IDENTITY BASED ENCRYPTION

SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION

N. DENIZ SARIER

Page 1: IDENTITY BASED ENCRYPTION

IDENTITY BASED ENCRYPTION

SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION

N. DENIZ SARIER

Page 2: IDENTITY BASED ENCRYPTION

Introduction

• Public Key Encryption follows “encrypt/decrypt” model

• A new model of key encapsulation with better flexibility and security proofs

Page 3: IDENTITY BASED ENCRYPTION

Public Key Encryption

Page 4: IDENTITY BASED ENCRYPTION

Key Encapsulation Mechanism (KEM)

[Diagram labels: Encap (public key, coin), Decap (private key), c*, symmetric key k*, Symmetric-Key Encryption, KEM]

Page 5: IDENTITY BASED ENCRYPTION

How to get a Security Proof?

To get a security proof, one needs

– Computational problem P,

– Security notion,

– Cryptosystem

– Reduction of the problem P to an attack that breaks the security notion

Page 6: IDENTITY BASED ENCRYPTION

How to get a Security Proof?

Reduction of the problem P to an attack:

– Adversary A against the scheme

– Reduction uses A to solve P

Under the assumption that P is hard, the scheme is unbreakable

Page 7: IDENTITY BASED ENCRYPTION

OUTLINE

Today we will discuss

• Two new generic constructions

• A new computational assumption

• Two new identity based encryption schemes

Page 8: IDENTITY BASED ENCRYPTION

A New Generic Construction

Theorem:

Given any weakly secure Key Encapsulation Mechanism, we construct a Public Key Encryption scheme that is highly secure using two additional secure hash functions

Page 9: IDENTITY BASED ENCRYPTION

SECURITY NOTIONS

• Combination of security goals with attack models

• For different attack models, different oracle access

OW-PCA IND-CCA

Page 10: IDENTITY BASED ENCRYPTION

Onewayness Against Plaintext Checking Attacks (OW-PCA)

[Diagram labels: PCA, PC]

$\mathrm{Succ}_A(1^l) = \Pr[m^* = m]$

Page 11: IDENTITY BASED ENCRYPTION

OW-PCA secure Key Encapsulation

• (pk , sk) KeyGen (1l )

• (k* , c*) Encap (pk , r)

• k´ A (pk , c* , Opc )

[Diagram labels: A, (pk , c*), PC]

$\mathrm{Succ}_A(1^l) = \Pr[k' = k^*]$

Page 12: IDENTITY BASED ENCRYPTION

IND-CCA

$\mathrm{Adv}_A(1^l) = \left| \Pr[b' = b] - \tfrac{1}{2} \right|$

Page 13: IDENTITY BASED ENCRYPTION

A New Generic Construction

Theorem:

Given any OW-PCA secure Key Encapsulation Mechanism, we construct a Public Key Encryption scheme that is IND-CCA secure using two additional hash functions in random oracle model.

Page 14: IDENTITY BASED ENCRYPTION

Random Oracle Model

The basic principle:

• The hash function is replaced by a truly random function each time the scheme is used

• Throughout the security game, the adversary cannot compute hash values by itself; it must query the oracle embedding the function

Page 15: IDENTITY BASED ENCRYPTION

Random Oracle Model

• At start of experiment, H is completely undefined

• When H is called with query x for the first time, H selects h uniformly at random over the image set Ĥ and inserts (x , h) in a database H-List

• For each query x, H first searches for (x, h) in H-List. If found, h is returned.

Page 16: IDENTITY BASED ENCRYPTION

A New Generic Construction

Theorem:

Suppose that the hash functions H2 and H3 are random oracles. Given any OW-PCA secure Key Encapsulation Mechanism,

we construct an IND-CCA secure Public Key Encryption scheme in random oracle model.

•A ( , A , q2 , q3 , qD )

• B ( ' , B , qPC )

' , B = A + qPC poly(l)

qPC (q2 + q3 + qD (q2 + 1))

Page 17: IDENTITY BASED ENCRYPTION

A New Generic Construction

C = (c1 , c2 , c3) = (c1 , m H2 (k) , H3 (m , k) )

Page 18: IDENTITY BASED ENCRYPTION

Security Game

[Diagram labels: Setup, A, D, H, PC, pk, sk]

Problem: invert c*

Solution: Session key k*

Page 19: IDENTITY BASED ENCRYPTION

Security Proof

C = (c1 , c2 , c3) = (c1 , m H2 (k) , H3 (m , k) )

• (pk , c* , common parameters)

• Setup

• (pk , common parameters)

• H2 -queries: On each new input k,

• If 1 PC (k , c* ) , k* = k , terminate (E2)

• Else , h2 RANGE (H2) , (k , h2) H2List.

Page 20: IDENTITY BASED ENCRYPTION

Security Proof

C = (c1 , c2 , c3) = (c1 , m H2 (k) , H3 (m , k) )

• H3 -queries: On each new input (m , k),

• If 1 PC(k, c* ) , k* = k , terminate (E3).

• Else, h3 RANGE(H3) , (k, m, h3) H3List.

• Decryption queries: On each new input (c1, c2, c3)

• If (k, m, c3) H3List, return

• Elseif m H2 (k) c2. ,return

• Elseif 1 PC (k, c1) return m, else return .

Page 21: IDENTITY BASED ENCRYPTION

Security Proof

C = (c1 , c2 , c3) = (c1 , m H2 (k) , H3 (m , k) )

• Challenge :

• A outputs (m0 , m1) s.t. | m0 | = | m1 |

• B picks h2* , h3* where hi* RANGE(Hi)

• B picks {0,1} and returns C= (c*, m h2*, h3* ) to A

• B answers A's random oracle and decryption queries as before.

• If k* = k , B will return k* , otherwise B fails

Page 22: IDENTITY BASED ENCRYPTION

Simulation of Oracles

• Unless k* has been asked to H2 and H3 B breaks the OW-PCA of the KEM.

•Decryption oracle

• C= (c1, c2, c3) rejected if (m,k) H3List

• A has to guess a right value for h3 without querying H3

probability $1/2^{k_1}$ ( $H_3: \{0,1\}^* \to \{0,1\}^{k_1}$ )

Page 23: IDENTITY BASED ENCRYPTION

Analysis

• Claim: A´s view

• GuessH3 is A's correctly guessing the output of H3

Pr [SuccessB] = Pr [E2 V E3] = | Pr [´= ] | Pr [GuessH3] – ½ |

• From the definition of A | Pr [´ = ] – ½ | >

Pr [SuccessB] > - Pr [GuessH3 ] > - $q_D / 2^{k_1}$

• ( $2^{k_1} = 2^{60}$ , $q_D = 2^{30}$ Pr [SuccessB] )

Page 24: IDENTITY BASED ENCRYPTION

II. New Construction

C= (c1, c2, c3) = (c1, m H2 (k) , r H3 (m,k) )

Page 25: IDENTITY BASED ENCRYPTION

II. New Construction

Theorem:

• A ( , A , q2, q3 , qD )

• BKEM ( ' , B , qPC )

• ' , B A + qPC poly(l) +qD q3

is the time to compute KEM(r) = Encap(r , pk)

• qPC (q2 + q3 + qD(q2+1))

Page 26: IDENTITY BASED ENCRYPTION

Security Proof

C= (c1, c2, c3) = (c1, m H2 (k) , r H3 (m,k) )

• Setup

• H2 –queries

• H3 –queries

• Decryption queries: On each new input (c1, c2, c3)

• (ki, mi, h3i) in H3List, ri= h3i c3

• ri check for KEM (ri) = (c1, ki) . If not return

• Elseif mi H2 (ki) c2. , return , else return mi

Page 27: IDENTITY BASED ENCRYPTION

Analysis

• II. Construction can also be proven secure without using the Plaintext Checking oracle.

Onewayness of Key encapsulation mechanism

At the end of the game, a random entry in H2List or H3List is chosen

The tightness is ' / (q2 + q3 )

Page 28: IDENTITY BASED ENCRYPTION

An Improvement

• Additional hash function

• C = (c1 , c2 , c3) = (c1 , m H2 (k) , r H3 (m , k) , H4 (r , m , k , c1 ))

• No check ri , KEM (ri) = (c1 , k)

• B = A + qPC poly (l) + qD

Page 29: IDENTITY BASED ENCRYPTION

OUTLINE

Today we will discuss

• Two new generic constructions

• A new computational assumption

• Two new identity based encryption schemes

Page 30: IDENTITY BASED ENCRYPTION

Assumptions

Diffie-Hellman Inversion (k-DHI): For k Z , x Z*q and P G , given (P, xP, x2 P, ....., xkP), computing (1/x) P ( for k-BDHI, computing ê(P, P) 1/x ) is hard

k-CAA1’: For k Z and x Z*q , P G , given (P, xP, (h1, 1/(x+ h1)P), …, (hk, 1/(x+ hk) P) ) computing (1/x) P ( for k-BCAA1’, computing ê(P, P) (1/x) ) is hard.

Page 31: IDENTITY BASED ENCRYPTION

A New Assumption

Generalized (k-BCAA1’):

For k Z and x Z*q , P G* , ê: G x G F, given (P , xP , rx P , ( h1 , 1 / ( x+ h1) P ) ,…, ( hk , 1 / ( x + hk ) P )) computing ê(P, P)r is hard.

Page 32: IDENTITY BASED ENCRYPTION

OUTLINE

Today we will discuss

• Two new generic constructions

• A new computational assumption

• Two new identity based encryption schemes

Page 33: IDENTITY BASED ENCRYPTION

IDENTITY BASED ENCRYPTION

Public key encryption scheme where public key is an arbitrary string (ID)

[Diagram labels: email encrypted using public key “deniz@b-it”; I am “deniz@b-it”; Private key; master-key; CA/PKG]

Page 34: IDENTITY BASED ENCRYPTION

SAKAI KASAHARA KEY CONSTRUCTION

• Setup(l)

– a prime q, groups G and F

– P G* , ê: G x G F

– x ∈ Zq* , Ppub = xP

– User A’s pk = IDA

– User A’s sk = dA = [1/ (x+H1 (IDA)) ] P

– H1 is an ordinary hash function (not MapToPoint)

Page 35: IDENTITY BASED ENCRYPTION

SAKAI KASAHARA´S IBE SCHEME (SK-IBE)

• Setup (l) : Four Hash Functions

• Encrypt (M, IDA)

– σ {0 , 1}n and r = H3(σ,M)

– rQA = r (xP + H1 (IDA)P)

– C = < rQA , σ H2 (ê (P , P)r) , M H4(σ) >

• Decrypt (C = (U , V , W), dA)

– k´ = ê(dA , U) , σ´ = V H2 (k´) and M´ = W H4 (σ´)

– Integrity check: r´ = H3 (σ´ , M´)

Page 36: IDENTITY BASED ENCRYPTION

Security of SK-IBE

• Tightness

• 4 1 / [ q1 q2 (q3 + q4)] 1 / q3

for q1 = q2 = q3 = q4 =q

[Diagram labels: Res 1, Res 2, Res 3; A1 (t1 , 1), A2 (t2 , 2), A3 (t3 , 3), A4 (t4 , 4); FullIdent, BasicPubhy, BasicPub, k-BDHI]

Page 37: IDENTITY BASED ENCRYPTION

A New IBE Scheme SK-IBE1

• Setup (l): Three Hash functions

• Encrypt (m)

– r Zq*

– rQA = r(xP + H1 (IDA)P)

– C = < rQA , m H2 (ê (P,P)r) , H3 (m , (ê (P,P)r) ) >

• Decrypt (C = (U , V , W))

– k´ = ê(dA , U) , m´ = V H2 (k´)

– Integrity check: H3 (k´ , m´) = W
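The Sakai-Kasahara key construction and the SK-IBE1 encrypt/decrypt flow, as an added example that is not from the slides. It assumes the operator lost between m and H2(...) is XOR, feeds H3 as (m, k) as on the Encrypt line, and replaces the pairing by an exponent-space model with no security at all; the function names and the SHA-256/SHAKE-based hashes are this example's own.

```python
import hashlib, secrets

# Exponent-space model of the pairing (assumption of this example, NOT secure):
# a point aP in G is stored as a mod Q, a value e(P,P)^t in F as t mod Q,
# so e(aP, bP) = e(P,P)^(ab) becomes a*b mod Q.
Q = 2**127 - 1                                 # prime group order

def pair(a, b):
    return a * b % Q

def _hash(tag, *parts):
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def H1(identity):                              # ordinary hash into Z_q, no MapToPoint
    return int.from_bytes(_hash(b"H1", identity.encode()), "big") % Q

def H2(k, n):
    return hashlib.shake_256(b"H2" + k.to_bytes(16, "big")).digest(n)

def H3(m, k):
    return _hash(b"H3", m, k.to_bytes(16, "big"))

def xor(a, b):                                 # assumed operator between m and H2(...)
    return bytes(i ^ j for i, j in zip(a, b))

def setup():
    x = secrets.randbelow(Q - 1) + 1           # master key x
    return x, x                                # (msk, Ppub = xP)

def extract(msk, identity):                    # d_A = [1/(x + H1(ID_A))] P
    return pow(msk + H1(identity), -1, Q)

def encrypt(ppub, identity, m):
    r = secrets.randbelow(Q - 1) + 1
    u = r * (ppub + H1(identity)) % Q          # U = r(xP + H1(ID_A)P)
    k = r * pair(1, 1) % Q                     # e(P,P)^r
    return u, xor(m, H2(k, len(m))), H3(m, k)

def decrypt(d, c):
    u, v, w = c
    k = pair(d, u)                             # e(d_A, U) = e(P,P)^r for the right key
    m = xor(v, H2(k, len(v)))
    return m if H3(m, k) == w else None        # integrity check, None = reject
```

Decrypting with a key extracted for another identity yields a different k´, so the H3 check fails and the ciphertext is rejected.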

Page 38: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE1

Theorem:

• H1, H2 and H3 are random oracles

• ASK-IBE1 (A , , q1, q2 , q3 , qD)

• B (B , ' ‚ qPC) against GAP-Generalized k-BCAA1'

• ' / q1 , B = A + qPC poly(l)

• qPC (q2 + q3 + qD (q2 + 1))

Page 39: IDENTITY BASED ENCRYPTION

SK-IBE2

• Setup (l)

• Encrypt (m)

– r Zq*

– rQA = r(Ppub + H1 (IDA)P)

– C = <rQA, m H2(gr) , r H3(m, gr) >

• Decrypt (C = (U , V , W))

– k´ = ê(dA , U) , m´ = V H2 (k´)

– r´ = H3 (k´ , m´) W

– Integrity check: r´QA = U

Page 40: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE2

Theorem:

• H1, H2 and H3 are random oracles

• ASK-IBE2 (A , , q1, q2 , q3 , qD)

• B (B , ' ) solves the Generalized q1-BCAA1'

• ' 2 / q1 (q2 + q3 ) , B = A + qD q3

is the time to compute ê and multiplication

Page 41: IDENTITY BASED ENCRYPTION

CONCLUSION

• Two New Generic Constructions for PKE Setting

– IND-CCA secure KEM/DEM

– IND-CCA secure PKE

• Two New IBE Schemes based on SK Key Construction

– SK-IBE1: GAP Problem, tighter, easier problem

– SK-IBE2: Generalized k-BCAA1' , less tight, harder problem

Page 42: IDENTITY BASED ENCRYPTION

THANK YOU FOR YOUR ATTENTION

Page 43: IDENTITY BASED ENCRYPTION

A New IBE Scheme SK-IBE2

• Setup (l)

• Extract (IDA)

• Encrypt (m)

– r Zq*

– rQA = r (Ppub + H1 (IDA)P)

– C = < rQA , m H2 (gr) , r H3 (m , gr) , H4 (r , m , gr , rQA) >

• Decrypt (C = (U , V , W , Z))

– k´ = ê(dA , U) , m´ = V H2 (k´)

– r´ = H3 (k´ , m´) W

– Integrity check: H4 (r´ , m´ , k´ , r´QA) = Z

Page 44: IDENTITY BASED ENCRYPTION

Hybrid PKE

• Hybrid PKE = KEM + DEM

• DEM(k) symmetric encryption

• DEM

• C Encrypt {DEM} (M , k)

• M or Decrypt {DEM} (C , k)

• Keys of KEM are from the same key space of DEM.

Page 45: IDENTITY BASED ENCRYPTION

IND-CCA

• (pk , sk) KGen (1l)

• (m0 , m1 , s) A1 (pk ,O) s.t | m0 | = | m1 |

• b {0 , 1}

• c Enc (pk , mb)

• b´ A2 (s , c , O)

$\mathrm{Adv}_A(1^l) = \left| \Pr[b' = b] - \tfrac{1}{2} \right|$

Page 46: IDENTITY BASED ENCRYPTION

Key Encapsulation Mechanism (KEM)

KEM can be defined by three algorithms:

• (pk , sk) KGen (1l)

• (k , c) Encap (pk , r)

• k or Decap (sk , c)

Page 47: IDENTITY BASED ENCRYPTION

OW-PCA KEM

• PCA

• 1 or 0 Opca (k , c)

• OW-PCA

• (pk , sk) KGen (1l )

• (k , c) Encap (pk , r)

• k´ A (pk , c , Opca )

[Diagram labels: A, (pk , c), PCA]

Page 48: IDENTITY BASED ENCRYPTION

IDENTITY BASED ENCRYPTION

An IBE scheme can be defined by four algorithms:

• (param , Mpk and Msk ) Setup (1l)

• di Extract (IDi , Msk , param)

• c C Encrypt (IDi , param , m)

• m {0 , 1}n or Decrypt (di , param , c)

Page 49: IDENTITY BASED ENCRYPTION

IND-ID-CCA

• (param , Msk) KGen (1l)

• (m0 , m1 , s , IDch ) A1 (param , O1) s.t | m0 | = | m1 |

• b {0 , 1}

• c Enc (param , IDch , mb )

• b´ A2 (s , c , O2)

$\mathrm{Adv}_A(1^l) = \left| \Pr[b' = b] - \tfrac{1}{2} \right|$

Page 50: IDENTITY BASED ENCRYPTION

SAKAI KASAHARA´S IBE SCHEME (SK-IBE)

• Setup (l)

– $H_1: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_2: F \to \{0,1\}^n$

– $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$

• Extract (IDA) = dA

• Encrypt (M)

– σ {0 , 1}n and r = H3(σ,M)

– rQA = r (Ppub + H1 (IDA)P)

– C = < rQA , σ H2 (gr) , M H4(σ) >

• Decrypt (C = (U , V , W))

– g´ = ê(dA , U) , σ´ = V H2 (g´) and M´ = W H4 (σ´)

– Integrity check: r´ = H3 (σ´ , M´)

Page 51: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE1

Theorem:

• H1, H2 and H3 are random oracles

• ASK-IBE1 (A , , q1, q2 , q3 , qD)

• B (B , ' ‚ qPC) against GAP-Generalized k-BCAA1'

• ' / q1 , B = A + qPC poly(l)

• qPC (q2 + q3 + qD (q2 + 1))

Page 52: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE1

• GAP- Generalized k-BCAA1'

• 1I q1 ( IND-ID-CCA) , h0 Zq*

• Ppub = xP - h0 P

• H1–queries (IDj)

• If IDj = IDI , (IDI , h0 , dj = ) to H1List and return h0

• Else, (IDj , hj + h0 , dj = 1 / (hj + x)P) to H1List and return hj + h0

Page 53: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE1

• Extraction-query (IDi)

• If dj , B returns dj

• Else, B aborts (E1)

• H2 –queries (k)

• H3 –queries (m,k)

Page 54: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE1

• Decryption query (Ci = (Ui , Vi , Wi) , IDi)

• i = I , Ci = ( rixP , mi H2 (ê (P , P)ri ) , H3 (mi , ê(P , P )ri )

• If IDi H1List , B queries H1(IDi)

• di = , if (mi , Xi , Wi) H3List , reject

• If H2 (Xi) mi Vi , reject

• If Xi ê(P , P)ri , reject, else return mi

Page 55: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE1

• Challenge ((m0 , m1) , IDI))

• If H1 (IDI) and IDI = IDch and so dch = , B continues, else B aborts (E4 )

• Else if H1(IDch) and dch , B aborts (E5)

• Else , (IDch , h0 , ) to H1List and continue

• At this stage , H1 (IDch) = h0 and dch =

´ / q1

Page 56: IDENTITY BASED ENCRYPTION

SK-IBE2

• Setup (l)

• Extract (IDA)

• Encrypt (m)

– r Zq*

– rQA = r(Ppub + H1 (IDA)P)

– C = <rQA, m H2(gr) , r H3(m, gr) >

• Decrypt (C = (U , V , W))

– k´ = ê(dA , U) , m´ = V H2 (k´)

– r´ = H3 (k´ , m´) W

– Integrity check: r´QA = U

Page 57: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE2

Theorem:

• H1, H2 and H3 are random oracles

• ASK-IBE2 (A , , q1, q2 , q3 , qD)

• B (B , ' ) solves the q1 -BDHI

• ' 2 / q1 (q2 + q3 ) , B = A + qD q3

is the time to compute ê and multiplication

Page 58: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE2

• q1 -BDHI

• 1 I q1 ( IND-ID-CCA), h0 Zq* , r Zq*

• Ppub = xQ - h0 Q

• H1–queries (IDj) ,

• If IDj = IDI , (IDI , h0 , dj = ) to H1List and return h0

• Else, (IDj , hj + h0 , dj = 1 / (hj + x)Q) to H1List and return hj + h0

Page 59: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE2

• H2–queries (kj): As a random oracle

• H3–queries (mj , kj): As a random oracle

• Decryption queries (C = (Uj , Vj , Wj) , IDI):

• Challenge (rQ , V* , W*)

Page 60: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE2

• Guess

• Pick a random ki from H2List or H3List

• T = ki (1/r) and return (T / T0)

• ê (P , P) (1/x) = (T / T0) T = (Q , Q)(1/x)

Page 61: IDENTITY BASED ENCRYPTION

Security Proof of SK-IBE2

• Analysis

• Event E = k (H2List H3List)

• Pr [E ] 2

• Pr [SuccessB] 2 / q1 (q2 + q3 ) / q2 for q1 = q2 = q3 = q