1. 1 Identity-Based Encryption form the Weil Pairing Author ： Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date ： 2008-06-03

2. 2 Private Key Generator (PKG) BobAlice Authentication (ID Bob ) KR IDBob (params, ID Bob )KR IDBob ID Bob is arbitrary and meaningful ex: Bob@hitmail.com or 0912345678 Setup generate params and master key Extract generate KR IDBob by ID Bob and master key Encrypt Verify or Decrypt Sign or

3. 3 Outline Introduction Identity-Based Encryption Scheme Chosen Ciphertext Security Bilinear map Bilinear Diffie-Hellman Assumption BasicIdent Conclusion References

4. 4 Introduction (1/2) Identity-Based Encryption Scheme (IBE) has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem.

5. 5 Introduction (1/2) The system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map, and definition for secure identity based encryption schemes and give several applications for such systems.

6. 6 Identity-Based Encryption Scheme (1/4) IBE Scheme ε Setup Extract Encrypt Decrypt

7. 7 Identity-Based Encryption Scheme (2/4) Setup takes a security parameter k and returns params (system parameters) and master- key. The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator" (PKG).

8. 8 Identity-Based Encryption Scheme (3/4) Extract takes as input params, master-key, and an arbitrary ID {0,1}*, and returns a private key d. Extract algorithm extracts a private key from the given public key.

9. 9 Identity-Based Encryption Scheme (4/4) Encrypt takes as input params, ID, and M M. It returns a ciphertext C C. Decrypt takes as input params, C C, and a private key d. It returns M M.

10. 10 Chosen Ciphertext Security (1/6) ε is semantically secure against an adaptive chosen ciphertext attack (IND- ID-CCA) if no polynomially bounded adversary A has a non-negligible advantage against the Challenger in the following IND-ID-CCA game

11. 11 Chosen Ciphertext Security (2/6) adversary A challenger C Setup C take security parameter k, and runs Setup Algorithm. C keep master-key, and A get system parameter params.

12. 12 Chosen Ciphertext Security (3/6) Phase 1 A issues query q i, i = 1 ～ m Extraction query (ID i ) C responds by running algorithm Extract to generate the private key d i corresponding to the public key (ID i ). It sends d i to the A. Decryption query (ID i, C i ) C responds by running algorithm Extract to generate the private key d i corresponding to ID i. It then runs algorithm Decrypt to decrypt the ciphertext C i using the private key d i. It sends the resulting plaintext to the A.

13. 13 Chosen Ciphertext Security (4/6) Challenge Once the A decides that Phase 1 is over it outputs two equal length plaintexts M 0,M 1 M and an identity ID on which it wishes to be challenged. The only constraint is that ID did not appear in any private key extraction query in Phase 1. The C picks a random bit b {0,1} and sets C = Encrypt(params, ID,M b ). It sends C as the C to the adversary.

14. 14 Chosen Ciphertext Security (5/6) Phase2 A issues query q i, i = m+1 ～ n Extraction query (ID i ) where ID i ≠ID. C respends as in Phase1. Decryption query (ID i, C i ) where (ID i, C i ) ≠ (ID, C ). C respends as in Phase1. These queries may be asked adaptively as in Phase1.

15. 15 Chosen Ciphertext Security (6/6) Guess Finally, the A outputs a guess b’ {0,1} and wins the game if b = b’. We define A A's advantage in attacking the scheme ε as the following function of the security parameter k (k is given as input to the challenger): Advε, A (k) = | Pr [ b = b’ ] - 1/2 |

16. 16 Bilinear map(1/4) Let G 1 and G 2 be two groups of order q for some large prime q. bilinear map e : G 1 ╳ G 1 →G 2 between these two groups.

17. 17 Bilinear map(2/4) Bilinear We say that a map e : G 1 ╳ G 1 →G 2 is bilinear if e(aP; bQ) = e(P;Q) ab for all P,Q G 1 and all a, b Z. Computable There is an efficient algorithm to compute e(P,Q) for any P,Q G 1.

18. 18 Bilinear map(3/4) Non-degenerate The map does not send all pairs in G 1 ╳ G 1 to the identity in G 2. Observe that since G 1,G 2 are groups of prime order this implies that if P is a generator of G 1 then e(P,P) is a generator of G 2.

19. 19 Bilinear map(4/4) G = Z 19 * = { 1, 2, …, 18} n=18, generator g = 2

20. 20 Bilinear Diffie-Hellman Assumption (1/2) Given P, aP, bP, cP  G 1, compute e(P, P) abc is HARD ！ The MOV reduction Menezes, Okamoto, and Vanstone

21. 21 Bilinear Diffie-Hellman Assumption (2/2) show that the discrete log problem in G 1 is no harder than the discrete log problem in G 2. To see this, let P,Q G 1 be an instance of the discrete log problem in G 1 where both P,Q have order q. We wish to find an α Z q such that Q =αP. Let g = e(P, P) and h = e(Q,P). Then, by bilinearity of e we know that h = g α. By non-degeneracy of e both g,h have order q in G 2. Hence, we reduced the discrete log problem in G 1 to a discrete log problem in G 2.

22. 22 BasicIdent The basic idea underlying our IBE system we describe the following simple scheme, called BasicIdent. Setup, Extract, Encrypt, Decrypt Claim | Pr [ c = c’ ] - 1/2 | ≧ ε, random c {0,1}

23. 23 Conclusion Dan Boneh, 2001 Zhe Wu,…, 2007

24. 24 References Identity-Based Encryption from the Weil Pairing, 2001 http://zh.wikipedia.org/w/index.php?title= %E9%A6%96%E9%A1%B5&variant=zh- tw http://zh.wikipedia.org/w/index.php?title= %E9%A6%96%E9%A1%B5&variant=zh- tw http://www.cs.nctu.edu.tw/~rjchen/ECC2 008/note.htm http://www.cs.nctu.edu.tw/~rjchen/ECC2 008/note.htm