Boneh-Franklin Identity Based Encryption Scheme

Parshuram Budhathoki
Department of Mathematics, Florida Atlantic University

28 March, 2013

Graduate Student Seminar, Department of Mathematics, FAU (03/28/2013)


Motivation:

Alice wants to send a message to Bob securely.


Private Key Cryptography (AES, DES)


Limitations:
• The key-distribution problem
• Key storage and secrecy
• Problem in open systems


Public Key Cryptography

In 1976, Whitfield Diffie and Martin Hellman


Public Key Private Key


Public Key


Before starting communication:
o Alice has to get Bob's public key.
o She has to verify that this public key is the correct one.
o So, she needs a chain of certificates.


In 1984 Adi Shamir suggested Identity Based Cryptography.

Public Key:
1. email id : [email protected]
2. phone : 561297-0bob
3. Address : 777 Glades Road


In 2001 Dan Boneh and Matthew Franklin proposed an encryption scheme.


Outline

• Identity Based Cryptography
• Pairing
• Hash functions
• Bilinear Diffie-Hellman problem
• BF encryption scheme


Identity Based Cryptography

Encryption Scheme:

1. Setup (Trust Authority): Security Parameter → Public Parameter (params), Master Key
2. Extract (Trust Authority): Identity, Master Key, params → Private Key
3. Encrypt: Message and params → Ciphertext
4. Decrypt: Private Key, Ciphertext, and params → Message


Secure ID-based encryption scheme:

GAME (between a Challenger and an Adversary)

• The Challenger uses the Setup algorithm to generate params and the Master Key (diagram: params is given to the Adversary; the Master Key stays with the Challenger).

• The Adversary issues $m$ queries:
  - extraction query $\langle ID_i \rangle$
  - decryption query $\langle ID_i, C_i \rangle$

• The Adversary picks $M_0$, $M_1$ and a public key $ID$.

• The Challenger picks a random $b \in \{0, 1\}$ and sends $C = \mathrm{Encrypt}(params, ID, M_b)$.

• The Adversary issues $m$ additional queries:
  - extraction query $\langle ID_i \rangle$
  - decryption query $\langle ID_i, C_i \rangle$

• The Adversary outputs $b'$.

• The Adversary wins if $b = b'$.

$|P(\text{the adversary wins}) - 1/2|$ should be negligible.

• Semantic security against an adaptive chosen ciphertext and ID attack: IND-ID-CCA


Pairing

• Asymmetric: $e : G_1 \times G_2 \to V$, $(P, Q) \mapsto e(P, Q)$
• Symmetric: $e : G \times G \to V$


Let $(G, +)$ and $(V, \cdot)$ denote cyclic groups of prime order $q$, and let $P \in G$ be a generator of $G$. A pairing $e : G \times G \to V$ is a map which satisfies the following properties:

1) Bilinearity: $\forall P, Q, R \in G$ we have

$e(P+R, Q) = e(P,Q)\, e(R,Q)$ and $e(P, R+Q) = e(P,R)\, e(P,Q)$

2) Non-degeneracy: There exist $P, Q \in G$ such that $e(P,Q) \neq 1$.

3) $e$ is efficiently computable.


Important property of bilinearity: $\forall P, R \in G$ and any integer $n$ we have

$e(nP, R) = e(P + P + \dots + P, R) = e(P,R)\, e(P,R) \cdots e(P,R) = e(P,R)^n = e(P, nR)$


Hash Functions:

[Figure: $H$ maps an input $x$ from a domain of any size to $H(x)$ in a range of fixed size; no inverse.]

• One way transformation

• Input := Any size, Output := Fixed size

• $H(x_1) \neq H(x_2)$ for $x_1 \neq x_2$, Collision free


Bilinear Diffie-Hellman Problem:

Let $G_1$ and $G_2$ be two groups of prime order $q$. Let $e : G_1 \times G_1 \to G_2$ be a pairing and let $P$ be a generator of $G_1$. The BDH problem in $\langle G_1, G_2, e \rangle$ is the computation of $e(P, P)^{abc}$ from $\langle P, aP, bP, cP \rangle$ for some $a, b, c \in \mathbb{Z}_q^*$.


Identity Based Encryption Scheme :

params : $\langle G_1, G_2, P, P_{pub}, e, H_1, H_2, \dots \rangle$ (Public)

[Diagram sequence, labels only: Alice, Bob, Trust Authority, [email protected], Any One.]


BF Identity based encryption scheme :

Setup (Trust Authority)

Security parameter: $k \in \mathbb{Z}^+$

Master Key := $s \in \mathbb{Z}_q^*$

$P_{pub} = sP$

Assume $H_1 : \{0,1\}^* \to G_1^*$ and $H_2 : G_2 \to \{0,1\}^n$

Message space = $\{0,1\}^n$

Ciphertext space = $G_1^* \times \{0,1\}^n$

params : $\langle G_1, G_2, P, P_{pub}, q, e, n, H_1, H_2 \rangle$


Encrypt (Alice)

To encrypt message $M$:
1. Compute $Q_{ID} = H_1(ID)$
2. Choose random $r \in \mathbb{Z}_q^*$
3. Ciphertext $C := \langle rP,\ M \oplus H_2(g_{ID}^r) \rangle$

where $g_{ID} = e(Q_{ID}, P_{pub}) \in G_2^*$

[Diagram: Alice sends $C := \langle rP,\ M \oplus H_2(g_{ID}^r) \rangle$ to Bob; Bob, holding $C$, contacts the Trust Authority as [email protected].]

Extract (Trust Authority)

After getting $ID \in \{0,1\}^*$:

1. Compute $Q_{ID} = H_1(ID) \in G_1^*$

2. Private Key $= d_{ID} = s\, Q_{ID}$


Decrypt (Bob)

Let $C = \langle U, V \rangle$, then by using private key $d_{ID}$:

$V \oplus H_2(e(d_{ID}, U)) = M$

Correctness of Decryption

$H_2(e(d_{ID}, U)) = H_2(e(s H_1(ID), rP))$

$= H_2(e(H_1(ID), P)^{sr})$

$= H_2(e(H_1(ID), sP)^r)$

$= H_2((g_{ID})^r)$

$V \oplus H_2(e(d_{ID}, U)) = M \oplus H_2((g_{ID})^r) \oplus H_2((g_{ID})^r)$

$= M$
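The Setup, Extract, Encrypt and Decrypt steps above, together with the bilinearity properties from the pairing slides, as an added Python example that is not part of the original slides. It assumes a toy symmetric pairing e(xP, yP) = g^(xy) mod p over constructed parameters q = 1019, p = 2039, g = 4; discrete logs in (Z_q, +) are trivial, so it shows the algebra only and has no security. All function names and the identity bob@example.com are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are both prime.
# Insecure by design: in G1 = (Z_q, +) the master key is just P_pub / P mod q.
Q, P_MOD, G = 1019, 2039, 4   # G = 4 has order q in Z_p^*
P = 1                         # generator P of G1; "aP" is a * P mod q
N = 16                        # message length n, in bytes

def e(x, y):
    """Toy symmetric pairing G1 x G1 -> G2: e(xP, yP) = G^(xy) mod p."""
    return pow(G, (x * y) % Q, P_MOD)

def H1(identity):
    """H1 : {0,1}* -> G1* (non-zero elements of Z_q)."""
    h = hashlib.sha256(b"H1" + identity.encode()).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)

def H2(g):
    """H2 : G2 -> {0,1}^n."""
    return hashlib.sha256(b"H2" + g.to_bytes(2, "big")).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """Trust Authority: master key s in Z_q^*, public P_pub = sP."""
    s = 1 + secrets.randbelow(Q - 1)
    return s, (s * P) % Q

def extract(s, identity):
    """Trust Authority: private key d_ID = s * Q_ID."""
    return (s * H1(identity)) % Q

def encrypt(p_pub, identity, msg):
    """Sender: C = <rP, M xor H2(g_ID^r)> with g_ID = e(Q_ID, P_pub)."""
    if len(msg) != N:
        raise ValueError("message must be exactly N bytes")
    r = 1 + secrets.randbelow(Q - 1)
    g_id = e(H1(identity), p_pub)
    return (r * P) % Q, xor(msg, H2(pow(g_id, r, P_MOD)))

def decrypt(d_id, ciphertext):
    """Receiver: M = V xor H2(e(d_ID, U))."""
    u, v = ciphertext
    return xor(v, H2(e(d_id, u)))

def demo():
    s, p_pub = setup()
    msg = b"meet at 10:00 am"   # constructed 16-byte sample message
    c = encrypt(p_pub, "bob@example.com", msg)
    return decrypt(extract(s, "bob@example.com"), c)
```

The construction on the slides is the basic scheme: V is an XOR pad with no integrity check, so a modified V decrypts to a correspondingly modified M, and the basic scheme on its own does not meet the IND-ID-CCA definition given earlier.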
