fuzzy identity-based encryption - uni-bonn.de · identity-based encryption was proposed by adi...


Fuzzy Identity-Based Encryption

January 31, 2010

based on the paper of Amit Sahai and Brent Waters

Author: Guido Simon


Contents

I Introduction  1
  Abstract / Motivation  1
  Standard IBE  1
  Using biometrics in IBE  2
  Naming-Conventions  3
II Key Construction  4
  Shamir's Secret Sharing  5
  Bilinear Maps  5
  Key Generation (master key)  6
  Key Generation (private key)  6
  Collusion attacks  7
  Example  7
III En- / Decryption  7
  Encryption  7
  Decryption  8
  Explanation & Comments  8
  Key Construction 2  9
  Encryption 2  9
  Decryption 2  10
IV Security  10
  Decisional Bilinear Diffie-Hellman (BDH)  10
  Decisional Modified Bilinear Diffie-Hellman (MBDH)  10
  Fuzzy Selective-ID model  11
  Proof (for small universe scheme)  11
  Proof (for big universe scheme)  12
V Conclusion  12

Part I

Introduction

Abstract / Motivation

The goal of this document is to introduce the reader to a new type of Identity-Based Encryption (IBE), called "Fuzzy Identity-Based Encryption" (FIBE). The major difference between IBE and FIBE is that in FIBE the identity is a set of attributes. For a ciphertext encrypted for an identity ω, this scheme allows decryption with an identity ω′ if and only if the identities ω and ω′ are close enough to each other. The metric used here is the "set overlap" distance metric, so there is an error tolerance, later called d.

This construction makes the scheme suitable for biometric usage, because each time a biometric identity is sampled there will be differences between the samples, but if enough attributes are equal, two identities can be considered to be the same. In addition, this can also be used in a scenario called "attribute-based encryption", which makes only people with a certain set of attributes able to decrypt the ciphertext. For example, in a company someone wants to encrypt a message to people that have the following attributes: {"IT-Department", "Human Resources", "Administration"}, and only people that own enough of these attributes according to d can decrypt the message. Here it is a challenge to avoid collusion attacks, where a group of people decides to combine their attributes in order to obtain a set of attributes that is suitable to decrypt a message that they should not be able to read.

Standard IBE

The given paper argues in the context of the IBE scheme that was defined many years before, so let's do a brief introduction to this scheme:

Identity-based encryption was proposed by Adi Shamir in 1984. It is a type of public-key encryption in which the public key of a user is any unique information about the identity of the user, like an email address for example. The scheme allows any party to generate a public key from an identity. Then there has to be a trusted third party (a server) that will generate the private keys. This server is also called the Private Key Generator (PKG). In detail, the PKG first publishes a master public key and stores the corresponding master private key (master key). With the master public key, any party can compute a public key for an identity ID by combining the master public key with the identity value. To receive the corresponding private key, the recipient ID authenticates to the PKG, which uses the master private key to generate the private key for the ID.

As a result, parties can encrypt messages with no prior distribution of keys between participants. This is extremely useful in cases where pre-distribution of authenticated keys is inconvenient or infeasible. However, to decrypt messages, the authorized user must obtain the appropriate private key from the PKG. As a consequence the PKG must be highly trusted, as it is capable of generating any user's private key and may therefore decrypt messages without authorization.

It is an advantage that the prior key download only has to be done once; because of that the server may be an offline server, for example in a very secure environment.

The following diagram shows a visual description of the steps that are done [1]:

[Diagram of the IBE key distribution steps; not reproduced in this transcript]

Using biometrics in IBE

Using biometrics as unique identities in an IBE scheme has many advantages. First of all, the process of receiving the private key to decrypt a message is very natural, because authentication against the PKG server does not need any additional certificates or keys, but only the biometrics which a user always has with him. It is also a unique property of each person (if a suitable biometric was chosen), which is why it fits IBE schemes very well. Of course the biometric used as identity is not kept secret, since it is used as the public key, so there must be a way to ensure that someone who authenticates against the PKG does not use a forged biometric. That is why a user must demonstrate ownership of the biometric to a well-trained operator. The operator must be able to detect imitation attacks. Then the security of this phase is only limited by the quality of the biometric that is used.

[1] Source: Wikipedia

Naming-Conventions

Before looking at the details, we should have an overview of the symbols used and their meanings.

Symbol                   Meaning
ω                        identity used for encryption key generation
ω′                       identity used for decryption
d                        error tolerance on |ω ∩ ω′|
q(x)                     user's random polynomial of degree d − 1
G1                       bilinear group of prime order p with generator g
e : G1 → G2              bilinear map
κ                        security parameter (size of groups)
U                        universe of attributes; identities will be subsets of U
|U|                      for simplicity the first |U| elements of Zp
ti, y                    private key
Ti, Y                    public key
S                        d-element subset of ω ∩ ω′
s                        randomly chosen integer
lower case characters    ∈ G1
upper case characters    ∈ G2

Part II

Key Construction

The primary goal is to construct the user's private key as a set of key components, one component for each attribute of the user's identity. For that the scheme utilizes Shamir's Secret Sharing to distribute shares of a master secret in the exponents of the user's private key components. This gives the scheme the property of being error-tolerant, because only a subset of the private key components is needed to decrypt a message. To make the scheme resistant against collusion attacks, a different random polynomial is used per user; in that way a group of users will not be able to combine their private key components in any useful way.

Shamir's Secret Sharing

Shamir's Secret Sharing [2] was invented by Adi Shamir in 1979. It is used to split a secret over several instances, of which a defined subset is necessary to reconstruct the secret. In detail, there is a dealer who owns the secret to share. He chooses a polynomial of degree t − 1, and the constant term of the polynomial is the secret. Now he computes n ≥ t points of the polynomial and distributes them to the secret holders. To reconstruct a polynomial of degree t − 1 at least t points are needed. So with the parameter t the dealer can decide how many shareholders are needed to reconstruct the secret, and with n the number of possible shareholders.

For reconstruction usually Lagrange interpolation is used:

$$g(x) = \sum_i s_i \cdot \prod_{j \neq i} \frac{x - x_j}{x_i - x_j}$$
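As an added illustration (not code from the seminar paper or from Sahai and Waters), the following Python snippet implements the (t, n) secret sharing just described over Z_p: the dealer hides the secret in the constant term of a random polynomial of degree t − 1, hands out n points, and any t of them recover the secret by evaluating the Lagrange interpolation formula above at x = 0. The modulus P, the sample secret and the `rng` hook (which lets the dealer's random coefficients be fixed for a reproducible run) are constructed choices of this example.

```python
# Added example: Shamir's (t, n) secret sharing over Z_p with Lagrange
# interpolation.  Not part of the original paper.
import secrets

P = 2**127 - 1  # field modulus, a Mersenne prime (constructed choice)


def make_shares(secret, t, n, p=P, rng=secrets.randbelow):
    """Dealer: pick a random polynomial q of degree t-1 with q(0) = secret,
    evaluate it at x = 1..n and hand out the points (x, q(x))."""
    assert 1 <= t <= n < p and 0 <= secret < p
    coeffs = [secret] + [rng(p) for _ in range(t - 1)]   # q(0) is the secret

    def q(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

    return [(x, q(x)) for x in range(1, n + 1)]


def lagrange_interpolate(points, x, p=P):
    """Evaluate the unique polynomial of degree < len(points) through `points`
    at x:  g(x) = sum_i s_i * prod_{j != i} (x - x_j) / (x_i - x_j)  (mod p)."""
    total = 0
    for i, (xi, si) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + si * num * pow(den, -1, p)) % p   # division = modular inverse
    return total


def reconstruct(shares, p=P):
    """Secret holders: the secret is the shared polynomial's value at x = 0.
    With fewer than t shares this returns a value unrelated to the secret."""
    return lagrange_interpolate(shares, 0, p)


if __name__ == "__main__":
    shares = make_shares(12345, t=3, n=5)
    print(reconstruct(shares[:3]))                       # 12345
    print(reconstruct([shares[0], shares[2], shares[4]]))  # 12345, any 3 shares work
```

Because the dealer's coefficients beyond the constant term are uniformly random, any t − 1 shares are consistent with every possible secret, which is the property the fuzzy IBE construction later relies on when it hides the master secret y in the exponent.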

Bilinear Maps

Let G1, G2 be groups of prime order p, and g a generator of G1. G1 has a bilinear map e : G1 → G2 into G2 if the following conditions hold:

1. $\forall a, b : e(g^a, g^b) = e(g, g)^{ab}$

2. $e(g, g) \neq 1$

[2] Source: Wikipedia

Lagrange Coefficient

For the decryption step the Lagrange coefficient $\Delta_{i,S}$ is needed. For $i \in \mathbb{Z}_p$ and a set $S \subset \mathbb{Z}_p$ it is defined as follows:

$$\Delta_{i,S}(x) = \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j}$$

Key Generation (master key)

First a universe U of identity attributes needs to be defined. To get a unique mapping for each element of the universe we simply take the first |U| elements of $\mathbb{Z}_p^*$. These are the integers 1, ..., |U| (mod p). Then we choose $t_1, \dots, t_{|U|}$ uniformly at random from $\mathbb{Z}_p$. Now a y is chosen at random from $\mathbb{Z}_p$. Then the published public parameters are: $T_1 = g^{t_1}, \dots, T_{|U|} = g^{t_{|U|}}, \; Y = e(g, g)^y$.

The master key is: $t_1, \dots, t_{|U|}, y$.

Key Generation (private key)

For the encrypted message E and a public key ω′ we need to have a private key for the identity ω with |ω ∩ ω′| ≥ d.

To generate the key from ω the following steps are taken: a polynomial q of degree d − 1 is chosen at random with the only constraint that q(0) = y. Then the private key consists of

$(D_i)_{i \in \omega}$ where $D_i = g^{q(i)/t_i}$ for each $i \in \omega$.

This means that there is one private key component for each attribute of the identity. This is also the place where we would revoke keys, if something irregular had happened to our key.

Collusion attacks

A collusion attack would be possible if two or more users with different attributes combined their identities in order to get an identity that contains all attributes that were used for encryption. To avoid that danger, it is necessary to use a different polynomial q for each user in the system; then the attribute keys of the users will not fit together.

Example

Let's say the universe is {student = 1, computerscience = 2, crypto = 3, male = 4, female = 5}; then we choose the $t_i$ at random for each element of the universe: {t1 = 3, t2 = 5, t3 = 1, t4 = 7, t5 = 9}. Let's say the generator is g = 2 and p = 23. The public parameters are computed as follows: $T_1 = 2^3, T_2 = 2^5, T_3 = 2^1, T_4 = 2^7, T_5 = 2^9$.

The private parameters are computed by choosing a random polynomial $q(x) = y + 2x + 3x^2$ and then computing the private key components $D_i = \{D_1 = 2^{7/3}, D_2 = 2^{18/5}, \dots\}$.

Part III

En- / Decryption

Encryption

Input: public identity ω′, message M ∈ G2.

s ∈ Zp is chosen at random.

Then the ciphertext E is defined as $E = (\omega', E', \{E_i = T_i^s\}_{i \in \omega'})$ with $E' = M Y^s$.

Decryption

Now choose any d-element subset of ω ∩ ω′ and call it S.

$$\begin{aligned}
E' \Big/ \prod_{i \in S} \big(e(D_i, E_i)\big)^{\Delta_{i,S}(0)}
&= M e(g, g)^{sy} \Big/ \prod_{i \in S} \big(e(g^{q(i)/t_i}, g^{s t_i})\big)^{\Delta_{i,S}(0)} \\
&= M e(g, g)^{sy} \Big/ \prod_{i \in S} \big(e(g, g)^{s q(i)}\big)^{\Delta_{i,S}(0)} \\
&= M
\end{aligned}$$

Explanation & Comments

$E' = M Y^s$ and $Y = e(g, g)^y \;\rightarrow\; E' = M e(g, g)^{sy}$

$$\Delta_{i,S}(x) = \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j} \;\rightarrow\; \Delta_{i,S}(0) = \prod_{j \in S,\, j \neq i} \frac{-j}{i - j}$$

$$M e(g, g)^{sy} \Big/ \prod_{i \in S} \big(e(g^{q(i)/t_i}, g^{s t_i})\big)^{\Delta_{i,S}(0)}$$

use the bilinear map definition $\forall a, b : e(g^a, g^b) = e(g, g)^{ab}$:

$$M e(g, g)^{sy} \Big/ \prod_{i \in S} \big(e(g, g)^{\frac{q(i)}{t_i} \cdot s t_i}\big)^{\Delta_{i,S}(0)}
= M e(g, g)^{sy} \Big/ \prod_{i \in S} \big(e(g, g)^{q(i) s}\big)^{\Delta_{i,S}(0)}$$

use that $\prod_{i \in N} x^{i} = x^{\sum_{i \in N} i}$:

$$= M e(g, g)^{sy} \Big/ e(g, g)^{s \sum_{i \in S} q(i) \Delta_{i,S}(0)}$$

Now the polynomial interpolation takes place in the exponent:

$$\sum_{i \in S} q(i) \prod_{j \in S,\, j \neq i} \frac{-j}{i - j} \;\rightarrow\; q(0) \;\rightarrow\; y$$

insert into above:

$$\frac{M \, e(g, g)^{sy}}{e(g, g)^{sy}} = M \quad \square$$

In this construction the size of the public parameters (universe and t's) grows linearly with the number of possible attributes in the universe. There is a second proposed scheme that removes this disadvantage. Now the scheme uses all elements of $\mathbb{Z}_p^*$ as the universe and it only grows in the parameter n, which denotes the maximum size of an identity we can use for encryption. As an additional effect the usage of this large universe will allow us to use any string as attribute. For that we only need to apply a collision-resistant hash function $H : \{0,1\}^* \rightarrow \mathbb{Z}_p^*$ to map a string to the universe. The rest of the construction is similar to the one before:

Key Construction 2

Identities will be sets of n elements of $\mathbb{Z}_p^*$ (or strings as described above). Then choose $g_1 = g^y$ and $g_2 \in G_1$. Then choose $t_1, \dots, t_{n+1}$ uniformly at random from $G_1$. Let N be the set {1, ..., n + 1} and a function T is defined as:

$$T(x) = g_2^{x^n} \prod_{i=1}^{n+1} t_i^{\Delta_{i,N}(x)}$$

The function T(x) can be understood as the function $g_2^{x^n} g^{h(x)}$ for some polynomial h of degree n. Then the server's public key is $g_1, g_2, t_1, \dots, t_{n+1}$ and the server's private key is y.

Now to generate a private key for an identity ω the following steps need to be taken: randomly generate a polynomial q of degree d − 1 with, as before, q(0) = y. The private key consists of two sets: the first set $\{D_i\}_{i \in \omega}$ is constructed by $D_i = g_2^{q(i)} \, T(i)^{r_i}$, where $r_i$ is random from $\mathbb{Z}_p$ for each i ∈ ω. The second set $\{d_i\}_{i \in \omega}$ is constructed by $d_i = g^{r_i}$.

Encryption 2

For encryption again a public key ω′ and a message M ∈ G2 are given. Then a random value s ∈ Zp is chosen and the ciphertext is:

$$E = \big(\omega', \; E' = M e(g_1, g_2)^s, \; E'' = g^s, \; \{E_i = T(i)^s\}_{i \in \omega'}\big)$$

Decryption 2

Preparation for decryption is the same as before, but now

$$\begin{aligned}
M &= E' \prod_{i \in S} \left(\frac{e(d_i, E_i)}{e(D_i, E'')}\right)^{\Delta_{i,S}(0)} \\
&= M e(g_1, g_2)^s \prod_{i \in S} \left(\frac{e(g^{r_i}, T(i)^s)}{e(g_2^{q(i)} \, T(i)^{r_i}, g^s)}\right)^{\Delta_{i,S}(0)} \\
&= M e(g_1, g_2)^s \prod_{i \in S} \left(\frac{e(g^{r_i}, T(i)^s)}{e(g_2^{q(i)}, g^s) \, e(T(i)^{r_i}, g^s)}\right)^{\Delta_{i,S}(0)} \\
&= M e(g, g_2)^{ys} \prod_{i \in S} \left(\frac{1}{e(g, g_2)^{q(i) s \Delta_{i,S}(0)}}\right) \\
&= M
\end{aligned}$$

Part IV

Security

The Fuzzy IBE scheme is proven secure by reducing it to the hardness of the Decisional MBDH assumption in a Selective-ID model. To understand the proof we need a few definitions:

Decisional Bilinear Diffie-Hellman (BDH)

Suppose a challenger chooses a, b, c, z ∈ Zp at random. The Decisional BDH assumption is that no polynomial-time adversary is able to distinguish the tuple $(A = g^a, B = g^b, C = g^c, Z = e(g, g)^{abc})$ from the tuple $(A = g^a, B = g^b, C = g^c, Z = e(g, g)^z)$ with more than a negligible advantage.

Decisional Modified Bilinear Diffie-Hellman (MBDH)

Suppose a challenger chooses a, b, c, z ∈ Zp at random. The Decisional MBDH assumption is that no polynomial-time adversary is able to distinguish the tuple $(A = g^a, B = g^b, C = g^c, Z = e(g, g)^{abc})$ from $(A = g^a, B = g^b, C = g^c, Z = e(g, g)^z)$ with more than a negligible advantage.

Fuzzy Selective-ID model

Init: The adversary declares the identity, α, that he wishes to be challenged upon.

Setup: The challenger runs the setup phase of the algorithm and tells the adversary the public parameters.

Phase 1: The adversary is allowed to issue queries for private keys for many identities, γj, where |γj ∩ α| < d for all j.

Challenge: The adversary submits two equal-length messages M0, M1. The challenger flips a random coin, b, and encrypts Mb with α. The ciphertext is passed to the adversary.

Phase 2: Phase 1 is repeated.

Guess: The adversary outputs a guess b′ of b.

The advantage of an adversary A in this game is defined as $\Pr[b' = b] - \tfrac{1}{2}$.

Proof (for small universe scheme)

Suppose there exists a polynomial-time adversary A that can attack our scheme in the Selective-ID model with advantage ε. We build a simulator B that can play the Decisional MBDH game with advantage ε/2. The simulation proceeds as follows:

We first let the challenger set the groups G1 and G2 with an efficient bilinear map e and generator g. The challenger flips a fair binary coin µ outside of B's view. If µ = 0, the challenger sets $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^{abc})$, otherwise he sets $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^z)$ for random a, b, c, z. We assume the universe U is defined.

Then the Fuzzy Selective-ID model is played as visualized below, and one can prove that there is only an advantage of ε for an adversary, which is only of marginal size. Following from this the scheme can be considered secure. For more information see the full proof [3].

[3] See page 8 of the paper

Proof (for big universe scheme)

As above, but the challenger sets $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^{abc})$ if µ = 0, otherwise $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^z)$ for random a, b, c, z [4].

[4] See page 12 of the paper

Part V

Conclusion

We have seen a scheme that is capable of encrypting messages for people without prior key exchange. The only information needed is the other user's public identity. Identities are limited by the requirement that they have to be unique per user. Further, the identity consists of attributes, which may be arbitrary strings, but they are also suitable to be used with biometric attributes, because an error tolerance is included in the scheme. Error tolerance means that the identity that was used for encryption does not need to be exactly the same as the one used for decryption, but they have to be equal in "sufficiently many" attributes. The scheme relies on the standard IBE scheme by Shamir and so there has to be a fully trusted server for private key generation and distribution, called the PKG. A user has to authenticate to the PKG in order to get the private key that is needed to decrypt messages. But how to authenticate securely with a biometric that is public information anyway? Unfortunately the authors do not have explicit proposals to solve this problem; they only require an "officer" to control the identification process. This officer must be well trained and he must be able to detect any attempt of manipulation or imitation of identities. This is also a problem for the standard IBE, where secret keys, certificates or passwords have to be used. In contrast to this, the real advantage of fuzzy IBE is that fingerprints (or other biometrics) are very handy to use, and available at any time. Using attribute values instead of biometric attributes, the error tolerance allows making information available for identities that have d of n attributes with d < n. It is also not really made clear which operations take place on the server side and which on the client side. This has to be decided by comparison to standard IBE.

Security is proven in the selective-ID model under the Decisional MBDH assumption, which can be viewed as a modified version of the Decisional Bilinear Diffie-Hellman assumption.

Open questions on the scheme are how to make it capable of having attributes that come from different authorities. In a biometric use case there will probably be only one authority, but in attribute-based systems there might be different authorities (like organisations within a company) that can issue attributes on an identity.

The paper talks about two metrics to measure the distance between identities: set overlap and Hamming distance. It is still an open problem to build other Fuzzy-IBE schemes that use different distance metrics for identities.