IDENTITY BASED ENCRYPTION

Post on 02-Feb-2016


IDENTITY BASED ENCRYPTION. SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION. N. DENIZ SARIER. Introduction. Public Key Encryption follows “encrypt/decrypt” model A new model of key encapsulation with better flexibility and security proofs. Public Key Encryption. - PowerPoint PPT Presentation

Transcript of IDENTITY BASED ENCRYPTION

1

IDENTITY BASED ENCRYPTION

SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA

KEY CONSTRUCTION

N. DENIZ SARIER

2

Introduction

•Public Key Encryption follows “encrypt/decrypt” model

•A new model of key encapsulation with better flexibility and security proofs

3

Public Key Encryption

4

Key Encapsulation Mechanism (KEM)

[Diagram: KEM, with Encap (inputs: public key, coin) and Decap (input: private key), the value c*, and the symmetric key k* used for Symmetric-Key Encryption.]

5

How to get a Security Proof ?

To get a security proof, one needs

– Computational problem P,

– Security notion,

– Cryptosystem

– Reduction of the problem P to an attack that breaks the security notion

6

How to get a Security Proof ?

Reduction of the problem P to an attack:

– Adversary A against the scheme

– Reduction uses A to solve P

Under the assumption that P is hard, the scheme is unbreakable

7

Today we will discuss

• Two new generic constructions

• A new computational assumption

• Two new identity based encryption schemes

OUTLINE

8

Theorem:

Given any weakly secure Key Encapsulation Mechanism,

we construct a Public Key Encryption scheme that is highly secure using two additional secure hash functions

A New Generic Construction

9

• Combination of security goals with attack models

• For different attack models, different oracle access

SECURITY NOTIONS

OW-PCA IND-CCA

10

Onewayness Against Plaintext Checking Attacks (OW-PCA)

PCA PC

$\mathrm{Succ}_A(1^l) = \Pr[m^* = m]$

11

• (pk , sk) KeyGen (1l )

• (k* , c*) Encap (pk , r)

• k´ A (pk , c* , Opc )

OW-PCA secure Key Encapsulation

[Diagram: adversary A, given (pk , c*), with access to the PC oracle]

$\mathrm{Succ}_A(1^l) = \Pr[k' = k^*]$

12

$\mathrm{Adv}_A(1^l) = |\Pr[b' = b] - \tfrac{1}{2}|$

IND-CCA

13

Theorem:

Given any OW-PCA secure Key Encapsulation Mechanism, we construct a Public Key Encryption scheme that is IND-CCA secure using two additional hash functions in random oracle model.

A New Generic Construction

14

The basic principle:

• The hash function is replaced by a truly random function each time the scheme is used

• Throughout the security game, the adversary cannot compute hash values by itself; it must query the oracle embedding the function

Random Oracle Model

15

• At start of experiment, H is completely undefined

• When H is called with query x for the first time, H selects h uniformly at random over the image set Ĥ and inserts (x , h) in a database H-List

• For each query x, H first searches for (x, h) in H-List. If found, h is returned.

Random Oracle Model

16

A New Generic Construction

Theorem:

Suppose that the hash functions H2 and H3 are random oracles. Given any OW-PCA secure Key Encapsulation Mechanism,

we construct an IND-CCA secure Public Key Encryption scheme in random oracle model.

•A ( , A , q2 , q3 , qD )

• B ( ' , B , qPC )

' , B = A + qPC poly(l)

qPC (q2 + q3 + qD (q2 + 1))

17

A New Generic Construction

C = (c1 , c2 , c3) = (c1 , m H2 (k) , H3 (m , k) )
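
The construction on this slide, instantiated as an added example (not code from the presentation). It assumes the operator lost between m and H2(k) in the transcript is XOR, uses SHAKE-256 and SHA-256 as stand-ins for H2 and H3, and uses a constructed toy Diffie-Hellman KEM (p = 2039, far too small for real use) in place of "any OW-PCA secure KEM".

```python
import hashlib
import hmac
import secrets

# Constructed toy group: p = 2q + 1 with q = 1019, g = 4 has order q. NOT a secure size.
P, Q, G = 2039, 1019, 4

def kem_keygen():
    sk = 1 + secrets.randbelow(Q - 1)            # sk in [1, q-1]
    return pow(G, sk, P), sk                     # (pk, sk)

def kem_encap(pk):
    r = 1 + secrets.randbelow(Q - 1)             # the coin r
    k = pow(pk, r, P).to_bytes(2, "big")         # session key k
    return k, pow(G, r, P)                       # (k, c1)

def kem_decap(sk, c1):
    return pow(c1, sk, P).to_bytes(2, "big")

def H2(k, n):
    # n-byte mask derived from k (domain-separated; stand-in for the random oracle H2).
    return hashlib.shake_256(b"H2|" + k).digest(n)

def H3(m, k):
    # Tag over (m, k); the length prefix keeps the pair unambiguous.
    return hashlib.sha256(b"H3|" + len(m).to_bytes(4, "big") + m + k).digest()

def pke_encrypt(pk, m):
    k, c1 = kem_encap(pk)
    c2 = bytes(a ^ b for a, b in zip(m, H2(k, len(m))))   # assumed XOR masking
    return c1, c2, H3(m, k)                               # C = (c1, c2, c3)

def pke_decrypt(sk, C):
    c1, c2, c3 = C
    k = kem_decap(sk, c1)
    m = bytes(a ^ b for a, b in zip(c2, H2(k, len(c2))))
    # Reject (None) unless c3 equals the recomputed H3(m, k).
    return m if hmac.compare_digest(c3, H3(m, k)) else None
```

Any change to c1, c2 or c3 alters the (m, k) pair fed to H3 or the tag itself, so decryption rejects instead of returning a related plaintext.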

18

Security Game

Setup

A D

H

PC

pk

sk

Problem:

invert c*

Solution:

Session key k*

19

C = (c1 , c2 , c3) = (c1 , m H2 (k) , H3 (m , k) )

• (pk , c* , common parameters)

•Setup

•(pk , common parameters)

• H2 -queries: On each new input k,

• If 1 PC (k , c* ) , k* = k , terminate (E2)

• Else , h2 RANGE (H2) , (k , h2) H2List.

Security Proof
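
A sketch of how the reduction B can answer H2-queries, combining the lazily sampled H-List from the Random Oracle Model slides with the PC check above (added example, not from the presentation). The class and function names, and the constructed toy Diffie-Hellman KEM behind the PC oracle, are assumptions made for the demonstration.

```python
import secrets

class KeyFound(Exception):
    """Raised when a query equals the key encapsulated in c* (event E2)."""

class SimulatedH2:
    def __init__(self, pc, c_star, out_len=16):
        self.pc, self.c_star, self.out_len = pc, c_star, out_len
        self.h_list = {}                          # H2List: k -> h2

    def query(self, k):
        if k in self.h_list:                      # repeated query: same answer
            return self.h_list[k]
        if self.pc(k, self.c_star):               # new input: ask PC(k, c*)
            raise KeyFound(k)                     # k* = k, terminate
        h2 = secrets.token_bytes(self.out_len)    # else sample h2 uniformly
        self.h_list[k] = h2
        return h2

# Constructed toy KEM parameters (p = 2q + 1, g of order q); not a secure size.
P, Q, G = 2039, 1019, 4

def demo():
    sk = 1 + secrets.randbelow(Q - 1)
    r = 1 + secrets.randbelow(Q - 1)
    pk, c_star = pow(G, sk, P), pow(G, r, P)
    k_star = pow(pk, r, P)                        # key hidden inside c*
    pc = lambda k, c: pow(c, sk, P) == k          # PC oracle given to B
    h2 = SimulatedH2(pc, c_star)
    wrong = (k_star * G) % P                      # some value other than k*
    first, again = h2.query(wrong), h2.query(wrong)
    try:
        h2.query(k_star)
        found = None
    except KeyFound as event:
        found = event.args[0]
    return first == again, len(h2.h_list), found == k_star
```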

20

C = (c1 , c2 , c3) = (c1 , m H2 (k) , H3 (m , k) )

•H3 -queries: On each new input (m , k),

• If 1 PC(k, c* ) , k* = k , terminate (E3).

•Else, h3 RANGE(H3) , (k, m, h3) H3List.

•Decryption queries: On each new input (c1, c2, c3)

• If (k, m, c3) H3List, return

• Elseif m H2 (k) c2. ,return

• Elseif 1 PC (k, c1) return m, else return .

Security Proof

21

C = (c1 , c2 , c3) = (c1 , m H2 (k) , H3 (m , k) )

•Challenge :

• A outputs (m0 , m1) st. | m0 | = | m1 |

• B picks h2* , h3* where hi* RANGE(Hi)

• B picks {0,1} and returns C= (c*, m h2*, h3*) to A

•B answers A's random oracle and decryption queries as before.

•If k* = k , B will return k* , otherwise B fails

Security Proof

22

Simulation of Oracles

• Unless k* has been asked to H2 and H3 B breaks the OW-PCA of the KEM.

•Decryption oracle

• C= (c1, c2, c3) rejected if (m,k) H3List

• A has to guess a right value for h3 without querying H3

probability $1/2^{k_1}$ ($H_3: \{0,1\}^* \to \{0,1\}^{k_1}$)

23

• Claim: A´s view

• GuessH3 is A's correctly guessing the output of H3

Pr [SuccessB] = Pr [E2 V E3] = | Pr [´= ] | Pr [GuessH3] – ½ |

• From the definition of A | Pr [´ = ] – ½ | >

Pr [SuccessB] > - Pr [GuessH3 ] > - qD / 2k1

• ( $2^{k_1} = 2^{60}$ , $q_D = 2^{30}$ Pr [SuccessB] )

Analysis

24

II. New Construction

C= (c1, c2, c3) = (c1, m H2 (k) , r H3 (m,k) )

25

II. New Construction

Theorem:

• A ( , A , q2, q3 , qD )

• BKEM ( ' , B , qPC )

• ' , B A + qPC poly(l) +qD q3

is the time to compute KEM(r) = Encap(r , pk)

• qPC (q2 + q3 + qD(q2+1))

26

C= (c1, c2, c3) = (c1, m H2 (k) , r H3 (m,k) )

•Setup

•H2 –queries

•H3 –queries

•Decryption queries: On each new input (c1, c2, c3)

• (ki, mi, h3i) in H3List, ri= h3i c3

• ri check for KEM (ri) = (c1, ki) . If not return

• Elseif mi H2 (ki) c2. , return , else return mi

Security Proof

27

• Construction II can also be proven secure without using the Plaintext Checking oracle.

Onewayness of Key encapsulation mechanism

At the end of the game, a random entry in H2List or H3List is chosen

The tightness is ' / (q2 + q3 )

Analysis

28

•Additional hash function

• C = (c1 , c2 , c3) = (c1 , m H2 (k) , r H3 (m , k) , H4 (r , m , k , c1 ))

• No check ri , KEM (ri) = (c1 , k)

• B = A + qPC poly (l) + qD

An Improvement

29

Today we will discuss

• Two new generic constructions

• A new computational assumption

• Two new identity based encryption schemes

OUTLINE

30

Assumptions

Diffie-Hellman Inversion (k-DHI): For $k \in \mathbb{Z}$, $x \in \mathbb{Z}_q^*$ and $P \in G$, given $(P, xP, x^2P, \ldots, x^kP)$, computing $(1/x)P$ (for k-BDHI, computing $\hat{e}(P,P)^{1/x}$) is hard

k-CAA1’:

For $k \in \mathbb{Z}$ and $x \in \mathbb{Z}_q^*$, $P \in G$, given $(P, xP, (h_1, \frac{1}{x+h_1}P), \ldots, (h_k, \frac{1}{x+h_k}P))$, computing $(1/x)P$ (for k-BCAA1', computing $\hat{e}(P,P)^{1/x}$) is hard.

31

A New Assumption

Generalized (k-BCAA1’):

For $k \in \mathbb{Z}$ and $x \in \mathbb{Z}_q^*$, $P \in G^*$, $\hat{e}: G \times G \to F$, given

$(P, xP, rxP, (h_1, \frac{1}{x+h_1}P), \ldots, (h_k, \frac{1}{x+h_k}P))$

computing $\hat{e}(P,P)^r$ is hard.

32

Today we will discuss

• Two new generic constructions

• A new computational assumption

• Two new identity based encryption schemes

OUTLINE

33

Public key encryption scheme where public key is an arbitrary string (ID)

email encrypted using public key:

“deniz@b-it”

I am “deniz@b-it”

Private key

master-key

CA/PKG

IDENTITY BASED ENCRYPTION

34

SAKAI KASAHARA KEY CONSTRUCTION

• Setup(l)

– a prime q, groups G and F

– $P \in G^*$, $\hat{e}: G \times G \to F$

– $x \in \mathbb{Z}_q^*$, $P_{pub} = xP$

– User A's pk = $ID_A$

– User A's sk = $d_A = \frac{1}{x + H_1(ID_A)} P$

– H1 is an ordinary hash function (not MapToPoint)

35

SAKAI KASAHARA´S IBE SCHEME (SK-IBE)

•Setup (l) : Four Hash Functions

•Encrypt (M, IDA)

–σ {0 , 1}n and r = H3(σ,M)

– rQA = r (xP + H1 (IDA)P)

–C = < rQA , σ H2 (ê (P , P)^r) , M H4(σ) >

• Decrypt (C = (U , V , W), dA)

– k´ = ê(dA , U)) , σ´ = V H2 (k´) and M´ = W H4 (σ´)

– Integrity check: r´ = H3 (σ´ , M´)

36

• Tightness

• 4 1 / [ q1 q2 (q3 + q4)] 1 / q3

for q1 = q2 = q3 = q4 =q

Security of SK-IBE

[Diagram: reduction chain FullIdent, BasicPubhy, BasicPub, k-BDHI, with reductions Res 1, Res 2, Res 3 and adversaries A1 to A4.]

37

A New IBE Scheme SK-IBE1

• Setup (l): Three Hash functions

• Encrypt (m)

– r Zq*

– rQA = r(xP + H1 (IDA)P)

–C = < rQA , m H2 (ê (P,P)r) , H3 (m , (ê (P,P)r) ) >

•Decrypt (C = (U , V , W))

– k´ = ê(dA , U)) , m´ = V H2 (k´)

– Integrity check: H3 (k´ , m´) = W
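
An added example (not from the presentation) that checks the algebra behind the Sakai-Kasahara key construction and the key k´ = ê(dA , U) recovered in Decrypt. It assumes an insecure toy model in which a point aP is stored as the scalar a mod q and ê(aP, bP) = g^(ab) in a constructed order-1019 subgroup of Z_2039*; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are prime,
# g = 4 has order q in Z_p* and plays the role of ê(P, P).
Q, P_MOD, G_T = 1019, 2039, 4

# MODEL (assumption, insecure by design): the point aP is stored as a mod q,
# so P is 1 and xP reveals x. This verifies the equations, nothing more.
def pairing(a, b):
    return pow(G_T, (a * b) % Q, P_MOD)            # ê(aP, bP) = g^(ab)

def H1(identity):
    # Ordinary hash into Zq* (not MapToPoint), as on the key-construction slide.
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def setup(x=None):
    x = x if x is not None else 1 + secrets.randbelow(Q - 1)   # master key x in Zq*
    return x, x % Q                                # (x, Ppub = xP)

def extract(x, identity):
    s = (x + H1(identity)) % Q
    if s == 0:
        raise ValueError("x + H1(ID) = 0 mod q: no private key exists")
    return pow(s, -1, Q)                           # dA = [1/(x + H1(ID))] P

def encap(p_pub, identity):
    r = 1 + secrets.randbelow(Q - 1)               # r in Zq*
    q_a = (p_pub + H1(identity)) % Q               # QA = Ppub + H1(ID) P
    return (r * q_a) % Q, pow(G_T, r, P_MOD)       # (U = r QA, k = ê(P, P)^r)

def decap(d_a, u):
    return pairing(d_a, u)                         # k' = ê(dA, U)
```

Decapsulation works because dA is the inverse of (x + H1(ID)) in the exponent, so ê(dA , rQA) collapses to ê(P , P)^r; a key extracted for a different identity leaves a non-trivial factor and yields a different k´.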

38

Security Proof of SK-IBE1

Theorem:

• H1, H2 and H3 are random oracles

• ASK-IBE1 (A , , q1, q2 , q3 , qD)

• B (B , ' ‚ qPC) against GAP-Generalized k-BCAA1'

• ' / q1 , B = A + qPC poly(l)

• qPC (q2 + q3 + qD (q2 + 1))

39

•Setup (l)

•Encrypt (m)

–r Zq*

–rQA= r(Ppub + H1 (IDA)P)

–C = <rQA, m H2(gr) , r H3(m, gr) >

•Decrypt (C = (U , V , W))

–k´ = ê(dA , U)) , m´ = V H2 (k´)

–r´ = H3 (k´ , m´) W

–Integrity check: r´QA = U

SK-IBE2

40

Security Proof of SK-IBE2

Theorem:

• H1, H2 and H3 are random oracles

• ASK-IBE2 (A , , q1, q2 , q3 , qD)

• B (B , ' ) solves the Generalized q1-BCAA1'

• ' 2 / q1 (q2 + q3 ) , B = A + qD q3

is the time to compute ê and multiplication

41

• Two New Generic Constructions for PKE Setting

-IND-CCA secure KEM/DEM-IND-CCA secure PKE

•Two New IBE Schemes based on SK Key Construction

-SK-IBE1 GAP Problem, tighter, easier problem

-SK-IBE2 Generalized k-BCAA1' , less tight, harder problem

CONCLUSION

42

THANK YOU

FOR YOUR ATTENTION

43

•Setup (l)

•Extract (IDA)

•Encrypt (m)

–r Zq*

–rQA= r (Ppub + H1 (IDA)P)

–C = < rQA , m H2 (gr) , r H3 (m , gr) , H4 (r , m , gr , rQA) >

•Decrypt (C = (U , V ,W , Z))

–k´ = ê(dA , U)) , m´ = V H2 (k´)

–r´ = H3 (k´ , m´) W

– Integrity check: H4 (r´ , m´ , k´ , r´QA) = Z

A New IBE Scheme SK-IBE2

44

Hybrid PKE

• Hybrid PKE = KEM + DEM

• DEM(k) symmetric encryption

• DEM

• C Encrypt {DEM} (M , k)

• M or Decrypt {DEM} (C , k)

• Keys of KEM are from the same key space of DEM.

45

• (pk , sk) KGen (1l)

• (m0 , m1 , s) A1 (pk ,O) s.t | m0 | = | m1 |

• b {0 , 1}

• c Enc (pk , mb)

• b´ A2 (s , c , O)

$\mathrm{Adv}_A(1^l) = |\Pr[b' = b] - \tfrac{1}{2}|$

IND-CCA

46

Key Encapsulation Mechanism (KEM)

KEM can be defined by three algorithms:

• (pk , sk) KGen (1l)

• (k , c) Encap (pk , r)

• k or Decap (sk , c)

47

•PCA

• 1 or 0 Opca (k , c)

• OW-PCA

• (pk , sk) KGen (1l )

• (k , c) Encap (pk , r)

• k´ A (pk , c , Opca )

OW-PCA KEM

A

(pk , c)

PCA

48

An IBE scheme can be defined by four algorithms:

• (param , Mpk and Msk ) Setup (1l)

• di Extract (IDi, , Msk , param)

• c C Encrypt (IDi , param , m)

• m {0 , 1}n or Decrypt (di , param , c)

IDENTITY BASED ENCRYPTION

49

• (param , Msk) KGen (1l)

• (m0 , m1 , s , IDch ) A1 (param , O1) s.t | m0 | = | m1 |

• b {0 , 1}

• c Enc (param , IDch , mb )

• b´ A2 (s , c , O2)

$\mathrm{Adv}_A(1^l) = |\Pr[b' = b] - \tfrac{1}{2}|$

IND-ID-CCA

50

SAKAI KASAHARA´S IBE SCHEME (SK-IBE)

• Setup (l)

– $H_1: \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_2: F \to \{0,1\}^n$

– $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$ and $H_4: \{0,1\}^n \to \{0,1\}^n$

• Extract (IDA) = dA

• Encrypt (M)

–σ {0 , 1}n and r = H3(σ,M)

– rQA = r (Ppub + H1 (IDA)P)

–C = < rQA , σ H2 (gr) , M H4(σ) >

• Decrypt (C = (U , V , W))

– g´ = ê(dA , U)) , σ´ = V H2 (g´) and M´ = W H4 (σ´)

– Integrity check: r´ = H3 (σ´ , M´)

51

Security Proof of SK-IBE1

Theorem:

• H1, H2 and H3 are random oracles

• ASK-IBE1 (A , , q1, q2 , q3 , qD)

• B (B , ' ‚ qPC) against GAP-Generalized k-BCAA1'

• ' / q1 , B = A + qPC poly(l)

• qPC (q2 + q3 + qD (q2 + 1))

52

• GAP- Generalized k-BCAA1'

• 1I q1 ( IND-ID-CCA) , h0 Zq*

• Ppub = xP - h0 P

• H1–queries (IDj)

• If IDj = IDI , (IDI , h0 , dj = ) to H1List and return h0

• Else, (IDj , hj + h0 , dj = 1 / (hj + x)P) to H1List and return hj + h0

Security Proof of SK-IBE1

53

• Extraction-query (IDi)

• If dj , B returns dj

• Else, B aborts (E1)

• H2 –queries (k) • H3 –queries (m,k)

Security Proof of SK-IBE1

54

• Decryption query (Ci = (Ui , Vi , Wi) , IDi)

• i = I , Ci = ( rixP , mi H2 (ê (P , P)ri ) , H3 (mi , ê(P , P )ri )

• If IDi H1List , B queries H1(IDi)

• di = , if (mi , Xi , Wi) H3List , reject

• If H2 (Xi) mi Vi , reject

• If Xi ê(P , P)ri , reject, else return mi

Security Proof of SK-IBE1

55

• Challenge ((m0 , m1) , IDI))

• If H1 (IDI) and IDI = IDch and so dch = , B continues, else B aborts (E4 )

• Else if H1(IDch) and dch , B aborts (E5)

• Else , (IDch , h0 , ) to H1List and continue

• At this stage , H1 (IDch) = h0 and dch =

´ / q1

Security Proof of SK-IBE1

56

•Setup (l)

•Extract (IDA)

•Encrypt (m)

–r Zq*

–rQA= r(Ppub + H1 (IDA)P)

–C = <rQA, m H2(gr) , r H3(m, gr) >

•Decrypt (C = (U , V , W))

–k´ = ê(dA , U)) , m´ = V H2 (k´)

–r´ = H3 (k´ , m´) W

–Integrity check: r´QA = U

SK-IBE2

57

Security Proof of SK-IBE2

Theorem:

• H1, H2 and H3 are random oracles

• ASK-IBE2 (A , , q1, q2 , q3 , qD)

• B (B , ' ) solves the q1 -BDHI

• ' 2 / q1 (q2 + q3 ) , B = A + qD q3

is the time to compute ê and multiplication

58

• q1 -BDHI

• 1 I q1 ( IND-ID-CCA), h0 Zq* , r Zq*

• Ppub = xQ - h0 Q

• H1–queries (IDj) ,

• If IDj = IDI , (IDI , h0 , dj = ) to H1List and return h0

• Else, (IDj , hj + h0 , dj = 1 / (hj + x)Q) to H1List and return hj + h0

Security Proof of SK-IBE2

59

• H2–queries (kj): As a random oracle

• H3–queries (mj , kj): As a random oracle

• Decryption queries (C = (Uj , Vj , Wj) , IDI):

• Challenge (rQ , V* , W*)

Security Proof of SK-IBE2

60

• Guess

• Pick a random ki from H2List or H3List

• T = ki (1/r) and return (T / T0)

• ê (P , P) (1/x) = (T / T0) T = (Q , Q)(1/x)

Security Proof of SK-IBE2

61

• Analysis

• Event E = k (H2List H3List)

• Pr [E ] 2

• Pr [SuccessB] 2 / q1 (q2 + q3 ) / q2 for q1 = q2 = q3 = q

Security Proof of SK-IBE2