Security And Anonymity Of Identity-based Encryption With ...prai175/PresentationPairing2008.pdf · Security And Anonymity Of Identity-based Encryption With Multiple Trusted Authorities

IntroductionIdentity Based Encryption

Multi-TA IBEExtending the Fujisaki-Okamoto Conversion to Multi-TA IBE schemes

Security And Anonymity Of Identity-basedEncryption With Multiple Trusted Authorities

or Alphabetti Spaghetti

K.G. Paterson and S. Srinivasan

RHUL

September 3, 2008/ Pairing 2008

K.G. Paterson and S. Srinivasan Multi-TA IBE



Outline of the talk

We formally consider new notions of security for IBE in thesetting of multiple TAs.

We give a modified Fujisaki-Okamoto conversion in the contextof multiple TAs.We apply this modified conversion to multi-TA versions of somewell known IBE schemes and analyse the results.




Outline of the talk

We formally consider new notions of security for IBE in thesetting of multiple TAs.We give a modified Fujisaki-Okamoto conversion in the contextof multiple TAs.

We apply this modified conversion to multi-TA versions of somewell known IBE schemes and analyse the results.




Outline of the talk

We formally consider new notions of security for IBE in thesetting of multiple TAs.We give a modified Fujisaki-Okamoto conversion in the contextof multiple TAs.We apply this modified conversion to multi-TA versions of somewell known IBE schemes and analyse the results.




Why?

The standard notion of security is indistinguishability based.

but “Key Privacy” is also desired.i.e an adversary should be unable to determine which key wasused to create the ciphertext.




Why?

The standard notion of security is indistinguishability based.but “Key Privacy” is also desired.

i.e an adversary should be unable to determine which key wasused to create the ciphertext.




Why?

The standard notion of security is indistinguishability based.but “Key Privacy” is also desired.i.e an adversary should be unable to determine which key wasused to create the ciphertext.




Why?

In IBE with single TAs, the analogous property of “RecipientAnonymity” is desired.

i.e an adversary should be unable to determine which identitywas used in creating the ciphertext.




Why?

In IBE with single TAs, the analogous property of “RecipientAnonymity” is desired.i.e an adversary should be unable to determine which identitywas used in creating the ciphertext.




Why?

Multiple TAs are a natural extension to systems with single TAs.

Multiple TAs may even share common parameters.In such a setting the concept of TA anonymity arises naturally.i.e an adversary should be unable to determine which TA’s publicparameters were used in creating the ciphertext.




Why?

Multiple TAs are a natural extension to systems with single TAs.Multiple TAs may even share common parameters.

In such a setting the concept of TA anonymity arises naturally.i.e an adversary should be unable to determine which TA’s publicparameters were used in creating the ciphertext.




Why?

Multiple TAs are a natural extension to systems with single TAs.Multiple TAs may even share common parameters.In such a setting the concept of TA anonymity arises naturally.

i.e an adversary should be unable to determine which TA’s publicparameters were used in creating the ciphertext.




Why?

Multiple TAs are a natural extension to systems with single TAs.Multiple TAs may even share common parameters.In such a setting the concept of TA anonymity arises naturally.i.e an adversary should be unable to determine which TA’s publicparameters were used in creating the ciphertext.




May have practical benefitConcepts which essentially mirror TA anonymity have beenmentioned in some papers on Digital Credentials.

However, we feel the treatment is not concrete.Our work provides the rigourous treatment required to addressthese (and possibly other applications) formally.Resistance against traffic analysis.




May have practical benefitConcepts which essentially mirror TA anonymity have beenmentioned in some papers on Digital Credentials.However, we feel the treatment is not concrete.

Our work provides the rigourous treatment required to addressthese (and possibly other applications) formally.Resistance against traffic analysis.




May have practical benefitConcepts which essentially mirror TA anonymity have beenmentioned in some papers on Digital Credentials.However, we feel the treatment is not concrete.Our work provides the rigourous treatment required to addressthese (and possibly other applications) formally.

Resistance against traffic analysis.




May have practical benefitConcepts which essentially mirror TA anonymity have beenmentioned in some papers on Digital Credentials.However, we feel the treatment is not concrete.Our work provides the rigourous treatment required to addressthese (and possibly other applications) formally.Resistance against traffic analysis.




Identity Based EncryptionIBE Security

Identity Based Encryption

(mpk ,msk)← Setup(1k ).

uskid ← KeyDer(mpk ,msk , id).c ← Enc(mpk , id ,m).m← Dec(mpk ,uskid , c).






(mpk ,msk)← Setup(1k ).uskid ← KeyDer(mpk ,msk , id).

c ← Enc(mpk , id ,m).m← Dec(mpk ,uskid , c).






(mpk ,msk)← Setup(1k ).uskid ← KeyDer(mpk ,msk , id).c ← Enc(mpk , id ,m).

m← Dec(mpk ,uskid , c).






(mpk ,msk)← Setup(1k ).uskid ← KeyDer(mpk ,msk , id).c ← Enc(mpk , id ,m).m← Dec(mpk ,uskid , c).





IND-CCA security for IBE

Experiment ExpIND-CCA-bA (k)

(mpk ,msk)← Setup(1k )

IDSet ← ∅, CSet ← ∅(id ,m0,m1, state)← AKeyDer,Dec(find,mpk)

c∗ ← Enc(mpk , id ,mb)

b′ ← AKeyDer,Dec(guess, c∗, state)

If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If id /∈ IDSet and (id , c∗) /∈ CSet then return b′ else return 0





IND-CCA security for IBE

Oracle KeyDer(id)IDSet ← IDSet ∪ {id}uskid ← KeyDer(msk , id)Return uskid

Oracle Dec(id , c)CSet ← CSet ∪ (id , c)uskid ← KeyDer(msk , id)m← Dec(mpk ,uskid , c)Return m




Multi-TA IBEMulti-TA BasicIdentMulti-TA Security

Multi-TA IBE

params ← CommonSetup(1k ).

T A = {tai : 1 ≤ i ≤ n} will represent the set of (labels of) TAs,where n = n(k) ∈ N.(mpk ,msk)← TASetup(params).TASetup is randomized and executed independently for each TAin T A.KeyDer, Enc, Dec: These are all as per a normal IBE scheme.





Multi-TA IBE

params ← CommonSetup(1k ).T A = {tai : 1 ≤ i ≤ n} will represent the set of (labels of) TAs,where n = n(k) ∈ N.

(mpk ,msk)← TASetup(params).TASetup is randomized and executed independently for each TAin T A.KeyDer, Enc, Dec: These are all as per a normal IBE scheme.





Multi-TA IBE

params ← CommonSetup(1k ).T A = {tai : 1 ≤ i ≤ n} will represent the set of (labels of) TAs,where n = n(k) ∈ N.(mpk ,msk)← TASetup(params).TASetup is randomized and executed independently for each TAin T A.

KeyDer, Enc, Dec: These are all as per a normal IBE scheme.





Multi-TA IBE

params ← CommonSetup(1k ).T A = {tai : 1 ≤ i ≤ n} will represent the set of (labels of) TAs,where n = n(k) ∈ N.(mpk ,msk)← TASetup(params).TASetup is randomized and executed independently for each TAin T A.KeyDer, Enc, Dec: These are all as per a normal IBE scheme.





Multi-TA BasicIdent

CommonSetup(1k ):(G,GT ,e,q,P)← PairingGen(1k ).Output params = (G,GT ,e,q,P,H1,H2,n)where H1 : {0,1}∗ → G, H2 : GT → {0,1}n for some n = n(k).MsgSp = {0,1}n, CtSp = G1 × {0,1}n, RSp = Zq .

TASetup(params)

Set s $← Zq ,Q = sP.Set mpk = (params,Q).Set msk = s.Output (mpk ,msk ).





Multi-TA BasicIdent

KeyDer(ta, id):Set uskid ,ta = mskta · H1(id).

Output uskid ,ta.

Enc(ta, id ,m):Parse mpkta as (params,Qta).

Set r $← Zq .Set T = e(H1(id),Qta)r .Output c = (rP,m ⊕ H2(T )).

Dec(ta,uskid ,ta, c):

Parse c as (U,V ).Set T = e(uskid ,ta,U).

Output m = V ⊕ H2(T ).





Multi-TA : IND-CCA security

Experiment Expm-IND-CCA-bA (k)

params ← CommonSetup(1k )

TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)

IDSetta ← ∅, CSetta ← ∅(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )

c∗ ← Enc(mpkta, id ,mb)

b′ ← ACorrupt,KeyDer,Dec(guess, c∗, state)

If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′

else return 0













else return 0








TASet ← ∅

∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params)





else return 0













else return 0









IDSetta ← ∅, CSetta ← ∅

(ta, id ,m0,m1, state)← ACorrupt,KeyDer,Dec(find,MPK )




else return 0













else return 0













else return 0













else return 0












If {m0,m1} * MsgSp or |m0| 6= |m1| or m0 = m1 then return 0

If ta /∈ TASet , id /∈ IDSetta and (id , c∗) /∈ CSetta then return b′

else return 0













else return 0






Oracle Corrupt(ta)TASet ← TASet ∪ {ta}Return mskta

Oracle KeyDer(ta, id)IDSetta ← IDSetta ∪ {id}uskid ,ta ← KeyDer(mskta, id)

Return uskid ,ta

Oracle Dec(ta, id , c)CSetta ← CSetta ∪ (id , c)uskid ,ta ← KeyDer(mskta, id)

m← Dec(mpkta,uskid ,ta, c)

Return m





Results

We know the BasicIdent and Sakai-Kasahara IBE schemes areIND-CPA secure.

We show that the multi-TA IBE schemes based on theseschemes are m-IND-CPA secure.





Results

We know the BasicIdent and Sakai-Kasahara IBE schemes areIND-CPA secure.We show that the multi-TA IBE schemes based on theseschemes are m-IND-CPA secure.





Multi-TA : RA-CCA security

Experiment Expm-RA-CCA-bA (k)



IDSetta ← ∅ and CSetta ← ∅

(ta, id0, id1,m, state)← ACorrupt,KeyDer,Dec(find,MPK )

c∗ ← Enc(mpkta, idb,m)


If m /∈ MsgSp or id0 = id1 then return 0If ta /∈ TASet , id0 /∈ IDSetta, id1 /∈ IDSetta, (id0, c∗) /∈ CSetta and(id1, c∗) /∈ CSetta then return b′ else return 0









IDSetta ← ∅ and CSetta ← ∅(ta, id0, id1,m, state)← ACorrupt,KeyDer,Dec(find,MPK )
































Results

No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.

In fact some results stating (informally) that it is not.We show that the Sakai-Kasahara IBE scheme is RA-CPA.We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.





Results

No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.In fact some results stating (informally) that it is not.

We show that the Sakai-Kasahara IBE scheme is RA-CPA.We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.





Results

No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.In fact some results stating (informally) that it is not.We show that the Sakai-Kasahara IBE scheme is RA-CPA.

We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.





Results

No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.In fact some results stating (informally) that it is not.We show that the Sakai-Kasahara IBE scheme is RA-CPA.We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.

We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.





Results

No concrete mention of the recipient anonymity of theSakai-Kasahara IBE scheme.In fact some results stating (informally) that it is not.We show that the Sakai-Kasahara IBE scheme is RA-CPA.We show that the scheme with multiple TAs based on it, meetsthe m-RA-CPA notion.We show that the scheme with multiple TAs based on theBasicIdent scheme meets the m-RA-CPA notion.





Multi-TA : TAA-CCA security

Experiment Expm-TAA-CCA-bA (k)




(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )

c∗ ← Enc(mpktab, id ,m)


If m /∈ MsgSp or ta0 = ta1 then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id /∈ IDSet ta0 , id /∈ IDSet ta1 ,(id , c∗) /∈ CSetta0

and (id , c∗) /∈ CSetta1then return b′ else

return 0









IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )





return 0














return 0














return 0





Multi-TA : TAA-RE-CCA security



TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params),IDSetta ← ∅ and CSetta ← ∅

(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )

m′ $← MsgSp with |m′| = |m|c∗ ← Enc(mpktab

, id ,m′)




return 0








TASet ← ∅∀ta ∈ T A, (mpk ta,msk ta)← TASetup(params),IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id ,m, state)← ACorrupt,KeyDer,Dec(find,MPK )


, id ,m′)




return 0









m′ $← MsgSp with |m′| = |m|

c∗ ← Enc(mpktab, id ,m′)




return 0










, id ,m′)




return 0










, id ,m′)




return 0





Lemma

Let m-IBE be a multi-TA IBE scheme that is m-IND-atk-secure andm-TAA-RE-atk-secure. Then m-IBE is also m-TAA-atk-secure. Hereatk ∈ {CPA,CCA}.





Results

We show that the schemes with multiple TAs based on theBasicIdent and Sakai-Kasahara IBE schemes, meet them-TAA-CPA notion.





Multi-TA : IND-RA-TAA-CCA security

Experiment Expm-IND-RA-TAA-CCA-bA (k)




(ta0, ta1, id0, id1,m0,m1, state)

← ACorrupt,KeyDer,Dec(find,MPK )

c∗ ← Enc(mpktab, idb,mb)


If {m0,m1} * MsgSp or |m0| 6= |m1| then return 0If (ta0 = ta1 and id0 = id1 and m0 = m1) then return 0If ta0 /∈ TASet , ta1 /∈ TASet , id0 /∈ IDSetta0

, id1 /∈ IDSetta1,

(id0, c∗) /∈ CSetta0and (id1, c∗) /∈ CSetta1

then return b′ elsereturn 0









IDSetta ← ∅ and CSetta ← ∅(ta0, ta1, id0, id1,m0,m1, state)












































LemmaLet m-IBE be a multi-TA IBE scheme that is m-IND-atk-secure,m-RA-atk-secure and m-TAA-atk-secure. Then m-IBE is alsom-IND-RA-TAA-atk-secure. Here atk ∈ {CPA,CCA}.





Results

Using all the above results, we can show that the schemes withmultiple TAs based on the BasicIdent and Sakai-Kasahara IBEschemes, meet the m-IND-RA-TAA-CPA notion.




γ-Uniformity for Multi-TA IBE

DefinitionLet Π be a multi-TA IBE scheme with space of randomness RSp.Then Π is said to be γ-uniform if, for any fixed choice of c ∈ CtSp,m ∈ MsgSp, id ∈ {0,1}∗ and ta ∈ T A, we have:

Pr[c = Enc(mpkta, id ,m; r) : r $← RSp

]≤ γ.




The Modified Fujisaki-Okamoto Conversion

Let Π = {CommonSetup,TASetup,KeyDer,Enc,Dec} be amulti-TA IBE scheme.Then Π′ = {CommonSetup′,TASetup′,KeyDer′,Enc′,Dec′}denotes a new multi-TA IBE scheme with algorithms defined asfollows.





CommonSetup′: As in CommonSetup, but in addition, we pick ahash function H : {0,1}∗ × {0,1}∗ × {0,1}l0 × {0,1}l1 → RSp.TASetup′: As in TASetup.KeyDer′: As in KeyDer.





Enc′: This algorithm takes as input mpk ta for ta ∈ T A,id ∈ {0,1}∗, and a message m ∈ {0,1}l0 . Its output is:

Enc′(mpkta, id ,m) = Enc(mpkta, id ,m||σ; H(mpk ta, id ,m, σ))

where σ $← {0,1}l1 . So Π′ has randomness space {0,1}l1 .





Dec′: Let c denote a ciphertext to be decrypted using a privatekey uskid ,ta issued by TA ta with master public key mpkta foridentity id . This algorithm works as follows:

Compute m′ = Dec(mpkta, uskid ,ta, c).

Let m = [m′]l0 and σ = [m′]l1 where [a]b and [a]b denote the firstand last b bits of a string a respectively.Test if Enc(mpkta, id ,m||σ; H(mpk ta, id ,m, σ)) = c. If not output ⊥;otherwise output m as the decryption of c.






Compute m′ = Dec(mpkta, uskid ,ta, c).Let m = [m′]l0 and σ = [m′]l1 where [a]b and [a]b denote the firstand last b bits of a string a respectively.

Test if Enc(mpkta, id ,m||σ; H(mpk ta, id ,m, σ)) = c. If not output ⊥;otherwise output m as the decryption of c.






Compute m′ = Dec(mpkta, uskid ,ta, c).Let m = [m′]l0 and σ = [m′]l1 where [a]b and [a]b denote the firstand last b bits of a string a respectively.Test if Enc(mpkta, id ,m||σ; H(mpk ta, id ,m, σ)) = c. If not output ⊥;otherwise output m as the decryption of c.




TheoremModelling H as a random oracle, if Π is a multi-TA IBE scheme that ism-IND-RA-TAA-CPA-secure and γ-uniform for some negligible γ, thenΠ′ is m-IND-RA-TAA-CCA-secure.




Results

To our knowledge no mention has been made of the anonymityproperties of IND-CCA schemes resulting from the application ofFO to BasicIdent i.e FullIdent like schemes.

Our results show that applying the modified Fujisaki-Okamototransform to m-IND-RA-TAA-CPA secure schemes based on theBasicIdent and Sakai-Kasahara schemes results in schemes thatare m-IND-RA-TAA-CCA secure.




Results

To our knowledge no mention has been made of the anonymityproperties of IND-CCA schemes resulting from the application ofFO to BasicIdent i.e FullIdent like schemes.Our results show that applying the modified Fujisaki-Okamototransform to m-IND-RA-TAA-CPA secure schemes based on theBasicIdent and Sakai-Kasahara schemes results in schemes thatare m-IND-RA-TAA-CCA secure.




Open Problems

Investigate RA of various IBE schemes both in the regular settingand setting of Multiple TAs.

Investigate TAA of multi-TA versions of IBE schemes.Standard Model schemes that satisfy TAA.




Open Problems

Investigate RA of various IBE schemes both in the regular settingand setting of Multiple TAs.Investigate TAA of multi-TA versions of IBE schemes.

Standard Model schemes that satisfy TAA.




Open Problems

Investigate RA of various IBE schemes both in the regular settingand setting of Multiple TAs.Investigate TAA of multi-TA versions of IBE schemes.Standard Model schemes that satisfy TAA.




Thank you for listening.

Thanks to anonymous referees.Questions?




Thank you for listening.Thanks to anonymous referees.

Questions?




Thank you for listening.Thanks to anonymous referees.Questions?


Documents

Security And Anonymity Of Identity-based Encryption With ...prai175/PresentationPairing2008.pdf · Security And Anonymity Of Identity-based Encryption With Multiple Trusted Authorities