ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption
Danfeng Yao (Brown University), Nelly Fazio (New York University), Yevgeniy Dodis (New York University), Anna Lysyanskaya (Brown University)
Identity-based Encryption (IBE) and Hierarchical IBE (HIBE)
• HIBE is used in public-key broadcast encryption [Dodis Fazio 02]
• Forward security is especially important in BE
• Multiple HIBE: encryption scheme for users with multiple roles
Forward-secure Public-Key Encryption: fs-PKE (Canetti, Halevi, and Katz 2003)
• Used to protect the private key of one user
• Based on Gentry-Silverberg HIBE
• A time period is a binary string
• Private key contains the decryption key and future secrets
• Past secrets are erased in algorithm Update
Requirements
• Users can join at any time
• Joining-time obliviousness
• Collusion resistance
• Security
Do naive combinations of fs-PKE and HIBE work?
[Figure: example hierarchy with root School, children Math and CS, and users Alice, Bob, Eve and John (User 1, User 2)]
An fs-HIBE attempt
• Each entity node maintains one tree, used both for computing its children's private keys and for its own forward security
• Not joining-time-oblivious: CS joins at (0 1) with public key (School, 0, 1, CS); Bob joins at (1 0) with public key (School, 0, 1, CS, 1, 0, Bob); the sender needs to know when CS and Bob joined
[Figure: School's tree with branches 0 and 1; CS hangs off (0 1) and Bob hangs off CS's branch (1 0)]
Another fs-HIBE attempt
• Each node maintains two subtrees: the left subtree for forward security and the right subtree for adding children
• Does not work either
[Figure: School with two subtrees (0 and 1); CS and Math hang off the right subtree, Bob hangs off CS]
Overview of our fs-HIBE scheme
• Based on the HIBE [Gentry Silverberg 02] and fs-PKE [Canetti Halevi Katz 03] schemes
• Security based on the Bilinear Diffie-Hellman assumption [BF 01] and the random oracle model [Bellare Rogaway 93]
• Chosen-ciphertext secure against an adaptive-chosen-(ID-tuple, time) adversary
fs-HIBE Root setup
• Similar to the key derivation of fs-PKE
• Private key for time (0 0) contains the decryption key for (0 0), and future secrets
• Generates params, the decryption key, and future secrets
[Figure: key-derivation tree for S(School,00) with branches 0 and 1 and leaves 0 0, 0 1, 1 0, 1 1; annotated with a random secret s, an intermediate secret, the decryption key for time (0 0), and the secrets for future keys]
Notation: || denotes string concatenation, + denotes the group addition operation; a third symbol denotes the group multiplication operation.
• Pick random secrets s and s'
• = s H(0 || School)
• = s H(1 || School)
• = + s' H(0 0 || School)
• = + s' H(0 1 || School)
• Erase , s and s'
fs-HIBE algorithms cont'd
• Lower-level setup is used by a node at time t to compute keys for its children; similar to Root setup; computes both the decryption key at time t and the future secrets
• Update: similar as in fs-PKE
• Encrypt: with time (0 0) and ID-tuple (School, CS, Bob)
• Decrypt: the decryption key is used
Suppose CS and Bob join at time period (0 0).
[Figure: key derivation along School, CS, Bob at time (0 0), with the intermediate secrets at each level and the components of the ciphertext]
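The fs-PKE key structure that Root setup, Lower-level setup and Update build on (a binary tree of time periods, a private key made of the current decryption key plus the "future secrets" for the right siblings along the path, and erasure of past secrets on every Update) is easier to see in a small simulation. The following Python is an added example, not code from the paper or from the authors: it replaces the bilinear-map derivation of the real scheme with a one-way HMAC-based toy derivation (an assumption of this example) so that only the tree bookkeeping is shown, and it covers a single entity rather than a hierarchy.

```python
import hashlib
import hmac

# Toy stand-in for the scheme's key derivation (assumption of this example):
# a child node's secret is an HMAC of the child's label under the parent
# secret, so a child secret reveals nothing about its parent or sibling.
def derive_child(secret: bytes, label: str, bit: str) -> bytes:
    return hmac.new(secret, (label + bit).encode(), hashlib.sha256).digest()

def period_label(t: int, depth: int) -> str:
    """Time period t as a binary string of length depth (the leaf label)."""
    if not 0 <= t < 2 ** depth:
        raise ValueError("time period out of range")
    return format(t, f"0{depth}b")

class ForwardSecureKey:
    """Private key of one entity for the current time period.

    Stored as a stack of (label, secret) pairs: the top entry is the
    decryption key of the current period, the entries below it are the
    future secrets (right siblings of the nodes on the path to the leaf).
    """

    def __init__(self, root_secret: bytes, depth: int):
        self.depth = depth
        self.stack = [("", root_secret)]
        self._expand()

    def _expand(self) -> None:
        # Descend from the top entry until it is a leaf.  The internal node's
        # secret is erased once both children are derived; the right child is
        # pushed first so the left child (earlier period) ends up on top.
        while len(self.stack[-1][0]) < self.depth:
            label, secret = self.stack.pop()
            self.stack.append((label + "1", derive_child(secret, label, "1")))
            self.stack.append((label + "0", derive_child(secret, label, "0")))

    def period(self) -> int:
        return int(self.stack[-1][0], 2)

    def decryption_key(self) -> bytes:
        return self.stack[-1][1]

    def update(self) -> None:
        """Move to the next period: erase the current leaf, then expand the
        next future secret down to its leftmost leaf."""
        self.stack.pop()
        if not self.stack:
            raise RuntimeError("no future time periods left")
        self._expand()

    def can_derive(self, t: int) -> bool:
        """True iff the stored material still determines the key of period t,
        i.e. some stored node is an ancestor of (or equal to) leaf t."""
        target = period_label(t, self.depth)
        return any(target.startswith(label) for label, _ in self.stack)

def leaf_secret_from_root(root_secret: bytes, depth: int, t: int) -> bytes:
    """Direct derivation of period t's key from the root secret, used to check
    that the stack-based Update reaches the same key."""
    label, secret = "", root_secret
    for bit in period_label(t, depth):
        secret = derive_child(secret, label, bit)
        label += bit
    return secret

if __name__ == "__main__":
    k = ForwardSecureKey(b"constructed root secret", 3)   # 8 time periods
    for _ in range(3):
        print("period", k.period(), "stack labels", [lab for lab, _ in k.stack])
        k.update()
    print("can still derive period 0:", k.can_derive(0))
```

After two updates the key holds at most depth + 1 entries, still derives every period from the current one onward, and no longer determines periods 0 and 1 (the compromise-of-current-key scenario the forward-security definition addresses).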
HIBE in broadcast encryption
• Public-key BE by Dodis and Fazio: uses HIBE to implement a subset-cover framework [Naor Naor Lotspiech 01]
• A scalable fs-BE scheme: dynamic joins and joining-time obliviousness; users update their secret keys autonomously
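The subset-cover framework referenced above partitions the non-revoked users into subsets, and the broadcaster encrypts the session key once per subset; in the Dodis-Fazio construction each subset is addressed with HIBE. The Python below is an added example, not the authors' code: it computes the cover for the complete-subtree method of [Naor Naor Lotspiech 01] (one instance of the framework, chosen here as an assumption), where subsets are full subtrees of a binary user tree and the cover consists of the subtrees hanging off the Steiner tree of the revoked leaves.

```python
def user_label(u: int, depth: int) -> str:
    """Leaf label of user u in a complete binary tree with 2**depth leaves."""
    if not 0 <= u < 2 ** depth:
        raise ValueError("user index out of range")
    return format(u, f"0{depth}b")

def subtree_members(label: str, depth: int) -> set:
    """All users (leaf indices) below the node with the given label."""
    free = depth - len(label)
    base = (int(label, 2) << free) if label else 0
    return set(range(base, base + (1 << free)))

def complete_subtree_cover(depth: int, revoked) -> list:
    """Complete-subtree method: labels of the subtrees that together contain
    exactly the non-revoked users.

    The Steiner tree is the set of all ancestors of revoked leaves (including
    the root).  Every child of a Steiner node that is not itself in the
    Steiner tree is a full subtree of non-revoked users, and these form the
    cover (at most r * depth subsets for r revoked users).
    """
    revoked = set(revoked)
    if not revoked:
        return [""]                     # nobody revoked: the whole tree
    steiner = set()
    for u in revoked:
        lab = user_label(u, depth)
        for i in range(depth + 1):
            steiner.add(lab[:i])        # root, every ancestor, and the leaf
    cover = []
    for node in steiner:
        if len(node) == depth:
            continue                    # a revoked leaf has no children
        for bit in "01":
            child = node + bit
            if child not in steiner:
                cover.append(child)
    return sorted(cover)

def covered_users(cover, depth: int) -> set:
    """Union of the users addressed by a cover (the broadcast's audience)."""
    users = set()
    for label in cover:
        users |= subtree_members(label, depth)
    return users

if __name__ == "__main__":
    depth = 3                            # constructed example: 8 users
    cover = complete_subtree_cover(depth, revoked={5})
    print("cover:", cover)               # one HIBE encryption per label
    print("audience:", sorted(covered_users(cover, depth)))
```

A user receiving the broadcast looks for a cover label that is a prefix of its own leaf label and decrypts under the key for that subset; a revoked user never finds one, because every subtree containing it lies on the Steiner tree and is therefore split rather than included.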
Security of fs-HIBE
"Security definitions"
• Secure for past communications of compromised nodes
• Secure for ancestor nodes
• Secure for sibling nodes
• Security based on the hardness of the BDH problem and the random oracle model
Theorem. Suppose there is an adaptive adversary A, with
• advantage of A against one-way secure fs-HIBE
• h: level of some target ID-tuple
• l = log2 N, where N is the total number of time periods
• H1, H2: random oracles
• qH2: number of hash queries made to hash function H2
• qE: number of lower-level setup queries made
Then there exists an algorithm B that solves the BDH problem with advantage