Fuzzy Identity-Based Encryption

Transcription

1 Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013

2 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

3 Motivation Classic public-key cryptography Public-key cryptography Some User A wants to communicate with B Requests public key for B to encrypt message Encrypted message User A Public key for B User B Request public key

4 Motivation Identity-Based Encryption Identity-Based Encryption (IBE) Messages encrypted for an Identity User only needs to know identity of recipient e.g. Encrypted message with identity of B User A User B

5 Motivation Fuzzy IBE Fuzzy Identity-Based Encryption View identity as a set of attributes Assign attributes to every user Encrypt message with attribute set One user can decrypt message attribute overlap between identity and message d Allows error tolerance

6 Motivation Application example Application example: Biometric eye scan Interpret features of the iris as attributes Identity of a user = iris of his eye User can authorize in system with his iris Advantages: Easy authorization process User always has public key available Error tolerance allows noise during eye scan

7 Fuzzy IBE Fuzzy Identity-Based Encryption

8 Fuzzy IBE Definition Definition Let U be a universe of attributes Identity ω U. Identity overlap d Decryption for identity ω possible iff ω ω d

9 Fuzzy IBE Definition The algorithms A fuzzy identity-based encryption scheme Π consists of four ppts: Π = (Setup, Key-Gen, Enc, Dec). Setup(U, d): Initializes a cryptographic system with attribute universe U and a threshold d publish public parameters Key-Gen(ω): Generate a private key k ω for identity ω U. Obviously, it should hold that ω d. Enc(m, ω ): Encrypt a message m with the identity ω using the public parameters.

10 Fuzzy IBE Definition The algorithms Dec(c, k ω ): Decrypt the ciphertext c with the private key k ω that has been generated for the identity ω. Correctness ω denotes the identity that has been used to encrypt c If ω ω d then Dec(Enc(m, ω ), k ω ) = m for all m

11 Fuzzy IBE Security Security (informal) Fuzzy IBE must be secure against Collusion Attacks Group of users with identities ω1,..., ω n Every user has private key k ωi Ciphertext c that has been encrypted with identity ω No user is able to decrypt c, i.e. ω i ω < d for all i = 1,... n Not possible to encrypt c by combining the keys k ω1,..., k ωn

12 Fuzzy IBE Security Fuzzy Selective-ID game Sel-ID col A,Π(λ) A a ppt, Π a fuzzy IBE encryption scheme. 1. A chooses an identity α. 2. Challenger initializes cryptographic system; gives public parameters to A. 3. A can query private keys for identities ω i with ω i α < d. 4. A outputs m 0, m 1. Challenger encrypts m b, b {0, 1} and gives ciphertext c to A. 5. The same as step A outputs guess b. A wins the game iff b = b.

13 Fuzzy IBE Security Security (formal) A Fuzzy IBE scheme Π is secure against collusion attacks if for every ppt adversary A there exists a negligible function µ such that Pr[Sel-ID col A,Π (λ) = 1] µ(λ). Adversary gets public parameters Security against collusion attacks implies cpa security

14

15 Idea Idea Encrypt plaintext with a secret and attributes In decryption, reconstruct the secret using a d-element subset of the attributes Use Shamir s secret sharing scheme

16 Idea Polynomials A polynomial q(x) of degree d 1 can be constructed with d points. y q(x) x Example shows polynomial of degree 3 and 6 points Every subset of 4 points is sufficient to reconstruct q

17 Ingredients Ingredients I Bilinear maps G 1, G 2 groups of prime order p, g generator of G 1 Bilinear map e : G 1 G 1 G 2 e(g a, g b ) = e(g, g) ab e(g, g) 1

18 Ingredients Ingredients II Lagrange Coefficient S Z finite set of numbers Lagrange coefficient i,s defined as: for i Z i,s (x) = j S,j i x j i j

19 Ingredients Ingredients II Lagrange Coefficient and polynomials Let q be a polynomial of degree d 1 and let S Z, S = d. q can also be written as: q(x) = q(i) i,s (x) i S In other words: We can directly calculate every point from q by using d other points

20 Construction Construction of the scheme Restriction: Let n be fixed size of an identity, For every identity ω it holds that ω n Universe of attributes: U = Z p, p prime number G 1 group of prime order p g generator of G 1 e : G 1 G 1 G 2 bilinear map

21 Construction The algorithms Setup(n, d): Run bilinear Diffie-Hellman parameter generator G to obtain p, G 1, G 2. Choose y G 1. Set g 1 = g y, g 2 G 1, N := {1,..., n + 1} Define function T : t 1,..., t n+1 G 1 T (x) = g x n 2 Publish g1, g 2, t 1,..., t n+1 y is master key n+1 i=1 t i,n (x) i

22 Construction The algorithms Key-Gen(ω): Choose polynomial q with degree d 1 uniformly at random with q(0) = y For i ω set: D i = g q(i) 2 T (i) r i, r i Z p di = g r i Private key k ω = {{D i } i ω, {d i } i ω }

23 Output C = (ω, c, g s, {T (i) s } i ω ) Fuzzy Identity-Based Encryption Construction The algorithms Enc(ω, m): Choose s Z p Ciphertext c = m e(g 1, g 2 ) s Dec(C, k ω ): Choose S ω ω, S = d m = c i S ( e(di, T (i) s ) ) i,s(0) e(d i, g s )

24 Construction Correctness Plug in definitions Use linearity of e ) i,s (0) m = c ( e(di, T (i) s ) i S e(d i, g s ) = m e(g y, g 2 ) s ( e(g r i, T (i) s ) i S e(g q(i) 2 T (i) r i, g s ) = m e(g, g 2 ) sy ( e(g, T (i)) r i s e(g 2, g) q(i)s e(t (i), g) r i s i S ) i,s (0) ) i,s (0)

25 Construction e(g, T (i)) r i s cancels out Use lagrange coefficient to reconstruct y m e(g, g 2 ) sy ( e(g, T (i)) r i s i S e(g 2, g) q(i)s e(t (i), g) r i s = m e(g, g 2 ) sy ( ) 1 i,s (0) i S e(g 2, g) q(i)s ( ) q(i) = m e(g, g 2 ) sy 1 i,s (0)s i S e(g 2, g) ( ) = m e(g, g 2 ) sy 1 ys = m e(g 2, g) ) i,s (0)

26 Security assumption Security Decisional bilinear Diffie-Hellman (BDH) assumption: Let a, b, c, z Z p. The decisional Diffie-Hellman assumption is that every ppt A can not distinguish the tuple (g a, g b, g c, e(g, g) z ) from the tuple (g a, g b, g c, e(g, g) abc ) with success probability µ(x) where µ is a negligible function.

27 Security assumption Security proof If there exists an adversary that can break the security scheme then there is an adversary that can decide the bilinear Diffie-Hellman problem. Formally: If a ppt A can win the Fuzzy Selective-ID game with probability ε(λ) then there is an adversary that can decide for the tuple (g a, g b, g c, e(g, g) z ) whether z = abc with probability ε(λ) 2.

28 Security assumption Security proof (Outline) Adversary A Sel-Id with Pr[Sel-ID col A Sel-Id,Π (λ) = 1] = ε(λ) ε(λ) not negligible Construct adversary A BDH for BDH assumption Receives tuple (g a, g b, g c, e(g, g) z ) A BDH will simulate encryption scheme for A Sel-Id Use elements of tuple for construction

29 Security assumption Security proof (Outline) Simulating an encryption scheme Set g 1 = g a, g 2 = g b Most difficult: Answer private key request correctly Core idea: On receive of messages m 1, m 2 : Encrypt m i, i {0, 1} with c = m i g z If z = abc: ciphertext distribution as in real scheme Else: c is random element of G2 If A Sel-Id wins the game: Guess that z = abc. Otherwise, guess that z is a random element.

30 Security assumption Security proof (Outline) Pr[A BDH wins z abc] = Pr[A Sel-Id does not win] = 1 2 because c is a uniformly distributed element. Pr[A BDH wins] = Pr[A BDH wins z = abc] Pr[z = abc] +Pr[A BDH wins z abc] Pr[z abc] ( ) 1 = 2 + ε(λ) = ε(λ) 2

31 Extensions Extensions I Arbitrary attributes Use a hash function H to has arbitrary attributes (e.g. strings) into Z p. Replace T with hash function Use a hash function instead of T. Advantages: Faster computation (one hash instead of n + 1 exponentitions) Use arbitrary number of attributes for encryption Security proof uses random oracle

32 Extensions Extensions II Decyption optimization Encrypt a ciphertext c = m e(g 1, g 2 ) s with c ( ) e d i,s (0) i, T (i) s i S m = ( ) e D i,s (0) i, g s i S Bilinear map operations reduce from 2k to k + 1 Exponentiations increase from k to 2k

33 Thank you for your attention Extensions Thank you for your attention