TY - GEN
T1 - Key-insulated public key cryptosystems
AU - Dodis, Yevgeniy
AU - Katz, Jonathan
AU - Xu, Shouhuai
AU - Yung, Moti
N1 - Publisher Copyright:
© Springer-Verlag Berlin Heidelberg 2002.
PY - 2002
Y1 - 2002
N2 - Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physically-secure – but computationally-limited – device which stores a “master key”. All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t,N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N−t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically-secure device. We focus primarily on key-insulated public-key encryption. We construct a (t,N)-key-insulated encryption scheme based on any (standard) public-key encryption scheme, and give a more efficient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security.
AB - Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physically-secure – but computationally-limited – device which stores a “master key”. All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t,N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N−t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically-secure device. We focus primarily on key-insulated public-key encryption. We construct a (t,N)-key-insulated encryption scheme based on any (standard) public-key encryption scheme, and give a more efficient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security.
UR - http://www.scopus.com/inward/record.url?scp=84947254092&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84947254092&partnerID=8YFLogxK
U2 - 10.1007/3-540-46035-7_5
DO - 10.1007/3-540-46035-7_5
M3 - Conference contribution
AN - SCOPUS:84947254092
SN - 9783540435532
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 65
EP - 82
BT - Advances in Cryptology - EUROCRYPT 2002 - International Conference on the Theory and Applications of Cryptographic Techniques, 2002, Proceedings
A2 - Knudsen, Lars R.
PB - Springer Verlag
T2 - International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2002
Y2 - 28 April 2002 through 2 May 2002
ER -