1 Identity-Based Encryption from the Weil Pairing Authors: Dan Boneh, Matthew Franklin Presented by Chia Jui Hsu Date :
2 [Diagram: Private Key Generator (PKG), Bob, Alice. Labels: Authentication (ID_Bob); KR_IDBob; (params, ID_Bob); KR_IDBob.] ID_Bob is arbitrary and meaningful, ex: or. Setup: generate params and master key. Extract: generate KR_IDBob from ID_Bob and master key. Operations: Encrypt or Verify; Decrypt or Sign.
3 Outline Introduction Identity-Based Encryption Scheme Chosen Ciphertext Security Bilinear map Bilinear Diffie-Hellman Assumption BasicIdent Conclusion References
4 Introduction (1/2) Identity-Based Encryption Scheme (IBE) has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem.
5 Introduction (2/2) The system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. The paper also gives a definition of security for identity-based encryption schemes and several applications for such systems.
6 Identity-Based Encryption Scheme (1/4) An IBE scheme ε is specified by four algorithms: Setup, Extract, Encrypt, Decrypt.
7 Identity-Based Encryption Scheme (2/4) Setup takes a security parameter k and returns params (system parameters) and master-key. The system parameters will be publicly known, while the master-key will be known only to the "Private Key Generator" (PKG).
8 Identity-Based Encryption Scheme (3/4) Extract takes as input params, master-key, and an arbitrary ID ∈ {0,1}*, and returns a private key d. The Extract algorithm extracts a private key from the given public key.
9 Identity-Based Encryption Scheme (4/4) Encrypt takes as input params, ID, and M ∈ ℳ (the message space). It returns a ciphertext C ∈ 𝒞 (the ciphertext space). Decrypt takes as input params, C ∈ 𝒞, and a private key d. It returns M ∈ ℳ.
10 Chosen Ciphertext Security (1/6) ε is semantically secure against an adaptive chosen ciphertext attack (IND-ID-CCA) if no polynomially bounded adversary A has a non-negligible advantage against the challenger in the following IND-ID-CCA game.
11 Chosen Ciphertext Security (2/6) Players: adversary A, challenger C. Setup: C takes a security parameter k and runs the Setup algorithm. C keeps master-key, and A gets the system parameters params.
12 Chosen Ciphertext Security (3/6) Phase 1: A issues queries q_i, i = 1 ~ m. Extraction query (ID_i): C responds by running algorithm Extract to generate the private key d_i corresponding to the public key (ID_i). It sends d_i to A. Decryption query (ID_i, C_i): C responds by running algorithm Extract to generate the private key d_i corresponding to ID_i. It then runs algorithm Decrypt to decrypt the ciphertext C_i using the private key d_i. It sends the resulting plaintext to A.
13 Chosen Ciphertext Security (4/6) Challenge: Once A decides that Phase 1 is over, it outputs two equal-length plaintexts M_0, M_1 ∈ ℳ and an identity ID on which it wishes to be challenged. The only constraint is that ID did not appear in any private key extraction query in Phase 1. The challenger picks a random bit b ∈ {0,1} and sets C = Encrypt(params, ID, M_b). It sends C as the challenge to the adversary.
14 Chosen Ciphertext Security (5/6) Phase 2: A issues queries q_i, i = m+1 ~ n. Extraction query (ID_i) where ID_i ≠ ID: C responds as in Phase 1. Decryption query (ID_i, C_i) where (ID_i, C_i) ≠ (ID, C): C responds as in Phase 1. These queries may be asked adaptively as in Phase 1.
15 Chosen Ciphertext Security (6/6) Guess: Finally, A outputs a guess b' ∈ {0,1} and wins the game if b = b'. We define adversary A's advantage in attacking the scheme ε as the following function of the security parameter k (k is given as input to the challenger): Adv_{ε,A}(k) = | Pr[b = b'] − 1/2 |
16 Bilinear map (1/4) Let G_1 and G_2 be two groups of order q for some large prime q. The IBE system makes use of a bilinear map e : G_1 × G_1 → G_2 between these two groups.
17 Bilinear map (2/4) Bilinear: We say that a map e : G_1 × G_1 → G_2 is bilinear if e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G_1 and all a, b ∈ Z. Computable: There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G_1.
18 Bilinear map (3/4) Non-degenerate: The map does not send all pairs in G_1 × G_1 to the identity in G_2. Observe that since G_1, G_2 are groups of prime order, this implies that if P is a generator of G_1 then e(P, P) is a generator of G_2.
19 Bilinear map (4/4) G = Z_19^* = {1, 2, …, 18}, n = 18, generator g = 2
20 Bilinear Diffie-Hellman Assumption (1/2) Given P, aP, bP, cP ∈ G_1, computing e(P, P)^{abc} is HARD! The MOV reduction: Menezes, Okamoto, and Vanstone
21 Bilinear Diffie-Hellman Assumption (2/2) show that the discrete log problem in G_1 is no harder than the discrete log problem in G_2. To see this, let P, Q ∈ G_1 be an instance of the discrete log problem in G_1 where both P, Q have order q. We wish to find an α ∈ Z_q such that Q = αP. Let g = e(P, P) and h = e(Q, P). Then, by bilinearity of e, we know that h = g^α. By non-degeneracy of e, both g, h have order q in G_2. Hence, we reduced the discrete log problem in G_1 to a discrete log problem in G_2.
22 BasicIdent To explain the basic idea underlying our IBE system, we describe the following simple scheme, called BasicIdent. It is given by four algorithms: Setup, Extract, Encrypt, Decrypt. Claim: | Pr[c = c'] − 1/2 | ≧ ε, for random c ∈ {0,1}
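The bilinear-map slides and the BasicIdent slide, worked as a runnable sketch. This is an added example, not code from the paper or the presentation: the four algorithm bodies follow BasicIdent as defined in the Boneh-Franklin paper, while the pairing is a toy stand-in (G_1 = Z_q under addition, e(X, Y) = g^(XY) mod p) that is bilinear and non-degenerate but has a trivial discrete log in G_1, so it provides no security. The parameters q = 1019, p = 2039, g = 4 and all function names are assumptions of the example.

```python
import hashlib
import secrets

# Toy parameters (constructed for this example, trivially breakable):
# G_1 = (Z_q, +), G_2 = order-q subgroup of Z_p^*, p = 2q + 1.
q, p, g = 1019, 2039, 4

def pairing(X, Y):
    """Toy bilinear map e(X, Y) = g^(X*Y) in G_2. Not the Weil pairing."""
    return pow(g, (X * Y) % q, p)

def H1(identity):
    """Hash an identity string to a nonzero element of G_1."""
    digest = hashlib.sha256(b"H1" + identity.encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def H2(element, n):
    """Hash a G_2 element to an n-byte mask (n <= 32)."""
    return hashlib.sha256(b"H2" + element.to_bytes(2, "big")).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """Return (params, master_key); params = (P, P_pub) with P_pub = sP."""
    P = secrets.randbelow(q - 1) + 1
    s = secrets.randbelow(q - 1) + 1
    return (P, (s * P) % q), s

def extract(master_key, identity):
    """Private key d_ID = s * Q_ID, where Q_ID = H1(ID)."""
    return (master_key * H1(identity)) % q

def encrypt(params, identity, message):
    """C = (rP, M xor H2(e(Q_ID, P_pub)^r)) for random r in Z_q^*."""
    P, P_pub = params
    if len(message) > 32:
        raise ValueError("message longer than the H2 mask")
    r = secrets.randbelow(q - 1) + 1
    g_id = pairing(H1(identity), P_pub)
    return (r * P) % q, xor(message, H2(pow(g_id, r, p), len(message)))

def decrypt(private_key, ciphertext):
    """M = V xor H2(e(d_ID, U)); equals the mask above by bilinearity."""
    U, V = ciphertext
    return xor(V, H2(pairing(private_key, U), len(V)))
```

Decryption works because e(d_ID, U) = e(sQ_ID, rP) = e(Q_ID, sP)^r = e(Q_ID, P_pub)^r, which is exactly the bilinearity property from the Bilinear map (2/4) slide.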
23 Conclusion Dan Boneh, 2001 Zhe Wu,…, 2007
24 References Identity-Based Encryption from the Weil Pairing