Available Online at www.ijpret.com 486
APPLIED RESEARCH IN ENGINEERING AND
TECHNOLOGY
A PATH FOR HORIZING YOUR INNOVATIVE WORK
IMPROVED PROXY RE-ENCRYPTION SCHEMES WITH ATOMIC PROXY
CRYPTOGRAPHY
MISS. ABHILASHA A. DESHMUKH 2, DR. H. R. DESHMUKH2
1. Student of Master of Engineering in (CSE), IBSS college of Engineering and Technology, Amravati, India. 2. Head of the Department of (CSE), IBSS College of Engineering and Technology, Amravati, India
Accepted Date: 05/03/2015; Published Date: 01/05/2015
\
Abstract: First, we introduce the notion of divertibility as a protocol property as opposed to
the existing notion as a language property. We give a definition of protocol divertibility that applies to arbitrary 2-party protocols. We propose a sufficiency criterion for divertibility that is satisfied by many existing protocols and which, surprisingly, generalizes to cover several protocols not normally associated with divertibility. It is not clear whether atomic proxy functions exist in general for all public-key cryptosystems. Finally, we discuss the relationship between divertibility and proxy cryptography.
Keywords: Proxy, Re-Encryption, Cryptography
Corresponding Author: MISS. ABHILASHA A. DESHMUKH
Access Online On:
www.ijpret.com
How to Cite This Article:
Abhilasha A. Deshmukh, IJPRET, 2015; Volume 3 (9): 486-493
Available Online at www.ijpret.com 487 INTRODUCTION
Proxy re-encryption allows a proxy to transform a ciphertext computed under Alice’s public key into one that can be opened by Bob’s secret key. This paper investigates two general ways in which an intermediary sitting between the participants of a 2-party protocol might transform the communication messages without “destroying” the protocol. First, we consider
protocoldivertibility, in which the (honest) intermediary, called a warden, randomizes all
messages so that the intended underlying protocol succeeds. Many useful applications of this primitive. For instance, Alice might wish temporarily forward encrypted email to her colleague Bob, without giving him her secret key. In this case, Alice the delegator could designate a proxy to reencrypt her incoming mail into a format that Bob the delegate can decrypt using his own secret key.
2. Proxy Re-encryption
A methodology for delegating decryption rights was first introduced by Mambo and Okamoto [1997] purely as an efficiency improvement over traditional the notion of “atomic proxy cryptography,” in which a semitrusted proxy computes a function that converts ciphertexts for Alice into ciphertexts for Bob without seeing the underlying plaintext.
In their Elgamal-based scheme, with modulus a safe prime p = 2q + 1, the proxy is entrusted with the delegation key b/a mod q for the purpose of diverting ciphertexts from Alice to Bob via computing (mgkmod p, (gak)b/amod p). The authors noted, however, that this scheme contained an inherent restriction: it is bidirectional; that is, the value b/a can be used to divert ciphertexts from Alice to Bob and vice versa. Thus, this scheme is only useful when the trust relationship between Alice and Bob is mutual Alice’s secret key s is divided into two shares s1 and s2, where s = s1 + s2, and distributed to the proxy and Bob. On receiving ciphertexts of the form (mgsk, gk), the proxy first computes (mgsk/(gk)s1 ), which Bob can decrypt as (mgs2k/(gk)s2 ) = m.
3.Improved Proxy Re-Encryption Schemes
To talk about “improvements,” we need to get a sense of the benefits and drawbacks of previous schemes.
1. Unidirectional: Delegation from A → B does not allow re-encryption fromB → A.
2. Noninteractive: Re-encryption keys can be generated by Alice using Bob’s public key; no
Available Online at www.ijpret.com 488 in the BBS scheme is transparent in the sense that neither the sender of an encrypted message nor any of the delegatees have to be aware of the existence of the proxy.
4. Original access: Alice can decrypt re-encrypted ciphertexts that were originally sent to her. In
some applications.
5. Key optimal: The size of Bob’s secret storage remains constant, regardless of how many
delegations he accepts. We call this a key optimal scheme. the storage of both Bob and the proxy grows linearly with the number of delegations Bob accepts.
6. Collusion “safe”: One drawback of all previous schemes is that by colluding, Bob and the
proxy can recover Alice’s secret key: for Dodis–Ivan, s = s1 +s2; for BBS, a = (a/b) ∗b. We will mitigate this problem, allowing recovery of a “weak” secret key. In general, collusion “safeness” allows Alice to delegate decryption rights, while keeping signing rights for the same public key. In practice, a user can
7. Temporary: To their constructions to form schemes where Bob is only able to decrypt
messages intended for Alice that were authored during some specific time period i.
8. Nontransitive: The proxy, alone, cannot redelegate decryption rights. For example, from
rka→b and rkb→c, he cannot produce rka→c.
9. Nontransferable: The proxy and a set of colluding delegatees cannot redelegate decryption
rights. For example, from rka→b, skb, and pkc, they cannot produce rka→c.
4. Atomic Proxy Cryptography
A basic goal of public-key encryption is to allow only the key or keys select date the time of encryption to decrypt the ciphertext. In proxy cryptography, the holders of public-key pairs A
and B create and publish a proxy key πA→B such that D(Π(E(m, eA), πA→B), dB) = m, where
E(m, e) is the public encryption function of message m under encryption key e, D(c, d) is the
Available Online at www.ijpret.com 489 4.1 Proxy encryption
Although the problem of proxy cryptography seems like a natural extension of public-key cryptography, existing cryptosystems do not lend themselves to obvious proxy functions. It has been argued that such a scheme makes the system as a whole less trustworthy due to the extra engineering effort involved.
Cryptosystem X (encryption)
Let p be a prime of the form 2q + 1 for a prime q and let g be a generator in ZZ
p; p and g are global parameters shared by all users. A’s secret key a, 0 < a < p − 1, is selected at random and must be in ZZ
2q, i.e., relatively prime to p −1.( A also calculates the inverse a−1 mod2q). A publishes the
public key ga mod p. Message encryption requires a unique randomly-selected secret parameter k ∈ ZZ
2q.T o encrypt m with A’s key, the sender computes and sends two ciphertext values (c1, c2):
c1 = mgk mod p
c2 = (ga)k mod p
Decryption reverses the process; since
c(a−1)2 = gk (mod p)
it is easy for A (who knows a−1) to calculate gk and recover m:
m = c1((c(a−1)2 )−1) mod p
The efficiency of this scheme is comparable to standard ElGamal encryption.
Symmetric proxy function for X
Available Online at www.ijpret.com 490 the proxy key πA→B is a−1b and the proxy function is simply cπA→B 2 .
Security of X
First, we show that X is secure—that cleartext and secret keys cannot be recovered from ciphertext and public keys. Beyond that, public keys, and proxy keys. Specifically, we will show that the problem of recovering m from (ga, gb, gc, . . .,mgk, gak, a−1b, a−1c, . ..).
4.2 Proxy identification
In this section we describe a discrete-log-based identification scheme. With p, g, a as before, Alice wishes to convince Charlotte that she controls a; Charlotte will verify using public key ga. As before, the proxy key πA→B will be a/b—it will be safe to publish a/b and Alice and Charlotte can easily use a/b to transform the protocol so Charlotte is convinced that Alice controls b.
Cryptosystem Y (identification)
Let p and g be a prime and a generator in ZZ p, respectively. A lice picks random a ∈ Z2q to be her secret key and publishes ga as her public key. Each round of the identification protocol is as follows:– Alice picks a random k ∈ ZZ
2q and sends Charlotte s1 = gk.– Charlotte picks a random bit and sends it to Alice.– Depending on the bit received, Alice sends Charlotte either s2 = k or s_2 =k/a.– Depending on the bit, Charlotte checks that (ga)s_2 = s1 or that gs2 = gk. This round is repeated as desired.
Symmetric proxy function for Y
A symmetric proxy key is a/b. Suppose Charlotte wants to run the protocol with gb instead of
ga. Either Alice or Charlotte or any intermediary can use the proxy key to convert Alice’s responses k/a to k/b.
Security of Y
Available Online at www.ijpret.com 491 4.3 Proxy signature
The concept of proxy cryptography also extends to digital signature schemes. A signature proxy function transforms a message signature so that it will verify with a public key other than that of the original signer. I n other words, a signature proxy function Π(s, πA→B) with proxy key
πA→B transforms signature signed by the secret component of key A such that V (m,Π(S(m,A),
πA→B), B)returns valid, where S(m, k) is the signature function for message m by key k and V
(m, s, k) is the verify function for message m with signature s by key k.
Cryptosystem Z (signature)
To sign a message m, Alice picks k1, k2, . . .k_ at random and computes gk1 , . . .gk_.Ne xt Alice computes h(gk1, . . .gk_) and extracts 4 pseudorandom bits β1, . . ., β_.Fo r each i, depending on the i’th pseudorandombit, Alice (who knows a) computes s2,i = (ki − mβi)/a; that is, s2,i = (ki − m)/a or s2,i = ki/a. The signature consists of two components: s1 = (gk1, . . ., gk_) s2 = ((k1 −
mβ1)/a, . . . , (k_ − mβ_)/a)To verify the signature, first the βi’s are recovered using the hash
function.The signature is then verified one “round” at a time, where the i’th round is(gki , (ki −mβi)/a). To verify (gk, (k−mβ)/a) using public key ga, the recipient Charlotte raises (ga) to the power (k−mβ)/a and checks that it matches gk/gmβ.
Symmetric proxy function for Z
A symmetric proxy key πA→B for this signature scheme is a/b. The proxy function Π leaves s1 alone and maps each component s2, i to s2, iπA→B.
Security of Z
This scheme relies on the existence of a “hash” function h. Specifically (Hash Assumption), we assume there exists a function h such that:– On random input (ga,m), it is difficult to generate
{ri} and {βi} such thath(gar1+mβ1 , . . ., gar_+mβ_) = _β1 . . ., β__. – More generally, it is difficult
to generate such {ri} and {βi} on input ga,m,and samples of signatures on random messages signed with a.It is not our intention to conjecture about the existence of such functions hThe ga, a signer needs to produce _gki_ and_(ki −mβi)/a_.Th us, putting _βi_ = h(_gki _) and then
Available Online at www.ijpret.com 492 Conceptually, divertibility and proxiability of protocols are both defined in terms of an effectiveness property and one or two security properties..However, it isnot at all obvious whether there exist atomic proxy schemes in general.More importantly,
6. ACKNOWLEDGEMENTS
We thank to H. R. Deshmukh Sir, Nikhil Band Sir and Ankit Mune for helpful discussions and comments.
7. REFERENCES
1. [BS98] Matt Blaze, Martin Strauss. Atomic Proxy Cryptography. AT&T Labs-
2. Research TR98.5.1 [Bleu97] Gerrit Bleumer. On Protocol Divertibility. AT&T Labs-Research TR97.34.2
3. [BD91] Mike V. D. Burmester, Yvo Desmedt. All languages in NP have divertible zero-knowledge proofs and arguments under cryptographic assumptions. Eurocrypt ’90 LNCS 473, Springer-Verlag 1991, 1–10.
4. [CEG88] David Chaum, Jan-Hendrik Evertse, Jeroen van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. Eurocrypt ’87. LNCS 304, Springer-Verlag 1988, 127–141.
5. [CPS95] Jan L. Camenisch, Jean-Marc Piveteau, Markus A. Stadler. Blind Signatures
6. Based on the Discrete Logarithm Problem. Eurocrypt ’94. LNCS 950, Springer-Verlag 1995, 428–432.
7. [DeL84] John M. DeLaurentis. A Further Weakness in the Common Modulus Protocol for the RSA Cryptoalgorithm. Cryptologia 8/3 (1984) 253–259.
8. [DH76] Whitfield Diffie, Martin E. Hellman. New Directions in Cryptography.
9. KALLAHALLA, M., RIEDEL, E., SWAMINATHAN, R., WANG, Q., AND FU, K. 2003. Plutus: scalable secure File sharing on untrusted storage. In Proceedings of the Second USENIX
Available Online at www.ijpret.com 493 10. LI, J., KROHN, M. N., MAZI`ERES, D., AND SHASHA, D. 2004. Secure untrusted data repository
11. (SUNDR). In Proceedings of the 6th Symposium on Operating Systems Design and
Implementation.
