Back to search

IKTPLUSS-IKT og digital innovasjon

Cryptographic Tools for Cloud Security

Alternative title: Kryptografiske verktøy for sikkerhet i nettskyen

Awarded: NOK 10.3 mill.

Social networks, email services, and storage of photos or videos, are all typically implemented in the cloud today. This project worked on the development of secure and efficient cryptographic tools for protection of data stored in the cloud. We used modern cryptographic methods to obtain mathematical certainty about the security of different ways of securing data in the cloud. The project employed two postdoctoral researchers and one PhD student who focussed on different aspects of the problem and collaborated together to find new solutions. We also collaborated actively with several cryptography experts from outside Norway, particularly from Germany and United Kingdom. The project organised a workshop on secure cloud services and storage in Oslo in 2017 featuring talks from experts from seven different countries and attended by 35 international participants. The project produced 10 published papers with original research results, which have been presented at a variety of peer-reviewed conferences and journals, including two papers at Crypto, the very top cryptography conference. The security problems we were concerned with can be divided into two main areas: secure storage in the cloud and secure computation in the cloud and we have produced research results in both areas. In order to properly model the security properties particular to the cloud setting, we need to have a suitable model which reflects cloud architectures. Established cryptographic security models do not achieve this so we have designed a completely new security model for this purpose. The simplest solution to secure data before sending it to the cloud for storage is to apply encryption. Our project results have found a new formula relating the possible trade-offs between efficiency and security, thus allowing implementors to tune systems according to their priorities. We also extended this work to show that it still holds with a more general definition of security, covering more practical scenarios. A different problem with cloud storage is how to share data stored in the cloud securely. This sharing could be between colleagues and friends, or between your own devices (computer, tablet, phone and so on). We have developed a new key exchange protocol that does not require simultaneous interaction between users making it suitable for the cloud setting. We believe that this new design provides the right balance between high security and practicality. We also designed a version of this protocol to be secure even against quantum computers, a significant emerging threat to current security protocols. In related work we have developed a new method to achieve security proofs for key exchange. This provides the first known examples of practical key exchange protocols with a security proof tightly connected to widely known and accepted computational problems. We have examined how best to refresh encryption of data stored in an untrusted cloud server, using so-called updatable encryption. We have been able to improve on the previously best known schemes with new designs which are twice as efficient. We also improved on the security analysis of such schemes, by providing a stronger security model and proving the security of our new schemes in that model. When it comes to secure computation in the cloud, the ideal solution is to use homomorphic cryptography, which allows a server to perform computations on encrypted data. We have studied how to design symmetric encryption schemes which are best suited to homomorphic evaluation. Such ciphers promise much improved efficiency for homomorphic processing of data. We have designed improved methods to achieve this and performed practical experiments to show how well this can work in practice. We have also solved the problem of how to check that the computations performed by the cloud server were done properly, without simply trusting the server. Our approach uses zero knowledge protocols, to check that the decrypted results relate properly to the input data. We have developed new protocols which can achieve this while the data remains homomorphically encrypted.

- Increased national competence in cybersecurity through training and development of researchers and Master students engaged in project activities. - Increased national and international research collaboration through joint work between different Norwegian and German universities. - Potential for increased confidentiality and integrity of government and business data stored and processed in cloud servers through application of project results on cloud-focussed security models and cryptographic mechanisms. - Potential for enhanced privacy of user data in cloud storage through application of project results on data sharing and processing without requiring trust in servers.

Security of information is an essential aspect of business and government activity, whether it relates to protection of corporate knowledge, integrity of financial transactions, or reliable storage and transmission of data. Transition to cloud computing has required additional security measures in order to protect valuable data no longer under direct control of the data owner. The Snowden revelations of 2013 and 2014 have changed the IT security priorities and it is now understood that there is an urgent need for protection of personal, business, and government data against pervasive monitoring and infiltration. This project will study cryptographic tools to enable cloud security against powerful attackers. We will develop mechanisms to ensure that private data is stored as promised and to allow secure computations with private data, without relying on trust in the cloud provider. While our motivation is towards solving a practical problem with significant impact, we will work at a level of rigorous academic analysis. This means that the new cryptographic primitives, protocols and models which we will develop will lead to theoretical advances as well as practical outcomes. We will test new and existing mechanisms in prototype cloud environments to ensure that they are efficient and relevant for existing industry practice.

Funding scheme:

IKTPLUSS-IKT og digital innovasjon