Identity-Based Encryption Secure Against Chosen-Ciphertext Selective Opening Attack

Transcription

1 Identity-Based Encryption Secure Against Chosen-Ciphertext Selective Opening Attack Junzuo Lai, Robert H. Deng, Shengli Liu, Jian Weng, and Yunlei Zhao Shanghai Jiao Tong University, Shanghai , China Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 1 / 34

2 SOA Security IBE and Selective Opening Attack. SIM-SO-CCA Security. IBE with SIM-SO-CCA Security. Extractable 1SPO-IBE; Cross-Authentication Codes. Conclusion Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 2 / 34

3 Identity-Based Encryption An IBE scheme consists of the following four algorithms: Setup(1 κ ) ( PK, MSK ). PK: public parameter; MSK: master secret key. KeyGen(PK, MSK, ID) SK ID. SK ID is the private key for identity ID. Enc(PK, ID, M) CT. CT: ciphertext. Dec(PK, SK ID, CT) M/. An IBE scheme has completeness error ɛ if the correct decryption holds with probability at least 1 ɛ, where the probability is taken over the coins used in encryption. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 3 / 34

4 Identity-Based Encryption An IBE scheme consists of the following four algorithms: Setup(1 κ ) ( PK, MSK ). PK: public parameter; MSK: master secret key. KeyGen(PK, MSK, ID) SK ID. SK ID is the private key for identity ID. Enc(PK, ID, M) CT. CT: ciphertext. Dec(PK, SK ID, CT) M/. An IBE scheme has completeness error ɛ if the correct decryption holds with probability at least 1 ɛ, where the probability is taken over the coins used in encryption. unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 3 / 34

5 Identity-Based Encryption An IBE scheme consists of the following four algorithms: Setup(1 κ ) ( PK, MSK ). PK: public parameter; MSK: master secret key. KeyGen(PK, MSK, ID) SK ID. SK ID is the private key for identity ID. Enc(PK, ID, M) CT. CT: ciphertext. Dec(PK, SK ID, CT) M/. An IBE scheme has completeness error ɛ if the correct decryption holds with probability at least 1 ɛ, where the probability is taken over the coins used in encryption. unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 3 / 34

6 Identity-Based Encryption An IBE scheme consists of the following four algorithms: Setup(1 κ ) ( PK, MSK ). PK: public parameter; MSK: master secret key. KeyGen(PK, MSK, ID) SK ID. SK ID is the private key for identity ID. Enc(PK, ID, M) CT. CT: ciphertext. Dec(PK, SK ID, CT) M/. An IBE scheme has completeness error ɛ if the correct decryption holds with probability at least 1 ɛ, where the probability is taken over the coins used in encryption. unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 3 / 34

7 Selective Opening Attack Selective Opening Attack: a vector of ciphertexts, adaptive corruptions exposing not only some message but also the random coins. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 4 / 34

8 Selective Opening Attack Selective Opening Attack: a vector of ciphertexts, adaptive corruptions exposing not only some message but also the random coins. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 4 / 34

9 SIM-SO-CPA(CCA2) Security: SIM-SOA security requires that anything that can be computed by a PPT adversary from all the ciphertexts and the opened messages together with the corresponding randomness can also be computed by a PPT simulator with only the opened messages. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 5 / 34

10 Related works Bellare, Hofheinz and Yilek formalize the security model of SOA, including IND-SOA, SIM-SOA. SIM-SOA security is stronger than IND-SOA security. Fehr, Hofheinz, Kiltz, and Wee [FHKW2010] proposed the first construction of PKE with SIM-SO-CCA2 Security. Bellare, Waters, and S. Yilek[BWY2011] proposed the first construction of IBE with SIM-SO-CCA2 Security. How to construct IBE with SIM-SO-CCA2 Security remains open. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 6 / 34

11 Related works Bellare, Hofheinz and Yilek formalize the security model of SOA, including IND-SOA, SIM-SOA. SIM-SOA security is stronger than IND-SOA security. Fehr, Hofheinz, Kiltz, and Wee [FHKW2010] proposed the first construction of PKE with SIM-SO-CCA2 Security. Bellare, Waters, and S. Yilek[BWY2011] proposed the first construction of IBE with SIM-SO-CCA2 Security. How to construct IBE with SIM-SO-CCA2 Security remains open. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 6 / 34

12 Related works Bellare, Hofheinz and Yilek formalize the security model of SOA, including IND-SOA, SIM-SOA. SIM-SOA security is stronger than IND-SOA security. Fehr, Hofheinz, Kiltz, and Wee [FHKW2010] proposed the first construction of PKE with SIM-SO-CCA2 Security. Bellare, Waters, and S. Yilek[BWY2011] proposed the first construction of IBE with SIM-SO-CCA2 Security. How to construct IBE with SIM-SO-CCA2 Security remains open. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 6 / 34

13 Related works Bellare, Hofheinz and Yilek formalize the security model of SOA, including IND-SOA, SIM-SOA. SIM-SOA security is stronger than IND-SOA security. Fehr, Hofheinz, Kiltz, and Wee [FHKW2010] proposed the first construction of PKE with SIM-SO-CCA2 Security. Bellare, Waters, and S. Yilek[BWY2011] proposed the first construction of IBE with SIM-SO-CCA2 Security. How to construct IBE with SIM-SO-CCA2 Security remains open. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 6 / 34

14 Related works Bellare, Hofheinz and Yilek formalize the security model of SOA, including IND-SOA, SIM-SOA. SIM-SOA security is stronger than IND-SOA security. Fehr, Hofheinz, Kiltz, and Wee [FHKW2010] proposed the first construction of PKE with SIM-SO-CCA2 Security. Bellare, Waters, and S. Yilek[BWY2011] proposed the first construction of IBE with SIM-SO-CCA2 Security. How to construct IBE with SIM-SO-CCA2 Security remains open. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 6 / 34

15 SIM-SO-CCA2 Security: Exp cca so real A,M,R (1 κ ) Challenger A = (A 1, A 2, A 3 ) (PK, MSK) Setup(1 κ ) M = (M (1),..., M (n) ) M(α) R = (R (1),..., R (n) ) R PK (α, ID) (α, ID) A KeyGen( ),Dec( ) 1 (PK) CT = Enc(PK, ID, M; R) CT I (M (i),r (i) ) i I R( ID, M, I, out A ) I A KeyGen( ),Dec( ) 2 ( CT) out A A KeyGen( ),Dec( ) 3 (( M (i), R (i) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 7 / 34

16 SIM-SO-CCA2 Security: Exp cca so real A,M,R (1 κ ) Challenger A = (A 1, A 2, A 3 ) (PK, MSK) Setup(1 κ ) M = (M (1),..., M (n) ) M(α) R = (R (1),..., R (n) ) R PK (α, ID) (α, ID) A KeyGen( ),Dec( ) 1 (PK) CT = Enc(PK, ID, M; R) CT I (M (i),r (i) ) i I R( ID, M, I, out A ) I A KeyGen( ),Dec( ) 2 ( CT) out A A KeyGen( ),Dec( ) 3 (( M (i), R (i) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 7 / 34

17 SIM-SO-CCA2 Security: Exp cca so real A,M,R (1 κ ) Challenger A = (A 1, A 2, A 3 ) (PK, MSK) Setup(1 κ ) M = (M (1),..., M (n) ) M(α) R = (R (1),..., R (n) ) R PK (α, ID) (α, ID) A KeyGen( ),Dec( ) 1 (PK) CT = Enc(PK, ID, M; R) CT I (M (i),r (i) ) i I R( ID, M, I, out A ) I A KeyGen( ),Dec( ) 2 ( CT) out A A KeyGen( ),Dec( ) 3 (( M (i), R (i) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 7 / 34

18 SIM-SO-CCA2 Security: Exp cca so ideal A,M,R (1 κ ) Challenger S = (S 1, S 2, S 3 ) (α, ID) (α, ID) S 1 (1 κ ) M = (M (1),..., M (n) ) M(α) I [n] I S 2 (1 M(i) ) (M (i) ) i I (( Out S S ) ) 3 M (i) i I R( ID, M, I, out S ) SIM-SO-CCA2 Security: PPT A, PPT R, PPT M, S such that [ Pr R( ] [ ID, M, I, out A ) = 1 Pr R( ID, M, I, out S ) = 1] is negligible. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 8 / 34

19 SIM-SO-CCA2 Security: Exp cca so ideal A,M,R (1 κ ) Challenger S = (S 1, S 2, S 3 ) (α, ID) (α, ID) S 1 (1 κ ) M = (M (1),..., M (n) ) M(α) I [n] I S 2 (1 M(i) ) (M (i) ) i I (( Out S S ) ) 3 M (i) i I R( ID, M, I, out S ) SIM-SO-CCA2 Security: PPT A, PPT R, PPT M, S such that [ Pr R( ] [ ID, M, I, out A ) = 1 Pr R( ID, M, I, out S ) = 1] is negligible. unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 8 / 34

20 How to get SIM-SO-CCA2 Security: the idea Challenger S = (S 1, S 2, S 3 ) (α, ID) (α, ID) S 1 (1 κ ) M = (M (1),..., M (n) ) I I S 2 (1 M(i) ) (M (i) ) i I Out S S 3 (( M (i) ) i I ) Aim: ( ID, M, I, out A ) c ( ID, M, I, out S ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 9 / 34

21 How to get SIM-SO-CCA2 Security: the idea Challenger S = (S 1, S 2, S 3 ) (α, ID) (α, ID) S 1 (1 κ ) M M(α) M = (M (1),..., M (n) ) { (PK, MSK) Setup(1 κ ) (α, ID) A KeyGen,Dec( ) 1 (PK) } I I S 2 (1 M(i) ) Aim: (M (i) ) i I (( Out S S ) 3 M (i) i I ( ) ( ) ID, M, I, out A c ID, M, I, out S ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 10 / 34

22 How to get SIM-SO-CCA2 Security: the idea Challenger S = (S 1, S 2, S 3 ) (α, ID) (α, ID) S 1 (1 κ ) M M(α) M = (M (1),..., M (n) ) Aim: { (PK, MSK) Setup(1 κ ) (α, ID) A KeyGen( ),Dec( ) 1 (PK) } I I S 2 (1 M(i) ) (M (i) ) i I {I A KeyGen( ),Dec( ) 2 ( CT) } (( Out S S ) ) 3 M (i) i I ( ID, M, I, out A ) c ( ID, M, I, out S ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 11 / 34

23 How to get SIM-SO-CCA2 Security: the idea Challenger S = (S 1, S 2, S 3 ) (α, ID) (α, ID) S 1 (1 κ ) M M(α) M = (M (1),..., M (n) ) Aim: { (PK, MSK) Setup(1 κ ) (α, ID) A KeyGen( ),Dec( ) 1 (PK) } I I S 2 (1 M(i) ) (M (i) ) i I {I A KeyGen( ),Dec( ) 2 ( CT) } (( Out S S ) ) 3 M (i) i I {Out A A KeyGen( ),Dec( ) 3 ( ) ( ) ID, M, I, out A c ID, M, I, out S (( M (i), R (i)) i I ) } Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 12 / 34

24 SIM-SO-CPA Security for single bit messages IBE1 encrypts single bits. IBE1 is IND-ID-CPA secure. IBE1 is One-Sided Publicly Openable(1SPO). IBE1 is SIM-SO-CPA Secure. Definition 1 (1SPO-IBE1) Let C = Enc1(PK, ID, 0; R). Let Coins(PK, ID, C, 0) := {R C = IBE1.Enc(PK, ID, 0; R )}. An IBE1 scheme is One-Sided Publicly Openable if R POpen(PK, ID, C) outputs a random R in Coins(PK, ID, C, 0). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 13 / 34

25 SIM-SO-CPA Security for single bit messages IBE1 encrypts single bits. IBE1 is IND-ID-CPA secure. IBE1 is One-Sided Publicly Openable(1SPO). IBE1 is SIM-SO-CPA Secure. Definition 1 (1SPO-IBE1) Let C = Enc1(PK, ID, 0; R). Let Coins(PK, ID, C, 0) := {R C = IBE1.Enc(PK, ID, 0; R )}. An IBE1 scheme is One-Sided Publicly Openable if R POpen(PK, ID, C) outputs a random R in Coins(PK, ID, C, 0). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 13 / 34

26 SIM-SO-CPA Security for single bit messages C[0] = C[1] = C[0] C[0] C[1] C[0] opened with the original randomness opened with POpen opened with the original randomness opened with POpen Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 14 / 34

27 SIM-SO-CPA Security for multi-bit messages [BWY2011] M. Bellare, B. Waters, and S. Yilek. Identity-based encryption secure against selective opening attack. In TCC2011. IBE=(Setup, KeyGen, Enc, Dec) encrypting multi-bits. IBE.Setup=IBE1.Setup; IBE.KeyGen=IBE1.KeyGen; IBE.Enc: C 1 C 2... C l... IBE1.Enc IBE1.Enc... IBE1.Enc... m 1 (0/1) m 2 (0/1)... m l (0/1) CT = (C 1, C 2,..., C l ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 15 / 34

28 SIM-SO-CPA Security for multi-bit messages M. Bellare, B. Waters, and S. Yilek. Identity-based encryption secure against selective opening attack. In TCC, pages 235õ252, C 1 C 2... C l IBE.Dec:... IBE1.Dec IBE1.Dec... IBE1.Dec... m 1 m 2... m l SIM-SO-CPA Security for multi-bit messages follows from the SIM-SO- CPA Security of single-bit by hybrid argument. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 16 / 34

29 SIM-SO-CPA Security for multi-bit messages M. Bellare, B. Waters, and S. Yilek. Identity-based encryption secure against selective opening attack. In TCC, pages 235õ252, C 1 C 2... C l IBE.Dec:... IBE1.Dec IBE1.Dec... IBE1.Dec... m 1 m 2... m l SIM-SO-CPA Security for multi-bit messages follows from the SIM-SO- CPA Security of single-bit by hybrid argument. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 16 / 34

30 SIM-SO-CCA2 Security for multi-bit messages 2-level IND-ID-CPA CHK Transform ============== IND-ID-CCA2. CHK Transform SIM-SO-CPA =========== SIM-SO-CCA2 The signing key of OTS might be disclosed in the opening! Bit-wise Encryption from 1-bit IND-ID-CCA secure 1SPO-IBE? C 1 C 2... C l... IBE.Enc: IBE1.Enc IBE1.Enc... IBE1.Enc... m 1 (0/1) m 2 (0/1)... m l (0/1) IBE is NOT CCA2 secure even if IBE1 is! Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 17 / 34

31 SIM-SO-CCA2 Security for multi-bit messages 2-level IND-ID-CPA CHK Transform ============== IND-ID-CCA2. CHK Transform SIM-SO-CPA =========== SIM-SO-CCA2 The signing key of OTS might be disclosed in the opening! Bit-wise Encryption from 1-bit IND-ID-CCA secure 1SPO-IBE? C 1 C 2... C l... IBE.Enc: IBE1.Enc IBE1.Enc... IBE1.Enc... m 1 (0/1) m 2 (0/1)... m l (0/1) IBE is NOT CCA2 secure even if IBE1 is! unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 17 / 34

32 SIM-SO-CCA2 Security for multi-bit messages 2-level IND-ID-CPA CHK Transform ============== IND-ID-CCA2. CHK Transform SIM-SO-CPA =========== SIM-SO-CCA2 The signing key of OTS might be disclosed in the opening! Bit-wise Encryption from 1-bit IND-ID-CCA secure 1SPO-IBE? C 1 C 2... C l... IBE.Enc: IBE1.Enc IBE1.Enc... IBE1.Enc... m 1 (0/1) m 2 (0/1)... m l (0/1) IBE is NOT CCA2 secure even if IBE1 is! unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 17 / 34

33 SIM-SO-CCA2 Security for multi-bit messages 2-level IND-ID-CPA CHK Transform ============== IND-ID-CCA2. CHK Transform SIM-SO-CPA =========== SIM-SO-CCA2 The signing key of OTS might be disclosed in the opening! Bit-wise Encryption from 1-bit IND-ID-CCA secure 1SPO-IBE? C 1 C 2... C l... IBE.Enc: IBE1.Enc IBE1.Enc... IBE1.Enc... m 1 (0/1) m 2 (0/1)... m l (0/1) IBE is NOT CCA2 secure even if IBE1 is! unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 17 / 34

34 SIM-SO-CCA2: Our approach IBE.Enc: CT = (C 1, C 2,..., C l, T), T = XAuth(K 1,..., K l ). C 1, K 1 C 2, K 2... C l, K l... IBE ex.enc IBE ex.enc... IBE ex.enc... m 1 (0/1) m 2 (0/1)... m l (0/1) New Primitives: IBE ex and X-Authentication Code. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 18 / 34

35 SIM-SO-CCA2: Our approach IBE.Enc: CT = (C 1, C 2,..., C l, T), T = XAuth(K 1,..., K l ). C 1, K 1 C 2, K 2... C l, K l... IBE ex.enc IBE ex.enc... IBE ex.enc... m 1 (0/1) m 2 (0/1)... m l (0/1) New Primitives: IBE ex and X-Authentication Code. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 18 / 34

36 Extractable 1SPO-IBE Extractable 1SPO-IBE: IBE ex =(Setup ex,keygen ex, Enc ex, Dec ex ) IBE ex encrypts a single bit. IBE ex is One-Sided Publicly Openable. IBE ex also encapsulates a key, when encrypting 1. IBE ex is IND-ID-CCA2 secure, i.e, for random K, Enc ex (PK ex, ID, 1; R) c ( Enc ex (PK ex, ID, 0; R ), K ) (C, K) c (C, K ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 19 / 34

37 Extractable 1SPO-IBE Extractable 1SPO-IBE: IBE ex =(Setup ex,keygen ex, Enc ex, Dec ex ) IBE ex encrypts a single bit. IBE ex is One-Sided Publicly Openable. IBE ex also encapsulates a key, when encrypting 1. IBE ex is IND-ID-CCA2 secure, i.e, for random K, Enc ex (PK ex, ID, 1; R) c ( Enc ex (PK ex, ID, 0; R ), K ) (C, K) c (C, K ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 19 / 34

38 Extractable 1SPO-IBE Extractable 1SPO-IBE: IBE ex =(Setup ex,keygen ex, Enc ex, Dec ex ) IBE ex encrypts a single bit. IBE ex is One-Sided Publicly Openable. IBE ex also encapsulates a key, when encrypting 1. IBE ex is IND-ID-CCA2 secure, i.e, for random K, Enc ex (PK ex, ID, 1; R) c ( Enc ex (PK ex, ID, 0; R ), K ) (C, K) c (C, K ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 19 / 34

39 Extractable 1SPO-IBE Extractable 1SPO-IBE: IBE ex =(Setup ex,keygen ex, Enc ex, Dec ex ) IBE ex encrypts a single bit. IBE ex is One-Sided Publicly Openable. IBE ex also encapsulates a key, when encrypting 1. IBE ex is IND-ID-CCA2 secure, i.e, for random K, Enc ex (PK ex, ID, 1; R) c ( Enc ex (PK ex, ID, 0; R ), K ) (C, K) c (C, K ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 19 / 34

40 l-cross-authentication code [FHKW2010] S. Fehr, D. Hofheinz, E. Kiltz, and H. Wee. Encryption schemes secure against chosen-ciphertext selective opening attacks. In EUROCRYPT2010. l-cross-authentication code: l-xac=(xauth, XVer) T XAuth(K 1,..., K l ); 1/0 XVer(K, T); Correctness. fail XAC (κ) := Pr[XVer(K i, XAuth(K 1,..., K l )) 1], is negligible, where K 1,..., K l K in the probability. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 20 / 34

41 l-cross-authentication code [FHKW2010] S. Fehr, D. Hofheinz, E. Kiltz, and H. Wee. Encryption schemes secure against chosen-ciphertext selective opening attacks. In EUROCRYPT2010. l-cross-authentication code: l-xac=(xauth, XVer) T XAuth(K 1,..., K l ); 1/0 XVer(K, T); Correctness. fail XAC (κ) := Pr[XVer(K i, XAuth(K 1,..., K l )) 1], is negligible, where K 1,..., K l K in the probability. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 20 / 34

42 l-cross-authentication code [FHKW2010] S. Fehr, D. Hofheinz, E. Kiltz, and H. Wee. Encryption schemes secure against chosen-ciphertext selective opening attacks. In EUROCRYPT2010. l-cross-authentication code: l-xac=(xauth, XVer) T XAuth(K 1,..., K l ); 1/0 XVer(K, T); Correctness. fail XAC (κ) := Pr[XVer(K i, XAuth(K 1,..., K l )) 1], is negligible, where K 1,..., K l K in the probability. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 20 / 34

43 Security of l-cross-authentication code Security against impersonation and substitution attacks. Adv imp (κ) := max Pr[XVer(K, T ) = 1 K K] XAC T where the max is over all T XT, and Adv sub XAC (κ) := max Pr T K i K, T i,k i,f XVer(K i, T T := XAuth(K 1,..., K l ), ) = 1 T F(T) where the max is over all i [l], all K i = (K j ) j i K l 1 and all (possibly randomized) functions F : T T. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 21 / 34

44 Security of l-cross-authentication code Security against impersonation and substitution attacks. Adv imp (κ) := max Pr[XVer(K, T ) = 1 K K] XAC T where the max is over all T XT, and Adv sub XAC (κ) := max Pr T K i K, T i,k i,f XVer(K i, T T := XAuth(K 1,..., K l ), ) = 1 T F(T) where the max is over all i [l], all K i = (K j ) j i K l 1 and all (possibly randomized) functions F : T T. unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 21 / 34

45 Properties of l-xac Definition 2 (Strong and semi-unique l-xac.) Strongness: K 1,..., K l K. T XAuth(K 1,..., K l ). Given i, (K j ) j i and T, ˆK i ReSamp(K i, T) such that, conditioned on (K j ) j i and T, ˆK i s Ki. Semi-Uniqueness: The key space K = K a K b. Given tag T and K a K a, there exists at most one K b K b such that XVer((K a, K b ), T) = 1. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 22 / 34

46 Construction from Extractable 1SPO-IBE and XAC Construct IBE=(Setup, KeyGen, Enc, Dec) from (l + 1)-XAC=(XAuth, XVer) IBE ex =(Setup ex,keygen ex, Enc ex, Dec ex ) Setup(1 κ ) : (PK ex, MSK ex ) Setup ex (1 κ ). l { }} { K a K a and H : ID C C K b. PK = (PK ex, H, K a ), MSK = MSK ex. KeyGen(PK, MSK, ID) : SK ID KeyGen ex (PK ex, MSK ex, ID). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 23 / 34

47 Construction from Extractable 1SPO-IBE and XAC Construct IBE=(Setup, KeyGen, Enc, Dec) from (l + 1)-XAC=(XAuth, XVer) IBE ex =(Setup ex,keygen ex, Enc ex, Dec ex ) Setup(1 κ ) : (PK ex, MSK ex ) Setup ex (1 κ ). l { }} { K a K a and H : ID C C K b. PK = (PK ex, H, K a ), MSK = MSK ex. KeyGen(PK, MSK, ID) : SK ID KeyGen ex (PK ex, MSK ex, ID). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 23 / 34

48 Construction from Extractable 1SPO-IBE and XAC Construct IBE=(Setup, KeyGen, Enc, Dec) from (l + 1)-XAC=(XAuth, XVer) IBE ex =(Setup ex,keygen ex, Enc ex, Dec ex ) Setup(1 κ ) : (PK ex, MSK ex ) Setup ex (1 κ ). l { }} { K a K a and H : ID C C K b. PK = (PK ex, H, K a ), MSK = MSK ex. KeyGen(PK, MSK, ID) : SK ID KeyGen ex (PK ex, MSK ex, ID). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 23 / 34

49 Construction Enc(PK, ID, M) : To encrypt a message M = m 1 m l {0, 1} l (C i, K i ) Enc ex (PK ex, ID, 1) if m i = 1, C i Enc ex (PK ex, ID, 0), K i K if m i = 0 K l+1 = (K a, K b ), where K b = H(ID, C 1,..., C l ), T = XAuth(K 1,..., K l+1 ). CT = (C 1,..., C l, T). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 24 / 34

50 Construction Enc(PK, ID, M) : To encrypt a message M = m 1 m l {0, 1} l (C i, K i ) Enc ex (PK ex, ID, 1) if m i = 1, C i Enc ex (PK ex, ID, 0), K i K if m i = 0 K l+1 = (K a, K b ), where K b = H(ID, C 1,..., C l ), T = XAuth(K 1,..., K l+1 ). CT = (C 1,..., C l, T). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 24 / 34

51 Construction Enc(PK, ID, M) : To encrypt a message M = m 1 m l {0, 1} l (C i, K i ) Enc ex (PK ex, ID, 1) if m i = 1, C i Enc ex (PK ex, ID, 0), K i K if m i = 0 K l+1 = (K a, K b ), where K b = H(ID, C 1,..., C l ), T = XAuth(K 1,..., K l+1 ). CT = (C 1,..., C l, T). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 24 / 34

52 Construction Enc(PK, ID, M) : To encrypt a message M = m 1 m l {0, 1} l (C i, K i ) Enc ex (PK ex, ID, 1) if m i = 1, C i Enc ex (PK ex, ID, 0), K i K if m i = 0 K l+1 = (K a, K b ), where K b = H(ID, C 1,..., C l ), T = XAuth(K 1,..., K l+1 ). CT = (C 1,..., C l, T). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 24 / 34

53 Construction Dec(PK, SK ID, CT) : To decrypt CT = (C 1,..., C l, T), K b = H(ID, C 1,..., C l ); Set K l+1 = (K a, K b ) l XVer(K l+1, T) = 1? If not, output {}}{ M = 0 0. Otherwise, for i [l], and sets (m i, K i ) Dec ex(pk ex, SK ID, C i ) m i = XVer(K i, T) Outputs the message M = m 1 m l. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 25 / 34

54 Construction Dec(PK, SK ID, CT) : To decrypt CT = (C 1,..., C l, T), K b = H(ID, C 1,..., C l ); Set K l+1 = (K a, K b ) l XVer(K l+1, T) = 1? If not, output {}}{ M = 0 0. Otherwise, for i [l], and sets (m i, K i ) Dec ex(pk ex, SK ID, C i ) m i = XVer(K i, T) Outputs the message M = m 1 m l. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 25 / 34

55 Construction Dec(PK, SK ID, CT) : To decrypt CT = (C 1,..., C l, T), K b = H(ID, C 1,..., C l ); Set K l+1 = (K a, K b ) l XVer(K l+1, T) = 1? If not, output {}}{ M = 0 0. Otherwise, for i [l], and sets (m i, K i ) Dec ex(pk ex, SK ID, C i ) m i = XVer(K i, T) Outputs the message M = m 1 m l. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 25 / 34

56 Construction Dec(PK, SK ID, CT) : To decrypt CT = (C 1,..., C l, T), K b = H(ID, C 1,..., C l ); Set K l+1 = (K a, K b ) l XVer(K l+1, T) = 1? If not, output {}}{ M = 0 0. Otherwise, for i [l], and sets (m i, K i ) Dec ex(pk ex, SK ID, C i ) m i = XVer(K i, T) Outputs the message M = m 1 m l. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 25 / 34

57 Simulator Challenger S = (S 1, S 2, S 3 ) M M(α) = (M (1),..., M (n) ) (α, ID) (α, ID) S 1 (1 κ ) { (PK, MSK) Setup(1 κ ) (α, ID) A KeyGen,Dec( ) 1 (PK) } l I {}}{ I S 2 (1 M(i) ) { CT (i) = Enc(PK, ID (i), 1 1), I A KeyGen,Dec( ) 2 ( CT) } (M (i) ) i I (( Out S S ) ) 3 M (i) { If m (i) i I j = 0, ReSamp(K (i) j, T) ˆK (i) j R (i) j ( POpen(PK, ID, C (i) j ), ˆK (i) ) j Out A A KeyGen,Dec( ) (( 3 M (i), R (i)) ) } i I Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 26 / 34

58 Security Proof: Hybrid Argument Suppose that the first challenger ciphertext is CT = (C 1, C 2, C 3, T). Game 0: C 1 [m 1 ] C 2 [m 2 ] C 3 [m 3 ] T = XAuth(K 1, K 2, K 3, K 4 ) Game 1: C 1 [1] C 2 [m 2 ] C 3 [m 3 ] T = XAuth(K 1, K 2, K 3, K 4 ) Game 2: C 1 [1] C 2 [1] C 3 [m 3 ] T = XAuth(K 1, K 2, K 3, K 4 ) Game 3: C 1 [1] C 2 [1] C 3 [1] T = XAuth(K 1, K 2, K 3, K 4 ) The green parts will be opened with POpen and ReSample. We will prove that Game 0 c Game 1 c Game 2 c Game 3. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 27 / 34

59 Security Proof: Hybrid Argument ( Game 1 c Game 2) if m 2 = 1, Game 1 = Game 2; if m 2 = 0, reduction to the IND-ID-CCA2 security of IBE ex. The IND-ID-CCA2 adversary B KeyGen ex,dec ex (ID, C, K ) for IBE ex prepares the challenge ciphertext Game 1: C 1 [1] C 2 [0] C 3 [m 3 ] T = XAuth(K 1, K 2, K 3, K 4 ) Game: C 1 [1] C C 3 [m 3 ] T = XAuth(K 1, K, K 3, K 4 ) Game 2: C 1 [1] C 2 [1] C 3 [m 3 ] T = XAuth(K 1, K 2, K 3, K 4 ) It opens C with ˆK ReSamp(K 1, K 3, K 4, T), R 2 ( POpen(PK, ID, C ), ˆK ) Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 28 / 34

60 Security Proof: Hybrid Argument B KeyGen ex,dec ex (ID, C, K ) answers A s queries his own oracles KeyGen ex ( ), Dec ex ( ) except A s Dec query for CT = ( C 1,..., C l, T ) under ID and C j = C. In this case B KeyGen ex,dec ex (ID, C, K ) answers with m j = XVer(K, T). If (C, K ) is an encryption of 1, then m j = XVer(K, T) matches the decryption algorithm. If C is an encryption of 0, then K is random, and XVer(K, T) = 0 except with probability Adv sub XAC (κ). Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 29 / 34

61 Security Proof: Hybrid Argument B KeyGen ex,dec ex (ID, C, K ) answers A s queries his own oracles KeyGen ex ( ), Dec ex ( ) except A s Dec query for CT = ( C 1,..., C l, T ) under ID and C j = C. In this case B KeyGen ex,dec ex (ID, C, K ) answers with m j = XVer(K, T). If (C, K ) is an encryption of 1, then m j = XVer(K, T) matches the decryption algorithm. If C is an encryption of 0, then K is random, and XVer(K, T) = 0 except with probability Adv sub XAC (κ). unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 29 / 34

62 Security Proof: Hybrid Argument B KeyGen ex,dec ex (ID, C, K ) answers A s queries his own oracles KeyGen ex ( ), Dec ex ( ) except A s Dec query for CT = ( C 1,..., C l, T ) under ID and C j = C. In this case B KeyGen ex,dec ex (ID, C, K ) answers with m j = XVer(K, T). If (C, K ) is an encryption of 1, then m j = XVer(K, T) matches the decryption algorithm. If C is an encryption of 0, then K is random, and XVer(K, T) = 0 except with probability Adv sub XAC (κ). unzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 29 / 34

63 Security Proof: Hybrid Argument Since CT CT (i) for i [n], then we have T T (i), due to the collision resistance of H and semi-unique property of XAC. The Resamplable property of XAC ensures that K is not disclosed during the corruption. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 30 / 34

64 Construction of extractable 1SPO-IBEs We construct two one-bit 1SPO-IBEs, one based on the anonymous extension of Lewko-Waters IBE scheme by De Caro, Iovino and Persiano and the other based on the Boyen-Waters anonymous IBE. Both schemes rely on a pairing e : G G G T. The 1SPO property of the two one-bit IBE schemes is guaranteed by the fact that G is an efficiently samplable and explainable domain, which is characterized by two PPT algorithms Sample and Sample 1 for group G. The IND-ID-CCA2 security of extractable 1SPO-IBEs makes use of 2-hierarchical IBE technique. The construction of XAC follows that in [FKHW10]. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 31 / 34

65 Conclusion We introduced a new primitive extractable IBE, defined its IND- ID-CCA security, and proposed two instantications; Combined with strengthened Cross Authentication Code, we construct the first IBE with SIM-SO-CCA2 security. Junzuo Lai, Robert H. Deng, Shengli Liu, JianIdentity-Based Weng, and Yunlei Encryption Zhao (SJTU-CIS) Secure Against Chosen-Ciphertext Selective Opening Attack 32 / 34