Gentry IBE Paper Reading

Similar documents
Efficient Identity-based Encryption Without Random Oracles

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Efficient Identity-Based Encryption Without Random Oracles

G Advanced Cryptography April 10th, Lecture 11

Efficient chosen ciphertext secure identity-based encryption against key leakage attacks

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Type-based Proxy Re-encryption and its Construction

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Boneh-Franklin Identity Based Encryption Revisited

REMARKS ON IBE SCHEME OF WANG AND CAO

Applied cryptography

Smooth Projective Hash Function and Its Applications

Identity-Based Online/Offline Encryption

Identity-based encryption

Simple SK-ID-KEM 1. 1 Introduction

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Advanced Topics in Cryptography

A New Paradigm of Hybrid Encryption Scheme

Cryptology. Scribe: Fabrice Mouhartem M2IF

Secure and Practical Identity-Based Encryption

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Secure Certificateless Public Key Encryption without Redundancy

Lecture 7: Boneh-Boyen Proof & Waters IBE System

A Strong Identity Based Key-Insulated Cryptosystem

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

The Cramer-Shoup Cryptosystem

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Efficient Selective Identity-Based Encryption Without Random Oracles

On the CCA1-Security of Elgamal and Damgård s Elgamal

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

1 Number Theory Basics

Public Key Cryptography

Public Key Cryptography

Short Exponent Diffie-Hellman Problems

Stronger Public Key Encryption Schemes

arxiv: v2 [cs.cr] 14 Feb 2018

RSA-OAEP and Cramer-Shoup

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

2 Preliminaries 2.1 Notations Z q denotes the set of all congruence classes modulo q S denotes the cardinality of S if S is a set. If S is a set, x R

Pairing-Based Cryptography An Introduction

Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms

A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION

Remove Key Escrow from The Identity-Based Encryption System

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

CTR mode of operation

Lecture Note 3 Date:

6.892 Computing on Encrypted Data October 28, Lecture 7

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

CPA-Security. Definition: A private-key encryption scheme

Modern symmetric-key Encryption

Identity Based Encryption

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

Structure Preserving CCA Secure Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Multi-key Hierarchical Identity-Based Signatures

On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups

Searchable encryption & Anonymous encryption

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Post-quantum security models for authenticated encryption

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Efficient Lattice (H)IBE in the Standard Model

Katz, Lindell Introduction to Modern Cryptrography

The Twin Diffie-Hellman Problem and Applications

Non-malleability under Selective Opening Attacks: Implication and Separation

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Certificateless Signcryption without Pairing

Toward Hierarchical Identity-Based Encryption

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

On Post-Quantum Cryptography

Modern Cryptography Lecture 4

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Hierarchical identity-based encryption

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

5199/IOC5063 Theory of Cryptology, 2014 Fall

KDM-CCA Security from RKA Secure Authenticated Encryption

Cryptographic Security of Macaroon Authorization Credentials

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Lecture 5, CPA Secure Encryption from PRFs

Chosen-Ciphertext Security (I)

Transcription:

Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014

Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT 2006, 445-464, 2006.

Outline 1 Introduction of Identity-Based Encryption Background Security Model 2 Gentry IBE Gentry IBE s Contribution Construction 1: Chosen-Paintext Security Construction 2: Chosen-Ciphertext Security 3 Conclusion

Outline 1 Introduction of Identity-Based Encryption Background Security Model 2 Gentry IBE Gentry IBE s Contribution Construction 1: Chosen-Paintext Security Construction 2: Chosen-Ciphertext Security 3 Conclusion

Background of Identity-Based Encryption Identity-Based Encryption system is a public key encryption system in which a user s public key may be an arbitrary string and the private key is generated by a trusted authority, called a Private Key Generator (PKG), which applies its master key to the user s identity after the user authenticates it self. Motivation To simplify public key and certificate management.[1] Features disparate public keys public identities public key certificates eliminated

Definition of Identity-Based Encryption An identity-based encryption scheme E is a tuple of four polynomial-time algorithms (Setup, Extract, Encrypt, Decrypt) satisfying the following: The environment set-up algorithm Setup takes as input a security parameter 1 k and returns params (system parameters) and a master-key. The key generation algorithm Extract takes as input an arbitrary ID {0, 1} and master-key, and returns a private key d ID Extract master-key(id).

Definition of Identity-Based Encryption The encryption algorithm Enc takes as input an ID and a message M M, and returns a ciphertext C Enc ID (M) C. The decryption algorithm Dec takes a private key d ID and a ciphertext C C, and returns M Dec did (C) M. It is required that Pr[Dec Extractmaster-key (ID) (Enc ID (M)) = M] except with possibly negligible probability over master-key output by Setup(1 k ), any M in M, any ID {0, 1}, and any randomness used by Enc and Extract.

Security Model of Identity-Based Encryption IND-CCA IND-ID-CCA Challenger Adversary Challenger Adversary ST KenGen(k) pk Setup(k) params (pk,sk) (params,mk) c i ID i, c i P Dec sk (c i ) m i Dec Extract (c i ) m i 1 ID i Extract mk (ID i ) d IDi P m 0, m 1 m 0, m 1, ID C Enc pk (m b ) c Enc(m b, ID ) c P Same as Phase 1 Same as Phase 1 2 c c ID ID, (c, ID) (c, ID ) G b = b? b b = b? b AdvIdCCA SIBE,A = Pr[c = c ] 1 2

Security Model of Identity-Based Encryption Definition An IBE system is (t, q ID, q C, ɛ) IND-ID-CCA secure if all t-time IND-ID-CCA adversaries making at most q ID private key queries and at most q C chosen ciphertext queries have advantage at most ɛ in winning the above IND-ID-CCA game. Definition An IBE system is (t, q ID, ɛ) IND-ID-CPA secure if it is (t, q ID, 0, ɛ) IND-ID-CCA secure.

Outline 1 Introduction of Identity-Based Encryption Background Security Model 2 Gentry IBE Gentry IBE s Contribution Construction 1: Chosen-Paintext Security Construction 2: Chosen-Ciphertext Security 3 Conclusion

Gentry IBE s Contribution CCA secure without random oracles A tight reduction via Cramer-Shoup proof style on a stronger assumption Recipient-anonymity

Preliminaries Bilinear Maps G and G T are two multiplicative cyclic groups of prime order p; g is a generator of G e : G G G T is a bilinear map. Properties Bilinear: for all u, v G and a, b Z, we have e(u a, v b ) = e(u, v) ab. Non-degenerate: e(g, g) 1. Definition A group G is a bilinear group if the group action in G can be computed efficiently and there exists a group G T and an efficiently computable bilinear map e : G G G T as above.

Reduction Proof A top-level concept In the simulation, we pack the hard problem in a fashion that adversary would accept, ask the adversary to do its job and study what the adversary has done. For a decisional hard problem: 1 If the input of the decisional hard problem is True. The adversary should be able to attack with its full advantage if the adversary cannot notice it is a simulation rather than an actual attack. 2 If the input is False. The adversary should have no advantage to do its job whatsoever.

Reduction Proof Now we have three tasks in the proof: 1 To provide the environment and the cryptanalysis training course so that the simulation is polynomially indistinguishable from an actual attack. 2 To encrypt a valid challenge ciphertext with the hard problem embedded so that if the input of hard problem is from random space it would also make the ciphertext into the same distribution so that in the adversary s view the ciphertext is independent of its message. 3 To answer the hard problem with the educated guess from the adversary.

Complexity Assumptions q-bdhe Given a vector of 2q + 1 elements ( g, g, g α, g (α2),..., g (αq), g (αq+2),..., g (α2q ) ) G 2q+1 as input, output e(g, g ) (αq+1). Decisional q-abdhe Given a vector of q + 4 elements ( ) g, g (αq+2), g, g α, g (α2),..., g (αq), Z G q+3 G T as input, output 1 if Z = e(g, g ) (αq+1), otherwise output 0. From now on, we use g i and g i to denote g(αi) and g (αi).

Construction 1 Let G and G T be groups of order p, and let e : G G G T be the bilinear map. Setup generators g, h R G, α R Z p, g 1 = g α G, outputs params = (g, g 1, h), master-key = α. R Extract(ID) r ID Zp, h ID = (hg r ID ) 1 α ID d ID = (r ID, h ID ). Encrypt(m, ID) s R Z p, outputs C = (g s 1g s ID, e(g, g) s, m e(g, h) s ). Decrypt(C, ID) Let C = (u, v, w) with ID, outputs m = w e(u, h ID )v r ID. (ID α), outputs

Reduction Proof for Construction 1 I Suppose adversary A (t, ɛ, q ID )-breaks the IND-ID-CPA security of the construction 1, we construct simulator B(g, g q+2, g, g 1,..., g q, Z) where q = q ID + 1. Setup polynomial f(x) R Z p [x] of degree q, h = g f(α), outputs params = (g, g 1, h). Phase 1 Key query For ID Z p, F ID (x) = f(x) f(id) x ID, outputs d ID = (r ID, h ID ) = (f(id), g F ID(α) ). Validity: g F ID(α) = g f(α) f(id) α ID = (hg f(id) ) 1 α ID.

Reduction Proof for Construction 1 II Challenge A outputs M 0, M 1, ID, B flips a fair coin c {0, 1}, computes d ID = (r ID, h ID ), let F 2,ID (x) = xq+2 (ID ) q+2 x ID, sets u = g αq+2 (ID ) q+2 v = Z e(g, q i=0 g F 2,ID,i i ) w = M c /e(u, h ID )v r ID and outputs the challenge ciphertext C = (u, v, w). Phase 2 B responds to queries the same way as in Phase 1. Guess A outputs c. If c = c, B outputs 1; otherwise outputs 0.

Reduction Proof for Construction 1 III Now we study the two cases: Case 1: Z = e(g q+1, g ) Goal: A cannot distinguish it is a simulation. The validity of the challenger ciphertext: Let s = (log g g )F 2,ID (α). Since Z = e(g q+1, g ), u = g s(α ID ) = g s 1g s ID v = e(g q+1, g )e(g, q g F 2,ID,i α i ) i=0 = e(g, g αq+1 +( q i=0 F 2,ID,iα i) ) = e(g log g g, g F 2,ID (α) ) = e(g, g) s M c /w = e(g s(α ID ), (g f(α) g f(id ) ) α ID )e(g, g) sf(id ) = e(g s, hg f(id ) )e(g s, g f(id ) ) = e(g, h) s 1

Reduction Proof for Construction 1 IV WARNING! Private key simulation (Different from PKE) Question: Could A distinguish the simulation from private key distribution? To prove the private keys issued by B are appropriately distributed. Let ID = {ID 1,..., ID qid, α, ID }, we have ID q + 1. Since f(x) is a uniformly random polynomial of degree q, in A s view private keys d ID = (r ID, h ID ), r ID = f(id), h ID = (hg r ID ) 1 α ID are uniformly random and independent.

Reduction Proof for Construction 1 V Case 2: Z is uniformly random Goal: c is independent in A s view whatsoever. Z is uniformly random (u, v) is uniformly random and independent 1 v e(u, g) α ID holds with 1 1/p. On the other hand, r ID is uniformly random and independent in A s view Therefore, M c /w = e(u, h ID )v r ID = e(u, h) α ID ( v is 1 )r ID e(u,g) α ID uniformly random and independent in A s view To summarize, B would have ɛ advantage to solve the hard problem except with negligible probability.

Construction 2 Let G and G T be groups of order p, and let e : G G G T be the bilinear map. Setup generators g, h 1, h 2, h 3 R G, α R Zp,g 1 = g α G, a collision-resistant hash function H, outputs params = (g, g 1, h 1, h 2, h 3, H), master-key = α. Extract(ID) For i = 1, 2, 3, r ID,i R Zp, h ID,i = (hg r ID,i ) 1 α ID (ID α), outputs d ID = {(r ID,i, h ID,i ) : i {1, 2, 3}}. Encrypt(M, ID) s R Z p,u = g s 1g s ID, v = e(g, g) s, w = m e(g, h 1 ) s, β = H(u, v, w), y = e(g, h 2 ) s e(g, h 3 ) sβ, outputs C = (u, v, w, y). Decrypt(C, ID) Let C = (u, v, w, y). β = H(u, v, w) and tests y? = e(u, h ID,2 h β ID,3 )vr ID,2+r ID,3 β. Yes, m = w e(u, h ID,1 )v r ID,1 Otherwise the recipient outputs.

Reduction Proof for Construction 2 I Suppose adversary A (t, ɛ, q ID, q C )-breaks the IND-ID-CCA security of the construction 2, we construct simulator B(g, g q+2, g, g 1,..., g q, Z) where q = q ID + 2. Setup Three random polynomials f i (x) R Z p [x] of degree q for i = 1, 2, 3, computes h i = g fi(α) and outputs params = (g, g 1, h 1, h 2, h 3 ). Phase 1 [Private key queries] For ID Z p, B uses f i (x) to generate {(r ID,i, h ID,i ) : i = 1, 2, 3} as before so that (r ID,i, h ID,i ) = (f i (ID), g F i,id(α) ). [Decryption queries] For (C, ID), B check the data-integrity, generates a private key for ID as above and decrypts it.

Reduction Proof for Construction 2 II Challenge After A outputs M 0, M 1, ID, B flips a fair coin c {0, 1}, computes d ID = {(r ID,i, h ID,i) : i = 1, 2, 3}, (u, v, w) using (r ID,1, h ID,1), β = H(u, v, w), y = e(u, h ID,2 h β ID,3 )vr ID,2+r ID,3 β, outputs C = (u, v, w, y). Phase 2 B responds to queries the same way as in Phase 1. Guess A outputs c. If c = c, B outputs 1; otherwise outputs 0. Then we consider the two cases: Case 1: Z = e(g q+1, g ) Goal: A cannot distinguish it is a simulation. Key generation simulation is good as before. Decryption simulation Goal: Reject all invalid ciphertext Question: Have we leaked any information so that A could use to generate an invalid ciphertext that would pass the data-integrity check?

Reduction Proof for Construction 2 III What A wants to do: to make (u, v, w, y ) for a not queried ID where v e(u, g) 1 α ID valid. A needs to find a y = a u (log g h ID,2 + β log g h ID,3 ) + a v (r ID,2 + β r ID,3 ) (1) where a u = log g u, a y = log e(g,g) y, a v log e(g,g) v. From the construction of the private key: log g h 2 = (α ID) log g h ID,2 + r ID,2 (2) log g h 3 = (α ID) log g h ID,3 + r ID,3 (3) Then Equation (1) changes to: a u a y = ( α ID )(log g h 2 + β log g h 3 ) + (a v au α ID )(r ID,2 + β r ID,3 ) (4)

Reduction Proof for Construction 2 IV WARNING! r ID,i = f i (ID) A s learning from r ID1,2,..., r IDq 2,2, h 2, r ID1,3,, r IDq 2,3, h 3. 1 1 1 1 0 0 0 0 ID 1 ID 2 ID q 2 α 0 0 0 0 [λ (2) 0, λ(2) 1,..., λ(2) q, λ (3).......... 0, λ(3) 1,..., λ(3) q ] ID q 1 ID q 2 ID q q 2 α q 0 0 0 0 f 0 0 0 0 1 1 1 1 0 0 0 0 ID 1 ID 2 ID q 2 α.......... 0 0 0 0 ID q 1 ID q 2 ID q q 2 α q a u a y = ( α ID )(log g h 2 + β log g h 3 ) + (a v au α ID )(f γ ID β γ ID ) where γ ID = (1, ID,..., ID q ). SAFE! γ ID β γ ID is linear independent of V. A finds such a y with negligible probability. V (5)

Reduction Proof for Construction 2 V Case 2: Z is uniformly random. Goal: c is independent in A s view whatsoever. Unbounded computational power of A. From the challenge ciphertextψ = (u, v, w, y) for ID : log e(g,g) (M c /w) = a u α ID log g h 1 + (a v a u α ID )r ID,1 (6) c should be independent in A s view as discussed in Construction 1. WARNING! the independence of r ID,1 is no longer guaranteed. Question: Is it possible for A to generate related invalid ciphertext which could pass the data-integrity so that it would be numerically decrypted?

Reduction Proof for Construction 2 VI If A queries an invalid ciphertext ψ = (u, v, w, y ) for unqueried identity ID, where (u, v, w, y, ID) (u, v, w, y, ID ) and β = H(u, v, w ). There are three cases to consider: 1 (u, v, w ) = (u, v, w): Hashes are equal as well. ID = ID y y, reject. ID ID A must find a y that satisfies Equation (5), but γ ID βγ ID is independent of [V 1,..., V 2q 2, γ ID βγ ID ]. 2 (u, v, w ) (u, v, w) and β = β : Hash function!? 3 (u, v, w ) (u, v, w) and β β : ID ID Negligible probability for essentially the same reason as Item 1. ID = ID Then γ ID βγ ID and γ ID β γ ID are linearly independent to each other and the columns of V.

Reduction Proof for Construction 2 VII SAFE! No information about r ID,1 is leaked. c is independent in A s view. Therefore, CCA Secure. B would have ɛ advantage to solve the hard problem except with negligible probability.

Outline 1 Introduction of Identity-Based Encryption Background Security Model 2 Gentry IBE Gentry IBE s Contribution Construction 1: Chosen-Paintext Security Construction 2: Chosen-Ciphertext Security 3 Conclusion

Conclusion Guarded decryption! Data-integrity check with message information and extra random augments Add redundancy against more powerful attacks For CPA secure, one thing different in IBE system is it needs to prove the key generation simulation. For CCA secure, Cramer-Shoup security proof technique is very useful, but it needs thoroughness and carefulness.

Bibliography I Adi Shamir. Identity-based cryptosystems and signature schemes. In GeorgeRobert Blakley and David Chaum, editors, Advances in Cryptology, volume 196 of Lecture Notes in Computer Science, pages 47 53. Springer Berlin Heidelberg, 1985.

Thankyou.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback