LUT based Secure Cloud Computing - an ... - IEEE Xplore

Download PDF
2 downloads 33473 Views 193KB Size Report
Comment
As FPGA uses look-up table as its main computation component, it is a suitable hardware platform for the proposed secure cloud computing scheme. So we use.
LUT based Secure Cloud Computing - an Implementation using FPGAs Lei Xu∗ , Pham Dang Khoa∗ , Seung Hun Kim∗† , Won Woo Ro† , and Weidong Shi∗ ∗ Department

of Computer Science University of Houston, Houston, Texas Email: [email protected], [email protected], [email protected] † School

of Electrical and Electronic Engineering, Yonsei University, Seoul, Republic of Korea Email: [email protected], [email protected] Abstract—Cloud computing is widely deployed to handle challenges such as big data processing and storage. Due to the outsourcing and sharing feature of cloud computing, security is one of the main concerns that hinders the end users to shift their businesses to the cloud. A lot of cryptographic techniques have been proposed to alleviate the data security issues in cloud computing, but most of these works focus on solving a specific security problem such as data sharing, comparison, searching, etc. At the same time, little efforts have been done on program security and formalization of the security requirements in the context of cloud computing. We propose a formal definition of the security of cloud computing, which captures the essence of the security requirements of both data and program. Analysis of some existing technologies under the proposed definition shows the effectiveness of the definition. We also give a simple look-up table based solution for secure cloud computing which satisfies the given definition. As FPGA uses look-up table as its main computation component, it is a suitable hardware platform for the proposed secure cloud computing scheme. So we use FPGAs to implement the proposed solution for k-means clustering algorithm, which shows the effectiveness of the proposed solution.

I.

I NTRODUCTION

Cloud computing is turning from a concept to a mature technology that are accepted by more and more users. It is widely deployed for storage, online cooperation application, and big data analytics. Security has been considered as one of the critical concerns that hinder public cloud to be widely used. For simple cloud service such as data storage, the user can keep control of outsourced data by encrypting the data before uploading to the cloud, and there are already some successful products such as Dropbox, Skydrive, and Google Drive. But in order to fully leverage the computation, storage, and communication capacities of the public cloud for more complex tasks, the user usually needs to put full trust in the cloud service providers, as general encryption will make the computation impossible. For example, some popular cloud services, i.e., Amazon’s SimpleDB [1] and Saleforce’s Sales Cloud [2], all need the user to provide plain data to the cloud. A lot of work have been done to address this security concern. Some encryption schemes with special properties are developed to support certain processing operations such as searching [3]–[5], DNF evaluation [6], and comparison [7]– [9]. Fully homomorphic encryption (FHE, [10]) is believed c 978-1-4799-5944-0/14/$31.00 2014 IEEE

to be one such promising solution suitable for almost every scenario because it supports arbitrary operations on ciphertexts. Although this technique has high theoretical value, the extra computation and storage overhead is unacceptable in practice. Besides protecting the data, people also work on protection of the programs that are used to process the data, such as oblivious RAM [11], [12]. However, these efforts are targeted at solving specific problems. It is desirable to have a general definition of cloud computing security. This definition can be used to evaluate different schemes and guide the designing work. To provide a general and formal definition of cloud computing security, we take lessons from the security definition of encryption scheme [13]. Specifically, we design a game based definition for cloud computing security, which considers the security of both the data and the program. For a given scheme, a game is defined and the attacker is asked to guess a bit value. If the attacker can guess correctly with non-negligible advantage over 1/2, the scheme is not secure. Otherwise the scheme is vulnerable to attacks. We also design a look-up table based solution for secure cloud computing which is proved to be secure under our definition. As FPGA uses look-up table as its main computation component, we also implement the proposed solution for k-means clustering using FPGA. Our contribution in this paper includes: • We propose a formal model of cloud computing and provide a formal security definition based on the model; • We design a scheme for secure cloud computing which is proved to be secure with the proposed definition; • We implement the proposed scheme for K-means clustering using FPGA for concept verification. The remainder of this paper is organized as follows: In Section II we shortly review some related techniques. In Section III we provide the detailed description of the formal security definition of cloud computing. In Section IV we propose a table based security solution for cloud computing which can be proved to be secure. Section VI discusses related work and we conclude in Section VII. II.

BACKGROUND

In this section we shortly review the technique of security formalization and definition. It is hard to give a formal

definition to security. On one hand, different people may have different interpretation of meaning of security. On the other hand, it is almost impossible to predict the capability of the attacker and a new attack method may cause previous secure scheme becoming unsecure. In [13] the authors introduced a formal framework for security definition of encryption scheme. The basic idea is to use cipher-text indistinguishability to describe the security property. Giving the attacker two plain-texts and one ciphertexts, if the attacker cannot recognize which plain-text is related to the cipher-text, then the scheme is secure. In the attacking process, the attacker can make different queries for encryption/decryption, and there is no assumptions on what type of information that the attacker can learn in this process. Different level of security such as CPA, CCA, and CCA2 can be defined by allowing different type of queries that an attacker can make [14]. In order to prove an encryption scheme is secure under this framework, proof by contradiction is used: if an attacker can distinguish the cipher-text, this capability can be used to solve some well known hard problems such as integer factorization. In this way the security property of encryption schemes is clearly stated. III.

S ECURITY M ODEL AND D EFINITION OF C LOUD C OMPUTING

In this section we discuss the model and security definition of cloud computing. A. Security Threats in Cloud Computing The key concept of cloud computing is virtualization and resources sharing. These features make the system more complicated than personal computers and more vulnerable to different security attacks. For example, malicious administrator of the infrastructure may leak users’ data [15], a malicious user may try to cross the boundary and access other users data illegally [16]. It is impossible to exhaustion all the potential attacks and very hard to predict what kind of information an attacker can gain by observing certain things. Because all of these reasons, it is desirable to have an formal definition of secure cloud computing. B. Abstract Model of Cloud Computing When talking about cloud computing, two entities are involved: the data and the program used to process the data. For a general formal definition, we need to consider both of them. The procedure of outsourcing computation to cloud can be abstracted to the following six functions: System setup. Given the security parameter k, basic parameters and probabilistic polynomial time computable functions fi (i = 1, 2, 3, 4) are chosen. For different computation tasks, different fi s are chosen. All these parameters and functions are published. Key generation. Given the security parameter k, the user generates a key pair (pk, sk). If pk = sk, the user will keep them secret, otherwise the user will publish pk. Data transformation. For data d ∈ {0, 1}∗ that the user wants to utilize cloud computing to process, the user transform d to cd by calculating cd ← f1 (d, pk, sk).

cd is sent to cloud to process. Logic generation. Any program can be treated as a logic and represented as a binary string. For the logic  ∈ {0, 1}∗ that the user wants to use for data processing, he/she calculates c ← f2 (, d, pk, sk). The transformed logic c is also sent to cloud. Data evaluation. After receiving the transformed cd and c , the cloud use the published function f3 () to calculate the result  f3 (c , cd ) pk = sk, cr = f3 (c , cd , pk) pk = sk. The result cr is returned to the user. Result transformation. The user extracts the final result from cr by calculating r ← f4 (cr , pk, sk). In the context of cloud computing, only the Data evaluation is carried out by the cloud. For a reasonable solution, the cost on the user side should be less than than Eval(, d), otherwise the user does not need to outsource the computation. C. Security Definition The security property of a cloud computing scheme is defined through a game between the challenger and the adversary. Game Setup. Given the security parameter k, the challenger runs System Setup and Key generation procedure to generate key pari (pk, sk) and functions fi (), i = 1, 2, 3, 4. fi ()s are published. If pk = sk, pk is also published. Query Phase 1. The adversary picks poly1 (k) data and logic pairs and sends to challenger. For each pair (d, ), the challenger returns transformed pairs (cd , c ) to the adversary. The adversary can observe the output of f3 (c , cd ) and Eval(, d). The adversary can also try to use different input for the logic /c , or to use different logic for the data d/cd . Challenge. The adversary picks two (data, logic) pairs, which are represented as two strings s1 and s2 (s1 = s2 and |s1 | = |s2 |). These two strings are sent to the challenger. The challenger picks a random bit b, extracts data and logic from sb , and runs f2 , f3 to transformed the pair to (Db , Lb ) for the adversary. Query Phase 2. The adversary may perform poly2 (k) queries like in the Query Phase 1. The only requirement is that the string representation of d and  should be different from s1 and s2 . Guess. At this step, the adversary is asked to generate a bit b . If b = b then adversary wins, otherwise the adversary fails. Definition 1 (Secure cloud computing): If the adversary cannot win the above game with an non-negligible advantage, the cloud computing scheme is secure. Formally, if | Pr[b = b ] − 1/2| < 1/poly(k), then scheme achieves the security goal. This definition captures the basic institutions of the security requirements of cloud computing. First, very little restrictions

T3

Output

T6

Input 2 Input

T1 T5

T7

Output

T2

Input 1

T4

Input 3

Fig. 1.

An example of LUT which has 3 inputs and one output.

are put on the capabilities of the adversary. The adversary knows the transformed logic running in the cloud, and can make his/her own logic/data based on the observation. Furthermore, we make no assumptions on the types of analysis that the adversary can do. Second, the game winning probability describes the amount of information learned by the adversary. If the adversary can learn enough information from the computation process on the cloud side, he/she can win the game with high probability. We give two examples to show the effectiveness of the definition. 1) For a secure cloud computing scheme, an adversary cannot learn useful information of the transformed data, logic, and result. As if he/she can extract some useful information, it is easy to find out the correct b and win the game with noneligible probability; 2) For a secure cloud computing scheme, an adversary cannot run his own data with other’s transformed logic and get meaningful result. Otherwise the adversary can distinguish different transformed logics and win the game with noneligible probability. IV.

L OOKUP TABLE BASED S ECURE C LOUD C OMPUTING

In this section we present a lookup table (LUT) based solution for cloud computing that can satisfy the security definition given in Section III. A. Converting the Function to LUT based Logic First we show that every function that can be evaluated by a computer can be converted to a LUT based scheme. For a LUT, the indices of the table elements work as input and the element values are outputs of the LUT. It is easy to see that primitive recursive functions (the constant function, successor function, and the projection function) [17] can be converted to LUTs straightforwardly. The composition of these primitive functions can be achieved by compositions of LUT composition. These two features guarantee that every partial recursive function has an equivalent LUT representation. Further more, according to the Church-Turing thesis, the computation capability of Turing machine is equal to partial recursive function. So all functions can be evaluated by a computer can be represented using LUTs. To convert a function with domain D to LUT representation, a straightforward way is to enumerate all the possible input values and store corresponding result values in the table. The input values are used as indices of the table. Figure 1 gives an example of a LUT which equivalent to a function with three inputs. Each element of the LUT can be a vector to support multiple outputs. However, converting a function logic with relatively large input domain will generate a huge

Fig. 2. An example of connecting multiple LUTs to form a whole function. In this example, T1 receives the input and generates two outputs. T7 has three inputs from T4 , T5 , and T6 . Output of T7 is also the output of the whole logic.

LUT. To overcome this deficiency, we propose to decompose the original function to smaller atomic functions and convert each atomic function to a LUT. These LUTs are connected to form the whole function. Figure 2 depicts the way to connect multiple LUTs to form a complete function. B. LUT Protection The plain LUT based logic is not secure under the given security definition. As an adversary can use the LUT based logic to process his/her own data and gets meaningful result, the adversary can always distinguish different data/function pairs and win the game with noneligible advantage. So it is necessary to add extra protections to the plain table based logic to achieve secure cloud computing. In order to protect the LUT based logic, we apply encryption to the LUTs. Different encryption schemes can be applied and here we use AES [18]. For a given LUT, the owner of the LUT based logic picks an AES key and encrypts each table element. For the elements with same value, it is essential to generate different cipher-texts. Otherwise the adversary may distinguish different LUTs by observing the positions with same value. To achieve this goal, we use CTR mode for AES [19]. Specifically, an identical counter value is generated for each LUT element by combining the table index and the element indices. If the LUT element is a vector consisting of multiple values, these values are encrypted separately. When multiple LUTs are connected and each LUT is encrypted with different key, we must make sure that the output of one LUT can be used as input to the other LUT. The basic idea is to relocate each element of the LUT receiving data from other LUTs. Without lose of generality, suppose the outputs of L1 are given to L2 as inputs, and these two LUTs are both one-dimension. k1 and k2 are used to protect L1 and k2 (i) respectively. For an element of L1 with original value vout , the (i) (i) encrypted value is denoted as Ek1 (vout ), and Ek2 (L2 (vout )) is (i) (i) saved with index Ek1 (vout ) in LUT L2 . Here L2 (vout ) means the result of applying the atomic function corresponding to L2 (i) to vout . The first LUT receiving data from the user can be constructed in the similar way. Suppose the user uses key k to encrypt value v and the first LUT is L0 where k0 is used to protect its elements. Then the index of element Ek0 (L0 (v)) in L0 is set to Ek (v). The block size of AES is 128 bits and the size of the LUT element is usually much smaller than that. With CTR mode, first the counter is encrypted and the result is 128 bits. t bits of the result is kept and XORed with the element to get the final result, where t is the bit size of the element. So the size of the element and corresponding cipher-text are the same.

Although different keys are used for different LUTs, the user only needs to save the first and the last keys: the first key is used to encrypt the input and the last key is used to decrypt the result. C. Security Properties In this section we show that if an adversary A can attack the LUT based secure cloud computing scheme, it can be used to construct another adversary A that can attack the underling AES encryption scheme. The challenger first runs the setup algorithm to generate a series of AES keys for LUT protection. These keys are kept secret. First query phase. When A makes queries of chosen bit string s which represents a data and logic pair, A sends s to the challenger and gives the result to A. Challenge. A runs A to picks two bit strings s0 , s1 and sends to the challenger. The challenger picks a random bit b and constructs encrypted LUTs and data according to sb . Note that the encrypted LUTs and data are consist of a serious of ciphertexts. These cipher-texts are given to A. The goal of adversary A is to guess b. Second query phase. Like in the first query phase, A make queries and A responds by returning encrypted LUTs and data.

Algorithm 1 Basic version of data clustering with k-means Input: Data set C contains n data points, and the number of clusters k Output: Data sets C1 , . . . , Ck Picks k points from the data set, denoted as c1 , . . . , ck repeat c1 ← c1 , . . . , ck ← ck p for all data point p in the data set do find i such that dis(p, ci ) = minj=1,...,k dis(p, cj ) put data point p into set Ci end for for all set Ci (i = 1, . . . , k) do ci ← UpdateCenter (Ci ) end for until c1 = c1 , . . . , ck = ck return C1 , . . . , Ck

I I I LUT6

. . .

Guess. At this step, A outputs a bit b and A uses this b as its output. Note that if A wins the game with non-negligible probability, that means A can distinguish whether the cipher-text given in the challenge step is for s0 or s1 with non-negligible probability, which is contradict to the security property of AES with CTR mode. So the LUT based cloud computing scheme is secure under the definition. V.

I MPLEMENTATION

In this section we discuss the implementation of the table based secure cloud computing solution. The k-means MapReduce application was chosen to be implemented on LUT-based table as a sample for our novel concept. K-means clustering [20], [21] is used to find a set of k centers in real d-dimension space Rd which have the minimal mean distance from each of n given points in Rd to the nearest center, as described in the Algorithm 1. This k-means clustering can be mapped to the MapReduce framework [22]. The Map() module is used to find the closest center of each data point while the Reduce() module is in charge of center updating. We first give a generic architecture for n × n table implementation with FPGA’s basic LUT element, and then we provide a whole system implementation architecture of the kmeans clustering with MapReduce framework where several tables work together will be presented. A. LUT-based Table Due to the limitation of basic LUT inputs in current FPGA platforms, we need to separate the n × n table implementation into multiple LUTs. In the general case, the LUT element has L inputs. Therefore, if we want to implement a 1-bit output n × n table, LUTs should be allocated as a binary tree with

O X 64

LUT6

I LUT6

. . .

X 16

LUT6 O

Fig. 3. An example of 8-bit output 8 × 8 LUT-based table. 6-input LUTs are being used to implement a 1-bit output 8 × 8 table, called a 1-output slice. In order to receive the 8-bit output table, we need to use 8 instances of 1-output slice.

the order m. The value of order m is selected to satisfy the condition L × m < 2 × n ≤ L × (m + 1). The consumed resource is calculated as the equation (

m−1 

2i×L ) × 22×n−m×L + 1.

i=0

In our implementation, we are using the Xilinx’s Zynq 7000 platform which has 6-input LUTs to implement a 8-bit output 8 × 8 table. The relationship between the number of LUT’s inputs, the size of table and the order of the LUT’s tree is rewritten as 6 × m < 2 × 8 ≤ 6 × (m + 1), and the value of m is 2. Each 6-bit combination will be used to choose the output of the table. The number of used LUT per 1-bit output 8 × 8 table, 1 named as a 1-output slice, will be calculated as below ( i=0 2i×6 ) × 24 + 1 = 1041 LUTs. Therefore if we want to implement 8-bit output 8 × 8 table, we need to use 1041 × 8 = 8328 LUTs. Figure 3 shows the implementation of 8-bit output 8 × 8 table.

TABLE I.

H ARDWARE RESOURCES FOR Map() AND Reduce(). Map() Reduce()

FF 27 21

Processor

FPGA data

LUT 16675 16816

request Memory

NIC

Point Point

Fig. 6. Distance estimation

Overall system architecture

Distance comparison

C. Security Analysis with Overall Architecture Center points

Fig. 4.

Temporary center

Closest center

Block diagram of the Map function.

B. K-means MapReduce Application The Map() module, as illustrated in Figure 4, will find out the closest center for each point. Distances between each point and all centers will be estimated, and those results will be compared together to choose the shortest distance. Therefore we can select the closest center for each point according to the shortest distance. In our Map() module, distance estimation and distance comparison blocks are implemented by 8-bit output 8×8 LUTbased tables. These tables contain results for all possibilities of inputs, such as combinations of point and center in the case of distance estimation block, so they can produce the correct result quickly according to a specific combination. Outputs of the Map() module are the pair of point and the closest center. Based on the closest center, the output will be categorized to its Reduce() module in order to update the center itself. Resource consumption of Map() module is stated in Table I. The Reduce() modules are used to recalculated and updated centers. Each center has its own Reduce() module. Points coupling with a specific center as its closest center will be sent to a dedicated Reduce() module to calculate their mean value. That mean value will replace the current center as a new one, and join the set of centers for further processes. 8-bit output 8 × 8 LUT-based tables are used to implement the addition and the division blocks. Because the counter block only shows how many points there are, we do not need to hide its calculation and a DSP core or any other logic implementation is good enough. Reduce() module is displayed in Figure 5. Moreover, Table I shows how many resources are used for the Reduce() module.

Point Addition

Division

Counter Fig. 5.

Block diagram of the Reduce function.

New center

Figure 6 shows a simplified architecture which uses proposed secure computing method 1 . As shown in the figure, the user’s request for the cloud service is transferred to the server processor via Network Interface Card (NIC). After the processor receives the request, input data which is needed for the FPGA operation is loaded on the main memory and transferred to the FPGA; also, the FPGA device is connected to the system bus. After the operation of FPGA, the output data is written in the main memory and transferred to disk or NIC according to user’s request. In this operation, the data is encapsulated and thus, the attacker is not able to get any meaningful information during the operation. In Figure 6, we can assume that the attacker can access the memory or system bus using some malicious methods. However, in the secure k-means clustering implementation, the attacker can only access the encrypted LUTs and input data. That is, the attacker can learn nothing about the underlying program from observing these information as he/she cannot distinguish these from random bit strings. The attacker cannot use the encrypted LUTs for his/her input neither, as without correct key the attacker can only receive meaningless results. VI.

R ELATED W ORK

One research area of secure cloud computing is to utilize cryptographic tools to provide secure outsourced computation. Some research efforts focus on specialized applications such as outsourced databases [23]. Others attempt to enable search on cipher-text (e.g., [3]–[5]). By now, the most powerful tool in terms of cryptographic protection is fully homomorphic encryption [10] that support arbitrary operations on ciphertext. Many of these approaches have significant theoretical contributions. However, it is ofetn infeasible to apply them in the real world because they either support limited application scenarios or suffer from high computation/storage cost. There is a great need to create practical privacy preserving solutions for big data analytical applications such as those based on the parallel MapReduce programming model. Such a need has not been met by the existing solutions in the literature. Some works try to utilize hardware to achieve secure cloud computing [24], [25]. In the cloud computing, various studies that exploit the advantages of FPGA were performed. Mohanty and Mahapatra showed that the utilization of FPGA is a proper approach to enhance the security in the cloud computing. In addition, the trusted computing platform which is based on the FPGAs is proposed and applied to enhance the security for a medical application [26]. The study showed that applications that are operated with FPGAs have less attack surface than traditional software-based programs [27]. In one of the previous works, 1 Details of the system bus such as controllers and bridges are not shown in this figure for the simplicity.

a real implementation using FPGA for the cloud computing was shown as well [28]. While these prior works are mainly focused on a certain application, our research proposes general solution to enhance the security in cloud computing using FPGA. Another line of related research is FPGA security. A lot of research has been done to protect the FPGA bitstream itself (e.g., [29], [30]), but not the user’s data. There are also numerous studies on side channel attacks against FPGAs [31] and prevention techniques [32]. Other related work includes efforts to discover, prevent, and mitigate hardware side-channel exploits and Trojans (e.g., [33]). Our method is immune to the potential side channel attacks because we do not use any black box in the LUT based secure cloud computing.

[12]

[13] [14] [15] [16]

[17]

VII.

C ONCLUSION AND F UTURE W ORK

In this paper we propose a formal definition for the security property of cloud computing. This definition captures the essential security requirements in the context of cloud computing, which considers the security of both data and program. We also design a look-up table based solution for cloud computing, which satisfies this definition. As FPGA uses a look-up table as its main computation component, it is a good choice for the LUT based secure cloud computing. We implement k-means clustering using the proposed solution and FPGA. As a future work, we will apply our method to diverse applications and evaluate the feasibility of the proposed approach.

[18] [19]

[20] [21] [22]

[23]

R EFERENCES [1] [2] [3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

Amazon, “Amazon SimpleDB.” [Online]. Available: http://aws.amazon. com/simpledb/ Salesforce, “Salesforce Sales Cloud.” [Online]. Available: http: //www.salesforce.com/sales-cloud/ M. Bellare, A. Boldyreva, and A. O’Neill, “Deterministic and efficiently searchable encryption,” in Advances in Cryptology - CRYPTO 2007, ser. LNCS, A. Menezes, Ed., vol. 4622. Springer-Verlag, 2007. D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano, “Public key encryption with keyword search,” in Advances in Cryptology EUROCRYPT 2004, ser. LNCS, vol. 3027. Springer-Verlag, 2004, pp. 506–522. D. X. Song, D. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” in Proceedings of the IEEE Symposium on Security and Privacy, S&P 2000. IEEE Computer Society, 2000, pp. 44–55. D. Boneh, E.-J. Goh, and K. Nissim, “Evaluating 2-dnf formulas on ciphertexts,” in Second Theory of Cryptography Conference - TCC 2005, ser. LNCS, J. Kilian, Ed., vol. 3378. Springer-Verlag, 2005, pp. 325–341. R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Order preserving encryption for numeric data,” in Proceedings of the 2004 ACM SIGMOD international conference on Management of data, SIGMOD 2004. ACM, 2004, pp. 563–574. A. Boldyreva, N. Chenette, Y. Lee, and A. O’Neill, “Order-preserving symmetric encryption,” in Advances in Cryptology - EUROCRYPT 2009, ser. LNCS, A. Joux, Ed., vol. 5479. Springer-Verlag, 2009, pp. 224–241. A. Boldyreva, N. Chenette, and A. O’Neill, “Order-preserving encryption revisited: Improved security analysis and alternative solutions,” in Advances in Cryptology - CRYPTO 2011, ser. LNCS, P. Rogaway, Ed., vol. 6841. Springer-Verlag, 2011, pp. 578–595. C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the 41st Annual ACM Symposium on Theory of Computing - STOC 2009. ACM, 2009, pp. 169–178. O. Goldreich, “Towards a theory of software protection and simulation by oblivious rams,” in Proceedings of the 19th Annual ACM Symposium on Theory of Computing - STOC 1987, A. V. Aho, Ed. ACM, 1987, pp. 182–194.

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

M. Maas, E. Love, E. Stefanov, M. Tiwari, E. Shi, K. Asanovic, J. Kubiatowicz, and D. Song, “Phantom: practical oblivious computation in a secure processor,” in ACM Conference on Computer and Communications Security - CCS 2013, A.-R. Sadeghi, V. D. Gligor, and M. Yung, Eds. ACM, 2013, pp. 311–324. S. Goldwasser and S. Micali, “Probabilistic encryption,” Journal of Computer and Systems Sciences, vol. 28, pp. 270–299, 1984. O. Goldreich, Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press, 2007. B. Toxen, “The NSA and Snowden: Securing the all-seeing eye,” Communications of the ACM, vol. 57, pp. 44–51, 2014. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds,” in Proceedings of the 16th ACM conference on Computer and communications security - CCS 2009, S. Jha and A. Keromytis, Eds. ACM, 2009, pp. 199–212. S. Cooper, Computability Theory, ser. Mathematics Series. Chapman Hall/CRC, 2003. FIPS PUB 197: Advanced Encryption Standard, NIST Std., November 2001. M. Dworkin, NIST SP 800-38A Recommendation for Block Cipher Modes of Operation, National Institute of Standards and Technology Std., 2011. S. P.LLoyd, “Least square quantization in pcm,” IEEE Transactions on Information Theory, vol. 28, no. 2, pp. 129–137, 1982. E. Forgy, “Cluster analysis of multivariate data: efficiency vs interpretability of classifications,” Biometrics, vol. 21, pp. 768–769, 1965. J. Dean and S. Ghemawat, “Mapreduce: Simplified data processing on large clusters,” Communication of the ACM, vol. 51, no. 1, pp. 107–113, 2008. H. Hacig¨um¨us, B. R. Iyer, C. Li, and S. Mehrotra, “Executing sql over encrypted data in the database-service-provider model,” in Proceedings of the ACM International Conference on Management of Data SIGMOD 2002, M. J. Franklin, B. Moon, and A. Ailamaki, Eds. ACM, 2002, pp. 216–227. L. Xu, W. Shi, and T. Suh, “PFC: Privacy preserving FPGA cloud - a case study of MapReduce,” in 7th IEEE International Conference on Cloud Computing, 2014. L. Xu, H. Kim, W. Shi, T. Suh, and X. Wang, “Privacy preserving large scale dna read-mapping in mapreduce framework using fpga,” in 24th International Conference on Field Programmable Logic and Applications - FPL 2014, 2014. J. P. Mohanty and K. Mahapatra, “FPGA for reliance on cloud computing,” in ICEEDC 2013,International Conference on Electrical Electronics and Data Communication Engineering, Feb 2013, pp. 1–4. K. Eguro and R. Venkatesan, “FPGAs for trusted cloud computing,” in Field Programmable Logic and Applications (FPL), 2012 22nd International Conference on, Aug 2012, pp. 63–70. J. Yu, Y. Zhu, L. Xia, M. Qiu, Y. Fu, and G. Rong, “Grounding high efficiency cloud computing architecture: Hw-sw co-design and implementation of a stand-alone web server on fpga,” in Applications of Digital Information and Web Technologies (ICADIWT), 2011 Fourth International Conference on the, Aug 2011, pp. 124–129. A. B. Kahng, J. Lach, and W. H. Mangione-Smith, “Constraint-based watermarking techniques for design ip protection,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 20, no. 10, pp. 1236–1252, Oct 2001. M. Schmid, D. Ziener, and J. Teich, “Netlist-level IP protection by watermarking for lut-based FPGA s,” in International Conference on Field-Programmable Technology - FPT 2008, T. El-Ghazawi, Y.-W. Chang, J.-D. Huang, and P. Saha, Eds., Dec 2008, pp. 209–216. E. De Mulder, P. Buysschaert, S. Ors, P. Delmotte, B. Preneel, G. Vandenbosch, and I. Verbauwhede, “Electromagnetic analysis attack on an fpga implementation of an elliptic curve cryptosystem,” in The International Conference on Computer as a Tool - EUROCON 2005, vol. 2. IEEE, Nov 2005, pp. 1879–1882. A. Mokari, B. Ghavami, and H. Pedram, “SCAR-FPGA : A novel side-channel attack resistant FPGA,” in 5th Southern Conference on Programmable Logic - SPL 2009, April 2009, pp. 177–182. J. Demme, R. Martin, A. Waksman, and S. Sethumadhavan, “A quantitative, experimental approach to measuring processor side-channel security,” Micro, IEEE, vol. 33, no. 3, pp. 68–77, 2013.