Download presentation

Presentation is loading. Please wait.

Published byRudy Barns Modified over 2 years ago

1
PDSG NYU 1 Proxy Cryptography Revisited Anca-Andreea Ivan, Yevgeniy Dodis New York University NDSS 2003

2
PDSG NYU 2 Outline of the talk Introduction – What and Why? Related work Unidirectional (UPF ) vs. Bidirectional (BPF) Encryption UPF Encryption BPF Signature UPF & BPF Conclusions

3
PDSG NYU 3 Introduction Problem: Allow Bob to decrypt ciphertext or sign messages on behalf of Alice, without knowing the secret key of Alice. Solution: Third party (Escrow) helps Bob Proxy functions Our goal: Formalize and clarify the notion proxy functions Construct simple schemes satisfying the formal definitions

4
PDSG NYU 4 Scenario: Key Escrow User FBI I have a warrant to monitor email for one week. Escrow (ISP)

5
PDSG NYU 5 Scenario: Key Escrow User FBI I have a warrant to monitor email for one week. Escrow (ISP)

6
PDSG NYU 6 Related work Atomic proxy functions [BlSt98] Mobile agents proxy signatures [KBKL01,LKK01] Proxy signature is different from original signature Two-party signatures [BeSa02,MR01a,MR01b,NKDM03] Interactive protocols Two-party encryption [Mac03] Interactive protocols Threshold cryptography [Des89,…]

7
PDSG NYU 7 Blaze/Strauss scheme – closer look [BlSt98] Informal definition for encryption/signature proxy functions Try to modify existing cryptographic primitives to satisfy the definitions Result: Weak security guarantees Semi-formal implementations El-Gamal encryption Modified Fiat-Shamir signatures [IvDo03] Starting with the problem at hand, create formal model and definitions Design simple, possibly new schemes that satisfy the definitions Result: Strong, formal security guarantees Encryption and signatures (…) Unidirectional and bidirectional

8
PDSG NYU 8 Unidirectional proxy function (UPF) Bob Alice Key distribution Escrow

9
PDSG NYU 9 Bidirectional proxy function (BPF) Bob Alice Key distribution Escrow

10
PDSG NYU 10 Definition of UPF Encryption Bob Alice Key distribution Escrow UEnc UDec c=UEnc(m) c’=p(c) m=f(c’)

11
PDSG NYU 11 Encryption UPF - Security Classic CCA: “The only way to decrypt c = Enc(m) of an unknown message m, is to ask the decryptor to decrypt c.” Unidirectional proxy functions CCA: CCA secure against Bob when helped by Escrow: “The only way for Bob to decrypt c = Enc(m) of an unknown message m is by asking Escrow to transform c with p(c).” CCA secure against Escrow when helped by Bob: “The only way for Escrow to decrypt c = Enc(m) of an unknown message m is to ask Bob to decrypt c’ = f(c).” Similarly, we can define CPA and OW security.

12
PDSG NYU 12 Generic Encryption UPF DK2DK1 E2E1 D2D1 c’=D1(c) c=E1(E2(m)) Key distribution BobAliceEscrow DK1,DK2 EK1,EK2 DK1,DK2 m=D2(c’) DK2DK1

13
PDSG NYU 13 Bob AliceEscrow Key distribution Specialized UPF Encryption El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) DK=d=d1*d2 d2d1 d2d1 c=m e mod n c c’=c d1 mod n m=c’ d2 mod n m=c d mod n d=d1 * d2 EK=e

14
PDSG NYU 14 Definition of BPF Encryption Bob Alice Key distribution Escrow c=BEnc(m)m=BDec(c) c c’= (c) m=BDec(c’)

15
PDSG NYU 15 Encryption BPF - Security BPF Alice Bob = UPF Alice Bob + UPF Bob Alice Bidirectional proxy functions CCA: CCA secure against Alice when helped by Escrow CCA secure against Escrow when helped by Alice CCA secure against Bob when helped by Escrow CCA secure against Escrow when helped by Bob Similarly, we can define CPA and OW security.

16
PDSG NYU 16 Generic Encryption BPF DK2,DK3 BobAlice Escrow Key distribution DK1,DK2 DK3,DK1 E1 E2D2 D1 D2E3 D3D1 E3E1 DK1,DK2 DK3,DK1 EK1,EK2,EK3

17
PDSG NYU 17 Specialized Encryption BPF El-Gamal (CPA) BobAlice Key distribution Escrow x2-x1x2-x1 DK1=x 1 DK2=x 2 x2-x1 c=(g r,mg rx1 ) m=c/g rx1 c c’=(g r,mg rx1 g r(x2-x1) ) c’ m=c’/g rx2 x1x1 x2x2 EK1=g x1,EK2=g x2

18
PDSG NYU 18 Signatures Signatures schemes are similar to encryption schemes. Signatures UPF S’ = ( UniGen, UniSig, UniVer, PSig, FSig ) Generic UPF (UF-CMA) Specialized UPF – RSA-Hash Signatures BPF S’ = ( BiGen, BiSig, BiVer, ) Generic Signatures BPF

19
PDSG NYU 19 Conclusions Start from the problem formulated in [BlSt98] Created formal model and security definitions Designed simple schemes Encryption & Signatures; UPF/BPF; Generic and Specialized Future work: Generic schemes have a factor of two slowdown compared to classic schemes. Specialized schemes eliminate the slowdown, but could not create specialized schemes for all classic schemes (e.g. Cramer-Shoup). Better scalability to multi-user setting. Natural asymmetric proxy functions.

20
PDSG NYU 20 Thank you. http://www.cs.nyu.edu/ivan/papers.htm

21
PDSG NYU 21 Scenario 1: I am going away for one week. Please cooperate. Vice-president 2Vice-president 1 President

22
PDSG NYU 22 Unidirectional vs. Bidirectional Scenario 1: Can the vice-presidents have “meaningful” keys? Scenario 2: Can the FBI have a “meaningful” key? A “meaningful” key is a key that can be used by itself for signature/encryption. Unidirectional: “Meaningful” K U K F, K P s.t. both K F and K P have no meaning on their own. FBI and Proxy should not be able to attack the User without cooperation. Bidirectional: “Meaningful” K U, K F K P s.t. only K P has no “meaning” FBI and Proxy should not be able to attack the User without cooperation. User and Proxy should not be able to attack the FBI without cooperation.

23
PDSG NYU 23 Encryption proxy functions BidirectionalUnidirectional c 1 =Enc U (m 1 )U(DK U ): m 1 =Dec U (c 1 ) c 2 =Enc F (m 2 ) m 2 =Dec U (c’ 2 ) P(K P ): c’ 1 = P (c 1 ) m 2 =Dec F (c 2 ) c 1 =Enc U (m 1 )U(DK U ): m 1 =Dec U (c 1 ) P(K’ P ): c’ 1 = f(c 1 ) F(K’ F ): m 1 =g(c’ 1 ) c 2 =Enc F (m 2 ) F(DK F ): m 2 =Dec F (c 2 ) P(K” P ): c 2 ’= f(c 2 )U(K” U ): m 2 =g(c’ 2 ) P(K P ): c’ 2 = P (c 2 ) F(DK F ): m 1 =Dec F (c’ 1 )

24
PDSG NYU 24 Signature proxy functions BidirectionalUnidirectional T=Ver U (s 1 )U(SK U ): s 1 =Sig U (m 1 ) s’ 2 =Sig U (m 2 ) s 2 =Sig F (m 2 )T=Ver F (s 2 ) T=Ver U (s 1 )U(SK U ): s 1 =Sig U (m 1 ) P(K’ P ): s 1 = f(s’ 1 )F(K’ F ): s’ 1 =g(m 1 ) T=Ver F (s 2 ) F(DK F ): s 2 =Sig F (m 2 ) P(K” P ): s 2 = f(s’ 2 )U(K” U ): s’ 2 =g(m 2 ) F(SK F ): s’ 1 =Sig F (m 1 ) P(K P ): s 1 = P (s’ 1 ) P(K P ): s 2 = P (s’ 2 )

25
PDSG NYU 25 Specialized Encryption UPF El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA) RSA: E = ( Gen, Enc(m) = m e mod n, Dec(c) = c d mod n ) Idea: split the secret key into two shares. ( EK U, DK U ) Gen EK U = e ; DK U = d = d 1 * d 2 ; K P = d 1 K F = d 2 UEnc( m ) = Enc(m ) = m e mod n UDec( c ) = Dec( c ) = c e mod n f( c ) = c d2 mod n = c’ ; p( c’ ) = c d1 mod n f( p( Enc( m ) ) ) = m RSA-UPF is unidirectionally OW secure. Open problem: design scheme for Cramer-Shoup (CCA) DK U =d 1 * d 2 K P =d 1 K F =d 2

26
PDSG NYU 26 Generic Encryption BPF Idea: P “re-encrypts” c = Enc(m) with a key shared by U and F. E = ( Gen, Enc, Dec ) BiGen: ( EK 1,DK 1, EK 2,DK 2, EK 3,DK 3 ) Gen ; DK U = ( DK 1,DK 2 ) ; DK F = ( DK 2,DK 3 ) ; K P = ( DK 1,DK 3 ) BiEnc(m) = Enc 1 ( Enc 2 ( m ) ) = c BiDec(c) = Dec 2 ( Dec 1 ( c ) ) = m ( c ) = Enc 3 ( Dec 1 (c ) ) = c’ E’ is bidirectionally CCA2 secure if E is CCA2 secure. DK1,DK2 DK3,DK2DK1,DK3

27
PDSG NYU 27 Specialized Encryption BPF El-Gamal (CPA): E = ( Gen, Enc(m) = ( g r, g rx m ), Dec(c)= g rx m/(g r ) x ) ( EK U = g x1, DK U = x 1 ) Gen ; ( EK F = g x2,DK F = x 2 ) Gen ; K P = DK F – DK U = x 2 -x 1 BiEnc U ( m ) = Enc U (m ) = ( g r, g rx1 m ) BiDec U ( c ) = Dec U ( c ) = g rx1 m/(g r ) x1 P ( BiEnc U ( m ) ) = ( g r, g rx1 m g r(x2-x1) ) = (g r, g rx2 m) BiDec F ( P ( BiEnc U ( m ) ) ) = m El-Gamal-BPF is bidirectionally CPA secure. Note: RSA cannot be made bidirectional (because of factorization). In the case of El-Gamal, it is safe to publish the public keys.

Similar presentations

OK

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Seminar ppt on power electronics Ppt on natural vegetation and wildlife of north america Ppt on cell structure for class 8 Ppt on statistics in maths draw Ppt on 21st century skills definition Ppt on marketing management by philip kotler definition Ppt on low level languages Isometric view ppt online Ppt on fire extinguisher types and sizes Ppt on refraction and reflection of light