Dennis Hofheinz, Jessica Koch, Christoph Striecks Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting Dennis Hofheinz, Jessica Koch, Christoph Striecks Karlsruhe Institute of Technology, Germany

Overview Identity-Based Encryption (IBE) Tight Security Underlying IBE-Scheme by Chen and Wee - Proof Idea Result: (almost) Tight Security for Multi-Instance, Multi-Ciphertext IBE

Identity-Based Encryption (IBE)

IBE-IND-CPA Security C* for id* M0 or M1 ? succ.prob = 1 2 + ε1

Multi-Instance, Multi-Ciphertext IBE-IND-CPA Security M0i,c or M1i,c? succ.prob = 1 2 + εmulti

Tight Security . . . . . . Ni instances Nc chall. ciphertexts Nu user secret keys security proof = reduction to hard problem (adv. = εP) attack adv. ε1 = Nu·εP (generic) attacks potentially easier attack adv. εmulti = Ni·Nc·ε1 = Ni·Nc·Nu·εP

Tight Security Our goal: tight security i.e. εmulti ≈ εP independent of Ni, Nc, Nu → smaller keys, smaller groups … recently: (somewhat) tightly secure multi-instance/multi-ciphertext PKE [HJ12, LJYP14] [Chen,Wee13]: somewhat tightly secure IBE 1 instance/1 ciphertext: ε1 ≈ Nu·εP

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : normal i i depends on idi = i and position

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type i C*: 1* … i* normal C*: id|i* = 1*… i* normal usk: type i usk: 1 … i id|i = 1 … i same type id|i* = id|i Decryption

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal normal C*: type i C*: id|i* = 1*… i* normal usk: type i usk: id|i = 1 … i same type id|i* = id|i Decryption

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type i C*: 1* … i* normal C*: id|i* = 1*… i* normal usk: type i usk: 1 … i id|i = 1 … i same type id|i* = id|i same type id|i* ≠ id|i Decryption

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type i C*: 1* i* normal C*: id|i* = 1*… i* normal usk: type i usk: 1 i id|i = 1 … i same type id|i* = id|i same type id|i* ≠ id|i Decryption

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type i C*: 1* … i* normal C*: id|i* = 1*… i* normal usk: type i+1 usk: 1 … i i+1 id|i+1 = 1 … i+1 same type id|i* = id|i same type id|i* ≠ id|i different type id|i+1* = id|i+1 Decryption

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal normal C*: type i C*: id|i* = 1*… i* normal usk: type i+1 usk: i+1 id|i+1 = 1 … i+1 same type id|i* = id|i same type id|i* ≠ id|i different type id|i+1* = id|i+1 Decryption

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type n C*: 1* … n* normal C*: id* = 1*… n* normal usk: type n usk: 1 … n id = 1 … n id* ≠ id for all usks

Proof Idea of Chen and Wee Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal 1* n* normal C*: type n C*: id* = 1*… n* normal usk: type n usk: 1 n id = 1 … n id* ≠ id for all usks → usks useless for decryption → replace C* by random → Adversary can only guess

Proof Idea of Chen and Wee Game hop: type i → type i+1 Chall. C*: 1* … i* i+1 test usk*: 1* … i* usk: 1 … i i+1 test C: 1 … i Simulator embeds own challenge Simulator can test on its own i+1 Game i Decryption: i+1 = i+1 Game i+1 Decryption:

Proof Idea of Chen and Wee Game hop: type i → type i+1 Chall. C*: i+1 test usk*: usk: i+1 test C: Simulator embeds own challenge Simulator can test on its own i+1 Game i Decryption: i+1 = i+1 Game i+1 Decryption:

Proof Idea of Chen and Wee Game hop: type i → type i+1 Chall. C*: i+1 test usk*: usk: i+1 test C: Simulator embeds own challenge Simulator can test on its own i+1 Game i Decryption: i+1 = i+1 Game i+1 Decryption:

Proof Idea of Chen and Wee Game hop: type i → type i+1 Chall. C*: i+1 test usk*: usk: i+1 test C: Simulator embeds own challenge Simulator can test on its own i+1 Game i Decryption: i+1 = i+1 Game i+1 Decryption:

≈ Our Approach Problem for multi-instance, multi-ciphertext: Guessing of id*i+1: 1. for each instance → loss = 2Ni 2. different chall. ciphertexts have different id-bits → generation is not possible Our solution: distribute randomness into 2 compartments ≈

Our Approach Solution: no guessing id*i+1 = 0 id*i+1 = 1 Simulator gets: no reaction no reaction i+1 i+1 C*: 1* … i* i+1 1* … i* i+1 usk: 1 … i i+1 1 … i i+1 1 … i i+1 1 … i i+1 type i = type i+1 type i ≠ type i+1 type i ≠ type i+1 type i = type i+1

Our Approach Solution: no guessing id*i+1 = 0 id*i+1 = 1 Simulator gets: no reaction no reaction i+1 i+1 C*: usk: 1 … i i+1 1 … i i+1 type i = type i+1 type i ≠ type i+1 type i ≠ type i+1 type i = type i+1

Conclusion no guessing О(n) reductions: n = length of identity → loss independent of the number of ciphertexts , instances and usk-queries first fully secure multi-instance, multi-ciphertext IBE with loss О(n) for n-bit identities under a simple assumption