Date posted: 21-Dec-2015
Strongly Secure Certificateless Encryption
Alexander W. Dent
Information Security Group
This is joint work with…
Benoit Libert, UCL, Belgium
Kenny Paterson, Royal Holloway
Table of Contents
• Certificateless encryption (7 slides)
• A theoretical construction (4 slides)
• A practical construction (1 slide)
• Conclusions (2 slides)
Certificateless Encryption
Certificateless Encryption
• Public-key encryption
  – Receivers generate their own keys
  – Senders are required to download certificates
• Identity-based encryption
  – KGC generates decryption keys
  – Inherent key escrow problem
  – Senders not required to download certificates
  – Revocation could be a problem
Certificateless Encryption
• Certificateless encryption
  – Each user generates their own public key from a randomly generated “secret value”.
  – KGC provides a partial private key for a user’s identity.
  – Encryption requires the user’s public key and the user’s identity.
  – Decryption requires a private key based on the user’s secret value and partial private key.
Certificateless Encryption
• Certificateless encryption
  – Senders not required to download certificates
  – No inherent key escrow problem
  – Revocation potentially still a problem
• Two security models:
  – Security against an outsider attacker
  – Security against a KGC
Certificateless Encryption
[Diagram: the oracles available to the attacker in the security game]
• Encryption oracle: (ID*, m0, m1) → C*
• Extract partial private key: ID → dID
• Extract full private key: ID → skID
• Request public key: ID → pkID
• Replace public key: (ID, pkID)
• Decrypt: C → m
Certificateless Encryption
• Assume queries that trivially win the game are not allowed:
  – E.g. finding the full private key for ID*.
  – E.g. finding the partial private key for ID* and replacing the challenge public key.
  – E.g. finding the decryption of C*.
• Similar model for the KGC. Attacker is given the KGC’s master private key.
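The restrictions on this slide can be written as a check over an outsider attacker's query transcript. This is an added example, not code from the talk: the tuple format and the function name are hypothetical, and it reads “replacing the challenge public key” as a replacement made before C* is produced.

```python
# Added example: flags oracle queries that "trivially win" the outsider game.
# Transcript format and names are hypothetical, not from the talk.

def first_trivial_win(transcript):
    """Return (index, reason) for the first disallowed query, or None."""
    full, partial, replaced = set(), set(), set()
    id_star = c_star = None
    star_replaced = False  # was ID*'s public key replaced before C* was made?
    for i, (op, *args) in enumerate(transcript):
        if op == "challenge":              # ("challenge", ID*, C*)
            id_star, c_star = args
            star_replaced = id_star in replaced
            if id_star in full:
                return i, "full private key for ID* was extracted"
            if star_replaced and id_star in partial:
                return i, "partial key for ID* known, challenge key replaced"
        elif op == "full":                 # ("full", ID) -> sk_ID
            if args[0] == id_star:
                return i, "full private key for ID*"
            full.add(args[0])
        elif op == "partial":              # ("partial", ID) -> d_ID
            if args[0] == id_star and star_replaced:
                return i, "partial key for ID* known, challenge key replaced"
            partial.add(args[0])
        elif op == "replace":              # ("replace", ID): new pk_ID installed
            replaced.add(args[0])
        elif op == "decrypt":              # ("decrypt", ID, C) -> m
            if tuple(args) == (id_star, c_star):
                return i, "decryption of C*"
        # ("request", ID) -> pk_ID is always allowed
    return None

# Constructed sample transcripts (identities and ciphertext labels are made up).
ALLOWED = [("replace", "bob"), ("challenge", "bob", "C*"),
           ("decrypt", "bob", "C1")]   # strong oracle answers under replaced key
KEY_AND_REPLACE = ALLOWED[:2] + [("partial", "bob")]
DECRYPT_CHALLENGE = [("challenge", "bob", "C*"), ("decrypt", "bob", "C*")]
FULL_KEY = [("full", "bob"), ("challenge", "bob", "C*")]

if __name__ == "__main__":
    for name in ("ALLOWED", "KEY_AND_REPLACE", "DECRYPT_CHALLENGE", "FULL_KEY"):
        print(name, first_trivial_win(globals()[name]))
```

Queries made before the challenge are judged retroactively at the challenge step, since ID* is only fixed at that point.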
Certificateless Encryption
• How do we define the decrypt oracle?
  – Original paper defined the decryption oracle as decrypting ciphertexts using the private key associated with the current public key.
  – Known as strong decryption oracle.
  – Doesn’t appear to reflect any realistic attack.
  – Several schemes secure in the random oracle model using strong decryption oracles.
  – We provide the first standard-model schemes.
Certificateless Encryption
• Why is this an interesting problem?
  – The original security model.
  – Intellectual challenge: several papers and informal conversations have suggested that the community thinks this can’t be achieved.
  – Model with non-polynomial-time challenger.
  – Proves security in weaker models.
Theoretical Construction
Theoretical Construction
• We use a Naor-Yung/Sahai construction.
• Use multiple passively secure encryption schemes and a NIZK proof system.
• One passively secure certificateless encryption scheme: CE.
• Two instances of a passively secure public-key encryption scheme: E.
Theoretical Construction
• ID and pk are the user’s identity and public key.
• mpk1 and mpk2 are part of the system parameters
• Decryption process uses the certificateless encryption scheme
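[Diagram: encryption of a message m]
• C1: m encrypted with CE under (ID, pk)
• C2: m encrypted with E under mpk1
• C3: m encrypted with E under mpk2
• + NIZK proof that (C1,C2,C3) are all encryptions of the same message.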
Theoretical Construction
• Two independent instances of the public-key encryption scheme required for strong decryption oracles.
• This could be replaced with one instance of an IND-CCA2 secure public-key encryption scheme.
• One instance of the public-key encryption scheme is sufficient for weaker models.
Theoretical Construction
• Passively secure certificateless encryption schemes can be constructed from passively secure public-key encryption and identity-based encryption [LQ06].
• Passively secure public-key encryption schemes can be constructed from trapdoor one-way functions [GL89].
• NIZK can be constructed from trapdoor one-way permutations [FLS99,BY96,S99].
Practical Construction
Practical Construction
• Based on a 2-level Waters HIBE.
• Chosen ciphertext security achieved using Boyen-Mei-Waters techniques.
• Underlying assumptions:
  – 3-Party DDH assumption in a pairing group: “Given randomly chosen (g^x, g^y, g^z), distinguish g^(xyz) from a random element”.
  – Collision resistant hash functions.
Conclusions
Conclusions
• It is possible to build certificateless encryption schemes that are secure with strong decryption oracles in the standard model.
  – Is it really necessary to improve on the constructions?
  – Intellectual challenge: is it possible to prove security in a model where the KGC is allowed to pick the system parameters adversarially?
Conclusions
• Certificateless encryption schemes exist provided that trapdoor one-way permutations exist and passively secure identity-based encryption exists.
  – We are unaware of any proof that gives minimal conditions for identity-based encryption to exist.
  – Can we find minimal assumptions for the existence of certificateless encryption?
Questions?