Identity-BasedEncryptionfromtheWeilPairing.ppt资源-CSDN文库

共2个文件

pdf：1个

ppt：1个

Identity

Based

Encryption

需积分: 35 46 浏览量 2015-05-21 21:16:05 上传评论收藏 833KB RAR 举报

资源推荐

资源详情

资源评论

收起资源包目录

Identity-Based Encryption from the Weil Pairing.rar （2个子文件）

Identity-Based Encryption from the Weil Pairing

[2003]Identity-Based Encryption from the Weil Pairing.pdf 286KB

Identity-Based Encryption from the Weil Pairing哈工大創新中心範本3.ppt 729KB

Identity-Based Encryption from the Weil Pairing

Dan Boneh

∗

Matthew Franklin

†

dabo@cs.stanford.edu franklin@cs.ucdavis.edu

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this

paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

213–229, Springer-Verlag, 2001.

Abstract

We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen

ciphertext security in the random oracle model assuming a variant of the computational Diﬃe-

Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on

elliptic curves is an example of such a map. We give precise deﬁnitions for secure identity based

encryption schemes and give several applications for such systems.

1 Introduction

In 1984 Shamir [41] asked for a public key encryption scheme in which the public key can be an arbitrary

string. In such a scheme there are four algorithms: (1) setup generates global system parameters and

a master-key, (2) extract uses the master-key to generate the private key corresponding to an arbitrary

public key string ID ∈ {0, 1}

∗

, (3) encrypt encrypts messages using the public key ID, and (4) decrypt

decrypts messages using the corresponding private key.

Shamir’s original motivation for identity-based encryption was to simplify certiﬁcate management

in e-mail systems. When Alice sends mail to Bob at bob@company.com she simply encrypts her message

using the public key string “bob@company.com”. There is no need for Alice to obtain Bob’s public key

certiﬁcate. When Bob receives the encrypted mail he contacts a third party, which we call the Private

Key Generator (PKG). Bob authenticates himself to the PKG in the same way he would authenticate

himself to a CA and obtains his private key from the PKG. Bob can then read his e-mail. Note that

unlike the existing secure e-mail infrastructure, Alice can send encrypted mail to Bob even if Bob

has not yet setup his public key certiﬁcate. Also note that key escrow is inherent in identity-based

e-mail systems: the PKG knows Bob’s private key. We discuss key revocation, as well as several new

applications for IBE schemes in the next section.

Since the problem was posed in 1984 there have been several proposals for IBE schemes [11, 45,

44, 31, 25] (see also [33, p. 561]). However, none of these are fully satisfactory. Some solutions require

that users not collude. Other solutions require the PKG to spend a long time for each private key

generation request. Some solutions require tamper resistant hardware. It is fair to say that until

the results in [5] constructing a usable IBE system was an open problem. Interestingly, the related

notions of identity-based signature and authentication schemes, also introduced by Shamir [41], do

have satisfactory solutions [15, 14].

In this paper we propose a fully functional identity-based encryption scheme. The performance

of our system is comparable to the performance of ElGamal encryption in F

∗

. The security of our

system is based on a natural analogue of the computational Diﬃe-Hellman assumption. Based on

∗

Supported by DARPA contract F30602-99-1-0530, NSF, and the Packard Foundation.

†

Supported by an NSF Career Award and the Packard Foundation.

this assumption we show that the new system has chosen ciphertext security in the random oracle

model. Using standard techniques from threshold cryptography [20, 22] the PKG in our scheme can

be distributed so that the master-key is never available in a single location. Unlike common threshold

systems, we show that robustness for our distributed PKG is free.

Our IBE system can be built from any bilinear map e : G

×G

→ G

between two groups G

, G

long as a variant of the Computational Diﬃe-Hellman problem in G

is hard. We use the Weil pairing

on elliptic curves as an example of such a map. Until recently the Weil pairing has mostly been used for

attacking elliptic curve systems [32, 17]. Joux [26] recently showed that the Weil pairing can be used

for “good” by using it for a protocol for three party one round Diﬃe-Hellman key exchange. Sakai et

al. [40] used the pairing for key exchange and Verheul [46] used it to construct an ElGamal encryption

scheme where each public key has two corresponding private keys. In addition to our identity-based

encryption scheme, we show how to construct an ElGamal encryption scheme with “built-in” key

escrow, i.e., where one global escrow key can decrypt ciphertexts encrypted under any public key.

To argue about the security of our IBE system we deﬁne chosen ciphertext security for identity-

based encryption. Our model gives the adversary more power than the standard model for chosen

ciphertext security [37, 2]. First, we allow the attacker to attack an arbitrary public key ID of her

choice. Second, while mounting a chosen ciphertext attack on ID we allow the attacker to obtain from

the PKG the private key for any public key of her choice, other than the private key for ID. This models

an attacker who obtains a number of private keys corresponding to some identities of her choice and

then tries to attack some other public key ID of her choice. Even with the help of such queries the

attacker should have negligible advantage in defeating the semantic security of the system.

The rest of the paper is organized as follows. Several applications of identity-based encryption are

discussed in Section 1.1. We then give precise deﬁnitions and security models in Section 2. We describe

bilinear maps with certain properties in Section 3. Our identity-based encryption scheme is presented

in Section 4 using general bilinear maps. Then a concrete identity based system from the Weil pairing is

given in Section 5. Some extensions and variations (eﬃciency improvements, distribution of the master-

key) are considered in Section 6. Our construction for ElGamal encryption with a global escrow key is

described in Section 7. Section 8 gives conclusions and some open problems. The Appendix contains

a more detailed discussion of the Weil pairing.

1.1 Applications for Identity-Based Encryption

The original motivation for identity-based encryption is to help the deployment of a public key infras-

tructure. In this section, we show several other unrelated applications.

1.1.1 Revocation of Public Keys

Public key certiﬁcates contain a preset expiration date. In an IBE system key expiration can be done by

having Alice encrypt e-mail sent to Bob using the public key: “bob@company.com k current-year”.

In doing so Bob can use his private key during the current year only. Once a year Bob needs to obtain

a new private key from the PKG. Hence, we get the eﬀect of annual private key expiration. Note

that unlike the existing PKI, Alice does not need to obtain a new certiﬁcate from Bob every time Bob

refreshes his private key.

One could potentially make this approach more granular by encrypting e-mail for Bob using

“bob@company.com k current-date”. This forces Bob to obtain a new private key every day.

This might be possible in a corporate PKI where the PKG is maintained by the corporation. With this

approach key revocation is very simple: when Bob leaves the company and his key needs to be revoked,

the corporate PKG is instructed to stop issuing private keys for Bob’s e-mail address. As a result, Bob

can no longer read his email. The interesting property is that Alice does not need to communicate with

any third party certiﬁcate directory to obtain Bob’s daily public key. Hence, identity based encryption

is a very eﬃcient mechanism for implementing ephemeral public keys. Also note that this approach

enables Alice to send messages into the future: Bob will only be able to decrypt the e-mail on the date

speciﬁed by Alice (see [38, 12] for methods of sending messages into the future using a stronger security

model).

Managing user credentials. A simple extension to the discussion above enables us to manage

user credentials using the IBE system. Suppose Alice encrypts mail to Bob using the public key:

“bob@company.com k current-year k clearance=secret”. Then Bob will only be able to read

the email if on the speciﬁed date he has secret clearance. Consequently, it is easy to grant and revoke

user credentials using the PKG.

1.1.2 Delegation of Decryption Keys

Another application for IBE systems is delegation of decryption capabilities. We give two example

applications. In both applications the user Bob plays the role of the PKG. Bob runs the setup algorithm

to generate his own IBE system parameters params and his own master-key. Here we view params as

Bob’s public key. Bob obtains a certiﬁcate from a CA for his public key params. When Alice wishes to

send mail to Bob she ﬁrst obtains Bob’s public key params from Bob’s public key certiﬁcate. Note that

Bob is the only one who knows his master-key and hence there is no key-escrow with this setup.

1. Delegation to a laptop. Suppose Alice encrypts mail to Bob using the current date as the IBE

encryption key (she uses Bob’s params as the IBE system parameters). Since Bob has the master-

key he can extract the private key corresponding to this IBE encryption key and then decrypt the

message. Now, suppose Bob goes on a trip for seven days. Normally, Bob would put his private key

on his laptop. If the laptop is stolen the private key is compromised. When using the IBE system

Bob could simply install on his laptop the seven private keys corresponding to the seven days of the

trip. If the laptop is stolen, only the private keys for those seven days are compromised. The master-

key is unharmed. This is analogous to the delegation scenario for signature schemes considered by

Goldreich et al. [23].

2. Delegation of duties. Suppose Alice encrypts mail to Bob using the subject line as the IBE

encryption key. Bob can decrypt mail using his master-key. Now, suppose Bob has several assistants

each responsible for a diﬀerent task (e.g. one is ‘purchasing’, another is ‘human-resources’, etc.). Bob

gives one private key to each of his assistants corresponding to the assistant’s responsibility. Each

assistant can then decrypt messages whose subject line falls within its responsibilities, but it cannot

decrypt messages intended for other assistants. Note that Alice only obtains a single public key from

Bob (params), and she uses that public key to send mail with any subject line of her choice. The

mail can only be read by the assistant responsible for that subject.

More generally, IBE can simplify security systems that manage a large number of public keys. Rather

than storing a big database of public keys the system can either derive these public keys from usernames,

or simply use the integers 1, . . . , n as distinct public keys.

2 Deﬁnitions

Identity-Based Encryption. An identity-based encryption scheme E is speciﬁed by four random-

ized algorithms: Setup, Extract, Encrypt, Decrypt:

Setup: takes a security parameter k and returns params (system parameters) and master-key. The

system parameters include a description of a ﬁnite message space M, and a description of a ﬁnite

ciphertext space C. Intuitively, the system parameters will be publicly known, while the master-key

will be known only to the “Private Key Generator” (PKG).

Extract: takes as input params, master-key, and an arbitrary ID ∈ {0, 1}

∗

, and returns a private key

d. Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private

decryption key. The Extract algorithm extracts a private key from the given public key.

Encrypt: takes as input params, ID, and M ∈ M. It returns a ciphertext C ∈ C.

Decrypt: takes as input params, C ∈ C, and a private key d. It return M ∈ M.

These algorithms must satisfy the standard consistency constraint, namely when d is the private key

generated by algorithm Extract when it is given ID as the public key, then

∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M)

Chosen ciphertext security. Chosen ciphertext security (IND-CCA) is the standard acceptable

notion of security for a public key encryption scheme [37, 2, 13]. Hence, it is natural to require that an

identity-based encryption scheme also satisfy this strong notion of security. However, the deﬁnition of

chosen ciphertext security must be strengthened a bit. The reason is that when an adversary attacks

a public key ID in an identity-based system, the adversary might already possess the private keys of

users ID

, . . . , ID

of her choice. The system should remain secure under such an attack. Hence, the

deﬁnition of chosen ciphertext security must allow the adversary to obtain the private key associated

with any identity ID

of her choice (other than the public key ID being attacked). We refer to such

queries as private key extraction queries. Another diﬀerence is that the adversary is challenged on a

public key ID of her choice (as opposed to a random public key).

We say that an identity-based encryption scheme E is semantically secure against an adaptive

chosen ciphertext attack (IND-ID-CCA) if no polynomially bounded adversary A has a non-negligible

advantage against the Challenger in the following IND-ID-CCA game:

Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives

the adversary the resulting system parameters params. It keeps the master-key to itself.

Phase 1: The adversary issues queries q

, . . . , q

where query q

is one of:

– Extraction query hID

i. The challenger responds by running algorithm Extract to gen-

erate the private key d

corresponding to the public key hID

i. It sends d

to the

adversary.

– Decryption query hID

, C

i. The challenger responds by running algorithm Extract to

generate the private key d

corresponding to ID

. It then runs algorithm Decrypt to

decrypt the ciphertext C

using the private key d

. It sends the resulting plaintext to

the adversary.

These queries may be asked adaptively, that is, each query q

may depend on the replies

to q

, . . . , q

i−1

Challenge: Once the adversary decides that Phase 1 is over it outputs two equal length

plaintexts M

, M

∈ M and an identity ID on which it wishes to be challenged. The only

constraint is that ID did not appear in any private key extraction query in Phase 1.

The challenger picks a random bit b ∈ {0, 1} and sets C = Encrypt(params, ID, M

). It

sends C as the challenge to the adversary.

Phase 2: The adversary issues more queries q

m+1

, . . . , q

where query q

is one of:

– Extraction query hID

i where ID

6= ID. Challenger responds as in Phase 1.

– Decryption query hID

, C

i 6= hID, Ci. Challenger responds as in Phase 1.

These queries may be asked adaptively as in Phase 1.

Guess: Finally, the adversary outputs a guess b

∈ {0, 1} and wins the game if b = b

We refer to such an adversary A as an IND-ID-CCA adversary. We deﬁne adversary A’s

advantage in attacking the scheme E as the following function of the security parameter k

(k is given as input to the challenger): Adv

E,A

(k) =



Pr[b = b

] −



The probability is over the random bits used by the challenger and the adversary.

Using the IND-ID-CCA game we can deﬁne chosen ciphertext security for IBE schemes. As usual, we

say that a function g : R → R is negligible if for any d > 0 we have |g(k)| < 1/k

for suﬃciently large k.

Deﬁnition 2.1. We say that the IBE system E is semantically secure against an adaptive chosen ci-

phertext attack if for any polynomial time IND-ID-CCA adversary A the function Adv

E,A

(k) is negligible.

As shorthand, we say that E is IND-ID-CCA secure.

Note that the standard deﬁnition of chosen ciphertext security (IND-CCA) [37, 2] is the same as

above except that there are no private key extraction queries and the adversary is challenged on a

random public key (rather than a public key of her choice). Private key extraction queries are related

to the deﬁnition of chosen ciphertext security in the multiuser settings [7]. After all, our deﬁnition

involves multiple public keys belonging to multiple users. In [7] the authors show that that multiuser

IND-CCA is reducible to single user IND-CCA using a standard hybrid argument. This does not hold

in the identity-based settings, IND-ID-CCA, since the adversary gets to choose which public keys to

corrupt during the attack. To emphasize the importance of private key extraction queries we note that

our IBE system can be easily modiﬁed (by removing one of the hash functions) into a system which

has chosen ciphertext security when private extraction queries are disallowed. However, the scheme is

completely insecure when extraction queries are allowed.

Semantically secure identity based encryption. The proof of security for our IBE system makes

use of a weaker notion of security known as semantic security (also known as semantic security against

a chosen plaintext attack) [24, 2]. Semantic security is similar to chosen ciphertext security (IND-ID-

CCA) except that the adversary is more limited; it cannot issue decryption queries while attacking the

challenge public key. For a standard public key system (not an identity based system) semantic security

is deﬁned using the following game: (1) the adversary is given a random public key generated by the

challenger, (2) the adversary outputs two equal length messages M

and M

and receives the encryption

of M

from the challenger where b is chosen at random in {0, 1}, (3) the adversary outputs b

and wins

the game if b = b

. The public key system is said to be semantically secure if no polynomial time

adversary can win the game with a non-negligible advantage. As shorthand we say that a semantically

secure public key system is IND-CPA secure. Semantic security captures our intuition that given a

ciphertext the adversary learns nothing about the corresponding plaintext.

评论收藏

内容反馈

依若zlh

粉丝: 9
资源: 11

Identity-Based Encryption from the Weil Pairing.ppt

最新资源

Identity-Based Encryption from the Weil Pairing.ppt

ibe.tar.gz_Identity_encryption_ibe java_pairing _weil

身份基加密IBE1

加密算法的新发展-基于Pairing的密码技术(SM9算法)研究与应用

Identity-Based-Encryption-master.zip_IBE-master_Identity_entireb

Integrating Ciphertext-policy Attribute-Based Encryption with Identity-Based Ring Signature to Enhance Security and Privacy in Wireless Body Area Networks

Identity-Based Functional Encryption for Quadratic Functions from Lattices

Practical chosen-ciphertext secure Hierarchical Identity-Based Broadcast Encryption

Efficient Identity-Based Encryption Without Random Oracles.

论文研究-基于身份和Weil对的聚合签名方案.pdf

Hash key-based video encryption scheme for H.264AVC.pdf

Multi-use unidirectional identity-based proxy re-encryption from hierarchical identity-based encryption

Ciphertext-Policy Attribute-Based Encryption

A Stateful Multicast Key Distribution Protocol Based on Identity-based Encryption

2005fuzzy_identity_based_encryption.pdf

scrt-sfx-9.1.0-2579.ubuntu20-64.x86_64.deb

Identity-based encryption framework

论文研究-An Efficient Ciphertext-Policy Attribute-Based Encryption Scheme with Attribute Adjunction/Revocation in Data Sharing System.pdf

PyPI 官网下载 | dynamodb-encryption-sdk-3.1.0.tar.gz

PyPI 官网下载 | kms-encryption-toolbox-0.0.4.tar.gz

Block Cipher Modes of Operation-Methods for Format-Preserving Encryption.pdf

「安全活动」Downgradable_Identity-based_Encryption_and_Applications

An Improved Cloud-Based Revocable Identity-Based Proxy Re-encryption Scheme

论文研究-Design and Implementation of the HDFS-based Cloud Storage Encryption Access Network.pdf

最新版ISO/IEC 27001:2022、ISO 27002:2022中英文合集

Goby红队版-win-x64-2.4.7版本

Chrome Header Editor 插件

ISO SAE 21434-2021 中文版.pdf

HCL.AppScan.Standard v10.5.0

最新资源