Identity-Based Cryptography on Hidden-Order Groups

Transcription

1 vailable olie at Procedia Egieerig 9 (0) Iteratioal Worshop o Iformatio ad Electroics Egieerig (IWIEE) Idetity-Based Cryptography o Hidde-Order Groups Chalgu Li a a Key Laboratory of Networ Security ad Cryptology, Fujia Normal Uiversity, Fuzhou, P..Chia bstract ecetly, Saxea ad Soh preseted oe ovel cryptographic primitive based o associative oe-way fuctios, called oracle-based group with ifeasible iversio (O-GII), ad it requires the order of group is hidde. I this paper, we propose three ID-based cryptographic schemes, such as ID-based o-iteractive ey sharig (ID-NIKS) scheme, hierarchical ID-based ecryptio (HIBE) scheme, ad ID-based sigature (IBS) scheme, based o hidde-order groups. We say that the security proof of our proposed schemes is a ope problem. 0 Published by Elsevier Ltd. Selectio ad/or peer-review uder resposibility of Harbi Uiversity of Sciece ad Techology Ope access uder CC BY-NC-ND licese. Keywords: ID-based o-iteractive ey sharig; Hierarchical ID-based ecryptio; ID-based sigature; Group iversio problem. Itroductio Idetity-based cryptograhy (IBC) [6,3] is a public ey cryptography which the public ey ca be a arbitrary strig, such as the recipiet s address. The user s private ey is geerated by a trusted authority, called the private ey geerator (PKG), which applies its master ey to the user s idetity after the user autheticates itself. Shamir [6] gave the otio of IBC for simplifyig public ey ad the certificate maagemet ad proposed the first ID-based sigature (IBS) scheme. However, it is ot util much later that Boeh ad Frali [3] preseted the first secure ad truly practical ID-based ecryptio (IBE) scheme. d they proved its security i the radom oracle model []. Subsequetly, may practical IBC, icludig IBS [5,6], (H)IBE [,7,6], ad ID-based ey distributio [0,6] etc., are proposed. There are several classes of existig IBC based o differet assumptios ad mathematic tools. Some of them are based o groups with a biliear map [3,8,6,4]; some of them are based o quadratic Correspodig author. Tel.: Fax: address: clli@fju.edu.c Published by Elsevier Ltd. Ope access uder CC BY-NC-ND licese. doi:0.06/j.proeg

2 068 Chalgu Li / Procedia Egieerig 9 (0) residuosity problem modulo a composite [7,4]; others are based o hard problems o lattices [9,]. ecetly, Saxea ad Soh [5] preseted a ew cryptographic primitive, called a oracle-based group with ifeasible iversio (O-GII), which is a strog associative oe-way fuctio (SOWF) alog with a oracle allowig verifiable computatio, ad proposed a practical oe roud ey agreemet protocol for arbitrary size groups. I additio, they poited out that this cryptographic primitive ca be used to desig IBC ad proposed the IBE scheme based o hidde-order groups. However, they claimed that the security proof of this proposed IBE scheme is a ope problem. I this paper, we do ot focus o the security of IBC ad pay our attetios o how to costruct some ID-based cryptographic schemes based o hiddeorder groups, that is, oracle-based group with ifeasible iversio problem. We propose ID-based oiteractive ey sharig (ID-NIKS) scheme, hierarchical ID-based ecryptio (HIBE) scheme, ad IDbased sigature (IBS) scheme, based o hidde-order groups.. Prelimiaries We oly describe the group iversio problem (GIP) for the oracle-based group with ifeasible iversio (O-GII For more iformatio about strog associative oe-way fuctios (O-SOWFs) ad group with ifeasible iversio (GII), the readers are referred to [5]. Defiitio (O-GII [5] blac-box costructio of a SOWF implemeted with a PV-Oracle, O, is called a Oracle-GII (O-GII Cocretely, a O-GII costructio has three PPT algorithms: Setup, Sample, ad Compute. Group Iversio Problem (GIP We say that a PPT algorithm breas the O-GII if it is able to ivert the O-GII ad compute iverse i G by havig oly blac-box access to the Compute algorithm. We call this as the group iversio problem (GIP Formally, the advatage of i solvig GIP is defied as: O( Compute( master-ey,, P ) ( P, ): GIP params dv ( τ) = Pr ( params, master-ey ) Setup( τ) ;. ( P, σ P) ( Sample params Defiitio (GIP [5] We say that algorithm ( KO, δ, ε ) -breas the O-GII f if rus at most timeδ ; maes at most K adaptive queries to the oracle O by implemetig the Compute algorithm; ad O GIP dv ( τ ) is at least ε. lteratively, we say that the O-GII is ( K, δ, ε ) O attac if o such algorithm exists. -secure uder a adaptive emar. ) GII must have hidde order for the group. Sice the group G is of fiite order, the oly way to achieve o-ivertibility is to eep the order of this group hidde; ) the defiitios for IBC are referred to [3, 6]. 3. Three ID-based Cryptographic Schemes I the followig three subsectios, we propose ID-based o-iteractive ey sharig (ID-NIKS) scheme, hierarchical ID-based ecryptio (HIBE) scheme, ad ID-based sigature (IBS) scheme, based o hidde-order groups (group iversio problem

3 Chalgu Li / Procedia Egieerig 9 (0) ID-based No-iteractive Key Sharig (ID-INSK) Scheme There are three algorithms for the ID-based o-iteractive ey sharig (ID-INSK) scheme, that are, setup algorithm, ey geeratio algorithm ad shared ey algorithm, deoted by Setup-NIKS, KeyGe ad SharedKey, respectively. The detailed descriptios of them are as follows. Setup-NIKS:. Set (, σ ),( Y, σy) Sample( params );. Let { } H : { 0, } ey are as follows respectively: par ={ Y, Z, H, H }, m-ey ={ σ, σ }. H : 0, Z ad G be two cryptographic hash fuctios. The system parameters par ad the master ey m- KeyGe: Let { 0,} id be the idetity bit strig.. Set i = H id Z ;. i Compute ( σ, iy, ) = Y G. So the private ey is prv-ey id = Y G. SharedKey: Give the system parameter par, the private ey prv-ey ad the idetity id id B of B, where id idb, do:. Set i = H id ad i B = H idb ;. -i Compute ( ˆ B i i+ ib K = H ( ε( prv- ey, i), ε( Yi, ))) = H( Y, B id B -i It is easy to compute that ˆ B i i+ ib KB, = H( ( ε( prv- eyid, i), (, ))) ( B ε YiB = H Y This implies that the etities ad B ca compute a commo secret ey without iteractive ay iformatio each other expect for oly usig the public idetity. 3. Hierarchical Idetity-Based Ecryptio Scheme I IBE scheme, there is a sigle PKG which should verify the idetity ad establish secure chaels to trasfer user s private eys. However, it may be a bottleec i a large etwor. Hierarchical ID-based ecryptio (HIBE) setups a several levels of PKGs ad the root PKG delegates to geerate the private ey ad oly verify the idetity for the lower-level PKGs. The advatage of HIBE is that the autheticatio ad trasmissio of private ey ca be doe locally. Here, we propose a HIBE is based o hidde-order groups. There are four algorithms as follows: Setup-HIBE:. Set Y 0 0 Y 0 0 Z ( σ,, Y ) = Y ; 3. Let H { } Z ad H { } Y (, σ ), (, σ ) Sample params ;. Compute : 0, : 0, G be two cryptographic hash fuctios. They are treated as radom oracles i the security aalysis. The system parameters par ad the,,, σ, σ. master ey m-ey are as follows respectively: par ={ } Y0 Z0 H H, m-ey = { } 0 Y0 KeyGe: Let IDt = ( I,..., It) {0,} be the idetity strig of depth t for t. The correspodig private ey d t ca be geerated by givig the paret idetity IDt = ( I,..., It ) ad the correspodig private ey d t. If t =, the do as follows:. Compute i = H ( I ) Z ;. Compute d = ( σ, i, Y ) = Y. If t, the do as follows: 3. Compute it = H( I,..., It) Z ; 4. Set t t t Yt (, σ ),( Y, σ ) Sample params, the σ t i σ t t it Y is the sample iformatio for. t Yt 5. t t

4 070 Chalgu Li / Procedia Egieerig 9 (0) t t Yt t t t t 0 0 j= j j i it it it it i t j j Compute d = ( σ σ,, d ) = Y d = Y ( Y ); 6. Compute t = σ Yt t = t t Z (,, ) Y. HID-Ecrypt: To ecrypt a message { 0,} follows:. Compute ij = H( I,..., I j) Z, for j,..., t; m for < log usig the idetity IDt = ( I,..., It), do as =. Geerate (, σ ) Sample params ; 3. i + Compute C = m H ( ( σ,, ε( Y, i + ))) = m H ( Y ); Compute (,, j (, )) j Z i l i l l j ( i C = σ ε Z i = = Y Y i ), for j =,..., t. j l= l l l= l 0 0 l= l l The, the ciphertext is C = ( C0, C, C,..., C t HID-Decrypt: To decrypt the ciphertext C = ( C0, C, C,..., C t ), usig the private ey d t, do as follows:. Compute ˆ(, ) ( i ) j ( il l ) i t ( j ij ) i + D = O C d = Y Y Y Y = Y.. t t 0 0 l= l l 0 0 j= j j 0 The, the decrypted message is m = C H ( D 3.3 ID-Based Sigature Scheme The ID-based sigature (IBS) scheme by usig the O-GII icludes the followig four algorithms: Setup: it does as the followig steps.. Set (, ),( Y, ) Y 3. Let H { } Z ad H { } σ σ Sample params ;. Compute Z ( σ,, Y) = Y; : 0, : 0, G be two cryptographic hash fuctios. The system parameters par ad the master ey m-ey are as follows respectively: par,,, σ, σ. ={ Y Z H H },m-ey ={ } KeyGe: Let Y id {0,} be the idetity bit strig.. Set i = H ; id Z. Compute ( σ, iy, ) = Y G. So the private ey is prv- eyid = Y. Sig: Let M {0,} be the message. To sig M, a siger computes m = H M Z (we would have m Z with overwhelmig probability The siger computes α ε( -, ) ( i m m m prv ey m id = Y ) = Y. So, the sigature of the siger o M is ( id, M, α Verify: To verify a sigature ( id, M, α ) o message M, compute i = H ( id) ad H M Z ad the? chec that the equality ε( Y, ( i + ) m) = O ( αε, ( Z, im)) holds. The correct of the above sigature ca be guarateed by the followig equatio ( i+ ) m? im m m im im Y = α Z = ( Y ) ( Y 4. Coclusios I this paper, we propose three ID-based cryptographic schemes, such as ID-based o-iteractive ey sharig (ID-NIKS) scheme, hierarchical ID-based ecryptio (HIBE) scheme, ad ID-based sigature (IBS) scheme, based o hidde-order groups. Their security proofs are still a ope problem.

5 Chalgu Li / Procedia Egieerig 9 (0) cowledgemets This research is supported by the Natioal Natural Sciece Foudatio of Chia uder Grat No , the Natural Sciece Foudatio of Fujia Provice uder Grat No. 0J0547, ad the esearch Foudatio of Educatio Bureau of Fujia Provice uder Grat No. JB07. efereces []. Bellare ad P. ogaway. adom oracles are practical: paradigm for desigig efficiet protocols. I: Proceedigs of First ual Cof. Computer ad Commuicatios Security, CM, pages 6 73, 993. [] D. Boeh ad. Boye. Secure idetity based ecryptio without radom oracles. I: dvaces i Cryptology - CYPTO 04, volume 35 of LNCS, pages Spriger-Verlag, 004. [3] D. Boeh ad M. K. Frali. Idetity based ecryptio from the Weil pairig. I: dvaces i Cryptology - CYPTO 0, volume 39 of LNCS, pages 3 9. Spriger-Verlag, 00. [4] D. Boeh, C. Getry, ad M. Hamburg. Space-efficiet idetity based ecryptiowithout pairigs. I: Proceedigs of the 48th ual IEEE Symposium o Foudatios of Computer Sciece, pages IEEE Computer Society, 007. [5] D. Boeh, B. Ly, ad H. Shacham. Short sigatures from the Weil pairig. I: dvaces i Cryptology - siacrypt 00, volume 48 of LNCS, pages Spriger-Verlag, 00. [6] S. Chatterjee ad P. Sarar. Idetity-based ecryptio. Spriger-Heidelberg Publisher, Lodo, 00. [7] C. Cocs. idetity based ecryptio scheme based o quadratic residues. I: Proceedigs of Cryptography ad Codig 00, volume 60 of LNCS, pages Spriger-Verlag, 00. [8] C. Getry. Practical idetity based ecryptio without radom oracles. I: dvaces i Cryptology - EUOCYPT 06, volume 4004 of LNCS, pages Spriger-Verlag, 006. [9] C. Getry, C. Peiert, ad V. Vaiutaatha. Trapdoors for hard lattices ad ew cryptographic costructios. I: Proceedigs of the 40th aual CM symposium o Theory of computig, pages CM, 008. [0] K. G. Paterso, S. Sriivasa, O the relatios betwee o-iteractive ey distributio, idetity-based ecryptio ad trapdoor discrete log groups, Des. Codes Cryptogr., 5, pages 9 4, 009. [] C. Peiert. Some recet progress i lattice-based cryptography. I: Proceedigs of TCC 09, volume 5444 of LNCS, page 7 7. Spriger-Verlag, 009. [] M. abi ad. Sherma. ssociative oe way fuctios: ew paradigm for secret-ey agreemet ad digital sigatures. I: Tech. ep. CST-383/UMICS-T-93-4, 993. [3] M. abi ad. Sherma. observatio o associative oe-way fuctios i complexity theory. If. Proc. Lett., pages 39 44, 997. [4]. Sahai ad H. Seyalioglu. Fully secure accoutable-authority idetity-based ecryptio. I: Proceedigs of PKC, volume 657 of LNCS, pages Spriger-Verlag, 0. [5]. Saxea ad B. Soh. cryptographic primitive based o hidde-order groups. Joural of Mathematical Cryptology, 3():89 3, 009. [6]. Shamir. Idetity based cryptosystems ad sigature schemes. I: dvaces i Cryptology - CYPTO 84, volume 96 of LNCS, pages Spriger-Verlag, 984. [7] B. Waters. Efficiet idetity based ecryptio without radom oracles. I: dvaces i Cryptology- EUOCYPT 05, volume 3494 of LNCS, pages 4 7. Spriger-Verlag, 005.