Lecture 7: Boneh-Boyen Proof & Waters IBE System

CS395T Advanced Cryptography
2/0/2009
Lecture 7: Boneh-Boyen Proof & Waters IBE System
Instructor: Brent Waters
Scribe: Ioannis Rouselakis

1 Review

Last lecture we discussed the Boneh-Boyen IBE system, which is an IBE system without random oracles. We started proving that this system is secure under the Selective-ID Model. In that model the attacker states from the beginning the identity she is going to attack, $ID^*$, before seeing the public parameters, and has the ability to request as many secret keys as she likes for any other ID.

Remember that the Setup phase worked as follows: The trusted authority picks three random group elements of a group $G$ of prime order $p$: $g, h, u \in G$. Then she picks random $a, b \in \mathbb{Z}_p$. The Master Secret Key is $MSK = g^{ab}$. The Public Parameters are $PP = (g, h, u, e(g,g)^{ab})$ and the hash function is $f(ID) = u^{ID} h$, where $ID \in \mathbb{Z}_p$.

For the proof we have to show that an attacker on the BB system can be used to solve the Decisional Bidirectional Diffie-Hellman problem. That is, the simulator (or BB Challenger) will get the following parameters: $g$, $A = g^a$, $B = g^b$, $C = g^c$ and $T \in G_T$, where $T = e(g,g)^{abc}$ or $T$ is a random element from $G_T$. To solve DBDH he has to answer correctly, with probability $1/2$ plus more than negligible, whether $T = e(g,g)^{abc}$ or random.

The initial Setup we proposed for the simulator was the following:

1. Choose a random $y \in \mathbb{Z}_p$.
2. The public parameters are: $PP = (g,\ e(g,g)^{ab} = e(A,B),\ u = A,\ h = A^{-ID^*} g^y)$. Notice that we know beforehand the identity $ID^*$ the attacker will attack.
3. $f(ID) = u^{ID} h = A^{ID - ID^*} g^y$.

1.1 Simulator's View

However the above schema looks special to the simulator. Firstly, we have that $f(ID^*) = g^y$, which is a special value. We inserted the random parameter $g^y$ so that the attacker doesn't get $f(ID^*) = 1$ and quit. In addition, the ciphertext from the simulator's point of view is the following:

$$CT = (C_0, C_1, C_2) = \left(M \cdot e(g,g)^{abs},\ g^s,\ g^{a \cdot \Delta ID \cdot s}\, g^{ys}\right)$$

where $\Delta ID = ID - ID^*$. Notice now that if $\Delta ID = 0$, as a simulator we cannot decrypt $CT$. That is because we try to find the blinding factor $e(g,g)^{abs}$. If $\Delta ID \neq 0$ we can do the following:

$$\left(\frac{C_2}{C_1^{\,y}}\right)^{1/\Delta ID} = \left(g^{a \cdot \Delta ID \cdot s}\right)^{1/\Delta ID} = g^{as}$$

By taking $e(g^b, g^{as})$ we calculate the blinding factor $e(g,g)^{abs}$. If $\Delta ID$ were 0, we wouldn't be able to do that. That way the simulation seems a little less magical to the simulator.

As we mentioned in the previous lecture, we need to add randomness in the key generation phase, so that the attacker thinks that keys are distributed randomly. We can do that by re-randomizing the keys. If we give a key for a certain ID, the next key can be random, based on the previous key and the public parameters. Suppose we gave the following key with random parameter $r$: $K_1 = g^{ab} f(ID)^r$, $K_2 = g^r$. Then we can choose a random $t \in \mathbb{Z}_p$ and create a key with randomness $r' = t + r$. This can be done since:

$$K_1' = g^{ab} f(ID)^{r+t} = g^{ab} f(ID)^r f(ID)^t = K_1 \cdot f(ID)^t$$
$$K_2' = g^{r+t} = g^r g^t = K_2 \cdot g^t$$

2 Proof of Security (continued)

Theorem 2.1 (Boneh-Boyen IBE) Decisional-BDH is hard $\Rightarrow$ Boneh-Boyen IBE is CPA selective-ID secure.

Proof. The simulator (the DBDH attacker) is given the following parameters: $A = g^a$, $B = g^b$, $C = g^c$, $T$, where $T = e(g,g)^{abc}$ or random. We suppose that she has gone through the Setup and Key Phase the way we discussed in the first part of the proof. Now we are going to examine the Challenge Phase. That is, the attacker sends to the simulator two messages $M_0$ and $M_1$ to encrypt. The simulator chooses a random $\gamma \in \{0, 1\}$. Then she should present the attacker with the (valid) encryption of $M_\gamma$. In order to do that she calculates the following:

$$C_0 = M_\gamma \cdot T$$
$$C_1 = g^c = C \quad \text{(that is, } c \text{ plays the role of } s\text{)}$$
$$C_2 = f(ID^*)^c = g^{yc} = C^y \quad \text{(} y \text{ is known because we chose it)}$$

The simulator sends $CT = (C_0, C_1, C_2)$ to the attacker and the attacker responds with $\gamma'$, his guess of $\gamma$.
Actually, before he does that he might request another set of secret keys for various identities (except $ID^*$), and the simulator can respond as before with random secret keys. If $(A, B, C, T)$ was a correct DBDH combination, the attacker will respond with $\gamma' = \gamma$ and the simulator will respond with yes correctly, thus solving DBDH. If $T$ was random, then the attacker will give a random answer with probability 0.5 and the simulator will answer correctly in half of the cases. Notice that, in contrast to the BF proof, the probability we need to abort is 0, because we know beforehand the identity $ID^*$ the attacker wants to attack. That is the strangeness of the selective-ID model. In the next section we will see a cryptosystem that uses a less restrictive assumption.

To complete the proof, say that the probability of success of the BB attacker is $\frac{1}{2} + \epsilon$, where $\epsilon$ is not negligible. Then the probability of solving DBDH is:

$$\Pr(\text{success}) = \Pr(\text{success} \mid T = e(g,g)^{abc}) \Pr(T = e(g,g)^{abc}) + \Pr(\text{success} \mid T = R) \Pr(T = R)$$
$$= \left(\frac{1}{2} + \epsilon\right) \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{2} = \frac{1}{2} + \frac{\epsilon}{2}$$

3 Waters 05 System

As we mentioned in the above proof, the selective-ID model imposes a very strong assumption on the proof of security. That is, the attacker picks at the very beginning only one identity to attack and notifies everyone about it. In order to make a weaker assumption we partition the identity space in two sets: the challenge space and the rest. The special identities the attacker is allowed to attack lie in the challenge space. If she asks for a private key for one of them, we abort. For all the others we provide her with the secret keys. Hopefully in the end she will attack one special ID. Supposing that the attacker makes $Q$ private key queries, the challenge space's size is $1/Q$ of the whole identity space. The cryptosystem is the following:

3.1 System

We assume that each identity is an element of $\{0, 1\}^n$, i.e. $n$-bit integers. Then the following is the Setup phase for the Waters IBE system. The algorithms for Encrypt, Decrypt and KeyGen are exactly the same as in the Boneh-Boyen system.

Setup

1. Pick two random $a, b \in \mathbb{Z}_p$.
2. Pick $n + 2$ random elements from group $G$ of prime order $p$: $g, h, u_1, u_2, \ldots, u_n$.
3. The public parameters are $PP = (g, e(g,g)^{ab}, h, u_1, u_2, \ldots, u_n)$, where $e(g,g)^{ab} \in G_T$.
4. Suppose each ID consists of the following bits: $ID = (ID_1, ID_2, \ldots, ID_n)$. Then we define $f(ID) = h \prod_{i=1}^{n} u_i^{ID_i}$.
5. The master secret key is $MSK = g^{ab}$, as in the BB system.

3.2 Proof of Security (Sketch)

Theorem 3.1 (Waters IBE) Decisional-BDH is hard $\Rightarrow$ Waters IBE is CPA Q-selective-ID secure (where by Q-selective-ID we mean that the attacker can attack only IDs in the challenge space of size $1/Q$).

Sketch of Proof. As before, the security of the system is based on the DBDH assumption. That is, we are given a tuple $g$, $A = g^a$, $B = g^b$, $C = g^c$, $T$ and we try to find if $T = e(g,g)^{abc}$ using an attacker on the cryptosystem. This adversary is now allowed to make $Q$ private key queries of identities and attack some other identity. $Q$ is known to us from the beginning.

The setup phase we do is the following. For every $i$ from 1 to $n$ ($n$ is the number of bits of every ID) we choose a random $x_i \in \{0, 1, \ldots, cQ\}$, where $c$ is a constant ($c$ 8). Also we choose a random $y_i \in \mathbb{Z}_p$. From these we calculate each $u_i$ for the cryptosystem as $u_i = A^{x_i} g^{y_i}$. Remember $A = g^a$. We choose a random $z \in \{0, 1, \ldots, n\}$ and a random $y \in \mathbb{Z}_p$. We define $h = A^{-Qz} g^y$. According to the cryptosystem the function $f(ID)$ is the following:

$$f(ID) = h \prod_{i=1}^{n} u_i^{ID_i} = A^{t(ID)} g^{w(ID)}$$

where

$$t(ID) = -Qz + \sum_i ID_i\, x_i$$
$$w(ID) = y + \sum_i ID_i\, y_i$$

The assertion we make now is that when $t(ID) = 0$, the identity ID is in the challenge space, and when $t(ID) \neq 0$, it is inside the private space. The high-level argument for that assertion is that $Qz$ comes in multiples of $Q$. Therefore when we pick $n$ random elements $ID_i$ from the identity space, the probability that $\sum_i ID_i x_i$ is also a multiple of $Q$ is less than $1/Q$. That is the relative size of the challenge space. The probability that for a random identity $t(ID) \neq 0$ is $1 - \frac{1}{Q}$. Using these ideas it is provable that the cryptosystem is secure.

4 Crypto Attack Exercise

Try to break a Boneh-Franklin encryption where the public key is $PK = (g, g^y)$ and the secret key for identity ID is $SK_{ID} = H(ID)^y$, where the Boneh-Boyen function $H(ID) = f(ID) = u^{ID} h$ is used; or prove that this system is secure.
Solution

The proposed system is not secure because we can do the following to acquire the secret key of any identity $ID^*$ we want (provided we can acquire at least two secret keys for other identities):

1. We request the secret keys for two identities $ID_1$, $ID_2$ different from $ID^*$. These are: $X_1 = f(ID_1)^y = (u^{ID_1} h)^y$ and $X_2 = (u^{ID_2} h)^y$.
2. We calculate the following quantity:
$$Q_1 = \left(\frac{X_1}{X_2}\right)^{\frac{1}{ID_1 - ID_2}} = \left(\frac{u^{ID_1 y}\, h^y}{u^{ID_2 y}\, h^y}\right)^{\frac{1}{ID_1 - ID_2}} = u^{\frac{(ID_1 - ID_2)\, y}{ID_1 - ID_2}} = u^y$$
3. We calculate
$$Q_2 = \frac{X_1^{1/ID_1}}{Q_1} = \frac{u^y\, h^{y/ID_1}}{u^y} = h^{y/ID_1}$$
4. Finally we get $Q_3 = Q_2^{ID_1} = h^y$.

With the above we can find the secret key of $ID^*$ and decrypt his messages by

$$Q_1^{ID^*} Q_3 = (u^y)^{ID^*} h^y = H(ID^*)^y = SK_{ID^*}.$$

References

[1] Brent Waters. Efficient Identity-Based Encryption Without Random Oracles. Proceedings of Eurocrypt 2005.
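The simulator's programmed hash from Section 3.2, as an added example that is not part of the original lecture notes: it builds $u_i$ and $h$ from $A$, checks $f(ID) = A^{t(ID)} g^{w(ID)}$ for every identity, and counts the challenge space ($t(ID) = 0$). Assumptions: a constructed toy group (the order-$p$ subgroup of $\mathbb{Z}_{2039}^*$, no pairing needed for this check), $c = 8$, $h = A^{-Qz} g^y$, and all function names.

```python
import random

# Toy group (constructed sample values): the order-p subgroup of Z_MOD^*,
# MOD = 2p + 1. Far too small for real use.
MOD, p, g = 2039, 1019, 4

def sim_setup(a, n, Q, rng, c=8):
    """Simulator's parameters built from A = g^a (c = 8 is an assumed value).
    n, Q, c are kept small so that |t(ID)| < p and t(ID) = 0 means 0 mod p."""
    A = pow(g, a, MOD)
    x = [rng.randrange(c * Q + 1) for _ in range(n)]    # x_i in {0, ..., cQ}
    ys = [rng.randrange(p) for _ in range(n)]           # y_i in Z_p
    z, y = rng.randrange(n + 1), rng.randrange(p)       # z in {0, ..., n}
    u = [pow(A, xi, MOD) * pow(g, yi, MOD) % MOD for xi, yi in zip(x, ys)]
    h = pow(A, (-Q * z) % p, MOD) * pow(g, y, MOD) % MOD
    return {"A": A, "Q": Q, "x": x, "ys": ys, "z": z, "y": y, "u": u, "h": h}

def waters_f(sp, bits):
    """f(ID) = h * prod u_i^{ID_i}, computed from public values only."""
    out = sp["h"]
    for u_i, b in zip(sp["u"], bits):
        if b:
            out = out * u_i % MOD
    return out

def t_of(sp, bits):
    return -sp["Q"] * sp["z"] + sum(b * x_i for b, x_i in zip(bits, sp["x"]))

def w_of(sp, bits):
    return (sp["y"] + sum(b * y_i for b, y_i in zip(bits, sp["ys"]))) % p

def partition(sp, n):
    """Return (identity_holds_for_all_IDs, number_of_IDs_with_t(ID) == 0)."""
    holds, challenge = True, 0
    for v in range(2 ** n):
        bits = [(v >> i) & 1 for i in range(n)]
        t, w = t_of(sp, bits), w_of(sp, bits)
        rhs = pow(sp["A"], t % p, MOD) * pow(g, w, MOD) % MOD
        holds = holds and waters_f(sp, bits) == rhs
        challenge += (t == 0)
    return holds, challenge

if __name__ == "__main__":
    sp = sim_setup(a=321, n=8, Q=4, rng=random.Random(7))
    print(partition(sp, 8))
```

Identities counted in the second return value are exactly those whose hash carries no $A$ component, which is why the simulator cannot issue keys for them but can embed the challenge there.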
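The Section 4 solution carried through numerically, as an added example that is not part of the original lecture notes. It uses the solution's symbols $X_1, X_2, Q_1, Q_2, Q_3$; the toy group (the order-$p$ subgroup of $\mathbb{Z}_{2039}^*$), the sample identities and exponents, and the function names are assumptions constructed for illustration.

```python
# Toy group (constructed sample values): the order-p subgroup of Z_MOD^*,
# MOD = 2p + 1. Far too small for real use; it only makes the algebra visible.
MOD, p, g = 2039, 1019, 4

def inv_exp(e):
    """Inverse of an exponent in Z_p (requires e != 0 mod p)."""
    return pow(e % p, -1, p)

def H(u, h, ident):
    """Boneh-Boyen style hash f(ID) = u^ID * h."""
    return pow(u, ident, MOD) * h % MOD

def keygen(y, u, h, ident):
    """Authority's side of the exercise scheme: SK_ID = H(ID)^y."""
    return pow(H(u, h, ident), y, MOD)

def recover_key(id1, X1, id2, X2, target):
    """Steps 1-4 of the solution: derive SK_target from two other keys."""
    if (id1 - id2) % p == 0 or id1 % p == 0:
        raise ValueError("need id1 != id2 and id1 != 0 (mod p)")
    Q1 = pow(X1 * pow(X2, -1, MOD) % MOD, inv_exp(id1 - id2), MOD)  # u^y
    Q2 = pow(X1, inv_exp(id1), MOD) * pow(Q1, -1, MOD) % MOD        # h^(y/ID_1)
    Q3 = pow(Q2, id1, MOD)                                          # h^y
    return pow(Q1, target, MOD) * Q3 % MOD                          # (u^y)^ID* h^y

def demo():
    y = 777                                   # master secret, never passed to recover_key
    u, h = pow(g, 77, MOD), pow(g, 501, MOD)  # public parameters in the subgroup
    X1, X2 = keygen(y, u, h, 11), keygen(y, u, h, 42)
    forged = recover_key(11, X1, 42, X2, target=300)
    return forged == keygen(y, u, h, 300)

if __name__ == "__main__":
    print("recovered key matches authority's key:", demo())
```

The recovery works because every key is the same fixed power $y$ of a hash that is linear in ID in the exponent; the Boneh-Boyen keys $K_1 = g^{ab} f(ID)^r$, $K_2 = g^r$ from Section 1.1 carry fresh randomness $r$ per key, so two of them do not share an exponent to cancel.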