Cryptology ePrint Archive: Report 2015/949

Private Processing of Outsourced Network Functions: Feasibility and Constructions

Luca Melis and Hassan Jameel Asghar and Emiliano De Cristofaro and Mohamed Ali Kaafar

Abstract: With organizations increasingly willing to outsource their network functions (e.g., firewalls, traffic shapers and intrusion detection systems) to the cloud, aiming to reduce the cost and complexity of maintaining networking infrastructures, the industry including Cisco, Arista, Alcatel-Lucent and alike are offering network function virtualization (NFV)-based solutions. However, outsourcing network functions in its current setting implies that sensitive network policies, such as firewall rules, are revealed to the cloud provider. In this paper, we investigate the use of cryptographic primitives for processing outsourced network functions, so that the provider does not learn any sensitive information. We present a cryptographic treatment of privacy-preserving outsourcing of network functions, introducing security definitions as well as an abstract model of generic network functions, and then propose a few instantiations using partial homomorphic encryption and public-key encryption with keyword search. We show a proof-of-concept implementation of our constructions and show that network functions can be privately processed by an untrusted cloud provider in a few milliseconds.

Category / Keywords: applications / private network function virtualization, BGN cryptosystem, public key encryption with keyword search

Date: received 29 Sep 2015, last revised 7 Oct 2015

Contact author: hassan jameel at gmail com

Available format(s): PDF | BibTeX Citation

Note: Typo in the name of the third author.

Version: 20151008:005536 (All versions of this report)

Short URL: ia.cr/2015/949

Discussion forum: Show discussion | Start new discussion