Study on The Secure Key-Evolving Protocols Kim Joong Man 20022036 seopo@icu.ac.kr

Contents
• Introduction
• What is the Key-evolving?
• Preliminaries
• Key-evolving encryption scheme
• Key-evolving signature scheme
• Previous Work
• Future Work
• References

Introduction
• The Key Exposure Problem
  • The exposure of the secret (signing) key is the total break of the system
  • In practice, a more serious threat to security than the possibility of cryptanalysis of the signature scheme itself
• How to protect Bob's private key
  • Replace Bob's public key when his private key is exposed
    - Not practical, since Bob may not be aware of losing his private key
  • Protect Bob's private key on a secure device
    - Quite costly
  • Use a threshold scheme to distribute SK
    - The TAs bear a heavy load of computation

Our Goal
• To mitigate damage caused by key exposure
• Single-machine technique: no distribution of keys
• No special hardware

What is the Key-evolving? (Anderson's Key-Evolving Paradigm)
[Figure: the secret key evolves $SK \to SK_1 \to SK_2 \to \dots \to SK_T$ over Period 1, Period 2, …, Period T, each step applying $h$]
• Break the lifetime of the scheme into T time periods
  • e.g., 1 period = 1 day; T = 365
• PK is fixed – important for key management!
• SK evolves via a public one-way function $h$
• $SK_j$ is deleted after time period $j$ is over
• A signature is a pair $(j, tag)$, where $j$ is the time period in which the signature occurred

Preliminaries
• Forward-secure
  • The compromise of the current secret key will not compromise previous secret keys
• Backward-secure
  • The compromise of the current secret key will not compromise future secret keys
• Key-independent
  • The protocol is both forward-secure and backward-secure

Key-evolving encryption scheme
• Key generation algorithm: $Gen(1^k, N) = (PK, SK_0)$
• Private key update algorithm: $Upd(PK, SK_{j-1}, j) = SK_j$
• Encryption algorithm: $Enc(PK, m, j) = \langle j, c \rangle$
• Decryption algorithm: $Dec(SK_j, \langle j, c \rangle) = m$
• $N$ is the total number of time periods, $1^k$ is a security parameter
• $j$ is the current time period

Key-evolving signature scheme
• Key generation algorithm: $Gen(1^k, N) = (PK, SK_1)$
• Signing algorithm: $Sign(SK_j, M) = \langle j, sign \rangle$
• Secret key update algorithm: $Upd(SK_j) = SK_{j+1}$
• Verification algorithm: if $Ver(PK, M, \langle j, sign \rangle) = 1$ then accept, else reject
• $N$ is the total number of time periods, $1^k$ is a security parameter
• $sign$ is the signature of $M$ at the current time period $j$
• $j+1$ is the next time period

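An added example (not from the original slides): a toy Python instance of the Gen / Sign / Upd / Ver interface above, following the squaring-based construction of Bellare and Miner cited in the references as [6]. The modulus, the 64-bit challenge length and the SHA-256 challenge hash are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy modulus (constructed): product of two publicly known Mersenne primes,
# both 3 mod 4. A real key uses secret random primes; this N is factorable.
N_MOD = (2**127 - 1) * (2**107 - 1)
L_BITS = 64  # number of secret components, one per challenge bit

def _challenge(j, y, msg):
    """Hash (period, commitment, message) into L_BITS challenge bits."""
    c = int.from_bytes(hashlib.sha256(f"{j}|{y}|".encode() + msg).digest(), "big")
    return [(c >> i) & 1 for i in range(L_BITS)]

def gen(t):
    """Gen: return (PK, SK_1); PK is fixed for all t periods."""
    s0 = [secrets.randbelow(N_MOD - 2) + 2 for _ in range(L_BITS)]
    pk = (t, [pow(s, 2 ** (t + 1), N_MOD) for s in s0])
    return pk, upd((t, 0, s0))

def upd(sk):
    """Upd: square every component; the old key must then be erased."""
    t, j, s = sk
    return (t, j + 1, [pow(x, 2, N_MOD) for x in s])

def sign(sk, msg):
    """Sign: return <j, (Y, Z)> under the period-j secret key."""
    t, j, s = sk
    if not 1 <= j <= t:
        raise ValueError("key lifetime exceeded")
    r = secrets.randbelow(N_MOD - 2) + 2
    y = pow(r, 2 ** (t + 1 - j), N_MOD)
    z = r
    for bit, s_i in zip(_challenge(j, y, msg), s):
        if bit:
            z = z * s_i % N_MOD
    return j, (y, z)

def ver(pk, msg, sig):
    """Ver: accept iff Z^(2^(t+1-j)) == Y * prod(U_i^c_i) mod N."""
    t, u = pk
    j, (y, z) = sig
    if not 1 <= j <= t or y % N_MOD == 0:
        return False
    rhs = y % N_MOD
    for bit, u_i in zip(_challenge(j, y, msg), u):
        if bit:
            rhs = rhs * u_i % N_MOD
    return pow(z, 2 ** (t + 1 - j), N_MOD) == rhs
```

Recovering an earlier period's key from the current one means taking square roots modulo N, which is what makes the update one-way when the factors of N are secret.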
Previous Work – TT01
• $Gen(1^k, N) = (PK, SK_0)$
• Set up: $P = 2q + 1$
• Select f(x) ≡

Previous Work – TT01
• $Upd(PK, SK_{j-1}) = SK_j$
  • The decryptor Bob and TA together compute $SK_j = f(j)$ from their shares in a secure distributed way
• $Enc(PK, m, j) = \langle j, \alpha, s \rangle$
• $Dec(SK_j, \langle j, \alpha, s \rangle) = m$
  • Compute and return

Previous Work – TT01
[Figure: TA1, TA2, TA3, …, TAz connected to Bob over a secure channel; Bob computes $SK_j$]
• Key evolving with TA
  • The TAs together compute $SK_j$ at the current time period $j$
  • Only Bob (the decryptor) knows $SK_j$
  • Use the Lagrange interpolation method
  • Communicate via a private channel between the TAs and Bob

Future Work
• Survey the secure key-evolving schemes
• Analysis of previous schemes
• Bringing up the problems in key-evolving protocols
• Modifying them into a more efficient scheme

References
[1] R. J. Anderson, "Two remarks on public key cryptology", in Rump Session, Eurocrypt '97
[2] C. F. Lu, S. W. Shieh, "Secure Key-Evolving Protocols", RSA 2002
[3] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, "Handbook of Applied Cryptography", Boca Raton, 1997
[4] W. Tzeng and Z. Tzeng, "Robust Key-evolving public key encryption schemes", Record 2001/009, Cryptology ePrint Archive, 2001
[5] J. Katz, "A forward-secure public-key encryption scheme", Cryptology ePrint Archive Report, 2002
[6] M. Bellare, S. K. Miner, "A Forward-Secure Digital Signature Scheme", Cryptology - CRYPTO '99 Proceedings, LNCS 1666
[7] R. Anderson, Invited lecture, Fourth Annual Conference on Computer and Communications Security, ACM, 1997