2. Outline of the talk
Introduction
– What and Why?
Related work
Unidirectional (UPF ) vs. Bidirectional (BPF)
Encryption UPF
Encryption BPF
Signature UPF & BPF
Conclusions
PDSG
NYU
2
3. Introduction
Problem:
Allow Bob to decrypt ciphertext or sign messages on behalf
of Alice, without knowing the secret key of Alice.
Solution:
Third party (Escrow) helps Bob
Proxy functions
Our goal:
Formalize and clarify the notion proxy functions
Construct simple schemes satisfying the formal definitions
PDSG
NYU
3
10. Definition of UPF Encryption
Key distribution
Alice
Escrow
Bob
UDec
UEnc
PDSG
NYU
c’=p(c)
c=UEnc(m)
m=f(c’)
10
11. Encryption UPF - Security
Classic
CCA: “The only way to decrypt c = Enc(m) of an
unknown message m, is to ask the decryptor to decrypt c.”
Unidirectional proxy functions CCA:
CCA secure against Bob when helped by Escrow: “The only
way for Bob to decrypt c = Enc(m) of an unknown message
m is by asking Escrow to transform c with p(c).”
CCA secure against Escrow when helped by Bob: “The only
way for Escrow to decrypt c = Enc(m) of an unknown
message m is to ask Bob to decrypt c’ = f(c) .”
Similarly,
PDSG
NYU
we can define CPA and OW security.
11
12. Generic Encryption UPF
EK1,EK2
Key distribution
DK1
DK1,DK2
Alice
DK1,DK2
D2
D1
E2
Escrow
DK1
c=E1(E2(m))
DK2
Bob
DK2
E1
PDSG
NYU
c’=D1(c)
m=D2(c’)
12
13. Specialized UPF Encryption
El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)
Key distribution
EK=e
d1
DK=d=d1*d2
Alice
d=d1 * d2
m=cd mod n
Bob
Escrow
d1
c
d2
c’=cd1 mod n
d2
m=c’d2 mod n
c=me mod n
PDSG
NYU
13
14. Definition of BPF Encryption
Key distribution
Alice
m=BDec(c)
Escrow
c
c’=∏(c)
Bob
m=BDec(c’)
c=BEnc(m)
PDSG
NYU
14
15. Encryption BPF - Security
BPF
Alice Bob = UPF Alice Bob +
UPF Bob Alice
Bidirectional proxy functions CCA:
CCA secure against Alice when helped by Escrow
CCA secure against Escrow when helped by Alice
CCA secure against Bob when helped by Escrow
CCA secure against Escrow when helped by Bob
Similarly,
PDSG
NYU
we can define CPA and OW security.
15
16. Generic Encryption BPF
Key distribution
EK1,EK2,EK3
DK1,DK2
DK2,DK3
Alice
DK1,DK2
D1
D2
E1
E2
PDSG
NYU
DK3,DK1
Escrow
DK2,DK3
D2
E3
Bob
DK3,DK1
D3
D1
E3
E1
16
17. Specialized Encryption BPF
El-Gamal (CPA)
EK1=gx1,EK2=gx2
DK1=x1
Alice
Key distribution
DK2=x2
x2-x1
Bob
Escrow
x2-x1
x1
x2
c’
m=c/grx1
c
c’=(gr,mgrx1gr(x2-x1))
m=c’/grx2
c=(gr,mgrx1)
PDSG
NYU
17
18. Signatures
Signatures
schemes are similar to encryption
schemes.
Signatures UPF
S’ = ( UniGen , UniSig , UniVer , PSig , FSig )
Generic UPF (UF-CMA)
Specialized UPF – RSA-Hash
Signatures
BPF
S’ = ( BiGen , BiSig , BiVer , Π )
Generic Signatures BPF
PDSG
NYU
18
19. Conclusions
Start
from the problem formulated in [BlSt98]
Created formal model and security definitions
Designed simple schemes
Encryption & Signatures; UPF/BPF; Generic and Specialized
Future work:
Generic schemes have a factor of two slowdown compared to
classic schemes.
Specialized schemes eliminate the slowdown, but could not
create specialized schemes for all classic schemes (e.g.
Cramer-Shoup).
Better scalability to multi-user setting.
Natural asymmetric proxy functions.
PDSG
NYU
19
22. Unidirectional vs. Bidirectional
Scenario 1: Can the vice-presidents have “meaningful” keys?
Scenario 2: Can the FBI have a “meaningful” key?
A “meaningful” key is a key that can be used by itself for
signature/encryption.
Unidirectional:
“Meaningful” KU KF , KP s.t. both KF and KP have no meaning on their
own.
FBI and Proxy should not be able to attack the User without cooperation.
Bidirectional:
“Meaningful” KU , KF KP s.t. only KP has no “meaning”
FBI and Proxy should not be able to attack the User without cooperation.
User and Proxy should not be able to attack the FBI without cooperation.
PDSG
NYU
22
25. Specialized Encryption UPF
El-Gamal (CPA), RSA (OW), BF-IBE (IB-CPA)
RSA: E = ( Gen, Enc(m) = me mod n, Dec(c) = cd
mod n )
Idea: split the secret key into two shares.
( EKU , DKU ) Gen
EKU = e ; DKU = d = d1 * d2 ; KP = d1 KF = d2
DKU=d1 * d2
UEnc( m ) = Enc(m ) = me mod n
UDec( c ) = Dec( c ) = ce mod n
f( c ) = cd2 mod n = c’ ; p( c’ ) = cd1 mod n
f( p( Enc( m ) ) ) = m
KP=d1
KF =d2
RSA-UPF is unidirectionally OW secure.
Open problem: design scheme for Cramer-Shoup
(CCA)
PDSG
NYU
25
26. Generic Encryption BPF
Idea: P “re-encrypts” c = Enc(m) with a key
shared by U and F.
DK1,DK2
E = ( Gen , Enc , Dec )
BiGen:
( EK1,DK1, EK2,DK2, EK3,DK3) Gen ;
DKU = ( DK1,DK2 ) ; DKF = ( DK2,DK3 ) ;
KP = ( DK1,DK3 )
BiEnc(m) = Enc1( Enc2( m ) ) = c
BiDec(c) = Dec2( Dec1 ( c ) ) = m
Π( c ) = Enc3( Dec1(c ) ) = c’
E’ is
PDSG bidirectionally
NYU
secure.
DK1,DK3
CCA2 secure if E is CCA2
DK3,DK2
26
27. Specialized Encryption BPF
El-Gamal (CPA):
E = ( Gen, Enc(m) = ( gr , grx m ), Dec(c)= grxm/(gr)x )
( EKU = gx1, DKU = x1 ) Gen ; ( EKF = gx2 ,DKF = x2 ) Gen ;
KP = DKF – DKU = x2-x1
BiEncU( m ) = EncU(m ) = ( gr , grx1 m )
BiDecU( c ) = DecU( c ) = grx1m/(gr)x1
ΠP( BiEncU( m ) ) = ( gr , grx1 m gr(x2-x1) ) = (gr , grx2m)
BiDecF( ΠP( BiEncU( m ) ) ) = m
El-Gamal-BPF is bidirectionally CPA secure.
Note: RSA cannot be made bidirectional (because of factorization). In the
case of El-Gamal, it is safe to publish the public keys.
PDSG
NYU
27
Notas del editor
Our work is closely related to two-party non-interactive one-round threshold cryptography.
It is not necessary to design schemes equivalent to “natural” one-party schemes. In fact, it is hard to modify existing schemes to make them accomplish this goal.