Title: Single-bit Re-encryption with Applications to Distributed Proof Systems
1. Single-bit Re-encryption with Applications to Distributed Proof Systems
- Nikita Borisov and Kazuhiro Minami
- University of Illinois at Urbana-Champaign
2. Distributed Proof System (DPS)
- Construct a proof in a peer-to-peer way
- Useful for distributed authorization
- E.g., SD3, Binder, Grey system, PeerAccess, MK system, etc.
3. Integrity and Confidentiality
- Each peer specifies trust in the correctness of remote facts using rules with quoted facts
- Each peer protects its private facts with confidentiality policies
[Figure: peers MRI 112 and Location Server. Labels: grant(P) - LocationServer says doctor_present(room112); acl(doctor_present(room112)) MRI112; MRI112 ? acl(location(P, room112))]
4. Minami-Kotz (MK) algorithm
- A peer sends an encrypted fact to a principal who is not authorized to see it
- Use a randomized encryption scheme (RSA-OAEP) to prevent dictionary attacks
[Figure: peers Dave, Bob and Alice. Labels: grant(P) - Dave says role(P,doctor); role(Tom, doctor); acl(role(P,R)) Bob]
5. Safety of the MK algorithm
- High-level analysis
- Implementation-level analysis
- A covert channel using random padding in an encrypted value
- No disclosure of confidential facts to unauthorized parties
6. Our Solution
- Re-encryption with the Goldwasser-Micali (GM) public-key cryptosystem
- Transform the encryption of a single bit into another, while preserving the bit value
- Commutative encryption scheme
- Essentially an n-out-of-n threshold encryption necessary in distributed proof systems
7. MK Algorithm
[Figure: labels acl(f3) p1; p1's knowledge; p2's knowledge]
8. MK Algorithm
[Figure: labels acl(f3) p1; p2's knowledge; p1's knowledge]
9. Attack on the MK Algorithm
- p3 is in my proof!
- p4 must be in that proof, too
- Then, p4 must have fact f3!
[Figure: labels ?; acl(f3) p1; p2's knowledge; p1's knowledge]
10. Attack on the MK Algorithm
[Figure: labels acl(f3) p1; p2's knowledge; p1's knowledge]
11. Goldwasser-Micali (GM) Scheme with Re-encryption
- Represent a boolean value based on quadratic residuosity (QR)
- True if $a \pmod n \equiv b^2 \pmod n$
- False otherwise
- Use re-encryption to convert an encrypted value to another
[Figure: peers David, Bob and Alice. Labels: $a\ (\equiv b^2 \bmod n)$ (twice); $n = pq$]
12. GM Encryption Scheme
- Public key $(n, x)$ where $x$ is an NQR modulo $n$
- Private key $(p, q)$ where $n = pq$
- Encryption of a bit $b$: $y^2 x^b \pmod n$ where $y$ is a random number
- With $p$ and $q$, easy to check whether an encrypted value is a QR or an NQR
13. Unlinkability via Re-encryption
[Figure: peers Dave, Bob and Alice. Labels: $a$; $a y^2 \bmod n$; $n = pq$; Pick $y$ at random]
14. Commutative Encryption
- We cannot support nested encryption in the MK algorithm (e.g., $E_i(E_j(T))$)
- Instead, we support commutative encryption (e.g., $E_{i,j}(T)$)
- Gives more proving power
- Preserves the same safety property of the MK algorithm
15. Construction of Commutative Encryption
- Represented as a list of encrypted bits. E.g., $E_{0,1,\ldots,n}(b) = (E_1(b_1), E_2(b_2), \ldots, E_n(b_n))$
- where $b = b_1 \oplus b_2 \oplus \cdots \oplus b_n$
- To obtain $E_{i,j}(b)$ from $E_i(b)$
- Form a pair $(E_i(b), E_j(0))$
- Re-randomize the pair by picking a random bit $b'$, and if $b' = 1$ then obtain $(E_i(\neg b), E_j(1))$ where $E_i(\neg b) = x_i E_i(b)$
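The GM encryption and re-encryption of slides 12-13 and the pair construction of slide 15, as an added Python example that is not code from the slides or the authors. The function names, the toy primes and the choice to also re-encrypt the first share inside `extend` are assumptions made for illustration.

```python
import secrets
from math import gcd

def is_qr(a, p):
    """Euler's criterion: is a a quadratic residue modulo the odd prime p?"""
    return pow(a, (p - 1) // 2, p) == 1

def keygen(p, q):
    """Public key (n, x) with x a non-residue mod both p and q; private key (p, q)."""
    n = p * q
    x = next(v for v in range(2, n)
             if gcd(v, n) == 1 and not is_qr(v, p) and not is_qr(v, q))
    return (n, x), (p, q)

def rand_unit(n):
    """Random y with gcd(y, n) = 1 (hypothetical helper)."""
    while True:
        y = secrets.randbelow(n - 2) + 2
        if gcd(y, n) == 1:
            return y

def encrypt(pub, b):
    """E(b) = y^2 * x^b mod n for a random y."""
    n, x = pub
    return pow(rand_unit(n), 2, n) * pow(x, b, n) % n

def decrypt(priv, c):
    """Bit is 0 iff c is a QR; checking modulo p suffices for valid ciphertexts."""
    return 0 if is_qr(c, priv[0]) else 1

def reencrypt(pub, c):
    """Multiply by a fresh square: same bit, new ciphertext, no private key needed."""
    return c * pow(rand_unit(pub[0]), 2, pub[0]) % pub[0]

def extend(pub_i, c_i, pub_j):
    """E_i(b) -> E_{i,j}(b) = (E_i(b1), E_j(b2)) with b = b1 XOR b2."""
    flip = secrets.randbelow(2)            # the random bit b'
    if flip:                               # E_i(not b) = x_i * E_i(b)
        c_i = c_i * pub_i[1] % pub_i[0]
    return reencrypt(pub_i, c_i), encrypt(pub_j, flip)

def decrypt_shared(privs, shares):
    """XOR of the per-key bits; every private key is required (n-out-of-n)."""
    b = 0
    for priv, c in zip(privs, shares):
        b ^= decrypt(priv, c)
    return b

if __name__ == "__main__":
    pub_i, priv_i = keygen(499, 547)       # constructed toy primes, far too small for real use
    pub_j, priv_j = keygen(503, 563)
    c = encrypt(pub_i, 1)
    print(decrypt(priv_i, reencrypt(pub_i, c)))
    print(decrypt_shared([priv_i, priv_j], extend(pub_i, c, pub_j)))
```

Because each share on its own is a uniformly random bit, neither key holder learns b without the other's decryption.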
16. Conclusion
- Identify a covert channel in the MK algorithm
- Apply single-bit re-encryption based on GM scheme
- Design a commutative encryption compatible with single-bit re-encryption
- Future work includes exploration of other applications such as e-voting and online games
17. Questions?