1 / 27

Proxy Cryptography Revisited

Proxy Cryptography Revisited. Anca-Andreea Ivan , Yevgeniy Dodis New York University NDSS 2003. Outline of the talk. Introduction – What and Why? Related work Unidirectional (UPF ) vs. Bidirectional (BPF) Encryption UPF Encryption BPF Signature UPF & BPF Conclusions. Introduction.

kineta
Download Presentation

Proxy Cryptography Revisited

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Proxy Cryptography Revisited Anca-Andreea Ivan , Yevgeniy Dodis New York University NDSS 2003

  2. Outline of the talk • Introduction – What and Why? • Related work • Unidirectional (UPF ) vs. Bidirectional (BPF) • Encryption UPF • Encryption BPF • Signature UPF & BPF • Conclusions

  3. Introduction • Problem: • Allow Bob to decrypt ciphertext or sign messages on behalf of Alice, without knowing the secret key of Alice. • Solution: • Third party (Escrow) helps Bob • Proxy functions • Our goal: • Formalize and clarify the notion proxy functions • Construct simple schemes satisfying the formal definitions

  4. User Escrow (ISP) FBI Scenario: Key Escrow I have a warrant to monitor email for one week.

  5. User Escrow (ISP) I have a warrant to monitor email for one week. FBI Scenario: Key Escrow

  6. Related work • Atomic proxy functions [BlSt98] • Mobile agents proxy signatures [KBKL01,LKK01] • Proxy signature is different from original signature • Two-party signatures [BeSa02,MR01a,MR01b,NKDM03] • Interactive protocols • Two-party encryption [Mac03] • Interactive protocols • Threshold cryptography [Des89,…]

  7. [BlSt98] Informal definition for encryption/signature proxy functions Try to modify existing cryptographic primitives to satisfy the definitions Result: Weak security guarantees Semi-formal implementations El-Gamal encryption Modified Fiat-Shamir signatures [IvDo03] Starting with the problem at hand, create formal model and definitions Design simple, possibly new schemes that satisfy the definitions Result: Strong, formal security guarantees Encryption and signatures (…) Unidirectional and bidirectional Blaze/Strauss scheme – closer look

  8. Key distribution Bob Alice Escrow Unidirectional proxy function (UPF)

  9. Key distribution Bob Alice Escrow Bidirectional proxy function (BPF)

  10. Key distribution Bob Alice Escrow UDec m=f(c’) c’=p(c) UEnc c=UEnc(m) Definition of UPF Encryption

  11. Encryption UPF - Security • Classic CCA: “The only way to decrypt c = Enc(m) of an unknown message m, is to ask the decryptor to decrypt c.” • Unidirectional proxy functions CCA: • CCA secure against Bob when helped by Escrow: “The only way for Bob to decrypt c = Enc(m) of an unknown message m is by asking Escrow to transform c with p(c).” • CCA secure against Escrow when helped by Bob: “The only way for Escrow to decrypt c = Enc(m) of an unknown message m is to ask Bob to decrypt c’ = f(c) .” • Similarly, we can define CPA and OW security.

  12. EK1,EK2 Key distribution DK1 DK2 DK1,DK2 Escrow Bob Alice DK1,DK2 DK1 DK2 c=E1(E2(m)) D2 D1 m=D2(c’) c’=D1(c) E2 E1 Generic Encryption UPF

  13. Key distribution EK=e Bob d1 d2 DK=d=d1*d2 Escrow Alice d=d1*d2 d1 d2 m=cd mod n c c’=cd1 mod n m=c’d2 mod n c=me mod n Specialized UPF EncryptionEl-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)

  14. Key distribution Bob Escrow Alice m=BDec(c’) m=BDec(c) c’=(c) c c=BEnc(m) Definition of BPF Encryption

  15. Encryption BPF - Security • BPF Alice  Bob = UPF Alice  Bob + UPF Bob  Alice • Bidirectional proxy functions CCA: • CCA secure against Alice when helped by Escrow • CCA secure against Escrow when helped by Alice • CCA secure against Bob when helped by Escrow • CCA secure against Escrow when helped by Bob • Similarly, we can define CPA and OW security.

  16. EK1,EK2,EK3 Key distribution DK1,DK2 DK2,DK3 DK3,DK1 Alice Bob Escrow DK1,DK2 DK3,DK1 D1 D2 D3 D1 D2 E3 E1 E3 E1 E2 Generic Encryption BPF DK2,DK3

  17. EK1=gx1,EK2=gx2 Key distribution DK2=x2 DK1=x1 x2-x1 Alice Bob Escrow x1 x2 c’ m=c/grx1 m=c’/grx2 c’=(gr,mgrx1gr(x2-x1)) c c=(gr,mgrx1) Specialized Encryption BPFEl-Gamal (CPA) x2-x1

  18. Signatures • Signatures schemes are similar to encryption schemes. • Signatures UPF • S’ = ( UniGen , UniSig , UniVer , PSig , FSig ) • Generic UPF (UF-CMA) • Specialized UPF – RSA-Hash • Signatures BPF • S’ = ( BiGen , BiSig , BiVer , ) • Generic Signatures BPF

  19. Conclusions • Start from the problem formulated in [BlSt98] • Created formal model and security definitions • Designed simple schemes • Encryption & Signatures; UPF/BPF; Generic and Specialized • Future work: • Generic schemes have a factor of two slowdown compared to classic schemes. • Specialized schemes eliminate the slowdown, but could not create specialized schemes for all classic schemes (e.g. Cramer-Shoup). • Better scalability to multi-user setting. • Natural asymmetric proxy functions.

  20. Thank you. http://www.cs.nyu.edu/ivan/papers.htm

  21. Scenario 1: President Vice-president 1 Vice-president 2 I am going away for one week. Please cooperate.

  22. Unidirectional vs. Bidirectional • Scenario 1: Can the vice-presidents have “meaningful” keys? • Scenario 2: Can the FBI have a “meaningful” key? • A “meaningful” key is a key that can be used by itself for signature/encryption. • Unidirectional: • “Meaningful” KU KF , KP s.t. both KF and KP have no meaning on their own. • FBI and Proxy should not be able to attack the User without cooperation. • Bidirectional: • “Meaningful” KU , KF KP s.t. only KP has no “meaning” • FBI and Proxy should not be able to attack the User without cooperation. • User and Proxy should not be able to attack the FBI without cooperation.

  23. U(DKU): m1=DecU(c1) U(DKU): m1=DecU(c1) m2=DecU(c’2) P(K’P): c’1= f(c1) F(K’F): m1=g(c’1) P(KP): c’2= P (c2) P(KP): c’1= P (c1) P(K”P): c2’= f(c2) U(K”U): m2=g(c’2) F(DKF): m1=DecF(c’1) F(DKF): m2=DecF(c2) m2=DecF(c2) Encryption proxy functions c1=EncU(m1) c1=EncU(m1) c2=EncF(m2) c2=EncF(m2)

  24. T=VerU(s1) T=VerU(s1) P(K’P): s1= f(s’1) P(KP): s2= P (s’2) P(KP): s1= P (s’1) P(K”P): s2= f(s’2) T=VerF(s2) T=VerF(s2) Signature proxy functions U(SKU): s1=SigU(m1) U(SKU): s1=SigU(m1) s’2=SigU(m2) F(K’F): s’1=g(m1) U(K”U): s’2=g(m2) F(SKF): s’1=SigF(m1) F(DKF): s2=SigF(m2) s2=SigF(m2)

  25. Specialized Encryption UPFEl-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) • RSA: E = ( Gen, Enc(m) = me mod n, Dec(c) = cd mod n ) • Idea: split the secret key into two shares. • ( EKU , DKU )  Gen • EKU = e ; DKU = d = d1 * d2 ; KP = d1 KF = d2 • UEnc( m ) = Enc(m ) = me mod n • UDec( c ) = Dec( c ) = ce mod n • f( c ) = cd2 mod n = c’ ; p( c’ ) = cd1 mod n • f( p( Enc( m ) ) ) = m • RSA-UPF is unidirectionally OW secure. • Open problem: design scheme for Cramer-Shoup (CCA) DKU=d1 * d2 KP=d1 KF =d2

  26. DK1,DK2 DK1,DK3 DK3,DK2 Generic Encryption BPF • Idea: P “re-encrypts” c = Enc(m) with a key shared by U and F. • E = ( Gen , Enc , Dec ) • BiGen: ( EK1,DK1, EK2,DK2, EK3,DK3)  Gen ; DKU = ( DK1,DK2 ) ; DKF = ( DK2,DK3 ) ; KP = ( DK1,DK3 ) • BiEnc(m) = Enc1( Enc2( m ) ) = c • BiDec(c) = Dec2( Dec1 ( c ) ) = m • ( c ) = Enc3( Dec1(c ) ) = c’ • E’ is bidirectionally CCA2 secure if E is CCA2 secure.

  27. Specialized Encryption BPF • El-Gamal (CPA): • E = ( Gen, Enc(m) = ( gr , grx m), Dec(c)= grxm/(gr)x ) • ( EKU = gx1, DKU = x1 )  Gen ; ( EKF = gx2 ,DKF = x2 )  Gen ; • KP = DKF – DKU = x2-x1 • BiEncU( m ) = EncU(m ) = ( gr , grx1 m) • BiDecU( c ) = DecU( c ) = grx1m/(gr)x1 • P( BiEncU( m ) ) = ( gr , grx1 m gr(x2-x1)) = (gr , grx2m) • BiDecF( P( BiEncU( m ) ) ) = m • El-Gamal-BPF is bidirectionally CPA secure. • Note: RSA cannot be made bidirectional (because of factorization). In the case of El-Gamal, it is safe to publish the public keys.

More Related