A New Public Key Cryptosystem with Key Escrow...
43
A New Public Key Cryptosystem with Key Escrow Capabilities Ruxandra Olimid University of Bucharest [email protected] 25 september 2012 Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 1 / 31
Transcript of A New Public Key Cryptosystem with Key Escrow...
A New Public Key Cryptosystem with Key EscrowCapabilities
Ruxandra Olimid
University of [email protected]
25 september 2012
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 1 / 31
Confidentiality
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 2 / 31
Confidentiality
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 3 / 31
Public Key Encryption
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 4 / 31
Public Key Encryption
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 5 / 31
Lawful Interception
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 6 / 31
Motivation
Communication monitoring
Delegation of duties
Backup of cryptographic keys
Solutions?
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 7 / 31
Motivation
Communication monitoring
Delegation of duties
Backup of cryptographic keys
Solutions?
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 7 / 31
Trivial Approach
The authority that performs interception owns the secret keys of the users..
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 8 / 31
Trivial Approach
The authority that performs interception owns the secret keys of the users..
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 9 / 31
IBE (Identity Based Encryption)
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 10 / 31
Our Goal
NOT to find a better solution than IBE
Find a solution based on ASKGA (Asymmetric Group Key Agreement)
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 11 / 31
Our Contribution
1 Define a lawful interception system based on ASGKA
2 Analyze its security and its performance
3 Extend the system to allow hierarchical structures
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 12 / 31
ASGKA
Introduced by Wu et al. [Eurocrypt’09]The parties agree on a same public keyEach party owns a different secret key
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 13 / 31
Our Idea
For n = 2 ASGKA provides lawful interception abilities...
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 14 / 31
Our Idea
We extend to n > 2...
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 15 / 31
Our Idea
... and make all the manager keys equal.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 16 / 31
Preliminaries
Definition
Let G , GT be 2 cyclic groups of prime order p, G =< g >. An efficientlycomputable bilinear map is a map e : G × G → GT that satisfies:
1 Bilinearity: e(ua, vb) = e(u, v)ab, ∀u, v ∈ G and ∀a, b ∈ Z2 Non-degeneracy: e(g , g) 6= 1
3 Computability: e(g1, g2) can be efficiently computed, ∀g1, g2 ∈ G
Decisional Bilinear Diffie-Hellman (DBDH) Assumption
Given g , ga, gb, g c ∈ G , no PPT adversary can distinguish (with anon-negligible advantage) e(g , g)abc from Z = e(g , g)z , z ∈ Zq.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 17 / 31
Preliminaries
Definition
Let G , GT be 2 cyclic groups of prime order p, G =< g >. An efficientlycomputable bilinear map is a map e : G × G → GT that satisfies:
1 Bilinearity: e(ua, vb) = e(u, v)ab, ∀u, v ∈ G and ∀a, b ∈ Z2 Non-degeneracy: e(g , g) 6= 1
3 Computability: e(g1, g2) can be efficiently computed, ∀g1, g2 ∈ G
Decisional Bilinear Diffie-Hellman (DBDH) Assumption
Given g , ga, gb, g c ∈ G , no PPT adversary can distinguish (with anon-negligible advantage) e(g , g)abc from Z = e(g , g)z , z ∈ Zq.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 17 / 31
Our Proposal
1 Public parameters generationPairGen(1λ)→ Y = (p,G ,GT , e)
2 Manager keys generationFor hman,Xman ←R G , rman ←R Z∗
p:Rman = g−rman
Aman = e(Xman, g)σman = Xmanhrman
man
3 Users keys generationFor i = 1..n
hi ←R G , ri ←R Z∗p:
Xi = Xmanhrman−riman
Ri = g−ri
Ai = e(Xi , g)σi = Xih
rii
4 Keys distribution
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 18 / 31
Our Proposal
1 Public parameters generationPairGen(1λ)→ Y = (p,G ,GT , e)
2 Manager keys generationFor hman,Xman ←R G , rman ←R Z∗
p:Rman = g−rman
Aman = e(Xman, g)σman = Xmanhrman
man
3 Users keys generationFor i = 1..n
hi ←R G , ri ←R Z∗p:
Xi = Xmanhrman−riman
Ri = g−ri
Ai = e(Xi , g)σi = Xih
rii
4 Keys distribution
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 18 / 31
Our Proposal
1 Public parameters generationPairGen(1λ)→ Y = (p,G ,GT , e)
2 Manager keys generationFor hman,Xman ←R G , rman ←R Z∗
p:Rman = g−rman
Aman = e(Xman, g)σman = Xmanhrman
man
3 Users keys generationFor i = 1..n
hi ←R G , ri ←R Z∗p:
Xi = Xmanhrman−riman
Ri = g−ri
Ai = e(Xi , g)σi = Xih
rii
4 Keys distribution
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 18 / 31
Our Proposal
1 Public parameters generationPairGen(1λ)→ Y = (p,G ,GT , e)
2 Manager keys generationFor hman,Xman ←R G , rman ←R Z∗
p:Rman = g−rman
Aman = e(Xman, g)σman = Xmanhrman
man
3 Users keys generationFor i = 1..n
hi ←R G , ri ←R Z∗p:
Xi = Xmanhrman−riman
Ri = g−ri
Ai = e(Xi , g)σi = Xih
rii
4 Keys distributionRuxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 18 / 31
Our Proposal
Encryption: A plaintext m ∈ GT is encrypted using the public key(Ri ,Ai ) of a group member Pi as (t →R Z∗
p):c = (c1, c2, c3) = (g t ,Rt
i ,mAti )
Decryption: A ciphertext c = (c1, c2, c3):
may be decrypted by Pi :m = c3
e(σi ,c1)e(hi ,c2)
may be decrypted by Pman:m = c3
e(σman,c1)e(hman,c2)
Theorem (Correctness)
The basic system is correctly defined, in the sense that only the intendedgroup member and the manager are allowed to decrypt a ciphertext.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 19 / 31
Our Proposal
Encryption: A plaintext m ∈ GT is encrypted using the public key(Ri ,Ai ) of a group member Pi as (t →R Z∗
p):c = (c1, c2, c3) = (g t ,Rt
i ,mAti )
Decryption: A ciphertext c = (c1, c2, c3):
may be decrypted by Pi :m = c3
e(σi ,c1)e(hi ,c2)
may be decrypted by Pman:m = c3
e(σman,c1)e(hman,c2)
Theorem (Correctness)
The basic system is correctly defined, in the sense that only the intendedgroup member and the manager are allowed to decrypt a ciphertext.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 19 / 31
Our Proposal
Encryption: A plaintext m ∈ GT is encrypted using the public key(Ri ,Ai ) of a group member Pi as (t →R Z∗
p):c = (c1, c2, c3) = (g t ,Rt
i ,mAti )
Decryption: A ciphertext c = (c1, c2, c3):
may be decrypted by Pi :m = c3
e(σi ,c1)e(hi ,c2)
may be decrypted by Pman:m = c3
e(σman,c1)e(hman,c2)
Theorem (Correctness)
The basic system is correctly defined, in the sense that only the intendedgroup member and the manager are allowed to decrypt a ciphertext.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 19 / 31
Ind-CPA Security
Theorem
The basic system is Ind-CPA secure under the Decisional BilinearDiffie-Hellman (DBDH) assumption.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 20 / 31
A New Member Joins the Group
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 21 / 31
A Member Leaves the Group
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 22 / 31
The Manager Leaves the Group
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 23 / 31
Extension to Hierarchical Structures
.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 24 / 31
Extension to Hierarchical Structures
Each secret key and each public key consists of m sub-keys
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 25 / 31
Extension to Hierarchical Structures
Each secret key and each public key consists of m sub-keys
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 25 / 31
Building Blocks
BasicGen: the previously proposed protocol;
FwdGen: BasicGen where skman = ski , ∀i = 1..n;
CopyGen: BasicGen where skman = ski and pkman = pki , ∀i = 1..n;
BasicGen
FwdGen CopyGen
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 26 / 31
Building Blocks
BasicGen: the previously proposed protocol;
FwdGen: BasicGen where skman = ski , ∀i = 1..n;
CopyGen: BasicGen where skman = ski and pkman = pki , ∀i = 1..n;
BasicGen FwdGen
CopyGen
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 26 / 31
Building Blocks
BasicGen: the previously proposed protocol;
FwdGen: BasicGen where skman = ski , ∀i = 1..n;
CopyGen: BasicGen where skman = ski and pkman = pki , ∀i = 1..n;
BasicGen FwdGen CopyGen
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 26 / 31
The Extended System
for each level l = 0..m − 1:for each participant on level l :
for each key component i = 1..m:- if i < m − l : FwdGen- if i = m − l : BasicGen- if i > m − l : CopyGen
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 27 / 31
The Extended System
Encryption: A plaintext m ∈ GT is encrypted using the public key((Ri1,Ai1), ..., (Rim,Aim)) of a group member Pi as (t →R Z∗
p):c = (c1, c21, ..., c2m, c3) = (g t ,Rt
i1, ...,Rtim,m(Ai1...Aim)t)
Decryption: A ciphertext c = (c1, c21, ..., c2m, c3):
may be decrypted by Pi :m = c3
e(σi1,c1)...(σim,c1)e(hi1,c21)...e(him,c2m)
may be decrypted by Pman, any manager of Pi in the hierarchy:m = c3
e(σman1,c1)...e(σmanm,c1)e(hman1,c21)...e(hmanm,c2m)
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 28 / 31
The Extended System
Encryption: A plaintext m ∈ GT is encrypted using the public key((Ri1,Ai1), ..., (Rim,Aim)) of a group member Pi as (t →R Z∗
p):c = (c1, c21, ..., c2m, c3) = (g t ,Rt
i1, ...,Rtim,m(Ai1...Aim)t)
Decryption: A ciphertext c = (c1, c21, ..., c2m, c3):
may be decrypted by Pi :m = c3
e(σi1,c1)...(σim,c1)e(hi1,c21)...e(him,c2m)
may be decrypted by Pman, any manager of Pi in the hierarchy:m = c3
e(σman1,c1)...e(σmanm,c1)e(hman1,c21)...e(hmanm,c2m)
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 28 / 31
The Extended System
Theorem
The extended system is correctly defined, in the sense that only theintended group member and any of his managers in the hierarchy areallowed to decrypt a ciphertext.
Theorem
The extended system remains Ind-CPA secure under the DecisionalBilinear Diffie-Hellman (DBDH) assumption.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 29 / 31
The Extended System
Theorem
The extended system is correctly defined, in the sense that only theintended group member and any of his managers in the hierarchy areallowed to decrypt a ciphertext.
Theorem
The extended system remains Ind-CPA secure under the DecisionalBilinear Diffie-Hellman (DBDH) assumption.
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 29 / 31
Future Work
Possible Improvments
Achieve Ind-CCA security
Decrease the role of the key generation authority
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 30 / 31
Thank you!
Questions
Ruxandra Olimid (UNIBUC) A New PKS with KE Capabilities 25 september 2012 31 / 31
![Improved Cryptanalysis of the KMOV Elliptic Curve Cryptosystem · Both attacks improve the existing attacks on the KMOV cryptosystem. 1 Introduction The RSA cryptosystem [21], invented](https://static.fdocuments.in/doc/165x107/5f0265ed7e708231d4041456/improved-cryptanalysis-of-the-kmov-elliptic-curve-cryptosystem-both-attacks-improve.jpg)
