Download - Identity-Based Encryptio n and Pairings
Mihir Bellare, UCSD1
Identity-Based Encryptionand Pairings
Mihir Bellare, UCSD2
The People
Mihir Bellare, UCSD3
The Awards
Mihir Bellare, UCSD4
Example: I = [email protected] has identity I
Receiver Bob
Sender Alice
Trusted Authority
certI
CM
certI
Receiver Bob
Sender Alice
Trusted Authority
skI
CM
I
PKE
IBE
Sender needs Receiver’s certificate before she can encryptTrusted authority (CA), given pk, provides receiver with a certificate certIReceiver generates her own key pair (pk,sk)
Sender only needs receiver’s identity I before she can encryptTrusted authority (CA), given I, provides receiver with a decryption key
Receiver generates nothing a priori
Mihir Bellare, UCSD5
P K
E
D
mpkmsk
M
C
sk
I
M
algorithmparameter generation
key generation
encryption
decryption
IBE = (P,K, E ,D)Syntax of an IBE scheme
mpk master public key
msk master secret key
I identity
sk secret (decryption) key for I
M message
C ciphertext
P
K
E
D
The correct decryption requirementfor identity I and message M asks that
Pr[D(mpk,K(mpk,msk, I), E(mpk, I,M)) = M ] = 1
Mihir Bellare, UCSD6
Security of an IBE scheme
IBE = (P,K, E ,D) is an IBE scheme.
AC $ E(mpk, I,M)
I
mpk
sk0 $ K(mpk,msk, I 0)
for any I 0 6= I
M = ?
Adversary A should be unable to figure out a message M encrypted to identity I, evengiven
• The master public key mpk
• The identity I
• The ciphertext C
• AND: Secret key sk0 for any identity I 0 6= I
Mihir Bellare, UCSD7
Security of an IBE scheme IBE = (P,K, E ,D) is an IBE scheme.
Let A be an adversary.
Advind-cpaIBE (A) = 2Pr[IND-CPAA
IBE ) true]� 1
b Challenge bitExI Set of exposed identitiesChI Set of challenge identitiesb0 A’s output, guess of b
Security requires that adversary can’t figure out whether left (b=0) or right (b=1) messages are encrypted for challenge identities.
Even when it is allowed to obtain the secret keys of non-challenge identities.
Game IND-CPAIBE
Initialize
(mpk,msk) $ P ; b $ {0, 1}ExI ; ; ChI ;Return mpk
Expose(I)
If (I 2 ChI) then return ?ExI ExI [ {I}sk $ K(mpk,msk, I)Return sk
LR(I,M0,M1)
If (I 2 ExI) then return ?ChI ChI [ {I}C $ E(mpk, I,Mb)Return C
Finalize(b0)
Return (b = b0)
Mihir Bellare, UCSD8
Building an IBE scheme
IBE = (P,K, E ,D) is an IBE scheme.
It is hard to find a way to build an IND-CPA-secure IBE scheme based on conventional number theory.
With RSA, let• mpk = (N,e)• msk = (N,d)• sk = ?• C = ?
Mihir Bellare, UCSD9
Pairings
We say that e is a pairing if the following are true:
• Bi-linearity: e(gx, gy) = e(g, g)xy for all x, y 2 Zp
• Non-degeneracy: e(g, g) is a generator of GT .
Let e : G⇥G ! GT be a function, where G,GT are groups whose order p is a prime. Letg be a generator of G.
Game BDHe,g
Initialize
a, b, c $ Zp
Return ga, gb, gc
Finalize(Z)
Return (Z = e(g, g)abc)
Advbdhe,g (A) = Pr[BDH
Ae,g ) true]
Pairings that appear to be BDH-secure can be built from the Weil and Tate pairings over elliptic curves.
Mihir Bellare, UCSD10
Mihir Bellare, UCSD11
Boneh-Franklin IBE scheme Algorithm Pmsk $ Zp ; mpk gmsk
Return (mpk,msk)
e : G⇥G ! GT a BDH-secure pairing
g a generator of Gp the order of G,GT
Identity I 2 {0, 1}⇤Message M 2 {0, 1}mFunction H : {0, 1}⇤ ! GFunction G : GT ! {0, 1}m
Let i be such that H(I) = gi
Proof of correct decryption requirement: from decryption algorithm
from encryption algorithm
because H(I) = gi
bi-linearity
from encryption algorithm
bi-linearity
Algorithm E(mpk, I,M)
r $ Zp ; R gr ; K e(mpk, H(I)r)
W G(K)�M ; Return (R,W )
Algorithm D(mpk, sk, (R,W ))
L e(R, sk) ; M G(L)�W ; Return M
Algorithm K(mpk,msk, I)
sk H(I)msk ; Return sk
Let I 2 {0, 1}⇤ be an identity.Let M 2 {0, 1}m be a messageLet sk = K(mpk,msk, I) = H(I)msk
Let (R,W ) $ E(mpk, I,M)We show that D(mpk, sk, (R,W )) = M
L = e(R, sk)
= e(gr, H(I)msk)
= e(gr, gi·msk)
= e(g, g)ri·msk
= e(gmsk, g
ir)
= e(mpk, H(I)r)
= K
Mihir Bellare, UCSD12
IBE features
Sender only needs receiver’s identity I before she can encrypt
``Trusted’’ authority can decrypt all ciphertexts for all identities
IBE issues
``Trusted’’ authority can decrypt all ciphertexts for all identities
A secure channel is needed to communicate sk from trusted authority to receiverRevocation is a pain
Compromise of server storing msk can result in adversary decrypting all ciphertexts for all identities
Mihir Bellare, UCSD13