more
This commit is contained in:
=
parent
f7c7140f07
commit
0e1bd75301
59
refs.bib
59
refs.bib
|
|
@ -11,4 +11,61 @@ link={https://www.oxfordlearnersdictionaries.com/definition/english/encrypt}
|
|||
title = {Relations among Notions of Security for Public-Key Encryption Schemes},
|
||||
howpublished = {Cryptology ePrint Archive, Report 1998/021},
|
||||
year = 1998
|
||||
}
|
||||
}
|
||||
|
||||
@InProceedings{WeilIBE,
|
||||
author="Boneh, Dan
|
||||
and Franklin, Matt",
|
||||
editor="Kilian, Joe",
|
||||
title="Identity-Based Encryption from the Weil Pairing",
|
||||
booktitle="Advances in Cryptology --- CRYPTO 2001",
|
||||
year="2001",
|
||||
publisher="Springer Berlin Heidelberg",
|
||||
address="Berlin, Heidelberg",
|
||||
pages="213--229",
|
||||
abstract="We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem. Our system is based on the Weil pairing. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.",
|
||||
isbn="978-3-540-44647-7"
|
||||
}
|
||||
|
||||
@InProceedings{ExtractionDef,
|
||||
author="Bellare, Mihir
|
||||
and Boldyreva, Alexandra
|
||||
and Micali, Silvio",
|
||||
editor="Preneel, Bart",
|
||||
title="Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements",
|
||||
booktitle="Advances in Cryptology --- EUROCRYPT 2000",
|
||||
year="2000",
|
||||
publisher="Springer Berlin Heidelberg",
|
||||
address="Berlin, Heidelberg",
|
||||
pages="259--274",
|
||||
abstract="This paper addresses the security of public-key cryptosystems in a ``multi-user'' setting, namely in the presence of attacks involving the encryption of related messages under different public keys, as exemplified by H{\aa}stad's classical attacks on RSA. We prove that security in the single-user setting implies security in the multi-user setting as long as the former is interpreted in the strong sense of ``indistinguishability,'' thereby pin-pointing many schemes guaranteed to be secure against H{\aa}stad-type attacks. We then highlight the importance, in practice, of considering and improving the concrete security of the general reduction, and present such improvements for two Diffie-Hellman based schemes, namely El Gamal and Cramer-Shoup.",
|
||||
isbn="978-3-540-45539-4"
|
||||
}
|
||||
|
||||
@InProceedings{BEDef,
|
||||
author="Fiat, Amos
|
||||
and Naor, Moni",
|
||||
editor="Stinson, Douglas R.",
|
||||
title="Broadcast Encryption",
|
||||
booktitle="Advances in Cryptology --- CRYPTO' 93",
|
||||
year="1994",
|
||||
publisher="Springer Berlin Heidelberg",
|
||||
address="Berlin, Heidelberg",
|
||||
pages="480--491",
|
||||
abstract="We introduce new theoretical measures for the qualitative and quantitative assessment of encryption schemes designed for broadcast transmissions. The goal is to allow a central broadcast site to broadcast secure transmissions to an arbitrary set of recipients while minimizing key management related transmissions. We present several schemes that allow a center to broadcast a secret to any subset of privileged users out of a universe of size n so that coalitions of k users not in the privileged set cannot learn the secret. The most interesting scheme requires every user to store O(k log k log n) keys and the center to broadcast O(k2 log2k log n) messages regardless of the size of the privileged set. This scheme is resilient to any coalition of k users. We also present a scheme that is resilient with probability p against a random subset of k users. This scheme requires every user to store O(log k log(1/p)) keys and the center to broadcast O(k log2k log(1/p)) messages.",
|
||||
isbn="978-3-540-48329-8"
|
||||
}
|
||||
|
||||
@InProceedings{GentryWaters,
|
||||
author="Gentry, Craig
|
||||
and Waters, Brent",
|
||||
editor="Joux, Antoine",
|
||||
title="Adaptive Security in Broadcast Encryption Systems (with Short Ciphertexts)",
|
||||
booktitle="Advances in Cryptology - EUROCRYPT 2009",
|
||||
year="2009",
|
||||
publisher="Springer Berlin Heidelberg",
|
||||
address="Berlin, Heidelberg",
|
||||
pages="171--188",
|
||||
abstract="We present new techniques for achieving adaptive security in broadcast encryption systems. Previous work on fully collusion resistant broadcast encryption systems with very short ciphertexts was limited to considering only static security.",
|
||||
isbn="978-3-642-01001-9"
|
||||
}
|
||||
|
|
|
|||
77
report.tex
77
report.tex
|
|
@ -8,9 +8,18 @@
|
|||
\usepackage{seqsplit}
|
||||
\usepackage[autostyle]{csquotes}
|
||||
\usepackage{xspace}
|
||||
\usepackage[margin=1.25in]{geometry}
|
||||
|
||||
\newcommand{\horrule}[1]{\rule{\linewidth}{#1}} % Create horizontal rule command with 1 argument of height
|
||||
\newcommand{\ID}{\texttt{ID}\xspace}
|
||||
\newcommand{\vsp}[1]{\vspace{#1} \\}
|
||||
\newcommand{\hsp}[1]{\-\hspace{#1}}
|
||||
\newcommand{\adv}[1]{$\mathcal{#1}$\xspace}
|
||||
\newcommand{\G}{$\mathbb{G}$\xspace}
|
||||
\newcommand{\Gp}[1]{$\mathbb{G}#1$\xspace}
|
||||
\newcommand{\Z}{\mathbb{Z}}
|
||||
\newcommand{\Gm}{\mathbb{G}}
|
||||
\newcommand{\Gmp}[1]{\mathbb{G}#1}
|
||||
|
||||
\author{Alexander Munch-Hansen \\ 201505956}
|
||||
|
||||
|
|
@ -49,11 +58,77 @@ Full blown functional encryption is however quite a mouthful to implement in an
|
|||
Naturally, these algorithms must satisfy that:
|
||||
$$ \forall M \in M\ :\ \text{Decrypt}(\text{params}, C, d) = M\quad \text{where}\quad C = \text{Encrypt}(\text{params}, ID, M)$$
|
||||
\vspace{3mm} \\
|
||||
\textbf{Chosen Ciphertext Security.} \quad We will focus on Chosen Ciphertext Security (\texttt{IND-CPA}), as this is the standard acceptable notion of security for a public key encryption scheme \cite{security_notion}. The standard definition however, is not strong enough, as we must also require that the adversary might already know of several \texttt{ID}s and decryption keys, given by the \texttt{PKG} and these should not aid the adversary in breaking the security. We define an \emph{extraction query} to be a query which yields the decryption key for a given \ID.
|
||||
\textbf{Chosen Ciphertext Security.} \quad To this end, we will focus on Chosen Ciphertext Security (\texttt{IND-CPA}), as this is the standard acceptable notion of security for a public key encryption scheme \cite{security_notion}. The standard definition however, is not strong enough, as we must also require that the adversary might already know of several \texttt{ID}s and decryption keys, given by the \texttt{PKG} and these should not aid the adversary in breaking the security. We define an \emph{extraction query} to be a query which yields the decryption key for a given \ID. Furthermore, the adversary is given the choice of which \ID to be challenged on, rather than it being a random public key. \cite{WeilIBE}
|
||||
|
||||
An Identity-Based Encryption scheme is semantically secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CPA}) if no polynomially bounded adversary $\mathcal{A}$ has non-negligible advantage against the Challenger in the following game \adv{E}: \vspace{4mm} \\
|
||||
\-\hspace{5mm} \textbf{Setup:} The challenger is given a security parameter $k$ and he runs the \emph{Setup} algorithm explained above. This returns the public parameters and the master-key to the Challenger, who then forwards the public parameters to the adversary. \vsp{3mm}
|
||||
\-\hspace{5mm} \textbf{Phase 1:} The adversary is allowed to issue queries $q_1, \dots, q_l$ where query $q_i$ is one of two queries;
|
||||
\begin{itemize}
|
||||
\item An extraction query run on $\ID_i$. The challenger responds by running the \emph{Extract} algorithm on the given $\ID_i$, returning the decryption key $d_i$ corresponding to the \ID. $d_i$ is sent to the adversary.
|
||||
\item A decryption query run on $\ID_i$ and some ciphertext $C_i$. First the challenger runs the \emph{Extract} algorithm to get the decryption key $d_i$ corresponding to the given $\ID_i$. The Challenger then runs the \emph{Decrypt} algorithm on $d_i$ and $C_i$, resulting in a plaintext. This plaintext is returned to the adversary.
|
||||
\end{itemize}
|
||||
\hsp{6mm} These queries may be run \emph{adaptively}, hence the name of the security definition, thus, each query $q_i$ may depend on the previous queries $q_1,\dots,q_{i-1}$, if the adversary so desires. \vsp{3mm}
|
||||
\hsp{5mm} \textbf{Challenge:} Once the adversary deems that Phase 1 is over, he outputs two plaintexts of equal length; $M_0, M_1 \in \mathcal{M}$, as well as an \ID on which he desires to be challenged. The single constraint, is that the adversary is not allowed to have queried this \ID before, in Phase 1. The Challenger then picks a bit $b \in_R \{0,1\}$ and sets $C = Encrypt(params, \ID, M_b)$. $C$ is then send to the adversary. \vsp{3mm}
|
||||
\hsp{5mm} \textbf{Phase 2:} The adversary is allowed to issue additional $n-l$ queries; $q_{l+1},\dots,q_n$, where query $q_i$ is either of:
|
||||
\begin{itemize}
|
||||
\item An extraction query run on $\ID_i$. The same query, except $\ID_i \neq \ID$, where \ID is the \ID of the challenge.
|
||||
\item A decryption query run on $\ID_i$ and some ciphertext $C_i$. The same query, except $\ID_i \neq \ID$ and $C_i \neq C$, where $C$ is the ciphertext of the challenge.
|
||||
\end{itemize}
|
||||
\hsp{6mm} These queries may be run adaptively, as in Phase 1. \vsp{3mm}
|
||||
\hsp{5mm} \textbf{Guess:} The adversary outputs a guess bit $b' \in \{0,1\}$ and he will win the game if $b' = b$. \vsp{3mm}
|
||||
\hsp{5mm} An adversary \adv{A} as defined above, is refered to as an \texttt{IND-ID-CPA} adversary. The advantage of \adv{A} in defeating the Challenger in the scheme \adv{E}, is defined as a function of the security parameter $k$, $Adv_{\mathcal{E}, \mathcal{A}} = |Pr(b=b') - \frac{1}{2}|$.
|
||||
|
||||
This definition closely resembles the standard definition of \texttt{IND-CPA} but extended with the addition of extraction queries and that the challenger is now challenged on an \ID picked by the adversary. The addition of the extraction queries is supported by \cite{ExtractionDef}, when the scheme is to support multiple users, which is likely the case for any IBE scheme. Furthermore, the weaker notion of security known as \emph{Semantic Security} (\texttt{IND-ID-CPA}) can be defined based on \texttt{IND-ID-CCA}, except now the adversary is not allowed to issue any decryption queries, i.e. he is only allowed extraction queries.
|
||||
|
||||
% TODO: Finish this section on the security definition of IBE as well as Bilinear Maps and BDH
|
||||
% TODO: Write up all of the mathematical assumptions
|
||||
% TODO: Write of the Threshold Public Key Encryption Scheme; https://www.di.ens.fr/david.pointcheval/Documents/Papers/2008_crypto.pdf
|
||||
% TODO: Write up the different security definitions for BE systems, Static, Semi-Static and Adaptive
|
||||
|
||||
\subsection{Mathmatical Assumptions}
|
||||
All of the following mathmatical assumptions will be derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this.
|
||||
|
||||
\subsubsection{The BDHE Assumption}
|
||||
This is defined for a specific $m$ which could for instance be taken as a parameter. Let \G and \Gp{_T} be groups of order $p$ with a bilinear map $e: \Gm \times \Gm \rightarrow \Gmp{_T}$ and let $g \in G$ be a generator. Set $a,s \in_R \Z^*_p$ and $b \in_R \{0,1\}$. If $b=0$, then set $Z = e(g,g)^{a^{m+1} \cdot s}$; $Z \in_R \Gm_T$ otherwise. The problem is then, given $g^s, Z, \{g^{a^i}: i \in [0,m] \cup [m+2, 2m]\}$, what is the value of $b$?
|
||||
|
||||
|
||||
\section{Broadcast Encryption}
|
||||
Broadcast Encryption systems \cite{BEDef} in a nutshell, allows one sender to send to a subset $S \subseteq [n]$ of users with a single message. Traditionally, the user would have to encrypt this message once per user in a horribly inefficient manner. This is fixed, by defining the encryption key in such a way to allow for any user within the $S$ to decrypt the message, while not allowing anyone outside of $S$ to do so. It is preferable for this kind of schem to be \emph{public key based}, rather than symmetric. This allows any user to encrypt. It should allow \emph{stateless receivers} s.t. users won't need to keep any state such as updating a private key, and the system should be \emph{fully collusion resistant}, i.e. not allow decryption even if everybody outside of the set $S$ cooperated.
|
||||
|
||||
In a sense, Broadcast Encryption Systems can be related to notion of \emph{Threshold Public Key Encryption Systems} (\texttt{TPKE}) if we define the authorized set of the \texttt{TPKE} system to be equal to $S$ and the threshold parameter $t$ is set to be $1$. This is only true however, for the specific value of $t=1$, thus, specialized systems can be designed for the purpose of being broadcast encryption systems. In this paper we will focus on a scheme due to Gentry and Waters \cite{GentryWaters}.
|
||||
|
||||
|
||||
% TODO, maybe new page this
|
||||
\subsection{Their construction}
|
||||
\label{GentryWatersConst}
|
||||
Let $GroupGen(\lambda,n)$ be an algorithm which generates a group \G and \Gp{_T} of prime order $p = poly(\lambda, n) > n$ with a bilinear map $e : \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_T$, based on a security parameter $\lambda$. \vsp{5mm}
|
||||
\-\hspace{5mm}\textbf{Setup$(n,n)$:}\quad Run $(\mathbb{G}, \mathbb{G}_T, e) \xleftarrow{R} GroupGen(\lambda, n)$. Set $\alpha \in_R \Z_p$ and $g,h_1,\dots,h_n \in_R \mathbb{G}^{n+1}$. Finally, set $PK = (\mathbb{G}, \mathbb{G}_T, e), g, e(g,g)^\alpha, h_1, \dots, h_n$. The secret key is $SK = g^\alpha$. The result is the pair $(PK, SK)$. \vspace{3mm} \\
|
||||
\-\hspace{5mm}\textbf{KeyGen$(i, SK)$:}\quad Set $r_i \in_R \Z_p$ and output; $$d_i \leftarrow (d_{i,0},\dots,d_{i,n}) \quad \text{ where } \quad d_{i,0} = g^{-r_i}, \quad d_{i,i} = g^\alpha h^{r_i}_i, \quad d_{i,j \text{ for } i\neq j} h^{r_i}_j$$ \vspace{3mm} \\
|
||||
\-\hspace{5mm}\textbf{Encrypt$(S, PK)$:}\quad Set $t \in_R \Z_p$ and $$Hdr = (C_1,C_2), \quad \text{ where }\quad C_1 = g^t, \quad C_2 = (\prod_{i \in S}h_i)^t $$ Finally, set $K = e(g,g)^{t\cdot \alpha}$. Output $(K, Hdr)$. \vspace{3mm} \\
|
||||
\-\hspace{5mm}\textbf{Decrypt$(S,i,d_i,\text{Hdr}, PK)$:}\quad Check if $i \in S$, if so; let $d_i = (d_{i,0},\dots,d_{i,n})$, Hdr$=(C_1,C_2)$, output $$k =e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2)$$ \vsp{3mm}
|
||||
\hsp{5mm} \textbf{Correctness:}\quad Correctness is given by;
|
||||
\begin{align*}
|
||||
K &= e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2) \\
|
||||
&= e(g^{\alpha}h^{r_i}_i \cdot (\prod_{j \in S \setminus \{i\}} h_j)^{r_i}, g^t) \cdot e(g^{-r_i}, (\prod_{i \in S}h_i)^t) \\
|
||||
&= e(g^{\alpha}h^{r_i}_i \cdot (\prod_{j \in S} h_j)^{r_i}, g^t) \cdot e(g^{-r_i}, (\prod_{i \in S}h_i)^t) \\
|
||||
&= e(g,g)^{t \cdot \alpha}
|
||||
\end{align*}
|
||||
|
||||
\subsection{Proof of security}
|
||||
The proof is a reduction from their construction to the \emph{BDHE}-problem. The scheme is proven secure in the semi-static model. We note that the proof in the original paper does not hold, likely due to a typo, but we'll emphasize the fix.
|
||||
|
||||
We wish to build an algorithm \adv{B}, which will use an adversary \adv{A} of the system described in \ref{GentryWatersConst}, to break the \emph{BDHE} problem. \vsp{4mm}
|
||||
\hsp{5mm} \adv{B} receives a problem instance which contains $g^s, Z, \{g^{a^i}: i \in [0,m] \cup [m+2, 2m]\}$. \vsp{3mm}
|
||||
\hsp{5mm} \textbf{Init:}\quad \adv{A} commits to a set $\tilde{S} \subseteq[n]$. \vsp{3mm}
|
||||
\hsp{5mm} \textbf{Setup:}\quad \adv{B} generates $y_0,\dots,y_n \in_R \Z_p$. \adv{B} sets:
|
||||
$$
|
||||
h_i =
|
||||
\begin{cases}
|
||||
g^{y_i} & \text{ for } i \in \tilde{S} \\
|
||||
g^{y_i + a^{i}} & \text{ for } i \in [1,n] \setminus \tilde{S}
|
||||
\end{cases}
|
||||
$$
|
||||
\adv{B} then sets $\alpha = y_0 \cdot a^{n+1}$. $PK$ is then defined as the scheme dictates where the only oddity is $e(g,g)^\alpha$, which can be computed as $e(g^a,g^{a^{n}})^{y_0}$ due to the definition of $\alpha$. $PK$ is sent to \adv{A}.
|
||||
|
||||
\section{Implementation of Schemes}
|
||||
\subsection{Identity-Based Encryption}
|
||||
|
|
|
|||
Loading…
Reference in New Issue