Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis

  • 1,906 views
Uploaded on

Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis

Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,906
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
3
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Our work is closely related to two-party non-interactive one-round threshold cryptography.
  • It is not necessary to design schemes equivalent to “natural” one-party schemes. In fact, it is hard to modify existing schemes to make them accomplish this goal.
  • We do not focus on ket distribution.
  • We do not look into key distribution issues.
  • We do not look into key distribution issues.
  • IDEA belongs to Boyd.

Transcript

  • 1. Proxy Cryptography Revisited Anca-Andreea Ivan , Yevgeniy Dodis New York University NDSS 2003 PDSG NYU 1
  • 2. Outline of the talk  Introduction – What and Why?  Related work  Unidirectional (UPF ) vs. Bidirectional (BPF)  Encryption UPF  Encryption BPF  Signature UPF & BPF  Conclusions PDSG NYU 2
  • 3. Introduction  Problem:  Allow Bob to decrypt ciphertext or sign messages on behalf of Alice, without knowing the secret key of Alice.  Solution:  Third party (Escrow) helps Bob  Proxy functions  Our goal:  Formalize and clarify the notion proxy functions  Construct simple schemes satisfying the formal definitions PDSG NYU 3
  • 4. Scenario: Key Escrow User Escrow (ISP) PDSG NYU FBI I have a warrant to monitor email for one week. 4
  • 5. Scenario: Key Escrow User Escrow (ISP) PDSG NYU FBI I have a warrant to monitor email for one week. 5
  • 6. Related work  Atomic proxy functions [BlSt98]  Mobile agents proxy signatures [KBKL01,LKK01]  Proxy signature is different from original signature  Two-party signatures [BeSa02,MR01a,MR01b,NKDM03]  Interactive protocols  Two-party encryption [Mac03]  Interactive protocols  Threshold cryptography [Des89,…] PDSG NYU 6
  • 7. Blaze/Strauss scheme – closer look [BlSt98]  Informal definition for encryption/signature proxy functions  Try to modify existing cryptographic primitives to satisfy the definitions  Result:  Weak security guarantees  Semi-formal implementations  El-Gamal encryption  Modified Fiat-Shamir signatures PDSG NYU [IvDo03]  Starting with the problem at hand, create formal model and definitions  Design simple, possibly new schemes that satisfy the definitions  Result:  Strong, formal security guarantees  Encryption and signatures (…)  Unidirectional and bidirectional 7
  • 8. Unidirectional proxy function (UPF) Key distribution Alice PDSG NYU Escrow Bob 8
  • 9. Bidirectional proxy function (BPF) Key distribution Alice PDSG NYU Escrow Bob 9
  • 10. Definition of UPF Encryption Key distribution Alice Escrow Bob UDec UEnc PDSG NYU c’=p(c) c=UEnc(m) m=f(c’) 10
  • 11. Encryption UPF - Security  Classic CCA: “The only way to decrypt c = Enc(m) of an unknown message m, is to ask the decryptor to decrypt c.”  Unidirectional proxy functions CCA:  CCA secure against Bob when helped by Escrow: “The only way for Bob to decrypt c = Enc(m) of an unknown message m is by asking Escrow to transform c with p(c).”  CCA secure against Escrow when helped by Bob: “The only way for Escrow to decrypt c = Enc(m) of an unknown message m is to ask Bob to decrypt c’ = f(c) .”  Similarly, PDSG NYU we can define CPA and OW security. 11
  • 12. Generic Encryption UPF EK1,EK2 Key distribution DK1 DK1,DK2 Alice DK1,DK2 D2 D1 E2 Escrow DK1 c=E1(E2(m)) DK2 Bob DK2 E1 PDSG NYU c’=D1(c) m=D2(c’) 12
  • 13. Specialized UPF Encryption El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) Key distribution EK=e d1 DK=d=d1*d2 Alice d=d1 * d2 m=cd mod n Bob Escrow d1 c d2 c’=cd1 mod n d2 m=c’d2 mod n c=me mod n PDSG NYU 13
  • 14. Definition of BPF Encryption Key distribution Alice m=BDec(c) Escrow c c’=∏(c) Bob m=BDec(c’) c=BEnc(m) PDSG NYU 14
  • 15. Encryption BPF - Security  BPF Alice  Bob = UPF Alice  Bob + UPF Bob  Alice  Bidirectional proxy functions CCA:  CCA secure against Alice when helped by Escrow  CCA secure against Escrow when helped by Alice  CCA secure against Bob when helped by Escrow  CCA secure against Escrow when helped by Bob  Similarly, PDSG NYU we can define CPA and OW security. 15
  • 16. Generic Encryption BPF Key distribution EK1,EK2,EK3 DK1,DK2 DK2,DK3 Alice DK1,DK2 D1 D2 E1 E2 PDSG NYU DK3,DK1 Escrow DK2,DK3 D2 E3 Bob DK3,DK1 D3 D1 E3 E1 16
  • 17. Specialized Encryption BPF El-Gamal (CPA) EK1=gx1,EK2=gx2 DK1=x1 Alice Key distribution DK2=x2 x2-x1 Bob Escrow x2-x1 x1 x2 c’ m=c/grx1 c c’=(gr,mgrx1gr(x2-x1)) m=c’/grx2 c=(gr,mgrx1) PDSG NYU 17
  • 18. Signatures  Signatures schemes are similar to encryption schemes.  Signatures UPF  S’ = ( UniGen , UniSig , UniVer , PSig , FSig )  Generic UPF (UF-CMA)  Specialized UPF – RSA-Hash  Signatures BPF  S’ = ( BiGen , BiSig , BiVer , Π )  Generic Signatures BPF PDSG NYU 18
  • 19. Conclusions  Start from the problem formulated in [BlSt98]  Created formal model and security definitions  Designed simple schemes  Encryption & Signatures; UPF/BPF; Generic and Specialized  Future work:  Generic schemes have a factor of two slowdown compared to classic schemes.  Specialized schemes eliminate the slowdown, but could not create specialized schemes for all classic schemes (e.g. Cramer-Shoup).  Better scalability to multi-user setting.  Natural asymmetric proxy functions. PDSG NYU 19
  • 20. Thank you. http://www.cs.nyu.edu/ivan/papers.htm PDSG NYU 20
  • 21. Scenario 1: President Vice-president 1 PDSG NYU I am going away for one week. Please cooperate. Vice-president 2 21
  • 22. Unidirectional vs. Bidirectional     Scenario 1: Can the vice-presidents have “meaningful” keys? Scenario 2: Can the FBI have a “meaningful” key? A “meaningful” key is a key that can be used by itself for signature/encryption. Unidirectional:  “Meaningful” KU  KF , KP s.t. both KF and KP have no meaning on their own.  FBI and Proxy should not be able to attack the User without cooperation.  Bidirectional:  “Meaningful” KU , KF  KP s.t. only KP has no “meaning”  FBI and Proxy should not be able to attack the User without cooperation.  User and Proxy should not be able to attack the FBI without cooperation. PDSG NYU 22
  • 23. Encryption proxy functions Bidirectional c1=EncU(m1) U(DKU): m1=DecU(c1) m2=DecU(c’2) Unidirectional c1=EncU(m1) U(DKU): m1=DecU(c1) F(DKF): m1=DecF(c’1) m2=DecF(c2) PDSG NYU c2=EncF(m2) P(K’P): c’1= f(c1) F(K’F): m1=g(c’1) P(K”P): c2’= f(c2) P(KPP): c’12= Π PP(c12)) P(K ): c’ = Π (c U(K”U): m2=g(c’2) c2=EncF(m2) F(DKF): m2=DecF(c2) 23
  • 24. Signature proxy functions Bidirectional T=VerU(s1) Unidirectional U(SKU): s1=SigU(m1) s’2=SigU(m2) T=VerU(s1) U(SKU): s1=SigU(m1) F(SKF): s’1=SigF(m1) s2=SigF(m2) PDSG NYU T=VerF(s2) P(K’P): s1= f(s’1) F(K’F): s’1=g(m1) P(K”P): s2= f(s’2) P(KPP): ss12= Π PP(s’12)) P(K ): = Π (s’ U(K”U): s’2=g(m2) T=VerF(s2) F(DKF): s2=SigF(m2) 24
  • 25. Specialized Encryption UPF El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) RSA: E = ( Gen, Enc(m) = me mod n, Dec(c) = cd mod n )  Idea: split the secret key into two shares.  ( EKU , DKU )  Gen  EKU = e ; DKU = d = d1 * d2 ; KP = d1 KF = d2 DKU=d1 * d2  UEnc( m ) = Enc(m ) = me mod n  UDec( c ) = Dec( c ) = ce mod n  f( c ) = cd2 mod n = c’ ; p( c’ ) = cd1 mod n  f( p( Enc( m ) ) ) = m KP=d1 KF =d2  RSA-UPF is unidirectionally OW secure.  Open problem: design scheme for Cramer-Shoup (CCA)  PDSG NYU 25
  • 26. Generic Encryption BPF  Idea: P “re-encrypts” c = Enc(m) with a key shared by U and F. DK1,DK2       E = ( Gen , Enc , Dec ) BiGen: ( EK1,DK1, EK2,DK2, EK3,DK3)  Gen ; DKU = ( DK1,DK2 ) ; DKF = ( DK2,DK3 ) ; KP = ( DK1,DK3 ) BiEnc(m) = Enc1( Enc2( m ) ) = c BiDec(c) = Dec2( Dec1 ( c ) ) = m Π( c ) = Enc3( Dec1(c ) ) = c’ E’ is PDSG bidirectionally NYU secure. DK1,DK3 CCA2 secure if E is CCA2 DK3,DK2 26
  • 27. Specialized Encryption BPF  El-Gamal (CPA):  E = ( Gen, Enc(m) = ( gr , grx m ), Dec(c)= grxm/(gr)x )  ( EKU = gx1, DKU = x1 )  Gen ; ( EKF = gx2 ,DKF = x2 )  Gen ;  KP = DKF – DKU = x2-x1  BiEncU( m ) = EncU(m ) = ( gr , grx1 m )  BiDecU( c ) = DecU( c ) = grx1m/(gr)x1  ΠP( BiEncU( m ) ) = ( gr , grx1 m gr(x2-x1) ) = (gr , grx2m)  BiDecF( ΠP( BiEncU( m ) ) ) = m  El-Gamal-BPF is bidirectionally CPA secure.  Note: RSA cannot be made bidirectional (because of factorization). In the case of El-Gamal, it is safe to publish the public keys. PDSG NYU 27