Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

Similar documents
Applied cryptography

6.892 Computing on Encrypted Data October 28, Lecture 7

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

G Advanced Cryptography April 10th, Lecture 11

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

The Cramer-Shoup Cryptosystem

Fully Key-Homomorphic Encryption and its Applications

DATA PRIVACY AND SECURITY

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Searchable encryption & Anonymous encryption

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

5199/IOC5063 Theory of Cryptology, 2014 Fall

General Impossibility of Group Homomorphic Encryption in the Quantum World

El Gamal A DDH based encryption scheme. Table of contents

Gentry IBE Paper Reading

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

On the Selective-Opening Security of DHIES

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Identity-based encryption

Leakage Resilient ElGamal Encryption

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

On the CCA1-Security of Elgamal and Damgård s Elgamal

Standard versus Selective Opening Security: Separation and Equivalence Results

Non-malleability under Selective Opening Attacks: Implication and Separation

Introduction to Cybersecurity Cryptography (Part 4)

1 Number Theory Basics

Notes for Lecture 16

Efficient Identity-based Encryption Without Random Oracles

Lattice Based Crypto: Answering Questions You Don't Understand

A Posteriori Openable Public Key Encryption *

Introduction to Cybersecurity Cryptography (Part 4)

Smooth Projective Hash Function and Its Applications

Post-quantum security models for authenticated encryption

Public-Key Encryption

Identity Based Encryption

How to Delegate a Lattice Basis

On Homomorphic Encryption and Secure Computation

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Public Key Cryptography

Two-Round PAKE from Approximate SPH and Instantiations from Lattices

Public Key Cryptography

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Multikey Homomorphic Encryption from NTRU

14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University

Cryptology. Scribe: Fabrice Mouhartem M2IF

Lossy Trapdoor Functions and Their Applications

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Fully Homomorphic Encryption over the Integers

Evaluating 2-DNF Formulas on Ciphertexts

ADVERTISING AGGREGATIONARCHITECTURE

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 17: Constructions of Public-Key Encryption

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Lecture 16: Public Key Encryption:II

Structure Preserving CCA Secure Encryption

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Classical hardness of the Learning with Errors problem

Better Security for Functional Encryption for Inner Product Evaluations

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Chapter 11 : Private-Key Encryption

Fully Homomorphic Encryption over the Integers

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Information-theoretic Secrecy A Cryptographic Perspective

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Advanced Topics in Cryptography

A New Paradigm of Hybrid Encryption Scheme

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Public Key Cryptography

Chosen-Ciphertext Security (I)

Spooky Encryption and its Applications

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Computing with Encrypted Data Lecture 26

Katz, Lindell Introduction to Modern Cryptrography

Identity-Based Encryption from the Diffie-Hellman Assumption

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Public-Key Encryption: ElGamal, RSA, Rabin

Modern Cryptography Lecture 4

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

A Strong Identity Based Key-Insulated Cryptosystem

Lecture 18: Message Authentication Codes & Digital Signa

Lattice Cryptography

Introduction to Cryptography. Lecture 8

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Stronger Public Key Encryption Schemes

6.892 Computing on Encrypted Data September 16, Lecture 2

i-hop Homomorphic Encryption Schemes

Shai Halevi IBM August 2013

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Transcription:

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT)

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts PKE = (Gen, Enc, Dec) pk= m c = Enc pk (m) sk= m = Dec sk (c) Semantic security [GM84]: Enc pk (m) Enc pk (0)

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Users have identities; encryption only requires global public parameters and recipient's identity IBE = (IBEGen, IBEExtract, IBEEnc, IBEDec) [S84, BF01] PP m c = Enc PP ( Bob, m) sk Bob

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Adversary is allowed to obtain keys for arbitrary identities Semantic security: Adversary must distinguish messages for an unqueried identity Selective security: Adversary declares target ID at start ID sk ID

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Same definition for full and selective security, except we place an a priori bound t on the number of ID queries adversary can make PP may depend on t ID sk ID at most t times

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts [GLW12] Assumptions Ciphertext Size PP Size PKE w/linear hash proof; key homomorphism Same as underlying PKE Θ(t lg ID ) PKE PKs [DKXY02] Semantic-secure PKE Θ(t lg ID ) PKE ciphertexts Θ(t 2 lg ID ) PKE PKs This work Semantic-secure PKE; key homomorphism; weak multi-key malleability Same as underlying PKE Θ(t 2 lg ID ) PKE PKs This work Semantic-secure PKE; Same as underlying PKE Θ(t 2 lg ID ) PKE PKs multi-key malleability [DKXY02] DDH 3 group elements Θ(t lg ID ) elts [GLW12] DDH 3 group elements Θ(t lg ID ) elts This work DDH 2 group elements Θ(t 2 lg ID ) elts [GLW12] QR 2 RSA group elements Θ(t lg ID ) elts This work LWE Same as [GPV08] Θ(t 2 lg ID ) PKs This work NTRU Same as [HPS98] Θ(t 2 lg ID ) PKs

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts [GLW12] Assumptions Ciphertext Size PP Size PKE w/linear hash proof; key homomorphism Same as underlying PKE Θ(t lg ID ) PKE PKs [DKXY02] Semantic-secure PKE Θ(t lg ID ) PKE ciphertexts Θ(t 2 lg ID ) PKE PKs This work Semantic-secure PKE; key homomorphism; weak multi-key malleability Same as underlying PKE Θ(t 2 lg ID ) PKE PKs This work Semantic-secure PKE; Same as underlying PKE Θ(t 2 lg ID ) PKE PKs multi-key malleability [DKXY02] DDH 3 group elements Θ(t lg ID ) elts [GLW12] DDH 3 group elements Θ(t lg ID ) elts This work DDH 2 group elements Θ(t 2 lg ID ) elts [GLW12] QR 2 RSA group elements Θ(t lg ID ) elts This work LWE Same as [GPV08] Θ(t 2 lg ID ) PKs This work NTRU Same as [HPS98] Θ(t 2 lg ID ) PKs

~ Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts [GLW12] Assumptions Ciphertext Size PP Size PKE w/linear hash proof; key homomorphism Same as underlying PKE Θ(t lg ID ) PKE PKs [DKXY02] Semantic-secure PKE Θ(t lg ID ) PKE ciphertexts Θ(t 2 lg ID ) PKE PKs This work Semantic-secure PKE; key homomorphism; weak multi-key malleability Same as underlying PKE Θ(t 2 lg ID ) PKE PKs This work Semantic-secure PKE; Same as underlying PKE Θ(t 2 lg ID ) PKE PKs multi-key malleability [DKXY02] DDH 3 group elements Θ(t lg ID ) elts [GLW12] DDH 3 group elements Θ(t lg ID ) elts This work DDH 2 group elements Θ(t 2 lg ID ) elts [GLW12] QR 2 RSA group elements Θ(t lg ID ) elts This work LWE Same as [GPV08] Θ(t 2 lg ID ) PKs This work NTRU Same as [HPS98] Θ(t 2 lg ID ) PKs

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts [GLW12] Assumptions Ciphertext Size PP Size PKE w/linear hash proof; key homomorphism Same as underlying PKE Θ(t lg ID ) PKE PKs [DKXY02] Semantic-secure PKE Θ(t lg ID ) PKE ciphertexts Θ(t 2 lg ID ) PKE PKs This work Semantic-secure PKE; key homomorphism; weak multi-key malleability Same as underlying PKE Θ(t 2 lg ID ) PKE PKs This work Semantic-secure PKE; Same as underlying PKE Θ(t 2 lg ID ) PKE PKs multi-key malleability [DKXY02] DDH 3 group elements Θ(t lg ID ) elts [GLW12] DDH 3 group elements Θ(t lg ID ) elts This work DDH 2 group elements Θ(t 2 lg ID ) elts [GLW12] QR 2 RSA group elements Θ(t lg ID ) elts This work LWE Same as [GPV08] Θ(t 2 lg ID ) PKs This work NTRU Same as [HPS98] Θ(t 2 lg ID ) PKs

Key Homomorphism A public-key encryption scheme has a secretkey to public-key homomorphism μ if: secret keys group G (group operation +) public keys group H (group operation ) (pk, sk) Gen implies pk = μ(sk) sk, sk' G, μ(sk+sk') = μ(sk) μ(sk') = + =

GLW Construction Identity map φ: ID {0,1} n (view as subset) IBEGen: Run Gen n PP = (pk 1,pk n ) msk = (sk 1,sk n ) IBEExtract: sk ID = i φ(id) sk i IBEEnc: pk ID = i φ(id) pk i c = Enc(pk ID, m)

GLW Construction Identity map φ: ID {0,1} n (view as subset) IBEGen: Run Gen n PP = (pk 1,pk n ) msk = (sk 1,sk n ) IBEExtract: sk ID = i φ(id) sk i IBEEnc: pk ID = i φ(id) pk i c = Enc(pk ID, m)

GLW Construction Identity map φ: ID {0,1} n (view as subset) IBEGen: Run Gen n PP = (pk 1,pk n ) msk = (sk 1,sk n ) IBEExtract: sk ID = i φ(id) sk i IBEEnc: pk ID = i φ(id) pk i c = Enc(pk ID, m)

GLW Construction Identity map φ: ID {0,1} n (view as subset) IBEGen: Run Gen n PP = (pk 1,pk n ) msk = (sk 1,sk n ) IBEExtract: sk ID = i φ(id) sk i IBEEnc: pk ID = i φ(id) pk i c = Enc(pk ID, m)

Cover-Free Maps What to use as φ? t-cover-free map: no group of t subsets completely covers another ID 0, ID 1, ID t, φ(id 0 ) \ i=1t φ(id i ) Ø (Note: We can make t-cover-free maps with n=θ(t 2 ) that support exponentially many IDs in total. [CHH+07])

Selective Security of GLW Thm. If PKE is semantically secure and φ is (t+1)-cover-free, then the GLW construction is a selectively-secure t-bc-ibe. Proof: guess the uncovered key in φ(id*) pk* Choose i φ(id*) randomly (pk j, sk j ) Gen for j i Let pk i = pk* j i, j φ(id*) pk j-1 If i φ(id), abort ID* PP ID sk ID m 0, m 1 m 0, m 1 c* By construction, pk ID* = pk* c* b b

Weak Multi-Key Malleability PKE is weakly n-key malleable if PPT Sim that can convert a ciphertext of an unknown message to a ciphertext under the product of n keys, one of which is the original Enc(m) Sim Enc(m) Enc(m)

Full Security of GLW Thm. If PKE is semantically secure and weakly n-key malleable, and φ is (t+1)- cover-free, then the GLW construction is a (fully) semantically-secure t-bc-ibe.

Example ElGamal encryption: (pk, sk) = (gx, x) Enc pk (m) = (g r, (g x ) r m) homomorphism μ: g x g y = g x+y = + = sk ID = i φ(id) x i IBE ciphertext is just a PKE ciphertext 2 group elements! Constructions from QR [GLW12], LWE [GPV07]

Multi-Key Malleability PKE is n-key malleable if PPT Comb, Mod: Enc(m) Comb Mod Enc(m)

Multi-Key Malleability PKE is n-key malleable if PPT Comb, Mod: Enc(m) Enc(m) Mod Mod Enc(m) s Enc(m)

BC-IBE from Multi-Key Malleability IBEGen: Run Gen n PP = (pk 1,pk n ) msk = (sk 1,sk n ) IBEExtract: sk ID = Comb(φ(ID), msk) IBEEnc: i = min(φ(id)) c' = Enc(pk i, m) c = Mod(PP, φ(id), c)

BC-IBE from Multi-Key Malleability IBEGen: Run Gen n PP = (pk 1,pk n ) msk = (sk 1,sk n ) IBEExtract: sk ID = Comb(φ(ID), msk) IBEEnc: i = min(φ(id)) c' = Enc(pk i, m) Thm. If PKE is semantically secure and n-key-malleable, and φ is (t+1)-coverfree, then this BC-IBE is (fully) semantically secure. c = Mod(PP, φ(id), c)

NTRU Consider polynomial ring R = Z[x]/(xr +1) χ = distribution over R w/coeffs bounded by B f,g χ, f 1 mod 2 sk=f; pk=2g/f (over R q ) Enc(pk, b): h,e χ; c = h pk + 2e + b Dec(sk, c): Output sk c (mod 2)

NTRU-Based Construction Comb: Given: sk 1 sk n Return i sk i Comb Mod: Given: c = h pk i +2e+b pk 1 pk n Enc(m) Sample h j χ (j [n]\i) Return c + j [n]\i h j pk j = j h j pk j + 2e + b Mod Enc(m)

NTRU-Based Construction Modified ciphertexts are now of the form i 2h i g i /f i + 2e + b Combined keys are of the form j f j Thus, decryption yields ι 2h i g i ( f )) + 2e( f ) + ( f )b (mod 2) j i i j j j j We can set parameters q, r, B s.t. this equals b

Bounded-CCA Security Any selectively-secure IBE implies a CCA-secure PKE [BCHK07] The reduction carries over in the bounded-collusion model; any selectively-secure t-bc-ibe implies a t- bounded CCA PKE. GLW construction: semantically-secure PKE with homomorphism bounded-cca PKE with same ciphertext size bounded-cca NTRU construction has smaller ciphertexts than any known NTRU-based CCA PKE

Open Problems More examples! Other properties that yield BC-IBE (possibly with smaller public parameters)

Questions?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback