
IV. CRYPTO TECHNIQUES in CLOUDS


Many variants of computational privacy problems are being formalized cryptographically and solutions are being proposed. Success has been achieved to varying degrees in many of them. We give a whirlwind tour of those techniques here and discuss the challenges of adopting each of them in Cloud Computing.
A. Fully Homomorphic Encryption (FHE)
In addition to the Keygen, Encrypt and Decrypt methods of Public Key Encryption (PKE) schemes, these schemes provide an additional algorithm, Evaluate. This algorithm allows computations over encrypted data, based on a mathematical property called homomorphism, by performing basic operations like addition and multiplication on cipher text. Recent breakthroughs in FHE [4] have brought these schemes wide attention and they are often thought to be a cryptographic holy grail. They are currently highly inefficient and not practical [5].
Using these schemes, in any of the Cloud deployment methods, a client encrypts the data using the Public Key and outsources it to a Cloud server for any computations. The server performs computations over the encrypted data using the Evaluate method and the Public Key and returns the results in encrypted form. The client then decrypts the results locally using the Private Key.
FHE schemes follow a two party (one client and one server) model. Xiao et al. proposed protocols for Multi User systems [6] that are based on a symmetric Homomorphic Encryption scheme that could evaluate functions only on polynomials. Their protocols are tightly coupled with their scheme. Such a limitation to the two party model makes them suitable for outsourcing intensive scientific computations but not yet for commercial Cloud applications. A similar concern was raised by Dijk and Juels in their contradictory paper [1]. They claim multi client applications would be impossible due to the additional functionality needed, like access control, re-encryption etc. We believe such additional functionality is purely an application of FHE.
These schemes are safe only in the semi-honest adversarial model, where the Cloud service provider is assumed to be honest in performing the computations but curious to get more information than it ought to know. But in the real world we cannot assume any degree of honesty; some adversary compromising the Cloud platform itself might turn the provider malicious and corrupt the data and/or computations. For this reason Verifiability of computation is very important; the currently proposed techniques that suit the Cloud Computing setup are still nascent [7] [8].
FHE schemes are malleable by design. For this reason, they would be prone to the adaptive chosen cipher text (CCA2) attack, in which an attacker gradually reveals the decryption key or the plain text itself. This is also equivalent to, informally, an adversary being able to distinguish the cipher text based on the message they encrypt. In practice, malleability is avoided using padding methods like OAEP or PKCS1.
Also, popular PKE schemes like RSA are deterministic in their basic form. This means encrypting the same message any number of times yields the same cipher text, which would leak information to an adversary if the data contains repeated patterns. In practice, the encryption process is made probabilistic using padding methods. So the PKE schemes underlying FHE schemes should be inherently probabilistic in nature, else their ability to compute over encrypted data might be lost due to padding.
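Added example, not from the original paper: the Keygen/Encrypt/Evaluate/Decrypt flow, malleability and probabilistic encryption described above, shown with the Paillier scheme. Paillier is only additively homomorphic (not fully homomorphic) and is an assumption chosen here for brevity; the toy primes and all function names are constructed for illustration, and unpadded RSA is included for the deterministic contrast.

```python
import math
import secrets

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    """Keygen: public modulus n, private (lam, mu), with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))

def encrypt(n, m):
    """Encrypt: probabilistic, a fresh random unit r is drawn on every call."""
    r = 0
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def decrypt(n, priv, c):
    """Decrypt: m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) // n."""
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def evaluate_add(n, c1, c2):
    """Evaluate (server, public key only): ciphertext of m1 + m2."""
    return c1 * c2 % (n * n)

def evaluate_scale(n, c, k):
    """Evaluate (server, public key only): ciphertext of k * m."""
    return pow(c, k, n * n)

def outsourced_sum(values, weight):
    """Client encrypts, server computes weight * sum(values), client decrypts."""
    n, priv = keygen()
    cts = [encrypt(n, v) for v in values]      # sent to the server
    acc = cts[0]
    for c in cts[1:]:                          # server-side work
        acc = evaluate_add(n, acc, c)
    return decrypt(n, priv, evaluate_scale(n, acc, weight))

def tamper(n, c, delta):
    """Malleability: shift the hidden plaintext by delta without any key."""
    return c * (1 + delta * n) % (n * n)

def textbook_rsa(n, m, e=65537):
    """Unpadded RSA encryption: deterministic and multiplicatively malleable."""
    return pow(m, e, n)
```

The same algebra that lets the server evaluate on ciphertexts is what lets `tamper` alter a ciphertext undetected, which is why verifiability has to come from a separate mechanism.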
Little is known yet about how FHE schemes can ensure operational privacy. So far only evaluation of encrypted polynomials is possible [9]. If FHE can guarantee operational privacy then it might contradict very important results on program obfuscation [10]. A few researchers even proved that achieving multi user computational privacy implies program obfuscation [1]. So it is still an open problem whether FHE can guarantee generic operational privacy in the Cloud setup.
B. Server aided Secure Multiparty Computation
Secure Multiparty Computation (SMC) solves the problem of evaluating a function jointly by multiple parties on their private inputs [11]. In their basic form these techniques have been developed for a few distrustful parties to evaluate a common function over their private inputs. These protocols are highly interactive in nature. Also, no assumptions are made on the computational resources available to the parties. All the parties carry out the same amount of work, which is contrary to the Cloud Computing setting.
To adapt these techniques for an asymmetric setting like Cloud Computing, where the server has massive amounts of computing power relative to the users, Server aided SMC techniques have been proposed [12].
Fundamentally, SMC has been proposed to carry out computations among untrusted parties, whereas in the Cloud Computing model trusted parties need to carry out computation in the presence of an untrusted server. Even in a multiuser scenario, the user trusts (to various degrees) the rest of the users, except for the server. For example, if Patient Health Records processing is outsourced to a Cloud server, the patient would trust and share parts of the information with Doctors, Insurance Companies, Drug Researchers etc. to various degrees, but may not trust the remote Cloud server itself where the processing is being carried out.
SMC also does not make any assumptions on the computing resources available to participants, whereas in the Cloud Computing setup the server has massive computing power compared to the user.
SMC protocols are highly interactive and expect the users to be always online, whereas in the Cloud model this expectation may not be reasonable. When just two users are involved who don't trust each other, these techniques can be adapted for a few applications in the Cloud setup. But when the number of users grows, the protocol interactions in SMC visually represent more of a mesh, whereas in Cloud Computing they represent a hub-spoke model, the hub being the server.
Also, a set of literature exists for achieving multi party computation using threshold homomorphic encryption [13], [14] and also multi-key homomorphic encryption [15]. These techniques require a few of the users to collaborate interactively to decrypt the final result, which is not reasonable to assume, especially in the Cloud Computing kind of setup.
So, for the reasons stated above, adapting SMC or its variants for the Cloud Computing setup may not be of much help. Also, there is literature around realizing SMC protocols using FHE. It would be interesting, though, to see if FHE can be realized using SMC.
C. Functional Encryption
Traditional encryption schemes are all-or-nothing, meaning either the cipher text can be decrypted in its entirety or nothing can be done. But often applications need users to have access control over the data, which could reveal parts of the data based on predefined privileges. Interestingly, below are a few schemes that allow this:
- Identity based encryption
- Attribute based encryption
- Predicate-based encryption
In all of the above techniques, the data owner encrypts the data using a public key and also predefines granular access privileges for the rest of the users to access it. Users then get secret keys from a trusted key server and decrypt parts of the encrypted data based on their assigned privileges. Such a property is very important when different levels of access control need to be enforced on the encrypted data. But by design they do not provide the Output Privacy required in the Cloud Computing setup.
A generalization of the above techniques has been formalized as Functional Encryption [16]. Such generalization is an important step towards a unified theory for computational privacy. Interestingly, its relations with FHE have been studied [17] and connections have been established. This gives us hope that Functional Encryption can be further generalized with additional restrictions for output privacy.
D. Instance hiding (IH)
Suppose a user wants to outsource the computation of a function for a particular input x (instance). She transforms the input x to an encrypted input y (thus hiding it) in such a way that the server cannot infer x from y, and sends y to the server. The server computes the function on y and returns the result. The user then transforms the result f(y) back to the value of f(x). These techniques are called Instance Hiding techniques [18] as they hide the actual inputs from the server. The functions that can be evaluated this way are called encryptable functions.
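Added example, not from the original paper: the hide / compute / transform-back round trip described above, using the discrete logarithm as the outsourced function f. The choice of function, the toy group (p = 65537, generator 3) and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy group: P is the Fermat prime 65537 and 3 generates Z_P^*.
P, G = 65537, 3

def server_dlog(y):
    """Untrusted server: the expensive function f(y) = log_G(y) mod (P - 1)."""
    acc = 1
    for e in range(P - 1):
        if acc == y:
            return e
        acc = acc * G % P
    raise ValueError("y is not in the group")

def hide(x):
    """User: blind the instance x with a fresh random exponent r."""
    r = secrets.randbelow(P - 1)
    return x * pow(G, r, P) % P, r

def unhide(fy, r):
    """User: transform f(y) back, f(x) = f(y) - r mod (P - 1)."""
    return (fy - r) % (P - 1)

def outsourced_dlog(x, server=server_dlog):
    """Full round trip: the server only ever receives the blinded y."""
    y, r = hide(x)
    return unhide(server(y), r)

def server_views(x):
    """Every value the server could receive for instance x, one per r."""
    return {x * pow(G, r, P) % P for r in range(P - 1)}
```

Because `server_views` returns the whole group for every x, the value y the server receives is uniformly distributed and carries no information about the instance.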
A few protocols were also proposed to achieve operational privacy [19] using these techniques.
Prima Facie, these techniques look like they can be adapted for the Cloud setting. But it has been proved that not all functions are encryptable; this means not many functions can be evaluated when the real input instances are hidden from the server.
If there aren't many encryptable functions, then the results look contradictory to the recent breakthroughs of FHE schemes. FHE schemes aim to perform generically all functions by computing fundamental operations like add and multiply on transformed inputs. Of course, there is no formal analysis done on connections between the two.
E. Superimposing encrypted data
Although not so popular, it has been proposed that efficient encryption of data is possible using time-reversal transformations [20]. Further, using this technique, the possibilities of processing over encrypted data have been explored by superimposing such encrypted data [21].
Interestingly, these techniques are inspired by principles of Physics. Quoting verbatim from their work:
    "The fact that two ciphertexts can be superimposed while each retains its original pattern is analogous to the superposition of waves"
Not much analysis is available on these techniques. We admit our own limited knowledge in this area to do thorough analysis. We mention this so that the community may find it useful to know an obscure technique.
F. Hardware approaches
Tamper Proof Hardware approaches have been proposed to process encrypted data. In short, the devices have the decryption key built in, all the inputs are fed to the device in encrypted form, the processing is done by decrypting them and the results are re-encrypted again. A few of the proposed approaches could achieve operational privacy by running encrypted programs [22]. A few techniques were even successful in evading a few types of side channel attacks [23]. Hardwiring the decryption key is a risky proposition: compromise of the key through any side channel attack would render the device useless and compromised for ever. Even if rekeying was possible, it would be a costly affair.
The success of Cloud Computing can be attributed to optimum utilization of underlying hardware resources using Virtualization. The abstraction of a virtual machine gives the flexibility to run programs on shared resources. So adopting techniques that require specialized hardware would lose such abstraction and flexibility.
Also, manufacturing specialized hardware would shoot up the prices, thus defeating the purpose of moving to the Cloud. Even if the additional cost is amortized over a period of time, it is highly unreasonable to assume the user's decryption key resides in the datacenter of the Cloud server, over which the user has no control.
G. Specialized Operations
a) Proxy re-encryption: these techniques allow translating a cipher text encrypted under one key to a cipher text encrypted under another key without ever decrypting it, provided some additional information [24], [25]. These techniques are used in distributed secure storage.
b) Searchable encryption: these techniques allow performing search over encrypted data [26], [27]. These techniques have been improved and implemented in MIT's cryptdb project [28].
c) SQL-Aware encryption: this is a strategy rather than a technique in itself. It is based on the fact that all SQL Queries are made up of well defined primitive operations like add, equality, order check etc. So a collection of encryption schemes that allow these operations has been engineered into an RDBMS application. This made it possible to execute SQL-like queries on encrypted databases [28].
These specialized techniques cater to a small subset of the functionality that can be achieved. Finding connections and realizations of these specific techniques with much more generic techniques like FHE or FE might give us insights into possible efficient solutions.
