Certificateless Public Key Encryption without Paring

Certificateless Public Key Encryption without Paring Joonsang Baek, Reihaneh Safavi-Naunu, and Willy Susilo 報告者：陳國璋

Outline • 前言 • 動機 • Model • Security Notion • Scheme • 結論

前言 • Certificateless Public Key Encryption (CLPKE)特點 • 無須要求public key certification • 沒有key escrow問題 • 缺點：依賴IBE (Identity-Based Encryption)也就是使用bilinear pairing • 此paper改進：不依賴bilinear pairing

前言 • Security against • Public key replacement attack • Chosen ciphertext attack • 此scheme架構在standard computation Diffie-Hellman (CDH) problem

動機 • A想寄秘密訊息給B • 使用PKE A需要B的公鑰才能對訊息加密 • 當運算過程中都是正確的，只有B擁有的密鑰才會對應到訊息加密的公鑰，才能解回密文 • 一個直接的涵義，必須要保證B的公鑰是正確的

動機 • 在一般PKE中，要取得公鑰要透過CA驗證 • 準確的說，CA在B的公鑰作digital sign與digital certificate，這包含了 • Resulting signature • 公鑰能防備CA中某些對公鑰有興趣的團體

動機 • 為了避免透過CA取得金鑰，改用IBE，但是IBE有下列兩個缺點 • Bilinear pairing • Key escrow • 這篇論文的貢獻是不使用bilinear pairing來架構CLPKE

Model • 目的：允許sender傳送秘密訊息給recipient時，不須透過CA來取得recipient的公鑰 • 根據上述結果，certificate checking要被移除，且能降低系統複雜度 • 此外，sender必須保證只有誠實的recipient才能完成適當驗證過程來取得正確的”partial private key”(這必須要跟key generation center(KGC)取得的identity ID有關聯)，才有能力解密

Model • 跟原本的CLPKE相同的algorithm • Setup • SetSecretValue • SetPrivateKey • Encrypt • Decrypt

Model • 跟原本的CLPKE不同的algorithm • PartialKeyExtract • SetPublicKey

Model • PartialKeyExtract algorithm不同處 • 輸出要保持私密的partial private key • 輸出能被user的公鑰所產生的partial public key

Model • SetPublicKey algorithm不同處 • 藉由PartialKeyExtract的輸出當SetPublicKey的輸入，這樣uesr沒有透過KGC來取得partial public/private pair來取得public key是不可能的

Model • CLPKE所包含的algorithm – 1 • Setup • 由KGC執行 • 產生common parameter params • 產生master key masterKey • 注意一點的是，params會回傳給所有對公鑰有興趣的團體 • (params,masterKey) = Setup()

Model • CLPKE所包含的algorithm – 2 • PartialKeyExtract • KGC執行 • 把params, masterKey和接收到的identity ID當輸入 • 產生private key DID, public key PID • (PID,DID) = PartialKeyExtract(params,masterKey,ID)

Model • CLPKE所包含的algorithm – 3 • SetSecretValue • User執行 • 產生secret value sID • sID = SetSecretValue(params,ID)

Model • CLPKE所包含的algorithm – 4 • SetPrivateKey • User執行 • 產生private key SKID • SKID = SetPrivateKey(params,DID,sID)

Model • CLPKE所包含的algorithm – 5 • SetPublicKey • User執行 • 產生public key PKID • PKID = SetPublicKey(params,PID,sID,ID)

Model • CLPKE所包含的algorithm – 6 • Encrypt • Sender執行 • Plaintext M -> Cipertext C • C = Encrypt(params,ID,PKID,M)

Model • CLPKE所包含的algorithm – 7 • Decrypt • Recipient執行 • 解密密文δ，不是原本明文就是Reject訊息 • δ= Decrypt(params,SKID,C)

Security Notion • Indistinguishability of CLPKE ciphertexts under chosen ciphertext attack • 簡稱IND-CLPKE-CCA • 跟原本的CLPKE不同處在於attacker的”public key request” queries必須執行PartialKeyExtract algorithm並得到回應才行

Security Notion • 如同原本的CLPKE，我們假設2種不同型態的攻擊者AI與AII • AI沒有透過KGC取得master key • AII有透過KGC取得master key

Security Notion • Def: IND-CLPKE-CCA • AI: type I attacker (public key replacement attack) • AII: type II attacker (chosen ciphertext attack) • Π: CLPKE scheme

Security Notion • 考慮用2個games “Game I”與”Game II”分別和AI與AII跟challenger互動 • Challenger必須保有當攻擊者查詢的紀錄結果(history of query-answer)

Security Notion • Game I: 攻擊者AI與challenger互動 • Phase I-1: • challenger執行setup() • 產生masterKey與params • challenger把params給AI，而masterKey保持私秘

Security Notion • Phase I-2: AI有下列行動 - 1 • AI要求partial key extract queries i.e. (ID, ”partial key extract”) • challenger 計算(PID,DID) = PartialKeyExtract(params,masterKey,ID) • 回傳(PID,DID)給AI

Security Notion • Phase I-2: AI有下列行動 – 2 • AI要求private key extract queries i.e. (ID, ”private key extract”) • challenger計算 • (PID,DID) = PartialKeyExtract(params,masterKey,ID) • sID = SetSecretValue(params,ID) • SKID = SetPrivateKey(params,DID,sID) • 回傳SKID給AI

Security Notion • Phase I-2: AI有下列行動 – 3 • AI要求public key request queries i.e. (ID, ”public key request”) • challenger計算 • (PID,DID) = PartialKeyExtract(params,masterKey,ID) • sID = SetSecretValue(params,ID) • PKID = SetPublicKey(params,PID,sID,ID) • 回傳PKID給AI

Security Notion • Phase I-2: AI有下列行動 – 4 • AI隨時可以取代public key PKID

Security Notion • Phase I-2: AI有下列行動 – 5 • AI要求decryption queries i.e. (ID,PKID,C,” decryption”) • 如果challenger在query-answer中有找到SKID • 計算δ= Decrypt(params,SKID,C) ， δ可能是明文或是”Reject”訊息 • 回傳δ給AI • 如果challenger在query-answer中沒找到SKID • 透過”knowledge extractor”去解密文δ • 回傳δ給AI

Security Notion • 有關”knowledge extractor” • 原本的CLPKE遇到公鑰被取代的情況時，解密結果只會回傳”Reject”訊息 • 新的CLPKE遇到上述情況時，可以透過knowledge extractor來對要求的密文解密 • “Secure Integration of Asymmetric and Symmetric Encryption Scheme”有更詳細的說明

Security Notion • Phase I-3: • AI輸出2篇等長明文(M0,M1)跟target identity ID* • ID*的限制 • 沒有查詢過PartialKeyExtract與SetPrivateKey • 不等於public key被取代的identity • challenger接收到(M0,M1)和ID*後，隨機挑選β {0,1}並建立C* = Encrypt(params,PKID*,Mβ) • 回傳C*給AI

Security Notion • Phase I-4: • AI可作跟Phase I-2相同的queries • ID*的限制跟Phase I-3相同 • 限制不能查詢有關C*的decryption query • Phase I-5: • AI輸出β’ {0,1}

Security Notion • Game II: 攻擊者AII與challenger互動 • Phase II-1: • challenger執行Setup() • 產生masterKey與params • challenger把masterKey與params給AII

Security Notion • Phase II-2: AII有下列行動 – 1 • 計算partial key與ID的關連性，AII計算(PID,DID) = PartialKeyExtract(params,masterKey,ID)

Security Notion • Phase II-2: AII有下列行動 – 2 • AII要求private key extract queries i.e. (ID, ”private key extract”) • challenger計算 • (PID,DID) = PartialKeyExtract(params,masterKey,ID) • sID = SetSecretValue(params,ID) • SKID = SetPrivateKey(params,DID,sID) • 回傳SKID給AII

Security Notion • Phase II-2: AII有下列行動 – 3 • AII要求public key request queries i.e. (ID, ”public key request”) • challenger計算 • (PID,DID) = PartialKeyExtract(params,masterKey,ID) • sID = SetSecretValue(params,ID) • PKID = SetPublicKey(params,PID,sID,ID) • 回傳PKID給AII

Security Notion • Phase II-2: AII有下列行動 – 4 • AII要求decryption queries i.e. (ID,PKID,C,” decryption”) • 如果challenger在query-answer中有找到SKID • 計算δ= Decrypt(params,SKID,C) ， δ可能是明文或是”Reject”訊息 • 回傳δ給AII

Security Notion • Phase II-3: • AII輸出2篇等長明文(M0,M1)跟target identity ID* • ID*的限制 • 沒有查詢過SetPrivateKey • challenger接收到(M0,M1)和ID*後，隨機挑選β {0,1}並建立C* = Encrypt(params,PKID*,Mβ) • 回傳C*給AII

Security Notion • Phase II-4: • AII可作跟Phase II-2相同的queries • ID*的限制跟Phase II-3相同 • 限制不能查詢有關C*的decryption query • Phase II-5: • AII輸出β’ {0,1}

Security Notion

Security Notion • Def: standard “computation Diffie-Hellman (CDH)” problem • p, q are two primes s.t. q | p-1 • g: generator of Zp* • A: attacker, tries to solve that • Given (g,ga,gb), for uniform a,b Zq*, compute κ=gab • AdvZq*CDH=Pr[A(g,ga,gb)=gab]

Scheme • 此CLPKE scheme是根據Schnorr signature • 計算成本相當低，是因為 • Schnorr signature帶來的效率 • 有效的把Schnorr signature與public key encryption作結合

Scheme • Schnorr signature • “Efficient identification and signatures for smart cards” • hashed ElGamal Encryption • “Secure Integration of Asymmetric and Symmetric Encryption Scheme”

Scheme • Setup() • 產生2質數p和q s.t. q | p-1 • g為Zp*的generator • Random value x Zp*，並計算 y=gx • Hash functions • H1:{0,1}*×Zq*→Zq* • H2:{0,1} ×{0,1} →Zq* • H3:Zp*×Zp*→{0,1} , • Return params = (p,q,g,y,H1,H2,H3) and masterKey = (p,q,g,x,H1,H2,H3)

Scheme • PartialKeyExtract(params,masterKey,ID) • Random value s Zq* • Compute w = gs and t = s+xH1(ID,w) • Return (PID,DID) = (w,t)

Scheme • SetSecretValue(params,ID) • Random value z Zq* • Return z

Certificateless Public Key Encryption without Paring

Certificateless Public Key Encryption without Paring

Presentation Transcript

Chapter 8. Public Key Encryption

Public Key Encryption Systems

Public Key Encryption

Public Key Encryption 3

Certificateless encryption and its infrastructures

Anonymity-preserving Public-Key Encryption

ElGamal Public Key Encryption

Public-key encryption

RSA Public-Key Encryption

Public Key Encryption

Public-key encryption

Public-key Encryption

Public Key Encryption

ElGamal Public Key Encryption

RSA Public Key Encryption Algorithm

RSA Public Key Encryption Algorithm

Public Key Encryption

Public Key Encryption

RSA Public Key Encryption Algorithm