T Advanced Course in Cryptology. March 28 th, ID-based authentication frameworks and primitives. Mikko Kiviharju

Similar documents
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

An Introduction to Pairings in Cryptography

REMARKS ON IBE SCHEME OF WANG AND CAO

Applied cryptography

Boneh-Franklin Identity Based Encryption Revisited

ABHELSINKI UNIVERSITY OF TECHNOLOGY

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

Pairing-Based Cryptography An Introduction

G Advanced Cryptography April 10th, Lecture 11

Public-Key Cryptography. Public-Key Certificates. Public-Key Certificates: Use

A Strong Identity Based Key-Insulated Cryptosystem

Public Key Cryptography

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Secure and Practical Identity-Based Encryption

1 Number Theory Basics

Simple SK-ID-KEM 1. 1 Introduction

Introduction to Cryptography. Lecture 8

Remove Key Escrow from The Identity-Based Encryption System

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Identity-based encryption

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Generic Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, Universit

Cryptography from Pairings

Efficient Identity-Based Encryption Without Random Oracles

Recent Advances in Identity-based Encryption Pairing-based Constructions

Introduction to Elliptic Curve Cryptography

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Introduction to Cybersecurity Cryptography (Part 4)

Public-Key Cryptosystems CHAPTER 4

Advanced Topics in Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Secure Certificateless Public Key Encryption without Redundancy

Introduction to Elliptic Curve Cryptography. Anupam Datta

Provable security. Michel Abdalla

Lecture 1: Introduction to Public key cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Efficient Identity-based Encryption Without Random Oracles

The Exact Security of Pairing Based Encryption and Signature Schemes

5.4 ElGamal - definition

RSA-OAEP and Cramer-Shoup

Cryptography IV: Asymmetric Ciphers

Recent Advances in Identity-based Encryption Pairing-free Constructions

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Efficient Selective Identity-Based Encryption Without Random Oracles

One can use elliptic curves to factor integers, although probably not RSA moduli.

Type-based Proxy Re-encryption and its Construction

Toward Hierarchical Identity-Based Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

ID-Based Blind Signature and Ring Signature from Pairings

Post-quantum security models for authenticated encryption

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Secure Bilinear Diffie-Hellman Bits

CPSC 467b: Cryptography and Computer Security

ASYMMETRIC ENCRYPTION

Gentry IBE Paper Reading

CPSC 467b: Cryptography and Computer Security

Project: Supersingular Curves and the Weil Pairing in Elliptic Curve Cryptography

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

The odd couple: MQV and HMQV

Advanced Cryptography 1st Semester Public Encryption

Chapter 8 Public-key Cryptography and Digital Signatures

CPSC 467: Cryptography and Computer Security

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex

ECS 189A Final Cryptography Spring 2011

Pairing-Based Cryptographic Protocols : A Survey

Lecture Note 3 Date:

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

DATA PRIVACY AND SECURITY

The Twin Diffie-Hellman Problem and Applications

Cryptographical Security in the Quantum Random Oracle Model

Lecture Notes, Week 6

CPSC 467b: Cryptography and Computer Security

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups

Notes for Lecture 17

Week : Public Key Cryptosystem and Digital Signatures

An Identity-Based Signature from Gap Diffie-Hellman Groups

CPSC 467: Cryptography and Computer Security

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

A New Paradigm of Hybrid Encryption Scheme

An Introduction to Probabilistic Encryption

Introduction to Modern Cryptography. Benny Chor

On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

2.2. The Weil Pairing on Elliptic Curves If A and B are r-torsion points on some elliptic curve E(F q d ), let us denote the r-weil pairing of A and B

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

RSA RSA public key cryptosystem

Multi-key Hierarchical Identity-Based Signatures

Short Signature Scheme From Bilinear Pairings

Public-Key Encryption: ElGamal, RSA, Rabin

Transcription:

March 28 th, 2006 ID-based authentication frameworks and primitives Helsinki University of Technology mkivihar@cc.hut.fi 1 Overview Motivation History and introduction of IB schemes Mathematical basis Boneh-Franklin IB cryptosystem IB-PKI vs. conventional PKI Conclusion 2

Agenda Motivation History and introduction of IB schemes Mathematical basis Boneh-Franklin IB cryptosystem IB-PKI vs. conventional PKI Conclusion 3 PK authentication infrastructures Main functions: signature schemes key agreement Functions usually constructed with asymmetric encryption primitives Not a requirement, though Main goal: minimize the need for and exchange of secret information 4

Directory-based PKI public_key = F(private_key) Problems: binding the public information to actual identity (due to restrictions in forming the asymmetric key pairs) Current PKI solution: certificates and CAs heavy infrastructure and administration costs 5 Current PKI (e.g. X.509 & LDAP) RA RA RA X.509 certificate - Public key owner info - Cert. IDs -CA info - Public key - Validity - Hash of the previous - Hash signature (by the CA) Manage, revoke Manage, revoke Delegate-CA Root-CA Delegate-CA Delegate-CA Delegate-CA Delegate-CA Delegate-CA Issue certificates Certify delegate s public key Publish certs LDAP cert. storage Validate Alice s key Binding Alice Public Private Digital signing Key agreement Encryption Public Key generationprivate Bob 6

Informative public keys? What if the key generation is reversed? private_key = F(public_key) No secrecy here private_key = F(master_key, public_key) Public key has freedom of choice Public key?= user s identity Public Private 7 Identity as the public key Deterministic algorithm => trivial binding from ID to key material mkivihar@cc.hut.fi 1 F System-wide master key Otakaari 1 02150 ESPOO Catch: if this is global, there is no need to go get user-specific information 8

Agenda Motivation History and introduction of IB schemes Mathematical basis Boneh-Franklin IB cryptosystem IB-PKI vs. conventional PKI Conclusion 9 History Shamir introduced the concept in 1984 An RSA-based signature scheme No key agreement, nor encryption Girault s scheme in 1991 RSA-based PKI functionality without actual encryption Not exactly ID-based (public key depends on the secret key as well) Mathematical basis Special elliptic curve classes for ECDLP in 1983 by Menezes, Okamoto and Vanstone ID-based cryptosystems based on elliptic curves Key agreement schemes by Sakai, Ohgishi & Kasahara (SOK) and Joux in 2000 First fully fledged IB-PKI by Boneh and Franklin 2001 10

Properties of IB-PK-AFs (*) (*) Identity-Based Public Key Authentication Framework Trusted Authority (TA) handles key generation for everyone Highly centralized trust element (TA can decrypt everything) Keygen essentially an authentication service (similar to certificate applying in PKI) No key channel needed Binding of identity and public-key based on trust in The generation function Uncompromised TA master key Sound TA authentication service Non-interactivity 11 Non-interactivity in IB-PK-AFs No need to contact directories Verification of a signature Key agreement No need to establish key channels Authenticated key establishment (Key) data origin authentication assuming TA is honest, of course 12

Functions in IB-PK-AFs (*) (*) Identity-Based Public Key Authentication Framework Done at cryptosystem setup Done at user setup B&F here already Encryption Signing Verification Shamir s system System parameters setup User key generation Encryption Decryption Boneh and Franklin cryptosystem -Master key -Algebraic structures, and their key elements -Hash functions -Mappings -etc. - Input: User ID, master key - Output: User private key -Computations performed in secrecy Key agreement System dependent, done at each function SOK, Joux 13 Agenda Motivation History and introduction of IB schemes Mathematical basis Boneh-Franklin IB cryptosystem IB-PKI vs. conventional PKI Conclusion 14

Elliptic curves (1/4) Sets of pairs of field elements (points) satisfying 2 3 a third degree polynomial y [ + xy] = x + ax + b Any field is ok, in EC cryptography finite fields of prime a power of a small prime order are used An additive operation is defined on the points of a certain EC => a group is formed. Repeated additions of a fixed point equal exponentiation Normal finite field methods for extracting a discrete logarithm do not work due to lack of multiplication operation between group elements 15 Elliptic curves (2/4) Elliptic curve group defined on real numbers, with addition procedure O Elliptic curve group defined on a finite field (23 points) 16

Elliptic curves (3/4) Usage in PKI based on ECDLP Encrypting usually done with extracting (hashing) an element from the EC group ECC -> real PKI (but still dir-based ) Selecting the underlying field order, from: E ( Fq ) = q+ 1 + t = O( q), 2 q t 2 q Best known ECDLP runs in time ( ( Fq ) ) c (cf. DLP of finite fields log 1/3 q( log log q) e 2/3 ) Key size = 2 * security parameter 1 2 O E O q 17 Elliptic curves (4/4) For a prime power q=p m, the EC group is described by a tuple (q,a,b,g,n,h), where G E( F q ) is the generator of a subgroup of prime order n in the EC group, and G = n, n E( Fq ) h= E( Fq ) / n cofactor, preferably small (=1) integer MOV-attack resistance requires that n does not B divide q 1 for all small B (<20, or small enough such that the subexp DL is hard in the underlying field) Fortunately, a subset of these weak curves have other applications 18

Weak elliptic curves ECs, for which the underlying field characteristic p divides the Frobenius trace t, are called supersingular (a subset of the type of elliptic curves susceptible to MOV-attacks) Weakness: an efficient mapping from the EC group to the underlying field with a guaranteed small extension (which has subexponential solvability for DL) 19 Weil pairing for ECs (1/2) Isomorphism ( = invertible) Map between (prime-) ordersubgroups of an elliptic curve and the underlying field) α <z > E(F p k) <z> F p k ez ( P, Q) Unmodified Weil pairing Q=(x,y ) E(F p ) P=(x,y) 20

Weil pairing for ECs (2/2) α ( ) Fix an order- generator z E F k p such that P z or Q z, but not both Then the Weil pairing is defined as ( ez( P Q) α F ) e ( ) p k z P Q ( ) ( ) α ( F k ) p, = 1, 1 ( ord P = ord Q = ) ( ( a, b Z) : P aq Q bp) The supersingular property condition assures that E(F p k) is non-cyclic, and that there exists a non-empty order-α subgroup for P, the elements of which are not mapped to unity 21 Weil pairing properties Notation: (G 1,+), (G 2,*) groups under Weil pairing (G 1 is the EC subgroup and G 2 the underlying field ext. subgroup) Identity: ( P G1 ): ez( P, P) = 1G 2 Bilinearity: ( PQ, G1 ):, ez( P+ RQ, ) = ez( PQ, ) ez( RQ, ) ez( P, Q+ R) = ez( P, Q) ez( P, R) Non-degeneracy: ( P G, 1 P O) : e (, ) 1 (, z P z G e ) 2 z z P (P and z must be independent according to the mapping definition) Efficiency: mapping is practically efficiently computable 22

Weil pairing: MOV-reduction According to Menezes-Okamoto-Vanstone (-83) ( ) Given PnP, EFp Apply Weil pairing; according to bilinearity property: ξ = e P, z z z ( ) (, ) (, ) n η = e np z = e P z = ξ z n which is a DL problem in a finite field 1/3 2/3 ck log p( log( k log p) ) with a running time of O( e ) (cf. for ECDLP) 0,5 p O( e ) F p, k 6 k 23 Modified Weil pairing What if P=aQ? (This is the case with e.g. Boneh- Franklin cryptosystem) (, ) (, ) (, ) a a e z P Q = e z aq Q = e z Q Q = 1G 2 Apply a distortion function (Verheul, 2001) Modified Weil pairing, defined as P, Q G where : 1 : e( P, Q) = ez ( P, Φ( Q) ) Φ E F E F p k p k distortion function mapping a point to a linearly independent point Properties Symmetry Bilinearity ( ) ( ) is a 24

Modified Weil pairing and DDH a b c Decisional Diffie-Hellman: given p, p, p, p G decide if ab c( mod G ) In a general group this seems as hard as DL In a supersingular EC group, when given PaPbPcP,,, G1; abc,, Z c Calculate η = e( P, cp) = e( P, P) and ab ξ = e( ap, bp) = e( P, P) Now ab c( mod G1 ) ξ = η DDH is easy in supersingular EC groups! Bilinearity extracts the discrete logarithm 25 Agenda Motivation History and introduction of IB schemes Mathematical basis Boneh-Franklin IB cryptosystem IB-PKI vs. conventional PKI Conclusion 26

Boneh-Franklin IB cryptosystem First practical IB cryptosystem (2001) Provides actual asymmetric encryption in IB framework Provably secure (although not the algorithm 13.2) in IND- CCA2 (indistinguishable adaptive chosen-ciphertext in RO model applied in IB framework conventional PKI is insecure in CCA already) Uses bilinear maps (one instantiation is Weil pairings in supersingular EC groups) Relies on the bilinearity property of the Weil pairings (= Bilinear DH problem (*) ) ( ) compute (*) PaPbPcP,,, e PP, abc 27 Boneh-Franklin: FullIdent Mao s presentation of BF system is not IND- CCA2 secure (BF s BasicIdent is malleable fails NM-CPA: Malice can modify the ciphertext without knowing the secret r, and NM- CPA is a weaker notion than CCA2-security) Extra hash functions and random variables are needed for this purpose We present here the IND-CCA2-secure FullIdent-scheme 28

BF: System parameters setup (1/2) Performed by TA Group descriptions ( G1, + );( G 2,* ) Bilinear map e: ( G1, + ) ( G1, + ) ( G2,* ) Generator: P G 1 Global key material Master key: Public key: s p= G = G P U Z ;( ) p 1 2 pub = sp 29 BF: System parameters setup (2/2) Hash functions Identity hasher H { } * 1: 0,1 G1 Public key hasher H2 : G2 { 0,1} n, n=log size of message and cipher space Session key / message integrator n n * H3 :{ 0,1} { 0,1 } Zq; q = ord( P) n n Session key hasher H :{ 0,1} { 0,1} Publish Desc G1, G2, e, H1, H2, H3, H4, n, P, Ppub 4 30

BF: User key generation Performed by TA to a user after thorough verification of the user s identity Key material: Public key, deterministically from the ID string: QID = H1( ID) G1 Private key: did = sqid Identity hash need not be straight to G 1, as shown by B&F in their paper: rather a conventional hash followed by an admissible encoding function (simple elliptic curve point calculator) 31 BF: Encryption, idea Message M 1011011100011100 1001101101000001 1101011001010101 1010111001010100 0011011001001111 1100111110011001 1001010010010011 1010100100100101 1001101010010101 010001010010101 Random session key Mix session key Hash and message H 3 H 4 session key P Deterministic user public key from ID H 1 H 2,e + User ID Ciphertext = [ Malleability protection Encrypted session key Encrypted message ] P pub M + H 4 (session key) 32

BF: Encryption, operation Compute the recipient s Choose a random session key ID ( ) Q = H ID G 1 1 σ { 0,1} n Set malleability protection ( σ ) r = H M 3, Calculate ciphertext C = <U,V,W> = ( ( ID pub )) ( σ ) rp, σ H e Q, rp, M H 2 4 33 BF: Decryption, operation Compute the session key: σ = ( ( ID )) V H e d U 2, Decrypt the message: M = W H4 ( σ ) Check message integrity: calculate If U = rp, then message is intact ( σ ) r = H M 3, Accept message M, iff intact 34

BF: Decryption, correctness Message is hidden XORing with an OTP opened correctly, if session key opened correctly M = W H4 ( σ ) For the session key: result of H 2 must equal that of H 2 after encryption H2D = H2( e( did, U) ) = H2( e( sqid, rp) ) = s H e( Q, rp) = H e Q, rsp = ( ID ) ( ID ) ( ( ID, pub )) = E 2 2 H e Q rp H 2 2 ( ) 35 BF: Instantiation with ECs (1/2) Needed Group descriptions Bilinear map Hash functions With a k-bit prime p and another prime q, such that p 2( mod3) p= 6q 1 2 3 G 1 is an EC y = x + 1 over Fp G 2 is F p 2 3 Use a distortion map Φ ( x, y) = ( ζ x, y), ζ 1 F, ζ 1 0( mod p) p 2 and a Weil pairing e defined with the help of divisors of functions over EC groups 36

BF: Instantiation with ECs (2/2) Bilinear map e is now epq (, ) = e' P, Φ Q Hash functions (cryptographically strong): H 2 H 4 as described (e.g. Whirlpool, SHA-256) * H : { 0,1 } * 1 Fp as a normal hash function (above) Define function MapToPoint:Fp G 1 MapToPoint Now the first hash is 2 ( ) ( ) ( p 6 y 1 ) y 0 0 2 1 /3 = 6y 0 ( ( )) ( ) * ( ) = MapToPoint ( ) H ID H ID 1 1 37 BF: Security parameter If r is exposed, adversary can decrypt M and σ and modify the message at will r is protected by the difficulty of extracting discrete logarithm from rp (P is public) but rp belongs to a supersingular EC group, where a DL solver runs in subexponential time Extension parameter defines security parameter BF keylens for 128-bit entropy ext.size (l) key length 6 423 bits 5 508 bits 4 635 bits 3 846 bits 2 1269 bits 1 2538 bits (RSA) 38

Security notions IND-ID-CCA2, adaptive chosen ciphertext attacks for identity-based frameworks OWE, One-Way Encryption, defined for standard public-key schemes all-or-nothing model: M is either bit-by-bit correctly guessed, or the challenge fails Random public key K pub Adversary C=K pub (M) Guess of M Challenger 39 IND-CCA2 sec. in IB framework (1) Challenger-adversary game as in normal IND-CCA2; (called IND-ID-CCA2) decryptions and private key extractions are allowed (not for the challenge ID, though) System params setup Adversary Pre-challenge adaptive chosen decryption queries / extractions of private keys of identities Pre-challenge responses Response: C ID (m b ) Challenge: m 0, m 1, ID Post-challenge adaptive chosen decryption queries / extractions of private keys of identities Post-challenge responses Challenger Guess: b 40

IND-CCA2 sec. in IB framework (2) Adversary assumed to be PPT-bounded Adversary wins the game, if he guesses, which of the messages was encrypted IND-CCA2 notion satisfied, if the adversary cannot gain a non-negligible (inverse polynomial in the size of the security parameter) advantage in guessing correctly Semantic security 41 BF: Security proof (1/5) Assumption: Bilinear DH problem (BDH) is hard in the instantiated group (BDH is assumed to be hard (superpolynomial, albeit subexponential) in supersingular EC groups) Proof is a reduction through two types of security notions and cryptosystems to an algorithm of solving BDH IND-ID-CCA2 FullIdent I2C=Identity-to-Conventional IND-CCA2 BasicPub hy FO=Fujisaki-Okamoto OWE BasicPub BDHR=BDH-Reduction G 1,G 2 BDH 42

BF: Security proof (2/5) Basic theorem: Assume H 1 H 4 are random oracles A is a t-time, ε-advantage IND-ID-CCA2-adversary on FullIdent, n is the blocksize of encryption A has q E extraction, q D decryption and q Hi hash queries (hash queries for oracle H i ) There is an algorithm B for solving BDH in the instantiation groups, such that time B FO tq,, q Adv ( ) time ( H H ) ( B) 4 3 ε FO adv, qh, q, 2 4 H q 3 D e( 1+ qe + qd) q H2 n 43 BF: Security proof (3/5) The Fujisaki-Okamoto functions FO are defined as: ( ) ( tq q ) = t+ Onq ( + q ) FO,, time H4 H3 H4 H3 q ( ) ( ) ( ) D 1 2 FO adv ε, qh, q 4 H, q 3 D = ε + 1 1 1 2 qh + q 4 H 3 q I2C reduction states that the adversary in IND-ID- CCA2-setting with its time- and advantage parameters has a time-parameter of the same order, and advantage ε ( ) against BasicPub hy in IND-CCA2-setting e + q + q 1 E D 44

BF: Security proof (4/5) Scheme BasicPub: same as BasicIdent (Mao s version of BF-IBE), but public key is random, not generated from any ID Scheme BasicPub hy : same as FullIdent, but public key is random Sketch of proof of I2C B against BasicPub hy will use A against FullIdent by Simulating the challenger as a random oracle for A for extraction queries (there are no identities in BasicPub hy ) Relaying and translating decryption queries to BasicPub hy challenger Relaying and translating (probabilistically) challenges and responses between A and BasicPub hy challenger 45 BF: Security proof (5/5) Fujisaki-Okamoto proof omitted BDH-reduction premise is that the adversary in OWEsetting with its time- and advantage parameters has a time-parameter of the same order, and advantage.( ε 2 n )/ q H against BDH in the instantiated groups 2 Proof of the BDH-reduction follows the same format as the I2C-reduction: B simulates (as a random oracle) H 2 to A making sure to respond consistently to queries The input extractable group elements to B will be translated as system parameters to A: ap=p pub, bp=q ID, cp=first part of the ciphertext C = <cp,r> 46

BF Security proof: BDH (1/6) Challenge phase Group descriptions and Weil pairing description are passed as is Bcreates an oracle access to H 2 ( keystream generator ) BDH instances are translated to parts of the public key and the challenge ciphertext Algorithm A Adversary PP, = apq, = bp pub ID cp, R { 0,1} n U Algorithm B PaPbPcP,,, Challenger 47 BF Security proof: BDH (2/6) Challenge phase Since P pub =ap, a is the secret master key Thus d ID =aq ID =abp Ais assumed to return the correct plaintext, so we mark M = R H2( e( cp, did )) = R H2( D) Also, D is the solution to the BDH problem, since e( cp, did ) = e( cp, aqid ) = e( cp, aqid ) = ecpaq (, ID ) = ecpabp (, ) = e( PabcP, ) = abc e( P, P) 48

BF Security proof: BDH (3/6) Oracle queries (A will want to map the G 2 -group element to a bitstring which is supposed to happen with the private (unknown) key): The hash H 2 is simulated by randomly producing an n-bit value The already given hashes are memorized in a list in case A will ask them again, and for later guesses Algorithm A Adversary H2 ( X ) =? ( ) = U { } H2 X Y 0,1 n Algorithm B Challenger 49 BF Security proof: BDH (4/6) Guess A s guess is as such, meaningless, since we do not know the hash pre-image (which would correspond to the abcp or the solution of the BDH-problem) However, in order for A to have computed the message from interactions with the challenger, the pre-image must be within the memorized list of hashes B just randomly outputs one of these pre-images Adversary Algorithm A M ' Algorithm B abcp = H ( X i) U H list 2 2 Challenger 50

BF Security proof: BDH (5/6) Time constraints: B s work is all about using A, translating instances (O(1) work) and maintaining the oracle query list (O(q D ) work) B s work is the of same order as A s => PPT-bounded Advantage: Selection of the public key and cipher text depends on the original challenger; B outputs the ciphertext and oracle responses uniformly random If A has advantage ε, then PM [ ' = M] ε 51 BF Security proof: BDH (6/6) Advantage: Let T be the event that D appears in the memorized list, and δ = P[ T ] If A outputs a correct answer and the D is not found in the list, then A has acted independently of the hashes. In this case the guess is random: PM [ = M' T] 2 n From these: ε P[ M= M' ] = PM [ = M' TPT ] [ ] + PM [ = M' TP ] [ T] PT [ ] + PM [ = M' T] P[ T] δ + 2 n ( 1 δ) n n Solving for δ : δ > δ ( 1 2 ) > ε 2 The advantage follows by dividing by the number of oracle queries 52

IB and dir PKI Directory TTPs RA, CA, LDAP-rep. PKG/TA Operations needing interaction System setup, fetching public key, fetching revoc.lists, Identity-based (Weil pairing) System setup Key gen. User PKG/TA Key length (128 bit entropy) Revocation 2540 bits (RSA) 256 bits (ECC) 420 1270 bits (l=6..2) Timed, or lists Timed 53 Open problems Non-interactive key (/identity) revocation Random elements inclusion in the key generation Lessening the dependency on a single TA (some solutions, not completely satisfactory, exist, e.g. B&F, Mao) Multi-party IB-PKI Ad hoc IB-PKI 54

Conclusion Instantiable IB-PKI a new area: More efficient than conventional PKI Important open problems Elliptic-curve algebra involved Backed by long history of mathematical research New applications bound to emerge Promising applications in ad hoc peering networks 55

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback