Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis

1. Proxy Cryptography Revisited
Anca-Andreea Ivan , Yevgeniy Dodis
New York University
NDSS 2003
PDSG
NYU
1

2. Outline of the talk
 Introduction
– What and Why?
 Related work
 Unidirectional (UPF ) vs. Bidirectional (BPF)
 Encryption UPF
 Encryption BPF
 Signature UPF & BPF
 Conclusions
PDSG
NYU
2

3. Introduction
 Problem:
 Allow Bob to decrypt ciphertext or sign messages on behalf
of Alice, without knowing the secret key of Alice.
 Solution:
 Third party (Escrow) helps Bob
 Proxy functions
 Our goal:
 Formalize and clarify the notion proxy functions
 Construct simple schemes satisfying the formal definitions
PDSG
NYU
3

4. Scenario: Key Escrow
User
Escrow
(ISP)
PDSG
NYU
FBI
I have a warrant
to monitor email
for one week.
4

5. Scenario: Key Escrow
User
Escrow
(ISP)
PDSG
NYU
FBI
I have a warrant
to monitor email
for one week.
5

6. Related work
 Atomic
proxy functions [BlSt98]
 Mobile agents proxy signatures [KBKL01,LKK01]
 Proxy signature is different from original signature
 Two-party signatures [BeSa02,MR01a,MR01b,NKDM03]
 Interactive protocols
 Two-party encryption [Mac03]
 Interactive protocols
 Threshold cryptography [Des89,…]
PDSG
NYU
6

7. Blaze/Strauss scheme – closer look
[BlSt98]
 Informal definition for
encryption/signature proxy
functions
 Try to modify existing
cryptographic primitives to satisfy
the definitions
 Result:
 Weak security guarantees
 Semi-formal implementations
 El-Gamal encryption
 Modified Fiat-Shamir
signatures
PDSG
NYU
[IvDo03]
 Starting with the problem at hand,
create formal model and
definitions
 Design simple, possibly new
schemes that satisfy the definitions
 Result:
 Strong, formal security
guarantees
 Encryption and signatures (…)
 Unidirectional and
bidirectional
7

8. Unidirectional proxy function (UPF)
Key distribution
Alice
PDSG
NYU
Escrow
Bob
8

9. Bidirectional proxy function (BPF)
Key distribution
Alice
PDSG
NYU
Escrow
Bob
9

10. Definition of UPF Encryption
Key distribution
Alice
Escrow
Bob
UDec
UEnc
PDSG
NYU
c’=p(c)
c=UEnc(m)
m=f(c’)
10

11. Encryption UPF - Security
 Classic
CCA: “The only way to decrypt c = Enc(m) of an
unknown message m, is to ask the decryptor to decrypt c.”
 Unidirectional proxy functions CCA:
 CCA secure against Bob when helped by Escrow: “The only
way for Bob to decrypt c = Enc(m) of an unknown message
m is by asking Escrow to transform c with p(c).”
 CCA secure against Escrow when helped by Bob: “The only
way for Escrow to decrypt c = Enc(m) of an unknown
message m is to ask Bob to decrypt c’ = f(c) .”
 Similarly,
PDSG
NYU
we can define CPA and OW security.
11

12. Generic Encryption UPF
EK1,EK2
Key distribution
DK1
DK1,DK2
Alice
DK1,DK2
D2
D1
E2
Escrow
DK1
c=E1(E2(m))
DK2
Bob
DK2
E1
PDSG
NYU
c’=D1(c)
m=D2(c’)
12

13. Specialized UPF Encryption
El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)
Key distribution
EK=e
d1
DK=d=d1*d2
Alice
d=d1 * d2
m=cd mod n
Bob
Escrow
d1
c
d2
c’=cd1 mod n
d2
m=c’d2 mod n
c=me mod n
PDSG
NYU
13

14. Definition of BPF Encryption
Key distribution
Alice
m=BDec(c)
Escrow
c
c’=∏(c)
Bob
m=BDec(c’)
c=BEnc(m)
PDSG
NYU
14

15. Encryption BPF - Security
 BPF
Alice  Bob = UPF Alice  Bob +
UPF Bob  Alice
 Bidirectional proxy functions CCA:
 CCA secure against Alice when helped by Escrow
 CCA secure against Escrow when helped by Alice
 CCA secure against Bob when helped by Escrow
 CCA secure against Escrow when helped by Bob
 Similarly,
PDSG
NYU
we can define CPA and OW security.
15

16. Generic Encryption BPF
Key distribution
EK1,EK2,EK3
DK1,DK2
DK2,DK3
Alice
DK1,DK2
D1
D2
E1
E2
PDSG
NYU
DK3,DK1
Escrow
DK2,DK3
D2
E3
Bob
DK3,DK1
D3
D1
E3
E1
16

17. Specialized Encryption BPF
El-Gamal (CPA)
EK1=gx1,EK2=gx2
DK1=x1
Alice
Key distribution
DK2=x2
x2-x1
Bob
Escrow
x2-x1
x1
x2
c’
m=c/grx1
c
c’=(gr,mgrx1gr(x2-x1))
m=c’/grx2
c=(gr,mgrx1)
PDSG
NYU
17

18. Signatures
 Signatures
schemes are similar to encryption
schemes.
 Signatures UPF
 S’ = ( UniGen , UniSig , UniVer , PSig , FSig )
 Generic UPF (UF-CMA)
 Specialized UPF – RSA-Hash
 Signatures
BPF
 S’ = ( BiGen , BiSig , BiVer , Π )
 Generic Signatures BPF
PDSG
NYU
18

19. Conclusions
 Start
from the problem formulated in [BlSt98]
 Created formal model and security definitions
 Designed simple schemes
 Encryption & Signatures; UPF/BPF; Generic and Specialized
 Future work:
 Generic schemes have a factor of two slowdown compared to
classic schemes.
 Specialized schemes eliminate the slowdown, but could not
create specialized schemes for all classic schemes (e.g.
Cramer-Shoup).
 Better scalability to multi-user setting.
 Natural asymmetric proxy functions.
PDSG
NYU
19

20. Thank you.
http://www.cs.nyu.edu/ivan/papers.htm
PDSG
NYU
20

21. Scenario 1:
President
Vice-president 1
PDSG
NYU
I am going away
for one week. Please
cooperate.
Vice-president 2
21

22. Unidirectional vs. Bidirectional




Scenario 1: Can the vice-presidents have “meaningful” keys?
Scenario 2: Can the FBI have a “meaningful” key?
A “meaningful” key is a key that can be used by itself for
signature/encryption.
Unidirectional:
 “Meaningful” KU  KF , KP s.t. both KF and KP have no meaning on their
own.
 FBI and Proxy should not be able to attack the User without cooperation.

Bidirectional:
 “Meaningful” KU , KF  KP s.t. only KP has no “meaning”
 FBI and Proxy should not be able to attack the User without cooperation.
 User and Proxy should not be able to attack the FBI without cooperation.
PDSG
NYU
22

23. Encryption proxy functions
Bidirectional
c1=EncU(m1)
U(DKU): m1=DecU(c1)
m2=DecU(c’2)
Unidirectional
c1=EncU(m1)
U(DKU): m1=DecU(c1)
F(DKF): m1=DecF(c’1)
m2=DecF(c2)
PDSG
NYU
c2=EncF(m2)
P(K’P): c’1= f(c1)
F(K’F): m1=g(c’1)
P(K”P): c2’= f(c2)
P(KPP): c’12= Π PP(c12))
P(K ): c’ = Π (c
U(K”U): m2=g(c’2)
c2=EncF(m2)
F(DKF): m2=DecF(c2)
23

24. Signature proxy functions
Bidirectional
T=VerU(s1)
Unidirectional
U(SKU): s1=SigU(m1)
s’2=SigU(m2)
T=VerU(s1)
U(SKU): s1=SigU(m1)
F(SKF): s’1=SigF(m1)
s2=SigF(m2)
PDSG
NYU
T=VerF(s2)
P(K’P): s1= f(s’1)
F(K’F): s’1=g(m1)
P(K”P): s2= f(s’2)
P(KPP): ss12= Π PP(s’12))
P(K ): = Π (s’
U(K”U): s’2=g(m2)
T=VerF(s2)
F(DKF): s2=SigF(m2)
24

25. Specialized Encryption UPF
El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)
RSA: E = ( Gen, Enc(m) = me mod n, Dec(c) = cd
mod n )
 Idea: split the secret key into two shares.
 ( EKU , DKU )  Gen
 EKU = e ; DKU = d = d1 * d2 ; KP = d1 KF = d2
DKU=d1 * d2
 UEnc( m ) = Enc(m ) = me mod n
 UDec( c ) = Dec( c ) = ce mod n
 f( c ) = cd2 mod n = c’ ; p( c’ ) = cd1 mod n
 f( p( Enc( m ) ) ) = m
KP=d1
KF =d2
 RSA-UPF is unidirectionally OW secure.
 Open problem: design scheme for Cramer-Shoup
(CCA)

PDSG
NYU
25

26. Generic Encryption BPF

Idea: P “re-encrypts” c = Enc(m) with a key
shared by U and F.
DK1,DK2






E = ( Gen , Enc , Dec )
BiGen:
( EK1,DK1, EK2,DK2, EK3,DK3)  Gen ;
DKU = ( DK1,DK2 ) ; DKF = ( DK2,DK3 ) ;
KP = ( DK1,DK3 )
BiEnc(m) = Enc1( Enc2( m ) ) = c
BiDec(c) = Dec2( Dec1 ( c ) ) = m
Π( c ) = Enc3( Dec1(c ) ) = c’
E’ is
PDSG bidirectionally
NYU
secure.
DK1,DK3
CCA2 secure if E is CCA2
DK3,DK2
26

27. Specialized Encryption BPF

El-Gamal (CPA):
 E = ( Gen, Enc(m) = ( gr , grx m ), Dec(c)= grxm/(gr)x )
 ( EKU = gx1, DKU = x1 )  Gen ; ( EKF = gx2 ,DKF = x2 )  Gen ;
 KP = DKF – DKU = x2-x1
 BiEncU( m ) = EncU(m ) = ( gr , grx1 m )
 BiDecU( c ) = DecU( c ) = grx1m/(gr)x1
 ΠP( BiEncU( m ) ) = ( gr , grx1 m gr(x2-x1) ) = (gr , grx2m)
 BiDecF( ΠP( BiEncU( m ) ) ) = m
 El-Gamal-BPF is bidirectionally CPA secure.

Note: RSA cannot be made bidirectional (because of factorization). In the
case of El-Gamal, it is safe to publish the public keys.
PDSG
NYU
27