SLIDE 1

(Hierarchical) Identity-Based Encryption from Affine Message Authentication

Crypto 2014
Olivier Blazy, Eike Kiltz, Jiaxin Pan
Horst Görtz Institute for IT Security, Ruhr-University Bochum

SLIDE 2

1 Introduction
2 Affine MAC
3 From Affine MAC to IBE
4 Conclusion

(H)IBE from Affine MAC | HGI | Crypto 2014 2/24

SLIDE 4

Identity-Based Encryption

IBE

Alice → Bob: $C = \mathsf{Encrypt}(\text{'Bob'}, M)$
Bob: $M = \mathsf{Decrypt}(usk_{\mathsf{Bob}}, C)$

SLIDE 10

History of IBE

◮ Shamir 84
◮ Boneh-Franklin, Cocks
◮ Boneh-Boyen, Waters 05
◮ Waters 09, Chen-Wee
◮ . . .

Open Problem

???? --[Generic]--> IBE

SLIDE 15

More about History

[Diagram relating Signature, IBE and MAC. Arrow labels: Naor; + NIZK ([BelGol89]); [DKPW12]; ????]

SLIDE 16

MAC + NIZK → Signature

Signature

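◮ $sk := (sk_{\mathsf{MAC}}, y)$; $pk := \mathsf{Commit}(sk_{\mathsf{MAC}}; y)$
◮ $\mathsf{Sig}(sk, m)$: $\tau \overset{\$}{\leftarrow} \mathsf{Tag}(sk_{\mathsf{MAC}}, m)$, $\pi \overset{\$}{\leftarrow} \mathsf{Prove}(\text{'}\tau\text{ is valid'})$
◮ $\mathsf{Ver} := \mathsf{Ver}_{\mathsf{NIZK}}$

NIZK Proof

$\mathsf{NIZK} := (\mathsf{Prove}, \mathsf{Ver}_{\mathsf{NIZK}})$ for $L$: $\{(\tau, m, pk) : \exists\, sk, y \text{ s.t. } \mathsf{Ver}(sk, \tau, m) = 1 \wedge pk = \mathsf{Commit}(sk; y)\}$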

SLIDE 21

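MAC + NIZK $\overset{?}{\rightarrow}$ IBE

IBE

◮ $sk := (sk_{\mathsf{MAC}}, y)$; $pk := \mathsf{Commit}(sk_{\mathsf{MAC}}; y)$
◮ $\mathsf{USKGen}$: $\tau \overset{\$}{\leftarrow} \mathsf{Tag}(sk_{\mathsf{MAC}}, m)$, $\pi \overset{\$}{\leftarrow} \mathsf{Prove}(\text{'}\tau\text{ is valid'})$
◮ $\mathsf{Enc}$ := ????
◮ $\mathsf{Dec}$ := ????

  • $\mathsf{Ver}_{\mathsf{NIZK}}$

Our Work

◮ Use the verification algorithm to define Enc and Dec
◮ Exploit the underlying structure of the MAC + NIZK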

SLIDE 23

Our Contributions

(H)IBE = Affine MAC + Pairings

◮ Affine MAC: Affine Equations
◮ Pairings: Groth-Sahai Proofs, Affine Verification

The affine properties allow us to define Enc and Dec.

SLIDE 25

Matrix Notation

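◮ Considering $(\mathbb{G}, g, q)$ and

$A = \begin{pmatrix} a_{11} & \dots & a_{1m} \\ \vdots & & \vdots \\ a_{n1} & \dots & a_{nm} \end{pmatrix} \in \mathbb{Z}_q^{n \times m}$

Implicit Representation

$[A] := \begin{pmatrix} g^{a_{11}} & \dots & g^{a_{1m}} \\ \vdots & & \vdots \\ g^{a_{n1}} & \dots & g^{a_{nm}} \end{pmatrix} \in \mathbb{G}^{n \times m}$.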

SLIDE 26

Affine MAC – Intuition

$\mathsf{MAC} := (\mathsf{Gen}_{\mathsf{MAC}}, \mathsf{Tag}, \mathsf{Ver})$.

$\mathsf{Tag}(sk, m) \to \left( \begin{bmatrix} \vdots \\ t \\ \vdots \end{bmatrix}, [u] \right)$

Affine MAC

◮ t: Random Part
◮ u: Message-dependent Affine Part

SLIDE 27

Affine MAC – Formal Definition

◮ $\mathsf{Gen}_{\mathsf{MAC}}(par)$:

$sk := (x_0, \dots, x_\ell, x'_0, \dots, x'_{\ell'})$

SLIDE 28

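◮ $\mathsf{Tag}(sk, m) \overset{\$}{\to} \tau := ([t], [u])$

  $t$

  $u = \sum_i f_i(m)\, x_i^\top t + \sum_i f'_i(m)\, x'_i \in \mathbb{Z}_q$   $(*)$

Public functions $f_i, f'_i : \mathcal{M} \to \mathbb{Z}_q$ define different implementations.

◮ $\mathsf{Ver}(sk, m, ([t], [u])) \to 0/1$:

Check if $([t], [u])$ satisfies Eq. $(*)$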

SLIDE 29

PR-CMA Security

PR-CMA

◮ Decisional Variant of EUF-CMA.

SLIDE 32

Construction I: Naor-Reingold Approach

Ideas

Randomized and affine version of Naor-Reingold PRF.

◮ Security from standard assumption: k-Lin.
◮ Generalized to any Matrix DH assumption [EHKRV13].

$\mathsf{Tag}(sk, m) \overset{\$}{\to} \tau := ([t], [u])$

$t \overset{\$}{\leftarrow} \mathbb{Z}_q^k$, $u = \left(\sum_{i=1}^{|m|} x_{i,m_i}^\top\right) t + x'_0 \in \mathbb{Z}_q$

◮ Implicit in Chen-Wee13

✓ Tight Reduction
✗ Linear Size Parameters

SLIDE 33

Construction II: Hash Proof System Approach

Ideas

◮ [DKPW12] shows HPS implies EUF-CMA MAC.

SLIDE 37

Construction II: Hash Proof System Approach

Ideas

◮ This work shows k-Lin based HPS implies PR-CMA Affine MAC.
◮ Security from standard assumption: k-Lin.
◮ Generalized to any Matrix DH assumption.

$\mathsf{Tag}(sk, m) \overset{\$}{\to} \tau := ([t], [u])$

$t \overset{\$}{\leftarrow} \mathbb{Z}_q^{k+1}$, $u = (x_0^\top + m \cdot x_1^\top)\, t + x'_0 \in \mathbb{Z}_q$

✗ Loose Reduction
✓ Constant Parameters.

SLIDE 40

Overview of Transformation to IBE

◮ $\mathsf{Gen}_{\mathsf{IBE}}(par)$:

$sk_{\mathsf{MAC}} = x_0, \dots, x_\ell, x'_0, \dots, x'_{\ell'}$
$\mathsf{Rand} = y_0, \dots, y_\ell, y'_0, \dots, y'_{\ell'}$

$z_0 = \mathsf{Commit}(x_0; y_0)$

SLIDE 41

Overview of Transformation to IBE

◮ $\mathsf{Gen}_{\mathsf{IBE}}(par)$:

$sk_{\mathsf{MAC}} = x_0, \dots, x_\ell, x'_0, \dots, x'_{\ell'}$
$\mathsf{Rand} = y_0, \dots, y_\ell, y'_0, \dots, y'_{\ell'}$

$pk := ([z_i]_1, [z'_i]_1)$

SLIDE 42

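◮ $\mathsf{USKGen}(sk, \mathsf{id}) \overset{\$}{\to} ([t]_2, [u]_2, [v]_2)$

  • $t$   // Affine MAC
  • $u = \sum_i f_i(\mathsf{id})\, x_i^\top t + \sum_i f'_i(\mathsf{id})\, x'_i$   // Affine MAC
  • $v = \sum_i f_i(\mathsf{id})\, y_i t + \sum_i f'_i(\mathsf{id})\, y'_i$   // 'NIZK' Proof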

SLIDE 45

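◮ $\mathsf{USKGen}(sk, \mathsf{id}) \overset{\$}{\to} ([t]_2, [u]_2, [v]_2)$

  • $t$
  • $u = F_x(\mathsf{id}; t) + F'_{x'}(\mathsf{id}; 1)$
  • $v = F_y(\mathsf{id}; t) + F'_{y'}(\mathsf{id}; 1)$

◮ $\mathsf{Enc}(pk, \mathsf{id}, [M]_T) \overset{\$}{\to} ([C]_1, [K \oplus M]_T)$

  • $s \leftarrow \$$
  • $C = F_z(\mathsf{id}; s)$, $K = F'_{z'}(\mathsf{id}; s)$

◮ $\mathsf{Dec}(usk[\mathsf{id}_1], C[\mathsf{id}_2]) \to [M]_T$

If $\mathsf{id}_1 = \mathsf{id}_2$, the $F_*(\mathsf{id})$ will cancel out and leave $K = F'_{z'}(\mathsf{id}; s)$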
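
Added example, not from the slides or the authors: a toy walk-through of USKGen, Enc and Dec above for k = 1 with the Construction II tag shape, showing that the id-dependent terms cancel only when the two identities match. It works on exponents mod a constructed prime q (a pairing becomes a multiplication, so it offers no security), returns only K rather than [K ⊕ M]_T, and assumes a linear Commit(x; y) = y·a1 + x·a2 and an extra ciphertext component c0 = s·(a1, a2); a1, a2, c0 and all function names are hypothetical.

```python
import secrets

Q = 2**127 - 1  # constructed prime modulus standing in for the group order q

def rnd():
    return secrets.randbelow(Q)

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def affine(v0, v1, ident):  # f_0 = 1, f_1(id) = id, i.e. v0 + id*v1
    return [(p + ident * s) % Q for p, s in zip(v0, v1)]

def gen():
    sk = {"x0": [rnd(), rnd()], "x1": [rnd(), rnd()], "xp": rnd(),  # MAC key x_0, x_1, x'_0
          "y0": [rnd(), rnd()], "y1": [rnd(), rnd()], "yp": rnd()}  # Rand y_0, y_1, y'_0
    a1, a2 = rnd(), rnd()
    commit = lambda x, y: (y * a1 + x * a2) % Q  # ASSUMED linear Commit(x; y)
    pk = {"a": (a1, a2),
          "z0": [commit(x, y) for x, y in zip(sk["x0"], sk["y0"])],
          "z1": [commit(x, y) for x, y in zip(sk["x1"], sk["y1"])],
          "zp": commit(sk["xp"], sk["yp"])}
    return pk, sk

def mac_ver(sk, ident, t, u):  # Eq. (*): u = (x_0 + id*x_1)^T t + x'_0
    return u == (dot(affine(sk["x0"], sk["x1"], ident), t) + sk["xp"]) % Q

def uskgen(sk, ident):
    t = [rnd(), rnd()]
    u = (dot(affine(sk["x0"], sk["x1"], ident), t) + sk["xp"]) % Q  # affine MAC tag
    v = (dot(affine(sk["y0"], sk["y1"], ident), t) + sk["yp"]) % Q  # same map on the y's
    return t, u, v

def enc(pk, ident):
    s = rnd()
    c0 = [pk["a"][0] * s % Q, pk["a"][1] * s % Q]  # ASSUMED extra ciphertext component
    c1 = [z * s % Q for z in affine(pk["z0"], pk["z1"], ident)]  # C = F_z(id; s)
    return (c0, c1), pk["zp"] * s % Q  # K = F'_z'(id; s)

def dec(usk, ct):
    (t, u, v), (c0, c1) = usk, ct
    # "pairing" = product of exponents; F_x, F_y and F_z terms cancel iff ids match
    return (dot(c0, [v, u]) - dot(c1, t)) % Q

if __name__ == "__main__":
    pk, sk = gen()
    usk = uskgen(sk, 42)
    ct, K = enc(pk, 42)
    print("matching id recovers K:", dec(usk, ct) == K)
```

With a mismatched identity the difference dec − K equals s·(id2 − id1)·(z1·t), which is nonzero except with negligible probability.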

SLIDE 49

Summary

IBE = Affine MAC + Pairings
Proven under k-MDDH (e.g. k-Lin)
Tight Reduction: $\mathsf{MAC}_{\mathsf{NR}}$ + 'Pairings'
Compact Construction: $\mathsf{MAC}_{\mathsf{HPS}}$ + 'Pairings'

SLIDE 50

Efficiency Comparison

Tight Schemes

SXDH                              |pk|      |usk|   |C|   Loss
CW13                              4λ + 3    4       4     O(λ)
$\mathsf{IBE}_{\mathsf{NR}}$      2λ + 2    3       3     O(λ)

SLIDE 52

Efficiency Comparison

Tight Schemes

SXDH                              |pk|      |usk|   |C|   Loss
CW13                              4λ + 3    4       4     O(λ)
$\mathsf{IBE}_{\mathsf{NR}}$      λ + 3     3       3     O(λ)

Compact Schemes

SXDH                              |pk|      |usk|   |C|   Loss
CLL+12                            9         4       4     O(Q)
JR13                              7         5       4     O(Q)
$\mathsf{IBE}_{\mathsf{HPS}}$     7         4       4     O(Q)

SLIDE 57

Extension and Open Problem

Extension

◮ Tight Signatures,
◮ Anonymity,
◮ HIBE,
◮ ID-HPS.

Open Problem

Affine MAC with Tight Security and constant-size sk

SLIDE 58

Thank you!

◮ Full version: eprint 2014/581
