Verifiable Security of Boneh-Franklin Identity-Based Encryption - PowerPoint PPT Presentation

  1. Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo, Gilles Barthe, Santiago Zanella Béguelin. IMDEA Software Institute, Madrid, Spain. 5th International Conference on Provable Security, 2011.10.17. Verifiable Security of Boneh-Franklin, Identity-Based Encryption 1 / 21

  7. Identity-Based Encryption (IBE). Problem of standard PKE: key management is involved and troublesome. Proposed solution by Shamir: use the recipient's ID as public key. Diagram: (1) Alice encrypts with the public key bob@comp.com; (2) Bob authenticates to the PKG (private key generator); (3) the PKG hands Bob the private key for "bob@comp.com".

  8. Should we rely on IBE schemes? Timeline:
     1984: Shamir. Conception of identity-based cryptography.
     2001: Boneh & Franklin. First practical provably-secure IBE scheme.
     2002-2005: Gentry & Silverberg, Horwitz & Lynn, Al-Riyami & Paterson, Yao et al., Cheng & Comley. Used as building block for many other protocols.
     2005: Galindo. Security proof is flawed (but can be patched).

  9. Improving the security argument: the verifiable security paradigm. Use formal methods to build certified security proofs of cryptographic systems. Gives strong evidence of correctness of security arguments. Enables automation in proofs. Demonstrated applicability and effectiveness.

  10. Outline: (1) The provably-secure BasicIdent scheme; (2) CertiCrypt framework; (3) Machine-checked proof of BasicIdent security; (4) Summary and perspectives.

  16. An IBE Scheme. An identity-based encryption scheme is specified by four polynomial algorithms:
     Setup: security parameter → public params, master key
     Extract: public params, master key, ID → secret key
     Encrypt: public params, ID, plaintext → ciphertext
     Decrypt: public params, secret key, ciphertext → plaintext

  17. Boneh-Franklin's recipe: (1) Extend the notions of IND-CPA and IND-CCA to IBE schemes; (2) Build an IND-CPA-secure IBE scheme, BasicIdent; (3) Apply a variant of the Fujisaki-Okamoto transformation to turn BasicIdent into an IND-CCA-secure IBE scheme.

  18. The BasicIdent scheme (definition)
     Consider $G_1$ and $G_2$, two cyclic groups of prime order $q$, and $\hat{e} : G_1 \times G_1 \to G_2$, an efficiently computable bilinear map:
       $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$, and $\langle P \rangle = G_1 \Rightarrow \langle \hat{e}(P, P) \rangle = G_2$
     Two hash functions: $H_1 : \{0,1\}^\star \to G_1^+$ and $H_2 : G_2 \to \{0,1\}^n$
     The BasicIdent IBE scheme is defined as:
       $\mathrm{Setup}(k)$: $P \xleftarrow{\$} G_1^+$; $mk \xleftarrow{\$} \mathbb{Z}_q^+$; $P_{pub} \leftarrow mk \cdot P$; return $((P, P_{pub}), mk)$
       $\mathrm{Extract}(mk, ID)$: $Q_{ID} \leftarrow H_1(ID)$; return $mk \cdot Q_{ID}$
       $\mathrm{Encrypt}(ID, m)$: $Q_{ID} \leftarrow H_1(ID)$; $c \xleftarrow{\$} \mathbb{Z}_q^+$; $m' \leftarrow H_2(\hat{e}(Q_{ID}, P_{pub})^c)$; return $(c \cdot P,\ m \oplus m')$
       $\mathrm{Decrypt}(sk, (u, v))$: return $v \oplus H_2(\hat{e}(sk, u))$
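
The four algorithms above, as an added runnable example written for this page (it is not the paper's CertiCrypt development nor any library's API). To stay self-contained it uses a constructed toy pairing: $G_1$ is modelled as $\mathbb{Z}_q$ with an element $a \cdot P_0$ stored as the integer $a$, $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$ for the safe prime $p = 2q + 1$, and $\hat{e}(a P_0, b P_0) = g^{ab}$, which is bilinear by construction. The parameters $q = 509$, $p = 1019$, $g = 4$ and the SHA-256-based $H_1$, $H_2$ are assumptions of this example. Because discrete logarithms in this $G_1$ are trivial, the code demonstrates only the correctness argument (decryption inverts encryption through bilinearity) and the roles of $H_1$, $H_2$, $mk$ and $P_{pub}$, not the security of the scheme.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption of this example, not from the slides):
# q = 509 and p = 2q + 1 = 1019 are both prime, g = 4 = 2^2 is a quadratic
# residue and therefore generates the subgroup of order q in Z_p^*.
Q = 509
P_MOD = 2 * Q + 1
G = 4
N_BYTES = 32   # H2 : G2 -> {0,1}^n with n = 256


def is_prime(n):
    """Trial division is enough for the toy-sized parameters."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


assert is_prime(Q) and is_prime(P_MOD) and G != 1 and pow(G, Q, P_MOD) == 1


def pairing(a, b):
    """Toy bilinear map: e(a*P0, b*P0) = g^(a*b) in G2 (G1 elements are stored
    as their multiplier of the fixed base P0, which is why G1 is insecure here)."""
    return pow(G, (a * b) % Q, P_MOD)


def h1(identity):
    """H1 : {0,1}* -> G1^+, i.e. a non-zero multiple of P0, as an integer in [1, q-1]."""
    digest = hashlib.sha256(b"H1|" + identity).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def h2(g2_elem):
    """H2 : G2 -> {0,1}^n, the mask derived from the pairing value."""
    return hashlib.sha256(b"H2|" + g2_elem.to_bytes(4, "big")).digest()[:N_BYTES]


def setup():
    """Setup(k): P <-$ G1^+; mk <-$ Z_q^+; P_pub <- mk*P; return ((P, P_pub), mk)."""
    p = 1 + secrets.randbelow(Q - 1)
    mk = 1 + secrets.randbelow(Q - 1)
    p_pub = (mk * p) % Q
    return (p, p_pub), mk


def extract(mk, identity):
    """Extract(mk, ID): Q_ID <- H1(ID); return mk * Q_ID (the identity's secret key)."""
    return (mk * h1(identity)) % Q


def encrypt(params, identity, message):
    """Encrypt(ID, m): c <-$ Z_q^+; m' <- H2(e(Q_ID, P_pub)^c); return (c*P, m xor m')."""
    p, p_pub = params
    if len(message) != N_BYTES:
        raise ValueError("BasicIdent encrypts fixed-length n-bit messages")
    q_id = h1(identity)
    c = 1 + secrets.randbelow(Q - 1)
    g_id = pairing(q_id, p_pub)
    mask = h2(pow(g_id, c, P_MOD))
    u = (c * p) % Q
    v = bytes(x ^ y for x, y in zip(message, mask))
    return u, v


def decrypt(sk, ciphertext):
    """Decrypt(sk, (u, v)): return v xor H2(e(sk, u)).
    Correctness: e(mk*Q_ID, c*P) = e(Q_ID, P)^(mk*c) = e(Q_ID, P_pub)^c."""
    u, v = ciphertext
    mask = h2(pairing(sk, u))
    return bytes(x ^ y for x, y in zip(v, mask))


def roundtrip(identity, message):
    """Fresh Setup, Extract the key for `identity`, encrypt and decrypt `message`."""
    params, mk = setup()
    return decrypt(extract(mk, identity), encrypt(params, identity, message)) == message


def wrong_key_decrypts_garbage(identity, other_identity, message):
    """Another identity's key yields a different mask whenever H1 differs on the two IDs."""
    params, mk = setup()
    ct = encrypt(params, identity, message)
    if h1(identity) == h1(other_identity):   # possible only because G1 is toy-sized
        return True
    return decrypt(extract(mk, other_identity), ct) != message


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip(b"bob@comp.com", bytes(range(N_BYTES))))
```

The bilinearity identity in the slide, $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$, is exactly what makes `decrypt` recover the mask that `encrypt` derived from $P_{pub}$ without knowing $mk$ or $c$; swapping in a real pairing group (and a real hash-to-curve for $H_1$) changes only `pairing`, `h1` and the group arithmetic, not the four algorithms.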


  23. Tidying the proof up: the game-playing technique
     From the security goal to the reduction through a sequence of games: Game $G_0$ (the one that runs $A$), Game $G_1$, ..., Game $G_n$ (the one that runs $B$), with
       $\Pr_{G_0}[S_0] \le f_1(\Pr_{G_1}[S_1]) \le \dots \le f_n(\Pr_{G_n}[S_n])$

  24. CertiCrypt: machine-checked crypto proofs. Certified framework for building and verifying crypto proofs in the Coq proof assistant. Combination of programming language techniques and cryptography-specific tools. Game-based methodology, natural to cryptographers. Several case studies: encryption schemes (ElGamal, Hashed ElGamal, OAEP); signature schemes (FDH, BLS); zero-knowledge protocols (Schnorr, Okamoto, Diffie-Hellman, Fiat-Shamir).

  25. Inside CertiCrypt (language syntax)
     Language-based proofs: formalize security definitions, assumptions and games using a probabilistic programming language.
     pWhile: a probabilistic programming language
       C ::= skip                     nop
           | C; C                     sequence
           | V ← E                    assignment
           | V $← D                   random sampling
           | if E then C else C       conditional
           | while E do C             while loop
           | V ← P(E, ..., E)         procedure call
     x $← d: sample the value of x according to distribution d
     The language of expressions (E) and distribution expressions (D) admits user-defined extensions.

  26. Inside CertiCrypt (standard tools)
     Observational equivalence: $\models c_1 \simeq^{O}_{I} c_2$
     Example:
       $\models\; x \xleftarrow{\$} \{0,1\}^k;\ y \leftarrow x \oplus z \;\simeq^{\{x,y,z\}}_{\{z\}}\; y \xleftarrow{\$} \{0,1\}^k;\ x \leftarrow y \oplus z$
     Useful to relate probabilities:
       $\models c_1 \simeq^{O}_{I} c_2 \qquad fv(A) \subseteq O \qquad m_1 =_I m_2 \qquad\Longrightarrow\qquad \Pr[c_1, m_1 : A] = \Pr[c_2, m_2 : A]$
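
To make slides 25 and 26 concrete, here is an added example (written for this page; it is not CertiCrypt's Coq formalization) of an exact-probability interpreter for the loop-free fragment of pWhile (skip, sequence, assignment, uniform random sampling, conditional), plus a brute-force check of the observational equivalence $\models c_1 \simeq^{O}_{I} c_2$ on finite memories. The command encoding as Python tuples, the choice $k = 2$ and the use of `Fraction` for exact probabilities are assumptions of this example. It reproduces the slide's $x \oplus z$ / $y \oplus z$ example, shows a program that is not equivalent on the same $I$ and $O$, and checks the probability rule $\Pr[c_1, m_1 : A] = \Pr[c_2, m_2 : A]$.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

# Commands mirror the pWhile grammar on slide 25 (assumed encoding):
#   ('skip',), ('seq', c1, c2), ('assign', v, expr), ('sample', v, support),
#   ('if', cond, c1, c2).  expr / cond are Python callables over a memory
#   (dict var -> value); 'sample' is uniform over a finite support.
# 'while' and procedure calls are omitted: loops need a termination argument.


def freeze(mem):
    """Hashable, canonically ordered snapshot of a memory."""
    return tuple(sorted(mem.items()))


def run(cmd, mem):
    """Exact semantics: distribution over final memories reached from `mem`."""
    kind = cmd[0]
    if kind == "skip":
        return {freeze(mem): Fraction(1)}
    if kind == "assign":
        _, var, expr = cmd
        new = dict(mem)
        new[var] = expr(mem)
        return {freeze(new): Fraction(1)}
    if kind == "sample":
        _, var, support = cmd
        out = defaultdict(Fraction)
        weight = Fraction(1, len(support))
        for value in support:
            new = dict(mem)
            new[var] = value
            out[freeze(new)] += weight
        return dict(out)
    if kind == "seq":
        _, first, second = cmd
        out = defaultdict(Fraction)
        for mid, p1 in run(first, mem).items():
            for final, p2 in run(second, dict(mid)).items():
                out[final] += p1 * p2
        return dict(out)
    if kind == "if":
        _, cond, then_cmd, else_cmd = cmd
        return run(then_cmd if cond(mem) else else_cmd, mem)
    raise ValueError(f"unknown command {kind!r}")


def prob(cmd, mem, event):
    """Pr[c, m : A]: probability that the final memory satisfies predicate A."""
    return sum((p for final, p in run(cmd, mem).items() if event(dict(final))), Fraction(0))


def project(dist, outputs):
    """Marginal of a memory distribution on the output variables O."""
    out = defaultdict(Fraction)
    for final, p in dist.items():
        out[tuple((v, val) for v, val in final if v in outputs)] += p
    return dict(out)


def obs_equiv(c1, c2, inputs, outputs, variables, values):
    """|= c1 ~_I^O c2, checked by brute force: for every pair of initial memories
    that agree on I, the two programs induce the same distribution on O."""
    mems = [dict(zip(variables, vals)) for vals in product(values, repeat=len(variables))]
    for m1 in mems:
        for m2 in mems:
            if any(m1[v] != m2[v] for v in inputs):
                continue
            if project(run(c1, m1), outputs) != project(run(c2, m2), outputs):
                return False
    return True


K = 2
BITS_K = range(2 ** K)          # {0,1}^k encoded as integers
# Slide 26:  x $<- {0,1}^k; y <- x xor z    vs    y $<- {0,1}^k; x <- y xor z
C1 = ("seq", ("sample", "x", BITS_K), ("assign", "y", lambda m: m["x"] ^ m["z"]))
C2 = ("seq", ("sample", "y", BITS_K), ("assign", "x", lambda m: m["y"] ^ m["z"]))
# Constructed non-example: ignores z, so it is NOT equivalent to C1 on O = {x, y, z}.
C3 = ("seq", ("sample", "x", BITS_K), ("assign", "y", lambda m: m["x"]))
VARS, I, O = ("x", "y", "z"), {"z"}, {"x", "y", "z"}


def check_slide_example():
    return obs_equiv(C1, C2, I, O, VARS, BITS_K)


def check_counterexample():
    return obs_equiv(C1, C3, I, O, VARS, BITS_K)


if __name__ == "__main__":
    print("C1 ~ C2:", check_slide_example(), " C1 ~ C3:", check_counterexample())
```

The equivalence holds because $x \mapsto x \oplus z$ is a bijection on $\{0,1\}^k$ for any fixed $z$, so both programs push the uniform distribution to the same joint distribution on $(x, y, z)$; the probability rule then lets a proof swap one program for the other inside a game whenever the event only mentions variables in $O$, which is the basic move behind the game transformations on slide 23.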
