Identity Based Encryption

Size: px

Start display at page:

Download "Identity Based Encryption"

Derrick Moody
5 years ago
Views:

1 Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University

2 Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key E(pk, m) c encrypt m using pub-key pk D(sk, c) m decrypt c using sk obtain E( pk alice, msg ) pk alice

3 Example: ElGamal encryption n G(λ): (G, g, q) GenGroup(λ) sk := ( α F p ) ; pk := ( h g α ) n E(pk, m G): s Z q and do c ( g s, m h s ) n D(sk=α, c=(c 1,c 2 ) ): observe c 1 α = (g s ) α = h s n Security (IND-CPA) based on the DDH assumption: (g, h, g s, h s ) indist. from (g, h, g s, g rand )

4 Identity Based Encryption [Sha 84] n IBE: PKE system where PK is an arbitrary string e.g. address, phone number, IP addr encrypted using public key: alice@gmail.com CA/PKG master-key

5 Identity Based Encryption Four algorithms : (S,K,E,D) S(λ) (pp, mk) output params, pp, and master-key, mk K(mk, ID) d ID outputs private key, d ID, for ID E(pp, ID, m) c encrypt m using pub-key ID (and pp) D(d ID, c) m decrypt c using d ID IBE compresses exponentially many pk s into a short pp

6 CPA-Secure IBE systems (IND-IDCPA) [ B-Franklin 01 ] Semantic security when attacker has few private keys Challenger pp, mk S(λ) b {0,1} pp id sk id K(mk, id) ( id *, m 0, m 1 ) c * E( pp, id *, m b ) Attacker A id id * Adv IBE [A] (λ) := Pr[b=b ] ½ b {0,1}

7 CPA-Secure IBE systems (IND-sIDCPA) [CHK 04] Selective security: commit to target id * in advance Challenger pp, mk S(λ) b {0,1} id* pp id sk id K(mk, id) m 0, m 1 c * E( pp, id *, m b ) Attacker A id id * Adv sibe [A] (λ) := Pr[b=b ] ½ b {0,1}

8 selective full: generic conversion [BB 04] n The two models are equivalent in the RO model E(pp, id, m) E(pp, H(id), m) n In the standard model: complexity leveraging Lemma: A B: Adv IBE [A] 2 n Adv sibe [B] where n = ID e.g. n = 256

9 Why ID Based Encryption? Chosen Ciphertext Security [CHK 04, BK 04, BMW 05] IBE Forward Secure Encryption [CHK 03, BBG 05] Searching on Encrypted data blindable Adaptive Oblivious Transfer [GH 08] [BDOP 04, AB 05] Digital Signatures Secret Handshakes [BBD 03,LDB 03 ]

10 Black box separation [BPRVW 08] Trapdoor functions CCA-secure public-key enc. IBE Main reason: short pp defines exp. many public keys pp Id 1 Id 2 Id 3 sk id1 sk id2 sk id3 Id 2n sk id2 n

11 Functional encryption [BSW 11] ABE [SW 05] Hierarchical IBE [HL 02, GS 02] IBE public-key crypto trapdoor functions public-key encryption symmetric crypto PRF PRP PRG signatures

12 IBE in practice Bob encrypts message with pub-key: role=accounting time=week-num policy-based encryption short-lived keys Aug. 2011: Voltage Secur with over one billion secure business s sent annually and over 50 million worldwide users.

13 IBE: functional encryption view [BSW 11] mk pp f 1 f 2 f 3 f 4 sk 1 sk 2 sk 3 sk 4 E( pp, data ), sk 1 f 1 (data) IBE: first non-trivial functionality E(pp, (id 0,m) ), sk id output data m if id=id 0 otherwise

14 Constructing IBE

15 Can we build an IBE?? n ElGamal is not an IBE: sk := ( α F p ) ; pk := ( h g α ) q pk can be any string: h = alice@gmail.com G but cannot compute secret key α q Attempts using trapdoor Dlog [MY 92] but inefficient

16 Can we build an IBE?? n RSA is not an IBE: pk := ( N=p q, e ) ; sk := ( d ) q Cannot map ID to (N,e) q How about: fix N and and use e id = Hash(id) n Problem: given ( N, e id, d id ) can factor N

17 IBE Constructions: three families Pairings e: G G! G Lattices (LWE) Quadratic Residuosity IBE w/ro BF 01 GPV 08 Cocks 01 BGH 07 IBE no RO CHK 03, ç è BB 04, W 05, ç è G 06, W 09, ç è CHKP 10, ABB 10, MP 12???? HIBE GS 03, BB 04 BBG 05, GH 09, LW 10, CHKP 10, ABB 10 ABB 10a?? extensions many some??

18 Pairing-based constructions

19 Some pairing-based IBE constructions n BF-IBE [BF 01]: BDH IND-IDCPA (in RO model) n BB-IBE [BB 04]: BDDH IND-sIDCPA n Waters-IBE [W 05]: generalizes BB-IBE BDDH IND-IDCPA (but long PP) n Gentry-IBE [G 06]: q-bdhe IND-IDCPA and short PP n DualSys-IBE [W 09]: 2-DLIN IND-IDCPA and short PP [LW 10, L 12]

20 BF-IBE: IBE in the RO model [BF 01] n S(λ): (G, G T, g, p) GenBilGroup(λ), α F p pp := [g, y g α ] G ; mk := α n K(mk, id): sk H(id)α H: ID G n E(pp, id, m): s F p and do C ( g s, m e(y, H(id)) s ) e(g α, H(id) s ) n D( sk, (c 1,c 2 ) ): observe: e( c 1, sk ) = e( g s, H(id) α )

Generate fake PP and fake MK MK: generate for all id MK : all

21 IBE w/o RO: a generic approach The all but one paradigm real system Generate real PP and real MK simulation Given id* do: Generate fake PP and fake MK MK: generate for all id MK : all but one (id id*) all id id id* challenge CT for id* solves some hard problem

22 BB-IBE: IBE w/o random oracles [BB 04] n S(λ): (G, G T, g, q) GenBilGroup(λ), α F p pp := [g, y g α, g 1, h] G ; mk := g 1 α n K(mk, id): sk ID ( mk (yid h) r, g r ) r F p n E(pp, id, m): s F p and do C ( g s, (y id h) s, m e(y,g 1 ) s ) n D( (sk 1,sk 2 ), (c 1,c 2,c 3 ) ): observe: e(c 1, sk 1 ) / e(c 2, sk 2 ) = e(y, g 1 ) s

23 Security: the all-but-one paradigm α F p real system g 1, h G simulation (all but one) Given id* do: β F p g 1, y G PP: g, y g α, g 1, h G PP: g, y, g 1, h y -id* g β MK: g 1 α G MK : β F p sk id ( mk (yid h) r, g r ) id=id* sk id ( d 0, d 1 ) d 0 = g 1 -β/(id-id*) (y id h) r d 1 = g 1-1/(id-id*) g r

24 Reduction to BDDH (g, y, g r, g s, e(y,g) rs ) p (g, y, g r, g s, R ) Given challenge (g, y, g 1 =g r, z=g s, T) do: pp = ( g, y, g 1, h y -id* g β ) ; mk = β F p n Respond to adversary queries for id id* using β n Challenge ciphertext for id* is ct* ( g s, (y id* h) s, m e(y,g 1 ) s ) = ( g s, (g β ) s, m e(y,g) rs ) = ( z, z β, m T )

From selective to full security [Wat 05] id * BB 1/(2 n ) W 1/q id=id* all but one a 1 id 1 + + a n id n = v all

25 From selective to full security [Wat 05] id * BB 1/(2 n ) W 1/q id=id* all but one a 1 id a n id n = v all but many With prob. (1/q) : (q = # private key queries from adv.) all queries are green, but challenge id* is blue

26 The system [Wat 05] n G(λ): α F p, g 1, h, y 1,,y n G pp= (g, g 1, y g α, h, y 1,, y n ) G, mk= g 1 α n K(sk, id, m): r F p, id=b 1 b 2 b n {0,1} n b y y id 1 b 1 h yn n h sk id ( mk ( ) r, g r ) G 2 n E(pk, id=b 1 b 2 b n, m ): e(c 1,g) / e(y 1 b 1 yn b n h, c 2 ) = e(g 1, y)

27 Gentry s IBE [Gen 06] n S(λ): (G, G T, g, q) GenBilGroup(λ), α F p pp := [g, y g α, h] G ; mk := α n K(mk, id): sk [ r F p, (h g-r ) 1/(α-id) ] n E(pp, id, m): s F p and do C ( y s g -s id, e(g,g) s, m e(g,h) -s ) g s(α-id)

28 Proof idea (IND-IDCPA security) Simulator knows one private key for every ID can respond to all private key queries tight reduction to hardness assumption Hardness assumption (simplified): q-bddh [MSK 02, BB 04, ] given g,v, g α, g ( α 2),, g ( α q ) : e(g,v) ( α q+1 ) p uniform(g T ) (q = # private key queries from adv.) note: challenge ct always decrypts correctly under simulator s secret key

29 Proof idea (IND-IDCPA security) Simulator: given g,v, g α, g ( α 2),, g ( α q ) n Setup: rand. poly. f(x) = a 0 + a 1 x + +a q x q F p [x] give adv. PP := ( g, y=g α, h g f(α) ) n Queries: need sk = [ r F p, (h g-r ) 1/(α-id) ] do: r f(id), (h g -r ) 1/(α-id) [f(α) f(id)] / (α id) = g and observe that [ f(x) f(id)] / (x id) F p [x]

30 DualSys IBE [Wat 09, LW 10, L 12] Covered in Allison Lewko s lecture n Full security: IND-IDCPA n n Short PP Security from 2-DLIN The system: (in composite order groups) G = G p1 G p2 G p3 n Ciphertext lives in G p and is same as in BB n Secret key: sk ID ( mk (yid h) r R p3, g r R p3 )

31 New Signature Systems CDH short and efficient sigs (!!)

32 IBE Simple digital Signatures [N 01] q Sign(MK, m): sig K(MK, m) q Verify(PP, m, sig): Test that sig decrypts messages encrypted using m n Conversely: which sig. systems give an IBE? q Rabin signatures: [Cocks 01, BGH 07] q GPV signatures: [GPV 09] q Open problem: IBE from GMR, GHR, CS,

33 Signatures w/o Random Oracles Example: signature system from BB-IBE (selectively unforgeable) n G(λ): α F p, g 1, h G pk = ( g, g 1, y g α, h) G, sk = g 1 α n Sign(sk, m): r F p, S ( sk (y m h) r, g r ) G 2 n Verify(pk, m, S=(s 1,s 2 ) ): e(s 1, g) / e(y m? h, s 2 ) = e(g 1, y) Can be made exist. unforgeable in composite order groups [LW 10,GLOW 12]

34 Waters Sigs: existentially unforgeable [Wat 05] n G(λ): α F p, g 1, h, y 1,,y n G pk = (g, g 1, y g α, h, y 1,, y n ) G, sk = g 1 α n Sign(sk, m): r F p, m=m 1 m 2 m n {0,1} n m y 1 y m m 1 h yn n h S ( sk ( ) r, g r ) G 2 n Verify(pk, m, S=(s 1, s 2 ) ): e(s 1,g) / e(y 1 m 1 yn m n h, s 2 ) = e(g 1, y)

35 Summary thus far IBE from pairings: q BDDH or 2-DLIN efficient secure IBE Short signatures from pairings: q CDH existential unforgeablility q with RO: sig G, without RO: sig G 2 [BLS 01] [Wat 05]

36 Anonymous IBE Simplest non-trivial example of private index functional encryption

37 Anonymous IBE [BDOP 04, AB 05, BW 05, ] Goal: IBE ciphertext E(pp, id, m) Why? should reveal no info about recipient id n n A natural security goal More importantly, enables searching on enc. Data Constructions: n RO model: BF-IBE n std. model: 2-DLIN [BW 06], Gentry [Gen 06] composite order groups [BW 07], and SXDH [D 10] also many lattice-based constructions [GPV 09, CHKP 10, ABB 10]

38 Anon. IBE systems (anonind-idcpa) Semantic security when attacker has few private keys Challenger pp, mk S(λ) b {0,1} pp id sk id K(mk, id) (id *, m * ) c * [ E(pp, id *,m * ) or rand. ] Attacker A id id * Adv aibe [A] (λ) := Pr[b=b ] ½ b {0,1}

alarm sk user= Dr.Evil? bank Proxy needs key that lets it test user=dr.

39 Anon. IBE Basic searching on enc. data from merchant sk 0 E pk [ transactions ] (contains user id) yes no ring alarm sk user= Dr.Evil? bank Proxy needs key that lets it test user=dr.evil and nothing else. Merchant: embed c E( pp, user, 1 ) in ciphertext hidden Proxy: has sk 0 K( sk, Dr.Evil ) ; tests D(sk 0,c) 1

40 Hierarchical IBE

41 Hierarchical IBE [HL 02, GS 02, BBG 04, ] mk id 1 id 2 id 3 id 4 sk sk sk sk (id 1, id 11 ) (id 4, id 41 ) sk sk sk sk sk sk delegation n Can encrypt a message to id = (id 1, id 11, id 111 ) n Only sk id and parents can decrypt q Coalition of other nodes learns nothing

42 Some pairing-based HIBEs n GS-HIBE [GS 03]: BDH IND-IDCPA (in RO model) n BB-HIBE [BB 04]: BDDH IND-sIDCPA n BW-HIBE [BW 05]: 2-DLIN anonind-sidcpa ciphertext size grows linearly with hierarchy depth adaptive security: sec. degrades exp. in hierarchy depth

43 Some pairing-based HIBEs n GS-HIBE [GS 03]: BDH IND-IDCPA (in RO model) n BB-HIBE [BB 04]: BDDH IND-sIDCPA n BW-HIBE [BW 05]: 2-DLIN anonind-sidcpa n BBG-HIBE [BBG 05]: d-bddh IND-sIDCPA ciphertext size indep. of hierarchy depth (unknown from LWE) adaptive security: sec. degrades exp. in hierarchy depth

44 Some pairing-based HIBEs n GS-HIBE [GS 03]: BDH IND-IDCPA (in RO model) n BB-HIBE [BB 04]: BDDH IND-sIDCPA n BW-HIBE [BW 05]: 2-DLIN anonind-sidcpa n BBG-HIBE [BBG 05]: d-bddh IND-sIDCPA ciphertext size indep. of hierarchy depth (unknown from LWE) n DualSys-HIBE [LW 10]: (various, short) IND-IDCPA Similar size as BBG and good for poly. depth hierarchies

45 Example: BBG-HIBE [BBG 05] n S(λ): (G, G T, g, q) GenBilGroup(λ), α F p pp := [g, y g α, g 2, g 3, h 1,, h d ] G ; mk := (g 2 ) α n K(mk, (id 1,,id k ) ): sk [ mk (h 1id 1 h kid k g 3 ) r, g r, h k+1 r, h k+2 r, h dr ] for decryption for delegation

46 Example: BBG-HIBE [BBG 05] n S(λ): (G, G T, g, q) GenBilGroup(λ), α F p pp := [g, y g α, g 2, g 3, h 1,, h d ] G ; mk := (g 2 ) α n Delegation: sk(id 1,,id k ) sk(id 1,,id k,id k+1 ) sk [ mk (h 1id 1 h kid k g 3 ) r, g r, h k+1 r, h k+2 r, h dr ] absorb and re-randomize

47 Example: BBG-HIBE [BBG 05] n S(λ): (G, G T, g, q) GenBilGroup(λ), α F p pp := [g, y g α, g 2, g 3, h 1,, h d ] G ; mk := (g 2 ) α n Delegation: sk(id 1,,id k ) sk(id 1,,id k,id k+1 ) sk [ mk (h 1id 1 h kid k g 3 ) r, g r, h k+1 r, h k+2 r, h dr ] sk [ mk (h 1id 1 h k+1id k+1 g 3 ) t, g t, h k+2 t, h dt ]

48 Example: BBG-HIBE [BBG 05] n S(λ): (G, G T, g, q) GenBilGroup(λ), α F p pp := [g, y g α, g 2, g 3, h 1,, h d ] G ; mk := (g 2 ) α n E(pp, (id 1,,id k ), m): s F p and do C ( g s, (h 1 id 1 h kid k g 3 ) s, m e(y,g 2 ) s )

49 Final note: many further generalizations n Wildcard IBE [ABCD 06] encrypt to: ID = ( id 1, id 2, *, id 3, *, id 4 ) n Hidden vector encryption [BW 06] and Inner product encryption [KSW 08] q Support more general searches on encrypted data e.g. range queries, conjunctive queries, n Next topic: attribute based encryption [SW 05]

50 Open problems: n HIBE or IBE w/o RO from quadratic residuosity n Threshold IBE from LWE (and threshold signatures) id PKG 1 mk 1 id PKG 2 mk 2 mk PKG 3 mk 3 Shamir secret sharing blows up vector length n Gentry or DualSys IBE from LWE (IND-IDCPA, const. size PP)

51 THE END

Searchable encryption & Anonymous encryption

Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /