Presentation is loading. Please wait.

Presentation is loading. Please wait.

PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003.

Published byRudy Barns Modified over 9 years ago

Similar presentations

Presentation on theme: "PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003."— Presentation transcript:

1 PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003

2 PDSG NYU 2 Outline of the talk  Introduction – What and Why?  Related work  Unidirectional (UPF ) vs. Bidirectional (BPF)  Encryption UPF  Encryption BPF  Signature UPF & BPF  Conclusions

3 PDSG NYU 3 Introduction  Problem:  Allow Bob to decrypt ciphertext or sign messages on behalf of Alice, without knowing the secret key of Alice.  Solution:  Third party (Escrow) helps Bob  Proxy functions  Our goal:  Formalize and clarify the notion proxy functions  Construct simple schemes satisfying the formal definitions

4 PDSG NYU 4 Scenario: Key Escrow User FBI I have a warrant to monitor email for one week. Escrow (ISP)

5 PDSG NYU 5 Scenario: Key Escrow User FBI I have a warrant to monitor email for one week. Escrow (ISP)

6 PDSG NYU 6 Related work  Atomic proxy functions [BlSt98]  Mobile agents proxy signatures [KBKL01,LKK01]  Proxy signature is different from original signature  Two-party signatures [BeSa02,MR01a,MR01b,NKDM03]  Interactive protocols  Two-party encryption [Mac03]  Interactive protocols  Threshold cryptography [Des89,…]

7 PDSG NYU 7 Blaze/Strauss scheme – closer look [BlSt98]  Informal definition for encryption/signature proxy functions  Try to modify existing cryptographic primitives to satisfy the definitions  Result:  Weak security guarantees  Semi-formal implementations  El-Gamal encryption  Modified Fiat-Shamir signatures [IvDo03]  Starting with the problem at hand, create formal model and definitions  Design simple, possibly new schemes that satisfy the definitions  Result:  Strong, formal security guarantees  Encryption and signatures (…)  Unidirectional and bidirectional

8 PDSG NYU 8 Unidirectional proxy function (UPF) Bob Alice Key distribution Escrow

9 PDSG NYU 9 Bidirectional proxy function (BPF) Bob Alice Key distribution Escrow

10 PDSG NYU 10 Definition of UPF Encryption Bob Alice Key distribution Escrow UEnc UDec c=UEnc(m) c’=p(c) m=f(c’)

11 PDSG NYU 11 Encryption UPF - Security  Classic CCA: “The only way to decrypt c = Enc(m) of an unknown message m, is to ask the decryptor to decrypt c.”  Unidirectional proxy functions CCA:  CCA secure against Bob when helped by Escrow: “The only way for Bob to decrypt c = Enc(m) of an unknown message m is by asking Escrow to transform c with p(c).”  CCA secure against Escrow when helped by Bob: “The only way for Escrow to decrypt c = Enc(m) of an unknown message m is to ask Bob to decrypt c’ = f(c).”  Similarly, we can define CPA and OW security.

12 PDSG NYU 12 Generic Encryption UPF DK2DK1 E2E1 D2D1 c’=D1(c) c=E1(E2(m)) Key distribution BobAliceEscrow DK1,DK2 EK1,EK2 DK1,DK2 m=D2(c’) DK2DK1

13 PDSG NYU 13 Bob AliceEscrow Key distribution Specialized UPF Encryption El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) DK=d=d1*d2 d2d1 d2d1 c=m e mod n c c’=c d1 mod n m=c’ d2 mod n m=c d mod n d=d1 * d2 EK=e

14 PDSG NYU 14 Definition of BPF Encryption Bob Alice Key distribution Escrow c=BEnc(m)m=BDec(c) c c’=  (c) m=BDec(c’)

15 PDSG NYU 15 Encryption BPF - Security  BPF Alice  Bob = UPF Alice  Bob + UPF Bob  Alice  Bidirectional proxy functions CCA:  CCA secure against Alice when helped by Escrow  CCA secure against Escrow when helped by Alice  CCA secure against Bob when helped by Escrow  CCA secure against Escrow when helped by Bob  Similarly, we can define CPA and OW security.

16 PDSG NYU 16 Generic Encryption BPF DK2,DK3 BobAlice Escrow Key distribution DK1,DK2 DK3,DK1 E1 E2D2 D1 D2E3 D3D1 E3E1 DK1,DK2 DK3,DK1 EK1,EK2,EK3

17 PDSG NYU 17 Specialized Encryption BPF El-Gamal (CPA) BobAlice Key distribution Escrow x2-x1x2-x1 DK1=x 1 DK2=x 2 x2-x1 c=(g r,mg rx1 ) m=c/g rx1 c c’=(g r,mg rx1 g r(x2-x1) ) c’ m=c’/g rx2 x1x1 x2x2 EK1=g x1,EK2=g x2

18 PDSG NYU 18 Signatures  Signatures schemes are similar to encryption schemes.  Signatures UPF  S’ = ( UniGen, UniSig, UniVer, PSig, FSig )  Generic UPF (UF-CMA)  Specialized UPF – RSA-Hash  Signatures BPF  S’ = ( BiGen, BiSig, BiVer,  )  Generic Signatures BPF

19 PDSG NYU 19 Conclusions  Start from the problem formulated in [BlSt98]  Created formal model and security definitions  Designed simple schemes  Encryption & Signatures; UPF/BPF; Generic and Specialized  Future work:  Generic schemes have a factor of two slowdown compared to classic schemes.  Specialized schemes eliminate the slowdown, but could not create specialized schemes for all classic schemes (e.g. Cramer-Shoup).  Better scalability to multi-user setting.  Natural asymmetric proxy functions.

20 PDSG NYU 20 Thank you. http://www.cs.nyu.edu/ivan/papers.htm

21 PDSG NYU 21 Scenario 1: I am going away for one week. Please cooperate. Vice-president 2Vice-president 1 President

22 PDSG NYU 22 Unidirectional vs. Bidirectional  Scenario 1: Can the vice-presidents have “meaningful” keys?  Scenario 2: Can the FBI have a “meaningful” key?  A “meaningful” key is a key that can be used by itself for signature/encryption.  Unidirectional:  “Meaningful” K U  K F, K P s.t. both K F and K P have no meaning on their own.  FBI and Proxy should not be able to attack the User without cooperation.  Bidirectional:  “Meaningful” K U, K F  K P s.t. only K P has no “meaning”  FBI and Proxy should not be able to attack the User without cooperation.  User and Proxy should not be able to attack the FBI without cooperation.

23 PDSG NYU 23 Encryption proxy functions BidirectionalUnidirectional c 1 =Enc U (m 1 )U(DK U ): m 1 =Dec U (c 1 ) c 2 =Enc F (m 2 ) m 2 =Dec U (c’ 2 ) P(K P ): c’ 1 =  P (c 1 ) m 2 =Dec F (c 2 ) c 1 =Enc U (m 1 )U(DK U ): m 1 =Dec U (c 1 ) P(K’ P ): c’ 1 = f(c 1 ) F(K’ F ): m 1 =g(c’ 1 ) c 2 =Enc F (m 2 ) F(DK F ): m 2 =Dec F (c 2 ) P(K” P ): c 2 ’= f(c 2 )U(K” U ): m 2 =g(c’ 2 ) P(K P ): c’ 2 =  P (c 2 ) F(DK F ): m 1 =Dec F (c’ 1 )

24 PDSG NYU 24 Signature proxy functions BidirectionalUnidirectional T=Ver U (s 1 )U(SK U ): s 1 =Sig U (m 1 ) s’ 2 =Sig U (m 2 ) s 2 =Sig F (m 2 )T=Ver F (s 2 ) T=Ver U (s 1 )U(SK U ): s 1 =Sig U (m 1 ) P(K’ P ): s 1 = f(s’ 1 )F(K’ F ): s’ 1 =g(m 1 ) T=Ver F (s 2 ) F(DK F ): s 2 =Sig F (m 2 ) P(K” P ): s 2 = f(s’ 2 )U(K” U ): s’ 2 =g(m 2 ) F(SK F ): s’ 1 =Sig F (m 1 ) P(K P ): s 1 =  P (s’ 1 ) P(K P ): s 2 =  P (s’ 2 )

25 PDSG NYU 25 Specialized Encryption UPF El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)  RSA: E = ( Gen, Enc(m) = m e mod n, Dec(c) = c d mod n )  Idea: split the secret key into two shares.  ( EK U, DK U )  Gen  EK U = e ; DK U = d = d 1 * d 2 ; K P = d 1 K F = d 2  UEnc( m ) = Enc(m ) = m e mod n  UDec( c ) = Dec( c ) = c e mod n  f( c ) = c d2 mod n = c’ ; p( c’ ) = c d1 mod n  f( p( Enc( m ) ) ) = m  RSA-UPF is unidirectionally OW secure.  Open problem: design scheme for Cramer-Shoup (CCA) DK U =d 1 * d 2 K P =d 1 K F =d 2

26 PDSG NYU 26 Generic Encryption BPF  Idea: P “re-encrypts” c = Enc(m) with a key shared by U and F.  E = ( Gen, Enc, Dec )  BiGen: ( EK 1,DK 1, EK 2,DK 2, EK 3,DK 3 )  Gen ; DK U = ( DK 1,DK 2 ) ; DK F = ( DK 2,DK 3 ) ; K P = ( DK 1,DK 3 )  BiEnc(m) = Enc 1 ( Enc 2 ( m ) ) = c  BiDec(c) = Dec 2 ( Dec 1 ( c ) ) = m   ( c ) = Enc 3 ( Dec 1 (c ) ) = c’  E’ is bidirectionally CCA2 secure if E is CCA2 secure. DK1,DK2 DK3,DK2DK1,DK3

27 PDSG NYU 27 Specialized Encryption BPF  El-Gamal (CPA):  E = ( Gen, Enc(m) = ( g r, g rx m ), Dec(c)= g rx m/(g r ) x )  ( EK U = g x1, DK U = x 1 )  Gen ; ( EK F = g x2,DK F = x 2 )  Gen ;  K P = DK F – DK U = x 2 -x 1  BiEnc U ( m ) = Enc U (m ) = ( g r, g rx1 m )  BiDec U ( c ) = Dec U ( c ) = g rx1 m/(g r ) x1   P ( BiEnc U ( m ) ) = ( g r, g rx1 m g r(x2-x1) ) = (g r, g rx2 m)  BiDec F (  P ( BiEnc U ( m ) ) ) = m  El-Gamal-BPF is bidirectionally CPA secure.  Note: RSA cannot be made bidirectional (because of factorization). In the case of El-Gamal, it is safe to publish the public keys.

Download ppt "PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003."

Similar presentations

1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
7. Asymmetric encryption-

7. Asymmetric encryption-
TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)

TAMPER DETECTION AND NON-MALLEABLE CODES Daniel Wichs (Northeastern U)
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Identity Based Encryption

Identity Based Encryption

Similar presentations

Ads by Google