Chosen-Ciphertext Secure Identity-Based Encryption from Computational Bilinear Diffie-Hellman
Cryptography and Network Security, 4th edition: Chapter 2 Answers (complete version, translated)

Chapter 2

2.1 What are the essential ingredients of a symmetric cipher?
Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.

2.2 What are the two basic functions used in encryption algorithms?
Permutation and substitution. (textbook p. 20)

2.3 How many keys are required for two people to communicate via a cipher?
A symmetric cipher needs only one key; an asymmetric cipher needs two. (textbook p. 20)

2.4 What is the difference between a block cipher and a stream cipher?
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. In other words, a block cipher takes one block of elements as input and produces a corresponding output block, whereas a stream cipher processes the input elements continuously, producing one output element at a time. (textbook p. 20)

2.5 What are the two general approaches to attacking a cipher?
Cryptanalysis and brute force.

2.6 List and briefly define types of cryptanalytic attacks based on what is known to the attacker.
Ciphertext only. One possible attack under these circumstances is the brute-force approach of trying all possible keys. If the key space is very large, this becomes impractical. Thus, the opponent must rely on an analysis of the ciphertext itself, generally applying various statistical tests to it.
Known plaintext. The analyst may be able to capture one or more plaintext messages as well as their encryptions. With this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed.
Chosen plaintext. If the analyst is able to choose the messages to encrypt, the analyst may deliberately pick patterns that can be expected to reveal the structure of the key.

2.7 What is the difference between an unconditionally secure cipher and a computationally secure cipher?
An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. An encryption scheme is said to be computationally secure if: (1) the cost of breaking the cipher exceeds the value of the encrypted information, and (2) the time required to break the cipher exceeds the useful lifetime of the information. (textbook p. 21)

2.8 Briefly define the Caesar cipher.
The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25. (textbook p. 22)

2.9 Briefly define the monoalphabetic cipher.
A monoalphabetic substitution cipher maps a plaintext alphabet to a ciphertext alphabet, so that each letter of the plaintext alphabet maps to a single unique letter of the ciphertext alphabet. (textbook p. 23)

2.10 Briefly define the Playfair cipher.
The Playfair algorithm is based on the use of a 5 × 5 matrix of letters constructed using a keyword. Plaintext is encrypted two letters at a time using this matrix. (textbook p. 26)

2.11 What is the difference between a monoalphabetic cipher and a polyalphabetic cipher?
A polyalphabetic substitution cipher uses a separate monoalphabetic substitution cipher for each successive letter of plaintext, depending on a key. (textbook p. 30)

2.12 What are two problems with the one-time pad?
1. There is the practical problem of making large quantities of random keys. Any heavily used system might require millions of random characters on a regular basis. Supplying truly random characters in this volume is a significant task.
2. Even more daunting is the problem of key distribution and protection. For every message to be sent, a key of equal length is needed by both sender and receiver. Thus, a mammoth key distribution problem exists. (textbook p. 33)

2.13 What is a transposition cipher?
A transposition cipher involves a permutation of the plaintext letters. (textbook p. 33)

2.14 What is steganography?
Steganography involves concealing the existence of a message. (textbook p. 36)

2.7.3 Problems
2.1 a. Are there any limitations on the value of b? Explain why.
Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages 213–229, Springer-Verlag, 2001.

Identity-Based Encryption from the Weil Pairing

Dan Boneh∗ Matthew Franklin†
dabo@ franklin@

∗ Supported by DARPA contract F30602-99-1-0530, NSF, and the Packard Foundation.
† Supported by an NSF Career Award and the Packard Foundation.

Abstract

We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.

1 Introduction

In 1984 Shamir [41] asked for a public key encryption scheme in which the public key can be an arbitrary string. In such a scheme there are four algorithms: (1) setup generates global system parameters and a master-key, (2) extract uses the master-key to generate the private key corresponding to an arbitrary public key string ID ∈ {0,1}*, (3) encrypt encrypts messages using the public key ID, and (4) decrypt decrypts messages using the corresponding private key.

Shamir's original motivation for identity-based encryption was to simplify certificate management in e-mail systems. When Alice sends mail to Bob at bob@ she simply encrypts her message using the public key string "bob@". There is no need for Alice to obtain Bob's public key certificate. When Bob receives the encrypted mail he contacts a third party, which we call the Private Key Generator (PKG). Bob authenticates himself to the PKG in the same way he would authenticate himself to a CA and obtains his private key from the PKG. Bob can then read his e-mail. Note that unlike the existing secure e-mail infrastructure, Alice can send encrypted mail to Bob even if Bob has not yet set up his public key certificate. Also note that key escrow is inherent in identity-based e-mail systems: the PKG knows Bob's private key. We discuss key revocation, as well as several new applications for IBE schemes, in the next section.

Since the problem was posed in 1984 there have been several proposals for IBE schemes [11, 45, 44, 31, 25] (see also [33, p. 561]). However, none of these are fully satisfactory. Some solutions require that users not collude. Other solutions require the PKG to spend a long time for each private key generation request. Some solutions require tamper resistant hardware. It is fair to say that until the results in [5] constructing a usable IBE system was an open problem. Interestingly, the related notions of identity-based signature and authentication schemes, also introduced by Shamir [41], do have satisfactory solutions [15, 14].

In this paper we propose a fully functional identity-based encryption scheme. The performance of our system is comparable to the performance of ElGamal encryption in F_p^*. The security of our system is based on a natural analogue of the computational Diffie-Hellman assumption. Based on this assumption we show that the new system has chosen ciphertext security in the random oracle model. Using standard techniques from threshold cryptography [20, 22] the PKG in our scheme can be distributed so that the master-key is never available in a single location. Unlike common threshold systems, we show that robustness for our distributed PKG is free.

Our IBE system can be built from any bilinear map e: G1 × G1 → G2 between two groups G1, G2 as long as a variant of the Computational Diffie-Hellman problem in G1 is hard. We use the Weil pairing on elliptic curves as an example of such a map. Until recently the Weil pairing has mostly been used for attacking elliptic curve systems [32, 17]. Joux [26] recently showed that the Weil pairing can be used for "good" by using it for a protocol for three party one round Diffie-Hellman key exchange. Sakai et al. [40] used the pairing for key exchange and Verheul [46] used it to construct an ElGamal encryption scheme where each public key has two corresponding private keys. In addition to our identity-based encryption scheme, we show how to construct an ElGamal encryption scheme with "built-in" key escrow, i.e., where one global escrow key can decrypt ciphertexts encrypted under any public key.

To argue about the security of our IBE system we define chosen ciphertext security for identity-based encryption. Our model gives the adversary more power than the standard model for chosen ciphertext security [37, 2]. First, we allow the attacker to attack an arbitrary public key ID of her choice. Second, while mounting a chosen ciphertext attack on ID we allow the attacker to obtain from the PKG the private key for any public key of her choice, other than the private key for ID. This models an attacker who obtains a number of private keys corresponding to some identities of her choice and then tries to attack some other public key ID of her choice. Even with the help of such queries the attacker should have negligible advantage in defeating the semantic security of the system.

The rest of the paper is organized as follows. Several applications of identity-based encryption are discussed in Section 1.1. We then give precise definitions and security models in Section 2. We describe bilinear maps with certain properties in Section 3. Our identity-based encryption scheme is presented in Section 4 using general bilinear maps. Then a concrete identity based system from the Weil pairing is given in Section 5. Some extensions and variations (efficiency improvements, distribution of the master-key) are considered in Section 6. Our construction for ElGamal encryption with a global escrow key is described in Section 7. Section 8 gives conclusions and some open problems. The Appendix contains a more detailed discussion of the Weil pairing.

1.1 Applications for Identity-Based Encryption

The original motivation for identity-based encryption is to help the deployment of a public key infrastructure. In this section, we show several other unrelated applications.

1.1.1 Revocation of Public Keys

Public key certificates contain a preset expiration date. In an IBE system key expiration can be done by having Alice encrypt e-mail sent to Bob using the public key: "bob@ current-year". In doing so Bob can use his private key during the current year only. Once a year Bob needs to obtain a new private key from the PKG. Hence, we get the effect of annual private key expiration. Note that unlike the existing PKI, Alice does not need to obtain a new certificate from Bob every time Bob refreshes his private key.

One could potentially make this approach more granular by encrypting e-mail for Bob using "bob@ current-date". This forces Bob to obtain a new private key every day. This might be possible in a corporate PKI where the PKG is maintained by the corporation. With this approach key revocation is very simple: when Bob leaves the company and his key needs to be revoked, the corporate PKG is instructed to stop issuing private keys for Bob's e-mail address. As a result, Bob can no longer read his email. The interesting property is that Alice does not need to communicate with any third party certificate directory to obtain Bob's daily public key. Hence, identity based encryption is a very efficient mechanism for implementing ephemeral public keys. Also note that this approach enables Alice to send messages into the future: Bob will only be able to decrypt the e-mail on the date specified by Alice (see [38, 12] for methods of sending messages into the future using a stronger security model).

Managing user credentials. A simple extension to the discussion above enables us to manage user credentials using the IBE system. Suppose Alice encrypts mail to Bob using the public key: "bob@ current-year clearance=secret". Then Bob will only be able to read the email if on the specified date he has secret clearance. Consequently, it is easy to grant and revoke user credentials using the PKG.

1.1.2 Delegation of Decryption Keys

Another application for IBE systems is delegation of decryption capabilities. We give two example applications. In both applications the user Bob plays the role of the PKG. Bob runs the setup algorithm to generate his own IBE system parameters params and his own master-key. Here we view params as Bob's public key. Bob obtains a certificate from a CA for his public key params. When Alice wishes to send mail to Bob she first obtains Bob's public key params from Bob's public key certificate. Note that Bob is the only one who knows his master-key and hence there is no key-escrow with this setup.

1. Delegation to a laptop. Suppose Alice encrypts mail to Bob using the current date as the IBE encryption key (she uses Bob's params as the IBE system parameters). Since Bob has the master-key he can extract the private key corresponding to this IBE encryption key and then decrypt the message. Now, suppose Bob goes on a trip for seven days. Normally, Bob would put his private key on his laptop. If the laptop is stolen the private key is compromised. When using the IBE system Bob could simply install on his laptop the seven private keys corresponding to the seven days of the trip. If the laptop is stolen, only the private keys for those seven days are compromised. The master-key is unharmed. This is analogous to the delegation scenario for signature schemes considered by Goldreich et al. [23].

2. Delegation of duties. Suppose Alice encrypts mail to Bob using the subject line as the IBE encryption key. Bob can decrypt mail using his master-key. Now, suppose Bob has several assistants each responsible for a different task (e.g. one is 'purchasing', another is 'human-resources', etc.). Bob gives one private key to each of his assistants corresponding to the assistant's responsibility. Each assistant can then decrypt messages whose subject line falls within its responsibilities, but it cannot decrypt messages intended for other assistants. Note that Alice only obtains a single public key from Bob (params), and she uses that public key to send mail with any subject line of her choice. The mail can only be read by the assistant responsible for that subject.

More generally, IBE can simplify security systems that manage a large number of public keys. Rather than storing a big database of public keys the system can either derive these public keys from usernames, or simply use the integers 1, ..., n as distinct public keys.

2 Definitions

Identity-Based Encryption. An identity-based encryption scheme E is specified by four randomized algorithms: Setup, Extract, Encrypt, Decrypt:

Setup: takes a security parameter k and returns params (system parameters) and master-key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. Intuitively, the system parameters will be publicly known, while the master-key will be known only to the "Private Key Generator" (PKG).

Extract: takes as input params, master-key, and an arbitrary ID ∈ {0,1}*, and returns a private key d. Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private decryption key. The Extract algorithm extracts a private key from the given public key.

Encrypt: takes as input params, ID, and M ∈ M. It returns a ciphertext C ∈ C.

Decrypt: takes as input params, C ∈ C, and a private key d. It returns M ∈ M.

These algorithms must satisfy the standard consistency constraint, namely when d is the private key generated by algorithm Extract when it is given ID as the public key, then

$$\forall M \in \mathcal{M}:\quad \mathrm{Decrypt}(\mathit{params}, C, d) = M \quad\text{where}\quad C = \mathrm{Encrypt}(\mathit{params}, \mathit{ID}, M)$$

Chosen ciphertext security. Chosen ciphertext security (IND-CCA) is the standard acceptable notion of security for a public key encryption scheme [37, 2, 13]. Hence, it is natural to require that an identity-based encryption scheme also satisfy this strong notion of security. However, the definition of chosen ciphertext security must be strengthened a bit. The reason is that when an adversary attacks a public key ID in an identity-based system, the adversary might already possess the private keys of users ID_1, ..., ID_n of her choice. The system should remain secure under such an attack. Hence, the definition of chosen ciphertext security must allow the adversary to obtain the private key associated with any identity ID_i of her choice (other than the public key ID being attacked). We refer to such queries as private key extraction queries. Another difference is that the adversary is challenged on a public key ID of her choice (as opposed to a random public key).

We say that an identity-based encryption scheme E is semantically secure against an adaptive chosen ciphertext attack (IND-ID-CCA) if no polynomially bounded adversary A has a non-negligible advantage against the Challenger in the following IND-ID-CCA game:

Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.

Phase 1: The adversary issues queries q_1, ..., q_m where query q_i is one of:
– Extraction query ⟨ID_i⟩. The challenger responds by running algorithm Extract to generate the private key d_i corresponding to the public key ID_i. It sends d_i to the adversary.
– Decryption query ⟨ID_i, C_i⟩. The challenger responds by running algorithm Extract to generate the private key d_i corresponding to ID_i. It then runs algorithm Decrypt to decrypt the ciphertext C_i using the private key d_i. It sends the resulting plaintext to the adversary.
These queries may be asked adaptively, that is, each query q_i may depend on the replies to q_1, ..., q_{i−1}.

Challenge: Once the adversary decides that Phase 1 is over it outputs two equal length plaintexts M_0, M_1 ∈ M and an identity ID on which it wishes to be challenged. The only constraint is that ID did not appear in any private key extraction query in Phase 1. The challenger picks a random bit b ∈ {0,1} and sets C = Encrypt(params, ID, M_b). It sends C as the challenge to the adversary.

Phase 2: The adversary issues more queries q_{m+1}, ..., q_n where query q_i is one of:
– Extraction query ⟨ID_i⟩ where ID_i ≠ ID. Challenger responds as in Phase 1.
– Decryption query ⟨ID_i, C_i⟩ ≠ ⟨ID, C⟩. Challenger responds as in Phase 1.
These queries may be asked adaptively as in Phase 1.

Guess: Finally, the adversary outputs a guess b' ∈ {0,1} and wins the game if b = b'.

We refer to such an adversary A as an IND-ID-CCA adversary. We define adversary A's advantage in attacking the scheme E as the following function of the security parameter k (k is given as input to the challenger):

$$\mathrm{Adv}_{\mathcal{E},\mathcal{A}}(k) = \left|\Pr[b = b'] - \tfrac{1}{2}\right|.$$

The probability is over the random bits used by the challenger and the adversary.

Using the IND-ID-CCA game we can define chosen ciphertext security for IBE schemes. As usual, we say that a function g: R → R is negligible if for any d > 0 we have |g(k)| < 1/k^d for sufficiently large k.

Definition 2.1. We say that the IBE system E is semantically secure against an adaptive chosen ciphertext attack if for any polynomial time IND-ID-CCA adversary A the function Adv_{E,A}(k) is negligible. As shorthand, we say that E is IND-ID-CCA secure.

Note that the standard definition of chosen ciphertext security (IND-CCA) [37, 2] is the same as above except that there are no private key extraction queries and the adversary is challenged on a random public key (rather than a public key of her choice). Private key extraction queries are related to the definition of chosen ciphertext security in the multiuser settings [7]. After all, our definition involves multiple public keys belonging to multiple users. In [7] the authors show that multiuser IND-CCA is reducible to single user IND-CCA using a standard hybrid argument. This does not hold in the identity-based settings, IND-ID-CCA, since the adversary gets to choose which public keys to corrupt during the attack. To emphasize the importance of private key extraction queries we note that our IBE system can be easily modified (by removing one of the hash functions) into a system which has chosen ciphertext security when private extraction queries are disallowed. However, the scheme is completely insecure when extraction queries are allowed.

Semantically secure identity based encryption. The proof of security for our IBE system makes use of a weaker notion of security known as semantic security (also known as semantic security against a chosen plaintext attack) [24, 2]. Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited; it cannot issue decryption queries while attacking the challenge public key. For a standard public key system (not an identity based system) semantic security is defined using the following game: (1) the adversary is given a random public key generated by the challenger, (2) the adversary outputs two equal length messages M_0 and M_1 and receives the encryption of M_b from the challenger where b is chosen at random in {0,1}, (3) the adversary outputs b' and wins the game if b = b'. The public key system is said to be semantically secure if no polynomial time adversary can win the game with a non-negligible advantage. As shorthand we say that a semantically secure public key system is IND-CPA secure. Semantic security captures our intuition that given a ciphertext the adversary learns nothing about the corresponding plaintext.

To define semantic security for identity based systems (denoted IND-ID-CPA) we strengthen the standard definition by allowing the adversary to issue chosen private key extraction queries. Similarly, the adversary is challenged on a public key ID of her choice. We define semantic security for identity based encryption schemes using an IND-ID-CPA game. The game is identical to the IND-ID-CCA game defined above except that the adversary cannot make any decryption queries. The adversary can only make private key extraction queries. We say that an identity-based encryption scheme E is semantically secure (IND-ID-CPA) if no polynomially bounded adversary A has a non-negligible advantage against the Challenger in the following IND-ID-CPA game:

Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.

Phase 1: The adversary issues private key extraction queries ID_1, ..., ID_m. The challenger responds by running algorithm Extract to generate the private key d_i corresponding to the public key ID_i. It sends d_i to the adversary. These queries may be asked adaptively.

Challenge: Once the adversary decides that Phase 1 is over it outputs two equal length plaintexts M_0, M_1 ∈ M and a public key ID on which it wishes to be challenged. The only constraint is that ID did not appear in any private key extraction query in Phase 1. The challenger picks a random bit b ∈ {0,1} and sets C = Encrypt(params, ID, M_b). It sends C as the challenge to the adversary.

Phase 2: The adversary issues more extraction queries ID_{m+1}, ..., ID_n. The only constraint is that ID_i ≠ ID. The challenger responds as in Phase 1.

Guess: Finally, the adversary outputs a guess b' ∈ {0,1} and wins the game if b = b'.

We refer to such an adversary A as an IND-ID-CPA adversary. As we did above, the advantage of an IND-ID-CPA adversary A against the scheme E is the following function of the security parameter k:

$$\mathrm{Adv}_{\mathcal{E},\mathcal{A}}(k) = \left|\Pr[b = b'] - \tfrac{1}{2}\right|.$$

The probability is over the random bits used by the challenger and the adversary.

Definition 2.2. We say that the IBE system E is semantically secure if for any polynomial time IND-ID-CPA adversary A the function Adv_{E,A}(k) is negligible. As shorthand, we say that E is IND-ID-CPA secure.

One way identity-based encryption. One can define an even weaker notion of security called one-way encryption (OWE) [16]. Roughly speaking, a public key encryption scheme is a one-way encryption if given the encryption of a random plaintext the adversary cannot produce the plaintext in its entirety. One way encryption is a weak notion of security since there is nothing preventing the adversary from, say, learning half the bits of the plaintext. Hence, one-way encryption schemes do not generally provide secure encryption. In the random oracle model one-way encryption schemes can be used for encrypting session-keys (the session-key is taken to be the hash of the plaintext). We note that one can extend the notion of one-way encryption to identity based systems by adding private key extraction queries to the definition. We do not give the full definition here since in this paper we use semantic security as the weakest notion of security. See [5] for the full definition of identity based one-way encryption, and its use as part of an alternative proof strategy for our main result.

Random oracle model. To analyze the security of certain natural cryptographic constructions Bellare and Rogaway introduced an idealized security model called the random oracle model [3]. Roughly speaking, a random oracle is a function H: X → Y chosen uniformly at random from the set of all functions {h: X → Y} (we assume Y is a finite set). An algorithm can query the random oracle at any point x ∈ X and receive the value H(x) in response. Random oracles are used to model cryptographic hash functions such as SHA-1. Note that security in the random oracle model does not imply security in the real world. Nevertheless, the random oracle model is a useful tool for validating natural cryptographic constructions. Security proofs in this model prove security against attackers that are confined to the random oracle world.

Notation. From here on we use Z_q to denote the group {0, ..., q−1} under addition modulo q. For a group G of prime order we use G* to denote the set G* = G \ {O} where O is the identity element in the group G. We use Z^+ to denote the set of positive integers.

3 Bilinear maps and the Bilinear Diffie-Hellman Assumption

Let G1 and G2 be two groups of order q for some large prime q. Our IBE system makes use of a bilinear map ê: G1 × G1 → G2 between these two groups. The map must satisfy the following properties:

1. Bilinear: We say that a map ê: G1 × G1 → G2 is bilinear if ê(aP, bQ) = ê(P, Q)^{ab} for all P, Q ∈ G1 and all a, b ∈ Z.
2. Non-degenerate: The map does not send all pairs in G1 × G1 to the identity in G2. Observe that since G1, G2 are groups of prime order this implies that if P is a generator of G1 then ê(P, P) is a generator of G2.
3. Computable: There is an efficient algorithm to compute ê(P, Q) for any P, Q ∈ G1.

A bilinear map satisfying the three properties above is said to be an admissible bilinear map. In Section 5 we give a concrete example of groups G1, G2 and an admissible bilinear map between them. The group G1 is a subgroup of the additive group of points of an elliptic curve E/F_p. The group G2 is a subgroup of the multiplicative group of a finite field F_{p^2}^*. Therefore, throughout the paper we view G1 as an additive group and G2 as a multiplicative group. As we will see in Section 5.1, the Weil pairing can be used to construct an admissible bilinear map between these two groups.

The existence of the bilinear map ê: G1 × G1 → G2 as above has two direct implications to these groups.

The MOV reduction: Menezes, Okamoto, and Vanstone [32] show that the discrete log problem in G1 is no harder than the discrete log problem in G2. To see this, let P, Q ∈ G1 be an instance of the discrete log problem in G1 where both P, Q have order q. We wish to find an α ∈ Z_q such that Q = αP. Let g = ê(P, P) and h = ê(Q, P). Then, by bilinearity of ê we know that h = g^α. By non-degeneracy of ê both g, h have order q in G2. Hence, we reduced the discrete log problem in G1 to a discrete log problem in G2. It follows that for discrete log to be hard in G1 we must choose our security parameter so that discrete log is hard in G2 (see Section 5).

Decision Diffie-Hellman is Easy: The Decision Diffie-Hellman problem (DDH) [4] in G1 is to distinguish between the distributions ⟨P, aP, bP, abP⟩ and ⟨P, aP, bP, cP⟩ where a, b, c are random in Z_q^* and P is random in G1^*. Joux and Nguyen [28] point out that DDH in G1 is easy. To see this, observe that given P, aP, bP, cP ∈ G1^* we have

$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP).$$

The Computational Diffie-Hellman problem (CDH) in G1 can still be hard (CDH in G1 is to find abP given random ⟨P, aP, bP⟩). Joux and Nguyen [28] give examples of mappings ê: G1 × G1 → G2 where CDH in G1 is believed to be hard even though DDH in G1 is easy.

3.1 The Bilinear Diffie-Hellman Assumption (BDH)

Since the Decision Diffie-Hellman problem (DDH) in G1 is easy we cannot use DDH to build cryptosystems in the group G1. Instead, the security of our IBE system is based on a variant of the Computational Diffie-Hellman assumption called the Bilinear Diffie-Hellman Assumption (BDH).

Bilinear Diffie-Hellman Problem. Let G1, G2 be two groups of prime order q. Let ê: G1 × G1 → G2 be an admissible bilinear map and let P be a generator of G1. The BDH problem in ⟨G1, G2, ê⟩ is as follows: Given ⟨P, aP, bP, cP⟩ for some a, b, c ∈ Z_q^* compute W = ê(P, P)^{abc} ∈ G2. An algorithm A has advantage ε in solving BDH in ⟨G1, G2, ê⟩ if

$$\Pr\left[\mathcal{A}(P, aP, bP, cP) = \hat e(P, P)^{abc}\right] \ge \varepsilon$$

where the probability is over the random choice of a, b, c in Z_q^*, the random choice of P ∈ G1^*, and the random bits of A.

BDH Parameter Generator. We say that a randomized algorithm G is a BDH parameter generator if (1) G takes a security parameter k ∈ Z^+, (2) G runs in polynomial time in k, and (3) G outputs a prime number q, the description of two groups G1, G2 of order q, and the description of an admissible bilinear map ê: G1 × G1 → G2. We denote the output of G by G(1^k) = ⟨q, G1, G2, ê⟩. The security parameter k is used to determine the size of q; for example, one could take q to be a random k-bit prime. For i = 1, 2 we assume that the description of the group G_i contains polynomial time (in k) algorithms for computing the group action in G_i and contains a generator of G_i. The generator of G_i enables us to generate uniformly random elements in G_i. Similarly, we assume that the description of ê contains a polynomial time algorithm for computing ê. We give an example of a BDH parameter generator in Section 5.1.

BDH Assumption. Let G be a BDH parameter generator. We say that an algorithm A has advantage ε(k) in solving the BDH problem for G if for sufficiently large k:

$$\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(k) = \Pr\left[\mathcal{A}(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\middle|\; \langle q, G_1, G_2, \hat e\rangle \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\right] \ge \varepsilon(k)$$

We say that G satisfies the BDH assumption if for any randomized polynomial time (in k) algorithm A we have that Adv_{G,A}(k) is a negligible function. When G satisfies the BDH assumption we say that BDH is hard in groups generated by G.

In Section 5.1 we give some examples of BDH parameter generators that are believed to satisfy the BDH assumption. We note that Joux [26] (implicitly) used the BDH assumption to construct a one-round three party Diffie-Hellman protocol. The BDH assumption is also needed for constructions in [46, 40].

Hardness of BDH. It is interesting to study the relationship of the BDH problem to other hard problems used in cryptography. Currently, all we can say is that the BDH problem in ⟨G1, G2, ê⟩ is no harder than the CDH problem in G1 or G2. In other words, an algorithm for CDH in G1 or G2 is sufficient for solving BDH in ⟨G1, G2, ê⟩. The converse is currently an open problem: is an algorithm for BDH sufficient for solving CDH in G1 or in G2? We refer to a survey by Joux [27] for a more detailed analysis of the relationship between BDH and other standard problems.

We note that in all our examples (in Section 5.1) the isomorphisms from G1 to G2 induced by the bilinear map are believed to be one-way functions. More specifically, for a point Q ∈ G1^* define the isomorphism f_Q: G1 → G2 by f_Q(P) = ê(P, Q). If any one of these isomorphisms turns out to be invertible then BDH is easy in ⟨G1, G2, ê⟩. Fortunately, an efficient algorithm for inverting f_Q for some fixed Q would imply an efficient algorithm for deciding DDH in the group G2. In all our examples DDH is believed to be hard in the group G2. Hence, all the isomorphisms f_Q: G1 → G2 induced by the bilinear map are believed to be one-way functions.

4 Our Identity-Based Encryption Scheme

We describe our scheme in stages. First we give a basic identity-based encryption scheme which is not secure against an adaptive chosen ciphertext attack. The only reason for describing the basic scheme is to make the presentation easier to follow. Our full scheme, described in Section 4.2, extends the basic scheme to get security against an adaptive chosen ciphertext attack (IND-ID-CCA) in the random oracle model. In Section 4.3 we relax some of the requirements on the hash functions. The presentation in this section uses an arbitrary BDH parameter generator G satisfying the BDH assumption. In Section 5 we describe a concrete IBE system using the Weil pairing.

4.1 BasicIdent

To explain the basic ideas underlying our IBE system we describe the following simple scheme, called BasicIdent. We present the scheme by describing the four algorithms: Setup, Extract, Encrypt, Decrypt. We let k be the security parameter given to the setup algorithm. We let G be some BDH parameter generator.

Setup: Given a security parameter k ∈ Z^+, the algorithm works as follows:
Step 1: Run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map ê: G1 × G1 → G2. Choose a random generator P ∈ G1.
Step 2: Pick a random s ∈ Z_q^* and set P_pub = sP.
Step 3: Choose a cryptographic hash function H1: {0,1}* → G1^*. Choose a cryptographic hash function H2: G2 → {0,1}^n for some n. The security analysis will view H1, H2 as random oracles.
The message space is M = {0,1}^n. The ciphertext space is C = G1^* × {0,1}^n. The system parameters are params = ⟨q, G1, G2, ê, n, P, P_pub, H1, H2⟩. The master-key is s ∈ Z_q^*.

Extract: For a given string ID ∈ {0,1}* the algorithm does: (1) computes Q_ID = H1(ID) ∈ G1^*, and (2) sets the private key d_ID to be d_ID = sQ_ID where s is the master key.

Encrypt: To encrypt M ∈ M under the public key ID do the following: (1) compute Q_ID = H1(ID) ∈ G1^*, (2) choose a random r ∈ Z_q^*, and (3) set the ciphertext to be

$$C = \langle rP,\ M \oplus H_2(g_{ID}^{\,r})\rangle \quad\text{where}\quad g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*$$
Information Systems Security Engineering: Foundations of Cryptography and Classical Encryption

Attack conditions for cryptanalysis
According to how much the cryptanalyst knows about the plaintext, the ciphertext and related information, cryptanalysis is divided into the following four settings (increasing in strength):
1. Ciphertext-only attack: the attacker has only the ciphertext to be broken.
2. Known-plaintext attack: the attacker has some quantity of ciphertext together with the corresponding plaintext.
3. Chosen-plaintext attack: the attacker can choose plaintexts and obtain the corresponding ciphertexts.
4. Chosen-ciphertext attack: the attacker can choose ciphertexts and obtain the corresponding plaintexts.
Key space: 26
Brute-force attack on the shift cipher
Because the shift cipher has only 26 possible keys, the key can simply be tried exhaustively: substitute each key into the decryption rule until a "meaningful" plaintext string appears. For example, a brute-force (ciphertext-only) attack on the earlier Caesar cipher example runs as follows:

Key   Candidate plaintext
      PHHW PH DIWHU WKH WRJD SDUWB   (ciphertext)
1     oggv og chvgt vjg vqic rctva
2     nffu nf bgufs uif uphb qbsuz
3     meet me after the toga party
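The exhaustive search above as an added example (my code, not part of the lecture notes): it decrypts the ciphertext under every one of the 26 shifts and ranks the candidates by how many tokens occur in a small embedded English word list, which is one mechanical stand-in for "a meaningful plaintext". The word list, the scoring rule and the function names are my choices; the ciphertext is the one from the table.

```python
import string

ALPHABET = string.ascii_lowercase

def shift_decrypt(ciphertext, key):
    """Decrypt a Caesar/shift cipher: each letter moves `key` places back in the
    alphabet.  Case is folded to lower-case; non-letters are passed through."""
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def brute_force(ciphertext):
    """The key space is only 26 (key 0 is the identity), so return every candidate,
    keyed by the shift that produced it."""
    return {key: shift_decrypt(ciphertext, key) for key in range(26)}

# Constructed stand-in for "meaningful plaintext": a tiny English word list.
COMMON_WORDS = {"the", "a", "to", "me", "meet", "after", "and", "of",
                "party", "at", "in", "is"}

def score(text):
    """Number of whitespace-separated tokens that are dictionary words."""
    return sum(1 for tok in text.split() if tok.strip(".,!?") in COMMON_WORDS)

def best_key(ciphertext):
    """Return (key, plaintext) of the highest-scoring candidate; ties go to the
    smaller key."""
    candidates = brute_force(ciphertext)
    key = max(candidates, key=lambda k: (score(candidates[k]), -k))
    return key, candidates[key]

if __name__ == "__main__":
    ct = "PHHW PH DIWHU WKH WRJD SDUWB"   # ciphertext from the notes
    for k, pt in brute_force(ct).items():
        print(f"key {k:2d}: {pt}")
    print("best:", best_key(ct))
```

With a real cipher the same loop is hopeless only because the key space is astronomically larger, not because the procedure differs; the scoring step is what an attacker automates once candidates cannot be inspected by eye.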
2. Provable security
3. Unconditional security

2. Classification of cryptosystems
By the keys the two communicating parties use: single-key (symmetric) cryptosystems and public-key cryptosystems. By how the plaintext is processed: block ciphers and stream ciphers.

Single-key and public-key systems
Single-key systems
Also called symmetric or conventional encryption systems. Within one encryption/decryption the sender and receiver use the same key (or, if the keys differ, one is easily derived from the other).
Proof that there are infinitely many primes, and a description of attacks on RSA

1. The infinitude of primes is proved by contradiction.
Suppose there are only finitely many primes, n of them, listed in increasing order as p1, p2, ..., pn, and let x = (p1 · p2 · ... · pn) + 1. Clearly x is not divisible by any of p1, p2, ..., pn, so either x is itself prime or it has a prime factor outside the list; either way there is a prime not among p1, ..., pn, which contradicts the assumption that there are only n primes. Hence there are infinitely many primes.
2. Attacks on RSA. The potential attacks fall into the following classes:
(1) Factorization attack. The security of RSA rests on the idea that the modulus is so large that factoring it in a reasonable amount of time is infeasible.
Bob chooses p and q and computes n = p × q.
Although n is public, p and q are kept secret.
If Eve can factor n and obtain p and q, she can compute ….
Then, because e is public, Eve can also compute ….
The private exponent d is the trapdoor that Eve can use to decrypt any encrypted message.
There are many factorization algorithms, but none of them factors large integers in polynomial time.
For security, current practice requires n to be larger than 300 decimal digits, which means the modulus must be at least 1024 bits.
Even on the largest and fastest computers available today, the time needed to factor an integer of that size is unimaginable.
This means that RSA remains secure as long as no more efficient factorization algorithm is discovered.
(2) Chosen-ciphertext attack. The potential attacks on RSA in this class are based on RSA's multiplicative property. Suppose Alice creates the ciphertext C = P^e mod n and sends C to Bob.
Suppose also that Bob will decrypt arbitrary ciphertexts for Eve, as long as it is not C itself.
Eve intercepts C and recovers P with the following steps: (1) Eve chooses a random integer X in ….
(2) Eve computes ….
(3) To get it decrypted, Eve sends Y to Bob and receives …; this step is what makes it a chosen-ciphertext attack.
(4) Eve can then easily obtain P: she uses the extended Euclidean algorithm to find the multiplicative inverse of X and finally computes ….
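The factorization attack and the chosen-ciphertext (blinding) attack described above, worked through as an added example (my code, not the textbook's). The quantities the text leaves out are the standard ones: after factoring, φ(n) = (p − 1)(q − 1) and d = e^(−1) mod φ(n); for the blinding attack, X is drawn from Z_n^* (gcd(X, n) = 1), Y = C · X^e mod n, Bob returns Y^d mod n = P · X mod n, and P = (P · X) · X^(−1) mod n. The key p = 61, q = 53, e = 17 is a constructed toy key, small enough that trial division factors n instantly; the DecryptionOracle class and the function names are my own modelling of "Bob decrypts anything except C".

```python
import math
import random

# Constructed toy key: p = 61, q = 53 gives n = 3233, phi = 3120, e = 17, d = 2753.
P_PRIME, Q_PRIME, E = 61, 53, 17

def rsa_keygen(p, q, e):
    """Textbook RSA key generation from two primes and a public exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return n, e, pow(e, -1, phi)          # d = e^-1 mod phi(n)

def encrypt(m, n, e):
    return pow(m, e, n)

def decrypt(c, n, d):
    return pow(c, d, n)

def factor_trial_division(n):
    """Factorization attack on a toy modulus.  Trial division is hopeless at
    1024 bits, which is the whole point of the size requirement in the text."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no non-trivial factor found")

def factorization_attack(n, e):
    """Eve factors n, computes phi(n) = (p-1)(q-1), then d = e^-1 mod phi(n)."""
    p, q = factor_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))

class DecryptionOracle:
    """Bob's decryption service: decrypts anything except the intercepted C."""
    def __init__(self, n, d, forbidden):
        self.n, self.d, self.forbidden = n, d, forbidden

    def decrypt(self, c):
        if c == self.forbidden:
            raise PermissionError("will not decrypt the intercepted ciphertext")
        return pow(c, self.d, self.n)

def blinding_attack(c, n, e, oracle, rng=random):
    """Chosen-ciphertext attack via the multiplicative property:
    (C * X^e) = (P * X)^e mod n, so Bob's answer is P * X, and X is invertible."""
    while True:
        x = rng.randrange(2, n)
        if math.gcd(x, n) == 1:            # X must have an inverse mod n
            break
    y = c * pow(x, e, n) % n               # step (2): Y = C * X^e mod n
    z = oracle.decrypt(y)                  # step (3): Bob returns Z = Y^d = P * X mod n
    return z * pow(x, -1, n) % n           # step (4): P = Z * X^-1 mod n

def demo(message=1234, seed=7):
    """Run both attacks against the toy key and return everything worth checking."""
    n, e, d = rsa_keygen(P_PRIME, Q_PRIME, E)
    c = encrypt(message, n, e)
    oracle = DecryptionOracle(n, d, c)
    d_factored = factorization_attack(n, e)
    return {
        "n": n, "c": c, "d": d,
        "via_blinding": blinding_attack(c, n, e, oracle, random.Random(seed)),
        "d_factored": d_factored,
        "via_factoring": decrypt(c, n, d_factored),
    }

if __name__ == "__main__":
    print(demo())
```

The blinding attack never touches the factorization problem at all: it works against any textbook-RSA decryptor that returns raw results, which is why real deployments use padding (OAEP) and never expose a raw decryption oracle.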
(3) Attacks on the encryption exponent. To shorten encryption time it is tempting to use a small encryption exponent e.
A common value is e = 3 (the second prime).
There are, however, several potential attacks on a low encryption exponent; here they are only discussed briefly.
Information Security Principles and Technology: Exam Questions with Answers

I. Terminology (the original asks for the Chinese name of each term): Block Cipher; Ciphertext (cf. Cipher); Known-Plaintext Attack; Encryption; Non-Repudiation; Key Distribution Center; Denial of Service; Data Integrity; AES (Advanced Encryption Standard); Authorization (the original glosses this as 认证, authentication; the correct gloss is 授权, authorization); Replay Attack (misspelled "Relpay" in the original); One-way Function; Brute Force Search; Stream Cipher; Symmetric Encryption; Asymmetric Encryption; Ciphertext-only Attack; Chosen-Plaintext Attack; Man-in-the-Middle Attack; Message Authentication Code; Hashed Message Authentication Code; Digital Signature; Secure Socket Layer (SSL).

II. Multiple choice
1. If m denotes the plaintext, c the ciphertext, E the encryption transformation and D the decryption transformation, which expression describes encryption? (A) A. c = E(m)  B. c = D(m)  C. m = E(c)  D. m = D(c)
2. Re-sending information that was captured earlier, in order to transmit it without authorization, is (D): A. eavesdropping  B. tampering  C. masquerade  D. replay
3. The DES round transformation has the following form; the correct one is (B):
A. L_{i-1} = R_{i-1}, R_{i-1} = L_{i-1} ⊕ f(R_i, K_i), i = 1, 2, ..., 16
B. L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, K_i), i = 1, 2, ..., 16
C. L_{i-1} = R_{i+1}, R_i = L_{i+1} ⊕ f(R_{i-1}, K_i), i = 1, 2, ..., 16
D. L_{i-1} = R_{i-1}, R_i = L_{i+1} ⊕ f(R_{i-1}, K_i), i = 0, 1, 2, ..., 15
4. The method of recovering the plaintext from obtained ciphertext without knowing the key is
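The round equations in answer B, as an added example that is not part of the exam: a generic Feistel network with the round L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, K_i). The round function `toy_f` and the key schedule `toy_key_schedule` are constructed placeholders, not DES's f, S-boxes or PC-1/PC-2. What the code shows is why the structure works: each round is invertible without inverting f, so decryption is the same network run with the subkeys in reverse order, whatever f is.

```python
MASK32 = 0xFFFFFFFF

def toy_f(r, k):
    """Constructed placeholder round function (NOT the DES f).  Any function of
    (R_{i-1}, K_i) works, because the Feistel structure never needs to invert it."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return (x ^ (x >> 13)) & MASK32

def toy_key_schedule(key, rounds=16):
    """Constructed toy subkey schedule (NOT DES's PC-1/PC-2): one 32-bit subkey per round."""
    return [((key >> (3 * i)) ^ (0x01234567 * (i + 1))) & MASK32 for i in range(rounds)]

def feistel_round(L_prev, R_prev, K_i, f=toy_f):
    """One round, exactly answer B:  L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    return R_prev, L_prev ^ f(R_prev, K_i)

def feistel_encrypt(L0, R0, subkeys, f=toy_f):
    L, R = L0, R0
    for K_i in subkeys:
        L, R = feistel_round(L, R, K_i, f)
    return L, R

def feistel_decrypt(Ln, Rn, subkeys, f=toy_f):
    """Undo the rounds in reverse order.  From (L_i, R_i):
    R_{i-1} = L_i  and  L_{i-1} = R_i XOR f(R_{i-1}, K_i) = R_i XOR f(L_i, K_i)."""
    L, R = Ln, Rn
    for K_i in reversed(subkeys):
        L, R = R ^ f(L, K_i), L
    return L, R

def roundtrip(L0, R0, key):
    """Encrypt then decrypt, and also check the classic identity that decryption is
    encryption with the reversed subkey order applied to the swapped halves."""
    ks = toy_key_schedule(key)
    Ln, Rn = feistel_encrypt(L0, R0, ks)
    back = feistel_decrypt(Ln, Rn, ks)
    swapped = feistel_encrypt(Rn, Ln, list(reversed(ks)))
    return back == (L0, R0) and swapped == (R0, L0)

if __name__ == "__main__":
    print(roundtrip(0xDEADBEEF, 0x01234567, 0x133457799BBCDFF1))
```

The same inversion argument is why DES decryption reuses the encryption hardware with the subkeys K_16, ..., K_1; the security of the construction lives entirely in f and the key schedule, neither of which this toy pretends to supply.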
Universally Composable Mechanism for Certificateless Signcryption

UNIVERSALLY COMPOSABLE MECHANISM FOR CERTIFICATELESS SIGNCRYPTION
Wang Linjie 1,2, Tian Youliang 2,3
1 (School of Data Science, Tongren University, Tongren 554300, Guizhou, China) 2 (College of Computer Science and Technology, Guizhou University, Guiyang 550025, Guizhou, China)
Received 2019-09-25. Supported by the National Natural Science Foundation of China (61962009, 61772008); the Guizhou Province Major Science and Technology Project (20183001); the Guizhou Province Science and Technology Plan Projects ([2019]1098, ZK[2021]-325); the Guizhou Province High-Level Innovative Talents Project ([2020]6008); the Guizhou Province Graduate Research Fund (yjscxjh2019101); and the Tongren City Science and Technology Plan Project ([2020] No. 78). Wang Linjie, associate professor; main research area: network and information security. Tian Youliang, professor.

1.2 Certificateless signcryption protocol
Definition 3 [12]. A certificateless signcryption scheme consists of five polynomial-time algorithms: system setup, partial-key generation, private-key generation, signcryption and unsigncryption. The legitimate participants of the scheme are the signcrypter P, the receiver R of the signcrypted message, and the key generation center PKG.
1) System setup (Setup): PKG takes the security parameter 1^λ as input and outputs the master key s and the system parameters params; s is kept secret and params is published.
Computer Applications and Software, 2021, p. 318
(identity document, ID), all of which are kept at an institution called the trusted center (CA). To communicate with someone on the network one looks up that person's ID at the CA; in practice, however, untrusted CAs were found to forge IDs or alter expired ones, so cryptographers looked for ways to deal with an untrusted CA. In 1984, Shamir [4] proposed identity-based public-key encryption, which brings with it a key management problem; to solve it, Al-Riyami et al. [5] in 2003 first proposed certificateless public-key cryptography, in which a user's private key is generated from a secret value chosen at random by the user together with the master key held by the KGC, thereby overcoming the key escrow problem inherent in identity-based cryptosystems.
Information Security Engineer Tutorial, Section 1.5: Professional English (translation exercise)

Cryptography is the practice and study of hiding information. In modern times, cryptography is considered a branch of both mathematics and computer science, and is affiliated closely with information theory, computer security, and engineering. Cryptography is used in applications present in technologically advanced societies; examples include the security of ATM cards, computer passwords, and electronic commerce, which all depend on cryptography.

(1) Terminology
Until modern times, cryptography referred almost exclusively to encryption, the process of converting ordinary information (plaintext) into unintelligible gibberish (i.e., ciphertext). Decryption is the reverse, moving from unintelligible ciphertext to plaintext. A cipher (or cypher) is a pair of algorithms which creates the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and, in each instance, by a key. This is a secret parameter (ideally known only to the communicants) for a specific message exchange context. Keys are important, as ciphers without variable keys are trivially breakable and therefore less than useful for most purposes. Historically, ciphers were often used directly for encryption or decryption, without additional procedures such as authentication or integrity checks.
02 Classical Ciphers and Cryptanalysis

Known-plaintext attack (known plaintext)
Chosen-plaintext attack (chosen plaintext)
Chosen-ciphertext attack (chosen ciphertext)
Chosen-text attack (chosen text)
Xidian University, School of Computer Science
Cryptanalytic Attacks
An algorithm that meets one or both of the following criteria:
An encryption scheme is said to be computationally secure if either of the foregoing two criteria is met.
Unconditionally secure
Brute-force attack (slide table of key size in bits against exhaustive-search effort; only the column header "Key Size (bits)" survived extraction)
Symmetric Cipher Model
Two requirements for the secure use of symmetric encryption:
a strong encryption algorithm;
a secret key known only to the sender and the receiver.
C = E_K(P), P = D_K(C)
History of cryptography
Phase 1: before 1949
Before 1949 cryptography was an art rather than a science: cryptographers of that era designed and analysed ciphers by intuition and conviction rather than by reasoning and proof.
Chosen-Ciphertext Secure Identity-Based Encryption from Computational Bilinear Diffie-Hellman

David Galindo, University of Luxembourg, david.galindo@uni.lu

Abstract. We extend a technique by Hanaoka and Kurosawa that provides efficient chosen-ciphertext secure public key encryption based on the Computational Diffie-Hellman assumption to the identity-based encryption setting. Our main result is an efficient chosen-ciphertext secure identity-based encryption scheme with constant-size ciphertexts under the Computational Bilinear Diffie-Hellman assumption in the standard model.

Keywords: standard model, identity-based encryption, computational bilinear Diffie-Hellman assumption, hardcore bits.

1 Introduction

Designing efficient public key encryption schemes with chosen-ciphertext security under widely accepted hardness assumptions has been a challenging research direction in modern cryptography. The first breakthrough in this area was the scheme by Cramer and Shoup [5], which had security based on the Decisional Diffie-Hellman assumption in the standard model. It is not until very recently that schemes with similar properties based on the Computational Diffie-Hellman assumption have been proposed by Cash, Kiltz and Shoup [4], Hanaoka and Kurosawa [9] and Haralambiev, Jager, Kiltz and Shoup [10].

Identity-based encryption (IBE) [11, 3] provides a public key encryption mechanism where public keys are arbitrary strings $id$ such as an email address or any other distinguished user identifier. In this work we extend the technique by Hanaoka and Kurosawa to the identity-based setting and provide an efficient chosen-ciphertext secure identity-based key encapsulation mechanism with constant-size ciphertexts under the Computational Bilinear Diffie-Hellman assumption in the standard model.

2 Preliminaries

We introduce some basic notation. If $S$ is a set then $s_1, \ldots, s_n \xleftarrow{\$} S$ denotes the operation of picking $n$ elements $s_i$ of $S$ independently and uniformly at random.

M. Joye, A. Miyaji, and A. Otsuka (Eds.): Pairing 2010, LNCS 6487, pp. 367–376, 2010. © Springer-Verlag Berlin Heidelberg 2010

We write $A(x, y, \ldots)$ to indicate that $A$ is an algorithm with inputs $x, y, \ldots$ and by $z \leftarrow A(x, y, \ldots)$ we denote the operation of running $A$ with inputs $(x, y, \ldots)$ and letting $z$ be the output. Throughout this paper we use the term "algorithm" as equivalent to "probabilistic polynomial-time algorithm". If $st_1, st_2$ are strings, then $st_1 \| st_2$ denotes their concatenation.

2.1 Identity-Based Encryption and Identity-Based Key Encapsulation

An IBE scheme $\Pi$ for identities $id \in \mathbb{Z}_p^*$ is specified by four algorithms (Setup, KeyGen, Encrypt, Decrypt) [3]:

– Setup is a randomized algorithm which takes as input a security parameter $1^k$ and returns a master public key $PK$ and a master secret key $SK$. The master public key includes the description of a set of admissible messages and ciphertexts, $\mathcal{M}_{PK}$ and $\mathcal{C}_{PK}$ respectively, and a prime integer $p$. $SK$ is kept secret by the trusted authority, while $PK$ is publicly available and we consider it to be an implicit input to the rest of the algorithms.
– KeyGen takes as input $SK$ and an identity $id \in \mathbb{Z}_p^*$. It outputs a user secret key $sk[id]$.
– Encrypt takes as input an identity $id \in \mathbb{Z}_p^*$ and $M \in \mathcal{M}_{PK}$. It returns a ciphertext $C$.
– Decrypt takes as inputs a private key $sk[id]$ and a ciphertext $C$, and it returns $M \in \mathcal{M}_{PK}$ or the special symbol $\bot$ indicating a decryption failure. In particular $\bot$ is returned if $C \notin \mathcal{C}_{PK}$.

These algorithms must satisfy a natural consistency constraint, namely that for any security parameter $1^k$, identity $id \in \mathbb{Z}_p^*$ and message $M \in \mathcal{M}_{PK}$ it holds that $M \leftarrow \mathrm{Decrypt}(sk[id], \mathrm{Encrypt}(id, M))$, where $sk[id] \leftarrow \mathrm{KeyGen}(SK, id)$ and $(PK, SK) \leftarrow \mathrm{Setup}(1^k)$.

An IBE scheme can be obtained by combining an identity-based key encapsulation mechanism (IB-KEM) and a symmetric encryption scheme [6, 1]. The IB-KEM is run to produce a symmetric encryption key that is later used to encrypt a message with the given symmetric encryption scheme. Formally, an IB-KEM for identities $id \in \mathbb{Z}_p^*$ is specified by four algorithms (KEM.Setup, KEM.KeyGen, KEM.Encap, KEM.Decap):

– KEM.Setup is a randomized algorithm that takes as inputs a security parameter $1^k$ and a positive integer $\kappa$. It works almost exactly as the Setup algorithm of an IBE scheme, except that no set of admissible plaintexts is output. The integer $\kappa$ denotes the bit-length of the symmetric encryption keys output by the IB-KEM and is returned as part of $PK$.
– KEM.KeyGen takes as input $SK$ and an identity $id \in \mathbb{Z}_p^*$. It outputs a user secret key $sk[id]$.
– KEM.Encap takes as input an identity $id \in \mathbb{Z}_p^*$ and outputs a symmetric key $K \in \{0,1\}^\kappa$ and a ciphertext $C$.
– KEM.Decap takes as inputs a private key $sk[id]$ and a ciphertext $C$, and it returns $K$ or the special symbol $\bot$ indicating a decryption failure. In particular $\bot$ is returned if $C \notin \mathcal{C}_{PK}$.

Similarly to IBE, any IB-KEM must satisfy natural consistency constraints, namely that for any security parameter $1^k$, integer $\kappa$ and identity $id \in \mathbb{Z}_p^*$ it holds that $K \leftarrow \mathrm{KEM.Decap}(sk[id], C)$ where $(K, C) \leftarrow \mathrm{KEM.Encap}(id)$, $sk[id] \leftarrow \mathrm{KEM.KeyGen}(SK, id)$ and $(PK, SK) \leftarrow \mathrm{KEM.Setup}(1^k, \kappa)$.

Selective-identity chosen-ciphertext security [3, 1]. Let us consider the following game:

Initialization. The adversary outputs a security parameter $1^k$, a positive integer $\kappa$ and an identity $id^*$ it wants to attack. $\kappa$ must be polynomially bounded in $k$.

Setup. The challenger runs $(PK, SK) \leftarrow \mathrm{KEM.Setup}(1^k, \kappa)$. The challenger sets $(K^*, C^*) \leftarrow \mathrm{KEM.Encap}(PK, id^*)$. It picks $\beta \xleftarrow{\$} \{0,1\}$ and sends $C^*$ to the adversary, together with $K^*$ if $\beta = 1$ or a fresh key $K^\dagger \xleftarrow{\$} \{0,1\}^\kappa$ if $\beta = 0$. It gives $PK$ to the adversary and keeps $SK$ to itself.

Find. The adversary makes a polynomial number of queries of the following types:
– User secret key. The adversary asks the challenger to run and deliver $sk[id] \leftarrow \mathrm{KEM.KeyGen}(SK, id)$ for adversarial input $id \neq id^*$.
– Decryption query. The adversary asks the challenger to output the result of $\mathrm{KEM.Decap}(sk[id], C)$ for adversarial input $(id, C) \neq (id^*, C^*)$.

Guess. The adversary outputs a guess $\beta' \in \{0,1\}$.

The advantage of such an adversary $A$ is defined as
$$\mathrm{Adv}^{\mathrm{sID\text{-}CCA}}_{\mathrm{IBKEM},A}(1^k) = \left|\Pr[A(K^*, C^*) = 1] - \Pr[A(K^\dagger, C^*) = 1]\right|.$$

Definition 1. An identity-based key encapsulation mechanism IBKEM is secure under selective-identity and chosen-ciphertext attacks if for any IND-sID-CCA adversary $A$ the function $\mathrm{Adv}^{\mathrm{sID\text{-}CCA}}_{\mathrm{IBKEM},A}(1^k)$ is negligible.

2.2 Diffie-Hellman Assumptions on Pairing Groups

Let $G_1 = \langle g_1 \rangle$ and $G_2 = \langle g_2 \rangle$ be cyclic groups of prime order $p$. A map $e: G_1 \times G_2 \to G_3$ to a group $G_3$ is called a bilinear map if it satisfies the following two properties:
Bilinearity: $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$ for all integers $a, b$.
Non-degeneracy: $e(g_1, g_2)$ has order $p$ in $G_3$.

We assume there exists an efficient bilinear pairing instance generator algorithm $\mathcal{IG}$ that on input a security parameter $1^k$ outputs the description of $\langle e, G_1, G_2, G_3, g_1, g_2, p \rangle$, with $p$ a $k$-bit prime.

Definition 2 (BDH assumption). Let $\langle e, G_1, G_2, G_3, p, g_1, g_2 \rangle \leftarrow \mathcal{IG}(1^k)$. Let us define $Z \leftarrow \langle e, G_1, G_2, G_3, p, g_1, g_2, g_1^a, g_2^a, g_1^b, g_2^b, g_1^c \rangle$ where $a, b, c \xleftarrow{\$} \mathbb{Z}_p$. We say that $\mathcal{IG}$ satisfies the Computational Bilinear Diffie-Hellman assumption if
$$\mathrm{Adv}^{\mathrm{BDH}}_{\mathcal{IG},A}(k) := \Pr\left[A(Z) = e(g_1, g_2)^{abc}\right]$$
is negligible in $k$. The probabilities are computed over the internal random coins of $A$, $\mathcal{IG}$ and the random coins of the inputs.

Our definition of bilinear pairings and BDH assumption encompasses all pairing-type categories arising from elliptic curves as classified by Galbraith, Paterson and Smart [8], and hence it is as general as possible.

Definition 3 (BDH hardcore predicate). Let $\langle e, G_1, G_2, G_3, p, g_1, g_2 \rangle \leftarrow \mathcal{IG}(1^k)$ and let $Z \leftarrow \langle e, G_1, G_2, G_3, p, g_1, g_2, g_1^a, g_2^a, g_1^b, g_2^b, g_1^c \rangle$ where $a, b, c \xleftarrow{\$} \mathbb{Z}_p$. Let $h: G_3 \to \{0,1\}$ be a function and consider
$$\mathrm{Adv}^{h}_{\mathcal{IG},A}(k) := \left|\Pr\left[A\big(Z, h, h(e(g_1, g_2)^{abc})\big) = 1\right] - \Pr\left[A(Z, h, \beta) = 1\right]\right|,$$
where $\beta \xleftarrow{\$} \{0,1\}$. We say that $h$ is a BDH hardcore predicate if the BDH assumption for $\mathcal{IG}$ implies that $\mathrm{Adv}^{h}_{\mathcal{IG},A}(k)$ is negligible. The probabilities are computed over the internal random coins of $A$, $\mathcal{IG}$ and the random coins of the inputs.

2.3 Lagrange Interpolation

Let $f(x) = \sum_{0 \le l \le t} b_l x^l$ be a polynomial over $\mathbb{Z}_p$ of degree $t$ and let $(x_0, f(x_0)), \ldots, (x_t, f(x_t))$ be $t + 1$ distinct points where $f(x)$ has been evaluated over $\mathbb{Z}_p^*$. Then one can recover $f(x)$ as
$$f(x) = f(x_0)\,\lambda_{x_0}(x) + \cdots + f(x_t)\,\lambda_{x_t}(x),$$
where $\lambda_{x_l}(x) \in \mathbb{Z}_p[x]$ for $0 \le l \le t$ are called Lagrange coefficients and are defined as
$$\lambda_{x_l}(x) = \frac{(x - x_0)(x - x_1)\cdots(x - x_{l-1})(x - x_{l+1})\cdots(x - x_t)}{(x_l - x_0)(x_l - x_1)\cdots(x_l - x_{l-1})(x_l - x_{l+1})\cdots(x_l - x_t)}.$$
It can be seen that given $\langle g_1, (x_0, g_1^{f(x_0)}), \ldots, (x_t, g_1^{f(x_t)}) \rangle$ it is possible to compute any $g_1^{b_l}$ for $0 \le l \le t$ thanks to the Lagrange coefficients, where $G_1 = \langle g_1 \rangle$ has prime order $p$: the coefficient $b_l$ of $x^l$ in $f$ is a fixed linear combination of the values $f(x_i)$, and that combination can be evaluated in the exponent. Similarly, given $\langle g_1, g_1^{b_0}, \ldots, g_1^{b_{j-1}}, (x_0, f(x_0)), \ldots, (x_{t-j}, f(x_{t-j})) \rangle$ it is possible to reconstruct any $g_1^{b_l}$ for $j \le l \le t$. These facts are used in our scheme and in its security reduction.

3 Chosen-Ciphertext Secure IB-KEM from the BDH Assumption in the Standard Model

In this section we describe a new IB-KEM which is obtained by extending the techniques that Hanaoka and Kurosawa [9] applied to the ElGamal encryption scheme [7]. The new IB-KEM is the result of applying these extended techniques to Boneh and Boyen's identity-based encryption scheme [2] and it has security based on the Computational BDH assumption. We assume the existence of global pairing parameters $\langle e, G_1, G_2, G_3, p, g_1, g_2 \rangle \leftarrow \mathcal{IG}(1^k)$ known to all the parties.
Our IB-KEM is defined as follows:

– KEM.Setup$(1^k, \kappa)$ chooses $a, \gamma \xleftarrow{\$} \mathbb{Z}_p^*$ and sets $u_0 \leftarrow g_1^a$, $v_0 \leftarrow g_2^a$, $u_{-1} \leftarrow g_1^\gamma$, $v_{-1} \leftarrow g_2^\gamma$. Next, it randomly picks $b_0, b_1, \ldots, b_{\kappa+2} \xleftarrow{\$} \mathbb{Z}_p^*$ and defines the polynomial $f(x) = b_0 + b_1 x + \cdots + b_{\kappa+2} x^{\kappa+2} \in \mathbb{Z}_p[x]$. It computes $y_l = g_1^{b_l}$ and $Y_l = e(u_0, g_2^{b_l})$ for $l = 0, \ldots, \kappa + 2$. It chooses a target collision resistant hash function $\mathrm{TCR}: G_1 \times \{0,1\} \to \mathbb{Z}_p^*$, as well as a BDH hardcore predicate $h: G_3 \to \{0,1\}$. It defines the functions $H_1: \mathbb{Z}_p^* \to G_1$ that maps $id \mapsto u_0^{id} u_{-1}$ and $H_2: \mathbb{Z}_p^* \to G_2$ that maps $id \mapsto v_0^{id} v_{-1}$. Finally, let $\mathcal{C}_{PK}$ be $G_1^4$ and
$$PK \leftarrow \langle e, G_1, G_2, G_3, p, g_1, g_2, u_0, v_0, u_{-1}, v_{-1}, y_0, \ldots, y_{\kappa+2}, Y_0, \ldots, Y_{\kappa-1}, H_1 \rangle, \qquad SK \leftarrow \langle a, b_0, \ldots, b_{\kappa+2}, H_2 \rangle.$$

– KEM.KeyGen$(SK, id)$ outputs $(sk_0[id], \ldots, sk_{\kappa-1}[id])$, where
$$sk_l[id] \leftarrow \left(g_2^{a b_l} H_2(id)^{r_l},\; g_2^{r_l}\right) \in G_2^2 \quad\text{with}\quad r_l \xleftarrow{\$} \mathbb{Z}_p^* \text{ for } 0 \le l \le \kappa - 1.$$

– KEM.Encap$(PK, id)$ picks $r \xleftarrow{\$} \mathbb{Z}_p^*$ and computes
$$C \leftarrow \left(g_1^r,\; g_1^{r \cdot f(t)},\; g_1^{r \cdot f(\bar t)},\; H_1(id)^r\right) \in G_1^4, \qquad K \leftarrow h(Y_0^r) \| \cdots \| h(Y_{\kappa-1}^r) \in \{0,1\}^\kappa,$$
where $t = \mathrm{TCR}(g_1^r, 0)$ and $\bar t = \mathrm{TCR}(g_1^r, 1)$. It outputs $(K, C)$.

– KEM.Decap takes as inputs a user key $sk[id] = (sk_0[id], \ldots, sk_{\kappa-1}[id])$ and a ciphertext $C = (C_0, C_1, C_2, C_3)$. It first checks whether $e(C_0, g_1^{f(t)}) = e(g_1, C_1)$ and $e(C_0, g_1^{f(\bar t)}) = e(g_1, C_2)$, where $t = \mathrm{TCR}(C_0, 0)$, $\bar t = \mathrm{TCR}(C_0, 1)$ and $g_1^{f(t)} = \prod_{0 \le l \le \kappa+2} y_l^{t^l}$ is computed from the public $y_l$. If not it returns $\bot$. Otherwise it parses $sk_l[id]$ as $(A_l, B_l)$ for $l = 0, \ldots, \kappa - 1$ and returns
$$K \leftarrow h\!\left(\frac{e(C_0, A_0)}{e(C_3, B_0)}\right) \| \cdots \| h\!\left(\frac{e(C_0, A_{\kappa-1})}{e(C_3, B_{\kappa-1})}\right).$$

The above scheme is consistent since for an honestly generated ciphertext we have, for $l = 0, \ldots, \kappa - 1$,
$$\frac{e(C_0, A_l)}{e(C_3, B_l)} = \frac{e\big(g_1^r,\, g_2^{a b_l} H_2(id)^{r_l}\big)}{e\big(H_1(id)^r,\, g_2^{r_l}\big)} = e(g_1^r, g_2^{a b_l}) \cdot \frac{e\big(g_1^r,\, H_2(id)^{r_l}\big)}{e\big(H_1(id)^r,\, g_2^{r_l}\big)} = Y_l^r \cdot \frac{e\big(g_1^r,\, g_2^{r_l(a \cdot id + \gamma)}\big)}{e\big(g_1^{r(a \cdot id + \gamma)},\, g_2^{r_l}\big)} = Y_l^r.$$

Theorem 1. Let $h$ be a BDH hardcore predicate and $\mathrm{TCR}$ be a target collision-resistant hash function. Then the above IB-KEM scheme is secure against selective-identity and chosen-ciphertext attacks if $\mathcal{IG}$ is an instance generator algorithm for which the Bilinear Diffie-Hellman assumption holds.

Proof. An adversary starts by outputting a security parameter $1^k$, a key length $\kappa$ and a target identity $id^* \in \mathbb{Z}_p^*$. Given a BDH instance
$$Z \leftarrow \langle e, G_1, G_2, G_3, g_1, g_2, p, g_1^a, g_2^a, g_1^b, g_2^b, g_1^c \rangle$$
and a successful adversary $A$ against the IND-sID-CCA security of our IB-KEM, we construct an algorithm $B$ distinguishing $h(e(g_1, g_2)^{abc})$ from random with non-negligible advantage. To do so we need to apply a hybrid argument that we explain next.

Assume that for the challenge ciphertext $C^* = (g_1^c, g_1^{c \cdot f(t^*)}, g_1^{c \cdot f(\bar t^*)}, H_1(id^*)^c)$, where $t^* = \mathrm{TCR}(g_1^c, 0)$ and $\bar t^* = \mathrm{TCR}(g_1^c, 1)$, there exists an adversary $A$ which distinguishes $h(Y_0^c) \| \cdots \| h(Y_{\kappa-1}^c)$ from random (thus breaking the IB-KEM security). Then there exists another adversary $A'$ that for some $j$ with $0 \le j \le \kappa - 1$ distinguishes
$$h(Y_0^c) \| \cdots \| h(Y_j^c) \| \mathrm{rand}_{\kappa-j-1} \quad\text{from}\quad h(Y_0^c) \| \cdots \| h(Y_{j-1}^c) \| \mathrm{rand}_{\kappa-j},$$
where $\mathrm{rand}_l$ denotes an $l$-bit uniformly random string. Therefore we can assume the existence of such an adversary $A'$. We use it to construct an algorithm $B$ that given $(g_1, g_2, g_1^a, g_2^a, g_1^b, g_2^b, g_1^c)$ distinguishes $h(e(g_1, g_2)^{abc})$ from random. $B$ is defined as follows:

Generate system parameters. $B$ starts by setting $\langle e, G_1, G_2, G_3, p, g_1, g_2 \rangle$ to be the global parameters of the system. It continues by simulating the master public key of the IB-KEM and the challenge encapsulation to $A'$:
1. It sets $u_0 \leftarrow g_1^a$, $v_0 \leftarrow g_2^a$ and $u_{-1} \leftarrow u_0^{-id^*} g_1^\delta$, $v_{-1} \leftarrow v_0^{-id^*} g_2^\delta$ for random $\delta \xleftarrow{\$} \mathbb{Z}_p^*$.
2. It sets $t^* = \mathrm{TCR}(g_1^c, 0)$ and $\bar t^* = \mathrm{TCR}(g_1^c, 1)$.
3. It sets $y_j \leftarrow g_1^b \in G_1$ and $z_j \leftarrow g_2^b \in G_2$ and picks random $\mathrm{rnd}_j, \ldots, \mathrm{rnd}_{\kappa-1} \xleftarrow{\$} \mathbb{Z}_p^* \setminus \{t^*, \bar t^*\}$. Additionally it chooses $u_{t^*}, u_{\bar t^*}, b_0, \ldots, b_{j-1}, u_j, \ldots, u_{\kappa-1} \xleftarrow{\$} \mathbb{Z}_p^*$.
4. It sets $y_l = g_1^{b_l} \in G_1$ and $z_l = g_2^{b_l} \in G_2$ for $0 \le l \le j - 1$.
5. By using Lagrange interpolation, it computes $y_{j+1}, \ldots, y_{\kappa+2}$ such that for the function $F_1(x) = \prod_{0 \le l \le \kappa+2} y_l^{x^l}$ it holds that $F_1(t^*) = g_1^{u_{t^*}}$, $F_1(\bar t^*) = g_1^{u_{\bar t^*}}$, and $F_1(\mathrm{rnd}_j) = g_1^{u_j}, \ldots, F_1(\mathrm{rnd}_{\kappa-1}) = g_1^{u_{\kappa-1}}$.
6. By using Lagrange interpolation, it computes $z_{j+1}, \ldots, z_{\kappa+2}$ such that for the function $F_2(x) = \prod_{0 \le l \le \kappa+2} z_l^{x^l}$ it holds that $F_2(t^*) = g_2^{u_{t^*}}$, $F_2(\bar t^*) = g_2^{u_{\bar t^*}}$, and $F_2(\mathrm{rnd}_j) = g_2^{u_j}, \ldots, F_2(\mathrm{rnd}_{\kappa-1}) = g_2^{u_{\kappa-1}}$.
7. It sets $Y_l = e(g_1^a, z_l)$ for $l = 0, \ldots, \kappa - 1$.
8. Let $\mathcal{C}_{PK}$ be $G_1^4$.
9. $B$ sets the master public key to be $PK \leftarrow \langle e, G_1, G_2, G_3, p, g_1, g_2, u_0, v_0, u_{-1}, v_{-1}, y_0, \ldots, y_{\kappa+2}, Y_0, \ldots, Y_{\kappa-1}, H_1 \rangle$, the challenge ciphertext
$$C^* \leftarrow \left(g_1^c,\; (g_1^c)^{u_{t^*}},\; (g_1^c)^{u_{\bar t^*}},\; (g_1^c)^{\delta}\right)$$
and the challenge key
$$K^* = h\big(e(g_1^c, g_2^a)^{b_0}\big) \| h\big(e(g_1^c, g_2^a)^{b_1}\big) \| \cdots \| h\big(e(g_1^c, g_2^a)^{b_{j-1}}\big) \| \beta \| \mathrm{rand}_{\kappa-j-1},$$
where $\beta \xleftarrow{\$} \{0,1\}$.

Finally $B$ initializes $A'$ with $PK$ and $(K^*, C^*)$. Notice that, because of the properties of Lagrange interpolation, the distribution of the resulting master public key is statistically close to the distribution of an honestly generated key.

$B$ answers the queries by $A'$ in the following way:

Create user secret key queries. For a secret key query with $id \neq id^*$, it computes
$$sk_l[id] \leftarrow \left(z_l^{-\delta/(id - id^*)} H_2(id)^{r_l},\; z_l^{-1/(id - id^*)} g_2^{r_l}\right), \qquad r_l \xleftarrow{\$} \mathbb{Z}_p^* \text{ for } l = 0, \ldots, \kappa - 1.$$
To see that this is a valid random user secret key, let us write $z_l = g_2^{b_l}$ for $b_l \in \mathbb{Z}_p^*$ and let $s_l = r_l - b_l/(id - id^*)$. Notice that $b_l$ is unknown to $B$ for $j \le l \le \kappa + 2$, and thus $s_l$ is not defined explicitly but implicitly. It turns out that
$$z_l^{-\delta/(id - id^*)} H_2(id)^{r_l} = g_2^{-\delta b_l/(id - id^*)} \left(g_2^{a(id - id^*)} g_2^{\delta}\right)^{r_l} = g_2^{a b_l} \left(g_2^{a(id - id^*)} g_2^{\delta}\right)^{r_l - b_l/(id - id^*)} = g_2^{a b_l} H_2(id)^{s_l}$$
and $z_l^{-1/(id - id^*)} g_2^{r_l} = g_2^{s_l}$.

Decryption queries. For decryption queries of the form $(id, C)$ with $id \neq id^*$, it first checks whether $C \in \mathcal{C}_{PK}$. If not, it answers $\bot$. Otherwise it obtains $sk[id]$ by running the user key generation procedure above and returns $\mathrm{KEM.Decap}(sk[id], C)$.

For decryption queries $(id^*, C)$, it parses $C$ as $(C_0, C_1, C_2, C_3)$ and proceeds as follows:
1. If $C_0 = g_1^c$ it answers $\bot$.
2. If $C_0 \neq g_1^c$ and the intersection $\{\mathrm{TCR}(C_0, 0), \mathrm{TCR}(C_0, 1)\} \cap \{t^*, \bar t^*, \mathrm{rnd}_j, \ldots, \mathrm{rnd}_{\kappa-1}\}$ is non-empty, then $B$ aborts and outputs a random bit $\beta'$.
3. If $C_0 \neq g_1^c$ and that intersection is empty, it first checks whether $e(C_0, g_1^{f(t)}) = e(g_1, C_1)$ and $e(C_0, g_1^{f(\bar t)}) = e(g_1, C_2)$, where $t = \mathrm{TCR}(C_0, 0)$ and $\bar t = \mathrm{TCR}(C_0, 1)$. If not, $B$ outputs $\bot$ indicating decryption failure. Otherwise $B$ computes $C_0^{u_{t^*}}, C_0^{u_{\bar t^*}}, C_0^{u_j}, \ldots, C_0^{u_{\kappa-1}}$. Let $f_1 \in \mathbb{Z}_p[x]$ be the polynomial of degree $\kappa + 2$ whose coefficients of the terms $x^l$ are $b_l$ for $0 \le l \le j - 1$ and which additionally satisfies
$$\big(f_1(t),\, f_1(\bar t),\, f_1(t^*),\, f_1(\bar t^*),\, f_1(\mathrm{rnd}_{j+1}), \ldots, f_1(\mathrm{rnd}_{\kappa-1})\big) = \big(\log_{C_0} C_1,\; \log_{C_0} C_2,\; u_{t^*},\; u_{\bar t^*},\; u_{j+1}, \ldots, u_{\kappa-1}\big).$$
Next, by using Lagrange interpolation, it computes $C_0^{b_{1,l}}$ for $j \le l \le \kappa - 1$, where $b_{1,l} \in \mathbb{Z}_p$ denotes the coefficient of the $x^l$ term of the polynomial $f_1$. Then it answers the decryption query $(id^*, C)$ with
$$h\big(e(C_0^{b_0}, g_2^a)\big) \| \cdots \| h\big(e(C_0^{b_{j-1}}, g_2^a)\big) \| h\big(e(C_0^{b_{1,j}}, g_2^a)\big) \| \cdots \| h\big(e(C_0^{b_{1,\kappa-1}}, g_2^a)\big).$$

Guess. At some point $A'$ outputs a guess $\beta' \in \{0,1\}$ and $B$ outputs the same guess for $h(e(g_1, g_2)^{abc})$.

Success analysis of algorithm $B$. Let us define a series of events:
– Win denotes the event that $A'$ correctly distinguishes $h(Y_0^c) \| \cdots \| h(Y_j^c) \| \mathrm{rand}_{\kappa-j-1}$ from $h(Y_0^c) \| \cdots \| h(Y_{j-1}^c) \| \mathrm{rand}_{\kappa-j}$.
– Abort is the event that $A'$ makes a decryption query $(id^*, (C_0, C_1, C_2, C_3))$ such that $C_0 \neq g_1^c$ and the intersection $\{\mathrm{TCR}(C_0, 0), \mathrm{TCR}(C_0, 1)\} \cap \{t^*, \bar t^*, \mathrm{rnd}_j, \ldots, \mathrm{rnd}_{\kappa-1}\}$ is non-empty.
– Invalid denotes the event that $A'$ makes a decryption query of the form $(id^*, (C_0, C_1, C_2, C_3))$ such that $e(C_0, g_1^{f(t)}) = e(g_1, C_1)$ and $e(C_0, g_1^{f(\bar t)}) = e(g_1, C_2)$ but $B$'s decryption answer is incorrect.

Then, analogously to [9], $B$'s advantage in distinguishing $h(e(g_1, g_2)^{abc})$ from a random bit $\beta$ is bounded as follows:
$$\mathrm{Adv}^{h}_{\mathcal{IG},B}(k) = \left|\Pr\big[B(Z, h, h(e(g_1, g_2)^{abc})) = 1\big] - \Pr\big[B(Z, h, \beta) = 1\big]\right| \ge \Pr[\mathrm{Win} \mid \overline{\mathrm{Abort}} \wedge \overline{\mathrm{Invalid}}] \cdot \Pr[\overline{\mathrm{Abort}} \wedge \overline{\mathrm{Invalid}}] - \tfrac{1}{2} \ge \left|\Pr[\mathrm{Win}] - \Pr[\mathrm{Abort}] - \Pr[\mathrm{Invalid}]\right|.$$
Lemmas 3 and 4 in [9] imply that the probabilities $\Pr[\mathrm{Abort}]$ and $\Pr[\mathrm{Invalid}]$ are negligible. Finally $\Pr[\mathrm{Win}] = \frac{1}{\kappa} \cdot \mathrm{Adv}^{\mathrm{sID\text{-}CCA}}_{\mathrm{IBKEM},A}$ due to the hybrid argument. □

4 Extensions

The IB-KEM presented in the last section admits several extensions.

Identity-based encryption. Coupling our IB-KEM with a chosen ciphertext secure symmetric key encryption scheme yields an IBE scheme with IND-sID-CCA security based on the BDH assumption. The resulting IBE scheme is fairly efficient and has constant size ciphertexts.

Identity-based encryption with adaptive-identity security. It is straightforward to upgrade our IBE scheme to have adaptive-identity security by replacing the function $H_1$ (and $H_2$ accordingly) by the function used by Waters [12] to attain adaptive-identity security.

Hierarchical identity-based encryption. Our modification to the IBE scheme by Boneh and Boyen can also be applied to the hierarchical IBE scheme presented by the same authors in [2], and results in a hierarchical IBE scheme with IND-sID-CCA security based on the BDH assumption. For example, the resulting hierarchical IB-KEM scheme has a ciphertext for an $\ell$-level hierarchical identity $(id_1, \ldots, id_\ell)$ of the form
$$\left(g_1^r,\; g_1^{r \cdot f(t)},\; g_1^{r \cdot f(\bar t)},\; H_1^{1}(id_1)^r, \ldots, H_1^{\ell}(id_\ell)^r\right) \in G_1^{3 + \ell},$$
where $H_1^1, \ldots, H_1^\ell$ are independent instances of the function $H_1$ and $t = \mathrm{TCR}(g_1^r, 0)$, $\bar t = \mathrm{TCR}(g_1^r, 1)$. The key $K \leftarrow h(Y_0^r) \| \cdots \| h(Y_{\kappa-1}^r) \in \{0,1\}^\kappa$ remains unchanged.

References
1. Bentahar, K., Farshim, P., Malone-Lee, J., Smart, N.P.: Generic Constructions of Identity-Based and Certificateless KEMs. J. Cryptology 21(2), 178–199 (2008)
2. Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
3. Boneh, D., Franklin, M.K.: Identity-Based Encryption From The Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
4. Cash, D., Kiltz, E., Shoup, V.: The Twin Diffie-Hellman Problem and Applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)
5. Cramer, R., Shoup, V.: A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
6. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33(1), 167–226 (2004)
7. El Gamal, T.: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)
8. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Applied Mathematics 156(16), 3113–3121 (2008)
9. Hanaoka, G., Kurosawa, K.: Efficient Chosen Ciphertext Secure Public Key Encryption under the Computational Diffie-Hellman Assumption. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 308–325. Springer, Heidelberg (2008)
10. Haralambiev, K., Jager, T., Kiltz, E., Shoup, V.: Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 1–18. Springer, Heidelberg (2010)
11. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
12. Waters, B.: Efficient Identity-Based Encryption Without Random Oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)