boneh-franklin identity-based encryption. 2 symmetric bilinear groups g = ágñ, g p = 1 e: g g g t...
TRANSCRIPT
Boneh-FranklinIdentity-based Encryption
2
Symmetric bilinear groupsSymmetric bilinear groups
= g, gp = 1 e: t
Bilinear• i.e. e(ua, vb) = e(u, v)ab
Non-degenerate: e(g, g) generates t
Efficiently-computable
3
Underlying hard problemUnderlying hard problem
Diffie-Hellman Problem Given g, ga, gb, find gab
Bilinear Diffie-Hellman Problem Bilinear e: 1 2 t
Given g, gr, gs, gt, find e(g, g)rst
Security parameters need to protect against discrete log attacks in multiple groups
Boneh-Franklin IBE uses the BDHP in the most simple and straightforward way possible
4
BasicIdent: who has what?BasicIdent: who has what?
Quantity Sender Recipient
s (master secret)
t
r (sender random)
g (public)
gt (identity)
gst (private key)
gr (sender calculates)
gs (public)
grt
Send gr to recipient to let him compute e(g, g)rst
5
Chosen-ciphertext securityChosen-ciphertext security
If we just use c = m H2 (e(grt, gs)) the system is vulnerable to a chosen-ciphertext attack H2 (e(grt, gs)) not a function of the plaintext
Attacker has (gr, c), decrypts (gr, c’)
where c’ = c to get m’ Then he can recover m = m’ Fujisaki-Okamoto transform addschosen-ciphertext
security This is the scheme that we discuss in the following
6
BF-IBE (FullIdent)BF-IBE (FullIdent)
Assume that identities are bit strings of arbitrary length and messages to be encrypted are of length
Also need four cryptographic hash functions H1: {0, 1}*
• For hashing an identity
H2: t {0, 1}• To XOR with a session key
H3: {0, 1} {0, 1} p • For deriving a blinding coefficient
H4: {0, 1} {0, 1} • To XOR with plaintext
7
BF-IBEBF-IBE
Bohen-Franklin IBE comprises four algorithms: Setup Extract Encrypt Decrypt
8
BF-IBE: SetupBF-IBE: Setup
Select random p
Set gpub = g
Set params = (g, gpub) 2
Set maskerk =
9
BF-IBE: ExtractBF-IBE: Extract
To generate a private key dID for an identity
ID {0, 1}* using the master key The trusted authority computes hID = H1(ID)
and dID = (hID) in The private key is the group element dID
10
BF-IBE: EncryptBF-IBE: Encrypt
To encrypt a message M {0, 1}for a recipient with identity ID {0, 1}*, the sender does the following: Picks a random s {0, 1} Calculates r = H3(s, M)
Computes hID = H1(ID)
Computes yID = e(hID, gpub)
Outputs ciphertext C
C = (gr, s H2(yIDr), M H4(s)) {0, 1} {0, 1}
11
BF-IBE: DecryptBF-IBE: Decrypt
To decrypt a given ciphertext C = (u, v, w) using the private key dID, the recipient does the following: Computes v H2(e(u, dID)) = s
Computes w H4(s) = M
Computes H3(s, M) = r
If gr u, the ciphertext is rejected Otherwise outputs M {0, 1}as the decryption of C