REMARKS ON IBE SCHEME OF WANG AND CAO

Transcription

1 REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. - Abstract: In this paper we analyze and find an anomaly in the security proof of the identity-based encryption (IBE) scheme fullm-ibe of Wang and Cao [9], which is based on mbdp. ere we give another proof for fullm-ibe which is based on Bilinear Diffie-ellman Problem (BDP). We also obtain a tightness improvement using a stronger assumption, namely, the Bilinear Inverse Dicision Diffie-ellman problem (BIDDP). Key-Words: Public-Key Encryption, Identity-Based Encryption (IBE), IND-ID-CCA attack, BDP, BIDDP, Random Oracle.. Introduction In traditional (certificate based) public key cryptosystems, public keys are usually generated at random and secret keys are computed by the users. owever, in 984, Adi Shamir [7] introduced the concept of ID-based cryptosystems in which the public key of a user is derived from his identity and his private key is generated by a trusted third party called Private Key Generator (PKG). Main advantage of an ID-based cryptosystem is that it simplifies the key management process, which is a heavy burden in the traditional certificate based cryptosystem. The concept of ID-based encryption remained a concept till 00 when Boneh and Franklin [] proposed the first practical IBE scheme, BasicIdent. Using the padding technique of Fujisaki-Okamoto [4] they extended BasicIdent to FullIdent scheme, and proved that it is secure against chosen ciphertext attacks provided BDP is hard. In 003, Galindo [6] pointed out a flaw in the security proof of FullIdent [], and provided another proof for the security of FullIdent without changing the scheme or the underlying assumption. In 007, Wang [8] proposed another IBE scheme based on pairing which is more practical in multiple private key generator (PKG) environments than the IBE scheme BasicIdent of Boneh and Franklin []. In 007, Sunder Lal and Priyam Sharma [0] analyzed the security of the IBE scheme by Wang [8] and proved that it relies on the BDP for its security. In 007, Wang and Cao [9] (an updated version of [8]) used the transformation technique of Fujisaki-Okamoto [5], and the transformation from [6], to transform the IBE scheme of [8] into fullm-ibe scheme, and proved that it is secure against chosen ciphertext attack. For security, they relied on the modified version of Bilinear Diffie-ellman Problem (mbdp) (which is weaker than BDP). In this paper we re-analyze the security of the IBE scheme of Wang and Cao [9]. In the security analysis of fullm-ibe Wang and Cao used a public-key encryption scheme-basicpub, obtained from M-IBE (which is the IBE scheme of Wang [8]), but

2 BasicPub is not the public-key encryption scheme that we get from M-IBE, since the public parameters params contains more information that the public parameters params of M-IBE. This does not match with the general philosophy. In this paper, using another security proof, which matches with the general philosophy, we show that the scheme relies on the BDP for its security. We also obtain an improved tightness using BIDDP which is stronger than BDP.. Preliminaries:. Identity-Based Encryption (IBE) Scheme: An identity-based Encryption Scheme consists of four randomized algorithms: Setup, Extract, Encrypt, and Decrypt. Setup: It takes a security parameter k and returns system parameters params and master-key. The params which is known publically includes the description of a finite plaintext space M and the description of a finite ciphertext space C. The master-key is known only to the private key generator (PKG). Extract: This algorithm extracts private key from the given public key. It takes as input params, the master-key and an identity string ID {0, } *, and returns key d ID. String ID is used as public key, and d ID as the corresponding private key. Encrypt: Takes as input the params, an identity ID and a plaintext M M and returns a ciphertext C C. Decrypt: Takes as input params, a private key d ID, and C C. and returns M M. If params is the system parameters produced by the Setup algorithm, d ID is the private key, corresponding to ID, which is generated by the algorithm Extract, then M M, Decrypt (params, d ID, Encrypt (params, ID, M)) = M.. Adaptive Chosen Ciphertext Attack: Semantic security against adaptive chosen ciphertext attack for an identity-based encryption scheme (IND-ID-CCA) is defined through the following game between challenger and adversary. Setup: The challenger takes a security parameter k and runs the Setup algorithm. She then returns public system parameters params to the adversary and keeps the master-key to itself. Phase: The adversary issues queries q, q,., q n which is one of the following:

3 -Extraction query <ID j >: The challenger responds by running the algorithm extract to generate the private-key d j corresponding to the public-key ID j and returns to the adversary. -Decryption query <ID j, C j >: The challenger responds by running the algorithm extract to generate the private-key d j corresponding to the public-key ID j, uses this private key to decrypt the ciphertext C j and returns the resulting plaintext to the adversary. Challenge: The adversary outputs two equal length plaintext M 0, M M, with the only constrain that ID must not have appeared in any of the extraction query in Phase. The challenger picks a random bit b {0, } and sends the challenge C = Encrypt(params, ID, M b ) to the adversary. Phase: The adversary issues queries q n+, q n+,.., q t which is one of: -Extraction query <ID j > where ID j ID: The challenger responds as in Phase. -Decryption query <ID j, C j > <ID, C>: The challenger responds as in Phase. Guess: The adversary outputs a guess b {0, }. e wins the game if b = b. Such an adversary is called an IND-ID-CCA attacker. The advantage of an IND-ID-CCA attacker A against the scheme is defined to be: Adv A ( κ ) = Pr [ b ' = b ] where the probability is over the random choices made by the challenger and the adversary. An identity-based encryption scheme is said to be semantically secure against adaptive chosen ciphertext attack (IND-ID-CCA) if no polynomially bounded adversary has non-negligible advantage in the game described above..3 Bilinear Pairings: Let G be an additive group of order p, a prime and let P be a generator of G. Let G be a multiplicative group of the same order p. A map e : G G G is said to be a bilinear pairing if it satisfies the following properties: (Bilinearity): For all P, Q G and a, b Z p *, e ) ab ( ap, bp) = e( P, P. (Non-Degeneracy): For a given R G, e ( Q, R) =, for all Q G if and only if R = 0, where is the identity of G and 0 is the identity of G. (Computability): For all P, Q G, there is an efficient algorithm to compute e ( P, Q) in polynomial time. 3

4 Following are some of the mathematical problems in G, G : Computational Diffie-ellman Problem (CDP): Given P, ap, bp in G, for some (unknown) a, b Z p *, compute abp in G. Bilinear Diffie-ellman Problem (BDP): Given P, ap, bp, cp in G, for some (unknown) a, b, c Z * abc p,compute e ( P, P) in G. Bilinear Inverse Diffie-ellman Problem (BIDP): Given P, ap, bp in G, for some (unknown) a, b Z p *, compute e( P, P) a b in G. Bilinear Square Diffie-ellman Problem (BSDP): Given P, ap, bp in G for some (unknown) a, b Z p *, compute e a b ( P, P) in G. Modified Bilinear Diffie-ellman Problem (mbdp): Given P, ap, a - P, bp, cp in G, for some (unknown) a, b Z * abc p compute e ( P, P) in G. Bilinear Decision Diffie-ellman Problem (BDDP): Given P, ap, bp, cp in G and T G, for some (unknown) a, b, c Z * p, decide whether T = e ( P, P) abc. Modified Bilinear Decision Diffie-ellman Problem (mbddp): Given P, ap, a - P, bp, cp in G and T G, for some (unknown) a, b, c Z * p, decide whether T = e ( P, P) abc. Bilinear Inverse Decision Diffie-ellman Problem (BIDDP): Given P, ap, bp, cp in G and T G, for some (unknown) a, b, c Z * p, decide whether a bc T = ( ) e P, P. It may be noted here that, BIDDP is termed as Decisional Modified BDP in [3]. It is easy to show that, if we have an algorithm to solve the CDP in G or G, then using this algorithm we can solve BDP in <G, G, e>. In other words, the BDP in <G, G, e> is no harder than the CDP in G or G. But, the problem that, the CDP in G or G is no harder than the BDP is still an open problem. Also, it is shown in [7] that BDP, BIDP, and BSDP are all polynomial time equivalent. It is easy to see that mbdp is no harder than the BDP. mbddp is no harder than BDDP. Also, mbddp is no harder than BIDDP. 4

5 3. IBE Scheme by Wang and Cao ( fullm-ibe): We first describe the IBE scheme fullm-ibe proposed by Wang and Cao [9]. The scheme consists of the following four algorithms: Setup: The algorithm works as follows:. Runs IG on input k to generate two prime order groups G and G and a bilinear map e : G G G. ere G = G =p and G = < P >.. Chooses s Z p * and computes P Pub = s - P G. 0,, the ciphertext space C= G * x {0,} n and three cryptographic hash functions :{ 0,} * G, :G { 0,} n and n 3 :{ } k 0 k 0, { 0, } 0 Z * p The params is <G, G, e, n, p, P, P Pub,,, 3 >, and the master-key is s. k 3. For a suitable n and k 0 N, chooses the plaintext space 0 M={ } n Extract: For an identity ID {0,} *, PKG computes. Q ID = (ID) G as the public key, and. d ID = sq ID as the corresponding private key. Encrypt: To encrypt a plaintext m M for user with identity ID the sender. picks a random k * σ { 0,} 0 and compute r= 3 ( m σ ) Z. computes Q ID = (ID) and g ID = e (P, Q ID ) G, and 3. sets the ciphertext C=< rp Pub, (m σ) (g ID r ) >., p Decrypt: To decrypt a ciphertext C=<U, V> C, the receiver using the private key d ID, and params < G, G, e, n, p, P, P Pub, Q ID,, 3 >. computes m = V (e (U, d ID) ) = m σ, and. parses m σ and computes r ( m ) ciphertext iff U = rp Pub. 3. Outputs m. * 3, Z p = σ. Accepts the The correctness follows because ID r P, sq ID ) = e ( P, Q. ID e ( U, d ) = e ( rs ) 5

6 4. Security Analysis: Regarding the security of fullm-ibe, Wang and Cao [9] proved the following: Theorem: The fullm-ibe scheme is (t, q, q D, ε )-secure if the mbdp on (G,G, e) is 3 ( t + c q + q + q O log p + log p, ε / q secure. G ( ) ( ) ) D In the above proof Wang and Cao reduce the fullm-ibe to a scheme called BasicPub much the same way as is done in Boneh-Franklin [] and Galindo [6]. owever, contrary to the reduced form by Boneh-Franklin and Galindo, the reduced BasicPub of Wang and Cao need more public information than is available in the full scheme. Information P Pub = sp G is not a part of params in fullm-ibe, but it is a part of params in BasicPub of Wang and Cao. We feel it is an anomaly in the security proof of fullm-ibe. ere we provide a security proof which is free from this anomaly. Moreover, security proof is based on BDP as against mbdp of Wang and Cao. We prove the following theorem: Theorem: The fullm-ibe scheme is (t, q, q D, ε )-secure if the BDP on (G,G, e) is 3 ( t + c q + q + q O log p + log p, ε / q secure. G ( ) ( ) ) D To prove the above theorem we make use of a public-key encryption scheme called as BasicPub y which is obtained by applying Fujisaki-Okamoto transformation [5] to the public-key encryption scheme BasicPub-Wang in [0]. In the next subsection we describe the BasicPub-Wang. 4. BasicPub-Wang: The scheme has three algorithms: Keygen, Encrypt, and Decrypt. Algorithms Encrypt and Decrypt are same as that of IBE scheme of Wang [8] (which is called M-IBE in [9]). The scheme is as follows: Keygen: The algorithm works as follows:. As in the Setup algorithm of IBE scheme of Wang (M-IBE), IG generates two prime order groups G, G and a bilinear map e : G G G. Also, the PKG computes its public key P Pub and secret key s in the same way.. The plaintext space M = {0,} n, the ciphertext space C = G * x {0,} n and a cryptographic hash function : G {0, } n are chosen in the same way. 3. The algorithm now picks a random point Q ID 0 in G, the group generated by P. 6

7 4. The public key is <G, G, e, n, p, P, P Pub, Q ID, >, the private key is d ID =sq ID G. Encrypt: To encrypt m {0, } n, the algorithm chooses random r Z p * and computes C=< rp Pub, m (g ID r ) >, where g ID = e (P, Q ID ) G. Decrypt: To decrypt C=<U, V> the algorithm takes the public key < G, G, e, n, p, P, P Pub, Q ID, > and private key d ID as input,. computes m = V (e (U, d ID )), and. returns m. 4.BasicPub y : The scheme is obtained by applying the Fujisaki-Okamoto transformation [5] to BasicPub-Wang. The scheme has three algorithms: Keygen, Encrypt, and Decrypt. Algorithms Encrypt and Decrypt are same as that of fullm-ibe. The scheme is as follows: Keygen: The algorithm works as follows:. Runs IG on input k to generate two prime order groups G and G and a bilinear map e : G G G. ere G = G =p and G = < P >.. Chooses s Z p * and computes P Pub = s - P G. k 3. For a suitable n and k 0 N, chooses the plaintext space 0 M={ } n 0, ciphertext space C= G * x {0,} n and two cryptographic hash functions :G { 0,} n n k k * and 3 :{ } { } 0 0, 0 0, Z p., the 4. The algorithm now picks a random point Q ID 0 in G, the group generated by P. The public key is <G, G, e, n, p, P, P Pub, Q ID,, 3 >, the private key is d ID =sq ID G. Encrypt: To encrypt m {0, } n, the algorithm chooses random k { } 0 σ 0,, computes r = 3 (m, σ) and C=< rp Pub, (m σ) (g r ID ) >, where g ID = e (P, Q ID ) G. 7

8 Decrypt: To decrypt C=<U, V> the algorithm takes < G, G, e, n, p, P, P Pub, Q ID,, 3 > and private key d ID as input,. computes m = V (e (U, d ID )) = m σ,. parses m σ and computes r ( m ) If not rejects the ciphertext. 3. returns m. * 3, Z p To prove Theorem we proceed in the following three steps: = σ. Checks that U = rp Pub. We show that IND-ID-CCA attack on fullm-ibe can be converted into IND-CCA attack on BasicPub y. This will show that private key extraction queries do not help the adversary. We show that IND-CCA attack on BasicPub y can be converted into an IND-CPA attack on BasicPub-Wang. We show that IND-CPA attack on BasicPub-Wang can be converted into an algorithm that can solve BIDP. Lemma: Let A be a t time IND-ID-CCA adversary with advantage ε against the fullm-ibe scheme making at most q E private key extraction queries, q D decryption queries and q hash queries. Then there is an IND-CCA adversary B that has advantage at least ε q t ' t + c q multiple in G. q q E ( + q q ) G D E + ε against BasicPub y. Its running time is q, where c G denotes the time of computing a random Proof: The proof can be found in [9]. Lemma: Let A be a t time IND-CCA adversary with advantageε against BasicPub y making at most q D decryption queries and q hash queries. Then there is an IND-CPA adversary B that has advantage at least ( k 0 ε ) ( ) q D ( q ) / p ε against BasicPub-Wang with the running time t ' t + q ( T BasicPub + log p ), where T BasicPub is the running time of Encrypt algorithm in BasicPub-Wang. 8

9 Proof: This result is obtained by applying Fujisaki-Okamoto transformation. The proof can be found in [5]. Lemma and Lemma are the same as Lemma and Lemma respectively of [9]. Lemma3: Let A be a t time IND-CPA adversary with advantage atleast ε against BasicPub-Wang making at most q queries to. Then there is an algorithm B that has advantage at least in solving the BIDP. Its running time is t = O(t). ε q Proof: Algorithm B is given an input the BID parameters <G, G, e > produced by IG and a random instance <P, ap, bp> of the BIDP for these parameters i.e., P R G where a, b R Z * a b p. G = p = G. Let D = e( P, P) G be the solution to this problem. Algorithm B finds D by interacting with algorithm A as follows: Setup: Algorithm B creates the BasicPub public key K Pub = < G, G, e, n, P, P Pub, Q ID, > by setting P Pub = ap, Q ID = bp. Observe that, the private key associated to K Pub is d ID = a - Q ID = a - bp. -queries: At any time algorithm A may issue queries to. To respond to these queries algorithm B maintains a list of pairs called the -list. Each entry in the list is a pair of the form < X j, j >. Initially the list is empty. To respond to query X j algorithm B does the following:. If the query X j already appears on the -list, then he responds with (X j ) = j.. Otherwise, algorithm B just picks a random string j {0, } n and adds the tuple <X j, j > to the list. It responds to algorithm A with (X j ) = j. Challenge: Algorithm A outputs two equal length plaintext M 0, M in which it wishes to be challenged. Algorithm B then picks a random string R {0, } n and defines C to be the ciphertext, C = <U, V> where U = P and V = R. Algorithm B picks a random bit b {0,}and gives C, encryption of M b, as the challenge to algorithm A. Note that, the decryption of C is V (e (u, d ID )) = V (e (P, a - bp))= V a b (e( P, P) )= V (D). We set M b = V (D). Guess: Algorithm A outputs a guess b {0,} for b. 9

10 It is easy to see that A s view is identical to its view in the real attack. The setup is as in the real attack. Since a and b are random in Z p * so is the challenge, as the challenged 0, ciphertext C = <U,V> where U = P and V { } n. U = P imply U = a - ap i.e. adversary B chooses r = a - *, and his choice is justified as B sets the game in such a way that Z p any response of A enables him to output the right solution of the problem given to him. Since, P is a random in G and therefore the resulting encryption message, which is exclusive-or of two random strings in {0,} n, is also random plaintext. Thus, Adv A ( k ) = Pr [ b ' = b ] ε It still remains to calculate the probability that algorithm B outputs the correct result. The adversary A gains no advantage in distinguishing M 0, M if it has not asked for a b e ( P, P ),which is equal to D, to. Let denote the event that at the end of the simulation D appears in a pair on -lists. Using the technique of claim in [], we can show that Pr[] in the simulation above is equal to Pr[] in the real attack. If D does not appear in -lists i.e. If A never issues a query for (D), then the decryption of C is independent of A s view, since (D) is a random string in {0,} n independent of A s view. Thus, Pr [ b ' = b ] = Then, Pr[ b ' = b ] = Pr[ b ' = b ] Pr[ ] + Pr[ b ' = b ] Pr[ ] Pr[ ] + Pr[ b ' = b ] Pr[ ] Also, Pr[ b ' = b ] = = Pr[ ] + Pr[ ] = Pr[ ] + ( Pr[ ]) = + Pr[ b ' = b ]. Pr[ ] = Pr[ ]. Pr[ ]. ε Pr[ b ' = b ] Pr[ ]. Pr[ ] ε Also, since we pick a random element from -list, the probability that algorithm B produces the right answer is at least ε Pr [ ]. q Note that, if algorithm A answers correctly, then V M = (D). So algorithm B could scan through the -list, and pick a random pair <X j, j > such that j = (D), and output X j instead of picking a random pair from the entire -list. 0

11 In order to come up with the total concrete security, we assume that q E = q D (since extraction and decryption operations have almost same computational complexity). We also bound all hash queries q i with q. In Theorem of [], Zhang, Safavi-Naini and Susilo have shown that BDP, BIDP and BSDP are all polynomial time equivalent. Using this result we infer, that fullm-ibe is secure so long as the BDP is difficult. Therefore, from Lemma, Lemma and Lemma3, we get: If there exists an IND-ID-CCA adversary against algorithm A that has advantage ε against full M-IBE, then there is an algorithm B that can solve BDP with advantage at least ε. q We now prove a theorem which improves the tightness in the above theorem. ere we rely on a stronger assumption, namely, the BIDDP. To prove the theorem we work on the line of [6]. Theorem: Let A be a t time IND-CPA adversary against BasicPub-Wang with advantage atmost ε making atmost q hash queries. Then there is an algorithm B that can solve BIDDP with advantage ε and running time t' t. Proof: Algorithm B is given an input the BIDD parameters <G, G, e > produced by IG and a random instance <P, ap, bp, cp, T> of the BIDD problem for these parameters i.e., P R G * where a, b, c R Z * p. G = p = G. Algorithm B uses algorithm A to solve the BIDDP as follows: Setup: Algorithm B creates the BasicPub public key K Pub = < G, G, e, n, P, P Pub, Q ID, > by setting P Pub = ap, Q ID = bp. Observe that, the private key associated to K Pub is d ID = a - Q ID = a - bp. -queries: At any time algorithm A may issue queries to. To respond to these queries algorithm B maintains a list of pairs called the -list. Each entry in the list is a pair of the form < X j, j >. Initially the list is empty. To respond to query X j algorithm B does the following:. If the query X j already appears on the -list, then he responds with (X j ) = j.. Otherwise, algorithm B just picks a random string j {0, } n and adds the tuple <X j, j > to the list. It responds to algorithm A with (X j ) = j.

12 Challenge: A outputs two equal length plaintext M 0, M in which it wishes to be challenged. Algorithm B returns as the challenge ciphertext C = <cp, M b (T)>, where b {0,}. R Note that, the decryption of C is V (e (U, d ID )) = V (e (cp, a - bp)) = a bc V ( ( ) e P, P ) Guess: Algorithm A outputs its guess b for b. Algorithm B returns if b = b and 0 otherwise. Note that, we say an algorithm D(t,ε ) breaks BIDDP on (G, G ) if it runs in time at most t and a bc Pr[D(P, ap, bp, cp, ( ) ) = ] Pr[D(P, ap, bp, cp, T) = ] ε. e P, P where the probability is computed over the random choices of the parameters, and the random bits of D. The distribution on the left side is called BID distribution and is denoted by P BID, while the distribution on the right is called random BID distribution and is denoted by R BID. In the above game, algorithm B is simulating a real attack environment for A. If the random instance is from R BID, then Pr[b = b] = ½, since in this case the distribution of the ciphertext C is independent of the bit b. Otherwise, the instance comes from P BID, and C is valid encryption of M b. Therefore Pr[b = b] = ½ +ε by definition of A. Therefore, Pr [B (P BID )= Pr [B(R BID )=] = [/ + ε -/] = ε. With this second tightness improvement, we obtain that fullm-ibe scheme is (t,q, q D,ε ) IND-ID-CCA secure if the BIDDP problem on (G, G ) is t + c G 3 ( q + ) + ( + ) D q q O log q log q, q ε secure. ere, we got rid of a q factor in the security reduction at the cost of relying on a stronger assumption. Conclusion: In this paper we present another proof that the IBE scheme fullm-ibe of Wang and Cao [9] is secure against chosen ciphertext attack. We remove an anomaly in the security proof by Wang and Cao which is based on mbdp. We base our proof on the hardness of BDP which is stronger than mbdp. We also obtain a better tightness improvement using BIDDP, which is a stronger assumption.

13 References: ) D.Boneh and M.Franklin, Identity-based encryption from weil pairing, In Proc. Of CRYPTO 00, LNCS # 39, pp.3-9. Springer-Verlag, 00. ) D.Boneh and M.Franklin, Identity-based encryption from weil pairing, In SIAM J. of Computing, # 3, No. 3, pp , ) M.Choudary Gorantla, Raju Gangishetti and Ashutosh Saxena, A Survey On ID- Based Cryptographic Primitives, 4) E.Fujisaki and T.Okamoto, Secure integration of asymmetric and symmetric encryption schemes, In Advances in Cryptology-CRYPTO 999, LNCS # 666, pp , Springer-Verlag, ) E.Fujisaki and T.Okamoto, ow to enhance the security of public-key encryption at minimum cost, IEICE Trans. Fundamentals, E83-9():4-3, ) D.Galindo, Boneh-Franklin identity based encryption revisited, In proc. of ICALP 005, LNCS # 3580, pp Springer-Verlag, ) A.Shamir, Identity-based cryptosystems and signature schemes, In Proc. Of CRYPTO 984, LNCS # 96, pp Springer-Verlag, 984. Also available on 8) Shengbao Wang, Practical Identity-Based Encryption (IBE) in Multiple PKG Environments and Its Applications, 9) Shengbao Wang and Zhenfu Cao, Practical Identity-Based Encryption (IBE) in Multiple PKG Environments and Its Applications, 0) Sunder Lal and Priyam Sharma, Security proof for Shengbao Wang s identitybased encryption scheme, ) F.Zhang, R.Safavi-Naini, and W.Susilo, An efficient signature scheme from bilinear pairings and its applications, In International Workshop on Practice and Theory in Public Key Cryptography-PKC 004. LNCS # 947, pp.77-90, Springer-Verlag,