Mihir Bellare, UCSD1

Identity-Based Encryptionand Pairings

Mihir Bellare, UCSD2

The People

Mihir Bellare, UCSD3

The Awards

Mihir Bellare, UCSD4

Example: I = bob@example.comReceiver has identity I

Receiver Bob

Sender Alice

Trusted Authority

certI

CM

certI

Receiver Bob

Sender Alice

Trusted Authority

skI

CM

I

PKE

IBE

Sender needs Receiver’s certificate before she can encryptTrusted authority (CA), given pk, provides receiver with a certificate certIReceiver generates her own key pair (pk,sk)

Sender only needs receiver’s identity I before she can encryptTrusted authority (CA), given I, provides receiver with a decryption key

Receiver generates nothing a priori

Mihir Bellare, UCSD5

P K

E

D

mpkmsk

M

C

sk

I

M

algorithmparameter generation

key generation

encryption

decryption

IBE = (P,K, E ,D)Syntax of an IBE scheme

mpk master public key

msk master secret key

I identity

sk secret (decryption) key for I

M message

C ciphertext

P

K

E

D

The correct decryption requirementfor identity I and message M asks that

Pr[D(mpk,K(mpk,msk, I), E(mpk, I,M)) = M ] = 1

Mihir Bellare, UCSD6

Security of an IBE scheme

IBE = (P,K, E ,D) is an IBE scheme.

AC $ E(mpk, I,M)

I

mpk

sk0 $ K(mpk,msk, I 0)

for any I 0 6= I

M = ?

Adversary A should be unable to figure out a message M encrypted to identity I, evengiven

• The master public key mpk

• The identity I

• The ciphertext C

• AND: Secret key sk0 for any identity I 0 6= I

Mihir Bellare, UCSD7

Security of an IBE scheme IBE = (P,K, E ,D) is an IBE scheme.

Let A be an adversary.

Advind-cpaIBE (A) = 2Pr[IND-CPAA

IBE ) true]� 1

b Challenge bitExI Set of exposed identitiesChI Set of challenge identitiesb0 A’s output, guess of b

Security requires that adversary can’t figure out whether left (b=0) or right (b=1) messages are encrypted for challenge identities.

Even when it is allowed to obtain the secret keys of non-challenge identities.

Game IND-CPAIBE

Initialize

(mpk,msk) $ P ; b $ {0, 1}ExI ; ; ChI ;Return mpk

Expose(I)

If (I 2 ChI) then return ?ExI ExI [ {I}sk $ K(mpk,msk, I)Return sk

LR(I,M0,M1)

If (I 2 ExI) then return ?ChI ChI [ {I}C $ E(mpk, I,Mb)Return C

Finalize(b0)

Return (b = b0)

Mihir Bellare, UCSD8

Building an IBE scheme

IBE = (P,K, E ,D) is an IBE scheme.

It is hard to find a way to build an IND-CPA-secure IBE scheme based on conventional number theory.

With RSA, let• mpk = (N,e)• msk = (N,d)• sk = ?• C = ?

Mihir Bellare, UCSD9

Pairings

We say that e is a pairing if the following are true:

• Bi-linearity: e(gx, gy) = e(g, g)xy for all x, y 2 Zp

• Non-degeneracy: e(g, g) is a generator of GT .

Let e : G⇥G ! GT be a function, where G,GT are groups whose order p is a prime. Letg be a generator of G.

Game BDHe,g

Initialize

a, b, c $ Zp

Return ga, gb, gc

Finalize(Z)

Return (Z = e(g, g)abc)

Advbdhe,g (A) = Pr[BDH

Ae,g ) true]

Pairings that appear to be BDH-secure can be built from the Weil and Tate pairings over elliptic curves.

Mihir Bellare, UCSD10

Mihir Bellare, UCSD11

Boneh-Franklin IBE scheme Algorithm Pmsk $ Zp ; mpk gmsk

Return (mpk,msk)

e : G⇥G ! GT a BDH-secure pairing

g a generator of Gp the order of G,GT

Identity I 2 {0, 1}⇤Message M 2 {0, 1}mFunction H : {0, 1}⇤ ! GFunction G : GT ! {0, 1}m

Let i be such that H(I) = gi

Proof of correct decryption requirement: from decryption algorithm

from encryption algorithm

because H(I) = gi

bi-linearity

from encryption algorithm

bi-linearity

Algorithm E(mpk, I,M)

r $ Zp ; R gr ; K e(mpk, H(I)r)

W G(K)�M ; Return (R,W )

Algorithm D(mpk, sk, (R,W ))

L e(R, sk) ; M G(L)�W ; Return M

Algorithm K(mpk,msk, I)

sk H(I)msk ; Return sk

Let I 2 {0, 1}⇤ be an identity.Let M 2 {0, 1}m be a messageLet sk = K(mpk,msk, I) = H(I)msk

Let (R,W ) $ E(mpk, I,M)We show that D(mpk, sk, (R,W )) = M

L = e(R, sk)

= e(gr, H(I)msk)

= e(gr, gi·msk)

= e(g, g)ri·msk

= e(gmsk, g

ir)

= e(mpk, H(I)r)

= K

Mihir Bellare, UCSD12

IBE features

Sender only needs receiver’s identity I before she can encrypt

``Trusted’’ authority can decrypt all ciphertexts for all identities

IBE issues

``Trusted’’ authority can decrypt all ciphertexts for all identities

A secure channel is needed to communicate sk from trusted authority to receiverRevocation is a pain

Compromise of server storing msk can result in adversary decrypting all ciphertexts for all identities

Mihir Bellare, UCSD13