Identity-Based Encryption

Transcription

1 Identity-Based ryption Gregory Neven IBM Zurich Research Laboratory gone WILD Public-key encryption PKI pk KeyGen sk M Dec M Sender (pk) Receiver (sk) 2 1

2 Identity-based encryption (IBE) [S84] Goal: Allow to encrypt based solely on the receiver s identity Key distribution center (msk) Setup msk KeyDer mpk ID sk ID ID, M Dec M Sender (mpk) Receiver (sk ID ) 3 Bilinear maps oncept of IBE due to Shamir (1984) First efficient implementations [SK01, BF01] based on bilinear maps, aka pairings: Elliptic-curve groups G = (g), G T of prime order p Bilinear map e : G G G T so that e(g a,g b ) = e(g,g) ab = e(g ab,g) = e(g,g ab ) = e(g a,g) b = DDH problem in G is easy: Given (g a,g b?,z), decide Z = g ab : e(g a,g b? ) = e(g,z) Bilinear DDH still assumed to be hard: Given (g a, g b, g c?, Z), decide Z = e(g,g) abc 4 2

3 Applications of IBE rypt to ID = [email protected] Temporary keys, key revocation: ID = [email protected], 2007 User credentials: ID = [email protected], role=adminstrator redential is a decryption key cryptographic policy enforcement rypting to the future: ID = release-date Trusted clock publishes sk date on date Searchable encryption 5 Searchable encryption (SE) [BDOP04] PKI pk KeyGen sk W Test t W Trapd W W =W? Sender (pk) Mail server Receiver (sk) high bandwidth low bandwidth 6 3

4 Searchable encryption from IBE [BDOP04, AB+05] Generic construction of SE from IBE: SE.KeyGen = IBE.Setup SE.Trapd = IBE.KeyDer so t W = sk ID=W SE.(W) = ( M, IBE.(ID=W,M) ) for random M SE.Test(t W, (M,)) = ( IBE.Dec(t W,) = M ) Security relies on anonymity of IBE meaning ciphertext does not reveal ID? 7 Hierarchical IBE (HIBE) [GS02] Root (msk) msk KeyDer ID 1 sk (ID1) ID 1 Receiver 1 (sk ID1 ) KeyDer ID 2 sk (ID1,ID2) ID 2 Receiver 2 (sk (ID1,ID2) ) Dec M mpk, (ID 1,ID 2 ), M Sender (mpk) 8 4

5 Application to encrypted addresses as hierarchical identities = (edu, univ, cs, bob) (edu, univ) can derive keys (edu, univ, cs) can derive keys 9 Temporarily searchable encryption [AB+05] Restrict validity of trapdoor in time Trivial solution: encrypt to ID = W time ; t W = (sk W 1,, sk W n ) Logarithmic-size construction from HIBE: = t W valid for time periods 1,..,7 encrypt to ID = (W,, i) t W[1,7] W W

6 ERYPT publications Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. M. Abdalla, M. Bellare, D. atalano, E. Kiltz, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. rypto 2005, Journal of ryptology 2008 Institutions involved: ENS, USD, DTU, U. Bristol, KUL, Gemalto 11 IBE with wildcards (WIBE) [AD+05] Allow wildcards in recipient identity E.g., send encrypted to entire entire all computer all heads of department: the 12 6

7 WIBE constructions Generic WIBE from any HIBE: Dedicated wildcard string any WIBE.sk (ID1,ID2) = ( HIBE.sk (ID1,ID2), HIBE.sk ( any,id2), HIBE.sk (ID1, any ), HIBE.sk ( any, any ) ) WIBE.((ID 1, ), M) = HIBE.((ID 1, any ), M) WIBE.Dec : select correct sk (.,.) and HIBE.Dec Disadvantage: WIBE.sk = O(2 L ) Direct constructions with WIBE.sk = O(L) 13 ERYPT publications Identity-based encryption gone wild. M. Abdalla, D. atalano, A. Dent, J. Malone-Lee, G. Neven, and N. Smart. IALP 2006 Efficient chosen-ciphertext secure identity-based encryption with wildcards. J. Birkett, A. Dent, G. Neven, and J. Schuldt. AISP 2007 Institutions involved: ENS, RHUL, U. Bristol, KUL 14 7

8 Wicked IBE [AKN07] IBE with wildcard key derivation = WKD-IBE = wicked IBE dual of WIBE with wildcards in decryption keys e.g., derive keys for entire all system admininstrators: [email protected] Applications to identity-based broadcast encryption ombination: wildcards in keys and ciphertext 15 ERYPT publications Generalized key delegation for hierarchical identity-based encryption. Michel Abdalla, Eike Kiltz and Gregory Neven. ESORIS 2007 Institutions involved: ENS, WI, KUL 16 8

9 Identity-based traitor tracing [ADM+07] Key distribution center (msk) Sender (mpk) KeyDer msk Setup mpk List 1, M List 1,ID 1 sk ID1 List 1 List 2 Dec M Receiver DecID 1 M (sk ID1 ) Receiver ID 2 (sk ID2 ) Receiver ID 3 (sk ID3 ) 17 Identity-based traitor tracing [ADM+07] Key distribution center (msk) Sender (mpk) KeyDer msk Setup mpk List 1, M List 1,ID 1 sk ID1 List 1 List 2 Dec M Receiver DecID 1 M (sk ID1 ) Receiver ID 2 (sk ID2 ) Trace ID 2,ID 3 Receiver ID 3 (sk ID3 ) 18 9

10 ERYPT publications Identity-based traitor tracing. M. Abdalla, A. Dent, J. Malone-Lee, G. Neven, D. Phan, and N. Smart. PK 2007 Institutions involved: ENS, RHUL, U. Bristol, KUL, France Télécom 19 onclusions Several extensions to identity-based encryption searchable encryption wildcards traitor tracing Research retreats work top-level research international collaborations 20 10