identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext...
TRANSCRIPT
1
Identity-based encryption with (almost) tight security in the multi-instance,
multi-ciphertext setting
Dennis Hofheinz, Jessica Koch, Christoph Striecks
Karlsruhe Institute of Technology, Germany
2
Overview
• Identity-Based Encryption (IBE)
• Tight Security
• Underlying IBE-Scheme by Chen and Wee - Proof Idea
• Result: (almost) Tight Security for Multi-Instance, Multi-Ciphertext IBE
3
Identity-Based Encryption (IBE)
4
IBE-IND-CPA Security
C* for id*
M0 or M1 ? succ.prob = + ε1
5
Multi-Instance, Multi-Ciphertext IBE-IND-CPA Security
M0i,c or M1
i,c?succ.prob = + εmulti
6
Tight Security. . .
. . .
Ni instances
Nc chall. ciphertexts
Nu user secret keyssecurity proof = reduction to hard problem (adv. = εP)
attack adv. ε1 = Nu·εP (generic)
attack adv. εmulti = Ni·Nc·ε1 = Ni·Nc·Nu·εP
attacks potentiallyeasier
7
Tight Security
• Our goal: tight security i.e. εmulti ≈ εP
independent of Ni, Nc, Nu
→ smaller keys, smaller groups …• recently: (somewhat) tightly secure multi-
instance/multi-ciphertext PKE [HJ12, LJYP14]• [Chen,Wee13]: somewhat tightly secure IBE 1 instance/1 ciphertext: ε1 ≈ Nu·εP
8
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
depends on idi = i and position
ii
9
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
normal C*:
normal usk:
type i C*: 1* … i*
type i usk: 1 … i
id|i* = 1*… i*
id|i = 1 … i
same typeid|i* = id|i
Decryption
start with real security game → change all usks and C*
10
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
normal C*:
normal usk:
type i C*:
type i usk:
id|i* = 1*… i*
id|i = 1 … i
same typeid|i* = id|i
Decryption
start with real security game → change all usks and C*
11
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
normal C*:
normal usk:
type i C*:
type i usk:
id|i* = 1*… i*
id|i = 1 … i
same typeid|i* = id|i
same typeid|i* ≠ id|i
Decryption
1* … i*
1 … i
start with real security game → change all usks and C*
12
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
normal C*:
normal usk:
type i C*:
type i usk:
id|i* = 1*… i*
id|i = 1 … i
same typeid|i* = id|i
same typeid|i* ≠ id|i
Decryption
1* i*
1 i
start with real security game → change all usks and C*
13
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
normal C*:
normal usk:
type i C*:
i+1type i+1 usk:
id|i* = 1*… i*
id|i+1 = 1 … i+1
same typeid|i* = id|i
same typeid|i* ≠ id|i
different typeid|i+1* = id|i+1
Decryption
1* … i*
1 … i
start with real security game → change all usks and C*
14
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
normal C*:
normal usk:
type i C*:
type i+1 usk:
id|i* = 1*… i*
id|i+1 = 1 … i+1
same typeid|i* = id|i
same typeid|i* ≠ id|i
different typeid|i+1* = id|i+1
Decryption
i+1
start with real security game → change all usks and C*
15
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
normal C*:
normal usk:
type n C*:
type n usk:
id* = 1*… n*
id = 1 … n
1* … n*
1 … n
start with real security game → change all usks and C*
id* ≠ id for all usks
16
Proof Idea of Chen and WeeSequence of games depending on n-bit identity id = 1…n :
normal
normal C*:
normal usk:
type n C*:
type n usk:
id* = 1*… n*
id = 1 … n
1* n*
1 n
start with real security game → change all usks and C*
→ usks useless for decryption → replace C* by random → Adversary can only guess
id* ≠ id for all usks
17
Proof Idea of Chen and WeeGame hop: type i → type i+1
1* … i* i+1
1 … i1 … i i+1
Chall. C*:
usk:
=
Simulator embeds own challenge
i+1
i+1
Game i
Game i+1
Simulator can test on its own
1* … i*test usk*:
test C:
i+1Decryption:
Decryption:
18
Proof Idea of Chen and WeeGame hop: type i → type i+1
i+1
i+1
Chall. C*:
usk:
=
Simulator embeds own challenge
i+1
i+1
Game i
Game i+1
Simulator can test on its own
test usk*:
test C:
i+1Decryption:
Decryption:
19
Proof Idea of Chen and WeeGame hop: type i → type i+1
Chall. C*:
usk:
=
Simulator embeds own challenge
i+1
i+1
Game i
Game i+1
Simulator can test on its own
test usk*:
test C:
i+1Decryption:
Decryption:
i+1
i+1
20
Proof Idea of Chen and WeeGame hop: type i → type i+1
Chall. C*:
usk:
=
Simulator embeds own challenge
i+1
i+1
Game i
Game i+1
Simulator can test on its own
test usk*:
test C:
i+1Decryption:
Decryption:
i+1
i+1
21
Our ApproachProblem for multi-instance, multi-ciphertext:
Guessing of id*i+1: 1. for each instance → loss = 2Ni
2. different chall. ciphertexts have different id-bits
→ generation is not possible
Our solution: distribute randomness into 2 compartments
≈
22
Our ApproachSolution: no guessing
id*i+1 = 0 id*i+1 = 1Simulatorgets:
i+1
C*: 1* … i* i+1
usk: 1 … i i+1 1 … i
i+1 i+1
1* … i* i+1
1 … i1 … i i+1
type i = type i+1
type i = type i+1
i+1
noreaction
noreaction
type i ≠ type i+1 type i ≠ type i+1
23
Our ApproachSolution: no guessing
id*i+1 = 0 id*i+1 = 1Simulatorgets:
i+1
C*:
usk: 1 … i
i+1 i+1
1 … i i+1
type i = type i+1
type i = type i+1
noreaction
noreaction
type i ≠ type i+1 type i ≠ type i+1
24
Conclusion
• first fully secure multi-instance, multi-ciphertext IBE with loss О(n) for n-bit identities under a simple assumption
• no guessing
• О(n) reductions: n = length of identity → loss independent of the number of ciphertexts , instances and usk-queries
25