Identity-based encryption

Similar documents
Searchable encryption & Anonymous encryption

Hierarchical identity-based encryption

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Applied cryptography

Efficient Identity-based Encryption Without Random Oracles

Efficient Identity-Based Encryption Without Random Oracles

Secure and Practical Identity-Based Encryption

REMARKS ON IBE SCHEME OF WANG AND CAO

Boneh-Franklin Identity Based Encryption Revisited

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Simple SK-ID-KEM 1. 1 Introduction

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

A Strong Identity Based Key-Insulated Cryptosystem

Cryptology. Scribe: Fabrice Mouhartem M2IF

Pairing-Based Cryptography An Introduction

Secure Certificateless Public Key Encryption without Redundancy

G Advanced Cryptography April 10th, Lecture 11

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Provable security. Michel Abdalla

Efficient Selective Identity-Based Encryption Without Random Oracles

Gentry IBE Paper Reading

Short Signatures Without Random Oracles

1 Number Theory Basics

Identity Based Encryption

Type-based Proxy Re-encryption and its Construction

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts

Better Security for Functional Encryption for Inner Product Evaluations

Public-Key Cryptography. Public-Key Certificates. Public-Key Certificates: Use

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Recent Advances in Identity-based Encryption Pairing-based Constructions

Identity Based Key Encapsulation with Wildcards

5.4 ElGamal - definition

Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions

Hidden-Vector Encryption with Groups of Prime Order

T Advanced Course in Cryptology. March 28 th, ID-based authentication frameworks and primitives. Mikko Kiviharju

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Public Key Cryptography

On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)

Cryptography from Pairings

The Cramer-Shoup Cryptosystem

Identity-Based Online/Offline Encryption

Short Exponent Diffie-Hellman Problems

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

The Twin Diffie-Hellman Problem and Applications

Direct Chosen-Ciphertext Secure Identity-Based Key Encapsulation without Random Oracles

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

Remove Key Escrow from The Identity-Based Encryption System

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

ASYMMETRIC ENCRYPTION

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

New Anonymity Notions for Identity-Based Encryption

Secure Identity Based Encryption Without Random Oracles

CS 6260 Applied Cryptography

An Introduction to Pairings in Cryptography

Theoretical Computer Science. Direct chosen-ciphertext secure identity-based key encapsulation without random oracles

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography

Advanced Topics in Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4)

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

Stronger Public Key Encryption Schemes

Semantic Security and Indistinguishability in the Quantum World

CPA-Security. Definition: A private-key encryption scheme

Secure Identity Based Encryption Without Random Oracles

Symmetric Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Certificateless Signcryption without Pairing

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Notes on Property-Preserving Encryption

5199/IOC5063 Theory of Cryptology, 2014 Fall

From Selective to Full Security: Semi-Generic Transformations in the Standard Model

Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles

Delegation in Predicate Encryption Supporting Disjunctive Queries

Recent Advances in Identity-based Encryption Pairing-free Constructions

Multi-key Hierarchical Identity-Based Signatures

Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time

Lecture Note 3 Date:

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Decentralizing Inner-Product Functional Encryption

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider

RSA-OAEP and Cramer-Shoup

Privacy-aware Attribute-based Encryption with User Accountability

On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

Notes for Lecture 17

Non-interactive Zaps and New Techniques for NIZK

Transcription:

Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43

Identity-based encryption (IBE) Goal: Allow senders to encrypt messages based on the receiver s identity. Key distribution center Key Setup msk Key Derivation ID mpk sk ID ID, M Encryption C Decryption M Sender Receiver ID Michel Abdalla (ENS & CNRS) Identity-based encryption 2 / 43

IBE properties Generalization of public-key encryption User public key can be an arbitrary string (e.g., email address) One system-wide public key for all users Encryption can be performed using system-wide public key and users identity Users need to contact a key generation center to obtain their secret keys Michel Abdalla (ENS & CNRS) Identity-based encryption 3 / 43

Outline 1 Introduction 2 IBE definition [Sha84, BF03] Syntax Security notions 3 Complexity Assumptions 4 IBE schemes Boneh-Boyen IBE [BB04] Boneh-Franklin IBE [BF03] 5 References Michel Abdalla (ENS & CNRS) Identity-based encryption 4 / 43

Identity-based encryption (IBE) An IBE scheme is defined by four algorithms: Setup(1 k ): Outputs a master public key mpk and a master secret key msk. KeyDer(msk, id): Uses the master secret key msk to compute a secret key sk id for the user with identity id. Enc(mpk, id, m): Generates a ciphertext C for identity id and message m using master public key mpk. Dec(C, sk id ): Allows the user in possession of sk id to decrypt the ciphertext C to get back a message m. Michel Abdalla (ENS & CNRS) Identity-based encryption 5 / 43

IBE security notions In the following slides, we consider two different types of attacks (adaptive-identity vs. selective-identity) and two security goals (indistinguishability and anonymity) notions of security for IBE schemes. Indistinguishability The adversary s goal is to distinguish Enc(mpk, id, m 0 ) from Enc(mpk, id, m 1 ) for values id 1, m 0,m 1 of its choice. Anonymity The adversary s goal is to distinguish Enc(mpk, id 0, m) from Enc(mpk, id 1, m) for values id 0, id 1, m of its choice. Adaptive-identity chosen-plaintext attacks In this model, the adversary is allowed to choose the challenge identity values at the time that it asks the challenge query. Selective-identity chosen-plaintext attacks In this model, the adversary has to choose the challenge identity values before seeing the public key. Michel Abdalla (ENS & CNRS) Identity-based encryption 6 / 43

IND-ID-CPA: Indistinguishability under chosen-plaintext attacks Let IBE = (Setup, KeyDer, Enc, Dec) be an identity-based encryption scheme. Let A be an adversary against the IND-ID-CPA security of IBE. proc Initialize(k) (mpk, msk) R Setup(1 k ) Return mpk proc KeyDer(id) R sk id KeyDer(msk, id) Return sk id Game Exp ind-cpa-β A,IBE (k) proc LR(id, m 0, m 1 ) C R Enc(mpk, id, m β ) Return C proc Finalize(β ) Return β The advantage of A against the IND-ID-CPA security of IBE is defined as [ ] [ ] Adv ind-cpa A,IBE (k) = Pr Exp ind-cpa-1 A,IBE (k) = 1 Pr Exp ind-cpa-0 A,IBE (k)) = 1 Michel Abdalla (ENS & CNRS) Identity-based encryption 7 / 43

IND-ID-CPA: An alternative definition Let IBE = (Setup, KeyDer, Enc, Dec) be an identity-based encryption scheme. Let A be an adversary against the IND-ID-CPA security of IBE. proc Initialize(k) β R {0, 1} (mpk, msk) R Setup(1 k ) Return mpk proc KeyDer(id) R sk id KeyDer(msk, id) Return sk id Game Exp ind-cpa A,IBE (k) proc LR(id, m 0, m 1 ) C R Enc(mpk, id, m β ) Return C proc Finalize(β ) Return (β = β) The advantage of A against the IND-ID-CPA security of IBE is defined as [ ] Adv ind-cpa A,IBE (k) = 2 Pr Exp ind-cpa A,IBE (k) = true 1 Michel Abdalla (ENS & CNRS) Identity-based encryption 8 / 43

IND-sID-CPA: Indistinguishability under selective-identity chosen-plaintext attacks Let IBE = (Setup, KeyDer, Enc, Dec) be an identity-based encryption scheme. Let A be an adversary against the IND-sID-CPA security of IBE. proc Initialize(k, id ) (mpk, msk) R Setup(1 k ) Return mpk proc KeyDer(id) R sk id KeyDer(msk, id) Return sk id Game Exp s-ind-cpa-β A,IBE (k) proc LR(m 0, m 1 ) C R Enc(mpk, id, m β ) Return C proc Finalize(β ) Return β The advantage of A against the IND-sID-CPA security of IBE is defined as [ ] [ ] Adv s-ind-cpa A,IBE (k) = Pr Exp s-ind-cpa-1 A,IBE (k) = 1 Pr Exp s-ind-cpa-0 A,IBE (k)) = 1 Michel Abdalla (ENS & CNRS) Identity-based encryption 9 / 43

IND-sID-CPA: An alternative definition Let IBE = (Setup, KeyDer, Enc, Dec) be an identity-based encryption scheme. Let A be an adversary against the IND-sID-CPA security of IBE. proc Initialize(k, id ) β R {0, 1} (mpk, msk) R Setup(1 k ) Return mpk proc KeyDer(id) R sk id KeyDer(msk, id) Return sk id Game Exp s-ind-cpa A,IBE (k) proc LR(m 0, m 1 ) C R Enc(mpk, id, m β ) Return C proc Finalize(β ) Return (β = β) The advantage of A against the IND-sID-CPA security of IBE is defined as [ ] Adv s-ind-cpa A,IBE (k) = 2 Pr Exp s-ind-cpa A,IBE (k) = true 1 Michel Abdalla (ENS & CNRS) Identity-based encryption 10 / 43

ANO-ID-CPA: Anonymity under chosen-plaintext attacks Let IBE = (Setup, KeyDer, Enc, Dec) be an identity-based encryption scheme. Let A be an adversary against the ANO-ID-CPA security of IBE. proc Initialize(k) (mpk, msk) R Setup(1 k ) Return mpk proc KeyDer(id) R sk id KeyDer(msk, id) Return sk id Game Exp ano-cpa-β A,IBE (k) proc LR(id 0, id 1, m ) C R Enc(mpk, id β, m ) Return C proc Finalize(β ) Return β The advantage of A against the ANO-ID-CPA security of IBE is defined as [ ] [ ] Adv ano-cpa A,IBE (k) = Pr Exp ano-cpa-1 A,IBE (k) = 1 Pr Exp ano-cpa-0 A,IBE (k)) = 1 Michel Abdalla (ENS & CNRS) Identity-based encryption 11 / 43

ANO-sID-CPA: Anonymity under selective-identity chosen-plaintext attacks Let IBE = (Setup, KeyDer, Enc, Dec) be an identity-based encryption scheme. Let A be an adversary against the ANO-sID-CPA security of IBE. proc Initialize(k) Game Exp s-ano-cpa-β A,IBE (k) (mpk, msk) R Setup(1 k, id 0, id 1) Return mpk proc KeyDer(id) R sk id KeyDer(msk, id) Return sk id proc LR(m ) C R Enc(mpk, id β, m ) Return C proc Finalize(β ) Return β The advantage of A against the ANO-sID-CPA security of IBE is defined as [ ] [ ] Adv s-ano-cpa A,IBE (k) = Pr Exp s-ano-cpa-1 A,IBE (k) = 1 Pr Exp s-ano-cpa-0 A,IBE (k)) = 1 Michel Abdalla (ENS & CNRS) Identity-based encryption 12 / 43

Outline 1 Introduction 2 IBE definition [Sha84, BF03] Syntax Security notions 3 Complexity Assumptions 4 IBE schemes Boneh-Boyen IBE [BB04] Boneh-Franklin IBE [BF03] 5 References Michel Abdalla (ENS & CNRS) Identity-based encryption 13 / 43

Computational Diffie-Hellman (CDH) Let G be a finite cyclic group of prime order p. Let A be an adversary against the CDH problem in a group G. proc Initialize(G) g R G x R Z p ; X g x y R Z p ; Y g y Return (G, g, X, Y ) Game Exp cdh G (A) proc Finalize(Z) Return (Z = g xy ) The advantage of A against the CDH problem is defined as [ ] Adv cdh G (A) = Pr Exp cdh G (A) = true Michel Abdalla (ENS & CNRS) Identity-based encryption 14 / 43

Decisional Diffie-Hellman (DDH) Let G be a finite cyclic group of prime order p. Let A be an adversary against the CDH problem in a group G. Game ExpG ddh-0 (A) proc Initialize(G) g R G x R Z p ; X g x y R Z p ; Y g y z ab mod p ; Z g z Return (G, g, X, Y, Z) proc Finalize(β ) Return (β = 1) Game ExpG ddh-1 (A) proc Initialize(G) g R G x R Z p ; X g x y R Z p ; Y g y z R Z p ; Z g z Return (G, g, X, Y, Z) proc Finalize(β ) Return (β = 1) The advantage of A in solving the DDH problem is defined as [ ] [ ] Adv ddh G (A) = Pr Exp ddh-0 G (A) = true Pr Exp ddh-1 G (A) = true Michel Abdalla (ENS & CNRS) Identity-based encryption 15 / 43

Bilinear Diffie-Hellman (BDH) Let G be a pairing parameter generator. Let A be an adversary against the BDH problem relative to G. proc Initialize(1 k ) (G, G T, p, ê) R G(1 k ) g R G a R Z p ; A g a b R Z p ; B g b c R Z p ; C g b Return (G, g, A, B, C) Game Exp bdh G,k (A) proc Finalize(Z) Return (Z = ê(g, g) abc ) The advantage of A against the BDH problem relative to G is defined as [ ] Adv bdh G,k (A) = Pr Exp bdh G,k (A) = true Michel Abdalla (ENS & CNRS) Identity-based encryption 16 / 43

Bilinear Decisional Diffie-Hellman (BDDH) Let G be a pairing parameter generator. Let A be an adversary against the BDDH problem relative to G. Game Exp bddh-0 G,k (A) proc Initialize(1 k ) (G, G T, p, ê) R G(1 k ) g R G a R Z p ; A g a b R Z p ; B g b c R Z p ; C g b z abc mod p ; Z ê(g, g) z Return (G, g, A, B, C, Z) proc Finalize(β ) Return (β = 1) Game Exp bddh-1 G,k (A) proc Initialize(1 k ) (G, G T, p, ê) R G(1 k ) g R G a R Z p ; A g a b R Z p ; B g b c R Z p ; C g b z R Z p ; Z ê(g, g) z Return (G, g, A, B, C, Z) proc Finalize(β ) Return (β = 1) The advantage of A in solving the BDDH problem is defined as [ ] [ ] Adv bddh G,k (A) = Pr Exp bddh-0 G,k (A) = true Pr Exp bddh-1 G,k (A) = true Michel Abdalla (ENS & CNRS) Identity-based encryption 17 / 43

Outline 1 Introduction 2 IBE definition [Sha84, BF03] Syntax Security notions 3 Complexity Assumptions 4 IBE schemes Boneh-Boyen IBE [BB04] Boneh-Franklin IBE [BF03] 5 References Michel Abdalla (ENS & CNRS) Identity-based encryption 18 / 43

Boneh-Boyen IBE scheme (BB1) Setup(1 k ): (G, G T, p, ê) R G(1 k ) g R G a R Z p ; A g a b R Z p ; B g b h R Z p ; H g h mpk (g, A, B, H, G, G T, p, ê) msk g ab return (mpk, msk) KeyDer(msk, id): R r Z p usk 1 g r usk 2 msk (B id H ) r return (usk 1, usk 2 ) Enc(mpk, id, m): t R Z p ; C 1 g t C 2 ( B id H ) t K ê(a, B) t C 3 m K return (C 1, C 2, C 3 ) Dec(usk, C): parse usk as (usk 1, usk 2 ) parse C as (C 1, C 2, C 3 ) K ê(usk 2, C 1 )/ê(usk 1, C 2 ) m C 3 /K return m Michel Abdalla (ENS & CNRS) Identity-based encryption 19 / 43

Correctness of BB1 IBE scheme For a valid ciphertext, we have: K = ê(usk 2, C 1 )/ê(usk 1, C 2 ) = ê(msk (B id H ) r, g t )/ê(g r, ( B id H ) t ) = ê(g ab (B id H ) r, g t )/ê(g r, ( B id H ) t ) = ê(g ab, g t ) ê( ( B id H ) r, g t )/ê(g r, ( B id H ) t ) = ê(g a, g b ) t ê( ( B id H ), g) rt /ê(g, ( B id H ) ) rt = ê(a, B) t = K Michel Abdalla (ENS & CNRS) Identity-based encryption 20 / 43

BDDH security of BB1 IBE scheme Theorem Let BB1 refer to the Boneh-Boyen IBE scheme described above, G be a pairing parameter generator, and A be an adversary against IND-sID-CPA security of BB1, making at most a single query to the LR procedure. Then, there exists an adversary B against the BDDH problem relative to G, whose running time is that of A and such that Adv s-ind-cpa A,BB1 (k) 2 Adv bddh G,k (B). Michel Abdalla (ENS & CNRS) Identity-based encryption 21 / 43

Security proof of BB1 scheme Proof will define a sequence of five games (G 0,..., G 4 ). For simplicity, we assume that mpk = (g, A, B, H) and omit the other values. We also omit the pairing parameter generation in procedure Initialize. G 0 This game is the real attack game against BB1. G 1 We change the computation of H so that B id H = g α for a random α. G 2 We change the simulation of the key derivation procedure KeyDer so that the game answers these queries without the knowledge of the master secret key. G 3 We change the simulation of the LR procedure so that C 2 = C 1 α. That is, we don t need to know t to compute it. G 4 We change the simulation of the LR procedure so that K is chosen uniformly at random. Michel Abdalla (ENS & CNRS) Identity-based encryption 22 / 43

Game G 0 proc Initialize(k, id ) β R {0, 1} g R G a R Z p ; A g a b R Z p ; B g b h R Z p ; H g h mpk (g, A, B, H) msk g ab Return mpk proc Finalize(β ) Return (β = β) Game G A 0 proc LR(m 0, m 1 ) t R Z p ; C 1 g t C 2 (Bid H) t K ê(a, B) t C 3 m β K Return (C 1, C 2, C 3 ) proc KeyDer(id) R r Z p ; usk 1 g r usk 2 g ab (B id H) r Return (usk 1, usk 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 23 / 43

Game G 1 proc Initialize(k, id ) β R {0, 1} g R G a R Z p ; A g a b R Z p ; B g b Game G A 1 α R Z p ; H B id g α mpk (g, A, B, H) msk g ab Return mpk proc Finalize(β ) Return (β = β) proc LR(m 0, m 1 ) t R Z p ; C 1 g t C 2 (Bid H) t K ê(a, B) t C 3 m β K Return (C 1, C 2, C 3 ) proc KeyDer(id) R r Z p ; usk 1 g r usk 2 g ab (B id H) r Return (usk 1, usk 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 24 / 43

Game G 2 Game G A 2 proc Initialize(k, id ) β R {0, 1} g R G a R Z p ; A g a b R Z p ; B g b α R Z p ; H B id g α mpk (g, A, B, H) msk g ab Return mpk proc Finalize(β ) Return (β = β) proc LR(m 0, m 1 ) t R Z p ; C 1 g t C 2 (Bid H) t K ê(a, B) t C 3 m β K Return (C 1, C 2, C 3 ) proc KeyDer(id) r R Z p ; usk 1 g r A 1/(id id ) usk 2 A α/(id id ) id (B H) r Return (usk 1, usk 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 25 / 43

Game G 3 proc Initialize(k, id ) β R {0, 1} g R G a R Z p ; A g a b R Z p ; B g b α R Z p ; H B id g α mpk (g, A, B, H) msk g ab Return mpk proc Finalize(β ) Return (β = β) Game G A 3 proc LR(m0, m 1 ) t R Z p ; C 1 g t α C2 C 1 K ê(a, B) t C3 m β K Return (C1, C 2, C 3 ) proc KeyDer(id) R r Z p ; usk 1 g r A 1/(id id ) usk 2 A α/(id id ) id (B H) r Return (usk 1, usk 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 26 / 43

Game G 4 proc Initialize(k, id ) β R {0, 1} g R G a R Z p ; A g a b R Z p ; B g b α R Z p ; H B id g α mpk (g, A, B, H) msk g ab Return mpk proc Finalize(β ) Return (β = β) Game G A 4 proc LR(m0, m 1 ) t R Z p ; C1 g t C2 C 1 α K R G C 3 m β K Return (C 1, C 2, C 3 ) proc KeyDer(id) R r Z p ; usk 1 g r A 1/(id id ) usk 2 A α/(id id ) id (B H) r Return (usk 1, usk 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 27 / 43

Probability analysis Claim 1 Adv s-ind-cpa A,BB1 (k) = 2 Pr [ G A 0 = true ] 1 Claim 2 Pr [ G A 1 = true ] = Pr [ G A 0 = true ] Claim 3 Pr [ G A 2 = true ] = Pr [ G A 1 = true ] Claim 4 Pr [ G A 3 = true ] = Pr [ G A 2 = true ] Claim 5 Pr [ G A 4 = true ] Pr [ G A 3 = true ] Adv bddh G,k (B) Claim 6 Pr [ G A 4 = true ] = 1/2 It s straightforward to verify that the security theorem follows from the claims above. Michel Abdalla (ENS & CNRS) Identity-based encryption 28 / 43

Proof of Claims 1, 2, 4, and 6 Claim 1 follows the security definition. Claim 2 follows from the fact that H is still uniformly distributed in G. Claim 4 follows from the fact that C 2 C 2 = (B id H) t = (B id B id g α ) t = g αt = C 1 α is still being correctly computed. Claim 6 follows from the fact that A has no information about β in G 4. Michel Abdalla (ENS & CNRS) Identity-based encryption 29 / 43

Proof of Claim 3 Claim 3 follows from the fact that (usk 1, usk 2 ) is still a valid random secret key for user id, where r is being implicitly set to r a/(id id ). usk 1 = g r = g r a/(id id ) = g r g a/(id id ) = g r A 1/(id id ) usk 2 = g ab (B id H) r = g ab (B id H) a/(id id ) id (B H) r = g ab (B id B id g α ) a/(id id ) id (B H) r = g ab (g b(id id ) g α ) a/(id id ) id (B H) r = g ab g ab g aα/(id id ) id (B H) r = A α/(id id ) id (B H) r Michel Abdalla (ENS & CNRS) Identity-based encryption 30 / 43

Proof of Claim 5 In order to prove Claim 5, we need to build an adversary B against the BDDH problem. Let (G, g, A, B, C, Z) be the input of B. To simulate procedure Initialize, B chooses α at random, sets H = B id g α and returns mpk = (g, A, B, H) as the public key. When simulating procedure LR, B sets C 1 = C, C 2 = C 1 α, and K = Z. B simulates procedures KeyDer and Finalize exactly as in G 3. When B is being executed in Game Exp bddh-0 G,k (B), B simulates G 3 to A. That is, Pr [ G A 3 = true ] = Pr [ Exp bddh-0 G,k (B) = true ]. When B is being executed in Game Exp bddh-1 G,k (B), B simulates G 4 to A. That is, Pr [ G A 4 = true ] = Pr [ Exp bddh-1 G,k (B) = true ]. The claim follows. Michel Abdalla (ENS & CNRS) Identity-based encryption 31 / 43

Boneh-Franklin BasicIdent IBE scheme Let G be a pairing parameter generator. Let H : {0, 1} G be a random oracle. Setup(1 k ): (G, G T, p, ê) R G(1 k ) g R G ; s R Z p ; S g s msk s mpk ((G, G T, p, ê), S, H) return (mpk, msk) Enc(mpk, id, m): R r Z p ; C 1 g r Q id H(id) ; K (ê(s, Q id )) r C 2 m K return (C 1, C 2 ) KeyDer(msk, id): Q id H(id) usk Q s id return (usk) Dec(usk, C): parse C as (C 1, C 2 ) K ê(c 1, usk) m C 2 /K return m Michel Abdalla (ENS & CNRS) Identity-based encryption 32 / 43

BDDH security of Boneh-Franklin BasicIdent IBE scheme Theorem Let BF refer to the Boneh-Franklin BasicIdent IBE scheme in the previous slide, G be a pairing parameter generator, and A be an adversary against IND-ID-CPA security of BF, making at most q H queries to the random oracle H and at most a single query to the LR procedure. Then, there exists an adversary B against the BDDH problem relative to G, whose running time is that of A and such that Adv ind-cpa A,BF (k) 2 q H Adv bddh G,k (B). Michel Abdalla (ENS & CNRS) Identity-based encryption 33 / 43

Security proof of BF scheme Proof will define a sequence of five games (G 0,..., G 4 ). For simplicity, we assume that mpk = S and omit the other values. We also omit the pairing parameter generation in procedure Initialize. G 0 This game is the real attack game against BF. G 1 We guess the hash query involved in the challenge query and abort if the guess is incorrect, returning a random output for the game. G 2 We change the simulation of the random oracle procedure H so that the game knows the discrete log of H(id) for any identity other than the challenge. G 3 We change the simulation of the key derivation procedure KeyDer so that the game answers these queries without the knowledge of the master secret key. G 4 In this game, we change the simulation of the LR procedure so that K is chosen uniformly at random. Michel Abdalla (ENS & CNRS) Identity-based encryption 34 / 43

Game G 0 proc Initialize(k) β R {0, 1} Λ H ε ; ctr 0 s R Z p ; S g s msk s mpk S Return mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) usk H(id) s Return usk Game G A 0 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; Y R G Λ H Λ H {(ctr, id, Y, y)} Return (C1, C 2 ) proc LR(id, m 0, m 1 ) R r Z p ; C1 g r K ê(s, H(id )) r C2 m β K Return (C1, C 2 ) proc Finalize(β ) Return (β = β) Michel Abdalla (ENS & CNRS) Identity-based encryption 35 / 43

Game G 1 proc Initialize(k) β R {0, 1} i R {1,..., q H } Λ H ε ; ctr 0 s R Z p ; S g s msk s mpk S Return mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) usk H(id) s Return usk Game G A 1 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; Y R G if i = ctr and id id, abort Λ H Λ H {(ctr, id, Y, y)} Return (C 1, C 2 ) proc LR(id, m 0, m 1 ) R r Z p ; C1 g r K ê(s, H(id )) r C2 m β K Return (C1, C 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 36 / 43

Game G 2 proc Initialize(k) β R {0, 1} i R {1,..., q H } Λ H ε ; ctr 0 s R Z p ; S g s msk s mpk S Return mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) usk H(id) s Return usk Game G A 2 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; y R Z p ; Y g y if i = ctr and id id, abort Λ H Λ H {(ctr, id, Y, y)} Return (C 1, C 2 ) proc LR(id, m 0, m 1 ) R r Z p ; C1 g r K ê(s, H(id )) r C2 m β K Return (C1, C 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 37 / 43

Game G 3 proc Initialize(k) β R {0, 1} i R {1,..., q H } Λ H ε ; ctr 0 s R Z p ; S g s msk s mpk S Return mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) read (ctr, id, Y, y) Λ H usk S y Return usk Game G A 3 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; y R Z p ; Y g y if i = ctr and id id, abort Λ H Λ H {(ctr, id, Y, y)} Return (C 1, C 2 ) proc LR(id, m 0, m 1 ) R r Z p ; C1 g r K ê(s, H(id )) r C2 m β K Return (C1, C 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 38 / 43

Game G 4 proc Initialize(k) β R {0, 1} i R {1,..., q H } Λ H ε ; ctr 0 s R Z p ; S g s msk s mpk S Return mpk proc KeyDer(id) if (ctr, id, Y, y) Λ H, H(id) read (ctr, id, Y, y) Λ H usk S y Return usk Game G A 4 proc H(id) if (ctr, id, Y, y) Λ H, return Y ctr ctr + 1 ; y R Z p ; Y g y if i = ctr and id id, abort Λ H Λ H {(ctr, id, Y, y)} Return (C 1, C 2 ) proc LR(id, m 0, m 1 ) r R Z p ; C1 g r K R G T C 2 m β K Return (C 1, C 2 ) Michel Abdalla (ENS & CNRS) Identity-based encryption 39 / 43

Probability analysis Claim 1 Adv ind-cpa A,BF (k) = 2 Pr [ G A 0 = true ] 1 Claim 2 Pr [ G A 1 = true ] = (1 1/q H ) 1/2 + 1/q H Pr [ G A 0 = true ] Claim 3 Pr [ G A 2 = true ] = Pr [ G A 1 = true ] Claim 4 Pr [ G A 3 = true ] = Pr [ G A 2 = true ] Claim 5 Pr [ G A 4 = true ] Pr [ G A 3 = true ] Adv bddh G,k (B) Claim 6 Pr [ G A 4 = true ] = 1/2 It s straightforward to verify that the security theorem follows from the claims above. Michel Abdalla (ENS & CNRS) Identity-based encryption 40 / 43

Proof of claims Claim 1 follows the security definition. Claims 3 and 4 are true because the changes made to the games do not affect their outcome. Claims 2 follows from the fact that the output of the game is chosen uniformly at random when aborting. Pr [ G A 1 = true ] = Pr [ G A 1 = true abort ] + Pr [ G A 1 = true abort ] = Pr [ G A 1 = true abort ] Pr [ abort ] + Pr [ G A 1 = true abort ] Pr [ abort ] = 1/2 (1 1/q H ) + Pr [ G A 1 = true abort ] 1/q H = 1/2 (1 1/q H ) + Pr [ G A 0 = true ] 1/q H Michel Abdalla (ENS & CNRS) Identity-based encryption 41 / 43

Proof of claims (cont.) In order to prove Claim 5, we need to build an adversary B against the BDDH problem. Let (G, g, A, B, C, Z) be the input of B. B sets mpk = A, C1 = B, H(id ) = C, and K = Z. Everything else in the simulation is performed as in G 3. When B is being executed in Game Exp bddh-0 G,k (B), B simulates G 3 to [ ] [ ] A. That is, Pr G A 3 = true = Pr Exp bddh-0 G,k (B) = true. When B is being executed in Game Exp bddh-1 G,k (B), B simulates G 4 to [ ] [ ] A. That is, Pr G A 4 = true = Pr Exp bddh-1 G,k (B) = true. The claim follows. Claim 6 follows from the fact that A has no information about β in G 4 and that the output of the game is chosen uniformly at random when aborting. Michel Abdalla (ENS & CNRS) Identity-based encryption 42 / 43

References I Dan Boneh and Xavier Boyen. Efficient selective-id secure identity based encryption without random oracles. EUROCRYPT 2004, LNCS 3027, pages 223 238, May 2004. Springer. Dan Boneh and Matthew K. Franklin. Identity based encryption from the Weil pairing. SIAM Journal on Computing, 32(3):586 615, 2003. Extended Abstract in CRYPTO 2001. Adi Shamir. Identity-based cryptosystems and signature schemes. CRYPTO 1984, LNCS 196, pages 47 53, August 1984. Springer. Michel Abdalla (ENS & CNRS) Identity-based encryption 43 / 43

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback