MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial Fulfillment of the Requirements for the Degree of Master of Science Florida Atlantic University Boca Raton, Florida May 2010

Copyright by Brittanney Jaclyn Amento 2010 ii

ACKNOWLEDGEMENTS First, I would like to thank my advisor, Dr. Rainer Steinwandt, for always pushing and believing in me especially during those times I wanted to give up! You have been an exceptional mentor and I am so thankful for your direction and confidence. Second, I would like to thank my mother, Neweleen Feldmar, for raising a strong minded, confident young woman. Eight years to get to this point and I couldn t have done it without your love and support. I know I make you proud everyday! Third, I would like to thank my dear friend Lisa Greenberg. I can t imagine how different the last two years would have been without the friendship and math partner we found in each other! Together, we are one half of a Ph.D girl! Last, I owe a sincere thank you to my Fusion boss of five years and friend, Melody Collins, for always finding a way to work my job around my education. I couldn t have done any of this without each of you in my corner! iv

ABSTRACT Author: Title: Institution: Thesis Advisor: Degree: Brittanney Jaclyn Amento Message Authentication in an Identity-Based Encryption Scheme: 1-Key-Encrypt-Then-MAC Florida Atlantic University Dr. Rainer Steinwandt Master of Science Year: 2010 We present an Identity-Based Encryption scheme, 1-Key-Encrypt-Then-MAC, in which we are able to verify the authenticity of messages using a MAC. We accomplish this authentication by combining an Identity-Based Encryption scheme given by Boneh and Franklin, with an Identity-Based Non-Interactive Key Distribution given by Paterson and Srinivasan, and attaching a MAC. We prove the scheme is chosen plaintext secure and chosen ciphertext secure, and the MAC is existentially unforgeable. v

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC 1 Introduction...1 2 Preliminaries...3 2.1 Cryptographic Primitives...3 2.2 Security Notions...6 3 The Proposed Schemes... 11 3.1 Building on BasicIdent... 11 3.2 Building on FullIdent... 12 4 Security... 14 5 Conclusion... 22 Bibliography... 23 vi

CHAPTER 1 INTRODUCTION In this thesis, we build on the Identity-Based Encryption scheme given by Boneh and Franklin in [2] and combine it with the Identity-Based Non-Interactive Key Distribution given by Paterson and Srinivasan in [5] to create an Identity-Based Encryption scheme which authenticates messages using a MAC. We follow Martin s motivation in [4] to take a closer look at Identity-Based Encryption. Identity-Based Encryption (IBE) was first introduced in 1984 by Adi Shamir as a way to create a public key from a user s identity. IBE has all the benefits of a public key encryption scheme, plus additional benefits relating to keys being calculated for each recipient, versus being randomly generated. This relieves pre-enrollment requirements and the need to look up public keys (a huge hamper on public key cryptography). Calculating the keys also allows an IBE to have built in key recovery capability a requirement for use in business. We can also use an IBE to communicate with someone not already enrolled in our system by calculating a public key id for the recipient and using that key to encrypt the message we send them. The recipient would then authenticate himself to the Private Key Generator (PKG) and receive his private decryption key, creating a secure channel of communication. We should mention that a main disadvantage of an IBE versus public key encryption lies with key revocation being difficult to remedy. 1

An IBE consists of four algorithms: Setup, which generates the system parameters and a master key; Extract, which uses the master key to extract the private key associated with an identity id {0, 1} ; e.g., an email or IP address; Encrypt, which uses an identity id to encrypt messages; and Decrypt, which uses the private key associated with the identity id to decrypt messages. An Identity-Based Non-Interactive Key Distribution (ID-NIKD) is a scheme which allows two parties to establish a common key without communicating. Each party receives a private key from a Trusted Authority (TA), which allows them to compute a shared key without exchanging any messages. An ID-NIKD consists of three algorithms: Setup, which generates the system parameters and a master secret key; Extract, which uses the master secret key to extract the private key associated with an identity id {0, 1}; and SharedKey, which uses an identity id and a private key to return a shared key between them. We combine these two schemes, IBE and ID-NIKD, and ask about our ability to authenticate messages. Below, we define our 1-Key-Encrypt-Then-MAC scheme and show that we are indeed able to authenticate messages. Further, we show our scheme is chosen plaintext secure (IND-ID-CPA+MAC), chosen ciphertext secure (IND-ID-CCA+MAC), and existentially unforgeable (UF-ID-CPA+MAC). 2

CHAPTER 2 PRELIMINARIES 2.1 Cryptographic Primitives We start by recalling the definition of an Identity-Based Encryption scheme as given by Boneh and Franklin in [2]: Definition 1 (Identity-Based Encryption). An Identity-Based Encryption scheme E is specified by four polynomial time algorithms: Setup, Extract, Encrypt, Decrypt. Setup: a probabilistic algorithm which takes a security parameter 1 k and returns params (system parameters) and master key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. Intuitively, the system parameters will be publicly known, while the master key will be known only to the Private Key Generator (PKG). Extract: a probabilistic algorithm which takes as input params, master key, and an arbitrary id {0, 1}, and returns a private key d id. Here id is an arbitrary user identity that will be used as a public key, and d id is the corresponding private decryption key. The Extract algorithm extracts a private key from the given identity. Encrypt: a probabilistic algorithm which takes as input params, id, and M M. It returns a ciphertext C C. 3

Decrypt: a deterministic algorithm which takes as input params, C C, and a private key d id. It returns M M or an error symbol. These algorithms must satisfy the standard consistency constraint, namely if d id is the private key generated by algorithm Extract when it is given id as the identity, then M M : Dec did (C) = M where C Enc id (M). We next recall the definition of an ID-Based Non-Interactive Key Distribution scheme as given by Paterson and Srinivasan in [5]: Definition 2 (ID-Based Non-Interactive Key Distribution (ID-NIKD)). An ID-Based Non- Interactive Key Distribution (ID-NIKD) scheme is specified by three distinct algorithms: Setup, Extract, and SharedKey. Algorithms Setup and Extract are executed by the Trusted Authority (TA), while SharedKey can be executed by any entity in possession of its private key and the identifier of any other entity with which it wishes to generate a shared key. Setup: on input 1 k, outputs a master public key (or system parameters) and a master secret key. Extract: on input a master public key, a master secret key, and an id {0, 1}, returns a private key from some space of private keys SK. SharedKey: on input a master public key, a private key d ida, and an identifier id B {0, 1}, where id B id A, this algorithm returns a shared key K A,B from some space of shared keys SHK specified in the master public key. We require that, for any pair of identities id A, id B, and corresponding private keys d ida 4

and d idb, SharedKey satisfies the constraint: SharedKey(master public key, d ida, id B ) = SharedKey(master public key, d idb, id A ) This ensures that entities A and B can indeed generate a shared key without any interaction. We will normally assume that SHK, the space of shared keys, is {0, 1} n(k) for some function n(k). We next recall the definition of a Message Authentication Code (MAC) as given by Bellare, Guerin, and Rogaway in [3]: Definition 3 (Message Authentication Code (MAC)). A Message Authentication Code (MAC) consists of three algorithms: Key Generation, Tagging, and Verification. The Tagging algorithm may be probabilistic; the Verification algorithm typically is not. Key Generation: on parameter 1 k, generates a key c and an L tag where L tag is the corresponding MAC length for k. Tagging: on input a k-bit key c and a message M, algorithm Tagging outputs an L tag -bit string k called the tag, or MAC, of M. Verfication: on input a k-bit key c, a message M, and an L tag -bit string τ, algorithm Verification outputs a true for accept and false for reject. We ask for a basic validity condition, namely that authentic signatures are accepted with probability one. That is, for any key c, message M, and tag τ which is output with positive probability by Tag(c, M), it must be the case that Verification(c, M, τ) = true. We combine the first three definitions and now introduce our Identity-Based Encryption scheme which verifies message authentication: 5

Definition 4 (1-Key-Encrypt-Then-MAC). We define our 1-Key-Encrypt-Then -MAC as a septuple of algorithms (Setup, Enc, Dec, KeyExtract, Tag, Ver, SharedKey) in which we use in an Identity-Based Encryption scheme to show authenticity of messages using a MAC, as follows: Setup: on input security parameter 1 k, returns the system parameters and a master secret key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. Enc: on input params, id, and M M computes a ciphertext C Enc id (M). Dec: on input params, C C, and a private key d id returns M or an error symbol. KeyExtract: on input params, a master secret key, and an arbitrary id {0, 1} returns a private key d id. SharedKey: on input params, a private key d ida, and an id B {0, 1}, where id A id B, returns K A,B. Tag: on input M, id A, and id B returns the tag T KA,B (M) where K A,B = SharedKey(d ida, id B, params) is a shared key between id A and id B. Ver: on input M, tag τ, and K A,B returns true if τ is a valid tag for M and false otherwise. 2.2 Security Notions To formalize the security of our 1-Key-Encrypt-Then-MAC scheme, we introduce the following definitions pertaining to chosen plaintext security, chosen ciphertext security, and MAC unforgeability. We begin by defining chosen plaintext security: 6

Definition 5 (IND-ID-CPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), and a verification oracle: V(M, Tag, id A, id B ) {true, false}. 3. A outputs two plaintexts m 0 m 1 of equal length and some id which was NOT previously sent to the private key extraction oracle. 4. Challenger chooses b {0, 1} randomly and sends A ciphertext. C = (Enc id (M b ) } {{ } =C, Tag(C, K A,B)) 5. A is again given access to the private key extraction oracle, tagging oracle, and verification oracle with the sole restriction that she cannot query the private key extraction oracle on the id, as in Step 3). 6. A guesses b {0, 1} and wins if b = b. 7

The advantage Adv A (k) of A is defined as P r(b = b ) 1 2 and θ is (IND-ID-CPA+MAC) secure if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. Next, we define the security of our MAC in the sense of existential unforgeability: Definition 6 (UF-ID-CPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), and a verification oracle: V(M, Tag, id A, id B ) {true, false}. 3. A outputs a ciphertext C = (C, id A, id B, τ) with the restrictions that neither id A or id B were previously submitted to the private key extraction oracle and (C, id A, id B ) was not previously sent to the tagging oracle. A wins if Dec dida (C). The advantage Adv A (k) of A is defined as P r[dec dida (C)] 8

and θ is existentially unforgeable (UF-ID-CPA+MAC) if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. Finally, we end by defining chosen ciphertext security: Definition 7 (IND-ID-CCA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verification, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game: 1. Challenger runs Setup on 1 k and hands public params to A. 2. A is given unrestricted access to a private key extraction oracle which associates an id with its private key d id, a tagging oracle: τ(m, id A, id B ) Tag(M, SharedKey(K A,B )), a verification oracle: V(M, Tag, id A, id B ) {true, false}, and a decryption oracle: Dec(id i, C i ) M i or. 3. A outputs two plaintexts m 0 m 1 of equal length and some id which was NOT previously sent to the private key extraction oracle. 4. Challenger chooses b {0, 1} randomly and sends A the challenge ciphertext C = (Enc id (M b ) } {{ } =C, Tag(C, K A,B)). 9

5. A is again given access to the private key extraction oracle, tagging oracle, verification oracle, and decryption oracle, with the restrictions that she cannot query the private key extraction oracle on the id, as in Step 3), and she cannot query the decryption oracle on the challenge ciphertext C. 6. A guesses b {0, 1} and wins if b = b. The advantage Adv A (k) of A is defined as P r(b = b ) 1 2 and θ is (IND-ID-CCA+MAC) secure if Adv A (k) is negligible for all probabilistic polynomial time adversaries A. 10

CHAPTER 3 THE PROPOSED SCHEMES We present our 1-Key-Encrypt-Then-MAC scheme in which we wish to use the Identity- Based Encryption schemes BasicIdent and FullIdent, as given by Boneh and Franklin in [2], along with a MAC to verify authentication of messages. 3.1 Building on BasicIdent We first consider the scheme BasicIdent, which is given by four algorithms: Setup, Extract, Encrypt, and Decrypt, which model our algorithms Setup, KeyExtract, Enc, and Dec, respectively. Further, we consider an ID-NIKD as given by Paterson and Srinivasan in [5], which also shares the Setup and Extract algorithms of BasicIdent. Let G be some BDH parameter generator. Setup: given security parameter k Z +, run G on input 1 k to generate a prime q, two cyclic groups G 1 and G 2 of order q, an admissible bilinear map ê : G 1 G 1 G 2, and three cryptographic hash functions H 1 : {0, 1} G 1, H 2 : G 2 {0, 1} n for some n, and H 3 : {0, 1} {0, 1} k. Choose a random s Z q where s is the master secret key and set P pub = sp, P G 1 a random generator. The system parameters also include a description of a finite message space M, and a description of a finite ciphertext space C. 11

KeyExtract: returns a private key d ida = sh 1 (id A ). Enc: computes Q id = H 1 (id A ) G 1, chooses a random r Z q, and sets the ciphertext to be C = (rp, M H 2 (g r id)) where g id = ê(q id, P pub ) G 2 and M M. Dec: returns M or an error message by using d ida G 1 to compute M H 2 (g r id) H 2 (ê(d ida, rp )) = M SharedKey: returns key K A,B = H 2 (ê(d ida, H 1 (id B )) where id B id A. Tag: returns the tag τ = H 3 (M K A,B ) where K A,B is a shared key between id A and id B. Ver: returns true if τ = H 3 (M K A,B ) and false otherwise. 3.2 Building on FullIdent We now consider the scheme FullIdent, which is given by four algorithms: Setup, Extract, Encrypt, and Decrypt. Let G be some BHD parameter generator. Setup: as in the BasicIdent scheme. In addition, we pick a hash function H 4 : {0, 1} n {0, 1} n Z q and H 5 : {0, 1} n {0, 1} n where n is the length of the message to be encrypted. KeyExtract: as in the BasicIdent scheme. 12

Enc: computes Q id = H 1 (id A ) G 1, chooses a random σ {0, 1} n, sets r = H 4 (σ, M), and sets the ciphertext to be C = (rp, σ H 2 (g r id), M H 5 (σ)) where g id = ê(q id, P pub ) G 2 and M M. Dec: if rp / G 1, rejects the ciphertext. Otherwise, returns M or an error message by using d ida G 1 to do the following: Computes σ H 2 (g r id) H 2 (ê(d ida, rp )) = σ Then computes M H 5 (σ) H 5 (σ) = M and sets r = H 4 (σ, M). Tests that this r P = rp. If not, rejects the ciphertext. Otherwise, outputs M as the decryption of C. SharedKey: as in the BasicIdent scheme. Tag: as in the BasicIdent scheme. Ver: as in the BasicIdent scheme. This completes the description of our 1-Key-Encrypt-Then-MAC scheme. 13

CHAPTER 4 SECURITY We now consider the security of BasicIdent-MAC. The following theorem shows that BasicIdent-MAC is secure in the sense of Definition 5 (IND-ID-CPA+MAC). We first follow Boneh and Franklin s description of a random oracle model in [1]. A random oracle is a function H : X Y chosen uniformly and at random from the set of all functions {h : X Y } (assuming Y is a finite set). An algorithm can query the random oracle at any point x X and receive the value H(x) in response. Random oracles are used to model cryptographic hash functions such as SHA-1. Security proofs in the random oracle model prove security against attackers confined to the random oracle world. Theorem 1. Let H 1, H 2, and H 3 be random oracles. Then BasicIdent-MAC is secure in the sense of Definition 5. Proof. Let A be a BasicIdent-MAC adversary. We begin by constructing a new IND-ID- CPA adversary B, which attacks the Boneh-Franklin BasicIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id. Setup: Algorithm B gets BasicIdent system parameters (q, G 1, G 2, ê, n, P, P pub, H 1, H 2, H 3 ) 14

and gives them to A. B chooses a random index from 1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the tag and verification oracles, say i 0, and never sends this id i0 to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows: Extract Oracle queries: Algorithm A queries an id i to the extract oracle. B responds by forwarding the id i to the extract oracle as in the Boneh-Franklin scheme and responds to A with d idi, the private key associated with id i. B then has the restriction that she cannot query the same id i during the challenge. Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id s, say id A and id B. B chooses one of the id s id i0 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B has access to the SharedKey algorithm and runs it on params, id B, and d ida, receiving back K A,B. She next appends K A,B to the message M and sends it through H 3, receiving back the tag τ = H 3 (M K A,B ). B sends A the tag τ. Verification Oracle queries: Algorithm A queries the verification oracle with a message M, two id s, say id A and id B, and a tag τ. B chooses one of the id s id i0 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B runs the SharedKey algorithm and obtains K A,B, appends K A,B to M, and runs it through H 3. If τ = H 3 (M K A,B ), B sends A true. Otherwise, B sends A false. Challenge: Once algorithm A is ready to challenge, the following occurs: 1. Algorithm A outputs two plaintexts m 0 m 1 of equal length, and an id not previously sent by A to the extract oracle. The challenger in the IND-ID-CPA game chooses b {0, 1} randomly. B chooses the same m 0 m 1 and id as its challenge in the IND-ID-CPA game and receives back corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort. 15

1 Otherwise, with probability at least, B will be able to use the challenge id. B p(k) forwards C to A. 2. Algorithm A is again given access to the extract oracle, tag oracle, and verification oracle with the sole restriction that she cannot query the id she is challenging. 3. Algorithm A guesses b {0, 1}. B outputs the same guess and wins if b = b. Suppose the probability of algorithm A succeeding in breaking the BasicIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the BasicIdent-MAC scheme is at least 1 p(k) P r[succa ], which is non-negligible. Then P r[succ B ] 1 p(k) P r[succa ] and we have that P r[succ B ] is non-negligible. But this is a contradiction as B is a BasicIdent adversary and therefore, the P r[succ B ] is proven to be negligible by Boneh- Franklin. Therefore, our BasicIdent-MAC scheme is (IND-ID-CPA+MAC) secure. We next consider the unforgeability of the MAC in our BasicIdent-MAC scheme. The following theorem shows that the MAC in our BasicIdent-MAC scheme is existentially unforgeable in the sense of Definition 6 (UF-ID-CPA+MAC). Theorem 2. Let H 1, H 2, and H 3 be random oracles. Then BasicIdent-MAC is existentially unforgeable in the sense of Definition 6. Proof. Let A be a BasicIdent-MAC adversary. We begin by constructing a new IND-SK adversary B which attacks the Paterson-Srinivasan ID-NIKD scheme. B has access to an extract oracle, random H 3 oracle, and test oracle, with the restriction that no query to the extract oracle is allowed on either id involved in the test oracle query. Setup: Algorithm B gets ID-NIKD system parameters (1 k, master public key) and gives them to A, keeping the master secret key to herself. B chooses two random indices from 16

1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the extract oracle, say i 0 and i 1, and never sends id i0 or id i1 to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows: Extract Oracle queries: Algorithm A queries an id i to the extract oracle. B responds by forwarding the id i to the extract oracle as in the Paterson-Srinivasan scheme and responds to A with d idi, the private key associated with id i. B then has the restriction that she cannot query the same id i during the forgery. Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id s, say id A and id B. If id A = id i0 and id B = id i1, B chooses a random element from the space of shared keys, say SHK, and appends SHK to the message M, sends it through H 3, and receives the tag τ = H 3 (M SHK). We clarify below why this will be sufficient. Otherwise, B chooses one of the id s id i0, id i1 uniformly and at random, say id A, and sends it to the extract oracle, receiving back private key d ida. B has access to the SharedKey algorithm and runs it on params, id B, and d ida, receiving back K A,B. She next appends K A,B to the message M and sends it through H 3, receiving back the tag τ = H 3 (M K A,B ). In each case, B records the tag τ and the id s associated with it on an H list 3. B sends A the tag τ. Verification Oracle queries: Algorithm A queries the verification oracle with a message M, two id s, say id A and id B, and a tag τ. B checks the H list 3 for the τ associated with id A, id B, and M. In the case where id A = id i0 and id B = id i1, if τ = H 3 (M SHK), B sends A true. Otherwise, B sends A false. In all other cases, if τ = H 3 (M K A,B ), B sends A true. Otherwise, B sends A false. Forgery: Once algorithm A is ready to forge a MAC, the following occurs: 1. A outputs ciphertext C = (C, id A, id B, τ) where τ = (C, id A, id B ). When one or both of the forgery id s has previously been queried by B to the extract oracle, we 17

abort. Otherwise, with probability at least 1 (p(k)) 2, B will be able to use the forgery id s. 2. B queries the test oracle on id A and id B receiving back either shared key K A,B or a random shared key SHK. B checks the H list 3 for H 3 (M K A,B ). If the entry exists on the H list 3, B outputs real. Otherwise, B outputs random. Suppose that the probability of algorithm A succeeding in forging the MAC in our BasicIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the ID-NIKD scheme is at least 1 (p(k)) 2 P r[succ A ], which is nonnegligible. We further consider the probability of a collision in the random oracles to be q 3 j 1 (1 ( (1 i 2 ))) k j=1 i=0 where q i is an upper bound on the number of queries made to random H j oracle. Therefore, the probability of collision P r[collision] is negligible. Last, we consider the advantage Adv ID NIKD (k) to be a negligible upper bound on the probability of breaking the ID-NIKD scheme. Then P r[succ B ] 1 (p(k)) 2 (P r[succa ] P r[collision] Adv ID NIKD (k)) and we have that P r[succ B ] is non-negligible. But this is a contradiction as B is an ID-NIKD adversary and therefore, the P r[succ B ] is proven to be negligible by Paterson- Srinivasan. Hence, the MAC in our BasicIdent-MAC scheme is existentially unforgeable (UF-ID-CPA+MAC). Justification of the tag oracle simulation We construct a new adversary B which attacks the Paterson-Srinivasan ID-NIKD scheme. B has access to an extract oracle, random H 3 oracle, and a test oracle. B simulates the tag oracle and verification oracle 18

exactly as B above EXCEPT when A outputs a forgery on id i0 and id i1. Then, B queries the test oracle and receives either the true shared key K i0,i 1 or a random shared key SHK. B computes the tag as B above, using the shared key received from the test oracle, and sends τ to A. Suppose the probability of the difference between the probability of algorithm A succeeding in forging the MAC using the true key, and the probability of algorithm A succeeding in forging the MAC using a random key, is non-negligible. Then the probability of B succeeding in correctly solving the challenge from the test oracle is P r[succ B ] = 1 2 (P r[succa true] (1 P r[succ A random])) and we have that P r[succ B ] is non-negligible. But this is a contradiction as B is an ID-NIKD adversary; therefore, the P r[succ B ] is proven to be negligible by Paterson- Srinivasan. Therefore, the MAC in our BasicIdent-MAC scheme is existentially unforgeable (UF-ID-CPA+MAC). We now consider the security of FullIdent-MAC. The following theorem shows that FullIdent-MAC is secure in the sense of Definition 7, (IND-ID-CCA+MAC). Theorem 3. Let H 1, H 2, H 3, H 4, and H 5 be random oracles. Then FullIdent-MAC is secure in the sense of Definition 7 (IND-ID-CCA+MAC). Proof. Let A be a FullIdent-MAC adversary. We begin by constructing a new IND-ID- CCA adversary B, which attacks the Boneh-Franklin FullIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id. Setup: Algorithm B gets FullIdent system parameters (q, G 1, G 2, ê, n, P, P pub, H 1, H 2, H 3, H 4, H 5 ) 19

and gives them to A. B chooses a random index from 1 to p(k), where p(k) is a polynomial upper bound on the number of id s queried to the tag and verification oracles, say i 0, and never sends this id i0 to the extract oracle. B simulates the extract oracle, tag oracle, verification oracle, and decryption oracle as follows: Extract Oracle queries: as in the BasicIdent-MAC scheme. Tag Oracle queries: as in the BasicIdent-MAC scheme. Verification Oracle queries: as in the BasicIdent-MAC scheme. Decryption Oracle queries: Algorithm A queries the decryption oracle with an id, say id A, and ciphertext C A. B responds by forwarding (id A, C A ) to the decryption oracle as in the Boneh-Franklin scheme and responds to A with M A or. B then has the restriction that she cannot query the same (id A, C A ) during the challenge. Challenge: Once algorithm A is ready to challenge, the following occurs: 1. Algorithm A outputs two plaintexts m 0 m 1 of equal length, and an id not previously sent by A to the extract oracle. The challenger in the IND-ID-CCA game chooses b {0, 1} randomly. B chooses the same m 0 m 1 and id as its challenge in the IND-ID-CCA game and receives back corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort. 1 Otherwise, with probability at least, B will be able to use the challenge id. B p(k) forwards C to A. 2. Algorithm A is again given access to the extract oracle, tag oracle, verification oracle, and decryption oracle with the restrictions that she cannot query the id she is challenging to the extract oracle or the challenge ciphertext and id to the decryption oracle. 3. Algorithm A guesses b {0, 1}. B outputs the same guess and wins if b = b. 20

Suppose the probability of algorithm A succeeding in breaking the FullIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the FullIdent-MAC scheme is at least 1 p(k) P r[succa ], which is non-negligible. Then P r[succ B ] 1 p(k) P r[succa ] and we have that P r[succ B ] is non-negligible. But this is a contradiction as B is a FullIdent adversary and therefore, the P r[succ B ] is proven to be negligible by Boneh- Franklin. Hence, our FullIdent-MAC scheme is (IND-ID-CCA+MAC) secure. 21

CHAPTER 5 CONCLUSION In this thesis, we combined an Identity-Based Encryption scheme and a Non-Interactive Key Distribution scheme to achieve our goal of message authentication, while maintaining semantic security and unforgeability. We conclude with an open question: Can we build a compiler that takes as input an existentially unforgeable MAC and an IBE, and outputs our 1-Key-Encrypt-Then-MAC scheme, while maintaining security in the sense of indistinguishability and unforgability? 22

BIBLIOGRAPHY [1] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. In J. Kilian, editor, Advances in Cryptology CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213 229. Springer-Verlag, 2001. [2] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. SIAM Journal of Computing, 32(3):586 615, 2003. Available at http://crypto. stanford.edu/ dabo/papers/bfibe.pdf; extended abstract in [1]. [3] R. Guerin M. Bellare and P. Rogaway. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions. In Advances in Cryptology CRYPTO 95, volume 963 of Lecture Notes in Computer Science, pages 15 28. Springer Berlin-Heidelberg, 1995. [4] L. Martin. Identity-Based Encryption: A Closer Look. The Information Systems Security Association Journal, 3(9):22 24, 2005. [5] K. Paterson and S. Srinivasan. On the Relations Between Non-Interactive Key Distribution, Identity-Based Encryption and Trapdoor Discrete Log Groups. Designs, Codes and Cryptography, 52(2):219 241, August 2009. 23