1 / 21

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions. Brent Waters. Identity-Based Encryption [S84,BF01,C01]. MSK. Public Params. ID. ID’. Authority. Decrypt iff ID’ = ID. 2. IBE Security [BF01]. Public Params. ID Q. ID 1. ID 1. ID Q. Challenger. Attacker. ….

lee-winters
Download Presentation

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dual System Encryption:Realizing IBE and HIBE from Simple Assumptions Brent Waters

  2. Identity-Based Encryption [S84,BF01,C01] MSK Public Params ID ID’ Authority Decrypt iff ID’ = ID 2

  3. IBE Security [BF01] Public Params IDQ ID1 ID1 IDQ Challenger Attacker … M0, M1, ID* IDi(challenge ID) b Enc(Mb , PP, ID*) b’ Adv = Pr[b’=b] -1/2

  4. IBE Security Proofs ID Space Priv. Key Space • 2 Goals: • Answer Attacker Queries • Use Attacker Response • “Partitioning” [BF01, C01, CHK03, BB04, W05] Attacker Simulator Challenge Space

  5. Partitioning and Aborts ID Space Priv. Key Space Challenge Space Abort and try again ID1 ID2… … IDQ ID*(challenge ID) Simulator Attacker 

  6. Finding a Balance ID Space Priv. Key Space • Aborts effect security loss • Challenge Space -> “right size” • C.S. = 1/Q (for Q queries ) => 1/Q no abort Simulator Challenge Space

  7. Structure gives problems! • Hierarchical IBE • Q queries per HIBE level => (1/Q)depth loss • Attribute-Based Encryption similar Partitioning won’t work! :gov :edu

  8. The Gentry Approach [G06,GH09] • Ready for both • Shove degree Q poly into Short params => Complex Assumption

  9. Our Results • IBE (w/ short parameters) • HIBE • Broadcast Encryption • Full Security • Simple Assumption: Decision Linear Given: g, u, v, ga , ub, Dist: va+b from R

  10. Dual System Encryption ID ID ID ID • 2 types of Keys & CTs Normal Used in real system Semi-Functional   Normal  Semi-Functional • Types are indist. (with a caveat)

  11. Principles • No aborts I’m ready for anything! Simulator • Change things slowly • Hybrid over keys form • Goal: Everything Semi Functional

  12. Proof Overview – 3 Steps ID1 ID2 IDQ ID1 ID2 IDQ ID* ID Challenge CT  Semi Func. Keys  Semi. Func. (one at a time!!) Argue Security Simulator …

  13. Problem: Simulator can test keys! ? • Create S.F. CT for “Bob” and unknown key for “Bob” • Decryption works iff key is normal Simulator “Bob” “Bob”

  14. Resolution: Tweak Semantics • Add “tags” tc , tk to C.T. and Key • Decrypt iff IDc = IDkAND tc tk • Negl. correctness error (can patch) • SW08 revocation IDc , tc IDK , tK

  15. Problem: Simulator can test keys! ? • Sim. Picks A, B 2 Zp : F(ID) = A ¢ ID + B • Challenge CT and unknown key tags  F(ID) Simulator “Bob” , tk =x “Bob” , tc =x • Dec. Fails regardless of Semi Functionality! • 2 different IDs look independent • Hybrid  simple assumption

  16. How it is built p1 p2 p3 ID ID ID ID • Subgroup version N= p1 p2 p3 Normal S.F. Normal S.F.

  17. Glimpse of Subgroup Construction Setup: KeyGen(ID): Encrypt(ID,M): • Similarities to Boneh-Boyen04 • D. Linear same concepts, more messy

  18. Conclusions and Speculation • Dual Encryption: Change Forms First! • One by one  Small Assumptions • HIBE, B.E. became easier • Prediction: ABE + Functional Enc. • Need new techniques • Prediction: Simple Assumptions & Full Security

  19. Dual Interpretation Interpretation 1: Selective Security + Assumptions were bad • Not ultimately necessary Alternative: They lead us in the right directions • Full secure schemes “look like” selective • Gentry06 beyond partitioning

  20. Thank you 20

  21. The Gentry Approach [G06,GH09] • Ready for both • Simulator 1-key per identity – always looks good • Shove degree Q poly into Short params => Complex Assumption

More Related