Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Forward secure asynchronous messaging from puncturable encryption
1. 1/27
Forward Secure Asynchronous Messaging from
Puncturable Encryption
2015 IEEE Symposium on Security and Privacy
Matthew D. Green and Ian Miers
Department of Computer Science
The Johns Hopkins University
20 July 2015
林彥賓
2020 年 7 月 8 日
Green and Miers 2020 年 7 月 8 日
3. 3/27
Puncturable Encryption
definition
tag: unique string for the message identifier (ID of a message)
puncturing: revoke decryption capability of the secret key to some
message
fine-grained: do something to the specific messages
coarse-grained: do something to all messages
forward-secure: exposure of long-term secret information does not
compromise the security of previously-generated session keys.
Green and Miers 2020 年 7 月 8 日
4. 4/27
Why Puncturable?
Suppose Alice want to
keep a lot of ciphertext
keep secrete of the category(attribute ot tag) of ciphertext
So she hash the tag with ciphertext
Suppose Alice only need the message that is not associate to tag A
someday
1 puncture secrete with tag A and get new secrete key
2 decrypt all ciphertext and get the correct message that is not
associate to tag A
if Alice need message associate to tag A someday, just use the origin key
to get result
Green and Miers 2020 年 7 月 8 日
5. 5/27
Negligible function
definition: Negligible function
For every positive integer c there exists an integer Nc such that for all
x > Nc
|u(x)| <
1
xc
=
1
poly(x)
use in security proof of adversary bound
represent as negl() in this paper
Green and Miers 2020 年 7 月 8 日
6. 6/27
Puncturable Encryption
A puncturable encryption scheme is a tuple of probabilistic algorithms
(PPKE.KeyGen, PPKE.Encrypt, PPKE.Decrypt, PPKE.Puncture) with the
following syntax:
PPKE.KeyGen(1k, d) −→ (PK, SK0):
input: security parameter k and maximum number of tags per
cipher-text d
output: public key PK and initial secret key SK0
PPKE.Encrypt(PK, M, t1, ..., td) −→ CT
input:public key PK, a plaintext M and a list of tags t1, ..., td
output:ciphertext CT
PPKE.Puncture(PK, SKi−1, t) −→ SKi
input: secrete key SKi−1 and tag t
output: secret key SKi that can decrypt any ciphertext SK’, except for
ciphertexts encrypted with t
PPKE.Decrypt(PK, SKi, CT, t1, ..., td) −→ {M}or{⊥}
input: secret key SKi and a ciphertext CT
output: plaintext M, or ⊥ if decryption fails
Green and Miers 2020 年 7 月 8 日
7. 7/27
Correctness
on input (k, M, n, d, t1, ..., tn, t∗
1, ..., t∗
d)
1 Compute (PK, SK0) ←− PPKE.KeyGen(lk, d)
2 If n > 0 then for i = 1, ..., n compute
SKi = PPKE.Puncture(SKi−1, ti)
3 Set CT = PPKE.Encrypt(PK, M, t∗
1, ..., t∗
d)
The scheme is correct if for all sufficiently large k; d > 0, n ≥ 0 both
polynomial in k; t1, ..., tn ∈ T, t∗
1, ..., t∗
d ∈ T{t1, ..., tn} it holds that
PPKE.Decrypt(SKn, CT, t∗
1, ..., t∗
d) = M
with probability 1−negl(k) taken over the random coins of the experiment.
Green and Miers 2020 年 7 月 8 日
8. 8/27
Security: INDPUN-ATK game
Setup: On input a security parameter k and a maximum number of
tags d, the challenger initializes two empty sets P, C and a counter
n = 0. It runs (PK, SK0) ←− PPKE.KeyGen(1k, d) and gives PK to
the adversary.
Phase 1: The adversary can repeatedly issue any of the following
queries:
Puncture(t): The challenger increments n, computes
SKn ←− PPKE.Puncture(SKn−1, t) and adds t to the set P
Corrupt(): The first time the adversary issues this query, the
challenger returns the most recent secret key SKn to the adversary and
sets C −→ P. All subsequent queries return ⊥
Decrypt(CT, t1, ..., td): If ATK = CPA the challenger returns ⊥. If
ATK = CCA the challenger computes
M ←− PPKE.Decrypt(SKn, CT, t1, ..., td) and returns M to the
adversary.
Green and Miers 2020 年 7 月 8 日
9. 9/27
Security: INDPUN-ATK game
Challenge: The adversary submits two messages m0, m1 along with
tags t∗
1, ..., t∗
d.
If the adversary has previously issued a Corrupt query and
{t∗
1, ..., t∗
d} ∩ C = ∅, the challenger rejects the challenge
Otherwise the challenger samples a random bit b, and returns
CT∗
←− PPKE.Encrypt(PK, Mb, t∗
1, ..., t∗
d) to the adversary
Phase 2: This phase is identical to Phase 1 with the following
restrictions:
Corrupt(): returns ⊥ if {t∗
1, ..., t∗
d} ∩ P = ∅
Decrypt(CT, t1, ..., td) returns ⊥ if (CT, t1, ..., td) = (CT∗
, t∗
1, ..., t∗
d
Guess: The adversary outputs a guess b′. The adversary wins if b = b′.
Definition: security for puncturable encryption
For ATK ∈ {CPA, CCA} if for all adversaries A and for sufficiently large
k, it holds that A’s advantage in the INDPUN- ATK game is bounded by
1/2 + negl(k)
Green and Miers 2020 年 7 月 8 日
10. 10/27
Construction: CPA-secure scheme
PPKE.Keygen(1k, d): Input security parameter k and maximum
number of tags per cipher-text d
1 Choose a group G of prime order p, a generator g and a hash function
H : {0, 1}∗
−→ Zp
2 Choose random a, b, r ∈ Zp
3 Set g1 = ga
, g2 = gb
4 Set q() a degree-d polynomial that q(0) = b
5 Define V(x) = gq(x)
6 Let t0 a tag
7 Set sk
(1)
0 = ga+r
2 , sk
(2)
0 = V(H(t0))r
, sk
(3)
0 = gr
, sk
(4)
0 = t0
8 Output
PK = g, g1, g2, V(1), ..., V(d) SK0 = sk
(1)
0 , sk
(2)
0 , sk
(3)
0 , sk
(4)
0
Green and Miers 2020 年 7 月 8 日
11. 11/27
Construction: CPA-secure scheme
PPKE.Encrypt(PK, M, t1, ..., td): Input the public parameters PK, a
message M to encrypt and a set of tags t1, ..., td ∈ {0, 1}∗{t0}
1 Select a random s ∈ Zp
2 Output CT = ct(1)
= Me(g1, g2)s
, ct(2)
= gs
, ct(3,1)
=
V(H(t1))s
, ..., ct(3,d)
= V(H(td))s
PPKE.Puncture(PK, SKi, t): Input an existing secret key SKi and a
tag t ∈ {0, 1}∗{t0}
1 Phase SKi = [sk0, ..., ski]
2 Phase sk0 = sk
(1)
0 , sk
(2)
0 , sk
(3)
0 , t0
3 Select random λ, r0, r1 ∈ Zp
4 Copute sk′
0 = sk
(1)
0 gr0−λ
2 , sk
(2)
0 V(H(t0))r0
, sk
(3)
0 gr0
, t0, ski+1 =
gλ+r1
2 , V(H(t))r1
, gr1
, t
5 Output SKi+1 = [sk′
0, (sk0) ?, sk1, ..., ski+1]
Green and Miers 2020 年 7 月 8 日
12. 12/27
Construction: CPA-secure scheme
PPKE.Decrypt(SKi, CT, t1, ..., td): Input a private key SKi, a
ciphertext CT and a set of tags t1, ..., td associated with the
ciphertext
1 Parse the ciphertext CT as (ct(1)
, ct(2)
, ct(3,1)
, ..., ct(3,d))
and parse
SKi as [sk0, ..., ski]
2 Compute a set of coefficients 1, ..., d, ′
such that
w′
q(H(sk
(4)
i )) +
∑d
k=1(wkq(H(tk))) = q(0) = b
3 Output M = ct(1)
/
∏i
j=0 Zj, where
Zj =
e(sk
(1)
j , ct(2)
)
e(sk
(3)
j ,
∏d
k=1((ct(3,k))wj ))e(sk
(2)
j , ct(2))w′
Green and Miers 2020 年 7 月 8 日
16. 16/27
Correctness?
How to proof there is no coefficients that
w′
q(H(sk
(4)
i )) +
d∑
k=1
(wkq(H(tk))) = q(0) = b
if sk
(4)
i ∈ {t1, ..., td}
Green and Miers 2020 年 7 月 8 日
17. 17/27
Construction: CCA-secure scheme
Let hash H1 : GT × M × Td −→ Zp
Let hash H2 : GT −→ {0, 1}ℓ
PPKE.Encrypt′(PK, M, t1, ..., td):
1 Select a random σ ∈ GT
2 Compute s = H1(σ, M, (t1, ..., td))
3 Compute CT′
= PPKE.Encrypt(PK, σ, t1, ..., td)
4 Output
CT = (CT′
, H2(σ) ⊕ M)
PPKE.Decrypt′(SKi, CT, t1, ..., td):
1 Parse the ciphertext CT as (CT′
, S)
2 Compute σ′
= PPKE.Decrypt(SKi, CT′
, t1, ..., td)
3 Compute M′
= S ⊕ H2(σ)
4 Compute s′
= H1(σ, M′
, (t1, ..., td))
5 Compute CT′′
= PPKE.Encrypt(PK, σ′
, t1, ..., td)
if CT′
= CT′′
return M′
else return ⊥
Green and Miers 2020 年 7 月 8 日
18. 18/27
HIBE Construction Of Boneh, Boyen and Goh
BBG.Setup(G, ℓ, a): For a HIBE scheme at most depth ℓ given secret
a
1 Select random g ∈ G
2 Set g1 = ga
3 Select random g2, g3, h1, ..., hℓ ∈ G
4 Output:
MPK = (g, g1, g2, g3, h1, ..., hℓ), MSK = ga
2
BBG.Keygen(skID|k−1, suffix): To generate a a private key skID|k for
an identity ID||sufix = (I1, ..., Ik) of length k ≤ ℓ
1 Select random r ∈ Zp
2 Output:
skID|k = (ga
2(hI1
1 , ..., hIk
k g3)r
, gr
, hr
k, ..., hr
ℓ) = (a0, a1, bk, ..., bℓ)
BBG.Encrypt(PK, ID, M): Input a message M under ID
1 pick a random s ∈ Zp
2 Output:
CT = (e(g1, g2)s
M, gs
, (hI1
1 · ... · hIk
k g3)s
)
Green and Miers 2020 年 7 月 8 日
19. 19/27
HIBE Construction Of Boneh, Boyen and Goh
BBG.Decrypt(skID, CT) To decrypt a ciphertext CT = (A, B, C)
output:
A
e(a1, C)
e(B, a0)
= e(g1, g2)s
M
e(gr, (hI1
1 · ... · hIk
k g3)s)
e(gs, ga
2(hI1
1 · ... · hIk
k g3)r)
= e(g1, g2)s
M
e(g, (hI1
1 · ... · hIk
k g3))sr
e(g, (hI1
1 · ... · hIk
k g3))sre(g, g2)a
= M
e(g1, g2)s
e(g1 = ga, g2)s
= M (1)
Green and Miers 2020 年 7 月 8 日
20. 20/27
Puncturable Forward Secure PKE
PFSE.Keygen(1k, d, ℓ): Input a security parameter k, the number of
tags per ciphertext d and a tree depth ℓ
1 Select G, GT of order p
2 Select random a, b ∈ Zp, g3, h1, ..., hℓ ∈ G
3 Set g1 = ga
, g2 = gb
4 Select hash H : {0, 1} −→ Zp
5 Let t0 a tag
6 Set:
PKPPKE = (g, g1, g2, gq(1)
, ..., gq(d)
), PKPFSE = (g, g1, g2, g3, h1, ..., hℓ)
7 Select random r1, r2, r3, a1, a2 ∈ Zp, a1 + a2 = a
8 Set: hskL = BBG.Keygen(PKPFSE, a1, 0), hskR =
BBG.Keygen(PKPFSE, a1, 1)
9 Set: ppkesk∅ = [(ga2+r3
2 , V(H(t0))r3
, gr3
, t0)]
10 Set D0 = (0, {hskL, hskR}, ppkesk∅)
11 Set
SK = (tsk1
∅, D1) = PFSE.NextInterval(D0)
12 Output PK, SK
Green and Miers 2020 年 7 月 8 日
21. 21/27
Puncturable Forward Secure PKE
PFSE.Encrypt(PK, M, Tcur, t1, ..., td): Input PK, a message M, a
time period Tcur, a set of tags t1, ..., td ∈ {0, 1}∗t0
1 Select random s ∈ Zp
2 Compute HIBE identity T1, ..., Tk = IndexToPath(Tcur, ℓ)
3 Compute ct(1)
= e(g1, g2)s
M, ct(2)
= gs
, ct(3,1)
=
V(H(t1))s
, ..., ct(3,d)
= V(H(td))s
, ct(4)
= (hT1
1 · ... · hTk
k g3)s
4 Output ct = (ct(1)
, ct(2)
, ct(3,1)
, ..., ct(3,d)
, ct(4)
), Tcur, (t1, ..., td)
PFSE.Puncture(PK, SK, t): Input the current secret key
SK = (tski
T, Di) where T represents the set of punctures in the
current time period
1 Parse tski
T = (hski, ppkeskT)
2 Compute
ppkeskT∪{t} = PPKE.Puncture(PKPPKE, ppkeskT, t)
3 Output tski
T∪{t} = (hski, ppkeskT∪{t})
Green and Miers 2020 年 7 月 8 日
22. 22/27
Puncturable Forward Secure PKE
PFSE.NextInterval(Di): Parse Di = (i, HSKs, ppkesk∅)
1 Extract the HIBE key hskP corresponding to time period i from HSKs
2 Compute
hskL = BBG.Keygen(hskP, 0), hskR = BBG.Keygen(hskP, 1)
3 Compute HSKs′
including the two new keys but without the parent
(i.e. HSKs′
= (HSKshskP) ∪ {hskL, hskR})
4 Set D′
= (i + 1, HSKs′
, ppkesk∅)
5 Parse hskP = (a0, ...), ppkesk∅ = (sk
(1)
0 , sk
(2)
0 , sk
(3)
0 , t0)
6 Select random γ ∈ G, r ∈ Zp
7 Compute
hsk′
P = (a0gγ
2 , ...), ppkesk′
∅ = (sk
(1)
0 g−γ+r
2 , sk
(2)
0 V(H(t0))r
, sk
(3)
0 gr
, t0)
8 Output: (tski
∅ = (hsk′
P, ppkesk′
∅), D′
)
Green and Miers 2020 年 7 月 8 日