Key-Insulated Public Key Cryptosystems Moti Yung, RSA Labs and Columbia U.

Key Exposure Protection
Talk based on papers published in EC-02 and PKC-03 (joint work with Y. Dodis, J. Katz and S. Xu).
Nowadays: assuming a mobile device and a host (e.g., a home computer) is right (everyone will have/has a mobile and a computer).
Thus: we can strengthen crypto based on it! …and derive other applications in the process…

Key Exposure
Most cryptosystems rely on possession of a small, totally secret entity (the key) to perform various complex tasks.
What if the key is lost/stolen/exposed (e.g., mobile device, Internet, snooping)?
One of the most serious "real-life" attacks:
–often easier to steal the key than to break the underlying "cryptography".
Can we do anything?

Solution Approaches
Tamper-resistant hardware (smartcards).
Partial Key Exposure (weaker problem)
–Secret sharing, Threshold Cryptography.
–All-or-Nothing Transforms (AONT), ERFs.
Key Evolution: change the secret key over time such that exposure of the "current" key minimizes the overall "damage".
–Forward security (protect past transactions)
–Key-Insulated Security (this talk)

Forward Security
N periods, single public key PK
Initial secret key SK_0
At period i:
–secret key SK_i = Upd(i, SK_{i-1})
–"effective" public key PK_i = (PK, i)
–Public OP done with PK_i, secret OP done with SK_i
Goal: under exposure of SK_i,
–Periods 1,…,(i-1) are still secure
–Periods i,…,N are necessarily completely broken
[Figure: key chain SK_0 → SK_1 → … → SK_{i-1} → SK_i → SK_{i+1} → … → SK_N; periods before the exposed SK_i are good (non-exposed), periods from i on are bad]

Key-Insulated Security
N periods, single public key PK
Initial secret key SK_0, …
At period i:
–secret key SK_i = Upd(i, SK_{i-1}, …)
–"effective" public key PK_i = (PK, i)
–Public OP done with PK_i, secret OP done with SK_i
Goal: under exposure of SK_{i_1}, SK_{i_2}, …, SK_{i_t}
–Any period i ∉ {i_1,…,i_t} is still secure
–Only periods i_1,…,i_t are (necessarily) broken
[Figure: helper key SK* feeds the chain SK_0, …, SK_{i_1}, …, SK_{i_2}, …, SK_N; only the exposed periods are bad, all other periods stay good]

High-Level Idea
Unlike forward security, user U no longer performs key updates by itself:
–"Helper" H assists the user
–forward-security limitation no longer applies!
All secret OPs are still done by U alone
–Different from threshold/server-aided crypto!
(t,N)-security: exposure of any t secret keys leaves every non-exposed period secure
Strong (t,N)-security: H should not be able to perform any of the secret OPs (untrusted H)

More on the Model
Stronger than the forward security guarantee
New: introduction of a possibly untrusted H
–cheap key updates: one message from H to U
–All OPs by U (unlike Threshold)
–H can't compromise U (no "master" key)
Possible formalization:
–Setup: (PK, SK_0, SK*); U gets SK_0, H gets SK*
–SK_i = Upd(SK_{i-1}, SK*), where H sends SK*
What if Adv compromises the key update?
–H cannot send SK*!
–SK_i = Upd(SK_{i-1}, h_i), where H sends h_i = Help(SK*, i)

Key Updates
Secure Key Updates:
–Minimal possible harm under exposure of inter-period key-updating information (the h_i's)
–Key update exposure between periods (i-1) and i ≡ key exposure at periods (i-1) and i
–SK_{i-1} + h_i (+ SK_i) ≡ SK_{i-1} + SK_i
Random Access Key Updates:
–H can help go between SK_j and SK_i for any i, j
–E.g., emergency "future Sig" or "past Dec"
–SK_i = Upd(SK_j, h_ij), where h_ij = Help(SK*, (j → i))

The Attacker
Fully adaptive and concurrent
–attacks all N periods concurrently
–adaptively issues "key exposure" requests (for security against H, replaced by the knowledge of SK*)
–succeeds if it breaks any one of the non-exposed periods (for signatures this means forging a "new" message in the given period)
Typically stronger than "real life"

Brief Generic Summary
Any non-exposed period secure
All OPs done without helper
Key Updates:
–Secure against inter-period exposure
–Cheap and non-interactive
–Random access: can go from any j to any i
Security against helper
Fully adaptive and concurrent attacker
Achieve all, but often a subset suffices

Applications
Key Exposure Protection (original)
Limited-Time Delegation
Limited-Time Key Escrow
Identity-based Cryptography
–Users identified by "non-crypto" ID(U) = i
–One common public key
–t users can't compromise another user
–Ideal: t = N-1, but smaller t often enough
(assume trusted helper)

Relation to ID-based Crypto
An (N-1,N)-key-insulated signature / encryption scheme is also an ID-based scheme [DKXY02,BP02]
Our approach based on "trapdoor primitives" encompasses all known non-generic constructions of ID-based primitives [S84,BF01,CC03,…]
–Also yields new constructions (e.g., signature based on the 2^t-root/factoring assumption)

This Work vs. Related Work
Key-insulated paradigm [DKXY02]
–Introduced and formalized the notion
–Constructions of public-key encryption schemes with rigorous security proofs
–Strong security
Other related ideas (all non-adaptive):
–Signature delegation [GPR98]
–"Tamper-resistant" signatures [G98]
–"Key-evolving" PKE schemes [TT01,LS02] (weak non-adaptive model)

Our Results I: Signatures
Strong key-insulated signature schemes
–Generic scheme based on any signature scheme
–Scheme based on discrete logarithms
–Most efficient: scheme based on any "trapdoor signature" scheme (a similar approach works for encryption, but only one "trapdoor encryption" scheme is known)

Generic Signature Scheme
Building blocks:
–Any regular signature scheme
Parameters:
–t = N-1, maximal resiliency
–Everything constant (equal to 2 or 3)
Pretty much "optimal"; uses a "certification idea" (like in forward security: sig. easier than enc.)
Morale: while we do not have a full implementation of PKI, we can exploit its ideas…

Optimal Signature Scheme
PK = (VK_U, VK_H), SK_0 = SK_U, SK* = SK_H
SK_i = (SK_U, sk_i, Sig_H(vk_i, i))
–Sig_H(vk_i, i) is the "certificate" for (sk_i, vk_i)
Update: H sends sk_i and cert_i = Sig_H(vk_i, i) for the current-period keys (sk_i, vk_i)
Signature of m at period i: (Sig_{sk_i}(m), Sig_U(m, i), cert_i = Sig_H(vk_i, i))
Verification: check all sigs
(Note: the same trick with SK_U can make any key-insulated signature strong)

Efficiency…
Achieves "optimal" security
(Small) slowdown:
–Signing time ×2
–Verification time, signature length ×3
–Key update = 1 signing operation + 1 key generation (key generation may be costly…)

Idea behind all DL-based schemes
Secret polynomial p(x) = a_0 + a_1 x + … + a_t x^t
PK = (g^{a_0}, g^{a_1}, …, g^{a_t})
SK_0 = a_0 = p(0), SK* = (a_1, …, a_t)
"Effective keys" at period i: SK_i = p(i); PK_i = g^{p(i)} = g^{SK_i}
Notice:
–PK_i = g^{a_0} (g^{a_1})^i (g^{a_2})^{i^2} … (g^{a_t})^{i^t} = f(PK, i)
–SK_i = SK_j + (SK_i − SK_j) = SK_j + h_ij, where h_ij = Help(SK*, (j → i)) = p(i) − p(j)

Idea Continued
Take a cryptosystem where pk = g^{sk}
–E.g., Schnorr signature, ElGamal encryption
Evolve keys as stated (functionality)
Security intuition:
–For any t keys p(i_1), p(i_2), …, p(i_t), the value p(i) is truly random for i ∉ {i_1,…,i_t}
–Helper: w/o a_0 any value p(i) is random
–Hardness of discrete log ensures that g^{a_0}, g^{a_1}, …, g^{a_t} do not "help" the breaker

Security?
Thm: for fixed {i_1,…,i_t}, can't break security at any period i ∉ {i_1,…,i_t}
Security means: the adversary cannot forge a signature in these periods (even when it initially can access the signing machine, it cannot sign a new message on its own)

Security?
Security against a non-adaptive adversary only!
–The public key is "committing", so we need to know in advance in which period to embed the "unknown discrete log"
Limiting the adversary to attack at given times is an unrealistic model!

Getting Adaptive Security
Use two random generators g and h!
sk = (x, y); pk = z = g^x h^y
–2-generator Okamoto vs. 1-generator Schnorr
Schnorr: sk = x; pk = z = g^x; Sig(m) = (g^r, r − t·x), where t = O(g^r, m)
Ver((w, a), m) = [w = z^t g^a]?
Okamoto: sk = (x, y); pk = z = g^x h^y; Sig(m) = (g^r h^s, r − t·x, s − t·y), where t = O(g^r h^s, m)
Ver((w, a, b), m) = [w = z^t g^a h^b]?

Getting Adaptive Security
Use two random generators g and h!
sk = (x, y); pk = z = g^x h^y
–2-generator Okamoto vs. 1-generator Schnorr
Many legal ways to open the public key
Use p(x) and q(y) to evolve both keys
–SK_i = (x_i = p(i), y_i = q(i)), PK_i = z_i = g^{x_i} h^{y_i}
No longer decide in advance where to put the hardness: know all secret keys, reduce to the hardness of computing log_g h!
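The two signature schemes compared on the slides, written out as an added example (not code from the talk): one-generator Schnorr beside two-generator Okamoto, with the hash O modelled by SHA-256. The group is a constructed toy (p = 1019, q = 509) and h is set to g^K with K known only so that `other_opening` can exhibit a second (x', y') for the same z; in the real scheme log_g h is unknown, which is exactly the hardness the adaptive proof reduces to.

```python
import hashlib
import secrets

# Constructed toy group: p = 1019 (safe prime), q = 509, g of order q.
# h = g^K with K known here only to demonstrate the "many openings" point;
# in the real scheme log_g h is unknown and its hardness is what the
# adaptive-security proof reduces to.
P, Q, G = 1019, 509, 4
K = 123
H = pow(G, K, P)

def oracle(*parts):
    """The hash O(., m) from the slides, modelled by SHA-256 reduced mod q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def schnorr_sign(x, m):
    """One generator: sk = x, pk = z = g^x, Sig(m) = (g^r, r - t*x)."""
    r = secrets.randbelow(Q)
    w = pow(G, r, P)
    return (w, (r - oracle(w, m) * x) % Q)

def schnorr_verify(z, sig, m):
    """Ver((w, a), m) = [w == z^t * g^a] with t = O(w, m)."""
    w, a = sig
    t = oracle(w, m)
    return w == pow(z, t, P) * pow(G, a, P) % P

def okamoto_pk(sk):
    x, y = sk
    return pow(G, x, P) * pow(H, y, P) % P

def okamoto_sign(sk, m):
    """Two generators: sk = (x, y), z = g^x h^y,
    Sig(m) = (g^r h^s, r - t*x, s - t*y) with t = O(g^r h^s, m)."""
    x, y = sk
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    w = pow(G, r, P) * pow(H, s, P) % P
    t = oracle(w, m)
    return (w, (r - t * x) % Q, (s - t * y) % Q)

def okamoto_verify(z, sig, m):
    """Ver((w, a, b), m) = [w == z^t * g^a * h^b]."""
    w, a, b = sig
    t = oracle(w, m)
    return w == pow(z, t, P) * pow(G, a, P) * pow(H, b, P) % P

def other_opening(sk, log_g_h):
    """A second secret (x', y') = (x + c*log_g h, y - c) for the same z:
    g^x' h^y' = g^x h^y. Knowing log_g h is what makes this possible,
    which is why the two-generator key does not commit to one secret."""
    x, y = sk
    c = secrets.randbelow(Q - 1) + 1
    return ((x + c * log_g_h) % Q, (y - c) % Q)
```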

More Details on Key Evolution
Use two generators!
Random p(x) = a_0 + a_1 x + … + a_t x^t and q(x) = b_0 + b_1 x + … + b_t x^t
Now: PK = (g^{a_0} h^{b_0}, g^{a_1} h^{b_1}, …, g^{a_t} h^{b_t}) and SK* = (a_1, b_1, …, a_t, b_t)
"Effective keys" for period i: SK_i = (p(i), q(i)); PK_i = g^{p(i)} h^{q(i)}

Efficiency…
Only secure against a given number t of break-ins (public-key size is O(t))
Efficiency:
–Fast key update (no cryptographic ops)
–Basic signing (encrypting) time same as Okamoto-Schnorr (two-generator ElGamal)
–Has (small) overhead of computing the "period public key", but this can be done once per period (computing the polynomial in the exponent trick)

Using "trapdoor" signatures
Say signature scheme F has sk = x, vk = (y, "f"), where y = f(x) and f satisfies:
1. f is easy to invert using trapdoor T
2. Given u, z, easy to verify if f(u) = z using "f" only
Note: sk does not have to include T!
Examples:
–Schemes where f is a trapdoor "permutation" (Guillou-Quisquater, Fiat-Shamir, Ong-Schnorr)
–Recent signatures in "gap-DH" groups where DDH is easy and CDH is hard [CC03] (all use f(g^a) = g^{ab} where "f" = g^b and T = b)

Using "trapdoor" signatures
Set global PK = "f", SK* = T, vk_i = RO(i)
H sends sk_i = f^{-1}(vk_i) (computed using T) to U, who uses (sk_i, vk_i) for period i
To get strong security, distribute T and jointly compute sk_i = f^{-1}(vk_i)
–Easy for most common schemes
The same approach is used in current identity-based schemes [S84,BF01,CC03]

Efficiency
As efficient as the underlying signature (encryption) scheme
Achieves optimal security in the RO model
Drawback: only works for specific assumptions

Our Results II: Encryption
Key-insulated public-key encryption
–(t,N)-security from any semantically-secure encryption scheme
–Can extend to (t,N)-CCA2-security
–Efficient (t,N)-security based on DDH
–(t,N)-CCA2-security based on DDH
–All schemes are strong and have secure key updates / random access key updates
–Also: third scheme based on BF01…

Preliminaries
Encryption algorithm takes public key PK, period i, and message M and returns a ciphertext E_PK(i, M)
Decryption algorithm takes secret key SK_i and the ciphertext and returns M

The Adversary
Intuitively: the adversary tries to break the encryption in any of the unexposed key periods
Adversary has access to:
–Key exposure oracle: Exp(i) returns SK_i
–Left-and-right oracle: given a vector b = (b_1, …, b_N), oracle LR_{PK,b}(i, M_0, M_1) returns E_PK(i, M_{b_i})

Definition of Security
Vector b = (b_1, …, b_N) chosen at random
Adversary gets PK; asks t queries to Exp and poly-many queries to LR, concurrently and adaptively
Adversary outputs (i, b') s.t. Exp(i) was not called
(t,N)-secure if |Pr[b' = b_i] − ½| is negligible

Generic Construction
Building blocks:
–Semantically-secure encryption scheme
–All-or-nothing transform (AONT)
–t-cover-free family of sets
Parameters:
–|PK| = |SK| = O(t^2 log N)
–Enc. time and ciphertext length = O(t log N)
–Key updating time = O(t log N)
Using the cover-free property, the adversary cannot learn keys of other periods for any t corruptions.

Result
A generic scheme that works for N periods and t exposures, and requires O(t^2 log N) in total, O(t log N) per period.
The proof uses the fact that we use an all-or-nothing transform: it embeds an unknown key (in a guessed position) and breaks it if the adversary is successful.

Approach for DL-Based Schemes
Idea: random p(x) = a_0 + a_1 x + … + a_t x^t
PK = (g^{a_0}, g^{a_1}, …, g^{a_t}); SK_0 = a_0; SK* = (a_1, …, a_t)
"Effective keys" for period i: SK_i = p(i); PK_i = g^{p(i)} = g^{SK_i}
Notice again:
PK_i = g^{a_0} (g^{a_1})^i (g^{a_2})^{i^2} … (g^{a_t})^{i^t}
SK_i = SK_j + (SK_i − SK_j) = SK_j + Help(SK*, (i, j))

Approach, continued…
Now use ElGamal encryption: E_PK(i, M) = ⟨g^r, PK_i^r · M⟩
Intuition:
–For any t keys p(i_1), p(i_2), …, p(i_t), the value p(i) is truly random for i ∉ {i_1,…,i_t}
–Hardness of discrete log ensures that g^{a_0}, g^{a_1}, …, g^{a_t} do not "help"

Security?
Again: only the non-adaptive case…. So not secure in the sense we want.

Adaptive Security
Again, we use two generators!
Random p(x) = a_0 + a_1 x + … + a_t x^t and q(x) = b_0 + b_1 x + … + b_t x^t
Now: PK = (g^{a_0} h^{b_0}, g^{a_1} h^{b_1}, …, g^{a_t} h^{b_t}) and SK* = (a_1, b_1, …, a_t, b_t)
"Effective keys" for period i: SK_i = (p(i), q(i)); PK_i = g^{p(i)} h^{q(i)}

Adaptive Security cont'd…
Encrypt as: E_PK(i, M) = ⟨u, v, z⟩ = ⟨g^r, h^r, PK_i^r · M⟩
Decrypt via: D_{SK_i}(⟨u, v, z⟩) = z / (u^{p(i)} v^{q(i)})
Thm: the scheme achieves strong (t,N)-security against an adaptive adversary
Remark: a modification based on Cramer-Shoup achieves CCA2 (security even when the adversary probes the system freely with ciphertexts of its choice).
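The two-generator key evolution from the DL-based slides (PK from the polynomial coefficients, helper message h_{j→i}, period key PK_i computed in the exponent) together with the matching encryption and decryption above, as an added example that is not code from the talk. It assumes a constructed toy group (p = 1019, q = 509, g = 4, h = 9) and a constructed message 49; the functions `keygen`, `help_update`, `update`, `period_pk`, `encrypt` and `decrypt` are names chosen here.

```python
import secrets
# Constructed toy group: p = 1019 is a safe prime, q = 509 = (p-1)/2, and
# g, h generate the order-q subgroup of quadratic residues. Real use: 2048+ bits.
P, Q = 1019, 509
G, H = 4, 9

def _poly(coeffs, x):
    """Evaluate a polynomial over Z_q (coeffs[j] multiplies x^j)."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def keygen(t):
    """Setup: random p(x), q(x) of degree t. PK = (g^a_j h^b_j)_j,
    SK_0 = (a_0, b_0), SK* = (a_1..a_t, b_1..b_t) goes to the helper."""
    a = [secrets.randbelow(Q) for _ in range(t + 1)]
    b = [secrets.randbelow(Q) for _ in range(t + 1)]
    pk = [pow(G, a[j], P) * pow(H, b[j], P) % P for j in range(t + 1)]
    return pk, (a[0], b[0]), (a[1:], b[1:])

def help_update(helper, j, i):
    """Helper H: h_{j->i} = (p(i)-p(j), q(i)-q(j)). The constant terms
    cancel, so H never needs the user's SK_0 (random-access update)."""
    a_rest, b_rest = helper
    da = _poly([0] + a_rest, i) - _poly([0] + a_rest, j)
    db = _poly([0] + b_rest, i) - _poly([0] + b_rest, j)
    return (da % Q, db % Q)

def update(sk_j, h):
    """User U: SK_i = SK_j + h_{j->i}, a plain addition, no crypto ops."""
    return ((sk_j[0] + h[0]) % Q, (sk_j[1] + h[1]) % Q)

def period_pk(pk, i):
    """Anyone: PK_i = prod_j (g^a_j h^b_j)^(i^j) = g^p(i) h^q(i)."""
    r = 1
    for j, c in enumerate(pk):
        r = r * pow(c, pow(i, j, Q), P) % P
    return r

def encrypt(pk, i, m):
    """E_PK(i, M) = <u, v, z> = <g^r, h^r, PK_i^r * M>, M in the subgroup."""
    r = secrets.randbelow(Q - 1) + 1
    z = pow(period_pk(pk, i), r, P) * m % P
    return (pow(G, r, P), pow(H, r, P), z)

def decrypt(sk_i, ct):
    """D_{SK_i}(<u, v, z>) = z / (u^p(i) v^q(i))."""
    (x, y), (u, v, z) = sk_i, ct
    denom = pow(u, x, P) * pow(v, y, P) % P
    return z * pow(denom, -1, P) % P

def demo(t=2, periods=(0, 5, 3), m=49):
    """Walk SK_0 through the periods via the helper; check PK_i matches the
    evolved key and decryption recovers m (49 = 7^2 is a subgroup element)."""
    pk, sk, helper = keygen(t)
    cur, ok = periods[0], True
    for i in periods[1:]:
        sk = update(sk, help_update(helper, cur, i))
        cur = i
        ok &= period_pk(pk, i) == pow(G, sk[0], P) * pow(H, sk[1], P) % P
        ok &= decrypt(sk, encrypt(pk, i, m)) == m
    return ok
```

The jump 0 → 5 → 3 in `demo` exercises the random-access update: going forward and then back to an earlier period gives the same SK_3 that a direct 0 → 3 update would.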

Proof Sketch
DDH: given (g, h, u, w), decide if log_g u = log_h w
Use g and h, choose all secret keys, publish PK. Note: all Exp-queries can be answered!
When Adv asks LR-query (i, m_0, m_1), choose random b and return (u, w, u^{p(i)} w^{q(i)} m_b)
–If log_g u = log_h w, perfect simulation
–If u, w random, the view of Adv is information-theoretically independent of b

Conclusions
Formal definition of the "key-insulated" model
Many advantages over previous models
Variety of efficient implementations
Key-insulated paradigm is relevant to many algorithms and protocols
–Inspired further research (e.g., intrusion-resilient model); relation to ID-based…
Applications to delegation, key escrow, ID-based sig. etc.

Conclusions
Cryptography should evolve as technology evolves
Cryptography should be part of a solution, even when the problem does not look "cryptographic"
…and sometimes relatively efficient/simple solutions are found…
Also… a better security solution may lead to new functionality!