Post on 16-Dec-2015
PDSGNYU
1
Proxy Cryptography Revisited
Anca-Andreea Ivan , Yevgeniy Dodis
New York University
NDSS 2003
PDSGNYU
2
Outline of the talk
Introduction – What and Why? Related work Unidirectional (UPF ) vs. Bidirectional (BPF) Encryption UPF Encryption BPF Signature UPF & BPF Conclusions
PDSGNYU
3
Introduction
Problem: Allow Bob to decrypt ciphertext or sign messages on behalf
of Alice, without knowing the secret key of Alice. Solution:
Third party (Escrow) helps Bob Proxy functions
Our goal: Formalize and clarify the notion proxy functions Construct simple schemes satisfying the formal definitions
PDSGNYU
4
Scenario: Key Escrow
User
FBII have a warrant
to monitor email
for one week.
Escrow
(ISP)
PDSGNYU
5
Scenario: Key Escrow
User
FBII have a warrant
to monitor email
for one week.
Escrow
(ISP)
PDSGNYU
6
Related work
Atomic proxy functions [BlSt98] Mobile agents proxy signatures [KBKL01,LKK01]
Proxy signature is different from original signature Two-party signatures [BeSa02,MR01a,MR01b,NKDM03]
Interactive protocols Two-party encryption [Mac03]
Interactive protocols Threshold cryptography [Des89,…]
PDSGNYU
7
Blaze/Strauss scheme – closer look
[BlSt98] Informal definition for
encryption/signature proxy functions
Try to modify existing cryptographic primitives to satisfy the definitions
Result: Weak security guarantees Semi-formal implementations El-Gamal encryption Modified Fiat-Shamir
signatures
[IvDo03] Starting with the problem at hand,
create formal model and definitions
Design simple, possibly new schemes that satisfy the definitions
Result: Strong, formal security
guarantees Encryption and signatures (…) Unidirectional and
bidirectional
PDSGNYU
8
Unidirectional proxy function (UPF)
BobAlice
Key distribution
Escrow
PDSGNYU
9
Bidirectional proxy function (BPF)
BobAlice
Key distribution
Escrow
PDSGNYU
10
Definition of UPF Encryption
BobAlice
Key distribution
Escrow
UEnc
UDec
c=UEnc(m)c’=p(c) m=f(c’)
PDSGNYU
11
Encryption UPF - Security
Classic CCA: “The only way to decrypt c = Enc(m) of an unknown message m, is to ask the decryptor to decrypt c.”
Unidirectional proxy functions CCA: CCA secure against Bob when helped by Escrow: “The only
way for Bob to decrypt c = Enc(m) of an unknown message m is by asking Escrow to transform c with p(c).”
CCA secure against Escrow when helped by Bob: “The only way for Escrow to decrypt c = Enc(m) of an unknown message m is to ask Bob to decrypt c’ = f(c) .”
Similarly, we can define CPA and OW security.
PDSGNYU
12
Generic Encryption UPF
DK2DK1
E2 E1
D2 D1c’=D1(c)
c=E1(E2(m))
Key distribution
BobAlice Escrow
DK1,DK2
EK1,EK2
DK1,DK2
m=D2(c’)
DK2DK1
PDSGNYU
13
BobAlice Escrow
Key distribution
Specialized UPF Encryption El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)
DK=d=d1*d2
d2d1
d2d1
c=me mod n
cc’=cd1 mod n m=c’d2 mod n
m=cd mod n
d=d1 * d2
EK=e
PDSGNYU
14
Definition of BPF Encryption
BobAlice
Key distribution
Escrow
c=BEnc(m)
m=BDec(c)c c’=(c)
m=BDec(c’)
PDSGNYU
15
Encryption BPF - Security
BPF Alice Bob = UPF Alice Bob +
UPF Bob Alice Bidirectional proxy functions CCA:
CCA secure against Alice when helped by Escrow CCA secure against Escrow when helped by Alice CCA secure against Bob when helped by Escrow CCA secure against Escrow when helped by Bob
Similarly, we can define CPA and OW security.
PDSGNYU
16
Generic Encryption BPF
DK2,DK3
DK2,DK3
BobAlice Escrow
Key distribution
DK1,DK2DK3,DK1
E1 E2
D2D1D2 E3 D3 D1
E3 E1
DK1,DK2 DK3,DK1
EK1,EK2,EK3
PDSGNYU
17
Specialized Encryption BPFEl-Gamal (CPA)
BobAlice
Key distribution
Escrow
x2-x1
DK1=x1DK2=x2
x2-x1
c=(gr,mgrx1)
m=c/grx1
c c’=(gr,mgrx1gr(x2-x1))c’ m=c’/grx2
x1 x2
EK1=gx1,EK2=gx2
PDSGNYU
18
Signatures
Signatures schemes are similar to encryption schemes.
Signatures UPF S’ = ( UniGen , UniSig , UniVer , PSig , FSig ) Generic UPF (UF-CMA) Specialized UPF – RSA-Hash
Signatures BPF S’ = ( BiGen , BiSig , BiVer , ) Generic Signatures BPF
PDSGNYU
19
Conclusions
Start from the problem formulated in [BlSt98] Created formal model and security definitions Designed simple schemes
Encryption & Signatures; UPF/BPF; Generic and Specialized Future work:
Generic schemes have a factor of two slowdown compared to classic schemes.
Specialized schemes eliminate the slowdown, but could not create specialized schemes for all classic schemes (e.g. Cramer-Shoup).
Better scalability to multi-user setting. Natural asymmetric proxy functions.
PDSGNYU
20
Thank you.
http://www.cs.nyu.edu/ivan/papers.htm
PDSGNYU
21
Scenario 1:
I am going away
for one week. Please cooperate.
Vice-president 2Vice-president 1
President
PDSGNYU
22
Unidirectional vs. Bidirectional
Scenario 1: Can the vice-presidents have “meaningful” keys? Scenario 2: Can the FBI have a “meaningful” key? A “meaningful” key is a key that can be used by itself for
signature/encryption. Unidirectional:
“Meaningful” KU KF , KP s.t. both KF and KP have no meaning on their own. FBI and Proxy should not be able to attack the User without cooperation.
Bidirectional: “Meaningful” KU , KF KP s.t. only KP has no “meaning” FBI and Proxy should not be able to attack the User without cooperation. User and Proxy should not be able to attack the FBI without cooperation.
PDSGNYU
23
Encryption proxy functions
Bidirectional Unidirectional
c1=EncU(m1) U(DKU): m1=DecU(c1)
c2=EncF(m2)
m2=DecU(c’2)
P(KP): c’1= P (c1)
m2=DecF(c2)
c1=EncU(m1) U(DKU): m1=DecU(c1)
P(K’P): c’1= f(c1) F(K’F): m1=g(c’1)
c2=EncF(m2) F(DKF): m2=DecF(c2)
P(K”P): c2’= f(c2) U(K”U): m2=g(c’2)
P(KP): c’2= P (c2)
F(DKF): m1=DecF(c’1)
PDSGNYU
24
Signature proxy functions
Bidirectional Unidirectional
T=VerU(s1) U(SKU): s1=SigU(m1)s’2=SigU(m2)
s2=SigF(m2) T=VerF(s2)
T=VerU(s1) U(SKU): s1=SigU(m1)
P(K’P): s1= f(s’1) F(K’F): s’1=g(m1)
T=VerF(s2) F(DKF): s2=SigF(m2)
P(K”P): s2= f(s’2) U(K”U): s’2=g(m2)
F(SKF): s’1=SigF(m1)
P(KP): s1= P (s’1)P(KP): s2= P (s’2)
PDSGNYU
25
Specialized Encryption UPFEl-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)
RSA: E = ( Gen, Enc(m) = me mod n, Dec(c) = cd mod n ) Idea: split the secret key into two shares. ( EKU , DKU ) Gen EKU = e ; DKU = d = d1 * d2 ; KP = d1 KF = d2
UEnc( m ) = Enc(m ) = me mod n UDec( c ) = Dec( c ) = ce mod n f( c ) = cd2 mod n = c’ ; p( c’ ) = cd1 mod n f( p( Enc( m ) ) ) = m RSA-UPF is unidirectionally OW secure.
Open problem: design scheme for Cramer-Shoup (CCA)
DKU=d1 * d2
KP=d1 KF =d2
PDSGNYU
26
Generic Encryption BPF
Idea: P “re-encrypts” c = Enc(m) with a key shared by U and F.
E = ( Gen , Enc , Dec ) BiGen:
( EK1,DK1, EK2,DK2, EK3,DK3) Gen ;
DKU = ( DK1,DK2 ) ; DKF = ( DK2,DK3 ) ;
KP = ( DK1,DK3 ) BiEnc(m) = Enc1( Enc2( m ) ) = c BiDec(c) = Dec2( Dec1 ( c ) ) = m ( c ) = Enc3( Dec1(c ) ) = c’
E’ is bidirectionally CCA2 secure if E is CCA2 secure.
DK1,DK2
DK3,DK2DK1,DK3
PDSGNYU
27
Specialized Encryption BPF
El-Gamal (CPA):
E = ( Gen, Enc(m) = ( gr , grx m ), Dec(c)= grxm/(gr)x )
( EKU = gx1, DKU = x1 ) Gen ; ( EKF = gx2 ,DKF = x2 ) Gen ;
KP = DKF – DKU = x2-x1
BiEncU( m ) = EncU(m ) = ( gr , grx1 m )
BiDecU( c ) = DecU( c ) = grx1m/(gr)x1
P( BiEncU( m ) ) = ( gr , grx1 m gr(x2-x1) ) = (gr , grx2m)
BiDecF( P( BiEncU( m ) ) ) = m
El-Gamal-BPF is bidirectionally CPA secure.
Note: RSA cannot be made bidirectional (because of factorization). In the case of El-Gamal, it is safe to publish the public keys.