One embodiment of the disclosure relates to cryptography, and more specifically, to identity-based encryption, where any easy-to-remember identifier (such as a phone number) can serve as a public key in order to alleviate the need for digital certificates.
This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present disclosure that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present disclosure. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
Identity-based encryption (or IBE, which is a widespread acronym) allows a sender to encrypt a message to a receiver using only the receiver's identity and a set of master public parameters publicized by a trusted authority (or TA), which is an electronic device that is supposed to be secure. For systems involving a number n≧1 of independent trusted authorities, it is known that any IBE scheme which is secure in the single authority setting is also secure in the multi-authority setting. Indeed, in the article “Security and Anonymity of Identity-Based Encryption with Multiple Trusted Authorities”, by K. Paterson et al., published in the proceedings of the conference Pairing 2008, it was shown that, if an IBE system is secure and receiver-anonymous in the single authority setting, it is also secure and receiver anonymous in the multi-authority setting (where n>1).
However, the security bound in the random oracle model is linearly affected by the number n of distinct trusted authorities in a multi-TA setting. With the generic result of the previous mentioned article, the number n of trusted authorities tends to linearly affect the security bound: if an adversary has advantage at most Adv1 in the single authority setting, its advantage function can only be bounded by Advn≦n·Adv1 in an environment with n trusted authorities. The reason is that, in the security proof, the reduction has to guess upfront (with probability 1/n) the trusted authority for which the adversary will ask the challenger to generate the challenge ciphertext.
So far, no IBE scheme that simultaneously provides semantic security, anonymity and TA-anonymity with security bounds that are independent of n is known.
Therefore, there is a need to find out an IBE scheme with a tighter security proof (in the random oracle model) in the multi-authority setting, which is also independent of the number n. Indeed, obtaining a tighter security is interesting due to the fact that it has an impact on the size of the parameters: it enables a device to select smaller parameters which in turn improves the efficiency of the scheme.
One goal of one embodiment of the disclosure is to propose an IBE scheme that provides both semantic security and receiver anonymity, with a security reduction that does not depend on the number n of trusted authorities in the system. More precisely, one goal of one embodiment of the disclosure is to provide an IBE scheme for which the reduction does not depend on the number n of distinct trusted authorities in the system, and to provide an IBE scheme that does not only hide the encrypted message, but also the receiver's identity and the trusted authority under which the ciphertext was generated.
References in the specification to “one embodiment”, “an embodiment”, “an example embodiment”, indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
The present disclosure is directed to a method for ciphering digital data M being an element of a group T, said group T being part of a bilinear group (, , T) of prime order p, the method being executed by an electronic device. The method is remarkable in that it comprises:
In a preferred embodiment, the method for ciphering is remarkable in that said master public key comprises K(K+1) elements belonging to said group , said K(K+1) elements being derived from said 2K generators.
In a preferred embodiment, the method for ciphering is remarkable in that said integer value K is equal to one.
In a preferred embodiment, the method for ciphering is remarkable in that said first part of said ciphertext of said digital data M is (Cz,Cr)=(gzθ, grθ) with gz and gr being said 2 generators of said group , and θ is said one random element belonging to p.
In a preferred embodiment, the method for ciphering is remarkable in that said second part of said ciphertext of said digital data M is M·Πj=12e(gjθ,Hj), where H1 and H2 correspond to an output of applying a hash function, g1, g2 correspond to said master public key, defined as follows gj=gzχ
In another embodiment, the method for ciphering is remarkable in that said integer value K is equal to two.
In a preferred embodiment, such method for ciphering is remarkable in that said first part of said ciphertext of said digital data M is (Cr,Cu,Cz)=(grθ
In a preferred embodiment, such method for ciphering is remarkable in that said second part of said ciphertext of said digital data M is M·Πj=13e(gjθ
In another embodiment, it is proposed a method for deciphering a ciphertext, said ciphertext comprising a first part and a second part. Such method for deciphering can be executed on an electronic device, and is remarkable in that it comprises:
In a preferred embodiment, the method for deciphering is remarkable in that each element of said private key associated to said identity is equal to Πj=1K+1Hj−u
In a preferred embodiment, the method for deciphering is remarkable in that said integer value K is equal to one.
In a preferred embodiment, the method for deciphering is remarkable in that said private key is dID=(zID,rID)=(Πj=12Hj−χ
In a preferred embodiment, the method for deciphering is remarkable in that said determining a product corresponds to obtaining D·e(Cz,zID)·e(Cr,rID) where the couple (Cz,Cr) is said first part of said ciphertext, and D is said second part of said ciphertext.
In another embodiment, the method for deciphering is remarkable in that said integer value K is equal to two.
In a preferred embodiment, such method for deciphering is remarkable in that said private key is dID=(zID,rID,uID)=(Πj=13Hj−χ
In a preferred embodiment, such method for deciphering is remarkable in that said determining a product corresponds to obtaining D·e(Cr,rID)·e(Cu,uID)·e(Cz,zID) where the triplet (Cr,Cu,Cz) is said first part of said ciphertext, and D is said second part of said ciphertext.
It should also be noticed that the results described in the article “Building Key-Private Public-Key Encryption Schemes”, by K. G. Paterson et al., published in the proceedings of the conference ACISP 2009, can be applied to at least one embodiment of the disclosure in order to generically construct a chosen-ciphertext-secure key private public-key encryption scheme with a tighter security proof in the multi-user setting, contrary to the results of Bellare et al., in the article “Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements”, published in the proceedings of the conference Eurocrypt 00, that only consider semantic security and chosen-ciphertext security. In particular, they do not provide a method for building receiver-anonymous (a.k.a. key-private) chosen ciphertext-secure public-key encryption schemes where the security reductions are not affected by the number of users in the system.
According to an exemplary implementation, the different steps of the method are implemented by a computer software program or programs, this software program comprising software instructions designed to be executed by a data processor of a relay module according to the disclosure and being designed to control the execution of the different steps of this method.
Consequently, an aspect of the disclosure also concerns a program liable to be executed by a computer or by a data processor, this program comprising instructions to command the execution of the steps of a method as mentioned here above.
This program can use any programming language whatsoever and be in the form of a source code, object code or code that is intermediate between source code and object code, such as in a partially compiled form or in any other desirable form.
The disclosure also concerns an information medium readable by a data processor and comprising instructions of a program as mentioned here above.
The information medium can be any entity or device capable of storing the program. For example, the medium can comprise a storage means such as a ROM (which stands for “Read Only Memory”), for example a CD-ROM (which stands for “Compact Disc-Read Only Memory”) or a microelectronic circuit ROM or again a magnetic recording means, for example a floppy disk or a hard disk drive.
Furthermore, the information medium may be a transmissible carrier such as an electrical or optical signal that can be conveyed through an electrical or optical cable, by radio or by other means. The program can be especially downloaded into an Internet-type network.
Alternately, the information medium can be an integrated circuit into which the program is incorporated, the circuit being adapted to executing or being used in the execution of the method in question.
According to one embodiment, an embodiment of the disclosure is implemented by means of software and/or hardware components. From this viewpoint, the term “module” can correspond in this document both to a software component and to a hardware component or to a set of hardware and software components.
A software component corresponds to one or more computer programs, one or more sub-programs of a program, or more generally to any element of a program or a software program capable of implementing a function or a set of functions according to what is described here below for the module concerned. One such software component is executed by a data processor of a physical entity (terminal, server, etc.) and is capable of accessing the hardware resources of this physical entity (memories, recording media, communications buses, input/output electronic boards, user interfaces, etc.).
Similarly, a hardware component corresponds to any element of a hardware unit capable of implementing a function or a set of functions according to what is described here below for the module concerned. It may be a programmable hardware component or a component with an integrated circuit for the execution of software, for example an integrated circuit, a smart card, a memory card, an electronic board for executing firmware etc. In a variant, the hardware component comprises a processor that is an integrated circuit such as a central processing unit, and/or a microprocessor, and/or an Application-specific integrated circuit (ASIC), and/or an Application-specific instruction-set processor (ASIP), and/or a graphics processing unit (GPU), and/or a physics processing unit (PPU), and/or a digital signal processor (DSP), and/or an image processor, and/or a coprocessor, and/or a floating-point unit, and/or a network processor, and/or an audio processor, and/or a multi-core processor. Moreover, the hardware component can also comprise a baseband processor (comprising for example memory units, and a firmware) and/or radio electronic circuits (that can comprise antennas) which receive or transmit radio signals. In one embodiment, the hardware component is compliant with one or more standards such as ISO/IEC 18092/ECMA-340, ISO/IEC 21481/ECMA-352, GSMA, StoLPaN, ETSI/SCP (Smart Card Platform), GlobalPlatform (i.e. a secure element). In a variant, the hardware component is a Radio-frequency identification (RFID) tag. In one embodiment, a hardware component comprises circuits that enable Bluetooth communications, and/or Wi-fi communications, and/or Zigbee communications, and/or USB communications and/or Firewire communications and/or NFC (for Near Field) communications.
Let's also remark that a step of obtaining an element/value in the present document can be viewed either as a step of reading such element/value in a memory unit of an electronic device or a step of receiving such element/value from another electronic device via communication means.
In another embodiment, it is proposed an electronic device for ciphering digital data M being an element of a group T, said group T being part of a bilinear group (, , T) of prime order p. The electronic device is remarkable in that it comprises:
In another embodiment, it is proposed an electronic device for deciphering a ciphertext, said ciphertext comprising a first part and a second part, the electronic device being characterized in that it comprises:
In one embodiment, these means can correspond to hardware modules as previously mentioned.
The above and other aspects of the disclosure will become more apparent by the following detailed description of exemplary embodiments thereof with reference to the attached drawings in which:
More precisely, the common setup generation process, referenced 100, takes as input a security parameter λ which corresponds to a bit-length.
In a step, referenced 101, the electronic device chooses or selects or obtains a bilinear group (, , T) of prime order p>2λ, with a efficiently computable isomorphism ψ:→.
In a step referenced 102, the electronic device obtains (or chooses) several random generators from the group (in this embodiment, the number of random generators is equal to four): gz,gr,hz,hu.
In a step referenced 103, the electronic device chooses an identifier associated to a hash function H: {0,1}*→3, that is modeled as a random oracle in the security analysis. The plaintext space is =T, and the ciphertext space is :=3×T.
The electronic device then provides the common public parameters params to other electronic devices that either propagates it, or use it. The common public parameters params is defined as being params=((, , T),ψ,gz,gr,hz,hu,H,,). It should be noted that the elements comprised in params can be transmitted either one by one in a sequentially way, or they can also be transmitted in a unique packet, or also they can be transmitted in parallel.
More precisely, the master key generation process, referenced 200, takes as input a common public parameters params as the one obtained via the execution of the process 100.
In a step, referenced 201, the electronic device obtains 9 elements belonging to the group p. Indeed, for j=1 to 3, the electronic device obtains χj,γj,δjp. The master secret key is defined as msk={(χj,γj,δj)}j=13.
Then, in a step referenced 202, it determines gj=gzχ
Then, it outputs the master secret key msk, which is kept in a secure memory of an electronic device, and the master public key mpk, which is then transmitted to other electronic devices. As described below, the master secret key msk is used only to perform a private key generation from a public identifier (or an identity). However, the master public key mpk is used in all other processes (i.e. the key generation process, the encryption or ciphering process, and the decryption or deciphering process).
More precisely, the private key generation process, referenced 300, takes as input a common public parameters params as the one obtained via the execution of the process 100, and the master secret key msk, as the one obtained via the execution of the process 200.
In a step referenced 301, the electronic device, that could be a trusted authority (TA), determines from a given identity ID, a triple (H1,H2,H3)=H(ID)∈3. In another embodiment, the electronic device can obtain it from another electronic device.
Then, in a step referenced 302, the electronic device uses the components of the master secret key msk={(χj,γj,δj)}j=13 in order to determine a private key associated to the given identity ID as follows: dID=(zID,rID,uID)=(Πj=13Hj−χ
The electronic device provides the determined secret key dID to the electronic device associated to the given identity ID, enabling it to perform ciphering as detailed in the
More precisely, the method of ciphering, referenced 400, takes as input a common public parameters params as the one obtained via the execution of the process 100, the master public key mpk, as the one obtained via the execution of the process 200, a message M to encrypt/cipher, and an identity ID (corresponding to the one of the receiver that is to decipher the output of the method of ciphering 400).
The electronic device obtains, in a step referenced 401, random elements θ1,θ2 belonging to the group p: θ1,θ2p.
It also determines, in a step referenced 402, from the identity ID and the information related to the hash function H to be used, the value of H(ID)=(H1,H2,H3)∈3 Obviously, the order of execution of the steps 401 and 402 can be modified (and they can be done in parallel).
Then, in a step referenced 403, the electronic device performs several exponentiations and pairing computations in order to obtain:
More precisely, the method of deciphering, referenced 500, takes as input a common public parameters params as the one obtained via the execution of the process 100, the master public key mpk, as the one obtained via the execution of the process 200, a ciphertext C to be decrypted, and a private key dID associated to the given identity, as the one obtained via the execution of the process 300.
The electronic device parses, in a step referenced 501, the ciphertext C to be decrypted in the same way as an expected ciphertext obtained via the execution of the method 400. Therefore we have C=(Cr,Cu,Cz,D).
It also parses, in a step referenced 502, the private key dID in the same way as an expected private key (or a decryption key) obtained via the execution of the method 300. Therefore we have dID=(zID,rID,uID).
Then, the decrypted message M is obtained, in a step referenced 503, by determining D·e(Cr,rID))·e(Cu,uID)·e(Cz,zID)). Indeed, it is due to the fact that M=D·e(Cr,rID))·e(Cu,uID)·e(Cz,zID)). The correctness can be verified by observing that for a decryption key dID=(zID,rID,uID), the two following relations are satisfied: e(gz,zID)·e(gr,rID))=Πj=13e(gj,Hj)−1 and e(hz,zID)·e(hu,uID)=Πj=13e(hj,Hj)−1. Then, by raising these two equations to the powers θ1 and θ2 respectively, and if we multiply the two resulting equations, we have e(gzθ
The following scheme (comprising the methods of
We can prove the following result, which shows that the exact security of the scheme does not depend on the number n of authorities in the system. It can also be remarked that, as a consequence of this result, ciphertexts are computationally indistinguishable from a sequence of random group elements in :=×T. This implies that these ciphertexts computationally hide the message, the identity of the receiver and the specific master public key mpk under which they are generated.
For reminders, an IBE system (or scheme) is AI-secure in the multi-TA setting (or m-AI-ID-CPA secure) if no PPT (i.e. no polynomial) adversary has non-negligible advantage in this game:
The above definition captures that ciphertexts should be indistinguishable from random elements of the ciphertext space, which is common to all authorities. As a result, ciphertexts computationally hide the identity of the receiver (and thus provide key-privacy in the identity-based setting) and the specific master public key that was used to create them.
The property of hiding the trusted authority (TA) that the receiver depends on is called TA anonymity in the article “Building Key-Private Public-Key Encryption Schemes”, by K. Paterson, and published in the proceedings of the conference ACISP 2009. It was proved in this article that any TA-anonymous IBE scheme implies a keyprivate public-key encryption scheme which is secure against chosen-ciphertext attacks.
The idea of this article was simply to apply the Canetti-Halevi-Katz transformation (described in the article “Chosen-Ciphertext Security from Identity-Based Encryption” by R. Canetti et al., and published in the proceedings of the conference Eurocrypt 2004) to the underlying TA-anonymous IBE. As a consequence, any IBE scheme satisfying the above definition implies a chosen-ciphertext-secure key-private public-key encryption scheme.
The following theorem can be stated: the scheme disclosed in
Advm-AI-ID-CPA()≦3·e·(q+1)·AdvDLIN(), where e is the base for the natural logarithm and q is the maximal number of private key queries per authority.
The proof of such statement can be done via the following sequence of games, which starts with a game where the challenger's hidden bit is d=0 and ends with a game where d=1. In each game i, Si denotes the event that the challenger outputs d′=1.
Game 0: This is the real game captured by Definition 2. Throughout the game, all random oracle queries are answered by returning a uniformly random value in the appropriate range. Of course, the adversary consistently receives the same answer when a given query is made more than once. When chooses to corrupt some authority i∈{1, . . . , n}, the challenger hands over the master secret key mski={(χi,j,γi,j,δi,j)}j=13. At each private key query, the challenger computes a tuple of the form dID=(zID,rID,uID) as specified by the process 300. To answer such a query, the challenger invokes the random oracle H for itself in order to define the hash value H(ID)∈3 if it has not been defined yet. At the end of the game, the adversary outputs a bit d′∈{0,1} and the challenger outputs 1 if d′=0. The latter event is noted S0.
Game 1: In this game, the generation of the challenge ciphertext is modified C*=(Cr*,Cu*,Cz*,D*). The modification is that D* is computed using the private key, instead of the encryption exponents θ1*,θ2*∈p. Specifically, when the adversary announces its target (i*,ID*) in the challenge phase, the challenger first computes (H1*,H2*,H3*)=H(ID*) and the private key dID*=(zID*,rID*,uID*)=(Πj=13Hj−χ
The ciphertext C*=(Cr*,Cu*,Cz*,D*) is then returned to the adversary . It is easy to see that this change is only conceptual since the challenge C* has the same distribution as previously. Consequently, Pr[S1]=Pr[S0].
Game 2: This game is identical to Game 1 with the following difference. For each random oracle query H(ID), the challenger flips a biased coin υID∈{0,1} that takes the value 1 with probability 1/(q+1) and the value 0 with probability q/(q+1). At the end of the game, considers the event E that either of the following conditions holds:
Game 3: In this game, we modify the treatment of random oracle queries. At the outset of the game, the challenger picks random group elements ĝ,{circumflex over (f)},ĥ3. Then, at each H-query involving an identity ID, responds as follows:
Game 4: In this game, we bring another modification to the generation of the challenge ciphertext C*=(Cr*,Cu*,Cz*,D*). Instead of drawing the triple (Cr*,Cu*,Cz*)=(grθ
Game 5: In this game, we modify again the treatment of random oracle queries. Here, at each hash query H(ID), the challenger returns a completely random tuple (H1,H2,H3)3, instead of a vector in a two-dimensional subspace. The challenge ciphertext (Cr*,Cu*,Cz*,D*) is generated as a random vector of 4, as in Game 4. The same arguments as in the transition from Game 2 to Game 3 show that this change should remain unnoticed as long as the DLIN assumption holds in . We have |Pr[S5]−Pr[S4]|≦AdvDLIN().
Game 6: This game is identical to Game 5 with the difference that the challenger does not abort any longer when event E occurs. We thus have Pr[S6]=e(q+1)·Pr[S5].
Indeed, the Lemma 2 can be proven as follows: towards a contradiction, let us assume that a PPT adversary can cause the challenger to output 1 with noticeably different probabilities in Game 4 and Game 3. Using , we build a distinguisher as follows. Algorithm takes as input a DLIN instance (ĝ,{circumflex over (f)},ĥ,{circumflex over (f)}θ
Cr*=ψ({circumflex over (f)}θ
We remark that the scheme can also work without an efficiently computable isomorphism ψ: →. In this case, the security proof has to rely on the DLIN assumption in both and , and not only . In order to secure the scheme against chosen-ciphertext attacks (where the adversary is granted access to a decryption oracle), several generic methods can be applied. For example, the Fujisaki-Okamoto transformation (described in the article “How to Enhance the Security of Public-Key Encryption at Minimum Cost” by E. Fujisaki et al., and published in the proceedings of the conference PKC 1999) immediately provides chosen-ciphertext security in the random oracle model and also preserves anonymity.
More precisely, the common setup generation process, referenced 600, takes as input a security parameter λ.
In a step, referenced 601, the electronic device chooses or selects or obtains a bilinear group (, , T) of prime order p>2λ, without an efficient isomorphism ψ: →.
In a step referenced 602, the electronic device obtains (or chooses) several random generators from the group (in this embodiment, the number of random generators is equal to four): gz,gr.
In a step referenced 603, the electronic device chooses an identifier associated to a hash function H:{0,1}*→2, that is modeled as a random oracle in the security analysis. The plaintext space is :=T, and the ciphertext space is :=2×T.
The electronic device then provides the common public parameters params to other electronic devices that either propagates it, or use it. The common public parameters params is defined as being params=((,,T),ψ,gz,gr,H,,). It should be noted that the elements comprised in params can be transmitted either one by one in a sequentially way, or they can also be transmitted in a unique packet, or also they can be transmitted in parallel.
More precisely, the master key generation process, referenced 700, takes as input a common public parameters params as the one obtained via the execution of the process 600.
In a step, referenced 701, the electronic device obtains 4 elements belonging to the group p. Indeed, for j=1 to 2, the electronic device obtains χj,γj,p. The master secret key is defined as msk={(χj,γj)}j=12.
Then, in a step referenced 702, it determines gj=gzχj·grγj for j=1 to 2. The master public key associated to the master secret key corresponds to mpk={gj}j=12.
Then, it outputs the master secret key msk, which is kept in a secure memory of an electronic device, and the master public key mpk, which is then transmitted to other electronic devices. As described below, the master secret key msk is used only to perform a private key generation from a public identifier (or an identity). However, the master public key mpk is used in all other processes (i.e. the key generation process, the encryption or ciphering process, and the decryption or deciphering process).
More precisely, the private key generation process, referenced 800, takes as input a common public parameters params as the one obtained via the execution of the process 600, and the master secret key msk, as the one obtained via the execution of the process 700.
In a step referenced 801, the electronic device, that is a Trusted Authority (TA), determines from a given identity ID, a triple (H1,H2)=H(ID)∈2. In another embodiment, the electronic device can obtain it from another electronic device.
Then, in a step referenced 802, the electronic device uses the components of the master secret key msk={(χj,γj)}j=12 in order to determine a private key associated to the given identity ID as follows: dID=(zID,rID)=(Πj=12Hj−χ
The electronic device provides the determined secret key dID to the electronic device associated to the given identity ID, enabling it to perform ciphering as detailed in the
More precisely, the method of ciphering, referenced 900, takes as input a common public parameters params as the one obtained via the execution of the process 600, the master public key mpk, as the one obtained via the execution of the process 700, a message M to encrypt/cipher, and an identity ID (corresponding to the one of the receiver that is to decipher the output of the method of ciphering 900).
The electronic device obtains, in a step referenced 901, a random element θ1 belonging to the group p:θ1p.
It also determines, in a step referenced 902, from the identity ID and the information related to the hash function H to be used, the value of H(ID)=(H1,H2)∈2. Obviously, the order of execution of the steps 901 and 902 can be modified (and they can be done in parallel).
Then, in a step referenced 903, the electronic device performs several exponentiations and pairing computations in order to obtain:
Then, the ciphertext C=(Cz,Cr,D) determined by the electronic device is transmitted.
More precisely, the method of deciphering, referenced 1000, takes as input a common public parameters params as the one obtained via the execution of the process 600, the master public key mpk, as the one obtained via the execution of the process 700, a ciphertext C to be decrypted, and a private key dID associated to the given identity, as the one obtained via the execution of the process 800.
The electronic device parses, in a step referenced 1001, the ciphertext C to be decrypted in the same way as an expected ciphertext obtained via the execution of the method 900. Therefore we have C=(Cz,Cr,D).
It also parses, in a step referenced 1002, the private key dID in the same way as an expected private key (or a decryption key) obtained via the execution of the method 800. Therefore we have dID=(zID,rID).
Then, the decrypted message M is obtained, in a step referenced 1003, by determining D·e(Cz,zID)·e(Cr,rID). Indeed, it is due to the fact that M=D·e(Cz,zID)·e(Cr,rID). The correctness can be verified by observing that for a decryption key dID=(zID,rID), the following relation is satisfied: e(gz,zID)·e(gr,rID)=Πj=12e(gj,Hj)−1. Then, by raising this equation to the power θi, we have e(gzθ
The following result can be proved in the same way as in the first embodiment.
The following theorem can be stated: the scheme disclosed in
Concretely, for any m-AI-ID-CPA adversary , there exists a DDH distinguishers 1 and 2, in the groups and , respectively, such that
Advm-AI-ID-CPA()≦e·(q+1)·(AdvDDH
The first advantage of the two schemes is to simultaneously provide: (i) semantic security and receiver anonymity in the sense of a strong definition, where ciphertexts are basically pseudorandom: they computationally hide both the receiver's identity and the master public key under which the message was encrypted; (ii) security proofs with tighter reductions (in the random oracle model) in the multi-authority setting: namely, the multiplicative gap between the adversary's advantage and the probability to break a decisional assumption does not depend on the number of authorities.
To our knowledge, the two constructions are the first IBE schemes that provably combine properties (i) and (ii).
In addition, the two schemes can easily be adapted to a setting with distributed authorities described in the article “Distributed Private-Key Generators for Identity-Based Cryptography” by A. Kate et al., published in the proceedings of the conference SCN 2010. Using techniques from threshold cryptography described in the article “Threshold Cryptosystems” by Y. Desmedt et al., and published in the proceedings of the conference CRYPRO 1989, the master secret key can be shared in a t-out-of-n fashion. In order to avoid storing the entire master secret (which is a very sensitive piece of information in IBE systems) in one location, each TA is split into n distinct sub-authorities, each of which holds a share of the master secret key, so that users have to receive partial identity-based private keys from at least t sub-authorities to obtain an effective decryption key. This was already possible in the Boneh-Franklin IBE, for example. However, in distributed variants of our systems, we can prove security in an adaptive corruption setting, where the adversary can dynamically choose which sub-authorities it wants to corrupt. In existing threshold variants of the Boneh-Franklin IBE, security can only be proved against a static adversary, that chooses which parties it wants to corrupt at the beginning of the attack, before seeing the master public key.
Such device referenced 1100 comprises a computing unit (for example a CPU, for “Central Processing Unit”), referenced 1101, and one or several memory units (for example a RAM (for “Random Access Memory”) block in which intermediate results can be stored temporarily during the execution of instructions a computer program, or a ROM block in which, among other things, computer programs are stored, or an EEPROM (“Electrically-Erasable Programmable Read-Only Memory”) block, or a flash block) referenced 1102. Computer programs are made of instructions that can be executed by the computing unit. Such device 1100 can also comprise a dedicated unit, referenced 1103, constituting an input-output interface to allow the device 1100 to communicate with other devices. In particular, this dedicated unit 1103 can be connected with an antenna (in order to perform communication without contacts), or with serial ports (to carry communications “contact”). Let's remark that the arrows in
In an alternative embodiment, some or all of the steps of the method previously described, can be implemented in hardware in a programmable FPGA (“Field Programmable Gate Array”) component or ASIC (“Application-Specific Integrated Circuit”) component.
In an alternative embodiment, some or all of the steps of the method previously described, can be executed on an electronic device comprising memory units and processing units as the one disclosed in the
At last, to summarize, one embodiment of the disclosure proposes to use the linearly homomorphic signatures (as obtained through the technique described in the article “Linearly Homomorphic Structure-Preserving Signatures and their Applications. Linearly Homomorphic Structure-Preserving Signatures and their Applications”, by B. Libert et al., and published in the proceedings of the conference CRYPTO 2013) as private keys in an IBE system (recall that any IBE implies a signature scheme because IBE private keys can always be used as signatures, as noted in the article “Identity-Based Encryption from the Weil Pairing”, by D. Boneh et al., published in the proceedings of the conference CRYPTO 2001). In the IBE setting, we do not need the homomorphic property, which will be eliminated by hashing the identities before signing them in order to generate a private key for these identities. When proving the security of the scheme, we will take advantage of the fact that, in the security proofs of the linearly homomorphic signatures detailed in the article “Linearly Homomorphic Structure-Preserving Signatures and their Applications. Linearly Homomorphic Structure-Preserving Signatures and their Applications”, by B. Libert et al., and published in the proceedings of the conference
CRYPTO 2013, the reduction always knows the signer's private key. Since these signers' private keys will be used as authorities' master secret keys in the multi-authority setting, this will allow the reduction to correctly answer authority corruption queries made by the adversary. Since all master secret keys are known to the reduction at any time, the reduction can always consistently answer when the adversary adaptively decides to corrupt some authority.
As detailed previously, the idea of the security proof is as follows. The reduction “programs” the random oracle in such a way that, for any identity ID for which private keys are obtained by the adversary from the target authority i*, the resulting hash value (H1,H2,H3)∈3 always falls in a two dimensional subspace: by doing so, it can be guaranteed that the adversary only obtains redundant information about the master secret key mski*={(χi*,j,γi*,jδi*,j)}j=13. At the end of the game, mski* will remain information-theoretically undetermined after a polynomial number of private key queries involving the i*-th authority. At the same time, for the specific identity ID* involved in the challenge phase, the hash value (H1*,H2*,H3*)=H(ID*) will fall outside the two dimensional subspace if the reduction is lucky. As a consequence the vector (H1*,H2*,H3*) will be linearly independent of the vectors (H1,H2,H3)=H(ID) for which the adversary obtains private keys from the i*-th authority. This implies that the adversary obtains no information about the private key (zID*,rID*,uID*) that the reduction can compute for itself for the target authority-identity pair (i*,ID*). The reduction can thus use (zID,rID*,uID*) to generate the challenge ciphertext, which allows us to apply an information-theoretic argument to argue that the encrypted message is independent of the adversary's view at a certain step of the proof.
Number | Date | Country | Kind |
---|---|---|---|
14306108.3 | Jul 2014 | EP | regional |