ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption (Danfeng Yao, Nelly Fazio, Brown University / New York University)

ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption
Danfeng Yao, Nelly Fazio, Yevgeniy Dodis, Anna Lysyanskaya (Brown University and New York University)

Identity-based Encryption (IBE) and Hierarchical IBE (HIBE)
IBE: [Shamir 84] [Boneh Franklin 01] [Cocks 01] [Canetti Halevi Katz 03] [Boneh Boyen 04] [Waters 04]
HIBE: [Horwitz Lynn 02] [Gentry Silverberg 02] [Boneh Boyen 04]
Figure: Bob registers as Bob@Brown with the PKG (which holds params and the secret s) and receives the private key S_Bob@Brown; Alice produces the ciphertext C from (M, Bob@Brown, params). Hierarchy: School -> Math, CS -> Bob.
- The public key corresponds to an identity, e.g. an email address (Shamir 1984); this simplifies public-key certificate management.
- A Private Key Generator (PKG) generates the private key of each user in its domain and also chooses a set of public parameters.
- The HIBE scheme of Gentry-Silverberg is based on Boneh-Franklin IBE: the root PKG has a root secret s, and lower-level PKGs obtain their private keys from the parent PKG.
- Bob's public key is the ID-tuple (School, CS, Bob); his private key is computed by CS.
The hierarchy School -> Math, CS -> Alice, Bob is the running example of the talk.

Why is forward-secure HIBE needed?
- In HIBE, exposure of a parent's private key compromises the children's keys.
- Forward security: [Gunther 89] [Diffie van Oorschot Wiener 92] [Anderson 97] [Bellare Miner 99] [Malkin Micciancio Miner 02] [Canetti Halevi Katz 03]
  - Secret keys are evolved with time.
  - Compromising the current key does NOT compromise past communications.
- Forward-secure HIBE mitigates key exposure.
Figure: hierarchy s -> School -> Math, CS -> Alice, Bob; timeline with the past periods marked Safe and the point of compromise.
In a forward-secure public-key encryption scheme, the private key is evolved with time.

Applications of fs-HIBE
- Forward-secure public-key broadcast encryption (fs-BE)
  - BE schemes: [Fiat Naor 93] [Luby Staddon 98] [Garay Staddon Wool 00] [Naor Naor Lotspiech 01] [Halevy Shamir 02] [Kim Hwang Lee 03] [Goodrich Sun Tamassia 04] [Gentry Ramzan 04]
  - HIBE is used in public-key broadcast encryption [Dodis Fazio 02]
  - Forward security is especially important in BE
- Multiple HIBE (MHIBE): an encryption scheme for users with multiple roles
Figure: timeline with the past periods marked Safe and the point where the key is compromised.

Hierarchical IBE
HIBE: [Horwitz Lynn 02] [Gentry Silverberg 02] [Boneh Boyen 04]
Figure: Root setup outputs params and S_School; Lower-level setup at School outputs S_Math and S_CS for the ID-tuples (School, Math) and (School, CS); Lower-level setup at CS outputs S_Bob for (School, CS, Bob). The sender runs Encrypt(bob@cs.school); Bob runs Decrypt(S_Bob).

Forward-secure Public-Key Encryption
fs-PKE (Canetti, Halevi, and Katz 2003)
- Used to protect the private key of one user
- Based on Gentry-Silverberg HIBE
- A time period is a binary string
- The private key contains the decryption key and the future secrets
- Past secrets are erased in algorithm Update
- The current private key is used to compute future private keys
Figure: binary tree of secrets with root s, children s0 and s1, and leaves s00, s01 below s0; total time periods: 4; Period 1: (0 0), Period 2: (0 1), Period 3: (1 0), Period 4: (1 1); the sender runs Encrypt(params, 0 0).
Each leaf is a time period (for example, a month). A random secret is picked for the root and the lower-level setup of HIBE is used to compute the node secrets. To preserve the security of past communications, past secret keys are erased at the end of a time period, so s00 is erased once period (0 0) ends. At a given time period, a user therefore needs not only the decryption key corresponding to the current time period but also the secrets for computing the future keys.
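The tree-of-periods structure and the erase-on-update discipline described above, as an added Python illustration that is not part of the original slides or of the Canetti-Halevi-Katz scheme itself. A SHA-256 derivation stands in for the pairing-based lower-level setup that fs-PKE borrows from the Gentry-Silverberg HIBE (an assumption made here so the example runs offline; the real keys are group elements). The names FsPkeUser, derive, reference_key and key_for are this example's own.

```python
import hashlib
import os
from typing import List, Optional, Tuple


def derive(parent_secret: bytes, child_label: str) -> bytes:
    """One-way derivation of a child node's secret from its parent's secret.

    Stand-in (assumption of this example) for the pairing-based lower-level
    setup of the Gentry-Silverberg HIBE: only the tree shape and the erasure
    discipline of fs-PKE are modeled, not the real group arithmetic.
    """
    return hashlib.sha256(parent_secret + child_label.encode("ascii")).digest()


def reference_key(root_secret: bytes, period: str) -> bytes:
    """Key of leaf `period` derived straight from the root (root-only view, for checking)."""
    secret = root_secret
    for i in range(len(period)):
        secret = derive(secret, period[: i + 1])
    return secret


class FsPkeUser:
    """One user's evolving private key over 2**depth periods (leaves labelled by bit strings).

    State = decryption key of the current leaf + "future secrets": the secrets of
    the right siblings hanging off the root-to-current-leaf path. Everything else
    (root secret, consumed ancestors, past leaves) is erased.
    """

    def __init__(self, root_secret: bytes, depth: int):
        self.depth = depth
        self.future: List[Tuple[str, bytes]] = [("", root_secret)]  # stack of (label, secret)
        self.period = ""
        self.dec_key = b""
        self._descend_to_next_leaf()

    def _descend_to_next_leaf(self) -> None:
        label, secret = self.future.pop()
        # Walk to the leftmost leaf under this node; keep each right sibling as a future secret.
        while len(label) < self.depth:
            self.future.append((label + "1", derive(secret, label + "1")))
            secret = derive(secret, label + "0")
            label += "0"
        self.period, self.dec_key = label, secret  # the ancestor secrets are now consumed

    def update(self) -> bool:
        """Algorithm Update: erase the current decryption key and move to the next period.

        Returns False once no periods remain.
        """
        self.dec_key = b""  # erasure: s00 is gone at the end of period (0 0)
        if not self.future:
            self.period = ""
            return False
        self._descend_to_next_leaf()
        return True

    def key_for(self, period: str) -> Optional[bytes]:
        """Derive the decryption key of `period` from what the user still stores.

        Works for the current and any future period; returns None for a past
        period, because no stored secret lies on that leaf's path any more.
        """
        if period == self.period:
            return self.dec_key
        for label, secret in self.future:
            if period.startswith(label):
                for i in range(len(label), len(period)):
                    secret = derive(secret, period[: i + 1])
                return secret
        return None


def periods_recoverable(user: FsPkeUser, depth: int) -> List[str]:
    """All periods whose decryption keys the user's current state can still produce."""
    labels = [format(p, f"0{depth}b") for p in range(2 ** depth)]
    return [lab for lab in labels if user.key_for(lab) is not None]


if __name__ == "__main__":
    root = os.urandom(32)  # constructed root secret s (the real scheme uses a random group scalar)
    user = FsPkeUser(root, depth=2)  # four periods: 00, 01, 10, 11
    print("period", user.period, "recoverable:", periods_recoverable(user, 2))
    user.update()  # end of period (0 0)
    print("period", user.period, "recoverable:", periods_recoverable(user, 2))
```

After the first Update the state still yields the keys of (0 1), (1 0) and (1 1) but no longer that of (0 0), which is exactly the forward-security property the slide describes: an intruder who reads the state at (0 1) learns nothing that decrypts traffic from (0 0).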

fs-HIBE requirements
- Dynamic joins: users can join at any time
- Joining-time obliviousness
- Collusion resistance:
  - against breaking a parent's keys for past time periods
  - against a parent's keys for future time periods
  - against children's keys for past time periods
Do naive combinations of fs-PKE and HIBE work?
Figure: hierarchy School -> Math, CS -> Alice, John, Bob, Eve (User 1, User 2).

An fs-HIBE attempt
- Each entity node maintains one tree, used both for computing the children's private keys and for the forward security of the node itself
- Forward-secure, but not joining-time oblivious:
  - CS joins at (0 1) with public key (School, 0, 1, CS)
  - Bob joins at (1 0) with public key (School, 0, 1, CS, 1, 0, Bob)
  - The sender needs to know when CS and Bob joined
- This fundamentally conflicts with the concept of IBE: the sender should only need to know the identity
Figure: School's tree with CS attached below node (0 1); CS's tree with Bob attached below node (1 0).

Overview of our fs-HIBE scheme
- Based on the HIBE [Gentry Silverberg 02] and fs-PKE [Canetti Halevi Katz 03] schemes
- Scalable, efficient, and provably secure
- Forward security, dynamic joins, joining-time obliviousness, collusion resistance
- Security based on the Bilinear Diffie-Hellman (BDH) assumption [BF 01] and the random oracle model [Bellare Rogaway 93]
- Chosen-ciphertext secure against an adaptive-chosen-(ID-tuple, time) adversary

fs-HIBE algorithm definitions
Figure: Root setup (t = 0 0) outputs S_School,00; Lower-level setup outputs S_Math,t and S_CS,t; Update evolves S_Bob,t into S_Bob,t'. The sender runs Encrypt(bob@cs.brown, 28.Oct.2004); Bob runs Decrypt(S_Bob, 28.Oct.2004).
Compared with plain HIBE, time is added to the private keys: every key is bound to an ID-tuple and a time period.

fs-HIBE Root setup
- Similar to the key derivation of fs-PKE
- Generates params, the decryption key, and the future secrets
- The private key S(School,00) for time (0 0) contains the decryption key for (0 0) and the future secrets:
    s0  = s · H(0 || School)
    s1  = s · H(1 || School)
    s00 = s0 + s' · H(0 0 || School)
    s01 = s0 + s' · H(0 1 || School)
  Erase s0, s and s'.
Notation: || string concatenation; + group addition; · multiplication of a group element by a scalar.
This is an adaptation of the Gentry-Silverberg HIBE key derivation, generalized to two dimensions (identity and time): not exactly the same, but similar.

fs-HIBE algorithms cont'd
- Lower-level setup is used by a node at time t to compute keys for its children. It is a generalization of Root setup and computes both the decryption key at time t and the future secrets; the intermediate secrets are erased.
  Deriving S(CS,00) from S(School,00), with s2 and s2' chosen by School:
    (component of S(CS,00)) = (matching component of S(School,00)) + s2 · H(0 || School CS)
    (component of S(CS,00)) = (matching component of S(School,00)) + s2' · H(0 0 || School CS)
  Deriving S(Bob,00) from S(CS,00), with s3 and s3' chosen by CS:
    (component of S(Bob,00)) = (matching component of S(CS,00)) + s3 · H(0 0 || School CS Bob)
    (component of S(Bob,00)) = (matching component of S(CS,00)) + s3' · H(0 0 || School CS Bob)
- Update: similar to fs-PKE
- Encrypt: ciphertext size O(h log N)
- Decrypt: Bob's decryption key is used
Figure: the keys S(School,00), S(CS,00), S(Bob,00) laid out along a time axis.

HIBE in broadcast encryption
- Subset-cover framework [NNL01]: in Enc, the broadcast center covers the valid users with subsets
- Each subset has a public key
- The center encrypts messages under a session key K; K is encrypted with the public keys of all subsets in the cover
- A user decrypts K with the secret keys obtained at Reg; it may first need to derive secret keys (e.g. in the Subset Difference method [DF02])
Figure: the center at the root of a tree whose leaves are valid and revoked users.
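The Complete Subtree instance of the subset-cover framework, as an added Python example that is not from the slides or from the cited papers. It covers both this slide and the Dodis-Fazio connection on the next one: users are leaves of a binary tree, every node is a subset with its own key (in the HIBE-based construction, the node's ID-tuple), a user registering at Reg receives secret keys for all nodes on its root-to-leaf path, and Enc wraps the session key K once per subset in the cover. Encryption of K under a subset's public key is modelled by a labelled record (an assumption of this example); the function names are this example's own.

```python
import math
from typing import Dict, List, Optional, Set


def path_nodes(leaf: str) -> List[str]:
    """Nodes a user at `leaf` receives secret keys for at Reg: its root-to-leaf path.
    The empty label "" is the root, i.e. the subset of all users."""
    return [leaf[:i] for i in range(len(leaf) + 1)]


def complete_subtree_cover(depth: int, revoked: Set[str]) -> List[str]:
    """Complete Subtree method: roots of the maximal subtrees containing no revoked leaf,
    in left-to-right order. `revoked` holds leaf labels of length `depth`."""

    def cover(node: str) -> List[str]:
        if not any(r.startswith(node) for r in revoked):
            return [node]  # whole subtree is clean: one subset key suffices
        if len(node) == depth:
            return []  # a revoked leaf: excluded from the cover
        return cover(node + "0") + cover(node + "1")

    return cover("")


def within_nnl_bound(depth: int, revoked: Set[str]) -> bool:
    """Sanity check on the cover size: at most r * log2(N / r) subsets for r > 0
    revoked users among N = 2**depth (the Complete Subtree bound)."""
    r, n = len(revoked), 2 ** depth
    if r == 0:
        return len(complete_subtree_cover(depth, revoked)) == 1
    return len(complete_subtree_cover(depth, revoked)) <= r * math.log2(n / r)


def _wrap_label(node: str) -> bytes:
    return b"ENC[" + node.encode("ascii") + b"]"


def enc(depth: int, revoked: Set[str], session_key: bytes) -> Dict[str, bytes]:
    """Broadcast header: the session key K wrapped once per subset in the cover.
    Wrapping is modelled by prefixing a label (constructed stand-in for encrypting
    K under the subset's public key)."""
    return {node: _wrap_label(node) + session_key for node in complete_subtree_cover(depth, revoked)}


def dec(leaf: str, header: Dict[str, bytes]) -> Optional[bytes]:
    """A user recovers K iff one of the nodes on its path is a subset in the cover;
    a revoked user has no such node and gets None."""
    for node in path_nodes(leaf):
        if node in header:
            return header[node][len(_wrap_label(node)):]
    return None


if __name__ == "__main__":
    # Constructed scenario: 8 users (depth 3), two of them revoked.
    revoked_users = {"010", "111"}
    header = enc(3, revoked_users, b"session-key-K")
    print("cover:", list(header))  # ['00', '011', '10', '110']
    for u in range(8):
        leaf = format(u, "03b")
        print(leaf, "revoked" if leaf in revoked_users else "valid", "->", dec(leaf, header))
```

With two revoked leaves out of eight the cover has four subsets, so the header carries four encryptions of K instead of six (one per valid user); every valid leaf finds one of its path nodes in the header, and neither revoked leaf does, since each of their path nodes contains a revoked user and was split rather than taken whole.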

Forward-secure broadcast encryption
- Public-key BE by Dodis and Fazio uses HIBE to implement the subset-cover framework [Naor Naor Lotspiech 01]
- A scalable fs-BE scheme: dynamic joins and joining-time obliviousness; users update their secret keys autonomously
- Algorithms: KeyGen, Reg, Upd, Enc, Dec
Figure: KeyGen (t = 0) outputs S_Center,0; a user who wants to join at time t runs Reg and receives S_u,t; the user runs Update on its own key; the center runs Enc(M, t) and the user runs Dec(S_u,t).

Security of fs-HIBE
- Security definitions: chosen-ciphertext security against an adaptive adversary choosing the target (ID-tuple, time)
- Security is based on the hardness of the BDH problem in the random oracle model
Theorem. Suppose there is an adaptive adversary A that has advantage ε against one-way secure fs-HIBE targeting some time and ID-tuple at level h, and that makes qH2 hash queries to the hash function H2 and qE lower-level setup queries. Let N be the total number of time periods and l = log2 N. If H1 and H2 are random oracles, then there exists an algorithm B that solves the BDH problem with advantage at least
  ( ((h + l) / 2) / (e · (2l · qE + h + l)) )^(h + l) · (ε − 1/2^n) / qH2.

fs-HIBE attempt II
- Each entity maintains the HIBE tree and the fs-PKE tree separately
- An entity obtains a forward-secure key and a HIBE key from its parent; the forward-secure keys are shared by all users
- Decryption requires both the HIBE key and the fs-PKE key
- Not forward-secure:
  - The adversary first breaks into Alice at time (0 0) and obtains s00, s01, s1
  - Then it breaks into Bob at time (0 1) and gets sBob
  - The adversary can now decrypt Bob's past messages of time (0 0)
Figure: hierarchy School -> Math, CS -> Alice (sAlice), Bob (sBob); shared fs-PKE tree with nodes s1, s00, s01.