Identity-based encryption with (almost)
tight security in the multi-instance,
multi-ciphertext setting
Dennis Hofheinz, Jessica Koch, Christoph Striecks
Karlsruhe Institute of Technology, Germany
1
Overview
• Identity-Based Encryption (IBE)
• Tight Security
• Underlying IBE-Scheme by Chen and Wee
- Proof Idea
• Result: (almost) Tight Security for MultiInstance, Multi-Ciphertext IBE
2
Identity-Based Encryption (IBE)
3
IBE-IND-CPA Security
C* for id*
M0 or
M1 ?
1
2
succ.prob = + ε1
4
Multi-Instance, Multi-Ciphertext
IBE-IND-CPA Security
M0i,c or M1i,c?
1
succ.prob = + εmulti
2
5
Tight Security
...
Ni instances
...
Nc chall. ciphertexts
Nu user secret keys
security proof = reduction to hard problem (adv. = εP)
attack adv. ε1 = Nu·εP (generic)
attack adv. εmulti = Ni·Nc·ε1 = Ni·Nc·Nu·εP
attacks
potentially
easier
6
Tight Security
• Our goal: tight security i.e. εmulti ≈ εP
independent of Ni, Nc, Nu
→ smaller keys, smaller groups …
• recently: (somewhat) tightly secure multiinstance/multi-ciphertext PKE [HJ12, LJYP14]
• [Chen,Wee13]: somewhat tightly secure IBE
1 instance/1 ciphertext:
ε1 ≈ Nu·εP
7
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
normal
i
i
depends on idi = i and position
8
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal
normal C*:
type i C*:
1*
…
i*
id|i* = 1*… i*
normal usk:
type i usk:
1
…
i
id|i = 1 … i
same type
id|i* = id|i
Decryption
9
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal
normal C*:
type i C*:
normal usk:
type i usk:
id|i* = 1*… i*
id|i = 1 … i
same type
id|i* = id|i
Decryption
10
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal
normal C*:
type i C*:
1*
…
i*
id|i* = 1*… i*
normal usk:
type i usk:
1
…
i
id|i = 1 … i
same type
id|i* = id|i
same type
id|i* ≠ id|i
Decryption
11
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal
normal C*:
type i C*:
1*
i*
id|i* = 1*… i*
normal usk:
type i usk:
1
i
id|i = 1 … i
same type
id|i* = id|i
same type
id|i* ≠ id|i
Decryption
12
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal
normal C*:
type i C*:
1*
…
i*
normal usk:
type i+1 usk:
1
…
i
same type
id|i* = id|i
same type
id|i* ≠ id|i
id|i* = 1*… i*
i+1
id|i+1 = 1 … i+1
different type
id|i+1* = id|i+1
Decryption
13
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal
normal C*:
type i C*:
normal usk:
type i+1 usk:
same type
id|i* = id|i
id|i* = 1*… i*
i+1
same type
id|i* ≠ id|i
id|i+1 = 1 … i+1
different type
id|i+1* = id|i+1
Decryption
14
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal
normal C*:
type n C*:
1*
…
n*
id* = 1*… n*
normal usk:
type n usk:
1
…
n
id = 1 … n
id* ≠ id for all usks
15
Proof Idea of Chen and Wee
Sequence of games depending on n-bit identity id = 1…n :
start with real security game → change all usks and C*
normal
normal C*:
type n C*:
1*
n*
id* = 1*… n*
normal usk:
type n usk:
1
n
id = 1 … n
id* ≠ id for all usks
→ usks useless for decryption → replace C* by random
→ Adversary can only guess
16
Proof Idea of Chen and Wee
Game hop: type i → type i+1
Chall. C*:
1*
…
i*
i+1
test usk*:
1*
…
i*
usk:
1
…
i
i+1
test C:
1
…
i
Simulator embeds own challenge
Simulator can test on its own
i+1
Game i
Decryption:
i+1
Game i+1
Decryption:
i+1 =
17
Proof Idea of Chen and Wee
Game hop: type i → type i+1
Chall. C*:
i+1
test usk*:
usk:
i+1
test C:
Simulator embeds own challenge
Simulator can test on its own
i+1
Game i
Decryption:
i+1
Game i+1
Decryption:
i+1 =
18
Proof Idea of Chen and Wee
Game hop: type i → type i+1
Chall. C*:
i+1
test usk*:
usk:
i+1
test C:
Simulator embeds own challenge
Simulator can test on its own
i+1
Game i
Decryption:
i+1
Game i+1
Decryption:
i+1 =
19
Proof Idea of Chen and Wee
Game hop: type i → type i+1
Chall. C*:
i+1
test usk*:
usk:
i+1
test C:
Simulator embeds own challenge
Simulator can test on its own
i+1
Game i
Decryption:
i+1
Game i+1
Decryption:
i+1 =
20
Our Approach
Problem for multi-instance, multi-ciphertext:
Guessing of id*i+1: 1. for each instance → loss = 2Ni
2. different chall. ciphertexts have different id-bits
→ generation is not possible
Our solution:
distribute randomness into 2 compartments
≈
21
Our Approach
Solution: no guessing
id*i+1 = 0
Simulator
gets:
id*i+1 = 1
no
reaction
i+1
no
reaction
i+1
C*:
1*
…
i*
i+1
1*
…
i*
i+1
usk:
1
…
i
i+1
1
…
i
i+1
1
…
i
i+1
1
…
i
i+1
type i = type i+1
type i ≠ type i+1
type i ≠ type i+1
type i = type i+1
22
Our Approach
Solution: no guessing
id*i+1 = 0
Simulator
gets:
id*i+1 = 1
no
reaction
i+1
no
reaction
i+1
C*:
usk:
1
1
…
i
…
i
i+1
i+1
type i = type i+1
type i ≠ type i+1
type i ≠ type i+1
type i = type i+1
23
Conclusion
• no guessing
• О(n) reductions: n = length of identity
→ loss independent of the number of
ciphertexts , instances and usk-queries
• first fully secure multi-instance, multi-ciphertext
IBE with loss О(n) for n-bit identities under a simple
assumption
24
25