and Tschudin present a simple protocol demonstrating how it could work. The protocol is as follows:

1. Alice encrypts f.
2. Alice creates a program P(E(f)) which implements E(f).
3. Alice sends P(E(f)) to Bob.
Telektronikk 3.2000