Algesheimer Et Al. - 2001 - Cryptographic Security for Mobile Code


    Cryptographic Security for Mobile Code

Joy Algesheimer, Christian Cachin, Jan Camenisch, Günter Karjoth
IBM Research, Zurich Research Laboratory, CH-8803 Rüschlikon, Switzerland

    {jmu,cca,jca,gka}@zurich.ibm.com

Abstract

This paper addresses the protection of mobile code against cheating and potentially malicious hosts. We point out that the recent approach based on computing with encrypted functions is limited to the case where only the code originator learns the result of the computation and the host running the code must not notice anything at all. We argue that if the host is to receive some output of the computation, then securing mobile code requires minimal trust in a third party. Tamper-proof hardware installed on each host has been proposed for this purpose. In this paper we introduce a new approach for securely executing (fragments of) mobile code that relies on a minimally trusted third party. This party is a generic independent entity, called the secure computation service, which performs some operations on behalf of the mobile application, but does not learn anything about the encrypted computation. Because it is universal, the secure computation service needs to be only minimally trusted and can serve many different applications. We present a protocol based on tools from theoretical cryptography that is quite practical for computing small functions.

1 Introduction

Mobile code is an important programming paradigm for our increasingly networked world. It provides a flexible way to structure cooperative computation in distributed systems. Already today, the Internet is full of mobile code fragments, such as Java applets, which represent only the simplest form of mobile code.

Mobile agents are mobile code that acts autonomously on behalf of a user for continuous collecting, filtering, and processing of information. They combine the benefits of the agent paradigm, such as reacting to a changing environment and autonomous operation, with the features of remote code execution; they operate in computer networks and are capable of moving from server to server as necessary to fulfill their goals. Important applications include mobile computing, where bandwidth is limited or users are disconnected, data retrieval from large repositories, and configuration management of software and networks. Today's vision of mobile agents roaming the Internet may soon become reality as the paradigm is incorporated in large-scale applications.

Although sound definitions of mobile computations are still under debate (e.g., [13]), we assume here that mobile code is a program that is produced by one entity, called the originator, and is subsequently transferred to a second entity, the host, immediately before it is executed by the host. In other words, no manual intervention (such as performing an installation or running a setup routine) is required on behalf of the host; mobile code comes ready to run. Moreover, mobile agents are capable of continued, autonomous operation disconnected from the originator and migrate freely to other hosts during their lifetime. Such agents have also been called itinerant agents.

Mobile Code Security. Two security problems arise in the area of mobile code: (1) protecting the host from malicious code and (2) protecting the code from malicious hosts. The first problem has received considerable attention because of the imminent threat of computer viruses and Trojan horses, which are nothing but prominent members of the mobile agent family. Current solutions are to run mobile code in a sandbox with fine-grained access control and to apply code signing for exploiting a trust relation with the code producer. We address the second problem in this paper: protecting the mobile application. Solutions for this are far less developed, but this problem needs to be solved for making the mobile agent metaphor useful in many contexts.

Mobile code is exposed to various security threats: a malicious host may examine the code, try to learn the secrets carried by an agent, and exploit this knowledge in its interaction with the agent to gain an unfair advantage. A host might also try to manipulate the result of a computation. We do not address denial-of-service attacks here, such as killing the agent. Our goal is to achieve secrecy for mobile applications and integrity for their outputs in the traditional sense of information security.

1081-6011/01 $10.00 © 2001 IEEE

Protecting mobile code was deemed impossible by some mobile code researchers until Sander and Tschudin [22] realized that protocols from theoretical cryptography could be useful to execute mobile code in an encrypted form on an untrusted host. However, most such protocols for so-called secure computation [16, 1] require several rounds of interaction and are therefore not applicable in our context. Sander and Tschudin concluded that only functions representable as polynomials can be computed securely in this manner. Subsequent work of Sander et al. extends this to all functions computable by circuits of logarithmic depth [23].

Recently some of us together with Kilian have found a protocol for computing all polynomial-time functions efficiently [7], which solves the mobile code privacy problem in this form. In particular, this protocol allows any polynomial-size circuit to be evaluated securely in polynomial time using only one round of interaction.

However, this approach has a serious drawback: no information about the encrypted computation must leak to the host and only the originator may receive any output. This rules out any active mobile code that performs some immediate action on the host (like a mobile agent in a shopping scenario that accepts or rejects an offer of its host based on a secret strategy [27]). The impossibility of protecting active mobile code is demonstrated in Section 2 below; the basic problem is that a malicious host can observe the output of the computation and simply run the code again with a different input.

The only existing defense for active mobile code against a malicious host uses trusted hardware. This has been proposed by Yee [27] and by Wilhelm et al. [25] and entails running mobile code exclusively inside tamper-proof hardware, encrypting it as soon as it leaves the trusted environment. The implicit assumption one must make here is that all users trust the manufacturer of the hardware. Such an assumption seems very strong and it is unclear whether the benefits of the mobile code software paradigm justify the deployment of an expensive hardware infrastructure (unlike the example of a DVD player using tamper-proof hardware, which primarily provides the functionality of playing video).

Our Contribution. In this paper, we introduce an architecture for secure execution of active mobile code fragments that needs no additional client hardware. Instead, we propose a generic secure computation service that performs some cryptographic operations on behalf of the mobile code; it guarantees privacy as well as integrity of the computation to the code originator and its host. Moreover, the computation service itself does not learn anything about the computation; it must only be trusted not to collude with the originator or the host.

Our architecture builds on tools for secure computation from cryptology and applies them in new ways. In particular, we employ Yao's encrypted circuit construction for scrambling a circuit that computes the desired function [26]. Such methods had been thought of theoretical interest only, but current technology makes them appear practical for small tasks where maintaining privacy justifies this overhead.

The generic nature of the proposed computation service has several benefits:

- Its cost can be shared across many applications because it is generic; nothing about its usage must be known before deploying it.
- The trust placed in its integrity is universal and not bound to a particular service or to an application context; secure computation servers may be set up and operated by independent entities.
- It is based on software and commodity hardware only and therefore much cheaper to build and operate than any solution involving specialized hardware.

In many respects, the secure computation service resembles other generic security services like a public-key infrastructure (PKI) or an anonymous re-mailer. These services also enhance security and privacy where needed.

Organization of the Paper. Section 2 introduces a formal model for mobile computations, formulates the desired security properties, and reviews prior work for protecting mobile code. It is shown why the approach based on one-round secure computation is not suitable for securing active mobile code. Our architecture is introduced in Section 3, and Section 4 illustrates two applications: a comparison shopping agent and a generalized auction scheme. Conclusions are drawn in Section 5.

2 Protecting Mobile Agents

This section formalizes mobile agent computations and states our desired security conditions. The formal model is then used to argue why protecting active mobile agents purely by software is impossible without further assumptions.

2.1 Model

The defining element of a mobile code computation is that it proceeds autonomously and independently of the originator. We model mobile agent computation as follows.

Participants: There are an originator $O$ and $\ell$ hosts $H_1, \ldots, H_\ell$, on which the mobile agent runs.

Non-interactive communication: Each participant sends and receives only a single message. We denote by $m_0$ the message that $O$ sends to $H_1$, by $m_j$ the message that $H_j$ sends to $H_{j+1}$ for $j = 1, \ldots, \ell - 1$, and by $m_\ell$ the message that the last host $H_\ell$ returns to $O$.

Computation: Let the state of the mobile agent be an element of a set $X$. Its initial state $x_0$ is determined by $O$. Let the input by $H_j$ be an element of a set $Y$ and the output to $H_j$ an element of $Z$ (input and output domains are the same at all hosts for simplicity). The agent computation on host $H_j$ is represented by two functions
$$g_j : X \times Y \to X \quad\text{and}\quad h_j : X \times Y \to Z$$
that determine the new state $x_j = g_j(x_{j-1}, y_j)$ of the agent and the output $z_j = h_j(x_{j-1}, y_j)$. $O$ obtains the final state $\xi = x_\ell \in X$ of the agent. The functions $g_j$ and $h_j$ are known to all parties.

A (non-interactive) secure mobile computing scheme consists of $2\ell + 2$ algorithms $A_0, A_1, \ldots, A_\ell, B_1, \ldots, B_\ell$, and $D$ such that for all $j = 1, \ldots, \ell$ and $x_0 \in X$, $y_j \in Y$, and with
$$m_0 = A_0(x_0)$$
$$m_j = A_j(m_{j-1}, y_j) \quad\text{for } j = 1, \ldots, \ell$$
$$z_j = B_j(m_{j-1}, y_j) \quad\text{for } j = 1, \ldots, \ell$$
$$\xi = D(m_\ell)$$
the following two conditions hold:

Correctness: $\xi = g_\ell(x_{\ell-1}, y_\ell)$ and $z_j = h_j(x_{j-1}, y_j)$ for $j = 1, \ldots, \ell$, using
$$x_j = g_j(\ldots(g_2(g_1(x_0, y_1), y_2)\ldots), y_j) \quad\text{for } j = 1, \ldots, \ell - 1.$$

Privacy: The inputs, outputs, and the computations of all hosts remain hidden from the originator and from all other hosts, except for what follows from their outputs: $O$ learns only $\xi$ but nothing else about any $y_j$ than what follows from $x_0$ and $\xi$, and similarly, $H_j$ learns only $z_j$ but nothing about $x_0$ and $y_{j'}$ for $j' < j$ than what follows from $z_j$ and $y_j$.

These requirements can be defined formally using the simulation approach from cryptography [3, 18, 14, 8]. Note that in the definition of privacy, the information that a host $H_j$ learns about the input $x_{j-1}$ to its part of the computation depends on the combination of the agent output $z_j$ and the host's private input $y_j$.

For simplicity, the model assumes that the order in which the agent visits all hosts is fixed. It can be extended to allow for the sequence to depend on $z_j$ by introducing a function $\pi : Z \to \{1, \ldots, \ell\}$ and sending the mobile agent from $H_j$ to the host selected by $\pi$.

In the special case of mobile code applications with a single host $H$, the function $g$ yields $O$'s output $\xi$ and $h$ gives $H$'s output $z$.

2.2 Software-only Solutions

Sander and Tschudin [22] were the first to realize that a software-only solution to protecting mobile code from a malicious host is indeed feasible for small programs using cryptographic techniques. They proposed to use so-called homomorphic public-key encryption schemes that allow for non-interactive addition or multiplication of two encrypted messages by manipulating ciphertext only. In this way, the host can compute any function $g(\cdot, y)$ on a hidden input $x$ that is representable by a polynomial (in the single-host scenario).

This approach was later improved by Sander et al. [23] to non-interactive evaluation of all functions $g(\cdot, y)$ on a hidden input $x$ that can be represented by circuits of logarithmic depth. Cachin et al. [7] further generalized this to arbitrary functions, provided they can be represented by a polynomial-size circuit; they also described how to realize secure mobile agent applications with multiple hosts in this way.

However, all those solutions address only the secure evaluation of $g_j$ for updating the agent's state and producing the final result, but ignore how to realize $h_j$ for producing output at $H_j$. More precisely, they are restricted to functions $h_j : Y \to Z$ such that the output from the agent to the host must not depend on anything else than its own input.

In fact, it is not hard to see that this is the best one can achieve under the given circumstances. Towards a contradiction suppose there exists an active agent that also outputs some value to its host, for example, in a shopping agent application indicating whether or not to accept an offer. Assume for simplicity that the agent's decision is solely based on the price $y_j$ offered by $H_j$ and that it will buy the cheapest offer; the state of the agent is $x_{j-1} = c$ indicating a secret threshold $c$ chosen by the originator, below which it will accept the offer. Because of the communication constraints in our model it must be that running algorithm $B_j$ on $m_{j-1}$ and $y_j$ immediately yields $z_j$. Then $H_j$ can determine whether the agent is willing to accept $y_j$ or not, i.e., whether $y_j < c$. But nothing prevents a malicious host from running $B_j$ again with some other $y'_j$ and continuing in this way until the agent has leaked $c$ completely, applying simple binary search.

This shows that software-only protection for the privacy of a mobile shopping agent application is not possible. In fact, we can conclude the following.

Proposition 1. (Non-interactive) secure mobile computing schemes do not exist. In particular, any scheme in which some host is to learn information that depends on the agent's current state cannot be secure.

As a consequence of this, we must extend our model above in order to obtain privacy and integrity for active mobile agents. Allowing for communication between each host and the originator would solve the problem as mentioned earlier; but it would destroy the benefits of the mobile agent paradigm where the originator may be poorly connected or temporarily off-line. The only alternative seems to extend the model by at least one trusted element.

One such extension, proposed by Yee [27] and by Wilhelm et al. [25], uses trusted and tamper-proof hardware modules at every host, such as smart cards or cryptographic coprocessors. Each one of these hardware modules possesses a public key and mobile code can be executed securely using this infrastructure in the following way: After generating the mobile agent code, the originator encrypts it under the public key of $H_1$'s module. Upon receiving some encrypted mobile agent, a host $H_j$ passes it along to its hardware module, together with $H_j$'s input $y_j$. The module decrypts the code, executes it on the inputs provided and encrypts the output again under the public key of the module in $H_{j+1}$. Then it returns this encryption to the host, together with $z_j$, the output intended for $H_j$. The host sends the encrypted code and the encrypted data to the next host in the sequence.

To guarantee privacy in the formal model discussed above, each hardware module must be trusted to execute the code properly and only once. Furthermore, all trusted modules must be produced and initialized by a trusted, external entity.

In the next section we introduce an alternative extension that is based on a minimally trusted party, the secure computation service.

3 Generic Secure Computation Service

Suppose there exists a third party $T$ that is on-line and connected to all hosts running agent applications and is at their disposal for securing agent computations. Is it possible to realize such a secure mobile computing scheme in which $T$ itself does not gain any information about the computation, no matter how it behaves? All computations should proceed with minimal or no interaction. We give a positive answer below and describe a scheme with these properties under the assumptions that (1) $T$ does not collude with the originator against any host, and (2) $T$ does not collude with any host against the originator or against any other host.

Our scheme is generic and not bound to any particular application. Hence the service of $T$ may be offered as a public service for secure mobile agent computation on the Internet. The two trust assumptions seem reasonable for such a generic, independent entity. Clients who use this service in the role of $O$ or $H$ (e.g., for comparison shopping) do not have to fear that $T$ has second thoughts trying to violate their privacy (e.g., for customer profiling and collecting marketing data). Moreover, $T$ itself has an interest to maintain its reputation as a security provider.

The scheme described below extends the communication pattern of mobile agent computations by two messages from each host to $T$ and back. Figure 1 shows the communication in traditional mobile agent computation and in our scheme.

Our technique is based on encrypting a binary digital circuit that realizes the part of the agent computation in which privacy must be maintained. Although, in principle, such circuits may model arbitrary computations, the associated costs are prohibitive for larger applications. But for small parts of an agent application, like the comparison function of the shopping agent, the overhead seems reasonable.

We proceed by reviewing the encrypted circuit construction for interactive secure protocols.

3.1 Encrypted Circuit Construction

The encrypted circuit construction of Yao [26] is an interactive protocol for secure function evaluation between two parties. We describe it for a binary function $g(\cdot, \cdot)$ and parties Alice (with input $x$) and Bob (with input $y$). Bob receives the output $z = g(x, y)$ but learns nothing else and Alice learns nothing at all. We give an abstract version of Yao's construction describing only the properties necessary here (more details can be found in the literature [12, 21]).

Let $(x_1, \ldots, x_{n_x})$, $(y_1, \ldots, y_{n_y})$, and $(z_1, \ldots, z_{n_z})$ denote the binary representations of $x$, $y$, and $z$, respectively, and let $C$ denote a polynomial-sized binary circuit computing $g$. The essential components of Yao's construction are (1) an algorithm construct that Alice uses to construct an encrypted circuit, (2) a transfer protocol between Alice and Bob, and (3) an algorithm evaluate allowing Bob to retrieve $g(x, y)$. More precisely, these procedures are as follows.

(1) The probabilistic algorithm $\mathrm{construct}(C)$ takes the circuit as input and outputs the tuple
$$(\tilde C, \mathcal{L}, \mathcal{K}, \mathcal{U}),$$
where $\tilde C$ may be viewed as an encrypted version of the $n_x + n_y$-input circuit $C(\cdot, \cdot)$ and where $\mathcal{L}$, $\mathcal{K}$, and $\mathcal{U}$ are the keys corresponding to $x$, $y$, and $z$, respectively. In order to compute $C(x, y)$ from the encryption $\tilde C$, Bob needs one key for each input bit: $L_{i,b}$ corresponds to input bit $x_i = b$ and $K_{i,b}$ corresponds to input bit $y_i = b$. The keys $U_{i,0}$ and $U_{i,1}$ represent the output bits of the encrypted circuit, i.e., if evaluation of the encrypted circuit produces $U_{i,b}$, then the output bit $z_i$ is set to $b$. The particular method in which $\tilde C$ is encrypted ensures that for every gate in the circuit, given two keys representing its input bits, the key representing the resulting output bit can be readily computed, but no information is revealed about which cleartext bit it represents.

Figure 1. The communication flows of a traditional mobile agent (left) and using the generic secure computation service (right).

(2) Alice and Bob engage in a protocol for oblivious transfer [10] or all-or-nothing-disclosure-of-secrets [6]. This is an interactive two-party protocol for a sender with input two messages $m_0$ and $m_1$ and a chooser with input a bit $\sigma$. At the end, the chooser receives $m_\sigma$ but does not learn anything about $m_{\sigma \oplus 1}$, and the sender has no information about $\sigma$. More precisely, Alice acts as the sender of $K_{i,0}$ and $K_{i,1}$, and Bob obtains for every bit $y_i$ of his input the value $K'_i = K_{i,y_i}$ but learns nothing about $K_{i,y_i \oplus 1}$. At the same time, Alice learns nothing about $y_i$. In addition, Alice computes the keys representing $x$ as $L'_i = L_{i,x_i}$ for $i = 1, \ldots, n_x$, and sends
$$\tilde C, L'_1, \ldots, L'_{n_x}, \mathcal{U}$$
to Bob.

(3) The algorithm $\mathrm{evaluate}(\tilde C, L'_1, \ldots, L'_{n_x}, K'_1, \ldots, K'_{n_y})$ takes as inputs the encrypted circuit, a representation of $x$, and a representation of $y$ by the respective keys. It outputs the keys $U'_1, \ldots, U'_{n_z}$ from which Bob can recover $z$, and if Alice and Bob obey the protocol, then $z = g(x, y)$.

The security of this construction can be proved in the appropriate formal models. Implementing the construct and evaluate algorithms requires pseudo-random functions [15], which are realized in practice by block ciphers. Block ciphers are very fast cryptographic primitives, even if implemented in software.

3.2 Basic Scheme

We first show how to use the encrypted circuit construction for realizing secure mobile code computation with a single host. The extension to multiple hosts is considered in Section 3.3.

Assume $T$ has published the public key of an encryption scheme. We denote the corresponding encryption and decryption operations by $E_T(\cdot)$ and $D_T(\cdot)$, respectively. Assume further that all parties can communicate over secure authenticated links, which could be realized by using standard public-key encryption and digital signatures.

The basic idea is that $O$ constructs an encrypted circuit $\tilde C$ computing the two values $\xi$ and $z$. It sends $\tilde C$ to $H$, but encrypts all keys in $\mathcal{K}$ for $T$ and does not include the key pairs in $\mathcal{U}$ which correspond to $\xi$ (denoted by $\mathcal{U}_x$) so that $H$ will not learn anything about $\xi$. Next $H$ selects from $\mathcal{K}$ the encrypted keys representing $y$ and invokes $T$ to decrypt them in a single round of interaction. Then $H$ evaluates the circuit and obtains $z$; it also returns the keys in the circuit output representing $\xi$ to $O$, who can determine $\xi$ from this.
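The following is an added worked example, not code from the paper: the construct/evaluate algorithms of Section 3.1 and the single-host basic scheme just described, applied to the shopping comparison $(\xi, z) = (\min(x, y), [y < x])$ on 4-bit values, where $H$ decodes only $z$ (with $\mathcal{U}_z$) and $O$ decodes $\xi$ from the returned keys with the withheld $\mathcal{U}_x$. The service $T$ refuses to decrypt a second batch for the same id, which is the one-execution check the paper places on $T$ and which blocks the re-run attack of Section 2.2. Assumptions: the pseudo-random function is HMAC-SHA256 rather than a block cipher, $E_T$ is modelled by a symmetric key held by $T$, the secure authenticated links are taken for granted, and the circuit, id and gate encoding are ours.

```python
import hashlib
import hmac
import os
import random

KEY_LEN = 16  # wire keys and tags are 16 bytes; one PRF output (32 bytes) = key || tag

def prf(key: bytes, data: bytes) -> bytes:
    # Pseudo-random function; the paper realizes it with a block cipher, HMAC-SHA256 stands in.
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

# Two-input gate types; ANDNOT(a, b) = a AND NOT b avoids the need for constant wires.
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b,
       "XNOR": lambda a, b: 1 - (a ^ b), "ANDNOT": lambda a, b: a & (1 - b)}

def min_and_less_circuit(n):
    """Circuit C for (xi, z) = (g(x, y), h(x, y)) = (min(x, y), [y < x]) on n-bit inputs,
    MSB first: x = O's threshold on wires 0..n-1, y = H's offer on wires n..2n-1.
    Returns (gates, xi_wires, z_wire); a gate is (op, in_a, in_b, out_wire)."""
    gates, x, y = [], list(range(n)), list(range(n, 2 * n))

    def gate(op, a, b):
        gates.append((op, a, b, 2 * n + len(gates)))
        return gates[-1][3]

    lt = gate("ANDNOT", x[0], y[0])  # y < x decided at the most significant bit
    eq = gate("XNOR", x[0], y[0])    # prefixes equal so far
    for i in range(1, n):
        lt = gate("OR", lt, gate("AND", eq, gate("ANDNOT", x[i], y[i])))
        eq = gate("ANDNOT", eq, gate("XOR", x[i], y[i]))
    xi = [gate("OR", gate("AND", lt, y[i]), gate("ANDNOT", x[i], lt)) for i in range(n)]
    return gates, xi, lt

def construct(gates, n_inputs):
    """Yao's construct(C): the encrypted circuit plus one key pair per wire
    (input-wire pairs are L and K, output-wire pairs are U)."""
    keys = [(os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for _ in range(n_inputs + len(gates))]
    table = []
    for gid, (op, a, b, out) in enumerate(gates):
        rows = []
        for ba in (0, 1):
            for bb in (0, 1):  # encrypt the correct output key under each input-key pair
                pad = prf(keys[a][ba] + keys[b][bb], gid.to_bytes(4, "big"))
                rows.append(xor(pad, keys[out][OPS[op](ba, bb)] + bytes(KEY_LEN)))
        random.SystemRandom().shuffle(rows)  # hide which row belongs to which input pair
        table.append((a, b, out, rows))
    return table, keys

def evaluate(table, input_keys):
    """Yao's evaluate: from one key per input wire derive one key per wire without
    learning which cleartext bit any key stands for. Returns dict wire -> key."""
    wk = dict(enumerate(input_keys))
    for gid, (a, b, out, rows) in enumerate(table):
        pad = prf(wk[a] + wk[b], gid.to_bytes(4, "big"))
        hits = [pt for pt in (xor(pad, r) for r in rows) if pt[KEY_LEN:] == bytes(KEY_LEN)]
        if len(hits) != 1:
            raise ValueError("gate %d: wrong input keys or damaged table" % gid)
        wk[out] = hits[0][:KEY_LEN]
    return wk

class ComputationService:
    """T of the basic scheme: decrypts the K keys that H selected, once per id, so a host
    cannot re-run the circuit on further offers (the leak of Section 2.2)."""
    def __init__(self):
        self.sk = os.urandom(KEY_LEN)  # assumption: symmetric key stands in for T's key pair
        self.seen = set()

    def encrypt(self, cid: bytes, i: int, key: bytes) -> bytes:
        # E_T(id || i || K_{i,b}) modelled as a nonce-keyed PRF stream bound to the id
        nonce = os.urandom(KEY_LEN)
        return nonce + xor(prf(self.sk, cid + nonce), i.to_bytes(2, "big") + key + bytes(14))

    def decrypt(self, cid: bytes, cts):
        if cid in self.seen:
            raise PermissionError("id %r already served: refusing a second evaluation" % cid)
        self.seen.add(cid)
        out = []
        for ct in cts:
            pt = xor(prf(self.sk, cid + ct[:KEY_LEN]), ct[KEY_LEN:])
            if pt[18:] != bytes(14):
                raise ValueError("ciphertext was not produced for id %r" % cid)
            out.append((int.from_bytes(pt[:2], "big"), pt[2:18]))
        return out

def run_basic_scheme(T, c, y, n=4, cid=b"O/min-and-less/0001"):
    """Single-host basic scheme: O holds threshold c (its x), H holds offer y. Returns (xi, z)."""
    gates, xi_w, z_w = min_and_less_circuit(n)
    bits = lambda v: [(v >> (n - 1 - i)) & 1 for i in range(n)]
    # O: construct, select its own L keys, encrypt both K keys of every y bit for T, keep U_x
    table, keys = construct(gates, 2 * n)
    L_sel = [keys[i][bx] for i, bx in enumerate(bits(c))]                # L'_i = L_{i,x_i}
    K_enc = [[T.encrypt(cid, i, keys[n + i][b]) for b in (0, 1)] for i in range(n)]
    U_z = keys[z_w]                                                       # sent to H; U_x is not
    # H: pick the ciphertexts matching its own bits, one round with T, then evaluate
    chosen = [K_enc[i][by] for i, by in enumerate(bits(y))]
    K_sel = [k for _, k in sorted(T.decrypt(cid, chosen))]                # K'_i = K_{i,y_i}
    wk = evaluate(table, L_sel + K_sel)
    z = U_z.index(wk[z_w])                                                # H decodes z via U_z
    # O: decode xi from the returned output keys with the withheld U_x pairs
    xi = 0
    for w in xi_w:
        xi = (xi << 1) | keys[w].index(wk[w])
    return xi, z
```

Running `run_basic_scheme(ComputationService(), 9, 5)` yields `(5, 1)`: the host learns only that its offer of 5 is accepted, while the originator's threshold 9 is never decoded on the host's side, and a second call with the same id is refused by $T$.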

We now give the details. Let $C$ be the binary circuit computing $(\xi, z) = (g(x, y), h(x, y))$ from the same inputs with $n_x + n_y$ input bits $x_1, \ldots, x_{n_x}, y_1, \ldots, y_{n_y}$ and $n_x + n_z$ output bits $\xi_1, \ldots, \xi_{n_x}, z_1, \ldots, z_{n_z}$, slightly modifying the notation from the previous section. The scheme proceeds in five steps.

1. $O$ chooses a string $\mathit{id}$ that uniquely identifies the computation, e.g., containing the name of $O$, a description of $g$ and $h$, and a sequence counter. $O$ invokes $\mathrm{construct}(C)$ and obtains $(\tilde C, \mathcal{L}, \mathcal{K}, \mathcal{U})$ as above with $\mathcal{U}$ consisting of $n_x + n_z$ key pairs in total. We let $\mathcal{U}_x$ denote the pairs in $\mathcal{U}$ with indices $1, \ldots, n_x$ and $\mathcal{U}_z$ denote those with indices $n_x + 1, \ldots, n_x + n_z$. For $i = 1, \ldots, n_y$ and $b \in \{0, 1\}$, it computes
$$\tilde K_{i,b} = E_T(\mathit{id} \,\|\, i \,\|$$


for each $j > 1$ and $i = 1, \ldots, n_x$, and randomly permutes them before assigning them to $V^{(j)}_{i,0}$ and $V^{(j)}_{i,1}$; call the list of such pairs $V^{(j)}$. Then $O$ sends $\tilde C^{(j)}, \tilde{\mathcal{K}}^{(j)}, V^{(j)}$ for $j = 2, \ldots, \ell$ to $H_1$ in a single message. Note that nothing in the data for stage $j$ is linked to the identity of $H_j$ and so the sequence in which the hosts are visited can be determined dynamically.

2. For $j > 1$, when $H_j$ runs step 2 of the basic scheme, it has received $V^{(j)}$ and $U'^{(j-1)}_1, \ldots, U'^{(j-1)}_{n_x}$ from $H_{j-1}$, who has before evaluated $\tilde C^{(j-1)}$. The host interprets each $U'^{(j-1)}_i$ as a symmetric key for $E$, determines which one of the ciphertexts $V^{(j)}_{i,0}$ and $V^{(j)}_{i,1}$ it decrypts, and then decrypts the one that matches. This yields $L'^{(j)}_i$, an oblivious representation of the $i$th bit in the current state $x_{j-1}$ of the mobile agent. Those keys are then needed to evaluate $\tilde C^{(j)}$.

3. When $H_j$ has obtained its output from evaluating $\tilde C^{(j)}$, it forwards all data that it has received from $H_{j-1}$, together with $U'^{(j)}_1, \ldots, U'^{(j)}_{n_x}$, to $H_{j+1}$. At the end of the circle, $H_\ell$ returns only the output keys representing $\xi$ to $O$.

In order to make this scheme robust, the same measures as described above should be taken. In particular, $T$ must ensure that it decrypts ciphertexts containing a particular identifier $\mathit{id} \,\|\, j$ in at most one execution of step 3.

3.4 Variation

In this section we present a different scheme in the same model for which robustness can be added at much lower cost.

The main difference is that the trusted party generates the encrypted circuit. Because it is trusted to follow the protocol one does not have to add a costly zero-knowledge proof for correctness of the whole circuit. Therefore, the operations of the other parties and the corresponding proofs ensuring robustness become much simpler. $T$ has to know $g$ and $h$ for constructing the circuit, but it may obtain a description of $C$ from $O$ in the first protocol message.

We use a three-party oblivious transfer protocol introduced by Naor et al. [19] in which the role of the chooser is separated among the chooser and a third party, called the receiver. Compared to the standard notion of oblivious transfer (see Section 3.1), the receiver gets the output message $m_\sigma$ specified by the chooser, who itself learns nothing. This so-called "proxy" oblivious transfer can be realized using three message flows: from chooser to receiver and from receiver to sender and back.

The protocol also needs a one-round implementation of standard oblivious transfer between two parties, which can be realized using the methods of Cachin et al. [7] or Sander et al. [23].

Note that the resulting overall structure of this protocol is similar to the auction scheme of Naor et al. [19].

Protocol. As in the basic scheme the essential component here is the encrypted circuit construction. The protocol is described for the basic case of mobile code with a single host $H$.

Suppose $O$ employs a public-key encryption scheme with encryption and decryption operations denoted by $E_O(\cdot)$ and $D_O(\cdot)$, respectively. $O$ starts the computation as the chooser in $n_x$ parallel three-party oblivious transfers, one for each bit of $x$. It sends these hidden choices to $H$, who acts as the receiver in the three-party oblivious transfers, together with $C$ and $E_O(\cdot)$. $H$ forwards the appropriate data to $T$, who acts as the sender; it will send the key pairs $\mathcal{L}$ in the three-party oblivious transfer. Furthermore, $H$ also prepares its input to $n_y$ parallel one-round oblivious transfers (playing the role of the chooser), one for each bit of $y$. It sends these to $T$, together with the descriptions of $C$ and $E_O(\cdot)$; $T$ will send the key pairs $\mathcal{K}$ in the one-round oblivious transfers.

$T$ invokes $\mathrm{construct}(C)$ to obtain $\tilde C$ and the key pairs $\mathcal{L}$, $\mathcal{K}$, and $\mathcal{U}$. It replies to $H$ with $E_O(\mathcal{U}_x)$, $\tilde C$, $\mathcal{U}_z$, and the final flows in all oblivious transfer protocols.

From this $H$ can determine the keys $L'_1, \ldots, L'_{n_x}$ representing $x$ and the keys $K'_1, \ldots, K'_{n_y}$ representing $y$. It runs $\mathrm{evaluate}(\tilde C, L'_1, \ldots, L'_{n_x}, K'_1, \ldots, K'_{n_y})$ to obtain $U'_1, \ldots, U'_{n_x + n_z}$ as above. Then it determines its output $z$ from $U'_{n_x+1}, \ldots, U'_{n_x + n_z}$ and from $\mathcal{U}_z$, and it forwards $U'_1, \ldots, U'_{n_x}$ together with $E_O(\mathcal{U}_x)$ to $O$. This enables $O$ to obtain its output $\xi$.


Extension for Mobile Agents. We show how to extend the protocol from a single host to $\ell$ hosts $H_1, \ldots, H_\ell$. The protocol starts as before for the first host. However, the steps for $H_2, \ldots, H_{\ell-1}$ are slightly different: three-party oblivious transfer and encryption under $E_O$ are not needed. Instead, $T$ encrypts the keys $\mathcal{L}^{(j)}$ in the input of $\tilde C^{(j)}$ representing the state $x_{j-1}$ of the mobile agent under the output keys in $\mathcal{U}^{(j-1)}$ from $\tilde C^{(j-1)}$ as before in $V^{(j)}$. The keys $\mathcal{U}^{(j-1)}$ can be stored by $T$ between step $j-1$ and step $j$ or they can be sent along with the protocol flow and are transmitted to $T$ via $H_{j-1}$ and $H_j$ (in this case, they must be encrypted using $E_T(\cdot)$). In addition, the last host obtains $\mathcal{U}_x$ encrypted with $E_O(\cdot)$ from $T$ and forwards this to $O$ as before.

Discussion. The communication pattern is the same as in the basic scheme: there is one message from $O$ to $H_1$, one from each $H_{j-1}$ to $H_j$ and one from $H_\ell$ to $O$, plus one communication flow between each host and the trusted party. Robustness can be added as before by using non-malleable public-key encryption schemes and non-interactive zero-knowledge proofs. However, the result will be much more practical because zero-knowledge proofs are not needed for the potentially large encrypted circuit in our trust model, only for the relatively few steps pertaining to the oblivious transfers. Moreover, the encrypted circuit construction can be implemented by a block cipher instead of public-key operations.

4 Applications

We discuss two applications of mobile agents that greatly benefit from privacy support in mobile code: comparison shopping and a complex auction scheme.

4.1 Comparison Shopping

A mobile agent visits several vendor sites and compares offers, not just based on price, but also on other attributes. The originator wants to maintain the privacy of his preferences, but a vendor has an interest to learn the buyer's strategy as well as information about other vendors' offers. For complex offers where the price is determined individually for each customer based on its needs, such as in the insurance market, the vendor wants to keep its method of calculating the price secret. All these requirements can be fulfilled by the secure mobile computing scheme.

An electronic negotiation between a buyer and a single vendor can take place using the scheme for secure mobile code that visits a single host. Typically, the vendor acts as the originator and downloads an applet to the buyer's browser (as is already quite common on the Internet). The applet is executed with the help of the trusted computation service by the buyer and the offer is displayed to the buyer. The vendor may obtain some information as well, but it would have to spell out clearly in a privacy statement accompanying the applet which information it obtains, such that it can be verified by an independent entity.

A shopping agent that goes out and collects offers from several vendors can be realized as well, but this requires prior agreement on the data format of the offers. It seems therefore restricted to highly structured areas where privacy is important.

4.2 Generalized Auctions

Auctions with generalized bidding strategies present an interesting application area for secure mobile agents. Bidding agents can implement a complex strategy being a function of time and other participants' behavior, which gives the bidder more flexibility compared to traditional single-parameter auctions based purely on price. Sandholm and Huai [24] present a mobile agent system to conduct such auctions.

Recently the German UMTS licenses were sold employing a sealed-bid, multiple-round, multiple-lot auction. It provides an interesting example of a real-world generalized auction. Telecom operators could buy either two or three packets of frequencies out of twelve available frequency packets. In each round the bidders had to submit their bids, which had to be increased by a minimum amount over the previous bids. The winners for each frequency were announced at the end of the round. The bidding stopped after a round with no more new bids. During each round the bidders were isolated and under close supervision by the authorities to prevent coalitions. They had to enter the bids into a computer system, which played the role of the auctioneer and computed the winner. The German UMTS auction in August 2000 lasted for 173 rounds during almost three weeks and raised about 99 billion DEM.

As the value of the lots is interrelated, a bidder is interested to define his bidding behavior as dynamically as possible, for example making the valuation of a lot depend on other winning bids that he observed in the previous rounds. If the bidders can express their strategies as a computable function, then one may construct a circuit to compute the auction function, i.e., the outcome of the auction, with the strategies as the private inputs of all participants. This would require an auction agent that visits each bidder only once.

However, in the likely case that the bidders are unable to express their strategies mathematically, each round of the auction could also be performed securely by an auction applet that visits each bidder once and returns to the auctioneer. There it outputs the winning bids or the end of the auction if the bids did not exceed the minimum increment. If the scheme for secure mobile computing is used, then there is no single entity that sees all bids (like the auctioneer, its computer system, or its operators).

Generalized auctions are common in electricity markets, equities trading, bandwidth auctions, and transportation exchanges, and bidders often have preferences over combinations of items.

4.3 Implementation Note

Although encrypted circuits can be constructed for an arbitrary function and any mobile code application in theory, a practical implementation will only represent privacy-critical parts in this way and execute the remaining parts in the form of conventional programs. Thus, the circuits are rather small and processing them is realistic with current technology. It seems feasible to include them as an add-on to an existing mobile code platform, such as Aglets (http://aglets.org).

The comparison shopping agent, for example, could compute most bookkeeping functions in unencrypted form and hide only its preferences and the best offer so far. The same holds for the auction applications. If the encrypted circuit construction is realized using AES with 128-bit keys, an encryption of a binary gate may be stored in 96 bytes, including 64 bits for redundancy. An encrypted circuit that outputs the maximum of two n-bit numbers using specialized comparison gates can be represented by far less than n kilobytes and requires about 100n block cipher operations.

5 Discussion

Our scheme for secure mobile agent computing provides an attractive alternative to using trusted hardware. Let us compare the trust assumptions in these two approaches. The proposed scheme relies on the assumption that T does not actively collude with any of the participants against another one. When using trusted hardware, which is also generic, all parties have to trust the hardware manufacturer in the same way.

There is however a small difference because the trusted hardware can observe all computations and may possibly leak some information about this (covert channels could easily be realized and might go to a large government organization). The on-line secure computation service in our approach does not learn anything about the computation, except that it takes place and has a certain size; there is no information that can be leaked.

Otherwise, the differences between the server-based approach and trusted hardware are clearly the speed advantage of secure hardware compared to the encrypted circuit construction on the one hand, and the high cost and low flexibility of trusted hardware on the other hand. Secure hardware is also more flexible for local agent computations involving user interaction.

Note that server-aided computations are quite common for other cryptographic applications and have been studied extensively [2, 4, 17]; these are protocols in which a powerful server performs some computation on behalf of a client device with limited processing capabilities such as a smart card. The server provides computing power to the client, but should not learn anything about the secrets of the client.
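The figures in the implementation note of Section 4.3 (96 bytes per binary gate with 64 bits of redundancy, using AES with 128-bit keys) correspond to an encrypted truth table of four 24-byte rows. The Go program below is an added example, not code from the paper or its authors: it garbles and evaluates one binary gate in that form. Deriving the row mask with AES-128 in CTR mode, keyed by one input label with the other label as IV, and the Fisher-Yates row shuffle are my own choices, not the paper's exact construction.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// 128-bit labels double as AES-128 keys; 64 bits of redundancy per row give 4 x 24 = 96 bytes per gate.
const labelLen, redLen, rowLen = 16, 8, 24
type Label [labelLen]byte
type Gate [4][rowLen]byte // encrypted truth table, rows stored in random order
func NewLabel() (l Label) { rand.Read(l[:]); return } // fresh random wire label

// maskRow XORs a row with a pad derived from the two input labels: AES-128-CTR keyed with ka, IV kb (constructed PRF, my assumption).
func maskRow(row []byte, ka, kb Label) {
	block, _ := aes.NewCipher(ka[:])
	cipher.NewCTR(block, kb[:]).XORKeyStream(row, row)
}

// Garble encrypts gate f: each row is the output label for one input pair plus 8 zero bytes, masked under those input labels.
func Garble(a, b, c [2]Label, f func(x, y int) int) Gate {
	var g Gate
	order, rb := [4]int{0, 1, 2, 3}, make([]byte, 4)
	rand.Read(rb)
	for i := 3; i > 0; i-- { // shuffle so that a row's position reveals nothing about the inputs
		j := int(rb[i]) % (i + 1)
		order[i], order[j] = order[j], order[i]
	}
	for x := 0; x < 2; x++ {
		for y := 0; y < 2; y++ {
			row := g[order[2*x+y]][:]
			copy(row, c[f(x, y)][:]) // trailing 8 bytes stay zero: the redundancy
			maskRow(row, a[x], b[y])
		}
	}
	return g
}

// Eval holds one label per input wire; only the row whose redundancy unmasks to zero is accepted.
func Eval(g Gate, ka, kb Label) (Label, bool) {
	for _, r := range g { // r is a copy of the row, so g is left intact
		maskRow(r[:], ka, kb)
		if bytes.Equal(r[labelLen:], make([]byte, redLen)) {
			return *(*Label)(r[:labelLen]), true
		}
	}
	return Label{}, false // wrong input labels: no row decrypts
}
```

Evaluating a whole circuit means feeding the output label of one gate in as an input label of the next; the 64-bit check lets the evaluator pick the right row without learning which input bits its labels encode.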

References

[1] Martin Abadi and Joan Feigenbaum. Secure circuit evaluation: A protocol based on hiding information from an oracle. Journal of Cryptology, 2:1-12, 1990.

[2] Martin Abadi, Joan Feigenbaum, and Joe Kilian. On hiding information from an oracle. In Proc. 19th Annual ACM Symposium on Theory of Computing (STOC), pages 195-203, 1987.

[3] Donald Beaver. Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority. Journal of Cryptology, 4(2):75-122, 1991.

[4] Philippe Béguin and Jean-Jacques Quisquater. Fast server-aided RSA signatures secure against active attacks. In Don Coppersmith, editor, Advances in Cryptology: CRYPTO '95, volume 963 of Lecture Notes in Computer Science. Springer, 1995.

[5] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proc. 1st ACM Conference on Computer and Communications Security, 1993.

[6] Gilles Brassard, Claude Crépeau, and Jean-Marc Robert. Information-theoretic reductions among disclosure problems. In Proc. 27th IEEE Symposium on Foundations of Computer Science (FOCS), 1986.

[7] Christian Cachin, Jan Camenisch, Joe Kilian, and Joy Müller. One-round secure computation and secure autonomous mobile agents. In Ugo Montanari, José P. Rolim, and Emo Welzl, editors, Proc. 27th International Colloquium on Automata, Languages and Programming (ICALP), volume 1853 of Lecture Notes in Computer Science, pages 512-523. Springer, July 2000.

[8] Ran Canetti. Security and composition of multi-party cryptographic protocols. Journal of Cryptology, 13(1):143-202, 2000.

[9] Danny Dolev, Cynthia Dwork, and Moni Naor. Non-malleable cryptography. SIAM Journal on Computing, 30(2):391-437, 2000.

[10] Shimon Even, Oded Goldreich, and A. Lempel. A randomized protocol for signing contracts. Communications of the ACM, 28:637-647, 1985.

[11] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Andrew M. Odlyzko, editor, Advances in Cryptology: CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer, 1987.

[12] Matthew K. Franklin. Complexity and Security of Distributed Protocols. PhD thesis, Columbia University, 1993.

[13] Alfonso Fuggetta, Gian Pietro Picco, and Giovanni Vigna. Understanding code mobility. IEEE Transactions on Software Engineering, 24(5):342-361, May 1998.

[14] Oded Goldreich. Secure multi-party computation. Manuscript, 1998. (Version 1.1).

[15] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. Journal of the ACM, 33(4):792-807, October 1986.

[16] Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In Proc. 19th Annual ACM Symposium on Theory of Computing (STOC), pages 218-229, 1987.

[17] Chae Hoon Lim and Pil Joong Lee. Security and performance of server-aided RSA computation protocols. In Don Coppersmith, editor, Advances in Cryptology: CRYPTO '95, volume 963 of Lecture Notes in Computer Science. Springer, 1995.

[18] Silvio Micali and Phillip Rogaway. Secure computation. In Joan Feigenbaum, editor, Advances in Cryptology: CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 392-404. Springer, 1992.

[19] Moni Naor, Benny Pinkas, and Reuben Sumner. Privacy preserving auctions and mechanism design. In Proc. 1st ACM Conference on Electronic Commerce, 1999.

[20] Moni Naor and Omer Reingold. Number-theoretic constructions of efficient pseudo-random functions. In Proc. 38th IEEE Symposium on Foundations of Computer Science (FOCS), 1997.

[21] Phillip Rogaway. The Round Complexity of Secure Protocols. PhD thesis, Laboratory for Computer Science, MIT, April 1991.

[22] Tomas Sander and Christian F. Tschudin. Protecting mobile agents against malicious hosts. In G. Vigna, editor, Mobile Agents and Security, volume 1419 of Lecture Notes in Computer Science, 1998.

[23] Tomas Sander, Adam Young, and Moti Yung. Non-interactive CryptoComputing for NC^1. In Proc. 40th IEEE Symposium on Foundations of Computer Science (FOCS), 1999.

[24] Tuomas Sandholm and Qianbo Huai. Nomad: Mobile agent system for an Internet-based auction house. IEEE Internet Computing, 4(2):80-86, 2000.

[25] Uwe G. Wilhelm, Sebastian Staamann, and Levente Buttyán. Introducing trusted third parties to the mobile agent paradigm. In Jan Vitek and Christian D. Jensen, editors, Secure Internet Programming, volume 1603 of Lecture Notes in Computer Science, pages 469-489. Springer, 1999.

[26] Andrew C. Yao. How to generate and exchange secrets. In Proc. 27th IEEE Symposium on Foundations of Computer Science (FOCS), pages 162-167, 1986.

[27] Bennet Yee. A sanctuary for mobile agents. In Jan Vitek and Christian D. Jensen, editors, Secure Internet Programming, volume 1603 of Lecture Notes in Computer Science, pages 261-273. Springer, 1999.