A New Biometric Identity Based Encryption Scheme

Transcription

1 NEYIRE DENIZ SARIER (2008). A New Bometrc Identty Based Encrypton Scheme. In Techncal Sessons for 2008 Internatonal Symposum on Trusted Computng (TrustCom 2008) n Proceedngs of the 9th Internatonal Conference for Young Computer Scentsts, ICYCS 2008, Zhang Ja Je, Hunan, Chna, November 18-21, 2008, GUOJUN WANG, JIANER CHEN, MICHAEL R. FELLOWS & HUADONG MA, edtors, IEEE Computer Socety. ISBN URL ng any of these documents wll adhere to the terms and constrants nvoked by each copyrght holder, and n partcular use them only for noncommercal purposes. These works may not be posted elsewhere wthout the explct wrtten permsson of the copyrght holder. (Last update 2017/11/29-18 :21.) are mantaned by the authors or by other copyrght holders, notwthstandng that these works are posted here electroncally. It s understood that all persons copy- A New Bometrc Identty Based Encrypton Scheme Neyre Denz Sarer Bonn-Aachen Internatonal Center for Informaton Technology Computer Securty Group Dahlmannstr. 2, D Bonn Germany denzsarer@yahoo.com Abstract In ths paper, we present a new and effcent bometrc dentty based encrypton scheme (BIO-IBE) usng the Saka Kasahara Key Constructon and prove ts securty n the random oracle model based on the well-exploted k- BDHI computatonal problem. Our new scheme acheves better effcency n terms of the key generaton and decrypton algorthms compared to the exstng fuzzy IBE schemes. The man dfference of the new BIO-IBE scheme s the structure of the key generaton algorthm, where a unque bometrc dentty strng ID obtaned from the bometrc attrbutes s used nstead of pckng a dfferent polynomal for each user as n other fuzzy IBE schemes. Keywords: Bometrcs, fuzzy IBE, fuzzy extracton. 1. Introducton Recently, Saha and Waters proposed a new Identty Based Encrypton (IBE) system called fuzzy IBE that uses bometrc attrbutes as the dentty nstead of an arbtrary strng lke an emal address. In fuzzy IBE, the prvate key components are generated by combnng the values of a unque polynomal on each attrbute wth the master secret key. However, due to the nosy nature of bometrcs, fuzzy IBE allows for error tolerance n the decrypton stage, where a cphertext encrypted wth the bometrcs w could be decrypted by the recever usng the prvate key correspondng to the dentty w, provded that w and w are wthn a certan dstance of each other. Besdes, the bometrcs s used as publc nformaton, hence the compromse of the bometrcs does not affect the securty of the system. Ths document s provded as a means to ensure tmely dssemnaton of scholarly and techncal work on a non-commercal bass. Copyrght and all rghts theren 1.1. Related Work The frst fuzzy IBE scheme s descrbed by Saha and Waters n [11] and the securty s reduced to the MBDH problem n the standard model, where the sze of the publc parameters s lnear n the number of the attrbutes of the system or the number of attrbutes of a user. Prett et al [10] acheved a more effcent fuzzy IBE scheme wth short publc parameter sze by usng the random oracle model (ROM). Baek et al [1] descrbed two new fuzzy IBE schemes wth an effcent key generaton algorthm and proved the securty n the random oracle model based on the DBDH assumpton. Besdes, Burnett et al [4] descrbed a bometrc dentty based sgnature scheme, where they used the bometrc nformaton as the dentty and construct the publc key of the user usng a fuzzy extractor [8], whch s then used n the modfed SOK-IBS scheme [2] Our Contrbuton In ths paper, we present a new bometrc dentty based encrypton scheme usng the Saka Kasahara Key Constructon [6] and acheve better effcency compared to the exstng fuzzy IBE schemes n terms of the key generaton and decrypton algorthms. Frst, we have a structurally smpler key generaton algorthm compared to [10, 1] snce we use an ordnary one-way hash functon nstead of a MaptoPont hash functon and we reduce the number of exponentatons n the group G from 3n as n [10] (and from 2n as n [1]) to n. Also, the decrypton algorthm requres d blnear parng computatons and d exponentatons, whereas the exstng schemes requre d + 1 blnear parng computatons and 2d exponentatons. The securty of our new scheme reduces to the well exploted k-bdhi computatonal problem n the random oracle model. The man dfference of our bometrc IBE scheme s the structure of the key generaton algorthm, where a unque bometrc dentty strng ID obtaned from the bometrc attrbutes s used nstead of pckng a dfferent polynomal for each user and computng the prvate key components for each attrbute usng ths polynomal, the master key and the attrbutes. Thus, our scheme s constructed usng a dfferent approach compared to the exstng fuzzy IBE schemes.

2 2. Defntons and Buldng Blocks In order to ntroduce the new bometrc IBE scheme, at frst, we revew the defntons and requred computatonal prmtves. Gven a set S, x R S defnes the assgnment of a unformly dstrbuted random element from the set S to the varable x. A functon ǫ(k) s defned as neglgble f for any constant c, there exsts k 0 N wth k > k 0 such that ǫ < (1/k) c. Fnally, we defne the Lagrange coeffcent µ,s for µ Z p and a set S of elements n Z p as x µ j µ,s(x) = µ µ j µ j S,µ j µ Defnton 2.1. Blnear Parng Let G and F be multplcatve groups of prme order p and let g be a generator of G. Z p denotes Z p \ {0} and G denotes G \ {1}, where {0} and {1} are the dentty elements of Z p and G, respectvely. A blnear parng s denoted by ê : G G F f the followng two condtons hold. 1. a, b Z p, we have ê(g a, g b ) = ê(g, g) ab 2. ê(g, g) 1, namely the parng s non-degenerate. The securty of our scheme s reduced to the wellexploted complexty assumpton (k-bdhi) [6], whch s stated as follows. Defnton 2.2. k-blnear Dffe-Hellman Inverse (k- BDHI) For an nteger k, and x R Z p, g G, ê : G G F, gven (g, g x, g x2,..., g xk ), computng ê(g, g) 1/x s hard Fuzzy Identty Based Encrypton In [1], the generc fuzzy IBE scheme s defned as follows. Setup(): Gven a securty parameter k 0, the Prvate Key Generator (PKG) generates the master secret key ms and the publc parameters of the system. Key Generaton: Gven a user s dentty and ms, the PKG returns the correspondng prvate key D ID. Encrypt: A probablstc algorthm that takes as nput an dentty w U, publc parameters and a message m M and outputs the cphertext c C. Here, M, C and U denote the message space, the cphertext space and the unverse of attrbutes. Decrypt: A determnstc algorthm that gven the prvate key D ID and a cphertext encrypted wth w such that w w d, returns ether the underlyng message m or a reject message. Here d s the error tolerance parameter of the scheme. In our new bometrc IBE scheme, the dentty s equal to the bometrc nformaton of the user, from whch the key generaton algorthm obtans the bometrc features (or attrbutes) w and a unque bometrc dentty strng ID. The detals of ths extracton process s presented n secton Securty Model In [11], the Selectve-ID model of securty for fuzzy IBE (IND-FSID-CPA) s defned usng a game between a challenger and an adversary as follows. Phase 1: The adversary declares the challenge dentty w = (µ 1,..., µ n ). Phase 2: The challenger runs the Setup algorthm and returns to the adversary the system parameters. Phase 3: The adversary ssues prvate key queres for any dentty w such that w w < d. Phase 4: The adversary sends two equal length messages m 0 and m 1. The challenger returns the cphertext that s encrypted usng the dentty w and the message m β, where β R {0, 1}. Phase 5: Phase 3 s repeated. Phase 6: The adversary outputs a guess β for β. The advantage of the adversary A s defned as Adv IND FSID CPA A = Pr[β = β] 1 2 For our bometrc IBE scheme we gve the securty proof based on the noton of IND-FSID-CPA (Indstngushablty aganst Fuzzy Selectve Identty, Chosen Plantext Attack), but our scheme can easly be modfed usng the generc constructon REACT [9] to be secure aganst CCA (Chosen Cphertext Attack) Bometrc Fuzzy Extracton Any bometrc based encrypton or sgnature scheme requres the bometrc measurement of the recever or the sgner, respectvely. Bascally, the framework for bometrc encrypton s (1) extractng features; (2) quantzaton and codng per feature and concatenatng the output codes; (3) applyng error correcton codng (ECC) and hashng [5]. After capturng the bometrc nformaton of the user through a readng devce, feature extracton s appled to obtan the feature vector (or the attrbutes) of the bometrcs. In [11, 1], each attrbute s assocated wth a unque nteger µ Z p usng a hash functon and used as the dentty w = (µ 1,..., µ n ) n the fuzzy IBE scheme. Here, n denotes the sze of the attrbutes of each user. Snce some of the

3 attrbutes could be common n some users, a unque polynomal s selected for each user and ncluded n the key generaton algorthm to bnd the prvate key to the user. Ths way, dfferent users cannot collude n order to decrypt a cphertext that should be only decrypted by the real recever. In our bometrc IBE scheme, we use the bometrc template b of the user, whch s obtaned by concatenatng the extracted features, n order to bnd the prvate key to the user s dentty and thus avod colluson attacks. Instead of choosng a unque polynomal for each user, we use a fuzzy extractor to obtan a unque strng ID va error correcton codes from the bometrc template b of the user n such a way that an error tolerance t s allowed. In other words, we wll obtan the same strng ID even f the fuzzy extractor s appled on a dfferent b such that ds(b, b ) < t. Here, ds() s the dstance metrc used to measure the varaton n the bometrc readng and t s the error tolerance parameter. Formally, an (M, l, t) fuzzy extractor s defned as follows. Defnton 2.3. Let M = {0, 1} v be a fnte dmensonal metrc space wth a dstance functon ds : M M Z +. Here, b M and ds measures the dstance between b and b, where b, b M. An (M, l, t) fuzzy extractor conssts of two functons Gen and Rep. Gen: A probablstc generaton procedure that takes as nput b M and outputs an dentty strng ID {0, 1} l and a publc parameter PAR, that s used by the Rep functon to regenerate the same strng ID from b such that ds(b, b ) t. Rep: A determnstc reproducton procedure that takes as nput b and the publcly avalable parameter PAR, and outputs ID f ds(b, b ) t. In [4], the authors descrbe a concrete fuzzy extractor usng a [n, k, 2t + 1] BCH error correcton code, Hammng Dstance metrc and a one-way hash functon H : {0, 1} n {0, 1} l. Specfcally, The Gen functon takes the bometrcs b as nput and returns ID = H(b) and publc parameter PAR = b C e (ID), where C e s a one-to-one encodng functon. The Rep functon takes a bometrc b and PAR as nput and computes ID = C d (b PAR) = C d (b b C e (ID)). ID = ID f and only f ds(b, b ) t. Here C d s the decodng functon that corrects the errors upto the threshold t. 3. A New Effcent Bometrc IBE Scheme Our new bometrc IBE scheme BIO-IBE uses Saka- Kasahara s Key Constructon [6, 12] for the generaton of the prvate keys. Ths way, BIO-IBE acheves better performance over exstng fuzzy IBE schemes due to the use of an ordnary hash functon and due the total number of exponentatons and blnear parngs requred. Besdes, the fuzzy extracton process s only performed by the sender to form the cphertext and can be effcently mplemented on the fnte feld F 2 m, where m 10 as descrbed n [4, 8]. In order to encrypt a message, the sender obtans the bometrc nformaton and the correspondng publc parameter P AR of the recever, extracts the features (attrbutes) and computes the bometrc strng ID usng the fuzzy extractor. We assume that f w w d, then we have ds(b, b ) t and thus ID = ID. The detals of BIO-IBE s presented as follows. Setup(): Gven a securty parameter k 0, the parameters of the scheme are generated as follows. 1. Generate two cyclc groups G and F of prme order p > 2 k0 and a blnear parng ê : G G F. Pck a random generator g G. 2. Pck a random x Z p and compute P pub = g x. 3. Pck two cryptographc hash functons H 1 : Z p {0, 1} Z p and H 2 : F {0, 1} k1. In addton, the PKG pcks H : b {0, 1}, an encodng functon C e and a decodng functon C d together wth a specfc feature extracton method F e appled on the bometrc b. The message space s M = {0, 1} k1. The cphertext space s C = U G n {0, 1} k1. The master publc key s (p, G, F, ê, k 1, g, P pub, H 1, H 2, H, C e, C d, F e ) and the master secret key s ms = x. Key Generaton: Frst, a user s bometrc attrbutes w U are obtaned from the raw bometrc nformaton usng a reader and the feature extractor F e and each attrbute µ w s assocated to a unque nteger n Z p as n [11]. Besdes, the dentty strng ID = H(b) s calculated from the bometrc template b (whch s composed of the µ s) usng a fuzzy extractor as n [4]. Gven a user s bometrc attrbutes w and ID, the PKG returns Dµ ID = g 1/(x+H1(µ,ID)) = g 1/(x+hID ) for each µ w. Encrypt: The sender obtans a bometrc readng of the recever together wth the assocated publc parameter PAR, extracts the feature vector w and computes ID = Rep(b, PAR). Here, f ds((b, b ) < t, then ID = ID. Gven a plantext m M, ID and w, the followng steps are performed. 1. Pck a random polynomal r( ) of degree d 1 over Z p such that r(0) = r and compute the shares r(µ ) = r Z p for µ w.

4 2. Compute L = P pub g H1(µ,ID ) = g x+hid and the sesson key V = H 2 (ê(g, g) r ). 3. Set the cphertext to c = (w, U, W) = (w, L r, m V ) for each [1, n]. Decrypt: Gven c = (w, U, W) C and Dµ ID for µ w and [1, n], choose an arbtrary set S w w such that S = d and compute m = W V as V = H 2 ( (ê(u, Dµ ID )) µ,s(0) ) µ S = H 2 ( µ S (ê(g r(x+hid ), g 1/(x+hID ) )) µ,s(0) ) = H 2 ( (ê(g, g) r ) µ,s(0) ) µ S = H 2 (ê(g, g) r ) Here, the polynomal r( ) of degree d 1 s nterpolated usng d ponts by polynomal nterpolaton n the exponents usng Shamr s secret sharng method [13]. Also, h ID = h ID for each µ S and ID = ID. Theorem 3.1. Suppose the hash functons H 1, H 2 are random oracles and there exsts a polynomal tme adversary A wth advantage ǫ that can break the scheme BIO-IBE n the Fuzzy Selectve ID model by makng q 1, q 2 random oracle queres, and q ex prvate key extracton queres. Then there exsts a polynomal tme algorthm B that solves the k-bdhi problem wth k = q 1 + q ex + 1. Proof. Assume that a polynomal tme attacker A breaks BIO-IBE, then usng A, we show that one can construct an attacker B solvng the k-bdhi problem. Suppose that B s gven the k-bdhi problem (q, g, ê, G, F, g x, g x2,..., g xk ), B wll compute ê(g, g) 1/x usng A as follows. Phase 1: A outputs the challenge dentty w. Phase 2: B smulates the publc parameters for A. 1. B selects h 0,..., h k 1 Z p and sets f(z) = k 1 j=1 (z+h j), whch could be wrtten as f(z) = k 1 j=0 c jz j. The constant term c 0 s non-zero because h j 0 and c j are computable from h j. 2. B computes Q = k 1 j=0 (gxj ) cj = g f(x) and Q x = g xf(x) = k 1 j=0 (gxj+1 ) cj. If Q = 1, then x = h j for some j, then k- BDHI problem could be solved drectly [7]. 3. B computes f j (z) = f(z) z+h j = k 2 v=0 d j,vz j for 1 j < k and Q 1/(x+hj) = g fj(x) = k 2 v=0 (gxv ) dj,v [7]. 4. Set T = k 1 j=1 (gxj 1 ) cj = g (f(x) c0)/x and set T 0 = ê(t, Q g c0 ). B returns A the publc parameters (q, g, ê, G, F, P pub, H 1, H 2, d, FE), where d Z +, P pub = Q x h0 and H 1, H 2 are random oracles controlled by B as follows. Here, FE denotes the fuzzy extracton algorthm. H 1 -queres: For a query (µ, ID w ), where [1, n], f there exsts j, l, µ, ID w, h j + h 0, Q 1/(x+hj) n H 1 Lst, return h j + h 0. Otherwse, 1. If µ w, ID w = ID and l d, return h j + h 0 and add j, l, µ, ID, h j +h 0, Q 1/(x+hj) to H 1 Lst. Increment j and l by If µ w, ID w = ID and l = d, then return h 0, add the tuple j, d, µ, ID w, h 0, to H 1 Lst. Increment j by Else, return h j + h 0 and add the tuple j, l, µ, ID w, h j + h 0, Q 1/(x+hj) to H 1 Lst. Increment j by 1. Here, j and l denotes the values of two counters, where 1 j q 1 and 1 l d. H 2 -queres: Upon recevng a query R, 1. If there exsts (R, ξ) n H 2 Lst, return ξ. Else, 2. Choose ξ R {0, 1} k1 and return to A. Phase 3: B smulates the prvate key extracton queres of A as follows. Extracton queres: Upon recevng a query (w, ID w ) wth w w < d, (thus ID w ID ), for every µ w, run the H 1 -oracle smulator and obtan j, l, µ, ID w, h j + h 0, Q 1/(x+hj) from H 1 Lst. If ID w ID, return Dµ IDw = Q 1/(x+hj) for each µ w. Remark 3.1. To mprove the reducton cost, we can add the followng condton to the extracton queres: If the extracton query s on the challenge dentty ID w = ID, (namely w w d), A s gven the frst d 1 prvate key components Dµ ID = Q 1/(x+hj) upto the case when µ = µ, whch s the d th entry n the H 1 Lst wth respect to the second counter. Then, we slghtly change the securty model of our scheme by requrng the adversary A to select the arbtrary subset S of w for the computaton of the sesson key such that µ S wth S = d. Phase 4: Upon recevng the messages (m 0, m 1 ) wth m 0 = m 1, B generates the challenge C. R 1. Pck r Z p for each µ w unless µ = µ.

5 2. Compute U µ = Q r(x+h1(µ,id )) for each µ w except for µ = µ. 3. Pck r R Z p and compute U µ = Q r. 4. B chooses β {0, 1} and W R {0, 1} k1. 5. Set the cphertext to C = (w, U µ, m β W ) where µ w. Remark 3.2. If the condton n Remark 3.1 s appled, then the only way for the adversary A to have any advantage s to query the H 2 oracle wth the correct sesson key constructed usng the d prvate key components, where A already knows d 1 of them except for µ. And A has to compute the prvate key share of µ due to the Remark 3.1. Phase 5: B answers A s random oracle and prvate key extracton queres as before. The only condton on the prvate key extracton queres s that the attacker A cannot query the prvate key Dµ ID. Phase 6: At some pont, A responds wth ts guess β for the underlyng plantext m β, whch could only be computed from m β = W H 2 ( µ S (ê(u µ, D ID µ ))). The only way for A to have any advantage n ths game s when H 2 Lst contans the value R = ê(u µ, Dµ ID ) µ,s(0) µ S = ê(q, Q 1/x ) r µ,s (0) Λ where Λ = µ S,µ µ ê(q, Q) r µ,s(0) Remark 3.3. Obvously, the value Λ can be computed by B (also computable by A f the condtons of Remark 3.1 s appled), snce B knows the prvate key components Dµ ID for each µ S, µ µ, and B also knows the correspondng r s. We set T = (R /Λ) 1/(r µ,s (0)) = ê(q, Q 1/x ). The soluton to the k-bdhi problem, ê(g, g 1/x ), s obtaned by outputtng (T/T 0 ) 1/c2 0 = ê(g, g 1/x ) as n [7]. T/T 0 = ê(g, g) f(x) f(x)/x /ê(g (f(x) c0)/x, g f(x)+c0 ) = ê(g, g) f(x) f(x)/x f(x) f(x)/x+c2 0 /x = ê(g, g) c2 0 /x Let H be the event that algorthm A ssues a query for H 2 (R ) at some pont durng the smulaton. Pr[H] n the smulaton above s equal to Pr[H] n the real attack [3]. Also, n the real attack we have Pr[H] ǫ due to the followng facts. If the H 2 Lst does not contan the value R, then we have Pr[β = β H] = 1 2. By the defnton of A, we have Pr[β = β] 1 2 > ǫ. Combnng all the results and defnng the event E as E = Pr[β = β ], we obtan the followng as n [3] E = Pr[β = β H]Pr[H] + Pr[β = β H]Pr[ H] Pr[β = β ] 1 2 (1 Pr[H]) Pr[β = β ] 1 2 (1 + Pr[H]). Therefore, ǫ Pr[β = β H] Pr[H] Pr[H] 2ǫ. It follows that B produces the correct answer by pckng a random entry from the H 2 Lst wth probablty ( ) at least 2ǫ n due to the q ( n 2 entres n the H 2 Lst and dfferent d) q 2 d choces for A to compute the sesson key. Hence, 2Adv FSID-IND-CPA (A) ( n BIO-IBE d) q2 Adv k-bdhi (B) When we apply the condton on Remark 3.1, the adversary( A) wll have only one choce for the set S, thus the n factor s elmnated from the reducton cost resultng d n 2Adv FSID-IND-CPA BIO-IBE (A) q 2 Adv k-bdhi (B) The modfed securty model gves the adversary as much power as possble by provdng the adversary wth d 1 prvate key components, and the restrcton for the set S s necessary for B to have any advantage n ths game. Thus, the mproved reducton cost s obtaned by requrng a stronger securty model than the Fuzzy Selectve-ID model of [11, 1]. 4. Concluson In ths paper, we propose a new bometrc dentty based encrypton scheme BIO-IBE. Due to the employment of the Saka Kasahara Key Constructon, we obtan a more effcent scheme compared to the schemes n [10, 1]. We summarze n the followng tables the propertes of BIO- IBE and compare the computatonal costs of each algorthm used n the schemes. Obvously, BIO-IBE s more effcent n terms of the sub-algorthms of the schemes. Besdes, the computatonal cost of the fuzzy extracton F E s small, snce the operatons n FE algorthm are performed on the fnte feld of F 2 m, where m 10 accordng to [4]. The only dsadvantage s that the reducton s not tght, however, the BIO-IBE s reduced to a well-exploted computatonal

6 Fgure 1. Computatonal Costs of Varous Fuzzy IBE Schemes [1] SW-RO EFIBE-I EFIBE-II BIO-IBE Sze of D ID 2n G 2n G 2n G n G Sze of C (n + 1) G + F (n + 1) G + F (n + 1) G + F n G + k 1 Cost of Key n(t e + T ) n(t H + T m + 3T e) n(t H + 2T e) n(t H + T m + 2T e) Generaton +FE ID Cost of n(t e + T H) n(t e + T m + T H) n(t e + T H) n(2t e + T m) Encrypt +2T e + T p + T m +2T e + T p + T m +2T e + T p + T m +T p + FE ID Cost of d(2t e + T m + T p) d(2t e + T m + T p) d(2t e + T m + T p) Decrypt +T p + T + T m +T p + T + T m +T p + T + T m d(t e + T p) Abbrevatons: S s the bt-length of an element n set (or group) S; n s the number of elements n an dentty; T e s the computaton tme for a sngle exponentaton n G; T H s the computaton tme for MaptoPont hash functon; T m s the computaton tme for a sngle multplcaton n G; T s the computaton tme for a sngle nverse operaton n Z p; T p s the computaton tme for a sngle parng operaton; T m s the computaton tme for a sngle multplcaton n F; T the computaton tme for a sngle nverse operaton n F; d s the error tolerance parameter; FE ID s the computaton tme for the fuzzy extracton process; k 1 output sze of the hash functon. problem. Fnally, an open problem s to prove the securty of BIO-IBE n the standard model. Table 1. Propertes of Varous Fuzzy IBE Schemes Scheme Assumpton Hash Securty Functon Model SW-RO Decsonal BDH MaptoPont ROM EFIBE-I Decsonal BDH MaptoPont ROM EFIBE-II Decsonal BDH MaptoPont ROM BIO-IBE Computatonal k-bdhi One-way ROM Acknowledgement The author s grateful to her supervsor Prof. Joachm von zur Gathen for hs valuable support. References Dr. [1] J. Baek, W. Suslo, and J. Zhou, "New constructons of fuzzy dentty-based encrypton," n ACM Symposum on Informaton, Computer and Communcatons Securty (ASI- ACCS 2007), ACM, 2007, pp [2] M. Bellare, C. Namprempre, and G. Neven, "Securty Proofs for Identty-Based Identfcaton and Sgnature Schemes," n Advances n Cryptology-EUROCRYPT 2004, LNCS 3027, Sprnger, 2004, pp [3] D. Boneh and M. K. Frankln, "Identty-Based Encrypton from the Wel Parng," SIAM J. Comput., vol.32, pp , [4] A. Burnett, F. Byrne, T. Dowlng, and A. Duffy, "A Bometrc Identty Based Sgnature Scheme," Internatonal Journal of Network Securty, vol.5, pp , [5] C. Chen, R. N. J. Veldhus, T. A. M. Kevenaar, and A. H. M. Akkermans, "Mult-bts bometrc strng generaton based on the lkelyhood rato," IEEE conference on Bometrcs: Theory, Applcatons and Systems, 2007, pp [6] L. Chen and Z. Cheng, "Securty Proof of Saka-Kasahara s Identty-Based Encrypton Scheme," n Cryptography and Codng, IMA Int. Conf., LNCS 3796, Sprnger, 2005, pp [7] L. Chen, Z. Cheng, J. Malone-Lee, and N. Smart, "Effcent ID-KEM based on the Saka-Kasahara key constructon," IEE Proceedngs Informaton Securty, vol. 153, pp , [8] Y. Dods, R. Ostrovsky, L. Reyzn, and A. Smth, "Fuzzy Extractors: How to Generate Strong Keys from Bometrcs and Other Nosy Data," CoRR, abs/cs/ , [9] T. Okamoto and D. Pontcheval, "REACT: Rapd Enhanced- Securty Asymmetrc Cryptosystem Transform," n Topcs n Cryptology (CT-RSA 2001), LNCS 2020, Sprnger, 2001, pp [10] M. Prrett, P. Traynor, P. McDanel, and B. Waters, "Secure attrbute-based systems," n ACM Conference on Computer and Communcatons Securty, ACM, 2006, pp [11] A. Saha and B. Waters, "Fuzzy Identty-Based Encrypton," n Advances n Cryptology-EUROCRYPT 2005, LNCS 3494, Sprnger, 2005, pp [12] R. Saka and M. Kasahara, "ID based Cryptosystems wth Parng on Ellptc Curve," Cryptology eprnt Archve, Report 2003/054, [13] A. Shamr, "How to Share a Secret," Commun. ACM, vol.22, pp , 1979.