Biometric identity-based encryption (Bio-IBE) is a kind of fuzzy identity-based encryption (fuzzy IBE) where a ciphertext encrypted under an identity w' can be decrypted using a secret key corresponding to an identity w that is close to w' as measured by some metric. Recently, Yang et al. proposed a constant-size Bio-IBE scheme and proved that it is secure against adaptive chosen-ciphertext attack (CCA2) in the random oracle model. Unfortunately, in this paper we show that their Bio-IBE scheme is not even chosen-plaintext secure. Specifically, a user w, using his own secret key, is able to decrypt any ciphertext encrypted under an identity w' even though w is not close to w'.
Deep Dive into Security of a biometric identity-based encryption scheme.
To simplify the certificate management in traditional public key infrastructure, Shamir [1] first introduced the concept of identity-based cryptography in 1984. In this scenario, a user's public key is derived from his identity, e.g., his e-mail address, and his secret key is generated by a trusted third party called private key generator (PKG) who has knowledge of a master secret key. In 2001, the first two practical identity-based encryption (IBE) schemes were presented in [2] and [3], respectively.
The notion of fuzzy identity-based encryption (fuzzy IBE) was introduced by Sahai and Waters [4] in 2005, where each identity is viewed as a set of descriptive attributes. A fuzzy IBE scheme is very similar to a standard IBE scheme, except that a ciphertext encrypted under an identity w′ can be decrypted using the secret key associated with an identity w that is close to w′ as judged by some metric. The error-tolerance property of fuzzy IBE enables biometric attributes to be used as identities in an IBE scheme. In 2007, Burnett et al. [5] proposed the first biometric identity-based signature (Bio-IBS) scheme, where they used biometric information to construct the identity of a user. The first biometric identity-based encryption (Bio-IBE) scheme was proposed by Sarier [6] in 2008; it inherits the advantages of Burnett et al.'s Bio-IBS scheme. Subsequently, Sarier [7] presented an improved Bio-IBE scheme which is secure against a new type of denial-of-service attack. Recently, Yang et al. [8] presented a constant-size Bio-IBE scheme and proved that it is secure against adaptive chosen-ciphertext attack (CCA2) in the random oracle model. Unfortunately, in this paper we show that their scheme is not even chosen-plaintext secure.
The rest of this paper is organized as follows. Section 2 introduces the preliminaries required in this paper. In Section 3, we review Yang et al.'s Bio-IBE scheme. In Section 4, we present an attack on their Bio-IBE scheme. Finally, we conclude the paper in Section 5.
Let $G$ and $G_T$ be two groups with the same prime order $p$. A map $e : G \times G \to G_T$ is called a bilinear map if it satisfies the following three properties.
1. Bilinearity: For all $a, b \in \mathbb{Z}_p$ and $u, v \in G$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
2. Non-degeneracy: There exist $u, v \in G$ such that $e(u, v) \ne 1$.
3. Computability: There is an efficient algorithm to compute $e(u, v)$ for any $u, v \in G$.
As mentioned above, a Bio-IBE scheme is essentially a fuzzy IBE scheme, with the only difference that it uses a set of biometric attributes as a user’s identity. Therefore, a Bio-IBE scheme also consists of the following four algorithms [4]:
- Setup: Given a security parameter $k$, the PKG generates a master secret key $MSK$ and the public parameters $PP$, which contain a threshold $d$. The PKG publishes the public parameters $PP$ and keeps the master key $MSK$ secret.
- Extract: Given the public parameters $PP$, the master secret key $MSK$ and a user's biometric attribute set $w = (\mu_1, \ldots, \mu_n)$, the PKG generates a secret key $sk_w$ for the user.
- Encrypt: On input the public parameters $PP$, a message $m$ and a user's biometric attribute set
- Decrypt: On input the public parameters $PP$, a secret key $sk_w$ corresponding to the user $w$, and a ciphertext $C'$ encrypted under the set of attributes $w'$, it outputs the message if and only if $|w' \cap w| \ge d$.
The security notion for Bio-IBE proposed by Yang et al. [8] is indistinguishability of ciphertext under adaptive chosen ciphertext attack (IND-sID-CCA2). A weaker security notion proposed in [4] is indistinguishability of ciphertext under chosen plaintext attack (IND-sID-CPA). Its formal definition is based on the following game played between a challenger C and an adversary A.
- Init. The adversary $\mathcal{A}$ outputs a target attribute set $w$
The advantage of an adversary $\mathcal{A}$ in this game is defined as $|\Pr[b' = b] - 1/2|$.
Definition 1. A Bio-IBE scheme is IND-sID-CPA secure if there is no polynomial-time adversary that succeeds in the above game with a non-negligible advantage.
Fuzzy extraction is essential for many Bio-IBE schemes such as [6,7,8]. Let $M = \{0,1\}^k$ be a finite-dimensional metric space with a distance function $\mathrm{dis} : M \times M \to \mathbb{Z}^+$. An $(M, l, t)$ fuzzy extractor consists of the following two functions Gen and Rep: For two biometric attribute sets $w$ and $w'$, we assume that $\mathrm{dis}(b, b') \le t$ if $|w' \cap w| \ge d$, and thus we have $ID = ID'$, where $(b, ID)$ and $(b', ID')$ are extracted from $w$ and $w'$, respectively.
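To make the Gen/Rep contract above concrete, here is an added toy fuzzy extractor; it is not the paper's construction nor the extractor of [6,7,8]. It follows the well-known code-offset idea (a biometric reading is masked with a random codeword, the mask is published as helper data, and a noisy reading is corrected back to the original through the code), using Hamming distance as dis, a 5-fold repetition code as the error-correcting code, and SHA-256 standing in for the strong extractor that derives ID. The parameters REP, MSG_BITS and the sample reading are constructed for the example. It also shows the two sides of the guarantee: any reading within distance t is reproduced, while more than t flips inside one code block are not.

```python
import hashlib
import secrets

# Toy parameters (constructed for this example, not from the paper):
REP = 5              # repetition factor of the error-correcting code
MSG_BITS = 8         # information bits per codeword
K = REP * MSG_BITS   # biometric readings live in M = {0,1}^K
T = (REP - 1) // 2   # flips per block the majority vote tolerates; dis(b, b') <= T is always recoverable


def hamming(a, b):
    """Distance function dis on M: number of differing bit positions."""
    return sum(x != y for x, y in zip(a, b))


def encode(msg_bits):
    """Repetition code: each information bit is written REP times."""
    return [bit for bit in msg_bits for _ in range(REP)]


def decode(word):
    """Majority vote per block; corrects up to T flips inside every block."""
    return [1 if sum(word[i:i + REP]) * 2 > REP else 0 for i in range(0, len(word), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def extract(bits):
    """Stand-in for the strong extractor (assumption): hash the canonical reading."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def gen(b):
    """Gen(b) -> (ID, helper). The helper is b masked with a random codeword."""
    codeword = encode([secrets.randbits(1) for _ in range(MSG_BITS)])
    helper = xor(b, codeword)
    return extract(b), helper


def rep(b_prime, helper):
    """Rep(b', helper) -> ID. Unmask, correct errors, re-mask to recover b, then extract."""
    noisy_codeword = xor(b_prime, helper)
    codeword = encode(decode(noisy_codeword))
    b = xor(codeword, helper)
    return extract(b)


def flip(bits, positions):
    out = list(bits)
    for i in positions:
        out[i] ^= 1
    return out


def reproduces(b, positions):
    """True iff Rep on a reading that differs from b at `positions` yields the same ID as Gen(b)."""
    identity, helper = gen(b)
    return rep(flip(b, positions), helper) == identity


if __name__ == "__main__":
    reading = [i % 2 for i in range(K)]          # constructed enrolment reading b
    print("2 flips (dis <= T):", reproduces(reading, [0, 9]))
    print("3 flips in one block:", reproduces(reading, [0, 1, 2]))
```

The point for the scheme above is that ID depends only on the corrected reading b, so two readings of the same person produce the same identity whenever their distance stays within what the code corrects; the helper data is what is stored alongside the user's attributes.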
Let $\Delta_{i,S}(x) = \prod_{j \in S,\, j \ne i} \frac{x - j}{i - j}$ denote the Lagrange coefficient for $i \in \mathbb{Z}_p^*$ and a set $S$ of elements in $\mathbb{Z}_p^*$. Yang et al.'s Bio-IBE [8] is specified as follows.
Setup: Given a security parameter $k$, the PKG does:
Choose two groups $G$ and $G_T$ with the same prime order $p$, a bilinear map $e : G \times G \to G_T$ and a generator $g$ of $G$.
Pick $s \in \mathbb{Z}_p^*$ and $g_1 \in G$ uniformly at random, and set $g_2 = g^s$.
4. The public parameters are $PP = (G, G_T, e, g, g_1, g_2, d, H, H_1)$ and