
Efficient Selective-ID IBE Without Random Oracle

Dan Boneh, Stanford University. Xavier Boyen, Voltage Security.


Presentation Transcript


  1. Efficient Selective-ID IBE Without Random Oracle
     Dan Boneh, Stanford University
     Xavier Boyen, Voltage Security

  2. Identity Based Encryption (IBE)
     • IBE: Public key encryption scheme where public key is an arbitrary string (ID).
     • Examples: user’s e-mail address, current-date, …
     [Diagram labels: I am “alice@stanford.edu”; email encrypted using public key: “alice@stanford.edu”; Private key; CA/PKG; master-key]

  3. IBE System
     • IBE system is made up of 4 algorithms:
       • setup: generate params and master-key, MK.
       • keygen: given pub-key ID and master-key output priv-key, d_ID
       • Encrypt: using pub-key ID (and params)
       • Decrypt: using priv-key.
     • Main use of IBE:
       • reduce need for online pub-key directory.

  4. Semantic Secure IBE systems [BF’01]
     • Semantic security when attacker has few private keys.
     • Def: Alg. A -breaks IBE sem. sec. if Pr[b=b’] > ½ +
     • (t,)-security: no t-time alg. can -break IBE sem. sec.
     [Diagram: Challenger and Attacker. Challenger: Run Setup; Run KeyGen; b{0,1}. Exchanged: params; ID1, ID2, ID3, …, IDn; d_ID1, d_ID2, d_ID3, …, d_IDn; ID*, m0, m1  G; C* = Enc( m_b , ID* , params); b’  {0,1}. IDi ID*]

  5. Selective-ID Secure IBE [CHK’03]
     • Def: Alg. A -breaks IBE sem. sec. if Pr[b=b’] > ½ +
     [Diagram: Challenger and Attacker. ID*: pub-key to attack. Challenger: Run Setup; Run KeyGen; b{0,1}. Exchanged: params; ID1, ID2, ID3, …, IDn; d_ID1, d_ID2, d_ID3, …, d_IDn; m0, m1  G; C* = Enc( m_b , ID* , params); b’  {0,1}. IDi ID*]

  6. Known Results
     • BF’01: Full sem. sec. IBE system in RO model.
       • Based on Comp. Bilinear-DH assumption.
       • Extends to provide CCA2 in RO model.
     • CHK’03: Selective-ID Secure IBE without RO.
       • Based on Decision Bilinear-DH assumption.
       • Problem: bilinear map per bit of ID.
     • Current: (two) efficient Selective-ID secure IBE.
       • No Random oracles.
       • Based on Decision Bilinear-DH assumption.
       • 0 pairings for enc. 2 pairings for dec.

  7. Bilinear maps (abstractly)
     • G , G1 : finite cyclic groups of prime order q.
     • Def: An admissible bilinear map e: GG G1 is:
       • Bilinear: e(g^a, g^b) = e(g,g)^(ab)   a,bZ, gG
       • Non-degenerate: g generates G  e(g,g) generates G1 .
       • “Efficiently” computable.
     • Currently: examples from algebraic geometry where Dlog in G believed to be hard.

  8. Bilinear Diffie-Hellman Problems
     • Def: Alg. A -solves Bilinear-DH in group G if:
         Pr[ A(g,h,g^x,g^y) = e(g,h)^(xy) ] >
       where g,h  G and x,y  {1,…,q-1}.
     • Def: Alg. A -solves Bilinear-DDH in group G if:
         Pr[ A(g,h,g^x,g^y, e(g,h)^(xy)) = 1 ] - Pr[ A(g,h,g^x,g^y, e(g,h)^r) = 1 ] | >
       where g,h  G and x,y,r  {1,…,q-1}.

  9. Selective-ID IBE system
     • Setup: params = (g, g1=g^x, g2, h) G1 ; MK = g2^x
     • KeyGen (ID, MK): given pub-key ID{1,…,q} do:
         r{1,…,q-1} ; d_ID = (MK·(g1^ID h)^r, g^r)
     • Encrypt ( m, ID, (g,g1,g2,h) ):
         s{1,…,q-1} ; C = ( m·e(g1,g2)^s , g^s , (g1^ID h)^s )
     • Decrypt (C, d_ID): C = (C0 , C1 , C2) using d_ID = (d1, d2)
         observe: e(C1 , d1) / e(C2, d2) = e(g1, g2)^s

  10. Security Theorem
     • Thm:  t-time alg. that -breaks IBE sem. sec. in G   t-time alg. that -solves bilinear-DDH in G. ~

  11. Proof
     [Diagram: Algorithm for Bilinear-DDH and Attacker]
     • Algorithm for Bilinear-DDH: (g, g1, g2=g^x, g3=g^y, R=e(g,g1)^z)
     • ID*  {1,…,q}
     • params = (g, g1, g2, h=g1^(-ID*) g)
     • ID* ID {1,…,q}
     • d_ID = ( d0 , d1 )
     • Unknown: MK=g1^x
     • d0 = g2^(-/(ID-ID*)) (g1^ID h)^r, d1 = g2^(-1/(ID-ID*)) g^r
     • m0, m1  G
     • C* = ( m_b R , g3 , g3 )
     • b’  {0,1}
     • 1 if z=xy; 0 if z rand

  12. Proof
     [Diagram: Algorithm for Bilinear-DDH and Attacker]
     • Algorithm for Bilinear-DDH: (g, g1, g2=g^x, g3=g^y, R=e(g,g1)^z)
     • ID*  {1,…,q}
     • params = (g, g1, g2, h=g1^(-ID*) g)
     • ID* ID {1,…,q}
     • d_ID = ( d0 , d1 )
     • m0, m1  G
     • C* = ( m_b R , g3 , g3 )
     • b’  {0,1}
     • 1 if b=b’; 0 otherwise

  13. Applications
     • Our IBE + CHK’04  efficient CCA2 public-key system w/o Random Oracles from Bilinear-DDH:
       • Enc: 3 exp. (4 exp. in CS)
       • Dec: two pairings + 2 exp. (2 exp. in CS)
       • CT size: 3|G| + one-time-sig. (4|G| in CS)
       • Comparable to Cramer-Shoup (but a bit worse).
       • Shorter CT using BB’04 short sigs w/o R.O.
     • 2nd system: one fewer bilinear maps for dec.
       • Gives more efficient CCA2 public-key system.

  14. Extensions
     • Hierarchical IBE [LH’02, GS’02]
       • System extends to give an efficient Selective-ID H-IBE without R.O.
       • 2-HIBE + CHK’04  Efficient CCA2 Selective-ID IBE without R.O.
     • 2nd system: more efficient Selective-ID IBE.
       • one fewer bilinear maps for dec.
       • But, based on stronger assumption (DH-Inversion).
     • Recently [BB’04]:
       • Full-IBE with no RO based on Bilinear-DDH.
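
Added example, not part of the original slides: the four algorithms of slide 9 (Setup, KeyGen, Encrypt, Decrypt) written out so the decryption identity e(C1, d1) / e(C2, d2) = e(g1, g2)^s can be checked mechanically. Assumptions: instead of a real pairing group it uses a toy model in which each group element is stored as its exponent (so it offers no security), and the order Q, the helper names and the hash-based ident() mapping are all introduced here.

```python
# Toy model for checking the algebra only, NOT secure: the group element g^a
# is stored as its exponent a mod Q, so every discrete log is visible.
import hashlib
import secrets

Q = 2**127 - 1                      # prime group order q (constructed value)
G = 1                               # generator g = g^1

def rand_exp():                     # uniform in {1,…,q-1}
    return secrets.randbelow(Q - 1) + 1

def mul(a, b):   return (a + b) % Q   # g^a · g^b = g^(a+b), in G or G1
def div(a, b):   return (a - b) % Q   # g^a / g^b = g^(a-b)
def power(a, k): return (a * k) % Q   # (g^a)^k = g^(ak)
def pair(a, b):  return (a * b) % Q   # e(g^a, g^b) = e(g,g)^(ab)

def ident(s):                       # assumption: hash a string into Z_q
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big") % Q

def setup():
    x = rand_exp()
    params = (G, power(G, x), rand_exp(), rand_exp())   # (g, g1=g^x, g2, h)
    return params, power(params[2], x)                  # MK = g2^x

def keygen(params, mk, ID):
    g, g1, g2, h = params
    r = rand_exp()
    return (mul(mk, power(mul(power(g1, ID), h), r)),   # MK·(g1^ID h)^r
            power(g, r))                                # g^r

def encrypt(params, ID, m):         # m is an element of G1
    g, g1, g2, h = params
    s = rand_exp()
    return (mul(m, power(pair(g1, g2), s)),             # m·e(g1,g2)^s
            power(g, s),                                # g^s
            power(mul(power(g1, ID), h), s))            # (g1^ID h)^s

def decrypt(ct, d_id):
    c0, c1, c2 = ct
    d1, d2 = d_id
    mask = div(pair(c1, d1), pair(c2, d2))              # e(g1,g2)^s
    return div(c0, mask)
```

With a key issued for a different identity ID', the pairing quotient keeps an extra factor e(g, g1)^(s·r·(ID'-ID)), so decrypt returns a value other than m.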
