Dennis Hofheinz, Jessica Koch, Christoph Striecks

Presentation on theme: "Dennis Hofheinz, Jessica Koch, Christoph Striecks"— Presentation transcript:

1 Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting
Dennis Hofheinz, Jessica Koch, Christoph Striecks
Karlsruhe Institute of Technology, Germany

2 Overview
Identity-Based Encryption (IBE)
Tight Security
Underlying IBE-Scheme by Chen and Wee - Proof Idea
Result: (almost) Tight Security for Multi-Instance, Multi-Ciphertext IBE

3 Identity-Based Encryption (IBE)

4 IBE-IND-CPA Security
C* for id*: M0 or M1? succ.prob = ε1

5 Multi-Instance, Multi-Ciphertext IBE-IND-CPA Security
M0i,c or M1i,c? succ.prob = εmulti

6 Tight Security
Ni instances, Nc chall. ciphertexts, Nu user secret keys
security proof = reduction to hard problem (adv. = εP)
attack adv. ε1 = Nu·εP
(generic) attacks potentially easier
attack adv. εmulti = Ni·Nc·ε1 = Ni·Nc·Nu·εP

7 Tight Security
Our goal: tight security, i.e. εmulti ≈ εP independent of Ni, Nc, Nu
→ smaller keys, smaller groups …
recently: (somewhat) tightly secure multi-instance/multi-ciphertext PKE [HJ12, LJYP14]
[Chen,Wee13]: somewhat tightly secure IBE
1 instance/1 ciphertext: ε1 ≈ Nu·εP

8 Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : normal i i depends on idi = i and position

9 Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal C*; type i C*: id|i* = 1*… i*
normal usk; type i usk: id|i = 1 … i
same type, id|i* = id|i
Decryption

10 Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal C*; type i C*: id|i* = 1*… i*
normal usk; type i usk: id|i = 1 … i
same type, id|i* = id|i
Decryption

11 Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal C*; type i C*: id|i* = 1*… i*
normal usk; type i usk: id|i = 1 … i
same type, id|i* = id|i
same type, id|i* ≠ id|i
Decryption

13 Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal C*; type i C*: id|i* = 1*… i*
normal usk; type i+1 usk: id|i+1 = 1 … i+1
same type, id|i* = id|i
same type, id|i* ≠ id|i
different type, id|i+1* = id|i+1
Decryption

14 Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal C*; type i C*: id|i* = 1*… i*
normal usk; type i+1 usk: id|i+1 = 1 … i+1
same type, id|i* = id|i
same type, id|i* ≠ id|i
different type, id|i+1* = id|i+1
Decryption

15 Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal C*; type n C*: id* = 1*… n*
normal usk; type n usk: id = 1 … n
id* ≠ id for all usks

16 Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal C*; type n C*: id* = 1*… n*
normal usk; type n usk: id = 1 … n
id* ≠ id for all usks
→ usks useless for decryption
→ replace C* by random
→ Adversary can only guess

17 Proof Idea of Chen and Wee
Game hop: type i → type i+1
Chall. C*: 1* i* i+1
test usk*: 1* i*
usk: 1 i i+1
test C: 1 i
Simulator embeds own challenge
Simulator can test on its own i+1
Game i Decryption: i+1 = i+1
Game i+1 Decryption:

18 Proof Idea of Chen and Wee
Game hop: type i → type i+1
Chall. C*: i+1
test usk*:
usk: i+1
test C:
Simulator embeds own challenge
Simulator can test on its own i+1
Game i Decryption: i+1 = i+1
Game i+1 Decryption:

21 Our Approach
Problem for multi-instance, multi-ciphertext: guessing of id*i+1
1. for each instance → loss = 2^Ni
2. different chall. ciphertexts have different id-bits → generation is not possible
Our solution: distribute randomness into 2 compartments

22 Our Approach
Solution: no guessing
[Figure: two cases, id*i+1 = 0 and id*i+1 = 1. Rows: what the simulator gets (entries: no reaction, i+1), C*, usk. Labels: type i = type i+1, type i ≠ type i+1.]

23 Our Approach
Solution: no guessing
[Figure: two cases, id*i+1 = 0 and id*i+1 = 1. Rows: what the simulator gets (entries: no reaction, i+1), C*, usk. Labels: type i = type i+1, type i ≠ type i+1.]

24 Conclusion
no guessing
O(n) reductions: n = length of identity
→ loss independent of the number of ciphertexts, instances and usk-queries
first fully secure multi-instance, multi-ciphertext IBE with loss O(n) for n-bit identities under a simple assumption
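
Added worked example (not from the slides; the parameter values are constructed for illustration, and the constant hidden in O(n) is assumed to be 1):
Take Ni = 2^20, Nc = 2^20, Nu = 2^30 and a hard problem with εP = 2^-128.
Generic bound from slide 6: εmulti = Ni·Nc·Nu·εP = 2^(20+20+30)·2^-128 = 2^-58.
O(n) loss with n = 256: εmulti ≈ n·εP = 2^8·2^-128 = 2^-120.
To restore εmulti ≤ 2^-128, the generic bound needs parameters with εP ≤ 2^-198, while the O(n) bound needs only εP ≤ 2^-136, and that requirement does not grow with Ni, Nc or Nu.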
