Key-Insulated Public Key Cryptosystems

Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physically-secure - but computationally-limited - device which stores a "master key". All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N-t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically-secure device. We focus primarily on key-insulated public-key encryption. We construct a (t, N)-key-insulated encryption scheme based on any (standard) publickey encryption scheme, and give a more efficient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security.

[1]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[2]  Birgit Pfitzmann,et al.  Self-Delegation with Controlled Propagation - or - What If You Lose Your Laptop , 1998, CRYPTO.

[3]  Wen-Guey Tzeng,et al.  Robust Key-Evolving Public Key Encryption Schemes , 2002, ICICS.

[4]  Arkadii G. D'yachkov,et al.  A survey of superimposed code theory , 1983 .

[5]  P. Erdös,et al.  Families of finite sets in which no set is covered by the union ofr others , 1985 .

[6]  Masayuki Abe,et al.  A Key Escrow Scheme with Time-Limited Monitoring for One-Way Communication , 2000, ACISP.

[7]  Moti Yung,et al.  How to share a function securely , 1994, STOC '94.

[8]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[9]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[10]  Matthew K. Franklin,et al.  Communication complexity of secure computation (extended abstract) , 1992, STOC '92.

[11]  Hugo Krawczyk,et al.  Secret Sharing Made Short , 1994, CRYPTO.

[12]  Jessica Staddon,et al.  Efficient Methods for Integrating Traceability and Broadcast Encryption , 1999, CRYPTO.

[13]  Amos Fiat,et al.  Tracing traitors , 2000, IEEE Trans. Inf. Theory.

[14]  Stanislaw Jarecki,et al.  Adaptively Secure Threshold Cryptography: Introducing Concurrency, Removing Erasures , 2000, EUROCRYPT.

[15]  Hugo Krawczyk,et al.  Simple forward-secure signatures from any signature scheme , 2000, IACR Cryptol. ePrint Arch..

[16]  Eyal Kushilevitz,et al.  Exposure-Resilient Functions and All-or-Nothing Transforms , 2000, EUROCRYPT.

[17]  Mihir Bellare,et al.  A concrete security treatment of symmet-ric encryption: Analysis of the DES modes of operation , 1997, FOCS 1997.

[18]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[19]  Tal Malkin,et al.  Efficient Generic Forward-Secure Signatures with an Unbounded Number Of Time Periods , 2002, EUROCRYPT.

[20]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[21]  Shouhuai Xu,et al.  Strong Key-Insulated Signature Schemes , 2003, Public Key Cryptography.

[22]  Catherine A. Meadows,et al.  Security of Ramp Schemes , 1985, CRYPTO.

[23]  Rafail Ostrovsky,et al.  How To Withstand Mobile Virus Attacks , 1991, PODC 1991.

[24]  Rafail Ostrovsky,et al.  How to withstand mobile virus attacks (extended abstract) , 1991, PODC '91.

[25]  Shiuh-Pyng Shieh,et al.  Secure Key-Evolving Protocols for Discrete Logarithm Schemes , 2002, CT-RSA.

[26]  Gene Itkis,et al.  Forward-Secure Signatures with Optimal Signing and Verifying , 2001, CRYPTO.

[27]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[28]  Ronald L. Rivest,et al.  All-or-Nothing Encryption and the Package Transform , 1997, FSE.

[29]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[30]  Marc Girault,et al.  Relaxing Tamper-Resistance Requirements for Smart Cards by Using (Auto-)Proxy Signatures , 1998, CARDIS.

[31]  Victor Boyko,et al.  On the Security Properties of OAEP as an All-or-Nothing Transform , 1999, CRYPTO.

[32]  Mihir Bellare,et al.  A Forward-Secure Digital Signature Scheme , 1999, CRYPTO.

[33]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[34]  Leonid Reyzin,et al.  A New Forward-Secure Digital Signature Scheme , 2000, ASIACRYPT.

[35]  Amit Sahai,et al.  Coding Constructions for Blacklisting Problems without Computational Assumptions , 1999, CRYPTO.

[36]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..