Efficient Selective-ID IBE Without Random Oracle

Dan Boneh

Stanford University

Xavier Boyen

Voltage Security

Identity Based Encryption (IBE)
  • IBE: Public key encryption scheme where public key is an arbitrary string (ID).
    • Examples: user’s e-mail address, current-date, …

[Figure labels: "I am [email protected]"; "email encrypted using public key: [email protected]"; "Private key"; CA/PKG holding master-key]

IBE System
  • IBE system is made up of 4 algorithms:
    • Setup: generate params and master-key, MK.
    • KeyGen: given pub-key ID and master-key, output priv-key $d_{ID}$.
    • Encrypt: using pub-key ID (and params).
    • Decrypt: using priv-key.
  • Main use of IBE:
    • reduce need for online pub-key directory.
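Semantic Secure IBE systems [BF’01]
  • Semantic security when attacker has few private keys.
  • Def: Alg. A $\epsilon$-breaks IBE sem. sec. if $\Pr[b=b'] > \frac{1}{2} + \epsilon$
  • $(t,\epsilon)$-security: no $t$-time alg. can $\epsilon$-break IBE sem. sec.
  • Game between Challenger and Attacker (slide diagram):
    • Challenger: Run Setup; sends params.
    • Attacker: sends $ID_1, ID_2, ID_3, \dots, ID_n$, with $ID_i \ne ID^*$.
    • Challenger: Run KeyGen; returns $d_{ID_1}, d_{ID_2}, d_{ID_3}, \dots, d_{ID_n}$.
    • Attacker: sends $ID^*, m_0, m_1 \in G$.
    • Challenger: $b \in \{0,1\}$; $C^* = \mathrm{Enc}(m_b, ID^*, \mathrm{params})$.
    • Attacker: outputs $b' \in \{0,1\}$.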

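Selective-ID Secure IBE [CHK’03]
  • Def: Alg. A $\epsilon$-breaks IBE sem. sec. if $\Pr[b=b'] > \frac{1}{2} + \epsilon$
  • Game between Challenger and Attacker (slide diagram):
    • Attacker: sends $ID^*$: pub-key to attack.
    • Challenger: Run Setup; sends params.
    • Attacker: sends $ID_1, ID_2, ID_3, \dots, ID_n$, with $ID_i \ne ID^*$.
    • Challenger: Run KeyGen; returns $d_{ID_1}, d_{ID_2}, d_{ID_3}, \dots, d_{ID_n}$.
    • Attacker: sends $m_0, m_1 \in G$.
    • Challenger: $b \in \{0,1\}$; $C^* = \mathrm{Enc}(m_b, ID^*, \mathrm{params})$.
    • Attacker: outputs $b' \in \{0,1\}$.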

Known Results
  • BF’01: Full sem. sec. IBE system in RO model.
    • Based on Comp. Bilinear-DH assumption.
    • Extends to provide CCA2 in RO model.
  • CHK’03: Selective-ID Secure IBE without RO.
    • Based on Decision Bilinear-DH assumption.
    • Problem: bilinear map per bit of ID.
  • Current: (two) efficient Selective-ID secure IBE.
    • No Random oracles.
    • Based on Decision Bilinear-DH assumption.
    • 0 pairings for enc. 2 pairings for dec.
Bilinear maps (abstractly)
  • $G$, $G_1$: finite cyclic groups of prime order $q$.
  • Def: An admissible bilinear map $e: G \times G \to G_1$ is:
    • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$
    • Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
    • “Efficiently” computable.
  • Currently: examples from algebraic geometry where Dlog in G believed to be hard.
Bilinear Diffie-Hellman Problems
  • Def: Alg. A $\epsilon$-solves Bilinear-DH in group G if:

$\Pr[\, A(g, h, g^x, g^y) = e(g,h)^{xy} \,] > \epsilon$

where $g,h \in G$ and $x,y \in \{1,\dots,q-1\}$.

  • Def: Alg. A $\epsilon$-solves Bilinear-DDH in group G if:

$|\, \Pr[\, A(g, h, g^x, g^y, e(g,h)^{xy}) = 1 \,] - \Pr[\, A(g, h, g^x, g^y, e(g,h)^{r}) = 1 \,] \,| > \epsilon$

where $g,h \in G$ and $x,y,r \in \{1,\dots,q-1\}$.

Selective-ID IBE system
  • Setup: params = $(g,\ g_1 = g^x,\ g_2,\ h) \in G_1$ ; MK = $g_2^x$
  • KeyGen (ID, MK): given pub-key $ID \in \{1,\dots,q\}$ do:

$r \in \{1,\dots,q-1\}$ ; $d_{ID} = (\, MK \cdot (g_1^{ID} h)^r,\ g^r \,)$

  • Encrypt ( m, ID, $(g, g_1, g_2, h)$ ):

$s \in \{1,\dots,q-1\}$ ; $C = (\, m \cdot e(g_1,g_2)^s,\ g^s,\ (g_1^{ID} h)^s \,)$

  • Decrypt (C, $d_{ID}$): $C = (C_0, C_1, C_2)$ using $d_{ID} = (d_1, d_2)$

observe: $e(C_1, d_1) / e(C_2, d_2) = e(g_1, g_2)^s$

Security Theorem
  • Thm:

$\exists$ $t$-time alg. that $\epsilon$-breaks IBE sem. sec. in G

$\Rightarrow$ $\exists$ $\tilde{t}$-time alg. that $\epsilon$-solves bilinear-DDH in G.

Proof
  • Algorithm for Bilinear-DDH, given $(g,\ g_1,\ g_2 = g^x,\ g_3 = g^y,\ R = e(g,g_1)^z)$; goal: output 1 if $z = xy$, 0 if $z$ rand.
  • Interaction between the Algorithm and the Attacker (slide diagram):
    • Attacker: sends $ID^* \in \{1,\dots,q\}$.
    • Algorithm: sends params = $(g,\ g_1,\ g_2,\ h = g_1^{-ID^*} g^{\alpha})$. Unknown: MK = $g_1^x$.
    • Attacker: sends $ID^* \ne ID \in \{1,\dots,q\}$.
    • Algorithm: returns $d_{ID} = (d_0, d_1)$ where $d_0 = g_2^{-\alpha/(ID-ID^*)} (g_1^{ID} h)^r$, $d_1 = g_2^{-1/(ID-ID^*)} g^r$.
    • Attacker: sends $m_0, m_1 \in G$.
    • Algorithm: returns $C^* = (\, m_b R,\ g_3,\ g_3^{\alpha} \,)$.
    • Attacker: outputs $b' \in \{0,1\}$.
  • Algorithm outputs 1 if $b = b'$, 0 otherwise.
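
The algebra of the Selective-ID IBE system slide and of the proof's key simulation can be checked with the following added example, which is not part of the original slides. It assumes a toy model with no security in which every group element is stored as its discrete log, so the pairing becomes multiplication mod q; it follows the system slide's naming ($g_1 = g^x$, MK $= g_2^x$), and the helper names and the modulus are constructed for illustration.

```python
import secrets

Q = 2**61 - 1  # prime group order q (constructed toy value)

# Toy model, no security: g^a in G and e(g,g)^a in G1 are stored as the exponent
# a mod Q, so multiplying elements adds exponents, raising to a power multiplies
# them, and the pairing e(g^a, g^b) = e(g,g)^(ab) is a*b mod Q.
def pair(a, b):
    return a * b % Q

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # value in {1,...,q-1}

def setup():
    x, g2, h = rand_exp(), rand_exp(), rand_exp()
    return (x, g2, h), g2 * x % Q                # params (g1=g^x, g2, h), MK = g2^x

def sim_setup(id_star):
    # Proof's params: h = g1^(-ID*) g^alpha; no master key is returned.
    x, g2, alpha = rand_exp(), rand_exp(), rand_exp()
    return (x, g2, (alpha - x * id_star) % Q), alpha

def id_base(params, ident):
    g1, _, h = params
    return (g1 * ident + h) % Q                  # g1^ID * h

def keygen(params, mk, ident):
    r = rand_exp()
    return (mk + id_base(params, ident) * r) % Q, r   # (MK (g1^ID h)^r, g^r)

def simulated_key(params, alpha, id_star, ident):
    # Key built without MK, as in the proof; raises ValueError if ident == id_star.
    g2, r = params[1], rand_exp()
    inv = pow((ident - id_star) % Q, -1, Q)      # 1/(ID - ID*) mod q
    d0 = (id_base(params, ident) * r - g2 * alpha * inv) % Q
    d1 = (r - g2 * inv) % Q
    return d0, d1

def encrypt(params, ident, m):
    s = rand_exp()
    c0 = (m + pair(params[0], params[1]) * s) % Q     # m * e(g1,g2)^s
    return c0, s, id_base(params, ident) * s % Q      # (C0, g^s, (g1^ID h)^s)

def decrypt(ct, key):
    (c0, c1, c2), (k1, k2) = ct, key
    mask = (pair(c1, k1) - pair(c2, k2)) % Q     # e(C1,d1)/e(C2,d2) = e(g1,g2)^s
    return (c0 - mask) % Q
```

A key from `simulated_key` decrypts ciphertexts for any identity other than ID*, which is the point of the reduction: the simulator answers every allowed key query without knowing MK.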

Applications
  • Our IBE + CHK’04 $\Rightarrow$ efficient CCA2 public-key system w/o Random Oracles from Bilinear-DDH:
    • Enc: 3 exp. (4 exp. in CS)
    • Dec: two pairings + 2exp. (2 exp. in CS)
    • CT size: 3|G| + one-time-sig. (4|G| in CS)
  • Comparable to Cramer-Shoup (but a bit worse).
    • Shorter CT using BB’04 short sigs w/o R.O.
  • 2nd system: one fewer bilinear maps for dec.
    • Gives more efficient CCA2 public-key system.
Extensions
  • Hierarchical IBE [LH’02, GS’02]
    • System extends to give an efficient Selective-ID H-IBE without R.O.
    • 2-HIBE + CHK’04 $\Rightarrow$ Efficient CCA2 Selective-ID IBE without R.O.
  • 2nd system: more efficient Selective-ID IBE.
    • one fewer bilinear maps for dec.
    • But, based on stronger assumption (DH-Inversion).
  • Recently [BB’04]:
    • Full-IBE with no RO based on Bilinear-DDH.