CS395T Advanced Cryptography 2/0/2009

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Instructor: Brent Waters
Scribe: Ioannis Rouselakis

1 Review

In the last lecture we discussed the Boneh-Boyen IBE system, which is an IBE system without random oracles. We started proving that this system is secure in the Selective-ID model. In that model the attacker states at the very beginning, before seeing the public parameters, the identity $ID^*$ she is going to attack, and she can then request secret keys for as many other identities as she likes.

Recall that the Setup phase works as follows. The trusted authority picks three random elements $g, h, u \in G$ of a group $G$ of prime order $p$. Then she picks random $a, b \in \mathbb{Z}_p$. The master secret key is $MSK = g^{ab}$. The public parameters are $PP = (g, h, u, e(g,g)^{ab})$ together with the hash function $f(ID) = u^{ID} h$, where $ID \in \mathbb{Z}_p$.

For the proof we have to show that an attacker on the BB system can be used to solve the Decisional Bidirectional Diffie-Hellman (DBDH) problem. That is, the simulator (or BB challenger) gets the following parameters: $g$, $A = g^a$, $B = g^b$, $C = g^c$ and $T \in G_T$, where either $T = e(g,g)^{abc}$ or $T$ is a random element of $G_T$. To solve DBDH he has to answer correctly, with probability $1/2$ plus a more than negligible amount, whether $T = e(g,g)^{abc}$ or $T$ is random.

The initial Setup we proposed for the simulator was the following:

1. Choose a random $y \in \mathbb{Z}_p$.
2. The public parameters are $PP = (g,\ e(g,g)^{ab} = e(A,B),\ u = A,\ h = A^{-ID^*} g^y)$. Notice that we know beforehand the identity $ID^*$ the attacker will attack.
3. $f(ID) = u^{ID} h = A^{ID - ID^*} g^y$.

1.1 Simulator's View

However, the above scheme looks special to the simulator. First, we have $f(ID^*) = g^y$, which is a special value. We inserted the random factor $g^y$ so that the attacker does not get $f(ID^*) = 1$ and quit. In addition, the ciphertext from the simulator's point of view is the following:

$$CT = (C_0, C_1, C_2) = \left(M e(g,g)^{abs},\ g^s,\ g^{a\,\Delta ID\,s} g^{ys}\right)$$

where $\Delta ID = ID - ID^*$. Notice now that if $\Delta ID = 0$, as a simulator we cannot decrypt $CT$. That is because we are trying to find the blinding factor $e(g,g)^{abs}$. If $\Delta ID \neq 0$ we can do the following:

$$\left(\frac{C_2}{C_1^{\,y}}\right)^{1/\Delta ID} = \left(g^{a\,\Delta ID\,s}\right)^{1/\Delta ID} = g^{as}$$

By taking $e(g^b, g^{as})$ we calculate the blinding factor $e(g,g)^{abs}$. If $\Delta ID$ were 0, we would not be able to do that. That way the simulation seems a little less magical to the simulator.

As we mentioned in the previous lecture, we need to add randomness in the key generation phase, so that the attacker sees keys that are distributed randomly. We can do that by re-randomizing the keys. If we have given out a key for a certain ID, the next key can be made random using only the previous key and the public parameters. Suppose we gave the following key with random parameter $r$: $K_1 = g^{ab} f(ID)^r$, $K_2 = g^r$. Then we can choose a random $t \in \mathbb{Z}_p$ and create a key with randomness $r' = t + r$. This can be done since:

$$K_1' = g^{ab} f(ID)^{r+t} = g^{ab} f(ID)^r f(ID)^t = K_1 f(ID)^t$$

$$K_2' = g^{r+t} = g^r g^t = K_2\, g^t$$

2 Proof of Security (continued)

Theorem 2. (Boneh-Boyen IBE) Decisional-BDH is hard $\Rightarrow$ Boneh-Boyen IBE is CPA selective-ID secure.

Proof. The simulator (the DBDH attacker) is given the following parameters: $A = g^a$, $B = g^b$, $C = g^c$, $T$, where $T = e(g,g)^{abc}$ or random. We suppose that she has gone through the Setup and Key phases the way we discussed in the first part of the proof. Now we examine the Challenge phase. The attacker sends the simulator two messages $M_0$ and $M_1$ to encrypt. The simulator chooses a random $\gamma \in \{0, 1\}$. Then she should present the attacker with a (valid) encryption of $M_\gamma$. In order to do that she calculates the following:

$$C_0 = M_\gamma T$$

$$C_1 = g^c = C \quad \text{(that is, } c \text{ plays the role of } s\text{)}$$

$$C_2 = f(ID^*)^c = g^{yc} = C^y \quad \text{(} y \text{ is known because we chose it)}$$

The simulator sends $CT = (C_0, C_1, C_2)$ to the attacker and the attacker responds with $\gamma'$, a guess of $\gamma$. Before doing that, the attacker might request another set of secret keys for various identities (except $ID^*$), and the simulator can respond as before with random secret keys.

If $(A, B, C, T)$ was a correct DBDH tuple, the attacker will respond with $\gamma' = \gamma$ and the simulator will respond with "yes" correctly, thus solving DBDH. If $T$ was random, then the attacker will give a random answer with probability 0.5 and the simulator will answer correctly in half of the cases. Notice that, in contrast to the BF proof, the probability that we need to abort is 0, because we know beforehand the identity $ID^*$ the attacker wants to attack. That is the strangeness of the selective-ID model. In the next section we will see a cryptosystem that uses a less restrictive assumption.

To complete the proof, say that the probability of success of the BB attacker is $\frac{1}{2} + \epsilon$, where $\epsilon$ is not negligible. Then the probability of solving DBDH is:

$$\Pr(\text{success}) = \Pr(\text{success} \mid T = e(g,g)^{abc}) \Pr(T = e(g,g)^{abc}) + \Pr(\text{success} \mid T = R) \Pr(T = R) = \left(\tfrac{1}{2} + \epsilon\right)\tfrac{1}{2} + \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{1}{2} + \tfrac{\epsilon}{2}$$

3 Waters 05 System

As we mentioned in the above proof, the selective-ID model imposes a very strong assumption on the proof of security. That is, the attacker picks only one identity to attack at the very beginning and notifies everyone about it. In order to make a weaker assumption we partition the identity space into two sets: the challenge space and the rest. The special identities the attacker is allowed to attack lie in the challenge space. If she asks for a private key for one of them, we abort. For all the others we provide her with the secret keys. Hopefully in the end she will attack one special ID. Supposing that the attacker makes $Q$ private key queries, the challenge space's size is $1/Q$ of the whole identity space. The cryptosystem is the following:

3.1 System

We assume that each identity is an element of $\{0, 1\}^n$, i.e. an $n$-bit integer. The following is the Setup phase for the Waters IBE system. The algorithms for Encrypt, Decrypt and KeyGen are exactly the same as in the Boneh-Boyen system.

Setup

1. Pick two random $a, b \in \mathbb{Z}_p$.
2. Pick $n + 2$ random elements from a group $G$ of prime order $p$: $g, h, u_1, u_2, \ldots, u_n$.
3. The public parameters are $PP = (g, e(g,g)^{ab}, h, u_1, u_2, \ldots, u_n)$, where $e(g,g)^{ab} \in G_T$.
4. Suppose each ID consists of the bits $ID = (ID_1, ID_2, \ldots, ID_n)$. Then we define $f(ID) = h \prod_{i=1}^{n} u_i^{ID_i}$.
5. The master secret key is $MSK = g^{ab}$, as in the BB system.
3.2 Proof of Security (Sketch)

Theorem 3. (Waters IBE) Decisional-BDH is hard $\Rightarrow$ Waters IBE is CPA Q-selective-ID secure (where by Q-selective-ID we mean that the attacker can attack only IDs in the challenge space of size $1/Q$).

Sketch of Proof. As before, the security of the system is based on the DBDH assumption. That is, we are given a tuple $g$, $A = g^a$, $B = g^b$, $C = g^c$, $T$ and we try to decide whether $T = e(g,g)^{abc}$ using an attacker on the cryptosystem. This adversary is now allowed to make $Q$ private key queries for identities and attack some other identity. $Q$ is known to us from the beginning.

The setup phase we do is the following. For every $i$ from 1 to $n$ ($n$ is the number of bits of every ID) we choose a random $x_i \in \{0, 1, \ldots, cQ\}$ where $c$ is a constant (c 8). Also we choose a random $y_i \in \mathbb{Z}_p$. From these we calculate each $u_i$ for the cryptosystem as $u_i = A^{x_i} g^{y_i}$. Remember $A = g^a$. We choose a random $z \in \{0, 1, \ldots, n\}$ and a random $y \in \mathbb{Z}_p$. We define $h = A^{-Qz} g^y$. According to the cryptosystem the function $f(ID)$ is the following:

$$f(ID) = h \prod_{i=1}^{n} u_i^{ID_i} = A^{t(ID)} g^{w(ID)}$$

where

$$t(ID) = -Qz + \sum_i ID_i x_i$$

$$w(ID) = y + \sum_i ID_i y_i$$

The assertion we make now is that when $t(ID) = 0$ the identity ID is in the challenge space, and when $t(ID) \neq 0$ it is inside the private space. The high-level argument for that assertion is that $Qz$ comes in multiples of $Q$. Therefore, when we pick $n$ random elements $ID_i$ from the identity space, the probability that $\sum_i ID_i x_i$ is also a multiple of $Q$ is less than $1/Q$. That is the relative size of the challenge space. The probability that $t(ID) \neq 0$ for a random identity is $1 - \frac{1}{Q}$. Using these ideas it is provable that the cryptosystem is secure.

4 Crypto Attack Exercise

Try to break a Boneh-Franklin encryption where the public key is $PK = (g, g^y)$ and the secret key for identity ID is $SK_{ID} = H(ID)^y$, where the Boneh-Boyen function $H(ID) = f(ID) = u^{ID} h$ is used; or prove that this system is secure.
Solution

The proposed system is not secure, because we can do the following to acquire the secret key of any identity $ID^*$ we want (provided we can acquire at least two secret keys for other identities):

1. We request the secret keys for two identities $ID_1$, $ID_2$ different from $ID^*$. These are $X_1 = f(ID_1)^y = (u^{ID_1} h)^y$ and $X_2 = (u^{ID_2} h)^y$.
2. We calculate the following quantity:
   $$Q_1 = \left(\frac{X_1}{X_2}\right)^{\frac{1}{ID_1 - ID_2}} = \left(\frac{u^{ID_1 y} h^y}{u^{ID_2 y} h^y}\right)^{\frac{1}{ID_1 - ID_2}} = u^{\left(\frac{ID_1 - ID_2}{ID_1 - ID_2}\right) y} = u^y$$
3. We calculate
   $$Q_2 = \frac{X_1^{1/ID_1}}{Q_1} = \frac{u^y h^{y/ID_1}}{u^y} = h^{y/ID_1}$$
4. Finally we get $Q_3 = Q_2^{ID_1} = h^y$.

With the above we can find the secret key of $ID^*$ and decrypt his messages by

$$Q_1^{ID^*} Q_3 = (u^y)^{ID^*} h^y = H(ID^*)^y = SK_{ID^*}$$

References

[1] Brent Waters. Efficient Identity-Based Encryption Without Random Oracles. Proceedings of Eurocrypt 2005.
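The algebra of the exercise solution in Section 4, checked in a small prime-order group (an added example, not part of the original notes). No pairing is needed because the steps use only group operations; the toy parameters $q = 2039$, $p = 1019$, the identities and all function names are constructed for illustration.

```python
import secrets

Q_MOD, P_ORD = 2039, 1019   # constructed toy sizes: q = 2p + 1, both prime

def rand_elem():
    """Random non-identity element of the order-p subgroup (squares mod q)."""
    while True:
        x = pow(secrets.randbelow(Q_MOD - 2) + 2, 2, Q_MOD)
        if x != 1:
            return x

def root(x, e):
    """x^(1/e): exponents live in Z_p, so invert e modulo the group order p."""
    return pow(x, pow(e % P_ORD, -1, P_ORD), Q_MOD)

def div(x, z):
    """Group division x / z modulo q."""
    return x * pow(z, -1, Q_MOD) % Q_MOD

def sk(u, h, y, ident):
    """Key issued by the authority in the exercise: SK_ID = (u^ID * h)^y."""
    return pow(pow(u, ident, Q_MOD) * h % Q_MOD, y, Q_MOD)

def key_from_two(x1, id1, x2, id2, target):
    """Steps 2-4 of the solution, using only the two issued keys X1, X2."""
    q1 = root(div(x1, x2), id1 - id2)   # u^y
    q2 = div(root(x1, id1), q1)         # h^(y/ID1)
    q3 = pow(q2, id1, Q_MOD)            # h^y
    return pow(q1, target, Q_MOD) * q3 % Q_MOD

def demo():
    """True when the combined value equals the key the authority would issue."""
    u, h = rand_elem(), rand_elem()
    y = secrets.randbelow(P_ORD - 1) + 1          # authority's secret exponent
    id1, id2, target = 17, 42, 777                # constructed identities in Z_p
    derived = key_from_two(sk(u, h, y, id1), id1, sk(u, h, y, id2), id2, target)
    return derived == sk(u, h, y, target)
```

The relation holds because $SK_{ID} = u^{y \cdot ID} h^y$ is deterministic and linear in ID in the exponent; the Boneh-Boyen key from the review, $K_1 = g^{ab} f(ID)^r$, carries a fresh random $r$ for every key.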