Identity-based Encryption with Efficient Revocation. Ziyang Liu May 12,2015

Transcription

1 Identity-based Encryption with Efficient Revocation Ziyang Liu May 12,2015

2 Overview Identity-based encryption How IBE works Simple Solution of Revocation Revocable IBE Fuzzy IBE Binary tree data structure Reference

3 Identity-based encryption Identity-based encryption, or ID-based encryption(ibe), is an important primitive of ID-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user (e.g. a user's address). IBE eliminates the need for a PKI that make publicly available the mapping between identities and public keys. The private keys of the users are issued by a trusted third party called the private key generator(pkg).

4 How IBE works

5 Simple Solution of Revocation In PKI settings, the revocation mechanism must be provided from the system which can revoke user's private keys. Users renew their private keys periodically, e.g. every week, and senders use the receivers' identities concatenated with the current time period. This means that all users, regardless of whether their keys have been exposed or not, have to regularly get in contact with the PKG, prove their identity and get new private keys. To avoid the need for interaction and secure channel, the PKG may encrypt the new keys of non-revoked users under their identities and the previous time period and send the ciphertexts to these users.

6 Revocable IBE The idea is to combine Fuzzy IBE construction with the binary tree data structure. Fuzzy IBE primitive provides some sort of error-tolerance Binary tree data structure used to improve efficiency of revocation

7 Revocable IBE Definition -- An identity-based encryption with Revocable IBE scheme RIBE = (S; SK;KU;DK; E;D;R) is defined by seven algorithms and has associated message space M, identity space I and time space T. Setup algorithm S Key authority Security parameter 1 k, number of users n Public parameter pk, master key mk, revocation list rl, state st Private key generation SK Key authority Public parameter pk, master key mk, identity w, state st Private key sk w, updated state st (Sk w,st) SK(pk,mk,w,st)

8 RIBE scheme Key update generation KU Key authority pk, mk, t, rl, st Key update ku t ku t KU(pk,mk,t,rl,st) Deterministic decryption key generation DK Receiver sk w, ku t Decryption key dk w,t dk w,t Dk(Sk w, ku t )

9 RIBE scheme Encryption E Sender pk, w, encryption time t, message m Ciphertext c c E(pk,w,t,m) Deterministic decryption D Receiver Dk w,t,, c m Revocation R Key authority w, revocation time t, rl, st Updated revocation list rl

10 Fuzzy IBE Basic idea-- user s key can decrypt a particular ciphertext only if some number of attributes match between the ciphertext and the key. Attributes for encryption and decryption Identity of the receiver and time period. Split the decryption key in two components to private key and key update. Both the private key and key update will be used to decrypt a ciphertext.

11 Binary tree data structure Reduce the number of key updates that key authority needs to compute Construct a binary tree of height h. Associate each user to a unique leaf node. Every user gets keys compute of all nodes on the path from leaf node to corresponding root node.

12 Binary tree data structure KUNodes(T,rl,t) X,Y (v i,t i ) rl if t i t then add Path(v i ) to X x X if x l X then add x l to Y if x r X then add x r to Y If Y = then add root to Y Return Y

13 Efficiency of RIBE Analyze communication and time complexity of key authority in computing and publishing key updates as a function of the number of users n and number of revoked users r. Significant improvement for small values of r. r=0 1< r n/2 n/2 < r n BF-IBE O(n) O(n-r) O(n-r) Revocable IBE O(1) O(r log (n/r)) O(n-r)

14 Efficiency of RIBE In terms of encryption and decryption, RIBE scheme is less efficient than the existing IBE schemes. Decryption Encryption Waters 2 3 Boneh 2 4 RIBE 4 4

15 Reference D. Boneh and M. K. Franklin. Identity-based encryption from the Weil pairing. In CRYPTO, pages , A. Sahai and B. Waters. Fuzzy identity-based encryption. In EUROCRYPT, pages , A. Boldyreva, V. Goyaly and V. Kumarz. Identity-based Encryption with Efficient Revocation. In the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press,