Identity-Based Encryption. Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam)

Transcription

1 Identity-Based Encryption Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam)

2 Public-key encryption PKI pk KeyGen sk M Enc C Dec M Sender (pk) Receiver (sk) 2

3 Identity-based encryption (IBE) Shamir 1984: public key can be any string, e.g. identity encrypt to ID = bob@gmail.com Key distribution center (msk) Setup msk KeyDer mpk ID sk ID ID, M Enc C Dec M Sender (mpk) Receiver (sk ID ) 3

4 Applications of IBE Encrypt to ID = bob@ibm.com Temporary keys, key revocation: ID = bob@ibm.com, 2007 Encrypting to the future: ID = release-date Trusted clock publishes sk date on date User credentials: ID = bob@ibm.com, role=adminstrator Credential is a decryption key cryptographic policy enforcement 4

5 Security of IBE schemes Security notion: IND-ID-CPA mpk A b ID d ID ID*,M 0,M 1 C* KeyDer(msk, ) (mpk,msk) R Setup (ID*,M 0,M 1,state) R A KeyDer (mpk) b R {0,1} ; C* R Enc(mpk,ID*,M b ) b R A Dec (C*,state) A wins iff b = b and never queried KeyDer(ID*) Adv ind-id-cpa (A) = 2 Pr [b =b] 1 IBE = Pr[b =1 b=1] Pr[b =1 b=0] 5

6 Security of IBE schemes Security notion: IND-ID-CCA mpk A ID d ID ID,C M KeyDer(msk, ) Dec(d ID, ) (mpk,msk) R Setup (ID*,M 0,M 1,state) R A KeyDer (mpk) b R {0,1} ; C* R Enc(mpk,ID*,M b ) b R A Dec (C*,state) A wins iff b = b and never queried KeyDer(ID*) or Dec(ID*,C*) ID*,M 0,M 1 C* Adv ind-id-cca (A) = 2 Pr [b =b] 1 IBE = Pr[b =1 b=1] Pr[b =1 b=0] b 6

7 Pairings (aka bilinear maps) Groups G = (g) and G T of prime order p with map e : G G G T that is efficiently computable non-degenerate: x,y G such that e(x,y) 1 bilinear: x,y,z G : e(xy,z) = e(x,z) e(y,z) e(x,yz) = e(x,y) e(x,z) 7

8 Pairings (aka bilinear maps) Bilinearity allows to move exponents around: a e(g a,g b ) = e(g,g b ) e(g,g b ) = e(g,g b ) a = e(g,g) ab = e(g ab,g) = e(g,g ab ) = e(g b,g a ) solve decisional Diffie-Hellman (DDH) in G: e(g a,g b ) = e(g,c) C = g ab 8

9 Pairing assumptions Computational Diffie-Hellman (CDH) in G: Given g a,g b, compute g ab Bilinear Diffie-Hellman (BDH): Given g a,g b,g c, compute e(g,g) abc Bilinear decisional Diffie-Hellman (BDDH): Given g a,g b,g c, decide Z = e(g,g) abc or random q-strong Diffie-Hellman: Given g x,g x2,,g xq, compute (c, g 1/(x+c) ) 9

10 The Boneh-Franklin IBE scheme Step 1. ElGamal encryption in G KeyGen: x R Z p X g x sk x ; pk X Enc(pk,M): r R Z p C ( g r, X r M ) Dec(sk,C): (C 1,C 2 ) C M C 2 / (C 1 ) x But DDH is easy in G insecure! Attack: given (C 1,C 2 ), test whether e(c 1,X) = e(g,c 2 /M b ) 10

11 The Boneh-Franklin IBE scheme Step 2. ElGamal encryption in G T KeyGen: x,y R Z p X g x ; Y g y sk x ; pk (X,Y) Enc(pk,M): r R Z p C ( g r, e(x,y) r M ) Dec(sk,C): (C 1,C 2 ) C M C 2 / e(c 1,Y) x IND-CPA secure under BDDH assumption 11

12 The Boneh-Franklin IBE scheme Step 3. sk g xy KeyGen: x R Z p X g x ; Y g y ; d g xy sk d ; pk (X,Y) Enc(pk,M): r R Z p C ( g r, e(x,y) r M ) Dec(sk,C): (C 1,C 2 ) C M C 2 / e(c 1,d) IND-CPA secure under BDDH assumption 12

13 The Boneh-Franklin IBE scheme Step 3. sk Y x KeyGen: x R Z p ; Y R G X g x ; d Y x sk d ; pk (X,Y) Enc(pk,M): r R Z p C ( g r, e(x,y) r M ) Dec(sk,C): (C 1,C 2 ) C M C 2 / e(c 1,d) IND-CPA secure under BDDH assumption 13

14 The Boneh-Franklin IBE scheme Step 4. Y H(ID), split key generation Setup: x R Z p X g x msk x ; mpk X Enc(pk,M): r R Z p C ( g r, e(x,h(id)) r M ) KeyDer(msk,ID): d ID H(ID) x Dec(sk,C): (C 1,C 2 ) C M C 2 / e(c 1,d ID ) IND-CPA secure under BDDH assumption in the ROM 14

15 Security of Boneh-Franklin IBE Theorem: If BDDH is (t,ε) hard, then BF-IBE is (t,q H,q K,ε ) IND-ID-CPA secure in the random oracle model for ε = (q H + q D + 1) ε t = t (q H + q D ) t exp mpk g a,g b,g c,z A x H(x) ID d ID M 0,M 1 C* H( ) KeyDer( ) B A x H(x) ID d ID M 0,M 1 C* b Z = e(g,g) abc? 15

16 Searchable encryption (SE) [BDOP04] PKI pk KeyGen sk W Enc C Test t W Trapd W W =W? Sender (pk) Mail server Receiver (sk) high bandwidth low bandwidth 16

17 Searchable encryption from IBE [BDOP04, ABC+05] Generic construction of SE from IBE: SE.KeyGen = IBE.Setup meaning (SE.pk, SE.sk) = (IBE.mpk, IBE.msk) SE.Trapd = IBE.KeyDer meaning SE.t W = IBE.sk ID=W SE.Enc(W) = IBE.Enc(ID=W, M) for some fixed M SE.Test(t W,C) = ( IBE.Dec(t W,C) = M ) Security relies on anonymity of IBE meaning ciphertext does not reveal ID? 17

18 Hierarchical IBE (HIBE) [GS02] Root (msk) msk KeyDer ID 1 sk (ID1) ID 1 Receiver 1 (sk ID1 ) KeyDer ID 2 sk (ID1,ID2) ID 2 Receiver 2 (sk (ID1,ID2) ) Dec C M Sender (mpk) mpk, (ID 1,ID 2 ), M Enc 18

19 Application to encrypted addresses as hierarchical identities = (com, ibm, zurich, nev) (com, ibm) can derive keys (com, ibm, zurich) can derive keys 19

20 Attribute-based encryption (ABE) [GPSW06, BSW07] Key-policy ABE: ciphertext set of attributes A = {a 1,,a λ } decryption key F: AND/OR combination of clauses (a i A) decrypt iff F(A) = 1 e.g. encrypted audit logs, targeted broadcast Ciphertext-policy ABE: decryption key set of attributes A = {a 1,,a λ } ciphertext AND/OR combination of attributes 20

21 Inner product encryption [KSW07] decryption key vector x = (x 1,,x λ ) ciphertext vector y = (y 1,,y λ ) decrypt iff x y = x 1 y x λ y λ = 0 Some special cases: IBE: x = (ID, 1) ; y = (-1, ID ) Polynomial evaluation: sk P decrypts C w iff P(w)=0 key for P = a d x d + +a 0 x = (a d,,a 1,a 0 ) encrypt to w y = (w d,,w, 1) Threshold, AND, OR, CNF and DNF formulas 21

22 IBE implies Digital Signatures Forward secure encryption Searchable encryption IND-CCA secure PKE Transformations in standard model 22

23 Standard Model Instantiations? Commutative Blinding Exponent Inversion 23

24 Commutative e(c,d ) /,d ) blinding IBE [BB04] 2,d 1 ) / e(c 1,d 2 ) = e(h(id) r,g r,g s s ))// e(g r, r, α H(ID) s s )) = e(h(id) r,g Setup: r,g s s ))// [[ e(g,α) r e(g r r,h(id) s KeyDer(msk,ID): s )] )] α = 1/ 1/ e(g,α) R G rr s R Z p msk α d ID (g s, α H(ID) s ) mpk e(g,α), pk H for hash H Enc(pk,ID,M): r R Z p C (g r,h(id) r,e(g,α) r M) Dec(d ID,C): (d 1,d 2 ) d ID (C 1,C 2,C 3 ) C M C 3 e(c 2,d 1 )/ e(c 1,d 2 ) Boneh-Boyen IBE : H(ID) = u 0 u 1 ID [ pk H = (u 0,u 1 ) ] Waters IBE: : H(ID) = u 0 u i ID i [ pk H = (u 0,u 1,,u n ) ] 24

25 Proof idea of Waters IBE [W05] H = programmable hash function treat H as information theoretic object to assist proof [HK08] Lemma: Given g,g x, Waters hash H(ID) = u 0 u IDi i can be setup such that 1. H(ID) = g x a(id) g b(id) 2. for all ID* ID (1),., ID (q) : Pr[ a(id*) = 0 and for all i: a(id (i) ) 0 ] = non-negl. How? Later. 25

26 Security of Waters IBE Theorem: If BDDH is (t,ε) hard, then Waters-IBE is (t,q K,ε ) IND-ID-CPA secure. mpk g x,g y,g r,z A ID d ID KeyDer( ) B A ID d ID ID*,M 0,M 1 ID*,M 0,M 1 C* C* b Z = e(g,g) xyr? 26

27 Proof idea Adversary B given g,g x,g y,g r, Z=e(g,g) xyr or random? Run A: Setup: 1. msk = α := g xy 2. mpk = e(g,α)=e(g x,g y ); Setup pk H such that H(ID) = g x a(id) g b(id) and for all ID* ID (1),., ID (q) : Pr[ a(id*) = 0 and for all i: a(id (i) ) 0 ] = non-negl. KeyDer(msk,ID): hope: a(id) 0 1. d 1 = α H(ID) s = g xy (g x a(id) g b(id) ) s = g xy+x a(id) s g b(id) s Define s:=-y/a(id)+s to cancel out xy! 2. d 2 = g s can also be computed from g y Enc(ID*,M 0,M 1 ): hope a(id*) = 0 1. C * 1 = g r 2. C * 2 = H(ID) r = (g b(id*) ) r = C * 1 b(id*) 3. C * 3 = e(g,α) r M b = Z M b 27

28 Conclusion If for one i: a(id (i) ) = 0 or a(id*) 0, then B aborts Previous lemma: happens only with non-negl. probability In all other cases: B can use A to break BDDH (Actual proof slightly more involved!) g x,g y,g r,z Leaves to prove lemma B A ID d ID ID*,M 0,M 1 C* Z = e(g,g) xyr? 28

29 Random walks Bernoulli random walk of length t: X i R {-1,1} X = X 1 + X t Lemma: for all a sqrt(t): Pr[X = a] 1/sqrt(t) We need: special random walk with X i R {-1,0,1} essentially same behavior 29

30 Proof of Lemma Lemma: Given g,g x, Waters hash can be setup such that H(ID) = u 0 u i IDi = g x a(id) g b(id) and for all ID*, ID (1),., ID (q) : Pr[ a(id*) = 0 and for all i: a(id (i) ) 0 ] = non-negl. Define u i := (g x ) ai g bi where a i {-t,,t} obtained by a {-1,0,1} random walk of length t b i R Z p (random masks ) Then: H(ID) = u 0 u IDi i = g x a(id) g b(id), a(id) = a 0 + a 1 ID a n ID n є {-(n+1)t,,(n+1)t} is random walk of length (hw(id)+1)t for all ID: 1/sqrt(nt) Pr[a(ID) = 0] 1/sqrt(t) for all ID ID : Pr[a(ID) = 0 a(id ) = 0] 1/sqrt(t) union bound, t := O(q 2 ) Pr[ a(id*)=0 and for all i: a(id (i) ) 0] 1/q sqrt(n) 30

31 Standard model IBE schemes 1. Commutative blinding IBE IND-sID-CPA secure [BB04] IND-ID-CPA secure [Waters05] 2. Exponent-inversion IBE IND-sID-CPA secure [BB04] IND-ID-CPA secure [Gentry06,K07] Open problems Standard model IBE not based on pairings Bottleneck: such an IBE scheme implies digital signature 31