Single-bit Re-encryption with Applications to Distributed Proof Systems - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Single-bit Re-encryption with Applications to Distributed Proof Systems

Description:

Single-bit Re-encryption with Applications to Distributed Proof Systems Nikita Borisov and Kazuhiro Minami University of Illinois at Urbana-Champaign – PowerPoint PPT presentation

Number of Views:115
Avg rating:3.0/5.0
Slides: 18
Provided by: Kazu97
Category:

less

Transcript and Presenter's Notes

Title: Single-bit Re-encryption with Applications to Distributed Proof Systems


1
Single-bit Re-encryption with Applications to
Distributed Proof Systems
  • Nikita Borisov and Kazuhiro Minami
  • University of Illinois
  • at Urbana-Champaign

2
Distributed Proof System (DPS)
  • Construct a proof in a peer-to-peer way
  • Useful for distributed authorization
  • E.g., SD3, Binder, Grey system, PeerAccess, MK
    system etc.

3
Integrity and Confidentiality
  • Each peer specifies trust in the correctness of
    remote facts using rules with quoted facts
  • Each peer protects its private facts with
    confidentiality policies

MRI 112
Location Server
grant(P) - LocationServer says
doctor_present(room112)
acl(doctor_present(room112)) MRI112
MRI112 ? acl(location(P, room112))
4
Minami-Kotz (MK) algorithm
  • A peer sends an encrypted fact to a principal who
    is not authorized to see it
  • Use a randomized encryption scheme (RSA-OAEP) to
    prevent dictionary attacks

Dave
Bob
Alice
grant(P) - Dave says role(P,doctor)
role(Tom, doctor)
acl(role(P,R)) Bob
5
Safety of the MK algorithm
High level analysis
Implementation-level analysis
A covert channel using a random padding in an
encrypted value
No disclosure of confidential facts to
unauthorized parties
6
Our Solution
  • Re-encrytion with Goldwasser-Micali (GM)
    public-key cryptosystem
  • Transform the encryption of a single bit into
    another, while preserving the bit value
  • Commutative encryption scheme
  • Essentially a n-out-of-n threshold encryption
    necessary in distributed proof systems

7
MK Algorithm
acl(f3) p1
p1s knowledge
p2s knowledge
8
MK Algorithm
acl(f3) p1
p2s knowledge
p1s knowledge
9
Attack on the MK Algorithm
p3 is in my proof !
p4 must be in that proof, too
Then, p4 must have fact f3!
?
acl(f3) p1
p2s knowledge
p1s knowledge
10
Attack on the MK Algorithm
acl(f3) p1
p2s knowledge
p1s knowledge
11
Goldwasser-Micali (GM) Scheme with Re-encryption
  • Represent a boolean value based on quadratic
    residuosity (QR)
  • True if a (mod n) b2 (mod n)
  • False otherwise
  • Use re-encryption to convert an encrypted value
    to another

David
Bob
Alice
a ( b2 mod n)
a ( b2 mod n)
n pq
12
GM Encryption Scheme
  • Public key (n, x) where x is an NQR modulo n
  • Private key (p, q) where n pq
  • Encryption of a bit b y2xb (mod n) where y is a
    random number
  • With p and q, easy to check whether an encrypted
    value is a QR or an NQR

13
Unlinkability via Re-encryption
Dave
Bob
Alice
a
ay2 mod n
n pq
Pick y at random
14
Commutative Encryption
  • We cannot support nested encryption in the MK
    algorithm (e.g., Ei(Ej(T)) )
  • Instead, we support commutative encryption (e.g.,
    Ei,j(T) )
  • Gives more proving power
  • Preserves the same safety property of the MK
    algorithm

15
Construction of Commutative Encryption
  • Represented as a list of encrypted bits E.g.,
    E0,1,...,n (b) (E1(b1),E2(b2),...,En(bn))
  • where b b1 ? b2 ? ... ? bn
  • To obtain Ei,j (b) from Ei(b)
  • Form a pair (Ei(b), Ej(0))
  • Re-randomize the pair by picking a random bit b,
    and if b 1 then obtain (Ei(?b), Ej(1))
    where Ei(?b) xiEi(b)

16
Conclusion
  • Identify a covert channel in the MK algorithm
  • Apply single-bit re-encryption based on GM scheme
  • Design a commutative encryption compatible with
    single-bit re-encryption
  • Future work includes exploration of other
    applications such as e-voting and online games

17
Questions?
Write a Comment
User Comments (0)
About PowerShow.com