The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions

Similar documents
CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Identity-based encryption

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Hierarchical identity-based encryption

Efficient Identity-Based Encryption Without Random Oracles

Secure and Practical Identity-Based Encryption

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Efficient Identity-based Encryption Without Random Oracles

Arbitrary-State Attribute-Based Encryption with Dynamic Membership

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography

Pairing-Based Cryptography An Introduction

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Efficient Selective Identity-Based Encryption Without Random Oracles

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

G Advanced Cryptography April 10th, Lecture 11

Searchable encryption & Anonymous encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

Cryptology. Scribe: Fabrice Mouhartem M2IF

New Constructions of Revocable Identity-Based Encryption from Multilinear Maps

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

Applied cryptography

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search

Boneh-Franklin Identity Based Encryption Revisited

New Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters

A Strong Identity Based Key-Insulated Cryptosystem

Hidden-Vector Encryption with Groups of Prime Order

Secure Certificateless Public Key Encryption without Redundancy

Instantiating the Dual System Encryption Methodology in Bilinear Groups

REMARKS ON IBE SCHEME OF WANG AND CAO

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Simple SK-ID-KEM 1. 1 Introduction

On the (Im)possibility of Projecting Property in Prime-Order Setting

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Cryptography from Pairings

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Provable security. Michel Abdalla

Advanced Topics in Cryptography

Type-based Proxy Re-encryption and its Construction

An Introduction to Pairings in Cryptography

Revocable Identity-Based Encryption from Lattices

T Advanced Course in Cryptology. March 28 th, ID-based authentication frameworks and primitives. Mikko Kiviharju

Constrained Pseudorandom Functions and Their Applications

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts

Gentry IBE Paper Reading

Notes for Lecture 17

Dynamic Key-Aggregate Cryptosystem on Elliptic Curves for Online Data Sharing

El Gamal A DDH based encryption scheme. Table of contents

Identity-Based Online/Offline Encryption

Introduction to Cryptography. Lecture 8

Recent Advances in Identity-based Encryption Pairing-based Constructions

Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts

Public Key Cryptography

A survey on quantum-secure cryptographic systems

CSC 774 Advanced Network Security

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

CSC 774 Advanced Network Security

New Framework for Secure Server-Designation Public Key Encryption with Keyword Search

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET

Short Signatures Without Random Oracles

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

An Efficient Broadcast Encryption Supporting Designation and Revocation Mechanisms

Lossy Trapdoor Functions and Their Applications

Bounded Ciphertext Policy Attribute Based Encryption

Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization

Delegation in Predicate Encryption Supporting Disjunctive Queries

Identity Based Encryption

Lecture 1: Introduction to Public key cryptography

Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time

Anonymous and Adaptively Secure Revocable IBE with Constant-Size Public Parameters

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)

An Efficient Cloud-based Revocable Identity-based Proxy Re-encryption Scheme for Public Clouds Data Sharing

Directly Revocable Key-Policy Attribute- Based Encryption with Verifiable Ciphertext Delegation

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Multi-key Hierarchical Identity-Based Signatures

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

Attribute-Based Encryption Optimized for Cloud Computing

Public-Key Cryptography. Public-Key Certificates. Public-Key Certificates: Use

Master s thesis, defended on June 20, 2007, supervised by Dr. Oleg Karpenkov. Mathematisch Instituut. Universiteit Leiden

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Unbounded HIBE and Attribute-Based Encryption

DATA PRIVACY AND SECURITY

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Adaptive Security of Compositions

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Public-Key Encryption: ElGamal, RSA, Rabin

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Discrete Logarithm Problem

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Transcription:

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin)

Provable Security How to show your cryptosystem is secure: Cryptosystem If Assumption Holds then Cryptosystem Secure Assumption Prove contrapositive

What if the Assumption is False? Cryptosystem Assumption Cannot reason about security Adversary can use the attack on assumption to break cryptosystem

How to Pick a Good Assumption? Increase the size of parameters e.g., RSA assumes factoring a large number into 2 primes is hard Factor: 77, 3869, 7269, Use a family of assumptions As you increase a parameter k you become more confident in the security of the assumption Example: k-linear [HK7, Sha7]

Family of Strictly Weaker Assumptions < < < < A k+ A A 2 A k An assumption A k+ is weaker than assumption A k, if If A k holds then so does A k+ (Breaking A k+ also breaks A k ) The assumption, A k+, is strictly weaker than assumption, A k, if A k+ is weaker than A k And an oracle for A k does not help break A k+

DDH Assumption Given < g, g a, g b, T > For some g, g a, g b, T G Does T =? g ab It is hard to compute a discrete log in a finite cyclic group G No polynomial time algorithm can achieve non-negligible advantage deciding

Bilinear Maps e: G G G T Bilinear: e g a, g b = e(g, g) ab for all a, b Z p Non-Degenerate: If g generates G, then e(g, g) Computable: e is efficiently computable on all input DDH does not hold for groups in which bilinear maps can be computed < g, g a, g b, T =? g ab > e g a, g b =? e(g, T)

DBDH Assumption How can we use DDH in bilinear groups? Given < g, g a, g b, g c, T > For some g, g a, g b, g c G and T G T Does T =? e(g, g) abc Hard to compute discrete log: in G and G T Bilinear maps have 2 inputs Can t undo a bilinear map No polynomial time algorithm can achieve non-negligible advantage deciding

Decision Linear (DLIN) Assumption How can we use DDH in settings where bilinear maps exist? Given < g, g s, g s 2, g s r, g s 2r 2, T > g, g s, g s 2, g s r, g s 2r 2, T G Does T =? g r +r 2 This is like 2 DDH problems: g, g s, g r, g s r It is hard to compute discrete logs Bilinear maps only pair 2 elements (not 3: g s, g s 2, g r +r 2 ) No polynomial time algorithm can achieve non-negligible advantage deciding, even in generic bilinear groups [BBS4] Only a decisional problem computationally same as DDH

k-linear Family of Assumptions k-linear generalizes the Linear Assumption -Linear is DDH 2-Linear is Linear Assumption For k Given < g, g s,, g s k, g s r,, g s kr k, T > g, g s,, g s k, g s r,, g s kr k, T G Does T =? g r + +r k This is like k DDH problems No polynomial time algorithm can achieve non-negligible advantage deciding Only a decisional problem computationally same as DDH

How are DLIN and DBDH Related? If DLIN holds, then so does DBDH < g, g s, g s 2, g s r, g s 2r 2, T =? g r +r 2 > DLIN Instance < g, g s, g s 2, T =? g r +r 2, e g s r, g s 2 e g s 2r 2, g s > = < g, g s, g s 2, T =? g r +r 2, e(g, g) (s s 2 )(r +r 2 ) > DBDH Decider [BW6]

Can extend DBDH to a Family of Assumptions? DLIN DDH DBDH Why? For k > 2 unclear how k-linear and DBDH are related k-linear only operates in the source group Example: Boneh-Boyen IBE the message is hidden in target group k-linear???? This is should be like k DBDH problems

Failed Attempt Given g, g a, g b, g s,, g s k, g s r,, g s kr k ε and T ε G T Does T? = e g, g s i abr i i = e g, g abs ir i i = e g, g ab(s r + +s k r k ) Embeds k DBDH instances: (g, g a, g b, g s ir i, e g, g ab(s ir i ) ) But is equivalent to DBDH: g, g a, g b, g s ir i i = g (s r + +s k r k ), T? = e g, g abs ir i i

k-bdh Assumption Given g, g a, g b, g s,, g s k, g s r,, g s kr k ε G and T ε G T Does T =? e g, g abr i i = e g s i, g s i (a s i )(b s i )r i i = e g, g ab(r + +r k ) Embeds k DBDH instances: (g s i, g a, g b, g s ir i,e g s i, g s i (a s i )(b s i )r i ) And is a family of strictly weaker assumptions!

A Family of Weaker Assumptions If the k-bdh assumption holds, so does the (k+)-bdh assumption g, g x, g y, v,, v k, v r,, v k r k, T =? e g, g xyr i k-bdh Instance i k v k+, r k+ Random Values < g, g x, g y r, v,, v k+, v r,, v k+ k+, T e(g x, g y ) r k+ =? e g, g xyr i i k+ (k+)-bdh Decider >

Evidence of a Family of Strictly Weaker Assumptions An oracle for k-bdh does not help in deciding a (k+)-bdh instance Similar to the separation proof of k-linear [Sha7] Generic Group Model [BS84,Nechaev94,Shoup97] Interact with adversary using an idealized version of groups Bound the probability of finding an inconsistency if actual groups were used Oracle to k-bdh is implemented as a modified k-multilinear map maps k elements in G and one element G T to an element group G M

Application: IBE Setup: Public parameters: g, u = g x, v = g s,, v k = g s r r k, v,, v k k, w,, w k Master key: s,, s k, r,, rk, x KeyGen(ID): Select random n,, n k Z p For each i k output K A,i, K B,i = (g xr i w i u ID n i, vi n i ) Encrypt (m, ID): Select random y,, y k Z p Output C = m e g x, v i r i i k y i For each i k output C A,i, C B,i = (v i yi, w i u ID y i ) Decrypt(c): C i k e(k B,i,C B,i ) i k e(k A,i,C A,i ) = m e gx,v i r i y i i k e(v i n i, w i u ID y i i k ) i k e(gxr i w i uid n i,vi yi ) = m

Conclusions Goal: Introduction the k-bdh Family of Assumptions Relationship to standard assumptions (DDH, k-linear, DBDH) It is a family of strictly weaker assumptions Usable: We construct an IBE in the Boneh-Boyen Framework Future Work IBE construction grows with k (public parameters, keys, encryption) Different applications http://eprint.iacr.org/22/687

Efficient Delegation of Key Generation and Revocation Functionalities in Identity-Based Encryption Jae Hong Seo Myongji University, Republic of Korea Session ID: Session Classification: CRYP-F4 Intermediate

Identity Based Encryption Publish mpk ABC University user@abc.edu time download Issue DK Sender Enc(mpk,, M) User

Revocation Functionality in Identity-Based Encryption Publish mpk ABC University user@abc.edu time download If user leaves the system (by expiration of contract) or user s secret key is leaked (by hacking) and so he want to obtain other secret key? KGC should revoke user s secret key!! (and issues a new key if needed) Sender user

Trivial Approach for Revocation Functionality in IBE Publish mpk ABC University user@abd.edu time download Issue DK,T Sender Enc(mpk,, T, M) User

Trivial Approach for Revocation Functionality in IBE user@abc.edu Publish mpk ABC University time download Revoke DK,T Issue DK,T user2@abc.edu Sender User2 User

Trivial Approach for Revocation Functionality in IBE user@abc.edu Publish mpk ABC University time download Revoke DK,T Issue DK,T user2@abc.edu KGC s role: Issuing/Revoking secret keys Excessive workload for a single KGC Sender User2 User

Our Goal: Delegation of KGC s Roles (Key Generation & Revocation) Publish mpk ABC University time download ABC, Science ABC, Law ABC, Science, Math ABC, Science, Math, prof. Emura

Our Goal: Delegation of KGC s Roles (Key Generation & Revocation) Publish mpk ABC University time download Efficient Key Generation & Revocation ABC, Science Efficient Key Generation & Revocation ABC, Science, Math Efficient Key Generation & Revocation ABC, Science, Math, prof. Emura ABC, Law

Outline Previous Approaches Revocable Symmetric Key Encryption: Broadcast Encryption Revocable Identity-Based Encryption Trivial Approach Exponentially large secret key Our Approach Asymmetric trade Further Study

Broadcast Encryption (BE) Technique Each node has the corresponding key. KEY KEY KEY KEY KEY u u 2 u 3 u 4 u 5 u 6 u 7 u 8 We consider a binary tree kept by KGC

Broadcast Encryption (BE) Technique u u 2 u 3 u 4 u 5 u 6 u 7 u 8 U 3 has secret keys on the path to the root node

Broadcast Encryption (BE) Technique If u 3, u 4, and u 6 are revoked, first compute triangles containing only non-revoked users. u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked

Broadcast Encryption (BE) Technique Encrypt a session key using KEY, KEY, KEY. Then, only non-revoked user can recover the session key. # of triangles ~ log N (where N is # of leaf nodes) u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked

Revocable IBE: Combining BE technique with IBE scheme Publish mpk ABC University KGC Issue SK time download Size of KU T is logn. KU T Each time period download Enc(mpk,, T, M) Sender user

Revocable IBE: Combining BE technique with IBE scheme Publish mpk ABC University KGC Issue SK time download Size of KU T is logn. KU T Each time period download Enc(mpk,, T, M) Sender user

Revocable IBE: Combining BE technique with IBE scheme Key Revocation Key Generation u u 2 u 3 u 4 u 5 u 6 u 7 u 8 u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked Whenever a user is registered in the system, the user is assigned in the leaf node of binary tree.

Revocable IBE: Combining BE technique with IBE scheme u u 2 u 3 u 4 u 5 u 6 u 7 u 8 u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Key Update Information related to time T Secret Key related to the identity of u 2

Revocable IBE: Combining BE technique with IBE scheme Since u 2 has both related to the same node, u 2 can create a decryption key related to both his identity and time u u 2 u 3 u 4 u 5 u 6 u 7 u 8 u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Key Update Information related to time T Secret Key related to the identity of u 2

Revocable IBE: Combining BE technique with IBE scheme Publish mpk ABC University KGC Issue SK time download Size of KU T is logn. KU T Each time period download Sender Enc(mpk,, T, M) Only non-revoked users can generate a decryption key dk, T from KU T and SK user

Trivial Approach for Our Goal ABC, Science, Math, Prof. Emura ABC, Law ABC, Science Hierarchical Structure for Key Generation ABC University

Trivial Approach Binary Tree for Revocation (managed by KGC) ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Science ABC, Law ABC, Science, Math, Prof. Emura

Trivial Approach Binary Tree for Revocation Binary Tree for Revocation (managed by KGC) (managed by College) Science u 2 u 3 u 4 u 5 u 6 u 7 Law Math u 2 u 3 u 4 u 5 u 6 u 7 ABC, Science ABC, Law ABC, Science, Math, Prof. Emura

Trivial Approach Binary Tree for Revocation Binary Tree for Revocation (managed by KGC) (managed by College) Binary Tree for Revocation (managed by Department) Math u 2 u 3 u 4 u 5 u 6 u 7 NICT, NSRI Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Law Emura u 2 u 3 u 4 u 5 u 6 u 7 ABC, Science, Math, Prof. Emura

Trivial Approach ABC University Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Science ABC Science needs to store log N size secret keys ABC, Science, Math, prof. Emura

Key Update for time period T (managed by KGC) Trivial Approach Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Science ABC Science needs to store log N size secret keys ABC, Science, Math, prof. Emura

Key Update for time period T (managed by KGC) Science Trivial is not revoked Approach on time T. () It can create a decryption key relate to its identity & time T. (2) It can generate Key Update for its children. Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Science ABC,WNRI Science needs to store log N size secret keys ABC, Science, Math, prof. Emura

Key Update for time period T (managed by KGC) Trivial Approach Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law Key Update for T (managed by Science) Math u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC, Science ABC Math u 2 u 3 u 4 u 5 u 6 u 7 Science needs to store log N size secret keys Binary Tree for Revocation (managed by Science)

Key Update for time period T (managed by KGC) Trivial Approach Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law Key Update for T (managed by Science) Does Science need log N size secret key? Math u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC, Science A Math u 2 u 3 u 4 u 5 u 6 u 7 Science needs to store log N size secret keys Binary Tree for Revocation (managed by Science)

Key Update for time period T (managed by KGC) Trivial Approach Therefore, children should have (logn) 2 subkeys. ABC, Science No! The parent (Science) has log N size secret key and one subkey is used for each time period. A child (Math) does not know which Science subkey u 2 u will 3 ube 4 uused 5 u 6 ufor 7 each u 8 time period. Key Update for T keys (managed by Science) Math u 2 u 3 u 4 u 5 u 6 u 7 u 8 Does SAL need log N size secret key? n-th level user has (logn) n size secret ABC University Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 Law A,WNRI Science needs to store log N size secret keys Binary Tree for Revocation (managed by Science) Math u 2 u 3 u 4 u 5 u 6 u 7

Trivial Approach

Our Approach Asymmetric Trade Product Product

Our Approach Asymmetric Trade Technically difficult part: Separated subkeys do not leak any information. To this end, we used several re-randomization Product techniques. Product

Our Result We propose the first practical RHIBE scheme Our scheme is based on Boneh-Boyen HIBE scheme The size of secret key is O(l 2 log N), where l is user s level. We proved that the proposed scheme satisfies a weaker security notion such as selective security notion.

Further Study Fully secure RHIBE Different revocation method, such as Subset Difference Revocation methodology in functional encryption

Thanks!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback