HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich - - PowerPoint PPT Presentation

hibe with tight multi challenge security
SMART_READER_LITE
LIVE PREVIEW

HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich - - PowerPoint PPT Presentation

Aug 04, 2023 308 likes •997 views

HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich (Switzerland), Part of the work done at KIT (Karlsruhe, Germany) Jiaxin Pan NTNU (Trondheim, Norway) Roman Langrehr, Jiaxin Pan 2020-06-01 1 Outline (H)IBE Tight

slide-1
SLIDE 1

HIBE with Tight Multi-challenge Security

Roman Langrehr ETH Zurich (Switzerland), Part of the work done at KIT (Karlsruhe, Germany) Jiaxin Pan NTNU (Trondheim, Norway)

Roman Langrehr, Jiaxin Pan 2020-06-01 1

slide-2
SLIDE 2

Outline

(H)IBE Tight multi-challenge security Related works The difficulty Our solution Future work

Roman Langrehr, Jiaxin Pan 2020-06-01 2

slide-3
SLIDE 3

Identity-based encryption

Alice Bob Trusted Third Party mpk uskBob

  • Alice needs to obtain only the

master public key

  • Encryption with identities (e.g.

e-mail address)

Roman Langrehr, Jiaxin Pan 2020-06-01 3

slide-4
SLIDE 4

Hierarchical Identity-based encryption

Alice Bob Trusted Third Party mpk u s kBob usk

  • Hierarchy of key generators

Roman Langrehr, Jiaxin Pan 2020-06-01 4

slide-5
SLIDE 5

Key delegation

Identities have the form (id1, . . . , idp).

ε (0 . . . 0) · · · (1 . . . 1) (0 . . . 0, 0 . . . 0) · · · (0 . . . 0, 1 . . . 1) (1 . . . 1, 0 . . . 0) · · · (1 . . . 1, 1 . . . 1) . . . . . . . . . . . .

  • Each user can generate keys for its children

Roman Langrehr, Jiaxin Pan 2020-06-01 5

slide-6
SLIDE 6

Security game (IND-HID-CPA)

Challenger Adversary mpk id usk[id] id⋆, m0, m1 C⋆

$

← Enc(mpk, id⋆, mb) b′ b

$

← {0, 1} b ? = b′

  • The adversary must not ask

user secret keys for prefixes of challenge identities (id⋆).

Roman Langrehr, Jiaxin Pan 2020-06-01 6

slide-7
SLIDE 7

Security game (IND-HID-CPA)

Challenger Adversary mpk id usk[id] id⋆, m0, m1 C⋆

$

← Enc(mpk, id⋆, mb) b′ b

$

← {0, 1} b ? = b′

  • The adversary must not ask

user secret keys for prefixes of challenge identities (id⋆).

  • IND-HID-CCA is easy once

you have IND-HID-CPA.

Roman Langrehr, Jiaxin Pan 2020-06-01 6

slide-8
SLIDE 8

Tight security

Scheme (e.g. HIBE) Assumption (e.g. Diffie-Hellman) Reduction

Roman Langrehr, Jiaxin Pan 2020-06-01 7

slide-9
SLIDE 9

Tight security

Scheme (e.g. HIBE) Assumption (e.g. Diffie-Hellman) Reduction Can be broken with probability ε using resources ρ. Can be broken with probability ε/ℓ using resources ρ.

Roman Langrehr, Jiaxin Pan 2020-06-01 7

slide-10
SLIDE 10

Tight security

Scheme (e.g. HIBE) Assumption (e.g. Diffie-Hellman) Reduction Can be broken with probability ε using resources ρ. Can be broken with probability ε/ℓ using resources ρ. Larger security loss requires larger security parameter. Security loss ℓ can depend on:

  • scheme parameters (e.g. maximum hierarchy depth L)
  • λ: the security parameter
  • the attacker’s resources (e.g. # user secret key queries Qk
  • r # challenge ciphertext queries Qc)

Roman Langrehr, Jiaxin Pan 2020-06-01 7

slide-11
SLIDE 11

Tight security

Scheme (e.g. HIBE) Assumption (e.g. Diffie-Hellman) Reduction Can be broken with probability ε using resources ρ. Can be broken with probability ε/ℓ using resources ρ. Larger security loss requires larger security parameter. Security loss ℓ can depend on:

  • scheme parameters (e.g. maximum hierarchy depth L)
  • λ: the security parameter
  • the attacker’s resources (e.g. # user secret key queries Qk
  • r # challenge ciphertext queries Qc)

Tight security:

   allowed

  • not allowed

Roman Langrehr, Jiaxin Pan 2020-06-01 7

slide-12
SLIDE 12

Multi-challenge security

Challenger Adversary mpk id usk[id] id⋆, m0, m1 C⋆

$

← Enc(mpk, id⋆, mb) b′ b

$

← {0, 1} b ? = b′

Roman Langrehr, Jiaxin Pan 2020-06-01 8

slide-13
SLIDE 13

Multi-challenge security

Challenger Adversary mpk id usk[id] id⋆, m0, m1 C⋆

$

← Enc(mpk, id⋆, mb) b′ b

$

← {0, 1} b ? = b′

Single-challenge security Multi-challenge security

Roman Langrehr, Jiaxin Pan 2020-06-01 8

slide-14
SLIDE 14

Multi-challenge security

Challenger Adversary mpk id usk[id] id⋆, m0, m1 C⋆

$

← Enc(mpk, id⋆, mb) b′ b

$

← {0, 1} b ? = b′

Single-challenge security Multi-challenge security generic: O(Qc) loss

Roman Langrehr, Jiaxin Pan 2020-06-01 8

slide-15
SLIDE 15

Multi-challenge security

Challenger Adversary mpk id usk[id] id⋆, m0, m1 C⋆

$

← Enc(mpk, id⋆, mb) b′ b

$

← {0, 1} b ? = b′

Single-challenge security Multi-challenge security generic: O(Qc) loss Tight multi-instance security: Easy to achieve by rerandomizing the master public key.

Roman Langrehr, Jiaxin Pan 2020-06-01 8

slide-16
SLIDE 16

History: HIBE

HIBEs in prime-order pairing groups: [Wat09], [CW13], [BKP14] O(Qk) (single-challenge) [Lew12], [GCTC16] O(QkL) (single-challenge) [LP19] O(nL2) resp. O(nL) (single-challenge) This work O(nL2) (multi-challenge)

  • Qk: # user secret key queries
  • L: maximum hierarchy depth
  • n: Bit-length of the identities

Roman Langrehr, Jiaxin Pan 2020-06-01 9

slide-17
SLIDE 17

History: Tight IBE

Tight IBEs in prime-order pairing groups: [CW13], [BKP14] O(n) (single-challenge) [AHY15], [GCD+16], [GDCC16], [HJP18] O(n) (multi-challenge)

  • n: Bit-length of the identities

Roman Langrehr, Jiaxin Pan 2020-06-01 10

slide-18
SLIDE 18

History: Tight IBE

Tight IBEs in prime-order pairing groups: [CW13], [BKP14] O(n) (single-challenge) [AHY15], [GCD+16], [GDCC16], [HJP18] O(n) (multi-challenge)

  • n: Bit-length of the identities

Tight single-challenge HIBE + Tight multi-challenge IBE

?

→ Tight multi-challenge HIBE

Roman Langrehr, Jiaxin Pan 2020-06-01 10

slide-19
SLIDE 19

IND-HID-CPA security for (H)IBE

The challenge:

  • The reduction must answer user secret key queries for id1, . . . , idQk.
  • The reduction must take advantage of the adversaries decryption capabilities for

id⋆

1, . . . , id⋆ Qc.

  • The adversary adaptively chooses id1, . . . , idQk and id⋆

1, . . . , id⋆ Qc.

Roman Langrehr, Jiaxin Pan 2020-06-01 11

slide-20
SLIDE 20

Partitioning

  • Different parts use ”slightly different“ secret key.
  • A usk key from one part is not helpful for decrypting

a ciphertext from a different part.

Roman Langrehr, Jiaxin Pan 2020-06-01 12

slide-21
SLIDE 21

Partitioning

  • Different parts use ”slightly different“ secret key.
  • A usk key from one part is not helpful for decrypting

a ciphertext from a different part. Initial Intermediate Final One partition Separated from Queried user secret key Challenge ciphertext

Roman Langrehr, Jiaxin Pan 2020-06-01 12

slide-22
SLIDE 22

Query-by-query Partitioning

  • Typically used by non-tight (H)IBE schemes
  • O(Qk) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 13

slide-23
SLIDE 23

Query-by-query Partitioning

  • Typically used by non-tight (H)IBE schemes
  • O(Qk) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 13

slide-24
SLIDE 24

Query-by-query Partitioning

  • Typically used by non-tight (H)IBE schemes
  • O(Qk) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 13

slide-25
SLIDE 25

Query-by-query Partitioning

  • Typically used by non-tight (H)IBE schemes
  • O(Qk) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 13

slide-26
SLIDE 26

Query-by-query Partitioning

  • Typically used by non-tight (H)IBE schemes
  • O(Qk) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 13

slide-27
SLIDE 27

Query-by-query Partitioning

  • Typically used by non-tight (H)IBE schemes
  • O(Qk) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 13

slide-28
SLIDE 28

Query-by-query Partitioning

  • Typically used by non-tight (H)IBE schemes
  • O(Qk) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 13

slide-29
SLIDE 29

Query-by-query Partitioning

  • Typically used by non-tight (H)IBE schemes
  • O(Qk) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 13

slide-30
SLIDE 30

Bit-by-bit Partitioning

  • Typically used by tight (H)IBE schemes.
  • One part per identity
  • O(n) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 14

slide-31
SLIDE 31

Bit-by-bit Partitioning

  • Typically used by tight (H)IBE schemes.
  • One part per identity
  • O(n) security loss

id1 = 0 id1 = 1

Roman Langrehr, Jiaxin Pan 2020-06-01 14

slide-32
SLIDE 32

Bit-by-bit Partitioning

  • Typically used by tight (H)IBE schemes.
  • One part per identity
  • O(n) security loss

id2 = 0 id2 = 1

Roman Langrehr, Jiaxin Pan 2020-06-01 14

slide-33
SLIDE 33

Bit-by-bit Partitioning

  • Typically used by tight (H)IBE schemes.
  • One part per identity
  • O(n) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 14

slide-34
SLIDE 34

Bit-by-bit Partitioning

  • Typically used by tight (H)IBE schemes.
  • One part per identity
  • O(n) security loss

Roman Langrehr, Jiaxin Pan 2020-06-01 14

slide-35
SLIDE 35

Partitioning techniques

  • 1. Embedding a challenge of the underlying assumption. . .

– . . .in a part of the msk that appears only in user secret keys with idi = b. – . . .“reacts” with the randomness of the usk resp. ciphertext.

Roman Langrehr, Jiaxin Pan 2020-06-01 15

slide-36
SLIDE 36

Partitioning techniques

  • 1. Embedding a challenge of the underlying assumption. . .

– . . .in a part of the msk that appears only in user secret keys with idi = b. – . . .“reacts” with the randomness of the usk resp. ciphertext.

  • 2. Choose randomness of a subspace [GHKW16]

– hides part of the msk from usk queries.

Roman Langrehr, Jiaxin Pan 2020-06-01 15

slide-37
SLIDE 37

Usage in the single-challenge setting

Tight IBE: Scheme Challenge queries usk queries [CW13],[BKP14] (information-theoretic) Embedding a challenge

Roman Langrehr, Jiaxin Pan 2020-06-01 16

slide-38
SLIDE 38

Usage in the single-challenge setting

Tight IBE: Scheme Challenge queries usk queries [CW13],[BKP14] (information-theoretic) Embedding a challenge Tight HIBE: Scheme Challenge queries usk queries [LP19] (information-theoretic) Subspace

Roman Langrehr, Jiaxin Pan 2020-06-01 16

slide-39
SLIDE 39

Usage in the multi-challenge setting

Tight IBE: Scheme Challenge queries usk queries [GDCC16], [HJP18] Subspace Embedding a challenge

Roman Langrehr, Jiaxin Pan 2020-06-01 17

slide-40
SLIDE 40

[BKP14] (single-challenge IBE) [GDCC16], [HJP18] (multi-challenge IBE) [LP19] (single-challenge HIBE) Use [GHKW16] for the challenge queries Use [GHKW16] for the usk queries

Roman Langrehr, Jiaxin Pan 2020-06-01 18

slide-41
SLIDE 41

[BKP14] (single-challenge IBE) [GDCC16], [HJP18] (multi-challenge IBE) [LP19] (single-challenge HIBE) Use [GHKW16] for the challenge queries Use [GHKW16] for the usk queries New tight multi-challenge HIBE?

Roman Langrehr, Jiaxin Pan 2020-06-01 18

slide-42
SLIDE 42

[BKP14] (single-challenge IBE) [GDCC16], [HJP18] (multi-challenge IBE) [LP19] (single-challenge HIBE) Use [GHKW16] for the challenge queries Use [GHKW16] for the usk queries New tight multi-challenge HIBE? Doesn’t work

Roman Langrehr, Jiaxin Pan 2020-06-01 18

slide-43
SLIDE 43

Simplified version of BKP-like schemes

  • Master secret key:

For every bit position i ∈ {1, . . . , n · L} and bit b ∈ {0, 1}: Xi,b

Roman Langrehr, Jiaxin Pan 2020-06-01 19

slide-44
SLIDE 44

Simplified version of BKP-like schemes

  • Master secret key:

For every bit position i ∈ {1, . . . , n · L} and bit b ∈ {0, 1}: Xi,b

  • User secret key for id:

|id|

i

Xi,id[i] t usk randomness

Roman Langrehr, Jiaxin Pan 2020-06-01 19

slide-45
SLIDE 45

Simplified version of BKP-like schemes

  • Master secret key:

For every bit position i ∈ {1, . . . , n · L} and bit b ∈ {0, 1}: Xi,b

  • User secret key for id:

|id|

i

Xi,id[i] t

  • Challenge ciphertext for id⋆:

h⊤

|id⋆|

i

Xi,id⋆[i] ct randomness

Roman Langrehr, Jiaxin Pan 2020-06-01 19

slide-46
SLIDE 46

The difficulty

Use the [GHKW16] subspace technique for the user secret keys [LP19]. In a suitable (hidden) basis: ct randomness msk usk randomness ⋆ Half of the entropy is hidden. ✓

Roman Langrehr, Jiaxin Pan 2020-06-01 20

slide-47
SLIDE 47

The difficulty

Use the [GHKW16] subspace technique for the challenge ciphertexts [GDCC16, HJP18]. In a suitable (hidden) basis: ct randomness msk usk randomness ⋆ Half of the entropy is hidden. ✓

Roman Langrehr, Jiaxin Pan 2020-06-01 20

slide-48
SLIDE 48

The difficulty

Use the [GHKW16] subspace technique for both usks and cts. In a suitable (hidden) basis: ct randomness msk usk randomness ⋆ ⋆ Only one quarter of the entropy is hidden. ✗

Roman Langrehr, Jiaxin Pan 2020-06-01 20

slide-49
SLIDE 49

Our solution

New technique to randomize multiple challenge ciphertexts. . .

  • . . .based on the “Embedding a challenge” approach.
  • . . .achieves the same efficiency.
  • . . .compatible with [LP19]

Roman Langrehr, Jiaxin Pan 2020-06-01 21

slide-50
SLIDE 50

Our solution

Previous work (only IBE) Scheme Challenge queries usk queries [GDCC16], [HJP18] Subspace Embedding a challenge This work (also HIBE) Scheme Challenge queries usk queries This work Embedding a challenge Subspace

Roman Langrehr, Jiaxin Pan 2020-06-01 22

slide-51
SLIDE 51

Our solution

MDDH challenge In a suitable (hidden) basis: ct randomness msk usk randomness ⋆

Roman Langrehr, Jiaxin Pan 2020-06-01 23

slide-52
SLIDE 52

Our solution – More details

MDDH challenge: D f f ∈ Span(D) or f is uniformly random In a suitable (hidden) basis: ct randomness msk usk randomness ⋆

Roman Langrehr, Jiaxin Pan 2020-06-01 23

slide-53
SLIDE 53

Our solution – More details

MDDH challenge: D f f f ∈ Span(D) or f is uniformly random In a suitable (hidden) basis: ct randomness msk usk randomness

  • DD

−1 ⊤

Roman Langrehr, Jiaxin Pan 2020-06-01 23

slide-54
SLIDE 54

Our solution – More details

MDDH challenge: D f f f ∈ Span(D) or f is uniformly random In a suitable (hidden) basis: ct randomness msk usk randomness

  • DD

−1 ⊤

⋆ ·

Roman Langrehr, Jiaxin Pan 2020-06-01 23

slide-55
SLIDE 55

Our solution – More details

MDDH challenge: D f f f ∈ Span(D) or f is uniformly random In a suitable (hidden) basis: ct randomness msk usk randomness

  • DD

−1 ⊤

⋆ · But sometimes we have to embed the same challenge in multiple ciphertexts!

Roman Langrehr, Jiaxin Pan 2020-06-01 23

slide-56
SLIDE 56

Our solution – More details

MDDH challenge: D F F In a suitable (hidden) basis: ct randomness msk usk randomness ⋆ ⋆

Roman Langrehr, Jiaxin Pan 2020-06-01 23

slide-57
SLIDE 57

Comparison of HIBEs (in prime-order pairing groups)

Scheme |mpk| |usk| |C| Loss MC Assumption [Wat05] O(nL) O(nL) O(p) O(nQk)L ✗ DBDH [Wat09] O(L) O(p) O(p) O(Qk) ✗ 2-LIN [Lew12] O(1) O(p) O(p) O(Qk) ✗ 2-LIN [CW13] O(L) O(L) O(1) O(Qk) ✗ SXDH [BKP14] O(L) O(L) O(1) O(Qk) ✗ SXDH [GCTC16] O(1) O(p) O(p) O(Qk) ✗ SXDH [LP19]1 O(nL2) O(nL2) O(1) O(nL2) ✗ SXDH [LP19]H

1

O(γL) O(γL) O(1) O(γL) ✗ SXDH [LP19]2 O(nL2) O(p) O(p) O(nL) ✗ SXDH [LP19]H

2

O(γL) O(p) O(p) O(γ) ✗ SXDH Ours1 O(nL2) O(nL2) O(1) O(nL2) ✓ SXDH OursH

1

O(γL) O(γL) O(1) O(γL) ✓ SXDH Ours2 O(nL2) O(p) O(p) O(nL2) ✓ SXDH OursH

2

O(γL) O(p) O(p) O(γL) ✓ SXDH

  • L: maximum hierarchy depth
  • p: actual hierarchy depth
  • n: bit-length of identities
  • γ: bit-length of hashes
  • Qk: # user secret key

queries

Roman Langrehr, Jiaxin Pan 2020-06-01 24

slide-58
SLIDE 58

Future work: Beyond bit-by-bit partitioning

[AHY15] achieved a trade-off between mpk and usk/C size for IBE: Parameter c ∈ [0, 1] Scheme |mpk| |usk| |C| Loss [AHY15] O

n1−c

O(nc) O(nc) O(n)

Roman Langrehr, Jiaxin Pan 2020-06-01 25

slide-59
SLIDE 59

Future work: Beyond bit-by-bit partitioning

[AHY15] achieved a trade-off between mpk and usk/C size for IBE: Parameter c ∈ [0, 1] Scheme |mpk| |usk| |C| Loss [AHY15] O

n1−c

O(nc) O(nc) O(n) [CGW17] achieved constant size mpk (and tighter security loss) in composite-order pairing groups (4 factors): Scheme |mpk| |usk| |C| Loss [CGW17] 3 1 1 O(log(Qk))

Roman Langrehr, Jiaxin Pan 2020-06-01 25

slide-60
SLIDE 60

References I

Nuttapong Attrapadung, Goichiro Hanaoka, and Shota Yamada. A framework for identity-based encryption with almost tight security. In Tetsu Iwata and Jung Hee Cheon, editors, ASIACRYPT 2015, Part I, volume 9452 of LNCS, pages 521–549. Springer, Heidelberg, November / December 2015. doi:10.1007/978-3-662-48797-6_22. Olivier Blazy, Eike Kiltz, and Jiaxin Pan. (Hierarchical) identity-based encryption from affine message authentication. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 408–425. Springer, Heidelberg, August 2014. doi:10.1007/978-3-662-44371-2_23.

Roman Langrehr, Jiaxin Pan 2020-06-01 26

slide-61
SLIDE 61

References II

Jie Chen, Junqing Gong, and Jian Weng. Tightly secure IBE under constant-size master public key. In Serge Fehr, editor, PKC 2017, Part I, volume 10174 of LNCS, pages 207–231. Springer, Heidelberg, March 2017. doi:10.1007/978-3-662-54365-8_9. Jie Chen and Hoeteck Wee. Fully, (almost) tightly secure IBE and dual system groups. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages 435–460. Springer, Heidelberg, August 2013. doi:10.1007/978-3-642-40084-1_25.

Roman Langrehr, Jiaxin Pan 2020-06-01 27

slide-62
SLIDE 62

References III

Junqing Gong, Jie Chen, Xiaolei Dong, Zhenfu Cao, and Shaohua Tang. Extended nested dual system groups, revisited. In Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano, and Bo-Yin Yang, editors, PKC 2016, Part I, volume 9614 of LNCS, pages 133–163. Springer, Heidelberg, March 2016. doi:10.1007/978-3-662-49384-7_6. Junqing Gong, Zhenfu Cao, Shaohua Tang, and Jie Chen. Extended dual system group and shorter unbounded hierarchical identity based encryption. Designs, Codes and Cryptography, 80(3):525–559, Sep 2016. doi:10.1007/s10623-015-0117-z.

Roman Langrehr, Jiaxin Pan 2020-06-01 28

slide-63
SLIDE 63

References IV

Junqing Gong, Xiaolei Dong, Jie Chen, and Zhenfu Cao. Efficient IBE with tight reduction to standard assumption in the multi-challenge setting. In Jung Hee Cheon and Tsuyoshi Takagi, editors, ASIACRYPT 2016, Part II, volume 10032 of LNCS, pages 624–654. Springer, Heidelberg, December 2016. doi:10.1007/978-3-662-53890-6_21. Romain Gay, Dennis Hofheinz, Eike Kiltz, and Hoeteck Wee. Tightly CCA-secure encryption without pairings. In Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, Part I, volume 9665 of LNCS, pages 1–27. Springer, Heidelberg, May 2016. doi:10.1007/978-3-662-49890-3_1.

Roman Langrehr, Jiaxin Pan 2020-06-01 29

slide-64
SLIDE 64

References V

Dennis Hofheinz, Dingding Jia, and Jiaxin Pan. Identity-based encryption tightly secure under chosen-ciphertext attacks. In Thomas Peyrin and Steven Galbraith, editors, ASIACRYPT 2018, Part II, volume 11273 of LNCS, pages 190–220. Springer, Heidelberg, December 2018. doi:10.1007/978-3-030-03329-3_7. Allison B. Lewko. Tools for simulating features of composite order bilinear groups in the prime order setting. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 318–335. Springer, Heidelberg, April 2012. doi:10.1007/978-3-642-29011-4_20.

Roman Langrehr, Jiaxin Pan 2020-06-01 30

slide-65
SLIDE 65

References VI

Roman Langrehr and Jiaxin Pan. Tightly secure hierarchical identity-based encryption. In Dongdai Lin and Kazue Sako, editors, PKC 2019, Part I, volume 11442 of LNCS, pages 436–465. Springer, Heidelberg, April 2019. doi:10.1007/978-3-030-17253-4_15. Brent R. Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 114–127. Springer, Heidelberg, May 2005. doi:10.1007/11426639_7.

Roman Langrehr, Jiaxin Pan 2020-06-01 31

slide-66
SLIDE 66

References VII

Brent Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In Shai Halevi, editor, CRYPTO 2009, volume 5677 of LNCS, pages 619–636. Springer, Heidelberg, August 2009. doi:10.1007/978-3-642-03356-8_36.

Roman Langrehr, Jiaxin Pan 2020-06-01 32

slide-67
SLIDE 67

Pictures

Alice, Bob, Trusted Party: freepik.com Encrypted Mail: Icon made by SimpleIcon from www.flaticon.com

Roman Langrehr, Jiaxin Pan 2020-06-01 33