Study on The Secure Key-Evolving Protocols Kim Joong Man

2 Contents Introduction What is the Key-evolving? Preliminaries Key-evolving encryption scheme Key-evolving signature scheme Previous Work Future Work References

3 Introduction The Key Exposure Problem The exposure of the secret (signing) key is the total break of the system In practice, a more serious threat to security than the possibility of cryptanalysis of the signature scheme itself How to protect Bob’s private key Replace Bob’s public key when his private key is exposed - Not practical since Bob may not be aware of losing his private key Protect Bob’s private key on a secure device - Quite costly Use a threshold scheme to distribute SK - TA’s bear heavy load of computation

4 Our Goal To mitigate damage caused by key exposure Single-machine technique : no distribution of keys No special hardware

5 What is the Key-evolving? (Anderson’s Key-Evolving Paradigm) Break lifetime of scheme into T time periods e.g., 1 period = 1 day; T = 365 PK fixed – important for key management! SK evolves via public one-way function h SK j is deleted after time period j is over Signature is pair ( j,tag ), where j is the time period in which the signature occurred Period 1Period 2Period T ……… SKSK 1 SK 2 …… SK T h h hh

6 Preliminaries Forward-secure The compromise of the current secret key will not compromise previous secret keys Backward-secure The compromise of the current secret key will not compromise future secret keys Key-independent The protocol is both Forward-secure and Backward-secure

7 Key-evolving encryption scheme Key generation algorithm Private key update algorithm Gen (1 k, N ) = ( PK, SK 0 ) Encryption algorithm Decryption algorithm Upd ( PK, SK j-1, j ) = SK j Enc ( PK, m, j ) = Dec ( SK j, ) = m N is the total number of time periods, 1 k is a security parameter j is the current time period

8 Key-evolving signature scheme Gen (1 k, N ) = ( PK, SK 1 ) Secret key update algorithm Verification algorithm Sign ( SK j, M ) = Upd ( SK j ) = SK j+1 If Ver ( PK, M, ) = 1 then accept else reject If Ver ( PK, M, ) = 1 then accept else reject Key generation algorithm Signing algorithm N is the total number of time periods, 1 k is a security parameter sign is the signature of M at the current time period j j+1 is the next time period

9 Previous Work – TT01 Gen (1 k, N ) = ( PK, SK 0 ) P = 2q + 1 Select f(x) ≡ Set up :

10 Previous Work – TT01 Upd ( PK, SK j-1 ) = SK j Enc ( PK, m, j ) = Dec ( SK j, ) = m The decryptor Bob and TA together compute SK j = f(j) from their shares in a secure distributed way Compute and return

11 Previous Work – TT01 Key evolving with TA TA’s together compute SK j at the current time period j Only Bob (decryptor) knows SK j Use the Lagrange interpolation method Communicate via private channel between TA’s and Bob TA 1 …… Bob TA z TA 3 TA 2 Secure channel Compute SK j

12 Future Work Survey the secure key-evolving schemes Analysis of previous schemes Bringing up the problems in key-evolving protocols Modifying in more efficient scheme

13 References [1] R.J.Anderson, “ Two remarks on public key cryptology”, In rump Session Euro-crypt’97 [2] C.F.Lu, S.W.Shieh, “ Secure Key-Evolving Protocols”, RSA 2002 [3] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, “Handbook of Applied Cryptography”, BocaRaton, 1997 [4] W.Tzeng and Z.Tzeng, “Robust Key-evolving public key encryption schemes”, Record 2001/009, Cryptology ePrint Archive 2001 [5] J.Katz, “A forward-secure public-key encryption scheme”, Cryptology ePrint Archive Report 2002 [6] M.Bellare, S.K.Miner,” A Forward-Secure Digital Signature Scheme”, Cryptology - CRYPTO '99 Proceedings, LNCS 1666 [7] R.Anderson, Invited lecture, Fourth Annual Conference on Computer and Communications Security, ACM, 1997