verifiable security of boneh franklin identity based
play

Verifiable Security of Boneh-Franklin Identity-Based Encryption - PowerPoint PPT Presentation

Oct 19, 2022 •47 likes •457 views

Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Bguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable Security 2011.10.17 Verifiable Security

  1. Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable Security 2011.10.17 Verifiable Security of Boneh-Franklin,Identity-Based Encryption 1 / 21

  2. Identity-Based Encryption ( IBE ) Problem of standard PKE : key management is involved and troublesome Verifiable Security of Boneh-Franklin,Identity-Based Encryption 2 / 21

  3. Identity-Based Encryption ( IBE ) Problem of standard PKE : key management is involved and troublesome Proposed solution by Shamir: to use recipient’s ID as public key Verifiable Security of Boneh-Franklin,Identity-Based Encryption 2 / 21

  4. Identity-Based Encryption ( IBE ) Problem of standard PKE : key management is involved and troublesome Proposed solution by Shamir: to use recipient’s ID as public key Alice Bob

  5. Identity-Based Encryption ( IBE ) Problem of standard PKE : key management is involved and troublesome Proposed solution by Shamir: to use recipient’s ID as public key 1 Encrypt with public key bob@comp.com Alice Bob

  6. Identity-Based Encryption ( IBE ) Problem of standard PKE : key management is involved and troublesome Proposed solution by Shamir: to use recipient’s ID as public key PKG 2 1 Bob authenticates Encrypt with public key bob@comp.com Alice Bob

  7. Identity-Based Encryption ( IBE ) Problem of standard PKE : key management is involved and troublesome Proposed solution by Shamir: to use recipient’s ID as public key PKG 2 1 Bob authenticates Encrypt with public key bob@comp.com “ bob@comp.com ” ’s private key 3 Alice Bob Verifiable Security of Boneh-Franklin,Identity-Based Encryption 2 / 21

  8. Should we rely on IBE schemes? Shamir Boneh & Franklin Galindo 1984 2001 2002 2003 2004 2005 Gentry & Silverberg, Horwitz & Lynn, Al-Riyami & Peterson, Yao et al, Cheng & Comely 1984: Conception of identity-based cryptography 2001: First practical provably-secure IBE scheme. 2002-2005: Used as building block for many other protocols 2005: Security proof is flawed (but can be patched) Verifiable Security of Boneh-Franklin,Identity-Based Encryption 3 / 21

  9. Improving the security argument Verifiable security paradigm Use formal methods to build certified security proofs of cryp- tographic systems Gives strong evidence of correctness of security arguments Enables automation in proofs Demonstrated applicability and effectiveness Verifiable Security of Boneh-Franklin,Identity-Based Encryption 4 / 21

  10. Outline 1 The provably-secure BasicIdent scheme 2 CertiCrypt framework 3 Machine-checked proof of BasicIdent security 4 Summary and perspectives Verifiable Security of Boneh-Franklin,Identity-Based Encryption 5 / 21

  11. An IBE Scheme An identity-based encryption scheme is specified by four polynomial algorithms: Setup Encrypt Decrypt Extract

  12. An IBE Scheme An identity-based encryption scheme is specified by four polynomial algorithms: sec. param Setup Encrypt Decrypt Extract

  13. An IBE Scheme An identity-based encryption scheme is specified by four polynomial algorithms: public params sec. param Setup Encrypt public params Decrypt Extract public public params params

  14. An IBE Scheme An identity-based encryption scheme is specified by four polynomial algorithms: public params sec. param Setup Encrypt master key public params Decrypt Extract public public params params

  15. An IBE Scheme An identity-based encryption scheme is specified by four polynomial algorithms: public params plaintext sec. param ciphertext Setup Encrypt master key ID public params ciphertext plaintext Decrypt Extract secret key public public params params

  16. An IBE Scheme An identity-based encryption scheme is specified by four polynomial algorithms: public params plaintext sec. param ciphertext Setup Encrypt master key ID public params ciphertext ID secret key plaintext Decrypt Extract master key secret key public public params params Verifiable Security of Boneh-Franklin,Identity-Based Encryption 6 / 21

  17. Boneh-Franklin’s recipe 1 Extend the notions of IND-CPA and IND-CCA to IBE schemes 2 Build an IND-CPA-secure IBE scheme BasicIdent 3 Apply a variant of Fujisaki-Okamoto transformation to turn BasicIdent into an IND-CCA-secure IBE scheme Verifiable Security of Boneh-Franklin,Identity-Based Encryption 7 / 21

  18. The BasicIdent scheme (definition) Consider G 1 and G 2 , two cyclic groups of prime order q , ˆ e : G 1 × G 1 → G 2 , an efficiently computable bilinear map e ( P , Q ) ab e ( aP , bQ ) = ˆ ˆ � P � = G 1 = ⇒ � ˆ e ( P , P ) � = G 2 Two hash functions H 1 : { 0 , 1 } ⋆ → G + 1 H 2 : G 2 → { 0 , 1 } n The BasicIdent IBE -scheme is defined as ← G + ← Z + Setup ( k ) : P 1 ; mk q ; P pub ← mk · P ; return (( P , P pub ) , mk ) $ $ Extract ( mk , ID ) : Q ID ← H 1 ( ID ); return mk · Q ID q ; m ′ ← H 2 ( e ( Q ID , P pub ) c ); ← Z + Encrypt ( ID , m ) : Q ID ← H 1 ( ID ); c $ return ( c · P , m ⊕ m ′ ) Decrypt ( sk , ( u , v )) : return v ⊕ H 2 (ˆ e ( sk , u )) Verifiable Security of Boneh-Franklin,Identity-Based Encryption 8 / 21

  19. The BasicIdent scheme (security proof) Proof by reduction (in the random oracle model) Define security goal (and adversarial model) Consider a computational assumption Reduce the security of the scheme to the intractability assumption. B Problem instance Solution A � � � � �� A breaks B solves the Pr ≤ F Pr the scheme hard problem Verifiable Security of Boneh-Franklin,Identity-Based Encryption 9 / 21

  20. The BasicIdent scheme (security proof) Proof by reduction (in the random oracle model) Define security goal (and adversarial model) ➥ Indistinguishability under Chosen Plaintext Attack Strengthened notion of PKE IND-CPA for IBE Consider a computational assumption Reduce the security of the scheme to the intractability assumption. B Problem instance Solution A � A breaks � � � B solves the �� ≤ F Pr Pr the scheme hard problem Verifiable Security of Boneh-Franklin,Identity-Based Encryption 9 / 21

  21. The BasicIdent scheme (security proof) Proof by reduction (in the random oracle model) Define security goal (and adversarial model) ➥ Indistinguishability under Chosen Plaintext Attack Strengthened notion of PKE IND-CPA for IBE Consider a computational assumption ➥ Bilinear Diffie-Hellman assumption e ( P , P ) abc given a random tuple ( P , a · It is hard to compute ˆ P , b · P , c · P ) . Reduce the security of the scheme to the intractability assumption. B Problem instance Solution A � A breaks � � � B solves the �� ≤ F Pr Pr the scheme hard problem Verifiable Security of Boneh-Franklin,Identity-Based Encryption 9 / 21

  22. The BasicIdent scheme (security proof) Proof by reduction (in the random oracle model) Define security goal (and adversarial model) ➥ Indistinguishability under Chosen Plaintext Attack Strengthened notion of PKE IND-CPA for IBE Consider a computational assumption ➥ Bilinear Diffie-Hellman assumption e ( P , P ) abc given a random tuple ( P , a · It is hard to compute ˆ P , b · P , c · P ) . Reduce the security of the scheme to the intractability assumption. B Problem instance Solution A � � � � �� A breaks B solves the Pr ≤ F Pr the scheme hard problem exp ( 1 ) q H 2 ( 1 + q EX ) Adv A IND-ID-CPA ≤ Adv B ➥ BDH 2 Verifiable Security of Boneh-Franklin,Identity-Based Encryption 9 / 21

  23. Tidying the proof up The game-playing technique Security Goal Reduction Game G 0 Game G 1 Game G n . . . . . . . . . . . . . . . ← A ( ) . . . . . . ← B ( ) . . . . . . . . . � � ≤ . . . ≤ f n � � Pr G 0 [ S 0 ] ≤ f 1 Pr G 1 [ S 1 ] Pr G n [ S n ] Verifiable Security of Boneh-Franklin,Identity-Based Encryption 10 / 21

  24. CertiCrypt: machine-checked crypto proofs Certified framework for building and verifying crypto proofs in the Coq proof assistant Combination of programming language techniques and cryptographic-specific tools Game-based methodology, natural to cryptographers Several case studies: Encryption schemes: ElGamal, Hashed ElGamal, OAEP Signature schemes: FDH, BLS Zero-Knowledge protocols: Schnorr, Okamoto, Diffie-Hellman, Fiat-Shamir Verifiable Security of Boneh-Franklin,Identity-Based Encryption 11 / 21

  25. Inside CertiCrypt (language syntax) Language-based proofs Formalize security definitions, assumptions and games using a probabilistic programming language. pWhile: a probabilistic programming language C ::= skip nop | C ; C sequence | V ← E assignment | V ← D random sampling $ | if E then C else C conditional | while E do C while loop | V ← P ( E , . . . , E ) procedure call x ← d : sample the value of x according to distribution d $ The language of expressions ( E ) and distribution expressions ( D ) admits user-defined extensions Verifiable Security of Boneh-Franklin,Identity-Based Encryption 12 / 21

  26. Inside CertiCrypt (standard tools) Observational equivalence = c 1 ≃ I | O c 2 Example ← { 0 , 1 } k ; y ← x ⊕ z ≃ { z } ← { 0 , 1 } k ; x ← y ⊕ z | = x { x , y , z } y $ $ Useful to relate probabilities = c 1 ≃ I fv ( A ) ⊆ O | O c 2 m 1 = I m 2 Pr [ c 1 , m 1 : A ] = Pr [ c 2 , m 2 : A ] Verifiable Security of Boneh-Franklin,Identity-Based Encryption 13 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University

NutMiC19, June, 2019 Verifiable Delay Functions: How to Slow Things Down (Verifiably) Dan Boneh Stanford University What is a VDF? (verifiable delay function) Intuition: a function X Y that (1) takes time T to evaluate, even with

694 views • 30 slides
VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things

Confrence de lancement de l'ANR Ciao, Fvrier 2020, Bordeaux, France VERIFIABLE DELAY FUNCTIONS Benjamin Wesolowski VERIFIABLE DELAY FUNCTIONS How to slow things down VERIFIABLE DELAY FUNCTIONS [Boneh, Bonneau, Bnz, Fisch 2018] A VDF is

616 views • 32 slides
Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1

Verifiable Delay Functions Dan Boneh, Joe Bonneau, Benedikt Bnz, Ben Fisch Crypto 2018 1 What is a VDF? Verifier 2 What is a VDF? Setup( , T ) public parameters pp pp specify domain X and range Y Eval( pp , x )

638 views • 37 slides
Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* , Riad Wahby*, Barry

Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* , Riad Wahby*, Barry

Scaling Verifiable Computation Using Efficient Set Accumulators USENIX Security, 2020 Alex Ozdemir* , Riad Wahby*, Barry Whitehat^, Dan Boneh* *Stanford ^Unaffiliated Problem: Verifiable Storage Represent a large storage (e.g. array)

759 views • 27 slides
Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove

Verifiable Delay Functions Joe Netti Overview of VDFs (Boneh, Bonneau, et al. 2019) Goal: Prove the passage of time VDF Properties: 1. slow to calculate (delay), fast to verify (polynomial time). 2. Parallelization does not speed up

185 views • 15 slides
Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based

Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based

Contents Background Key Escrow free Identity-based Identity-based Cryptosystem Cryptosystem Identity-based Signature Conclusion Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university,

563 views • 35 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing Gildas A VOINE & Serge V

Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing Gildas A VOINE & Serge V

COLE POLYTECHNIQUE FDRALE DE LAUSANNE Optimistic Fair Exchange Based on Publicly Verifiable Secret Sharing Gildas A VOINE & Serge V AUDENAY EPFL The 9th Australasian Conference on Information Security and Privacy 13-15 July 2004,

856 views • 52 slides
Web Security: Authentication & UI-based attacks CS 161: Computer Security Prof. Raluca Ada

Web Security: Authentication & UI-based attacks CS 161: Computer Security Prof. Raluca Ada

Web Security: Authentication & UI-based attacks CS 161: Computer Security Prof. Raluca Ada Popa April 12, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Authentication &

1.11k views • 73 slides
park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU)

517 views • 24 slides
Web Security: 1) UI-based attacks 2) Tracking on the web CS 161: Computer Security Prof. Raluca

Web Security: 1) UI-based attacks 2) Tracking on the web CS 161: Computer Security Prof. Raluca

Web Security: 1) UI-based attacks 2) Tracking on the web CS 161: Computer Security Prof. Raluca Ada Popa November 15, 2016 Contains new slides, slides from past CS 161 offerings and slides from Dan Boneh Announcements Last core lecture,

2.06k views • 100 slides
Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian

Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Florian Tramr (joint work with Dan Boneh) Intel, Santa Clara August 30 th 2018 Trusted execution of ML: 3 motivating scenarios 1. Outsourced ML Data

781 views • 21 slides
Distributed ledgers finally brought me a usable digital identity! Richard Esplin

Distributed ledgers finally brought me a usable digital identity! Richard Esplin

Distributed ledgers finally brought me a usable digital identity! Richard Esplin https://creativecommons.org/lic enses/by-sa/4.0/ February 2019 Agenda What is self-sovereign identity Verifiable credentials Hyperledger Indy

768 views • 42 slides
Web Security Presented by Amanda Lam, content from CSE 484/M 584 Thanks to Dan Boneh, Dieter

Web Security Presented by Amanda Lam, content from CSE 484/M 584 Thanks to Dan Boneh, Dieter

Web Security Presented by Amanda Lam, content from CSE 484/M 584 Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Yoshi Kohno, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for

785 views • 35 slides
Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of

Verifiable Random Functions and Verifiable Delay Functions Caleb Smith University of Virginia Why do these matter? Alternative consensus protocols Applications to public randomness generation Leader election Bitcoin Proof of Work

355 views • 19 slides
How Merkle trees enable the decentralized Web! @taravancil taravancil.com RESOURCES Host-based

How Merkle trees enable the decentralized Web! @taravancil taravancil.com RESOURCES Host-based

How Merkle trees enable the decentralized Web! @taravancil taravancil.com RESOURCES Host-based addressing youtube.com/myvideo Host-based addressing youtube.com/myvideo -> vimeo.com/myvideo Content addressing - hash functions Content

618 views • 25 slides
Giving USA 2020: Issues & Trends Join the conversation! @npquarterly #GivingUSA2020NPQ

Giving USA 2020: Issues & Trends Join the conversation! @npquarterly #GivingUSA2020NPQ

Giving USA 2020: Issues & Trends Join the conversation! @npquarterly #GivingUSA2020NPQ LOGISTICS Session being recorded Use Q&A box for questions Join us on social media #GivingUSA2020NPQ PANELISTS Dr. Patrick Rooney Laura

627 views • 26 slides
Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and Dan Boneh and Kenny Paterson USENIX Security Symposium Meet Alice the Anonymous Activist Blogger PK A anonymous 2 Alices Lack of Privacy Send

395 views • 21 slides
TEACHERS PERSPECTIVE ON STUDENTS ASSESSMENT Carla Matoso Agrupamento de Escolas D. Dinis

TEACHERS PERSPECTIVE ON STUDENTS ASSESSMENT Carla Matoso Agrupamento de Escolas D. Dinis

UNIVERSIDADE DE LISBOA INSTITUTO DE EDUCAO BLACK TIDE - OIL IN THE WATER: A TEACHERS PERSPECTIVE ON STUDENTS ASSESSMENT Carla Matoso Agrupamento de Escolas D. Dinis Odivelas, Portugal SAILS Case Study Topic : Black tide oil in the

827 views • 20 slides
Y X

Y X

!

174 views • 4 slides
eFLINT - An action-based language for reasoning about norms L. Thomas van Binsbergen 1 Tom van

eFLINT - An action-based language for reasoning about norms L. Thomas van Binsbergen 1 Tom van

eFLINT - An action-based language for reasoning about norms L. Thomas van Binsbergen 1 Tom van Engers 2 1 Centrum Wiskunde & Informatica l.t.van.binsbergen@cwi.nl 2 University of Amsterdam 17, March 2020 Context & Motivation

365 views • 33 slides
Foreign Derived Intangible Income December 19, 2019 Panelists John Bates, Deloitte

Foreign Derived Intangible Income December 19, 2019 Panelists John Bates, Deloitte

Foreign Derived Intangible Income December 19, 2019 Panelists John Bates, Deloitte Professor Karen Brown, George Washington University School of Law Michael DiFronzo, PwC (Moderator) Kenneth Jeruchim, Office of Associate Chief

632 views • 37 slides
Genotyping structural variants in pangenome graphs using the vg toolkit Jean Monlong November 7,

Genotyping structural variants in pangenome graphs using the vg toolkit Jean Monlong November 7,

Genotyping structural variants in pangenome graphs using the vg toolkit Jean Monlong November 7, 2019 Genome Informatics Pangenome graphs and variant-aware read mapping Linear reference genome A C A T T G G C Seq. reads T G G G C

471 views • 27 slides

More recommend