Lecture 17: Re-encryption



Similar documents
International Electronic Journal of Pure and Applied Mathematics IEJPAM, Volume 8, No. 2 (2014)

Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage

Categorical Heuristic for Attribute Based Encryption in the Cloud Server

Lecture 25: Pairing-Based Cryptography

Overview of Public-Key Cryptography

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Sharing Of Multi Owner Data in Dynamic Groups Securely In Cloud Environment

CS 758: Cryptography / Network Security

Combined Proxy Re-Encryption

CIS 5371 Cryptography. 8. Encryption --

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Identity-Based Encryption from the Weil Pairing

SFWR ENG 4C03 - Computer Networks & Computer Security

Public Key Cryptography: RSA and Lots of Number Theory

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data

The application of prime numbers to RSA encryption

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Lecture 3: One-Way Encryption, RSA Example

CSCE 465 Computer & Network Security

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

A short primer on cryptography

New Efficient Searchable Encryption Schemes from Bilinear Pairings

SECURITY IN NETWORKS

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Concrete Attribute-Based Encryption Scheme with Verifiable Outsourced Decryption

1 Message Authentication

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Public Key Cryptography and RSA. Review: Number Theory Basics

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Introduction to Cryptography

CS Computer Security Third topic: Crypto Support Sys

CPSC 467b: Cryptography and Computer Security

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lecture 9: Application of Cryptography

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Introduction to Cryptography CS 355

The Mathematics of the RSA Public-Key Cryptosystem

VoteID 2011 Internet Voting System with Cast as Intended Verification

Digital Signatures. Prof. Zeph Grunschlag

Advanced Cryptography

Chapter 7: Network security

Computer Security: Principles and Practice

Cryptography and Network Security Chapter 10

Associate Prof. Dr. Victor Onomza Waziri

Introduction. Digital Signature

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

Public Key (asymmetric) Cryptography

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

A Secure Decentralized Access Control Scheme for Data stored in Clouds

Chapter 10. Network Security

Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment

Lecture 6 - Cryptography

Cryptography and Network Security

Performance Evaluation of three Data Access Control Schemes for Cloud Computing

ECE 842 Report Implementation of Elliptic Curve Cryptography

Lukasz Pater CMMS Administrator and Developer

Practice Questions. CS161 Computer Security, Fall 2008

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10

CRYPTOGRAPHY IN NETWORK SECURITY

Secure Deduplication of Encrypted Data without Additional Independent Servers

On the Difficulty of Software Key Escrow

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Analysis on Secure Data sharing using ELGamal s Cryptosystem in Cloud

Paillier Threshold Encryption Toolbox

Computing on Encrypted Data

Chapter 2 Homework 2-5, 7, 9-11, 13-18, 24. (9x + 2)(mod 26) y 1 1 (x 2)(mod 26) 3(x 2)(mod 26) U : y 1 = 3(20 2)(mod 26) 54(mod 26) 2(mod 26) c

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Network Security. HIT Shimrit Tzur-David

Elements of Applied Cryptography Public key encryption

Cryptography and Network Security

Public Key Cryptography. Performance Comparison and Benchmarking

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Kleptography: The unbearable lightness of being mistrustful

Symmetric Key cryptosystem

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

A Factoring and Discrete Logarithm based Cryptosystem

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Transcription:

600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy re-encryption is a relatively newly-devised cryptographic primitive. The goal of proxy re-encryption is to securely enable the reencryption of ciphertexts from one secret key to another, without relying on trusted parties. Example Alice receives emails from many clients encrypted under her public key. When she leaves for summer vacation, she wants to delegate her email to Bob, but does not want to share a secret key with him. 2 Approaches 2.1 Naïve Way Alice simply stores her secret key on the mail server. When mail arrives for her, the mail server decrypts using her stored secret key and reencrypts using Bob s public key. C a = Encrypt P Ka (M) C b = Encrypt P Kb (Decrypt SKa (C a )) The obvious problem with this strategy is that the mail server must be completely trusted - an unlikely real-world expectation. Up til 1997, this was unfortunately the best solution available. That year, Mambo and Okamoto suggested that there may be more efficient approaches involving partial decryptions, but offered no additional security benefits for Alice s secret key. [MO97] 2.2 Atomic Re-encryption: Blaze, Bleumer & Strauss, 1998 The BBS approach is based on the ElGamal cryptosystem and introduces the notion of a re-encryption key RK A B. [BBS98] Using RK A B allows the proxy to re-encrypt from one secret key to another without ever learning the plaintext. Let s recall the BBS re-encryption scheme. 17-1

Key Generation: < g >= G of prime order q. SK a = a Z q, randomly selected. P K a = g a RK A B = b/a = b a 1 (mod q) SK b = b Z q, randomly selected. P K b = g b Encryption: m G, random r Z q C a = (g r m, g ar ) Decryption: m = gr m (g ar ) 1/a Re-encryption: C a = (g r m, g ar ) C b = (g r m, (g ar ) RK A B) = (g r m, (g ar ) b/a ) = (g r m, g br ) Since the BBS proxy re-encryption algorithm is based on ElGamal, the ciphertext is semantically secure. Furthermore, without knowing a or b the proxy (mail server) cannot distinguish between RK A B = b/a and any random element of Z q. This scheme is very elegant. However, there are several issues that one might want to improve on: Bidirectionality: The proxy can compute (RK A B ) 1 = a/b, which would enable it to re-encrypt Bob s messages under Alice s key - Bob may not like this. Collusion: If the proxy colludes with Alice, it is trivial for them both to learn SK B. Likewise, the proxy and Bob may collude to learn Alice s secret key. Re-encryption key generation: In order to compute RK A B, one party must share his or her secret key with the other or they must rely on a trusted third party or compute some secure multiparty computation with the proxy. Can we do better? 2.3 Unidirectional Proxy Re-encryption We wish to improve on BBS in the following ways: No pre-sharing: Only require the use of SK a and P K b to create a re-encryption key from Alice to Bob. That is, Bob s secret key is not required. Unidirectionality: A re-encryption key from Alice to Bob should not allow re-encryptions from Bob to Alice. 17-2

Collusion-resistance: Even if working together, Alice and the proxy should not be able to learn anything about Bob s secret key. (Note that no pre-sharing seems to imply this nice collusion resistance property.) 2.3.1 Related Attempt: Dodis & Ivan, 2003 In 2003, Dodis and Ivan proposed a general scheme for proxy encryption (not re-encryption) using only standard public key cryptosystems. [DI03] However, their system required Alice and Bob to pre-share a secret. Although it is clear that such a pre-sharing phase is possible to accomplish securely (e.g., via Diffie-Hellman), it is undesireable. It may be that Alice and Bob have no prior relationship whatsoever and bidirectional communication is impossible. 2.3.2 Ateniese, Fu, Green & Hohenberger, 2005 In 2005, Ateniese et al. constructed the first unidirectional, collusion resistant re-encryption without any required pre-sharing between parties, based on bilinear maps[afgh06]. We will first review this algebraic setting and then describe their scheme. Bilinear Maps Bilinear maps gained great popularity in cryptography in 2001 when Boneh and Franklin used them to construct a special type of encryption scheme. Let s review the basics here. Let G 1, G 2, G 3 be cyclic groups of prime order q. Function e : G 1 G 2 G 3 is a bilinear map iff for all g 1 G 1, g 2 G 2, a, b Z q, that e(g a 1, gb 2 ) = e(g 1, g 2 ) ab. This proxy re-encryption algorithm uses bilinear maps of the form e : G 1 G 1 G 2, where G 1 =< g >. e must be efficiently computable. Also, e must be non-degenerate; that is, < e(g, g) >= G 2. Note that with bilinear maps, the traditional Diffie-Hellman problem is not computationally difficult: DDH: Given (g, g a, g b, g c ), is g ab = g c? This is equivalent to asking if e(g, g c ) = e(g a, g b ) Z c = Z ab (where Z = e(g, g)). If e is efficiently computable (as is required by the re-encryption algorithm), then so is the DDH problem. Therefore, cryptosystems using bilinear maps occasionally rely on the Decisional Bilinear Diffie-Hellman (DBDH) assumption and its related Inversion (DBDHI): DBDH: Given (g, g a, g b, g c (all G 1 ), T G 2 ), is T = e(g, g) abc? k-dbdhi: Given (g, g y, g y2...g yk (all in G 1 ), T G 2 ), is T = e(g, g) 1/y? See [Bet] for more information on Bilinear Maps and complexity assumptions. 17-3

The AFGH Algorithm Key Generation: < g >= G 1 of prime order q. SK a = a Z q, randomly selected. P K a = g a random r Z q Z = e(g, g) RK A B = (g b ) 1/a = g b/a SK b = b Z q, randomly selected. P K b = g b Encryption: m G 2. C a = (Z r m, g ra ) Decryption (Alice): m = Zr m e(g ra,g 1/a ) = Zr m Z r Re-encryption: C a = (Z r m, g ra ) C b = (Z r m, e(g ra, RK A B )) = (Z r m, e(g ra, g b/a )) = (Z r m, Z rb ) Decryption (Bob): m = Analysis Zr m (Z rb ) 1/b This algorithm offers several nice features (but it is still not perfect!). Let s take a closer look at its properties. No pre-sharing of secret keys. That is, Alice is able to compute RK A B using only SK a and P K b ; Bob does not need to share SK b with Alice or any other party in order for the proxy re-encryption to function. It is non-interactive: only Bob s public key and Alice s secret key are used to create the re-encryption key, so no prior arrangement or secret sharing is necessary. Taken together with the lack of pre-sharing, this means that Alice may use this scheme without any prior knowledge on the part of Bob. Proxy security is maintained. There is no way for the proxy to read the messages it is re-encrypting or extract either party s secret keys (on its own). It is unidirectional under the Inverse Exponent Assumption (equivalent to the Diffie- Hellman Assumption): the proxy cannot calculate g a/b from g b/a, and so Bob s ciphertexts cannot be re-encrypted for Alice. 17-4

The algorithm is collusion-resistant; it is hard for the proxy to extract b from RK A B = g b/a, even with the help of Alice. The semantic security of ElGamal with this re-encryption function is retained under the Decisional Bilinear Diffie-Hellman Inversion Assumption (DBDHI). Note that AFGH ciphertexts have two different forms: The original form (Z r m, g ra ) and the re-encrypted form (Z r m, Z rb ). In the first form the second element in the pair is an element of G 1 ; in the second form, the second element is an element of G 2. Aside from aesthetic objections about modifying the ciphertext in this way, the effect is that AFGH ciphertexts may only be re-encrypted once. Once RK A B has been used to produce C b, RK B C cannot be used to produce a ciphertext for Charlie. This has benefits and drawbacks. Alice is afforded an additional measure of control; she knows that even if she authorizes re-encryption for Bob, Bob can t then delegate to someone else. However, it is conceivable that in some situations the ability to further delegate might be highly desirable. 3 Other Applications Distributed Encrypted Storage Suppose we want to build an encrypted filesystem. Not just any encrypted file system - we want a distributed system where clients request the keys to files from a key server. Standard key server schemes suffer a big risk: the owners of the encrypted content must trust the key server to act correctly and securely. Also, the operator of the key server has complete control access to all of the encryption keys and must be trustworthy. Adapting the AFGH re-encryption scheme allows us to reduce the trust needed in the key server. Under this system, only the content owners have the capability to grant access to files, without sharing any secret keys, and the server operator has no access to the stored keys. Proxy re-encryption enables this in a not-terribly-inefficient way. 1. First, encrypt the filesystem using a fast symmetric key cryptosystem such as AES. A separate session key is used for each file. 2. Group Manager Alice then encrypts all of the file session keys under her proxy reencryption public key P K a. 3. When coworker Bob requests access to file F, Alice generates the re-encryption key RK A B and gives it to the key server. (For the next file Bob requests, this step does not need to be done.) 4. The key server (which may or may not be the same host as the file server) re-encrypts the file containing the AES key to F from Alice s public key to Bob s. 5. Bob may now use his secret key to decrypt the AES key file, which he uses to decrypt file F. 17-5

Alice may also act as a Group Manager. She would then be responsible for encrypting all of the stored AES keys under her SK a, and computing re-encryption keys as necessary for subordinates/coworkers to access the files they need. AFGH [AFGH06] implemented this filesystem on top of the Chefs networked file system using 128-bit AES. Running on a 2.8Ghz Pentium IV using an elliptic-curve crypto library, the system took 7.7ms for encryption, 21.7ms for re-encryption and 3.4ms for the final decryption. This performance was impractical when each filesystem block was encrypted separately, but was within range of practicality when encryption was performed on a more conventional per-file basis. Additional Applications Proxy re-encryption has also been used as the basis for program obfuscation. It is also being studied in relation to Identity-Based Encryption (IBE) and re-signature schemes. References [AFGH06] G. Ateniese, K. Fu, M. Green, and S. Hohenberger. Improved Proxy Reencryption Schemes with Applications to Secure Distributed Storage. In NDSS, 2006. [BBS98] M. Blaze, G. Bleumer, and M. Strauss. Divertable protocols and atomic proxy cryptography. In EUROCRYPT, 1998. [Bet] John Bethancourt. Intro to Bilinear Maps. http://www.cs.cmu.edu/ ~bethenco/bilinear_maps.pdf. [Online; accessed 8-April-2007]. [DI03] Y. Dodis and A. Ivan. Proxy Cryptography Revisited. In NDSS, 2003. [MO97] M. Mambo and E. Okamoto. Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts. In TFECCS, 1997. 17-6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information