Successfully reported this slideshow.
Upcoming SlideShare
×

# Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis

2,866 views

Published on

Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis

Published in: Technology
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

• Be the first to like this

### Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis

1. 1. Proxy Cryptography Revisited Anca-Andreea Ivan , Yevgeniy Dodis New York University NDSS 2003 PDSG NYU 1
2. 2. Outline of the talk  Introduction – What and Why?  Related work  Unidirectional (UPF ) vs. Bidirectional (BPF)  Encryption UPF  Encryption BPF  Signature UPF & BPF  Conclusions PDSG NYU 2
3. 3. Introduction  Problem:  Allow Bob to decrypt ciphertext or sign messages on behalf of Alice, without knowing the secret key of Alice.  Solution:  Third party (Escrow) helps Bob  Proxy functions  Our goal:  Formalize and clarify the notion proxy functions  Construct simple schemes satisfying the formal definitions PDSG NYU 3
4. 4. Scenario: Key Escrow User Escrow (ISP) PDSG NYU FBI I have a warrant to monitor email for one week. 4
5. 5. Scenario: Key Escrow User Escrow (ISP) PDSG NYU FBI I have a warrant to monitor email for one week. 5
6. 6. Related work  Atomic proxy functions [BlSt98]  Mobile agents proxy signatures [KBKL01,LKK01]  Proxy signature is different from original signature  Two-party signatures [BeSa02,MR01a,MR01b,NKDM03]  Interactive protocols  Two-party encryption [Mac03]  Interactive protocols  Threshold cryptography [Des89,…] PDSG NYU 6
7. 7. Blaze/Strauss scheme – closer look [BlSt98]  Informal definition for encryption/signature proxy functions  Try to modify existing cryptographic primitives to satisfy the definitions  Result:  Weak security guarantees  Semi-formal implementations  El-Gamal encryption  Modified Fiat-Shamir signatures PDSG NYU [IvDo03]  Starting with the problem at hand, create formal model and definitions  Design simple, possibly new schemes that satisfy the definitions  Result:  Strong, formal security guarantees  Encryption and signatures (…)  Unidirectional and bidirectional 7
8. 8. Unidirectional proxy function (UPF) Key distribution Alice PDSG NYU Escrow Bob 8
9. 9. Bidirectional proxy function (BPF) Key distribution Alice PDSG NYU Escrow Bob 9
10. 10. Definition of UPF Encryption Key distribution Alice Escrow Bob UDec UEnc PDSG NYU c’=p(c) c=UEnc(m) m=f(c’) 10
11. 11. Encryption UPF - Security  Classic CCA: “The only way to decrypt c = Enc(m) of an unknown message m, is to ask the decryptor to decrypt c.”  Unidirectional proxy functions CCA:  CCA secure against Bob when helped by Escrow: “The only way for Bob to decrypt c = Enc(m) of an unknown message m is by asking Escrow to transform c with p(c).”  CCA secure against Escrow when helped by Bob: “The only way for Escrow to decrypt c = Enc(m) of an unknown message m is to ask Bob to decrypt c’ = f(c) .”  Similarly, PDSG NYU we can define CPA and OW security. 11
12. 12. Generic Encryption UPF EK1,EK2 Key distribution DK1 DK1,DK2 Alice DK1,DK2 D2 D1 E2 Escrow DK1 c=E1(E2(m)) DK2 Bob DK2 E1 PDSG NYU c’=D1(c) m=D2(c’) 12
13. 13. Specialized UPF Encryption El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) Key distribution EK=e d1 DK=d=d1*d2 Alice d=d1 * d2 m=cd mod n Bob Escrow d1 c d2 c’=cd1 mod n d2 m=c’d2 mod n c=me mod n PDSG NYU 13
14. 14. Definition of BPF Encryption Key distribution Alice m=BDec(c) Escrow c c’=∏(c) Bob m=BDec(c’) c=BEnc(m) PDSG NYU 14
15. 15. Encryption BPF - Security  BPF Alice  Bob = UPF Alice  Bob + UPF Bob  Alice  Bidirectional proxy functions CCA:  CCA secure against Alice when helped by Escrow  CCA secure against Escrow when helped by Alice  CCA secure against Bob when helped by Escrow  CCA secure against Escrow when helped by Bob  Similarly, PDSG NYU we can define CPA and OW security. 15
16. 16. Generic Encryption BPF Key distribution EK1,EK2,EK3 DK1,DK2 DK2,DK3 Alice DK1,DK2 D1 D2 E1 E2 PDSG NYU DK3,DK1 Escrow DK2,DK3 D2 E3 Bob DK3,DK1 D3 D1 E3 E1 16
17. 17. Specialized Encryption BPF El-Gamal (CPA) EK1=gx1,EK2=gx2 DK1=x1 Alice Key distribution DK2=x2 x2-x1 Bob Escrow x2-x1 x1 x2 c’ m=c/grx1 c c’=(gr,mgrx1gr(x2-x1)) m=c’/grx2 c=(gr,mgrx1) PDSG NYU 17
18. 18. Signatures  Signatures schemes are similar to encryption schemes.  Signatures UPF  S’ = ( UniGen , UniSig , UniVer , PSig , FSig )  Generic UPF (UF-CMA)  Specialized UPF – RSA-Hash  Signatures BPF  S’ = ( BiGen , BiSig , BiVer , Π )  Generic Signatures BPF PDSG NYU 18
19. 19. Conclusions  Start from the problem formulated in [BlSt98]  Created formal model and security definitions  Designed simple schemes  Encryption & Signatures; UPF/BPF; Generic and Specialized  Future work:  Generic schemes have a factor of two slowdown compared to classic schemes.  Specialized schemes eliminate the slowdown, but could not create specialized schemes for all classic schemes (e.g. Cramer-Shoup).  Better scalability to multi-user setting.  Natural asymmetric proxy functions. PDSG NYU 19
20. 20. Thank you. http://www.cs.nyu.edu/ivan/papers.htm PDSG NYU 20
21. 21. Scenario 1: President Vice-president 1 PDSG NYU I am going away for one week. Please cooperate. Vice-president 2 21
22. 22. Unidirectional vs. Bidirectional     Scenario 1: Can the vice-presidents have “meaningful” keys? Scenario 2: Can the FBI have a “meaningful” key? A “meaningful” key is a key that can be used by itself for signature/encryption. Unidirectional:  “Meaningful” KU  KF , KP s.t. both KF and KP have no meaning on their own.  FBI and Proxy should not be able to attack the User without cooperation.  Bidirectional:  “Meaningful” KU , KF  KP s.t. only KP has no “meaning”  FBI and Proxy should not be able to attack the User without cooperation.  User and Proxy should not be able to attack the FBI without cooperation. PDSG NYU 22
23. 23. Encryption proxy functions Bidirectional c1=EncU(m1) U(DKU): m1=DecU(c1) m2=DecU(c’2) Unidirectional c1=EncU(m1) U(DKU): m1=DecU(c1) F(DKF): m1=DecF(c’1) m2=DecF(c2) PDSG NYU c2=EncF(m2) P(K’P): c’1= f(c1) F(K’F): m1=g(c’1) P(K”P): c2’= f(c2) P(KPP): c’12= Π PP(c12)) P(K ): c’ = Π (c U(K”U): m2=g(c’2) c2=EncF(m2) F(DKF): m2=DecF(c2) 23
24. 24. Signature proxy functions Bidirectional T=VerU(s1) Unidirectional U(SKU): s1=SigU(m1) s’2=SigU(m2) T=VerU(s1) U(SKU): s1=SigU(m1) F(SKF): s’1=SigF(m1) s2=SigF(m2) PDSG NYU T=VerF(s2) P(K’P): s1= f(s’1) F(K’F): s’1=g(m1) P(K”P): s2= f(s’2) P(KPP): ss12= Π PP(s’12)) P(K ): = Π (s’ U(K”U): s’2=g(m2) T=VerF(s2) F(DKF): s2=SigF(m2) 24
25. 25. Specialized Encryption UPF El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) RSA: E = ( Gen, Enc(m) = me mod n, Dec(c) = cd mod n )  Idea: split the secret key into two shares.  ( EKU , DKU )  Gen  EKU = e ; DKU = d = d1 * d2 ; KP = d1 KF = d2 DKU=d1 * d2  UEnc( m ) = Enc(m ) = me mod n  UDec( c ) = Dec( c ) = ce mod n  f( c ) = cd2 mod n = c’ ; p( c’ ) = cd1 mod n  f( p( Enc( m ) ) ) = m KP=d1 KF =d2  RSA-UPF is unidirectionally OW secure.  Open problem: design scheme for Cramer-Shoup (CCA)  PDSG NYU 25
26. 26. Generic Encryption BPF  Idea: P “re-encrypts” c = Enc(m) with a key shared by U and F. DK1,DK2       E = ( Gen , Enc , Dec ) BiGen: ( EK1,DK1, EK2,DK2, EK3,DK3)  Gen ; DKU = ( DK1,DK2 ) ; DKF = ( DK2,DK3 ) ; KP = ( DK1,DK3 ) BiEnc(m) = Enc1( Enc2( m ) ) = c BiDec(c) = Dec2( Dec1 ( c ) ) = m Π( c ) = Enc3( Dec1(c ) ) = c’ E’ is PDSG bidirectionally NYU secure. DK1,DK3 CCA2 secure if E is CCA2 DK3,DK2 26
27. 27. Specialized Encryption BPF  El-Gamal (CPA):  E = ( Gen, Enc(m) = ( gr , grx m ), Dec(c)= grxm/(gr)x )  ( EKU = gx1, DKU = x1 )  Gen ; ( EKF = gx2 ,DKF = x2 )  Gen ;  KP = DKF – DKU = x2-x1  BiEncU( m ) = EncU(m ) = ( gr , grx1 m )  BiDecU( c ) = DecU( c ) = grx1m/(gr)x1  ΠP( BiEncU( m ) ) = ( gr , grx1 m gr(x2-x1) ) = (gr , grx2m)  BiDecF( ΠP( BiEncU( m ) ) ) = m  El-Gamal-BPF is bidirectionally CPA secure.  Note: RSA cannot be made bidirectional (because of factorization). In the case of El-Gamal, it is safe to publish the public keys. PDSG NYU 27