Single-bit Re-encryption with Applications to Distributed Proof Systems

Nikita Borisov and Kazuhiro Minami
University of Illinois at Urbana-Champaign
Distributed Proof System (DPS)
• Construct a proof in a peer-to-peer way
• Useful for distributed authorization:
– E.g., SD3, Binder, Grey system, PeerAccess, MK system, etc.
[Figure: hospital example. Principals: Alice, MRI 112, Location Server, Role Server. Queries: ?grant(Alice), ?doctor_present(room112), ?role(Alice, doctor); each is answered True.]
Integrity and Confidentiality
• Each peer specifies trust in the correctness of remote facts using rules with quoted facts
• Each peer protects its private facts with confidentiality policies
[Figure: MRI 112 and the Location Server. Query: ?doctor_present(room112), answered True. Rule: grant(P) :- LocationServer says doctor_present(room112). Policy: acl(doctor_present(room112)) = {MRI112}]
MRI112  acl(location(P, room112))
Minami-Kotz (MK) algorithm
• A peer sends an encrypted fact to a principal who is not authorized to see it
• Use a randomized encryption scheme (RSA-OAEP) to prevent dictionary attacks
[Figure: principals Alice, Bob and Dave. Queries: ?grant(Tom), ?role(Tom, doctor). The value EBob(True) is shown twice. Rule: grant(P) :- Dave says role(P,doctor). Fact: role(Tom, doctor). Policy: acl(role(P,R)) = {Bob}]
Safety of the MK algorithm
• High-level analysis: no disclosure of confidential facts to unauthorized parties
• Implementation-level analysis: a covert channel using a random padding in an encrypted value
Our Solution
• Re-encryption with the Goldwasser-Micali (GM) public-key cryptosystem
– Transform the encryption of a single bit into another, while preserving the bit value
• Commutative encryption scheme
– Essentially an n-out-of-n threshold encryption necessary in distributed proof systems
MK Algorithm
[Figure: p1’s knowledge and p2’s knowledge, with acl(f3) = {p1}]
Attack on the MK Algorithm
[Figure: p1’s knowledge and p2’s knowledge, with acl(f3) = {p1}. The value T + ‘013342’ is shown three times. Speech bubbles: "p3 is in my proof!", "Then, p4 must be in that proof, too", "p4 must have fact f3!"]
Attack on the MK Algorithm
[Figure: p1’s knowledge and p2’s knowledge, with acl(f3) = {p1}. The value ‘Hi’ + ‘013342’ is shown three times.]
Goldwasser-Micali (GM) Scheme with Re-encryption
• Represent a boolean value based on quadratic residuosity (QR)
– True if a (mod n) = b^2 (mod n)
– False otherwise
• Use re-encryption to convert an encrypted value to another
[Figure: principals Bob (n = pq), David and Alice; values a (= b^2 mod n) and a’ (= b’^2 mod n)]
GM Encryption Scheme
• Public key: (n, x) where x is an NQR modulo n
• Private key: (p, q) where n = pq
• Encryption of a bit b: y^2 x^b (mod n) where y is a random number
• With p and q, easy to check whether an encrypted value is a QR or an NQR
Unlinkability via Re-encryption
[Figure: principals Tom, Bob (n = pq), Alice and Dave; values a, a’ and a y^2 mod n; label "Pick y at random"]
For all QR a and y, there exist QR a’ and y’ such that a y^2 = a’ y’^2
Commutative Encryption
• We cannot support nested encryption in the MK algorithm (e.g., Ei(Ej(T)) )
• Instead, we support commutative encryption (e.g., E{i,j}(T) )
– Gives more proving power
– Preserves the same safety property of the MK algorithm
Construction of Commutative Encryption
• Represented as a list of encrypted bits
– E.g., E{0,1,...,n} (b) = (E1(b1),E2(b2),...,En(bn))
where b = b1  b2  ...  bn
• To obtain E{i,j} (b) from E{i}(b)
1. Form a pair (E{i}(b), E{j}(0))
2. Re-randomize the pair by picking a random bit b’, and if b’ = 1 then obtain (E{i}(b), E{j}(1)) where E{i}(b) = xiE{i}(b)
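The GM encryption, re-encryption and two-key extension steps from the slides above, as an added toy example that is not the authors' code. Assumptions: all function names are hypothetical, the primes are small constructed values, x is chosen as an NQR modulo both p and q, the operator missing from the extracted slide text that combines b1 ... bn is taken to be XOR, and x_i * E{i}(b) is taken to encrypt the complement of b.

```python
# Added example, not from the slides: toy GM with re-encryption (demo primes only).
import secrets
from math import gcd

def legendre(a, p):
    """Return 1 if a is a QR mod prime p, p-1 if it is an NQR."""
    return pow(a, (p - 1) // 2, p)

def keygen(p, q):
    """Public key (n, x) with x an NQR mod p and mod q; private key (p, q)."""
    n = p * q
    while True:
        x = secrets.randbelow(n - 2) + 2
        if legendre(x, p) == p - 1 and legendre(x, q) == q - 1:
            return (n, x), (p, q)

def rand_unit(n):
    while True:
        y = secrets.randbelow(n - 2) + 2
        if gcd(y, n) == 1:
            return y

def encrypt(pub, b):
    n, x = pub
    return pow(rand_unit(n), 2, n) * pow(x, b, n) % n   # y^2 x^b mod n

def decrypt(priv, c):
    p, _ = priv
    return 0 if legendre(c % p, p) == 1 else 1          # QR -> 0, NQR -> 1

def reencrypt(pub, c):
    n, _ = pub
    return c * pow(rand_unit(n), 2, n) % n              # a y^2 mod n, same bit

def extend(pub_i, c_i, pub_j):
    """E{i}(b) -> (E_i(b1), E_j(b2)) with b = b1 XOR b2 (XOR is an assumption)."""
    flip = secrets.randbelow(2)                         # the random bit b'
    c_j = encrypt(pub_j, flip)                          # E{j}(0) or E{j}(1)
    if flip:
        c_i = c_i * pub_i[1] % pub_i[0]                 # x_i * E{i}(b) flips b
    return reencrypt(pub_i, c_i), c_j

def decrypt_pair(priv_i, priv_j, pair):
    return decrypt(priv_i, pair[0]) ^ decrypt(priv_j, pair[1])

if __name__ == "__main__":
    (pub_i, priv_i), (pub_j, priv_j) = keygen(499, 547), keygen(503, 563)
    pair = extend(pub_i, encrypt(pub_i, 1), pub_j)
    print(decrypt_pair(priv_i, priv_j, pair))
```

Each forwarder draws its own y in reencrypt, so the randomness chosen by the original sender does not survive in the forwarded ciphertext.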
Conclusion
• Identify a covert channel in the MK algorithm
• Apply single-bit re-encryption based on the GM scheme
• Design a commutative encryption compatible with single-bit re-encryption
• Future work includes exploration of other applications such as e-voting and online games
Questions?