hibe with tight multi challenge security
play

HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich - PowerPoint PPT Presentation

Aug 04, 2023 •308 likes •997 views

HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich (Switzerland), Part of the work done at KIT (Karlsruhe, Germany) Jiaxin Pan NTNU (Trondheim, Norway) Roman Langrehr, Jiaxin Pan 2020-06-01 1 Outline (H)IBE Tight

  1. HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich (Switzerland), Part of the work done at KIT (Karlsruhe, Germany) Jiaxin Pan NTNU (Trondheim, Norway) Roman Langrehr, Jiaxin Pan 2020-06-01 1

  2. Outline (H)IBE Tight multi-challenge security Related works The difficulty Our solution Future work Roman Langrehr, Jiaxin Pan 2020-06-01 2

  3. Identity-based encryption mpk Alice Bob • Alice needs to obtain only the usk Bob master public key • Encryption with identities (e.g. e-mail address) Trusted Third Party Roman Langrehr, Jiaxin Pan 2020-06-01 3

  4. Hierarchical Identity-based encryption k Bob Alice Bob s u mpk • Hierarchy of key generators usk Trusted Third Party Roman Langrehr, Jiaxin Pan 2020-06-01 4

  5. Key delegation Identities have the form (id 1 , . . . , id p ). ε (0 . . . 0) · · · (1 . . . 1) (0 . . . 0 , 0 . . . 0) · · · (0 . . . 0 , 1 . . . 1) (1 . . . 1 , 0 . . . 0) · · · (1 . . . 1 , 1 . . . 1) . . . . . . . . . . . . • Each user can generate keys for its children Roman Langrehr, Jiaxin Pan 2020-06-01 5

  6. Security game (IND-HID-CPA) Challenger Adversary mpk id $ b ← { 0 , 1 } • The adversary must not ask usk[id] user secret keys for prefixes of id ⋆ , m 0 , m 1 challenge identities (id ⋆ ). $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 6

  7. Security game (IND-HID-CPA) Challenger Adversary mpk id $ b ← { 0 , 1 } • The adversary must not ask usk[id] user secret keys for prefixes of id ⋆ , m 0 , m 1 challenge identities (id ⋆ ). • IND-HID-CCA is easy once $ C ⋆ ← Enc(mpk , id ⋆ , m b ) you have IND-HID-CPA. b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 6

  8. Tight security Scheme Assumption Reduction (e.g. HIBE) (e.g. Diffie-Hellman) Roman Langrehr, Jiaxin Pan 2020-06-01 7

  9. Tight security Scheme Assumption Reduction (e.g. HIBE) (e.g. Diffie-Hellman) Can be broken with Can be broken with probability ε using resources ρ . probability ε/ℓ using resources ρ . Roman Langrehr, Jiaxin Pan 2020-06-01 7

  10. Tight security Scheme Assumption Reduction (e.g. HIBE) (e.g. Diffie-Hellman) Can be broken with Can be broken with probability ε using resources ρ . probability ε/ℓ using resources ρ . Larger security loss requires larger security parameter. Security loss ℓ can depend on: • scheme parameters (e.g. maximum hierarchy depth L ) • λ : the security parameter • the attacker’s resources (e.g. # user secret key queries Q k or # challenge ciphertext queries Q c ) Roman Langrehr, Jiaxin Pan 2020-06-01 7

  11. Tight security Scheme Assumption Reduction (e.g. HIBE) (e.g. Diffie-Hellman) Can be broken with Can be broken with probability ε using resources ρ . probability ε/ℓ using resources ρ . Larger security loss requires larger security parameter. Tight security: Security loss ℓ can depend on:  • scheme parameters (e.g. maximum hierarchy depth L )   allowed • λ : the security parameter � • the attacker’s resources (e.g. # user secret key queries Q k not allowed or # challenge ciphertext queries Q c ) Roman Langrehr, Jiaxin Pan 2020-06-01 7

  12. Multi-challenge security Challenger Adversary mpk id $ ← { 0 , 1 } b usk[id] id ⋆ , m 0 , m 1 $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 8

  13. Multi-challenge security Challenger Adversary mpk id $ ← { 0 , 1 } b usk[id] Single-challenge security id ⋆ , m 0 , m 1 Multi-challenge security $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 8

  14. Multi-challenge security Challenger Adversary mpk id $ ← { 0 , 1 } b usk[id] Single-challenge security id ⋆ , m 0 , m 1 generic: O ( Q c ) loss Multi-challenge security $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 8

  15. Multi-challenge security Challenger Adversary mpk id $ ← { 0 , 1 } b usk[id] Single-challenge security id ⋆ , m 0 , m 1 generic: O ( Q c ) loss Multi-challenge security $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Tight multi-instance security: Easy to achieve by rerandomizing the master public key. Roman Langrehr, Jiaxin Pan 2020-06-01 8

  16. History: HIBE HIBEs in prime-order pairing groups: [Wat09], [CW13], [BKP14] O ( Q k ) (single-challenge) [Lew12], [GCTC16] O ( Q k L ) (single-challenge) O ( nL 2 ) resp. O ( nL ) (single-challenge) [LP19] O ( nL 2 ) (multi-challenge) This work • Q k : # user secret key queries • L : maximum hierarchy depth • n : Bit-length of the identities Roman Langrehr, Jiaxin Pan 2020-06-01 9

  17. History: Tight IBE Tight IBEs in prime-order pairing groups: [CW13], [BKP14] O ( n ) (single-challenge) [AHY15], [GCD + 16], [GDCC16], [HJP18] O ( n ) (multi-challenge) • n : Bit-length of the identities Roman Langrehr, Jiaxin Pan 2020-06-01 10

  18. History: Tight IBE Tight IBEs in prime-order pairing groups: [CW13], [BKP14] O ( n ) (single-challenge) [AHY15], [GCD + 16], [GDCC16], [HJP18] O ( n ) (multi-challenge) • n : Bit-length of the identities ? Tight single-challenge HIBE + Tight multi-challenge IBE → Tight multi-challenge HIBE Roman Langrehr, Jiaxin Pan 2020-06-01 10

  19. IND-HID-CPA security for (H)IBE The challenge: • The reduction must answer user secret key queries for id 1 , . . . , id Q k . • The reduction must take advantage of the adversaries decryption capabilities for id ⋆ 1 , . . . , id ⋆ Q c . • The adversary adaptively chooses id 1 , . . . , id Q k and id ⋆ 1 , . . . , id ⋆ Q c . Roman Langrehr, Jiaxin Pan 2020-06-01 11

  20. Partitioning • Different parts use ”slightly different“ secret key. • A usk key from one part is not helpful for decrypting a ciphertext from a different part. Roman Langrehr, Jiaxin Pan 2020-06-01 12

  21. Partitioning • Different parts use ”slightly different“ secret key. • A usk key from one part is not helpful for decrypting a ciphertext from a different part. Initial Intermediate Final One partition Separated from Queried user secret key Challenge ciphertext Roman Langrehr, Jiaxin Pan 2020-06-01 12

  22. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  23. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  24. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  25. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  26. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  27. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  28. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  29. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  30. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 14

  31. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss id 1 = 0 id 1 = 1 Roman Langrehr, Jiaxin Pan 2020-06-01 14

  32. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss id 2 = 0 id 2 = 1 Roman Langrehr, Jiaxin Pan 2020-06-01 14

  33. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 14

  34. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 14

  35. Partitioning techniques 1. Embedding a challenge of the underlying assumption. . . – . . .in a part of the msk that appears only in user secret keys with id i = b . – . . .“reacts” with the randomness of the usk resp. ciphertext. Roman Langrehr, Jiaxin Pan 2020-06-01 15

  36. Partitioning techniques 1. Embedding a challenge of the underlying assumption. . . – . . .in a part of the msk that appears only in user secret keys with id i = b . – . . .“reacts” with the randomness of the usk resp. ciphertext. 2. Choose randomness of a subspace [GHKW16] – hides part of the msk from usk queries. Roman Langrehr, Jiaxin Pan 2020-06-01 15

  37. Usage in the single-challenge setting Tight IBE: Scheme Challenge queries usk queries [CW13],[BKP14] (information-theoretic) Embedding a challenge Roman Langrehr, Jiaxin Pan 2020-06-01 16

  38. Usage in the single-challenge setting Tight IBE: Scheme Challenge queries usk queries [CW13],[BKP14] (information-theoretic) Embedding a challenge Tight HIBE: Scheme Challenge queries usk queries [LP19] (information-theoretic) Subspace Roman Langrehr, Jiaxin Pan 2020-06-01 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anonymity from Asymmetry: New Constructions for Anonymous HIBE Ducas L eo, Ecole Normale

Anonymity from Asymmetry: New Constructions for Anonymous HIBE Ducas L eo, Ecole Normale

Introduction Anonymous IBE Construction Extension to HIBE and HVE Conclusion Anonymity from Asymmetry: New Constructions for Anonymous HIBE Ducas L eo, Ecole Normale Superieure, Paris February 23, 2010 Ducas L eo, Ecole Normale

366 views • 32 slides
Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee KAIST Outline Introduction - Message Authentication Code - Double-block Hash-then-Sum paradigm Our Contribution - Tight security proof of

394 views • 24 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1 Dominique Schr 1 Saarland University 2 Horst G ortz Institute for IT Security, Ruhr-University Bochum December 9, 2014 (Informal) main Result The

1.35k views • 36 slides
Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at Chicago Thanks to: NSF CCR9983950 NSF DMS0140542 NSF ITR0716498 Alfred P. Sloan Foundation Warning: Springer mangled the

589 views • 19 slides
Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object

Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object

Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object Tracking Origins SONAR, RADAR Given a raw stream of sensory data: Localize objects Estimate object identities over time

340 views • 16 slides
On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven Schge Ruhr-University Bochum EUROCRYPT 2016 1 Tight Cryptographic Reduc:ons 1. Define a security model 2. Prove: efficient a/acker A

835 views • 48 slides
Multi-level modeling with MELANEE A Contribution to the MULTI2018 Challenge Arne Lange, Colin

Multi-level modeling with MELANEE A Contribution to the MULTI2018 Challenge Arne Lange, Colin

Multi-level modeling with MELANEE A Contribution to the MULTI2018 Challenge Arne Lange, Colin Atkinson The Challenge model a bicycle shop in a multi-level fashion fulfill requirements, if necessary with the help of a constraint language

753 views • 16 slides
Tight Space-Approximation Tradeoff for the Multi-Pass Streaming Set Cover Problem Sepehr Assadi

Tight Space-Approximation Tradeoff for the Multi-Pass Streaming Set Cover Problem Sepehr Assadi

Tight Space-Approximation Tradeoff for the Multi-Pass Streaming Set Cover Problem Sepehr Assadi University of Pennsylvania Sepehr Assadi (Penn) PODS 2017 The Set Cover Problem Input: A collection of m sets S 1 , . . . , S m from a universe [ n

979 views • 97 slides
Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid, Dahmun Goudarzi, and Matthieu Rivain dahmun.goudarzi@pqshield.com 1 Side-Channel Attacks and Higher-Order Masking in 1 in 2 in 3

655 views • 52 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound

SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound

SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound Harikrishna Narasimhan and Shivani Agarwal Department of Computer Science and Automation Indian Institute of Science, Bangalore Receiver Operating

1.12k views • 90 slides
Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing

Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing

Enabling Grids for E-sciencE Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing OSCT Security Workshop on 7 th March in Taipei www.eu-egee.org 1 Jinny Chien, ASGC Training and Dissemination

1.05k views • 39 slides
Collaborative Learning with Limited Interaction: Tight Bounds for Distributed Exploration in

Collaborative Learning with Limited Interaction: Tight Bounds for Distributed Exploration in

Collaborative Learning with Limited Interaction: Tight Bounds for Distributed Exploration in Multi-Armed Bandits Chao Tao, Qin Zhang Yuan Zhou IUB UIUC Nov. 10, 2019 FOCS 2019 1-1 Collaborative Learning One of the most important tasks in

979 views • 70 slides
Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian

Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian

History of WCS Outline Known Security Analysis Our Works Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian Statistical Institute, Kolkata CRYPTO 2018 History of WCS Outline Known Security Analysis Our

834 views • 57 slides
The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis

The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis

INFORMATION SECURITY The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis Information Security Practice Thursday, April 14, 2016 General Information Share the webinar Questions: Submit your

420 views • 14 slides
2/10/20 L.O To use Roman numerals -I can think of examples where Roman numerals will be used

2/10/20 L.O To use Roman numerals -I can think of examples where Roman numerals will be used

2/10/20 L.O To use Roman numerals -I can think of examples where Roman numerals will be used L.O To use Roman numerals 2/10/20 Starter Where might you see Roman numerals used? L.O To use Roman numerals 2/10/20 For this lesson I am looking

167 views • 15 slides
Comparing weighting models for monolingual information retrieval Gianni Amati, Claudio Carpineto,

Comparing weighting models for monolingual information retrieval Gianni Amati, Claudio Carpineto,

Comparing weighting models for monolingual information retrieval Gianni Amati, Claudio Carpineto, and Gianni Romano Gianni Amati, Claudio Carpineto, and Gianni Romano Fondazione Ugo Bordoni Fondazione Ugo Bordoni Roma Roma romano@fub.it

222 views • 19 slides
X. The Sermon on the Mount Matthew 5 7, Luke 6:17 42 A. Introduction 1. The Sermon on

X. The Sermon on the Mount Matthew 5 7, Luke 6:17 42 A. Introduction 1. The Sermon on

X. The Sermon on the Mount Matthew 5 7, Luke 6:17 42 A. Introduction 1. The Sermon on the Mount is the Lords explanation of the Law . 2. It is IMPORTANT to understand that the Sermon on the Mount was specifically to Israel. While

449 views • 33 slides
Where your treasure is, there will your heart be also Matthew 6:21 NIV Bible For you

Where your treasure is, there will your heart be also Matthew 6:21 NIV Bible For you

Where your treasure is, there will your heart be also Matthew 6:21 NIV Bible For you know the grace of our Lord Jesus Christ, that though He was rich, yet for your sake He became poor, that you through His poverty might become rich

408 views • 23 slides
Romans Series Lesson #59 May 3, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Romans Series Lesson #59 May 3, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L.

Romans Series Lesson #59 May 3, 2012 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. The Epistle to the ROMANS Justification and Reconciliation Romans 5:1011 Rom. 5:10, For if when we were enemies we were reconciled

284 views • 24 slides
A Lee-Wick Extension of the Standard Model Benjamin Grinstein Indirect Searches for New Physics

A Lee-Wick Extension of the Standard Model Benjamin Grinstein Indirect Searches for New Physics

A Lee-Wick Extension of the Standard Model Benjamin Grinstein Indirect Searches for New Physics at the time of LHC - Conference GGI Florence, March 23, 2010 Work mostly with Donal OConnell and Mark Wise Incomplete list of references Phys.

792 views • 62 slides
Luthers Great Discovery The ALONEs of the Gospel! How Do Imperfect People Get Right With

Luthers Great Discovery The ALONEs of the Gospel! How Do Imperfect People Get Right With

11/28/2017 Luthers Great Discovery The ALONEs of the Gospel! How Do Imperfect People Get Right With The Perfect God? By GRACE alone through FAITH alone in CHRIST alone! Why Grace Alone? In order to be right with God and get into heaven,

209 views • 5 slides
A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E.

A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E.

Overview of SLEPc Restarted Lanczos Bidiagonalization Evaluation A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E. Roman Universidad Polit ecnica de Valencia, Spain (joint work with V.

829 views • 60 slides

More recommend