Title: Key-Insulated Public Key Cryptosystems Moti Yung, RSA Labs and Columbia U.
1. Key-Insulated Public Key Cryptosystems
Moti Yung, RSA Labs and Columbia U.
2. Key Exposure Protection
- Talk based on papers published in EC-02 and PKC-03 (joint work with Y. Dodis, J. Katz and S. Xu).
- Nowadays, assuming a mobile device and a host (e.g., a home computer) is right (everyone will have/has a mobile and a computer).
- Thus we can strengthen crypto based on it, and derive other applications in the process.
3. Key Exposure
- Most cryptosystems rely on possession of a small, totally secret entity (the key) to perform various complex tasks.
- What if the key is lost/stolen/exposed (e.g., mobile device, Internet, snooping)?
- One of the most serious "real-life" attacks: it is often easier to steal the key than to break the underlying cryptography.
- Can we do anything?
4. Solution Approaches
- Tamper-resistant hardware (smartcards).
- Partial Key Exposure (weaker problem):
  - Secret sharing, Threshold Cryptography.
  - All-or-Nothing Transforms (AONT), ERFs.
- Key Evolution: change the secret key over time such that exposure of the current key minimizes the overall damage.
  - Forward security (protects past transactions).
  - Key-Insulated Security (this talk).
5. Forward Security
- N periods, single public key PK
- Initial secret key SK_0
- At period i:
  - secret key SK_i = Upd(i, SK_{i-1})
  - effective public key PK_i = (PK, i)
  - Public OP done with PK_i, secret OP done with SK_i
- Goal: under exposure of SK_i,
  - Periods 1, ..., (i-1) are still secure
  - Periods i, ..., N are necessarily completely broken
[Figure: key chain SK_0 -> SK_1 -> ... -> SK_{i-1} -> SK_i -> SK_{i+1} -> ... -> SK_N]
6. Key-Insulated Security
- N periods, single public key PK
- Initial secret key SK_0, ...
- At period i:
  - secret key SK_i = Upd(i, SK_{i-1}, ...)
  - effective public key PK_i = (PK, i)
  - Public OP done with PK_i, secret OP done with SK_i
- Goal: under exposure of SK_{i_1}, SK_{i_2}, ..., SK_{i_t},
  - Any period i not in {i_1, ..., i_t} is still secure
  - Only periods i_1, ..., i_t are (necessarily) broken
[Figure: key chain SK_0, ..., SK_{i_1}, SK_{i_2}, ..., SK_{i_t}, ..., SK_N, with only the exposed keys marked]
7. High-Level Idea
- Unlike forward security, the user U no longer performs key updates by itself: a helper H assists the user
  - The forward-security limitation no longer applies!
- All secret OPs are still done by U alone
  - Different from threshold/server-aided crypto!
- (t,N)-security: exposure of any t secret keys leaves every non-exposed period secure
- Strong (t,N)-security: H should not be able to perform any of the secret OPs (untrusted H)
8. More on the Model
- Stronger than the forward security guarantee
- New: introduction of a possibly untrusted H
  - cheap key updates: one message from H to U
  - All OPs by U (unlike Threshold)
  - H can't compromise U (no master key)
- Possible formalization:
  - Setup -> (PK, SK_0, SK*); U gets SK_0, H gets SK*
  - SK_i = Upd(SK_{i-1}, SK*), where H sends SK*
- What if Adv compromises the key update?
  - H cannot send SK*!
  - SK_i = Upd(SK_{i-1}, h_i), where H sends h_i = Help(SK*, i)
9. Key Updates
- Secure Key Updates
  - Minimal possible harm under exposure of the inter-period key-updating information (the h_i's)
  - Key update exposure between periods (i-1) and i <=> key exposure at periods (i-1) and i
  - SK_{i-1} + h_i (-> SK_i) <=> SK_{i-1} + SK_i
- Random Access Key Updates
  - H can help go between SK_j and SK_i for any i, j
  - E.g., emergency future Sig or past Dec
  - SK_i = Upd(SK_j, h_{ij}), where h_{ij} = Help(SK*, (j -> i))
10. The Attacker
- Fully adaptive and concurrent
  - attacks all N periods concurrently
  - adaptively issues key exposure requests (for security against H, these are replaced by knowledge of SK*)
  - succeeds if it breaks any one of the non-exposed periods (for signatures this means forging a new message in the given period)
- Typically stronger than real life
11. Brief Generic Summary
- Any non-exposed period secure
- All OPs done without helper
- Key Updates
  - Secure against inter-period exposure
  - Cheap and non-interactive
  - Random access: can go from any j to any i
- Security against helper
- Fully adaptive and concurrent attacker
- Achieve all, but often a subset suffices
12. Applications
- Key Exposure Protection (original)
- Limited-Time Delegation
- Limited-Time Key Escrow
- Identity-based Cryptography
  - Users identified by a non-crypto ID(U) = i
  - One common public key
  - t users can't compromise another user
  - Ideal t = N-1, but smaller t is often enough
13. Relation to ID-based Crypto
- An (N-1,N)-key-insulated signature / encryption scheme is also an ID-based scheme [DKXY02, BP02]
- Our approach based on trapdoor primitives encompasses all known non-generic constructions of ID-based primitives [S84, BF01, CC03, ...]
- Also yields new constructions (e.g., signature based on the 2^t-root/factoring assumption)
14. This Work vs. Related Work
- Key-insulated paradigm [DKXY02]
  - Introduced and formalized the notion
  - Constructions of public-key encryption schemes with rigorous security proofs
  - Strong security
- Other related ideas (all non-adaptive)
  - Signature delegation [GPR98]
  - Tamper-resistant signatures [G98]
  - Key-evolving PKE schemes [TT01, LS02] (weak non-adaptive model)
15. Our Results I: Signatures
- Strong key-insulated signature schemes
  - Generic scheme based on any signature scheme
  - Scheme based on discrete logarithms
  - Most efficient: scheme based on any trapdoor signature scheme (a similar approach works for encryption, but only one trapdoor encryption scheme is known)
16. Generic Signature Scheme
- Building blocks
  - Any regular signature scheme
- Parameters
  - t = N-1, maximal resiliency
  - Everything constant (equal to 2 or 3)
- Pretty much optimal; uses a certification idea
  - (Like in forward-security signatures. Easier than encryption.)
- Moral: while we do not have a full implementation of PKI, we can exploit its ideas
17. Optimal Signature Scheme
- PK = (VK_U, VK_H), SK_0 = SK_U, SK* = SK_H
- SK_i = (SK_U, sk_i, Sig_H(vk_i, i))
  - Sig_H(vk_i, i) is a certificate for (sk_i, vk_i)
- Update: H sends sk_i and cert_i = Sig_H(vk_i, i) for the current-period keys (sk_i, vk_i)
- Signature of m at period i:
  - (Sig_{vk_i}(m), Sig_U(m, i), cert_i = Sig_H(vk_i, i))
- Verification: check all sigs
- (Note: the same trick with SK_U can make any key-insulated signature strong)
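An added worked example of the certificate-based scheme on this slide (not code from the talk or its authors): a textbook Schnorr signature over a constructed toy group (p = 2039, q = 1019, g = 4) stands in for "any regular signature scheme", and the function names and the message encodings `"{vk_i}|{i}"` and `"{m}|{i}"` are assumptions made here.

```python
import hashlib
import secrets

# Constructed toy group (not from the slides): p = 2q + 1 with q prime, g a square
# and hence a generator of the order-q subgroup. The signature is a textbook Schnorr.
P, Q = 2039, 1019
G = pow(2, 2, P)

def schnorr_keygen():
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)   # (sk, vk)

def _challenge(r, vk, msg):
    digest = hashlib.sha256(f"{r}|{vk}|{msg}".encode()).digest()
    return int.from_bytes(digest, "big")

def schnorr_sign(sk, vk, msg):
    k = secrets.randbelow(Q)
    e = _challenge(pow(G, k, P), vk, msg)
    return e, (k - sk * e) % Q

def schnorr_verify(vk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(vk, e, P) % P   # g^s * vk^e = g^k
    return _challenge(r, vk, msg) == e

def setup():
    # PK = (VK_U, VK_H); U keeps SK_0 = SK_U, the helper keeps SK* = SK_H.
    sk_u, vk_u = schnorr_keygen()
    sk_h, vk_h = schnorr_keygen()
    return (vk_u, vk_h), sk_u, sk_h

def helper_update(sk_h, vk_h, i):
    # The one update message for period i: fresh (sk_i, vk_i) and cert_i = Sig_H(vk_i, i).
    sk_i, vk_i = schnorr_keygen()
    return i, sk_i, vk_i, schnorr_sign(sk_h, vk_h, f"{vk_i}|{i}")

def sign(sk_u, vk_u, period_key, m):
    # SK_i = (SK_U, sk_i, cert_i); output (Sig_vk_i(m), Sig_U(m, i), cert_i) together with vk_i.
    i, sk_i, vk_i, cert = period_key
    return vk_i, schnorr_sign(sk_i, vk_i, m), schnorr_sign(sk_u, vk_u, f"{m}|{i}"), cert

def verify(pk, i, m, sig):
    # Check all three signatures; the Sig_U part is what H alone cannot produce (strong security).
    vk_u, vk_h = pk
    vk_i, s_i, s_u, cert = sig
    return (schnorr_verify(vk_h, f"{vk_i}|{i}", cert)
            and schnorr_verify(vk_i, m, s_i)
            and schnorr_verify(vk_u, f"{m}|{i}", s_u))
```

Exposing one period key (sk_i, cert_i) lets an attacker sign only in period i, since every other period's certificate and Sig_U component are bound to a different i.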
18. Efficiency
- Achieves optimal security
- (Small) slowdown
  - Signing time x2
  - Verification time, signature length x3
  - Key update: 1 signing operation + 1 key generation (key generation may be costly)
19. Idea behind all DL-based schemes
- Secret polynomial p(x) = a_0 + a_1 x + ... + a_t x^t
- PK = (g^{a_0}, g^{a_1}, ..., g^{a_t})
- SK_0 = a_0 = p(0), SK* = (a_1, ..., a_t)
- Effective keys at period i:
  - SK_i = p(i), PK_i = g^{p(i)} = g^{SK_i}
- Notice:
  - PK_i = g^{a_0} (g^{a_1})^i (g^{a_2})^{i^2} ... (g^{a_t})^{i^t} = f(PK, i)
  - SK_i = SK_j + (SK_i - SK_j) = SK_j + h_{ij},
  - where h_{ij} = Help(SK*, (j -> i)) = p(i) - p(j)
20. Idea Continued
- Take a cryptosystem where pk = g^{sk}
  - E.g., Schnorr signature, ElGamal encryption
- Evolve keys as stated (functionality)
- Security intuition:
  - For any t keys p(i_1), p(i_2), ..., p(i_t), the value p(i) is truly random for i not in {i_1, ..., i_t}
  - Helper w/o a_0: any value p(i) is random
  - Hardness of discrete log ensures that g^{a_0}, g^{a_1}, ..., g^{a_t} do not help the breaker
21. Security?
- Thm: for fixed i_1, ..., i_t, one can't break security at any period i not in {i_1, ..., i_t}
- Security means the adversary cannot forge a signature in these periods (even when it initially can access the signing machine, it cannot sign a new message on its own)
22. Security?
- Security against a non-adaptive adversary only!
- The public key is committing, so we need to know in advance in which period to embed the unknown discrete log
- It is an unrealistic model to limit the adversary to attack at given times!
23. Getting Adaptive Security
- Use two random generators g and h!
- sk = (x, y), pk = z = g^x h^y
- 2-generator Okamoto vs. 1-generator Schnorr
24. Getting Adaptive Security (continued)
- Many legal ways to open the public key
- Use p(x) and q(y) to evolve both keys
  - SK_i = (x_i = p(i), y_i = q(i)), PK_i = z_i = g^{x_i} h^{y_i}
- No longer decide in advance where to put the hardness: know all secret keys, reduce to the hardness of computing log_g h!
25. More Details on Key Evolution
- Use two generators!
- Random p(x) = a_0 + a_1 x + ... + a_t x^t and q(x) = b_0 + b_1 x + ... + b_t x^t
- Now PK = (g^{a_0} h^{b_0}, g^{a_1} h^{b_1}, ..., g^{a_t} h^{b_t})
- and SK* = (a_1, b_1, ..., a_t, b_t)
- Effective keys for period i:
  - SK_i = (p(i), q(i)), PK_i = g^{p(i)} h^{q(i)}
26. Efficiency
- Only secure against a given number t of break-ins (public-key size is O(t))
- Efficiency
  - Fast key update (no cryptographic ops)
  - Basic signing (encrypting) time same as Okamoto-Schnorr (two-generator ElGamal)
  - Has a (small) overhead of computing the period public key, but this can be done once per period (computing the polynomial in the exponent trick)
27. Using trapdoor signatures
- Say signature scheme F has sk = x, vk = (y, f), where y = f(x) and f satisfies:
  - f is easy to invert using trapdoor T
  - Given u, z, it is easy to verify whether f(u) = z using f only
  - Note: sk does not have to include T!
- Examples
  - Schemes where f is a trapdoor permutation (Guillou-Quisquater, Fiat-Shamir, Ong-Schnorr)
  - Recent signatures in gap-DH groups where DDH is easy and CDH is hard [CC03]
  - (all use f(g^a) = g^{ab} where f = g^b and T = b)
28. Using trapdoor signatures
- Set global PK = f, SK* = T, vk_i = RO(i)
- H sends sk_i = f^{-1}(vk_i) (computed using T) to U, who uses (sk_i, vk_i) for period i
- To get strong security, distribute T and jointly compute sk_i = f^{-1}(vk_i)
  - Easy for most common schemes
- The same approach is used in current identity-based schemes [S84, BF01, CC03]
29. Efficiency
- As efficient as the underlying signature (encryption) scheme
- Achieves optimal security in the RO model
- Drawback: only works for specific assumptions
30. Our Results II: Encryption
- Key-insulated public-key encryption
  - (t,N)-security from any semantically-secure encryption scheme
  - Can extend to (t,N)-CCA2-security
  - Efficient (t,N)-security based on DDH
  - (t,N)-CCA2-security based on DDH
- All schemes are strong and have secure key updates / random access key updates
- Also a third scheme based on [BF01].
31. Preliminaries
- Encryption algorithm takes public key PK, period i, and message M and returns <i, C>
  - <i, C> <- E_PK(i, M)
- Decryption algorithm takes secret key SK_i and ciphertext <i, C> and returns M
32. The Adversary
- Intuitively, the adversary tries to fail the encryption on any of the unexposed key periods
- Adversary has access to:
  - Key exposure oracle: Exp(i) returns SK_i
  - Left-and-right oracle: given a vector b = (b_1, ..., b_N), oracle LR_{PK,b}(i, M_0, M_1) returns E_PK(i, M_{b_i})
33. Definition of Security
- Vector b = (b_1, ..., b_N) chosen at random
- Adversary gets PK, asks t queries to Exp and poly-many queries to LR, concurrently and adaptively
- Adversary outputs (i, b') s.t. Exp(i) was not called
- (t,N)-secure if |Pr[b' = b_i] - 1/2| is negligible
34. Generic Construction
- Building blocks
  - Semantically-secure encryption scheme
  - All-or-nothing transform (AONT)
  - t-cover-free family of sets
- Parameters
  - |PK| = |SK| = O(t^2 log N)
  - Enc. time and ciphertext length O(t log N)
  - Key updating time O(t log N)
- Using the cover-free property, the adversary cannot learn the keys of other periods for any t corruptions.
35. Result
- A generic scheme that works for N periods and t exposures and requires O(t^2 log N) in total, O(t log N) per period.
- The proof uses the fact that we use all-or-nothing, embeds an unknown key (in a guessed position) and breaks it if the adversary is successful.
36. Approach for DL-Based Schemes
- Idea: random p(x) = a_0 + a_1 x + ... + a_t x^t
- PK = (g^{a_0}, g^{a_1}, ..., g^{a_t}), SK_0 = a_0, SK* = (a_1, ..., a_t)
- Effective keys for period i:
  - SK_i = p(i), PK_i = g^{p(i)} = g^{SK_i}
- Notice again:
  - PK_i = g^{a_0} (g^{a_1})^i (g^{a_2})^{i^2} ... (g^{a_t})^{i^t}
  - SK_i = SK_j + (SK_i - SK_j) = SK_j + Help(SK*, (i, j))
37. Approach, continued
- Now use ElGamal encryption:
  - E_PK(i, M) = <i, g^r, (PK_i)^r M>
- Intuition:
  - For any t keys p(i_1), p(i_2), ..., p(i_t), the value p(i) is truly random for i not in {i_1, ..., i_t}
  - Hardness of discrete log ensures that g^{a_0}, g^{a_1}, ..., g^{a_t} do not help
38. Security?
- Again only the non-adaptive case.
- So not secure in the sense we want.
39. Adaptive Security
- Again, we use two generators!
- Random p(x) = a_0 + a_1 x + ... + a_t x^t and q(x) = b_0 + b_1 x + ... + b_t x^t
- Now PK = (g^{a_0} h^{b_0}, g^{a_1} h^{b_1}, ..., g^{a_t} h^{b_t})
- and SK* = (a_1, b_1, ..., a_t, b_t)
- Effective keys for period i:
  - SK_i = (p(i), q(i)), PK_i = g^{p(i)} h^{q(i)}
40. Adaptive Security cont'd
- Encrypt as E_PK(i, M) = <i, g^r, h^r, (PK_i)^r M>
- Decrypt via D_{SK_i}(<i, (u, v, z)>) = z / (u^{p(i)} v^{q(i)})
- Thm: the scheme achieves strong (t,N)-security against an adaptive adversary
- Remark: a modification based on Cramer-Shoup achieves CCA2 (security even when the adversary probes the system freely with ciphertexts of its choice)
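An added worked example (not code from the talk or its authors) of the two-generator key evolution on slides 24/25 and 39 together with the encryption and decryption of slide 40: the helper's random-access message h_ij, the user's update by addition, the period public key computed as a polynomial in the exponent, and a two-generator ElGamal round trip. The group parameters (p = 2039, q = 1019, g = 4, h = 9) are constructed toy values and the function names are assumptions.

```python
import secrets
# Constructed toy parameters (not from the slides): p = 2q + 1 with q prime;
# g and h are squares, so both generate the order-q subgroup of Z_p^*.
P, Q = 2039, 1019
G, H = pow(2, 2, P), pow(3, 2, P)   # log_g h is known to nobody honest

def keygen(t):
    # Random p(x) = a0 + ... + at x^t and q(x) = b0 + ... + bt x^t over Z_q.
    a = [secrets.randbelow(Q) for _ in range(t + 1)]
    b = [secrets.randbelow(Q) for _ in range(t + 1)]
    pk = [pow(G, a[k], P) * pow(H, b[k], P) % P for k in range(t + 1)]  # g^ak h^bk
    return pk, (a[0], b[0]), (a[1:], b[1:])   # PK, SK_0 for U, SK* for H (no a0, b0)

def helper_update(sk_helper, j, i):
    # Help(SK*, j -> i) = (p(i) - p(j), q(i) - q(j)); a0 and b0 cancel since i^0 = j^0.
    a_rest, b_rest = sk_helper
    diffs = [(pow(i, k, Q) - pow(j, k, Q)) % Q for k in range(1, len(a_rest) + 1)]
    da = sum(ak * d for ak, d in zip(a_rest, diffs)) % Q
    db = sum(bk * d for bk, d in zip(b_rest, diffs)) % Q
    return da, db

def user_update(sk_j, h_ij):
    # Upd: SK_i = SK_j + h_ij, two additions mod q and no cryptographic operation.
    return (sk_j[0] + h_ij[0]) % Q, (sk_j[1] + h_ij[1]) % Q

def period_pk(pk, i):
    # PK_i = prod_k (g^ak h^bk)^(i^k) = g^p(i) h^q(i): polynomial in the exponent.
    acc = 1
    for k, pk_k in enumerate(pk):
        acc = acc * pow(pk_k, pow(i, k, Q), P) % P
    return acc

def encrypt(pk, i, m):
    # E_PK(i, M) = <i, g^r, h^r, PK_i^r * M>; M is encoded as a subgroup element.
    r = secrets.randbelow(Q)
    return i, pow(G, r, P), pow(H, r, P), pow(period_pk(pk, i), r, P) * m % P

def decrypt(sk_i, ct):
    # D_SK_i(<i, (u, v, z)>) = z / (u^p(i) * v^q(i)); only SK_i = (p(i), q(i)) is needed.
    _, u, v, z = ct
    mask = pow(u, sk_i[0], P) * pow(v, sk_i[1], P) % P
    return z * pow(mask, -1, P) % P

def demo(t=2, j=3, i=7, m=16):
    # Walk U from period 0 to j, random-access from j to i, check SK_i against PK_i, round-trip m.
    pk, sk_0, sk_helper = keygen(t)
    sk_j = user_update(sk_0, helper_update(sk_helper, 0, j))
    sk_i = user_update(sk_j, helper_update(sk_helper, j, i))
    assert pow(G, sk_i[0], P) * pow(H, sk_i[1], P) % P == period_pk(pk, i)
    return decrypt(sk_i, encrypt(pk, i, m))
```

Note that helper_update never touches a0 or b0, which is the property behind strong security: H's view alone determines no SK_i.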
41. Proof Sketch
- DDH: given (g, h, u, w), decide if log_g u = log_h w
- Use g and h, choose all secret keys, publish PK. Note: all Exp-queries can be answered!
- When Adv asks an LR-query (i, m_0, m_1), choose random b and return (u, w, u^{p(i)} w^{q(i)} m_b)
- If log_g u = log_h w: perfect simulation
- If u, w are random: the view of Adv is information-theoretically independent of b
42. Conclusions
- Formal definition of the key-insulated model
- Many advantages over previous models
- Variety of efficient implementations
- The key-insulated paradigm is relevant to many algorithms and protocols
- Inspired further research (e.g., the intrusion-resilient model), relation to ID-based...
- Applications to delegation, key escrow, ID-based sig., etc.
43. Conclusions
- Cryptography should evolve as technology evolves
- Cryptography should be part of a solution, even when the problem does not look cryptographic
  - and sometimes relatively efficient/simple solutions are found
- Also: a better security solution may lead to new functionality!