2019-12-18 04:40:11 +01:00
parent cf066d4e3e
commit 808323cc22

@ -72,15 +72,21 @@ Let $p$ be a large prime number. Let $\mathbb{G}_1, \mathbb{G}_2$ be two groups
\item \emph{Non-degeneracy}: $e(g_1,g_2) \neq $The identity of $\mathbb{G}_T$ \item \emph{Non-degeneracy}: $e(g_1,g_2) \neq $The identity of $\mathbb{G}_T$
\item \emph{Computability}: For all $u \in \mathbb{G}_1$, $v \in \mathbb{G}_2$, $e(u,v)$ should be efficiently computable. \item \emph{Computability}: For all $u \in \mathbb{G}_1$, $v \in \mathbb{G}_2$, $e(u,v)$ should be efficiently computable.
\end{itemize} \end{itemize}
A bilinear map satisfying all the above three properties is said to be \emph{admissible}.
\subsection{Mathmatical Assumptions} \subsection{Mathmatical Assumptions}
All of the following mathmatical assumptions will be derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this. All of the following mathmatical assumptions will be derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this. We note that the \emph{Decisional Diffie-Hellman} problem is easy within the setting of bilinear maps, as, given some generator $g$ and $g^a$, $g^b$ and $g^c$ where the question is if $c = ab$, it is straightforward to check if $e(g,g^c) = e(g^a,g^b)$, which holds for the case where $c = ab$. As such, new assumptions which are difficult within this setting, are required.
\subsubsection{The BDHE Assumption} \subsubsection{The BDH Problem}
Let $\Gm$ and $\Gm_T$ be two groups of prime order $p$. Let $e : \Gm \times \Gm \ra \Gm_T$ be an admissible bilinear map and let $g$ be a generator of $\Gm$. The BDH problem is then in $(\Gm, \Gm_T, e)$ as follows: Given $(g, g^a, g^b, g^c)$ for some $a,b,c \in \mathbb{Z}^*_p$ compute $Z = e(g,g)^{abc}$.
\subsubsection{The BDHE Problem}
This is defined for a specific $m$ which could for instance be taken as a parameter. Let \G and \Gp{_T} be groups of order $p$ with a bilinear map $e: \Gm \times \Gm \rightarrow \Gmp{_T}$ and let $g \in G$ be a generator. Set $a,s \in_R \Z^*_p$ and $b \in_R \{0,1\}$. If $b=0$, then set $Z = e(g,g)^{a^{m+1} \cdot s}$; $Z \in_R \Gm_T$ otherwise. The problem is then, given $g^s, Z, \{g^{a^i}: i \in [0,m] \cup [m+2, 2m]\}$, what is the value of $b$? This is defined for a specific $m$ which could for instance be taken as a parameter. Let \G and \Gp{_T} be groups of order $p$ with a bilinear map $e: \Gm \times \Gm \rightarrow \Gmp{_T}$ and let $g \in G$ be a generator. Set $a,s \in_R \Z^*_p$ and $b \in_R \{0,1\}$. If $b=0$, then set $Z = e(g,g)^{a^{m+1} \cdot s}$; $Z \in_R \Gm_T$ otherwise. The problem is then, given $g^s, Z, \{g^{a^i}: i \in [0,m] \cup [m+2, 2m]\}$, what is the value of $b$?
\subsection{Identity-Based Encryption} \subsection{Identity-Based Encryption}
\subsubsection{The structure}
\label{sec:IBEStruct}
\textbf{Identity-Based Encryption.} \quad An Identity-Based encryption scheme is specified by four different algorithms, all containing some sort of randomness: \texttt{Setup, Extract, Encrypt, Decrypt}: \vspace{3mm} \\ \textbf{Identity-Based Encryption.} \quad An Identity-Based encryption scheme is specified by four different algorithms, all containing some sort of randomness: \texttt{Setup, Extract, Encrypt, Decrypt}: \vspace{3mm} \\
\-\hspace{5mm}\textbf{Setup:}\quad Takes some security parameter $k$ and returns the system parameters and a master-key. These system parameters include a description of a finite message space $\mathcal{M}$ as well as a description of a finite ciphertext space $\mathcal{C}$. These parameters are known publicly, wherre the master-key is known only to the trusted authority, the so called Private Key Generator (\texttt{PKF}). \vspace{3mm} \\ \-\hspace{5mm}\textbf{Setup:}\quad Takes some security parameter $k$ and returns the system parameters and a master-key. These system parameters include a description of a finite message space $\mathcal{M}$ as well as a description of a finite ciphertext space $\mathcal{C}$. These parameters are known publicly, wherre the master-key is known only to the trusted authority, the so called Private Key Generator (\texttt{PKF}). \vspace{3mm} \\
\-\hspace{5mm}\textbf{Extract:}\quad Takes the system parameters, the master-key and an arbitrary \texttt{ID} $\in \{0,1\}^*$ and returns a private key $d$. \texttt{ID} is essentially any arbitrary string which will be used a public key and $d$ is the corresponding decryption key, which can be used by the owner of the \texttt{ID}. Thus, the \texttt{extract} algorithm extracts a private key from the given public key. \vspace{3mm} \\ \-\hspace{5mm}\textbf{Extract:}\quad Takes the system parameters, the master-key and an arbitrary \texttt{ID} $\in \{0,1\}^*$ and returns a private key $d$. \texttt{ID} is essentially any arbitrary string which will be used a public key and $d$ is the corresponding decryption key, which can be used by the owner of the \texttt{ID}. Thus, the \texttt{extract} algorithm extracts a private key from the given public key. \vspace{3mm} \\
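Review bot: the new BDH statement under \subsubsection{The BDH Problem} is awkwardly worded and silently switches setting. The bilinear-map definition in the context lines works with two groups $\mathbb{G}_1, \mathbb{G}_2$, while the added text uses a single group with $e : \Gm \times \Gm \ra \Gm_T$ and says "The BDH problem is then in $(\Gm, \Gm_T, e)$ as follows". Suggest "The (computational) BDH problem in $(\Gm, \Gm_T, e)$ is: given $(g, g^a, g^b, g^c)$ for random $a,b,c \in \mathbb{Z}^*_p$, compute $e(g,g)^{abc}$", plus one sentence stating that the symmetric setting $\mathbb{G}_1 = \mathbb{G}_2 = \Gm$ is assumed from here on. The BDHE paragraph that follows mixes macros (\G, \Gp{_T}, \Gmp{_T}, \Gm_T, and a bare "$g \in G$"); use \Gm and \Gm_T throughout, and say "prime order $p$" there as the BDH paragraph does. Pre-existing in the context lines but worth fixing while touching this region: "Mathmatical" in the subsection title and first sentence, "wherre", and the Private Key Generator abbreviated as \texttt{PKF} although the security definition below uses \texttt{PKG}.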
@ -89,8 +95,8 @@ This is defined for a specific $m$ which could for instance be taken as a parame
Naturally, these algorithms must satisfy that: Naturally, these algorithms must satisfy that:
$$ \forall M \in M\ :\ \text{Decrypt}(\text{params}, C, d) = M\quad \text{where}\quad C = \text{Encrypt}(\text{params}, ID, M)$$ $$ \forall M \in M\ :\ \text{Decrypt}(\text{params}, C, d) = M\quad \text{where}\quad C = \text{Encrypt}(\text{params}, ID, M)$$
\vspace{3mm} \\ \vspace{3mm} \\
\subsubsection{Security}
\textbf{Chosen Ciphertext Security.} \quad To this end, we will focus on Chosen Ciphertext Security (\texttt{IND-CPA}), as this is the standard acceptable notion of security for a public key encryption scheme \cite{security_notion}. The standard definition however, is not strong enough, as we must also require that the adversary might already know of several \texttt{ID}s and decryption keys, given by the \texttt{PKG} and these should not aid the adversary in breaking the security. We define an \emph{extraction query} to be a query which yields the decryption key for a given \ID. Furthermore, the adversary is given the choice of which \ID to be challenged on, rather than it being a random public key. \cite{WeilIBE} \textbf{Chosen Ciphertext Security.} \quad To this end, we will focus on Chosen Ciphertext Security (\texttt{IND-CPA}), as this is the standard acceptable notion of security for a public key encryption scheme \cite{security_notion}. The standard definition however, is not strong enough, as we must also require that the adversary might already know of several \texttt{ID}s and decryption keys, given by the \texttt{PKG} and these should not aid the adversary in breaking the security. We define an \emph{extraction query} to be a query which yields the decryption key for a given \ID. Furthermore, the adversary is given the choice of which \ID to be challenged on, rather than it being a random public key. \cite{WeilIBE}
An Identity-Based Encryption scheme is semantically secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CPA}) if no polynomially bounded adversary $\mathcal{A}$ has non-negligible advantage against the Challenger in the following game \adv{E}: \vspace{4mm} \\ An Identity-Based Encryption scheme is semantically secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CPA}) if no polynomially bounded adversary $\mathcal{A}$ has non-negligible advantage against the Challenger in the following game \adv{E}: \vspace{4mm} \\
\-\hspace{5mm} \textbf{Setup:} The challenger is given a security parameter $k$ and he runs the \emph{Setup} algorithm explained above. This returns the public parameters and the master-key to the Challenger, who then forwards the public parameters to the adversary. \vsp{3mm} \-\hspace{5mm} \textbf{Setup:} The challenger is given a security parameter $k$ and he runs the \emph{Setup} algorithm explained above. This returns the public parameters and the master-key to the Challenger, who then forwards the public parameters to the adversary. \vsp{3mm}
\-\hspace{5mm} \textbf{Phase 1:} The adversary is allowed to issue queries $q_1, \dots, q_l$ where query $q_i$ is one of two queries; \-\hspace{5mm} \textbf{Phase 1:} The adversary is allowed to issue queries $q_1, \dots, q_l$ where query $q_i$ is one of two queries;
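Review bot: the new \subsubsection{Security} heading now sits over a definition whose wording and acronyms contradict each other. "Chosen Ciphertext Security (\texttt{IND-CPA})" and "semantically secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CPA})" pair chosen-ciphertext wording with the chosen-plaintext acronym; the IBE section added later in this commit says the scheme is IND-ID-CPA and explicitly not IND-ID-CCA, so chosen plaintext security with \texttt{IND-ID-CPA} is presumably what is meant here, and the two sentences should be aligned to it. Also "$\forall M \in M$" in the correctness display should read "$\forall M \in \mathcal{M}$" to match the message space defined in Setup, and "the adversary might already know of several IDs and decryption keys, given by the PKG" is clearer as "the adversary may obtain private keys for several IDs of its choice from the PKG", which is exactly what the extraction query defined in the next sentence provides.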
@ -143,6 +149,38 @@ The advantage of \adv{A} is as expected; $Adv^{\texttt{AHBE}}_{\mathcal{A},n,N}(
% TODO: Write of the Threshold Public Key Encryption Scheme; https://www.di.ens.fr/david.pointcheval/Documents/Papers/2008_crypto.pdf % TODO: Write of the Threshold Public Key Encryption Scheme; https://www.di.ens.fr/david.pointcheval/Documents/Papers/2008_crypto.pdf
% TODO: Write up the different security definitions for BE systems, Static, Semi-Static and Adaptive % TODO: Write up the different security definitions for BE systems, Static, Semi-Static and Adaptive
\section{Identity Based Encryption}
We will cover a basic identity based encryption scheme which illustrates a basic usage of bilinear maps as well as one way to extend the \emph{Diffie-Hellman Assumption} known from Public Key Encryption. This scheme is not secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CCA}). Note that it can be extended to cover this, but this is out of the scope of this paper. We note that although this scheme is not awefully relevant for the rest of this paper, it still is something we covered throughout the semester and it offers a delicate and simple introduction to some of the mathematical concepts and encryption schemes which will be used throughout this paper, specifically that of bilinear maps and public key cryptography.
As already mentioned, an IBE-scheme is a collection of four randomized algorithms: \texttt{Setup, Extract, Encrypt, Decrypt}. $k$ is defined to be a security parameter given to the setup algorithm and $\mathcal{G}$ is a BDH parameter generator.
\subsection{A scheme}
The scheme we will focus on is that of Boneh and Franklin as described in \cite{WeilIBE}. The structure will be as defined in Section \ref{sec:IBEStruct}. We let $\lambda$ be the given security parameter given implicitly to the setup algorithm. We let $\mathcal{G}$ be a BDH parameter generator. \vsp{4mm}
\hsp{5mm}\textbf{Setup:}\quad Given $k$;
\begin{enumerate}
\item Run $\mathcal{G}$ on the input $k$ in order to generate a prime $p$ which defines the order of two groups $\Gm$ and $\Gm_T$ as well as an \emph{admissible} bilinear map $e : \Gm \times \Gm \ra \Gm_T$. Pick a random generator $g \in_R \Gm$.
\item Pick a random $s \in_R \mathbb{Z}^*_p$ and set the public key PK as such, $PK = g^s$.
\item Choose two hash functions: $H_1 : \{0,1\}^* \ra G^*$ and $H_2 : G_T \ra \{0,1\}^n$ for some $n$. Note that in the security analysis of this scheme, $H_1$ and $H_2$ will be viewed as random oracles. \\
The message space will be $\mathcal{M} = \{0,1\}^n$ and the ciphertext space is $\mathcal{C} = \Gm^{*} \times \{0,1\}^n$. Finally, the system parameters \texttt{params} are $(p, \Gm, \Gm_T, e, n, g, PK, H_1, H_2)$. The \emph{master key} (Or the systems private key), is then $s$. % TODO: Is this not the same s from the generation of the pk?
\end{enumerate}
\hsp{5mm}\textbf{Extract:}\quad For a given string \ID $\in \{0,1\}^*$ the algorithm does two things; Compute $Q_{\mathtt{ID}} = H_1(ID) \in \Gm^*$ and it sets the private key $d_{\mathtt{ID}}$ to be $d_{\mathtt{ID}} = Q_{\mathtt{ID}}^s$, for the master key $s$. \vsp{3mm}
\hsp{5mm}\textbf{Encrypt:}\quad To encrypt some $m \in \mathcal{M}$ under the public key \ID, the user does the following: Compute $Q_{\mathtt{ID}} = H_1(ID) \in \Gm^*$, choose a random $r \in_R \mathbb{Z}^*_p$ and set the final ciphertext to be:
$$C = (g^r, m \oplus H_2(g_{\mathtt{ID}}^r)\quad \text{ where }\quad g_{\mathtt{ID}} = e(Q_{\mathtt{ID}}, PK) \in \Gm^*_T$$
\hsp{5mm}\textbf{Decrypt:}\quad Parse $C = (u,v)$ as a ciphertext decrypted under the public key \texttt{ID}. Then, to decrypt $C$ using the private key $d_{\mathtt{ID}} \in \Gm^*$, compute:
$$v \oplus H_2(e(d_{\mathtt{ID}}, u)) = m$$
Correctness of the above scheme is obvious from two facts;
\begin{enumerate}
\item During encryption $m$ is bitwise XORed with the hash of: $g^r_{\mathtt{ID}}$
\item During decryption $v$ is bitwise XORed with the hash of: $e(d_{\mathtt{ID}}, u)$
\end{enumerate}
Where these masks which are used during encryption and decryption are the same as;
$$e(d_{\mathtt{ID}}, u) = e(Q_{\mathtt{ID}}^s, g^r) = e(Q_{\mathtt{ID}}, g)^{sr} = e(Q_{\mathtt{ID}}, PK)^r = g^r_{\mathtt{ID}}$$
\subsection{Security}
The scheme is showed to be semantically secure (\texttt{IND-ID-CPA}), assuming that the BDH problem is hard in the groups generated by $\mathcal{G}$.
% TODO: Consider finishing this security proof. Is it really that important? It's the last from this paper.
\section{Broadcast Encryption} \section{Broadcast Encryption}
\label{sec:BE} \label{sec:BE}
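Review bot: the Encrypt display in the new IBE section never closes the ciphertext tuple: "$$C = (g^r, m \oplus H_2(g_{\mathtt{ID}}^r)\quad \text{ where }$$" is missing a parenthesis and should be "$C = (g^r, m \oplus H_2(g_{\mathtt{ID}}^r))$". Consistency points in the same section: Setup step 3 writes "$H_1 : \{0,1\}^* \ra G^*$ and $H_2 : G_T \ra \{0,1\}^n$" while every other line uses $\Gm^*$ and $\Gm_T$; the scheme intro says "We let $\lambda$ be the given security parameter" but Setup is "Given $k$" and the paragraph just before already defines $k$ and $\mathcal{G}$, so one of the two is redundant; Decrypt says "a ciphertext decrypted under the public key ID" where "encrypted" is meant; "$H_1(ID)$" should be "$H_1(\mathtt{ID})$" in Extract and Encrypt. The TODO after "The master key ... is then $s$" can be resolved and removed: it is the same $s$ chosen in step 2, since $PK = g^s$ and Extract sets $d_{\mathtt{ID}} = Q_{\mathtt{ID}}^s$, which is exactly what the correctness chain $e(Q_{\mathtt{ID}}^s, g^r) = e(Q_{\mathtt{ID}}, PK)^r$ relies on. Typos: "awefully", "delicate" (gentle), "showed" (shown). The Security subsection should also state that the IND-ID-CPA result holds in the random oracle model, which step 3 already notes for $H_1$ and $H_2$.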
@ -364,15 +402,10 @@ $$k = BDec(S, i, d(i), Hdr, K) $$
\subsection{Attempt at reducing the AHBE instantion to BDHE-problem} \subsection{Attempt at reducing the AHBE instantion to BDHE-problem}
Seeing that the reduction had some non-salveable issues regarding the decryption keys of the target set $S^*$, we attempted to reduce their instantiation directly to the BDHE problem, which the original scheme due to Gentry and Waters was originally reduced to, to prove its Semi-static security. We recall why the original reduction worked: The values $h_1, \dots, h_n$ are originally picked completely at random from the target group of the bilinear map, $\Gm_T$, which allowed the original reduction to sample $y_1, \dots, y_n$ and lift the generator of the group $\Gm$, $g$, to specific values of $y_i$, whenever we needed to know the discrete log of $h_i$, specifically when $i \in \tilde{S}$, i.e. the set of potential receivers, $h_i = g^{y_i}$. Furthermore, for the rest of the users, $i \not\in \tilde{S}$, they generated the values of $h_i = g^{y_i + a^i}$ meaning that the adversary \adv{B} could in fact not compute the discrete log and would thus not have a chance of computing the header information, if the adversary \adv{A} decided to attack this user. Due to the semi-static nature however, this is not something they have to worry of, as \adv{A} has already commited to $\tilde{S}$. The definition of the $h_i$ for $i \not\in \tilde{S}$, means that \adv{B} can properly answer the extraction queries for these users, as \adv{B} defines the values $r_i$ in such a way, that the exponents cancels out in $d_{i,i} = g^{\alpha}h^{r_i}_i$ and we do not have to bother trying to compute the discrete log of $g^\alpha$, specically the $a^{n+1}$ part of $\alpha = y_0 \cdot a^{n+1}$. The issues then arise, as all the $h_i$ values are required for the AHBE scheme, essentially meaning we can not fake some and define some in a very specific way, as they are \emph{all} used for the different keys, regardless of the user $i$ being in the attack set $i \in \tilde{S}$, as all the users are using the same underlying KHBE scheme. 
This results in the algorthim \adv{B} not being capable of answering extraction queries for any user i outside of the attack set, $i \not\in \tilde{S}$, as \adv{B} also has to generate all the $h$ values in such a way that he can compute the discrete log. Seeing that the reduction had some non-salveable issues regarding the decryption keys of the target set $S^*$, we attempted to reduce their instantiation directly to the BDHE problem, which the original scheme due to Gentry and Waters was originally reduced to, to prove its Semi-static security. We recall why the original reduction worked: The values $h_1, \dots, h_n$ are originally picked completely at random from the target group of the bilinear map, $\Gm_T$, which allowed the original reduction to sample $y_1, \dots, y_n$ and lift the generator of the group $\Gm$, $g$, to specific values of $y_i$, whenever we needed to know the discrete log of $h_i$, specifically when $i \in \tilde{S}$, i.e. the set of potential receivers, $h_i = g^{y_i}$. Furthermore, for the rest of the users, $i \not\in \tilde{S}$, they generated the values of $h_i = g^{y_i + a^i}$ meaning that the adversary \adv{B} could in fact not compute the discrete log and would thus not have a chance of computing the header information, if the adversary \adv{A} decided to attack this user. Due to the semi-static nature however, this is not something they have to worry of, as \adv{A} has already commited to $\tilde{S}$. The definition of the $h_i$ for $i \not\in \tilde{S}$, means that \adv{B} can properly answer the extraction queries for these users, as \adv{B} defines the values $r_i$ in such a way, that the exponents cancels out in $d_{i,i} = g^{\alpha}h^{r_i}_i$ and we do not have to bother trying to compute the discrete log of $g^\alpha$, specically the $a^{n+1}$ part of $\alpha = y_0 \cdot a^{n+1}$. 
The issues then arise, as all the $h_i$ values are required for the AHBE scheme, essentially meaning we can not fake some and define some in a very specific way, as they are \emph{all} used for the different keys, regardless of the user $i$ being in the attack set $i \in \tilde{S}$, as all the users are using the same underlying KHBE scheme. This results in the algorthim \adv{B} not being capable of answering extraction queries for any user i outside of the attack set, $i \not\in \tilde{S}$, as \adv{B} also has to generate all the $h$ values in such a way that he can compute the discrete log.
We note, that it is not obvious if the value of all the different $\alpha$'s can be changed. For the AHBE scheme, every single user $i$ has their own value of $\alpha_i$ and one might be able to hide something within these values, but it is doubtful, as they have to be generated from the exponentiations of $g$ we are given through the BDHE problem, $\{g^{a^i} : i \in [0,n] \cup [n+2,2n]\}$ for the values to properly match the decision problem, whether $Z = e(g,g)^{a^{n+1} \cdot s}$. However, if this was successful, one could hide either an easily computable discrete log here or something which could cancel out with $r_i$, which would make it much easier to answer the extraction queries.
\section{Implementation of Schemes} As such, we conclude that, if there is a reduction to be found from the AHBE instantiation directly to the BDHE problem, then we were not to find this.
\subsection{Identity-Based Encryption}
I'll cover a basic identity based encryption scheme which illustrates a basic usage of bilinear maps as well as one way to extend the \emph{Diffie-Hellman Assumption} known from Public Key Encryption. This scheme is not secure against an adaptive chosen ciphertext attack (\texttt{IND-ID-CCA}). Note that it can be extended to cover this, but this is out of the scope of this paper.
As already mentioned, an IBE-scheme is a collection of four randomized algorithms: \texttt{Setup, Extract, Encrypt, Decrypt}. $k$ is defined to be a security parameter given to the setup algorithm and $\mathcal{G}$ is a BDH parameter generator.
\subsection{Adaptive Security in Broadcast Encryption Systems}
Written by \emph{Craig Gentry \& Brent Waters}.
\newpage\bibliographystyle{plain} \newpage\bibliographystyle{plain}
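Review bot: the recap of the Gentry-Waters reduction places $h_1, \dots, h_n$ in the wrong group. "picked completely at random from the target group of the bilinear map, $\Gm_T$" contradicts the same sentence's "$h_i = g^{y_i}$" with $g$ a generator of $\Gm$, and the key "$d_{i,i} = g^{\alpha}h^{r_i}_i$" only makes sense with $h_i \in \Gm$; change to "from the group $\Gm$". The reflow otherwise keeps the text unchanged, so the typos travel with it: "non-salveable" (non-salvageable), "commited", "specically", "algorthim", "the exponents cancels out", and "user i" should be "user $i$". The removed old "Implementation of Schemes" section also dropped the "Adaptive Security in Broadcast Encryption Systems / Written by Craig Gentry & Brent Waters" stub; if that attribution was meant to survive, it now needs to appear next to Section \ref{sec:BE} or in the bibliography entry rather than nowhere.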