Simple SK-ID-KEM 1. 1 Introduction
|
|
- Nicholas Terry
- 5 years ago
- Views:
Transcription
1 1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented the first efficient and security-proved identity-based encryption scheme using pairing on elliptic curve. In 2003 Sakai and Kasahara proposed another IBE scheme with pairing, which has the potential to improve performance. Later, Chen and Cheng proved the security of a variant of Sakai and Kasahara s scheme. While, both the security-provable schemes employ the Fujisaki- Okamoto transformation which restrict the size of messages. To address this issue, Bentahar el al. extended the key encapsulation mechanism to IBE and presented a few constructions in line with Boneh and Franklin s scheme. In this paper we present another ID-KEM as the counterpart of the Sakai-Kasahara style scheme and prove its security. 1 Introduction To simplify the management of public keys in the public key based cryptosystems, Shamir proposed the identity-based cryptography in which the public key of each party is the party s identity that could be an arbitrary string [10]. In 2001, Boneh and Franklin presented a secure and efficient ID-based encryption [3] (BF-IBE for short), based on pairings on elliptic curves. Using the same tool, Sakai and Kasahara [14] proposed another IBE which has the potential to achieve better performance. After employing the Fujisaki-Okamoto transformation [8] as BF-IBE does, Chen and Cheng [5] proved that the security of the strengthened variant of Sakai-Kasahara scheme (SK-IBE for short) can be reduced to the well-exploited complexity assumption (k-bdhi). Because both BF-IBE and SK-IBE make use of the Fujisaki-Okamoto transformation, two schemes have restricted message spaces. A natural way to process arbitrarily long messages is to use hybrid encryption. A hybrid encryption scheme consists of two basic operations. One operation uses a public-key encryption technique (the so called key encapsulation mechanism: KEM) to derive a shared key; another operation uses the shared key in a standard symmetric-key technique (the so called data encapsulation mechanism: DEM) to encrypt the actual message. Cramer and Shoup [7] rigorously formalized the notion of hybrid encryption and presented the sufficient conditions for KEM and DEM to construct an IND-CCA2 secure public key encryption [2] (latest work [9] shows 1 This note was written in Jun Later another SK-ID-KEM was published as [6]. The title is changed to Simple SK-ID-KEM, because the scheme is simpler than SK-ID-KEM in [6] but bases its security on a stronger complexity assumption.
2 2 that the conditions in [7] may not be necessary). Recently, Bentahar el al. [4] extended the hybrid encryption to the identity-based schemes and presented a sufficient condition for ID-KEM to construct an IND-ID-CCA2 secure IBE (formalized by Boneh and Franklin [3]). And in the same work the authors also presented a few ID-KEMs in line with Boneh and Franklin s scheme. In this paper, based on Bentahar el al. s work, we present another ID-KEM as the counterpart of the Sakai-Kasahara style IBE and formally analyze the security of the mechanism. The paper proceeds as follows. In the following section, we review the used primitive and related assumptions and recall the security model of IBE and ID- KEM. In Section 3, we present an ID-KEM following the SK-IBE construction (SK-ID-KEM for short) and prove its security. 2 Preliminary 2.1 Bilinear Pairing and Related Assumptions In this section, we briefly review the necessary facts about bilinear maps. Definition 1 A pairing is a bilinear map ê : G 1 G 1 G 2 with two cyclic groups G 1 and G 2 of prime order q, which has the following properties [3]: 1. Bilinear: ê(sp, tr) = ê(p, R) st for all P, R G 1 and s, t Z q. 2. Non-degenerate: For a given point Q G 1, ê(q, R) = 1 G2 for all R G 1 if and only if Q = 1 G1. 3. Computable: There is an efficient algorithm to compute ê(p, Q) for any P, Q G 1. We recall some widely used assumptions related with pairing, including BDH and its variants, and then propose a new assumption which will be used to analyze the security of SK-ID-KEM. Assumption 1 (Bilinear Diffie-Hellman (BDH) [3]) For x, y, z R Z q, P G 1, ê : G 1 G 1 G 2, given P, xp, yp, zp, to compute ê(p, P ) xyz is hard. Assumption 2 (Decisional Bilinear Diffie-Hellman (DBDH)) For x, y, z, r R Z q, P G 1, ê : G 1 G 1 G 2, to distinguish between the distributions P, xp, yp, zp, ê(p, P ) xyz and P, xp, yp, zp, ê(p, P ) r is hard. Assumption 3 (Gap Bilinear Diffie-Hellman (GBDH) [13]) With the help of an oracle to solve the DBDH problem, solving the BDH problem is still hard. Assumption 4 (Bilinear Inverse Diffie-Hellman (BIDH) [15]) For x, y R Z q, P G 1, ê : G 1 G 1 G 2, given P, xp, yp, to compute ê(p, P ) x/y is hard.
3 3 Assumption 5 (Decisional Bilinear Inverse Diffie-Hellman (DBIDH)) For x, y, r R Z q, P G 1, ê : G 1 G 1 G 2, to distinguish between the distributions P, xp, yp, ê(p, P ) x/y and P, xp, yp, ê(p, P ) r is hard. Assumption 6 (Bilinear Square Diffie-Hellman (BSDH) [15]) For x, y R Z q, P G 1, ê : G 1 G 1 G 2, given P, xp, yp, to compute ê(p, P ) x2y is hard. Assumption 7 (Decisional Bilinear Square Diffie-Hellman (DBSDH)) For x, y, r R Z q, P G 1, ê : G 1 G 1 G 2, to distinguish between the distributions P, xp, yp, ê(p, P ) x2y and P, xp, yp, ê(p, P ) r is hard. Theorem 1 ([15]) BDH, BSDH, BIDH are polynomial time equivalent. Theorem 2 DBSDH and DBIDH are polynomial time equivalent. Proof: First, prove that DBSDH implies DBIDH. Given a DBIDH question (P, xp, yp, T ), set (Q = yp, Q 1 = P = y 1 Q, Q 2 = xp = x/yq, T ) as the input of DBSDH, and then return the result from the DBSDH oracle. Secondly, prove that DBIDH implies DBSDH. Given a DBSDH question (P, xp, yp, T ), set (Q = xp, Q 1 = yp = y/xq, Q 2 = P = x 1 Q, T ) as the input of DBIDH, and then return the result from the DBIDH oracle. Theorem 3 If DBDH is easy, so are DBSDH and DBIDH. Proof: First, let us prove that if DBDH is easy, so is DBSDH. This is straightforward. Given (P, xp, yp, T ), algorithm A for DBSDH invokes algorithm B for DBDH by asking (P, xp, xp, yp, T ) and returns the result from B. Combine Theorem 2, the theorem follows. Assumption 8 (q-bilinear Diffie-Hellman Inverse (q-bdhi) [1]) For an integer q, and x R Z q, P G 1, ê : G 1 G 1 G 2, given P, xp, x 2 P,..., x q P, to compute ê(p, P ) 1/x is hard. Theorem 4 1-BDHI, BDH, BSDH and BIDH are polynomial equivalent. Proof: First, prove that BIDH implies 1-BDHI. Given a 1-BDHI question (P, xp ), randomly choose y Z q and set the input to BIDH to be (P, xp, yp ). For the output T from BIDH, return T 1/y. Second, prove that 1-BDHI implies BDH. Given a BDH question (P, xp, yp, zp ), set the input to 1-BDHI to be (xp, P ) to get T 1 = ê(p, P ) x3. Similarly get T 2 = ê(p, P ) y3, T 3 = ê(p, P ) z3. Set the input to 1-BDHI to be (xp + yp, P ) to get T 4 = ê(p, P ) (x+y)3. Similarly get T 5 = ê(p, P ) (x+z)3, T 6 = ê(p, P ) (y+z)3. Set the input to 1-BDHI to be (xp + yp + zp, P ) to get T 7 = ê(p, P ) (x+y+z)3. Compute ê(p, P ) xyz = ( T7 T1 T2 T3 T 4 T 5 T 6 ) 1/6. Combine Theorem 1, the theorem follows.
4 4 From Theorem 3 and 4, we have GBDH implies that 1-BDHI is still hard even provided the existence of a DBIDH oracle. In this paper, we are going to use a (possibly) stronger assumption than GBDH as follow. Assumption 9 q-gap Bilinear Diffie-Hellman Inverse (q-gbdhi) With the help of an oracle to solve the DBIDH problem, solving the q-bdhi problem is still hard. 2.2 Security Model of IBE Following from Shamir s proposal, an identity-based encryption is specified by four algorithms: Setup G ID (1 k ): Given a security parameter k, the probabilistic polynomialtime algorithms (PPT) algorithm generates a public system parameter M pk and the master secret key M sk. Extract X ID (M pk, M sk, ID A ): Given the system parameter M pk, the master key M sk and an identity string ID A {0, 1} of party A, the PPT algorithm returns the corresponding private key d IDA for A. Encrypt E ID (M pk, ID A, m): Given the system parameter M pk, an identifier ID A and a message m from the message space M, the PPT algorithm outputs the ciphertext c in the cipherspace C. Decrypt D ID (M pk, d IDA, c): Given the system parameter M pk, the private key d IDA and a ciphertext c, the deterministic polynomial-time algorithm outputs the corresponding plaintext m. If the ciphertext is invalid, a reject symbol is returned instead. Boneh and Franklin [3] formalized a strong security notion of IBE: IND-ID- CCA2 security, by the following game between a challenger and an adversary A which consists of a pair of PPT algorithms (A 1, A 2 ). IND-ID-CCA2 IBE Game (M pk, M sk ) G ID (1 k ); (ID, (m 1, m 2 ), σ) A X ID(M pk,m sk, ),D ID (M pk,m sk,, ) 1 (M pk ); b {0, 1}; c E ID (M pk, ID, m b ); b A X ID(M pk,m sk, ),D ID (M pk,m sk,, ) 2 (σ, c ). where m 1, m 2 M (the message space) with same size; σ is some state information passed from A 1 to A 2 ; X ID (M pk, M sk, ) is the Extract oracle that the adversary can access by providing an identifier to get the corresponding private key; and D ID (M pk, M sk,, ) is the Decrypt oracle that the adversary can access by providing an identifier and a ciphertext to get the plaintext decrypted with the private key corresponding to the input identifier or a reject symbol. There are two constraints when A 2 accesses the oracles. (1) A 2 cannot access oracle X ID with input ID ; (2) A 2 cannot access oracle D ID with input (ID, c ).
5 5 We define adversary A s advantage in attacking an IBE scheme E as the following function of the security parameter k: Adv IND-ID-CCA2 A,E (k) = 2 Pr[b = b ] 1. A secure IBE requires that for any adversary A, Adv IND-ID-CCA2 A,E (k) is negligible. Recall that a function f(k) is negligible if for every polynomial p(k), there exists n 0 such that for every n > n 0, f(n) < p(n). 2.3 ID-KEM Following up Cramer and Shoup s formalization of hybrid encryption [7], Bentahar el al. [4] extended the hybrid encryption to identity-based schemes. Their main result is that an IND-ID-CCA2 secure IBE can be constructed from an IND-KEM-CCA2 secure ID-KEM and a secure DEM. Similar to IBE, an ID-KEM scheme is specified by four algorithms as well. Setup G ID KEM (1 k ): Given a security parameter k, the PPT algorithm generates a public system parameter M pk and the master secret key M sk. Extract X ID KEM (M pk, M sk, ID A ): Given the system parameter M pk, the master key M sk and an identity string ID A {0, 1} of party A, the PPT algorithm returns the corresponding private key d IDA for A. Encapsulate E ID KEM (M pk, ID A ): Given the system parameter M pk and an identifier ID A, the PPT algorithm outputs a pair (e, c) where e is a key in the key space K corresponding to the security parameter k and c is the key encapsulation of e. Decapsulate D ID KEM (M pk, d IDA, c): Given the system parameter M pk, the private key d IDA and an encapsulation c, the deterministic polynomialtime algorithm outputs the corresponding key e or a reject symbol. Again, ID-KEM-CCA2 security is formalized by a two stage game between a challenger and an adversary which consists of a pair of PPT algorithms (A 1, A 2 ). IND-ID-CCA2 KEM Game (M pk, M sk ) G ID KEM (1 k ); (ID, σ) A X ID KEM (M pk,m sk, ),D ID KEM (M pk,m sk,, ) 1 (M pk ); (e 0, c ) E ID KEM (M pk, ID ); e 1 K; b {0, 1}; b A X ID KEM (M pk,m sk, ),D ID KEM (M pk,m sk,, ) 2 (σ, c, e b ). where σ is some state information passed from A 1 to A 2 ; X ID KEM (M pk, M sk, ) is the Extract oracle that the adversary can access by providing an identifier to get the corresponding private key; and D ID KEM (M pk, M sk,, ) is the Decapsulate oracle that the adversary can access by providing an identifier and an encapsulation to get the key e decapsulated with the private key corresponding
6 6 to the input identifier or a reject symbol. There are two constraints when A 2 accesses the oracles. (1) A 2 cannot access oracle X ID KEM with input ID ; (2) A 2 cannot access oracle D ID KEM with input (ID, c ). We define adversary A s advantage in attacking an ID-KEM scheme E as the following function of the security parameter k: Adv ID-KEM-CCA2 A,E (k) = 2 Pr[b = b ] 1. A secure ID-KEM requires that for any adversary A, Adv ID-KEM-CCA2 A,E (k) is negligible. Apart from the security requirement, we also require in this paper that the ID-KEM has an extra property as follow. In an ID-KEM, for the pair (M pk, M sk ) generated by the Setup algorithm and every (ID A, d IDA ) where ID A {0, 1} and d IDA is generated by the Extract algorithm using (M pk, M sk, ID A ), all encapsulations created with (M pk, ID A ) decapsulate properly with (M pk, d IDA ) (in other words, BadKeyPairs (Section 7.1 [7]) are negligibly few). It is easy to see that SK-ID-KEM presented in this paper has this property. 2.4 DEM A DEM uses the key generated by a KEM to encrypt the actual messages. As the key will only be used for one messages, a DEM can be constructed from a one-time symmetric-key encryption which consists of two deterministic polynomial-time algorithms: Encrypt E SK (e, m): Given a secret key e K and a message m, the algorithm outputs the ciphertext c. Decrypt D SK (e, c): Given a secret key e K and a cipertext c, the algorithm outputs the plaintext m, or a reject symbol if the ciphertext c is invalid. Security of one-time symmetric-key encryption is defined by the following game (the called Find and Guess game or FG-CCA) between a challenger and an adversary which consists of a pair of PPT algorithms (A 1, A 2 ). FG-CCA One-time Symmetric-key Encryption Game ((m 1, m 2 ), σ) A 1 (1 k ); b {0, 1}; e K; c E SK (e, m b ); b A D SK(e, ) 2 (σ, c ). where m 1, m 2 are of equal length; σ is some state information passed from A 1 to A 2 ; and D SK (e, ) is the Decrypt oracle that the adversary can access by providing a ciphertext to get the plaintext decrypted with the secret key e or a reject symbol. In the game, A 2 cannot access oracle D SK with input c.
7 7 We define adversary A s advantage in attacking a one-time symmetric-key encryption E as the following function of the security parameter k: Adv FG-CCA A,E (k) = 2 Pr[b = b ] 1. A secure one-time symmetric-key encryption requires that for any adversary A, Adv FG-CCA A,E (k) is negligible. 2.5 Hybrid IBE A hybrid IBE construction consisting of the concatenation of an ID-KEM with a DEM proceeds as follows. Here, we assume that the key space output by the KEM is identical with the secret key space used by the DEM. Encryption Input: (M pk, ID A, m) (e, c 1 ) E ID KEM (M pk, ID A ); c 2 E SK (e, m); Output: c = (c 1, c 2 ). A Hybrid IBE Decryption Input: (M pk, d IDA, c) parse c as (c 1, c 2 ); e D ID KEM (M pk, d IDA, c 1 ); if e =, return ; m D SK (e, c 2 ); Output: m. Similar to the result of hybrid encryption in [7], Bentahar et al. obtained the following theorem of the security of a hybrid IBE. Theorem 5 ([4]) Let A be a PPT adversary against the hybrid ID-based encryption scheme E (with an ID-KEM-CCA2 secure KEM E 1 and an FG-CCA secure DEM E 2 ) in the sense of ID-IND-CCA2 adversaries, then there exists PPT adversaries B 1 and B 2, whose running time is essentially that of A, such that Adv IND-ID-CCA2 A,E (k) 2Adv ID-KEM-CCA2 (k) + Adv FG-CCA (k) B 1,E 1 B 2,E 2 Some FG-CCA secure DEMs are already on the shelf [12]. Bentahar et al. presented a few secure ID-KEMs in line with the Boneh-Franklin s IBE. In the following section, we introduce another ID-KEM based on Sakai and Kasahara s IBE proposal which has the potential to achieve even better performance. 3 SK-ID-KEM 3.1 Construction Setup G ID KEM (1 k ): Given the security parameter k, the algorithm proceeds as follow. Generate two cyclic groups G 1 and G 2 of prime order q and a bilinear pairing map ê : G 1 G 1 G 2. Pick a random generator P G 1.
8 8 Pick a random s Z q and compute P pub = sp. Pick two cryptographic hash functions H 1 : {0, 1} Z q and H 2 : G 2 {0, 1} n for some integer n > 0. Set M pk = q, G 1, G 2, ê, n, P, P pub, H 1, H 2 and M sk = s. Extract X ID KEM (M pk, M sk, ID A ): Given a string ID A {0, 1}, public system parameters M pk and the master-key M sk = s, the algorithm returns 1 d IDA = s+h 1(ID A ) P. Encapsulate E ID KEM (M pk, ID A ): 1. Compute P A = H 1 (ID A )P + P pub. 2. Pick a random r Z q and compute c = rp A. 3. Compute g r = ê(p, P ) r and e = H 2 (c, g r ). 4. Output (e, c). Decapsulate D ID KEM (M pk, d IDA, c): 1. Compute g r = ê(c, d IDA ) and e = H 2 (c, g r ). 2. Output e. 3.2 Security Proof of SK-ID-KEM The security strength of SK-ID-KEM can be defined by the following theorem. Theorem 6 The SK-ID-KEM is secure against adaptive chosen ciphertext attacks provided that the q-gbdhi assumption is sound, and H 1 and H 2 are random oracles. Specifically, suppose there exists an ID-KEM-CCA2 adversary A against SK- ID-KEM that has advantage ɛ(k) and running time t(k). Suppose also that during the attack A makes at most q D queries on Decapsulation query, q i queries on H i for i = 1, 2, note that H 1 can be queried directly by A or indirectly by an Extraction query, a Decapsulation query or the Challenge operation. Then there exists an algorithm B to solve the q 1 -GBDHI problem with advantage Adv B (k) and running time t B (k) where Adv B (k) ɛ(k) q 1 t B (k) O(t(k) + q D χ + q 2 1 (T + O)) where χ is the time of computing pairing, T is the time of a scalar operation in G 1, and O is time of one access to the DBIDH oracle. Proof: Algorithm B is given as input a random q 1 -BDHI instance q, G 1, G 2, ê, P, xp, x 2 P,... x q1 P where x is a random element from Z q and has the access to the DBIDH oracle O ( ) DBIDH. Algorithm B finds ê(p, P )1/x by interacting with A and O ( ) DBIDH as follows: Algorithm B first chooses an index I with 1 I q 1 and simulates algorithm Setup of SK-ID-KEM to create the public system parameters M pk as follow. 1. Randomly choose different h 0,..., h q1 1 Z q and let f(z) be the polynomial f(z) = q 1 1 i=1 (z +h i). Reformulate f to get f(z) = q 1 1 i=0 c iz i. The constant term c 0 is non-zero because h i 0 and c i are computable from h i.
9 2. Compute Q = q 1 1 i=0 c ix i P = f(x)p and xq = q 1 1 i=0 c ix i+1 P = xf(x)p. 3. Check that Q G 1. If Q = 1 G1, then there must be such h i = x which can be easily identified, and so, B solves the q 1 -BDHI problem directly. Otherwise, B continues. 4. Compute f i (z) = f(z)/(z + h i ) = q 1 2 j=0 d jz j 1 and x+h i Q = f i (x)p = q1 2 j=0 d jx j P for 1 i < q Set T = q 1 1 i=1 c ix i 1 P and compute T 0 = ê(t, Q + c 0 P ). 6. Now, B maintains a list P S list = (h 0, ), (h 1 +h 0, 1 h 1+x Q),..., (h i+h 0, 1 9 h i+x Q),..., (h q1 1 + h 0, 1 h q1 1+x Q) 7. Finally, B set M pk = q, G 1, G 2, ê, n, Q, xq h 0 Q, H 1, H 2 (i.e., setting P pub = xq h 0 Q and M sk = x h 0 which B does not know). H 1 and H 2 are two random oracles controlled by B. Now B starts to respond to queries as follows. H 1 -query(id i ): B maintains an initially empty list of tuples ID i, h i, d i indexed by ID i as explained below. We refer to this list as H1 list. When A queries the oracle H 1 at a point ID i, B responds as follows: 1. If ID i already appears on the H1 list in a tuple ID i, h i, d i, then B responds with H 1 (ID i ) = h i. 2. Otherwise, if the query is on the I-th distinct ID, then B stores ID I, h 0, into the tuple list and responds with H 1 (ID I ) = h Otherwise, B selects a random integer h i + h 0 (i > 0) from P S list which has 1 not been chosen by B and stores ID i, h i + h 0, h i+xp into the tuple list. B responds with H 1 (ID i ) = h i + h 0. H 2 -query(x i, Y i ): At any time algorithm A can issue queries to the random oracle H 2. To respond to these queries, B maintains an initially empty list of tuples called H2 list. Each entry in the list is a tuple in the form X i, Y i, Z i indexed by (X i, Y i ). To respond to a query on (X i, Y i ), B does the following operations: 1. If on the list there is a tuple indexed by (X i, Y i ), then B responds with Z i. 2. Otherwise, B searches L D (a list maintained in the Decapsulation step specified later) to find the pairs (c j, e j ) with c j = X i. For every such pair, B queries O ( ) DBIDH with (Q, X i, xq, Y i ). Once O ( ) DBIDH returns 1 for one pair, B inserts the tuple X i, Y i, e j into H2 list, meanwhile removes the tuple (c j, e j ) from L D and returns e j. For other situations, B continues. 3. B randomly chooses a string Z i {0, 1} n and inserts a new tuple X i, Y i, Z i into the list. It responds to A with Z i. Extraction query(id i ): B first looks through list H list 1. If ID i is not on the list, B queries H 1 (ID i ). B then checks the value d i : if d i, B responds with d i ; otherwise, B aborts the game (Event 1). Decapsulation query(id i, c i ): B maintains an initially empty list, denoted by L D, of pairs in the form c i, e i. To respond to the query, B first looks through
10 10 list H1 list. If ID i is not on the list, then B queries H 1 (ID i ). Depending on the value of d i for ID i on H1 list, B responds differently. If d i, then B first computes g r = ê(c i, d i ), and then queries Z i = H 2 (c i, g r ). B responds with Z i. Otherwise (d i = ), B takes following actions: 1. B searches H2 list and puts all the tuples with X j = c i into an initially empty set L T. 2. For every tuple X j, Y j, Z j in L T, B queries O ( ) DBIDH with (Q, c i, xq, Y j ). If O ( ) DBIDH returns 1 for one query, then B returns the corresponding Z j. 3. Otherwise, B randomly chooses e {0, 1} n and inserts c i, e into the list L D. Finally B returns e. Challenge query(id ). If ID is not on the list H list 1, B queries H 1 (ID ) first. 2 If d ID on H 1 is not represented by, B aborts the game (Event 2). Otherwise, B randomly chooses r Z q and e {0, 1} n, and returns (e, rq) as the challenge (k, C ). For simplicity, if (ID, rq) has been queried on the Decapsulation query, B tries another random r. Guessing. Once A outputs its guess, B answers the q 1 -BDHI challenge in the following way. 1. B searches H2 list and puts all the tuples with X j = rq into an initially empty set L T. 2. For each tuple X j, Y j, Z j in L T, B queries O ( ) DBIDH with (Q, rq, xq, Y j). If O ( ) DBIDH returns 1 (i.e., Y j = (Q, Q) r/x ), B computes T = Y 1/r j and returns (T/T 0 ) 1/c2 0 as the answer to the q1 -BDHI problem. Note that ê(p, P ) 1/x = (T/T 0 ) 1/c2 0 if T = ê(q, Q) 1/x. 3. Otherwise, B failed (Event 3). Claim: If algorithm B does not abort during the simulation, then algorithm A s view is identical to its view in the real attack. Proof: B s responses to H 1 queries are uniformly and independently distributed in Z q as in the real attack because of the behavior of the Setup phase in the simulation. H 2 is modelled as a random oracle which requires that for each unique input, there should be only one response. We note that the simulation substantially makes use of the programmability of random oracle and the access to the DBIDH oracle to guarantee the unique response for every H 2 query. There are two subcases in the simulation. 2 In fact we can assume that the adversary has queried H 1(ID ) before the challenge phase in the attack. This assumption is reasonable because if in the real attack, A does not issue this query before the challenge phase or even in the whole game, we can tweak the adversary in mind so that the last step of A 1 is to issue the query H 1(ID ), after the adversary has chosen the challenge identifier ID. This obviously does not affect the adversary s ability to win the game.
11 11 The adversary queries the Decapsulation oracle on (ID, c i ). Although B cannot compute F = ê(c i, 1 xq) (note that if the game does not abort, d ID = 1 x Q), B makes use of O( ) DBIDH to test if F has been queried to H 2 as an input Y i. If F has been queried, B uses the existing response. Otherwise, B randomly generates the response and keeps a record in L D. The adversary queries on H 2 (c i, Y i ). If (c i, Y i ) has not been queried before on H 2, B should make sure that the response must be consistent with the possible existing response generated in the Decapsulation queries. Again, B exploits the access to the DBIDH oracle. By testing ê(c j, 1 x Q)? = Y i for all c j s in L D and, if the equation holds, returning the corresponding response in L D, B guarantees that the output in this query is consistent with the one in the Decapsulation query. Without programmability of a random oracle, this cannot be done. The responses in other types of query are valid as well. Hence the claim is founded. The left problem is to calculate the probability that B does not abort the game. The game could abort when at least one of following events happened. (1) Event 1, denoted as H 1 : A queried a private key which is represented by at some point. (2) Event 2, denoted as H 2 : A did not choose ID I as the challenge identity. (3) Event 3, denoted as H 3 : A did not query (rq, ê(q, Q) r/x ) on H 2. Since H 2 is a random oracle, Pr[A wins H 3 ] = 1 2, we have Pr[A wins] = Pr[A wins H 3 ] Pr[H 3 ] + Pr[A wins H 3 ] Pr[H 3 ] 1 2 (1 Pr[H 3]) + Pr[H 3 ] = Pr[H 3]. Pr[A wins] Pr[A wins H 3 ] Pr[H 3 ] = 1 2 (1 Pr[H 3]) = Pr[H 3]. So, we have Pr[H 3 ] ɛ(k). We note that H 2 implies H 1 because of the rules of the game. Overall, we have Adv B (k) = Pr[H 2 H 3 ] ɛ(k) q 1. References 1. D. Boneh and X. Boyen. Efficient selective-id secure identity-based encryption without random oracles. In Proceedings of Advances in Cryptology - Eurocrypt 2004, LNCS 3027, pp , Springer-Verlag, M. Bellare, A. Desai, D. Pointcheval and P. Rogaway. Relations among notions of security for public-key encryption schemes. In Proceedings of Advances in Cryptology-Crypto 98, LNCS 1462, pp , Springer-Verlag, 1998.
12 12 3. D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In Proceedings of Advances in Cryptology - Crypto 2001, LNCS 2139, pp , Springer-Verlag, K. Bentahar, P. Farshim, J. Malone-Lee, N. P. Smart. Generic Constructions of Identity-Based and Certificateless KEMs. Cryptology eprint Archive, Report 2005/ L. Chen and Z. Cheng. Security proof of the Sakai-Kasahara s identity-based encryption scheme. In submission. 6. L. Chen Z. Cheng J. Malone-Lee and N.P. Smart. An efficient ID-KEM based on the Sakai-Kasahara key construction. IEE Proceedings Information Security R. Cramer and V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33, 167C226, E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In Proceedings of Advances in Cryptology - CRYPTO 99, LNCS 1666, pp , Springer-Verlag, K. Kurosawa and Y. Desmedt. A New Paradigm of Hybrid Encryption Scheme. In Proceedings of Advances in Cryptology - CRYPTO 04, LNCS 3152, pp , Springer-Verlag, A. Shamir. Identity-based cryptosystems and signature schemes. In Proceedings of Advances in Cryptology - Crypto 84, LNCS 196, pp.47 53, Springer-Verlag, V. Shoup. A Proposal for an ISO Standard for Public Key Encryption ISO CD Encryption algorithms Part 2: Asymmetric ciphers T. Okamoto and D. Pointcheval. The gap-problems: a new class of problems for the security of cryptographic schemes. In Proceedings of Public Key Cryptography - PKC 2001, LNCS 1992, PP , Springer-Verlag, R. Sakai and M. Kasahara. ID based cryptosystems with pairing on elliptic curve. Cryptology eprint Archive, Report 2003/ F. Zhang, R. Safavi-Naini and W. Susilo. An efficient signature scheme from bilinear pairings and its applications. In Proceedings of International Workshop on Practice and Theory in Public Key Cryptography - PKC 2004, 2004.
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationOn Security Proof of McCullagh-Barreto s Key Agreement Protocol and its Variants
On Security Proof of McCullagh-Barreto s Key Agreement Protocol and its Variants Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, UK E-mail: m.z.cheng@mdx.ac.uk
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationGeneric Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, Universit
Generic Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationCertificateless Signcryption without Pairing
Certificateless Signcryption without Pairing Wenjian Xie Zhang Zhang College of Mathematics and Computer Science Guangxi University for Nationalities, Nanning 530006, China Abstract. Certificateless public
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationRemove Key Escrow from The Identity-Based Encryption System
Remove Key Escrow from The Identity-Based Encryption System Zhaohui Cheng, Richard Comley and Luminita Vasiu School of Computing Science, Middlesex University, White Hart Lane, London N17 8HR, UK. {m.z.cheng,r.comley,l.vasiu}@mdx.ac.uk
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More information2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R
A Public Key Encryption In Standard Model Using Cramer-Shoup Paradigm Mahabir Prasad Jhanwar and Rana Barua mahabir r, rana@isical.ac.in Stat-Math Unit Indian Statistical Institute Kolkata, India Abstract.
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationf (x) f (x) easy easy
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationIdentity Based Undeniable Signatures
Identity Based Undeniable Signatures Benoît Libert Jean-Jacques Quisquater UCL Crypto Group Place du Levant, 3. B-1348 Louvain-La-Neuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationNew Framework for Secure Server-Designation Public Key Encryption with Keyword Search
New Framework for Secure Server-Designation Public Key Encryption with Keyword Search Xi-Jun Lin,Lin Sun and Haipeng Qu April 1, 2016 Abstract: Recently, a new framework, called secure server-designation
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationA Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack
A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationON CIPHERTEXT UNDETECTABILITY. 1. Introduction
Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes
More informationThe Twin Diffie-Hellman Problem and Applications
The Twin Diffie-Hellman Problem and Applications David Cash 1 Eike Kiltz 2 Victor Shoup 3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationChosen Ciphertext Security with Optimal Ciphertext Overhead
Chosen Ciphertext Security with Optimal Ciphertext Overhead Masayuki Abe 1, Eike Kiltz 2 and Tatsuaki Okamoto 1 1 NTT Information Sharing Platform Laboratories, NTT Corporation, Japan 2 CWI Amsterdam,
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationShort Signature Scheme From Bilinear Pairings
Sedat Akleylek, Barış Bülent Kırlar, Ömer Sever, and Zaliha Yüce Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey {akleylek,kirlar}@metu.edu.tr,severomer@yahoo.com,zyuce@stm.com.tr
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationA Novel Strong Designated Verifier Signature Scheme without Random Oracles
1 A Novel Strong Designated Verifier Signature Scheme without Random Oracles Maryam Rajabzadeh Asaar 1, Mahmoud Salmasizadeh 2 1 Department of Electrical Engineering, 2 Electronics Research Institute (Center),
More informationOne-Round ID-Based Blind Signature Scheme without ROS Assumption
One-Round ID-Based Blind Signature Scheme without ROS Assumption Wei Gao 1, Xueli Wang 2, Guilin Wang 3, and Fei Li 4 1 College of Mathematics and Econometrics, Hunan University, Changsha 410082, China
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationOn (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)
On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique) Sanjit Chatterjee and Palash Sarkar Applied Statistics Unit
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationPublic-Key Cryptography. Public-Key Certificates. Public-Key Certificates: Use
Public-Key Cryptography Tutorial on Dr. Associate Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur http://cse.iitkgp.ac.in/ abhij/ January 30, 2017 Short
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationAn efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationNon-interactive Designated Verifier Proofs and Undeniable Signatures
Non-interactive Designated Verifier Proofs and Undeniable Signatures Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, University of London, UK {c.j.kudla,kenny.paterson}@rhul.ac.uk
More informationID-based tripartite key agreement with signatures
-based tripartite key agreement with signatures 1 Divya Nalla ILab, Dept of omputer/info Sciences, University of Hyderabad, Gachibowli, Hyderabad, 500046, India divyanalla@yahoocom bstract : This paper
More informationChosen-Ciphertext Security without Redundancy
This is the full version of the extended abstract which appears in Advances in Cryptology Proceedings of Asiacrypt 03 (30 november 4 december 2003, Taiwan) C. S. Laih Ed. Springer-Verlag, LNCS 2894, pages
More informationKey Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited
Key Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited Takahiro Matsuda and Goichiro Hanaoka Research Institute for Secure Systems, National Institute of Advanced Industrial Science
More informationNew Anonymity Notions for Identity-Based Encryption
Formal to Practical Security LNCS 5458, pages 138 157. V. Cortier, C. Kirchner, M. Okada, and H. Sakurada Eds. Springer-Verlag. New Anonymity Notions for Identity-Based Encryption Malika Izabachène and
More informationFully Secure (Doubly-)Spatial Encryption under Simpler Assumptions
Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions Cheng Chen, Zhenfeng Zhang, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationT Advanced Course in Cryptology. March 28 th, ID-based authentication frameworks and primitives. Mikko Kiviharju
March 28 th, 2006 ID-based authentication frameworks and primitives Helsinki University of Technology mkivihar@cc.hut.fi 1 Overview Motivation History and introduction of IB schemes Mathematical basis
More informationRecent Advances in Identity-based Encryption Pairing-based Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key
More informationIdentity Based Key Encapsulation with Wildcards
Identity Based Key Encapsulation with Wildcards James Birkett 1, Alexander W. Dent 1, Gregory Neven 2, and Jacob Schuldt 1 1 Information Security Group, Royal Holloway, University of London, Egham, TW20
More informationToward Hierarchical Identity-Based Encryption
Toward Hierarchical Identity-Based Encryption Jeremy Horwitz and Ben Lynn Stanford University, Stanford, CA 94305, USA, {horwitz blynn}@cs.stanford.edu Abstract. We introduce the concept of hierarchical
More informationIdentity-Based Chameleon Hash Scheme Without Key Exposure
Identity-Based Chameleon Hash Scheme Without Key Exposure Xiaofeng Chen, Fangguo Zhang, Haibo Tian, and Kwangjo Kim 1 Key Laboratory of Computer Networks and Information Security, Ministry of Education,
More informationEquivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks
Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks Yodai Watanabe 1, Junji Shikata 2, and Hideki Imai 3 1 RIKEN Brain Science Institute 2-1 Hirosawa, Wako-shi,
More informationOutline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationOn the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups
Des. Codes Cryptogr. (2009) 52:219 241 DOI 10.1007/s10623-009-9278-y On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups Kenneth G. Paterson
More informationChosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman
A preliminary version of this paper appears in the proceedings of the 10th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2007, Lecture Notes in Computer Science Vol.???,
More informationA Certificateless Signature Scheme based on Bilinear Pairing Functions
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationA Domain Extender for the Ideal Cipher
A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange
More informationRing Signatures without Random Oracles
Ring Signatures without Random Oracles Sherman S. M. Chow 1, Joseph K. Liu 2, Victor K. Wei 3 and Tsz Hon Yuen 3 1 Department of Computer Science Courant Institute of Mathematical Sciences New York University,
More informationAn Identity-Based Signature from Gap Diffie-Hellman Groups
An Identity-Based Signature from Gap Diffie-Hellman Groups Jae Choon Cha 1 and Jung Hee Cheon 2 1 Department of Mathematics Korea Advanced Institute of Science and Technology Taejon, 305 701, Korea jccha@knot.kaist.ac.kr
More informationEfficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings
Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings 1 Lan Nguyen and Rei Safavi-Naini School of Information Technology and Computer Science University of Wollongong,
More informationAn Efficient ID-based Digital Signature with Message Recovery Based on Pairing
An Efficient ID-based Digital Signature with Message Recovery Based on Pairing Raylin Tso, Chunxiang Gu, Takeshi Okamoto, and Eiji Okamoto Department of Risk Engineering Graduate School of Systems and
More informationKey-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems
Key-Exposure Free Chameleon Hashing and Signatures Based on Discrete Logarithm Systems Xiaofeng Chen, Fangguo Zhang, Haibo Tian, Baodian Wei, and Kwangjo Kim 1 School of Information Science and Technology,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationSecurity Analysis of Some Batch Verifying Signatures from Pairings
International Journal of Network Security, Vol.3, No.2, PP.138 143, Sept. 2006 (http://ijns.nchu.edu.tw/) 138 Security Analysis of Some Batch Verifying Signatures from Pairings Tianjie Cao 1,2,3, Dongdai
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Helger Lipmaa 1 Cybernetica AS, Estonia 2 Tallinn University, Estonia Abstract. It is known that there exists a reduction from the CCA1- security of
More informationA Signature Scheme based on Asymmetric Bilinear Pairing Functions
A Signature Scheme based on Asymmetric Bilinear Pairing Functions Routo Terada 1 and Denise H. Goya 2 1 University of São Paulo, Brasil rt@ime.usp.br 2 University of São Paulo, Brasil dhgoya@ime.usp.br
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More information