180 likes | 297 Views
Efficient Identity-Based Encryption Without Random Oracles. Brent Waters Stanford Universtiy. Additional slides contributed by Dan Boneh. I am “alice@stanford.edu”. email encrypted using public key: “alice@stanford.edu”. Private key. Identity-Based Encryption (IBE).
E N D
Efficient Identity-BasedEncryption Without Random Oracles Brent Waters Stanford Universtiy Additional slides contributed by Dan Boneh.
I am“alice@stanford.edu” email encrypted using public key: “alice@stanford.edu” Private key Identity-Based Encryption (IBE) • IBE: Public key encryption scheme where public key is an arbitrary string (ID). • Examples: user’s e-mail address, current-date, … CA/PKG master-key
Brief History of IBE • Shamir ’84 • Challenged community with IBE concept • BF’01 • Pairing-based cryptography • Proof uses Random Oracles • CHK’03 • Introduced weaker “Selective-ID” model • Proof without Random Oracles • Ciphertext element per bit of identity
Brief History of IBE • BB’04 Eurocrypt • Efficient system in Selective-ID model • BB’04 (Crypto) • Proof in full model w/o Random Oracles • Not practical system • This work • Practical system with proof in full model w/o Random Oracles • Mathematically similar to BB’04 (Eurocrypt)
IBE System • Setup • Generate public parameters • Key Gen • Generate a private key • Encrypt • Encrypt message M for given identity, ID • Decrypt • Decrypt a ciphertext if have private key for identity
ID1 dID1 params ID* , m0, m1 G C* = Enc( mb , ID* , params) b’ {0,1} IBE Semantic Security Challenger Attacker Setup , ID2 , ID3 , …, IDm KeyGen , dID2 , dID3 , …, dIDm b{0,1} IDi ID* • Def: Alg. A -breaks IBE sem. sec. if Pr[b=b’] > ½ + • (t,)-security: no t-time alg. can -break IBE sem. sec.
Bilinear Maps • G , G1: finite cyclic groups of prime order p. • Def: An admissible bilinear map e: GG G1 is: • Bilinear: e(ga, gb) = e(g,g)ab a,bZ, gG • Non-degenerate:g generates G e(g,g) generates G1 . • Efficiently computable.
Complexity Assumption • Def: Alg. A -solves Bilinear-DDH in group G if: | Pr[ A(g,ga,gb,gc,e(g,g)abc)= 1 ] -Pr[ A(g,ga,gb,gc,e(g,g)z)= 1 ] | > where g G and a,b,c,z {1,…,p-1}.
Our Scheme • Setup • Key Gen(v) • Encrypt(v,M) • Decrypt(d,C=C0,C1,C2) g,g1=ga , g2, u’, U=u1, …un2 G MK=g2a d=g2a(u’Õi 2 Vui)r ,gr V´{i : vi =1} e(g1,g2)tM, gt, (u’Õi 2 Vui)t Observe: e(d1,C1)/e(d2,C2)= e(g1,g2)t
Comparison to BB’04 • Setup • Key Gen(v) • Encrypt(v,M) • Decrypt(d,C=C0,C1,C2) g,g1=ga , g2, u’, U=u1, …,un2 G MK=ga d=g2a(u’Õi 2 Vui)r ,gr V´{i : vi =1} e(g1,g2)tM, gt, (u’Õi 2 Vui)t Observe: e(d1,C1)/e(d2,C2)= e(g1,g2)t
Comparison to BB’04 • Setup • Key Gen(v) • Encrypt(v,M) • Decrypt(d,C=C0,C1,C2) g,g1=ga , g2, h2 G MK=ga d=g2a(g1vh)r ,gr e(g1,g2)tM, gt, (g1vh)t Observe: e(d1,C1)/e(d2,C2)= e(g1,g2)t
Private Key Set Challenge Set “bob@stanford.edu” “Madonna” “Peter Clarke” “Carleton Kingsford III” “Artist Formerly Known As Prince” “David Bowie” Proof Idea • Commit to parameters • Identities can either generate keys for them or use as a challenge • Must abort if adversary’s actions don’t match • Difficulty is in bounding abort probability
Bounding abort probability • Limit dependencies • “Bob” in Private Key set => “Alice” in Private Key Set • Pairwise independence is enough • If v and v’ differ in at least 1 bit u’Õi 2 Vuiandu’Õi 2 V’uidiffer in at least one element • Pr[not abort] > 1/(8(n+1)q) q- is max # of queries
Signature Scheme • Transformation from IBE scheme into signature scheme (IBE keys =sigs) • Efficient signature scheme relies on Computational-DH assumption • ..., but has somewhat large public key
Conclusions + Open Problems • Presented fully secure and efficient IBE scheme in standard model • Can we reduce public parameter size? • Get tight bounds?
Proof Idea Set m=4q (q-max number of queries) Guess k from 0 to n Choose random y’,y1, ... yn2 Zp Choose random x’,x1,...xn2 [0,m-1] Set u’=gy’g1p-km+x’ ui=gyi g1xi For a given identity, v, we have u’Õi 2 Vui=gy’+å yi g1 p+km+x’å xi In challenge set if x’+åi 2 V xi=km (BB’04)
Proof Idea • x’+åi 2 V xi=km Can construct private key if x’+åi 2 V xi ¹ 0 mod m Use as challenge otherwise (and k guessed correctly) Since identities differ by at least one bit, get pairwise independence Bound probability of aborting as 1/(8(n+1)q)