
IDENTITY BASED ENCRYPTION

IDENTITY BASED ENCRYPTION. SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION. N. DENIZ SARIER. Introduction. Public Key Encryption follows “encrypt/decrypt” model A new model of key encapsulation with better flexibility and security proofs. Public Key Encryption.


Presentation Transcript


  1. IDENTITY BASED ENCRYPTION: SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION. N. DENIZ SARIER

  2. Introduction • Public Key Encryption follows the “encrypt/decrypt” model • A new model of key encapsulation with better flexibility and security proofs

  3. Public Key Encryption

  4. Key Encapsulation Mechanism (KEM) [Diagram labels: KEM, Encap, Decap, c*, symmetric key k*, “public key, coin”, private key, Symmetric-Key Encryption]

  5. How to get a Security Proof? To get a security proof, one needs: • Computational problem P, security notion, cryptosystem • Reduction of the problem P to an attack that breaks the security notion

  6. How to get a Security Proof? • Reduction of the problem P to an attack: • - Adversary A against the scheme • Reduction uses A to solve P • Under the assumption that P is hard, the scheme is unbreakable

  7. OUTLINE Today we will discuss • Two new generic constructions • A new computational assumption • Two new identity based encryption schemes

  8. A New Generic Construction • Theorem: Given any weakly secure Key Encapsulation Mechanism, we construct a Public Key Encryption scheme that is highly secure using two additional secure hash functions

  9. SECURITY NOTIONS • Combination of security goals with attack models • For different attack models, different oracle access • OW-PCA • IND-CCA

  10. Onewayness Against Plaintext Checking Attacks (OW-PCA) [Diagram labels: PC, PCA] • Succ_A(1^l) = Pr[m* = m]

  11. OW-PCA secure Key Encapsulation [Diagram labels: (pk, c*), A, k´, PC] • (pk, sk) KeyGen(1^l) • (k*, c*) Encap(pk, r) • k´ A(pk, c*, O_pc) • Succ_A(1^l) = Pr[k´ = k*]

  12. IND-CCA • Adv_A(1^l) = | Pr[b´ = b] – ½ |

  13. A New Generic Construction • Theorem: Given any OW-PCA secure Key Encapsulation Mechanism, we construct a Public Key Encryption scheme that is IND-CCA secure using two additional hash functions in the random oracle model.

  14. Random Oracle Model The basic principle: • The hash function is replaced by a truly random function each time the scheme is used • Throughout the security game, the adversary cannot compute hash values by itself; it must query the oracle embedding the function

  15. Random Oracle Model • At start of experiment, H is completely undefined • When H is called with query x for the first time, H selects h uniformly at random over the image set Ĥ and inserts (x, h) in a database H-List • For each query x, H first searches for (x, h) in H-List. If found, h is returned.

  16. A New Generic Construction • Theorem: Suppose that the hash functions H2 and H3 are random oracles. Given any OW-PCA secure Key Encapsulation Mechanism, we construct an IND-CCA secure Public Key Encryption scheme in the random oracle model. • A( ,A , q2 , q3, qD) • B ( ' , B , qPC) •  '   , B = A + qPC poly(l) • qPC(q2 + q3 + qD (q2 +1))

  17. A New Generic Construction C = (c1 , c2 , c3) = (c1 , m  H2 (k) , H3 (m , k) )
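The construction on slide 17, as an added example that is not part of the original slides. It assumes the operator dropped between m and H2(k) is XOR, uses a toy hashed-ElGamal KEM and SHA-256 in place of the random oracles H2 and H3, and adds the matching decryption routine; all function names and parameters are illustrative.

```python
import hashlib
import secrets

# Toy hashed-ElGamal KEM (assumption: the slides keep the KEM abstract).
# The group is far too small for real use; it only lets the example run offline.
P = 2**127 - 1                                   # Mersenne prime modulus
G = 3

def kgen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk                     # (pk, sk)

def encap(pk, r):
    return pow(pk, r, P), pow(G, r, P)           # (k, c1)

def decap(sk, c1):
    return pow(c1, sk, P)                        # k

def _h(tag, data, n):
    # SHA-256 in counter mode stands in for a random oracle with n-byte output.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(tag + i.to_bytes(4, "big") + data).digest()
        i += 1
    return out[:n]

def H2(k, n):
    return _h(b"H2", k.to_bytes(16, "big"), n)

def H3(m, k):
    return _h(b"H3", k.to_bytes(16, "big") + m, 32)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(pk, m):
    r = secrets.randbelow(P - 2) + 1
    k, c1 = encap(pk, r)
    return c1, xor(m, H2(k, len(m))), H3(m, k)   # C = (c1, c2, c3)

def decrypt(sk, c):
    c1, c2, c3 = c
    k = decap(sk, c1)
    m = xor(c2, H2(k, len(c2)))
    # Recompute the tag; any modified c1, c2 or c3 is rejected with None.
    return m if secrets.compare_digest(H3(m, k), c3) else None
```

Without c3 the scheme would be malleable: flipping a bit of c2 flips the same bit of m. The H3 tag is what turns that into a rejection.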

  18. Security Game [Diagram labels: Setup, sk, pk, A, D, H, PC, b´; Problem: invert c*; Solution: Session key k*]

  19. Security Proof • C = (c1 , c2 , c3) = (c1 , m  H2 (k) , H3 (m , k) ) • (pk, c*, common parameters) • Setup • (pk , common parameters) • H2 -queries: On each new input k, • If 1  PC (k , c*), k* = k , terminate (E2) • Else, h2 RANGE(H2) , (k, h2) H2List.

  20. Security Proof • C = (c1 , c2 , c3) = (c1 , m  H2 (k) , H3 (m , k) ) • H3-queries: On each new input (m , k), • If 1 PC(k, c*), k* = k , terminate (E3). • Else, h3 RANGE(H3) , (k, m, h3) H3List. • Decryption queries: On each new input (c1, c2, c3) • If (k, m, c3) H3List, return  • Else if m  H2 (k) c2, return  • Else if 1 PC (k, c1) return m, else return .
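How the simulator B can answer decryption queries without the private key, using the lazily sampled oracle of slide 15 and the decryption-query steps of slide 20 (added example, not from the original slides). It reads the dropped symbols in those steps as "not in H3List", XOR, "not equal" and "reject"; the dictionary standing in for the KEM and all names are constructed for illustration.

```python
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class RandomOracle:
    """Lazily sampled random function backed by an H-List."""
    def __init__(self, out_len):
        self.out_len = out_len
        self.hlist = {}                          # H-List: x -> h

    def query(self, x):
        if x not in self.hlist:                  # first query on x: draw h uniformly
            self.hlist[x] = secrets.token_bytes(self.out_len)
        return self.hlist[x]                     # repeated query: same h

def sim_decrypt(c, H2, H3, pc):
    """B's answer to a decryption query: uses H3's H-List and PC, never sk."""
    c1, c2, c3 = c
    for (m, k), h3 in H3.hlist.items():
        if h3 != c3:
            continue
        if xor(m, H2.query(k)) != c2:            # c2 inconsistent with (m, k)
            return None
        return m if pc(k, c1) else None          # k must be the key inside c1
    return None                                  # c3 was never output by H3

def demo():
    H2, H3 = RandomOracle(16), RandomOracle(32)
    # Constructed stand-in for the KEM: encapsulation c1 -> session key k.
    kem = {b"c1-A": b"key-A", b"c1-B": b"key-B"}
    pc = lambda k, c1: kem.get(c1) == k          # plaintext-checking oracle
    m = b"sixteen byte msg"
    k = kem[b"c1-A"]
    honest = (b"c1-A", xor(m, H2.query(k)), H3.query((m, k)))
    no_query = (b"c1-A", honest[1], secrets.token_bytes(32))  # tag guessed, H3 never asked
    wrong_key = (b"c1-B", honest[1], honest[2])               # tag belongs to another key
    return [sim_decrypt(c, H2, H3, pc) for c in (honest, no_query, wrong_key)]
```

Only the ciphertext whose tag came out of H3 and whose key passes the PC check is decrypted; a guessed tag is rejected, which is the 1/2^k1 event the proof accounts for.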

  21. Security Proof • C = (c1 , c2 , c3) = (c1 , m  H2 (k) , H3 (m , k) ) • Challenge: • A outputs (m0, m1) s.t. |m0| = |m1| • B picks h2*, h3* where hi*  RANGE(Hi) • B picks  {0,1} and returns C= (c*, mh2*, h3* ) to A • B answers A's random oracle and decryption queries as before. • If k*= k , B will return k* , otherwise B fails

  22. Simulation of Oracles • Unless k* has been asked to H2 and H3 • B breaks the OW-PCA of the KEM. • Decryption oracle • C = (c1, c2, c3) rejected if (m,k)H3List • A has to guess a right value for h3 without querying H3 •  probability 1/2^k1 (H3: {0,1}* → {0,1}^k1)

  23. Analysis • Claim: A´s view • GuessH3 is A's correctly guessing the output of H3 • Pr [SuccessB] = Pr [E2 ∨ E3] = | Pr [´= ] |  Pr [GuessH3] – ½| • From the definition of A  | Pr [´ = ] – ½| >  • Pr [SuccessB] >  - Pr [GuessH3 ] >  - qD / 2^k1 • ( 2^k1 = 2^60 , qD = 2^30 Pr [SuccessB]  )

  24. II. New Construction C= (c1, c2, c3) = (c1, m  H2 (k) , r  H3 (m,k) )

  25. II. New Construction • Theorem: • A( , A , q2, q3, qD) • BKEM ( ' , B , qPC ) •  '  , BA + qPC poly(l) +qD q3 is the time to compute KEM(r) = Encap(r , pk) • qPC(q2 + q3 + qD(q2+1))

  26. Security Proof • C= (c1, c2, c3) = (c1, m  H2 (k) , r  H3 (m,k) ) • Setup • H2-queries • H3-queries • Decryption queries: On each new input (c1, c2, c3) •  (ki, mi, h3i) in H3List, ri= h3i c3 •  ri check for KEM (ri) = (c1, ki) . If not return  • Else if mi H2 (ki) c2, return , else return mi

  27. Analysis • II. Construction can also be proven secure without using the Plaintext Checking oracle. •  Onewayness of Key encapsulation mechanism •  At the end of the game, a random entry in H2List or H3List is chosen •  The tightness is  '  / (q2 + q3)

  28. An Improvement • Additional hash function • C = (c1 , c2 , c3) = (c1 , m  H2 (k) , r  H3 (m , k) , H4 (r , m , k , c1 )) • No check  ri , KEM (ri) = (c1 , k) • B = A + qPC poly(l) + qD

  29. OUTLINE Today we will discuss • Two new generic constructions • A new computational assumption • Two new identity based encryption schemes

  30. Assumptions • Diffie-Hellman Inversion (k-DHI): For k ∈ Z, x ∈ Z_q^* and P ∈ G, given (P, xP, x^2 P, ..., x^k P), computing (1/x) P (for k-BDHI, computing ê(P, P)^(1/x)) is hard. • k-CAA1’: For k ∈ Z and x ∈ Z_q^*, P ∈ G, given (P, xP, (h1, 1/(x + h1) P), …, (hk, 1/(x + hk) P)), computing (1/x) P (for k-BCAA1’, computing ê(P, P)^(1/x)) is hard.

  31. A New Assumption • Generalized (k-BCAA1’): For k ∈ Z and x ∈ Z_q^*, P ∈ G*, ê: G × G → F, given (P, xP, rxP, (h1, 1/(x + h1) P), …, (hk, 1/(x + hk) P)), computing ê(P, P)^r is hard.

  32. OUTLINE Today we will discuss • Two new generic constructions • A new computational assumption • Two new identity based encryption schemes

  33. IDENTITY BASED ENCRYPTION • Public key encryption scheme where the public key is an arbitrary string (ID) [Diagram labels: I am “deniz@b-it”; email encrypted using public key: “deniz@b-it”; Private key; CA/PKG; master-key]

  34. SAKAI KASAHARA KEY CONSTRUCTION • Setup(l) • a prime q, groups G and F • P ∈ G*, ê: G × G → F • x ∈ Z_q^*, Ppub = xP • User A’s pk = ID_A • User A’s sk = d_A = [1/(x + H1(ID_A))] P • H1 is an ordinary hash function (not MapToPoint)

  35. SAKAI KASAHARA´S IBE SCHEME (SK-IBE) • Setup (l): Four Hash Functions • Encrypt (M, ID_A) • σ  {0,1}^n and r = H3(σ, M) • rQ_A = r (xP + H1(ID_A)P) • C = < rQ_A , σ H2(ê(P, P)^r) , M  H4(σ) > • Decrypt (C = (U, V, W), d_A) • k´ = ê(d_A, U), σ´ = V  H2(k´) and M´ = W H4(σ´) • Integrity check: r´ = H3(σ´, M´)

  36. Security of SK-IBE [Diagram: reduction chain with labels FullIdent, BasicPubhy, BasicPub, k-BDHI; Res 1, Res 2, Res 3; A1 (t1 , 1), A2 (t2 , 2), A3 (t3 , 3), A4 (t4 , 4)] • Tightness • 4 1 / [ q1 q2 (q3 + q4)]  1 / q3 for q1 = q2 = q3 = q4 = q

  37. A New IBE Scheme SK-IBE1 • Setup (l): Three Hash functions • Encrypt (m) • r Z_q^* • rQ_A = r(xP + H1(ID_A)P) • C = < rQ_A , m  H2(ê(P, P)^r) , H3(m, ê(P, P)^r) > • Decrypt (C = (U, V, W)) • k´ = ê(d_A, U), m´ = V  H2(k´) • Integrity check: H3(k´, m´) = W

  38. Security Proof of SK-IBE1 • Theorem: • H1, H2 and H3 are random oracles • ASK-IBE1 (A , , q1, q2 , q3, qD) • B (B, '‚qPC) against GAP-Generalized k-BCAA1' • ' / q1 , B = A + qPC poly(l) • qPC(q2 + q3 + qD (q2 +1))

  39. SK-IBE2 • Setup (l) • Encrypt (m) • r Z_q^* • rQ_A = r(Ppub + H1(ID_A)P) • C = < rQ_A , m  H2(g^r) , r  H3(m, g^r) > • Decrypt (C = (U, V, W)) • k´ = ê(d_A, U), m´ = V  H2(k´) • r´ = H3(k´, m´)  W • Integrity check: r´Q_A = U

  40. Security Proof of SK-IBE2 • Theorem: • H1, H2 and H3 are random oracles • ASK-IBE2 (A , , q1, q2 , q3, qD) • B (B, ' ) solves the Generalized q1-BCAA1' • ' 2/ q1(q2 + q3 ) , B = A+ qD q3 is the time to compute ê and multiplication

  41. CONCLUSION • Two New Generic Constructions for PKE Setting • IND-CCA secure KEM/DEM • IND-CCA secure PKE • Two New IBE Schemes based on SK Key Construction • SK-IBE1  GAP Problem, tighter, easier problem • SK-IBE2  Generalized k-BCAA1', less tight, harder problem

  42. THANK YOU FOR YOUR ATTENTION

  43. A New IBE Scheme SK-IBE2 • Setup (l) • Extract (ID_A) • Encrypt (m) • r Z_q^* • rQ_A = r (Ppub + H1(ID_A)P) • C = < rQ_A , m  H2(g^r) , r  H3(m, g^r) , H4(r, m, g^r, rQ_A) > • Decrypt (C = (U, V, W, Z)) • k´ = ê(d_A, U), m´ = V  H2(k´) • r´ = H3(k´, m´)  W • Integrity check: H4(r´, m´, k´, r´Q_A) = Z

  44. Hybrid PKE • Hybrid PKE = KEM + DEM • DEM(k): symmetric encryption • DEM • C Encrypt{DEM}(M, k) • M or  Decrypt{DEM}(C, k) • Keys of the KEM are from the same key space as the DEM.

  45. IND-CCA • (pk, sk) KGen(1^l) • (m0, m1, s)  A1(pk, O) s.t. |m0| = |m1| • b  {0, 1} • c Enc(pk, m_b) • b´  A2(s, c, O) • Adv_A(1^l) = | Pr[b´ = b] – ½ |

  46. Key Encapsulation Mechanism (KEM) • KEM can be defined by three algorithms: • (pk, sk) KGen(1^l) • (k, c) Encap(pk, r) • k or  Decap(sk, c)

  47. OW-PCA KEM [Diagram labels: (pk, c), A, k´, PCA] • PCA • 1 or 0 Opca (k , c) • OW-PCA • (pk, sk) KGen(1^l) • (k, c) Encap(pk, r) • k´ A(pk, c, Opca)

  48. IDENTITY BASED ENCRYPTION An IBE scheme can be defined by four algorithms: • (param, Mpk and Msk) Setup(1^l) • d_i Extract(ID_i, Msk, param) • c  C Encrypt(ID_i, param, m) • m {0,1}^n or Decrypt(d_i, param, c)

  49. IND-ID-CCA • (param, Msk) KGen(1^l) • (m0, m1, s, ID_ch)  A1(param, O1) s.t. |m0| = |m1| • b  {0, 1} • c Enc(param, ID_ch, m_b) • b´  A2(s, c, O2) • Adv_A(1^l) = | Pr[b´ = b] – ½ |

  50. SAKAI KASAHARA´S IBE SCHEME (SK-IBE) • Setup (l) • H1: {0,1}* → Z_q^* and H2: F → {0,1}^n • H3: {0,1}^n × {0,1}^n → Z_q^* and H4: {0,1}^n → {0,1}^n • Extract (ID_A) = d_A • Encrypt (M) • σ  {0,1}^n and r = H3(σ, M) • rQ_A = r (Ppub + H1(ID_A)P) • C = < rQ_A , σ H2(g^r) , M  H4(σ) > • Decrypt (C = (U, V, W)) • g´ = ê(d_A, U), σ´ = V  H2(g´) and M´ = W H4(σ´) • Integrity check: r´ = H3(σ´, M´)
