Hierarchical identity-based encryption

Similar documents
Searchable encryption & Anonymous encryption

Identity-based encryption

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Cryptology. Scribe: Fabrice Mouhartem M2IF

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Applied cryptography

From Selective to Full Security: Semi-Generic Transformations in the Standard Model

Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions

III. Pseudorandom functions & encryption

Pairing-Based Cryptography An Introduction

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions

Identity Based Key Encapsulation with Wildcards

CPA-Security. Definition: A private-key encryption scheme

Identity Based Encryption

Boneh-Franklin Identity Based Encryption Revisited

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts

Semantic Security and Indistinguishability in the Quantum World

REMARKS ON IBE SCHEME OF WANG AND CAO

Strong Security Models for Public-Key Encryption Schemes

Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

How to Delegate a Lattice Basis

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

6.892 Computing on Encrypted Data October 28, Lecture 7

Identity-based Hierarchical Key-insulated Encryption without Random Oracles

Efficient Selective Identity-Based Encryption Without Random Oracles

Notes on Property-Preserving Encryption

Direct Chosen-Ciphertext Secure Identity-Based Key Encapsulation without Random Oracles

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

A Strong Identity Based Key-Insulated Cryptosystem

Gentry IBE Paper Reading

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Hierarchical Functional Encryption

Standard Security Does Not Imply Indistinguishability Under Selective Opening

Cryptography from Pairings

CS 6260 Applied Cryptography

Better Security for Functional Encryption for Inner Product Evaluations

Efficient Identity-Based Encryption Without Random Oracles

Recent Advances in Identity-based Encryption Pairing-based Constructions

Theoretical Computer Science. Direct chosen-ciphertext secure identity-based key encapsulation without random oracles

Modern symmetric-key Encryption

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

A New Functional Encryption for Multidimensional Range Query

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search

1 Number Theory Basics

G Advanced Cryptography April 10th, Lecture 11

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

Public-Key Encryption

Anonymous Constant-Size Ciphertext HIBE From Asymmetric Pairings

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

Non-malleability under Selective Opening Attacks: Implication and Separation

Chosen-Ciphertext Security (I)

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

8 Security against Chosen Plaintext

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Provable security. Michel Abdalla

Secure and Practical Identity-Based Encryption

Public Key Cryptography

Stronger Public Key Encryption Schemes

Lecture 7: CPA Security, MACs, OWFs

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

CS 6260 Applied Cryptography

Identity-Based Online/Offline Encryption

Simulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters IBE Scheme

Hidden-Vector Encryption with Groups of Prime Order

Modern Cryptography Lecture 4

CTR mode of operation

Privacy-aware Attribute-based Encryption with User Accountability

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Lectures 2+3: Provable Security

Efficient Lattice (H)IBE in the Standard Model

Cryptographically Enforced RBAC

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Efficient Identity-based Encryption Without Random Oracles

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

2 Message authentication codes (MACs)

Simple SK-ID-KEM 1. 1 Introduction

Post-quantum security models for authenticated encryption

5199/IOC5063 Theory of Cryptology, 2014 Fall

arxiv: v1 [cs.cr] 24 Feb 2017

Decentralizing Inner-Product Functional Encryption

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Secure Certificateless Public Key Encryption without Redundancy

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Unbounded HIBE and Attribute-Based Encryption

Transcription:

Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 1 / 33

Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 2 / 33

Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 3 / 33

Identity-based encryption Goal: Allow senders to encrypt messages based on the receiver s identity. Key distribution center Key Setup msk Key Derivation ID mpk sk ID ID, M Encryption C Decryption M Sender eceiver ID Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 4 / 33

Hierarchical identity-based encryption (HIBE) oot I Level 1 1 I Level 2 2 I 3 Level 3 ID = (I 1,I 2,I 3 ) Identities are vectors of the form (id 1,..., id L ), where L is the HIBE depth. Hierarchical key derivation Users with (id 1, id 2 ) can derive keys for any user whose identity is of the form (id 1, id 1, *,..., *) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 5 / 33

HIBE key derivation oot oot msk Key Derivation ID 1 sk ID1 Level 1 ID 1 Key Derivation ID 2 sk (ID1,ID2) ID 2 Level 2 mpk, (ID 1,ID 2 ), M Sender Decryption C Encryption M Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 6 / 33

Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 7 / 33

Hierarchical Identity-based encryption (HIBE) Identity at level 1 l L is a vector id = (id 1,..., id l ) ID l. oot identity is represented by ε. An HIBE scheme is defined by four algorithms: Setup(1 k, L): Outputs a master public key mpk for a HIBE of depth L along with master secret key msk. KeyDer(sk (id 1,...,id l ), id l+1 ): Uses the secret key sk for identity id = (id 1,..., id l ) to compute a secret key sk id for the user with identity id. Enc(mpk, id, m): Generates a ciphertext C for identity id = (id 1,..., id l ) and message m using master public key mpk. Dec(C, sk id ): Allows the user in possession of sk id for identity id = (id 1,..., id l ) to decrypt the ciphertext C and get back a message m. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 8 / 33

HIBE security notions Just as in the IBE case, we can consider different attacks (adaptive-identity vs. selective-identity) and goals (indistinguishability and anonymity) for HIBE schemes. Indistinguishability The adversary s goal is to distinguish Enc(mpk, id, m0 ) from Enc(mpk, id, m1 ) for values id, m0,m 1 of its choice. Anonymity The adversary s goal is to distinguish Enc(mpk, id 0, m ) from Enc(mpk, id 1, m ) for values id 0, id 1, m of its choice. Adaptive-identity chosen-plaintext attacks In this model, the adversary is allowed to choose the challenge identity values at the time that it asks the challenge query. Selective-identity chosen-plaintext attacks In this model, the adversary has to choose the challenge identity values before seeing the public key. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 9 / 33

IND-HID-CPA: Indistinguishability under chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-HID-CPA security of HIBE. proc Initialize(k, L) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp ind-cpa-β HIBE,L,A (k) proc L(id, m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn β The advantage of A against the IND-HID-CPA security of HIBE is defined as [ ] [ ] Adv ind-cpa HIBE,L,A (k) = Pr Exp ind-cpa-1 HIBE,L,A (k) = 1 Pr Exp ind-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 10 / 33

IND-HID-CPA: An alternative definition Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-HID-CPA security of HIBE. proc Initialize(k, L) Game Exp ind-cpa HIBE,L,A (k) β {0, 1} (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(id, m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the IND-HID-CPA security of HIBE is defined as [ ] Adv ind-cpa HIBE,L,A (k) = 2 Pr Exp ind-cpa HIBE,L,A (k) = true 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 11 / 33

IND-sHID-CPA: Indistinguishability under selective-identity chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-sHID-CPA security of HIBE. proc Initialize(k, L, id ) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp s-ind-cpa-β HIBE,L,A (k) proc L(m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn β The advantage of A against the IND-sHID-CPA security of HIBE is defined as [ ] [ ] Adv s-ind-cpa HIBE,L,A (k) = Pr Exp s-ind-cpa-1 HIBE,L,A (k) = 1 Pr Exp s-ind-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 12 / 33

IND-sHID-CPA: An alternative definition Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-sHID-CPA security of HIBE. Game Exp s-ind-cpa[l] HIBE proc Initialize(k, L, id ) β {0, 1} (mpk, msk) Setup(1 k ) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the IND-sHID-CPA security of HIBE is defined as [ ] Adv s-ind-cpa HIBE,L,A (k) = 2 Pr Exp s-ind-cpa[l] HIBE = true 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 13 / 33

ANO-HID-CPA: Anonymity under chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-HID-CPA security of HIBE. proc Initialize(k, L) (mpk, msk) Setup(1 k ) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp ano-cpa-β HIBE,L,A (k) proc L(id 0, id 1, m ) C Enc(mpk, id β, m ) eturn C proc Finalize(β ) eturn β The advantage of A against the ANO-HID-CPA security of HIBE is defined as [ ] [ ] Adv ano-cpa HIBE,L,A (k) = Pr Exp ano-cpa-1 HIBE,L,A (k) = 1 Pr Exp ano-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 14 / 33

ANO-sHID-CPA: Anonymity under selective-identity chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-sHID-CPA security of HIBE. Game Exp s-ano-cpa-β HIBE,L,A (k) proc Initialize(k, L, id 0, id 1) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(m ) C Enc(mpk, id β, m ) eturn C proc Finalize(β ) eturn β The advantage of A against the ANO-sHID-CPA security of HIBE is defined as [ ] [ ] Adv s-ano-cpa HIBE,L,A (k) = Pr Exp s-ano-cpa-1 HIBE,L,A (k) = 1 Pr Exp s-ano-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 15 / 33

Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 16 / 33

Boneh-Boyen HIBE scheme (BB) Setup(1 k, L): (G, G T, p, ê) G(1 k ) g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; b = 0, 1 do h i,b Z p ; H i,b g h i,b mpk (g, A, B, H 1,0,..., H L,1, G, G T, p, ê) msk g ab return (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): parse sk (id1,...,id l ) as (sk 0,..., sk l ) r l+1 Z p sk 0 sk 0 (H id ) l+1 rl+1 i,0 H i,1 sk l+1 g r l+1 return (sk 0, sk 1,..., sk l, sk l+1) Enc(mpk, id, m): parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i ( H id i i,0 H ) t i,1 K ê(a, B) t C 3 m K return (C 1, (C 2,1,..., C 2,l ), C 3) Dec(sk, C): parse sk (id1,...,id l ) as (sk 0,..., sk l ) parse C as (C 1, C 2,1,..., C 2,l, C 3) K ê(sk 0, C l 1)/ i=1 ê(sk i, C 2,i ) m C 3/K return m Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 17 / 33

Additional comments about the BB HIBE scheme The secret key sk (id1,...,id l ) = (sk 0,..., sk l ) for identity (id 1,..., id l ) has the form: sk 0 = g ab l i=1 (Hid i i,0 H i,1) r i sk i = g r i for i = 1,..., l The secret key outputted by KeyDer can be re-randomized via andomize(sk (id1,...,id l )): parse sk (id1,...,id l ) as (sk 0,..., sk l ) for i = 1,..., l do r i Z p sk i sk i g r i sk 0 sk 0 l i=1 (Hid i i,0 H i,1) r i return (sk 0, sk 1,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 18 / 33

Correctness of BB HIBE scheme For a valid ciphertext, we have: K = ê(sk 0, C 1 )/ l i=1 ê(sk i, C 2,i ) = ê(g ab l i=1 (Hid i i,0 H i,1) r i, g t )/ l i=1 ê(g r i, (H id i i,0 H i,1) t ) = ê(g ab, g t ) l i=1 ê((hid i i,0 H i,1) r i, g t )/ l i=1 ê(g r i, (H id i i,0 H i,1) t ) = ê(g a, g b ) t = ê(a, B) t = K Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 19 / 33

Boneh-Boyen-Goh HIBE scheme (BBG-HIBE) Setup: g 1, g 2 G ; α Z p h 1 g1 α ; h 2 g2 α u i G for i = 1,..., L mpk (g 1, g 2, h 1, u 0,..., u L ) sk 0 h 2 For i = 1,..., L + 1 do sk i 1 msk (sk 0, sk 1,..., sk L, sk L+1 ) eturn (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): Parse sk (id1,...,id l ) as (sk 0, sk l+1,..., sk L, sk L+1 ) r l+1 Z p sk 0 sk 0 sk id l+1 l+1 (u l ) 0 i=1 uid i rl+1 i For i = l + 2,..., L do sk i sk i u r l+1 i sk L+1 sk L+1 g r l+1 1 eturn (sk 0, sk l+2,..., sk L, sk L+1) Enc(mpk, id, m): Parse id as (id 1,..., id l ) r Z p ; C 1 g1 r C 2 ( u l ) 0 i=1 uid i r i C 3 m ê(h 1, g 2) r eturn (C 1, C 2, C 3) Dec(sk (id1,...,id l ), C): Parse sk (id1,...,id l ) as (sk 0, sk l+1,..., sk L+1 ) Parse C as (C 1, C 2, C 3) m C 3 ê(c 2,sk L+1 ) ê(c 1,sk 0 ) eturn m Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 20 / 33

Waters HIBE scheme (Wa-HIBE) Setup: g 1, g 2 G ; α Z p h 1 g1 α ; h 2 g2 α u i,j G for i = 1,..., L; j = 0... n mpk (g 1, g 2, h 1, u 1,0,..., u L,n ) msk h 2 eturn (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): Parse sk (id1,...,id l ) as (sk 0,..., sk l ) r l+1 Z p sk 0 sk 0 F l+1 (id l+1 ) r l+1 sk l+1 g r l+1 1 eturn (sk 0, sk 1,..., sk l, sk l+1) Enc(mpk, id, m): Parse id as (id 1,..., id l ) r Z p ; C 1 g r 1 For i = 1,..., l do C 2,i F i (id i ) r C 3 m ê(h 1, g 2) r eturn (C 1, C 2,1,..., C 2,l, C 3) Dec(sk (id1,...,id l ), C): Parse sk (id1,...,id l ) as (sk 0,..., sk l ) Parse C as (C 1, C 2,1,..., C 2,l, C 3) m C 3 eturn m li=1 ê(sk i,c 2,i ) ê(c 1,sk 0 ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 21 / 33

Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 22 / 33

BDDH security of BB HIBE scheme Theorem Let BB refer to the Boneh-Boyen HIBE scheme described above, G be a pairing parameter generator, and A be an adversary against IND-sHID-CPA security of BB, making at most a single query to the L procedure. Then, there exists an adversary B against the BDDH problem relative to G, whose running time is that of A and such that Adv s-ind-cpa BB,L,A (k) 2 Advbddh (B). G,k Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 23 / 33

Security proof of BB scheme Proof will define a sequence of five games (G 0,..., G 4 ). For simplicity, we omit the pairing parameter generation in Initialize. We assume that id has length L. j denotes the smallest index such that id j id j in L procedure. G 0 : This game is the real attack game against BB. G 1 : We change the computation of H i,b so that H id i i,0 H i,1 = g α i for a random α i. G 2 : We change the simulation of the key derivation procedure KeyDer so that the game answers these queries without the knowledge of the master secret key. G 3 : We change the simulation of the L procedure so that C 2,i = C 1 α i. That is, we don t need to know t to compute it. G 4 : We change the simulation of the L procedure so that K is chosen uniformly at random. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 24 / 33

Game G 0 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; b = 0, 1 do h i,b Z p ; H i,b g h i,b mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 0 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., l do r i Z p ; sk i g r i sk 0 g ab l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 25 / 33

Game G 1 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do α i α i Z p ; H i,0 B α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 1 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., l do r i Z p ; sk i g r i sk 0 g ab l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 26 / 33

Game G 2 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 2 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do Z p ; sk i g r i r j r i Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 27 / 33

Game G 3 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 3 proc L(m 0, m 1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i C 1 α i K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do r i Z p ; sk i g r i r j Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 28 / 33

Game G 4 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 4 proc L(m 0, m 1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i C 1 α i K G C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do r i Z p ; sk i g r i r j Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 29 / 33

Probability analysis Claim 1 Adv s-ind-cpa BB,L,A (k) = 2 Pr [ G A 0 = true ] 1 Claim 2 Pr [ G A 1 = true ] = Pr [ G A 0 = true ] Claim 3 Pr [ G A 2 = true ] = Pr [ G A 1 = true ] Claim 4 Pr [ G A 3 = true ] = Pr [ G A 2 = true ] Claim 5 Pr [ G A 4 = true ] Pr [ G A 3 = true ] Adv bddh G,k (B) Claim 6 Pr [ G A 4 = true ] = 1/2 It s straightforward to verify that the security theorem follows from the claims above. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 30 / 33

Proof of Claims 1, 2, 4, and 6 Claim 1 follows the security definition. Claim 2 follows from the fact that H i,b is still uniformly distributed in G. Claim 4 follows from the fact that C 2 C 2,i = (H id i i,0 H i,1) t = ((B α i ) id i g α i B id i α i ) t = g α i t = C 1 α i is still being correctly computed. Claim 6 follows from the fact that A has no information about β in G 4. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 31 / 33

Proof of Claim 3 Claim 3 follows from the fact that (sk 0,..., sk l ) is still a valid random secret key for user id = (id 1,..., id l ), where r j = r j a/(α j (id j id j )) is the randomness being used to generate sk j. sk j = g r j = g r j a/(α j (id j id j )) = g r j g a/(α j (id j id j )) = g r j A 1/(α j (id j id j )) sk 0 = g ab (H id j j,0 H j,1) r j j 1 i=1 (Hid i i,0 H i,1) r i l i=j+1 (Hid i i,0 H i,1) r i = g ab ((B α j ) id j g α j B id j α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab ((g bα j ) id j g α j g bid j α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab (g bα j (id j bid j ) g α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab g ab (g α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 32 / 33

Proof of Claim 5 In order to prove Claim 5, we need to build an adversary B against the BDDH problem. Let (G, g, A, B, C, Z) be the input of B. To simulate procedure Initialize, B sets H i,0 = B α i and H i,1 = g α i B id i α i for random α i, α i and returns mpk = (g, A, B, H 1,0,..., H L,1 ) as the public key. When simulating procedure L, B sets C 1 = C, C 2,i = C 1 α i, and K = Z. B simulates procedures KeyDer and Finalize exactly as in G 3. When B is being executed in Game Exp bddh-0 G,k (B), B simulates G 3 to A. That is, Pr [ G A 3 = true ] = Pr [ Exp bddh-0 G,k (B) = true ]. When B is being executed in Game Exp bddh-1 G,k (B), B simulates G 4 to A. That is, Pr [ G A 4 = true ] = Pr [ Exp bddh-1 G,k (B) = true ]. The claim follows. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 33 / 33

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback