hibe with tight multi challenge security
play

HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich - PowerPoint PPT Presentation

Aug 04, 2023 •308 likes •997 views

HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich (Switzerland), Part of the work done at KIT (Karlsruhe, Germany) Jiaxin Pan NTNU (Trondheim, Norway) Roman Langrehr, Jiaxin Pan 2020-06-01 1 Outline (H)IBE Tight

  1. HIBE with Tight Multi-challenge Security Roman Langrehr ETH Zurich (Switzerland), Part of the work done at KIT (Karlsruhe, Germany) Jiaxin Pan NTNU (Trondheim, Norway) Roman Langrehr, Jiaxin Pan 2020-06-01 1

  2. Outline (H)IBE Tight multi-challenge security Related works The difficulty Our solution Future work Roman Langrehr, Jiaxin Pan 2020-06-01 2

  3. Identity-based encryption mpk Alice Bob • Alice needs to obtain only the usk Bob master public key • Encryption with identities (e.g. e-mail address) Trusted Third Party Roman Langrehr, Jiaxin Pan 2020-06-01 3

  4. Hierarchical Identity-based encryption k Bob Alice Bob s u mpk • Hierarchy of key generators usk Trusted Third Party Roman Langrehr, Jiaxin Pan 2020-06-01 4

  5. Key delegation Identities have the form (id 1 , . . . , id p ). ε (0 . . . 0) · · · (1 . . . 1) (0 . . . 0 , 0 . . . 0) · · · (0 . . . 0 , 1 . . . 1) (1 . . . 1 , 0 . . . 0) · · · (1 . . . 1 , 1 . . . 1) . . . . . . . . . . . . • Each user can generate keys for its children Roman Langrehr, Jiaxin Pan 2020-06-01 5

  6. Security game (IND-HID-CPA) Challenger Adversary mpk id $ b ← { 0 , 1 } • The adversary must not ask usk[id] user secret keys for prefixes of id ⋆ , m 0 , m 1 challenge identities (id ⋆ ). $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 6

  7. Security game (IND-HID-CPA) Challenger Adversary mpk id $ b ← { 0 , 1 } • The adversary must not ask usk[id] user secret keys for prefixes of id ⋆ , m 0 , m 1 challenge identities (id ⋆ ). • IND-HID-CCA is easy once $ C ⋆ ← Enc(mpk , id ⋆ , m b ) you have IND-HID-CPA. b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 6

  8. Tight security Scheme Assumption Reduction (e.g. HIBE) (e.g. Diffie-Hellman) Roman Langrehr, Jiaxin Pan 2020-06-01 7

  9. Tight security Scheme Assumption Reduction (e.g. HIBE) (e.g. Diffie-Hellman) Can be broken with Can be broken with probability ε using resources ρ . probability ε/ℓ using resources ρ . Roman Langrehr, Jiaxin Pan 2020-06-01 7

  10. Tight security Scheme Assumption Reduction (e.g. HIBE) (e.g. Diffie-Hellman) Can be broken with Can be broken with probability ε using resources ρ . probability ε/ℓ using resources ρ . Larger security loss requires larger security parameter. Security loss ℓ can depend on: • scheme parameters (e.g. maximum hierarchy depth L ) • λ : the security parameter • the attacker’s resources (e.g. # user secret key queries Q k or # challenge ciphertext queries Q c ) Roman Langrehr, Jiaxin Pan 2020-06-01 7

  11. Tight security Scheme Assumption Reduction (e.g. HIBE) (e.g. Diffie-Hellman) Can be broken with Can be broken with probability ε using resources ρ . probability ε/ℓ using resources ρ . Larger security loss requires larger security parameter. Tight security: Security loss ℓ can depend on:  • scheme parameters (e.g. maximum hierarchy depth L )   allowed • λ : the security parameter � • the attacker’s resources (e.g. # user secret key queries Q k not allowed or # challenge ciphertext queries Q c ) Roman Langrehr, Jiaxin Pan 2020-06-01 7

  12. Multi-challenge security Challenger Adversary mpk id $ ← { 0 , 1 } b usk[id] id ⋆ , m 0 , m 1 $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 8

  13. Multi-challenge security Challenger Adversary mpk id $ ← { 0 , 1 } b usk[id] Single-challenge security id ⋆ , m 0 , m 1 Multi-challenge security $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 8

  14. Multi-challenge security Challenger Adversary mpk id $ ← { 0 , 1 } b usk[id] Single-challenge security id ⋆ , m 0 , m 1 generic: O ( Q c ) loss Multi-challenge security $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Roman Langrehr, Jiaxin Pan 2020-06-01 8

  15. Multi-challenge security Challenger Adversary mpk id $ ← { 0 , 1 } b usk[id] Single-challenge security id ⋆ , m 0 , m 1 generic: O ( Q c ) loss Multi-challenge security $ C ⋆ ← Enc(mpk , id ⋆ , m b ) b ′ b ? = b ′ Tight multi-instance security: Easy to achieve by rerandomizing the master public key. Roman Langrehr, Jiaxin Pan 2020-06-01 8

  16. History: HIBE HIBEs in prime-order pairing groups: [Wat09], [CW13], [BKP14] O ( Q k ) (single-challenge) [Lew12], [GCTC16] O ( Q k L ) (single-challenge) O ( nL 2 ) resp. O ( nL ) (single-challenge) [LP19] O ( nL 2 ) (multi-challenge) This work • Q k : # user secret key queries • L : maximum hierarchy depth • n : Bit-length of the identities Roman Langrehr, Jiaxin Pan 2020-06-01 9

  17. History: Tight IBE Tight IBEs in prime-order pairing groups: [CW13], [BKP14] O ( n ) (single-challenge) [AHY15], [GCD + 16], [GDCC16], [HJP18] O ( n ) (multi-challenge) • n : Bit-length of the identities Roman Langrehr, Jiaxin Pan 2020-06-01 10

  18. History: Tight IBE Tight IBEs in prime-order pairing groups: [CW13], [BKP14] O ( n ) (single-challenge) [AHY15], [GCD + 16], [GDCC16], [HJP18] O ( n ) (multi-challenge) • n : Bit-length of the identities ? Tight single-challenge HIBE + Tight multi-challenge IBE → Tight multi-challenge HIBE Roman Langrehr, Jiaxin Pan 2020-06-01 10

  19. IND-HID-CPA security for (H)IBE The challenge: • The reduction must answer user secret key queries for id 1 , . . . , id Q k . • The reduction must take advantage of the adversaries decryption capabilities for id ⋆ 1 , . . . , id ⋆ Q c . • The adversary adaptively chooses id 1 , . . . , id Q k and id ⋆ 1 , . . . , id ⋆ Q c . Roman Langrehr, Jiaxin Pan 2020-06-01 11

  20. Partitioning • Different parts use ”slightly different“ secret key. • A usk key from one part is not helpful for decrypting a ciphertext from a different part. Roman Langrehr, Jiaxin Pan 2020-06-01 12

  21. Partitioning • Different parts use ”slightly different“ secret key. • A usk key from one part is not helpful for decrypting a ciphertext from a different part. Initial Intermediate Final One partition Separated from Queried user secret key Challenge ciphertext Roman Langrehr, Jiaxin Pan 2020-06-01 12

  22. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  23. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  24. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  25. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  26. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  27. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  28. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  29. Query-by-query Partitioning • Typically used by non-tight (H)IBE schemes • O ( Q k ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 13

  30. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 14

  31. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss id 1 = 0 id 1 = 1 Roman Langrehr, Jiaxin Pan 2020-06-01 14

  32. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss id 2 = 0 id 2 = 1 Roman Langrehr, Jiaxin Pan 2020-06-01 14

  33. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 14

  34. Bit-by-bit Partitioning • Typically used by tight (H)IBE schemes. • One part per identity • O ( n ) security loss Roman Langrehr, Jiaxin Pan 2020-06-01 14

  35. Partitioning techniques 1. Embedding a challenge of the underlying assumption. . . – . . .in a part of the msk that appears only in user secret keys with id i = b . – . . .“reacts” with the randomness of the usk resp. ciphertext. Roman Langrehr, Jiaxin Pan 2020-06-01 15

  36. Partitioning techniques 1. Embedding a challenge of the underlying assumption. . . – . . .in a part of the msk that appears only in user secret keys with id i = b . – . . .“reacts” with the randomness of the usk resp. ciphertext. 2. Choose randomness of a subspace [GHKW16] – hides part of the msk from usk queries. Roman Langrehr, Jiaxin Pan 2020-06-01 15

  37. Usage in the single-challenge setting Tight IBE: Scheme Challenge queries usk queries [CW13],[BKP14] (information-theoretic) Embedding a challenge Roman Langrehr, Jiaxin Pan 2020-06-01 16

  38. Usage in the single-challenge setting Tight IBE: Scheme Challenge queries usk queries [CW13],[BKP14] (information-theoretic) Embedding a challenge Tight HIBE: Scheme Challenge queries usk queries [LP19] (information-theoretic) Subspace Roman Langrehr, Jiaxin Pan 2020-06-01 16

Recommend

Anonymity from Asymmetry: New Constructions for Anonymous HIBE Ducas L eo, Ecole Normale

Anonymity from Asymmetry: New Constructions for Anonymous HIBE Ducas L eo, Ecole Normale

Introduction Anonymous IBE Construction Extension to HIBE and HVE Conclusion Anonymity from Asymmetry: New Constructions for Anonymous HIBE Ducas L eo, Ecole Normale Superieure, Paris February 23, 2010 Ducas L eo, Ecole Normale

366 views • 32 slides
Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee

Tight PRF-Security of Double-block Hash-then-Sum MACs Seongkwang Kim, Byeonghak Lee , Jooyoung Lee KAIST Outline Introduction - Message Authentication Code - Double-block Hash-then-Sum paradigm Our Contribution - Tight security proof of

394 views • 24 slides
Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso,

Masking Proofs are Tight (and How to Exploit it in Security Evaluations) Vincent Grosso, Franois-Xavier Standaert Radbout University Nijmegen (The Netherlands), UCL (Belgium) EUROCRYPT 2018, Tel Aviv, Israel Motivation (side-channel security

775 views • 52 slides
On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1

On Tight Security Proofs for Schnorr Signatures Nils Fleischhacker 1 Tibor Jager 2 oder 1 Dominique Schr 1 Saarland University 2 Horst G ortz Institute for IT Security, Ruhr-University Bochum December 9, 2014 (Informal) main Result The

1.35k views • 36 slides
Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at

Proving tight security for RabinWilliams signatures D. J. Bernstein University of Illinois at Chicago Thanks to: NSF CCR9983950 NSF DMS0140542 NSF ITR0716498 Alfred P. Sloan Foundation Warning: Springer mangled the

589 views • 19 slides
Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object

Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object

Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object Tracking Origins SONAR, RADAR Given a raw stream of sensory data: Localize objects Estimate object identities over time

340 views • 16 slides
On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven Schge Ruhr-University Bochum EUROCRYPT 2016 1 Tight Cryptographic Reduc:ons 1. Define a security model 2. Prove: efficient a/acker A

835 views • 48 slides
Multi-level modeling with MELANEE A Contribution to the MULTI2018 Challenge Arne Lange, Colin

Multi-level modeling with MELANEE A Contribution to the MULTI2018 Challenge Arne Lange, Colin

Multi-level modeling with MELANEE A Contribution to the MULTI2018 Challenge Arne Lange, Colin Atkinson The Challenge model a bicycle shop in a multi-level fashion fulfill requirements, if necessary with the help of a constraint language

753 views • 16 slides
Tight Space-Approximation Tradeoff for the Multi-Pass Streaming Set Cover Problem Sepehr Assadi

Tight Space-Approximation Tradeoff for the Multi-Pass Streaming Set Cover Problem Sepehr Assadi

Tight Space-Approximation Tradeoff for the Multi-Pass Streaming Set Cover Problem Sepehr Assadi University of Pennsylvania Sepehr Assadi (Penn) PODS 2017 The Set Cover Problem Input: A collection of m sets S 1 , . . . , S m from a universe [ n

979 views • 97 slides
Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid,

Tight Private Circuits: Achieving Probing Security with the Least Refreshing Sonia Belaid, Dahmun Goudarzi, and Matthieu Rivain dahmun.goudarzi@pqshield.com 1 Side-Channel Attacks and Higher-Order Masking in 1 in 2 in 3

655 views • 52 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound

SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound

SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound Harikrishna Narasimhan and Shivani Agarwal Department of Computer Science and Automation Indian Institute of Science, Bangalore Receiver Operating

1.12k views • 90 slides
Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing

Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing

Enabling Grids for E-sciencE Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing OSCT Security Workshop on 7 th March in Taipei www.eu-egee.org 1 Jinny Chien, ASGC Training and Dissemination

1.05k views • 39 slides
Collaborative Learning with Limited Interaction: Tight Bounds for Distributed Exploration in

Collaborative Learning with Limited Interaction: Tight Bounds for Distributed Exploration in

Collaborative Learning with Limited Interaction: Tight Bounds for Distributed Exploration in Multi-Armed Bandits Chao Tao, Qin Zhang Yuan Zhou IUB UIUC Nov. 10, 2019 FOCS 2019 1-1 Collaborative Learning One of the most important tasks in

979 views • 70 slides
Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian

Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian

History of WCS Outline Known Security Analysis Our Works Bernstein Bound is Tight Repairing Luykx-Preneel Optimal Forgeries Mridul Nandi Indian Statistical Institute, Kolkata CRYPTO 2018 History of WCS Outline Known Security Analysis Our

834 views • 57 slides
The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis

The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis

INFORMATION SECURITY The Widening Talent Gap: The greatest security challenge of our time Presented by: Experis Information Security Practice Thursday, April 14, 2016 General Information Share the webinar Questions: Submit your

420 views • 14 slides
Laser Maze Security System Laser Security System: Challenge Science North is interested in hiring

Laser Maze Security System Laser Security System: Challenge Science North is interested in hiring

Optics Challenge Laser Maze Security System Laser Security System: Challenge Science North is interested in hiring a new security team to develop a protective laser system for their rare gem collection. This collection has eight rare gems and

170 views • 5 slides
YURY CHEMERKIN I have 10+ years of experience in information security. Im a multi-skilled

YURY CHEMERKIN I have 10+ years of experience in information security. Im a multi-skilled

S TILL S ECURE . W E E MPOWER W HAT W E H ARDEN B ECAUSE W E C AN C ONCEAL YURY CHEMERKIN MULTI-SKILLED SECURITY EXPERT CJSC ADVANCED MONITORING YURY CHEMERKIN I have 10+ years of experience in information security. Im a multi-skilled

1.43k views • 76 slides
Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

The Caliber of Your Choice Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9 November 2011 Dan Nolan - Sabot 6, Inc. An Energy Security Company 1800 Diagonal Ave Ste 600 - Alexandria, VA 22314

692 views • 51 slides
Tight Gas in the Netherlands A Study Proposal EBN Exploration Day 23 May 2016 1 1 Why a

Tight Gas in the Netherlands A Study Proposal EBN Exploration Day 23 May 2016 1 1 Why a

Tight Gas in the Netherlands A Study Proposal EBN Exploration Day 23 May 2016 1 1 Why a Tight Gas Study Proposal The Netherlands contains circa 50 discoveries with about 100 200 bcm undevelopped gas in tight reservoirs Several

726 views • 5 slides
The Technology Challenge: Privacy, I nform ation Security and Com pliance Pierce Atw ood Em

The Technology Challenge: Privacy, I nform ation Security and Com pliance Pierce Atw ood Em

The Technology Challenge: Privacy, I nform ation Security and Com pliance Pierce Atw ood Em ploym ent Group October 1 2 , 2 0 1 7 INFORMATION SECURITY Risks, Systems, Breaches, Training Presented by: Vivek J. Rao Pierce Atw ood LLP ( 2 0 7

1.38k views • 108 slides
Chapter 2 Tight-frames An Introduction 1 Outline 1. Tight-frame 1. Tight-frame 2. Matrix

Chapter 2 Tight-frames An Introduction 1 Outline 1. Tight-frame 1. Tight-frame 2. Matrix

Chapter 2 Tight-frames An Introduction 1 Outline 1. Tight-frame 1. Tight-frame 2. Matrix Representation 2. Matrix Representation 2 1 Tight Frames 3 Construction of Haar Wavelet = + 4 2 Construction of Haar Wavelet 5 Construction

450 views • 16 slides
The challenge of bounded, non-Gaussian, non- linear and multi-scale variables Craig H. Bishop

The challenge of bounded, non-Gaussian, non- linear and multi-scale variables Craig H. Bishop

The challenge of bounded, non-Gaussian, non- linear and multi-scale variables Craig H. Bishop University of Melbourne, Parkville, Victoria, Australia Some Motivation Major source of model error in weather and climate prediction models is

937 views • 69 slides
Powernightmares: The Challenge of Efficiently Using Sleep States on Multi-Core Systems Thomas

Powernightmares: The Challenge of Efficiently Using Sleep States on Multi-Core Systems Thomas

Powernightmares: The Challenge of Efficiently Using Sleep States on Multi-Core Systems Thomas Ilsche, Marcus Hhnel, Robert Schne, Mario Bielert, and Daniel Hackenberg Technische Universitt Dresden 29.08.17 5th Workshop on Runtime and

369 views • 16 slides

More recommend