1 / 18

Efficient Identity-Based Encryption Without Random Oracles

Efficient Identity-Based Encryption Without Random Oracles. Brent Waters Stanford Universtiy. Additional slides contributed by Dan Boneh. I am “alice@stanford.edu”. email encrypted using public key: “alice@stanford.edu”. Private key. Identity-Based Encryption (IBE).

tyler
Download Presentation

Efficient Identity-Based Encryption Without Random Oracles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Efficient Identity-BasedEncryption Without Random Oracles Brent Waters Stanford Universtiy Additional slides contributed by Dan Boneh.

  2. I am“alice@stanford.edu” email encrypted using public key: “alice@stanford.edu” Private key Identity-Based Encryption (IBE) • IBE: Public key encryption scheme where public key is an arbitrary string (ID). • Examples: user’s e-mail address, current-date, … CA/PKG master-key

  3. Brief History of IBE • Shamir ’84 • Challenged community with IBE concept • BF’01 • Pairing-based cryptography • Proof uses Random Oracles • CHK’03 • Introduced weaker “Selective-ID” model • Proof without Random Oracles • Ciphertext element per bit of identity

  4. Brief History of IBE • BB’04 Eurocrypt • Efficient system in Selective-ID model • BB’04 (Crypto) • Proof in full model w/o Random Oracles • Not practical system • This work • Practical system with proof in full model w/o Random Oracles • Mathematically similar to BB’04 (Eurocrypt)

  5. IBE System • Setup • Generate public parameters • Key Gen • Generate a private key • Encrypt • Encrypt message M for given identity, ID • Decrypt • Decrypt a ciphertext if have private key for identity

  6. ID1 dID1 params ID* , m0, m1  G C* = Enc( mb , ID* , params) b’  {0,1} IBE Semantic Security Challenger Attacker Setup , ID2 , ID3 , …, IDm KeyGen , dID2 , dID3 , …, dIDm b{0,1} IDi ID* • Def: Alg. A -breaks IBE sem. sec. if Pr[b=b’] > ½ +  • (t,)-security: no t-time alg. can -break IBE sem. sec.

  7. Bilinear Maps • G , G1: finite cyclic groups of prime order p. • Def: An admissible bilinear map e: GG G1 is: • Bilinear: e(ga, gb) = e(g,g)ab a,bZ, gG • Non-degenerate:g generates G  e(g,g) generates G1 . • Efficiently computable.

  8. Complexity Assumption • Def: Alg. A -solves Bilinear-DDH in group G if: | Pr[ A(g,ga,gb,gc,e(g,g)abc)= 1 ] -Pr[ A(g,ga,gb,gc,e(g,g)z)= 1 ] | >  where g  G and a,b,c,z  {1,…,p-1}.

  9. Our Scheme • Setup • Key Gen(v) • Encrypt(v,M) • Decrypt(d,C=C0,C1,C2) g,g1=ga , g2, u’, U=u1, …un2 G MK=g2a d=g2a(u’Õi 2 Vui)r ,gr V´{i : vi =1} e(g1,g2)tM, gt, (u’Õi 2 Vui)t Observe: e(d1,C1)/e(d2,C2)= e(g1,g2)t

  10. Comparison to BB’04 • Setup • Key Gen(v) • Encrypt(v,M) • Decrypt(d,C=C0,C1,C2) g,g1=ga , g2, u’, U=u1, …,un2 G MK=ga d=g2a(u’Õi 2 Vui)r ,gr V´{i : vi =1} e(g1,g2)tM, gt, (u’Õi 2 Vui)t Observe: e(d1,C1)/e(d2,C2)= e(g1,g2)t

  11. Comparison to BB’04 • Setup • Key Gen(v) • Encrypt(v,M) • Decrypt(d,C=C0,C1,C2) g,g1=ga , g2, h2 G MK=ga d=g2a(g1vh)r ,gr e(g1,g2)tM, gt, (g1vh)t Observe: e(d1,C1)/e(d2,C2)= e(g1,g2)t

  12. Private Key Set Challenge Set “bob@stanford.edu” “Madonna” “Peter Clarke” “Carleton Kingsford III” “Artist Formerly Known As Prince” “David Bowie” Proof Idea • Commit to parameters • Identities can either generate keys for them or use as a challenge • Must abort if adversary’s actions don’t match • Difficulty is in bounding abort probability

  13. Bounding abort probability • Limit dependencies • “Bob” in Private Key set => “Alice” in Private Key Set • Pairwise independence is enough • If v and v’ differ in at least 1 bit u’Õi 2 Vuiandu’Õi 2 V’uidiffer in at least one element • Pr[not abort] > 1/(8(n+1)q) q- is max # of queries

  14. Signature Scheme • Transformation from IBE scheme into signature scheme (IBE keys =sigs) • Efficient signature scheme relies on Computational-DH assumption • ..., but has somewhat large public key

  15. Conclusions + Open Problems • Presented fully secure and efficient IBE scheme in standard model • Can we reduce public parameter size? • Get tight bounds?

  16. Proof Idea Set m=4q (q-max number of queries) Guess k from 0 to n Choose random y’,y1, ... yn2 Zp Choose random x’,x1,...xn2 [0,m-1] Set u’=gy’g1p-km+x’ ui=gyi g1xi For a given identity, v, we have u’Õi 2 Vui=gy’+å yi g1 p+km+x’å xi In challenge set if x’+åi 2 V xi=km (BB’04)

  17. Proof Idea • x’+åi 2 V xi=km Can construct private key if x’+åi 2 V xi ¹ 0 mod m Use as challenge otherwise (and k guessed correctly) Since identities differ by at least one bit, get pairwise independence Bound probability of aborting as 1/(8(n+1)q)

More Related