Acknowledgements. Notations and abbreviations


Abstract

This work explains the fundamental definitions required to define and construct Fuzzy Identity-Based Encryption (FIBE) schemes as an error-tolerant version of Identity-Based Encryption, together with three examples of such constructions: the Sahai-Waters FIBE scheme and Baek et al.'s EFIBE-I and EFIBE-II. The Set-up, Key Generation, Encryption and Decryption algorithms of each scheme are formalized and their proofs of security in the Selective-ID model are presented. Subtle differences between the three schemes are discussed, including a comparison of their computational efficiency. The text is intended as a self-contained resource, containing both the schemes and the background definitions.

Keywords: Cryptography, Fuzzy logic, Identity-Based Encryption (IBE), Fuzzy Identity-Based Encryption (FIBE), Selective-ID model, Encryption scheme

Acknowledgements

I would like to take the opportunity to thank my supervisor, Dr. Per-Anders Svensson, for his enthusiastic guidance throughout this work. His encouraging style of teaching in the courses I have taken with him was one of the main persuading factors for me. I am also grateful for Dr. Andrei Khrennikov's critique as the examiner of this work and his just suggestions. I also would like to thank Dr. Ola Petersson for his enlightening explanations, as well as Dr. Marcus Nilsson for reviewing the abridged version of this writing.

Contents

Acknowledgements
Notations and abbreviations
1 Introduction
  1.1 Background
  1.2 The aim of the study
  1.3 Structure of the document
  1.4 Author's contribution
2 Definitions
  2.1 Fuzzy logic
  2.2 Admissible bilinear maps
  2.3 Identity-Based Encryption
  2.4 Fuzzy Identity-Based Encryption
  2.5 Public-Key Infrastructure
  2.6 Lagrange coefficient
  2.7 Random oracle
  2.8 Collusion attack
  2.9 Fuzzy Selective-ID model
  2.10 Decisional Modified Bilinear Diffie-Hellman problem
3 Schemes
  3.1 Fuzzy IBE Scheme by Sahai-Waters
  3.2 Efficient Fuzzy IBE-I Scheme by Baek et al.
  3.3 Efficient Fuzzy IBE-II Scheme by Baek et al.
  3.4 The comparison of the schemes
  3.5 Exemplification
4 Proof of Security
  4.1 Security of FIBE Scheme
  4.2 Security of EFIBE-I Scheme
  4.3 Security of EFIBE-II Scheme
  4.4 Other security factors
5 Conclusion
  5.1 Results and discussion
  5.2 Future work
References

Notations and abbreviations

A, B   fuzzy subsets.
$\mathcal{A}$   polynomial-time adversary.
A(x)   membership function of a fuzzy subset.
$\mathcal{B}$   simulator.
BQP   Bounded-error Quantum Polynomial time.
CA   Certificate Authority.
d   error-tolerance parameter.
DBDH   Decisional Bilinear Diffie-Hellman.
DLP   Discrete Logarithm Problem.
DMBDH   Decisional Modified Bilinear Diffie-Hellman.
E   cipher-text.
e(g, h)   bilinear map.
EFIBE   Efficient Fuzzy Identity-Based Encryption.
FIBE   Fuzzy Identity-Based Encryption.
FIBE-RO   Random Oracle version of FIBE.
$G_1$, $G_2$   groups of prime order p.
g   generator of a cyclic group.
H   hash function modelled as a random oracle.
IBE   Identity-Based Encryption.
IND-FSID-CCA   Indistinguishability of encryptions under Fuzzy Selective-ID, Chosen Ciphertext Attack.
IND-FSID-CPA   Indistinguishability of encryptions under Fuzzy Selective-ID, Chosen Plaintext Attack.
ITU-T   International Telecommunication Union, Telecommunication Standardization Sector.
$\Delta_{i,S}$   Lagrange coefficient.
L(x)   Lagrange polynomial.
M   message.
µ   random bit, µ ∈ {0, 1}.
ν   random bit, ν ∈ {0, 1}.
PKG   Private-Key Generator.
PKI   Public-Key Infrastructure.
PMI   Privilege Management Infrastructure.
RO   Random Oracle.
ω'   private identity, used in decryption.
ω   public identity, used in encryption.

Chapter 1
Introduction

Within the realm of cryptography there will never be enough research and development, and the door for new, radical algorithms and schemes is always open, so time spent in the field is not spent in vain. Considering the way we learn, work and educate today, the ubiquitous digital-data-dependent infrastructure and the presence of the Internet in every aspect of our lives, data security, whether in transmission or in storage, is simply vital to us. One of the more recent theoretical advances in cryptography is the combination of fuzzy logic, or fuzzy decision making, with identity-based cryptography.

1.1 Background

We live in an era of scandals and mistrust. Thanks to the efforts of whistle-blowers, what was a mere rumour not long ago has become a certainty: every aspect of our digital existence and our digital identity is under constant threat of being unlawfully tampered with. Cryptography used to be a specialist's field. As the threat grows, everyday people are starting to pay attention and ask questions. Any person dealing with e-mail, the Internet or any other form of digital communication demands assurances for their privacy and the security of their information. The science of cryptography deals with this problem. We have certainly come a long way from the days of Julius Caesar and his Caesar cipher. We have been using mathematically sophisticated cryptosystems, but, as is typical of the information age, technologies become obsolete faster than expected. Creating a good cryptosystem is harder than it is thought to be: while a cryptosystem has to be secure, it also needs to be efficient, easy to use and easy to implement.

It is much more convenient to use one's identity, in some form, to secure digital communications, and it is especially convenient to use a biometric form of identity. After all, this is how we recognize people: by their face, voice or even gestures. It is therefore natural to generate a digital representation of a biometric attribute and employ it for encryption. The security aspect must not be overlooked either. Previously, a cryptosystem was created and considered secure until someone came up with an efficient way to break it. Nowadays, we can mathematically prove that a cryptosystem is secure enough to be trusted by today's technological standards. The chapter Proof of Security is dedicated to this notion. Basically, proving the security of a cryptosystem against a certain attack is accomplished by formulating a mathematical problem from the encryption processes of the cryptosystem and reducing it to another problem which is known to be very hard to solve. It needs to be pointed out that hard to solve does not mean unsolvable, but rather hard enough to be considered unsolvable by the technological means presently available to us; with newer and faster computers these problems might not be hard in the future. Note also that a given proof of security only proves the security of the cryptosystem against the particular attack used to create the problem, so different proofs ensure security against different attacks. Considering all these facts, identity-based encryption schemes are a viable candidate for the requirements at hand.

1.2 The aim of the study

As the topic is quite recent and there is an abundance of open questions in the field, research is done and presented at conferences on a regular basis. This document will study, explore and explain the proposed methods to create such a system. It is the author's hope to create a starting point for interested readers by gathering the required background theory, along with the bulk of the work done in this area, in one place. The bulk of the work means the first proposed scheme by Sahai-Waters [17], followed by its more efficient incarnations by Baek et al. [1]. Another goal of this work is to show how one can combine already established and rather old theories from other disciplines to create new, flexible and efficient methods. It is interesting to see how fuzzy logic has been used in such a way. A further point this work tries to bring out is the multidisciplinary nature of the field in general. The applications of fuzzy logic are already known in the Computer Science and Electrical Engineering fields, and as a fundamental tool it continues to prevail.

1.3 Structure of the document

In this endeavour, we will start with explanations of the basic mathematical definitions and principles used in the course of this writing. This will be the Definitions chapter, including sections such as Fuzzy Logic, Bilinear Maps, Public-Key Infrastructure, etc. Afterwards, in the Schemes chapter, we will introduce three different approaches and encryption methods involving fuzzy logic theory for data encryption; in other words, we will explain three Fuzzy Identity-Based Encryption schemes. Basically, this is the bulk of the work that has been done until now in this relatively young area. The Schemes chapter will end with a comparison between three major schemes, two explained within this writing, by Baek et al. [1], and one from the work done by Pirretti et al. [15], emphasising the efficiency comparison. For the sake of easier comparability, the notations of the different schemes are intentionally chosen to be as similar to each other as possible. The chapter following Schemes contains the proofs of security for the three explained schemes. The strategy of similar notation and arguments is applied to the proofs of security as well. In this way we first focus on formally defining the schemes and, after reaching such an understanding, we go through the required proofs to establish the security of the schemes. A concluding chapter will finalize this writing. The collected resources for this thesis are mostly academic papers, as well as different on-line resources and books, especially in the case of mathematical definitions.

1.4 Author's contribution

As well as in the text itself, I would like to mention my personal contributions and, in some cases, corrections to the reference material here. As mentioned earlier, the notation and arguments are slightly modified to be comparable. I have also corrected errors, especially in Sahai-Waters' work. These errors could have been mere typing errors, but nevertheless it is important to be consistent in mathematical notation. I have also added a generalization to their proof of security. The last part of the proof is also changed, to calculate the proper advantage of the simulator against the DMBDH game. The original authors calculate the advantage of an adversary against the fuzzy Selective-ID game, which is not contributing to the proof.


Chapter 2
Definitions

Within this chapter, we go through the definitions used either in the explanations of the schemes or in their respective proofs of security. The definitions presented here are the relatively more advanced ones; simple mathematical expressions or rules are not included. The intention of this chapter is to make the schemes and their proofs of security easily understandable.

2.1 Fuzzy logic

The notion of fuzzy logic came into existence when Lotfi A. Zadeh introduced his fuzzy set theory [23]. Fuzzy logic is often presented as a type of probabilistic logic, although strictly its values are degrees of membership rather than probabilities. In classical logic, statements are allowed to have either the value true or the value false, corresponding to the truth values 1 and 0 respectively, whereas in fuzzy logic a statement can take any truth value in the range [0, 1], including the values strictly between 0 and 1. When it comes to a comparison, fuzzy logic allows us to consider more complex situations, resulting in better and more accurate reasoning and decision making. Within fuzzy set theory, fuzzy rules consisting of IF-THEN statements are evaluated using approximate reasoning. There can be a single fuzzy rule, or a block of fuzzy rules. The general representation of a block of fuzzy IF-THEN rules is

if $x$ is $A_i$, then $y$ is $B_i$, where $1 \le i \le N$.

Here, $A_i$ and $B_i$ are fuzzy subsets of the universal sets $X$ and $Y$, respectively. Linguistic variables can be cross-referenced with different values within fuzzy sets [7, 22]. Let us consider a block of rules for a temperature control device as an example.

IF temperature IS very cold, THEN stop fan.
IF temperature IS cold, THEN slow fan.
IF temperature IS normal, THEN no change.
IF temperature IS hot, THEN fast fan.

We call $A(x)$ the membership function for $A$. We can roughly write $A(x_i \in X) = A_i$. Considering the set $X = \{\text{very cold}, \text{cold}, \text{normal}, \text{hot}\}$, we can write the membership function in detail as

$$A(x) = \left\{ \frac{A_1}{\text{very cold}},\; \frac{A_2}{\text{cold}},\; \frac{A_3}{\text{normal}},\; \frac{A_4}{\text{hot}} \right\}.$$

The same can be applied to $B(x)$. The set {very cold, cold, normal, hot} includes all possible temperature values and results in the membership values $A_i$ according to the membership function. Likewise, the set {stop, slow, no change, fast} includes all possible fan speeds and results in the membership values $B_i$ according to the membership function. The above fuzzy rules can be formatted as implications. Letting temperature be $x_i$ and fan be $y_i$, we can formally write

$$(x_i \text{ is } A_i) \Rightarrow (y_i \text{ is } B_i).$$

The above formulation is an implication [7, 22]. As can be seen, fuzzy logic allows us to consider more accurate conditioning, resulting in better, or more controlled, decision making.

2.2 Admissible bilinear maps

A bilinear map is a function of two arguments, taking elements from two vector spaces to an element of a third vector space, that is linear in each argument separately. For instance, matrix multiplication, $M(m, n) \times M(n, p) \to M(m, p)$, is a bilinear map [16]. Let $G_1$ and $G_2$ be two groups of prime order $p$. The bilinear map $e : G_1 \times G_1 \to G_2$ is called admissible if the following conditions hold.

Bilinearity: for all $g, h \in G_1$ and $a, b \in \mathbb{Z}$, $e(g^a, h^b) = e(g, h)^{ab}$.

Non-degeneracy (non-singularity): there exist $g, h \in G_1$ such that $e(g, h) \ne 1$. As a result, for a generator $g$ of the prime-order group $G_1$, $e(g, g)$ is a generator of $G_2$ and $e(g, g) \ne 1$ [24].

Computability: $e(g, h)$ can be computed efficiently for all $g, h \in G_1$.

As a consequence of admissibility we can write $e(g^a, g^b) = e(g, g)^{ab}$, where $g$ is a generator of $G_1$ and $a, b \in \mathbb{Z}$ [6]. Note that even when $G_1$ and $G_2$ are the same group with the same generator $g$, $e(g, g)$ is some generator of $G_2$ but need not equal $g$ itself. Let us consider the 5th roots of unity in the complex plane, which form a cyclic group of order 5 under multiplication, as our example [12]. We take $G_1$ to be the set of solutions to $z^5 = 1$, that is $\{z \in \mathbb{C} \mid z^5 = 1\}$. We get

$$G_1 = \{1, z_1, z_2, z_3, z_4\} = \{1, z_1, z_1^2, z_1^3, z_1^4\}.$$

Let us also consider the mapping $e : G_1 \times G_1 \to G_2$, take $z_1$ as the generator of $G_1$ and $z_3$ as the generator of $G_2$. This gives

$$G_2 = \{1, z_3, z_3^2, z_3^3, z_3^4\},$$

since $G_2$ is also a cyclic group of order 5 consisting of the solutions to $z^5 = 1$, possibly with a different generator. Defining $e(z_1^a, z_1^b) = z_3^{ab}$ gives an admissible bilinear map, and we can write $e(z_1, z_1) \ne 1$, $e(z_1, z_1) = z_3$ and $e(z_1^2, z_1^3) = z_3^6 = z_3^1 = z_3$. Obviously, for cryptographic purposes the larger these cyclic groups are, the more useful they become; a group of order 5 has a trivially solvable discrete logarithm problem and serves only to illustrate the definition.

2.3 Identity-Based Encryption

Identity-Based Encryption (IBE) was first introduced by Adi Shamir [18]. Basically, IBE is a form of public-key encryption in which a user's public-key is derived from attributes related to the user's identity, e.g. an e-mail address. Different IBE schemes work with ASCII strings, such as the aforementioned e-mail address, as the user's identity value (ID). A trusted third party acts as a Private-Key Generator (PKG). The PKG generates a master public-key and a master private-key. Any party can compute the public-key of an intended recipient from that recipient's ID together with the master public-key. Private-keys can only be generated by the PKG, using the master private-key together with the ID, and are distributed only to the owner of that identity. Let us follow the steps taken in an Alice-Bob scenario, as shown in figure 2.1, according to Adi Shamir's description [18]. Alice wants to send a protected message to Bob. Alice will encrypt the message using Bob's public-key and she will sign¹ the message with her private-key. First, Alice queries and receives the master public-key from the PKG. Since the identity of Bob is also public, she can generate Bob's public-key and encrypt the message. For signing, she authenticates with the PKG and receives her private-key. Upon receipt of the message, Bob authenticates with the PKG and receives his private-key for the decryption. For checking the authenticity of the message, he can query the PKG for the master public-key, generate Alice's public-key using her ID and finally verify the signature on the message. Two well-known IBE schemes are the Boneh-Franklin scheme [6] and Cocks' IBE scheme [10], built on bilinear pairings (the Weil pairing) on elliptic curves and on the Quadratic Residuosity Problem, respectively.

2.4 Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption (Fuzzy IBE) is the next evolution of identity-based schemes, adding an error-tolerance feature to the scheme and making it a convenient choice for IBE systems using biometric identities. The motivation derives from the fact that biometric readings are not exact and always carry an amount of noise.

¹ For true protection, both encryption and signing must be employed, to guarantee the secrecy and the authenticity of the message respectively.

Figure 2.1: ID-Based Encryption diagram

2.5 Public-Key Infrastructure

A Public-Key Infrastructure (PKI) is one of the comprehensive means of achieving authentication, key distribution and non-repudiation through public-key cryptography. Simply put, a PKI provides a system for its users that guarantees the genuineness of published public-keys. This goal is achieved using certificates and Certificate Authorities (CAs). A certificate contains the information needed to verify the authenticity of a public-key. A CA is the trusted entity issuing certificates, vouching for them by signing them for a particular user. For instance, when Alice wants to communicate with Bob, Bob's identity certificate is publicly published and available to her. Using the CA's public-key, Alice verifies the CA's signature on the certificate and thereby obtains Bob's identity information together with Bob's public-key. Now Alice can trust the authenticity of Bob's public-key and initiate a secure connection. Everything is based on Alice trusting the CA in the first place [21]. X.509 is the standard defined by the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) for public-key infrastructure and Privilege Management Infrastructure (PMI).

2.6 Lagrange coefficient

A polynomial of degree $d$ interpolating a set of $d+1$ distinct points can be found using the Lagrange interpolation method. The resulting Lagrange polynomial is of the form

$$L(x) = \sum_{j=0}^{d} y_j\, l_j(x),$$

where $l_j$ is called the Lagrange coefficient and is defined as

$$l_j(x) = \prod_{0 \le m \le d,\; m \ne j} \frac{x - x_m}{x_j - x_m}.$$

Following this definition, we have, for $j \ne i$,

$$l_j(x_i) = \prod_{m \ne j} \frac{x_i - x_m}{x_j - x_m} = 0 \quad\text{and}\quad l_i(x_i) = \prod_{m \ne i} \frac{x_i - x_m}{x_i - x_m} = 1,$$

as the two cases for the Lagrange coefficient [14]. Let us find a polynomial of degree 2 using Lagrange interpolation as an example. Consider the three points

$$(x_0, y_0) = (1, 1), \quad (x_1, y_1) = (2, 4) \quad\text{and}\quad (x_2, y_2) = (3, 9).$$

We write

$$l_0 = \frac{x - x_1}{x_0 - x_1}\cdot\frac{x - x_2}{x_0 - x_2} = \frac{x-2}{1-2}\cdot\frac{x-3}{1-3} = \frac{(x-2)(x-3)}{2},$$

$$l_1 = \frac{x - x_0}{x_1 - x_0}\cdot\frac{x - x_2}{x_1 - x_2} = \frac{x-1}{2-1}\cdot\frac{x-3}{2-3} = -(x-1)(x-3)$$

and

$$l_2 = \frac{x - x_0}{x_2 - x_0}\cdot\frac{x - x_1}{x_2 - x_1} = \frac{x-1}{3-1}\cdot\frac{x-2}{3-2} = \frac{(x-1)(x-2)}{2}.$$

This will result in

$$L(x) = 1\cdot\frac{(x-2)(x-3)}{2} - 4\,(x-1)(x-3) + 9\cdot\frac{(x-1)(x-2)}{2} = x^2.$$

Thus we get the resulting polynomial $f(x) = x^2$, which can be checked against the initial points.

2.7 Random oracle

A Random Oracle (RO) is an idealized hash function: it answers each fresh query with an independent, uniformly random response and returns the same response whenever a query is repeated. Since no concrete hash function is truly random, a random oracle is treated as a black box [8]. In cryptography, the Random Oracle Model is a model in which all participating parties have access to a public RO, as proposed in the work of Bellare-Rogaway [2].

2.8 Collusion attack

Collusion attacks are discussed within the realm of digital fingerprinting. A collusion attack is the combined effort of a number of attackers (colluders) trying to remove the digital fingerprint and create a copy of the original data [25]. The same idea applies to Identity-Based Encryption schemes: several key holders pool their private-keys in an attempt to decrypt a cipher-text that none of them could decrypt alone.

2.9 Fuzzy Selective-ID model

The Fuzzy Selective-ID model of security for FIBE schemes is a slightly modified version of the Selective-ID model of security for IBE schemes. The original Selective-ID model was first proposed in the work of Canetti et al. [9] and was also used by Boneh-Boyen in their work [5]. The Fuzzy Selective-ID model differs in that the adversary can only query secret keys for identities having fewer than $d$ attributes in common with the target identity. The Fuzzy Selective-ID model for a FIBE scheme is defined as the following game.

Initialization. The adversary $\mathcal{A}$ declares the identity $\alpha$ on which it wishes to be challenged.

Scheme Set-up. The challenger runs the set-up algorithm according to the scheme's definition and publishes the public parameters.

Phase 1. The adversary $\mathcal{A}$ may query private-keys for identities $\gamma_k$ satisfying $|\gamma_k \cap \alpha| < d$ for all $k$; that is, the number of attributes $\gamma_k$ and $\alpha$ have in common must be less than $d$.

Challenge. When the adversary decides that Phase 1 is over, it sends two equal-length messages $M_0$ and $M_1$ to the challenger. The challenger picks a random bit $b \in \{0, 1\}$, runs the scheme's Encryption algorithm on $M_b$ under the identity $\alpha$ and sends the resulting cipher-text to the adversary.

Phase 2. Phase 1 is repeated.

Guess. The adversary outputs a guess $b' \in \{0, 1\}$ and wins if $b' = b$.

We define the advantage of an adversary $\mathcal{A}$ in the above game as

$$\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|.$$

Definition 1 (Fuzzy Selective-ID). A scheme is secure in the Fuzzy Selective-ID model if any polynomial-time adversary participating in the above game against the scheme has at most a negligible advantage [17].

2.10 Decisional Modified Bilinear Diffie-Hellman problem

The Decisional Bilinear Diffie-Hellman (DBDH) problem is a variant of the Decisional Diffie-Hellman (DDH) problem [4]. DDH is the cornerstone of the proof of security of many cryptographic schemes, such as ElGamal, and is used as a computational hardness assumption. The DBDH assumption and the Decisional Modified Bilinear Diffie-Hellman (DMBDH) assumption are defined as follows. DMBDH is a slightly changed version of DBDH and will be used in our proof of security.

Definition 2 (Decisional Bilinear Diffie-Hellman (DBDH) Assumption). Let $a, b, c, z \in \mathbb{Z}_p$ be random parameters chosen by a challenger. The DBDH assumption is that the advantage of a polynomial-time adversary $\mathcal{A}$ in distinguishing the tuples $(A = g^a, B = g^b, C = g^c, Z = e(g, g)^{abc})$ and $(A = g^a, B = g^b, C = g^c, Z = e(g, g)^z)$ is negligible, i.e.

$$\left|\Pr[\mathcal{A}(g^a, g^b, g^c, e(g, g)^{abc}) = 1] - \Pr[\mathcal{A}(g^a, g^b, g^c, e(g, g)^{z}) = 1]\right| \le \epsilon$$

for a negligible $\epsilon$, which is the probability formulation used by Shoup [20].

Definition 3 (Decisional Modified Bilinear Diffie-Hellman (DMBDH) Assumption). Let $a, b, c, z \in \mathbb{Z}_p$ be random parameters chosen by a challenger. The DMBDH assumption is that the advantage of a polynomial-time adversary $\mathcal{A}$ in distinguishing the tuples $(A = g^a, B = g^b, C = g^c, Z = e(g, g)^{ab/c})$ and $(A = g^a, B = g^b, C = g^c, Z = e(g, g)^z)$ is negligible, i.e.

$$\left|\Pr[\mathcal{A}(g^a, g^b, g^c, e(g, g)^{ab/c}) = 1] - \Pr[\mathcal{A}(g^a, g^b, g^c, e(g, g)^{z}) = 1]\right| \le \epsilon$$

for a negligible $\epsilon$, again in the formulation used by Shoup [20].


Chapter 3
Schemes

In modern-day cryptography applications, biometric inputs play a decisive role. As every reading of a biometric identity involves a certain degree of acceptable error, fuzzy logic is a natural tool to control the difference between readings and to limit or expand the error-tolerance. This is one of the main motivations behind creating Fuzzy Identity-Based Encryption, or simply Fuzzy IBE. It is important to mention that, for the schemes to be secure, there must be assurances about the ownership of an identity; for instance, a trained operator can verify that the biometric being enrolled belongs to the person presenting it.

3.1 Fuzzy IBE Scheme by Sahai-Waters

Fuzzy Identity-Based Encryption evolves from Identity-Based Encryption by defining an identity as a set of descriptive attributes instead of a string of characters, as is the case for IBE. In this way, a user holding the identity $\omega'$ can decrypt a cipher-text encrypted under the public-key $\omega$. In this scheme $\omega$ and $\omega'$ do not need to be identical, which allows the identity measurements to be error-tolerant. The scheme is especially applicable within the realm of biometric cryptography, since biometric readings contain noise, causing the identities to be slightly different. Moreover, the scheme does not need to be backed by a Public-Key Infrastructure, since the biometric identity itself can be considered the public-key of its owner [17]. Another area of application for the scheme is Attribute-Based Encryption, in which only users having the correct set of attributes are able to decrypt a cipher-text encrypted for those attributes. We will focus on the application of the scheme in the area of biometric cryptography [17].

Description of the scheme

This is an IBE scheme in which a plain text is encrypted using $\omega$ and decrypted using $\omega'$, where $|\omega \cap \omega'| \ge d$ for some error-tolerance parameter $d$. Let $G_1$ and $G_2$ be groups of prime order $p$, with $G_1$ having the generator $g$, and let $e : G_1 \times G_1 \to G_2$ be the bilinear map. Furthermore, consider the Lagrange coefficient $\Delta_{i,S}$ for $i \in \mathbb{Z}_p$ and a set $S \subseteq \mathbb{Z}_p$, such that

$$\Delta_{i,S}(x) = \prod_{j \in S,\; j \ne i} \frac{x - j}{i - j}.$$

Each identity is a set of elements belonging to a universe $\mathcal{U}$. A unique integer in $\mathbb{Z}_p$ represents each element of the universe. The universe is assumed to be finite for now, with size $|\mathcal{U}|$.

Set-up. The first $|\mathcal{U}|$ integers of $\mathbb{Z}_p$ are chosen as the integers corresponding to the elements of the universe, i.e. $1, \ldots, |\mathcal{U}| \pmod p$. We also choose $t_1, \ldots, t_{|\mathcal{U}|}$ and $y$ uniformly at random from $\mathbb{Z}_p$. The public parameters are

$$T_1 = g^{t_1}, \ldots, T_{|\mathcal{U}|} = g^{t_{|\mathcal{U}|}}, \quad Y = e(g, g)^y,$$

where $e$ is the bilinear map explained before, and the master key is $t_1, \ldots, t_{|\mathcal{U}|}, y$.

Key Generation. Consider an identity $\omega' \subseteq \mathcal{U}$ consisting of elements of the universe. The private-key is constructed from components $D_i$, one for each element of the identity. We will have a set of components $(D_i)_{i \in \omega'}$ with

$$D_i = g^{q(i)/t_i} \quad \text{for every } i \in \omega',$$

where $q$ is a randomly chosen polynomial of degree $d-1$ such that $q(0) = y$.

Encryption. When encrypting a message $M \in G_2$ using the public-key $\omega$, the cipher-text is published in the form

$$E = \left(\omega,\; E' = M Y^s,\; \{E_i = T_i^s\}_{i \in \omega}\right),$$

where $s \in \mathbb{Z}_p$ is a random value.¹ It is important to observe one of the strong points of the scheme: $\omega$ is public and is included in $E$.

Decryption. Given a cipher-text $E$ encrypted with the public-key for the identity $\omega$, and a private-key for the identity $\omega'$, with fault-tolerance parameter $d$ and $|\omega \cap \omega'| \ge d$, decryption proceeds as follows. Picking an arbitrary set $S \subseteq \omega \cap \omega'$ with $d$ elements, we compute

$$E' \Big/ \prod_{i \in S} e(D_i, E_i)^{\Delta_{i,S}(0)}
= M e(g, g)^{sy} \Big/ \prod_{i \in S} e\!\left(g^{q(i)/t_i}, g^{s t_i}\right)^{\Delta_{i,S}(0)}
= M e(g, g)^{sy} \Big/ \prod_{i \in S} \left(e(g, g)^{s q(i)}\right)^{\Delta_{i,S}(0)}.$$

From the definition of the Lagrange coefficient we have

$$\Delta_{i,S}(i) = \prod_{j \in S,\; j \ne i} \frac{i - j}{i - j} = 1 \quad\text{and}\quad \Delta_{i,S}(k) = \prod_{j \in S,\; j \ne i} \frac{k - j}{i - j} = 0 \quad\text{for } k \in S,\; k \ne i,$$

so for any polynomial $f$ of degree at most $d-1$ the Lagrange polynomial $\sum_{i \in S} f(i)\,\Delta_{i,S}(x)$ agrees with $f$ at the $d$ points of $S$ and hence equals $f$. Evaluating at $x = 0$ gives the interpolation identity

$$\sum_{i \in S} q(i)\,\Delta_{i,S}(0) = q(0) = y,$$

and therefore

$$\prod_{i \in S} \left(e(g, g)^{s q(i)}\right)^{\Delta_{i,S}(0)} = e(g, g)^{s \sum_{i \in S} q(i)\,\Delta_{i,S}(0)} = e(g, g)^{sy}.$$

Consequently,

$$M e(g, g)^{sy} \Big/ \prod_{i \in S} \left(e(g, g)^{s q(i)}\right)^{\Delta_{i,S}(0)} = M.$$

We can apply the polynomial interpolation rules since the polynomial $s\,q(x)$ is of degree $d-1$ and the set $S$ contains $d$ elements, so $s\,q(x)$ can be interpolated [17].

¹ The algorithms of the different schemes are given in a modular fashion. By $i \in \omega$ we simply mean an attribute of $\omega$. The notation $i$ might be used in other sections, where appropriate.

3.2 Efficient Fuzzy IBE-I Scheme by Baek et al.

The next scheme in our focus is the first of the two schemes from Baek et al.'s work. This Efficient Fuzzy IBE scheme, referred to as EFIBE-I, is structurally different from FIBE and uses the random oracle model. It is intended as a more efficient replacement for the FIBE scheme. The scheme has the same possible applications in attribute-based cryptography and biometric cryptography.

Description of the scheme

Similar to FIBE, within EFIBE-I a message is encrypted with the identity $\omega$ while decryption takes place with the identity $\omega'$, where $|\omega \cap \omega'| \ge d$. We again use a bilinear map $e : G_1 \times G_1 \to G_2$, where $G_1$ and $G_2$ are groups of prime order $p$ and $G_1$ has the generator $g$. The Lagrange coefficient is also defined as before: $\Delta_{i,S}$ for $i \in \mathbb{Z}_p$ and a set $S \subseteq \mathbb{Z}_p$, with

$$\Delta_{i,S}(x) = \prod_{j \in S,\; j \ne i} \frac{x - j}{i - j}.$$

The identities are assumed to be sets of elements represented by unique integers in $\mathbb{Z}_p$.

Set-up. Choose $g_1 \in G_1$ and $y \in \mathbb{Z}_p$ at random and let $g_2 = g^y$. Let $H : \mathbb{Z}_p \to G_1$ be a hash function modelled as a random oracle. The public parameters are $\langle p, g, e, G_1, G_2, H, g_1, g_2, d \rangle$ and the master key is $\langle p, g, e, G_1, G_2, H, g_1, g_2, y \rangle$.

Key Generation. For an identity $\omega'$ the private-key is constructed from components $D_i$, one for each element of the identity. We will have $(D_i)_{i \in \omega'}$ with

$$D_i = (\gamma_i, \delta_i) = \left(H(i)^{q(i)},\; g^{q(i)}\right) \quad \text{for every } i \in \omega',$$

where $q$ is a randomly chosen polynomial of degree $d-1$ such that $q(0) = y$.

Encryption. A message $M \in G_2$ is encrypted with the identity $\omega$ and the cipher-text is published as

$$E = \left(\omega,\; U = g^s,\; \{V_i = (g_1 H(i))^s\}_{i \in \omega},\; E' = e(g_1, g_2)^s M\right),$$

where $s \in \mathbb{Z}_p$ is a random value.

Decryption. Given a cipher-text $E$ encrypted with the public-key for the identity $\omega$, and a private-key for the identity $\omega'$, with fault-tolerance parameter $d$ and $|\omega \cap \omega'| \ge d$, decryption proceeds as follows. Choosing an arbitrary set $S \subseteq \omega \cap \omega'$ with $d$ elements, and noting that the attribute $i \in \omega$ and the attribute $i \in \omega'$ coincide for $i \in S$, we compute

$$\frac{e\!\left(\prod_{i \in S} \gamma_i^{\Delta_{i,S}(0)},\, U\right)}{\prod_{i \in S} e\!\left(V_i,\, \delta_i^{\Delta_{i,S}(0)}\right)}\, E'
= \frac{e\!\left(\prod_{i \in S} \gamma_i^{\Delta_{i,S}(0)},\, U\right)}{\prod_{i \in S} e\!\left((g_1 H(i))^s,\, (g^{q(i)})^{\Delta_{i,S}(0)}\right)}\, E'
= \frac{e\!\left(\prod_{i \in S} \gamma_i^{\Delta_{i,S}(0)},\, U\right)}{\prod_{i \in S} e\!\left((g_1 H(i))^{q(i)\,\Delta_{i,S}(0)},\, g^s\right)}\, E'$$

$$= \frac{e\!\left(\prod_{i \in S} \gamma_i^{\Delta_{i,S}(0)},\, U\right)}{\prod_{i \in S} e\!\left((g_1^{q(i)})^{\Delta_{i,S}(0)}\,(H(i)^{q(i)})^{\Delta_{i,S}(0)},\, g^s\right)}\, E'
= \frac{e\!\left(\prod_{i \in S} \gamma_i^{\Delta_{i,S}(0)},\, U\right)}{e\!\left(\prod_{i \in S} (g_1^{q(i)})^{\Delta_{i,S}(0)},\, g^s\right)\, e\!\left(\prod_{i \in S} \gamma_i^{\Delta_{i,S}(0)},\, U\right)}\, E'$$

$$= \frac{1}{e\!\left(g_1^{q(0)}, g^s\right)}\, e(g_1, g_2)^s M
= \frac{1}{e\!\left(g_1^{y}, g^s\right)}\, e(g_1, g^y)^s M
= \frac{1}{e(g_1, g)^{ys}}\, e(g_1, g)^{ys} M = M.$$

Above, we have used the same interpolation identity $\sum_{i \in S} q(i)\,\Delta_{i,S}(0) = q(0) = y$ as in the FIBE scheme's decryption [1].

3.3 Efficient Fuzzy IBE-II Scheme by Baek et al.

The third scheme is the other Baek et al. scheme, referred to as EFIBE-II. This is a simplified version of the Sahai-Waters FIBE scheme for a large universe of attributes, which we have

25 not gone through here. The difference is in the construction of the private-key. The private-key in Sahai-Waters scheme for a large universe of attributes is extracted as (g q(i) 1 H(i) r i, g r i ) ), while EFIBE-II computes it as ((g 1 H(i)) q(i), g q(i). Description of the scheme Similar to the previous routine, construct a bilinear map e : G 1 G 1 G 2, where G 1 and G 2 are groups of prime order p with G 1 having the generator g. The Lagrange coefficient is defined as before in the form of i,s (x). Set-up Consider g 1 G 1 and y Z p, randomly chosen. Let g 2 = g y. Consider a hash function H : Z p G 1 as a random oracle. The public parameters and the master key are similar to EFIBE-I and expressed as p, g, e, G 1, G 2, H, g 1, g 2, d and p, g, e, G 1, G 2, H, g 1, g 2, y, respectively. Key Generation For an) identity ω, the private-key is represented as (D i ) i ω, with D i = (γ i, δ i ) = ((g 1 H(i)) q(i), g q(i) for every i ω, where q is a randomly chosen polynomial of the degree d 1, such that q(0) = y. Encryption Given a message M G 2, an identity ω for encryption and a random value s Z p, the result of encryption will be as E = (ω, U = g s, {V i = H(i) s } i ω, E = e(g 1, g 2 ) s M). Decryption Given a cipher-text E, encrypted with a public-key for the identity ω and having a private-key for the identity ω, with the fault tolerance parameter d, where ω ω d, the decryption is explained as follows. Choosing an arbitrary set S ω ω, with d elements and 17

26 considering that i = i if i S (for i ω and i ω ), we will have i S e(v i, δ i,s(0) i ) e( i S γ i,s(0) i, U) E i S = e(h(i)s, g q(i) i,s(0) ) ( ) E i S (g 1H(i)) q(i) i,s(0), g s = = = = e i S e(h(i)q(i) i,s(0), g s ) e( i S gq(i) i,s(0) 1, g s )e( i S H(i)q(i) i,s(0), g s ) E 1 e(g q(0) 1, g s ) e(g 1, g 2 ) s M 1 e(g1, y g s ) e(g 1, g 2 ) s M 1 e(g 1, g y ) e(g 1, g s 2 ) s M = M. Above, we have used the same statement regarding i,s (0) as in the FIBE and the EFIBE-I schemes decryption [1]. 3.4 The comparison of the schemes All three schemes discussed here have similar general properties, giving them similar advantages. The major difference is in the efficiency of key generation and encryption algorithms. All three schemes can be used for biometric cryptography, as well as attribute-based cryptography. The important consideration regarding the security of any FIBE scheme in biometric applications is the fact that, an operator must be able to verify the ownership of the biometric by the user. This will prevent so called imitation attacks. The security of these schemes is dependent on this single assumption. Since a biometric is a part of the actual user, the public-key will always be at hand. Biometric attributes are unique, preventing their derived identities to have duplicates. Using fuzzy logic theory, these schemes provide a flexible level of fault tolerance. They are also secure against collusion attacks, since the components of each private-key is generated using a different polynomial, preventing the possibility of creating a new private-key out of components from many private-keys. Since both EFIBE-I and EFIBE-II use a random oracle, they can only be compared to the random oracle version of Sahai-Waters scheme (FIBE), which is presented in the work of Pirretti et al. [15], denoted here by FIBE-RO. Table 3.1, comparing the efficiency of Key Generation, Encryption and Decryption of the three schemes will follow [1]. 
It can be observed that the most efficient Key Generation algorithm belongs to EFIBE-I, whereas the most efficient Encryption algorithm is from EFIBE-II, equalling the one from FIBE-RO. EFIBE-II has better key extraction efficiency compared to FIBE-RO, making it a better scheme overall [1].

Table 3.1: Algorithm efficiency comparison between different schemes

                             EFIBE-I                      EFIBE-II                     FIBE-RO
Size of parameters
  \ {p, g, e, G_1, G_2, d}   2|G_1|                       2|G_1|                       2|G_1|
Size of (D_i)_{i in ω}       2|ω||G_1|                    2|ω||G_1|                    2|ω||G_1|
Size of E \ ω                (|ω|+1)|G_1| + |G_2|         (|ω|+1)|G_1| + |G_2|         (|ω|+1)|G_1| + |G_2|
Cost of Key Generation       |ω|(T_H + 2T_e)              |ω|(T_H + T_m + 2T_e)        |ω|(T_H + T_m + 3T_e)
Cost of Encryption           |ω|(T_m + T_e + T_H)         |ω|(T_e + T_H)               |ω|(T_e + T_H)
                               + 2T_e + T_p + T'_m          + 2T_e + T_p + T'_m          + 2T_e + T_p + T'_m
Cost of Decryption           d(T_e + T_m)                 d(T_e + T_m)                 d(T_e + T_m)
                               + d(T_e + T_p)               + d(T_e + T_p)               + d(T_e + T_p)
                               + T_p + T'_i + T'_m          + T_p + T'_i + T'_m          + T_p + T'_i + T'_m

Notation used in Table 3.1:
ω: an identity;
|ω|: number of elements in an identity;
d: error tolerance parameter;
T_e: computation time of an exponentiation in G_1;
T_H: computation time of a random oracle hash function H;
T_m: computation time of a multiplication in G_1;
T'_m: computation time of a multiplication in G_2;
T_p: computation time of a pairing;
T_i: computation time of an inverse operation in G_1;
T'_i: computation time of an inverse operation in G_2.²

3.5 Exemplification
To put the theoretical elaboration into perspective, let us consider an Alice-Bob scenario, further explaining the general process of the FIBE scheme. Alice wants to send a protected message $M$ to Bob. Alice can encrypt the plain-text using Bob's public identity $\omega_{Bob}$, according to the Encryption process, resulting in the cipher-text $E$. The signing³ can take place by attaching the generated private-key for Alice to $M$. The private-key is generated according to the Key Generation process, resulting in $D_i$, for $i \in \omega_{Alice}$. The Decryption process will be performed by Bob, using his private-key generated through Key Generation, resulting in $D_j$, for $j \in \omega'_{Bob}$. It is important to remember that the private-key generation uses another version (reading) of Bob's identity, fulfilling the error-tolerance condition $|\omega_{Bob} \cap \omega'_{Bob}| \ge d$. The authenticity check can be done using the public identity $\omega_{Alice}$.

² This is different from the $T_i$ used in the description of FIBE.
³ We have not mentioned any details regarding signing within the description of the different schemes, but it follows the same principles as encryption.
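To check the decryption identities of Sections 3.2 and 3.3 and the collusion-resistance remark of Section 3.4 concretely, the following is an added Python example, not part of the thesis or of Baek et al.'s work: it replays EFIBE-I and EFIBE-II in a toy exponent model (every group element is stored as its discrete logarithm, so the pairing becomes multiplication in $\mathbb{Z}_p$), which verifies the algebra but exposes all secrets and is not a secure instantiation. The class `ToyFIBE`, the prime `P` and the attribute sets are constructed for the example.

```python
# Added example, not from the thesis or from Baek et al.: EFIBE-I and EFIBE-II
# replayed in a toy "exponent model" to check the decryption algebra above and
# the collusion remark of Section 3.4. Every G1 element g^x is stored as x mod p
# and every G2 element e(g,g)^x as x mod p, so a group multiplication adds
# exponents and the pairing is e(x, y) = x*y. All discrete logs are exposed:
# this verifies the formulas, it is not a secure instantiation.
import random

P = 2**127 - 1  # prime group order (constructed choice); attributes lie in Z_p \ {0}


def lagrange_at_zero(i, S):
    """Lagrange coefficient Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j)/(i - j) in Z_p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, P - 2, P) % P


def random_poly(d, y):
    """Coefficients of a random polynomial of degree d-1 with q(0) = y."""
    return [y] + [random.randrange(1, P) for _ in range(d - 1)]


def eval_poly(coeffs, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P


class ToyFIBE:
    """Set-up, Key Generation, Encryption and Decryption of EFIBE-I / EFIBE-II
    in the exponent model; d is the fault tolerance parameter."""

    def __init__(self, d, variant):
        assert variant in ("EFIBE-I", "EFIBE-II")
        self.d, self.variant = d, variant
        self.g1 = random.randrange(1, P)   # public g_1 (as its log)
        self.y = random.randrange(1, P)    # master key y; g_2 = g^y
        self._oracle = {}                  # random oracle H: Z_p -> G1

    def H(self, i):
        return self._oracle.setdefault(i, random.randrange(1, P))

    def keygen(self, omega):
        q = random_poly(self.d, self.y)    # a fresh polynomial for every private-key
        key = {}
        for i in omega:
            qi = eval_poly(q, i)
            if self.variant == "EFIBE-I":
                gamma = self.H(i) * qi % P              # H(i)^{q(i)}
            else:
                gamma = (self.g1 + self.H(i)) * qi % P  # (g_1 H(i))^{q(i)}
            key[i] = (gamma, qi)                        # (gamma_i, delta_i = g^{q(i)})
        return key

    def encrypt(self, omega, m):
        s = random.randrange(1, P)
        if self.variant == "EFIBE-I":
            V = {i: (self.g1 + self.H(i)) * s % P for i in omega}  # (g_1 H(i))^s
        else:
            V = {i: self.H(i) * s % P for i in omega}               # H(i)^s
        e_prime = (self.g1 * self.y * s + m) % P    # E' = e(g_1, g_2)^s * M
        return (set(omega), s, V, e_prime)          # U = g^s is stored as s

    def decrypt(self, key, ct):
        omega, U, V, e_prime = ct
        S = sorted(omega & set(key))[: self.d]      # any d elements of omega ∩ omega'
        if len(S) < self.d:
            raise ValueError("fewer than d matching attributes")
        coeff = {i: lagrange_at_zero(i, S) for i in S}
        # e(prod_i gamma_i^{Delta_i}, U)  and  prod_i e(V_i, delta_i^{Delta_i})
        paired_gamma = sum(key[i][0] * coeff[i] for i in S) * U % P
        paired_v = sum(V[i] * key[i][1] * coeff[i] for i in S) % P
        if self.variant == "EFIBE-I":
            return (paired_gamma - paired_v + e_prime) % P   # first fraction in 3.2
        return (paired_v - paired_gamma + e_prime) % P       # first fraction in 3.3


def demo(seed=7):
    """Honest decryption with |omega ∩ omega'| = d succeeds, a key with too few
    matching attributes is rejected, and components pooled from two users' keys
    (two different polynomials) do not decrypt."""
    random.seed(seed)
    results, message = {}, 123456789                      # M as an element of G2
    for variant in ("EFIBE-I", "EFIBE-II"):
        scheme = ToyFIBE(d=3, variant=variant)
        ct = scheme.encrypt({1, 2, 3, 4, 5}, message)    # Bob's enrolled reading omega
        bob = scheme.keygen({2, 3, 5, 6})                 # later reading omega', overlap 3 = d
        results[variant, "honest"] = scheme.decrypt(bob, ct) == message
        user_a = scheme.keygen({1, 2, 7})                 # overlap 2 < d
        user_b = scheme.keygen({3, 8, 9})                 # overlap 1 < d
        try:
            scheme.decrypt(user_a, ct)
            results[variant, "too_few_rejected"] = False
        except ValueError:
            results[variant, "too_few_rejected"] = True
        pooled = {**user_a, **user_b}                     # collusion: 3 matching components
        results[variant, "collusion"] = scheme.decrypt(pooled, ct) == message
    return results
```

The pooled key fails because Σ q(i)Δ_{i,S}(0) only interpolates to y when every component comes from the same polynomial, which is exactly the collusion argument of Section 3.4.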


Chapter 4
Proof of Security

The approach to prove the security of all three schemes is to show that, if a polynomial-time adversary is able to break the scheme, then the scheme itself can be used to solve, in polynomial time, some problem assumed to be difficult. In short, we use reductio ad absurdum to show that a false assumption (insecurity of a scheme) leads to an absurd result (a polynomial-time solution for a hard problem), thus proving the security of the scheme. This is the general approach for such schemes, called reduction. In the case of these three schemes, we will reduce the security problem to one of the two Diffie-Hellman problems from the Definitions chapter [11].

4.1 Security of FIBE Scheme
Theorem 1. Assuming that the DMBDH problem is hard, the FIBE scheme is secure in the Selective-ID model. In other words¹, if there exists an adversary able to break the FIBE scheme in the Selective-ID model with a non-negligible advantage, then a simulator exists that can solve the DMBDH problem with a non-negligible advantage [17].

Proof. Let A be a polynomial-time adversary. We assume that A is able to attack the FIBE scheme in the Selective-ID model with a non-negligible advantage ε when guessing. We will show that, as a result of this, a simulator B can solve the DMBDH problem with a non-negligible advantage ε.

Challenger's Side
Let $G_1$ and $G_2$ be chosen with an efficient bilinear map $e$. Let $g$ be a generator for $G_1$. The challenger flips a fair binary coin and picks a random bit $\mu \in \{0, 1\}$. For a defined universe $U$ and random $a$, $b$, $c$ and $z$ values, we will have
if $\mu = 0$, then $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^{ab/c})$, and
if $\mu = 1$, then $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^z)$.
B has no knowledge of these arrangements. Now the Selective-ID game begins.

Initialization
A asks B to be challenged for an identity α.

Scheme Set-up
B assigns the public parameters as $Y = e(g, A) = e(g, g)^a$ and $\{T_i = C^{\beta_i} = g^{c\beta_i}\}_{i \in \alpha}$, where $\{\beta_i \in \mathbb{Z}_p\}_{i \in \alpha}$ is random. Also $\{T_i = g^{\omega_i}\}_{i \in U \setminus \alpha}$, where $\{\omega_i \in \mathbb{Z}_p\}_{i \in U \setminus \alpha}$ is random. The public parameters are returned to A. From A's point of view, these are all random and comply with the scheme's construction.

Phase 1
A queries for private-keys of identities $\gamma_k$, fulfilling the condition $|\gamma_k \cap \alpha| < d$. Let γ be such an identity and $|\gamma \cap \alpha| < d$. Let $\Gamma$, $\Gamma'$, $S$ be three sets such that $\Gamma = \gamma \cap \alpha$, $\Gamma' = \{\text{any set}: \Gamma \subseteq \Gamma' \subseteq \gamma,\ |\Gamma'| = d - 1\}$ and $S = \Gamma' \cup \{0\}$. The private-key components $\{D_i\}_{i \in \Gamma'}$ are assigned by B as follows.
If $i \in \Gamma$, then $D_i = g^{s_i}$, where $s_i \in \mathbb{Z}_p$ is random.
If $i \in \Gamma' \setminus \Gamma$, then $D_i = g^{\lambda_i / \omega_i}$, where $\lambda_i \in \mathbb{Z}_p$ is random.
What motivates the above assignments is that we are aiming for $d - 1$ random points plus $q(0) = y$ from the scheme's premises, which is $q(0) = a$ here. In this way we can define a random degree $d - 1$ polynomial implicitly. For $i \in \Gamma$ the polynomial is $q(i) = c\beta_i s_i$, since $t_i = c\beta_i$. It can be simply written as
$$g^{q(i)/t_i} = g^{s_i} \;\Rightarrow\; \frac{q(i)}{c\beta_i} = s_i \;\Rightarrow\; q(i) = c\beta_i s_i.$$
For $i \in \Gamma' \setminus \Gamma$ the polynomial is $q(i) = \lambda_i$, since $t_i = \omega_i$. Again we write
$$g^{q(i)/t_i} = g^{\lambda_i/\omega_i} \;\Rightarrow\; \frac{q(i)}{\omega_i} = \frac{\lambda_i}{\omega_i} \;\Rightarrow\; q(i) = \lambda_i.$$
The values for $\{D_i\}_{i \notin \Gamma'}$ can also be calculated, since the discrete logarithm of $\{T_i\}_{i \notin \alpha}$ is known by the simulator ($\omega_i$ is known). By assigning
$$\text{if } i \notin \Gamma', \text{ then } D_i = C^{\big(\sum_{j \in \Gamma} \beta_j s_j \Delta_{j,S}(i)\big)/\omega_i}\; g^{\big(\sum_{j \in \Gamma' \setminus \Gamma} \lambda_j \Delta_{j,S}(i)\big)/\omega_i}\; Y^{\Delta_{0,S}(i)/\omega_i},$$
the simulator essentially assigns 1 for all $\{D_i\}_{i \notin \Gamma',\, i \neq 0}$, or simply $\{D_i\}_{i \notin S}$ (the first two products).

Here, we can rephrase the above notations in a simpler, single structure, as an alternative and as a contribution to the Sahai-Waters work. We can consider the previous statement with minor corrections for $D_i$ as a generalization for all $i$, whether $i \in \Gamma$, or $i \in \Gamma' \setminus \Gamma$, or $i \notin S$, or $i = 0$, as
$$D_i = C^{\big(\sum_{j \in \Gamma} \beta_j s_j \Delta_{j,S}(i)\big)/(c\beta_i)}\; g^{\big(\sum_{j \in \Gamma' \setminus \Gamma} \lambda_j \Delta_{j,S}(i)\big)/\omega_i}\; g^{a\,\Delta_{0,S}(i)/\omega_i}.$$
It is important to remember that $\{t_i = c\beta_i\}_{i \in \Gamma}$ and $\{t_i = \omega_i\}_{i \in \Gamma' \setminus \Gamma}$. As a result, we will get
$$\begin{aligned}
\text{if } i \in \Gamma: &\quad D_i = g^{\big(\sum_{j \in \Gamma} c\beta_j s_j \Delta_{j,S}(i)\big)/(c\beta_i)} = g^{c\beta_i s_i/(c\beta_i)} = g^{q(i)/t_i} \;\Rightarrow\; q(i) = c\beta_i s_i, \\
\text{if } i \in \Gamma' \setminus \Gamma: &\quad D_i = g^{\big(\sum_{j \in \Gamma' \setminus \Gamma} \lambda_j \Delta_{j,S}(i)\big)/\omega_i} = g^{\lambda_i/\omega_i} = g^{q(i)/t_i} \;\Rightarrow\; q(i) = \lambda_i, \\
\text{if } i = 0: &\quad D_0 = g^{a/\omega_0} = g^{q(0)/\omega_0} \;\Rightarrow\; q(0) = a, \text{ and} \\
\text{if } i \notin S: &\quad D_i = 1.
\end{aligned}$$
Using the case of $i \in \Gamma'$ the simulator can derive $q(x)$ by interpolation of $d - 1$ points plus $q(0) = a$. Using $q(x)$, the simulator can calculate $D_i = g^{q(i)/t_i}$ for $i \notin \Gamma'$. Therefore, the private-key for γ can be calculated.

Challenge
A sends two messages $M_0$ and $M_1$. B flips a fair binary coin and picks a random bit $\nu \in \{0, 1\}$. The cipher-text is returned as
$$E = \big(\alpha,\; E' = M_\nu Z,\; \{E_i = B^{\beta_i}\}_{i \in \alpha}\big).$$
The case of $\mu = 0$: For $\mu = 0$ we have $Z = e(g, g)^{ab/c}$. Let $r = b/c$. We get
$$E' = M_\nu Z = M_\nu e(g, g)^{ab/c} = M_\nu e(g, g)^{ar} = M_\nu Y^r, \qquad E_i = B^{\beta_i} = g^{b\beta_i} = g^{(b/c)\, c\beta_i} = g^{r c\beta_i} = (T_i)^r.$$
The cipher-text is a random encryption of the message (whichever of $M_0$ or $M_1$) using the public-key α.
The case of $\mu = 1$: For $\mu = 1$ we have $Z = e(g, g)^z$ with $z$ being a random value. We get $E' = M_\nu e(g, g)^z$. The cipher-text is a random element of $G_2$. A cannot retrieve any information about $M_\nu$.

Phase 2
Phase 1 is repeated by B.

Guess
A will try to guess ν and chooses ν'. If $\nu = \nu'$, then the simulator knows the given tuple was a DMBDH-tuple and wins the DMBDH game. If $\nu \neq \nu'$, then the simulator considers the tuple as random.
The case of $\mu = 0$: A knows that the cipher-text is an encryption of $M_\nu$. A has the advantage ε to guess correctly. We get $\Pr[\nu = \nu' \mid \mu = 0] = \tfrac{1}{2} + \varepsilon$.

¹ $p \Rightarrow q \;\equiv\; \neg q \Rightarrow \neg p$

The case of $\mu = 1$: A cannot retrieve any information about $M_\nu$. We get $\Pr[\nu = \nu' \mid \mu = 1] = \tfrac{1}{2}$.
Now we can calculate the simulator's advantage in the DMBDH game as
$$\begin{aligned}
&\Pr[A(g^a, g^b, g^c, e(g, g)^{ab/c}) = 1] - \Pr[A(g^a, g^b, g^c, e(g, g)^z) = 1] \\
&= \Pr[\nu = \nu'] - \Pr[\nu \neq \nu'] \\
&= \tfrac{1}{2}\Pr[\nu = \nu' \mid \mu = 0] + \tfrac{1}{2}\Pr[\nu = \nu' \mid \mu = 1] - \tfrac{1}{2}\Pr[\nu \neq \nu' \mid \mu = 0] - \tfrac{1}{2}\Pr[\nu \neq \nu' \mid \mu = 1] \\
&= \tfrac{1}{2}\left(\tfrac{1}{2} + \varepsilon\right) + \tfrac{1}{2} \cdot \tfrac{1}{2} - \tfrac{1}{2}\left(\tfrac{1}{2} - \varepsilon\right) - \tfrac{1}{2} \cdot \tfrac{1}{2} = \varepsilon,
\end{aligned}$$
which is non-negligible [17].

It must be mentioned that the final probability calculation done by Sahai-Waters is actually the calculation of the adversary's advantage in the Selective-ID game, while we are looking for the advantage of the simulator in the DMBDH game. The proof will not be complete without showing a non-negligible advantage for the simulator, so the final part of the proof is a correction to their work.

4.2 Security of EFIBE-I Scheme
Theorem 2. Assuming that the DBDH problem is hard, the EFIBE-I scheme is secure in the Selective-ID model. In other words², if there exists an adversary able to break the EFIBE-I scheme in the Selective-ID model with a non-negligible advantage, then a simulator exists that can solve the DBDH problem with a non-negligible advantage.

Proof. Let A be a polynomial-time adversary. We assume that A is able to attack the EFIBE-I scheme in the Selective-ID model with a non-negligible advantage ε when guessing. We will show that, as a result of this, a simulator B can solve the DBDH problem with a non-negligible advantage ε.

Challenger's Side
Let $G_1$ and $G_2$ be chosen with an efficient bilinear map $e$. Let $g$ be a generator for $G_1$. The challenger flips a fair binary coin and picks a random bit $\mu \in \{0, 1\}$. For random $a$, $b$, $c$ and $z$ values, we will have
if $\mu = 0$, then $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^{abc})$, and
if $\mu = 1$, then $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^z)$.
B has no knowledge of these arrangements. Now the Selective-ID game begins.

² $p \Rightarrow q \;\equiv\; \neg q \Rightarrow \neg p$

Initialization
A asks B to be challenged for an identity α.

Scheme Set-up
B assigns the public parameters as $g_1 = B = g^b$ and $g_2 = C = g^c$. $H$ is also a random oracle used by B and defined below. For a query $i$ to $H$:
If $\langle i, (l, h) \rangle$ exists in HList, the oracle returns $h$.³
Else,
if $i \in \alpha$, then $h = g^l / g_1$, for a random $l \in \mathbb{Z}_q$;
if $i \notin \alpha$, then $h = g^l$, for a random $l \in \mathbb{Z}_q$.
Finally, the random result $\langle i, (l, h) \rangle$ will be added to HList and returned as the answer to the query.
Here, $i$ is an identity. Querying the random oracle for identity $i$ will result in the return of $h_i$. The querying process can be expressed as $H(i) = h_i$. The list of all previous queries and their respective results is called HList and it includes tuples of the form $\langle i, (l_i, h_i) \rangle$. Thus, every $(l_i, h_i)$ is related to an $i$.

Phase 1
A queries for private-keys of identities $\gamma_k$, fulfilling the condition $|\gamma_k \cap \alpha| < d$. Let γ be such an identity and $|\gamma \cap \alpha| < d$. Let $\Gamma$, $\Gamma'$, $S$ be three sets such that $\Gamma = \gamma \cap \alpha$, $\Gamma' = \{\text{any set}: \Gamma \subseteq \Gamma' \subseteq \gamma,\ |\Gamma'| = d - 1\}$ and $S = \Gamma' \cup \{0\}$. The private-key components $\{D_i\}_{i \in \Gamma'}$ are assigned by B as follows.
If $i \in \Gamma'$, then $D_i = (h_i^{\lambda_i}, g^{\lambda_i})$, where $\lambda_i \in \mathbb{Z}_p$ is random. By means of a query, $H(i) = h_i = g^{l_i}/g_1$ can be calculated using the random oracle. Consequently, we can write
$$(h_i^{q(i)}, g^{q(i)}) = (h_i^{\lambda_i}, g^{\lambda_i}) \;\Rightarrow\; q(i) = \lambda_i.$$
The values for $\{D_i\}_{i \notin \Gamma'}$ can also be calculated according to the following generalization,
$$D_i = \left( \Big(\prod_{j \in \Gamma'} h_i^{\Delta_{j,S}(i)\,\lambda_j}\Big)\, g_2^{\Delta_{0,S}(i)\, l_i},\;\; \Big(\prod_{j \in \Gamma'} g^{\Delta_{j,S}(i)\,\lambda_j}\Big)\, g_2^{\Delta_{0,S}(i)} \right).$$
Also, for $i = 0$, we get
$$D_0 = (g_2^{l_0}, g_2) = (g^{l_0 c}, g^c) = (H(0)^c, g^c),$$
which simulates $q(0) = c$. Using the case of $i \in \Gamma'$ the simulator can derive $q(x)$ by interpolation of $d - 1$ points plus $q(0) = c$. Using $q(x)$, the simulator can calculate $D_i = (h_i^{q(i)}, g^{q(i)})$ for $i \notin \Gamma'$. Therefore, the private-key for γ can be calculated.

³ Note that a random oracle returns the same exact output for repeated inputs.

Challenge
A sends two messages $M_0$ and $M_1$. B flips a fair binary coin and picks a random bit $\nu \in \{0, 1\}$. The cipher-text is returned as
$$E = \big(\alpha,\; U = A,\; \{V_i = A^{l_i}\}_{i \in \alpha},\; E' = M_\nu Z\big).$$
The case of $\mu = 0$: For $\mu = 0$ we have $Z = e(g, g)^{abc}$. Let $r = a$. We get
$$E' = M_\nu Z = M_\nu e(g, g)^{abc} = M_\nu e(g^b, g^c)^r = e(g_1, g_2)^r M_\nu, \qquad V_i = A^{l_i} = g^{a l_i} = (g^{l_i})^r = (g_1 H(i))^r,$$
and $U = A = g^a = g^r$. The cipher-text is a random encryption of the message (whichever of $M_0$ or $M_1$) using the public-key α.
The case of $\mu = 1$: For $\mu = 1$ we have $Z = e(g, g)^z$ with $z$ being a random value. We get $E' = e(g, g)^z M_\nu$. The cipher-text is a random element of $G_2$. A cannot retrieve any information about $M_\nu$.

Phase 2
Phase 1 is repeated by B.

Guess
A will try to guess ν and chooses ν'. If $\nu = \nu'$, then the simulator knows the given tuple was a DBDH-tuple and wins the DBDH game. If $\nu \neq \nu'$, then the simulator considers the tuple as random.
The case of $\mu = 0$: A knows that the cipher-text is an encryption of $M_\nu$. A has the advantage ε to guess correctly. We get $\Pr[\nu = \nu' \mid \mu = 0] = \tfrac{1}{2} + \varepsilon$.
The case of $\mu = 1$: A cannot retrieve any information about $M_\nu$. We get $\Pr[\nu = \nu' \mid \mu = 1] = \tfrac{1}{2}$.
Now we can calculate the simulator's advantage in the DBDH game as
$$\begin{aligned}
&\Pr[A(g^a, g^b, g^c, e(g, g)^{abc}) = 1] - \Pr[A(g^a, g^b, g^c, e(g, g)^z) = 1] \\
&= \Pr[\nu = \nu'] - \Pr[\nu \neq \nu'] \\
&= \tfrac{1}{2}\Pr[\nu = \nu' \mid \mu = 0] + \tfrac{1}{2}\Pr[\nu = \nu' \mid \mu = 1] - \tfrac{1}{2}\Pr[\nu \neq \nu' \mid \mu = 0] - \tfrac{1}{2}\Pr[\nu \neq \nu' \mid \mu = 1] \\
&= \tfrac{1}{2}\left(\tfrac{1}{2} + \varepsilon\right) + \tfrac{1}{2} \cdot \tfrac{1}{2} - \tfrac{1}{2}\left(\tfrac{1}{2} - \varepsilon\right) - \tfrac{1}{2} \cdot \tfrac{1}{2} = \varepsilon,
\end{aligned}$$
which is non-negligible [1].

4.3 Security of EFIBE-II Scheme
Theorem 3. Assuming that the DBDH problem is hard, the EFIBE-II scheme is secure in the Selective-ID model. In other words⁴, if there exists an adversary able to break the EFIBE-II scheme in the Selective-ID model with a non-negligible advantage, then a simulator exists that can solve the DBDH problem with a non-negligible advantage.

Proof. Let A be a polynomial-time adversary. We assume that A is able to attack the EFIBE-II scheme in the Selective-ID model with a non-negligible advantage ε when guessing. We will show that, as a result of this, a simulator B can solve the DBDH problem with a non-negligible advantage ε.

Challenger's Side
Let $G_1$ and $G_2$ be chosen with an efficient bilinear map $e$. Let $g$ be a generator for $G_1$. The challenger flips a fair binary coin and picks a random bit $\mu \in \{0, 1\}$. For random $a$, $b$, $c$ and $z$ values, we will have
if $\mu = 0$, then $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^{abc})$, and
if $\mu = 1$, then $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^z)$.
B has no knowledge of these arrangements. Now the Selective-ID game begins.

Initialization
A asks B to be challenged for an identity α.

Scheme Set-up
B assigns the public parameters as $g_1 = B = g^b$ and $g_2 = C = g^c$. $H$ is also a random oracle used by B and defined below. For a query $i$ to $H$:
If $\langle i, (l, h) \rangle$ exists in HList, the oracle returns $h$.⁵
Else,
if $i \in \alpha$, then $h = g^l$, for a random $l \in \mathbb{Z}_q$;
if $i \notin \alpha$, then $h = g^l / g_1$, for a random $l \in \mathbb{Z}_q$.
Finally, the random result $\langle i, (l, h) \rangle$ will be added to HList and returned as the answer to the query.
Here, $i$ is an identity. Querying the random oracle for identity $i$ will result in the return of $h_i$. The querying process can be expressed as $H(i) = h_i$. The list of all previous queries and their respective results is called HList and it includes tuples of the form $\langle i, (l_i, h_i) \rangle$. Thus, every $(l_i, h_i)$ is related to an $i$.

Phase 1
A queries for private-keys of identities $\gamma_k$, fulfilling the condition $|\gamma_k \cap \alpha| < d$. Let γ be such an identity and $|\gamma \cap \alpha| < d$. Let $\Gamma$, $\Gamma'$, $S$ be three sets such that $\Gamma = \gamma \cap \alpha$, $\Gamma' = \{\text{any set}: \Gamma \subseteq \Gamma' \subseteq \gamma,\ |\Gamma'| = d - 1\}$ and $S = \Gamma' \cup \{0\}$.

⁴ $p \Rightarrow q \;\equiv\; \neg q \Rightarrow \neg p$
⁵ Note that a random oracle returns the same exact output for repeated inputs.


More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Elements of Applied Cryptography Public key encryption

Elements of Applied Cryptography Public key encryption Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

More information

Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA. Review: Number Theory Basics Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

More information

3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback 3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

More information

Solutions to Problem Set 1

Solutions to Problem Set 1 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #8 Zheng Ma February 21, 2005 Solutions to Problem Set 1 Problem 1: Cracking the Hill cipher Suppose

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Identity-based Encryption with Efficient Revocation

Identity-based Encryption with Efficient Revocation A preliminary version of this paper appears in Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press, 2008. This is the full version. Identity-based Encryption

More information

Study of algorithms for factoring integers and computing discrete logarithms

Study of algorithms for factoring integers and computing discrete logarithms Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631 Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

More information

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks. By Abdulaziz Alrasheed and Fatima RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Public Key (asymmetric) Cryptography

Public Key (asymmetric) Cryptography Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

More information

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

More information

Shor s algorithm and secret sharing

Shor s algorithm and secret sharing Shor s algorithm and secret sharing Libor Nentvich: QC 23 April 2007: Shor s algorithm and secret sharing 1/41 Goals: 1 To explain why the factoring is important. 2 To describe the oldest and most successful

More information

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

More information

Strong Encryption for Public Key Management through SSL

Strong Encryption for Public Key Management through SSL Strong Encryption for Public Key Management through SSL CH.SUSHMA, D.NAVANEETHA 1,2 Assistant Professor, Information Technology, Bhoj Reddy Engineering College For Women, Hyderabad, India Abstract: Public-key

More information

Hill s Cipher: Linear Algebra in Cryptography

Hill s Cipher: Linear Algebra in Cryptography Ryan Doyle Hill s Cipher: Linear Algebra in Cryptography Introduction: Since the beginning of written language, humans have wanted to share information secretly. The information could be orders from a

More information

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

More information

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may Number Theory Divisibility and Primes Definition. If a and b are integers and there is some integer c such that a = b c, then we say that b divides a or is a factor or divisor of a and write b a. Definition

More information

Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

Quotient Rings and Field Extensions

Quotient Rings and Field Extensions Chapter 5 Quotient Rings and Field Extensions In this chapter we describe a method for producing field extension of a given field. If F is a field, then a field extension is a field K that contains F.

More information

Democratic Group Signatures on Example of Joint Ventures

Democratic Group Signatures on Example of Joint Ventures Democratic Group Signatures on Example of Joint Ventures Mark Manulis Horst-Görtz Institute Ruhr-University of Bochum D-44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization

More information

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

More information

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey Girish Department of PGS-CEA The National Institute of Engineering, Manadavady Road,Mysore-570008, INDIA Phaneendra

More information

Modular Security Proofs for Key Agreement Protocols

Modular Security Proofs for Key Agreement Protocols Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.

More information

SFWR ENG 4C03 - Computer Networks & Computer Security

SFWR ENG 4C03 - Computer Networks & Computer Security KEY MANAGEMENT SFWR ENG 4C03 - Computer Networks & Computer Security Researcher: Jayesh Patel Student No. 9909040 Revised: April 4, 2005 Introduction Key management deals with the secure generation, distribution,

More information

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

More information

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Network Security 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Security Attacks Normal flow: sender receiver Interruption: Information source Information destination

More information

Software Tool for Implementing RSA Algorithm

Software Tool for Implementing RSA Algorithm Software Tool for Implementing RSA Algorithm Adriana Borodzhieva, Plamen Manoilov Rousse University Angel Kanchev, Rousse, Bulgaria Abstract: RSA is one of the most-common used algorithms for public-key

More information

Chapter 7: Network security

Chapter 7: Network security Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport

More information

Symmetric Key cryptosystem

Symmetric Key cryptosystem SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

More information

Implementation of Elliptic Curve Digital Signature Algorithm

Implementation of Elliptic Curve Digital Signature Algorithm Implementation of Elliptic Curve Digital Signature Algorithm Aqeel Khalique Kuldip Singh Sandeep Sood Department of Electronics & Computer Engineering, Indian Institute of Technology Roorkee Roorkee, India

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742.

Cryptography. Jonathan Katz, University of Maryland, College Park, MD 20742. Cryptography Jonathan Katz, University of Maryland, College Park, MD 20742. 1 Introduction Cryptography is a vast subject, addressing problems as diverse as e-cash, remote authentication, fault-tolerant

More information

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud The Author 211. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions please email: journals.permissions@oup.com Advance Access publication

More information

Mathematical Model Based Total Security System with Qualitative and Quantitative Data of Human

Mathematical Model Based Total Security System with Qualitative and Quantitative Data of Human Int Jr of Mathematics Sciences & Applications Vol3, No1, January-June 2013 Copyright Mind Reader Publications ISSN No: 2230-9888 wwwjournalshubcom Mathematical Model Based Total Security System with Qualitative

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Cryptography and Network Security Chapter 10

Cryptography and Network Security Chapter 10 Cryptography and Network Security Chapter 10 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 10 Other Public Key Cryptosystems Amongst the tribes of Central

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key

More information

On Factoring Integers and Evaluating Discrete Logarithms

On Factoring Integers and Evaluating Discrete Logarithms On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements

More information

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania Schnorr Signcryption Combining public key encryption with Schnorr digital signature Laura Savu, University of Bucharest, Romania IT Security for the Next Generation European Cup, Prague 17-19 February,

More information