
MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME:

1-KEY-ENCRYPT-THEN-MAC

by

Brittanney Jaclyn Amento

A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science

in Partial Fulfillment of the Requirements for the Degree of Master of Science

Florida Atlantic University Boca Raton, Florida

May 2010


Copyright by Brittanney Jaclyn Amento 2010


ACKNOWLEDGEMENTS

First, I would like to thank my advisor, Dr. Rainer Steinwandt, for always pushing and believing in me – especially during those times I wanted to give up! You have been an exceptional mentor and I am so thankful for your direction and confidence. Second, I would like to thank my mother, Neweleen Feldmar, for raising a strong-minded, confident young woman. Eight years to get to this point and I couldn't have done it without your love and support. I know I make you proud every day! Third, I would like to thank my dear friend Lisa Greenberg. I can't imagine how different the last two years would have been without the friendship and "math partner" we found in each other! Together, we are one half of a Ph.D. girl! Last, I owe a sincere thank you to my Fusion boss of five years and friend, Melody Collins, for always finding a way to work my job around my education. I couldn't have done any of this without each of you in my corner!


ABSTRACT

Author: Brittanney Jaclyn Amento

Title: Message Authentication in an Identity-Based Encryption Scheme: 1-Key-Encrypt-Then-MAC

Institution: Florida Atlantic University

Thesis Advisor: Dr. Rainer Steinwandt

Degree: Master of Science

Year: 2010

We present an Identity-Based Encryption scheme, 1-Key-Encrypt-Then-MAC, in which we are able to verify the authenticity of messages using a MAC. We accomplish this authentication by combining an Identity-Based Encryption scheme given by Boneh and Franklin, with an Identity-Based Non-Interactive Key Distribution given by Paterson and Srinivasan, and attaching a MAC. We prove the scheme is chosen plaintext secure and chosen ciphertext secure, and the MAC is existentially unforgeable.


CONTENTS

1 Introduction

2 Preliminaries

2.1 Cryptographic Primitives

2.2 Security Notions

3 The Proposed Schemes

3.1 Building on BasicIdent

3.2 Building on FullIdent

4 Security

5 Conclusion

Bibliography


CHAPTER 1

INTRODUCTION

In this thesis, we build on the Identity-Based Encryption scheme given by Boneh and Franklin in [2] and combine it with the Identity-Based Non-Interactive Key Distribution given by Paterson and Srinivasan in [5] to create an Identity-Based Encryption scheme which authenticates messages using a MAC.

We follow Martin's motivation in [4] to take a closer look at Identity-Based Encryption. Identity-Based Encryption (IBE) was first introduced in 1984 by Adi Shamir as a way to create a public key from a user's identity. IBE has all the benefits of a public key encryption scheme, plus additional benefits relating to keys being calculated for each recipient rather than generated at random. This relieves pre-enrollment requirements and the need to look up public keys (a major burden in public key cryptography). Calculating the keys also gives an IBE a built-in key recovery capability, a requirement for use in business. We can also use an IBE to communicate with someone not already enrolled in our system by calculating a public key from the recipient's id and using that key to encrypt the message we send them. The recipient would then authenticate himself to the Private Key Generator (PKG) and receive his private decryption key, creating a secure channel of communication. We should mention that a main disadvantage of an IBE versus public key encryption lies with key revocation being difficult to remedy.


An IBE consists of four algorithms: Setup, which generates the system parameters and a master key; Extract, which uses the master key to extract the private key associated with an identity id ∈ {0,1}^*, e.g., an email or IP address; Encrypt, which uses an identity id to encrypt messages; and Decrypt, which uses the private key associated with the identity id to decrypt messages.

An Identity-Based Non-Interactive Key Distribution (ID-NIKD) is a scheme which al- lows two parties to establish a common key without communicating. Each party receives a private key from a Trusted Authority (TA), which allows them to compute a shared key without exchanging any messages.

An ID-NIKD consists of three algorithms: Setup, which generates the system parameters and a master secret key; Extract, which uses the master secret key to extract the private key associated with an identity id ∈ {0,1}^*; and SharedKey, which uses an identity id and a private key to return a shared key between the two parties.

We combine these two schemes, IBE and ID-NIKD, and ask about our ability to authenticate messages. Below, we define our 1-Key-Encrypt-Then-MAC scheme and show that we are indeed able to authenticate messages. Further, we show our scheme is chosen plaintext secure (IND-ID-CPA+MAC), chosen ciphertext secure (IND-ID-CCA+MAC), and existentially unforgeable (UF-ID-CPA+MAC).


CHAPTER 2

PRELIMINARIES

2.1 Cryptographic Primitives

We start by recalling the definition of an Identity-Based Encryption scheme as given by Boneh and Franklin in [2]:

Definition 1 (Identity-Based Encryption). An Identity-Based Encryption scheme E is specified by four polynomial time algorithms: Setup, Extract, Encrypt, Decrypt.

Setup: a probabilistic algorithm which takes a security parameter 1^k and returns params (system parameters) and master key. The system parameters include a description of a finite message space M and a description of a finite ciphertext space C. Intuitively, the system parameters will be publicly known, while the master key will be known only to the "Private Key Generator" (PKG).

Extract: a probabilistic algorithm which takes as input params, master key, and an arbitrary id ∈ {0,1}^*, and returns a private key d_id. Here id is an arbitrary user identity that will be used as a public key, and d_id is the corresponding private decryption key. The Extract algorithm extracts a private key from the given identity.

Encrypt: a probabilistic algorithm which takes as input params, id, and M ∈ M. It returns a ciphertext C ∈ C.

Decrypt: a deterministic algorithm which takes as input params, C ∈ C, and a private key d_id. It returns M ∈ M or an error symbol ⊥.

These algorithms must satisfy the standard consistency constraint, namely if d_id is the private key generated by algorithm Extract when it is given id as the identity, then

\[
\forall M \in \mathcal{M}:\quad \mathrm{Dec}_{d_{id}}(C) = M \quad \text{where } C \leftarrow \mathrm{Enc}_{id}(M).
\]

We next recall the definition of an ID-Based Non-Interactive Key Distribution scheme as given by Paterson and Srinivasan in [5]:

Definition 2 (ID-Based Non-Interactive Key Distribution (ID-NIKD)). An ID-Based Non-Interactive Key Distribution (ID-NIKD) scheme is specified by three distinct algorithms: Setup, Extract, and SharedKey. Algorithms Setup and Extract are executed by the Trusted Authority (TA), while SharedKey can be executed by any entity in possession of its private key and the identifier of any other entity with which it wishes to generate a shared key.

Setup: on input 1^k, outputs a master public key (or system parameters) and a master secret key.

Extract: on input a master public key, a master secret key, and an id ∈ {0,1}^*, returns a private key from some space of private keys SK.

SharedKey: on input a master public key, a private key d_{id_A}, and an identifier id_B ∈ {0,1}^*, where id_B ≠ id_A, this algorithm returns a shared key K_{A,B} from some space of shared keys SHK specified in the master public key.

We require that, for any pair of identities id_A, id_B, and corresponding private keys d_{id_A} and d_{id_B}, SharedKey satisfies the constraint:

\[
\mathrm{SharedKey}(\text{master public key}, d_{id_A}, id_B) = \mathrm{SharedKey}(\text{master public key}, d_{id_B}, id_A).
\]

This ensures that entities A and B can indeed generate a shared key without any interaction. We will normally assume that SHK, the space of shared keys, is {0,1}^{n(k)} for some function n(k).

We next recall the definition of a Message Authentication Code (MAC) as given by Bellare, Guérin, and Rogaway in [3]:

Definition 3 (Message Authentication Code (MAC)). A Message Authentication Code (MAC) consists of three algorithms: Key Generation, Tagging, and Verification. The Tagging algorithm may be probabilistic; the Verification algorithm typically is not.

Key Generation: on parameter 1^k, generates a key c and a length L_tag, where L_tag is the MAC length corresponding to k.

Tagging: on input a k-bit key c and a message M, algorithm Tagging outputs an L_tag-bit string τ called the tag, or MAC, of M.

Verification: on input a k-bit key c, a message M, and an L_tag-bit string τ, algorithm Verification outputs "true" for accept and "false" for reject.

We ask for a basic validity condition, namely that authentic tags are accepted with probability one. That is, for any key c, message M, and tag τ which is output with positive probability by Tagging(c, M), it must be the case that Verification(c, M, τ) = true.

We combine the first three definitions and now introduce our Identity-Based Encryp- tion scheme which verifies message authentication:


Definition 4 (1-Key-Encrypt-Then-MAC). We define our 1-Key-Encrypt-Then-MAC scheme as a septuple of algorithms (Setup, Enc, Dec, KeyExtract, Tag, Ver, SharedKey), in which a MAC keyed by a non-interactively shared key is attached to an Identity-Based Encryption scheme to authenticate messages, as follows:

Setup: on input security parameter 1^k, returns the system parameters params and a master secret key. The system parameters include a description of a finite message space M and a description of a finite ciphertext space C.

Enc: on input params, id, and M ∈ M, computes a ciphertext C ← Enc_id(M).

Dec: on input params, C ∈ C, and a private key d_id, returns M or an error symbol ⊥.

KeyExtract: on input params, a master secret key, and an arbitrary id ∈ {0,1}^*, returns a private key d_id.

SharedKey: on input params, a private key d_{id_A}, and an id_B ∈ {0,1}^*, where id_A ≠ id_B, returns K_{A,B}.

Tag: on input M, id_A, and id_B, returns the tag T_{K_{A,B}}(M), where K_{A,B} = SharedKey(params, d_{id_A}, id_B) is the shared key between id_A and id_B.

Ver: on input M, a tag τ, and K_{A,B}, returns "true" if τ is a valid tag for M and "false" otherwise.

2.2 Security Notions

To formalize the security of our 1-Key-Encrypt-Then-MAC scheme, we introduce the following definitions pertaining to chosen plaintext security, chosen ciphertext security, and MAC unforgeability. We begin by defining chosen plaintext security:


Definition 5 (IND-ID-CPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Ver, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game:

1. The challenger runs Setup on 1^k and hands the public params to A.

2. A is given unrestricted access to a private key extraction oracle, which associates an id with its private key d_id; a tagging oracle

\[
\tau(M, id_A, id_B) \longrightarrow \mathrm{Tag}(M, K_{A,B}), \qquad K_{A,B} = \mathrm{SharedKey}(params, d_{id_A}, id_B);
\]

and a verification oracle

\[
V(M, \tau, id_A, id_B) \longrightarrow \{\mathrm{true}, \mathrm{false}\}.
\]

3. A outputs two plaintexts M_0 ≠ M_1 of equal length and some id which was NOT previously sent to the private key extraction oracle.

4. The challenger chooses b ∈ {0,1} uniformly at random and sends A the ciphertext

\[
C = \bigl(\underbrace{\mathrm{Enc}_{id}(M_b)}_{= C_0},\ \mathrm{Tag}(C_0, K_{A,B})\bigr).
\]

5. A is again given access to the private key extraction oracle, tagging oracle, and verification oracle, with the sole restriction that she cannot query the private key extraction oracle on the id chosen in Step 3.

6. A guesses b' ∈ {0,1} and wins if b = b'.

The advantage Adv_A(k) of A is defined as

\[
\mathrm{Adv}_A(k) = \Pr[b = b'] - \tfrac{1}{2}
\]

and θ is (IND-ID-CPA+MAC) secure if Adv_A(k) is negligible for all probabilistic polynomial time adversaries A.

Next, we define the security of our MAC in the sense of existential unforgeability:

Definition 6 (UF-ID-CPA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Ver, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game:

1. The challenger runs Setup on 1^k and hands the public params to A.

2. A is given unrestricted access to a private key extraction oracle, which associates an id with its private key d_id; a tagging oracle

\[
\tau(M, id_A, id_B) \longrightarrow \mathrm{Tag}(M, K_{A,B}), \qquad K_{A,B} = \mathrm{SharedKey}(params, d_{id_A}, id_B);
\]

and a verification oracle

\[
V(M, \tau, id_A, id_B) \longrightarrow \{\mathrm{true}, \mathrm{false}\}.
\]

3. A outputs a ciphertext C = (C_0, id_A, id_B, τ) with the restrictions that neither id_A nor id_B was previously submitted to the private key extraction oracle and (C_0, id_A, id_B) was not previously sent to the tagging oracle. A wins if Dec_{d_{id_A}}(C) ≠ ⊥.

The advantage Adv_A(k) of A is defined as

and θ is existentially unforgeable (UF-ID-CPA+MAC) if Adv_A(k) is negligible for all probabilistic polynomial time adversaries A.

Finally, we end by defining chosen ciphertext security:

Definition 7 (IND-ID-CCA+MAC). Let θ = (Setup, Enc, Dec, KeyExtract, Tag, Ver, SharedKey) be a 1-Key-Encrypt-Then-MAC scheme and let A be a probabilistic polynomial time adversary. Consider the following game:

1. The challenger runs Setup on 1^k and hands the public params to A.

2. A is given unrestricted access to a private key extraction oracle, which associates an id with its private key d_id; a tagging oracle

\[
\tau(M, id_A, id_B) \longrightarrow \mathrm{Tag}(M, K_{A,B}), \qquad K_{A,B} = \mathrm{SharedKey}(params, d_{id_A}, id_B);
\]

a verification oracle

\[
V(M, \tau, id_A, id_B) \longrightarrow \{\mathrm{true}, \mathrm{false}\};
\]

and a decryption oracle

\[
\mathrm{Dec}(id_i, C_i) \longrightarrow M_i \ \text{or}\ \bot.
\]

3. A outputs two plaintexts M_0 ≠ M_1 of equal length and some id which was NOT previously sent to the private key extraction oracle.

4. The challenger chooses b ∈ {0,1} uniformly at random and sends A the challenge ciphertext

\[
C = \bigl(\underbrace{\mathrm{Enc}_{id}(M_b)}_{= C_0},\ \mathrm{Tag}(C_0, K_{A,B})\bigr).
\]

5. A is again given access to the private key extraction oracle, tagging oracle, verification oracle, and decryption oracle, with the restrictions that she cannot query the private key extraction oracle on the id chosen in Step 3, and she cannot query the decryption oracle on the challenge ciphertext C.

6. A guesses b' ∈ {0,1} and wins if b = b'. The advantage Adv_A(k) of A is defined as

\[
\mathrm{Adv}_A(k) = \Pr[b = b'] - \tfrac{1}{2}
\]

and θ is (IND-ID-CCA+MAC) secure if Adv_A(k) is negligible for all probabilistic polynomial time adversaries A.


CHAPTER 3

THE PROPOSED SCHEMES

We present our 1-Key-Encrypt-Then-MAC scheme instantiated with the Identity-Based Encryption schemes BasicIdent and FullIdent, as given by Boneh and Franklin in [2], together with a MAC that authenticates messages.

3.1 Building on BasicIdent

We first consider the scheme BasicIdent, which is given by four algorithms: Setup, Extract, Encrypt, and Decrypt, which model our algorithms Setup, KeyExtract, Enc, and Dec, respectively. Further, we consider an ID-NIKD as given by Paterson and Srinivasan in [5], which shares the Setup and Extract algorithms of BasicIdent. Let G be some BDH parameter generator.

Setup: given security parameter k ∈ Z^+, run G on input 1^k to generate a prime q, two cyclic groups G_1 and G_2 of order q, an admissible bilinear map ê : G_1 × G_1 → G_2, and three cryptographic hash functions H_1 : {0,1}^* → G_1, H_2 : G_2 → {0,1}^n for some n, and H_3 : {0,1}^* → {0,1}^k. Choose a random generator P ∈ G_1 and a random s ∈ Z_q, where s is the master secret key, and set P_pub = sP. The system parameters also include a description of a finite message space M and a description of a finite ciphertext space C.

KeyExtract: returns the private key d_{id_A} = s H_1(id_A).

Enc: computes Q_id = H_1(id_A) ∈ G_1, chooses a random r ∈ Z_q, and sets the ciphertext to be

\[
C = \bigl(rP,\ M \oplus H_2(g_{id}^{\,r})\bigr), \qquad g_{id} = \hat{e}(Q_{id}, P_{pub}) \in G_2,\ M \in \mathcal{M}.
\]

Dec: returns M or an error symbol ⊥ by using d_{id_A} ∈ G_1 to compute

\[
M \oplus H_2(g_{id}^{\,r}) \oplus H_2\bigl(\hat{e}(d_{id_A}, rP)\bigr) = M,
\]

which holds because, by bilinearity, ê(d_{id_A}, rP) = ê(sQ_id, rP) = ê(Q_id, P)^{sr} = ê(Q_id, P_pub)^r = g_id^r.

SharedKey: returns the key K_{A,B} = H_2(ê(d_{id_A}, H_1(id_B))), where id_B ≠ id_A. Since ê is bilinear and symmetric, ê(d_{id_A}, H_1(id_B)) = ê(H_1(id_A), H_1(id_B))^s = ê(d_{id_B}, H_1(id_A)), so id_B computes the same key from its own private key.

Tag: returns the tag τ = H_3(M || K_{A,B}), where K_{A,B} is the shared key between id_A and id_B.

Ver: returns "true" if τ = H_3(M || K_{A,B}) and "false" otherwise.

3.2 Building on FullIdent

We now consider the scheme FullIdent, which is given by four algorithms: Setup, Extract, Encrypt, and Decrypt. Let G be some BDH parameter generator.

Setup: as in the BasicIdent scheme. In addition, we pick hash functions H_4 : {0,1}^n × {0,1}^n → Z_q and H_5 : {0,1}^n → {0,1}^n, where n is the length of the message to be encrypted.

KeyExtract: as in the BasicIdent scheme.

Enc: computes Q_id = H_1(id_A) ∈ G_1, chooses a random σ ∈ {0,1}^n, sets r = H_4(σ, M), and sets the ciphertext to be

\[
C = \bigl(rP,\ \sigma \oplus H_2(g_{id}^{\,r}),\ M \oplus H_5(\sigma)\bigr), \qquad g_{id} = \hat{e}(Q_{id}, P_{pub}) \in G_2,\ M \in \mathcal{M}.
\]

Dec: if rP ∉ G_1, rejects the ciphertext. Otherwise, returns M or an error symbol ⊥ by using d_{id_A} ∈ G_1 as follows. Compute

\[
\sigma \oplus H_2(g_{id}^{\,r}) \oplus H_2\bigl(\hat{e}(d_{id_A}, rP)\bigr) = \sigma,
\]

then compute

\[
M \oplus H_5(\sigma) \oplus H_5(\sigma) = M,
\]

and set r' = H_4(σ, M). Test that r'P = rP; if not, reject the ciphertext. Otherwise, output M as the decryption of C. The test r'P = rP is what a modified ciphertext fails: altering any component changes the recovered (σ, M), so the recomputed r' no longer matches the first component and the ciphertext is rejected instead of yielding a related plaintext.

SharedKey: as in the BasicIdent scheme.

Tag: as in the BasicIdent scheme.

Ver: as in the BasicIdent scheme.

This completes the description of our 1-Key-Encrypt-Then-MAC scheme.
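The seven algorithms of Definition 4, instantiated as in Sections 3.1 and 3.2, as an added example that is not part of the thesis. Because a real pairing is not available in the Python standard library, the bilinear map is a stand-in: an element aP of G_1 is stored as its scalar a, G_2 is the subgroup generated by g in Z_p^*, and e(aP, bP) = g^{ab} mod p. That map is bilinear, so decryption, the SharedKey symmetry, and FullIdent's r'P = rP check all behave as in the thesis, but it is not secure (every discrete logarithm is the representation itself, and the scalar modulus N = p − 1 is composite rather than the prime q). The modulus, base, identities, message, and hash labels are constructed for the example. Following the security games rather than the notation of Chapter 3, the tag covers the ciphertext C_0 and is verified before decryption.

```python
"""Toy model of 1-Key-Encrypt-Then-MAC (BasicIdent-MAC and FullIdent-MAC).
Added example.  The pairing is a stand-in: aP is stored as the scalar a, G2 is
<g> in Z_p^*, scalars live in Z_N with N = p - 1, and e(aP, bP) = g^(a*b) mod p.
Bilinear by construction but NOT secure (discrete logs are the representation)."""
import hashlib
import hmac
import secrets

p = 2**127 - 1   # Mersenne prime: modulus of the toy G2 (constructed choice)
N = p - 1        # scalar modulus; g^N = 1 (mod p), so exponents reduce mod N
g = 3            # base of the toy G2; any fixed residue works for correctness
MSG_LEN = 32     # n = 256-bit messages, the SHA-256 output length

def pairing(a, b):
    """Toy e(aP, bP) = g^(a*b) mod p."""
    return pow(g, (a * b) % N, p)

def _h(label, *parts):
    """Domain-separated SHA-256 standing in for the random oracles H_1..H_5."""
    m = hashlib.sha256(label)
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()

def H1(identity):    # {0,1}* -> G1, a scalar in [1, N-1]
    return 1 + int.from_bytes(_h(b"H1", identity), "big") % (N - 1)
def H2(x):           # G2 -> {0,1}^n
    return _h(b"H2", x.to_bytes(16, "big"))
def H3(m, key):      # {0,1}* -> {0,1}^k; the MAC is tau = H3(M || K_{A,B})
    return _h(b"H3", m, key)
def H4(sigma, m):    # {0,1}^n x {0,1}^n -> scalar in [1, N-1]
    return 1 + int.from_bytes(_h(b"H4", sigma, m), "big") % (N - 1)
def H5(sigma):       # {0,1}^n -> {0,1}^n
    return _h(b"H5", sigma)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = 1 + secrets.randbelow(N - 1)              # master secret key s
    return {"Ppub": s}, s                         # P is the scalar 1, so Ppub = s

def key_extract(params, msk, identity):
    return (msk * H1(identity)) % N               # d_id = s * H1(id)

def shared_key(params, d_A, id_B):
    return H2(pairing(d_A, H1(id_B)))             # K_{A,B} = H2(e(d_A, H1(id_B)))

def tag(message, key):
    return H3(message, key)

def ver(message, tau, key):
    return hmac.compare_digest(tau, H3(message, key))

def enc_basic(params, identity, m):
    r = 1 + secrets.randbelow(N - 1)
    g_id = pairing(H1(identity), params["Ppub"])
    return (r, xor(m, H2(pow(g_id, r, p))))       # C = (rP, M xor H2(g_id^r))

def dec_basic(params, d_id, c):
    u, v = c
    return xor(v, H2(pairing(d_id, u)))           # e(d_id, rP) = g_id^r

def enc_full(params, identity, m):
    sigma = secrets.token_bytes(MSG_LEN)
    r = H4(sigma, m)
    g_id = pairing(H1(identity), params["Ppub"])
    return (r, xor(sigma, H2(pow(g_id, r, p))), xor(m, H5(sigma)))

def dec_full(params, d_id, c):
    u, v, w = c
    if not 0 < u < N:                             # rP not in G1: reject
        return None
    sigma = xor(v, H2(pairing(d_id, u)))
    m = xor(w, H5(sigma))
    return m if H4(sigma, m) == u else None       # r'P != rP: reject

def encode(c):                                    # serialise C_0 for tagging
    return c[0].to_bytes(16, "big") + b"".join(c[1:])

def send(params, d_A, id_B, m, full=True):
    """Encrypt to id_B, then tag the ciphertext under K_{A,B} (encrypt-then-MAC)."""
    c = enc_full(params, id_B, m) if full else enc_basic(params, id_B, m)
    return c, tag(encode(c), shared_key(params, d_A, id_B))

def receive(params, d_B, id_A, c, tau, full=True):
    """Verify under K_{B,A} (= K_{A,B} by symmetry) before decrypting; None if rejected."""
    if not ver(encode(c), tau, shared_key(params, d_B, id_A)):
        return None
    return dec_full(params, d_B, c) if full else dec_basic(params, d_B, c)

def roundtrip(m, full=True):
    """Returns (plaintext recovered from a genuine message, result for a forged tag)."""
    params, msk = setup()
    alice, bob = b"alice@example.com", b"bob@example.com"      # constructed ids
    d_a, d_b = key_extract(params, msk, alice), key_extract(params, msk, bob)
    assert shared_key(params, d_a, bob) == shared_key(params, d_b, alice)
    c, tau = send(params, d_a, bob, m, full)
    return (receive(params, d_b, alice, c, tau, full),
            receive(params, d_b, alice, c, bytes(MSG_LEN), full))   # zero tag
```

`roundtrip(msg)` returns the original plaintext for the genuine (ciphertext, tag) pair and `None` for the same ciphertext with a forged tag, for both BasicIdent-MAC and FullIdent-MAC. The receiver needs only its own private key d_B and the sender's identity to derive K_{B,A}, which is the "1-key" property: no MAC key is transported, and the tag is bound to the sender because only holders of d_A or d_B can compute it.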


CHAPTER 4

SECURITY

We now consider the security of BasicIdent-MAC. The following theorem shows that BasicIdent-MAC is secure in the sense of Definition 5 (IND-ID-CPA+MAC).

We first follow Boneh and Franklin's description of the random oracle model in [1]. A random oracle is a function H : X → Y chosen uniformly at random from the set of all functions {h : X → Y} (assuming Y is a finite set). An algorithm can query the random oracle at any point x ∈ X and receive the value H(x) in response. Random oracles are used to model cryptographic hash functions such as SHA-1. Security proofs in the random oracle model prove security against attackers confined to the random oracle world.

Theorem 1. Let H_1, H_2, and H_3 be random oracles. Then BasicIdent-MAC is secure in the sense of Definition 5.

Proof. Let A be a BasicIdent-MAC adversary. We begin by constructing a new IND-ID-CPA adversary B, which attacks the Boneh-Franklin BasicIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id.

Setup: Algorithm B gets the BasicIdent system parameters (q, G_1, G_2, ê, n, P, P_pub, H_1, H_2, H_3) and gives them to A. B chooses a random index i_0 from 1 to p(k), where p(k) is a polynomial upper bound on the number of id's queried to the tag and verification oracles, and never sends this id_{i_0} to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows:

Extract Oracle queries: Algorithm A queries an id_i to the extract oracle. B responds by forwarding id_i to the extract oracle as in the Boneh-Franklin scheme and responds to A with d_{id_i}, the private key associated with id_i. B then has the restriction that she cannot use the same id_i during the challenge.

Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id's, say id_A and id_B. B chooses one of the id's ≠ id_{i_0} uniformly at random, say id_A, and sends it to the extract oracle, receiving back the private key d_{id_A}. B has access to the SharedKey algorithm and runs it on params, d_{id_A}, and id_B, receiving back K_{A,B}. She next appends K_{A,B} to the message M and sends it through H_3, receiving back the tag τ = H_3(M || K_{A,B}). B sends A the tag τ.

Verification Oracle queries: Algorithm A queries the verification oracle with a message M, two id's, say id_A and id_B, and a tag τ. B chooses one of the id's ≠ id_{i_0} uniformly at random, say id_A, and sends it to the extract oracle, receiving back the private key d_{id_A}. B runs the SharedKey algorithm and obtains K_{A,B}, appends K_{A,B} to M, and runs it through H_3. If τ = H_3(M || K_{A,B}), B sends A "true." Otherwise, B sends A "false."

Challenge: Once algorithm A is ready to challenge, the following occurs:

1. Algorithm A outputs two plaintexts M_0 ≠ M_1 of equal length, and an id not previously sent by A to the extract oracle. The challenger in the IND-ID-CPA game chooses b ∈ {0,1} randomly. B chooses the same M_0 ≠ M_1 and id as its challenge in the IND-ID-CPA game and receives back the corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort. Otherwise, with probability at least 1/p(k), B will be able to use the challenge id. B forwards C to A.

2. Algorithm A is again given access to the extract oracle, tag oracle, and verification oracle, with the sole restriction that she cannot query the id she is challenging.

3. Algorithm A guesses b' ∈ {0,1}. B outputs the same guess and wins if b = b'.

Suppose the probability of algorithm A succeeding in breaking the BasicIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the BasicIdent scheme is at least (1/p(k)) Pr[Succ_A], which is non-negligible. Then

\[
\Pr[\mathrm{Succ}_B] \;\ge\; \frac{1}{p(k)}\,\Pr[\mathrm{Succ}_A]
\]

and we have that Pr[Succ_B] is non-negligible. But this is a contradiction, as B is a BasicIdent adversary and therefore Pr[Succ_B] is proven to be negligible by Boneh-Franklin. Therefore, our BasicIdent-MAC scheme is (IND-ID-CPA+MAC) secure.

We next consider the unforgeability of the MAC in our BasicIdent-MAC scheme.

The following theorem shows that the MAC in our BasicIdent-MAC scheme is existentially unforgeable in the sense of Definition 6 (UF-ID-CPA+MAC).

Theorem 2. Let H_1, H_2, and H_3 be random oracles. Then BasicIdent-MAC is existentially unforgeable in the sense of Definition 6.

Proof. Let A be a BasicIdent-MAC adversary. We begin by constructing a new IND-SK adversary B which attacks the Paterson-Srinivasan ID-NIKD scheme. B has access to an extract oracle, a random oracle H_3, and a test oracle, with the restriction that no query to the extract oracle is allowed on either id involved in the test oracle query.

Setup: Algorithm B gets the ID-NIKD system parameters (1^k, master public key) and gives them to A. B chooses two random indices from 1 to p(k), where p(k) is a polynomial upper bound on the number of id's queried to the extract oracle, say i_0 and i_1, and never sends id_{i_0} or id_{i_1} to the extract oracle. B simulates the extract oracle, tag oracle, and verification oracle as follows:

Extract Oracle queries: Algorithm A queries an id_i to the extract oracle. B responds by forwarding id_i to the extract oracle as in the Paterson-Srinivasan scheme and responds to A with d_{id_i}, the private key associated with id_i. B then has the restriction that she cannot use the same id_i during the forgery.

Tag Oracle queries: Algorithm A queries the tag oracle with a message M and two id's, say id_A and id_B. If id_A = id_{i_0} and id_B = id_{i_1}, B chooses a random element of the space of shared keys, which we denote SHK, appends SHK to the message M, sends it through H_3, and receives the tag τ = H_3(M || SHK). We clarify below why this will be sufficient. Otherwise, B chooses one of the id's ∉ {id_{i_0}, id_{i_1}} uniformly at random, say id_A, and sends it to the extract oracle, receiving back the private key d_{id_A}. B has access to the SharedKey algorithm and runs it on params, d_{id_A}, and id_B, receiving back K_{A,B}. She next appends K_{A,B} to the message M and sends it through H_3, receiving back the tag τ = H_3(M || K_{A,B}). In each case, B records the tag τ and the id's associated with it on an H_3 list. B sends A the tag τ.

Verification Oracle queries: Algorithm A queries the verification oracle with a message M, two id's, say id_A and id_B, and a tag τ. B checks the H_3 list for the τ associated with id_A, id_B, and M. In the case where id_A = id_{i_0} and id_B = id_{i_1}, if τ = H_3(M || SHK), B sends A "true." Otherwise, B sends A "false." In all other cases, if τ = H_3(M || K_{A,B}), B sends A "true." Otherwise, B sends A "false."

Forgery: Once algorithm A is ready to forge a MAC, the following occurs:

1. A outputs a ciphertext C = (C_0, id_A, id_B, τ), where τ is A's purported tag on C_0 between id_A and id_B. When one or both of the forgery id's has previously been queried by B to the extract oracle, we abort. Otherwise, with probability at least 1/(p(k))^2, B will be able to use the forgery id's.

2. B queries the test oracle on id_A and id_B, receiving back either the shared key K_{A,B} or a random shared key SHK. B checks the H_3 list for the entry H_3(M || K), where K is the key returned by the test oracle. If the entry exists on the H_3 list, B outputs "real." Otherwise, B outputs "random."

Suppose that the probability of algorithm A succeeding in forging the MAC in our BasicIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the ID-NIKD scheme is at least (1/(p(k))^2) Pr[Succ_A], which is non-negligible. We further consider the probability of a collision in the random oracles to be

\[
\Pr[\mathrm{Collision}] = \sum_{j=1}^{3} \left( 1 - \prod_{i=0}^{q_j - 1} \Bigl(1 - \frac{i}{2^k}\Bigr) \right),
\]

where q_j is an upper bound on the number of queries made to the random oracle H_j. Each summand is at most q_j(q_j − 1)/2^{k+1} by the union bound, and each q_j is polynomial in k; therefore, the probability of collision Pr[Collision] is negligible. Last, we consider the advantage Adv_{ID-NIKD}(k) to be a negligible upper bound on the probability of breaking the ID-NIKD scheme. Then

\[
\Pr[\mathrm{Succ}_B] \;\ge\; \frac{1}{(p(k))^2}\Bigl(\Pr[\mathrm{Succ}_A] - \Pr[\mathrm{Collision}] - \mathrm{Adv}_{\mathrm{ID\text{-}NIKD}}(k)\Bigr)
\]

and we have that Pr[Succ_B] is non-negligible. But this is a contradiction, as B is an ID-NIKD adversary and therefore Pr[Succ_B] is proven to be negligible by Paterson-Srinivasan. Hence, the MAC in our BasicIdent-MAC scheme is existentially unforgeable (UF-ID-CPA+MAC).

Justification of the tag oracle simulation. We construct a new adversary B' which attacks the Paterson-Srinivasan ID-NIKD scheme. B' has access to an extract oracle, a random oracle H_3, and a test oracle, and proceeds exactly as B above EXCEPT when A outputs a forgery on id_{i_0} and id_{i_1}. Then B' queries the test oracle and receives either the true shared key K_{i_0,i_1} or a random shared key SHK.

B' computes the tag as B above, using the shared key received from the test oracle, and sends τ to A. Suppose the difference between the probability of algorithm A succeeding in forging the MAC using the true key and the probability of algorithm A succeeding in forging the MAC using a random key is non-negligible. Then the probability of B' succeeding in correctly solving the challenge from the test oracle is

\[
\Pr[\mathrm{Succ}_{B'}] = \frac{1}{2}\Bigl(\Pr[\mathrm{Succ}_{A_{\mathrm{true}}}] - \bigl(1 - \Pr[\mathrm{Succ}_{A_{\mathrm{random}}}]\bigr)\Bigr)
\]

and we have that Pr[Succ_{B'}] is non-negligible. But this is a contradiction, as B' is an ID-NIKD adversary; therefore Pr[Succ_{B'}] is proven to be negligible by Paterson-Srinivasan. Therefore, the MAC in our BasicIdent-MAC scheme is existentially unforgeable (UF-ID-CPA+MAC).

We now consider the security of FullIdent-MAC. The following theorem shows that FullIdent-MAC is secure in the sense of Definition 7, (IND-ID-CCA+MAC).

Theorem 3. Let H_1, H_2, H_3, H_4, and H_5 be random oracles. Then FullIdent-MAC is secure in the sense of Definition 7 (IND-ID-CCA+MAC).

Proof. Let A be a FullIdent-MAC adversary. We begin by constructing a new IND-ID-CCA adversary B, which attacks the Boneh-Franklin FullIdent scheme. B has access to an extract oracle with the sole restriction that any id sent to the extract oracle may not be queried as the challenge id.

Setup: Algorithm B gets FullIdent system parameters

(q, G_1, G_2, ê, n, P, P_pub, H_1, H_2, H_3, H_4, H_5)


and gives them to A. B chooses a random index i_0 from 1 to p(k), where p(k) is a polynomial upper bound on the number of id's queried to the tag and verification oracles, and never sends this id_{i_0} to the extract oracle. B simulates the extract oracle, tag oracle, verification oracle, and decryption oracle as follows:

Extract Oracle queries: as in the BasicIdent-MAC scheme.

Tag Oracle queries: as in the BasicIdent-MAC scheme.

Verification Oracle queries: as in the BasicIdent-MAC scheme.

Decryption Oracle queries: Algorithm A queries the decryption oracle with an id, say id_A, and a ciphertext C_A. B responds by forwarding (id_A, C_A) to the decryption oracle as in the Boneh-Franklin scheme and responds to A with M_A or ⊥. B then has the restriction that she cannot query the same (id_A, C_A) during the challenge.

Challenge: Once algorithm A is ready to challenge, the following occurs:

1. Algorithm A outputs two plaintexts M_0 ≠ M_1 of equal length, and an id not previously sent by A to the extract oracle. The challenger in the IND-ID-CCA game chooses b ∈ {0,1} randomly. B chooses the same M_0 ≠ M_1 and id as its challenge in the IND-ID-CCA game and receives back the corresponding ciphertext C. When the challenge id has previously been queried by B to the extract oracle, we abort. Otherwise, with probability at least 1/p(k), B will be able to use the challenge id. B forwards C to A.

2. Algorithm A is again given access to the extract oracle, tag oracle, verification oracle, and decryption oracle, with the restrictions that she cannot query the id she is challenging to the extract oracle, nor the challenge ciphertext and id to the decryption oracle.

3. Algorithm A guesses b' ∈ {0,1}. B outputs the same guess and wins if b = b'.

Suppose the probability of algorithm A succeeding in breaking the FullIdent-MAC scheme is non-negligible. Then the probability of algorithm B succeeding in breaking the FullIdent scheme is at least (1/p(k)) Pr[Succ_A], which is non-negligible. Then

\[
\Pr[\mathrm{Succ}_B] \;\ge\; \frac{1}{p(k)}\,\Pr[\mathrm{Succ}_A]
\]

and we have that Pr[Succ_B] is non-negligible. But this is a contradiction, as B is a FullIdent adversary and therefore Pr[Succ_B] is proven to be negligible by Boneh-Franklin. Hence, our FullIdent-MAC scheme is (IND-ID-CCA+MAC) secure.


CHAPTER 5

CONCLUSION

In this thesis, we combined an Identity-Based Encryption scheme and a Non-Interactive Key Distribution scheme to achieve our goal of message authentication, while maintaining semantic security and unforgeability. We conclude with an open question: Can we build a compiler that takes as input an existentially unforgeable MAC and an IBE, and outputs our 1-Key-Encrypt-Then-MAC scheme, while maintaining security in the sense of indistinguishability and unforgeability?


BIBLIOGRAPHY

[1] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. In J. Kilian, editor, Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213–229. Springer-Verlag, 2001.

[2] D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. SIAM Journal on Computing, 32(3):586–615, 2003. Available at http://crypto.stanford.edu/~dabo/papers/bfibe.pdf; extended abstract in [1].

[3] M. Bellare, R. Guérin, and P. Rogaway. XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions. In Advances in Cryptology – CRYPTO '95, volume 963 of Lecture Notes in Computer Science, pages 15–28. Springer, Berlin-Heidelberg, 1995.

[4] L. Martin. Identity-Based Encryption: A Closer Look. The Information Systems Security Association Journal, 3(9):22–24, 2005.

[5] K. Paterson and S. Srinivasan. On the Relations Between Non-Interactive Key Distribution, Identity-Based Encryption and Trapdoor Discrete Log Groups. Designs, Codes and Cryptography, 52(2):219–241, August 2009.
