Identity-based Hierarchical Key-insulated Encryption without Random Oracles

Transcription

1 Identity-based Hierarchica Key-insuated Encryption without Random Oraces Yohei Watanabe 1,3 Junji Shikata 1,2 1 Graduate Schoo of Environment and Information Sciences, YNU, Japan 2 Institute of Advanced Sciences, YNU, Japan 3. ITRI, AIST, Japan

2 Key Insuation [DKXY02] One of soutions to key exposure probem 2. Even if is exposed, the security is not compromised uness at east one is exposed 1. If a number of are exposed, the fact does not affect at other time-periods The scheme is secure if it satisfies 1 strongy secure if it satisfies both 1 and 2 2

3 Hierarchica Key Insuation [HHSI05] There seem to be various practica appications! 3

4 Identity-based Hierarchica Key-insuated Encryption [HHSI05] Abbreviated to ``hierarchica IKE Identity-based encryption (IBE) with hierarchica key insuation Intuition: NOT hierarchica IBE (HIBE) with key insuation First proposed by Hanaoka et a. at ASIACRYPT 2005 [HHSI05] In the random orace mode (ROM) However, NO known hierarchica IKE schemes w/o ROM! 4

5 Our Contribution We propose an -eve hierarchica IKE scheme that achieves: (1) Strong security in the standard mode from simpe assumptions Using asymmetric pairing From Symmetric externa Diffie-Heman (SXDH) assumption Based on Juta-Roy HIBE [JR13] and its variant [RS14] (2) Space efficiency (any parameters do not depend on ID-space sizes) Constant-size parameters when the hierarchy is one (i.e. = 1) Pubic parameters of the existing scheme [WLC+08] depend on ID-space sizes due to the underying Waters IBE [wat05] Why is achieving (1) and (2) chaenging? (more on this ater) Hierarchica IKE from any HIBE does not satisfy strong security Proof technique of Waters dua-system IBE [Wat09] does not work we 5

6 Type-3 Pairing and SXDH Assumption Type-3 Pairing (asymmetric pairing) e: G 1 G 2 G T No efficienty computabe isomorphisms between G 1 and G 2 are known SXDH Assumption [BBS04] Decisiona Diffie Heman (DDH) assumptions hod in G 1 and G 2, respectivey Advantage of A in the DDHi game (i {1, 2}) is defined by: Adv λ Pr b = b D p, G 1, G 2, G T, g 1, g 2, e G c 1, c 2 Z p, b 0, 1 if b = 0 then T g i c 1 c 2 ese T G i b A D, g i c 1, g i c 2, T. 6

7 Time-period Map Function [HHSI05] Functions for severa kinds of time-periods T 0,, T 1 Exampe: = 4, time= 9:59 / 7th / Oct. / 2015 T 0 time = t 19 0 = 1st 15th / Oct. / 2015, T 1 time = t 10 1 = Oct. / 2015, T 2 time = t 5 2 = Set. Oct. / 2015, T 3 time = t 2 3 = Ju. Dec. /

8 Hierarchica IKE: Mode Exampe: = 2 time,time t i time Δ T i 1 (time) if t i = T i time i otherwise T 0 (time) τ i 1 t i 1 t i 1 time (i 1) 8

9 Hierarchica IKE: Security IND-KE-CPA security: KG orace M 0, M 1, time * A C b A KI orace i time C Enc(, time, M b ) Limitation of KI orace A can issue any queries if there exists at east one specia eve j 0,, incude strong security Hierarchy 4 3 j i T i (time) : Keys for that A can obtain 9 time *

10 Why Hierarchica IKE from HIBE is Insufficient -eve Hierarchica IKE ( + 1)-eve HIBE 2 (, t 1,, t 2 ) If secret key for is eaked, a other secret keys can be generated the resuting scheme does not meet strong security does not meet IND-KE-CPA security! 10

11 Why Waters Technique Does Not Work Waters dua system IBE [Wat09] Ciphertext ct contains tag C and secret key sk I contains tag K Important proof technique: Some pairwise independent function is embedded into the pubic parameter for canceing vaues It raises tag C = tag K for the same identity However, the proof works we since it is enough to generate Ony tag K for a identities Ony tag C for the target identity On the other hand, in (hierarchica) IKE, A can get secret keys for (i.e. tag K ) as we as for Waters technique cannot seem to be appied! 11

12 Why Juta Roy HIBE? We can avoid such a coision probem! sk I does not contain any tag, though ct contains tag Juta Roy HIBE [JR13] and its variant [RS14] Constant-size IBE (when = 1) IND-ID-CPA security under the SXDH assumption Constant-size owest-eve key unike [Wat09,LW11] It eads to constant-size decryption key Remark There might be other constant-size IBE schemes that can avoid the coision probem 12

13 Basic Idea of Our Construction Specific ( + 1)-eve HIBE ( ( + 1)-eve Juta Roy HIBE ) + (, )-secret sharing: secret B and shares β i (0 i 1) s.t. B = 1 i=0 β i hk ID,0 g B (D 1, D 1, D 2, D 2, D 3 g B, K j, K j 1 ) j=1 i hk ID,ti i (, t 1,, t i ) g β i (g β i, D 1, D 1, D 2, D 2, D 3 g j=0 i 1 βj, K 1, K 1 ) (, t 1,, t 0 ) g β 0 dk ID,t0 (g β 0, D 1, D 1, D 2, D 2, D 3 ) A β i are needed to generate correct decryption key D 1, D 1, D 2, D 2, D 3 Adversary cannot generate decryption key for * at time *! 13

14 Encryption and Decryption Procedure Enc(mpk,, time, M): mpk (z, g 1, g α 1, u 1,j, w j=0 1, h 1, ) Choose s, tag Z p. Compute 1 s C 0 Mz s, C 1 g 1 s, C 2 g 1 α s, C 3 t j u 1,j I tag u 1, w 1 h1, j=0 where t j T j (time) (0 j 1). Output C C 0, C 1, C 2, C 3, tag. Dec dk I,t0, C, time : dk I,t0 (R 0, D 1, D 1, D 2, D 2, D 3 ) M = C 0 e C 3, D 3 e C 1, D 1 tag D1 e C 2, D 2 tag D2. 14

15 Parameter Evauation and Comparison #pp #dk #hk i #C Enc. cost Dec. cost G 6 G (2i + 6) G 4 G + Z p [0,0, + 4,1] [3,0,2,0] G : bit-ength of a group eement in G 1, G 2, or G T Z p : bit-ength of an eement in Z p #pp, #dk, #hk i, #C: sizes of pubic parameter, dec. key, i-th heper key, and ciphertext [,,, ] : [pairing, muti-exp., reguar-exp., fix-based-exp.] HHSI05 ( = 1) WLC+08 (threshod t = 1) Our scheme ( = 1) #pp #dk #hk #C Enc. cost Dec. cost 2 G 3 G G 4 G + r [1,0,2,1] [4,0,2,1] Assumption CBDH (in ROM) 2n+ 5 G 4 G 2 G 4 G [0,1,2,1] [3,0,0,0] DBDH 16 G 6 G 7 G 4 G + Z p [0,0,5,1] [3,0,2,0] SXDH r : randomness that depends on the security parameter n : size of ID space (i.e., I 0,1 n ) 15

16 16 CCA-secure Hierarchica IKE An we-known transformation [CHK04,BCHK06] : ( 1) We cannot appy the transformation to a hierarchica IKE scheme in a generic way since it does not have deegating functionaity: ( 1) However, by modifying the proposed hierarchica IKE scheme, we can reaize CCA-secure scheme based on the transformation: ( 1)

17 17 Concusion We proposed -eve hierarchica IKE scheme: met strong security (IND-KE-CPA security) without ROM secure under the SXDH assumption, which is a simpe, static one achieved constant-size parameters when = 1 We aso showed CCA-secure scheme from Proposed CPA-secure hierarchica IKE scheme; and Any one-time signature