Presentation on theme: "PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003."— Presentation transcript:
PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003
PDSG NYU 2 Outline of the talk Introduction – What and Why? Related work Unidirectional (UPF ) vs. Bidirectional (BPF) Encryption UPF Encryption BPF Signature UPF & BPF Conclusions
PDSG NYU 3 Introduction Problem: Allow Bob to decrypt ciphertext or sign messages on behalf of Alice, without knowing the secret key of Alice. Solution: Third party (Escrow) helps Bob Proxy functions Our goal: Formalize and clarify the notion proxy functions Construct simple schemes satisfying the formal definitions
PDSG NYU 4 Scenario: Key Escrow User FBI I have a warrant to monitor email for one week. Escrow (ISP)
PDSG NYU 5 Scenario: Key Escrow User FBI I have a warrant to monitor email for one week. Escrow (ISP)
PDSG NYU 6 Related work Atomic proxy functions [BlSt98] Mobile agents proxy signatures [KBKL01,LKK01] Proxy signature is different from original signature Two-party signatures [BeSa02,MR01a,MR01b,NKDM03] Interactive protocols Two-party encryption [Mac03] Interactive protocols Threshold cryptography [Des89,…]
PDSG NYU 7 Blaze/Strauss scheme – closer look [BlSt98] Informal definition for encryption/signature proxy functions Try to modify existing cryptographic primitives to satisfy the definitions Result: Weak security guarantees Semi-formal implementations El-Gamal encryption Modified Fiat-Shamir signatures [IvDo03] Starting with the problem at hand, create formal model and definitions Design simple, possibly new schemes that satisfy the definitions Result: Strong, formal security guarantees Encryption and signatures (…) Unidirectional and bidirectional
PDSG NYU 8 Unidirectional proxy function (UPF) Bob Alice Key distribution Escrow
PDSG NYU 9 Bidirectional proxy function (BPF) Bob Alice Key distribution Escrow
PDSG NYU 10 Definition of UPF Encryption Bob Alice Key distribution Escrow UEnc UDec c=UEnc(m) c’=p(c) m=f(c’)
PDSG NYU 11 Encryption UPF - Security Classic CCA: “The only way to decrypt c = Enc(m) of an unknown message m, is to ask the decryptor to decrypt c.” Unidirectional proxy functions CCA: CCA secure against Bob when helped by Escrow: “The only way for Bob to decrypt c = Enc(m) of an unknown message m is by asking Escrow to transform c with p(c).” CCA secure against Escrow when helped by Bob: “The only way for Escrow to decrypt c = Enc(m) of an unknown message m is to ask Bob to decrypt c’ = f(c).” Similarly, we can define CPA and OW security.
PDSG NYU 12 Generic Encryption UPF DK2DK1 E2E1 D2D1 c’=D1(c) c=E1(E2(m)) Key distribution BobAliceEscrow DK1,DK2 EK1,EK2 DK1,DK2 m=D2(c’) DK2DK1
PDSG NYU 13 Bob AliceEscrow Key distribution Specialized UPF Encryption El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) DK=d=d1*d2 d2d1 d2d1 c=m e mod n c c’=c d1 mod n m=c’ d2 mod n m=c d mod n d=d1 * d2 EK=e
PDSG NYU 14 Definition of BPF Encryption Bob Alice Key distribution Escrow c=BEnc(m)m=BDec(c) c c’= (c) m=BDec(c’)
PDSG NYU 15 Encryption BPF - Security BPF Alice Bob = UPF Alice Bob + UPF Bob Alice Bidirectional proxy functions CCA: CCA secure against Alice when helped by Escrow CCA secure against Escrow when helped by Alice CCA secure against Bob when helped by Escrow CCA secure against Escrow when helped by Bob Similarly, we can define CPA and OW security.
PDSG NYU 17 Specialized Encryption BPF El-Gamal (CPA) BobAlice Key distribution Escrow x2-x1x2-x1 DK1=x 1 DK2=x 2 x2-x1 c=(g r,mg rx1 ) m=c/g rx1 c c’=(g r,mg rx1 g r(x2-x1) ) c’ m=c’/g rx2 x1x1 x2x2 EK1=g x1,EK2=g x2
PDSG NYU 18 Signatures Signatures schemes are similar to encryption schemes. Signatures UPF S’ = ( UniGen, UniSig, UniVer, PSig, FSig ) Generic UPF (UF-CMA) Specialized UPF – RSA-Hash Signatures BPF S’ = ( BiGen, BiSig, BiVer, ) Generic Signatures BPF
PDSG NYU 19 Conclusions Start from the problem formulated in [BlSt98] Created formal model and security definitions Designed simple schemes Encryption & Signatures; UPF/BPF; Generic and Specialized Future work: Generic schemes have a factor of two slowdown compared to classic schemes. Specialized schemes eliminate the slowdown, but could not create specialized schemes for all classic schemes (e.g. Cramer-Shoup). Better scalability to multi-user setting. Natural asymmetric proxy functions.
PDSG NYU 20 Thank you. http://www.cs.nyu.edu/ivan/papers.htm
PDSG NYU 21 Scenario 1: I am going away for one week. Please cooperate. Vice-president 2Vice-president 1 President
PDSG NYU 22 Unidirectional vs. Bidirectional Scenario 1: Can the vice-presidents have “meaningful” keys? Scenario 2: Can the FBI have a “meaningful” key? A “meaningful” key is a key that can be used by itself for signature/encryption. Unidirectional: “Meaningful” K U K F, K P s.t. both K F and K P have no meaning on their own. FBI and Proxy should not be able to attack the User without cooperation. Bidirectional: “Meaningful” K U, K F K P s.t. only K P has no “meaning” FBI and Proxy should not be able to attack the User without cooperation. User and Proxy should not be able to attack the FBI without cooperation.
PDSG NYU 23 Encryption proxy functions BidirectionalUnidirectional c 1 =Enc U (m 1 )U(DK U ): m 1 =Dec U (c 1 ) c 2 =Enc F (m 2 ) m 2 =Dec U (c’ 2 ) P(K P ): c’ 1 = P (c 1 ) m 2 =Dec F (c 2 ) c 1 =Enc U (m 1 )U(DK U ): m 1 =Dec U (c 1 ) P(K’ P ): c’ 1 = f(c 1 ) F(K’ F ): m 1 =g(c’ 1 ) c 2 =Enc F (m 2 ) F(DK F ): m 2 =Dec F (c 2 ) P(K” P ): c 2 ’= f(c 2 )U(K” U ): m 2 =g(c’ 2 ) P(K P ): c’ 2 = P (c 2 ) F(DK F ): m 1 =Dec F (c’ 1 )
PDSG NYU 24 Signature proxy functions BidirectionalUnidirectional T=Ver U (s 1 )U(SK U ): s 1 =Sig U (m 1 ) s’ 2 =Sig U (m 2 ) s 2 =Sig F (m 2 )T=Ver F (s 2 ) T=Ver U (s 1 )U(SK U ): s 1 =Sig U (m 1 ) P(K’ P ): s 1 = f(s’ 1 )F(K’ F ): s’ 1 =g(m 1 ) T=Ver F (s 2 ) F(DK F ): s 2 =Sig F (m 2 ) P(K” P ): s 2 = f(s’ 2 )U(K” U ): s’ 2 =g(m 2 ) F(SK F ): s’ 1 =Sig F (m 1 ) P(K P ): s 1 = P (s’ 1 ) P(K P ): s 2 = P (s’ 2 )
PDSG NYU 25 Specialized Encryption UPF El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) RSA: E = ( Gen, Enc(m) = m e mod n, Dec(c) = c d mod n ) Idea: split the secret key into two shares. ( EK U, DK U ) Gen EK U = e ; DK U = d = d 1 * d 2 ; K P = d 1 K F = d 2 UEnc( m ) = Enc(m ) = m e mod n UDec( c ) = Dec( c ) = c e mod n f( c ) = c d2 mod n = c’ ; p( c’ ) = c d1 mod n f( p( Enc( m ) ) ) = m RSA-UPF is unidirectionally OW secure. Open problem: design scheme for Cramer-Shoup (CCA) DK U =d 1 * d 2 K P =d 1 K F =d 2
PDSG NYU 26 Generic Encryption BPF Idea: P “re-encrypts” c = Enc(m) with a key shared by U and F. E = ( Gen, Enc, Dec ) BiGen: ( EK 1,DK 1, EK 2,DK 2, EK 3,DK 3 ) Gen ; DK U = ( DK 1,DK 2 ) ; DK F = ( DK 2,DK 3 ) ; K P = ( DK 1,DK 3 ) BiEnc(m) = Enc 1 ( Enc 2 ( m ) ) = c BiDec(c) = Dec 2 ( Dec 1 ( c ) ) = m ( c ) = Enc 3 ( Dec 1 (c ) ) = c’ E’ is bidirectionally CCA2 secure if E is CCA2 secure. DK1,DK2 DK3,DK2DK1,DK3
PDSG NYU 27 Specialized Encryption BPF El-Gamal (CPA): E = ( Gen, Enc(m) = ( g r, g rx m ), Dec(c)= g rx m/(g r ) x ) ( EK U = g x1, DK U = x 1 ) Gen ; ( EK F = g x2,DK F = x 2 ) Gen ; K P = DK F – DK U = x 2 -x 1 BiEnc U ( m ) = Enc U (m ) = ( g r, g rx1 m ) BiDec U ( c ) = Dec U ( c ) = g rx1 m/(g r ) x1 P ( BiEnc U ( m ) ) = ( g r, g rx1 m g r(x2-x1) ) = (g r, g rx2 m) BiDec F ( P ( BiEnc U ( m ) ) ) = m El-Gamal-BPF is bidirectionally CPA secure. Note: RSA cannot be made bidirectional (because of factorization). In the case of El-Gamal, it is safe to publish the public keys.