Searchable encryption & Anonymous encryption

Size: px

Start display at page:

Download "Searchable encryption & Anonymous encryption"

Aleesha Harrington
5 years ago
Views:

1 Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

2 Outline 1 Searchable Encryption Motivation Syntax Security notions BDOP scheme Security of BDOP-PEKS 2 Anonymous identity-based encryption HIBE definition Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE Boneh-Franklin IBE Gentry IBE 3 Generic constructions of PEKS Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

3 Motivation Suppose Bob sends an encrypted to Alice Alice s gateway may want to test if the contains the word urgent, so that it could route the accordingly Still, Alice does not want the gateway to be able to decrypt her messages Public-key encryption with keyword search (PEKS): Enable gateway to test whether a given keyword is present in the without learning anything else about the Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

4 PEKS: Basic idea Bob encrypts his using a standard public-key encryption scheme (PKE) He then appends the public-key encryption with keyword search (PEKS) of each keyword Enc(pk Alice, m) PEKS(pk Alice, w 1 )... PEKS(pk Alice, w l ) Main property: Alice can give the gateway a trapdoor t w that allows it to test whether w i = w for i = 1,..., l Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

5 PEKS: Public-key encryption with keyword search [BDOP04] PEKS: Public-key encryption with keyword search [BDOP04] Goal: Allow gateway to test for the presence of keywords in ciphertexts. Goal: Allow gateway to test for the presence of keywords in ciphertexts Sender w pk PEKS Key Generation Gateway sk Trapdoor w eceiver C Test T w YES (1) / NO (0) 89 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

6 Public-key encryption with keyword search (PEKS) A PEKS scheme is defined by four algorithms: KeyGen(1 k ): Outputs a secret and public key pair (pk, sk) for the PEKS scheme. Td(sk, w): Uses the secret key sk to compute a trapdoor t w for keyword w. PEKS(pk, w): Generates a ciphertext C for keyword w using public key pk. Test(t w, C): Allows the gateway in possession of t w to test for the presence of w in C. It returns 1 if C is an encryption of w and 0 otherwise. Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

7 PEKS security goals There are two main security notions associated with PEKS schemes. Keyword privacy The adversary should be unable to distinguish PEKS(pk, w0 ) from PEKS(pk, w1 ) for keywords w 0, w 1 of its choice. The trapdoor for a keyword w should only allow the gateway to learn whether a given ciphertext contains w. Consistency This condition states that Test(t w, C) should return 1 if w = w and 0 if w w. Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

8 IND-PEKS-CPA: Indistinguishability under chosen-plaintext attacks Let PEKS = (KeyGen, PEKS, Td, Test) be a PEKS scheme. Let A be an adversary against the IND-PEKS-CPA security of PEKS. proc Initialize(k) (pk, sk) KeyGen(1 k ) β {0, 1} eturn pk proc Td(w) t w Td(sk, w) eturn t w Game Exp ind-cpa PEKS,A (k) proc L(w 0, w 1 ) C PEKS(pk, w β ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the IND-PEKS-CPA security of PEKS is defined as [ ] Adv ind-cpa PEKS,A (k) = 2 Pr Exp ind-cpa PEKS,A (k) = true 1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

9 CONSIST: Consistency under chosen-plaintext attacks Let PEKS = (KeyGen, PEKS, Td, Test) be a PEKS scheme. Let A be an adversary against the CONSIST security of PEKS. proc Initialize(k) (pk, sk) KeyGen(1 k ) eturn pk Game Exp peks-consist PEKS,A (k) proc Finalize(w, w ) C PEKS(pk, w) t Td(sk, w ) eturn (w w ) (Test(t, C)) The the advantage of an adversary A against the consistency of PEKS is defined as [ ] Adv peks-consist PEKS,A (k) = Pr Exp peks-consist PEKS,A (k) = true Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

10 BDOP-PEKS scheme: Intuition Use Boneh-Franklin BasicIdent IBE scheme as a starting point and fix a message m. Keywords in BDOP-PEKS are mapped to identities in BasicIdent. Trapdoor in BDOP-PEKS simply corresponds to a decryption key in BasicIdent. To encrypt a keyword w in BDOP-PEKS, one encrypts m for identity w in BasicIdent. To test whether a ciphertext C encrypts a keyword w, one decrypts C using the secret key for w and test whether the result equals m. Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

11 Boneh-Franklin BasicIdent IBE scheme Let G be a pairing parameter generator. Let H : {0, 1} G be a random oracle. Setup(1 k ): (G, G T, p, ê) G(1 k ) g G ; s Z p ; S g s msk s mpk ((G, G T, p, ê), S, H) return (mpk, msk) Enc(mpk, id, m): r Z p ; C 1 g r Q id H(id) ; K (ê(s, Q id )) r C 2 m K return (C 1, C 2 ) KeyDer(msk, id): Q id H(id) sk Q s id return (sk) Dec(sk, C): parse C as (C 1, C 2 ) K ê(c 1, usk) m C 2 /K return m Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

12 BDOP-PEKS scheme: Description KeyGen(1 k ): (G, G T, p, ê) G(1 k ) g G s Z p pk (G, G T, p, ê, g, g s ) sk (pk, s) eturn (pk, sk) PEKS(pk, w): parse pk as (G, G T, p, ê, g, g s ) r Z pt ê(h(w), g s ) r C (g r, T ) eturn C Td(sk, w): parse sk as ((G, G T, p, ê, g, g s ), s) t w (pk, H(w) s ) eturn t w Test(t w, C): parse t w as ((G, G T, p, ê, g, g s ), X ) parse C as (U, V )T ê(x, U) if V = T then eturn 1 else eturn 0 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

13 BDDH keyword privacy of BDOP-PEKS Theorem Let BDOP-PEKS refer to the BDOP-PEKS scheme described above, G be a pairing parameter generator, and A be an adversary against IND-PEKS-CPA security of BDOP-PEKS, making at most a single query to the L procedure and at most q H queries to the random oracle H. Then, there exists an adversary B against the BDDH problem relative to G, whose running time is that of A and such that Adv ind-cpa BDOP-PEKS,A (k) 2 q H Adv bddh G,k (B). Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

14 Computational consistency of BDOP-PEKS Theorem Let BDOP-PEKS refer to the BDOP-PEKS scheme described above, G be a pairing parameter generator, and A be an adversary against IND-PEKS-CPA security of BDOP-PEKS, making at most q H queries to the random oracle H. Then, the advantage Adv peks-consist BDOP-PEKS,A (k) of A against the consistency of PEKS is at most qh 2 /p. Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

15 Outline 1 Searchable Encryption Motivation Syntax Security notions BDOP scheme Security of BDOP-PEKS 2 Anonymous identity-based encryption HIBE definition Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE Boneh-Franklin IBE Gentry IBE 3 Generic constructions of PEKS Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

16 Hierarchical identity-based encryption (HIBE) oot I Level 1 1 I Level 2 2 I 3 Level 3 ID = (I 1,I 2,I 3 ) Identities are vectors of the form (id 1,..., id L ), where L is the HIBE depth. Hierarchical key derivation Users with (id 1, id 2 ) can derive keys for any user whose identity is of the form (id 1, id 1, *,..., *) Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

17 HIBE Syntax Identity at level 1 l L is a vector id = (id 1,..., id l ) ID l. oot identity is represented by ε. An HIBE scheme is defined by four algorithms: Setup(1 k, L): Outputs a master public key mpk for a HIBE of depth L along with master secret key msk. KeyDer(sk (id 1,...,id l ), id l+1 ): Uses the secret key sk for identity id = (id 1,..., id l ) to compute a secret key sk id for the user with identity id. Enc(mpk, id, m): Generates a ciphertext C for identity id = (id 1,..., id l ) and message m using master public key mpk. Dec(C, sk id ): Allows the user in possession of sk id for identity id = (id 1,..., id l ) to decrypt the ciphertext C and get back a message m. Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

18 ANO-HID-CPA: Anonymity under chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-HID-CPA security of HIBE. proc Initialize(k, L) (mpk, msk) Setup(1 k ) β {0, 1} eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp ano-cpa HIBE,L,A (k) proc L(id 0, id 1, m ) C Enc(mpk, id β, m ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the ANO-HID-CPA security of HIBE is defined as [ ] Adv ano-cpa HIBE,L,A (k) = 2 Pr Exp ano-cpa HIBE,L,A (k) = true 1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

19 ANO-sHID-CPA: Anonymity under selective-identity chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-sHID-CPA security of HIBE. Game Exp s-ano-cpa HIBE,L,A (k) proc Initialize(k, L, id 0, id 1) (mpk, msk) Setup(1 k, L) β {0, 1} eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(m ) C Enc(mpk, id β, m ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the ANO-sHID-CPA security of HIBE is defined as [ ] Adv s-ano-cpa HIBE,L,A (k) = 2 Pr Exp s-ano-cpa HIBE,L,A (k) = true 1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

20 Boneh-Boyen HIBE scheme (BB) Setup(1 k, L): (G, G T, p, ê) G(1 k ) g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; b = 0, 1 do h i,b Z p ; H i,b g h i,b mpk (g, A, B, H 1,0,..., H L,1, G, G T, p, ê) msk g ab return (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): parse sk (id1,...,id l ) as (sk 0,..., sk l ) r l+1 Z p sk 0 sk 0 (H id ) l+1 rl+1 i,0 H i,1 sk l+1 g r l+1 return (sk 0, sk 1,..., sk l, sk l+1) Enc(mpk, id, m): parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i ( H id i i,0 H ) t i,1 K ê(a, B) t C 3 m K return (C 1, (C 2,1,..., C 2,l ), C 3) Dec(sk, C): parse sk (id1,...,id l ) as (sk 0,..., sk l ) parse C as (C 1, C 2,1,..., C 2,l, C 3) K ê(sk 0, C l 1)/ i=1 ê(sk i, C 2,i ) m C 3/K return m Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

21 Additional comments about the BB HIBE scheme The secret key sk (id1,...,id l ) = (sk 0,..., sk l ) for identity (id 1,..., id l ) has the form: sk 0 = g ab l i=1 (Hid i i,0 H i,1) r i sk i = g r i for i = 1,..., l The secret key outputted by KeyDer can be re-randomized via andomize(sk (id1,...,id l )): parse sk (id1,...,id l ) as (sk 0,..., sk l ) for i = 1,..., l do r i Z p sk i sk i g r i sk 0 sk 0 l i=1 (Hid i i,0 H i,1) r i return (sk 0, sk 1,..., sk l ) Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

22 Correctness of BB HIBE scheme For a valid ciphertext, we have: K = ê(sk 0, C 1 )/ l i=1 ê(sk i, C 2,i ) = ê(g ab l i=1 (Hid i i,0 H i,1) r i, g t )/ l i=1 ê(g r i, (H id i i,0 H i,1) t ) = ê(g ab, g t ) l i=1 ê((hid i i,0 H i,1) r i, g t )/ l i=1 ê(g r i, (H id i i,0 H i,1) t ) = ê(g a, g b ) t = ê(a, B) t = K Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

23 Boneh-Boyen-Goh HIBE scheme (BBG-HIBE) Setup: g 1, g 2 G ; α Z p h 1 g1 α ; h 2 g2 α u i G for i = 1,..., L mpk (g 1, g 2, h 1, u 0,..., u L ) sk 0 h 2 For i = 1,..., L + 1 do sk i 1 msk (sk 0, sk 1,..., sk L, sk L+1 ) eturn (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): Parse sk (id1,...,id l ) as (sk 0, sk l+1,..., sk L, sk L+1 ) r l+1 Z p sk 0 sk 0 sk id l+1 l+1 (u l ) 0 i=1 uid i rl+1 i For i = l + 2,..., L do sk i sk i u r l+1 i sk L+1 sk L+1 g r l+1 1 eturn (sk 0, sk l+2,..., sk L, sk L+1) Enc(mpk, id, m): Parse id as (id 1,..., id l ) r Z p ; C 1 g1 r C 2 ( u l ) 0 i=1 uid i r i C 3 m ê(h 1, g 2) r eturn (C 1, C 2, C 3) Dec(sk (id1,...,id l ), C): Parse sk (id1,...,id l ) as (sk 0, sk l+1,..., sk L+1 ) Parse C as (C 1, C 2, C 3) m C 3 ê(c 2,sk L+1 ) ê(c 1,sk 0 ) eturn m Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

24 Waters HIBE scheme (Wa-HIBE) Setup: g 1, g 2 G ; α Z p h 1 g1 α ; h 2 g2 α u i,j G for i = 1,..., L; j = 0... n mpk (g 1, g 2, h 1, u 1,0,..., u L,n ) msk h 2 eturn (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): Parse sk (id1,...,id l ) as (sk 0,..., sk l ) r l+1 Z p sk 0 sk 0 F l+1 (id l+1 ) r l+1 sk l+1 g r l+1 1 eturn (sk 0, sk 1,..., sk l, sk l+1) Enc(mpk, id, m): Parse id as (id 1,..., id l ) r Z p ; C 1 g r 1 For i = 1,..., l do C 2,i F i (id i ) r C 3 m ê(h 1, g 2) r eturn (C 1, C 2,1,..., C 2,l, C 3) Dec(sk (id1,...,id l ), C): Parse sk (id1,...,id l ) as (sk 0,..., sk l ) Parse C as (C 1, C 2,1,..., C 2,l, C 3) m C 3 eturn m li=1 ê(sk i,c 2,i ) ê(c 1,sk 0 ) Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

25 Boneh-Franklin BasicIdent IBE scheme Let G be a pairing parameter generator. Let H : {0, 1} G be a random oracle. Setup(1 k ): (G, G T, p, ê) G(1 k ) g G ; s Z p ; S g s msk s mpk ((G, G T, p, ê), S, H) return (mpk, msk) Enc(mpk, id, m): r Z p ; C 1 g r Q id H(id) ; K (ê(s, Q id )) r C 2 m K return (C 1, C 2 ) KeyDer(msk, id): Q id H(id) sk Q s id return (sk) Dec(sk, C): parse C as (C 1, C 2 ) K ê(c 1, usk) m C 2 /K return m Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

26 Anonymity of Boneh-Franklin BasicIdent IBE scheme Theorem Let BF refer to the Boneh-Franklin BasicIdent IBE scheme in the previous slide, G be a pairing parameter generator, and A be an adversary against ANO-ID-CPA security of BF, making at most q H queries to the random oracle H and at most a single query to the L procedure. Then, there exists an adversary B against the BDDH problem relative to G, whose running time is that of A and such that Adv ano-cpa A,BF (k) 2 q H Adv bddh G,k (B). Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

27 Anonymity of BF scheme Proof will define a sequence of five games (G 0,..., G 4 ). For simplicity, we assume that mpk = S and omit the other values. We also omit the pairing parameter generation in procedure Initialize. G 0 This game is the real attack game against BF. G 1 We guess the hash query involved in the challenge query and abort if the guess is incorrect, returning a random output for the game. G 2 We change the simulation of the random oracle procedure H so that the game knows the discrete log of H(id) for any identity other than the one used in the challenge. G 3 We change the simulation of the key derivation procedure KeyDer so that the game answers these queries without the knowledge of the master secret key. G 4 In this game, we change the simulation of the L procedure so that K is chosen uniformly at random. Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

28 Game G 0 proc Initialize(k) β {0, 1} Λ H ε ; ctr 0 s Z p ; S g s msk s mpk S eturn mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) sk H(id) s eturn sk Game G A 0 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; Y G Λ H Λ H {(ctr, id, Y, y)} eturn (C1, C 2 ) proc L(id 0, id 1, m ) r Z p ; C1 g r K ê(s, H(id β)) r C2 m K eturn (C1, C 2 ) proc Finalize(β ) eturn (β = β) Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

29 Game G 1 proc Initialize(k) β {0, 1} i {1,..., q H } Λ H ε ; ctr 0 s Z p ; S g s msk s mpk S eturn mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) sk H(id) s eturn sk Game G A 1 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; Y G if i = ctr and id id β, abort Λ H Λ H {(ctr, id, Y, y)} eturn (C 1, C 2 ) proc L(id 0, id 1, m ) r Z p ; C1 g r K ê(s, H(id β)) r C2 m K eturn (C1, C 2 ) Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

30 Game G 2 proc Initialize(k) β {0, 1} i {1,..., q H } Λ H ε ; ctr 0 s Z p ; S g s msk s mpk S eturn mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) sk H(id) s eturn sk Game G A 2 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; y Z p ; Y g y if i = ctr and id id β, abort Λ H Λ H {(ctr, id, Y, y)} eturn (C 1, C 2 ) proc L(id 0, id 1, m ) r Z p ; C1 g r K ê(s, H(id β)) r C2 m K eturn (C1, C 2 ) Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

31 Game G 3 proc Initialize(k) β {0, 1} i {1,..., q H } Λ H ε ; ctr 0 s Z p ; S g s msk s mpk S eturn mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) read (ctr, id, Y, y) Λ H sk S y eturn sk Game G A 3 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; y Z p ; Y g y if i = ctr and id id β, abort Λ H Λ H {(ctr, id, Y, y)} eturn (C 1, C 2 ) proc L(id 0, id 1, m ) r Z p ; C1 g r K ê(s, H(id β)) r C2 m K eturn (C1, C 2 ) Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

32 Game G 4 proc Initialize(k) β {0, 1} i {1,..., q H } Λ H ε ; ctr 0 s Z p ; S g s msk s mpk S eturn mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) read (ctr, id, Y, y) Λ H sk S y eturn sk Game G A 4 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; y Z p ; Y g y if i = ctr and id id β, abort Λ H Λ H {(ctr, id, Y, y)} eturn (C 1, C 2 ) proc L(id 0, id 1, m ) r Z p ; C1 g r K G T C 2 m K eturn (C 1, C 2 ) Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

33 Probability analysis Claim 1 Adv ano-cpa A,BF (k) = 2 Pr [ G A 0 = true ] 1 Claim 2 Pr [ G A 1 = true ] = (1 1/q H ) 1/2 + 1/q H Pr [ G A 0 = true ] Claim 3 Pr [ G A 2 = true ] = Pr [ G A 1 = true ] Claim 4 Pr [ G A 3 = true ] = Pr [ G A 2 = true ] Claim 5 Pr [ G A 4 = true ] Pr [ G A 3 = true ] Adv bddh G,k (B) Claim 6 Pr [ G A 4 = true ] = 1/2 It s straightforward to verify that the security theorem follows from the claims above. Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

34 Proof of claims Claim 1 follows the security definition. Claims 3 and 4 are true because the changes made to the games do not affect their outcome. Claims 2 follows from the fact that the output of the game is chosen uniformly at random when aborting. Pr [ G A 1 = true ] = Pr [ G A 1 = true abort ] + Pr [ G A 1 = true abort ] = Pr [ G A 1 = true abort ] Pr [ abort ] + Pr [ G A 1 = true abort ] Pr [ abort ] = 1/2 (1 1/q H ) + Pr [ G A 1 = true abort ] 1/q H = 1/2 (1 1/q H ) + Pr [ G A 0 = true ] 1/q H Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

35 Proof of claims (cont.) In order to prove Claim 5, we need to build an adversary B against the BDDH problem. Let (G, g, A, B, C, Z) be the input of B. B sets mpk = A, C1 = B, H(id β) = C, and K = Z. Everything else in the simulation is performed as in G 3. When B is being executed in Game Exp bddh-0 G,k (B), B simulates G 3 to [ ] [ ] A. That is, Pr G A 3 = true = Pr Exp bddh-0 G,k (B) = true. When B is being executed in Game Exp bddh-1 G,k (B), B simulates G 4 to [ ] [ ] A. That is, Pr G A 4 = true = Pr Exp bddh-1 G,k (B) = true. The claim follows. Claim 6 follows from the fact that A has no information about β in G 4 and that the output of the game is chosen uniformly at random when aborting. Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

36 Gentry IBE scheme Setup(1 k ): (G, G T, p, ê) G(1 k ) g G a Z p ; A g a h Z p ; H g h mpk (g, A, H, G, G T, p, ê) msk a return (mpk, msk) KeyDer(msk, id): r Z p sk 1 r sk 2 (g r H) 1/(a id) return (sk 1, sk 2 ) Enc(mpk, id, m): t Z p C 1 (g id A) t C 2 ê(g, g) t K ê(g, H) t C 3 m K return (C 1, C 2, C 3 ) Dec(sk, C): parse sk as (sk 1, sk 2 ) parse C as (C 1, C 2, C 3 ) K ê(sk 2, C 1 ) C sk1 2, m C 3 /K return m Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

37 Correctness of Gentry IBE scheme For a valid ciphertext, we have: K = ê(sk 2, C 1 ) C sk 1 2 = ê((g r H) 1/(a id), (g id A) t ) ê(g, g) tr = ê(g r H, g t ) ê(g, g) tr = ê(g r, g t ) ê(h, g t ) ê(g, g) tr = ê(h, g t ) = K Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

38 Outline 1 Searchable Encryption Motivation Syntax Security notions BDOP scheme Security of BDOP-PEKS 2 Anonymous identity-based encryption HIBE definition Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE Boneh-Franklin IBE Gentry IBE 3 Generic constructions of PEKS Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

39 The bdop-ibe-2-peks transform PEKS (KeyGen, PEKS, Td, Test) IBE (Setup, KeyDer, Enc, Dec) Trapdoor t w pk sk Keyword w mpk msk Identity w Td(sk, w) Secret key sk w KeyDer(msk, w) C PEKS(pk, w) C Enc(mpk, w, 0 k ) Test(t w, C) Dec(sk w, C) = 0 k? Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

40 The new-ibe-2-peks transform PEKS (KeyGen, PEKS, Td, Test) IBE (Setup, KeyDer, Enc, Dec) Trapdoor t w pk sk Keyword w mpk msk Identity w Td(sk, w) Secret key sk w KeyDer(msk, w) C PEKS(pk, w) C 1 {0, 1} k C 2 Enc(mpk, w, C 1 ) Test(t w, C) Dec(sk w, C 2 ) = C 1? Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, / 40

Hierarchical identity-based encryption

Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26,