Download presentation
Published byEmil Watkins Modified over 9 years ago
1
Dennis Hofheinz, Jessica Koch, Christoph Striecks
Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting Dennis Hofheinz, Jessica Koch, Christoph Striecks Karlsruhe Institute of Technology, Germany
2
Overview Identity-Based Encryption (IBE) Tight Security
Underlying IBE-Scheme by Chen and Wee - Proof Idea Result: (almost) Tight Security for Multi-Instance, Multi-Ciphertext IBE
3
Identity-Based Encryption (IBE)
4
IBE-IND-CPA Security C* for id* M0 or M1 ? succ.prob = ε1
5
Multi-Instance, Multi-Ciphertext IBE-IND-CPA Security
M0i,c or M1i,c? succ.prob = εmulti
6
Tight Security . . . . . . Ni instances Nc chall. ciphertexts
Nu user secret keys security proof = reduction to hard problem (adv. = εP) attack adv. ε1 = Nu·εP (generic) attacks potentially easier attack adv. εmulti = Ni·Nc·ε1 = Ni·Nc·Nu·εP
7
Tight Security Our goal: tight security i.e. εmulti ≈ εP
independent of Ni, Nc, Nu → smaller keys, smaller groups … recently: (somewhat) tightly secure multi-instance/multi-ciphertext PKE [HJ12, LJYP14] [Chen,Wee13]: somewhat tightly secure IBE 1 instance/1 ciphertext: ε1 ≈ Nu·εP
8
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : normal i i depends on idi = i and position
9
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type i C*: 1* … i* normal C*: id|i* = 1*… i* normal usk: type i usk: 1 … i id|i = 1 … i same type id|i* = id|i Decryption
10
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal normal C*: type i C*: id|i* = 1*… i* normal usk: type i usk: id|i = 1 … i same type id|i* = id|i Decryption
11
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type i C*: 1* … i* normal C*: id|i* = 1*… i* normal usk: type i usk: 1 … i id|i = 1 … i same type id|i* = id|i same type id|i* ≠ id|i Decryption
12
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type i C*: 1* i* normal C*: id|i* = 1*… i* normal usk: type i usk: 1 i id|i = 1 … i same type id|i* = id|i same type id|i* ≠ id|i Decryption
13
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type i C*: 1* … i* normal C*: id|i* = 1*… i* normal usk: type i+1 usk: 1 … i i+1 id|i+1 = 1 … i+1 same type id|i* = id|i same type id|i* ≠ id|i different type id|i+1* = id|i+1 Decryption
14
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal normal C*: type i C*: id|i* = 1*… i* normal usk: type i+1 usk: i+1 id|i+1 = 1 … i+1 same type id|i* = id|i same type id|i* ≠ id|i different type id|i+1* = id|i+1 Decryption
15
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal type n C*: 1* … n* normal C*: id* = 1*… n* normal usk: type n usk: 1 … n id = 1 … n id* ≠ id for all usks
16
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n : start with real security game → change all usks and C* normal 1* n* normal C*: type n C*: id* = 1*… n* normal usk: type n usk: 1 n id = 1 … n id* ≠ id for all usks → usks useless for decryption → replace C* by random → Adversary can only guess
17
Proof Idea of Chen and Wee
Game hop: type i → type i+1 Chall. C*: 1* … i* i+1 test usk*: 1* … i* usk: 1 … i i+1 test C: 1 … i Simulator embeds own challenge Simulator can test on its own i+1 Game i Decryption: i+1 = i+1 Game i+1 Decryption:
18
Proof Idea of Chen and Wee
Game hop: type i → type i+1 Chall. C*: i+1 test usk*: usk: i+1 test C: Simulator embeds own challenge Simulator can test on its own i+1 Game i Decryption: i+1 = i+1 Game i+1 Decryption:
19
Proof Idea of Chen and Wee
Game hop: type i → type i+1 Chall. C*: i+1 test usk*: usk: i+1 test C: Simulator embeds own challenge Simulator can test on its own i+1 Game i Decryption: i+1 = i+1 Game i+1 Decryption:
20
Proof Idea of Chen and Wee
Game hop: type i → type i+1 Chall. C*: i+1 test usk*: usk: i+1 test C: Simulator embeds own challenge Simulator can test on its own i+1 Game i Decryption: i+1 = i+1 Game i+1 Decryption:
21
≈ Our Approach Problem for multi-instance, multi-ciphertext:
Guessing of id*i+1: 1. for each instance → loss = 2Ni 2. different chall. ciphertexts have different id-bits → generation is not possible Our solution: distribute randomness into 2 compartments ≈
22
Our Approach Solution: no guessing id*i+1 = 0 id*i+1 = 1 Simulator
gets: no reaction no reaction i+1 i+1 C*: 1* … i* i+1 1* … i* i+1 usk: 1 … i i+1 1 … i i+1 1 … i i+1 1 … i i+1 type i = type i+1 type i ≠ type i+1 type i ≠ type i+1 type i = type i+1
23
Our Approach Solution: no guessing id*i+1 = 0 id*i+1 = 1 Simulator
gets: no reaction no reaction i+1 i+1 C*: usk: 1 … i i+1 1 … i i+1 type i = type i+1 type i ≠ type i+1 type i ≠ type i+1 type i = type i+1
24
Conclusion no guessing О(n) reductions: n = length of identity
→ loss independent of the number of ciphertexts , instances and usk-queries first fully secure multi-instance, multi-ciphertext IBE with loss О(n) for n-bit identities under a simple assumption
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.