MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Size: px
Start display at page:

Download "MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC"

Transcription

1 MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial Fulfillment of the Requirements for the Degree of Master of Science Florida Atlantic University Boca Raton, Florida May 2010

2 Copyright by Brittanney Jaclyn Amento 2010 ii

3

4 ACKNOWLEDGEMENTS First, I would like to thank my advisor, Dr. Rainer Steinwandt, for always pushing and believing in me especially during those times I wanted to give up! You have been an exceptional mentor and I am so thankful for your direction and confidence. Second, I would like to thank my mother, Neweleen Feldmar, for raising a strong minded, confident young woman. Eight years to get to this point and I couldn t have done it without your love and support. I know I make you proud everyday! Third, I would like to thank my dear friend Lisa Greenberg. I can t imagine how different the last two years would have been without the friendship and math partner we found in each other! Together, we are one half of a Ph.D girl! Last, I owe a sincere thank you to my Fusion boss of five years and friend, Melody Collins, for always finding a way to work my job around my education. I couldn t have done any of this without each of you in my corner! iv

5 ABSTRACT Author: Title: Institution: Thesis Advisor: Degree: Brittanney Jaclyn Amento Message Authentication in an Identity-Based Encryption Scheme: 1-Key-Encrypt-Then-MAC Florida Atlantic University Dr. Rainer Steinwandt Master of Science Year: 2010 We present an Identity-Based Encryption scheme, 1-Key-Encrypt-Then-MAC, in which we are able to verify the authenticity of messages using a MAC. We accomplish this authentication by combining an Identity-Based Encryption scheme given by Boneh and Franklin, with an Identity-Based Non-Interactive Key Distribution given by Paterson and Srinivasan, and attaching a MAC. We prove the scheme is chosen plaintext secure and chosen ciphertext secure, and the MAC is existentially unforgeable. v

6 MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC 1 Introduction Preliminaries Cryptographic Primitives Security Notions The Proposed Schemes Building on BasicIdent Building on FullIdent Security Conclusion Bibliography vi

7 CHAPTER 1 INTRODUCTION In this thesis, we build on the Identity-Based Encryption scheme given by Boneh and Franklin in [2] and combine it with the Identity-Based Non-Interactive Key Distribution given by Paterson and Srinivasan in [5] to create an Identity-Based Encryption scheme which authenticates messages using a MAC. We follow Martin s motivation in [4] to take a closer look at Identity-Based Encryption. Identity-Based Encryption (IBE) was first introduced in 1984 by Adi Shamir as a way to create a public key from a user s identity. IBE has all the benefits of a public key encryption scheme, plus additional benefits relating to keys being calculated for each recipient, versus being randomly generated. This relieves pre-enrollment requirements and the need to look up public keys (a huge hamper on public key cryptography). Calculating the keys also allows an IBE to have built in key recovery capability a requirement for use in business. We can also use an IBE to communicate with someone not already enrolled in our system by calculating a public key id for the recipient and using that key to encrypt the message we send them. The recipient would then authenticate himself to the Private Key Generator (PKG) and receive his private decryption key, creating a secure channel of communication. We should mention that a main disadvantage of an IBE versus public key encryption lies with key revocation being difficult to remedy. 1

8 An IBE consists of four algorithms: Setup, which generates the system parameters and a master key; Extract, which uses the master key to extract the private key associated with an identity id {0, 1} ; e.g., an or IP address; Encrypt, which uses an identity id to encrypt messages; and Decrypt, which uses the private key associated with the identity id to decrypt messages. An Identity-Based Non-Interactive Key Distribution (ID-NIKD) is a scheme which allows two parties to establish a common key without communicating. Each party receives a private key from a Trusted Authority (TA), which allows them to compute a shared key without exchanging any messages. An ID-NIKD consists of three algorithms: Setup, which generates the system parameters and a master secret key; Extract, which uses the master secret key to extract the private key associated with an identity id {0, 1}; and SharedKey, which uses an identity id and a private key to return a shared key between them. We combine these two schemes, IBE and ID-NIKD, and ask about our ability to authenticate messages. Below, we define our 1-Key-Encrypt-Then-MAC scheme and show that we are indeed able to authenticate messages. Further, we show our scheme is chosen plaintext secure (IND-ID-CPA+MAC), chosen ciphertext secure (IND-ID-CCA+MAC), and existentially unforgeable (UF-ID-CPA+MAC). 2

9 CHAPTER 2 PRELIMINARIES 2.1 Cryptographic Primitives We start by recalling the definition of an Identity-Based Encryption scheme as given by Boneh and Franklin in [2]: Definition 1 (Identity-Based Encryption). An Identity-Based Encryption scheme E is specified by four polynomial time algorithms: Setup, Extract, Encrypt, Decrypt. Setup: a probabilistic algorithm which takes a security parameter 1 k and returns params (system parameters) and master key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. Intuitively, the system parameters will be publicly known, while the master key will be known only to the Private Key Generator (PKG). Extract: a probabilistic algorithm which takes as input params, master key, and an arbitrary id {0, 1}, and returns a private key d id. Here id is an arbitrary user identity that will be used as a public key, and d id is the corresponding private decryption key. The Extract algorithm extracts a private key from the given identity. Encrypt: a probabilistic algorithm which takes as input params, id, and M M. It returns a ciphertext C C. 3

10 Decrypt: a deterministic algorithm which takes as input params, C C, and a private key d id. It returns M M or an error symbol. These algorithms must satisfy the standard consistency constraint, namely if d id is the private key generated by algorithm Extract when it is given id as the identity, then M M : Dec did (C) = M where C Enc id (M). We next recall the definition of an ID-Based Non-Interactive Key Distribution scheme as given by Paterson and Srinivasan in [5]: Definition 2 (ID-Based Non-Interactive Key Distribution (ID-NIKD)). An ID-Based Non- Interactive Key Distribution (ID-NIKD) scheme is specified by three distinct algorithms: Setup, Extract, and SharedKey. Algorithms Setup and Extract are executed by the Trusted Authority (TA), while SharedKey can be executed by any entity in possession of its private key and the identifier of any other entity with which it wishes to generate a shared key. Setup: on input 1 k, outputs a master public key (or system parameters) and a master secret key. Extract: on input a master public key, a master secret key, and an id {0, 1}, returns a private key from some space of private keys SK. SharedKey: on input a master public key, a private key d ida, and an identifier id B {0, 1}, where id B id A, this algorithm returns a shared key K A,B from some space of shared keys SHK specified in the master public key. We require that, for any pair of identities id A, id B, and corresponding private keys d ida 4

11 and d idb, SharedKey satisfies the constraint: SharedKey(master public key, d ida, id B ) = SharedKey(master public key, d idb, id A ) This ensures that entities A and B can indeed generate a shared key without any interaction. We will normally assume that SHK, the space of shared keys, is {0, 1} n(k) for some function n(k). We next recall the definition of a Message Authentication Code (MAC) as given by Bellare, Guerin, and Rogaway in [3]: Definition 3 (Message Authentication Code (MAC)). A Message Authentication Code (MAC) consists of three algorithms: Key Generation, Tagging, and Verification. The Tagging algorithm may be probabilistic; the Verification algorithm typically is not. Key Generation: on parameter 1 k, generates a key c and an L tag where L tag is the corresponding MAC length for k. Tagging: on input a k-bit key c and a message M, algorithm Tagging outputs an L tag -bit string k called the tag, or MAC, of M. Verfication: on input a k-bit key c, a message M, and an L tag -bit string τ, algorithm Verification outputs a true for accept and false for reject. We ask for a basic validity condition, namely that authentic signatures are accepted with probability one. That is, for any key c, message M, and tag τ which is output with positive probability by Tag(c, M), it must be the case that Verification(c, M, τ) = true. We combine the first three definitions and now introduce our Identity-Based Encryption scheme which verifies message authentication: 5

12 Definition 4 (1-Key-Encrypt-Then-MAC). We define our 1-Key-Encrypt-Then -MAC as a septuple of algorithms (Setup, Enc, Dec, KeyExtract, Tag, Ver, SharedKey) in which we use in an Identity-Based Encryption scheme to show authenticity of messages using a MAC, as follows: Setup: on input security parameter 1 k, returns the system parameters and a master secret key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. Enc: on input params, id, and M M computes a ciphertext C Enc id (M). Dec: on input params, C C, and a private key d id returns M or an error symbol. KeyExtract: on input params, a master secret key, and an arbitrary id {0, 1} returns a private key d id. SharedKey: on input params, a private key d ida, and an id B {0, 1}, where id A id B, returns K A,B. Tag: on input M, id A, and id B returns the tag T KA,B (M) where K A,B = SharedKey(d ida, id B, params) is a shared key between id A and id B. Ver: on input M, tag τ, and K A,B returns true if τ is a valid tag for M and false otherwise. 2.2 Security Notions To formalize the security of our 1-Key-Encrypt-Then-MAC scheme, we introduce the following definitions pertaining to chosen plaintext security, chosen ciphertext security, and MAC unforgeability. We begin by defining chosen plaintext security: 6

13 Definition 5 (IND-ID-CPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), and a verification oracle: V(M, Tag, id A, id B ) {true, false}. 3. A outputs two plaintexts m 0 m 1 of equal length and some id which was NOT previously sent to the private key extraction oracle. 4. Challenger chooses b {0, 1} randomly and sends A ciphertext. C = (Enc id (M b ) } {{ } =C, Tag(C, K A,B)) 5. A is again given access to the private key extraction oracle, tagging oracle, and verification oracle with the sole restriction that she cannot query the private key extraction oracle on the id, as in Step 3). 6. A guesses b {0, 1} and wins if b = b. 7

14 The advantage Adv A (k) of A is defined as P r(b = b ) 1 2 and θ is (IND-ID-CPA+MAC) secure if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. Next, we define the security of our MAC in the sense of existential unforgeability: Definition 6 (UF-ID-CPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), and a verification oracle: V(M, Tag, id A, id B ) {true, false}. 3. A outputs a ciphertext C = (C, id A, id B, τ) with the restrictions that neither id A or id B were previously submitted to the private key extraction oracle and (C, id A, id B ) was not previously sent to the tagging oracle. A wins if Dec dida (C). The advantage Adv A (k) of A is defined as P r[dec dida (C)] 8

15 and θ is existentially unforgeable (UF-ID-CPA+MAC) if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. Finally, we end by defining chosen ciphertext security: Definition 7 (IND-ID-CCA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), a verification oracle: V(M, Tag, id A, id B ) {true, false}, and a decryption oracle: Dec(id i, C i ) M i or. 3. A outputs two plaintexts m 0 m 1 of equal length and some id which was NOT previously sent to the private key extraction oracle. 4. Challenger chooses b {0, 1} randomly and sends A the challenge ciphertext C = (Enc id (M b ) } {{ } =C, Tag(C, K A,B)). 9

16 5. A is again given access to the private key extraction oracle, tagging oracle, verification oracle, and decryption oracle, with the restrictions that she cannot query the private key extraction oracle on the id, as in Step 3), and she cannot query the decryption oracle on the challenge ciphertext C. 6. A guesses b {0, 1} and wins if b = b. The advantage Adv A (k) of A is defined as P r(b = b ) 1 2 and θ is (IND-ID-CCA+MAC) secure if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. 10

17 CHAPTER 3 THE PROPOSED SCHEMES We present our 1-Key-Encrypt-Then-MAC scheme in which we wish to use the Identity- Based Encryption schemes BasicIdent and FullIdent, as given by Boneh and Franklin in [2], along with a MAC to verify authentication of messages. 3.1 Building on BasicIdent We first consider the scheme BasicIdent, which is given by four algorithms: Setup, Extract, Encrypt, and Decrypt, which model our algorithms Setup, KeyExtract, Enc, and Dec, respectively. Further, we consider an ID-NIKD as given by Paterson and Srinivasan in [5], which also shares the Setup and Extract algorithms of BasicIdent. Let G be some BDH parameter generator. Setup: given security parameter k Z +, run G on input 1 k to generate a prime q, two cyclic groups G 1 and G 2 of order q, an admissible bilinear map ê : G 1 G 1 G 2, and three cryptographic hash functions H 1 : {0, 1} G 1, H 2 : G 2 {0, 1} n for some n, and H 3 : {0, 1} {0, 1} k. Choose a random s Z q where s is the master secret key and set P pub = sp, P G 1 a random generator. The system parameters also include a description of a finite message space M, and a description of a finite ciphertext space C. 11

18 KeyExtract: returns a private key d ida = sh 1 (id A ). Enc: computes Q id = H 1 (id A ) G 1, chooses a random r Z q, and sets the ciphertext to be C = (rp, M H 2 (g r id)) where g id = ê(q id, P pub ) G 2 and M M. Dec: returns M or an error message by using d ida G 1 to compute M H 2 (g r id) H 2 (ê(d ida, rp )) = M SharedKey: returns key K A,B = H 2 (ê(d ida, H 1 (id B )) where id B id A. Tag: returns the tag τ = H 3 (M K A,B ) where K A,B is a shared key between id A and id B. Ver: returns true if τ = H 3 (M K A,B ) and false otherwise. 3.2 Building on FullIdent We now consider the scheme FullIdent, which is given by four algorithms: Setup, Extract, Encrypt, and Decrypt. Let G be some BHD parameter generator. Setup: as in the BasicIdent scheme. In addition, we pick a hash function H 4 : {0, 1} n {0, 1} n Z q and H 5 : {0, 1} n {0, 1} n where n is the length of the message to be encrypted. KeyExtract: as in the BasicIdent scheme. 12

19 Enc: computes Q id = H 1 (id A ) G 1, chooses a random σ {0, 1} n, sets r = H 4 (σ, M), and sets the ciphertext to be C = (rp, σ H 2 (g r id), M H 5 (σ)) where g id = ê(q id, P pub ) G 2 and M M. Dec: if rp / G 1, rejects the ciphertext. Otherwise, returns M or an error message by using d ida G 1 to do the following: Computes σ H 2 (g r id) H 2 (ê(d ida, rp )) = σ Then computes M H 5 (σ) H 5 (σ) = M and sets r = H 4 (σ, M). Tests that this r P = rp. If not, rejects the ciphertext. Otherwise, outputs M as the decryption of C. SharedKey: as in the BasicIdent scheme. Tag: as in the BasicIdent scheme. Ver: as in the BasicIdent scheme. This completes the description of our 1-Key-Encrypt-Then-MAC scheme. 13

20 CHAPTER 4 SECURITY We now consider the security of BasicIdent-MAC. The following theorem shows that BasicIdent-MAC is secure in the sense of Definition 5 (IND-ID-CPA+MAC). We first follow Boneh and Franklin s description of a random oracle model in [1]. A random oracle is a function H : X Y chosen uniformly and at random from the set of all functions {h : X Y } (assuming Y is a finite set). An algorithm can query the random oracle at any point x X and receive the value H(x) in response. Random oracles are used to model cryptographic hash functions such as SHA-1. Security proofs in the random oracle model prove security against attackers confined to the random oracle world. Theorem 1. Let H 1, H 2, and H 3 be random oracles. Then BasicIdent-MAC is secure in the sense of Definition 5. Proof. Let A be a BasicIdent-MAC adversary. We begin by constructing a new IND-ID- CPA adversary B, which attacks the Boneh-Franklin BasicIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id. Setup: Algorithm B gets BasicIdent system parameters (q, G 1, G 2, ê, n, P, P pub, H 1, H 2, H 3 ) 14

21 and gives them to A. B chooses a random index from 1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the tag and verification oracles, say i 0, and never sends this id i0 to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows: Extract Oracle queries: Algorithm A queries an id i to the extract oracle. B responds by forwarding the id i to the extract oracle as in the Boneh-Franklin scheme and responds to A with d idi, the private key associated with id i. B then has the restriction that she cannot query the same id i during the challenge. Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id s, say id A and id B. B chooses one of the id s id i0 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B has access to the SharedKey algorithm and runs it on params, id B, and d ida, receiving back K A,B. She next appends K A,B to the message M and sends it through H 3, receiving back the tag τ = H 3 (M K A,B ). B sends A the tag τ. Verification Oracle queries: Algorithm A queries the verification oracle with a message M, two id s, say id A and id B, and a tag τ. B chooses one of the id s id i0 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B runs the SharedKey algorithm and obtains K A,B, appends K A,B to M, and runs it through H 3. If τ = H 3 (M K A,B ), B sends A true. Otherwise, B sends A false. Challenge: Once algorithm A is ready to challenge, the following occurs: 1. Algorithm A outputs two plaintexts m 0 m 1 of equal length, and an id not previously sent by A to the extract oracle. The challenger in the IND-ID-CPA game chooses b {0, 1} randomly. B chooses the same m 0 m 1 and id as its challenge in the IND-ID-CPA game and receives back corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort. 15

22 1 Otherwise, with probability at least, B will be able to use the challenge id. B p(k) forwards C to A. 2. Algorithm A is again given access to the extract oracle, tag oracle, and verification oracle with the sole restriction that she cannot query the id she is challenging. 3. Algorithm A guesses b {0, 1}. B outputs the same guess and wins if b = b. Suppose the probability of algorithm A succeeding in breaking the BasicIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the BasicIdent-MAC scheme is at least 1 p(k) P r[succa ], which is non-negligible. Then P r[succ B ] 1 p(k) P r[succa ] and we have that P r[succ B ] is non-negligible. But this is a contradiction as B is a BasicIdent adversary and therefore, the P r[succ B ] is proven to be negligible by Boneh- Franklin. Therefore, our BasicIdent-MAC scheme is (IND-ID-CPA+MAC) secure. We next consider the unforgeability of the MAC in our BasicIdent-MAC scheme. The following theorem shows that the MAC in our BasicIdent-MAC scheme is existentially unforgeable in the sense of Definition 6 (UF-ID-CPA+MAC). Theorem 2. Let H 1, H 2, and H 3 be random oracles. Then BasicIdent-MAC is existentially unforgeable in the sense of Definition 6. Proof. Let A be a BasicIdent-MAC adversary. We begin by constructing a new IND-SK adversary B which attacks the Paterson-Srinivasan ID-NIKD scheme. B has access to an extract oracle, random H 3 oracle, and test oracle, with the restriction that no query to the extract oracle is allowed on either id involved in the test oracle query. Setup: Algorithm B gets ID-NIKD system parameters (1 k, master public key) and gives them to A, keeping the master secret key to herself. B chooses two random indices from 16

23 1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the extract oracle, say i 0 and i 1, and never sends id i0 or id i1 to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows: Extract Oracle queries: Algorithm A queries an id i to the extract oracle. B responds by forwarding the id i to the extract oracle as in the Paterson-Srinivasan scheme and responds to A with d idi, the private key associated with id i. B then has the restriction that she cannot query the same id i during the forgery. Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id s, say id A and id B. If id A = id i0 and id B = id i1, B chooses a random element from the space of shared keys, say SHK, and appends SHK to the message M, sends it through H 3, and receives the tag τ = H 3 (M SHK). We clarify below why this will be sufficient. Otherwise, B chooses one of the id s id i0, id i1 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B has access to the SharedKey algorithm and runs it on params, id B, and d ida, receiving back K A,B. She next appends K A,B to the message M and sends it through H 3, receiving back the tag τ = H 3 (M K A,B ). In each case, B records the tag τ and the id s associated with it on an H list 3. B sends A the tag τ. Verification Oracle queries: Algorithm A queries the verification oracle with a message M, two id s, say id A and id B, and a tag τ. B checks the H list 3 for the τ associated with id A, id B, and M. In the case where id A = id i0 and id B = id i1, if τ = H 3 (M SHK), B sends A true. Otherwise, B sends A false. In all other cases, if τ = H 3 (M K A,B ), B sends A true. Otherwise, B sends A false. Forgery: Once algorithm A is ready to forge a MAC, the following occurs: 1. A outputs ciphertext C = (C, id A, id B, τ) where τ = (C, id A, id B ). When one or both of the forgery id s has previously been queried by B to the extract oracle, we 17

24 abort. Otherwise, with probability at least 1 (p(k)) 2, B will be able to use the forgery id s. 2. B queries the test oracle on id A and id B receiving back either shared key K A,B or a random shared key SHK. B checks the H list 3 for H 3 (M K A,B ). If the entry exists on the H list 3, B outputs real. Otherwise, B outputs random. Suppose that the probability of algorithm A succeeding in forging the MAC in our BasicIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the ID-NIKD scheme is at least 1 (p(k)) 2 P r[succ A ], which is nonnegligible. We further consider the probability of a collision in the random oracles to be q 3 j 1 (1 ( (1 i 2 ))) k j=1 i=0 where q i is an upper bound on the number of queries made to random H j oracle. Therefore, the probability of collision P r[collision] is negligible. Last, we consider the advantage Adv ID NIKD (k) to be a negligible upper bound on the probability of breaking the ID-NIKD scheme. Then P r[succ B ] 1 (p(k)) 2 (P r[succa ] P r[collision] Adv ID NIKD (k)) and we have that P r[succ B ] is non-negligible. But this is a contradiction as B is an ID-NIKD adversary and therefore, the P r[succ B ] is proven to be negligible by Paterson- Srinivasan. Hence, the MAC in our BasicIdent-MAC scheme is existentially unforgeable (UF-ID-CPA+MAC). Justification of the tag oracle simulation We construct a new adversary B which attacks the Paterson-Srinivasan ID-NIKD scheme. B has access to an extract oracle, random H 3 oracle, and a test oracle. B simulates the tag oracle and verification oracle 18

25 exactly as B above EXCEPT when A outputs a forgery on id i0 and id i1. Then, B queries the test oracle and receives either the true shared key K i0,i 1 or a random shared key SHK. B computes the tag as B above, using the shared key received from the test oracle, and sends τ to A. Suppose the probability of the difference between the probability of algorithm A succeeding in forging the MAC using the true key, and the probability of algorithm A succeeding in forging the MAC using a random key, is non-negligible. Then the probability of B succeeding in correctly solving the challenge from the test oracle is P r[succ B ] = 1 2 (P r[succa true] (1 P r[succ A random])) and we have that P r[succ B ] is non-negligible. But this is a contradiction as B is an ID-NIKD adversary; therefore, the P r[succ B ] is proven to be negligible by Paterson- Srinivasan. Therefore, the MAC in our BasicIdent-MAC scheme is existentially unforgeable (UF-ID-CPA+MAC). We now consider the security of FullIdent-MAC. The following theorem shows that FullIdent-MAC is secure in the sense of Definition 7, (IND-ID-CCA+MAC). Theorem 3. Let H 1, H 2, H 3, H 4, and H 5 be random oracles. Then FullIdent-MAC is secure in the sense of Definition 7 (IND-ID-CCA+MAC). Proof. Let A be a FullIdent-MAC adversary. We begin by constructing a new IND-ID- CCA adversary B, which attacks the Boneh-Franklin FullIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id. Setup: Algorithm B gets FullIdent system parameters (q, G 1, G 2, ê, n, P, P pub, H 1, H 2, H 3, H 4, H 5 ) 19

26 and gives them to A. B chooses a random index from 1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the tag and verification oracles, say i 0, and never sends this id i0 to the extract oracle. B simulates the extract oracle, tag oracle, verification oracle, and decryption oracle as follows: Extract Oracle queries: as in the BasicIdent-MAC scheme. Tag Oracle queries: as in the BasicIdent-MAC scheme. Verification Oracle queries: as in the BasicIdent-MAC scheme. Decryption Oracle queries: Algorithm A queries the decryption oracle with an id, say id A, and ciphertext C A. B responds by forwarding (id A, C A ) to the decryption oracle as in the Boneh-Franklin scheme and responds to A with M A or. B then has the restriction that she cannot query the same (id A, C A ) during the challenge. Challenge: Once algorithm A is ready to challenge, the following occurs: 1. Algorithm A outputs two plaintexts m 0 m 1 of equal length, and an id not previously sent by A to the extract oracle. The challenger in the IND-ID-CCA game chooses b {0, 1} randomly. B chooses the same m 0 m 1 and id as its challenge in the IND-ID-CCA game and receives back corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort. 1 Otherwise, with probability at least, B will be able to use the challenge id. B p(k) forwards C to A. 2. Algorithm A is again given access to the extract oracle, tag oracle, verification oracle, and decryption oracle with the restrictions that she cannot query the id she is challenging to the extract oracle or the challenge ciphertext and id to the decryption oracle. 3. Algorithm A guesses b {0, 1}. B outputs the same guess and wins if b = b. 20

27 Suppose the probability of algorithm A succeeding in breaking the FullIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the FullIdent-MAC scheme is at least 1 p(k) P r[succa ], which is non-negligible. Then P r[succ B ] 1 p(k) P r[succa ] and we have that P r[succ B ] is non-negligible. But this is a contradiction as B is a FullIdent adversary and therefore, the P r[succ B ] is proven to be negligible by Boneh- Franklin. Hence, our FullIdent-MAC scheme is (IND-ID-CCA+MAC) secure. 21

28 CHAPTER 5 CONCLUSION In this thesis, we combined an Identity-Based Encryption scheme and a Non-Interactive Key Distribution scheme to achieve our goal of message authentication, while maintaining semantic security and unforgeability. We conclude with an open question: Can we build a compiler that takes as input an existentially unforgeable MAC and an IBE, and outputs our 1-Key-Encrypt-Then-MAC scheme, while maintaining security in the sense of indistinguishability and unforgability? 22

29 BIBLIOGRAPHY [1] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. In J. Kilian, editor, Advances in Cryptology CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages Springer-Verlag, [2] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. SIAM Journal of Computing, 32(3): , Available at stanford.edu/ dabo/papers/bfibe.pdf; extended abstract in [1]. [3] R. Guerin M. Bellare and P. Rogaway. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions. In Advances in Cryptology CRYPTO 95, volume 963 of Lecture Notes in Computer Science, pages Springer Berlin-Heidelberg, [4] L. Martin. Identity-Based Encryption: A Closer Look. The Information Systems Security Association Journal, 3(9):22 24, [5] K. Paterson and S. Srinivasan. On the Relations Between Non-Interactive Key Distribution, Identity-Based Encryption and Trapdoor Discrete Log Groups. Designs, Codes and Cryptography, 52(2): , August

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

More information

Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg

Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg Identity-based Encryption Université du Luxembourg May 15, 2014 Summary Identity-Based Encryption (IBE) What is Identity-Based Encryption? Difference with conventional PK cryptography. Applications of

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

Identity based cryptography

Identity based cryptography Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

Threshold Identity Based Encryption Scheme without Random Oracles

Threshold Identity Based Encryption Scheme without Random Oracles WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yat-sen University Guangzhou, P.R. China Yanming Wang Lingnan College

More information

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity. Table of contents MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Lecture 25: Pairing-Based Cryptography

Lecture 25: Pairing-Based Cryptography 6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography

More information

Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

More information

Lecture 13: Message Authentication Codes

Lecture 13: Message Authentication Codes Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

encryption Presented by NTU Singapore

encryption Presented by NTU Singapore A survey on identity based encryption Presented by Qi Saiyu NTU Singapore Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE) Before

More information

CryptoVerif Tutorial

CryptoVerif Tutorial CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

More information

Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

More information

ID-based Cryptography and Smart-Cards

ID-based Cryptography and Smart-Cards ID-based Cryptography and Smart-Cards Survol des techniques cryptographiques basées sur l identité et implémentation sur carte à puce The Need for Cryptography Encryption! Transform a message so that only

More information

IEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009

IEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009 Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion About The Headline Identity

More information

A Performance Analysis of Identity-Based Encryption Schemes

A Performance Analysis of Identity-Based Encryption Schemes A Performance Analysis of Identity-Based Encryption Schemes Pengqi Cheng, Yan Gu, Zihong Lv, Jianfei Wang, Wenlei Zhu, Zhen Chen, Jiwei Huang Tsinghua University, Beijing, 084, China Abstract We implemented

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

Authenticated encryption

Authenticated encryption Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

Talk announcement please consider attending!

Talk announcement please consider attending! Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically

More information

Universally Composable Identity-Based Encryption

Universally Composable Identity-Based Encryption All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Some Identity Based Strong Bi-Designated Verifier Signature Schemes

Some Identity Based Strong Bi-Designated Verifier Signature Schemes Some Identity Based Strong Bi-Designated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra-282002 (UP), India. E-mail- sunder_lal2@rediffmail.com,

More information

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

More information

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

More information

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Efficient Unlinkable Secret Handshakes for Anonymous Communications 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

More information

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

More information

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March

More information

A New and Efficient Signature on Commitment Values

A New and Efficient Signature on Commitment Values International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding

More information

Lecture 2: Complexity Theory Review and Interactive Proofs

Lecture 2: Complexity Theory Review and Interactive Proofs 600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model

Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Informatica 3 (008) 07 11 07 Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Yanli Ren and Dawu Gu Dept. of Computer Science and Engineering Shanghai Jiao Tong University

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

More information

Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12. Digital signatures. 12.1 Digital signature schemes Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Key Refreshing in Identity-based Cryptography and its Application in MANETS

Key Refreshing in Identity-based Cryptography and its Application in MANETS Key Refreshing in Identity-based Cryptography and its Application in MANETS Shane Balfe, Kent D. Boklan, Zev Klagsbrun and Kenneth G. Paterson Royal Holloway, University of London, Egham, Surrey, TW20

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Motivation Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

More information

CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction

CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 174 CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction Min Zhou 1, Mingwu Zhang 2, Chunzhi

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Anonymity and Time in Public-Key Encryption

Anonymity and Time in Public-Key Encryption Anonymity and Time in Public-Key Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics

More information

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth 1, Dan Boneh 1, and Brent Waters 2 1 Stanford University, Stanford, CA 94305 {abarth, dabo}@cs.stanford.edu 2 SRI

More information

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1 Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

More information

Symmetric Crypto MAC. Pierre-Alain Fouque

Symmetric Crypto MAC. Pierre-Alain Fouque Symmetric Crypto MAC Pierre-Alain Fouque Birthday Paradox In a set of D elements, by picking at random D elements, we have with high probability a collision two elements are equal D=365, about 23 people

More information

Identity Based Undeniable Signatures

Identity Based Undeniable Signatures Identity Based Undeniable Signatures Benoît Libert Jean-Jacques Quisquater UCL Crypto Group Place du Levant, 3. B-1348 Louvain-La-Neuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.

More information

SECURITY IN NETWORKS

SECURITY IN NETWORKS SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

More information

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of public-key cryptography is its dependence on a public-key infrastructure

More information

Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *

Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, 55-568 (04) Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications by Somayeh Heidarvand In fulfillment

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

Democratic Group Signatures on Example of Joint Ventures

Democratic Group Signatures on Example of Joint Ventures Democratic Group Signatures on Example of Joint Ventures Mark Manulis Horst-Görtz Institute Ruhr-University of Bochum D-44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

Ciphertext-Auditable Identity-based Encryption

Ciphertext-Auditable Identity-based Encryption International Journal of Network Security, Vol.17, No.1, PP.23 28, Jan. 2015 23 Ciphertext-Auditable Identity-based Encryption Changlu Lin 1, Yong Li 2, Kewei Lv 3, and Chin-Chen Chang 4,5 (Corresponding

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 3: real world applications Jean-Sébastien Coron January 2007 Public-key encryption BOB ALICE Insecure M E C C D channel M Alice s public-key Alice s private-key Authentication

More information

Modular Security Proofs for Key Agreement Protocols

Modular Security Proofs for Key Agreement Protocols Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.

More information

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies

More information

Public Key Encryption with keyword Search

Public Key Encryption with keyword Search Public Key Encryption with keyword Search Dan Boneh Stanford University Giovanni Di Crescenzo Telcordia Rafail Ostrovsky Giuseppe Persiano UCLA Università di Salerno Abstract We study the problem of searching

More information

Oblivious Signature-Based Envelope

Oblivious Signature-Based Envelope Oblivious Signature-Based Envelope Ninghui Li Department of Computer Science Stanford University Gates 4B Stanford, CA 94305-9045 ninghui.li@cs.stanford.edu Wenliang Du Department of Electrical Engineering

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Identity-Based Encryption from the Weil Pairing Dan Boneh 1, and Matt Franklin 2 1 Computer Science Department, Stanford University, Stanford CA 94305-9045 dabo@cs.stanford.edu 2 Computer Science Department,

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

More information

Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

More information

9 Digital Signatures: Definition and First Constructions. Hashing.

9 Digital Signatures: Definition and First Constructions. Hashing. Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

More information

Identity-Based Encryption: A 30-Minute Tour. Palash Sarkar

Identity-Based Encryption: A 30-Minute Tour. Palash Sarkar Identity-Based Encryption: A 30-Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata,

More information

Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

More information

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

More information

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012 Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

More information

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

INTERACTIVE TWO-CHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVE-COLLISION RESISTANT HASH FUNCTIONS

INTERACTIVE TWO-CHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVE-COLLISION RESISTANT HASH FUNCTIONS INTERACTIVE TWO-CHANNEL MESSAGE AUTHENTICATION BASED ON INTERACTIVE-COLLISION RESISTANT HASH FUNCTIONS ATEFEH MASHATAN 1 AND DOUGLAS R STINSON 2 Abstract We propose an interactive message authentication

More information

Public Key Encryption with keyword Search

Public Key Encryption with keyword Search Public Key Encryption with keyword Search Dan Boneh Stanford University Giovanni Di Crescenzo Telcordia Rafail Ostrovsky Giuseppe Persiano UCLA Università di Salerno Abstract We study the problem of searching

More information

Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

More information

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using HMAC in NIST SP 800-90 Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

More information

Hierarchical ID-Based Cryptography

Hierarchical ID-Based Cryptography Hierarchical ID-Based Cryptography Craig Gentry 1 and Alice Silverberg 2 1 DoCoMo USA Labs San Jose, CA, USA cgentry@docomolabs-usa.com 2 Department of Mathematics Ohio State University Columbus, OH, USA

More information

Provably Secure Timed-Release Public Key Encryption

Provably Secure Timed-Release Public Key Encryption Provably Secure Timed-Release Public Key Encryption JUNG HEE CHEON Seoul National University, Korea and NICHOLAS HOPPER, YONGDAE KIM and IVAN OSIPKOV University of Minnesota - Twin Cities A timed-release

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Message Authentication Codes. Lecture Outline

Message Authentication Codes. Lecture Outline Message Authentication Codes Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Message Authentication Code Lecture Outline 1 Limitation of Using Hash Functions for Authentication Require an authentic

More information