Presentation is loading. Please wait.

Presentation is loading. Please wait.

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Published byJaden Lane Modified over 11 years ago

Similar presentations

Presentation on theme: "Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:"— Presentation transcript:

1 Boneh-Franklin Identity-based Encryption

2 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate: e(g, g) generates G t Efficiently-computable

3 3 Underlying hard problem Diffie-Hellman Problem Given g, g a, g b, find g ab Bilinear Diffie-Hellman Problem Bilinear e: G 1 G 2 G t Given g, g r, g s, g t, find e(g, g) rst Security parameters need to protect against discrete log attacks in multiple groups Boneh-Franklin IBE uses the BDHP in the most simple and straightforward way possible

4 4 BasicIdent: who has what? QuantitySenderRecipient s (master secret) t r (sender random) g (public) g t (identity) g st (private key) g r (sender calculates) g s (public) g rt \ Send g r to recipient to let him compute e(g, g) rst

5 5 Chosen-ciphertext security If we just use c = m Å H 2 (e(g rt, g s )) the system is vulnerable to a chosen-ciphertext attack H 2 (e(g rt, g s )) not a function of the plaintext Attacker has (g r, c), decrypts (g r, c) where c = c Å e to get m Then he can recover m = m Å e Fujisaki-Okamoto transform adds chosen-ciphertext security This is the scheme that we discuss in the following

6 6 BF-IBE (FullIdent) Assume that identities are bit strings of arbitrary length and messages to be encrypted are of length l Also need four cryptographic hash functions H 1 : {0, 1}* G For hashing an identity H 2 : G t {0, 1} l To XOR with a session key H 3 : {0, 1} l {0, 1} l Z p For deriving a blinding coefficient H 4 : {0, 1} l {0, 1} l To XOR with plaintext

7 7 BF-IBE Bohen-Franklin IBE comprises four algorithms: Setup Extract Encrypt Decrypt

8 8 BF-IBE: Setup Select random w Î Z p Set g pub = g w Set params = (g, g pub ) Î G 2 Set maskerk = w

9 9 BF-IBE: Extract To generate a private key d ID for an identity ID Î {0, 1}* using the master key w The trusted authority computes h ID = H 1 (ID) and d ID = (h ID ) w in G The private key is the group element d ID Î G

10 10 BF-IBE: Encrypt To encrypt a message M Î {0, 1} l for a recipient with identity ID Î {0, 1} *, the sender does the following: Picks a random s Î {0, 1} l Calculates r = H 3 (s, M) Computes h ID = H 1 (ID) Computes y ID = e(h ID, g pub ) Outputs ciphertext C C = (g r, s Å H 2 (y ID r ), M Å H 4 (s)) Î G {0, 1} l {0, 1} l

11 11 BF-IBE: Decrypt To decrypt a given ciphertext C = (u, v, w) using the private key d ID, the recipient does the following: Computes v Å H 2 (e(u, d ID )) = s Computes w Å H 4 (s) = M Computes H 3 (s, M) = r If g r ¹ u, the ciphertext is rejected Otherwise outputs M Î {0, 1} l as the decryption of C

Download ppt "Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.

YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Identity Based Encryption

Identity Based Encryption
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Chapter3 Public-Key Cryptography and Message Authentication.

Chapter3 Public-Key Cryptography and Message Authentication.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Similar presentations

Ads by Google