1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.


1 1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER

2 2 Introduction Public Key Encryption follows “encrypt/decrypt” model A new model of key encapsulation with better flexibility and security proofs

3 3 Public Key Encryption

4 4 Key Encapsulation Mechanism (KEM) [Diagram labels: Encap, Decap, public key, coin, private key, c*, symmetric key k*, Symmetric-Key Encryption, KEM]

5 5 How to get a Security Proof ? To get a security proof, one needs – Computational problem P, – Security notion, – Cryptosystem – Reduction of the problem P to an attack that breaks the security notion

6 6 How to get a Security Proof ? Reduction of the problem P to an attack: - Adversary A against the scheme - Reduction uses A to solve P Under the assumption that P is hard, the scheme is unbreakable

7 7 OUTLINE. Today we will discuss: Two new generic constructions; A new computational assumption; Two new identity based encryption schemes

8 8 A New Generic Construction. Theorem: Given any weakly secure Key Encapsulation Mechanism, we construct a Public Key Encryption scheme that is highly secure using two additional secure hash functions.

9 9 SECURITY NOTIONS. Combination of security goals with attack models. For different attack models, different oracle access. OW-PCA, IND-CCA

10 10 Onewayness Against Plaintext Checking Attacks (OW-PCA) [Diagram labels: PCA, PC] $\mathrm{Succ}_A(1^l) = \Pr[m^* = m]$

11 11 OW-PCA secure Key Encapsulation: $(pk, sk) \leftarrow \mathrm{KeyGen}(1^l)$; $(k^*, c^*) \leftarrow \mathrm{Encap}(pk, r)$; $k' \leftarrow A(pk, c^*, O_{pc})$; $\mathrm{Succ}_A(1^l) = \Pr[k' = k^*]$ [Diagram labels: A, (pk, c*), k´, PC]

12 12 IND-CCA: $\mathrm{Adv}_A(1^l) = |\Pr[b' = b] - \tfrac{1}{2}|$

13 13 A New Generic Construction. Theorem: Given any OW-PCA secure Key Encapsulation Mechanism, we construct a Public Key Encryption scheme that is IND-CCA secure using two additional hash functions in random oracle model.

14 14 Random Oracle Model. The basic principle: The hash function is replaced by a truly random function each time the scheme is used. Throughout the security game, the adversary cannot compute hash values by itself; it must query the oracle embedding the function.

15 15 Random Oracle Model. At start of experiment, H is completely undefined. When H is called with query x for the first time, H selects h uniformly at random over the image set Ĥ and inserts (x, h) in a database H-List. For each query x, H first searches for (x, h) in H-List. If found, h is returned.

16 16 A New Generic Construction. Theorem: Suppose that the hash functions $H_2$ and $H_3$ are random oracles. Given any OW-PCA secure Key Encapsulation Mechanism, we construct an IND-CCA secure Public Key Encryption scheme in random oracle model. $A(\varepsilon, \tau_A, q_2, q_3, q_D)$, $B(\varepsilon', \tau_B, q_{PC})$: $\varepsilon' \approx \varepsilon$, $\tau_B = \tau_A + q_{PC}\,\mathrm{poly}(l)$, $q_{PC} \le (q_2 + q_3 + q_D(q_2 + 1))$

17 17 A New Generic Construction: $C = (c_1, c_2, c_3) = (c_1,\ m \oplus H_2(k),\ H_3(m, k))$
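The construction on slide 17 as running code, added here as an example that is not part of the original slides. It assumes a toy ElGamal-style KEM over Z_p^* in place of the OW-PCA KEM and SHAKE-256/SHA-256 in place of the random oracles H2 and H3; the group parameters and all function names are illustrative assumptions.

```python
import hashlib
import secrets

# Toy KEM group (assumed parameters for illustration, not secure for real use).
P = 2**127 - 1   # Mersenne prime
G = 3

def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk                      # (pk, sk)

def kem_encap(pk, r):
    """Deterministic in the coin r: returns (session key k, encapsulation c1)."""
    return pow(pk, r, P), pow(G, r, P)

def kem_decap(sk, c1):
    return pow(c1, sk, P)

def _kb(k):
    return k.to_bytes(16, "big")                  # k < P < 2^127 fits in 16 bytes

def H2(k, n):
    """n-byte mask derived from the session key (stand-in for oracle H2)."""
    return hashlib.shake_256(b"H2|" + _kb(k)).digest(n)

def H3(m, k):
    """Tag binding message and session key (stand-in for oracle H3)."""
    return hashlib.sha256(b"H3|" + _kb(k) + m).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(pk, m):
    r = secrets.randbelow(P - 2) + 1
    k, c1 = kem_encap(pk, r)
    return c1, xor(m, H2(k, len(m))), H3(m, k)    # (c1, c2, c3)

def decrypt(sk, c):
    """Returns the plaintext, or None (the rejection symbol) if the H3 check fails."""
    c1, c2, c3 = c
    k = kem_decap(sk, c1)
    m = xor(c2, H2(k, len(c2)))
    return m if secrets.compare_digest(H3(m, k), c3) else None
```

The c3 check is what makes decryption reject any ciphertext whose c1 or c2 was altered after encryption.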

18 18 Security Game [Diagram labels: Setup, A, D, H, PC, pk, sk, b´] Problem: invert c*. Solution: Session key k*

19 19 Security Proof. $C = (c_1, c_2, c_3) = (c_1,\ m \oplus H_2(k),\ H_3(m, k))$
(pk, c*, common parameters); Setup (pk, common parameters)
$H_2$-queries: On each new input $k$: If $1 \leftarrow PC(k, c^*)$, $k^* = k$, terminate ($E_2$). Else, $h_2 \leftarrow \mathrm{RANGE}(H_2)$, $(k, h_2) \to H_2\mathrm{List}$.

20 20 Security Proof. $C = (c_1, c_2, c_3) = (c_1,\ m \oplus H_2(k),\ H_3(m, k))$
$H_3$-queries: On each new input $(m, k)$: If $1 \leftarrow PC(k, c^*)$, $k^* = k$, terminate ($E_3$). Else, $h_3 \leftarrow \mathrm{RANGE}(H_3)$, $(k, m, h_3) \to H_3\mathrm{List}$.
Decryption queries: On each new input $(c_1, c_2, c_3)$: If $(k, m, c_3) \notin H_3\mathrm{List}$, return $\bot$. Elseif $m \oplus H_2(k) \neq c_2$, return $\bot$. Elseif $1 \leftarrow PC(k, c_1)$ return $m$, else return $\bot$.

21 21 Security Proof. $C = (c_1, c_2, c_3) = (c_1,\ m \oplus H_2(k),\ H_3(m, k))$
Challenge: A outputs $(m_0, m_1)$ s.t. $|m_0| = |m_1|$. B picks $h_2^*, h_3^*$ where $h_i^* \in \mathrm{RANGE}(H_i)$. B picks $\beta \in \{0,1\}$ and returns $C_\beta = (c^*,\ m_\beta \oplus h_2^*,\ h_3^*)$ to A. B answers A's random oracle and decryption queries as before. If $k^* = k$, B will return $k^*$, otherwise B fails.

22 22 Simulation of Oracles. Unless $k^*$ has been asked to $H_2$ and $H_3$ $\Rightarrow$ B breaks the OW-PCA of the KEM. Decryption oracle: $C = (c_1, c_2, c_3)$ rejected if $(m, k) \notin H_3\mathrm{List}$. A has to guess a right value for $h_3$ without querying $H_3$ $\Rightarrow$ probability $1/2^{k_1}$ ($H_3: \{0,1\}^* \to \{0,1\}^{k_1}$)
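The oracle simulation of slides 19 to 22 as an added Python sketch (not from the original slides): B samples H2 and H3 lazily into lists, watches every queried k with the plaintext-checking oracle, and answers decryption queries from the H3 list without ever holding sk. The class and function names, output sizes and toy group are assumptions; where the slides terminate on E2/E3, this sketch records k* and keeps answering.

```python
import secrets

class ReductionB:
    """B's oracle simulation: lazily sampled H2/H3 lists and a decryption
    oracle that uses only the plaintext-checking oracle pc(k, c), never sk."""
    def __init__(self, pc, c_star, n=16, k1=32):
        self.pc, self.c_star = pc, c_star    # PC oracle, challenge encapsulation c*
        self.n, self.k1 = n, k1              # output bytes of H2 / H3 (assumed sizes)
        self.h2_list, self.h3_list = {}, {}
        self.k_star = None                   # filled in when event E2 or E3 occurs

    def _watch(self, k):
        # E2/E3: a queried k that PC accepts for c* is the session key k*.
        if self.k_star is None and self.pc(k, self.c_star):
            self.k_star = k

    def H2(self, k):
        if k not in self.h2_list:            # new input: check, sample, record
            self._watch(k)
            self.h2_list[k] = secrets.token_bytes(self.n)
        return self.h2_list[k]

    def H3(self, m, k):
        if (m, k) not in self.h3_list:
            self._watch(k)
            self.h3_list[(m, k)] = secrets.token_bytes(self.k1)
        return self.h3_list[(m, k)]

    def decrypt(self, c1, c2, c3):
        for (m, k), h3 in self.h3_list.items():
            if h3 == c3:                     # c3 was produced by an H3 query
                if bytes(a ^ b for a, b in zip(m, self.H2(k))) != c2:
                    return None
                return m if self.pc(k, c1) else None
        return None                          # c3 never output by H3: reject

def demo():
    P, G = 2**127 - 1, 3                     # toy ElGamal-style KEM group (constructed)
    sk, r, r_star = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    pk, m = pow(G, sk, P), b"sixteen byte msg"
    # The PC oracle belongs to the OW-PCA challenger, which is the only party using sk.
    B = ReductionB(lambda k, c: pow(c, sk, P) == k, pow(G, r_star, P))
    k, c1 = pow(pk, r, P), pow(G, r, P)      # adversary encapsulates, then queries H2, H3
    c2 = bytes(a ^ b for a, b in zip(m, B.H2(k)))
    c3 = B.H3(m, k)
    honest = B.decrypt(c1, c2, c3)
    forged = B.decrypt(c1, c2, secrets.token_bytes(32))   # c3 guessed, not queried
    B.H2(pow(pk, r_star, P))                 # adversary eventually queries k*
    return honest == m, forged is None, B.k_star == pow(pk, r_star, P)
```

`demo()` returns three booleans: the simulated decryption matches the real plaintext, a ciphertext with an unqueried c3 is rejected, and B has extracted k* once it appears in an oracle query.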

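23 23 Analysis. Claim: A´s view. GuessH$_3$ is A's correctly guessing the output of $H_3$.
$\Pr[\mathrm{SuccessB}] = \Pr[E_2 \lor E_3] = |\Pr[\beta' = \beta] \mid \neg\Pr[\mathrm{GuessH}_3] - \tfrac{1}{2}|$
From the definition of A $\Rightarrow$ $|\Pr[\beta' = \beta] - \tfrac{1}{2}| > \varepsilon$
$\Pr[\mathrm{SuccessB}] > \varepsilon - \Pr[\mathrm{GuessH}_3] > \varepsilon - q_D / 2^{k_1}$ ($2^{k_1} = 2^{60}$, $q_D = 2^{30}$ $\Rightarrow$ $\Pr[\mathrm{SuccessB}] \approx \varepsilon$)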

24 24 II. New Construction: $C = (c_1, c_2, c_3) = (c_1,\ m \oplus H_2(k),\ r \oplus H_3(m, k))$

25 25 II. New Construction. Theorem: $A(\varepsilon, \tau_A, q_2, q_3, q_D)$, $B^{KEM}(\varepsilon', \tau_B, q_{PC})$: $\varepsilon' \approx \varepsilon$, $\tau_B \le \tau_A + q_{PC}\,\mathrm{poly}(l) + q_D q_3 \tau$, where $\tau$ is the time to compute KEM(r) = Encap(r, pk); $q_{PC} \le (q_2 + q_3 + q_D(q_2 + 1))$

26 26 Security Proof. $C = (c_1, c_2, c_3) = (c_1,\ m \oplus H_2(k),\ r \oplus H_3(m, k))$
Setup; $H_2$-queries; $H_3$-queries
Decryption queries: On each new input $(c_1, c_2, c_3)$: $\forall (k_i, m_i, h_{3i})$ in $H_3\mathrm{List}$, $r_i = h_{3i} \oplus c_3$; $\forall r_i$ check for $\mathrm{KEM}(r_i) = (c_1, k_i)$. If not return $\bot$. Elseif $m_i \oplus H_2(k_i) \neq c_2$, return $\bot$, else return $m_i$.

27 27 Analysis. II. Construction can also be proven secure without using the Plaintext Checking oracle.
- Onewayness of Key encapsulation mechanism
- At the end of the game, a random entry in $H_2\mathrm{List}$ or $H_3\mathrm{List}$ is chosen
- The tightness is $\varepsilon' \approx \varepsilon / (q_2 + q_3)$

28 28 An Improvement. Additional hash function: $C = (c_1, c_2, c_3) = (c_1,\ m \oplus H_2(k),\ r \oplus H_3(m, k),\ H_4(r, m, k, c_1))$. No check $\forall r_i$, $\mathrm{KEM}(r_i) = (c_1, k)$ $\Rightarrow$ $\tau_B = \tau_A + q_{PC}\,\mathrm{poly}(l) + q_D \tau$

29 29 OUTLINE. Today we will discuss: Two new generic constructions; A new computational assumption; Two new identity based encryption schemes

30 30 Assumptions.
Diffie-Hellman Inversion (k-DHI): For $k \in \mathbb{Z}$, $x \in \mathbb{Z}_q^*$ and $P \in G$, given $(P, xP, x^2P, \ldots, x^kP)$, computing $(1/x)P$ (for k-BDHI, computing $\hat{e}(P, P)^{1/x}$) is hard.
k-CAA1': For $k \in \mathbb{Z}$ and $x \in \mathbb{Z}_q^*$, $P \in G$, given $(P, xP, (h_1, \tfrac{1}{x + h_1}P), \ldots, (h_k, \tfrac{1}{x + h_k}P))$, computing $(1/x)P$ (for k-BCAA1', computing $\hat{e}(P, P)^{(1/x)}$) is hard.

31 31 A New Assumption. Generalized (k-BCAA1'): For $k \in \mathbb{Z}$ and $x \in \mathbb{Z}_q^*$, $P \in G^*$, $\hat{e}: G \times G \to F$, given $(P, xP, rxP, (h_1, \tfrac{1}{x + h_1}P), \ldots, (h_k, \tfrac{1}{x + h_k}P))$, computing $\hat{e}(P, P)^r$ is hard.

32 32 OUTLINE. Today we will discuss: Two new generic constructions; A new computational assumption; Two new identity based encryption schemes

33 33 IDENTITY BASED ENCRYPTION. Public key encryption scheme where public key is an arbitrary string (ID). [Diagram labels: email encrypted using public key “deniz@b-it”; I am “deniz@b-it”; Private key; master-key; CA/PKG]

34 34 SAKAI KASAHARA KEY CONSTRUCTION. Setup(l)
– a prime $q$, groups $G$ and $F$
– $P \in G^*$, $\hat{e}: G \times G \to F$
– $x \in \mathbb{Z}_q^*$, $P_{pub} = xP$
– User A's pk $= ID_A$
– User A's sk $= d_A = [1 / (x + H_1(ID_A))]\,P$
– $H_1$ is an ordinary hash function (not MapToPoint)

35 35 SAKAI KASAHARA´S IBE SCHEME (SK-IBE)
Setup(l): Four Hash Functions
Encrypt($M$, $ID_A$)
– $\sigma \in \{0,1\}^n$ and $r = H_3(\sigma, M)$
– $rQ_A = r(xP + H_1(ID_A)P)$
– C =
Decrypt($C = (U, V, W)$, $d_A$)
– $k' = \hat{e}(d_A, U)$, $\sigma' = V \oplus H_2(k')$ and $M' = W \oplus H_4(\sigma')$
– Integrity check: $r' = H_3(\sigma', M')$

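36 36 Security of SK-IBE. Tightness: $\varepsilon_4 \approx \varepsilon_1 / [q_1 q_2 (q_3 + q_4)] \approx \varepsilon_1 / q^3$ for $q_1 = q_2 = q_3 = q_4 = q$. [Diagram labels: Res 1, Res 2, Res 3; $A_1(t_1, \varepsilon_1)$, $A_2(t_2, \varepsilon_2)$, $A_3(t_3, \varepsilon_3)$, $A_4(t_4, \varepsilon_4)$; FullIdent, BasicPub hy, BasicPub, k-BDHI]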

37 37 A New IBE Scheme SK-IBE1
Setup(l): Three Hash functions
Encrypt($m$)
– $r \in \mathbb{Z}_q^*$
– $rQ_A = r(xP + H_1(ID_A)P)$
– C =
Decrypt($C = (U, V, W)$)
– $k' = \hat{e}(d_A, U)$, $m' = V \oplus H_2(k')$
– Integrity check: $H_3(k', m') = W$

38 38 Security Proof of SK-IBE1. Theorem: $H_1$, $H_2$ and $H_3$ are random oracles. $A^{SK\text{-}IBE1}(\tau_A, \varepsilon, q_1, q_2, q_3, q_D)$, $B(\tau_B, \varepsilon', q_{PC})$ against GAP-Generalized k-BCAA1': $\varepsilon' \approx \varepsilon / q_1$, $\tau_B = \tau_A + q_{PC}\,\mathrm{poly}(l)$, $q_{PC} \le (q_2 + q_3 + q_D(q_2 + 1))$

39 39 SK-IBE2
Setup(l)
Encrypt($m$)
– $r \in \mathbb{Z}_q^*$
– $rQ_A = r(P_{pub} + H_1(ID_A)P)$
– C =
Decrypt($C = (U, V, W)$)
– $k' = \hat{e}(d_A, U)$, $m' = V \oplus H_2(k')$
– $r' = H_3(k', m') \oplus W$
– Integrity check: $r'Q_A = U$

40 40 Security Proof of SK-IBE2. Theorem: $H_1$, $H_2$ and $H_3$ are random oracles. $A^{SK\text{-}IBE2}(\tau_A, \varepsilon, q_1, q_2, q_3, q_D)$, $B(\tau_B, \varepsilon')$ solves the Generalized $q_1$-BCAA1': $\varepsilon' \approx 2\varepsilon / q_1(q_2 + q_3)$, $\tau_B = \tau_A + q_D q_3 \tau$, where $\tau$ is the time to compute $\hat{e}$ and multiplication

41 41 CONCLUSION
Two New Generic Constructions for PKE Setting
- IND-CCA secure KEM/DEM
- IND-CCA secure PKE
Two New IBE Schemes based on SK Key Construction
- SK-IBE1 → GAP Problem, tighter, easier problem
- SK-IBE2 → Generalized k-BCAA1', less tight, harder problem

42 42 THANK YOU FOR YOUR ATTENTION

43 43 A New IBE Scheme SK-IBE2
Setup(l)
Extract($ID_A$)
Encrypt($m$)
– $r \in \mathbb{Z}_q^*$
– $rQ_A = r(P_{pub} + H_1(ID_A)P)$
– C =
Decrypt($C = (U, V, W, Z)$)
– $k' = \hat{e}(d_A, U)$, $m' = V \oplus H_2(k')$
– $r' = H_3(k', m') \oplus W$
– Integrity check: $H_4(r', m', k', r'Q_A) = Z$

44 44 Hybrid PKE. Hybrid PKE = KEM + DEM. DEM(k): symmetric encryption. DEM: $C \leftarrow \mathrm{Encrypt}_{DEM}(M, k)$; $M$ or $\bot \leftarrow \mathrm{Decrypt}_{DEM}(C, k)$. Keys of KEM are from the same key space of DEM.

45 45 IND-CCA: $(pk, sk) \leftarrow \mathrm{KGen}(1^l)$; $(m_0, m_1, s) \leftarrow A_1(pk, O)$ s.t. $|m_0| = |m_1|$; $b \leftarrow \{0, 1\}$; $c \leftarrow \mathrm{Enc}(pk, m_b)$; $b' \leftarrow A_2(s, c, O)$; $\mathrm{Adv}_A(1^l) = |\Pr[b' = b] - \tfrac{1}{2}|$

46 46 Key Encapsulation Mechanism (KEM). KEM can be defined by three algorithms: $(pk, sk) \leftarrow \mathrm{KGen}(1^l)$; $(k, c) \leftarrow \mathrm{Encap}(pk, r)$; $k$ or $\bot \leftarrow \mathrm{Decap}(sk, c)$

47 47 PCA: 1 or 0 $\leftarrow O_{pca}(k, c)$. OW-PCA: $(pk, sk) \leftarrow \mathrm{KGen}(1^l)$; $(k, c) \leftarrow \mathrm{Encap}(pk, r)$; $k' \leftarrow A(pk, c, O_{pca})$ [Diagram labels: OW-PCA KEM, A, (pk, c), k´, PCA]

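48 48 IDENTITY BASED ENCRYPTION. An IBE scheme can be defined by four algorithms: (param, $M_{pk}$ and $M_{sk}$) $\leftarrow \mathrm{Setup}(1^l)$; $d_i \leftarrow \mathrm{Extract}(ID_i, M_{sk}, \mathrm{param})$; $c \in C \leftarrow \mathrm{Encrypt}(ID_i, \mathrm{param}, m)$; $m \in \{0, 1\}^n$ or $\bot \leftarrow \mathrm{Decrypt}(d_i, \mathrm{param}, c)$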

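49 49 IND-ID-CCA: $(\mathrm{param}, M_{sk}) \leftarrow \mathrm{KGen}(1^l)$; $(m_0, m_1, s, ID_{ch}) \leftarrow A_1(\mathrm{param}, O_1)$ s.t. $|m_0| = |m_1|$; $b \leftarrow \{0, 1\}$; $c \leftarrow \mathrm{Enc}(\mathrm{param}, ID_{ch}, m_b)$; $b' \leftarrow A_2(s, c, O_2)$; $\mathrm{Adv}_A(1^l) = |\Pr[b' = b] - \tfrac{1}{2}|$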

50 50 SAKAI KASAHARA´S IBE SCHEME (SK-IBE)
Setup(l)
– $H_1: \{0, 1\}^* \to \mathbb{Z}_q^*$ and $H_2: F \to \{0, 1\}^n$
– $H_3: \{0, 1\}^n \times \{0, 1\}^n \to \mathbb{Z}_q^*$ and $H_4: \{0, 1\}^n \to \{0, 1\}^n$
Extract($ID_A$) $= d_A$
Encrypt($M$)
– $\sigma \in \{0, 1\}^n$ and $r = H_3(\sigma, M)$
– $rQ_A = r(P_{pub} + H_1(ID_A)P)$
– C =
Decrypt($C = (U, V, W)$)
– $g' = \hat{e}(d_A, U)$, $\sigma' = V \oplus H_2(g')$ and $M' = W \oplus H_4(\sigma')$
– Integrity check: $r' = H_3(\sigma', M')$

51 51 Security Proof of SK-IBE1. Theorem: $H_1$, $H_2$ and $H_3$ are random oracles. $A^{SK\text{-}IBE1}(\tau_A, \varepsilon, q_1, q_2, q_3, q_D)$, $B(\tau_B, \varepsilon', q_{PC})$ against GAP-Generalized k-BCAA1': $\varepsilon' \approx \varepsilon / q_1$, $\tau_B = \tau_A + q_{PC}\,\mathrm{poly}(l)$, $q_{PC} \le (q_2 + q_3 + q_D(q_2 + 1))$

52 52 Security Proof of SK-IBE1. GAP-Generalized k-BCAA1'
$1 \le I \le q_1$ (IND-ID-CCA), $h_0 \in \mathbb{Z}_q^*$, $P_{pub} = xP - h_0P$
$H_1$-queries ($ID_j$): If $ID_j = ID_I$, $(ID_I, h_0, d_j = \bot)$ to $H_1\mathrm{List}$ and return $h_0$. Else, $(ID_j, h_j + h_0, d_j = \tfrac{1}{h_j + x}P)$ to $H_1\mathrm{List}$ and return $h_j + h_0$.

53 53 Security Proof of SK-IBE1. Extraction-query ($ID_i$): If $d_j \neq \bot$, B returns $d_j$. Else, B aborts ($E_1$). $H_2$-queries ($k$). $H_3$-queries ($m, k$).

54 54 Security Proof of SK-IBE1. Decryption query ($C_i = (U_i, V_i, W_i)$, $ID_i$)
$i = I$, $C_i = (r_i xP,\ m_i \oplus H_2(\hat{e}(P, P)^{r_i}),\ H_3(m_i, \hat{e}(P, P)^{r_i}))$
If $ID_i \notin H_1\mathrm{List}$, B queries $H_1(ID_i)$
$d_i = \bot$, if $(m_i, X_i, W_i) \notin H_3\mathrm{List}$, reject
If $H_2(X_i) \oplus m_i \neq V_i$, reject
If $X_i \neq \hat{e}(P, P)^{r_i}$, reject, else return $m_i$

55 55 Security Proof of SK-IBE1. Challenge ($(m_0, m_1)$, $ID_I$)
If $H_1(ID_I)$ and $ID_I = ID_{ch}$ and so $d_{ch} = \bot$, B continues, else B aborts ($E_4$)
Else if $H_1(ID_{ch})$ and $d_{ch} \neq \bot$, B aborts ($E_5$)
Else, $(ID_{ch}, h_0, \bot)$ to $H_1\mathrm{List}$ and continue
At this stage, $H_1(ID_{ch}) = h_0$ and $d_{ch} = \bot$. $\varepsilon' \approx \varepsilon / q_1$

56 56 SK-IBE2
Setup(l)
Extract($ID_A$)
Encrypt($m$)
– $r \in \mathbb{Z}_q^*$
– $rQ_A = r(P_{pub} + H_1(ID_A)P)$
– C =
Decrypt($C = (U, V, W)$)
– $k' = \hat{e}(d_A, U)$, $m' = V \oplus H_2(k')$
– $r' = H_3(k', m') \oplus W$
– Integrity check: $r'Q_A = U$

57 57 Security Proof of SK-IBE2. Theorem: $H_1$, $H_2$ and $H_3$ are random oracles. $A^{SK\text{-}IBE2}(\tau_A, \varepsilon, q_1, q_2, q_3, q_D)$, $B(\tau_B, \varepsilon')$ solves the $q_1$-BDHI: $\varepsilon' \approx 2\varepsilon / q_1(q_2 + q_3)$, $\tau_B = \tau_A + q_D q_3 \tau$, where $\tau$ is the time to compute $\hat{e}$ and multiplication

58 58 Security Proof of SK-IBE2. $q_1$-BDHI
$1 \le I \le q_1$ (IND-ID-CCA), $h_0 \in \mathbb{Z}_q^*$, $r \in \mathbb{Z}_q^*$, $P_{pub} = xQ - h_0Q$
$H_1$-queries ($ID_j$): If $ID_j = ID_I$, $(ID_I, h_0, d_j = \bot)$ to $H_1\mathrm{List}$ and return $h_0$. Else, $(ID_j, h_j + h_0, d_j = \tfrac{1}{h_j + x}Q)$ to $H_1\mathrm{List}$ and return $h_j + h_0$.

59 59 Security Proof of SK-IBE2. $H_2$-queries ($k_j$): As a random oracle. $H_3$-queries ($m_j, k_j$): As a random oracle. Decryption queries ($C = (U_j, V_j, W_j)$, $ID_I$): Challenge ($rQ$, $V^*$, $W^*$)

60 60 Security Proof of SK-IBE2. Guess: Pick a random $k_i$ from $H_2\mathrm{List}$ or $H_3\mathrm{List}$. $T = k_i^{(1/r)}$ and return $(T / T_0)$. $\hat{e}(P, P)^{(1/x)} = (T / T_0)$; $T = (Q, Q)^{(1/x)}$

61 61 Security Proof of SK-IBE2. Analysis: Event $E$ = $k \in (H_2\mathrm{List} \cup H_3\mathrm{List})$. $\Pr[E] \ge 2\varepsilon$. $\Pr[\mathrm{SuccessB}] \approx 2\varepsilon / q_1(q_2 + q_3) \approx \varepsilon / q^2$ for $q_1 = q_2 = q_3 = q$

