Anonymity from Asymmetry: New Constructions for Anonymous HIBE

SLIDE 1

Introduction Anonymous IBE Construction Extension to HIBE and HVE Conclusion

Anonymity from Asymmetry: New Constructions for Anonymous HIBE
Ducas Léo, Ecole Normale Superieure, Paris
February 23, 2010

Ducas Léo, Ecole Normale Superieure, Paris Anonymity from Asymmetry: New Constructions for Anonymous HIBE

SLIDE 2

Plan

1. Introduction
2. Anonymous IBE Construction
3. Extension to HIBE and HVE
4. Conclusion

SLIDE 7

Identity Based Encryption

IBE (Identity Based Encryption System):
  • any string can be used as a public key (knowing some public parameters)
  • corresponding private keys are derived from a master secret

HIBE (Hierarchical Identity Based Encryption System):
  • public keys are lists of strings, forming a tree
  • a private key for a node allows derivation of private keys for all children nodes

SLIDE 8

Anonymity for (H)IBE

Anonymity: the ciphertext should not reveal information about the public key used to encrypt.
  • Building block for search-on-encrypted-data systems.
  • Generalizable to Hidden Vector Encryption systems.

SLIDE 9

(H)IBE construction using pairing

Non-anonymous constructions:
  • Boneh & Franklin [BF03] (Bilinear-DH assumption, ROM)
  • Boneh & Boyen [BB04] a.k.a. BB1 (Bilinear-DH assumption)
  • Waters [Wat05] (Bilinear-DH assumption)
  • Boneh, Boyen & Goh [BBG05] (Bilinear-DH Exponent assumption)

Anonymous constructions:
  • Boyen & Waters [BW06] (linear assumption)
  • Shi & Waters [SW08] (Composite DH assumption)
  • Seo et al. [SKOS09] (composite DH assumption)

SLIDE 13

Non-anonymity of BB1

Given a bilinear map $e : G \times G \to G_t$ and a generator $g \in G$.

Setup: Choose random $\alpha, \beta, \gamma, \delta \in \mathbb{Z}_p$, set $g_1 = g^\alpha$, $g_2 = g^\beta$, $h = g^\gamma$, $f = g^\delta$. Output $PP = (g, g_1, g_2, h)$, $mk = g^{\alpha\beta}$.

Extract(I): Choose random $r \in \mathbb{Z}_p$. Output $d_I = (mk \cdot (h^I \cdot f)^r,\ g^r)$.

Encrypt(M, I): To encrypt $M \in G$, choose $s \in \mathbb{Z}_p$ and compute $C = (M \cdot e(g_1, g_2)^s,\ g^s,\ (h^I \cdot f)^s)$.

$e(g^s, h^{I'} f) = e(g, (h^I f)^s)$ iff $I = I'$. With a symmetric pairing, anonymity is broken.
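
Added example (not from the slides): the identity test above, run in a toy model where every group element is stored as its exponent modulo a prime, so the symmetric pairing becomes multiplication of exponents. The modulus, the function names and the choice to treat f as public (Encrypt needs it, although the slide's PP omits it) are assumptions; the model is insecure and only checks the algebra.

```python
import secrets

# Toy model, insecure by design: g^x in G (or e(g,g)^x in Gt) is stored as
# x mod P, so e(g^a, g^b) = e(g,g)^(ab) becomes a*b mod P.
P = 2**127 - 1  # constructed prime standing in for the group order p

def rand_exp():
    return secrets.randbelow(P - 1) + 1  # uniform in [1, P-1]

def pair(a, b):
    return (a * b) % P

def bb1_setup():
    alpha, beta, gamma, delta = (rand_exp() for _ in range(4))
    # Assumption: f is published alongside (g, g1, g2, h), since Encrypt uses it.
    return {"g": 1, "g1": alpha, "g2": beta, "h": gamma, "f": delta}

def bb1_encrypt(pp, m, identity):
    s = rand_exp()
    c0 = (m + s * pair(pp["g1"], pp["g2"])) % P       # M * e(g1, g2)^s
    c1 = (s * pp["g"]) % P                            # g^s
    c2 = (s * (identity * pp["h"] + pp["f"])) % P     # (h^I * f)^s
    return c0, c1, c2

def ciphertext_is_for(pp, ct, guess):
    """Test from the slide: e(g^s, h^I' * f) == e(g, (h^I * f)^s)."""
    _, c1, c2 = ct
    lhs = pair(c1, (guess * pp["h"] + pp["f"]) % P)
    rhs = pair(pp["g"], c2)
    return lhs == rhs

def identities_consistent_with(pp, ct, candidates):
    """Candidate identities (elements of Z_p) that pass the public test."""
    return [i for i in candidates if ciphertext_is_for(pp, ct, i)]
```

The test uses only public parameters and the ciphertext, which is why a scheme meant to hide the recipient cannot use BB1 over a symmetric pairing as it stands.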

SLIDE 14

Contribution

  • Tweak on BB1 [BB04] IBE to make it provably anonymous with an asymmetric pairing.
  • Adapt it to the hierarchical version, also giving a Hidden Vector Encryption system.
  • The tweak is also applicable to the [BBG05] construction, giving an efficiency trade-off alternative for anonymous HIBE.

SLIDE 16

Assumption

Given a bilinear map $e : G \times \hat{G} \to G_t$ and generators $g \in G$, $\hat{g} \in \hat{G}$.

Our assumption: for random $a, b, c \in \mathbb{Z}_p$ and $T \in G$, it is hard to distinguish between

$D_N := (g, g^a, g^{ab}, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, g^{abc}) \in G^4 \times \hat{G}^3 \times G$

$D_R := (g, g^a, g^{ab}, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, T) \in G^4 \times \hat{G}^3 \times G$

Composition of two classic assumptions: decisional-BDH and decisional-XDH.

SLIDE 19

The tweak

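Setup: Choose random $\alpha, \beta, \gamma, \delta, \eta \in \mathbb{Z}_p$, set $g_1 = g^\alpha$, $g_2 = g^\beta$, $h = g^\gamma$, $f = g^\delta$, $t = g^\eta$ and analogues $\hat{g}_1 = \hat{g}^\alpha, \ldots$. Output $PP = (g, g_1, h, f, t, \hat{g}, \hat{g}_2, \hat{h}) \in G^5 \times \hat{G}^3$ and $mk = (\hat{g}_0 = \hat{g}^{\alpha\beta}, \hat{f}, \hat{t}) \in \hat{G}^3$.

Extract(I): Choose random $r, R \in \mathbb{Z}_p$. Output $d_I = (\hat{g}_0 (\hat{h}^I \hat{f})^r \hat{t}^R,\ \hat{g}^r,\ \hat{g}^R)$.

Encrypt(M, I): To encrypt $M \in G$, choose $s \in \mathbb{Z}_p$ and compute $C = (M \cdot e(g_1, \hat{g}_2)^s,\ g^s,\ (h^I f)^s,\ t^s)$.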
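
Added example (not from the slides): a round trip through the tweaked scheme in an exponent-only toy model, plus the BB1-style identity test, which here needs f̂ from the master key. The Decrypt formula is derived from Extract and Encrypt and does not appear on the slides; the modulus and function names are assumptions, and the model is insecure and only checks the algebra.

```python
import secrets

# Insecure toy model: elements of G, Ĝ and Gt are stored as exponents mod P,
# so e(g^a, ĝ^b) = e(g, ĝ)^(ab) becomes a*b mod P.
P = 2**127 - 1  # constructed prime standing in for the group order p

def rand_exp():
    return secrets.randbelow(P - 1) + 1

def pair(a, b_hat):
    return (a * b_hat) % P

def setup():
    alpha, beta, gamma, delta, eta = (rand_exp() for _ in range(5))
    pp = {"g": 1, "g1": alpha, "h": gamma, "f": delta, "t": eta,  # in G
          "g_hat": 1, "g2_hat": beta, "h_hat": gamma}             # in Ĝ
    mk = {"g0_hat": alpha * beta % P, "f_hat": delta, "t_hat": eta}
    return pp, mk

def extract(pp, mk, identity):
    r, R = rand_exp(), rand_exp()
    hf = identity * pp["h_hat"] + mk["f_hat"]                     # ĥ^I f̂
    d0 = (mk["g0_hat"] + r * hf + R * mk["t_hat"]) % P            # ĝ0 (ĥ^I f̂)^r t̂^R
    return d0, r, R                                               # ..., ĝ^r, ĝ^R

def encrypt(pp, m, identity):
    s = rand_exp()
    return ((m + s * pair(pp["g1"], pp["g2_hat"])) % P,           # M * e(g1, ĝ2)^s
            s * pp["g"] % P,                                      # g^s
            s * (identity * pp["h"] + pp["f"]) % P,               # (h^I f)^s
            s * pp["t"] % P)                                      # t^s

def decrypt(key, ct):
    # Derived here: M = c0 * e(c2, d1) * e(c3, d2) / e(c1, d0)
    d0, d1, d2 = key
    c0, c1, c2, c3 = ct
    return (c0 + pair(c2, d1) + pair(c3, d2) - pair(c1, d0)) % P

def matches_given_f_hat(pp, f_hat, ct, guess):
    # BB1-style test e(g^s, ĥ^I' f̂) == e((h^I f)^s, ĝ); f̂ is in mk, not in PP
    _, c1, c2, _ = ct
    return pair(c1, (guess * pp["h_hat"] + f_hat) % P) == pair(c2, pp["g_hat"])
```

The pair (t^s, ĝ^R) cancels the t̂^R factor of the key in the same way (h^I f)^s and ĝ^r cancel the identity term.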

SLIDE 22

Heuristic security proof

Random exponent to protect secrets during extraction: $(\hat{g}_0 \cdot (\hat{h}^I \hat{f})^r \cdot \hat{t}^R,\ \hat{g}^r,\ \hat{g}^R)$ (semantic security, similar to BB1)

Proof in a sequence of 4 games.

SLIDE 25

Problem

HIBE from [BBG05]: different $h_i$ for each level $i$ of the hierarchy. In this IBE, $h$ and $\hat{h}$ are public ⇒ direct adaptation of the tweak.

Hierarchical BB1: different $f_i$ for each level $i$ of the hierarchy. Problem: $f$ is public, $\hat{f}$ is secret, but $\hat{f}_{i+1}$ would be needed to delegate from level $i$ to level $i + 1$.

SLIDE 26

Solution

For a 2-level HIBE, and without re-randomization.

SLIDE 27

Efficiency of non-anonymous HIBE

d : depth, k : key size, m : ciphertext size, h : hypothesis size

SLIDE 28

Efficiency of anonymous HIBE

d : depth, k : key size, m : ciphertext size, h : hypothesis size

SLIDE 30

Comparison with other anonymous constructions

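| construction | group order | assumption | key size | cipher size |
|---|---|---|---|---|
| BB1 based IBE | prime | P-BDH | $3$ | $4$ |
| BB1 based dHVE | prime | P-BDH | $\sim \ell^2$ | $\ell + 3$ |
| BBG based HIBE | prime | Pℓ-BDH | $\sim 3\ell$ | $4$ |
| Hybrid BBG-based HIBE | prime | P⌈√ℓ⌉-BDH | $\sim \ell$ | $\sim \sqrt{\ell}$ |
| HIBE from [BW06] | prime | linear-BDH | $\sim 2\ell^2$ | $\sim 2\ell$ |
| dHVE from [SW08] | composite | composite-BDH | $\sim \ell^2$ | $\sim \ell$ |
| HIBE from [SKOS09] | composite | composite-BDH | $\sim 3\ell$ | $4$ |

Sizes are expressed in group elements.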

SLIDE 31

Acknowledgments

This work was done while the author was visiting Stanford University. I would like to express my gratitude to Dan Boneh, who gave me precious advice all along this work. Stanford University staff also deserves some thanks for welcoming me at the Computer Science lab for this internship. Finally, I would like to thank the anonymous reviewers for their wise comments on this paper.

SLIDE 32

Bibliography

[BB04] Dan Boneh and Xavier Boyen. Efficient selective-ID identity based encryption without random oracles. In Advances in Cryptology—EUROCRYPT 2004, 2004.

[BBG05] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with constant size ciphertext. In Advances in Cryptology—EUROCRYPT 2005, LNCS, 2005.

[BF03] Dan Boneh and Matt Franklin. Identity-based encryption from the Weil pairing. SIAM Journal of Computing, 32(3), 2003. Preliminary version in Crypto’01.

[BW06] Xavier Boyen and Brent Waters. Anonymous hierarchical identity-based encryption (without random oracles). In Advances in Cryptology—CRYPTO 2006, 2006.

[SKOS09] Jae Hong Seo, Tetsutaro Kobayashi, Miyako Ohkubo, and Koutarou Suzuki. Anonymous hierarchical identity-based encryption with constant size ciphertexts. In Irvine: Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography, 2009.

[SW08] Elaine Shi and Brent Waters. Delegating capabilities in predicate encryption systems. In ICALP ’08: Proceedings of the 35th international colloquium on Automata,
