
Efficient Selective-ID IBE Without Random Oracle

Dan Boneh, Stanford University. Xavier Boyen, Voltage Security.


Presentation Transcript


Efficient Selective-ID IBE Without Random Oracle

Dan Boneh

Stanford University

Xavier Boyen

Voltage Security


Identity Based Encryption (IBE)

  • IBE: Public key encryption scheme where public key is an arbitrary string (ID).

    • Examples: user’s e-mail address, current-date, …

[Diagram labels: CA/PKG holding the master-key; "I am [email protected]"; Private key; email encrypted using public key: [email protected]]


IBE System

  • IBE system is made up of 4 algorithms:

    Setup: generate params and master-key, MK.

    KeyGen: given pub-key ID and master-key, output priv-key, $d_{ID}$.

    Encrypt: using pub-key ID (and params).

    Decrypt: using priv-key.

  • Main use of IBE:

    • reduce need for online pub-key directory.


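Semantic Secure IBE systems [BF’01]

  • Semantic security when attacker has few private keys.

  • Def: Alg. A $\epsilon$-breaks IBE sem. sec. if $\Pr[b=b'] > \tfrac{1}{2} + \epsilon$

  • $(t,\epsilon)$-security: no t-time alg. can $\epsilon$-break IBE sem. sec.

[Diagram: game between Challenger and Attacker]

    Challenger: Run Setup; sends params to Attacker.

    Attacker sends $ID_1, ID_2, ID_3, \ldots, ID_n$.

    Challenger: Run KeyGen; returns $d_{ID_1}, d_{ID_2}, d_{ID_3}, \ldots, d_{ID_n}$.

    Attacker sends $ID^*$, $m_0, m_1 \in G$, with $ID_i \ne ID^*$.

    Challenger picks $b \leftarrow \{0,1\}$ and sends $C^* = \mathrm{Enc}(m_b, ID^*, params)$.

    Attacker outputs $b' \in \{0,1\}$.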


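Selective-ID Secure IBE [CHK’03]

  • Def: Alg. A $\epsilon$-breaks IBE sem. sec. if $\Pr[b=b'] > \tfrac{1}{2} + \epsilon$

[Diagram: game between Challenger and Attacker]

    Attacker sends $ID^*$: pub-key to attack.

    Challenger: Run Setup; sends params to Attacker.

    Attacker sends $ID_1, ID_2, ID_3, \ldots, ID_n$, with $ID_i \ne ID^*$.

    Challenger: Run KeyGen; returns $d_{ID_1}, d_{ID_2}, d_{ID_3}, \ldots, d_{ID_n}$.

    Attacker sends $m_0, m_1 \in G$.

    Challenger picks $b \leftarrow \{0,1\}$ and sends $C^* = \mathrm{Enc}(m_b, ID^*, params)$.

    Attacker outputs $b' \in \{0,1\}$.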


Known Results

  • BF’01: Full sem. sec. IBE system in RO model.

    • Based on Comp. Bilinear-DH assumption.

    • Extends to provide CCA2 in RO model.

  • CHK’03: Selective-ID Secure IBE without RO.

    • Based on Decision Bilinear-DH assumption.

    • Problem: bilinear map per bit of ID.

  • Current: (two) efficient Selective-ID secure IBE.

    • No Random oracles.

    • Based on Decision Bilinear-DH assumption.

    • 0 pairings for enc. 2 pairings for dec.


Bilinear maps (abstractly)

  • $G$, $G_1$: finite cyclic groups of prime order q.

  • Def: An admissible bilinear map $e: G \times G \to G_1$ is:

    • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\ \forall a,b \in \mathbb{Z},\ g \in G$

    • Non-degenerate: g generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.

    • “Efficiently” computable.

  • Currently: examples from algebraic geometry where Dlog in G believed to be hard.


Bilinear Diffie-Hellman Problems

  • Def: Alg. A $\epsilon$-solves Bilinear-DH in group G if:

    $\Pr[\, A(g,h,g^x,g^y) = e(g,h)^{xy} \,] > \epsilon$

    where $g,h \in G$ and $x,y \in \{1,\ldots,q-1\}$.

  • Def: Alg. A $\epsilon$-solves Bilinear-DDH in group G if:

    $|\, \Pr[\, A(g,h,g^x,g^y, e(g,h)^{xy}) = 1 \,] - \Pr[\, A(g,h,g^x,g^y, e(g,h)^{r}) = 1 \,] \,| > \epsilon$

    where $g,h \in G$ and $x,y,r \in \{1,\ldots,q-1\}$.


Selective-ID IBE system

  • Setup: params = $(g,\ g_1 = g^x,\ g_2,\ h) \in G_1$ ; MK = $g_2^x$

  • KeyGen (ID, MK): given pub-key $ID \in \{1,\ldots,q\}$ do:

    $r \leftarrow \{1,\ldots,q-1\}$ ; $d_{ID} = (\, MK \cdot (g_1^{ID} h)^r,\ g^r \,)$

  • Encrypt ( m, ID, $(g,g_1,g_2,h)$ ):

    $s \leftarrow \{1,\ldots,q-1\}$ ; $C = (\, m \cdot e(g_1,g_2)^s,\ g^s,\ (g_1^{ID} h)^s \,)$

  • Decrypt (C, $d_{ID}$): $C = (C_0, C_1, C_2)$ using $d_{ID} = (d_1, d_2)$

    observe: $e(C_1, d_1) / e(C_2, d_2) = e(g_1, g_2)^s$


Security Theorem

  • Thm:

    $\exists$ t-time alg. that $\epsilon$-breaks IBE sem. sec. in G

    $\Rightarrow\ \exists$ $\tilde{t}$-time alg. that $\epsilon$-solves bilinear-DDH in G.


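Proof

[Diagram: the Algorithm for Bilinear-DDH plays the challenger against the Attacker]

    Algorithm for Bilinear-DDH is given $(g,\ g_1,\ g_2 = g^x,\ g_3 = g^y,\ R = e(g,g_1)^z)$ and must output 1 if $z = xy$, 0 if z rand.

    Attacker sends $ID^* \in \{1,\ldots,q\}$.

    Algorithm sends params = $(g,\ g_1,\ g_2,\ h = g_1^{-ID^*} g^{\alpha})$. Unknown: MK = $g_1^x$.

    Attacker sends $ID \in \{1,\ldots,q\}$ with $ID^* \ne ID$.

    Algorithm returns $d_{ID} = (d_0, d_1)$ with $d_0 = g_2^{-\alpha/(ID-ID^*)} (g_1^{ID} h)^r$, $d_1 = g_2^{-1/(ID-ID^*)} g^r$.

    Attacker sends $m_0, m_1 \in G$.

    Algorithm sends $C^* = (\, m_b R,\ g_3,\ g_3^{\alpha} \,)$.

    Attacker outputs $b' \in \{0,1\}$.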

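Proof

[Diagram: the Algorithm for Bilinear-DDH plays the challenger against the Attacker]

    Algorithm for Bilinear-DDH is given $(g,\ g_1,\ g_2 = g^x,\ g_3 = g^y,\ R = e(g,g_1)^z)$.

    Attacker sends $ID^* \in \{1,\ldots,q\}$.

    Algorithm sends params = $(g,\ g_1,\ g_2,\ h = g_1^{-ID^*} g^{\alpha})$.

    Attacker sends $ID \in \{1,\ldots,q\}$ with $ID^* \ne ID$.

    Algorithm returns $d_{ID} = (d_0, d_1)$.

    Attacker sends $m_0, m_1 \in G$.

    Algorithm sends $C^* = (\, m_b R,\ g_3,\ g_3^{\alpha} \,)$.

    Attacker outputs $b' \in \{0,1\}$.

    Algorithm outputs 1 if $b = b'$, 0 otherwise.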
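The scheme and the proof's key simulation can be checked end to end in a toy bilinear group. This is an added example, not code from the slides or their authors: the group parameters, function names and the exponent name `alpha` are assumptions, and it follows the scheme slide's naming (g1 = g^x, MK = g2^x). Discrete logs in this toy G are trivial, so it verifies the algebra only.

```python
# Toy bilinear group: G is Z_q written additively (the int a stands for g^a),
# GT is the order-q subgroup of Z_p^*. No security: discrete logs in G are trivial.
import secrets

Q, P, GT_GEN = 1019, 2039, 4          # constructed toy parameters, P = 2Q + 1

def e(a, b):                          # e(g^a, g^b) = e(g,g)^(ab)
    return pow(GT_GEN, a * b % Q, P)

def rand():                           # uniform in {1,...,q-1}
    return 1 + secrets.randbelow(Q - 1)

def setup(h_from=None):
    x, g2 = rand(), rand()
    g1 = x                            # g1 = g^x, with g written as 1
    h = rand() if h_from is None else h_from(g1)
    return (1, g1, g2, h), g2 * x % Q             # params, MK = g2^x

def keygen(params, mk, ident):
    g, g1, _, h = params
    r = rand()                        # d = (MK (g1^ID h)^r, g^r)
    return ((mk + r * (g1 * ident + h)) % Q, r * g % Q)

def encrypt(params, ident, m):
    g, g1, g2, h = params
    s = rand()                        # C = (m e(g1,g2)^s, g^s, (g1^ID h)^s)
    return (m * pow(e(g1, g2), s, P) % P, s * g % Q, s * (g1 * ident + h) % Q)

def decrypt(ct, d):
    c0, c1, c2 = ct
    mask = e(c1, d[0]) * pow(e(c2, d[1]), -1, P) % P   # = e(g1,g2)^s
    return c0 * pow(mask, -1, P) % P

def sim_keygen(params, alpha, id_star, ident):
    # The reduction's key for ID != ID*: uses params and alpha, never x or MK.
    g, g1, g2, h = params
    r, inv = rand(), pow(ident - id_star, -1, Q)
    d0 = (-alpha * inv * g2 + r * (g1 * ident + h)) % Q
    d1 = (-inv * g2 + r * g) % Q
    return (d0, d1)

def demo(id_star=7, ident=42, alpha=5):
    # h = g1^(-ID*) g^alpha, as in the proof's params
    params, mk = setup(lambda g1: (-id_star * g1 + alpha) % Q)
    m = pow(GT_GEN, 123, P)           # constructed message in GT
    ct = encrypt(params, ident, m)
    return (decrypt(ct, keygen(params, mk, ident)) == m,
            decrypt(ct, sim_keygen(params, alpha, id_star, ident)) == m,
            decrypt(ct, keygen(params, mk, ident + 1)) == m)
```

`demo()` reports whether the real key, the simulated key, and a key for a different identity each recover the message.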


Applications

  • Our IBE + CHK’04 $\Rightarrow$ efficient CCA2 public-key system w/o Random Oracles from Bilinear-DDH:

    • Enc: 3 exp. (4 exp. in CS)

    • Dec: two pairings + 2 exp. (2 exp. in CS)

    • CT size: 3|G| + one-time-sig. (4|G| in CS)

  • Comparable to Cramer-Shoup (but a bit worse).

    • Shorter CT using BB’04 short sigs w/o R.O.

  • 2nd system: one fewer bilinear maps for dec.

    • Gives more efficient CCA2 public-key system.


Extensions

  • Hierarchical IBE [LH’02, GS’02]

    • System extends to give an efficient Selective-ID H-IBE without R.O.

    • 2-HIBE + CHK’04 $\Rightarrow$ Efficient CCA2 Selective-ID IBE without R.O.

  • 2nd system: more efficient Selective-ID IBE.

    • one fewer bilinear maps for dec.

    • But, based on stronger assumption (DH-Inversion).

  • Recently[BB’04]:

    • Full-IBE with no RO based on Bilinear-DDH.

