Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Security And Anonymity Of Identity-basedEncryption With Multiple Trusted Authorities
or Alphabetti Spaghetti
K.G. Paterson and S. Srinivasan
RHUL
September 3, 2008/ Pairing 2008
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Outline of the talk
We formally consider new notions of security for IBE in thesetting of multiple TAs.
We give a modified Fujisaki-Okamoto conversion in the contextof multiple TAs.We apply this modified conversion to multi-TA versions of somewell known IBE schemes and analyse the results.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Outline of the talk
We formally consider new notions of security for IBE in thesetting of multiple TAs.We give a modified Fujisaki-Okamoto conversion in the contextof multiple TAs.
We apply this modified conversion to multi-TA versions of somewell known IBE schemes and analyse the results.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Outline of the talk
We formally consider new notions of security for IBE in thesetting of multiple TAs.We give a modified Fujisaki-Okamoto conversion in the contextof multiple TAs.We apply this modified conversion to multi-TA versions of somewell known IBE schemes and analyse the results.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
The standard notion of security is indistinguishability based.
but “Key Privacy” is also desired.i.e an adversary should be unable to determine which key wasused to create the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
The standard notion of security is indistinguishability based.but “Key Privacy” is also desired.
i.e an adversary should be unable to determine which key wasused to create the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
The standard notion of security is indistinguishability based.but “Key Privacy” is also desired.i.e an adversary should be unable to determine which key wasused to create the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
In IBE with single TAs, the analogous property of “RecipientAnonymity” is desired.
i.e an adversary should be unable to determine which identitywas used in creating the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
In IBE with single TAs, the analogous property of “RecipientAnonymity” is desired.i.e an adversary should be unable to determine which identitywas used in creating the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
Multiple TAs are a natural extension to systems with single TAs.
Multiple TAs may even share common parameters.In such a setting the concept of TA anonymity arises naturally.i.e an adversary should be unable to determine which TA’s publicparameters were used in creating the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
Multiple TAs are a natural extension to systems with single TAs.Multiple TAs may even share common parameters.
In such a setting the concept of TA anonymity arises naturally.i.e an adversary should be unable to determine which TA’s publicparameters were used in creating the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
Multiple TAs are a natural extension to systems with single TAs.Multiple TAs may even share common parameters.In such a setting the concept of TA anonymity arises naturally.
i.e an adversary should be unable to determine which TA’s publicparameters were used in creating the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Why?
Multiple TAs are a natural extension to systems with single TAs.Multiple TAs may even share common parameters.In such a setting the concept of TA anonymity arises naturally.i.e an adversary should be unable to determine which TA’s publicparameters were used in creating the ciphertext.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
May have practical benefitConcepts which essentially mirror TA anonymity have beenmentioned in some papers on Digital Credentials.
However, we feel the treatment is not concrete.Our work provides the rigourous treatment required to addressthese (and possibly other applications) formally.Resistance against traffic analysis.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
May have practical benefitConcepts which essentially mirror TA anonymity have beenmentioned in some papers on Digital Credentials.However, we feel the treatment is not concrete.
Our work provides the rigourous treatment required to addressthese (and possibly other applications) formally.Resistance against traffic analysis.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
May have practical benefitConcepts which essentially mirror TA anonymity have beenmentioned in some papers on Digital Credentials.However, we feel the treatment is not concrete.Our work provides the rigourous treatment required to addressthese (and possibly other applications) formally.
Resistance against traffic analysis.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
May have practical benefitConcepts which essentially mirror TA anonymity have beenmentioned in some papers on Digital Credentials.However, we feel the treatment is not concrete.Our work provides the rigourous treatment required to addressthese (and possibly other applications) formally.Resistance against traffic analysis.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Identity Based EncryptionIBE Security
Identity Based Encryption
(mpk ,msk)← Setup(1k ).
uskid ← KeyDer(mpk ,msk , id).c ← Enc(mpk , id ,m).m← Dec(mpk ,uskid , c).
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Identity Based EncryptionIBE Security
Identity Based Encryption
(mpk ,msk)← Setup(1k ).uskid ← KeyDer(mpk ,msk , id).
c ← Enc(mpk , id ,m).m← Dec(mpk ,uskid , c).
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Identity Based EncryptionIBE Security
Identity Based Encryption
(mpk ,msk)← Setup(1k ).uskid ← KeyDer(mpk ,msk , id).c ← Enc(mpk , id ,m).
m← Dec(mpk ,uskid , c).
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Identity Based EncryptionIBE Security
Identity Based Encryption
(mpk ,msk)← Setup(1k ).uskid ← KeyDer(mpk ,msk , id).c ← Enc(mpk , id ,m).m← Dec(mpk ,uskid , c).
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Identity Based EncryptionIBE Security
IND-CCA security for IBE
Experiment ExpIND-CCA-bA (k)
(mpk ,msk)← Setup(1k )
IDSet ← ∅, CSet ← ∅(id ,m0,m1, state)← AKeyDer,Dec(find,mpk)
c∗ ← Enc(mpk , id ,mb)
b′ ← AKeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If id /∈ IDSet and (id , c∗) /∈ CSet then return b′ else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Identity Based EncryptionIBE Security
IND-CCA security for IBE
Oracle KeyDer(id)IDSet ← IDSet ∪ {id}uskid ← KeyDer(msk , id)Return uskid
Oracle Dec(id , c)CSet ← CSet ∪ (id , c)uskid ← KeyDer(msk , id)m← Dec(mpk ,uskid , c)Return m
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA IBE
params ← CommonSetup(1k ).
T A = {tai : 1 ≤ i ≤ n} will represent the set of (labels of) TAs,where n = n(k) ∈ N.(mpk ,msk)← TASetup(params).TASetup is randomized and executed independently for each TAin T A.KeyDer, Enc, Dec: These are all as per a normal IBE scheme.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA IBE
params ← CommonSetup(1k ).T A = {tai : 1 ≤ i ≤ n} will represent the set of (labels of) TAs,where n = n(k) ∈ N.
(mpk ,msk)← TASetup(params).TASetup is randomized and executed independently for each TAin T A.KeyDer, Enc, Dec: These are all as per a normal IBE scheme.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA IBE
params ← CommonSetup(1k ).T A = {tai : 1 ≤ i ≤ n} will represent the set of (labels of) TAs,where n = n(k) ∈ N.(mpk ,msk)← TASetup(params).TASetup is randomized and executed independently for each TAin T A.
KeyDer, Enc, Dec: These are all as per a normal IBE scheme.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA IBE
params ← CommonSetup(1k ).T A = {tai : 1 ≤ i ≤ n} will represent the set of (labels of) TAs,where n = n(k) ∈ N.(mpk ,msk)← TASetup(params).TASetup is randomized and executed independently for each TAin T A.KeyDer, Enc, Dec: These are all as per a normal IBE scheme.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA BasicIdent
CommonSetup(1k ):(G,GT ,e,q,P)← PairingGen(1k ).Output params = (G,GT ,e,q,P,H1,H2,n)where H1 : {0,1}∗ → G, H2 : GT → {0,1}n for some n = n(k).MsgSp = {0,1}n, CtSp = G1 × {0,1}n, RSp = Zq .
TASetup(params)
Set s $← Zq ,Q = sP.Set mpk = (params,Q).Set msk = s.Output (mpk ,msk ).
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA BasicIdent
KeyDer(ta, id):Set uskid ,ta = mskta · H1(id).
Output uskid ,ta.
Enc(ta, id ,m):Parse mpkta as (params,Qta).
Set r $← Zq .Set T = e(H1(id),Qta)r .Output c = (rP,m ⊕ H2(T )).
Dec(ta,uskid ,ta, c):
Parse c as (U,V ).Set T = e(uskid ,ta,U).
Output m = V ⊕ H2(T ).
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅
∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅
(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0
If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Experiment Expm-IND-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, id ,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′
else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-CCA security
Oracle Corrupt(ta)TASet ← TASet ∪ {ta}Return mskta
Oracle KeyDer(ta, id)IDSetta ← IDSetta ∪ {id}uskid ,ta ← KeyDer(mskta, id)
Return uskid ,ta
Oracle Dec(ta, id , c)CSetta ← CSetta ∪ (id , c)uskid ,ta ← KeyDer(mskta, id)
m← Dec(mpkta,uskid ,ta, c)
Return m
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
We know the BasicIdent and Sakai-Kasahara IBE schemes areIND-CPA secure.
We show that the multi-TA IBE schemes based on theseschemes are m-IND-CPA secure.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
We know the BasicIdent and Sakai-Kasahara IBE schemes areIND-CPA secure.We show that the multi-TA IBE schemes based on theseschemes are m-IND-CPA secure.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : RA-CCA security
Experiment Expm-RA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅
(ta, id0, id1,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, idb,m)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or id0 = id1 then return 0If ta /∈ TASet , id0 /∈ IDSetta, id1 /∈ IDSetta, (id0, c∗) /∈ CSetta and(id1, c∗) /∈ CSetta then return b′ else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : RA-CCA security
Experiment Expm-RA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta, id0, id1,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, idb,m)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or id0 = id1 then return 0If ta /∈ TASet , id0 /∈ IDSetta, id1 /∈ IDSetta, (id0, c∗) /∈ CSetta and(id1, c∗) /∈ CSetta then return b′ else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : RA-CCA security
Experiment Expm-RA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta, id0, id1,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, idb,m)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or id0 = id1 then return 0If ta /∈ TASet , id0 /∈ IDSetta, id1 /∈ IDSetta, (id0, c∗) /∈ CSetta and(id1, c∗) /∈ CSetta then return b′ else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : RA-CCA security
Experiment Expm-RA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta, id0, id1,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpkta, idb,m)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or id0 = id1 then return 0If ta /∈ TASet , id0 /∈ IDSetta, id1 /∈ IDSetta, (id0, c∗) /∈ CSetta and(id1, c∗) /∈ CSetta then return b′ else return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.
In fact some results stating (informally) that it is not.We show that the Sakai-Kasahara IBE scheme is RA-CPA.We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.In fact some results stating (informally) that it is not.
We show that the Sakai-Kasahara IBE scheme is RA-CPA.We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.In fact some results stating (informally) that it is not.We show that the Sakai-Kasahara IBE scheme is RA-CPA.
We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.In fact some results stating (informally) that it is not.We show that the Sakai-Kasahara IBE scheme is RA-CPA.We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.
We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.In fact some results stating (informally) that it is not.We show that the Sakai-Kasahara IBE scheme is RA-CPA.We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅
(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpktab, id ,m)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpktab, id ,m)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpktab, id ,m)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpktab, id ,m)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-RE-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params),IDSetta ← ∅ and CSetta ← ∅
(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
m′ $← MsgSp with |m′| = |m|c∗ ← Enc(mpktab
, id ,m′)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-RE-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params),IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
m′ $← MsgSp with |m′| = |m|c∗ ← Enc(mpktab
, id ,m′)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-RE-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params),IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
m′ $← MsgSp with |m′| = |m|
c∗ ← Enc(mpktab, id ,m′)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-RE-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params),IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
m′ $← MsgSp with |m′| = |m|c∗ ← Enc(mpktab
, id ,m′)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : TAA-RE-CCA security
Experiment Expm-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params),IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
m′ $← MsgSp with |m′| = |m|c∗ ← Enc(mpktab
, id ,m′)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0
and (id , c∗) /∈ CSetta1then return b′ else
return 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Lemma
Let m-IBE be a multi-TA IBE scheme that is m-IND-atk-secure andm-TAA-RE-atk-secure. Then m-IBE is also m-TAA-atk-secure. Hereatk ∈ {CPA,CCA}.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
We show that the schemes with multiple TAs based on theBasicIdent and Sakai-Kasahara IBE schemes, meet them-TAA-CPA notion.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-RA-TAA-CCA security
Experiment Expm-IND-RA-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅
(ta0, ta1, id0, id1,m0,m1, state)
← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpktab, idb,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| then return 0If (ta0 = ta1 and id0 = id1 and m0 = m1) then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id0 /∈ IDSetta0
, id1 /∈ IDSetta1,
(id0, c∗) /∈ CSetta0and (id1, c∗) /∈ CSetta1
then return b′ elsereturn 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-RA-TAA-CCA security
Experiment Expm-IND-RA-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id0, id1,m0,m1, state)
← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpktab, idb,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| then return 0If (ta0 = ta1 and id0 = id1 and m0 = m1) then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id0 /∈ IDSetta0
, id1 /∈ IDSetta1,
(id0, c∗) /∈ CSetta0and (id1, c∗) /∈ CSetta1
then return b′ elsereturn 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-RA-TAA-CCA security
Experiment Expm-IND-RA-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id0, id1,m0,m1, state)
← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpktab, idb,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| then return 0If (ta0 = ta1 and id0 = id1 and m0 = m1) then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id0 /∈ IDSetta0
, id1 /∈ IDSetta1,
(id0, c∗) /∈ CSetta0and (id1, c∗) /∈ CSetta1
then return b′ elsereturn 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Multi-TA : IND-RA-TAA-CCA security
Experiment Expm-IND-RA-TAA-CCA-bA (k)
params ← CommonSetup(1k )
TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)
IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id0, id1,m0,m1, state)
← ACorrupt,KeyDer,Dec(find,MPK )
c∗ ← Enc(mpktab, idb,mb)
b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)
If {m0,m1} * MsgSp or |m0| 6= |m1| then return 0If (ta0 = ta1 and id0 = id1 and m0 = m1) then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id0 /∈ IDSetta0
, id1 /∈ IDSetta1,
(id0, c∗) /∈ CSetta0and (id1, c∗) /∈ CSetta1
then return b′ elsereturn 0
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
LemmaLet m-IBE be a multi-TA IBE scheme that is m-IND-atk-secure,m-RA-atk-secure and m-TAA-atk-secure. Then m-IBE is alsom-IND-RA-TAA-atk-secure. Here atk ∈ {CPA,CCA}.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Multi-TA IBEMulti-TA BasicIdentMulti-TA Security
Results
Using all the above results, we can show that the schemes withmultiple TAs based on the BasicIdent and Sakai-Kasahara IBEschemes, meet the m-IND-RA-TAA-CPA notion.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
γ-Uniformity for Multi-TA IBE
DefinitionLet Π be a multi-TA IBE scheme with space of randomness RSp.Then Π is said to be γ-uniform if, for any fixed choice of c ∈ CtSp,m ∈ MsgSp, id ∈ {0,1}∗ and ta ∈ T A, we have:
Pr[c = Enc(mpkta, id ,m; r) : r $← RSp
]≤ γ.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
The Modified Fujisaki-Okamoto Conversion
Let Π = {CommonSetup,TASetup,KeyDer,Enc,Dec} be amulti-TA IBE scheme.Then Π′ = {CommonSetup′,TASetup′,KeyDer′,Enc′,Dec′}denotes a new multi-TA IBE scheme with algorithms defined asfollows.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
The Modified Fujisaki-Okamoto Conversion
CommonSetup′: As in CommonSetup, but in addition, we pick ahash function H : {0,1}∗ × {0,1}∗ × {0,1}l0 × {0,1}l1 → RSp.TASetup′: As in TASetup.KeyDer′: As in KeyDer.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
The Modified Fujisaki-Okamoto Conversion
Enc′: This algorithm takes as input mpk ta for ta ∈ T A,id ∈ {0,1}∗, and a message m ∈ {0,1}l0 . Its output is:
Enc′(mpkta, id ,m) = Enc(mpkta, id ,m||σ; H(mpk ta, id ,m, σ))
where σ $← {0,1}l1 . So Π′ has randomness space {0,1}l1 .
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
The Modified Fujisaki-Okamoto Conversion
Dec′: Let c denote a ciphertext to be decrypted using a privatekey uskid ,ta issued by TA ta with master public key mpkta foridentity id . This algorithm works as follows:
Compute m′ = Dec(mpkta, uskid ,ta, c).
Let m = [m′]l0 and σ = [m′]l1 where [a]b and [a]b denote the firstand last b bits of a string a respectively.Test if Enc(mpkta, id ,m||σ; H(mpk ta, id ,m, σ)) = c. If not output ⊥;otherwise output m as the decryption of c.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
The Modified Fujisaki-Okamoto Conversion
Dec′: Let c denote a ciphertext to be decrypted using a privatekey uskid ,ta issued by TA ta with master public key mpkta foridentity id . This algorithm works as follows:
Compute m′ = Dec(mpkta, uskid ,ta, c).Let m = [m′]l0 and σ = [m′]l1 where [a]b and [a]b denote the firstand last b bits of a string a respectively.
Test if Enc(mpkta, id ,m||σ; H(mpk ta, id ,m, σ)) = c. If not output ⊥;otherwise output m as the decryption of c.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
The Modified Fujisaki-Okamoto Conversion
Dec′: Let c denote a ciphertext to be decrypted using a privatekey uskid ,ta issued by TA ta with master public key mpkta foridentity id . This algorithm works as follows:
Compute m′ = Dec(mpkta, uskid ,ta, c).Let m = [m′]l0 and σ = [m′]l1 where [a]b and [a]b denote the firstand last b bits of a string a respectively.Test if Enc(mpkta, id ,m||σ; H(mpk ta, id ,m, σ)) = c. If not output ⊥;otherwise output m as the decryption of c.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
TheoremModelling H as a random oracle, if Π is a multi-TA IBE scheme that ism-IND-RA-TAA-CPA-secure and γ-uniform for some negligible γ, thenΠ′ is m-IND-RA-TAA-CCA-secure.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Results
To our knowledge no mention has been made of the anonymityproperties of IND-CCA schemes resulting from the application ofFO to BasicIdent i.e FullIdent like schemes.
Our results show that applying the modified Fujisaki-Okamototransform to m-IND-RA-TAA-CPA secure schemes based on theBasicIdent and Sakai-Kasahara schemes results in schemes thatare m-IND-RA-TAA-CCA secure.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Results
To our knowledge no mention has been made of the anonymityproperties of IND-CCA schemes resulting from the application ofFO to BasicIdent i.e FullIdent like schemes.Our results show that applying the modified Fujisaki-Okamototransform to m-IND-RA-TAA-CPA secure schemes based on theBasicIdent and Sakai-Kasahara schemes results in schemes thatare m-IND-RA-TAA-CCA secure.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Open Problems
Investigate RA of various IBE schemes both in the regular settingand setting of Multiple TAs.
Investigate TAA of multi-TA versions of IBE schemes.Standard Model schemes that satisfy TAA.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Open Problems
Investigate RA of various IBE schemes both in the regular settingand setting of Multiple TAs.Investigate TAA of multi-TA versions of IBE schemes.
Standard Model schemes that satisfy TAA.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Open Problems
Investigate RA of various IBE schemes both in the regular settingand setting of Multiple TAs.Investigate TAA of multi-TA versions of IBE schemes.Standard Model schemes that satisfy TAA.
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Thank you for listening.
Thanks to anonymous referees.Questions?
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Thank you for listening.Thanks to anonymous referees.
Questions?
K.G. Paterson and S. Srinivasan Multi-TA IBE
IntroductionIdentity Based Encryption
Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes
Thank you for listening.Thanks to anonymous referees.Questions?
K.G. Paterson and S. Srinivasan Multi-TA IBE