from selective id to full id ibs without random oracles
play

From Selective-ID to Full-ID IBS without Random Oracles Sanjit - PowerPoint PPT Presentation

Dec 05, 2022 •881 likes •1.34k views

Overview Background The Transformation Conclusion and Future Work From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath Indian Institute of Science, Bangalore November 3, 2013 Overview Background The

  1. Overview Background The Transformation Conclusion and Future Work From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath Indian Institute of Science, Bangalore November 3, 2013

  2. Overview Background The Transformation Conclusion and Future Work Table of contents Overview Background Formal Definitions The Selective-Identity Model Construction of IBS The Transformation Objects Used The Transformation Security Conclusion and Future Work

  3. Overview Background The Transformation Conclusion and Future Work Identity-Based Cryptography • Introduced by Shamir in 1984. • Any arbitrary string, say e-mail address, can be used as public key. • Certificate management can be avoided. • A trusted private key generator (PKG) generates secret keys. mpk msk PKG Alice Bob

  4. Overview Background The Transformation Conclusion and Future Work Identity-Based Cryptography • Introduced by Shamir in 1984. • Any arbitrary string, say e-mail address, can be used as public key. • Certificate management can be avoided. • A trusted private key generator (PKG) generates secret keys. mpk msk PKG e k A c i l s A u Alice Bob

  5. Overview Background The Transformation Conclusion and Future Work Identity-Based Cryptography • Introduced by Shamir in 1984. • Any arbitrary string, say e-mail address, can be used as public key. • Certificate management can be avoided. • A trusted private key generator (PKG) generates secret keys. mpk msk PKG Alice Alice Bob usk A Alice

  6. Overview Background The Transformation Conclusion and Future Work Identity-Based Cryptography • Introduced by Shamir in 1984. • Any arbitrary string, say e-mail address, can be used as public key. • Certificate management can be avoided. • A trusted private key generator (PKG) generates secret keys. mpk msk PKG Alice Alice Bob Bob usk A Alice usk B Bob

  7. Overview Background The Transformation Conclusion and Future Work Identity-Based Signatures • IBS is the concept of digital signatures extended to identity-based setting. PKG usk mpk id ( σ ; ( id , m )) Signer Verifier

  8. Overview Background The Transformation Conclusion and Future Work Identity-Based Signatures • IBS is the concept of digital signatures extended to identity-based setting. PKG usk mpk id ( σ ; ( id , m )) Signer Verifier • Focus of the talk: construction of IBS schemes

  9. Overview Background The Transformation Conclusion and Future Work FORMAL DEFINITIONS

  10. Overview Background The Transformation Conclusion and Future Work Public-Key Signature Consists of three PPT algorithms {K , S , V} : • Key Generation , K ( κ ) • Used by the signer to generate the key-pair ( pk , sk ) • pk is published and the sk kept secret • Signing , S sk ( m ) • Used by the signer to generate signature on some message m • The secret key sk used for signing • Verification , V pk ( σ, m ) • Used by the verifier to validate a signature • Outputs 1 if σ is a valid signature on m ; else, outputs 0

  11. Overview Background The Transformation Conclusion and Future Work Identity-Based Signature Consists of four PPT algorithms {G , E , S , V} : • Set-up , G ( κ ) • Used by PKG to generate the master key-pair ( mpk , msk ) • mpk is published and the msk kept secret • Key Extraction , E msk ( id ) • Used by PKG to generate the user secret key ( usk ) • usk is then distributed through a secure channel • Signing , S usk ( id , m ) • Used by the signer (with identity id ) to generate signature on some message m • The user secret key usk used for signing • Verification , V mpk ( σ, id , m ) • Used by the verifier to validate a signature • Outputs 1 if σ is a valid signature on m by the user with identity id ; otherwise, outputs 0

  12. Overview Background The Transformation Conclusion and Future Work STANDARD SECURITY MODELS

  13. Overview Background The Transformation Conclusion and Future Work Security Model for PKS: EU-CMA pk C A (ˆ σ ; ˆ m ) O s • Existential unforgeability under chosen-message attack • C generates key-pair ( pk , sk ) and passes pk to A . • Signature Queries: Access to a signing oracle O s • Forgery: A wins if (ˆ σ ; ˆ m ) is valid and non-trivial • Adversary’s advantage in the game Adv EU − CMA ( κ ): A � � $ $ − A O s ( pk ) Pr 1 ← V pk (ˆ σ ; ˆ m ) | ( sk , pk ) ← − K ( κ ); (ˆ σ ; ˆ m ) ←

  14. Overview Background The Transformation Conclusion and Future Work Security Model for IBS: EU-ID-CMA mpk C A σ ; ( ˆ (ˆ id , ˆ m )) O { s ,ε } • Existential unforgeability with adaptive identity under chosen-message attack • C generates key-pair ( mpk , msk ) and passes mpk to A . • Extract Queries, Signature Queries σ ; ( ˆ • Forgery: A wins if (ˆ id , ˆ m )) is valid and non-trivial • Adversary’s advantage in the game Adv EU − ID − CMA ( κ ): A � � $ − A O { s ,ε } ( mpk ) $ σ ; ( ˆ σ ; ( ˆ Pr 1 ← V mpk (ˆ id , ˆ m )) | ( msk , mpk ) ← − G ( κ ); (ˆ id , ˆ m )) ←

  15. Overview Background The Transformation Conclusion and Future Work THE SELECTIVE-IDENTITY MODEL

  16. Overview Background The Transformation Conclusion and Future Work sID Model: Salient Features • Introduced by Canetti et al. • Weaker than the full model ( EU-ID-CMA ) • However, easier to design sID -secure protocols • Adversary has to, beforehand, commit to the target identity • Target identity: the identity on which the adversary forges on • Adversary cannot extract query on the target identity ˆ id C A mpk O { s ,ε } σ ; ( ˆ (ˆ id , ˆ m ))

  17. Overview Background The Transformation Conclusion and Future Work CONSTRUCTION OF IBS

  18. Overview Background The Transformation Conclusion and Future Work Construction of IBS • Considered easier task than IBE • Folklore method: EU-ID-CMA -IBS ≡ 2( EU-CMA -PKS) • ( EU-CMA -PKS) ≡ ( EU-GCMA -PKS)+( CR -CHF) • Implies EU-ID-CMA -IBS ≡ 2(( EU-GCMA -PKS)+( CR -CHF))

  19. Overview Background The Transformation Conclusion and Future Work Construction of IBS • Considered easier task than IBE • Folklore method: EU-ID-CMA -IBS ≡ 2( EU-CMA -PKS) • ( EU-CMA -PKS) ≡ ( EU-GCMA -PKS)+( CR -CHF) • Implies EU-ID-CMA -IBS ≡ 2(( EU-GCMA -PKS)+( CR -CHF)) • From sID Model : • Random Oracle Model: guess the index of the target identity: polynomial degradation • Standard Model: guess the target identity itself: exponential degradation

  20. Overview Background The Transformation Conclusion and Future Work ...Construction of IBS... • Goal: construct ID -secure IBS from sID -secure IBS 1. without random oracles 2. with sub-exponential degradation (preferably, polynomial)

  21. Overview Background The Transformation Conclusion and Future Work ...Construction of IBS... • Goal: construct ID -secure IBS from sID -secure IBS 1. without random oracles 2. with sub-exponential degradation (preferably, polynomial) • Main result: EU-ID-CMA -IBS ≡ ( EU-sID-CMA -IBS)+( EU-GCMA -PKS)+( CR -CHF) • Further: EU-ID-CMA -IBS ≡ ( EU-wID-CMA -IBS)+( EU-GCMA -PKS)+( CR -CHF)

  22. Overview Background The Transformation Conclusion and Future Work THE TRANSFORMATION

  23. Overview Background The Transformation Conclusion and Future Work Objects used 1. Chameleon Hash Function 2. GCMA -secure PKS

  24. Overview Background The Transformation Conclusion and Future Work Chameleon Hash Function • A family of randomised trapdoor hash functions • Collision Resistant ( CR ) • “Chameleon” property: anyone with trapdoor information can efficiently generate collisions

  25. Overview Background The Transformation Conclusion and Future Work ...Chameleon Hash Function... Consists of three PPT {G , h , h − 1 } : Key Generation , G ( κ ): • Generates evaluation key ek and trapdoor key td Hash Evaluation , h ek ( m , r ): • A randomiser r used to evaluate the hash Collision Generation , h − 1 td ( m , r , m ′ ): • Outputs randomiser r ′ such that ( m , r ) and ( m ′ , r ′ ) is a collision : h ek ( m , r ) = h ek ( m ′ , r ′ )

  26. Overview Background The Transformation Conclusion and Future Work GCMA -secure PKS • Adversary has to, beforehand, commit to a set of messages ˜ M • The adversary can query with O s on any message from ˜ M • Adversary has to forge on a message not in ˜ M ˜ M C A pk , σ i O s (ˆ σ ; ˆ m )

  27. Overview Background The Transformation Conclusion and Future Work The Transformation In a nutshell • Takes as input: 1. an EU-sID-CMA -secure IBS I s := {G s , E s , S s , V s } 2. a collision-resistant CHF H := {G h , h , h − 1 } 3. a GCMA -secure PKS P := {K , S p , V p } • Outputs an EU-ID-CMA -secure IBS I := {G , E , S , V}

  28. Overview Background The Transformation Conclusion and Future Work The Transformation In a nutshell • Takes as input: 1. an EU-sID-CMA -secure IBS I s := {G s , E s , S s , V s } 2. a collision-resistant CHF H := {G h , h , h − 1 } 3. a GCMA -secure PKS P := {K , S p , V p } • Outputs an EU-ID-CMA -secure IBS I := {G , E , S , V} The idea: • CHF used to map identities between I and I s • PKS used to bind these identities

Recommend

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications

318 views • 19 slides
Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis New York University Joint work with Siyao Guo (Simons Institute, UC Berkeley) Jonathan Katz (University of Maryland) Hash Functions Are Ubiquitous

650 views • 40 slides
Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann

Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann

Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of

768 views • 65 slides
Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS,

Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS,

Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS, Paris TU Darmstadt Backdoors 1 Backdoors It makes more sense to address any security risks by developing intercept solutions during the design

808 views • 52 slides
Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work

Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work

Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work with Alexander Russell (University of Connecticut), Moti Yung (Google & Columbia University) Hong Sheng Zhou (Virginia Commonwealth University)

578 views • 34 slides
Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD 1/9/13 Bellare, Stanford RWC Workshop 1 The work reported on here is very much work in progress. The UCE definition has evolved since this talk and

774 views • 44 slides
Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Cryptocurrencies & Security on the Blockchain Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM execution must be deterministic. Cannot rely on outside information But sometimes that

591 views • 17 slides
Chaitins halting probability and the compression of strings using oracles George Barmpalias

Chaitins halting probability and the compression of strings using oracles George Barmpalias

Chaitins halting probability and the compression of strings using oracles George Barmpalias Joint work with Andrew Lewis Institute of Software Chinese Academy of Sciences Barcelona, July 2011 Question Random data lack internal structure

191 views • 18 slides
New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 Bob

341 views • 19 slides
Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the 2 Method

Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the 2 Method

Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the 2 Method Srimanta Bhattacharya and Mridul Nandi Indian Statistical Institute, Kolkata. Eurocrypt 2018 Tel Aviv, Israel 30th April, 2018 Outline 1

1.8k views • 162 slides
Selective Sampling (Realizable) Ji Xu October 2nd, 2017 Basic Settings Model: D : a

Selective Sampling (Realizable) Ji Xu October 2nd, 2017 Basic Settings Model: D : a

Selective Sampling (Realizable) Ji Xu October 2nd, 2017 Basic Settings Model: D : a distribution over X Y where X is the input space and Y = { 1 } are the possible labels. ( X , Y ) X Y be a pair of random variables with

486 views • 23 slides
Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner & Mattner Systemtechnik GmbH Berlin, Germany Overview Classification Tree Method Expected results Executable test scripts Test Oracles and

374 views • 25 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
Texas Instruments & RFAB TI Information Selective Disclosure TI Information Selective

Texas Instruments & RFAB TI Information Selective Disclosure TI Information Selective

Texas Instruments & RFAB TI Information Selective Disclosure TI Information Selective Disclosure TI Information Selective Disclosure 2015 Corporate Citizenship Report Past 10 years Read more at TI.com/CCR TI Information

496 views • 13 slides
Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline Oracles, Test Automation and (Test) Models Oracles in TTCN-3 Test Automation (Oracle) Examples Test oracle as part of a test case A test

326 views • 30 slides
Random sequences Randomness of individual sequences Consider an infinite binary sequence A (0) A

Random sequences Randomness of individual sequences Consider an infinite binary sequence A (0) A

Constant compression and random weights 1 Wolfgang Merkle and Jason Teutsch Ruprecht-Karls-Universit at Heidelberg, Germany 1 presented at STACS 2012, full version will appear in Computability Random sequences Randomness of individual

403 views • 18 slides
Using selective pressure to improve protein Aude GRELAUD tridimensional structure prediction

Using selective pressure to improve protein Aude GRELAUD tridimensional structure prediction

Using selective pressure to improve protein tridimensional structure prediction Using selective pressure to improve protein Aude GRELAUD tridimensional structure prediction Context Markov random fields Aude GRELAUD 1 , 2 Jean-Michel

605 views • 28 slides
Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19 Format Oracles on OpenPGP | Introduction Contribution We

1.05k views • 28 slides
Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E

Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E

Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E A N R D U O C D O O D C N E Ralph Guderlei and Johannes Mayer rjg@mathematik.uni-ulm.de, jmayer@mathematik.uni-ulm.de

627 views • 40 slides
13/01/2016 Selective Licensing Harrow 2011 Census Project 239.000 residents a 2 year

13/01/2016 Selective Licensing Harrow 2011 Census Project 239.000 residents a 2 year

13/0 1/20 16 Housing Act 2004 (and Regs) Selective Licensing Section to. Housing Act 2004 Selective Licensing Designate the whore, part or parts of a Borough Wealdstone Re quiresa II private rented accommoda ticni area to be lcensed

358 views • 6 slides
Critical points of smooth Gaussian random fields Jonathan Taylor (Stanford) November 11, 2014

Critical points of smooth Gaussian random fields Jonathan Taylor (Stanford) November 11, 2014

Critical points of smooth Gaussian random fields Jonathan Taylor (Stanford) November 11, 2014 Two Stages A model for random sets. Critical points: Kac-Rice formula. Tube formulae. Gaussian integral geometry. Selective

845 views • 37 slides
Selective W eb Archiving at the Germ an National Library 1 | 8 | Selective Web Archiving

Selective W eb Archiving at the Germ an National Library 1 | 8 | Selective Web Archiving

Tobias Steinke Selective W eb Archiving at the Germ an National Library 1 | 8 | Selective Web Archiving | 21.04.2016 Digital Publications Legal deposit for digital publications on carriers and net publications (since 2006) On

427 views • 8 slides
Selective Prediction Binary classifications Rong Zhou November 8, 2017 Table of contents 1.

Selective Prediction Binary classifications Rong Zhou November 8, 2017 Table of contents 1.

Selective Prediction Binary classifications Rong Zhou November 8, 2017 Table of contents 1. What are selective classifiers? 2. The Realizable Setting 3. The Noisy Setting 1 What are selective classifiers? Introduction Selective

668 views • 35 slides

More recommend