Presentation is loading. Please wait.

Presentation is loading. Please wait.

Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group"— Presentation transcript:

1 Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group a.dent@rhul.ac.uk

2 This is joint work with… Benoit Libert UCL, Belgium Kenny Paterson Royal Holloway

3 Table of Contents Certificateless encryption (7 slides) A theoretical construction (4 slides) A practical construction (1 slide) Conclusions (2 slides)

4 Certificateless Encryption

5 Public-key encryption –Receivers generate their own keys –Senders are required to download certificates Identity-based encryption –KGC generates decryption keys –Inherent key escrow problem –Senders not required to download certificates –Revocation could be a problem

6 Certificateless Encryption Certificateless encryption –Each user generates their own public key from a randomly generated “secret value”. –KGC provides a partial private key for a user’s identity. –Encryption requires the user’s public key and the user’s identity. –Decryption requires a private key based on the user’s secret value and partial private key.

7 Certificateless Encryption Certificateless encryption –Senders not required to download certificates –No inherent key escrow problem –Revocation potentially still a problem Two security models: –Security against an outsider attacker –Security against a KGC

8 Certificateless Encryption (ID*, m 0, m 1 )C* Encryption oracle Extract partial private key ID d ID Extract full private key ID sk ID Request public key ID pk ID Replace public key (ID, pk ID ) Decrypt Cm

9 Certificateless Encryption Assume queries that trivially win the game are not allowed: –E.g. finding the full private key for ID*. –E.g. finding the partial private key for ID* and replacing the challenge public key. –E.g. finding the decryption of C*. Similar model for the KGC. Attacker is given the KGC’s master private key.

10 Certificateless Encryption How do we define the decrypt oracle? –Original paper defined the decryption oracle as decrypting ciphertexts using the private key associated with the current public key. –Known as strong decryption oracle. –Doesn’t appear to reflect any realistic attack. –Several schemes secure in the random oracle model using strong decryption oracles. –We provide the first standard-model schemes.

11 Certificateless Encryption Why is this an interesting problem? –The original security model. –Intellectual challenge: several papers and informal conversations have suggested that the community thinks this can’t be achieved. –Model with non-polynomial-time challenger. –Proves security in weaker models.

12 Theoretical Construction

13 We use a Naor-Yung/Sahai construction. Use multiple passively secure encryption schemes and a NIZK proof system. One passively secure certificateless encryption scheme: CE. Two instances of a passively secure public-key encryption schemes: E.

14 Theoretical Construction ID and pk are the user’s identity and public key. mpk 1 and mpk 2 are part of the system parameters Decryption process uses the certificateless encryption scheme CEEE m C1C1 C3C3 C2C2 ID pk mpk 1 mpk 2 NIZK proof that (C 1,C 2,C 3 ) are all encryptions of the same message. +

15 Theoretical Construction Two independent instances of the public- key encryption scheme required for strong decryption oracles. This could be replaced with one instance of an IND-CCA2 secure public-key encryption scheme. One instance of the public-key encryption scheme is sufficient for weaker models.

16 Theoretical Construction Passively secure certificateless encryption schemes can be constructed from passively secure public-key encryption and identity-based encryption [LQ06]. Passively secure public-key encryption schemes can be constructed from trapdoor one-way functions [GL89]. NIZK can be constructed from trapdoor one-way permutations [FLS99,BY96,S99].

17 Practical Construction

18 Based on a 2-level Waters HIBE. Chosen ciphertext security achieved using Boyen-Mei-Waters techniques. Underlying assumptions: –3-Party DDH assumption in a pairing group: “Given randomly chosen (g x, g y, g z ), distinguish g xyz from a random element”. –Collision resistant hash functions.

19 Conclusions

20 It is possible to build certificateless encryption schemes that are secure with strong decryption oracles in the standard model. –Is it really necessary to improve on the constructions? –Intellectual challenge: is it possible to prove security in a model where the KGC is allowed to pick the system parameters adversarially?

21 Conclusions Certificateless encryption schemes exist providing that trapdoor one-way permutations exist and passively secure identity-based encryption exist. –We are unaware of any proof that gives minimal conditions for identity-based encryption to exist. –Can we find minimal assumptions for the existence of certificateless encryption?

22 Questions?

Download ppt "Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group"

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.

Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Dennis Hofheinz, Jessica Koch, Christoph Striecks

Dennis Hofheinz, Jessica Koch, Christoph Striecks
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
Identity Based Encryption

Identity Based Encryption
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

Similar presentations

Ads by Google