Efficient IdentityBased Encryption Without Random Oracles - PowerPoint PPT Presentation

About This Presentation
Title:

Efficient IdentityBased Encryption Without Random Oracles

Description:

IBE: Public key encryption scheme where public key. is an ... 'David Bowie' 'Madonna' Private Key Set. Challenge Set 'Artist Formerly Known As Prince' ... – PowerPoint PPT presentation

Number of Views:51
Avg rating:3.0/5.0
Slides: 19
Provided by: brentw7
Category:

less

Transcript and Presenter's Notes

Title: Efficient IdentityBased Encryption Without Random Oracles


1
Efficient Identity-BasedEncryption Without
Random Oracles
  • Brent Waters
  • Stanford Universtiy

Additional slides contributed by Dan Boneh.
2
Identity-Based Encryption (IBE)
  • IBE Public key encryption scheme where public
    key is an arbitrary string (ID).
  • Examples users e-mail address, current-date,

CA/PKG
master-key
3
Brief History of IBE
  • Shamir 84
  • Challenged community with IBE concept
  • BF01
  • Pairing-based cryptography
  • Proof uses Random Oracles
  • CHK03
  • Introduced weaker Selective-ID model
  • Proof without Random Oracles
  • Ciphertext element per bit of identity

4
Brief History of IBE
  • BB04 Eurocrypt
  • Efficient system in Selective-ID model
  • BB04 (Crypto)
  • Proof in full model w/o Random Oracles
  • Not practical system
  • This work
  • Practical system with proof in full model w/o
    Random Oracles
  • Mathematically similar to BB04 (Eurocrypt)

5
IBE System
  • Setup
  • Generate public parameters
  • Key Gen
  • Generate a private key
  • Encrypt
  • Encrypt message M for given identity, ID
  • Decrypt
  • Decrypt a ciphertext if have private key for
    identity

6
IBE Semantic Security
Challenger
Attacker
Setup
, ID2 , ID3 , , IDm
KeyGen
, dID2 , dID3 , , dIDm
b?0,1
IDi ? ID
  • Def Alg. A ?-breaks IBE sem. sec. if
    Prbb gt ½ ?
  • (t,?)-security no t-time alg. can ?-break IBE
    sem. sec.

7
Bilinear Maps
  • G , G1 finite cyclic groups of prime order p.
  • Def An admissible bilinear map e G?G ? G1
    is
  • Bilinear e(ga, gb) e(g,g)ab ?a,b?Z,
    g?G
  • Non-degenerate g generates G ?
    e(g,g) generates G1 .
  • Efficiently computable.

8
Complexity Assumption
  • Def Alg. A ?-solves Bilinear-DDH in group
    G if
  • Pr A(g,ga,gb,gc, e(g,g)abc) 1 -
    Pr A(g,ga,gb,gc, e(g,g)z) 1 gt ?
  • where g ? G and a,b,c,z ? 1,,p-1.

9
Our Scheme
  • Setup
  • Key Gen(v)
  • Encrypt(v,M)
  • Decrypt(d,CC0,C1,C2)

g,g1ga , g2, u, Uu1, un 2 G MKg2a
dg2a(uÕi 2 Vui)r ,gr
Vi vi 1
e(g1,g2)tM, gt, (uÕi 2 Vui)t
Observe e(d1,C1)/e(d2,C2) e(g1,g2)t
10
Comparison to BB04
  • Setup
  • Key Gen(v)
  • Encrypt(v,M)
  • Decrypt(d,CC0,C1,C2)

g,g1ga , g2, u, Uu1, ,un 2 G MKga
dg2a(uÕi 2 Vui)r ,gr
Vi vi 1
e(g1,g2)tM, gt, (uÕi 2 Vui)t
Observe e(d1,C1)/e(d2,C2) e(g1,g2)t
11
Comparison to BB04
  • Setup
  • Key Gen(v)
  • Encrypt(v,M)
  • Decrypt(d,CC0,C1,C2)

g,g1ga , g2, h 2 G MKga
dg2a(g1vh)r ,gr
e(g1,g2)tM, gt, (g1vh)t
Observe e(d1,C1)/e(d2,C2) e(g1,g2)t
12
Proof Idea
  • Commit to parameters
  • Identities can either generate keys for them or
    use as a challenge
  • Must abort if adversarys actions dont match
  • Difficulty is in bounding abort probability

13
Bounding abort probability
  • Limit dependencies
  • Bob in Private Key set gt
  • Alice in Private Key Set
  • Pairwise independence is enough
  • If v and v differ in at least 1 bit
  • uÕi 2 Vui and uÕi 2 Vui differ in at least
    one element
  • Prnot abort gt 1/(8(n1)q) q- is max of
    queries

14
Signature Scheme
  • Transformation from IBE scheme into signature
    scheme (IBE keys sigs)
  • Efficient signature scheme relies on
    Computational-DH assumption
  • ..., but has somewhat large public key

15
Conclusions Open Problems
  • Presented fully secure and efficient IBE scheme
    in standard model
  • Can we reduce public parameter size?
  • Get tight bounds?

16
(No Transcript)
17
Proof Idea
Set m4q (q-max number of queries) Guess k from 0
to n Choose random y,y1, ... yn 2 Zp Choose
random x,x1,...xn 2 0,m-1 Set ugyg1p-kmx
uigyi g1xi For a given identity, v, we
have uÕi 2 Vuigyå yi g1 pkmxå xi In
challenge set if xåi 2 V xikm (BB04)
18
Proof Idea
  • xåi 2 V xikm
  • Can construct private key if xåi 2 V xi ¹ 0
    mod m
  • Use as challenge otherwise (and k guessed
    correctly)
  • Since identities differ by at least one bit, get
    pairwise independence
  • Bound probability of aborting as 1/(8(n1)q)
Write a Comment
User Comments (0)
About PowerShow.com