
Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04)

Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04). Markus Jakobsson Ari Juels RSA Labs. Paul Syverson NRL. Philippe Golle Stanford (now at PARC). Extra Acknowledgements. Most Mix illustrations cribbed from a talk by Ari Juels


Presentation Transcript


  1. Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) • Markus Jakobsson, Ari Juels (RSA Labs) • Paul Syverson (NRL) • Philippe Golle (Stanford, now at PARC) • UMBC Protocol Meeting 10/01/03

  2. Extra Acknowledgements • Most Mix illustrations cribbed from a talk by Ari Juels • Some RFID slides cribbed from Markus Jakobsson’s ACM WiSe’03 talk • See their Web pages for originals

  3. Talk Outline • Background and Motivation for mixes and universal re-encryption • Definitions, Security Properties • Implementation using ElGamal • Applications: Bulletin Board, RFID Privacy • Security Arguments

  4. What does a mix network do? • Randomly permutes and decrypts inputs [Figure: message 1, message 2, message 3, message 4 entering the mix network]

  5. What does a mix network do? • Key property: Adversary can’t tell which ciphertext corresponds to a given message [Figure: message 2, ?]

  6. Example application: Anonymizing bulletin board or e-mail [Figure: messages from Alice, from Bob, from Charlie]

  7. Example application: Anonymizing bulletin board or e-mail [Figure: messages from Alice, from Charlie, from Bob; posts “Nobody loves Bob”, “I love Charlie”, “I love Alice”] • Is it Bob, Charlie, self-love, or other?

  8. A look under the hood

  9. Basic Mix (Chaum ‘81) [Figure: Server 1, Server 2, Server 3; public keys PK1, PK2, PK3]

  10. Encryption of Message • Ciphertext = $E_{PK_1}[E_{PK_2}[E_{PK_3}[\text{message}]]]$ [Figure: message; public keys PK1, PK2, PK3]

  11. Basic Chaumian Mix [Figure: messages m1, m2, m3 pass through Server 1, Server 2, Server 3; each server decrypts and permutes]

  12. Basic Chaumian Mix • Observe: As long as one server is honest, privacy is preserved [Figure: messages m1, m2, m3; each server decrypts and permutes]

  13. Basic Chaumian Mix [Figure: Server 1, Server 2, Server 3; m3; ?]

  14. What if one server fails? [Figure: Server 1, Server 2, Server 3; SK2] • Previous solution ideas: • Robustness: Share key among other mixes • Twinning Splitting • Reliability: Track and use reputable mixes

  15. What if one server fails? [Figure: Server 1, Server 2, Server 3; SK2; X] • New Idea: Mixing without keys • No need to depend on any server (recovery mechanism) • No need to trust servers to protect keys • No need for PKI

  16. A look further under the hood

  17. Basic Re-encryption Mixnet • Inputs are ciphertexts • Outputs are a re-encryption of the inputs. • ElGamal public key encryption: • Anyone can encrypt with the public key e • Those who know the secret key d can also decrypt • Malleable: can produce E2(m) from E1(m) without knowing d • Verifiable • Multiplicative homomorphism: given E(m) and E(m’) I can produce E(mm’)

  18. Universal Re-encryption Mixnet • Inputs are ciphertexts • Outputs are a re-encryption of the inputs. • ElGamal public key encryption: • Anyone can encrypt without the public key e • Those who know the secret key d can also decrypt • Messages encrypted with different keys are indistinguishable

  19. Talk Outline • Background and Motivation for mixes and universal re-encryption • Definitions, Security Properties • Implementation using ElGamal • Applications: Bulletin Board, RFID Privacy • Security Arguments

  20. Randomized Public-Key Cryptosystem • (PK, SK)  KG :generate key pairs • C  E(m, r, PK) :encryption of m • m  D(SK, C) :decryption of C

  21. Semantic Security • Adversary chooses (m0 , m1 ) • Messages are encrypted • (C0 , C1 ) = (E(m0, r0, PK), E(m1, r1, PK)) and randomly permuted • If adversary determines order correctly no better than by guessing (within ) system is semantically secure

  22. Re-encryption • Given: • Randomized public-key cryptosystem • Ciphertexts of form C = E(m, r, PK) • C’  Re(C, r’, PK) :Re-encryption of m

  23. Semantic Security under Re-encryption • Adversary chooses (C0 , C1 ) • Messages are re-encrypted • (C0’, C1’) = (Re(C0, r0’, PK), Re(C1, r1’, PK)) and randomly permuted • If adversary gets order correct no better than by guessing (within ) system is semantically secure under re-encryption

  24. Key-Privacy (Anonymity) • Adversary chooses message m • m is encrypted under PK0 and PK1: E(m, PK0 ) = C0, E(m, PK1 ) = C1 • If adversary guesses correspondence of ciphertext with public key with negligible advantage, scheme satisfies key-privacy • Bellare et al. (ASIACRYPT’01) showed ElGamal provides anonymity under chosen-ciphertext assuming DDH.

  25. Universal Re-encryption • Given: • Randomized public-key cryptosystem • Ciphertexts of form C = E(m, r, PK) • C’  URe(C, r’, PK) : Universal re-encryption of m X

  26. Universal Semantic Security under Re-encryption • Combines semantic security and key-privacy • Given PK0 and PK1 adversary chooses (m0, m1, r0, r1 ) to produce (C0, C1 ) • Messages are universal re-encrypted (C0’, C1’) = (URe(C0, r0’), URe(C1, r1’)) • Ciphertexts are randomly ordered (Cb’, C1-b’) • If adversary gets order correct no better than by guessing (within ) system is universal semantically secure under re-encryption

  27. Talk Outline • Background and Motivation for mixes and universal re-encryption • Definitions, Security Properties • ElGamal based Universal Re-encryption • Applications: Bulletin Board, RFID Privacy • Security Arguments

  28. ElGamal Encryption • $P, Q$ are prime, $P = 2Q + 1$ • $G_Q$ subgroup of $Z_P^*$ of order $Q$ • $g$ generator of $G_Q$ • x $G_Q$ is private key • $y = g^x \bmod P$ is public key • $E(m) = (g^r, m y^r)$ where r $G_Q$, r random • $D(G, M) = M / G^x = m y^r / g^{xr} = m$

  29. ElGamal with Re-encryption • Ciphertext $(G, M)$ • Re-encryption $(G', M') = (G g^{r'}, M y^{r'})$ • Needs public key $y$ but not private key • $D(G', M') = M' / G'^x = m y^{r + r'} / g^{x(r + r')} = m$ • Introduced for voting • Much work on efficient provable shuffles

  30. Universal Re-encryption • $(a, b) = (E[m]; E[1])$, where $E$ is ElGamal encryption • $(a', b') = (R[b, k]\,a; R[b, k'])$ • $R[*, k]$ is re-encryption with random $k$ • $(E[m]', E[1]') = [(m y^r y^{kr'}, g^r g^{kr'}), (y^{r'k'}, g^{r'k'})]$ • $D(E[m]') = M' / G'^x = m y^{r + kr'} / g^{x(r + kr')} = m$

  31. Symmetric-hybrid Encryption • $U[k_1], U[1], e[k_1, m]$ • $U[1]$ is universal blank: can be converted to $U[m_i]$, can be reused • $e[k_1, m]$ is symmetric encryption of $m$ • Final message $U[k_1], U[k_2], \ldots, U[k_n], e[k_n, e[k_{n-1}, \ldots e[k_1, m] \ldots]]$ • Can also do an asymmetric hybrid

  32. Talk Outline • Background and Motivation for mixes and universal re-encryption • Definitions, Security Properties • Implementation using ElGamal • Applications: Low Volume Bulletin Board, RFID Privacy • Security Arguments

  33. Universal Mixnet (Bulletin Board) • Senders post messages universally encrypted for recipients • Proof of Knowledge if nonmalleability desired • Any server can download, mix, and repost any or all messages • Servers can be dynamic • Shuffle proof if desired • No PKI and less trust of each server • No robustness/reliability issues with server failure • No overhead or threats from replay (universal semantic security)

  34. Low Volume Bulletin Board • Suppose a bulletin board as above • Can mix with previous messages on board • Advantage: less delay retrieving new posts • Advantage: no need to detect replay (sort of) • Disadvantage: Must try decrypting all messages to find ones for you • Mitigate growth with message removal after PoK?

  35. RFID Tags • EZ Pass automated toll payment • Supermarket shipment tracking, stock monitoring, theft prevention • Consumer stock monitoring, ordering • Consumer theft-protection of belongings • Implants in family pets • Monitoring cash flows (500 Euro notes)

  36. Privacy Problems

  37. Privacy Solutions?

  38. Privacy Solutions?

  39. Privacy Solutions? Method 2: “Put to sleep” RFID tags Problems: • No continuous use • Complexity, key management, trust

  40. Privacy Solution: Blocker Tags (Juels, Rivest & Szydlo)

  41. Universal Re-encryption for RFID Tag Privacy (Example) • Alice at supermarket checkout. • Uses PKAlice from fidelity card. • Cashier creates universal ciphertexts on Alice’s purchase IDs. • As Alice walks home passes readers that re-encrypt her tags or does it herself. • Alice enters home, tags decrypted for home use.

  42. Security of ElGamal based BB • Correctness: Can do shuffle proofs of correct mixing • Communication privacy: If the universal cryptosystem is universal semantic-secure, then bulletin board construct provides communication privacy. • For ElGamal implementation, communication privacy reduced to DDH.

  43. Conclusions • Universal Re-encryption: New primitive • Proven Security: • ElGamal BB is correct (wrt mixing) • ElGamal BB reducible to DDH. • Applications: • Reduced trust in mixes • Less complex mixnets (no PKI) • Privacy preserving RFID tags • Future • Reduce receiver overhead in bulletin board • Meteor Mixing (with George Danezis)
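
The ElGamal-based universal re-encryption of slides 28 to 30, as an added example that is not code from the talk or its authors. The parameters P = 2039, Q = 1019, g = 4 are constructed toy values, the function names are hypothetical, and the rule that decryption accepts only when the E[1] half decrypts to 1 is taken from the published scheme rather than from the slides.

```python
import secrets

# Constructed toy parameters (far too small for real use): safe prime P = 2Q + 1.
P, Q = 2039, 1019
g = 4  # a square mod P, so it generates the order-Q subgroup G_Q

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)            # uniform in [1, Q-1]

def keygen():
    x = rand_exp()
    return x, pow(g, x, P)                         # (private x, public y = g^x)

def elgamal(m, y):
    r = rand_exp()
    return (m * pow(y, r, P) % P, pow(g, r, P))    # (M, G) = (m*y^r, g^r)

def uencrypt(m, y):
    # Universal ciphertext: the pair (E[m], E[1]) under the same key y.
    # m should lie in G_Q (a square mod P) for the security argument to apply.
    return elgamal(m, y), elgamal(1, y)

def ureencrypt(ct):
    # No key needed: raise E[1] to random k and k', fold the first into E[m].
    (M, G), (M1, G1) = ct
    k, k2 = rand_exp(), rand_exp()
    return ((M * pow(M1, k, P) % P, G * pow(G1, k, P) % P),
            (pow(M1, k2, P), pow(G1, k2, P)))

def dec(pair, x):
    M, G = pair
    return M * pow(G, -x, P) % P                   # M / G^x  (Python 3.8+)

def udecrypt(ct, x):
    # Assumption from the published scheme: accept only if the E[1] half
    # decrypts to 1. A bulletin-board reader uses this to find its own posts.
    if dec(ct[1], x) != 1:
        return None
    return dec(ct[0], x)

if __name__ == "__main__":
    x, y = keygen()
    mixed = ureencrypt(ureencrypt(uencrypt(9, y)))  # two mixes, neither knows y
    print(udecrypt(mixed, x))
```

A reader holding a different private key gets `None` from `udecrypt`, which is the "must try decrypting all messages" cost noted on slide 34.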
