Identity-Based Online/Offline Encryption

Transcription

1 Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline

2 Identity-based Encryption Review Identity-based Encryption IBE The notion was first proposed in 1984 by Shamir and there have been many efficient schemes since 2001, e.g., Boneh-Franklin IBE in 2001; Boneh-Boyen IBE in 2004; Waters IBE in 2005; Gentry IBE in 2006; Simply the certificate management The public key is a piece of public information such as address, ID number or telephone number The private key is computed by the private key generator PKG Encryption When Alice wants to send some sensitive data m to Bob, for secure, she must encrypt it first in a secure encryption system. E.g.: A secure Identity-based Encryption system. Cm = E Bob m Alice Bob

3 Encryption in a untrusted environment When Alice is home, she may just store the data in her secure PC. When Alice is outside, she may store her data in a convenient device with a limited computation power, such as a smartcard. The encryption must be achieved in the smartcard which is not powerful enough for efficient encryption Need a better IBE A more suitable identity-based encryption system for smartcard application should satisfy the property: Part of the encryption process can be performed prior to knowing the data item and the public key of the recipient. The real encryption process is very quick once the data item and the ID are known.

4 IBOOE The encryption can be divided into two phases: Offline Phase: Pre-computation before the data item and the public key are known. Online Phase: Very efficient encryption after the data item and the public key are presented. Unfortunately... All previously published IBE schemes do not accommodate this feature Computation depends on the public key Cannot be naturally slitted into efficient online/offline phases

5 Our Contribution 1 We propose two IBOOE schemes from the two previous IBE schemes. Boneh-Boyen IBE: secure in the selective-id model Gentry IBE: secure in the standard model 2 The computation in the online phase of our IBOOE is very efficient Boneh-Boyen IBE We only show its CPA construction for simplicity. Let e : G G G T be the bilinear map, G, G T be two cyclic groups of order p and g be the corresponding generator in G. Setup: The system parameters are generated as follow. Choose at random a secret a Z p, choose g, g 2, h 1 randomly from G, and set the value g 1 = g a. The master public params and master secret key K are, respectively, params = g, g 1, g 2, h 1, K = g2 a.

6 Boneh-Boyen IBE KeyGen: To generate a private key for ID Z p, pick a random r Z p and output d ID = d 1, d 2 = g2 a h 1g1 ID r, g r Encrypt: General Encryption: Given a message m G T and the public key ID Z p, randomly choose s Z p, and output the ciphertext C µ = h 1 g1 ID s, g s, eg 1, g 2 s m = c 1, c 2, c 3 Natural" Online/offline Encryption Let s try to separate it into online and offline phases naturally": Offline encryption: randomly choose s Z p and output C of = h1 s, gs 1, gs, eg 1, g 2 s. Store the offline parameters C of for the online phase. Online encryption: given m G T and ID Z p, and output C on = h 1 gs s 1 ID, eg 1, g 2 s m. The ciphertext for ID is C ν and C ν = h 1 g1 ID s, g s, eg 1, g 2 s m.

7 Offline encryption: choose α,β, s Z p and output C of = h 1 g1 α s, g sβ 1, gs, eg 1, g 2 s. Store C of, α, β 1 for the online phase. Online encryption: given m G T and ID Z p, and output C on = β 1 ID α, eg 1, g 2 s m. The ciphertext for ID is C ν, and C ν = h 1 g1 α s, g sβ 1, β 1 ID α, g s, eg 1, g 2 s m Decryption From Original Encryption: C µ = h 1 g1 ID s, g s, eg 1, g 2 s m From Natural" Online/offline Encryption: C ν = h 1 g1 ID s, g s, eg 1, g 2 s m.

8 Decryption C ν = h 1 g1 α s, g sβ 1, β 1 ID α, g s, eg 1, g 2 s m. h 1 g1 α s g sβ ID α 1 β 1 = h 1 g1 ID s C ν C µ = h 1 g1 ID s, g s, eg 1, g 2 s m Therefore, the decryption of these three schemes is the same. Analysis Natural" Online/offline Encryption Online Phase: C on = h 1 gs s 1 ID, eg 1, g 2 s m. The cost is one exponentiation + two multiplications Online Phase: C on = β 1 ID α, eg 1, g 2 s m. The cost is one modular computation + one multiplication

9 CCA secure The Boneh-Boyen IBE uses one-time strong signature scheme to achieve CCA secure. We can choose a proper signature scheme, such as Boneh-Boyen short signature, so that we can divide it into online/offline signature and the cost on online phase is only one modular computation. Analysis CCA Natural" Online/offline Encryption Online Phase: C on = h 1 gs s 1 ID, eg 1, g 2 s m, σ on The cost is one exponentiation + two multiplications +one modular computation Online Phase: C on = β 1 ID α, eg 1, g 2 s m, σ on The cost is two modular computations + one multiplication

10 Gentry IBE Let e : G G G T be the bilinear map, G, G T be two cyclic groups of order p and g be the corresponding generator in G. Setup: Choose at random a secret a Z p, choose g, h 1, h 2, h 3 randomly from G, and set the value g 1 = g a G. Choose a secure hash function H : {0, 1} Z p. The master public params and the master secret key K are params = g, g 1, h 1, h 2, h 3, H, K = a. KeyGen KeyGen: To generate a private key for ID Z p, pick random r ID,i Z p for i = 1, 2, 3, and output { d ID = r ID,i, h ID,i : i = 1, 2, 3 }, where h ID,i = h i g r ID,i 1 a ID. If ID = a, abort. It requires the same random values r ID,i for ID.

11 Encryption Encryption: General Encryption: Given a message m G T and the public key ID Z p, randomly choose s Z p and output the ciphertext C µ = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c = c 1, c 2, c 3, c 4 where H c = Hc 1, c 2, c 3 Z p. Natural" Online/offline Encryption Offline encryption: randomly choose s Z p, and output C of = g s 1, g s, eg, g s, eg, h 1 s, eg, h 2 s, eg, h 3 s. Store the offline parameters C of for the online phase. Online encryption: given m G T and ID Z p, and output C on = g 1 g s s ID, eg, h 1 s m, eg, h 2 s eg, h 3 s H c, where the computation of H c is the same as the general encryption and the ciphertext for ID is C ν = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c.

12 Offline Encryption: Choose α,β, γ, θ, s Z p, and output C of = g1 s g sα, g sβ, eg, g s, eg, h 1 s, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ Store C of, α, β 1, γ, θ 1 for the online computation. Online Encryption: Given m G T and ID Z p, output C on = β 1 α ID, eg, h 1 s m, θ 1 H c γ, where H c is the hash value of all elements and C ν is C ν = g1 s g sα, g sβ, β 1 α ID, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ. Decryption General Encryption: C µ = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c Natural Online/offline Encryption C ν = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c

13 Decryption C ν = g1 s g sα, g sβ, β 1 α ID, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ. g s 1 g sα g sβ β 1 α ID = g s 1 g sid eg, h 2 s eg, h 3 sγ eg, h 3 sθ θ 1 H c γ = eg, h 2 s eg, h 3 sh c C ν g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c Therefore, the decryptions for all three are the same. Analysis Natural Online/offline Encryption Online Phase: C on = g s 1 g s ID, eg, h 1 s m, eg, h 2 s eg, h 3 s H c The cost is two exponentiations + three multiplications Online Phase: C on = β 1 α ID, eg, h 1 s m, θ 1 H c γ. The cost is two modular computations + one multiplication.

14 The proof for the two schemes are similar, we just take the IBOOE based on Gentry IBE as the example. Private Key Encryption Decryption Gentry IBE & IBOOE same different actually same Therefore, we just show that the simulator can simulate the challenge ciphertext C ν for IBOOE from the challenge ciphertext C µ for Gentry IBE. Ciphertext Gentry IBE C µ = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c C ν = g1 s g sα, g sβ, β 1 α ID, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ.

15 Simulation Gentry IBE IBOOE g1 sg sid g1 sg sα, g sβ, β 1 α ID Given g1 sg sid, randomly choose k 1, k 2 Z p and output g1 sg sα g sβ β 1 α ID g k 1 s 1 1 g sid k 1 +k 2 g1 sg sid k 1 +k 2 k 2 Analysis g s 1 g sid k 1 k 1 +k 2 g s 1 g sid 1 k 1 +k 2 k 2 Let α = k 1ID+k 2 a k 1 +k 2, β = a ID k 1 +k 2, we have g k 1 s 1 1 g sid k 1 +k 2 g1 sg sid k 1 +k 2 k 2 g1 sg sα g sβ β 1 α ID

16 Simulation Gentry IBE IBOOE eg, h 2 s eg, h 3 sh c eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ In Gentry IBE, the simulator can simulate eg, h 2 s eg, h 3 sh c because it can simulate eg, h 2 s, eg, h 3 s and H c. Therefore, randomly choose γ,θ Z p, we can simulate eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ from eg, h 2 s, eg, h 3 s and H c too. Analysis Gentry IBE C µ = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c C ν = g1 s g sα, g sβ, β 1 α ID, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ. 1 We can simulate IBOOE based on the simulation of Gentry IBE without any additional requirements. 2 Therefore, IBOOE achieve the same leave of security to Gentry IBE.

17 Comparison E: the exponentiation in G; M: the multiplication in G; m: the modular computation in Z p. Scheme Boneh-Boyen IBOOE Gentry IBOOE Online natural 1E+2M+1m 2E+3M Online ours 1M+2m 1M+2m When the data is pre-encrypted in the offline phase, the online phase can be much more efficient and requires only one modular computation. 1 We introduced a new notion of Identity-Based Online/offline Encryption IBOOE. 2 IBOOE schemes are useful where the computational power of a device is limited. 3 We presented two IBOOE schemes based on two existing IBE schemes, such that online encryption is extremely efficient.