Identity-Based Online/Offline Encryption

Similar documents
An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Gentry IBE Paper Reading

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

A Strong Identity Based Key-Insulated Cryptosystem

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Searchable encryption & Anonymous encryption

Secure and Practical Identity-Based Encryption

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Identity-based encryption

Applied cryptography

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Efficient Identity-based Encryption Without Random Oracles

Efficient Identity-Based Encryption Without Random Oracles

An Introduction to Pairings in Cryptography

REMARKS ON IBE SCHEME OF WANG AND CAO

Recent Advances in Identity-based Encryption Pairing-free Constructions

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Public-Key Cryptography. Public-Key Certificates. Public-Key Certificates: Use

Multi-key Hierarchical Identity-Based Signatures

G Advanced Cryptography April 10th, Lecture 11

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Remove Key Escrow from The Identity-Based Encryption System

Boneh-Franklin Identity Based Encryption Revisited

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)

Efficient Selective Identity-Based Encryption Without Random Oracles

1 Number Theory Basics

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Lecture 1: Introduction to Public key cryptography

Toward Hierarchical Identity-Based Encryption

Pairing-Based Cryptography An Introduction

Public Key Cryptography

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Notes for Lecture 17

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Introduction to Elliptic Curve Cryptography

Simple SK-ID-KEM 1. 1 Introduction

Identity Based Encryption

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

Secure Certificateless Public Key Encryption without Redundancy

Conditional Proxy Broadcast Re-Encryption

New Framework for Secure Server-Designation Public Key Encryption with Keyword Search

Post-quantum security models for authenticated encryption

Generic construction of (identity-based) perfect concurrent signatures

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Certificateless Signcryption without Pairing

Pairing-Based Cryptographic Protocols : A Survey

Public Key Cryptography

Fully Homomorphic Encryption

Cryptography from Pairings

Practice Assignment 2 Discussion 24/02/ /02/2018

Identity-Based Authenticated Asymmetric Group Key Agreement Protocol

Type-based Proxy Re-encryption and its Construction

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Fixed Argument Pairings

RSA-256bit 數位電路實驗 TA: 吳柏辰. Author: Trumen

Hierarchical identity-based encryption

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Cryptology. Scribe: Fabrice Mouhartem M2IF

10 Modular Arithmetic and Cryptography

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

A New Functional Encryption for Multidimensional Range Query

Instantiating the Dual System Encryption Methodology in Bilinear Groups

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

RSA. Ramki Thurimella

Identity Based Proxy Signature from RSA without Pairings

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Short Signatures Without Random Oracles

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Lecture V : Public Key Cryptography

T Advanced Course in Cryptology. March 28 th, ID-based authentication frameworks and primitives. Mikko Kiviharju

Secure Identity Based Encryption Without Random Oracles

Introduction to Elliptic Curve Cryptography. Anupam Datta

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

ABHELSINKI UNIVERSITY OF TECHNOLOGY

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

Lattice Reduction Attack on the Knapsack

Certificate-Based Signature Schemes without Pairings or Random Oracles

DATA PRIVACY AND SECURITY

Public Key Encryption with Conjunctive Field Keyword Search

COS Cryptography - Final Take Home Exam

MATH 158 FINAL EXAM 20 DECEMBER 2016

Delegation in Predicate Encryption Supporting Disjunctive Queries

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Recent Advances in Identity-based Encryption Pairing-based Constructions

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions

An Overview of Homomorphic Encryption

Transcription:

Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4

Identity-based Encryption Review Identity-based Encryption IBE The notion was first proposed in 1984 by Shamir and there have been many efficient schemes since 2001, e.g., Boneh-Franklin IBE in 2001; Boneh-Boyen IBE in 2004; Waters IBE in 2005; Gentry IBE in 2006; Simply the certificate management The public key is a piece of public information such as email address, ID number or telephone number The private key is computed by the private key generator PKG Encryption When Alice wants to send some sensitive data m to Bob, for secure, she must encrypt it first in a secure encryption system. E.g.: A secure Identity-based Encryption system. Cm = E Bob m Alice Bob

Encryption in a untrusted environment When Alice is home, she may just store the data in her secure PC. When Alice is outside, she may store her data in a convenient device with a limited computation power, such as a smartcard. The encryption must be achieved in the smartcard which is not powerful enough for efficient encryption Need a better IBE A more suitable identity-based encryption system for smartcard application should satisfy the property: Part of the encryption process can be performed prior to knowing the data item and the public key of the recipient. The real encryption process is very quick once the data item and the ID are known.

IBOOE The encryption can be divided into two phases: Offline Phase: Pre-computation before the data item and the public key are known. Online Phase: Very efficient encryption after the data item and the public key are presented. Unfortunately... All previously published IBE schemes do not accommodate this feature Computation depends on the public key Cannot be naturally slitted into efficient online/offline phases

Our Contribution 1 We propose two IBOOE schemes from the two previous IBE schemes. Boneh-Boyen IBE: secure in the selective-id model Gentry IBE: secure in the standard model 2 The computation in the online phase of our IBOOE is very efficient Boneh-Boyen IBE We only show its CPA construction for simplicity. Let e : G G G T be the bilinear map, G, G T be two cyclic groups of order p and g be the corresponding generator in G. Setup: The system parameters are generated as follow. Choose at random a secret a Z p, choose g, g 2, h 1 randomly from G, and set the value g 1 = g a. The master public params and master secret key K are, respectively, params = g, g 1, g 2, h 1, K = g2 a.

Boneh-Boyen IBE KeyGen: To generate a private key for ID Z p, pick a random r Z p and output d ID = d 1, d 2 = g2 a h 1g1 ID r, g r Encrypt: General Encryption: Given a message m G T and the public key ID Z p, randomly choose s Z p, and output the ciphertext C µ = h 1 g1 ID s, g s, eg 1, g 2 s m = c 1, c 2, c 3 Natural" Online/offline Encryption Let s try to separate it into online and offline phases naturally": Offline encryption: randomly choose s Z p and output C of = h1 s, gs 1, gs, eg 1, g 2 s. Store the offline parameters C of for the online phase. Online encryption: given m G T and ID Z p, and output C on = h 1 gs s 1 ID, eg 1, g 2 s m. The ciphertext for ID is C ν and C ν = h 1 g1 ID s, g s, eg 1, g 2 s m.

Offline encryption: choose α,β, s Z p and output C of = h 1 g1 α s, g sβ 1, gs, eg 1, g 2 s. Store C of, α, β 1 for the online phase. Online encryption: given m G T and ID Z p, and output C on = β 1 ID α, eg 1, g 2 s m. The ciphertext for ID is C ν, and C ν = h 1 g1 α s, g sβ 1, β 1 ID α, g s, eg 1, g 2 s m Decryption From Original Encryption: C µ = h 1 g1 ID s, g s, eg 1, g 2 s m From Natural" Online/offline Encryption: C ν = h 1 g1 ID s, g s, eg 1, g 2 s m.

Decryption C ν = h 1 g1 α s, g sβ 1, β 1 ID α, g s, eg 1, g 2 s m. h 1 g1 α s g sβ ID α 1 β 1 = h 1 g1 ID s C ν C µ = h 1 g1 ID s, g s, eg 1, g 2 s m Therefore, the decryption of these three schemes is the same. Analysis Natural" Online/offline Encryption Online Phase: C on = h 1 gs s 1 ID, eg 1, g 2 s m. The cost is one exponentiation + two multiplications Online Phase: C on = β 1 ID α, eg 1, g 2 s m. The cost is one modular computation + one multiplication

CCA secure The Boneh-Boyen IBE uses one-time strong signature scheme to achieve CCA secure. We can choose a proper signature scheme, such as Boneh-Boyen short signature, so that we can divide it into online/offline signature and the cost on online phase is only one modular computation. Analysis CCA Natural" Online/offline Encryption Online Phase: C on = h 1 gs s 1 ID, eg 1, g 2 s m, σ on The cost is one exponentiation + two multiplications +one modular computation Online Phase: C on = β 1 ID α, eg 1, g 2 s m, σ on The cost is two modular computations + one multiplication

Gentry IBE Let e : G G G T be the bilinear map, G, G T be two cyclic groups of order p and g be the corresponding generator in G. Setup: Choose at random a secret a Z p, choose g, h 1, h 2, h 3 randomly from G, and set the value g 1 = g a G. Choose a secure hash function H : {0, 1} Z p. The master public params and the master secret key K are params = g, g 1, h 1, h 2, h 3, H, K = a. KeyGen KeyGen: To generate a private key for ID Z p, pick random r ID,i Z p for i = 1, 2, 3, and output { d ID = r ID,i, h ID,i : i = 1, 2, 3 }, where h ID,i = h i g r ID,i 1 a ID. If ID = a, abort. It requires the same random values r ID,i for ID.

Encryption Encryption: General Encryption: Given a message m G T and the public key ID Z p, randomly choose s Z p and output the ciphertext C µ = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c = c 1, c 2, c 3, c 4 where H c = Hc 1, c 2, c 3 Z p. Natural" Online/offline Encryption Offline encryption: randomly choose s Z p, and output C of = g s 1, g s, eg, g s, eg, h 1 s, eg, h 2 s, eg, h 3 s. Store the offline parameters C of for the online phase. Online encryption: given m G T and ID Z p, and output C on = g 1 g s s ID, eg, h 1 s m, eg, h 2 s eg, h 3 s H c, where the computation of H c is the same as the general encryption and the ciphertext for ID is C ν = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c.

Offline Encryption: Choose α,β, γ, θ, s Z p, and output C of = g1 s g sα, g sβ, eg, g s, eg, h 1 s, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ Store C of, α, β 1, γ, θ 1 for the online computation. Online Encryption: Given m G T and ID Z p, output C on = β 1 α ID, eg, h 1 s m, θ 1 H c γ, where H c is the hash value of all elements and C ν is C ν = g1 s g sα, g sβ, β 1 α ID, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ. Decryption General Encryption: C µ = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c Natural Online/offline Encryption C ν = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c

Decryption C ν = g1 s g sα, g sβ, β 1 α ID, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ. g s 1 g sα g sβ β 1 α ID = g s 1 g sid eg, h 2 s eg, h 3 sγ eg, h 3 sθ θ 1 H c γ = eg, h 2 s eg, h 3 sh c C ν g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c Therefore, the decryptions for all three are the same. Analysis Natural Online/offline Encryption Online Phase: C on = g s 1 g s ID, eg, h 1 s m, eg, h 2 s eg, h 3 s H c The cost is two exponentiations + three multiplications Online Phase: C on = β 1 α ID, eg, h 1 s m, θ 1 H c γ. The cost is two modular computations + one multiplication.

The proof for the two schemes are similar, we just take the IBOOE based on Gentry IBE as the example. Private Key Encryption Decryption Gentry IBE & IBOOE same different actually same Therefore, we just show that the simulator can simulate the challenge ciphertext C ν for IBOOE from the challenge ciphertext C µ for Gentry IBE. Ciphertext Gentry IBE C µ = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c C ν = g1 s g sα, g sβ, β 1 α ID, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ.

Simulation Gentry IBE IBOOE g1 sg sid g1 sg sα, g sβ, β 1 α ID Given g1 sg sid, randomly choose k 1, k 2 Z p and output g1 sg sα g sβ β 1 α ID g k 1 s 1 1 g sid k 1 +k 2 g1 sg sid k 1 +k 2 k 2 Analysis g s 1 g sid k 1 k 1 +k 2 g s 1 g sid 1 k 1 +k 2 k 2 Let α = k 1ID+k 2 a k 1 +k 2, β = a ID k 1 +k 2, we have g k 1 s 1 1 g sid k 1 +k 2 g1 sg sid k 1 +k 2 k 2 g1 sg sα g sβ β 1 α ID

Simulation Gentry IBE IBOOE eg, h 2 s eg, h 3 sh c eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ In Gentry IBE, the simulator can simulate eg, h 2 s eg, h 3 sh c because it can simulate eg, h 2 s, eg, h 3 s and H c. Therefore, randomly choose γ,θ Z p, we can simulate eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ from eg, h 2 s, eg, h 3 s and H c too. Analysis Gentry IBE C µ = g1 s g sid, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sh c C ν = g1 s g sα, g sβ, β 1 α ID, eg, g s, eg, h 1 s m, eg, h 2 s eg, h 3 sγ, eg, h 3 sθ, θ 1 H c γ. 1 We can simulate IBOOE based on the simulation of Gentry IBE without any additional requirements. 2 Therefore, IBOOE achieve the same leave of security to Gentry IBE.

Comparison E: the exponentiation in G; M: the multiplication in G; m: the modular computation in Z p. Scheme Boneh-Boyen IBOOE Gentry IBOOE Online natural 1E+2M+1m 2E+3M Online ours 1M+2m 1M+2m When the data is pre-encrypted in the offline phase, the online phase can be much more efficient and requires only one modular computation. 1 We introduced a new notion of Identity-Based Online/offline Encryption IBOOE. 2 IBOOE schemes are useful where the computational power of a device is limited. 3 We presented two IBOOE schemes based on two existing IBE schemes, such that online encryption is extremely efficient.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback