Singlebit Reencryption with Applications to Distributed Proof Systems

1
Single-bit Re-encryption with Applications to
Distributed Proof Systems

• Nikita Borisov and Kazuhiro Minami
• University of Illinois
• at Urbana-Champaign

2
Distributed Proof System (DPS)

• Construct a proof in a peer-to-peer way
• Useful for distributed authorization
• E.g., SD3, Binder, Grey system, PeerAccess, MK
  system etc.

3
Integrity and Confidentiality

• Each peer specifies trust in the correctness of
  remote facts using rules with quoted facts
• Each peer protects its private facts with
  confidentiality policies

MRI 112
Location Server
grant(P) - LocationServer says
doctor_present(room112)
acl(doctor_present(room112)) MRI112
MRI112 ? acl(location(P, room112))
4
Minami-Kotz (MK) algorithm

• A peer sends an encrypted fact to a principal who
  is not authorized to see it

• Use a randomized encryption scheme (RSA-OAEP) to
  prevent dictionary attacks

Dave
Bob
Alice
grant(P) - Dave says role(P,doctor)
role(Tom, doctor)
acl(role(P,R)) Bob
5
Safety of the MK algorithm
High level analysis
Implementation-level analysis
A covert channel using a random padding in an
encrypted value
No disclosure of confidential facts to
unauthorized parties
6
Our Solution

• Re-encrytion with Goldwasser-Micali (GM)
  public-key cryptosystem
• Transform the encryption of a single bit into
  another, while preserving the bit value
• Commutative encryption scheme
• Essentially a n-out-of-n threshold encryption
  necessary in distributed proof systems

7
MK Algorithm
acl(f3) p1
p1s knowledge
p2s knowledge
8
MK Algorithm
acl(f3) p1
p2s knowledge
p1s knowledge
9
Attack on the MK Algorithm
p3 is in my proof !
p4 must be in that proof, too
Then, p4 must have fact f3!
?
acl(f3) p1
p2s knowledge
p1s knowledge
10
Attack on the MK Algorithm
acl(f3) p1
p2s knowledge
p1s knowledge
11
Goldwasser-Micali (GM) Scheme with Re-encryption

• Represent a boolean value based on quadratic
  residuosity (QR)
• True if a (mod n) b2 (mod n)
• False otherwise
• Use re-encryption to convert an encrypted value
  to another

David
Bob
Alice
a ( b2 mod n)
a ( b2 mod n)
n pq
12
GM Encryption Scheme

• Public key (n, x) where x is an NQR modulo n
• Private key (p, q) where n pq
• Encryption of a bit b y2xb (mod n) where y is a
  random number
• With p and q, easy to check whether an encrypted
  value is a QR or an NQR

13
Unlinkability via Re-encryption
Dave
Bob
Alice
a
ay2 mod n
n pq
Pick y at random
14
Commutative Encryption

• We cannot support nested encryption in the MK
  algorithm (e.g., Ei(Ej(T)) )
• Instead, we support commutative encryption (e.g.,
  Ei,j(T) )
• Gives more proving power
• Preserves the same safety property of the MK
  algorithm

15
Construction of Commutative Encryption

• Represented as a list of encrypted bits E.g.,
  E0,1,...,n (b) (E1(b1),E2(b2),...,En(bn))
• where b b1 ? b2 ? ... ? bn
• To obtain Ei,j (b) from Ei(b)
• Form a pair (Ei(b), Ej(0))
• Re-randomize the pair by picking a random bit b,
  and if b 1 then obtain (Ei(?b), Ej(1))
  where Ei(?b) xiEi(b)

16
Conclusion

• Identify a covert channel in the MK algorithm
• Apply single-bit re-encryption based on GM scheme
• Design a commutative encryption compatible with
  single-bit re-encryption
• Future work includes exploration of other
  applications such as e-voting and online games

17
Questions?