WWW.THESES.XLIBX.INFO
FREE ELECTRONIC LIBRARY - Theses, dissertations, documentation
 
<< HOME
CONTACTS



Pages:   || 2 | 3 |

«Abstract. In this paper, we examine issues related to the construction of identity-based threshold decryption schemes and argue that it is important ...»

-- [ Page 1 ] --

Identity-Based Threshold Decryption

Joonsang Baek1 and Yuliang Zheng2

School of Network Computing, Monash University,

McMahons Road, Frankston, VIC 3199, Australia

joonsang.baek@infotech.monash.edu.au

Dept. Software and Info. Systems, UNC Charlotte, NC 28223, USA

yzheng@uncc.edu

Abstract. In this paper, we examine issues related to the construction of identity-based threshold decryption schemes and argue that it is

important in practice to design an identity-based threshold decryption scheme in which a private key associated with an identity is shared. A major contribution of this paper is to construct the first identity-based threshold decryption scheme secure against chosen-ciphertext attack. A formal proof of security of the scheme is provided in the random oracle model, assuming the Bilinear Diffie-Hellman problem is computationally hard. Another contribution of this paper is, by extending the proposed identity-based threshold decryption scheme, to construct a mediated identity-based encryption scheme secure against more powerful attacks than those considered previously.

1 Introduction Threshold decryption is particularly useful where the centralization of the power to decrypt is a concern. And the motivation of identity (ID)-based encryption originally proposed by Shamir [17] is to provide confidentiality without the need of exchanging public keys or keeping public key directories. A major advantage of ID-based encryption is that it allows one to encrypt a message by using a recipient’s identifiers such as an email address.

A combination of these two concepts will allow one to build an “ID-based threshold decryption” scheme. One possible application of such a scheme can be considered in a situation where an identity denotes the name of the group sharing a decryption key. As an example, suppose that Alice wishes to send a confidential message to a committee in an organization. Alice can first encrypt the message using the identity (name) of the committee and then send over the ciphertext. Let us assume that Bob who is the committee’s president has created the identity and hence has obtained a matching private decryption key from the Private Key Generator (PKG). Preparing for the time when Bob is away, he can share his private key out among a number of decryption servers in such a way that any committee member can successfully decrypt the ciphertext if, and only if, the committee member obtains a certain number of decryption shares from the decryption servers.

F. Bao et al. (Eds.): PKC 2004, LNCS 2947, pp. 262–276, 2004.

c International Association for Cryptologic Research 2004 Identity-BasedThreshold Decryption 263 Another application of the ID-based threshold decryption scheme is to use it as a building block to construct a mediated ID-based encryption scheme [7].

The idea is to split a private key associated with the receiver Bob’s ID into two parts, and give one share to Bob and the other to the Security Mediator (SEM).

Accordingly, Bob can decrypt a ciphertext only with the help of the SEM. As a result, instantaneous revocation of Bob’s privilege to perform decryption is possible by instructing the SEM not to help him any more.

In this paper, we deal with the problem of constructing an ID-based threshold decryption scheme which is efficient and practical while meets a strong security requirement. We also treat the problem of applying the ID-based threshold decryption scheme to design a mediated ID-based encryption scheme secure against more powerful attacks than those considered previously in the literature.

–  –  –

Throughout this paper, we will simply use the term “Bilinear map” to refer to the admissible bilinear map defined above.

The “BasicIdent” Scheme. We now describe Boneh and Franklin’s basic version of ID-based encryption scheme called “BasicIdent” which only gives semantic security (that is, indistinguishability under chosen plaintext attack).

In the setup stage, the PKG specifies a group G generated by P ∈ G ∗ and the Bilinear map e : G ×G → F. It also specifies two hash functions H1 : {0, 1}∗ → G ∗ ˆ and H2 : F → {0, 1}l, where l denotes the length of a plaintext.The PKG then picks a master key x uniformly at random from Z ∗ and computes a public Zq key YPKG = xP. The PKG publishes descriptions of the group G and F and the hash functions H1 and H2. Bob, the receiver, then contacts the PKG to get his private key DID = xQID where QID = H1 (ID). Alice, the sender, can now 264 Joonsang Baek and Yuliang Zheng

–  –  –

3 Related Work and Discussion Boneh and Franklin’s “Distributed PKG”. In order to prevent a single PKG from full possession of the master key in ID-based encryption, Boneh and Franklin [5] suggested that the PKG’s master key should be shared among a number of PKGs using the techniques of threshold cryptography, which they call “Distributed PKG”. More precisely, the PKG’s master key x is distributed into a number of PKGs in such a way that each of the PKG holds a share xi ∈ Z ∗ of a Zq Shamir’s (t, n)-secret-sharing [16] of x ∈ Z ∗ and responds to a user’s private Zq i key extraction request with DID = xi QID, where QID = H1 (ID). If the technique of [11] is used, one can ensure that the master key is jointly generated by PKGs so that the master key is not stored or computed in any single location.





As an extension of the above technique, Boneh and Franklin suggested that the distributed PKGs should function as decryption servers for threshold decryption. That is, each PKG responds to a decryption query C = (U, V ) in BasicIdent with e(xi QID, U ). However, we argue that this method is not quite ˆ practical in practice since it requires each PKG to be involved at all times (that is, on-line) in the generation of decryption shares because the value “U ” changes whenever a new ciphertext is created. Obviously, this creates a bottleneck on the PKGs and also violates one of the basic requirements of an ID-based encryption scheme, “the PKG can be closed after key generation”, which was envisioned by Shamir in his original proposal of ID-based cryptography [17]. Moreover, there is a scalability problem when the number of available distributed PKGs is not matched against the number of decryption servers required, say, there are only 3 available PKGs while a certain application requires 5 decryption servers.

Therefore, a better approach would be sharing a private key associated with an identity rather than sharing a master key of the PKG. In addition to its easy adaptability to the situation where an identity denotes a group sharing a decryption key as described in Section 1, an advantage of this approach is that one can fully utilize Boneh and Franklin’s Distributed PKG method without the above-mentioned scalability problem, dividing the role of “distributed PKGs” from that of “decryption servers”. That is, an authorized dealer (a representative of group, such as “Bob” described in Section 1, or a single PKG) may ask an identity to each of the “distributed PKGs” for a partial private key associated the identity. Having obtained enough partial private keys, the dealer can construct the whole private key and distribute it into the “decryption servers” in his domain at will while the master key remains secret from any parties.

Other Related Work on ID-Based Threshold Decryption. To our knowledge, other papers that have treated “threshold decryption” in the context of ID-based cryptography are [8] and [13]. Dodis and Yung [8] observed how threshold deIdentity-Based Threshold Decryption 265 cryption can be realized in Gentry and Silverberg [12]’s “hierarchical ID-based encryption” setting. Interestingly, their approach is to share a private key (not the master key of the PKG) obtained from a user at a higher level. Although this was inevitable in the hierarchical ID-based encryption setting and its advantage in general ID-based cryptography was not mentioned in [8], it is more sound approach than sharing the master key of the PKG as we discussed above. However, their threshold decryption scheme is very-sketched and chosen-ciphertext security for the scheme was not considered in [8]. More recently, Libert and Quisquater [13] also constructed an ID-based threshold decryption scheme. However, their approach was to share a master key of the PKG, which is different from ours. Moreover, our scheme gives chosen ciphertext security while Libert and Quisquater’s scheme does not.

4 Security Notion for ID-based Threshold Decryption

4.1 Description of Generic ID-based Threshold Decryption A generic ID-based threshold decryption scheme, which we denote by “IDT HD”, consists of algorithms GK, EX, DK, E, D, SV, and SC. Below, we describe each of the algorithms.

Like other ID-based cryptographic schemes, we assume the existence of a trusted PKG. The PKG runs the key/common parameter generation algorithm GK to generate its master/public key pair and all the necessary common parameters. The PKG’s public key and the common parameters are given to every interested party.

On receiving a user’s private key extraction request which consists of an identity, the PKG then runs the private key extraction algorithm EX to generate the private key associated with the requested identity.

An authorized dealer who possesses the private key associated with an identity can run the private key distribution algorithm DK to distribute the private key into n decryption servers. DK makes use of an appropriate secret-sharing technique to generate shares of the private key as well as verification keys that will be used for checking the validity of decryption shares. Each share of the private key and its corresponding verification key are sent to an appropriate decryption server. The decryption servers then keep their private key shares secret but publish the verification keys. It is important to note here that the entity that runs DK can vary flexibly depending on the cryptographic services that the PKG can offer. For example, if the PKG has an only functionality of issuing private keys, the authorized dealer that runs DK would be a normal user (such as Bob in the example given in Section 1) other than the PKG. However, if the PKG has other functionalities, for example, organizing threshold decryption, the PKG can run DK.

Given a user’s identity, any user that wants to encrypt a plaintext can run the encryption algorithm E to obtain a ciphertext. A legitimate user that wants to decrypt a ciphertext gives it to the decryption servers requesting decryption 266 Joonsang Baek and Yuliang Zheng shares. The decryption servers then run the decryption share generation algorithm D taking the ciphertext as input and send the resulting decryption shares to the user. Note that the validity of the shares can be checked by running the decryption share verification algorithm SV. When the user collects valid decryption shares from at least t servers, the plaintext can be reconstructed by running the share combining algorithm SC.

4.2 Chosen Ciphertext Security for ID-based Threshold Decryption We now define a security notion for the IDT HD scheme against chosen-ciphertext attack, which we call “IND-IDTHD-CCA”.

Definition 1 (IND-IDTHD-CCA). Let ACCA be an attacker assumed to be a probabilistic Turing machine. Suppose that a security parameter k is given to ACCA as input. Now, consider the following game in which the attacker ACCA interacts with the “Challenger”.

Phase 1: The Challenger runs the PKG’s key/common parameter generation algorithm taking a security parameter k as input. The Challenger gives ACCA the resulting common parameter cp which includes the PKG’s public key pkPKG. However, the Challenger keeps the master key skPKG secret from ACCA.

Phase 2: ACCA issues a number of private key extraction queries. We denote each of these queries by ID. On receiving the identity query ID, the Challenger runs the private key extraction algorithm on input ID and obtains a corresponding private key skID. Then, the Challenger returns skID to ACCA.

Phase 3: ACCA corrupts t − 1 out of n decryption servers.

Phase 4: ACCA issues a target identity query ID∗. On receiving ID∗, the Challenger runs the private key extraction algorithm to obtain a private key skID∗ associated with the target identity. The Challenger then runs the private key distribution algorithm on input skID∗ with parameter (t, n) and obtains a set of private/verification key pairs {(skID∗ i, vkID∗ i )}, where 1 ≤ i ≤ n. Next, the Challenger gives ACCA the private keys of corrupted decryption servers and the verifications keys of all the decryption servers. However, the private keys of uncorrupted servers are kept secret from ACCA.

Phase 5: ACCA issues arbitrary private key extraction queries and arbitrary decryption share generation queries to the uncorrupted decryption servers. We denote each of these queries by ID and C respectively. On receiving ID, the Challenger runs the private key extraction algorithm to obtain a private key associated with ID and returns it to ACCA. The only restriction here is that ACCA is not allowed to query the target identity ID∗ to the private key extraction algorithm. On receiving C, the Challenger runs the decryption share generation algorithm taking C and the target identity ID∗ as input to obtain a corresponding decryption share and returns it to ACCA.

Phase 6: ACCA outputs two equal-length plaintexts (M0, M1 ). Then the Challenger chooses a bit β uniformly at random and runs the encryption algorithm on input cp, Mβ and ID∗ to obtain a target ciphertext C ∗ = E(cp, ID∗, Mβ ). Finally, the Challenger gives (C ∗, ID∗ ) to ACCA.

Phase 7: ACCA issues arbitrary private key extraction queries and arbitrary decryption share generation queries. We denote each of these queries by ID and C Identity-Based Threshold Decryption 267 respectively. On receiving ID, the Challenger runs the private key extraction algorithm to obtain a private key associated with ID and returns it to ACCA. As Phase 5, the only restriction here is that ACCA is not allowed to query the target identity ID∗ to the private key extraction algorithm. On receiving C, the Challenger runs the decryption share generation algorithm on input C to obtain a corresponding decryption share and returns it to ACCA. Differently from Phase 5, the target ciphertext C ∗ is not allowed to query in this phase.

Phase 8: ACCA outputs a guess β ∈ {0, 1}.



Pages:   || 2 | 3 |


Similar works:

«MY SRK CONSULTING MEMORIES Jack A. Caldwell August 2015 SRK MEMORIES Page i MY SRK CONSULTING MEMORIES Table of Contents PREFACE INTRODUCTION PROFESSOR JENNINGS THE CONSULTING WORLD COMPETING CONSULTANTS WATERMEYER, LEGGE, PIESOLD, AND UHLMAN JONES & WAGENER OSKAR STEFFEN ANDY ROBERTSON HENDRIK KIRSTEN JOHANNESBURG THE START EUROPA HOUSE ANDERSON STREET STAFF CLIENTS CLIENT INTERACTION TUCSON TUCSON, SRK, AND THE US MINING INDUSTRY TUCSON AND PAH TUCSON & SRK DENVER THE OFFICE MANAGERS JOHN...»

«Georgia Regents University Student Organization Campus Adviser Agreement Form Questions and Concerns Regarding this Document Should Be Discussed With the Office of Student Life & Engagement Name of Student Organization: President’s Full Name _ Student Organization Adviser Adviser Full Name: _ Email Address of Adviser: _ Phone Number of Adviser: (_) Department of Adviser: Name of Adviser’s Supervisor: Phone Number of Supervisor: (_) Email Address of Supervisor: _ In signing below, you...»

«• • Antimony Manganese • • Arsenic Mercury • • Barium Molybdenum • • Cadmium Nickel • • Cesium Selenium • • Chromium Thallium • • Cobalt Tungsten • • Lead Uranium Antimony Antimony is a silvery-white metal found in the earth’s crust. Most antimony is brought into the United States from other countries for processing. Antimony is used in lead storage batteries, sheet and pipe metal, paints, ceramics, and fireworks. It is also is added to textiles and plastics to...»

«Media Release Jean Dubuffet – Metamorphoses of Landscape January 31 – May 8, 2016 The Fondation Beyeler is opening the year 2016 with the first retrospective of Jean Dubuffet’s multifaceted, imaginative oeuvre held in Switzerland in the 21st century. “Jean Dubuffet – Metamorphoses of Landscape”, which runs from 31 January to 8 May 2016, features over 100 works by the highly experimental French painter and sculptor, who provided the art world with fresh inspiration and impulses in...»

«Abstract Expressionism in Context Abstract Expressionism, the glorious American art movement of the late 1940s and1950s, is a sophisticated debate on the nature of the unconscious. In this essay, I will demonstrate why such a debate was compelling, and present the arguments that were used at the time to promote each of the three competing descriptions of the unconscious: the Jungian, the Freudian, and the Zen. I will note the appropriateness of the formal strategy chosen for each view:...»

«White Paper Consolidate Network Security to Reduce Cost and Maximise Enterprise Protection White Paper Consolidate Network Security to Reduce Cost and Maximise Enterprise Protection Table of Contents Security Consolidation 3 Application identification and control 3 User identification and control 3 Intrusion prevention 3 Denial-of-service protection 3 Web application protection 3 Network behavioural analysis 4 Network access control 4 Approaches for Network Security Consolidation 4 Cost and...»

«2013L0036 — EN — 17.07.2013 — 000.001 — 1 This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents ►B DIRECTIVE 2013/36/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (Text with EEA relevance) (OJ L...»

«Field Update – Expanded Deduplication Sizing Guidelines Oct 2015 Field Update: Expanded Deduplication Sizing Guidelines Publish Date: 10/01/2015 As part of our regular service pack updates in version 10, we have been making incremental improvements to our media and storage management capabilities. The next generation of Commvault software includes significant enhancements that allows significantly improved scalability and resiliency. In order to take advantage of these improvements as well as...»

«FDA Briefing Document Joint Meeting of Anesthetic and Analgesic Drug Products Advisory Committee and Drug Safety and Risk Management Advisory Committee May 5, 2016 1 of 158 DISCLAIMER STATEMENT The attached package contains background information prepared by the Food and Drug Administration (FDA) for the panel members of the advisory committee. The FDA background package often contains assessments and/or conclusions and recommendations written by individual FDA reviewers. Such conclusions and...»

«Robert Kalb GEOS 206 18 May 2010 Feasibility Study of Biodiesel and Waste Vegetable Oil at Williams College Figure 1, Biodiesel: fuel source of the future? http://upload.wikimedia.org/wikipedia/commons/e/e4/Biodiesel_3.jpg Introduction Biodiesel has become an integral part of the discussion of renewable energy sources particularly on American college campuses. This paper will consider used food oil as a fuel source at Williams College with a specific focus on the feasibility of either...»

«Copyright by Thomas Paul Miles C The Dissertation Committee for Thomas Paul Miles,II certifies that this is the approved version of the following dissertation: THE ETHICAL PROJECT KIERKEGAARD AND NIETZSCHE SHARE: ILLUSTRATING, ANALYZING, AND EVALUATING DIFFERENT WAYS OF LIFE Committee: Kathleen Higgins, Supervisor Joakim Garff Robert Solomon Paul Woodruff Robert Kane Philip Hopkins THE ETHICAL PROJECT KIERKEGAARD AND NIETZSCHE SHARE: ILLUSTRATING, ANALYZING, AND EVALUATING DIFFERENT WAYS...»

«1 Falling Under Gwen Hayes TRADUCCIÓN: Júlia Itziar Esther Eder Amaya Maialen Andrea Vicky Laura Angelica Marta Sofia CORRECCIÓN: Celia Eva Noemi DISEÑO: Celia Si quieren ser parte del equipo de traducción, corrección i/o diseño de Perfect Dream, no duden en unirse a nosotros enviando un mensaje a este e-mail: perfectdreamji@hotmail.com Dígannos en que quieren participar y ayúdennos en la evolución del Blog, necesitamos gente para cualquier cosa. Cuanta más gente, más libros....»





 
<<  HOME   |    CONTACTS
2016 www.theses.xlibx.info - Theses, dissertations, documentation

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.