How To Secure A Plaintext Attack On A Random Oracle With An ID-CPA Scheme




Transcription:

Identity-based and CCA-secure encryption. By Ilia Lotosh. Based on [BF 03], [BCHK 07].

Agenda
- Definition of ID-based encryption
- Possible applications
- CCA-secure encryption based on IBE
- Boneh-Franklin construction
- Possible implementations of the BF construction
- Boneh-Franklin IBE scheme

Definition of ID-based encryption
Standard public-key encryption: there is a certificate authority, and Alice sends Bob a message encrypted with Bob's public key.
Problems with this approach:
- There is a need for a central certificate authority that will provide the public key associated with Bob.
- Alice needs a way to validate Bob's certificate to make sure the message is being sent to Bob.
- The system is tightly coupled: messages can be sent only after Bob registers his public key, and Alice has to know about this before sending the message.

Definition of ID-based encryption
Identity-based encryption, proposed by Shamir in 1984: there is a PKG (private key generator), and Alice sends Bob a message encoded with an arbitrary string as the public key.
- Messages can be encoded with any public key.
- There is a central authority that generates private keys for public keys.
- The sender's and receiver's actions are independent and can be done in any order.
- Authorization against the PKG is done like with a regular CA.

Formal definition
An IBE scheme consists of 4 randomized algorithms:
- Setup: Takes a security parameter k and returns mpk and msk. The parameters include a description of a finite message space M and a description of a finite ciphertext space C.
- Extract: Takes as input mpk, msk, and an arbitrary ID ∈ {0,1}*, and returns a private key SK_ID. Here ID is an arbitrary string that will be used as a public key, and SK_ID is the corresponding private decryption key.
- Encrypt: Takes as input mpk, ID and m ∈ M. It returns a ciphertext c ∈ C.
- Decrypt: Takes as input mpk, c ∈ C, and a private key SK_ID. It returns m ∈ M.
These algorithms must satisfy the standard consistency constraint, namely: when SK_ID is the private key generated by algorithm Extract when it is given ID as the public key, then for all m ∈ M: Decrypt(mpk, c, SK_ID) = m where c = Encrypt(mpk, ID, m).

Security notions: IND-ID-CPA
An IBE scheme is semantically secure against an adaptive chosen-plaintext attack if no poly-bounded adversary A has non-negligible advantage against the challenger in the following IND-ID-CPA game:
- Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting mpk. It keeps the msk for itself.
- Phase 1: The adversary issues queries q_1, q_2, ..., q_m where q_i is an extraction query <ID_i>. The challenger responds with the private key d_i corresponding to the public key <ID_i>.
- Challenge: The adversary outputs two equal-length messages m_0, m_1 ∈ M and an identity ID that did not appear in any extraction query. The challenger picks a random b and sets C = Encrypt(params, ID, m_b). It sends C as the challenge to the adversary.
- Phase 2: The adversary issues more queries as in Phase 1 (but not on the challenge identity).
- Guess: The adversary outputs a guess b' and wins the game if b' = b.

Security notions: selective-ID IBE
An even weaker security notion can be obtained if we require the adversary to choose the ID he wants to compromise before seeing the public system parameters generated by the challenger. The selective-ID IND-ID-CPA game is the following:
- ID selection: The adversary chooses an identity ID and passes it to the challenger.
- Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting params. It keeps the master key for itself.
- Phase 1: The adversary issues queries q_1, q_2, ..., q_m where q_i is an extraction query <ID_i> (not on ID). The challenger responds with the private key d_i corresponding to the public key <ID_i>.
- Challenge: The adversary outputs two equal-length messages m_0, m_1 ∈ M. The challenger picks a random b and sets C = Encrypt(params, ID, m_b). It sends C as the challenge to the adversary.
- Phase 2: The adversary issues more queries as in Phase 1 (but not on the challenge identity).
- Guess: The adversary outputs a guess b' and wins the game if b' = b.

A little bit of history
- 1984: scheme definition by Shamir.
- 2001: IBE in the random-oracle model, using the Weil pairing, by Boneh and Franklin; IBE using factoring, by Cocks.
- 2005: IBE in the standard model using bilinear maps, by Waters.

Possible applications
First and trivial: to overcome the PKE scheme problems we've discussed.

Possible applications
In addition, the ability to use an arbitrary string as a public key allows the following usages:
- Revocation of public keys: keys of the form bob@company.com || year. There is a corporate PKG which will give Bob a private key valid for a year.
- Managing user credentials: keys of the form bob@company.com || year || clearance. Bob will be able to read messages only if he has the appropriate clearance on the specified date.
- Delegation to a laptop: Bob knows the private master key and creates temporary private keys to be used on his laptop during vacation.
- Delegation of duties: suppose Bob has several assistants for different subjects; then he can create a different private key for each subject, and having the master key will allow him to read all the mail.

Possible applications
Finally, identity-based encryption can be used to construct CCA-secure encryption. We will see such a construction now.

Recall CCA security
CCA (adaptive chosen-ciphertext attack) security means that there is no poly-time adversary A that can win the IND-CCA game with probability non-negligibly greater than a half. The IND-CCA game is defined as follows:
- Setup: The challenger takes a security parameter k and runs the Gen algorithm. It gives the adversary the resulting public key. It keeps the private key for itself.
- Phase 1: The adversary issues queries q_1, q_2, ..., q_m where q_i is a decryption query <C_i>. The challenger responds by decrypting C_i using the private key. It sends the resulting plaintext to the adversary.
- Challenge: The adversary outputs two equal-length messages m_0, m_1 ∈ M that did not appear in any decryption query. The challenger picks a random b and sets C = Encrypt(public-key, m_b). It sends C as the challenge to the adversary.
- Phase 2: The adversary issues more queries as in Phase 1 (but not on the challenge ciphertext).
- Guess: The adversary outputs a guess b' and wins the game if b' = b.

Constructing a CCA-secure scheme
We will now construct a public-key encryption scheme that is based on:
- an IBE scheme which is selective-ID secure against chosen-plaintext attacks;
- a one-time signature which is strongly unforgeable (which means that an adversary should not be able to forge a new signature even on a previously-signed message).
Example of such a scheme, the Lamport scheme: let f be a one-way function. Then to sign a message of n bits, do:
- The signing key is 2n random elements in the domain of f: X = {x_{1,0}, x_{1,1}}, {x_{2,0}, x_{2,1}}, ..., {x_{n,0}, x_{n,1}}.
- The public verification key is the images of X under f: Y = {y_{1,0}, y_{1,1}}, {y_{2,0}, y_{2,1}}, ..., {y_{n,0}, y_{n,1}}, where for all i, j: y_{i,j} = f(x_{i,j}).
- To sign a message m = m_1 m_2 ... m_n, output the n values x_{1,m_1}, x_{2,m_2}, ..., x_{n,m_n}.
- To verify a signature x_1, x_2, ..., x_n on message m with public key Y, verify that for each i, y_{i,m_i} = f(x_i).

Constructing a CCA-secure scheme
The construction is by Canetti, Halevi and Katz, and goes as follows. Let Π' = (Setup, Extract, Encode', Decode') be an IBE scheme and Sig = (G, Sign, Verify) be a one-time signature scheme. Our public-key encryption scheme Π = (Gen, Encode, Decode) will work as follows:
- Gen on input 1^k: runs Setup(1^k) to obtain (PK, msk). The public key is PK and the secret key is msk.
- Encryption: to encrypt message m using public key PK, the sender first runs G(1^k) to obtain a verification key vk and a signing key sk. The sender then computes c = Encode'(PK, vk, m) (i.e. the sender uses vk as an identity) and σ = Sign(sk, c). The final ciphertext is (vk, c, σ).
- Decryption: to decrypt ciphertext (vk, c, σ) using secret key msk, the receiver first checks whether Verify(vk, c, σ) = 1. If not, the receiver simply outputs ⊥. Otherwise, the receiver computes SK_vk = Extract(msk, vk) and outputs m = Decode'(SK_vk, vk, c).
It is clear that this scheme is indeed a correct public-key encryption scheme.

Proof of CCA-security
Intuition for the proof (informal): Let (vk*, c*, σ*) be the challenge ciphertext. It is clear that without any decryption oracle queries, the plaintext corresponding to the ciphertext remains "hidden" from the adversary; this is so because c* is output by Π', which is CPA-secure (and the additional components of the ciphertext provide no additional help). Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext (vk', c', σ') that is different from the challenge ciphertext but with vk' = vk*, then the decryption oracle will reply with ⊥, since the adversary is unable to forge new, valid signatures with respect to vk*. On the other hand, if vk' ≠ vk* then the decryption query will not help the adversary, since the eventual decryption using Decrypt' will be done with respect to a different "identity" vk'.

Proof of CCA-security
Formal proof: Assume we are given a poly-time adversary A attacking Π in an adaptive chosen-ciphertext attack. Say a ciphertext (vk, c, σ) is valid if Verify(vk, c, σ) = 1. Let (vk*, c*, σ*) denote the challenge ciphertext received by A during a particular run of the game, and let Forge denote the event that A submits a valid ciphertext (vk*, c, σ) to its decryption oracle. We prove the following claims:
- Claim 1: Pr^{PKE}_{A,Π}[Forge] is negligible.
- Claim 2: |Pr^{PKE}_{A,Π}[Success ∧ ¬Forge] + ½·Pr^{PKE}_{A,Π}[Forge] − ½| is negligible.
Now from these two claims we get (writing Pr for Pr^{PKE}_{A,Π}):
|Pr[Success] − ½| = |Pr[Success ∧ Forge] + Pr[Success ∧ ¬Forge] − ½| ≤ ½·Pr[Forge] + |Pr[Success ∧ ¬Forge] + ½·Pr[Forge] − ½|,
using 0 ≤ Pr[Success ∧ Forge] ≤ Pr[Forge], and the right-hand side is negligible given the stated claims.

Proof of CCA-security
Proof of Claim 1: We construct a poly-time forger F who forges a signature with respect to the signature scheme Sig with probability exactly Pr^{PKE}_{A,Π}[Forge]. The security of Sig implies the claim.
F is defined as follows: given input 1^k and a verification key vk*, F first runs Setup(1^k) to obtain (PK, msk), and then runs A(1^k, PK). Note that F can answer any decryption queries of A. If A happens to submit a valid ciphertext (vk*, c, σ) to its decryption oracle before requesting the challenge ciphertext, then F simply outputs the forgery (c, σ) and stops. Otherwise, when A outputs messages m_0, m_1, forger F proceeds as follows: it chooses a random bit b, computes c* = Encode'(PK, vk*, m_b) and obtains from its signing oracle a signature σ* on the message c*. Finally, F hands (vk*, c*, σ*) to A. If A submits a valid ciphertext (vk*, c, σ) to its decryption oracle, note that we must have (c, σ) ≠ (c*, σ*). In this case, F simply outputs (c, σ) as its forgery. It is easy to see that F's success probability is exactly Pr^{PKE}_{A,Π}[Forge].

Proof of CCA-security
Proof of Claim 2: We use A to construct a poly-time adversary A' which attacks the IBE scheme Π' in the selective IND-ID-CPA game. Define adversary A' as follows:
1. A'(1^k) runs G(1^k) to generate (vk*, sk*), and outputs the "target" identity ID* = vk*.
2. A' is given a master public key PK. Adversary A', in turn, runs A(1^k, PK).
3. When A makes a decryption oracle query Decode(vk, c, σ), adversary A' proceeds as follows:
   (a) If vk = vk* then A' checks whether Verify(vk, c, σ) = 1. If so, A' aborts and outputs a random bit. Otherwise, it simply responds with ⊥.
   (b) If vk ≠ vk* and Verify(vk, c, σ) = 0 then A' responds with ⊥.
   (c) If vk ≠ vk* and Verify(vk, c, σ) = 1 then A' makes the oracle query Extract(msk, vk) to obtain SK_vk. It then computes m = Decode'(SK_vk, vk, c) and responds with m.
4. At some point A outputs two messages m_0, m_1. These messages are output by A' as well. In return, A' is given a challenge ciphertext c*; adversary A' then computes σ* = Sign(sk*, c*) and returns (vk*, c*, σ*) to A.
5. A may continue to make decryption queries, and these are answered as before.
6. Finally, A outputs a guess b'; this same guess is output by A'.

Proof of CCA-security
Proof of Claim 2, continued: Note that A' represents a legal adversarial strategy for attacking Π'; in particular, A' never requests the secret key corresponding to the "target" identity vk*. Furthermore, A' provides a perfect simulation for A until the event Forge occurs (in which event A' outputs a random bit). And thus:
Pr^{IBE}_{A',Π'}[Success] − ½ = Pr^{PKE}_{A,Π}[Success ∧ ¬Forge] + ½·Pr^{PKE}_{A,Π}[Forge] − ½,
and the left side of the above is negligible by the assumed security of Π'.

Boneh-Franklin construction

Bilinear maps
Let G_1 and G_2 be two groups of order q. We say that a map ê: G_1 × G_1 → G_2 between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all P, Q ∈ G_1 and a, b ∈ Z: ê(aP, bQ) = ê(P, Q)^{ab}.
2. Non-degenerate: the map does not send all pairs in G_1 × G_1 to the identity in G_2.
3. Computable: there is an efficient algorithm to compute ê(P, Q) for any P, Q ∈ G_1.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.

Bilinear maps: MOV reduction
Named after Menezes, Okamoto and Vanstone. Shows that the discrete log problem in G_1 is no harder than the discrete log problem in G_2.
Let P, Q ∈ G_1, where both P, Q have order q. We wish to find α such that Q = αP. Let g = ê(P, P) and h = ê(Q, P). By bilinearity, h = g^α. By non-degeneracy of ê, both g and h have order q in G_2. Hence, we reduced the discrete log problem in G_1 to a discrete log problem in G_2.

Bilinear maps: DDH is easy
The Decision Diffie-Hellman problem in G_1 is to distinguish between the distributions (P, P^a, P^b, P^{ab}) and (P, P^a, P^b, P^c), where a, b, c are random in Z_q \ {0} and P is random in G_1 \ {0}. Given P, P^a, P^b, P^c ∈ G_1 we have:
c = ab mod q  ⟺  ê(P, P^c) = ê(P^a, P^b).
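The two implications above, worked through as an added example that is not part of the original slides: a toy bilinear map (an assumption here, standing in for the modified Weil pairing) over which the MOV reduction recovers a discrete log in G_1 by solving one in G_2, and the DDH decision is a single pairing comparison. The names e, dlog_g2, mov_dlog_g1 and ddh are this example's own.

```python
# Toy bilinear map, an assumption of this example rather than the modified Weil pairing:
# G1 = Z_q under addition with generator P = 1 (the point aP is the integer a mod q),
# G2 = the order-q subgroup of Z_N^*, and e(aP, bP) = g^(ab). Discrete logs in G1 are
# trivial here, so only the mechanics of the two reductions are being shown.
q = 649657                # prime dividing 2^126 - 1, small enough to brute-force
N = 2**127 - 1            # Mersenne prime, so q | N - 1

def subgroup_generator():
    for h in range(2, 64):
        x = pow(h, (N - 1) // q, N)
        if x != 1:
            return x      # x has order exactly q in Z_N^*

g = subgroup_generator()

def e(a, b):
    return pow(g, (a * b) % q, N)

def dlog_g2(base, target):
    """Exhaustive discrete log in G2: the x in [0, q) with base^x = target."""
    cur = 1
    for x in range(q):
        if cur == target:
            return x
        cur = cur * base % N
    return None

def mov_dlog_g1(P, Q):
    """MOV reduction: recover alpha with Q = alpha*P using only the pairing.
    g1 = e(P, P) and h = e(Q, P) = e(alpha*P, P) = g1^alpha by bilinearity, and both
    have order q by non-degeneracy, so a G2 discrete log of h to base g1 gives alpha."""
    g1, h = e(P, P), e(Q, P)
    return dlog_g2(g1, h)

def ddh(P, A, B, C):
    """DDH decider: with A = aP, B = bP, C = cP, e(P, C) = e(A, B) iff c = ab mod q."""
    return e(P, C) == e(A, B)
```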

Bilinear Diffie-Hellman problem
BDH problem: Let G_1, G_2 be two groups of prime order q. Let ê: G_1 × G_1 → G_2 be an admissible bilinear map and let P be a generator of G_1. The BDH problem in (G_1, G_2, ê) is: given (P, aP, bP, cP) for some a, b, c ∈ Z_q^*, compute W = ê(P, P)^{abc} ∈ G_2. An algorithm A has advantage ε in solving BDH in (G_1, G_2, ê) if Pr[A(P, aP, bP, cP) = ê(P, P)^{abc}] ≥ ε.
BDH parameter generator: A randomized algorithm G is a BDH parameter generator if:
1) G takes a security parameter k;
2) G runs in time polynomial in k;
3) G outputs a prime number q, a description of two groups G_1, G_2 of order q and a description of an admissible bilinear map ê: G_1 × G_1 → G_2.
BDH assumption: Let G be a BDH parameter generator. We say that an algorithm A has advantage ε(k) in solving the BDH problem for G if
Adv_{G,A}(k) = Pr[A(q, G_1, G_2, ê, P, aP, bP, cP) = ê(P, P)^{abc} : (q, G_1, G_2, ê) ← G(1^k), P ← G_1^*, a, b, c ← Z_q^*] ≥ ε(k).
We say that G satisfies the BDH assumption if for any randomized polynomial-time (in k) algorithm A we have that Adv_{G,A}(k) is a negligible function.

Possible construction for a generator satisfying the BDH assumption: elliptic curves
An elliptic curve is defined by the equation y^2 = x^3 + ax + b over some field. We will talk about the elliptic curve E defined by the equation y^2 = x^3 + 1 over the field F_p, where p is a prime satisfying p ≡ 2 mod 3. Let E(F_{p^r}) denote the group of points on E defined over F_{p^r}.
Some facts from number theory regarding E:
- Fact 1: x ↦ x^3 is a permutation on F_p. E(F_p) contains p + 1 points. Let O denote the point at infinity, let P ∈ E(F_p) be a point of order q and let G_1 be the subgroup generated by P.
- Fact 2: For any y_0 ∈ F_p there is a unique point (x_0, y_0) on E(F_p), namely x_0 = (y_0^2 − 1)^{1/3} ∈ F_p. Hence, if (x, y) is a random non-zero point on E(F_p) then y is uniform in F_p.
- Fact 3: Let 1 ≠ ζ ∈ F_{p^2} be a solution of x^3 − 1 = 0 in F_{p^2}. Then the map φ(x, y) = (ζx, y) is an automorphism of the group of points on E. Note that for any point Q = (x, y) ∈ E(F_p) we have φ(Q) ∈ E(F_{p^2}), but φ(Q) ∉ E(F_p). Hence, Q ∈ E(F_p) is linearly independent of φ(Q) ∈ E(F_{p^2}).
- Fact 4: Since the points P ∈ G_1 and φ(P) are linearly independent, they generate a group isomorphic to Z_q × Z_q. We denote this group of points by E[q].

Possible construction for a generator satisfying the BDH assumption: some basic concepts
In the following we let P and Q be arbitrary points in E(F_{p^2}):
- Divisors: A divisor is a formal sum of points on the curve E(F_{p^2}). We write divisors as A = Σ_P a_P (P) where a_P ∈ Z and P ∈ E(F_{p^2}). We will only consider divisors A = Σ_P a_P (P) where Σ_P a_P = 0.
- Functions: A function f on the curve E(F_{p^2}) can be viewed as a rational function f(x, y) ∈ F_{p^2}(x, y). For any point P = (x, y) ∈ E(F_{p^2}) we define f(P) = f(x, y).
- Divisors of functions: Let f be a function on the curve E(F_{p^2}). We define its divisor, denoted by (f), as (f) = Σ_P ord_P(f) (P). Here ord_P(f) is the order of the zero that f has at the point P.
- Principal divisors: Let A be a divisor. If there exists a function f such that (f) = A then we say that A is a principal divisor. We know that a divisor A = Σ_P a_P (P) is principal if and only if Σ_P a_P = 0 and Σ_P a_P P = O. Furthermore, given a principal divisor A there exists a unique function f such that (f) = A.
- Equivalence of divisors: We say that two divisors A, B are equivalent if their difference A − B is a principal divisor. We know that any divisor A = Σ_P a_P (P) (with Σ_P a_P = 0) is equivalent to a divisor of the form A' = (Q) − (O).
- Notation: Given a function f and a divisor A = Σ_P a_P (P) we define f(A) as f(A) = Π_P f(P)^{a_P}.

Possible construction for a generator satisfying the BDH assumption: Weil pairing
We will now define the Weil pairing of two points P, Q ∈ E[n]. Let A_P be some divisor equivalent to the divisor (P) − (O). We know that nA_P is a principal divisor (it is equivalent to n(P) − n(O)). Hence, there exists a function f_P such that (f_P) = nA_P. Define A_Q and f_Q analogously. The Weil pairing of P and Q is defined as:
e(P, Q) = f_P(A_Q) / f_Q(A_P).
It's clear that this map is bilinear, since:
e(P_1 + P_2, Q) = e(P_1, Q) · e(P_2, Q) and e(P, Q_1 + Q_2) = e(P, Q_1) · e(P, Q_2).
But it's degenerate, since for all P ∈ E[n] we have e(P, P) = 1.

Possible construction for a generator satisfying the BDH assumption: modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing ê: G_1 × G_1 → G_2 is defined as follows:
ê(P, Q) = e(P, φ(Q)).
Recall: Let 1 ≠ ζ ∈ F_{p^2} be a solution of x^3 − 1 = 0 in F_{p^2}. Then the map φ(x, y) = (ζx, y) is an automorphism of the group of points on E. Note that for any point Q = (x, y) ∈ E(F_p) we have φ(Q) ∈ E(F_{p^2}), but φ(Q) ∉ E(F_p). Hence, Q ∈ E(F_p) is linearly independent of φ(Q) ∈ E(F_{p^2}).
- G_1: the subgroup of points in E(F_p) generated by the point P of order q.
- G_2: the subgroup of F_{p^2}^* of order q.

Possible construction for a generator satisfying the BDH assumption: modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing ê: G_1 × G_1 → G_2 is defined as follows:
ê(P, Q) = e(P, φ(Q)).
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of p and q can be used in practice to make the BDH problem sufficiently hard.

Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter k, the algorithm works as follows:
- Step 1: Run G on input k to generate a prime q, two groups G_1, G_2 of order q, and an admissible map ê: G_1 × G_1 → G_2. Choose a random generator P ∈ G_1.
- Step 2: Pick a random s ∈ Z_q^* and set P_pub = sP.
- Step 3: Choose a cryptographic hash function H_1: {0,1}* → G_1^*. Choose a cryptographic hash function H_2: G_2 → {0,1}^n for some n.
The message space is M = {0,1}^n. The ciphertext space is C = G_1^* × {0,1}^n. The system parameters are mpk = (q, G_1, G_2, ê, n, P, P_pub, H_1, H_2). The msk is s ∈ Z_q^*.

Boneh-Franklin IBE scheme
Extract: For a given string ID ∈ {0,1}* the algorithm does:
1) Computes Q_ID = H_1(ID) ∈ G_1^*.
2) Sets the private key d_ID to be d_ID = sQ_ID, where s is the master key.

Boneh-Franklin IBE scheme
Encrypt: To encrypt m ∈ M under the public key ID do the following:
(1) compute Q_ID = H_1(ID) ∈ G_1^*;
(2) choose a random r ∈ Z_q^*;
(3) set the ciphertext to be C = (rP, m ⊕ H_2(g_ID^r)), where g_ID = ê(Q_ID, P_pub) ∈ G_2.

Boneh-Franklin IBE scheme
Decrypt: Let c = (U, V) ∈ C be a ciphertext encrypted using the public key ID. To decrypt c using the private key d_ID ∈ G_1^*, compute:
V ⊕ H_2(ê(d_ID, U)) = m.

Boneh-Franklin IBE scheme
Consistency:
1. During encryption m is bitwise XORed with the hash of g_ID^r = ê(Q_ID, P_pub)^r.
2. During decryption V is bitwise XORed with the hash of ê(d_ID, U).
These masks used during encryption and decryption are the same since:
ê(d_ID, U) = ê(sQ_ID, rP) = ê(Q_ID, P)^{sr} = ê(Q_ID, P_pub)^r = g_ID^r.
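To tie the Boneh-Franklin algorithms above to the Canetti-Halevi-Katz transform described earlier, here is an added example that is not code from the slides or from the papers: BasicIdent over a toy bilinear map (an assumption; discrete logs in G_1 are trivial there, so it only exercises the algebra, including the consistency equation ê(d_ID, U) = g_ID^r), a Lamport one-time signature with f = SHA-256 in the form the slides give, and the transform with vk used as the identity. All function names are this example's own, and the ciphertext is hashed to 256 bits before Lamport signing.

```python
import hashlib
import secrets

# Toy bilinear map (an assumption of this example, not the modified Weil pairing):
# G1 = Z_q under addition with generator P = 1, so the point aP is the integer a mod q;
# G2 = the order-q subgroup of Z_N^*; e(aP, bP) = g^(ab). Bilinear and non-degenerate,
# but discrete logs in G1 are trivial, so this only illustrates the algebra.
q = 649657               # prime dividing 2^126 - 1
N = 2**127 - 1           # Mersenne prime, so q | N - 1
N_BYTES = 16             # n = 128: message space M = {0,1}^n

def subgroup_generator():
    for h in range(2, 64):
        x = pow(h, (N - 1) // q, N)
        if x != 1:
            return x     # order of x is exactly q

g = subgroup_generator()

def e(a, b):
    return pow(g, (a * b) % q, N)          # e(aP, bP) = g^(ab)

def H1(identity):                          # H1: {0,1}* -> G1*
    return 1 + int.from_bytes(hashlib.sha256(identity).digest(), "big") % (q - 1)

def H2(elem):                              # H2: G2 -> {0,1}^n
    return hashlib.sha256(b"H2|" + elem.to_bytes(16, "big")).digest()[:N_BYTES]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Boneh-Franklin BasicIdent over the toy map.
def bf_setup():
    s = secrets.randbelow(q - 1) + 1       # msk s in Z_q^*
    return s, s                            # (msk, P_pub = sP)

def bf_extract(msk, identity):
    return (msk * H1(identity)) % q        # d_ID = s * Q_ID

def bf_encrypt(p_pub, identity, m):
    r = secrets.randbelow(q - 1) + 1
    g_id = e(H1(identity), p_pub)          # g_ID = e(Q_ID, P_pub)
    return r, xor(m, H2(pow(g_id, r, N)))  # C = (rP, m xor H2(g_ID^r))

def bf_decrypt(d_id, ct):
    U, V = ct
    return xor(V, H2(e(d_id, U)))          # e(d_ID, U) = e(Q_ID, P)^(sr) = g_ID^r

# Lamport one-time signature with f = SHA-256; the ciphertext is hashed to 256 bits first.
def f(x):
    return hashlib.sha256(x).digest()

def msg_bits(c):
    U, V = c
    d = int.from_bytes(f(U.to_bytes(4, "big") + V), "big")
    return [(d >> i) & 1 for i in range(256)]

def ots_gen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return [(f(x0), f(x1)) for x0, x1 in sk], sk      # (vk = Y, sk = X)

def ots_sign(sk, c):
    return [sk[i][bit] for i, bit in enumerate(msg_bits(c))]

def ots_verify(vk, c, sig):
    return all(f(sig[i]) == vk[i][bit] for i, bit in enumerate(msg_bits(c)))

# Canetti-Halevi-Katz transform: the identity is vk, the ciphertext is (vk, c, sigma).
def vk_bytes(vk):
    return b"".join(y0 + y1 for y0, y1 in vk)

def pke_gen():
    return bf_setup()                      # (secret key msk, public key PK = P_pub)

def pke_encrypt(pk, m):
    vk, sk = ots_gen()
    c = bf_encrypt(pk, vk_bytes(vk), m)    # encrypt to the "identity" vk
    return vk, c, ots_sign(sk, c)

def pke_decrypt(msk, ct):
    vk, c, sig = ct
    if not ots_verify(vk, c, sig):
        return None                        # invalid signature: output ⊥
    return bf_decrypt(bf_extract(msk, vk_bytes(vk)), c)

def demo():
    msk, pk = pke_gen()
    m = b"attack at dawn!!"               # constructed 16-byte sample plaintext
    ct = pke_encrypt(pk, m)
    vk, (U, V), sig = ct
    ok = pke_decrypt(msk, ct) == m
    tampered = pke_decrypt(msk, (vk, (U, xor(V, b"\x01" * N_BYTES)), sig))
    vk2, _ = ots_gen()                     # same c under another vk: signature no longer verifies
    rekeyed = pke_decrypt(msk, (vk2, (U, V), sig))
    return ok, tampered, rekeyed
```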

BF IBE scheme security: selective IND-ID-CPA security in the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model. Reminder: in the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on, then he receives the public setup and is allowed to issue key extraction queries.

BF IBE scheme security: selective IND-ID-CPA security in the standard model
Decisional BDH: to distinguish between (P, aP, bP, cP, ê(P, P)^{abc}) and (P, aP, bP, cP, r) for random r ∈ G_2.
Theorem: If there exists a poly-time adversary A that gains advantage ε in the selective IND-ID-CPA game, then there exists a poly-time adversary B that solves Decisional BDH with non-negligible probability.
We are going to use a family of hash functions H = {H_k} that satisfy the following properties:
1. H_k: {0,1}* → G_1.
2. For all x ∈ {0,1}*, y ∈ G_1 there exists a unique k such that H_k(x) = y.
3. Such a k is easy to find.

BF IBE scheme security: selective IND-ID-CPA security in the standard model
Algorithm B:
1. Gets q, G_1, G_2, ê and (P, Q = aP, U = bP, R = cP, r ∈ G_2). B has to answer 1 if ê(P, P)^{abc} = r and 0 otherwise.
2. B starts to execute A and on the first step receives ID*.
3. B chooses a random s and finds s^{-1} ∈ Z_q. B chooses a hash function H_1 ∈ H such that H_1(ID*) = P, and another hash function H_2: G_2 → {0,1}^n for some n without any restriction.
4. B provides A with the public setup (q, G_1, G_2, ê, n, Q, sQ, H_1, H_2), so the master key is s and the public key is P_pub = sQ.
5. B answers A's extraction queries in the standard way.
6. When A is ready for a challenge it gives B two messages m_0, m_1. B chooses a bit b at random and gives A the ciphertext C = (R, m_b ⊕ H_2(r)).
7. B answers 1 if A was correct.

BF IBE scheme security: selective IND-ID-CPA security in the standard model
Analysis of algorithm B:
- Algorithm B runs in the same time as A.
- In the last stage: if ê(P, P)^{abc} = r then H_2(r) = H_2(g_{ID*}^{r'}) for the r' with R = r'Q, since g_{ID*} = ê(H_1(ID*), P_pub), and thus (R, H_2(r) ⊕ m_b) is a valid encryption of m_b; hence Pr[A answers correctly] = 1/2 + ε.
- Otherwise, H_2(r) is a uniformly random string and thus H_2(r) ⊕ m_b is a uniformly random string; hence Pr[A answers correctly] = 1/2.
- Thus B answers correctly with probability at least 1/2 + ε/2.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model. Reminder: in the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
First, we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub. This scheme is defined by the following algorithms:
keygen: Given a security parameter k, the algorithm works as follows:
- Step 1: Generate two prime-order groups G_1, G_2 and a bilinear map ê: G_1 × G_1 → G_2. Let q be the order of G_1, G_2. Choose a random generator P ∈ G_1.
- Step 2: Pick a random s ∈ Z_q^* and set P_pub = sP. Pick a random Q_id ∈ G_1^*.
- Step 3: Choose a cryptographic hash function H_2: G_2 → {0,1}^n for some n.
- Step 4: The public key is (q, G_1, G_2, ê, n, P, P_pub, Q_id, H_2); the private key is d_id = sQ_id ∈ G_1^*.
encrypt: To encrypt m ∈ {0,1}^n choose a random r ∈ Z_q^* and set the ciphertext to be C = (rP, m ⊕ H_2(g_id^r)), where g_id = ê(Q_id, P_pub) ∈ G_2.
decrypt: Let C = (U, V) be a ciphertext created using the public key above. To decrypt C using the private key d_id compute V ⊕ H_2(ê(d_id, U)) = m.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
Now, if there is a poly-time adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof: Algorithm B is given the public key K_pub = (q, G_1, G_2, ê, n, P, P_pub, Q_id, H_2).
Setup: B gives A the system parameters (q, G_1, G_2, ê, n, P, P_pub, H_1, H_2). H_1 is a random oracle controlled by B in the following way: B maintains a list of tuples (ID_j, Q_j, b_j, coin_j), which we call the H_1-list; the list is initially empty. When asked on ID_i:
1. If the query ID_i already appears on the H_1-list in a tuple (ID_i, Q_i, b_i, coin_i), then B responds with H_1(ID_i) = Q_i.
2. Otherwise B generates a random coin ∈ {0,1} so that Pr[coin = 0] = δ.
3. B picks a random b_i ∈ Z_q^*. If coin = 0, Q_i = b_i P; otherwise Q_i = b_i Q_id.
4. B adds the tuple (ID_i, Q_i, b_i, coin_i) to the list and responds with Q_i.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
Key extraction: Let ID_i be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain Q_i using the previous algorithm; let (ID_i, Q_i, b_i, coin_i) be the corresponding tuple.
2. If coin_i = 1 then B reports failure and terminates.
3. Otherwise we know that Q_i = b_i P. Define d_i = b_i P_pub. Observe that d_i = s b_i P = sQ_i, and therefore d_i is the private key associated to the public key ID_i. Give d_i to algorithm A.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
Challenge:
1. Once algorithm A decides to begin the challenge, it outputs a public key ID_ch and two messages m_0, m_1. Algorithm B gives its challenger the messages m_0, m_1. The challenger responds with a ciphertext C = (U, V) such that C is the encryption of m_c for a random c ∈ {0,1}.
2. Next, B obtains the tuple corresponding to ID_ch: (ID_ch, Q_ch, b, coin). If coin = 0 then B reports failure and terminates.
3. We know coin = 1 and therefore Q_ch = bQ_id. Recall that when C = (U, V) we have U ∈ G_1. Set C' = (b^{-1}U, V), where b^{-1} is the inverse of b mod q. Algorithm B responds to A with C'. Note:
ê(b^{-1}U, d_ch) = ê(b^{-1}U, sQ_ch) = ê(b^{-1}U, sbQ_id) = ê(U, sQ_id) = ê(U, d_id).
Hence, the BF IBE decryption of C' using d_ch is the same as the BasicPub decryption of C using d_id.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries, and algorithm B will respond as before. Eventually, algorithm A will output its answer b, and algorithm B will output the same answer. If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly so does B. B does not abort with non-negligible probability. And thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure. To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters (q, G_1, G_2, ê) and a random instance (P, P_1, P_2, P_3) = (P, aP, bP, cP) of the BDH problem for these parameters. Let D = ê(P, P)^{abc} ∈ G_2 be the solution to this BDH problem.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
Setup: Algorithm B creates the BasicPub public key K_pub = (q, G_1, G_2, ê, n, P, P_pub, Q_ID, H_2) by setting P_pub = P_1 and Q_ID = P_2. Here H_2 is a random oracle controlled by B as described below. Algorithm B gives A K_pub. The (unknown) private key associated to K_pub is d_ID = sQ_ID = abP.
At any time algorithm A may issue queries to the random oracle H_2. To respond to them, B maintains a list of tuples (X_j, H_j), which we call the H_2-list; the list is initially empty. When asked on X_i:
1. If the query X_i already appears on the H_2-list in a tuple (X_i, H_i), then B responds with H_2(X_i) = H_i.
2. Otherwise B just picks a random string H_i ∈ {0,1}^n and adds the tuple (X_i, H_i) to the H_2-list. It responds to A with H_i.

BF IBE scheme security: IND-ID-CPA security in the random oracle model
Challenge: Algorithm A outputs two messages m_0, m_1. Algorithm B picks a random string R ∈ {0,1}^n and defines c to be the ciphertext c = (P_3, R). Algorithm B gives c as the challenge to A. Observe that, by definition, the decryption of c is R ⊕ H_2(ê(P_3, d_ID)) = R ⊕ H_2(D).

BF IBE scheme security: IND-ID-CPA security in the random oracle model
Guess: Algorithm A outputs its guess c' ∈ {0,1}. At this point B picks a random tuple (X_j, H_j) from the H_2-list and outputs X_j as the solution.
Proof of correctness: B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of A asking for H_2(D) is non-negligible (since otherwise the decryption of c is independent of A's view, and A can't answer correctly with probability greater than a half). So we have D in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.

References
- [BF 03] D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
- [BCHK 07] D. Boneh, R. Canetti, S. Halevi, and J. Katz. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput., 36(5): 1301-1328 (2007).