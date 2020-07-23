
Seminar on "Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles", Advances in Cryptology - EUROCRYPT 2004, by Dan Boneh and Xavier Boyen

Published in: Science
License: CC Attribution License
Efficient selective id secure identity based encryption without random oracles

  1. 1/19 Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2004. Dan Boneh and Xavier Boyen, Stanford University, Voltage Security. December 2004. 林彥賓, May 21, 2020. Boneh and Boyen, May 21, 2020
  2. 2/19 Outline
     - Introduction
       - Hierarchical IBE
     - Preliminaries
       - Selective Identity, Adaptive Chosen Ciphertext/Plaintext Secure
     - Complexity Assumptions
       - Bilinear Diffie-Hellman Assumption
       - Bilinear Diffie-Hellman Inversion Assumption
     - The Proposed Scheme
       - Efficient Selective Identity IBE and HIBE Based on BDH Without Random Oracles
       - Security Proof
       - Fast KeyGen
       - More Efficient Scheme
  3. 3/19 Hierarchical IBE
     - A vector of dimension $\ell$ represents an identity at depth $\ell$.
     - The master-key is the private key at depth 0.
     - An IBE system is an HIBE where all identities are at depth 1.
  4. 4/19 Selective Identity Secure IBE and HIBE Systems
     - Init: The adversary outputs an identity $ID^*$ where it wishes to be challenged.
     - Setup: The challenger runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.
     - Phase 1: The adversary issues queries $q_1, \ldots, q_m$ where query $q_i$ is one of:
       - Private key query $\langle ID_i \rangle$ where $ID_i \neq ID^*$ and $ID_i$ is not a prefix of $ID^*$. The challenger responds with the private key $d_i$ corresponding to the public key $\langle ID_i \rangle$.
       - Decryption query $\langle C_i \rangle$ for identity $ID^*$ or any prefix of $ID^*$. The challenger responds with the decrypted plaintext.
  5. 5/19 Selective Identity Secure IBE and HIBE Systems
     - Challenge: The adversary outputs two plaintexts $M_0, M_1$. The challenger picks a random bit $b \in \{0, 1\}$ and sends $C = \mathrm{Encrypt}(params, ID^*, M_b)$ to the adversary.
     - Phase 2: The adversary issues additional queries $q_{m+1}, \ldots, q_n$ where $q_i$ is one of:
       - Private key query $\langle ID_i \rangle$ where $ID_i \neq ID^*$ and $ID_i$ is not a prefix of $ID^*$. The challenger responds as in Phase 1.
       - Decryption query $\langle C_i \neq C \rangle$ for $ID^*$ or any prefix of $ID^*$. The challenger responds as in Phase 1.
     - Guess: Finally, the adversary outputs a guess $b' \in \{0, 1\}$. The adversary wins if $b' = b$.
     - Advantage of the adversary $A$ in attacking the scheme $\epsilon$: $\mathrm{Adv}_{\epsilon,A} = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$
  6. 6/19 Selective Identity, Adaptive Chosen Ciphertext/Plaintext Secure
     - Definition: an IBE or HIBE system $\epsilon$ is $(t, q_{ID}, q_c, \epsilon)$ IND-sID-CCA secure if, for any $t$-time IND-sID-CCA adversary $A$ that makes at most $q_{ID}$ chosen private key queries and at most $q_c$ chosen decryption queries, we have $\mathrm{Adv}_{\epsilon,A} < \epsilon$.
     - Definition: $(t, q_{ID}, \epsilon)$ IND-sID-CPA security of an IBE or HIBE system $\epsilon$ (Selective Identity, Chosen Plaintext Secure).
  7. 7/19 Bilinear Diffie-Hellman Assumption
     - Given a tuple $g, g^a, g^b, g^c \in G$ as input, output $e(g, g)^{abc} \in G_1$.
     - An algorithm $A$ has advantage $\epsilon$ in solving BDH if $\Pr[A(g, g^a, g^b, g^c) = e(g, g)^{abc}] \ge \epsilon$.
     - An algorithm $B$ that outputs $b \in \{0, 1\}$ has advantage $\epsilon$ in solving decision BDH if $\left|\Pr[B(g, g^a, g^b, g^c, e(g, g)^{abc}) = 0] - \Pr[B(g, g^a, g^b, g^c, T) = 0]\right| \ge \epsilon$, where $T$ is a random element of $G_1$.
     - Definition, (Decision) BDH assumption: the (Decision) $(t, \epsilon)$ BDH assumption holds in $G$ if no $t$-time algorithm has advantage at least $\epsilon$ in solving the (Decision) BDH problem in $G$.
  8. 8/19 Bilinear Diffie-Hellman Inversion Assumption
     - Given the $(q + 1)$-tuple $g, g^x, g^{(x^2)}, \ldots, g^{(x^q)} \in (G')^{q+1}$ as input, compute $e(g, g)^{1/x} \in G'_1$.
     - An algorithm $A$ has advantage $\epsilon$ in solving q-BDHI if $\Pr[A(g, g^x, g^{(x^2)}, \ldots, g^{(x^q)}) = e(g, g)^{1/x}] \ge \epsilon$.
     - An algorithm $B$ that outputs $b \in \{0, 1\}$ has advantage $\epsilon$ in solving decision BDH if $\left|\Pr[B(g, g^x, g^{(x^2)}, \ldots, g^{(x^q)}, e(g, g)^{1/x}) = 0] - \Pr[B(g, g^x, g^{(x^2)}, \ldots, g^{(x^q)}, T) = 0]\right| \ge$, where $T$ is a random element of $G_1$.
     - Definition, (Decision) BDHI assumption: the (Decision) $(t, q, \epsilon)$ BDHI assumption holds in $G$ if no $t$-time algorithm has advantage at least $\epsilon$ in solving the (Decision) q-BDHI problem in $G$.
  9. 9/19 Efficient Selective Identity IBE and HIBE Based on BDH Without Random Oracles
     - Setup($\ell$): Generate system parameters for an HIBE of maximum depth $\ell$
       1. Select generator $g \in G^*$
       2. Select a random $a \in Z_p$
       3. Set $g_1 = g^a$
       4. Pick random elements $\langle h_1, \ldots, h_\ell \rangle$
       5. Pick a random element $g_2 \in G$
     - Public parameters: $params = (g, g_1, g_2, h_1, \ldots, h_\ell)$
     - Master key: $g_2^a$
     - Function $F_j : Z_p \to G$ for $j = 1, \ldots, \ell$: $F_j(x) = g_1^x h_j$
  10. 10/19 Efficient Selective Identity IBE and HIBE Based on BDH Without Random Oracles
     - KeyGen($d_{ID|j-1}$, ID): Generate the private key $d_{ID}$ for an identity $ID = (I_1, \ldots, I_j) \in Z_p^j$, $j \le \ell$
       1. Pick random $r_1, \ldots, r_j \in Z_p$
       2. Compute: $d_{ID} = \left(g_2^a \cdot \prod_{k=1}^{j} F_k(I_k)^{r_k},\ g^{r_1}, \ldots, g^{r_j}\right)$
     - Encrypt(params, ID, M): Encrypt a message $M$
       1. Pick a random $s \in Z_p$
       2. Compute $C = \left(e(g_1, g_2)^s \cdot M,\ g^s,\ F_1(I_1)^s, \ldots, F_j(I_j)^s\right)$
  11. 11/19 Efficient Selective Identity IBE and HIBE Based on BDH Without Random Oracles
     - Decrypt($d_{ID}$, C): Let $C = (A, B, C_1, \ldots, C_j)$ and compute:
       $M = A \cdot \dfrac{\prod_{k=1}^{j} e(C_k, d_k)}{e(B, d_0)}$
     - Correctness, using $g_1 = g^a$:
       $e(g_1, g_2)^s \cdot M \cdot \dfrac{\prod_{k=1}^{j} e(F_k(I_k), g)^{s r_k}}{e(g, g_2)^{sa} \prod_{k=1}^{j} e(g, F_k(I_k))^{s r_k}} = e(g, g_2)^{sa} \cdot M \cdot \dfrac{1}{e(g, g_2)^{sa}} = M$
  12. 12/19 Security Proof
     - Theorem: Given the $(t, \epsilon)$ Decision BDH assumption and a $(t', q_s, \epsilon)$ HIBE, then $t' < t - \Theta(T \ell q_s)$, where $T$ is the maximum time for an exponentiation in $G$.
     - If $A$ has advantage $\epsilon$ in attacking the HIBE system, the advantage of algorithm $B$ in solving the Decision BDH problem will also be $\epsilon$.
  13. 13/19 Security Proof
     - Game parameters: $g$, $g_1 = g^a$, $g_2 = g^b$, $g_3 = g^c$, and $T = e(g, g)^{abc}$ or a uniform and independent value in $G_1$
     - Initialization:
       1. $A$ outputs an identity $ID^* = (I_1^*, \ldots, I_k^*) \in Z_p^k$, $k \le \ell$
  14. 14/19 Security Proof
     - Setup: system parameters $params = (g, g_1, g_2, h_1, \ldots, h_\ell)$
       1. $B$ picks random $a_1, \ldots, a_\ell \in Z_p$
       2. $h_j = g_1^{-I_j^*} g^{a_j}$, $j = 1, \ldots, \ell$
       3. $F_j(x) = g_1^x h_j = g_1^{x - I_j^*} g^{a_j}$
     - Note that the corresponding master key, $g_2^a = g^{ab} \in G$, is unknown to $B$.
  15. 15/19 Security Proof
     - Phase 1:
       1. $A$ issues a private key query for $ID = (I_1, \ldots, I_u) \in Z_p^u$, $u \le \ell$
       2. Let $j$ be the smallest index such that $I_j \neq I_j^*$, $1 \le j \le u$
       3. $B$ picks random elements $r_1, \ldots, r_j \in Z_p$ and returns to $A$:
          $d_0 = g_2^{\frac{-a_j}{I_j - I_j^*}} \prod_{v=1}^{j} F_v(I_v)^{r_v},\quad d_1 = g^{r_1}, \ldots, d_{j-1} = g^{r_{j-1}},\quad d_j = g_2^{\frac{-1}{I_j - I_j^*}} g^{r_j}$
     - Let $r'_j = r_j - b/(I_j - I_j^*)$. Then, using $g_2^a = g^{ab}$ and $g_1^{-b} = g^{-ab}$:
       $g_2^{\frac{-a_j}{I_j - I_j^*}} F_j(I_j)^{r_j} = g^{\frac{-b a_j}{I_j - I_j^*}} \left(g_1^{I_j - I_j^*} g^{a_j}\right)^{r_j} \cdot g_2^a \cdot g_1^{-b} = g_2^a \left(g_1^{I_j - I_j^*} g^{a_j}\right)^{r_j - \frac{b}{I_j - I_j^*}} = g_2^a F_j(I_j)^{r'_j}$
     - This matches the definition of the private key:
       $d_0 = g_2^a \left(\prod_{v=1}^{j-1} F_v(I_v)^{r_v}\right) F_j(I_j)^{r'_j},\quad d_1 = g^{r_1}, \ldots, d_j = g^{r'_j}$
  16. 16/19 Security Proof
     - Challenge:
       1. $A$ outputs two messages $M_0, M_1$
       2. $B$ picks a random bit $s \in \{0, 1\}$
       3. $B$ responds with the ciphertext $C = (M_s \cdot T,\ g_3,\ g_3^{a_1}, \ldots, g_3^{a_k}) = (M_s \cdot T,\ g^c,\ F_1(I_1^*)^c, \ldots, F_k(I_k^*)^c)$
     - Phase 2: same as Phase 1
     - Guess:
       1. $A$ outputs $s' \in \{0, 1\}$. If $s = s'$, $B$ outputs 1, meaning $T = e(g, g)^{abc}$; otherwise $B$ outputs 0.
     - $T = e(g, g)^{abc}$: $C$ is the same as in the real attack game in $A$'s view, so $|\Pr[s = s'] - 1/2| > \epsilon$
     - $T$ is random: $\Pr[s = s'] = 1/2$
     - $\left|\Pr[B(g, g^a, g^b, g^c, e(g, g)^{abc}) = 0] - \Pr[B(g, g^a, g^b, g^c, T) = 0]\right| \ge \left|(\tfrac{1}{2} \pm \epsilon) - \tfrac{1}{2}\right| =$
  17. 17/19 Fast KeyGen
     - In the case of non-hierarchical IBE, or $j = 1$:
       1. Select random $f \in Z_p$
       2. Set $h_1 = g^f$
       3. Compute: $d_{ID} = (g_2^a h_1^r g_1^{r \cdot ID},\ g^r) = (g_2^a g^{(f + a \cdot ID) r},\ g^r)$
     - This needs fewer exponentiations.
  18. 18/19 More Efficient Scheme
     - Set a hash $H : \{0, 1\}^* \to Z_p^*$ and use $H$ to map public keys (ID) into $Z_p^*$
     - Setup:
       1. Select a random generator $g \in G^*$
       2. Select random $x, y \in Z_p^*$
       3. Set $X = g^x$, $Y = g^y$
       4. $params = (g, X, Y)$, master-key $= (x, y)$
     - KeyGen(master-key, ID): Create the private key for public key ID
       1. Pick a random $r \in Z_p$
       2. Compute $K = g^{1/(ID + x + ry)} \in G$
       3. Output the private key $d_{ID} = (r, K)$
  19. 19/19 More Efficient Scheme
     - Encrypt(params, ID, M): To encrypt a message $M$
       1. Pick a random $s \in Z_p^*$
       2. Compute $C = (g^{s \cdot ID} X^s,\ Y^s,\ e(g, g)^s M)$
     - Decrypt($d_{ID}$, C): To decrypt the ciphertext $C = (A, B, C)$, compute
       $\dfrac{C}{e(A B^r, K)} = \dfrac{C}{e(g^{s(ID + x + ry)}, g^{1/(ID + x + ry)})} = \dfrac{e(g, g)^s M}{e(g, g)^s} = M$

