Post on 21-Dec-2015
Strongly Secure Certificateless Encryption
Alexander W. Dent
Information Security Group
This is joint work with…
Benoit Libert, UCL, Belgium
Kenny Paterson, Royal Holloway
Table of Contents
• Certificateless encryption (7 slides)
• A theoretical construction (4 slides)
• A practical construction (1 slide)
• Conclusions (2 slides)
Certificateless Encryption
Certificateless Encryption
• Public-key encryption
  – Receivers generate their own keys
  – Senders are required to download certificates
• Identity-based encryption
  – KGC generates decryption keys
  – Inherent key escrow problem
  – Senders not required to download certificates
  – Revocation could be a problem
Certificateless Encryption
• Certificateless encryption
  – Each user generates their own public key from a randomly generated “secret value”.
  – KGC provides a partial private key for a user’s identity.
  – Encryption requires the user’s public key and the user’s identity.
  – Decryption requires a private key based on the user’s secret value and partial private key.
Certificateless Encryption
• Certificateless encryption
  – Senders not required to download certificates
  – No inherent key escrow problem
  – Revocation potentially still a problem
• Two security models:
  – Security against an outsider attacker
  – Security against a KGC
Certificateless Encryption
[Diagram: the attacker's oracles, shown as query → response]
• Encryption oracle: (ID*, m_0, m_1) → C*
• Extract partial private key: ID → d_ID
• Extract full private key: ID → sk_ID
• Request public key: ID → pk_ID
• Replace public key: (ID, pk_ID)
• Decrypt: C → m
Certificateless Encryption
• Assume queries that trivially win the game are not allowed:
  – E.g. finding the full private key for ID*.
  – E.g. finding the partial private key for ID* and replacing the challenge public key.
  – E.g. finding the decryption of C*.
• Similar model for the KGC. Attacker is given the KGC’s master private key.
Certificateless Encryption
• How do we define the decrypt oracle?
  – Original paper defined the decryption oracle as decrypting ciphertexts using the private key associated with the current public key.
  – Known as strong decryption oracle.
  – Doesn’t appear to reflect any realistic attack.
  – Several schemes secure in the random oracle model using strong decryption oracles.
  – We provide the first standard-model schemes.
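The three example restrictions on trivially winning queries and the "current public key" behaviour of the strong decryption oracle, written as query bookkeeping. This is an added example, not code from the talk: the class and method names are hypothetical, keys and ciphertexts are placeholder strings, no cryptography is performed, and it assumes that "replacing the challenge public key" means the key was replaced before the challenge was issued and that only the slide's three restrictions apply.

```python
class OutsiderGameLog:
    """Query bookkeeping for the outsider-attacker game (no real cryptography)."""

    def __init__(self):
        self.pk = {}            # ID -> current public key
        self.replaced = set()   # IDs whose current key was supplied by the attacker
        self.partial = set()    # IDs whose partial private key was extracted
        self.full = set()       # IDs whose full private key was extracted
        self.challenge = None   # (ID*, pk*, C*) once the challenge is issued
        self.challenge_pk_replaced = False

    def request_public_key(self, ident):
        # Constructed placeholder string standing in for a real public key.
        return self.pk.setdefault(ident, f"pk[{ident}]")

    def replace_public_key(self, ident, new_pk):
        self.pk[ident] = new_pk
        self.replaced.add(ident)
        return True

    def extract_partial(self, ident):
        # Refused for ID* when the challenge public key was a replaced one.
        if self.challenge and ident == self.challenge[0] and self.challenge_pk_replaced:
            return False
        self.partial.add(ident)
        return True

    def extract_full(self, ident):
        # Refused for ID*: the full private key decrypts C* directly.
        if self.challenge and ident == self.challenge[0]:
            return False
        self.full.add(ident)
        return True

    def issue_challenge(self, ident, c_star):
        replaced = ident in self.replaced
        if ident in self.full or (replaced and ident in self.partial):
            return False        # attacker already holds enough to decrypt C*
        self.challenge = (ident, self.request_public_key(ident), c_star)
        self.challenge_pk_replaced = replaced
        return True

    def decrypt(self, ident, c):
        # Strong oracle: answered under the *current* public key for ident,
        # so only the exact triple (ID*, pk*, C*) is refused.
        return (ident, self.request_public_key(ident), c) != self.challenge
```

Each method returns True when the query is admissible and False when it would trivially win the game.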
Certificateless Encryption
• Why is this an interesting problem?
  – The original security model.
  – Intellectual challenge: several papers and informal conversations have suggested that the community thinks this can’t be achieved.
  – Model with non-polynomial-time challenger.
  – Proves security in weaker models.
Theoretical Construction
Theoretical Construction
• We use a Naor-Yung/Sahai construction.
• Use multiple passively secure encryption schemes and a NIZK proof system.
• One passively secure certificateless encryption scheme: CE.
• Two instances of a passively secure public-key encryption scheme: E.
Theoretical Construction
• ID and pk are the user’s identity and public key.
• mpk1 and mpk2 are part of the system parameters
• Decryption process uses the certificateless encryption scheme
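[Diagram: the message m is input to CE (with ID and pk) and to two instances of E (with mpk1 and mpk2), producing ciphertexts C1, C2 and C3, together with a NIZK proof that (C1,C2,C3) are all encryptions of the same message.]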
Theoretical Construction
• Two independent instances of the public-key encryption scheme required for strong decryption oracles.
• This could be replaced with one instance of an IND-CCA2 secure public-key encryption scheme.
• One instance of the public-key encryption scheme is sufficient for weaker models.
Theoretical Construction
• Passively secure certificateless encryption schemes can be constructed from passively secure public-key encryption and identity-based encryption [LQ06].
• Passively secure public-key encryption schemes can be constructed from trapdoor one-way functions [GL89].
• NIZK can be constructed from trapdoor one-way permutations [FLS99,BY96,S99].
Practical Construction
Practical Construction
• Based on a 2-level Waters HIBE.
• Chosen ciphertext security achieved using Boyen-Mei-Waters techniques.
• Underlying assumptions:
  – 3-Party DDH assumption in a pairing group: “Given randomly chosen (g^x, g^y, g^z), distinguish g^(xyz) from a random element”.
  – Collision resistant hash functions.
Conclusions
Conclusions
• It is possible to build certificateless encryption schemes that are secure with strong decryption oracles in the standard model.
  – Is it really necessary to improve on the constructions?
  – Intellectual challenge: is it possible to prove security in a model where the KGC is allowed to pick the system parameters adversarially?
Conclusions
• Certificateless encryption schemes exist provided that trapdoor one-way permutations exist and passively secure identity-based encryption exists.
  – We are unaware of any proof that gives minimal conditions for identity-based encryption to exist.
  – Can we find minimal assumptions for the existence of certificateless encryption?
Questions?