Single-bit Re-encryption with Applications to Distributed Proof Systems

1. Single-bit Re-encryption with Applications to Distributed Proof Systems Nikita Borisov and Kazuhiro Minami University of Illinois at Urbana-Champaign

2. Hospital Alice ?doctor_present (room112) ?role(Alice, doctor) MRI 112 Location Server Role Server ?grant(Alice) True True True Distributed Proof System (DPS) • Construct a proof in a peer-to-peer way • Useful for distributed authorization: • E.g., SD3, Binder, Grey system, PeerAccess, MK system etc.

3. ?doctor_present (room112) True Integrity and Confidentiality • Each peer specifies trust in the correctness of remote facts using rules with quoted facts • Each peer protects its private facts with confidentiality policies MRI 112 Location Server grant(P) :- LocationServer says doctor_present(room112) acl(doctor_present(room112)) = {MRI112} MRI112  acl(location(P, room112))

4. ?grant(Tom) ?role(Tom, doctor) EBob(True) EBob(True) Minami-Kotz (MK) algorithm • A peer sends an encrypted fact to a principal who is not authorized to see it • Use a randomized encryption scheme (RSA-OAEP) to prevent dictionary attacks Dave Bob Alice grant(P) :- Dave says role(P,doctor) role(Tom, doctor) acl(role(P,R)) = {Bob}

5. Safety of the MK algorithm Implementation-level analysis High level analysis A covert channel using a random padding in an encrypted value No disclosure of confidential facts to unauthorized parties

6. Our Solution • Re-encrytion with Goldwasser-Micali (GM) public-key cryptosystem • Transform the encryption of a single bit into another, while preserving the bit value • Commutative encryption scheme • Essentially a n-out-of-n threshold encryption necessary in distributed proof systems

7. MK Algorithm acl(f3) = {p1} p1’s knowledge p2’s knowledge

8. MK Algorithm acl(f3) = {p1} p2’s knowledge p1’s knowledge

9. T + ‘013342’ T + ‘013342’ T + ‘013342’ Attack on the MK Algorithm p3 is in my proof ! p4 must be in that proof, too Then, p4 must have fact f3!  acl(f3) = {p1} p2’s knowledge p1’s knowledge

10. ‘Hi’ + ‘013342’ ‘Hi’ + ‘013342’ ‘Hi’ + ‘013342’ Attack on the MK Algorithm acl(f3) = {p1} p2’s knowledge p1’s knowledge

11. Goldwasser-Micali (GM) Scheme with Re-encryption • Represent a boolean value based on quadratic residuosity (QR) • True ifa(mod n) =b2(mod n) • False otherwise • Use re-encryption to convert an encrypted value to another David Bob Alice a’ (= b’2 mod n) a (= b2 mod n) n = pq

12. GM Encryption Scheme • Public key: (n, x) where x is an NQR modulo n • Private key: (p, q) where n = pq • Encryption of a bit b: y2xb (mod n) where y is a random number • With p and q, easy to check whether an encrypted value is a QR or an NQR

13. Tom a’ For all QR a and y, there exist QR a’ and y’ such that ay2 = a’y’2 Unlinkability via Re-encryption Dave Bob Alice a ay2mod n n = pq Pick y at random

14. Commutative Encryption • We cannot support nested encryption in the MK algorithm (e.g., Ei(Ej(T)) ) • Instead, we support commutative encryption (e.g., E{i,j}(T) ) • Gives more proving power • Preserves the same safety property of the MK algorithm

15. Construction of Commutative Encryption • Represented as a list of encrypted bits E.g., E{0,1,...,n} (b) = (E1(b1),E2(b2),...,En(bn)) where b = b1  b2 ...  bn • To obtain E{i,j} (b) from E{i}(b) • Form a pair (E{i}(b), E{j}(0)) • Re-randomize the pair by picking a random bit b’, and if b’ = 1 then obtain (E{i}(b), E{j}(1)) where E{i}(b) = xiE{i}(b)

16. Conclusion • Identify a covert channel in the MK algorithm • Apply single-bit re-encryption based on GM scheme • Design a commutative encryption compatible with single-bit re-encryption • Future work includes exploration of other applications such as e-voting and online games

17. Questions?