
(Hierarchical) Identity-Based Encryption from Affine Message - PowerPoint PPT Presentation

(Hierarchical) Identity-Based Encryption from Affine Message Authentication, Crypto 2014. Olivier Blazy, Eike Kiltz, Jiaxin Pan. Horst Görtz Institute for IT Security, Ruhr-University Bochum. 1 Introduction 2 Affine MAC 3 From Affine MAC to IBE 4


  1. (Hierarchical) Identity-Based Encryption from Affine Message Authentication, Crypto 2014. Olivier Blazy, Eike Kiltz, Jiaxin Pan. Horst Görtz Institute for IT Security, Ruhr-University Bochum

  2. 1 Introduction 2 Affine MAC 3 From Affine MAC to IBE 4 Conclusion (H)IBE from Affine MAC | HGI | Crypto 2014 2/24

  3. Outline 1 Introduction 2 Affine MAC 3 From Affine MAC to IBE 4 Conclusion

  4. Identity-Based Encryption (IBE)
     ◮ Alice sends $C = \mathsf{Encrypt}(\text{'Bob'}, M)$ to Bob.
     ◮ Bob computes $M = \mathsf{Decrypt}(\mathsf{usk}_{\mathsf{Bob}}, C)$.

  10. History of IBE
     ◮ Shamir 84
     ◮ Boneh-Franklin, Cocks
     ◮ Boneh-Boyen, Waters 05
     ◮ Waters 09, Chen-Wee
     ◮ . . .
     Open Problem: Generic ???? → IBE

  15. More about History [diagram relating Signature, IBE and MAC, with labels "+ NIZK ([BelGol89])", "Naor", "[DKPW12]" and "????"]

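  16. MAC + NIZK → Signature
     Signature
     ◮ $\mathsf{sk} := (\mathsf{sk}_{\mathsf{MAC}}, y)$; $\mathsf{pk} := \mathsf{Commit}(\mathsf{sk}_{\mathsf{MAC}}; y)$
     ◮ $\mathsf{Sig}(\mathsf{sk}, m)$: $\tau \xleftarrow{\$} \mathsf{Tag}(\mathsf{sk}_{\mathsf{MAC}}, m)$, $\pi \xleftarrow{\$} \mathsf{Prove}(\text{'}\tau \text{ is valid'})$
     ◮ $\mathsf{Ver} := \mathsf{Ver}_{\mathsf{NIZK}}$
     NIZK Proof
     $\mathsf{NIZK} := (\mathsf{Prove}, \mathsf{Ver}_{\mathsf{NIZK}})$ for $L$: $\{(\tau, m, \mathsf{pk}) : \exists\, \mathsf{sk}, y \text{ s.t. } \mathsf{Ver}(\mathsf{sk}, \tau, m) = 1 \wedge \mathsf{pk} = \mathsf{Commit}(\mathsf{sk}; y)\}$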

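  19. MAC + NIZK $\xrightarrow{?}$ IBE
     IBE
     ◮ $\mathsf{sk} := (\mathsf{sk}_{\mathsf{MAC}}, y)$; $\mathsf{pk} := \mathsf{Commit}(\mathsf{sk}_{\mathsf{MAC}}; y)$
     ◮ $\mathsf{USKGen}$: $\tau \xleftarrow{\$} \mathsf{Tag}(\mathsf{sk}_{\mathsf{MAC}}, m)$, $\pi \xleftarrow{\$} \mathsf{Prove}(\text{'}\tau \text{ is valid'})$
     ◮ $\mathsf{Enc}$ := ???? (in place of $\mathsf{Ver}_{\mathsf{NIZK}}$)
     ◮ $\mathsf{Dec}$ := ????
     NIZK Proof
     $\mathsf{NIZK} := (\mathsf{Prove}, \mathsf{Ver}_{\mathsf{NIZK}})$ for $L$: $\{(\tau, m, \mathsf{pk}) : \exists\, \mathsf{sk}, y \text{ s.t. } \mathsf{Ver}(\mathsf{sk}, \tau, m) = 1 \wedge \mathsf{pk} = \mathsf{Commit}(\mathsf{sk}; y)\}$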

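  21. MAC + NIZK $\xrightarrow{?}$ IBE
     IBE
     ◮ $\mathsf{sk} := (\mathsf{sk}_{\mathsf{MAC}}, y)$; $\mathsf{pk} := \mathsf{Commit}(\mathsf{sk}_{\mathsf{MAC}}; y)$
     ◮ $\mathsf{USKGen}$: $\tau \xleftarrow{\$} \mathsf{Tag}(\mathsf{sk}_{\mathsf{MAC}}, m)$, $\pi \xleftarrow{\$} \mathsf{Prove}(\text{'}\tau \text{ is valid'})$
     ◮ $\mathsf{Enc}$ := ???? (in place of $\mathsf{Ver}_{\mathsf{NIZK}}$)
     ◮ $\mathsf{Dec}$ := ????
     Our Work
     ◮ Use the verification algorithm to define $\mathsf{Enc}$ and $\mathsf{Dec}$
     ◮ Exploit the underlying structure of the MAC + NIZK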

  23. Our Contributions
     (H)IBE = Affine MAC + Pairings
     ◮ Affine MAC: Affine Equations
     ◮ Pairings: Groth-Sahai Proofs, Affine Verification
     The affine properties make it possible to define $\mathsf{Enc}$ and $\mathsf{Dec}$.

  24. Outline 1 Introduction 2 Affine MAC 3 From Affine MAC to IBE 4 Conclusion

  25. Matrix Notation
     ◮ Considering $(\mathbb{G}, g, q)$ and
       $$A = \begin{pmatrix} a_{11} & \dots & a_{1m} \\ \vdots & & \vdots \\ a_{n1} & \dots & a_{nm} \end{pmatrix} \in \mathbb{Z}_q^{n \times m}$$
     Implicit Representation
       $$[A] := \begin{pmatrix} g^{a_{11}} & \dots & g^{a_{1m}} \\ \vdots & & \vdots \\ g^{a_{n1}} & \dots & g^{a_{nm}} \end{pmatrix} \in \mathbb{G}^{n \times m}$$

  26. Affine MAC – Intuition
     $\mathsf{MAC} := (\mathsf{Gen}_{\mathsf{MAC}}, \mathsf{Tag}, \mathsf{Ver})$
     $\mathsf{Tag}(\mathsf{sk}, m) \to ([t], [u])$, where $t$ is a column vector
     Affine MAC
     ◮ $t$: Random Part
     ◮ $u$: Message-dependent Affine Part

  27. Affine MAC – Formal Definition
     ◮ $\mathsf{Gen}_{\mathsf{MAC}}(\mathsf{par})$: $\mathsf{sk} := (x_0, \dots, x_\ell, x'_0, \dots, x'_{\ell'})$

  28. ◮ $\mathsf{Tag}(\mathsf{sk}, m) \xrightarrow{\$} \tau := ([t], [u])$
       $$u = \sum f_i(m)\, x_i^\top t + \sum f'_i(m)\, x'_i \in \mathbb{Z}_q \qquad (\ast)$$
       Public functions $f_i, f'_i : \mathcal{M} \to \mathbb{Z}_q$ define different implementations.
     ◮ $\mathsf{Ver}(\mathsf{sk}, m, ([t], [u])) \to 0/1$: Check if $([t], [u])$ satisfies Eq. $(\ast)$

  29. PR-CMA Security
     PR-CMA
     ◮ Decisional variant of EUF-CMA.

  32. Construction I: Naor-Reingold Approach
     Ideas
     ◮ Randomized and affine version of Naor-Reingold PRF.
     ◮ Security from standard assumption: $k$-Lin.
     ◮ Generalized to any Matrix DH assumption [EHKRV13].
     $\mathsf{Tag}(\mathsf{sk}, m) \xrightarrow{\$} \tau := ([t], [u])$:
       $$t \xleftarrow{\$} \mathbb{Z}_q^k, \qquad u = \Big(\sum_{i=1}^{|m|} x_{i, m_i}^\top\Big)\, t + x'_0 \in \mathbb{Z}_q$$
     ◮ Implicit in Chen-Wee13
     ✓ Tight Reduction ✗ Linear Size Parameters

  33. Construction II: Hash Proof System Approach
     Ideas
     ◮ [DKPW12] shows HPS implies EUF-CMA MAC.

  37. Construction II: Hash Proof System Approach
     Ideas
     ◮ This work shows $k$-Lin based HPS implies PR-CMA Affine MAC.
     ◮ Security from standard assumption: $k$-Lin.
     ◮ Generalized to any Matrix DH assumption.
     $\mathsf{Tag}(\mathsf{sk}, m) \xrightarrow{\$} \tau := ([t], [u])$, with random ($\$$) $t \in \mathbb{Z}_q^{k+1}$ and
       $$u = (x_0^\top + m \cdot x_1^\top)\, t + x'_0 \in \mathbb{Z}_q$$
     ✗ Loose Reduction ✓ Constant Parameters.

  38. Outline 1 Introduction 2 Affine MAC 3 From Affine MAC to IBE 4 Conclusion

  40. Overview of Transformation to IBE
     ◮ $\mathsf{Gen}_{\mathsf{IBE}}(\mathsf{par})$:
       $\mathsf{sk}_{\mathsf{MAC}} = x_0, \dots, x_\ell, x'_0, \dots, x'_{\ell'}$
       $\mathsf{Rand} = y_0, \dots, y_\ell, y'_0, \dots, y'_{\ell'}$
       $z_0 = \mathsf{Commit}(x_0; y_0)$

  41. Overview of Transformation to IBE
     ◮ $\mathsf{Gen}_{\mathsf{IBE}}(\mathsf{par})$:
       $\mathsf{sk}_{\mathsf{MAC}} = x_0, \dots, x_\ell, x'_0, \dots, x'_{\ell'}$
       $\mathsf{Rand} = y_0, \dots, y_\ell, y'_0, \dots, y'_{\ell'}$
       $\mathsf{pk} := ([z_i]_1, [z'_i]_1)$
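
The Tag and Ver algorithms of Construction I (slide 32), with the tag published in the implicit representation of slide 25, written out as an added Python example; it is not code from the slides or from the paper. The toy group (p = 2039, q = 1019, g = 4), the choice k = 2, bit-list messages and all function names are assumptions made for illustration.

```python
import secrets

# Toy group constructed for this example (far too small for real use):
# the order-Q subgroup of Z_P^*, P = 2Q + 1, generated by G.
P, Q, G = 2039, 1019, 4
K = 2  # dimension k of the random vector t

def enc(a):
    """Implicit representation [a] = g^a of a scalar a in Z_q."""
    return pow(G, a % Q, P)

def gen_mac(msg_len):
    """sk = (x_{i,b} in Z_q^k for every position i and bit b, x'_0 in Z_q)."""
    x = [[[secrets.randbelow(Q) for _ in range(K)] for _ in (0, 1)]
         for _ in range(msg_len)]
    return x, secrets.randbelow(Q)

def row(x, bits):
    """Message-dependent row vector sum_{i=1}^{|m|} x_{i,m_i}^T."""
    return [sum(x[i][b][j] for i, b in enumerate(bits)) % Q for j in range(K)]

def tag(sk, bits):
    """Tag(sk, m) -> ([t], [u]) with u = (sum_i x_{i,m_i}^T) t + x'_0."""
    x, x0p = sk
    t = [secrets.randbelow(Q) for _ in range(K)]
    u = (sum(r * tj for r, tj in zip(row(x, bits), t)) + x0p) % Q
    return [enc(tj) for tj in t], enc(u)

def ver(sk, bits, tau):
    """Check Eq. (*) in the exponent: [u] == prod_j [t_j]^{r_j} * [x'_0]."""
    x, x0p = sk
    t_enc, u_enc = tau
    # Reject anything outside the order-Q subgroup before using it.
    if any(pow(e, Q, P) != 1 for e in [*t_enc, u_enc]):
        return False
    expected = enc(x0p)
    for r, tj in zip(row(x, bits), t_enc):
        expected = expected * pow(tj, r, P) % P
    return expected == u_enc

def demo():
    sk = gen_mac(4)
    m = [1, 0, 1, 1]                  # constructed sample message
    t_enc, u_enc = tag(sk, m)
    forged = (t_enc, u_enc * G % P)   # shifts u by 1 in the exponent
    return ver(sk, m, (t_enc, u_enc)), ver(sk, m, forged)
```

The verifier never learns t or u themselves: it evaluates the affine equation on the group elements, which works because u is affine in t.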
