Presentation is loading. Please wait.

Presentation is loading. Please wait.

Single-bit Re-encryption with Applications to Distributed Proof Systems Nikita Borisov and Kazuhiro Minami University of Illinois at Urbana-Champaign.

Published byOphelia Rachel Martin Modified over 9 years ago

Similar presentations

Presentation on theme: "Single-bit Re-encryption with Applications to Distributed Proof Systems Nikita Borisov and Kazuhiro Minami University of Illinois at Urbana-Champaign."— Presentation transcript:

1 Single-bit Re-encryption with Applications to Distributed Proof Systems Nikita Borisov and Kazuhiro Minami University of Illinois at Urbana-Champaign

2 Distributed Proof System (DPS) Construct a proof in a peer-to-peer way Useful for distributed authorization: –E.g., SD3, Binder, Grey system, PeerAccess, MK system etc. ?grant(Alice) Location Server Role Server ?doctor_present (room112) ?role(Alice, doctor) True Hospital Alice MRI 112

3 Integrity and Confidentiality Each peer specifies trust in the correctness of remote facts using rules with quoted facts Each peer protects its private facts with confidentiality policies MRI 112 Location Server ?doctor_present (room112) True grant(P) :- LocationServer says doctor_present(room112) acl(doctor_present(room112)) = {MRI112} MRI112  acl(location(P, room112))

4 Minami-Kotz (MK) algorithm A peer sends an encrypted fact to a principal who is not authorized to see it BobAlice Dave ?grant(Tom)?role(Tom, doctor) E Bob (True) grant(P) :- Dave says role(P,doctor)role(Tom, doctor) Use a randomized encryption scheme (RSA- OAEP) to prevent dictionary attacks acl(role(P,R)) = {Bob}

5 Safety of the MK algorithm High level analysis No disclosure of confidential facts to unauthorized parties Implementation-level analysis A covert channel using a random padding in an encrypted value

6 Our Solution Re-encrytion with Goldwasser-Micali (GM) public-key cryptosystem –Transform the encryption of a single bit into another, while preserving the bit value Commutative encryption scheme –Essentially a n-out-of-n threshold encryption necessary in distributed proof systems

7 MK Algorithm p 1 ’s knowledgep 2 ’s knowledge acl(f 3 ) = {p 1 }

8 MK Algorithm p 1 ’s knowledge p 2 ’s knowledge acl(f 3 ) = {p 1 }

9 Attack on the MK Algorithm p 1 ’s knowledge p 2 ’s knowledge T + ‘013342’ acl(f 3 ) = {p 1 } p 3 is in my proof ! p 4 must be in that proof, too Then, p 4 must have fact f 3 ! 

10 Attack on the MK Algorithm p 1 ’s knowledge p 2 ’s knowledge ‘Hi’ + ‘013342’ acl(f 3 ) = {p 1 }

11 Goldwasser-Micali (GM) Scheme with Re-encryption Represent a boolean value based on quadratic residuosity (QR) –True if a (mod n) = b 2 (mod n) –False otherwise Use re-encryption to convert an encrypted value to another BobAlice David a (= b 2 mod n)a’ (= b’ 2 mod n) n = pq

12 GM Encryption Scheme Public key: (n, x) where x is an NQR modulo n Private key: (p, q) where n = pq Encryption of a bit b: y 2 x b (mod n) where y is a random number With p and q, easy to check whether an encrypted value is a QR or an NQR

13 Unlinkability via Re-encryption BobAlice Dave a ay 2 mod n n = pq Pick y at random For all QR a and y, there exist QR a’ and y’ such that ay 2 = a’y’ 2 Tom a’

14 Commutative Encryption We cannot support nested encryption in the MK algorithm (e.g., E i (E j (T)) ) Instead, we support commutative encryption (e.g., E {i,j} (T) ) –Gives more proving power –Preserves the same safety property of the MK algorithm

15 Construction of Commutative Encryption Represented as a list of encrypted bits E.g., E {0,1,...,n} (b) = (E 1 (b 1 ),E 2 (b 2 ),...,E n (b n )) where b = b 1  b 2 ...  b n To obtain E {i,j} (b) from E {i} (b) 1.Form a pair (E {i} (b), E {j} (0)) 2.Re-randomize the pair by picking a random bit b’, and if b’ = 1 then obtain (E {i} (  b), E {j} (1)) where E {i} (  b) = x i E {i} (b)

16 Conclusion Identify a covert channel in the MK algorithm Apply single-bit re-encryption based on GM scheme Design a commutative encryption compatible with single-bit re-encryption Future work includes exploration of other applications such as e-voting and online games

17 Questions?

Download ppt "Single-bit Re-encryption with Applications to Distributed Proof Systems Nikita Borisov and Kazuhiro Minami University of Illinois at Urbana-Champaign."

Similar presentations

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.

Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.
Secure Context-sensitive Authorization Kazuhiro Minami and David Kotz Dartmouth College.

Secure Context-sensitive Authorization Kazuhiro Minami and David Kotz Dartmouth College.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
7. Asymmetric encryption-

7. Asymmetric encryption-
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #10 Sep 18 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
UCB Security Jean Walrand EECS. UCB Outline Threats Cryptography Basic Mechanisms Secret Key Public Key Hashing Security Systems Integrity Key Management.

UCB Security Jean Walrand EECS. UCB Outline Threats Cryptography Basic Mechanisms Secret Key Public Key Hashing Security Systems Integrity Key Management.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Similar presentations

Ads by Google