encryption Presented by NTU Singapore

Transcription

1 A survey on identity based encryption Presented by Qi Saiyu NTU Singapore

2 Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE)

3 Before start Concentrate on Functionalities utilities in real applications Ignore Design details

4 Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE)

5 Introduction of public key encryption A public key encryption scheme consists of three algorithms (Gen, Enc, Dec) Gen(): outputs a pair of keys (pk; sk) wherepk is called the public key and sk is called the private key Enc(): takes as input a public key pk and a message m, outputs a ciphtertext c Dec(): takes as input a private key sk and a ciphtertext c. It outputs m encrypted in c

6 An example User A Transmit via the Internet Search B s public key to encrypt the document User B received the ciphtertext Use its private key to decrypt the ciphtertext User B Generate a key pair (pk, sk)

7 Security Hard to determine sk knowing pk Hard to recover message m, knowing pk and ciphertext c

8 A problem: how to distribute the public key How does A acquire the correct public key of B? An adversary can generate a key pair (pk, sk) by itself, gives pk to A and says it is B s public key If A uses pk to generate ciphtertexts, the adversary can use sk to decrypt these ciphtertexts

9 A traditional solution:public Key Infrastructure (PKI) Idea: provide the binding between a public key and an user s identity Certificate authorities (CA) issue digital certificates to bind a user and his public key An adversary can not issue a fake certificate to bind a user and his public key Before using the public key of a user, the sender must first verify the certificate of that user

10 An example Certificate Authority generates If the idenity a is sign-verify valid, Certificate = key pair (SK, issues VK) a certificate of a digital and signature an entity s and publishes description publishes the certificate (name, etc.) VK + on its website entity s public key (pk 2 ) + Proves its identity and expiration Every sends one date knows pk of 2 the to CA public key + VK is CA s verification key CA s name and saves VK in its database Fetches the certificate from CA s website + a signature of CA by using SK Verifies if the signature contained in the certificate (pk 1, sk 1 ) (pk 2, sk 2 ) is valid by using VK? If it is, uses pk 2 to encrypt m (pk 3, sk 3 )

11 Problems with PKI Computation complexity: Sender must fetch recipient s certificate and verify its validity to acquire the recipient s correct public key Storage complexity: CA must maintain a large list of certificates Management complexity: When a user s s public key is expired, CA must ask the user to provide a new public key, generate a new certificate for the public key and uses it to replace the old certificate

12 A new solution: Identity Based encryption Public keys can be any string ti (such as an address, phone number, or name of a user) Sender can use recipient s identity attribute (such as an address, phone number, or name of a user) as his public key to encrypt a message for him When recipient receives the ciphtertext, he contacts a third party (Private Key Generator),authenticates himself to it and obtains his private key. The recipient can then decrypt the ciphtertext

13 Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE)

14 Related work Shamir (CRYPTO, 1984) Boneh and Franklin (CRYPTO, 2001) Waters (EUROCRYPT, 2005) Boldyreva, Goyaland and Kumar (CCS, 2008) Waters (CRYPTO, 2009).

15 Boneh and Franklin (CRYPTO, 2001) Identity based encryption consists of four algorithms: Setup() Output: public parameter pp and master key s Extract (pp, s, id) Output: private key d id corresponding to id Encrypt (pp, id, m) Output: an encryption c of m Decrypt (pp, d id, c) Output: if d id is the private key corresponding to id, m can be decryptedd

16 An example setup public parameters public parameters M encrypted using bob@ncsu.edu public parameters Authentication Private key for bob@ncsu.edu master key encrypt decrypt extract

17 Definition of security Inherit the security of public key encryption: a user without a private key of id cannot learn the content of a ciphtertext encrypted by id

18 Advantage: simplify the management of a large number of public keys Rather than storing a big database of public keys and their certificates, the public keys can be derived from usernames There is no need for sender to obtain recipient s certificate when encrypting a message Sender can send encrypted message to recipient even if the recipient i thas not yet setup his private key No requirement of a CA to maintain a list of certificates

19 Revocation of old public keys By using PKI B must apply new certificate for its new public key at CA A must obtain the new certificate of B By using IBE A does not need to obtain a new certificate from B every time B s private key is updated The of B 2006 The of B 2007 Only B needs to acquire new private keys at PKG Private key for (The of B 2006) Private key for (The of B 2007)

20 Delegation of duties Runs setup to get (pp, s) ) Using s to generate private key for each assistant corresponding to its responsibility Distributes the private keys An outside user only needs to get pp Producing Purchasing Human-resources Encrypt using Producing Encrypt using Purchasing. The manager can decrypt all ciphtertexts but each assistant can only decrypt the ciphtertexts falling in its responsibility

21 Summary Any string can be treated as public key (such as name, responsibility and time) Several attributes can be concatenated as a public key (name place time) The recipient must satisfy the requirements in the public key(string) to decrypt

22 Outline Introduction of public key encryption Basic identity based encryption (IBE) Hierarchical identity based encryption (HIBE)

23 Related work Horwitz and Lynn (EUROCRYPT, 2002) Boneh, Boyen and Goh (EUROCRYPT, 2005) Boyen and Waters (CRYPTO, 2006).

24 Intuition An ID can be a vector of strings: (id 1, id 2, id k) (1 k L) The master key s generates the private key d k for ID=(id 1, id 2, id k ) s, (id 1, id 2, id k ) d k (1 k L) The private key d k 1 for ID k 1 =(id 1, id 2, id k 1 ) generates the private key d k for ID k =(id 1, id 2, id k ) d k-1, (id 1, id 2, id k-1 ) d k, (id 1, id 2, id k-1, id k )

25 Boneh, Boyen and Goh (CRYPTO, 2005) HIBE consists of four algorithms: Setup(L) Input: maximum dimension L Output: public parameter pp and master key s Extract (d k 1, ID k ) Input: d k 1 the private key of (id 1, id 2, id k 1 ) ID k (id 1 1, id 2 2,, id k 1,, id k k) ) Output: private key d k corresponding to ID k Encrypt (pp, ID k, m) Output: an encryption c of m Decrypt (d k, c) Output: if d k is the private key corresponding to ID k, m can be decrypted

26 An example pp, s School Encrypt (Sh (School, lcsbb) CS, Bob) d Math d CS (School, Math) (School, CS) d Bob Decrypt(d Bob ) Bob (School, CS, Bob) (School, Math, user1) (School, CS, user2) (School, CS, user3)

27 Security Similar with IBE: a user without a private key of ID cannot learn the content of a ciphtertext encrypted by ID

28 Application When ID is a single string, becomes IBE Private key delegation

29 Q & A Thanks!