MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME:
1-KEY-ENCRYPT-THEN-MAC
by
Brittanney Jaclyn Amento
A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science
in Partial Fulfillment of the Requirements for the Degree of Master of Science
Florida Atlantic University Boca Raton, Florida
May 2010
Copyright by Brittanney Jaclyn Amento 2010
ACKNOWLEDGEMENTS
First, I would like to thank my advisor, Dr. Rainer Steinwandt, for always pushing and believing in me – especially during those times I wanted to give up! You have been an exceptional mentor and I am so thankful for your direction and confidence. Second, I would like to thank my mother, Neweleen Feldmar, for raising a strong minded, confident young woman. Eight years to get to this point and I couldn’t have done it without your love and support. I know I make you proud everyday! Third, I would like to thank my dear friend Lisa Greenberg. I can’t imagine how different the last two years would have been without the friendship and “math partner” we found in each other! Together, we are one half of a Ph.D girl! Last, I owe a sincere thank you to my Fusion boss of five years and friend, Melody Collins, for always finding a way to work my job around my education. I couldn’t have done any of this without each of you in my corner!
ABSTRACT
Author: Brittanney Jaclyn Amento
Title: Message Authentication in an Identity-Based Encryption Scheme: 1-Key-Encrypt-Then-MAC Institution: Florida Atlantic University
Thesis Advisor: Dr. Rainer Steinwandt
Degree: Master of Science
Year: 2010
We present an Identity-Based Encryption scheme, 1-Key-Encrypt-Then-MAC, in which we are able to verify the authenticity of messages using a MAC. We accomplish this authentication by combining an Identity-Based Encryption scheme given by Boneh and Franklin, with an Identity-Based Non-Interactive Key Distribution given by Paterson and Srinivasan, and attaching a MAC. We prove the scheme is chosen plaintext secure and chosen ciphertext secure, and the MAC is existentially unforgeable.
MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME:
1-KEY-ENCRYPT-THEN-MAC
1 Introduction . . . .1
2 Preliminaries . . . .3
2.1 Cryptographic Primitives . . . .3
2.2 Security Notions. . . .6
3 The Proposed Schemes . . . 11
3.1 Building on BasicIdent. . . 11
3.2 Building on FullIdent . . . 12
4 Security. . . 14
5 Conclusion . . . 22
Bibliography . . . 23
CHAPTER 1
INTRODUCTION
In this thesis, we build on the Identity-Based Encryption scheme given by Boneh and Franklin in [2] and combine it with the Identity-Based Non-Interactive Key Distribution given by Paterson and Srinivasan in [5] to create an Identity-Based Encryption scheme which authenticates messages using a MAC.
We follow Martin’s motivation in [4] to take a closer look at Identity-Based Encryp- tion. Identity-Based Encryption (IBE) was first introduced in 1984 by Adi Shamir as a way to create a public key from a user’s identity. IBE has all the benefits of a public key encryption scheme, plus additional benefits relating to keys being calculated for each re- cipient, versus being randomly generated. This relieves pre-enrollment requirements and the need to look up public keys (a huge hamper on public key cryptography). Calculating the keys also allows an IBE to have built in key recovery capability–a requirement for use in business. We can also use an IBE to communicate with someone not already enrolled in our system by calculating a public key id for the recipient and using that key to encrypt the message we send them. The recipient would then authenticate himself to the Private Key Generator (PKG) and receive his private decryption key, creating a secure channel of communication. We should mention that a main disadvantage of an IBE versus public key encryption lies with key revocation being difficult to remedy.
An IBE consists of four algorithms: Setup, which generates the system parameters and a master key; Extract, which uses the master key to extract the private key associated with an identity id ∈ {0, 1}∗; e.g., an email or IP address; Encrypt, which uses an identity id to encrypt messages; and Decrypt, which uses the private key associated with the identity id to decrypt messages.
An Identity-Based Non-Interactive Key Distribution (ID-NIKD) is a scheme which al- lows two parties to establish a common key without communicating. Each party receives a private key from a Trusted Authority (TA), which allows them to compute a shared key without exchanging any messages.
An ID-NIKD consists of three algorithms: Setup, which generates the system pa- rameters and a master secret key; Extract, which uses the master secret key to extract the private key associated with an identity id ∈ {0, 1}; and SharedKey, which uses an identity id and a private key to return a shared key between them.
We combine these two schemes, IBE and ID-NIKD, and ask about our ability to authenticate messages. Below, we define our 1-Key-Encrypt-Then-MAC scheme and show that we are indeed able to authenticate messages. Further, we show our scheme is chosen plaintext secure (IND-ID-CPA+MAC), chosen ciphertext secure (IND-ID-CCA+MAC), and existentially unforgeable (UF-ID-CPA+MAC).
CHAPTER 2
PRELIMINARIES
2.1 Cryptographic Primitives
We start by recalling the definition of an Identity-Based Encryption scheme as given by Boneh and Franklin in [2]:
Definition 1 (Identity-Based Encryption). An Identity-Based Encryption scheme E is specified by four polynomial time algorithms: Setup, Extract, Encrypt, Decrypt.
Setup: a probabilistic algorithm which takes a security parameter 1kand returns params (system parameters) and master key. The system parameters include a description of a finite message spaceM, and a description of a finite ciphertext space C. Intu- itively, the system parameters will be publicly known, while the master key will be known only to the “Private Key Generator” (PKG).
Extract: a probabilistic algorithm which takes as input params, master key, and an ar- bitrary id ∈ {0, 1}∗, and returns a private key did. Here id is an arbitrary user identity that will be used as a public key, and did is the corresponding private de- cryption key. TheExtract algorithm extracts a private key from the given identity.
Encrypt: a probabilistic algorithm which takes as input params, id, and M ∈ M. It returns a ciphertextC ∈ C.
Decrypt: a deterministic algorithm which takes as input params, C ∈ C, and a private keydid. It returnsM ∈ M or an error symbol ⊥.
These algorithms must satisfy the standard consistency constraint, namely if did is the private key generated by algorithmExtract when it is given id as the identity, then
∀M ∈ M : Decdid(C) = M where C ←− Encid(M ).
We next recall the definition of an ID-Based Non-Interactive Key Distribution scheme as given by Paterson and Srinivasan in [5]:
Definition 2 (ID-Based Non-Interactive Key Distribution (ID-NIKD)). An ID-Based Non- Interactive Key Distribution (ID-NIKD) scheme is specified by three distinct algorithms:
Setup, Extract, and SharedKey. Algorithms Setup and Extract are executed by the Trusted Authority (TA), whileSharedKey can be executed by any entity in possession of its private key and the identifier of any other entity with which it wishes to generate a shared key.
Setup: on input 1k, outputs a master public key (or system parameters) and a master secret key.
Extract: on input a master public key, a master secret key, and an id ∈ {0, 1}∗, returns a private key from some space of private keysSK.
SharedKey: on input a master public key, a private key didA, and an identifier idB ∈ {0, 1}∗, where idB 6= idA, this algorithm returns a shared key KA,B from some space of shared keysSHK specified in the master public key.
We require that, for any pair of identities idA, idB, and corresponding private keys didA
anddidB,SharedKey satisfies the constraint:
SharedKey(master public key, didA, idB) = SharedKey(master public key, didB, idA)
This ensures that entities A and B can indeed generate a shared key without any interac- tion. We will normally assume thatSHK, the space of shared keys, is {0, 1}n(k)for some functionn(k).
We next recall the definition of a Message Authentication Code (MAC) as given by Bellare, Guerin, and Rogaway in [3]:
Definition 3 (Message Authentication Code (MAC)). A Message Authentication Code (MAC) consists of three algorithms: Key Generation, Tagging, and Verification. The Tagging algorithm may be probabilistic; the Verification algorithm typically is not.
Key Generation: on parameter 1k, generates a keyc and an Ltag whereLtag is the cor- responding MAC length fork.
Tagging: on input a k-bit key c and a message M , algorithm Tagging outputs an Ltag-bit stringk called the tag, or MAC, of M .
Verfication: on input a k-bit key c, a message M , and an Ltag-bit stringτ , algorithm Verification outputs a “true” for accept and “false” for reject.
We ask for a basic validity condition, namely that authentic signatures are accepted with probability one. That is, for any keyc, message M , and tag τ which is output with positive probability byTag(c, M ), it must be the case that Verification(c, M , τ ) = true.
We combine the first three definitions and now introduce our Identity-Based Encryp- tion scheme which verifies message authentication:
Definition 4 (1-Key-Encrypt-Then-MAC). We define our 1-Key-Encrypt-Then -MAC as a septuple of algorithms (Setup, Enc, Dec, KeyExtract, Tag, Ver, SharedKey) in which we use in an Identity-Based Encryption scheme to show authenticity of messages using a MAC, as follows:
Setup: on input security parameter 1k, returns the system parameters and a master secret key. The system parameters include a description of a finite message spaceM, and a description of a finite ciphertext spaceC.
Enc: on input params, id, and M ∈ M computes a ciphertext C←− Encid(M ).
Dec: on input params, C ∈ C, and a private key didreturnsM or an error symbol ⊥.
KeyExtract: on input params, a master secret key, and an arbitrary id ∈ {0, 1}∗returns a private keydid.
SharedKey: on input params, a private key didA, and an idB ∈ {0, 1}∗, where idA 6=
idB, returnsKA,B.
Tag: on input M , idA, andidBreturns the tagTKA,B(M ) where KA,B=SharedKey(didA, idB, params) is a shared key betweenidAandidB.
Ver: on input M , tag τ , and KA,B returns “true” if τ is a valid tag for M and “false”
otherwise.
2.2 Security Notions
To formalize the security of our 1-Key-Encrypt-Then-MAC scheme, we introduce the following definitions pertaining to chosen plaintext security, chosen ciphertext security, and MAC unforgeability. We begin by defining chosen plaintext security:
Definition 5 (IND-ID-CPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verifi- cation, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilis- tic polynomial time adversary. Consider the following game:
1. Challenger runsSetup on 1kand hands public params toA.
2. A is given unrestricted access to a private key extraction oracle which associates anid with its private key did, atagging oracle:
τ (M, idA, idB) −→ Tag(M, SharedKey(KA,B)),
and averification oracle:
V(M, Tag, idA, idB) −→ {true, f alse}.
3. A outputs two plaintexts m0 6= m1 of equal length and someid which was NOT previously sent to theprivate key extraction oracle.
4. Challenger choosesb ∈ {0, 1} randomly and sends A ciphertext
C = (Encid(Mb)
| {z }
=C0
, Tag(C0, KA,B))
.
5. A is again given access to the private key extraction oracle, tagging oracle, and verification oracle with the sole restriction that she cannot query the private key extraction oracle on the id, as in Step 3).
6. A guesses b0 ∈ {0, 1} and wins if b = b0.
The advantageAdvA(k) of A is defined as
P r(b = b0) − 1 2
and θ is (IND-ID-CPA+MAC) secure if AdvA(k) is negligible for all probabilistic poly- nomial time adversariesA.
Next, we define the security of our MAC in the sense of existential unforgeability:
Definition 6 (UF-ID-CPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Verifica- tion, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game:
1. Challenger runsSetup on 1kand hands public params toA.
2. A is given unrestricted access to a private key extraction oracle which associates anid with its private key did, atagging oracle:
τ (M, idA, idB) −→ Tag(M, SharedKey(KA,B)),
and averification oracle:
V(M, Tag, idA, idB) −→ {true, f alse}.
3. A outputs a ciphertext C = (C0, idA, idB, τ ) with the restrictions that neither idAor idBwere previously submitted to theprivate key extraction oracle and (C0, idA, idB) was not previously sent to thetagging oracle. A wins if DecdidA(C) 6=⊥.
The advantageAdvA(k) of A is defined as
and θ is existentially unforgeable (UF-ID-CPA+MAC) if AdvA(k) is negligible for all probabilistic polynomial time adversariesA.
Finally, we end by defining chosen ciphertext security:
Definition 7 (IND-ID-CCA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Ver- ification, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a proba- bilistic polynomial time adversary. Consider the following game:
1. Challenger runsSetup on 1kand hands public params toA.
2. A is given unrestricted access to a private key extraction oracle which associates anid with its private key did, atagging oracle:
τ (M, idA, idB) −→ Tag(M, SharedKey(KA,B)),
averification oracle:
V(M, Tag, idA, idB) −→ {true, f alse},
and adecryption oracle:
Dec(idi, Ci) −→ Mi or⊥ .
3. A outputs two plaintexts m0 6= m1 of equal length and someid which was NOT previously sent to theprivate key extraction oracle.
4. Challenger choosesb ∈ {0, 1} randomly and sends A the challenge ciphertext
C = (Encid(Mb)
| {z }
=C0
, Tag(C0, KA,B)).
5. A is again given access to the private key extraction oracle, tagging oracle, veri- fication oracle, and decryption oracle, with the restrictions that she cannot query theprivate key extraction oracle on the id, as in Step 3), and she cannot query the decryption oracle on the challenge ciphertext C.
6. A guesses b0 ∈ {0, 1} and wins if b = b0. The advantageAdvA(k) of A is defined as
P r(b = b0) − 1 2
andθ is (IND-ID-CCA+MAC) secure if AdvA(k) is negligible for all probabilistic poly- nomial time adversariesA.
CHAPTER 3
THE PROPOSED SCHEMES
We present our 1-Key-Encrypt-Then-MAC scheme in which we wish to use the Identity- Based Encryption schemes BasicIdent and FullIdent, as given by Boneh and Franklin in [2], along with a MAC to verify authentication of messages.
3.1 Building on BasicIdent
We first consider the scheme BasicIdent, which is given by four algorithms: Setup, Ex- tract, Encrypt, and Decrypt, which model our algorithms Setup, KeyExtract, Enc, and Dec, respectively. Further, we consider an ID-NIKD as given by Paterson and Srinivasan in [5], which also shares the Setup and Extract algorithms of BasicIdent. Let G be some BDH parameter generator.
Setup: given security parameter k ∈ Z+, run G on input 1k to generate a prime q, two cyclic groups G1and G2of order q, an admissible bilinear map ˆe : G1×G1 −→ G2, and three cryptographic hash functions H1 : {0, 1}∗ −→ G∗1, H2 : G2 −→ {0, 1}n for some n, and H3 : {0, 1}∗ −→ {0, 1}k. Choose a random s ∈ Z∗q where s is the master secret key and set Ppub = sP , P ∈ G1 a random generator. The system parameters also include a description of a finite message space M, and a description of a finite ciphertext space C.
KeyExtract: returns a private key didA = sH1(idA).
Enc: computes Qid = H1(idA) ∈ G∗1, chooses a random r ∈ Z∗q, and sets the ciphertext to be
C = (rP, M ⊕ H2(gidr))
where gid = ˆe(Qid, Ppub) ∈ G∗2and M ∈ M.
Dec: returns M or an error message ⊥ by using didA ∈ G∗1to compute
M ⊕ H2(gidr) ⊕ H2(ˆe(didA, rP )) = M
SharedKey: returns key KA,B = H2(ˆe(didA, H1(idB)) where idB 6= idA.
Tag: returns the tag τ = H3(M ||KA,B) where KA,B is a shared key between idA and idB.
Ver: returns “true” if τ = H3(M ||KA,B) and “false” otherwise.
3.2 Building on FullIdent
We now consider the scheme FullIdent, which is given by four algorithms: Setup, Ex- tract, Encrypt, and Decrypt. Let G be some BHD parameter generator.
Setup: as in the BasicIdent scheme. In addition, we pick a hash function H4 : {0, 1}n× {0, 1}n−→ Z∗q and H5 : {0, 1}n −→ {0, 1}nwhere n is the length of the message to be encrypted.
KeyExtract: as in the BasicIdent scheme.
Enc: computes Qid = H1(idA) ∈ G∗1, chooses a random σ ∈ {0, 1}n, sets r = H4(σ, M ), and sets the ciphertext to be
C = (rP, σ ⊕ H2(gidr), M ⊕ H5(σ))
where gid = ˆe(Qid, Ppub) ∈ G∗2and M ∈ M.
Dec: if rP /∈ G∗1, rejects the ciphertext. Otherwise, returns M or an error message ⊥ by using didA ∈ G∗1 to do the following: Computes
σ ⊕ H2(gidr) ⊕ H2(ˆe(didA, rP )) = σ
Then computes
M ⊕ H5(σ) ⊕ H5(σ) = M
and sets r0 = H4(σ, M ). Tests that this r0P = rP . If not, rejects the ciphertext.
Otherwise, outputs M as the decryption of C.
SharedKey: as in the BasicIdent scheme.
Tag: as in the BasicIdent scheme.
Ver: as in the BasicIdent scheme.
This completes the description of our 1-Key-Encrypt-Then-MAC scheme.
CHAPTER 4
SECURITY
We now consider the security of BasicIdent-MAC. The following theorem shows that BasicIdent-MAC is secure in the sense of Definition 5 (IND-ID-CPA+MAC).
We first follow Boneh and Franklin’s description of a random oracle model in [1]. A random oracle is a function H : X −→ Y chosen uniformly and at random from the set of all functions {h : X −→ Y } (assuming Y is a finite set). An algorithm can query the random oracle at any point x ∈ X and receive the value H(x) in response. Random oracles are used to model cryptographic hash functions such as SHA-1. Security proofs in the random oracle model prove security against attackers confined to the random oracle world.
Theorem 1. Let H1,H2, andH3 be random oracles. ThenBasicIdent-MAC is secure in the sense ofDefinition 5.
Proof. Let A be a BasicIdent-MAC adversary. We begin by constructing a new IND-ID- CPA adversary B, which attacks the Boneh-Franklin BasicIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id.
Setup: Algorithm B gets BasicIdent system parameters
and gives them to A. B chooses a random index from 1 to p(k), where p(k) is a polyno- mial upper bound on the number of id’s queried to the tag and verification oracles, say i0, and never sends this idi0 to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows:
Extract Oracle queries: Algorithm A queries an idi to the extract oracle. B responds by forwarding the idi to the extract oracle as in the Boneh-Franklin scheme and responds to A with didi, the private key associated with idi. B then has the restriction that she cannot query the same ididuring the challenge.
Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id’s, say idA and idB. B chooses one of the id’s 6= idi0 uniformly and at random, say idA, and sends it to the extract oracle, receiving back private key didA. B has access to the SharedKey algorithm and runs it on params, idB, and didA, receiving back KA,B. She next appends KA,B to the message M and sends it through H3, receiving back the tag τ = H3(M ||KA,B). B sends A the tag τ .
Verification Oracle queries: Algorithm A queries the verification oracle with a message M , two id’s, say idA and idB, and a tag τ . B chooses one of the id’s 6= idi0 uniformly and at random, say idA, and sends it to the extract oracle, receiving back private key didA. B runs the SharedKey algorithm and obtains KA,B, appends KA,B to M , and runs it through H3. If τ = H3(M ||KA,B), B sends A “true.” Otherwise, B sends A “false.”
Challenge: Once algorithm A is ready to challenge, the following occurs:
1. Algorithm A outputs two plaintexts m0 6= m1 of equal length, and an id not pre- viously sent by A to the extract oracle. The challenger in the IND-ID-CPA game chooses b ∈ {0, 1} randomly. B chooses the same m0 6= m1and id as its challenge in the IND-ID-CPA game and receives back corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort.
Otherwise, with probability at least p(k)1 , B will be able to use the challenge id. B forwards C to A.
2. Algorithm A is again given access to the extract oracle, tag oracle, and verification oraclewith the sole restriction that she cannot query the id she is challenging.
3. Algorithm A guesses b0 ∈ {0, 1}. B outputs the same guess and wins if b = b0. Suppose the probability of algorithm A succeeding in breaking the BasicIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the BasicIdent-MAC scheme is at least p(k)1 P r[SuccA], which is non-negligible. Then
P r[SuccB] ≥ 1
p(k)P r[SuccA]
and we have that P r[SuccB] is non-negligible. But this is a contradiction as B is a Ba- sicIdent adversary and therefore, the P r[SuccB] is proven to be negligible by Boneh- Franklin. Therefore, our BasicIdent-MAC scheme is (IND-ID-CPA+MAC) secure.
We next consider the unforgeability of the MAC in our BasicIdent-MAC scheme.
The following theorem shows that the MAC in our BasicIdent-MAC scheme is existen- tially unforgeable in the sense of Definition 6 (UF-ID-CPA+MAC).
Theorem 2. Let H1, H2, and H3 be random oracles. ThenBasicIdent-MAC is existen- tially unforgeable in the sense ofDefinition 6.
Proof. Let A be a BasicIdent-MAC adversary. We begin by constructing a new IND-SK adversary B which attacks the Paterson-Srinivasan ID-NIKD scheme. B has access to an extract oracle, random H3oracle, and test oracle, with the restriction that no query to the extract oracleis allowed on either id involved in the test oracle query.
Setup: Algorithm B gets ID-NIKD system parameters (1k, master public key) and gives
1 to p(k), where p(k) is a polynomial upper bound on the number of id’s queried to the extract oracle, say i0and i1, and never sends idi0 or idi1 to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows:
Extract Oracle queries: Algorithm A queries an idi to the extract oracle. B responds by forwarding the idito the extract oracle as in the Paterson-Srinivasan scheme and responds to A with didi, the private key associated with idi. B then has the restriction that she cannot query the same ididuring the forgery.
Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id’s, say idA and idB. If idA = idi0 and idB = idi1, B chooses a random element from the space of shared keys, say SHK, and appends SHK to the message M , sends it through H3, and receives the tag τ = H3(M ||SHK). We clarify below why this will be sufficient. Otherwise, B chooses one of the id’s 6= idi0, idi1 uniformly and at random, say idA, and sends it to the extract oracle, receiving back private key didA. B has access to the SharedKey algorithm and runs it on params, idB, and didA, receiving back KA,B. She next appends KA,Bto the message M and sends it through H3, receiving back the tag τ = H3(M ||KA,B). In each case, B records the tag τ and the id’s associated with it on an H3list. B sends A the tag τ .
Verification Oracle queries: Algorithm A queries the verification oracle with a message M , two id’s, say idAand idB, and a tag τ . B checks the H3listfor the τ associated with idA, idB, and M . In the case where idA= idi0 and idB = idi1, if τ = H3(M ||SHK), B sends A “true.” Otherwise, B sends A “false.” In all other cases, if τ = H3(M ||KA,B), B sends A “true.” Otherwise, B sends A “false.”
Forgery: Once algorithm A is ready to forge a MAC, the following occurs:
1. A outputs ciphertext C = (C0, idA, idB, τ ) where τ = (C0, idA, idB). When one or both of the forgery id’s has previously been queried by B to the extract oracle, we
abort. Otherwise, with probability at least (p(k))1 2, B will be able to use the forgery id’s.
2. B queries the test oracle on idAand idBreceiving back either shared key KA,B or a random shared key SHK. B checks the H3listfor H3(M ||KA,B). If the entry exists on the H3list, B outputs “real.” Otherwise, B outputs “random.”
Suppose that the probability of algorithm A succeeding in forging the MAC in our BasicIdent-MAC scheme is non-negligible. Then the probability of algorithm B suc- ceeding in breaking the ID-NIKD scheme is at least (p(k))1 2P r[SuccA], which is non- negligible. We further consider the probability of a collision in the random oracles to be
3
X
j=1
(1 − (
qj−1
Y
i=0
(1 − i 2k)))
where qi is an upper bound on the number of queries made to random Hj oracle. There- fore, the probability of collision P r[Collision] is negligible. Last, we consider the ad- vantage AdvID−NIKD(k) to be a negligible upper bound on the probability of breaking the ID-NIKD scheme. Then
P r[SuccB] ≥ 1
(p(k))2(P r[SuccA] − P r[Collision] − AdvID−NIKD(k))
and we have that P r[SuccB] is non-negligible. But this is a contradiction as B is an ID-NIKD adversary and therefore, the P r[SuccB] is proven to be negligible by Paterson- Srinivasan. Hence, the MAC in our BasicIdent-MAC scheme is existentially unforgeable (UF-ID-CPA+MAC).
Justification of the tag oracle simulation We construct a new adversary B0 which at- tacks the Paterson-Srinivasan ID-NIKD scheme. B0 has access to an extract oracle, ran-
exactly as B above EXCEPT when A outputs a forgery on idi0 and idi1. Then, B0 queries the test oracle and receives either the true shared key Ki0,i1 or a random shared key SHK.
B0 computes the tag as B above, using the shared key received from the test oracle, and sends τ to A. Suppose the probability of the difference between the probability of al- gorithm A succeeding in forging the MAC using the true key, and the probability of algorithm A succeeding in forging the MAC using a random key, is non-negligible. Then the probability of B0succeeding in correctly solving the challenge from the test oracle is
P r[SuccB0] = 1
2(P r[SuccAtrue] − (1 − P r[SuccArandom]))
and we have that P r[SuccB0] is non-negligible. But this is a contradiction as B0 is an ID-NIKD adversary; therefore, the P r[SuccB0] is proven to be negligible by Paterson- Srinivasan. Therefore, the MAC in our BasicIdent-MAC scheme is existentially un- forgeable (UF-ID-CPA+MAC).
We now consider the security of FullIdent-MAC. The following theorem shows that FullIdent-MAC is secure in the sense of Definition 7, (IND-ID-CCA+MAC).
Theorem 3. Let H1, H2, H3, H4, andH5 be random oracles. Then FullIdent-MAC is secure in the sense ofDefinition 7 (IND-ID-CCA+MAC).
Proof. Let A be a FullIdent-MAC adversary. We begin by constructing a new IND-ID- CCA adversary B, which attacks the Boneh-Franklin FullIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id.
Setup: Algorithm B gets FullIdent system parameters
(q, G1, G2, ˆe, n, P, Ppub, H1, H2, H3, H4, H5)
and gives them to A. B chooses a random index from 1 to p(k), where p(k) is a polyno- mial upper bound on the number of id’s queried to the tag and verification oracles, say i0, and never sends this idi0 to the extract oracle. B simulates the extract oracle, tag oracle, verification oracle, and decryption oracle as follows:
Extract Oracle queries: as in the BasicIdent-MAC scheme.
Tag Oracle queries: as in the BasicIdent-MAC scheme.
Verification Oracle queries: as in the BasicIdent-MAC scheme.
Decryption Oracle queries: Algorithm A queries the decryption oracle with an id, say idA, and ciphertext CA. B responds by forwarding (idA, CA) to the decryption oracle as in the Boneh-Franklin scheme and responds to A with MAor ⊥. B then has the restriction that she cannot query the same (idA, CA) during the challenge.
Challenge: Once algorithm A is ready to challenge, the following occurs:
1. Algorithm A outputs two plaintexts m0 6= m1 of equal length, and an id not pre- viously sent by A to the extract oracle. The challenger in the IND-ID-CCA game chooses b ∈ {0, 1} randomly. B chooses the same m0 6= m1and id as its challenge in the IND-ID-CCA game and receives back corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort.
Otherwise, with probability at least p(k)1 , B will be able to use the challenge id. B forwards C to A.
2. Algorithm A is again given access to the extract oracle, tag oracle, verification oracle, and decryption oracle with the restrictions that she cannot query the id she is challenging to the extract oracle or the challenge ciphertext and id to the decryption oracle.
3. Algorithm A guesses b0 ∈ {0, 1}. B outputs the same guess and wins if b = b0.
Suppose the probability of algorithm A succeeding in breaking the FullIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the FullIdent-MAC scheme is at least p(k)1 P r[SuccA], which is non-negligible. Then
P r[SuccB] ≥ 1
p(k)P r[SuccA]
and we have that P r[SuccB] is non-negligible. But this is a contradiction as B is a FullIdent adversary and therefore, the P r[SuccB] is proven to be negligible by Boneh- Franklin. Hence, our FullIdent-MAC scheme is (IND-ID-CCA+MAC) secure.
CHAPTER 5
CONCLUSION
In this thesis, we combined an Identity-Based Encryption scheme and a Non-Interactive Key Distribution scheme to achieve our goal of message authentication, while maintain- ing semantic security and unforgeability. We conclude with an open question: Can we build a compiler that takes as input an existentially unforgeable MAC and an IBE, and outputs our 1-Key-Encrypt-Then-MAC scheme, while maintaining security in the sense of indistinguishability and unforgability?
BIBLIOGRAPHY
[1] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. In J. Kilian, editor, Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213–229. Springer-Verlag, 2001.
[2] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. SIAM Journal of Computing, 32(3):586–615, 2003. Available at http://crypto.
stanford.edu/˜dabo/papers/bfibe.pdf; extended abstract in [1].
[3] R. Guerin M. Bellare and P. Rogaway. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions. In Advances in Cryptology – CRYPTO 95, volume 963 of Lecture Notes in Computer Science, pages 15–28.
Springer Berlin-Heidelberg, 1995.
[4] L. Martin. Identity-Based Encryption: A Closer Look. The Information Systems Security Association Journal, 3(9):22–24, 2005.
[5] K. Paterson and S. Srinivasan. On the Relations Between Non-Interactive Key Dis- tribution, Identity-Based Encryption and Trapdoor Discrete Log Groups. Designs, Codes and Cryptography, 52(2):219–241, August 2009.