Efficient IdentityBased Encryption Without Random Oracles高效的基于身份的加密无随机预言机.pptVIP

Efficient Identity-BasedEncryption Without Random Oracles Brent Waters Stanford Universtiy Identity-Based Encryption (IBE) IBE: Public key encryption scheme where public key is an arbitrary string (ID). Examples: user’s e-mail address, current-date, … Brief History of IBE Shamir ’84 Challenged community with IBE concept BF’01 Pairing-based cryptography Proof uses Random Oracles CHK’03 Introduced weaker “Selective-ID” model Proof without Random Oracles Ciphertext element per bit of identity Brief History of IBE BB’04 Eurocrypt Efficient system in Selective-ID model BB’04 (Crypto) Proof in full model w/o Random Oracles Not practical system This work Practical system with proof in full model w/o Random Oracles Mathematically similar to BB’04 (Eurocrypt) IBE System Setup Generate public parameters Key Gen Generate a private key Encrypt Encrypt message M for given identity, ID Decrypt Decrypt a ciphertext if have private key for identity IBE Semantic Security Bilinear Maps Complexity Assumption Our Scheme Setup Key Gen(v) Encrypt(v,M) Decrypt(d,C=C0,C1,C2) Comparison to BB’04 Setup Key Gen(v) Encrypt(v,M) Decrypt(d,C=C0,C1,C2) Comparison to BB’04 Setup Key Gen(v) Encrypt(v,M) Decrypt(d,C=C0,C1,C2) Proof Idea Commit to parameters Identities can either generate keys for them or use as a challenge Bounding abort probability Limit dependencies “Bob” in Private Key set = “Alice” in Private Key Set Pairwise independence is enough If v and v’ differ in at least 1 bit u’?i 2 Vui and u’?i 2 V’ui differ in at least one element Pr[not abort] 1/(8(n+1)q) q- is max # of queries Signature Scheme Transformation from IBE scheme into signature scheme (IBE keys =sigs) Efficient signature scheme relies on Computational-DH assumption ..., but has somewhat large public key Conclusions + Open Problems Presented fully secure and efficient IBE scheme in standard model Can we reduce public parameter size? Get tight bounds? Proof Idea Proof Idea x’+?i