Identity Based Encryption
Based on a paper by Dan Boneh and Matthew Franklin
Presented by: Saar Ron

Outline
- Introduction to IBE
- Applications of IBE
- Definition of IBE
- Security Properties
- The Boneh-Franklin IBE Scheme
What is IBE?
IBE is a public-key encryption system in which an arbitrary string can be used as the public key.

History of IBE
- The concept was formulated by Adi Shamir in 1984.
- First usable IBE schemes in 2001:
  - Boneh and Franklin [Crypto 2001, SIAM J. of Computing 2003]
  - Cocks [IMA International Conference on Cryptography and Coding 2001]
An example of IBE (diagram)
- The sender's email is encrypted using the public key "alice@hotmail.com".
- Alice authenticates to the CA/PKG ("I am alice@hotmail.com") and receives her private key.
- The CA/PKG derives that private key from its master-key.
Applications of IBE
- Bob encrypts mail with pub-key = "alice@hotmail"
  - Easy to use: no need for Bob to look up Alice's cert
  - Bob can send mail to Alice even if Alice has no cert
- Bob encrypts with pub-key = "alice@hotmail || current-date"
  - Short-lived private keys: revocation + mobility
  - Bob can send mail to be read at a future date
- Credentials: embed user credentials in the public key
  - Encrypt with: "alice@hotmail || date || clearance=secret"
  - Alice can decrypt only if she has secret clearance on the given date
  - Easy to grant and revoke credentials at the PKG
Definition of IBE (1)
- Setup: input: a security parameter t; output: params and master-key
- Extract: input: params, master-key, and ID ∈ {0,1}*; output: d_ID (the private key for ID)

Definition of IBE (2)
- Encrypt: input: params, ID ∈ {0,1}*, M ∈ 𝓜 (the message space); output: C
- Decrypt: input: params, d_ID, C ∈ 𝓒 (the ciphertext space); output: M
Is the following RSA-based IBE scheme correct?
- Setup(t): randomly picks two t-bit primes p, q; params = 〈n = pq, H〉; master-key = 〈p, q〉
- Encrypt(〈n, H〉, ID, M) = M^H(ID) mod n
- Extract(〈n, H〉, 〈p, q〉, ID) = d_ID such that d_ID · H(ID) ≡ 1 (mod (p-1)(q-1))
- Decrypt(〈n, H〉, d_ID, C) = C^d_ID mod n
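To make the question on this slide concrete, here is an added worked example (not part of the original slides) of the RSA-based scheme with toy-sized primes. It assumes the standard RSA key relation d_ID · H(ID) ≡ 1 (mod (p-1)(q-1)) for Extract and uses a constructed H (SHA-256 reduced mod n, nudged until it is coprime to (p-1)(q-1)); both are assumptions, since the slide leaves H unspecified. The round trip works, but the example also shows the structural problem a reviewer would flag: one user's (H(ID), d_ID) pair yields a multiple of (p-1)(q-1), from which n is factored, so any single key holder recovers the PKG's master-key and with it every other user's key.

```python
import hashlib
import math
import random

# Constructed toy master-key: tiny primes so the numbers stay readable.
# (The structural flaw shown below does not depend on the key size.)
P, Q = 1009, 1013
N = P * Q                     # params: n = pq
PHI = (P - 1) * (Q - 1)       # (p-1)(q-1), known only to the PKG


def H(identity: str) -> int:
    """Assumed hash: SHA-256 of the ID reduced mod n, nudged to be a valid RSA exponent."""
    e = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N
    while e < 3 or math.gcd(e, PHI) != 1:
        e += 1
    return e


def extract(identity: str) -> int:
    """PKG step: d_ID with d_ID * H(ID) = 1 mod (p-1)(q-1); needs the master-key."""
    return pow(H(identity), -1, PHI)


def encrypt(identity: str, m: int) -> int:
    return pow(m, H(identity), N)        # M^H(ID) mod n


def decrypt(d_id: int, c: int) -> int:
    return pow(c, d_id, N)               # C^d_ID mod n


def factor_from_one_private_key(e: int, d: int, n: int, rng=random.Random(1)):
    """Why the scheme fails as an IBE: e*d - 1 is a multiple of (p-1)(q-1),
    which lets the key holder split n (textbook RSA fact) and so learn the master-key."""
    k = e * d - 1
    t, s = k, 0
    while t % 2 == 0:                    # write k = 2^s * t with t odd
        t //= 2
        s += 1
    while True:
        a = rng.randrange(2, n - 1)
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                     # this base only gives trivial roots of 1
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                   # x is a non-trivial square root of 1 mod n
                p = math.gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break
            x = y


if __name__ == "__main__":
    alice = "alice@hotmail.com"
    d_alice = extract(alice)
    print("round trip ok:", decrypt(d_alice, encrypt(alice, 424242)) == 424242)
    print("master-key recovered from Alice's key:",
          factor_from_one_private_key(H(alice), d_alice, N))
```

Each user's private key is an RSA decryption exponent for the shared modulus, so the PKG's secret is only as private as the least trustworthy key holder; this is the reason the slide's construction is not a usable IBE.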
Security properties of crypto schemes
- A formalization of the notion that no algorithm breaks the cryptosystem
- Defined via a game between an Adversary and a Challenger
- No polynomially bounded Adversary wins the game with non-negligible advantage

Security demands for IBE
- Semantic security against an adaptive chosen-ciphertext attack
- No polynomially bounded adversary wins the following game with non-negligible advantage
The Game (1)
- The Challenger
  - chooses a security parameter t and runs Setup
  - keeps the master-key
  - gives the Adversary params
- The Adversary issues m queries
  - extraction query 〈ID_i〉
  - decryption query 〈ID_i, C_i〉

The Game (2)
- The Adversary picks M_0, M_1 and a public key ID
- The Challenger picks a random b ∈ {0,1} and sends C = Encrypt(params, ID, M_b)
- The Adversary issues n additional queries
  - extraction query 〈ID_i〉
  - decryption query 〈ID_i, C_i〉

The Game (3)
- The Adversary outputs b'
- The Adversary wins if b = b'
- |Pr[the attacker wins] − ½| should be negligible

A weaker notion: Semantic Security
- Almost the same game, but with a small difference: the adversary is not allowed to use decryption queries
Bilinear maps (1)
- e : G1 × G1 → G2, where G1 and G2 are cyclic groups of prime order p
- Bilinear: for all x, y ∈ G1 and for all a, b ∈ Z_p, e(ax, by) = e(x, y)^ab

Bilinear maps (2)
- Non-degenerate: there exist x, y ∈ G1 such that e(x, y) ≠ 1_G2
- Computable: computing e(x, y) for any x, y ∈ G1 is efficient
The Boneh-Franklin IBE Scheme (1)
- Setup(t)
  - uses t to generate a prime q
  - generates cyclic groups G1, G2 of order q, and a bilinear map e : G1 × G1 → G2
  - chooses an arbitrary generator g ∈ G1
  - picks a random s ∈ Z_q* and sets P = sg
  - picks two cryptographic hash functions: H1 : {0,1}* → G1* and H2 : G2 → {0,1}^n

The Boneh-Franklin IBE Scheme (2)
- Setup(t), continued
  - message space 𝓜 = {0,1}^n
  - ciphertext space 𝓒 = G1* × {0,1}^n
  - params = 〈q, G1, G2, e, n, g, P, H1, H2〉
  - master-key = s
- Extract(ID): d_ID = s·H1(ID)

The Boneh-Franklin IBE Scheme (3)
- Encrypt(M)
  - chooses a random r ∈ Z_q*
  - C = 〈rg, M ⊕ H2(e(H1(ID), P)^r)〉
- Decrypt(C = (U, V)): V ⊕ H2(e(d_ID, U))
- Correctness, by bilinearity: e(sH1(ID), rg) = e(H1(ID), g)^sr = e(H1(ID), sg)^r = e(H1(ID), P)^r
The security assumption
- Bilinear Diffie-Hellman Problem (BDHP) in 〈G1, G2, e〉: given a generator g of G1 and three elements ag, bg, cg ∈ G1 for random a, b, c ∈ Z_p, compute e(g, g)^abc
- Security assumption: BDHP is hard

The security of BF-IBE
- It can be shown that there is a reduction from the BDHP to breaking BF-IBE in the Semantic Security model: an adversary that breaks BF-IBE can be turned into a BDHP solver
- The question: how can we improve BF-IBE so that this also holds in the Semantic Security Against an Adaptive Chosen Ciphertext Attack model?

The answer: the Fujisaki-Okamoto technique
- ε_pk(M): the encryption of M using the public key pk
- Fujisaki-Okamoto: if ε_pk(M) is a one-way encryption scheme, the hybrid scheme ε^hy_pk(M) = 〈ε_pk(σ; H3(σ, M)), H4(σ) ⊕ M〉 is secure in the Semantic Security Against an Adaptive Chosen Ciphertext Attack model

Improving BF-IBE (1)
- Setup(t): as before, except that params = 〈q, G1, G2, e, n, g, P, H1, H2, H3, H4〉
- Extract(ID): as before
Improving BF-IBE (2)
- Encrypt(M)
  - chooses a random σ ∈ {0,1}^n
  - r = H3(σ, M)
  - C = 〈rg, σ ⊕ H2(e(H1(ID), P)^r), M ⊕ H4(σ)〉
- Decrypt(C = (U, V, W))
  - σ = V ⊕ H2(e(d_ID, U))
  - M = W ⊕ H4(σ)
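The following is an added worked example, written for this page and not code from the Boneh-Franklin paper or from the slides, that runs both the basic scheme (Scheme (3) above) and the Fujisaki-Okamoto variant (Improving BF-IBE (1)-(2)) end to end. Because a real pairing needs elliptic-curve machinery, it substitutes a constructed toy bilinear map: G1 = (Z_q, +) with generator g, G2 = (Z_q, +) as well, and e(x, y) = x·y mod q, so the "exponentiation" e(x, y)^r of the slides becomes the scalar multiple r·e(x, y). That map is bilinear and non-degenerate but offers no security at all (a discrete log in G1 is a division), so the point of the example is the bookkeeping of Setup/Extract/Encrypt/Decrypt and the correctness chain e(sH1(ID), rg) = e(H1(ID), P)^r, not a usable cryptosystem. The hash functions H1-H4 are constructed from SHA-256, and Decrypt for the FO variant includes the re-derivation of r and the test U = rg from the paper, which the slide's Decrypt omits; that test is what turns a tampered ciphertext into a rejection rather than a decrypted garbage message.

```python
import hashlib
import secrets

# Constructed toy groups (NOT secure: discrete log in G1 is a modular division).
# G1 = (Z_q, +) with generator g; G2 = (Z_q, +), written additively, so the
# slides' e(x, y)^r is the scalar multiple r * e(x, y) here.
# e(x, y) = x*y mod q is bilinear (e(ax, by) = ab * e(x, y)) and non-degenerate (e(1, 1) = 1 != 0).
Q = 2**127 - 1          # prime group order q (a Mersenne prime)
N_BYTES = 16            # n: length of messages and of sigma, in bytes


def pairing(x, y):                    # e : G1 x G1 -> G2
    return (x * y) % Q


def g2_pow(z, r):                     # z^r in G2, i.e. r * z in additive notation
    return (z * r) % Q


def _hash_to_zq_star(tag, data):      # constructed hash into Z_q* (never 0)
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % (Q - 1) + 1


def H1(identity):                     # {0,1}* -> G1*
    return _hash_to_zq_star(b"H1", identity.encode())


def H2(z):                            # G2 -> {0,1}^n
    return hashlib.sha256(b"H2" + z.to_bytes(16, "big")).digest()[:N_BYTES]


def H3(sigma, m):                     # {0,1}^n x {0,1}^n -> Z_q*
    return _hash_to_zq_star(b"H3", sigma + m)


def H4(sigma):                        # {0,1}^n -> {0,1}^n
    return hashlib.sha256(b"H4" + sigma).digest()[:N_BYTES]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup(s=None, g=7):
    """Setup(t): master-key s in Z_q*; params carry g and P = s*g (the hashes are module-level)."""
    s = s if s is not None else secrets.randbelow(Q - 1) + 1
    return {"g": g, "P": (s * g) % Q}, s


def extract(s, identity):             # d_ID = s * H1(ID), computed by the PKG
    return (s * H1(identity)) % Q


def encrypt_basic(params, identity, m, r=None):
    """Scheme (3): C = <r*g, M xor H2(e(H1(ID), P)^r)>."""
    r = r if r is not None else secrets.randbelow(Q - 1) + 1
    g_id = pairing(H1(identity), params["P"])
    return ((r * params["g"]) % Q, xor(m, H2(g2_pow(g_id, r))))


def decrypt_basic(d_id, c):
    U, V = c
    return xor(V, H2(pairing(d_id, U)))   # e(d_ID, U) = e(H1(ID), P)^r by bilinearity


def encrypt(params, identity, m, sigma=None):
    """FullIdent: C = <r*g, sigma xor H2(e(H1(ID), P)^r), M xor H4(sigma)>, r = H3(sigma, M)."""
    assert len(m) == N_BYTES
    sigma = sigma if sigma is not None else secrets.token_bytes(N_BYTES)
    r = H3(sigma, m)
    g_id = pairing(H1(identity), params["P"])
    return ((r * params["g"]) % Q, xor(sigma, H2(g2_pow(g_id, r))), xor(m, H4(sigma)))


def decrypt(params, d_id, c):
    """Recover sigma, then M; re-derive r and reject unless U = r*g (consistency test from the paper)."""
    U, V, W = c
    sigma = xor(V, H2(pairing(d_id, U)))
    m = xor(W, H4(sigma))
    if (H3(sigma, m) * params["g"]) % Q != U:
        return None                       # wrong key or tampered ciphertext
    return m


def bilinearity_holds(x, y, a, b):
    return pairing((a * x) % Q, (b * y) % Q) == g2_pow(pairing(x, y), (a * b) % Q)


if __name__ == "__main__":
    params, s = setup()
    alice = "alice@hotmail.com"
    d_alice = extract(s, alice)
    msg = b"secret clearance"
    print("basic round trip:", decrypt_basic(d_alice, encrypt_basic(params, alice, msg)) == msg)
    c = encrypt(params, alice, msg)
    print("FO round trip:", decrypt(params, d_alice, c) == msg)
    print("Bob's key rejected:", decrypt(params, extract(s, "bob@hotmail.com"), c) is None)
```

With the basic scheme, Bob's key or a flipped ciphertext bit simply yields a different plaintext and nothing signals the problem; with the FO variant, the recomputed r no longer matches U and Decrypt returns None, which is the behaviour the chosen-ciphertext game requires.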
Open issues
- Authentication of the message receiver to the PKG (Private Key Generator)
- The IBE system is an escrowed system
- Key revocation
That's all, folks