Key-Insulated Public Key Cryptosystems Moti Yung, RSA Labs and Columbia U.

1
Key-Insulated Public Key CryptosystemsMoti
Yung, RSA Labs and Columbia U.
2
Key Exposure Protection

• Talk based on papers published in EC-02 and
  PKC-03 (Joint work with Y. Dodis, J. Katz and S.
  Xu)
• Nowadays assuming a mobile device and a host
  (e.g., a home computer) is right (everyone will
  have/has a mobile and a computer).
• Thus we can strengthen crypto based on it! .and
  derive other applications in the process..

3
Key Exposure

• Most cryptosystems rely on possession of small
  totally secret entity (key) to perform various
  complex tasks.
• What if the key is lost/stolen/exposed? (e.g.,
  mobile device, Internet, snooping)?
• One of the most serious real-life'' attacks
• often easier to steal the key than to break the
  underlying cryptography.
• Can we do anything?

4
Solution Approaches

• Tamper-resistant hardware (smartcards).
• Partial Key Exposure (weaker problem)
• Secret sharing, Threshold Cryptography.
• All-or-Nothing Transforms (AONT), ERFs.
• Key Evolution change secret key over time such
  that exposure of current key minimizes the
  overall damage.
• Forward security (protect past transactions)
• Key-Insulated Security (this talk)

5
Forward Security

• N periods, single public key PK
• Initial Secret key SK0
• At period i
• secret key SKi Upd(i, SKi-1)
• effective public key PKi (PK, i)
• Public OP done with PKi, secret OP done with SKi
• Goal under exposure of SKi,
• Periods 1,,(i-1) are still secure
• Periods i,,N are necessarily completely broken

SK0
SK1
SKi-1
SKi
SKN

SKi1

6
Key-Insulated Security

• N periods, single public key PK
• Initial Secret key SK0,
• At period i
• secret key SKi Upd(i, SKi-1, )
• effective public key PKi (PK, i)
• Public OP done with PKi, secret OP done with SKi
• Goal under exposure of SKi1,SKi2,,SKit
• Any period i ? i1,,it is still secure
• Only periods i1,,it are (necessarily) broken

SKit

SKi1

SKi2
SKN

SK0
7
High-Level Idea

• Unlike forward security, user U no longer
  performs key updates by itself
• Helper H assists the user
• forward-security limitation no longer applies!
• All secret OPs are still done by U alone
• Different from threshold/server-aided crypto!
• (t,N)-security exposure of any t secret keys
  leaves every non-exposed period secure
• Strong (t,N)-security H should not be able to
  perform any of the secret OPs (untrusted H)

8
More on the Model

• Stronger than forward security guarantee
• New introduction of possibly untrusted H
• cheap key updates one message from H to U
• All OPs by U (unlike Threshold)
• H cant compromise U (no master key)
• Possible formalization
• Setup (PK, SK0, SK), U gets SK0, H gets SK
• SKiUpd(SKi-1, SK), where H sends SK
• What if Adv compromises key update?
• H cannot send SK!
• SKiUpd(SKi-1, hi), where H sends hi Help(SK,i)

9
Key Updates

• Secure Key Updates
• Minimal possible harm under exposure of
  inter-period key-updating information (the his)
• Key update exposure between periods (i-1) and i ?
  key exposure at periods (i-1) and i
• SKi-1 hi ( SKi) ? SKi-1 SKi
• Random Access Key Updates
• H can help go between SKj and SKi for any i,j
• E.g., emergency future Sig or past Dec
• SKiUpd(SKj, hij), where hij Help(SK, (j?i))

10
The Attacker

• Fully adaptive and concurrent
• attacks all N periods concurrently
• adaptively issues key exposure requests (for
  security against H, replaced by the knowledge of
  SK)
• succeeds if breaks any one of the non-exposed
  periods (for signature means forges a new
  message in the given period)
• Typically stronger than real life

11
Brief Generic Summary

• Any non-exposed period secure
• All OPs done without helper
• Key Updates
• Secure against inter-period exposure
• Cheap and non-interactive
• Random access can go from any j to any i
• Security against helper
• Fully adaptive and concurrent attacker
• Achieve all, but often a subset suffices

12
Applications

• Key Exposure Protection (original)
• Limited-Time Delegation
• Limited-Time Key Escrow
• Identity-based Cryptography
• Users identified by non-crypto ID(U)i
• One common public key
• t users cant compromise another user
• Ideal tN-1, but smaller t often enough

13
Relation to ID-based Crypto

• An (N-1,N)-key-insulated signature / encryption
  scheme is also an ID-based scheme DKXY02,BP02
• Our approach based on trapdoor primitives
  encompasses all known non-generic constructions
  of ID-based primitives S84,BF01,CC03,
• Also yields new constructions (e.g., signature
  based on 2t-root/factoring assumption)

14
This Work vs. Related Work

• Key-insulated paradigm DKXY02
• Introduced and formalized the notion
• Constructions of public-key encryption schemes
  with rigorous security proofs
• Strong security
• Other related ideas (all non-adaptive)
• Signature delegation GPR98
• Tamper-resistant signatures G98
• Key-evolving PKE schemes TT01,LS02 (weak
  non-adaptive model)

15
Our Results I Signatures

• Strong key-insulated signature schemes
• Generic scheme based on any signature scheme
• Scheme based on discrete logarithms
• Most efficient scheme based on any trapdoor
  signature scheme (similar approach works for
  encryption, but only one trapdoor encryption
  scheme is known)

16
Generic Signature Scheme

• Building blocks
• Any regular signature scheme
• Parameters
• tN-1, maximal resiliency
• Everything constant (equal to 2 or 3)
• Pretty much optimal uses a certification idea
• (Like in forward security sig. Easier than enc.)
• Morale While we do not have full implementation
  of PKI, we can exploit its ideas

17
Optimal Signature Scheme

• PK(VKU,VKH), SK0SKU, SKSKH
• SKi (SKU, ski, SigH(vki,i))
• SigH(vki,i) is certificate for (ski, vki)
• Update H sends ski, cert-ISigH(vki,i) for
  current-period keys (ski, vki)
• Signature of m at period i
• (Sigvki(m), SigU(m, i), cert-ISigH(vki,i))
• Verification check all sigs
• (Note same trick with SKU can make any key
  insulated signature strong)

18
Efficiency

• Achieves optimal security
• (Small) slowdown
• Signing time x2
• Verification time, signature length x3
• Key update 1 signing operation 1 key
  generation (key generation may be costly)

19
Idea behind all DL-based schemes

• Secret polynomial p(x)a0a1xatxt
• PK (ga0, ga1,, gat)
• SK0 a0 p(0), SK (a1,,at)
• Effective Keys at period i
• SKi p(i) PKi gp(i) gSKi
• Notice
• PKi ga0 (ga1)i (ga2)i2 (gat)it f(PK, i)
• SKi SKj (SKi - SKj) SKj hij ,
• where hijHelp(SK,(j?i)) p(j) p(i)

20
Idea Continued

• Take cryptosystem where pk gsk
• E.g., Schnorr signature, ElGamal encryption
• Evolve keys as stated (functionality)
• Security intuition
• For any t keys p(i1),p(i1),,p(it), the value
  p(i) is truly random for i ? i1,,it
• Helper w/o a0 any value p(i) is random
• Hardness of discrete log ensures that ga0, ga1,,
  gat do not help the breaker

21
Security?

• Thm for fixed i1,,it, cant break security at
  any period i ? i1,,it
• Security means adversary cannot forge a
  signature in these periods (even when initially
  can access signing machine, cannot sign on its
  own a new message)

22
Security ?

• Security against non-adaptive adversary only!
• Public key is committing, so need to know in
  advance in which period to embed the unknown
  discrete log
• This is unrealistic model to limit the adversary
  to attack at given times!

23
Getting Adaptive Security

• Use two random generators g and h!
• sk (x,y) pk z gx hy
• 2-generator Okamoto vs. 1-generator Schnorr

24
Getting Adaptive Security

• Use two random generators g and h!
• sk (x,y) pk z gx hy
• 2-generator Okamoto vs. 1-generator Schnorr

• Many legal ways to open the public key
• Use p(x) and q(y) to evolve both keys
• SKi (xip(i), yiq(i)), PKi zi gxi hyi
• No longer decide in advance where to put the
  hardness know all secret keys, reduce to
  hardness of computing logg h !

25
More Details on Key Evolution

• Use two generators!
• Random p(x) a0 a1x atxt and q(x)
  b0 b1x btxt
• Now PK (ga0hb0, ga1 hb1,, gat hbt)
• and SK (a1,b1,,at,bt)
• Effective keys for period i
• SKi (p(i), q(i)) PKi gp(i)hq(i)

26
Efficiency

• Only secure against a given number t of break-ins
  (public-key size is O(t))
• Efficiency
• Fast key update (no cryptographic ops)
• Basic signing (encrypting) time same as
  Okamoto-Schnorr (two-generator ElGamal)
• Has (small) overhead of computing the period
  public key, but can be done once per period
  (computing polynomial in the exponent trick)

27
Using trapdoor signatures

• Say signature F has skx, vk(y,f), where
  yf(x) and f satisfies
• f is easy to invert using trapdoor T
• Given u, z, easy to verify if f(u)z using f
  only
• Note, sk does not have to include T !
• Examples
• Schemes where f is a trapdoor permutation
  (Guillou-Quisquater, Fiat-Shamir, Ong-Schnorr)
• Recent signatures in gap-DH groups where DDH is
  easy and CDH is hard CC03
• (all use f(ga) gab where f gb and Tb)

28
Using trapdoor signatures

• Set global PKf, SKT, vkiRO(i)
• H sends ski f-1(vki) (computed using T) to U,
  who uses (ski, vki) for period i
• To get strong security, distribute T and jointly
  compute ski f-1(vki)
• Easy for most common schemes
• Same approach is used in current identity-based
  schemesS84,BF01,CC03

29
Efficiency

• As efficient as the underlying signature
  (encryption) scheme
• Achieves optimal security in RO model
• Drawback only works for specific assumptions

30
Our Results II Encryption

• Key-insulated public-key encryption
• (t,N)-security from any semantically-secure
  encryption scheme
• Can extend to (t,N)-CCA2-security
• Efficient (t,N)-security based on DDH
• (t,N)-CCA2-security based on DDH
• All schemes are strong and have secure key
  updates /random access key updates
• Also third scheme based on BF01.

31
Preliminaries

• Encryption algorithm takes public key PK, period
  i, and message M and returns lti, Cgt
• lti,Cgt ? EPK(i, M)
• Decryption algorithm takes secret key SKi and
  ciphertext lti, Cgt and returns M

32
The Adversary

• Intuitively adversary tries to fail the
  encryption on any of unexposed key periods
• Adversary has access to
• Key exposure oracle Exp(i) returns SKi
• Left-and-right oracle Given a vector b (b1,
  , bN), oracle LRPK,b(i,M0,M1) returns EPK(i, Mbi)

33
Definition of Security

• Vector b (b1, , bN) chosen at random
• Adversary gets PK asks t queries to Exp and
  poly-many queries to LR concurrently and
  adaptively
• Adversary outputs (i, b) s.t. Exp(i) not called
• (t,N)-secure if Prb bi
  ½ is negligible

34
Generic Construction

• Building blocks
• Semantically-secure encryption scheme
• All-or-nothing transform (AONT)
• t-cover free family of sets
• Parameters
• PK SK O(t2 log N)
• Enc. time and ciphertext length O(t log N)
• Key updating time O(t log N)
• Using the cover-free property, adversary cannot
  learn keys of other periods for any t corruptions.

35
Result

• A generic scheme that works for N periods, t
  exposures and requires O(t2 log N) in total, O(t
  log N) per period.
• The proof uses the fact that we use all or
  nothing and embeds an unknown key (in a guessed
  position) and breaks it if adversary is
  successful.

36
Approach for DL-Based Schemes

• Idea random p(x)a0 a1x atxt
• PK (ga0, ga1,, gat) SK0 a0 SK (a1,,at)
• Effective keys for period i
• SKi p(i) PKi gp(i) gSKi
• Notice again
• PKi ga0 (ga1)i (ga2)i2 (gat)it
• SKi SKj (SKi - SKj) SKj Help(SK,(i,j))

37
Approach, continued

• Now use El Gamal encryption
• EPK(i, M) lti, gr, (PKi)r Mgt
• Intuition
• For any t keys p(i1),p(i1),,p(it), the value
  p(i) is truly random for i ? i1,,it
• Hardness of discrete log ensures that ga0, ga1,,
  gat do not help

38
Security?

• Again only non-adaptive case.
• So not secure in the sense we want.

39
Adaptive Security

• Again, we use two generators! .
• Random p(x) a0 a1x atxt and q(x)
  b0 b1x btxt
• Now PK (ga0hb0, ga1 hb1,, gat hbt)
• and SK (a1,b1,,at,bt)
• Effective keys for period i
• SKi (p(i), q(i)) PKi gp(i)hq(i)

40
Adaptive Security contd

• Encrypt as EPK(i,M) lti, gr, hr, (PKi)r
  Mgt
• Decrypt via DSKi(lti, (u, v, z)gt)
  z/up(i)vq(i)
• Thm Scheme achieves strong (t,N)-security
  against adaptive adversary
• Remark Modification based on Cramer-Shoup
  achieves CCA2 (security even when adversary
  probes the system freely with ciphertexts of its
  choice.)

41
Proof Sketch

• DDH given (g,h,u,w) decide if loggu loghw
• Use g and h, choose all secret keys, publish PK.
  Note all Exp-queries can be answered!
• When Adv asks LR-query (i,m0,m1), choose random b
  and return (u, w, up(i)wq(i)mb)
• If loggu loghw, perfect simulation
• If u,w random, view of Adv is info-theoretically
  independent of b

42
Conclusions

• Formal definition of key-insulated model
• Many advantages over previous models
• Variety of efficient implementations
• Key-insulated paradigm is relevant to many
  algorithms and protocols
• Inspired further research (e.g.,
  intrusion-resilient model) relation to
  ID-based..
• Applications to delegation, key escrow, ID-based
  sig. etc.

43
Conclusions

• Cryptography should evolve as technology evolves
• Cryptography should be part of a solution, even
  when the problem does not look cryptographic
• and sometimes relatively efficient/ simple
  solutions are found
• Alsobetter security solution may lead to new
  functionality!