Threshold Identity Based Encryption Scheme without Random Oracles


WCAN 2006

Threshold Identity Based Encryption Scheme without Random Oracles

Jin Li (1, 2) School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, P.R. China
Yanming Wang Lingnan College, Sun Yat-sen University, Guangzhou, P.R. China

1 This work is supported by the National Natural Science Foundation of China. The first author is supported by KaiSi Grant.
2 sysjinli@yahoo.com.cn

This paper is electronically published in Electronic Notes in Theoretical Computer Science.

Abstract

The first threshold identity-based encryption scheme secure against chosen identity and ciphertext attacks is proposed in this paper. Our construction is based on the recently proposed identity-based encryption scheme of Waters from EUROCRYPT [18]. The new threshold identity-based encryption scheme is non-interactive and does not rely on the random oracle model.

Key words: Threshold encryption, Identity-Based, Bilinear pairings, Provable security

1 Introduction

An identity-based cryptosystem [16] is a public key cryptosystem in which the public key can be an arbitrary string such as an e-mail address. A private key generator (PKG) uses a master secret key to issue private keys to identities that request them. In an Identity-Based Encryption (IBE) scheme, Alice can securely encrypt a message to Bob using Bob's identity, such as his e-mail address, as the public key. Many identity-based signature schemes, such as [1,11], have been proposed since Shamir introduced identity-based cryptosystems. However, it was not until 2001 that Boneh and Franklin [7] proposed the first practical

identity-based encryption scheme, which is provably secure in the random oracle model. Subsequently, Waters [18] proposed at EUROCRYPT the first provably secure IBE that does not rely on the random oracle model.

In a $(k, n)$-threshold encryption system, an entity called the combiner has a ciphertext $C$ that it wishes to decrypt. The combiner sends $C$ to the decryption servers and receives partial decryption shares from at least $k$ out of the $n$ decryption servers. It then combines these $k$ partial decryptions into a complete decryption of $C$. Ideally there is no other interaction in the system, i.e. the servers need not talk to each other during decryption; such threshold systems are called non-interactive. Often one also requires that threshold decryption be robust [13,17]: if threshold decryption of a valid ciphertext fails, the combiner can identify the decryption servers that supplied invalid partial decryptions.

In order to prevent a single PKG from having full possession of the master key in identity-based encryption, Boneh and Franklin [7] suggested that the PKG's master key be shared among a number of PKGs using the techniques of threshold cryptography, which they call a distributed PKG. A $(k, n)$-threshold identity-based encryption scheme (TIBE) [6] is an identity-based system in which the master secret key is distributed among $n$ PKGs so that at least $k$ PKGs are needed for key generation.

Many reductionist security proofs use the random oracle model [2]. Several papers have shown that some popular cryptosystems previously proved secure in the random oracle model are actually provably insecure when the random oracle is instantiated by any real-world hash function [3]. Therefore, a provably secure TIBE scheme in the standard model is of great interest. The first TIBE without random oracles was proposed by Boneh et al. [6]; however, it is only semantically secure and selective-ID secure.

In this paper, we propose a new TIBE scheme based on the recently proposed identity-based encryption scheme of Waters [18]. It is the first TIBE scheme that can be proved adaptively chosen identity and chosen ciphertext secure without relying on the random oracle model.

Organization. The next section gives the definition of TIBE and reviews bilinear pairings and some problems related to pairings. Section 3 gives a concrete construction of TIBE together with its security analysis. The paper ends with some concluding remarks.

2 Preliminaries

2.1 Security Definitions and Notions

The definition is as follows.

Definition 2.1 A $(k, n)$-TIBE scheme consists of the algorithms (Setup, ShareKeyGen, ShareVerify, Combine, Encrypt, ValidateCT, Decrypt), specified as follows:

1. Setup is the parameter generation algorithm. It takes as input the number of decryption servers $n$, a threshold $k$ with $1 \le k \le n$, and a security parameter $1^\lambda$. It outputs a triple $(PK, VK, SK)$, where $PK$ is called the system parameters, $VK$ is called the verification key, and $SK = (SK_1, \ldots, SK_n)$ is a vector of master key shares. Decryption server $i$ is given the master key share $(i, SK_i)$.
2. ShareKeyGen: takes as input the system parameters $PK$, an identity $ID$, and a master key share $(i, SK_i)$. It outputs a private key share $\theta_i$ for $ID$.
3. ShareVerify: takes as input $PK$, the verification key $VK$, an identity $ID$, and a private key share $\theta_i$. It outputs 1 if the share is valid or 0 if it is invalid.
4. Combine: takes as input $PK$, $VK$, an identity $ID$ and $k$ private key shares $\theta_1, \ldots, \theta_k$; it outputs $d_{ID}$ or $\bot$.
5. Encrypt: takes $PK$, an identity $ID$, and a message $M$, and outputs a ciphertext $C$.
6. ValidateCT: takes as input $PK$, an identity $ID$, and a ciphertext $C$. It outputs 1 if $C$ is valid or 0 if it is invalid.
7. Decrypt: takes as input $PK$, $ID$, a private key $d_{ID}$, and a ciphertext $C$. It outputs a message $M$ or $\bot$.

The security of a TIBE scheme is defined using two properties: security against chosen identity attacks and consistency of key generation. There are two ways to define chosen identity attacks against IBE schemes, depending on whether the adversary chooses the target identity adaptively (an adaptive-ID attack [7]) or selects it in advance (a selective-ID attack [5]); only a scheme secure against selective-ID attacks was proposed in [6]. We now define security of a TIBE scheme against chosen identity and chosen ciphertext attacks. The formal definition is based on the following game between a challenger and a static adversary $\mathcal{A}$. Both are given $n$, $k$, and a security parameter $\lambda$ as input.

Initialization: The adversary outputs a set $S \subset \{1, \ldots, n\}$ of $k - 1$ decryption servers to corrupt.

Setup: The challenger runs Setup to obtain a random instance $(PK, VK, SK)$ where $SK = (SK_1, \ldots, SK_n)$. It gives the adversary $PK$, $VK$, and all $(j, SK_j)$ for $j \in S$.

Phase 1: The adversary adaptively issues chosen identity queries $(ID, i)$. The challenger responds with $\mathrm{ShareKeyGen}(PK, i, SK_i, ID)$. The adversary can also issue chosen ciphertext queries $(ID, C)$, to which the challenger responds with $\mathrm{Decrypt}(C, SK_i, ID)$.

Challenge: $\mathcal{A}$ outputs an identity $ID^*$ and two equal-length plaintexts $m_0, m_1$ for the challenge ciphertext. The challenger chooses a random $b \in \{0, 1\}$ and sends the challenge ciphertext $C^* = \mathrm{Enc}(ID^*, m_b)$ to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ continues to query as in Phase 1.

Guess: Finally, $\mathcal{A}$ outputs a guess bit $b'$. We say that $\mathcal{A}$ wins the game if $b' = b$. The advantage $\mathrm{Adv}^{cca}_{\mathcal{A}}(1^\lambda)$ of $\mathcal{A}$ is defined as the probability that it wins the game minus $\frac{1}{2}$.

Definition 2.2 A TIBE scheme is secure if $\mathrm{Adv}^{cca}_{\mathcal{A}}(1^\lambda)$ is negligible for any probabilistic polynomial time (PPT) adversary $\mathcal{A}$.

2.2 One-Time Signature

Before giving the definition of a one-time signature (OTS), we first recall the definition of a generic signature scheme. A signature scheme is made up of three algorithms, Gen, Sign and Verify, for generating keys, signing, and verifying signatures respectively. The standard notion of security for a signature scheme is existential unforgeability under a chosen message attack [17], which is defined through the following game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$:

1. $\mathcal{C}$ runs $\mathrm{Gen}(1^\lambda)$ and obtains a public key $pk$ and a secret key $sk$. The public key $pk$ is sent to $\mathcal{A}$.
2. $\mathcal{A}$ adaptively requests signatures on at most $q_S$ messages $m_i$, $i = 1, \ldots, q_S$; $\mathcal{C}$ returns the corresponding signature $\sigma_i$ obtained by running Sign.
3. Finally, $\mathcal{A}$ outputs $(m^*, \sigma^*)$, where $m^*$ is a message and $\sigma^*$ is a signature, such that $m^*$ is not equal to the input of any query to Sign. $\mathcal{A}$ wins the game if $\sigma^*$ is a valid signature on $m^*$.

A signature scheme is called secure if $\mathcal{A}$ cannot output such a valid forged signature after the above game. The security definition of an OTS is the same as for signatures, except that the attacker may query the signing oracle only once, i.e. $q_S = 1$.

2.3 Pairings and Problems

Our scheme uses bilinear pairings on elliptic curves. We now briefly review the properties of pairings and some candidate hard problems from pairings that will be used later.

Let $G$, $G_T$ be cyclic groups of prime order $p$, written multiplicatively, and let $g$ be a generator of $G$.

Definition 2.3 A map $\hat{e} : G \times G \to G_T$ is called a bilinear pairing if, for all $x, y \in G$ and $a, b \in \mathbb{Z}_p$, we have $\hat{e}(x^a, y^b) = \hat{e}(x, y)^{ab}$, and $\hat{e}(g, g) \ne 1$.

Definition 2.4 (Decision Bilinear Diffie-Hellman Problem) The Decision BDH

problem is: given $(g, g^x, g^y, g^z) \in G^4$ for unknown $x, y, z \in \mathbb{Z}_p$ and $T \in G_T$, decide whether $T = \hat{e}(g, g)^{xyz}$. We say that the Decision $(t, \epsilon)$-BDH assumption holds in $G$ if no $t$-time algorithm solves the Decision BDH problem with probability at least $\frac{1}{2} + \epsilon$ for non-negligible $\epsilon$.

3 The Threshold Identity-Based Encryption Scheme

3.1 Brief Review of Waters' Identity-Based Encryption

Let $G$ be a bilinear group of prime order $p$ with a pairing $\hat{e} : G \times G \to G_T$. Identities are represented as bit strings of length $n$. Identities of arbitrary length can also be handled by letting $n$ be the output length of a collision resistant hash function.

Setup. To generate system parameters, the algorithm selects a random generator $g \in G$, picks a random $\alpha \in \mathbb{Z}_p$, and sets $g_1 = g^\alpha$. Additionally, it picks two random values $g_2, u \in G$ and a random $n$-length vector $U = (u_i)$ whose elements are chosen at random from $G$. The system parameters are $param = (g, g_1, g_2, u, U)$ and the master key is $g_2^\alpha$.

Extract. Let $ID = (I_1, \ldots, I_n) \in \{0, 1\}^n$ be an $n$-bit string representing an identity. To generate a private key for $ID$, the algorithm picks a random $r \in \mathbb{Z}_p$ and returns $S_{ID} = (d_1, d_2)$, where
$$d_1 = g_2^\alpha \Big(u \prod_{i=1}^n u_i^{I_i}\Big)^r, \qquad d_2 = g^r.$$

Enc. To generate the ciphertext of a plaintext $M \in G_T$ with respect to $ID$, pick $s \in_R \mathbb{Z}_p$ and output the ciphertext $C = (C_1, C_2, C_3)$, where
$$C_1 = \hat{e}(g_1, g_2)^s M, \qquad C_2 = g^s, \qquad C_3 = \Big(u \prod_{i=1}^n u_i^{I_i}\Big)^s.$$

Dec. On input a ciphertext $C = (C_1, C_2, C_3)$ and the private key $S_{ID} = (d_1, d_2)$ for $ID$, output the plaintext
$$M = C_1 \cdot \frac{\hat{e}(d_2, C_3)}{\hat{e}(d_1, C_2)}.$$

3.2 The Threshold Identity-Based Encryption Scheme without Random Oracles

1. Setup. To generate system parameters, select a random generator $g \in G$, pick a random $\alpha \in \mathbb{Z}_p$, and set $g_1 = g^\alpha$. Additionally, pick three random values $g_2, h, u \in G$ and a random $n$-length vector $U = (u_i)$ whose elements are chosen at random from $G$. Furthermore, choose a random polynomial $f(x) \in \mathbb{Z}_p[x]$ of degree $k - 1$ such that $\alpha = f(0)$, and compute the $n$ master key shares $(i, sk_i)$ for $1 \le i \le n$, defined as $sk_i = g_2^{f(i)}$.

The public verification key $VK$ consists of the $n$-tuple $(g^{f(1)}, \ldots, g^{f(n)})$. Additionally, a hash function $H : \{0, 1\}^* \to \mathbb{Z}_p$ is defined. The system parameters are $param = (g, g_1, g_2, h, u, U, VK, H)$, and the master key share of server $i$ is $sk_i$

for $1 \le i \le n$.

2. ShareKeyGen. Let $ID = (I_1, \ldots, I_n) \in \{0, 1\}^n$ be an $n$-bit string representing an identity. Server $i$ picks a random $r_i \in \mathbb{Z}_p$ and returns
$$d_i = \Big(sk_i \Big(u \prod_{j=1}^n u_j^{I_j}\Big)^{r_i},\ g^{r_i}\Big) \quad \text{for } 1 \le i \le n.$$

3. ShareVerify. To verify whether $d_i = (d_{i,1}, d_{i,2})$ is a valid private key share for the identity $ID = (I_1, \ldots, I_n)$, let $VK = (vk_1, \ldots, vk_n)$ with $vk_i = g^{f(i)}$. Output 1 or 0 according to whether the following condition holds:
$$\hat{e}(d_{i,1}, g) \stackrel{?}{=} \hat{e}(vk_i, g_2) \cdot \hat{e}\Big(d_{i,2},\ u \prod_{j=1}^n u_j^{I_j}\Big).$$

4. Combine. Without loss of generality, assume that decryption servers $i = 1, \ldots, k$ were used to generate $d_1, \ldots, d_k$. To derive the private key for $ID$, let $\lambda_1, \ldots, \lambda_k \in \mathbb{Z}_p$ be the Lagrange coefficients such that $\alpha = f(0) = \sum_{i=1}^k \lambda_i f(i)$. Output the private key
$$d_{ID} = \Big(\prod_{i=1}^k d_{i,1}^{\lambda_i},\ \prod_{i=1}^k d_{i,2}^{\lambda_i}\Big) = \Big(g_2^\alpha \Big(u \prod_{j=1}^n u_j^{I_j}\Big)^r,\ g^r\Big)$$
for some $r \in \mathbb{Z}_p$ (namely $r = \sum_{i=1}^k \lambda_i r_i$), which is the same as the private key in Waters' extraction algorithm.

5. Encrypt. To generate the ciphertext of a plaintext $M \in G_T$ with respect to $ID = (I_1, \ldots, I_n) \in \{0, 1\}^n$, generate a one-time signature key pair $(vk, sk) \leftarrow \mathrm{Gen}(1^\lambda)$. Then pick $s \in_R \mathbb{Z}_p$ and output the ciphertext $C = (c_1, c_2, c_3, c_4, c_5, c_6)$, where
$$c_1 = \hat{e}(g_1, g_2)^s M, \quad c_2 = g^s, \quad c_3 = \Big(u \prod_{j=1}^n u_j^{I_j}\Big)^s, \quad c_4 = \big(g_1^{H(vk)} h\big)^s, \quad c_5 = \mathrm{Sign}_{sk}(c_1, c_2, c_3, c_4), \quad c_6 = vk.$$

6. ValidateCT. To validate a ciphertext $C = (c_1, c_2, c_3, c_4, c_5, c_6)$, first check that $\mathrm{Verify}_{c_6}((c_1, c_2, c_3, c_4), c_5) = 1$. If it holds, then check that
$$\hat{e}\Big(c_2,\ u \prod_{j=1}^n u_j^{I_j}\Big) = \hat{e}(g, c_3) \quad \text{and} \quad \hat{e}\big(c_2,\ g_1^{H(c_6)} h\big) = \hat{e}(g, c_4).$$
Output 1 if all checks hold; otherwise output 0.

7. Decrypt. Given a ciphertext $C = (c_1, c_2, c_3, c_4, c_5, c_6)$ and the private key $d_{ID} = (d_1, d_2)$, first check that $\mathrm{ValidateCT}(PK, ID, C) = 1$. If the check fails, output $\bot$ and exit. Otherwise, pick a random value $r' \in \mathbb{Z}_p$ and output the plaintext
$$M = c_1 \cdot \frac{\hat{e}(d_2, c_3) \cdot \hat{e}(g^{r'}, c_4)}{\hat{e}\big(d_1 (g_1^{H(c_6)} h)^{r'},\ c_2\big)}.$$

3.3 Security Result

Theorem 3.1 The TIBE system above is secure against chosen identity and chosen ciphertext attacks if the Decision BDH assumption holds and the one-time signature scheme is secure.

Proof. The algorithm $\mathcal{C}$ described below solves the Decision BDH problem: given a random instance $(g, X = g^x, Y = g^y, Z = g^z, T)$, it decides whether $T = \hat{e}(g, g)^{xyz}$.

Setup: The simulator $\mathcal{C}$ defines $g_1 = X$ and $g_2 = Y$. It runs Gen to obtain a one-time key pair $(vk^*, sk^*)$. It also defines a hash function $H : \{0, 1\}^* \to \mathbb{Z}_p$ and, for a random $\omega \in \mathbb{Z}_p$, sets $h = g_1^{-H(vk^*)} g^\omega$. It sets an integer $m = 4q_E$ and chooses an integer $k'$ (distinct from the threshold $k$) uniformly at random between 0 and $n$. It then chooses a random value $a'$ and a random $n$-length vector $a = (a_i)$, all chosen uniformly at random between 0 and $m - 1$. Additionally, the simulator chooses a random $b' \in \mathbb{Z}_p$ and an $n$-length vector $b = (b_i)$ whose elements are chosen at random in $\mathbb{Z}_p$. These values are all kept internal to the simulator. It then assigns
$$u = g_1^{\,p - k'm + a'} g^{b'} \quad \text{and} \quad u_i = g_1^{a_i} g^{b_i} \ \text{ for } 1 \le i \le n.$$
The system parameters $(g, g_1, g_2, u, U)$ are sent to $\mathcal{A}$.

To make the notation easier to follow, the following functions are defined for an identity $ID = (I_1, \ldots, I_n) \in \{0, 1\}^n$:
$$F(ID) = (p - mk') + a' + \sum_{i=1}^n a_i I_i, \qquad J(ID) = b' + \sum_{i=1}^n b_i I_i,$$
and the binary function
$$K(ID) = \begin{cases} 0, & \text{if } a' + \sum_{i=1}^n a_i I_i \equiv 0 \pmod m; \\ 1, & \text{otherwise.} \end{cases}$$

Assume w.l.o.g. that the adversary corrupts the first $k - 1$ players, $S = \{P_1, \ldots, P_{k-1}\}$. $\mathcal{C}$ generates the secret key shares for the $k - 1$ corrupted players as follows. $\mathcal{C}$ first picks $k - 1$ random integers $x_1, \ldots, x_{k-1} \in \mathbb{Z}_p$. Let $f \in \mathbb{Z}_p[X]$ be the degree $k - 1$ polynomial implicitly defined by $f(0) = x$ and $f(i) = x_i$ for $i = 1, \ldots, k - 1$ (note that $\mathcal{C}$ does not know $f$, since it does not know $x$). $\mathcal{C}$ gives $\mathcal{A}$ the $k - 1$ secret key shares $sk_i = g_2^{x_i}$. These keys are consistent with the polynomial $f$, since $sk_i = g_2^{f(i)}$ for $i = 1, \ldots, k - 1$.

Finally, $\mathcal{C}$ constructs the verification key $VK$, an $n$-vector $(vk_1, \ldots, vk_n)$ with $vk_i = g^{f(i)}$ for the polynomial $f$ defined above, as follows. For $i \in S$, computing $vk_i$ is easy since $f(i)$ equals one of $x_1, \ldots, x_{k-1}$, which are known to $\mathcal{C}$; thus $vk_1, \ldots, vk_{k-1}$ are easy to compute. For $i \notin S$, $\mathcal{C}$ computes the Lagrange coefficients $\lambda_{0,i}, \lambda_{1,i}, \ldots, \lambda_{k-1,i} \in \mathbb{Z}_p$ such that $f(i) = \lambda_{0,i} f(0) + \sum_{j=1}^{k-1} \lambda_{j,i} f(j)$; these Lagrange coefficients are easily calculated since they do not depend on $f$. $\mathcal{C}$ then sets
$$vk_i = g_1^{\lambda_{0,i}} \cdot vk_1^{\lambda_{1,i}} \cdots vk_{k-1}^{\lambda_{k-1,i}},$$
which gives $vk_i = g^{f(i)}$ as required. Once all the $vk_i$ have been computed, $\mathcal{C}$ gives $\mathcal{A}$ the verification key $VK = (vk_1, \ldots, vk_n)$.

Extraction Queries: Assume the adversary makes at most $q_E$ extraction queries. $\mathcal{C}$ first computes the Lagrange coefficients $\lambda_{0,i}, \lambda_{1,i}, \ldots, \lambda_{k-1,i} \in \mathbb{Z}_p$ such that $f(i) = \lambda_{0,i} f(0) + \sum_{j=1}^{k-1} \lambda_{j,i} f(j)$. Given an identity $ID$ for a private key share query, $\mathcal{C}$ aborts if $K(ID) = 0$. Otherwise, it randomly picks $r_i \in \mathbb{Z}_p$ and outputs the simulated secret share
$$d_i = \Big( g_2^{-\lambda_{0,i} J(ID)/F(ID)} \Big(u \prod_{j=1}^n u_j^{I_j}\Big)^{r_i} g_2^{\sum_{j=1}^{k-1} \lambda_{j,i} f(j)},\ \ g_2^{-\lambda_{0,i}/F(ID)} g^{r_i} \Big).$$
Let $\tilde{r}_i = r_i - \lambda_{0,i}\, y / F(ID)$ (which is not known to $\mathcal{C}$). The correctness of the share can then be verified as follows:
$$g_2^{-\lambda_{0,i} J(ID)/F(ID)} \Big(u \prod_{j=1}^n u_j^{I_j}\Big)^{r_i} g_2^{\sum_{j=1}^{k-1} \lambda_{j,i} f(j)}
= g_2^{\lambda_{0,i} x} g_2^{\sum_{j=1}^{k-1} \lambda_{j,i} f(j)} \cdot g_1^{-\lambda_{0,i} y} g_2^{-\lambda_{0,i} J(ID)/F(ID)} \Big(u \prod_{j=1}^n u_j^{I_j}\Big)^{r_i}
= g_2^{f(i)} \Big(u \prod_{j=1}^n u_j^{I_j}\Big)^{\tilde{r}_i},$$
using $g_2^{\lambda_{0,i} x} g_1^{-\lambda_{0,i} y} = 1$ and $u \prod_{j=1}^n u_j^{I_j} = g_1^{F(ID)} g^{J(ID)}$. Additionally, $g_2^{-\lambda_{0,i}/F(ID)} g^{r_i} = g^{\tilde{r}_i}$. So it is a valid key share from the view of $\mathcal{A}$.

Decryption Queries: $\mathcal{A}$ issues up to $q_S$ decryption queries to the uncorrupted servers. Let $C = (c_1, c_2, c_3, c_4, c_5, c_6)$ be the ciphertext of a decryption query for the identity $ID = (I_1, \ldots, I_n)$, and write $vk = c_6$. $\mathcal{C}$ first checks whether the ciphertext is valid. If it is not, it outputs a distinguished symbol $\bot$. Otherwise, it picks random $\omega', r \in \mathbb{Z}_p$ and outputs the plaintext
$$M = c_1 \cdot \frac{\hat{e}(g^{r}, c_3) \cdot \hat{e}\big(g^{\omega'} g_2^{1/(H(vk^*) - H(vk))},\ c_4\big)}{\hat{e}\Big(\big(u \prod_{i=1}^n u_i^{I_i}\big)^{r} \big(g_1^{H(c_6)} h\big)^{\omega'} g_2^{\omega/(H(vk^*) - H(vk))},\ c_2\Big)}.$$
The correctness of the decryption can be verified as follows. Let $\tilde{r} = \omega' - y/(H(vk) - H(vk^*))$ (which is not known to $\mathcal{C}$); then
$$\Big(u \prod_{i=1}^n u_i^{I_i}\Big)^{r} \big(g_1^{H(c_6)} h\big)^{\omega'} g_2^{\omega/(H(vk^*) - H(vk))} = g_2^{x} \Big(u \prod_{i=1}^n u_i^{I_i}\Big)^{r} \big(g_1^{H(vk)} h\big)^{\tilde{r}}.$$
Furthermore, $g^{\omega'} g_2^{1/(H(vk^*) - H(vk))} = g^{\tilde{r}}$.

Challenge: Finally, the adversary submits two messages $m_0, m_1$ and an identity $ID^*$ for the challenge ciphertext. If $a' + \sum_{i=1}^n a_i I_i^* \ne k'm$, the challenger aborts and submits a random guess. Otherwise, we have $F(ID^*) \equiv 0 \pmod p$, and the simulator flips a fair coin $\gamma$ and constructs the challenge ciphertext as
$$C^* = (c_1^*, c_2^*, c_3^*, c_4^*, c_5^*, c_6^*) = \big(T \cdot m_\gamma,\ Z,\ Z^{J(ID^*)},\ Z^{\omega},\ \mathrm{Sign}_{sk^*}(c_1^*, c_2^*, c_3^*, c_4^*),\ vk^*\big).$$
It is easy to verify that this is a valid simulated ciphertext.
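The extraction-query simulation above is exponent bookkeeping that, like Combine, does not need $\hat{e}$ to be checked. The Python below is an added example and not the paper's code: it builds $u$ and $U$ from the simulator's hidden values, computes $F$, $J$ and $K$, and answers an extraction query to server $i$ for given $\lambda_{0,i}$ and $\sum_{j} \lambda_{j,i} f(j)$ exactly as in the formula above (taking $\lambda_{0,i} = 1$ and an empty sum gives the simulation of a plain Waters key, which this example therefore also covers). The toy group ($p = 1019$, $q = 2039$, $g = 4$), the values of $k'$, $a'$, $a_i$, $b'$, $b_i$, and the class and function names are all this example's own assumptions; the brute-force discrete logarithm is a test-only stand-in for ShareVerify.

```python
# Added example, not the paper's code: the simulator of Section 3.3 answering
# extraction queries, run in a toy group so the bookkeeping can be executed and
# checked. G is the order-P subgroup of Z_Q^* for the safe prime Q = 2P + 1;
# g = 4 is a quadratic residue mod Q and so generates it. Exponents live in Z_P.
P = 1019          # prime group order (constructed toy value)
Q = 2 * P + 1     # 2039, also prime
G = 4             # generator of the order-P subgroup of Z_Q^*


def gexp(base, e):
    """Exponentiation in G; exponents are reduced mod P first."""
    return pow(base, e % P, Q)


class Simulator:
    """Holds the values the simulator keeps internal (k', a', a_i, b', b_i) and
    exposes F, J, K and the simulated answer to an extraction query."""

    def __init__(self, g1, g2, n, q_e, k_prime, a0, a, b0, b):
        self.g1, self.g2, self.n = g1, g2, n
        self.m = 4 * q_e
        # F(ID) = 0 mod P must happen only when a' + sum a_i I_i = k' m, which
        # requires P to exceed every value that sum can take.
        assert P > (n + 1) * self.m
        assert 0 <= k_prime <= n and 0 <= a0 < self.m
        assert len(a) == len(b) == n and all(0 <= ai < self.m for ai in a)
        self.k, self.a0, self.a, self.b0, self.b = k_prime, a0, a, b0, b
        # public parameters u = g1^(P - k'm + a') g^b' and u_i = g1^a_i g^b_i
        self.u = gexp(g1, P - k_prime * self.m + a0) * gexp(G, b0) % Q
        self.U = [gexp(g1, ai) * gexp(G, bi) % Q for ai, bi in zip(a, b)]

    def _a_sum(self, ID):
        return self.a0 + sum(ai for ai, bit in zip(self.a, ID) if bit)

    def F(self, ID):
        return (P - self.k * self.m + self._a_sum(ID)) % P

    def J(self, ID):
        return (self.b0 + sum(bi for bi, bit in zip(self.b, ID) if bit)) % P

    def K(self, ID):
        return 0 if self._a_sum(ID) % self.m == 0 else 1

    def hash_id(self, ID):
        """Waters hash u * prod_j u_j^{I_j}; by construction equals g1^F(ID) g^J(ID)."""
        h = self.u
        for uj, bit in zip(self.U, ID):
            if bit:
                h = h * uj % Q
        return h

    def simulate_share(self, ID, r_i, lam0, corrupted_part):
        """Answer an extraction query to server i without knowing x = log_g g1.
        lam0 is lambda_{0,i}; corrupted_part is sum_j lambda_{j,i} f(j) over the
        corrupted servers (both computable by the simulator). None means abort."""
        if self.K(ID) == 0:
            return None
        F, J = self.F(ID), self.J(ID)
        inv_f = pow(F, -1, P)           # F != 0 mod P whenever K(ID) = 1
        d1 = (gexp(self.g2, -lam0 * J * inv_f)
              * gexp(self.hash_id(ID), r_i)
              * gexp(self.g2, corrupted_part)) % Q
        d2 = gexp(self.g2, -lam0 * inv_f) * gexp(G, r_i) % Q
        return d1, d2


def is_valid_share(sim, ID, d1, d2, f_i):
    """Test-only oracle standing in for ShareVerify: with f(i) known, (d1, d2) is
    a valid share iff d1 = g2^f(i) * H(ID)^rt where rt = log_g d2 (brute-forced,
    which is possible only because P is tiny)."""
    rt = next(e for e in range(P) if gexp(G, e) == d2)
    return d1 == gexp(sim.g2, f_i) * gexp(sim.hash_id(ID), rt) % Q


if __name__ == "__main__":
    x, y = 123, 456                                   # constructed; the simulator
    g1, g2 = gexp(G, x), gexp(G, y)                   # only ever sees g1 and g2
    sim = Simulator(g1, g2, n=4, q_e=2, k_prime=1,
                    a0=3, a=[2, 5, 1, 7], b0=11, b=[4, 9, 6, 2])
    for ID in ([1, 0, 1, 0], [0, 1, 0, 0], [1, 1, 1, 0]):
        share = sim.simulate_share(ID, r_i=77, lam0=5, corrupted_part=200)
        if share is None:
            print(ID, "abort: K(ID) = 0, F(ID) =", sim.F(ID))
        else:
            print(ID, "valid share:", is_valid_share(sim, ID, *share, (5 * x + 200) % P))
```

With these constructed values, the identity $(0,1,0,0)$ has $a' + \sum a_i I_i = 8 = k'm$, so an extraction query on it aborts while it is exactly the identity on which the challenge does not abort; every other identity tried yields a share that the validity oracle accepts, although the simulator never used $x$.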
Phase 2: The simulator answers extraction queries and decryption queries in the same way as above. Since the one-time signature scheme is secure, the adversary cannot submit a valid ciphertext with $c_6 = vk^*$; otherwise the one-time signature scheme would be insecure. Hence the simulator can simulate decryption as above.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $\gamma'$ of $\gamma$. If $\gamma' = \gamma$, then $\mathcal{C}$ decides that $T = \hat{e}(g, g)^{xyz}$; otherwise it decides $T \ne \hat{e}(g, g)^{xyz}$. It is easy to verify that if the advantage of $\mathcal{A}$ is $\epsilon$, then $\mathcal{C}$ also has advantage $\epsilon$ against the Decision BDH problem. It remains to analyze the probability of $\mathcal{C}$ not aborting. For the simulation to complete without aborting, we require that all extraction queries on an

identity $ID$ have $K(ID) = 1$, i.e. $a' + \sum_{i=1}^n a_i I_i \not\equiv 0 \pmod m$, and that the challenge query on the identity $ID^*$ has $F(ID^*) \equiv 0 \pmod p$. The probability analysis is very similar to that in [18]. As in the analysis of [18], the probability of not aborting is at least $\frac{1}{8(n+1)q_E}$. Combining the abort and non-abort cases, $\mathcal{C}$ solves the Decision BDH problem with probability $\frac{\epsilon}{32(n+1)q_E}$ if the adversary succeeds with probability $\epsilon$.

4 Conclusion

We propose the first TIBE scheme secure against chosen identity and chosen ciphertext attacks. Our construction is based on the recently proposed identity-based encryption scheme of Waters from EUROCRYPT [18]. Furthermore, the scheme is non-interactive and does not rely on random oracles.

References

[1] M. Bellare, C. Namprempre, and G. Neven. Security Proofs for Identity-based Identification and Signature Schemes. EUROCRYPT 2004, LNCS 3027, Springer.
[2] M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. First ACM Conference on Computer and Communications Security, ACM.
[3] M. Bellare, A. Boldyreva, and A. Palacio. An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem. EUROCRYPT 2004, LNCS 3027, Springer.
[4] D. Boneh and X. Boyen. Short Signatures Without Random Oracles. EUROCRYPT 2004, LNCS 3027, pages 56-73, Springer.
[5] D. Boneh and X. Boyen. Efficient selective-ID identity based encryption without random oracles. EUROCRYPT 2004, LNCS 3027, Springer-Verlag.
[6] D. Boneh, X. Boyen, and S. Halevi. Chosen ciphertext secure public key threshold encryption without random oracles. CT-RSA 05, LNCS 3860, Springer.
[7] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. CRYPTO 2001, LNCS 2139, Springer-Verlag.
[8] D. Boneh and J. Katz. Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption. Topics in Cryptology - CT-RSA 2005, LNCS 3376, Springer.
[9] X. Boyen, Q. Mei, and B. Waters. Direct Chosen Ciphertext Security from Identity-Based Techniques. ACM CCS 2005, ACM Press. Full version at
[10] Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption. EUROCRYPT 2004, LNCS 3027, Springer-Verlag.
[11] J.C. Cha and J.H. Cheon. An identity-based signature from gap Diffie-Hellman groups. PKC 2003, LNCS 2567, Springer-Verlag.
[12] R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure Against Chosen Ciphertext Attack. CRYPTO 1998, LNCS 1462, Springer-Verlag.
[13] P. Fouque and D. Pointcheval. Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks. ASIACRYPT 2001, LNCS 2248, Springer-Verlag.
[14] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. EUROCRYPT 1999, LNCS 1592, Springer-Verlag.
[15] Y. Mu, V. Varadharajan, and K. Nguyen. Delegated decryption. IMA Cryptography and Coding 1999, LNCS 1746, Springer-Verlag.
[16] A. Shamir. Identity-based cryptosystems and signature schemes. CRYPTO 1984, LNCS 196, pp. 47-53, Springer-Verlag.
[17] V. Shoup and R. Gennaro. Securing Threshold Cryptosystems against Chosen Ciphertext Attack. Journal of Cryptology, Vol. 15, pages 75-96, Springer-Verlag.
[18] B. Waters. Efficient Identity-Based Encryption without Random Oracles. EUROCRYPT 2005, LNCS 3494, Springer-Verlag.


More information

Multi-Channel Broadcast Encryption

Multi-Channel Broadcast Encryption Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content

More information

Some Identity Based Strong Bi-Designated Verifier Signature Schemes

Some Identity Based Strong Bi-Designated Verifier Signature Schemes Some Identity Based Strong Bi-Designated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra-282002 (UP), India. E-mail- sunder_lal2@rediffmail.com,

More information

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of public-key cryptography is its dependence on a public-key infrastructure

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords Jonathan Katz 1 Rafail Ostrovsky 2 Moti Yung 3 1 Telcordia Technologies and Department of Computer Science, Columbia University.

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Public Key Encryption with Keyword Search Revisited

Public Key Encryption with Keyword Search Revisited Public Key Encryption with Keyword Search Revisited Joonsang Baek, Reihaneh Safiavi-Naini,Willy Susilo University of Wollongong Northfields Avenue Wollongong NSW 2522, Australia Abstract The public key

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

The Journal of Systems and Software

The Journal of Systems and Software The Journal of Systems and Software 82 (2009) 789 793 Contents lists available at ScienceDirect The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss Design of DL-based certificateless

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

Provably Secure Timed-Release Public Key Encryption

Provably Secure Timed-Release Public Key Encryption Provably Secure Timed-Release Public Key Encryption JUNG HEE CHEON Seoul National University, Korea and NICHOLAS HOPPER, YONGDAE KIM and IVAN OSIPKOV University of Minnesota - Twin Cities A timed-release

More information

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm Proceedings of the 8th ACM Conference on Computer and Communications Security. Pages 20 27. (november 5 8, 2001, Philadelphia, Pennsylvania, USA) Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

More information

Anonymity and Time in Public-Key Encryption

Anonymity and Time in Public-Key Encryption Anonymity and Time in Public-Key Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics

More information

Adaptively-Secure, Non-Interactive Public-Key Encryption

Adaptively-Secure, Non-Interactive Public-Key Encryption Adaptively-Secure, Non-Interactive Public-Key Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T.J. Watson Research Center, NY, USA. 2 Department of Computer Science, University of Maryland.

More information

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings Fangguo Zhang 1, Reihaneh Safavi-Naini 1 and Chih-Yin Lin 2 1 School of Information Technology and Computer

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model

Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model Kristiyan Haralambiev 1 Tibor Jager 2 Eike Kiltz 3 Victor Shoup 4 Abstract This paper proposes practical

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

More information

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

More information

Oblivious Signature-Based Envelope

Oblivious Signature-Based Envelope Oblivious Signature-Based Envelope Ninghui Li Department of Computer Science Stanford University Gates 4B Stanford, CA 94305-9045 ninghui.li@cs.stanford.edu Wenliang Du Department of Electrical Engineering

More information

Metered Signatures - How to restrict the Signing Capability -

Metered Signatures - How to restrict the Signing Capability - JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL.?, NO.?, 1 Metered Signatures - How to restrict the Signing Capability - Woo-Hwan Kim, HyoJin Yoon, and Jung Hee Cheon Abstract: We propose a new notion of metered

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings

An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings Theoretical and Applied Informatics ISSN 896 5334 Vol.24 (202), no. 2 pp. 09 8 DOI: 0.2478/v079-02-0009-0 An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings

More information

A New Forward-Secure Digital Signature Scheme

A New Forward-Secure Digital Signature Scheme The extended abstract of this work appears Advances in Cryptology Asiacrypt 2000, Tatsuaki Okamoto, editor, Lecture Notes in Computer Science vol. 1976, Springer-Verlag, 2000. c IACR A New Forward-Secure

More information

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey Girish Department of PGS-CEA The National Institute of Engineering, Manadavady Road,Mysore-570008, INDIA Phaneendra

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud The Author 211. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions please email: journals.permissions@oup.com Advance Access publication

More information

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工

More information

Authenticated encryption

Authenticated encryption Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption

More information

Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Motivation Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

More information

Forward-Secure Threshold Signature Schemes

Forward-Secure Threshold Signature Schemes The extended abstract of this work appears in D. Naccache, editor, Topics in Cryptology CT-RSA 2001, Volume 2020 of Lectures Notes in Computer Science, San Francisco, CA, USA, Apr. 8 12, 2001. Springer-Verlag,

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

More information

Keyword Search over Shared Cloud Data without Secure Channel or Authority

Keyword Search over Shared Cloud Data without Secure Channel or Authority Keyword Search over Shared Cloud Data without Secure Channel or Authority Yilun Wu, Jinshu Su, and Baochun Li College of Computer, National University of Defense Technology, Changsha, Hunan, China Department

More information

An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication

An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication The 12th Australasian Conference on Information Security and Privacy (ACISP 07). (2 4 july 2007, Townsville, Queensland, Australia) J. Pieprzyk Ed. Springer-Verlag, LNCS????, pages??????. An Application

More information

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using HMAC in NIST SP 800-90 Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

More information

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1

Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 Daniel Bleichenbacher Bell Laboratories 700 Mountain Ave., Murray Hill, NJ 07974 bleichen@research.bell-labs.com

More information

Analysis of the SSH Key Exchange Protocol

Analysis of the SSH Key Exchange Protocol Analysis of the SSH Key Exchange Protocol Stephen C. Williams Dept. Computer Science, University of Bristol, Woodland Road, Bristol, BS8 1UB, United Kingdom, williams@cs.bris.ac.uk Abstract. We provide

More information

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications PhD Thesis Author: Somayeh Heidarvand Advisor: Jorge L. Villar Privacy-Providing Signatures and Their Applications by Somayeh Heidarvand In fulfillment

More information

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013 FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

More information

Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

More information

Secure Single Sign-on Schemes Constructed from Nominative Signatures

Secure Single Sign-on Schemes Constructed from Nominative Signatures Secure Single Sign-on Schemes Constructed from Nominative Signatures Jingquan Wang, Guilin Wang, and Willy Susilo Center for Computer and Information Security Research School of Computer Science and Software

More information

Message Authentication Codes 133

Message Authentication Codes 133 Message Authentication Codes 133 CLAIM 4.8 Pr[Mac-forge A,Π (n) = 1 NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in

More information

Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes

Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes Batch Decryption of ncrypted Short Messages and Its Application on Concurrent SSL Handshakes Yongdong Wu and Feng Bao System and Security Department Institute for Infocomm Research 21, Heng Mui Keng Terrace,

More information

Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

More information

A Simple Threshold Authenticated Key Exchange from Short Secrets

A Simple Threshold Authenticated Key Exchange from Short Secrets The extended abstract of this work appears in B. Roy, editor, Advances in Cryptology ASI- ACRYPT 2005, Volume 3788 of Lecture Notes in Computer Science, pages 566 584, Chennai, India, Dec. 4 8, 2005. Springer-Verlag,

More information

DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob $100 scan

More information

9 Digital Signatures: Definition and First Constructions. Hashing.

9 Digital Signatures: Definition and First Constructions. Hashing. Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

More information

Comments on "public integrity auditing for dynamic data sharing with multi-user modification"

Comments on public integrity auditing for dynamic data sharing with multi-user modification University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers Faculty of Engineering and Information Sciences 2016 Comments on "public integrity auditing for dynamic

More information

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

More information

Lightweight Encryption for Email

Lightweight Encryption for Email Lightweight Encryption for Email Ben Adida MIT ben@mit.edu Susan Hohenberger MIT srhohen@mit.edu Ronald L. Rivest MIT rivest@mit.edu Abstract Email encryption techniques have been available for more than

More information

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.

More information