
Certificateless Public Key Encryption without Pairing

Certificateless Public Key Encryption without Pairing. Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo. Presenter: 陳國璋. Outline. Introduction, Motivation, Model, Security Notion, Scheme, Conclusion. Introduction. Features of Certificateless Public Key Encryption (CLPKE): no public key certification required; no key escrow problem.


Presentation Transcript


  1. Certificateless Public Key Encryption without Pairing Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo Presenter: 陳國璋

  2. Outline • Introduction • Motivation • Model • Security Notion • Scheme • Conclusion

  3. Introduction • Features of Certificateless Public Key Encryption (CLPKE) • No public key certification required • No key escrow problem • Drawback: relies on IBE (Identity-Based Encryption), that is, it uses bilinear pairings • This paper's improvement: no reliance on bilinear pairings

  4. Introduction • Security against • Public key replacement attack • Chosen ciphertext attack • This scheme is built on the standard computational Diffie-Hellman (CDH) problem

  5. Outline • Introduction • Motivation • Model • Security Notion • Scheme • Conclusion

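  6. Motivation • A wants to send a secret message to B • With PKE, A needs B's public key to encrypt the message • When every computation is carried out correctly, only the private key held by B corresponds to the public key used to encrypt the message, so only B can recover the plaintext from the ciphertext • A direct implication: B's public key must be guaranteed to be correct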

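  7. Motivation • In ordinary PKE, obtaining a public key requires verification through a CA • More precisely, the CA produces a digital signature on B's public key and a digital certificate, which contains • The resulting signature • The public key, which can be guarded against certain parties at the CA that are interested in the public key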

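  8. Motivation • To avoid obtaining keys through a CA, IBE is used instead, but IBE has the following two drawbacks • Bilinear pairing • Key escrow • The contribution of this paper is to construct CLPKE without using bilinear pairings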

  9. Outline • Introduction • Motivation • Model • Security Notion • Scheme • Conclusion

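  10. Model • Goal: allow a sender to send a secret message to a recipient without obtaining the recipient's public key through a CA • As a result, certificate checking is removed, which reduces system complexity • In addition, the sender must be assured that only an honest recipient who has completed the appropriate verification process and obtained the correct "partial private key" (which must be associated with the identity ID obtained from the key generation center (KGC)) is able to decrypt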

  11. Model • Algorithms that are the same as in the original CLPKE • Setup • SetSecretValue • SetPrivateKey • Encrypt • Decrypt

  12. Model • Algorithms that differ from the original CLPKE • PartialKeyExtract • SetPublicKey

  13. Model • How the PartialKeyExtract algorithm differs • Outputs a partial private key, which must be kept secret • Outputs a partial public key, which is used to produce the user's public key

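  14. Model • How the SetPublicKey algorithm differs • The output of PartialKeyExtract is used as the input of SetPublicKey, so it is impossible for a user to obtain a public key without first obtaining the partial public/private key pair from the KGC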

  15. Model • Algorithms of CLPKE – 1 • Setup • Run by the KGC • Generates the common parameters params • Generates the master key masterKey • Note that params is returned to all parties interested in the public key • (params, masterKey) = Setup()

  16. Model • Algorithms of CLPKE – 2 • PartialKeyExtract • Run by the KGC • Takes params, masterKey and the received identity ID as input • Generates the private key $D_{ID}$ and the public key $P_{ID}$ • $(P_{ID}, D_{ID})$ = PartialKeyExtract(params, masterKey, ID)

  17. Model • Algorithms of CLPKE – 3 • SetSecretValue • Run by the user • Generates the secret value $s_{ID}$ • $s_{ID}$ = SetSecretValue(params, ID)

  18. Model • Algorithms of CLPKE – 4 • SetPrivateKey • Run by the user • Generates the private key $SK_{ID}$ • $SK_{ID}$ = SetPrivateKey(params, $D_{ID}$, $s_{ID}$)

  19. Model • Algorithms of CLPKE – 5 • SetPublicKey • Run by the user • Generates the public key $PK_{ID}$ • $PK_{ID}$ = SetPublicKey(params, $P_{ID}$, $s_{ID}$, ID)

  20. Model • Algorithms of CLPKE – 6 • Encrypt • Run by the sender • Plaintext M -> Ciphertext C • C = Encrypt(params, ID, $PK_{ID}$, M)

  21. Model • Algorithms of CLPKE – 7 • Decrypt • Run by the recipient • Decrypts the ciphertext; the result δ is either the original plaintext or a "Reject" message • δ = Decrypt(params, $SK_{ID}$, C)

  22. Outline • Introduction • Motivation • Model • Security Notion • Scheme • Conclusion

  23. Security Notion • Indistinguishability of CLPKE ciphertexts under chosen ciphertext attack • Abbreviated IND-CLPKE-CCA • The difference from the original CLPKE is that the attacker's "public key request" queries require the PartialKeyExtract algorithm to be run and a response to be obtained

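  24. Security Notion • As in the original CLPKE, we assume two different types of attacker, $A_I$ and $A_{II}$ • $A_I$ has not obtained the master key from the KGC • $A_{II}$ has obtained the master key from the KGC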

  25. Security Notion • Def: IND-CLPKE-CCA • $A_I$: type I attacker (public key replacement attack) • $A_{II}$: type II attacker (chosen ciphertext attack) • Π: CLPKE scheme

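  26. Security Notion • Consider two games, "Game I" and "Game II", in which $A_I$ and $A_{II}$ respectively interact with the challenger • The challenger must keep a record of the attacker's queries and their results (history of query-answer)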

  27. Security Notion • Game I: attacker $A_I$ interacts with the challenger • Phase I-1: • The challenger runs Setup() • Generates masterKey and params • The challenger gives params to $A_I$ and keeps masterKey secret

  28. Security Notion • Phase I-2: $A_I$ may take the following actions – 1 • $A_I$ issues partial key extract queries, i.e. (ID, "partial key extract") • The challenger computes $(P_{ID}, D_{ID})$ = PartialKeyExtract(params, masterKey, ID) • Returns $(P_{ID}, D_{ID})$ to $A_I$

  29. Security Notion • Phase I-2: $A_I$ may take the following actions – 2 • $A_I$ issues private key extract queries, i.e. (ID, "private key extract") • The challenger computes • $(P_{ID}, D_{ID})$ = PartialKeyExtract(params, masterKey, ID) • $s_{ID}$ = SetSecretValue(params, ID) • $SK_{ID}$ = SetPrivateKey(params, $D_{ID}$, $s_{ID}$) • Returns $SK_{ID}$ to $A_I$

  30. Security Notion • Phase I-2: $A_I$ may take the following actions – 3 • $A_I$ issues public key request queries, i.e. (ID, "public key request") • The challenger computes • $(P_{ID}, D_{ID})$ = PartialKeyExtract(params, masterKey, ID) • $s_{ID}$ = SetSecretValue(params, ID) • $PK_{ID}$ = SetPublicKey(params, $P_{ID}$, $s_{ID}$, ID) • Returns $PK_{ID}$ to $A_I$

  31. Security Notion • Phase I-2: $A_I$ may take the following actions – 4 • $A_I$ may replace the public key $PK_{ID}$ at any time

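  32. Security Notion • Phase I-2: $A_I$ may take the following actions – 5 • $A_I$ issues decryption queries, i.e. (ID, $PK_{ID}$, C, "decryption") • If the challenger finds $SK_{ID}$ in the query-answer history • Computes δ = Decrypt(params, $SK_{ID}$, C); δ is either the plaintext or a "Reject" message • Returns δ to $A_I$ • If the challenger does not find $SK_{ID}$ in the query-answer history • Decrypts the ciphertext to δ through the "knowledge extractor" • Returns δ to $A_I$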

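  33. Security Notion • About the "knowledge extractor" • In the original CLPKE, when the public key has been replaced, decryption only returns a "Reject" message • In the new CLPKE, in that situation, the requested ciphertext can be decrypted through the knowledge extractor • "Secure Integration of Asymmetric and Symmetric Encryption Schemes" gives a more detailed explanation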

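  34. Security Notion • Phase I-3: • $A_I$ outputs two equal-length plaintexts $(M_0, M_1)$ and a target identity $ID^*$ • Restrictions on $ID^*$ • No PartialKeyExtract and SetPrivateKey queries have been made for it • It is not an identity whose public key has been replaced • On receiving $(M_0, M_1)$ and $ID^*$, the challenger picks $\beta \in \{0,1\}$ at random and builds $C^*$ = Encrypt(params, $PK_{ID^*}$, $M_\beta$) • Returns $C^*$ to $A_I$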

  35. Security Notion • Phase I-4: • $A_I$ may issue the same queries as in Phase I-2 • The restrictions on $ID^*$ are the same as in Phase I-3 • A decryption query on $C^*$ is not allowed • Phase I-5: • $A_I$ outputs $\beta' \in \{0,1\}$

  36. Security Notion • Game II: attacker $A_{II}$ interacts with the challenger • Phase II-1: • The challenger runs Setup() • Generates masterKey and params • The challenger gives masterKey and params to $A_{II}$

  37. Security Notion • Phase II-2: $A_{II}$ may take the following actions – 1 • To compute the partial key associated with an ID, $A_{II}$ computes $(P_{ID}, D_{ID})$ = PartialKeyExtract(params, masterKey, ID)

  38. Security Notion • Phase II-2: $A_{II}$ may take the following actions – 2 • $A_{II}$ issues private key extract queries, i.e. (ID, "private key extract") • The challenger computes • $(P_{ID}, D_{ID})$ = PartialKeyExtract(params, masterKey, ID) • $s_{ID}$ = SetSecretValue(params, ID) • $SK_{ID}$ = SetPrivateKey(params, $D_{ID}$, $s_{ID}$) • Returns $SK_{ID}$ to $A_{II}$

  39. Security Notion • Phase II-2: $A_{II}$ may take the following actions – 3 • $A_{II}$ issues public key request queries, i.e. (ID, "public key request") • The challenger computes • $(P_{ID}, D_{ID})$ = PartialKeyExtract(params, masterKey, ID) • $s_{ID}$ = SetSecretValue(params, ID) • $PK_{ID}$ = SetPublicKey(params, $P_{ID}$, $s_{ID}$, ID) • Returns $PK_{ID}$ to $A_{II}$

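  40. Security Notion • Phase II-2: $A_{II}$ may take the following actions – 4 • $A_{II}$ issues decryption queries, i.e. (ID, $PK_{ID}$, C, "decryption") • If the challenger finds $SK_{ID}$ in the query-answer history • Computes δ = Decrypt(params, $SK_{ID}$, C); δ is either the plaintext or a "Reject" message • Returns δ to $A_{II}$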

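  41. Security Notion • Phase II-3: • $A_{II}$ outputs two equal-length plaintexts $(M_0, M_1)$ and a target identity $ID^*$ • Restrictions on $ID^*$ • No SetPrivateKey query has been made for it • On receiving $(M_0, M_1)$ and $ID^*$, the challenger picks $\beta \in \{0,1\}$ at random and builds $C^*$ = Encrypt(params, $PK_{ID^*}$, $M_\beta$) • Returns $C^*$ to $A_{II}$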

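  42. Security Notion • Phase II-4: • $A_{II}$ may issue the same queries as in Phase II-2 • The restrictions on $ID^*$ are the same as in Phase II-3 • A decryption query on $C^*$ is not allowed • Phase II-5: • $A_{II}$ outputs $\beta' \in \{0,1\}$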

  43. Security Notion

  44. Security Notion • Def: standard "computational Diffie-Hellman (CDH)" problem • $p$, $q$ are two primes s.t. $q \mid p-1$ • $g$: generator of $Z_p^*$ • $A$: attacker, who tries to solve the following • Given $(g, g^a, g^b)$, for uniform $a, b \in Z_q^*$, compute $\kappa = g^{ab}$ • $\mathrm{Adv}^{\mathrm{CDH}}_{Z_q^*} = \Pr[A(g, g^a, g^b) = g^{ab}]$

  45. Outline • Introduction • Motivation • Model • Security Notion • Scheme • Conclusion

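  46. Scheme • This CLPKE scheme is based on the Schnorr signature • Its computational cost is quite low because of • The efficiency that the Schnorr signature brings • The effective combination of the Schnorr signature with public key encryption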

  47. Scheme • Schnorr signature • "Efficient identification and signatures for smart cards" • Hashed ElGamal encryption • "Secure Integration of Asymmetric and Symmetric Encryption Schemes"

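  48. Scheme • Setup() • Generate two primes $p$ and $q$ s.t. $q \mid p-1$ • $g$ is a generator of $Z_p^*$ • Random value $x \in Z_p^*$, and compute $y = g^x$ • Hash functions • $H_1: \{0,1\}^* \times Z_q^* \to Z_q^*$ • $H_2: \{0,1\} \times \{0,1\} \to Z_q^*$ • $H_3: Z_p^* \times Z_p^* \to \{0,1\}$ • Return params = $(p, q, g, y, H_1, H_2, H_3)$ and masterKey = $(p, q, g, x, H_1, H_2, H_3)$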

  49. Scheme • PartialKeyExtract(params, masterKey, ID) • Random value $s \in Z_q^*$ • Compute $w = g^s$ and $t = s + x H_1(ID, w)$ • Return $(P_{ID}, D_{ID}) = (w, t)$

  50. Scheme • SetSecretValue(params, ID) • Random value $z \in Z_q^*$ • Return $z$
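
The Setup and PartialKeyExtract steps of slides 48 and 49 in runnable form, as an added example that is not part of the original slides or the paper's code. It shows that the partial key (w, t) is a Schnorr signature on ID under the master key x, so it satisfies g^t = w · y^{H1(ID,w)} mod p, a check derived here from the two slide equations. The toy primes, the choice of g with order q and exponents reduced mod q, drawing x below q, and SHA-256 as H1 are assumptions.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (far too small for real use):
# q = 1019 and p = 2q + 1 = 2039 are prime, so q | p - 1.
# Assumption: g = 4 has order q, so exponents can be reduced mod q as in Schnorr.
P, Q, G = 2039, 1019, 4


def h1(identity: str, w: int) -> int:
    """Stand-in for H1: {0,1}* x Zq* -> Zq*, built from SHA-256 (assumption)."""
    digest = hashlib.sha256(f"{identity}|{w}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1  # value in [1, q-1]


def setup():
    """KGC: pick master key x and publish y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return {"p": P, "q": Q, "g": G, "y": pow(G, x, P)}, x


def partial_key_extract(params, x, identity):
    """KGC: w = g^s, t = s + x*H1(ID, w); returns (P_ID, D_ID) = (w, t)."""
    s = secrets.randbelow(params["q"] - 1) + 1
    w = pow(params["g"], s, params["p"])
    t = (s + x * h1(identity, w)) % params["q"]
    return w, t


def verify_partial_key(params, identity, w, t):
    """Derived check: g^t == w * y^H1(ID, w) mod p (Schnorr verification)."""
    p = params["p"]
    lhs = pow(params["g"], t, p)
    rhs = (w * pow(params["y"], h1(identity, w), p)) % p
    return lhs == rhs


def demo():
    params, master_key = setup()
    w, t = partial_key_extract(params, master_key, "bob@example.org")
    genuine = verify_partial_key(params, "bob@example.org", w, t)
    tampered = verify_partial_key(params, "bob@example.org", w, (t + 1) % Q)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check uses only params and the identity, so the holder of a partial key can confirm it was issued for that ID without learning the master key.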
