Single-bit Re-encryption with Applications to Distributed Proof Systems Nikita Borisov and Kazuhiro Minami University of Illinois at Urbana-Champaign

Distributed Proof System (DPS) Construct a proof in a peer-to-peer way Useful for distributed authorization: –E.g., SD3, Binder, Grey system, PeerAccess, MK system etc. ?grant(Alice) Location Server Role Server ?doctor_present (room112) ?role(Alice, doctor) True Hospital Alice MRI 112

Integrity and Confidentiality Each peer specifies trust in the correctness of remote facts using rules with quoted facts Each peer protects its private facts with confidentiality policies MRI 112 Location Server ?doctor_present (room112) True grant(P) :- LocationServer says doctor_present(room112) acl(doctor_present(room112)) = {MRI112} MRI112  acl(location(P, room112))

Minami-Kotz (MK) algorithm A peer sends an encrypted fact to a principal who is not authorized to see it BobAlice Dave ?grant(Tom)?role(Tom, doctor) E Bob (True) grant(P) :- Dave says role(P,doctor)role(Tom, doctor) Use a randomized encryption scheme (RSA- OAEP) to prevent dictionary attacks acl(role(P,R)) = {Bob}

Safety of the MK algorithm High level analysis No disclosure of confidential facts to unauthorized parties Implementation-level analysis A covert channel using a random padding in an encrypted value

Our Solution Re-encrytion with Goldwasser-Micali (GM) public-key cryptosystem –Transform the encryption of a single bit into another, while preserving the bit value Commutative encryption scheme –Essentially a n-out-of-n threshold encryption necessary in distributed proof systems

MK Algorithm p 1 ’s knowledgep 2 ’s knowledge acl(f 3 ) = {p 1 }

MK Algorithm p 1 ’s knowledge p 2 ’s knowledge acl(f 3 ) = {p 1 }

Attack on the MK Algorithm p 1 ’s knowledge p 2 ’s knowledge T + ‘013342’ acl(f 3 ) = {p 1 } p 3 is in my proof ! p 4 must be in that proof, too Then, p 4 must have fact f 3 ! 

Attack on the MK Algorithm p 1 ’s knowledge p 2 ’s knowledge ‘Hi’ + ‘013342’ acl(f 3 ) = {p 1 }

Goldwasser-Micali (GM) Scheme with Re-encryption Represent a boolean value based on quadratic residuosity (QR) –True if a (mod n) = b 2 (mod n) –False otherwise Use re-encryption to convert an encrypted value to another BobAlice David a (= b 2 mod n)a’ (= b’ 2 mod n) n = pq

GM Encryption Scheme Public key: (n, x) where x is an NQR modulo n Private key: (p, q) where n = pq Encryption of a bit b: y 2 x b (mod n) where y is a random number With p and q, easy to check whether an encrypted value is a QR or an NQR

Unlinkability via Re-encryption BobAlice Dave a ay 2 mod n n = pq Pick y at random For all QR a and y, there exist QR a’ and y’ such that ay 2 = a’y’ 2 Tom a’

Commutative Encryption We cannot support nested encryption in the MK algorithm (e.g., E i (E j (T)) ) Instead, we support commutative encryption (e.g., E {i,j} (T) ) –Gives more proving power –Preserves the same safety property of the MK algorithm

Construction of Commutative Encryption Represented as a list of encrypted bits E.g., E {0,1,...,n} (b) = (E 1 (b 1 ),E 2 (b 2 ),...,E n (b n )) where b = b 1  b 2 ...  b n To obtain E {i,j} (b) from E {i} (b) 1.Form a pair (E {i} (b), E {j} (0)) 2.Re-randomize the pair by picking a random bit b’, and if b’ = 1 then obtain (E {i} (  b), E {j} (1)) where E {i} (  b) = x i E {i} (b)

Conclusion Identify a covert channel in the MK algorithm Apply single-bit re-encryption based on GM scheme Design a commutative encryption compatible with single-bit re-encryption Future work includes exploration of other applications such as e-voting and online games

Questions?