1
Strongly Secure Certificateless Encryption
Alexander W. Dent
Information Security Group
a.dent@rhul.ac.uk
2
This is joint work with…
Benoit Libert, UCL, Belgium
Kenny Paterson, Royal Holloway
3
Table of Contents
Certificateless encryption (7 slides)
A theoretical construction (4 slides)
A practical construction (1 slide)
Conclusions (2 slides)
4
Certificateless Encryption
5
Public-key encryption
– Receivers generate their own keys
– Senders are required to download certificates
Identity-based encryption
– KGC generates decryption keys
– Inherent key escrow problem
– Senders not required to download certificates
– Revocation could be a problem
6
Certificateless Encryption
Certificateless encryption
– Each user generates their own public key from a randomly generated “secret value”.
– KGC provides a partial private key for a user’s identity.
– Encryption requires the user’s public key and the user’s identity.
– Decryption requires a private key based on the user’s secret value and partial private key.
7
Certificateless Encryption
Certificateless encryption
– Senders not required to download certificates
– No inherent key escrow problem
– Revocation potentially still a problem
Two security models:
– Security against an outsider attacker
– Security against a KGC
8
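Certificateless Encryption
[Diagram: the attacker's oracles in the security game, shown as query → response]
– Encryption oracle: (ID*, m_0, m_1) → C*
– Extract partial private key: ID → d_ID
– Extract full private key: ID → sk_ID
– Request public key: ID → pk_ID
– Replace public key: (ID, pk_ID)
– Decrypt: C → m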
9
Certificateless Encryption
Assume queries that trivially win the game are not allowed:
– E.g. finding the full private key for ID*.
– E.g. finding the partial private key for ID* and replacing the challenge public key.
– E.g. finding the decryption of C*.
Similar model for the KGC. Attacker is given the KGC’s master private key.
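The bookkeeping a challenger needs to enforce these restrictions against the outsider attacker, as an added example that is not from the presentation. It covers only the three trivial wins listed on this slide; the class and method names are hypothetical, and the challenge ciphertext is passed in as an opaque value rather than produced by a real scheme.

```python
class TrivialWin(Exception):
    """A query that would trivially win the game."""

class OutsiderGame:
    """Query log for the outsider-attacker game (hypothetical helper)."""

    def __init__(self):
        self.partial = set()    # IDs whose partial private key was extracted
        self.full = set()       # IDs whose full private key was extracted
        self.replaced = set()   # IDs whose public key was replaced
        self.id_star = None     # challenge identity, fixed by challenge()
        self.c_star = None      # challenge ciphertext (opaque placeholder)

    def _check(self):
        s = self.id_star        # None before the challenge: nothing forbidden yet
        if s in self.full:
            raise TrivialWin("full private key for ID*")
        if s in self.partial and s in self.replaced:
            raise TrivialWin("partial private key for ID* plus replaced public key")

    def _record(self, bucket, ident):
        bucket.add(ident)
        try:
            self._check()
        except TrivialWin:
            bucket.discard(ident)   # refuse the query, keep the log consistent
            raise

    def extract_partial(self, ident): self._record(self.partial, ident)
    def extract_full(self, ident): self._record(self.full, ident)
    def replace_public_key(self, ident): self._record(self.replaced, ident)

    def challenge(self, id_star, c_star):
        self.id_star, self.c_star = id_star, c_star
        try:
            self._check()       # earlier queries may already rule out this ID*
        except TrivialWin:
            self.id_star = self.c_star = None
            raise

    def decrypt(self, ident, ciphertext):
        if self.id_star is not None and (ident, ciphertext) == (self.id_star, self.c_star):
            raise TrivialWin("decryption of C*")

def allowed(query, *args):
    """Return True if the challenger accepts the query, False if it is refused."""
    try:
        query(*args)
        return True
    except TrivialWin:
        return False
```

The second restriction is a conjunction, so either half alone is accepted and the check has to run at challenge time as well as on every later query.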
10
Certificateless Encryption
How do we define the decrypt oracle?
– Original paper defined the decryption oracle as decrypting ciphertexts using the private key associated with the current public key.
– Known as strong decryption oracle.
– Doesn’t appear to reflect any realistic attack.
– Several schemes secure in the random oracle model using strong decryption oracles.
– We provide the first standard-model schemes.
11
Certificateless Encryption
Why is this an interesting problem?
– The original security model.
– Intellectual challenge: several papers and informal conversations have suggested that the community thinks this can’t be achieved.
– Model with non-polynomial-time challenger.
– Proves security in weaker models.
12
Theoretical Construction
13
We use a Naor-Yung/Sahai construction.
Use multiple passively secure encryption schemes and a NIZK proof system.
One passively secure certificateless encryption scheme: CE.
Two instances of a passively secure public-key encryption scheme: E.
14
Theoretical Construction
ID and pk are the user’s identity and public key.
mpk_1 and mpk_2 are part of the system parameters.
Decryption process uses the certificateless encryption scheme.
[Diagram: the message m is encrypted under CE (with ID and pk) and under two instances of E (with mpk_1 and mpk_2), giving ciphertexts C_1, C_2, C_3, plus a NIZK proof that (C_1, C_2, C_3) are all encryptions of the same message.]
15
Theoretical Construction
Two independent instances of the public-key encryption scheme required for strong decryption oracles.
This could be replaced with one instance of an IND-CCA2 secure public-key encryption scheme.
One instance of the public-key encryption scheme is sufficient for weaker models.
16
Theoretical Construction
Passively secure certificateless encryption schemes can be constructed from passively secure public-key encryption and identity-based encryption [LQ06].
Passively secure public-key encryption schemes can be constructed from trapdoor one-way functions [GL89].
NIZK can be constructed from trapdoor one-way permutations [FLS99,BY96,S99].
17
Practical Construction
18
Based on a 2-level Waters HIBE.
Chosen ciphertext security achieved using Boyen-Mei-Waters techniques.
Underlying assumptions:
– 3-Party DDH assumption in a pairing group: “Given randomly chosen (g^x, g^y, g^z), distinguish g^{xyz} from a random element”.
– Collision resistant hash functions.
19
Conclusions
20
It is possible to build certificateless encryption schemes that are secure with strong decryption oracles in the standard model.
– Is it really necessary to improve on the constructions?
– Intellectual challenge: is it possible to prove security in a model where the KGC is allowed to pick the system parameters adversarially?
21
Conclusions
Certificateless encryption schemes exist provided that trapdoor one-way permutations exist and passively secure identity-based encryption exists.
– We are unaware of any proof that gives minimal conditions for identity-based encryption to exist.
– Can we find minimal assumptions for the existence of certificateless encryption?
22
Questions?