52 Things: Number 51: What is the security model for ID-based encryption, and describe one IBE scheme.

52 Things: Number 51: What is the security model for ID-based encryption, and describe one IBE scheme.

52件事:第51件:基于ID的加密的安全模型是什么,并描述一个IBE方案。

 
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This week we introduce Identity-Based Encryption.
这是一系列博客文章中的最新一篇,旨在解决“每个博士生在做密码学时应该知道的52件事”:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。本周我们将介绍基于身份的加密。


In public key cryptography, if Alice wants to send a message to Bob, she needs his public key. Typically this will be some very long bitstring (encoding, for example, the product of two large primes).
在公钥密码学中,如果Alice想向Bob发送消息,她需要他的公钥。通常,这将是一些非常长的比特串(例如,编码两个大素数的乘积)。


Suppose instead that Alice could use Bob's name, or email address, as his public key. Practically speaking, this is very convenient: there are no very long strings for Alice to obtain and remember and she doesn't need to verify that some seemingly random string is in fact Bob's public key (and not, for example, Charlie's public key). But to facilitate this, one needs Identity Based Encryption, or IBE.
相反,假设Alice可以使用Bob的姓名或电子邮件地址作为他的公钥。实际上,这是非常方便的:Alice不需要很长的字符串来获取和记忆,她也不需要验证一些看似随机的字符串实际上是Bob的公钥(例如,不是Charlie的公钥)。但为了促进这一点,需要基于身份的加密(IBE)。


In IBE, there is an entity called the Private Key Generator, or PKG. The PKG is able to compute Bob's private key using his ID (e.g. his email address) and a master key. Once Bob has authenticated himself to the PKG, he can ask for his private key and then, once he has it, he can decrypt any messages that have been encrypted under his ID.
在IBE中,有一个名为私钥生成器(PKG)的实体。PKG能够使用Bob的ID(例如,他的电子邮件地址)和主密钥来计算他的私钥。一旦Bob向PKG验证了自己的身份,他就可以索要自己的私钥,然后,一旦他有了私钥,就可以解密任何用他的ID加密的消息。


There is an issue here, though. With the master key, the PKG can generate private keys for any agent it likes. Therefore the PKG can decrypt any messages intended for any agent. This is called key escrow, and it means that you must either trust the PKG not to read your encrypted messages or else not care that it does. In a company, though, senior management often has the right to read your (work) emails, and so IBE can be an appropriate solution for internal correspondence.
不过,这里有一个问题。有了主密钥,PKG可以为它喜欢的任何代理生成私钥。因此,PKG可以解密旨在给任何代理的任何消息。这被称为密钥托管,这意味着你必须相信PKG不会读取你的加密消息,否则就不在乎它会读取。然而,在一家公司,高级管理层通常有权阅读你的(工作)电子邮件,因此IBE可以成为内部通信的合适解决方案。


Formally, an IBE scheme consists of four algorithms: setup, extract, encrypt and decrypt.
形式上,IBE方案由四种算法组成:设置、提取、加密和解密。


Setup takes a security parameter and outputs the (secret) master key and the (public) system parameters, such as the message and ciphertext spaces.
安装程序获取一个安全参数,并输出(秘密)主密钥和(公共)系统参数,如消息和密文空间。


Extract takes an ID and a master key and returns a private key corresponding to the ID.
Extract获取一个ID和一个主密钥,并返回与该ID对应的私钥。


Encrypt takes a message and an ID, and returns a ciphertext.
Encrypt获取一条消息和一个ID,并返回一个密文。


Decrypt takes a ciphertext and a private key, and returns a message.
Decrypt获取一个密文和一个私钥,并返回一条消息。


Boneh and Franklin gave an IBE scheme in this 2003 paper. They prove, under an assumption similar to assuming that the CDH problem is hard, that their scheme is IND-ID-CCA secure in the Random Oracle Model. This means that (assuming all hash functions are random oracles), any attacker, running in polynomial-time with respect to the security parameter, wins the following security game with probability that is only negligibly (with respect to the security parameter) more than 1/2:
Boneh和Franklin在这篇2003年的论文中给出了一个IBE方案。在类似于假设CDH问题很难的假设下,他们证明了他们的方案在随机Oracle模型中是IND-ID-CCA安全的。这意味着(假设所有哈希函数都是随机预言机),任何攻击者在相对于安全参数的多项式时间内运行,都会以仅可忽略的(相对于安全参数)大于1/2的概率赢得以下安全游戏:


First, the attacker 首先,攻击者
  • can request the private keys corresponding to any ID
    可以请求任何ID对应的私钥
  • can request decryptions of any ciphertexts under any ID.
    可以请求对任何ID下的任何密文进行解密。
Then, the attacker chooses two messages m0,m1 and an ID ID that does not occur in the list of IDs for which he has requested the corresponding private key. The attacker then receives the encryption c of mb under ID (where the bit b is chosen uniformly at random). Then the attacker
然后,攻击者选择两条消息 m0,m1 和一个ID ID ,这两条消息不出现在他请求相应私钥的ID列表中。然后,攻击者在#4下接收#3的加密#2(其中比特 b 是均匀随机选择的)。然后攻击者

  • can request the private keys corresponding to any ID apart from ID
    可以请求与#0以外的任何ID对应的私钥#
  • can request decryptions of any ciphertexts under any ID apart from (c,ID)
    可以请求解密除#0以外的任何ID下的任何密文#
and outputs a bit b. We say the attacker wins if b=b.
并输出比特 b 。我们说,如果 b=b ,攻击者获胜。


The scheme given by Boneh and Franklin relies on a non-degenerate bilinear map e:G1×G1G2, where G1 is a group of prime order q, which we write additively, and G2 is a group, also of order q, which we write multiplicatively. They instantiate this map with the Weil pairing on elliptic curves, but we omit details here. All that matters is bilinearitye(aP,bQ)=e(P,Q)ab for any a,bZq.
Boneh和Franklin给出的方案依赖于一个非退化双线性映射 e:G1×G1G2 ,其中 G1 是一个素数阶为#2的群,我们加性地写它,而#3是一个群,也是素数阶为#4,我们乘性地写。他们用椭圆曲线上的威尔配对实例化了这个映射,但我们在这里省略了细节。所有重要的是双线性:任何 a,bZq 都有 e(aP,bQ)=e(P,Q)ab 。


There's not enough space here to describe the scheme in full, but essentially the master key is some non-zero sZq and the private key corresponding to ID is sH(ID), where H is a hash function sending bitstrings to elements of G1. There are public generators P and Ppub=sP of G1.
这里没有足够的空间来完整描述该方案,但本质上主密钥是一些非零的 sZq ,与 ID 相对应的私钥是 sH(ID) ,其中 H 是向#4的元素发送比特串的哈希函数。有 G1 的 P 和 Ppub=sP 公共发电机。


To encrypt m under ID, one selects a random string σ and XORs m with a hash of σ, creating cm. Then M and σ are hashed together, giving a non-zero element rZq. Finally one computes the pairing e(H(ID),Ppub), raises it to the power r, hashes this and XORs with σ, creating cID. The triple (rP,cID,cm) is the ciphertext.
要在 ID 下加密 m ,可以选择一个随机字符串 σ ,并用 σ 的哈希对 m 进行XOR,从而创建 cm 。然后 M 和 σ 被散列在一起,给出非零元素 rZq 。最后,计算配对 e(H(ID),Ppub) ,将其提升到 r 的幂,对其进行散列,并与 σ 进行异或,创建 cID 。三元组 (rP,cID,cm) 是密文。


With the private key d=sH(ID), one decrypts the triple (U,V,W) as follows: compute e(d,U), which, by bilinearity, will equal e(H(ID),Ppub)r if the ciphertext was genuine. So one XORs V with the hash of the pairing to obtain σ. Then XORing W with the hash of σ will give m. To check that this is the intended message, one verifies that σ and m hashed together gives r such that U=rP.
使用私钥 d=sH(ID) ,按如下方式解密三元组 (U,V,W) :计算 e(d,U) ,如果密文是真的,则通过双线性性,计算#2将等于 e(H(ID),Ppub)r 。因此,我们将#4与配对的哈希进行异或,以获得 σ 。然后将 W 与 σ 的散列进行异或运算,得到 m 。为了检查这是否是预期的消息,我们验证 σ 和 m 散列在一起会产生 r ,从而产生 U=rP 。
posted @ 2024-04-13 13:39  3cH0_Nu1L  阅读(21)  评论(0编辑  收藏  举报