# PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003.

## Presentation on theme: "PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003."— Presentation transcript:

PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003

PDSG NYU 2 Outline of the talk  Introduction – What and Why?  Related work  Unidirectional (UPF ) vs. Bidirectional (BPF)  Encryption UPF  Encryption BPF  Signature UPF & BPF  Conclusions

PDSG NYU 3 Introduction  Problem:  Allow Bob to decrypt ciphertext or sign messages on behalf of Alice, without knowing the secret key of Alice.  Solution:  Third party (Escrow) helps Bob  Proxy functions  Our goal:  Formalize and clarify the notion proxy functions  Construct simple schemes satisfying the formal definitions

PDSG NYU 4 Scenario: Key Escrow User FBI I have a warrant to monitor email for one week. Escrow (ISP)

PDSG NYU 5 Scenario: Key Escrow User FBI I have a warrant to monitor email for one week. Escrow (ISP)

PDSG NYU 6 Related work  Atomic proxy functions [BlSt98]  Mobile agents proxy signatures [KBKL01,LKK01]  Proxy signature is different from original signature  Two-party signatures [BeSa02,MR01a,MR01b,NKDM03]  Interactive protocols  Two-party encryption [Mac03]  Interactive protocols  Threshold cryptography [Des89,…]

PDSG NYU 7 Blaze/Strauss scheme – closer look [BlSt98]  Informal definition for encryption/signature proxy functions  Try to modify existing cryptographic primitives to satisfy the definitions  Result:  Weak security guarantees  Semi-formal implementations  El-Gamal encryption  Modified Fiat-Shamir signatures [IvDo03]  Starting with the problem at hand, create formal model and definitions  Design simple, possibly new schemes that satisfy the definitions  Result:  Strong, formal security guarantees  Encryption and signatures (…)  Unidirectional and bidirectional

PDSG NYU 8 Unidirectional proxy function (UPF) Bob Alice Key distribution Escrow

PDSG NYU 9 Bidirectional proxy function (BPF) Bob Alice Key distribution Escrow

PDSG NYU 10 Definition of UPF Encryption Bob Alice Key distribution Escrow UEnc UDec c=UEnc(m) c’=p(c) m=f(c’)

PDSG NYU 11 Encryption UPF - Security  Classic CCA: “The only way to decrypt c = Enc(m) of an unknown message m, is to ask the decryptor to decrypt c.”  Unidirectional proxy functions CCA:  CCA secure against Bob when helped by Escrow: “The only way for Bob to decrypt c = Enc(m) of an unknown message m is by asking Escrow to transform c with p(c).”  CCA secure against Escrow when helped by Bob: “The only way for Escrow to decrypt c = Enc(m) of an unknown message m is to ask Bob to decrypt c’ = f(c).”  Similarly, we can define CPA and OW security.

PDSG NYU 12 Generic Encryption UPF DK2DK1 E2E1 D2D1 c’=D1(c) c=E1(E2(m)) Key distribution BobAliceEscrow DK1,DK2 EK1,EK2 DK1,DK2 m=D2(c’) DK2DK1

PDSG NYU 13 Bob AliceEscrow Key distribution Specialized UPF Encryption El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) DK=d=d1*d2 d2d1 d2d1 c=m e mod n c c’=c d1 mod n m=c’ d2 mod n m=c d mod n d=d1 * d2 EK=e

PDSG NYU 14 Definition of BPF Encryption Bob Alice Key distribution Escrow c=BEnc(m)m=BDec(c) c c’=  (c) m=BDec(c’)

PDSG NYU 15 Encryption BPF - Security  BPF Alice  Bob = UPF Alice  Bob + UPF Bob  Alice  Bidirectional proxy functions CCA:  CCA secure against Alice when helped by Escrow  CCA secure against Escrow when helped by Alice  CCA secure against Bob when helped by Escrow  CCA secure against Escrow when helped by Bob  Similarly, we can define CPA and OW security.

PDSG NYU 16 Generic Encryption BPF DK2,DK3 BobAlice Escrow Key distribution DK1,DK2 DK3,DK1 E1 E2D2 D1 D2E3 D3D1 E3E1 DK1,DK2 DK3,DK1 EK1,EK2,EK3

PDSG NYU 17 Specialized Encryption BPF El-Gamal (CPA) BobAlice Key distribution Escrow x2-x1x2-x1 DK1=x 1 DK2=x 2 x2-x1 c=(g r,mg rx1 ) m=c/g rx1 c c’=(g r,mg rx1 g r(x2-x1) ) c’ m=c’/g rx2 x1x1 x2x2 EK1=g x1,EK2=g x2

PDSG NYU 18 Signatures  Signatures schemes are similar to encryption schemes.  Signatures UPF  S’ = ( UniGen, UniSig, UniVer, PSig, FSig )  Generic UPF (UF-CMA)  Specialized UPF – RSA-Hash  Signatures BPF  S’ = ( BiGen, BiSig, BiVer,  )  Generic Signatures BPF

PDSG NYU 19 Conclusions  Start from the problem formulated in [BlSt98]  Created formal model and security definitions  Designed simple schemes  Encryption & Signatures; UPF/BPF; Generic and Specialized  Future work:  Generic schemes have a factor of two slowdown compared to classic schemes.  Specialized schemes eliminate the slowdown, but could not create specialized schemes for all classic schemes (e.g. Cramer-Shoup).  Better scalability to multi-user setting.  Natural asymmetric proxy functions.

PDSG NYU 20 Thank you. http://www.cs.nyu.edu/ivan/papers.htm

PDSG NYU 21 Scenario 1: I am going away for one week. Please cooperate. Vice-president 2Vice-president 1 President

PDSG NYU 22 Unidirectional vs. Bidirectional  Scenario 1: Can the vice-presidents have “meaningful” keys?  Scenario 2: Can the FBI have a “meaningful” key?  A “meaningful” key is a key that can be used by itself for signature/encryption.  Unidirectional:  “Meaningful” K U  K F, K P s.t. both K F and K P have no meaning on their own.  FBI and Proxy should not be able to attack the User without cooperation.  Bidirectional:  “Meaningful” K U, K F  K P s.t. only K P has no “meaning”  FBI and Proxy should not be able to attack the User without cooperation.  User and Proxy should not be able to attack the FBI without cooperation.

PDSG NYU 23 Encryption proxy functions BidirectionalUnidirectional c 1 =Enc U (m 1 )U(DK U ): m 1 =Dec U (c 1 ) c 2 =Enc F (m 2 ) m 2 =Dec U (c’ 2 ) P(K P ): c’ 1 =  P (c 1 ) m 2 =Dec F (c 2 ) c 1 =Enc U (m 1 )U(DK U ): m 1 =Dec U (c 1 ) P(K’ P ): c’ 1 = f(c 1 ) F(K’ F ): m 1 =g(c’ 1 ) c 2 =Enc F (m 2 ) F(DK F ): m 2 =Dec F (c 2 ) P(K” P ): c 2 ’= f(c 2 )U(K” U ): m 2 =g(c’ 2 ) P(K P ): c’ 2 =  P (c 2 ) F(DK F ): m 1 =Dec F (c’ 1 )

PDSG NYU 24 Signature proxy functions BidirectionalUnidirectional T=Ver U (s 1 )U(SK U ): s 1 =Sig U (m 1 ) s’ 2 =Sig U (m 2 ) s 2 =Sig F (m 2 )T=Ver F (s 2 ) T=Ver U (s 1 )U(SK U ): s 1 =Sig U (m 1 ) P(K’ P ): s 1 = f(s’ 1 )F(K’ F ): s’ 1 =g(m 1 ) T=Ver F (s 2 ) F(DK F ): s 2 =Sig F (m 2 ) P(K” P ): s 2 = f(s’ 2 )U(K” U ): s’ 2 =g(m 2 ) F(SK F ): s’ 1 =Sig F (m 1 ) P(K P ): s 1 =  P (s’ 1 ) P(K P ): s 2 =  P (s’ 2 )

PDSG NYU 25 Specialized Encryption UPF El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)  RSA: E = ( Gen, Enc(m) = m e mod n, Dec(c) = c d mod n )  Idea: split the secret key into two shares.  ( EK U, DK U )  Gen  EK U = e ; DK U = d = d 1 * d 2 ; K P = d 1 K F = d 2  UEnc( m ) = Enc(m ) = m e mod n  UDec( c ) = Dec( c ) = c e mod n  f( c ) = c d2 mod n = c’ ; p( c’ ) = c d1 mod n  f( p( Enc( m ) ) ) = m  RSA-UPF is unidirectionally OW secure.  Open problem: design scheme for Cramer-Shoup (CCA) DK U =d 1 * d 2 K P =d 1 K F =d 2

PDSG NYU 26 Generic Encryption BPF  Idea: P “re-encrypts” c = Enc(m) with a key shared by U and F.  E = ( Gen, Enc, Dec )  BiGen: ( EK 1,DK 1, EK 2,DK 2, EK 3,DK 3 )  Gen ; DK U = ( DK 1,DK 2 ) ; DK F = ( DK 2,DK 3 ) ; K P = ( DK 1,DK 3 )  BiEnc(m) = Enc 1 ( Enc 2 ( m ) ) = c  BiDec(c) = Dec 2 ( Dec 1 ( c ) ) = m   ( c ) = Enc 3 ( Dec 1 (c ) ) = c’  E’ is bidirectionally CCA2 secure if E is CCA2 secure. DK1,DK2 DK3,DK2DK1,DK3

PDSG NYU 27 Specialized Encryption BPF  El-Gamal (CPA):  E = ( Gen, Enc(m) = ( g r, g rx m ), Dec(c)= g rx m/(g r ) x )  ( EK U = g x1, DK U = x 1 )  Gen ; ( EK F = g x2,DK F = x 2 )  Gen ;  K P = DK F – DK U = x 2 -x 1  BiEnc U ( m ) = Enc U (m ) = ( g r, g rx1 m )  BiDec U ( c ) = Dec U ( c ) = g rx1 m/(g r ) x1   P ( BiEnc U ( m ) ) = ( g r, g rx1 m g r(x2-x1) ) = (g r, g rx2 m)  BiDec F (  P ( BiEnc U ( m ) ) ) = m  El-Gamal-BPF is bidirectionally CPA secure.  Note: RSA cannot be made bidirectional (because of factorization). In the case of El-Gamal, it is safe to publish the public keys.

Download ppt "PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003."

Similar presentations