1. 1 Efficient Selective-ID IBE Without Random Oracle Dan Boneh Stanford University Xavier Boyen Voltage Security

2. 2 Identity Based Encryption ( IBE )  IBE: Public key encryption scheme where public key is an arbitrary string ( ID ).  Examples: user’s e-mail address, current-date, … email encrypted using public key: “alice@stanford.edu” I am “alice@stanford.edu” Private key master-key CA/PKG

3. 3 IBE System u IBE system is made up of 4 algorithms: setup:generate params and master-key, MK. keygen:given pub-key ID and master-key output priv-key, d ID Encrypt:using pub-key ID (and params ) Decrypt:using priv-key.  Main use of IBE: reduce need for online pub-key directory.

4. 4 Semantic Secure IBE systems [BF’01]  Semantic security when attacker has few private keys.  Def: Alg. A  -breaks IBE sem. sec. if Pr[b=b’] > ½ +   (t,  )-security: no t-time alg. can  -break IBE sem. sec. Challenger Run Setup Attacker params ID *, m 0, m 1  G b’  {0,1} C * = Enc( m b, ID *, params ) b  {0,1}, d ID2, d ID3, …, d IDn, ID 2, ID 3, …, ID n d ID1 Run KeyGen ID 1 ID i  ID *

5. 5 Selective-ID Secure IBE [CHK’03]  Def: Alg. A  -breaks IBE sem. sec. if Pr[b=b’] > ½ +  Challenger Run Setup Attacker params m 0, m 1  G b’  {0,1} C * = Enc( m b, ID *, params ) b  {0,1}, d ID2, d ID3, …, d IDn, ID 2, ID 3, …, ID n d ID1 Run KeyGen ID 1 ID i  ID * : pub-key to attack ID *,

6. 6 Known Results  BF’01: Full sem. sec. IBE system in RO model. Based on Comp. Bilinear-DH assumption. Extends to provide CCA2 in RO model.  CHK’03: Selective-ID Secure IBE without RO. Based on Decision Bilinear-DH assumption. Problem: bilinear map per bit of ID.  Current: ( two ) efficient Selective-ID secure IBE. No Random oracles. Based on Decision Bilinear-DH assumption. 0 pairings for enc. 2 pairings for dec.

7. 7 Bilinear maps (abstractly)  G, G 1 : finite cyclic groups of prime order q.  Def: An admissible bilinear map e: G  G  G 1 is: Bilinear: e(g a, g b ) = e(g,g) ab  a,b  Z, g  G Non-degenerate: g generates G  e(g,g) generates G 1. “Efficiently” computable.  Currently: examples from algebraic geometry where Dlog in G believed to be hard.

8. 8 Bilinear Diffie-Hellman Problems  Def: Alg. A  -solves Bilinear-DH in group G if: Pr[ A(g,h,g x,g y ) = e (g,h) xy ] >  where g,h  G and x,y  {1,…,q-1}.  Def: Alg. A  -solves Bilinear-DDH in group G if: Pr[ A(g,h,g x,g y, e (g,h) xy ) = 1 ] - Pr[ A(g,h,g x,g y, e (g,h) r ) = 1 ] | >  where g,h  G and x,y,r  {1,…,q-1}.

9. 9 Selective-ID IBE system  Setup: params = (g, g 1 =g x, g 2, h)  G 1 ; MK = g 2 x  KeyGen ( ID, MK ): given pub-key ID  {1,…,q} do: r  {1,…,q-1} ; d ID = ( MK  (g 1 ID h) r, g r )  Encrypt ( m, ID, ( g,g 1,g 2,h ) ): s  {1,…,q-1} ; C = ( m  e(g 1,g 2 ) s, g s, (g 1 ID h) s )  Decrypt (C, d ID ): C = (C 0, C 1, C 2 ) using d ID = (d 1, d 2 ) observe: e(C 1, d 1 ) / e(C 2, d 2 ) = e(g 1, g 2 ) s

10. 10 Security Theorem  Thm:  t-time alg. that  -breaks IBE sem. sec. in G   t-time alg. that  -solves bilinear-DDH in G. ~

11. 11 Proof Attacker ( g, g 1, g 2 =g x, g 3 =g y, R=e(g,g 1 ) z ) 1 if z=xy 0 if z rand Algorithm for Bilinear-DDH ID *  {1,…,q} params = ( g, g 1, g 2, h=g 1 -ID *  g  ) ID *  ID  {1,…,q} d ID = ( d 0, d 1 ) m 0, m 1  G C * = ( m b R, g 3, g 3  ) b’  {0,1} Unknown: MK = g 1 x d 0 =g 2 -  /(ID-ID * ) ( g 1 ID  h ) r, d 1 = g 2 -1/(ID-ID * )  g r

12. 12 Proof Attacker ( g, g 1, g 2 =g x, g 3 =g y, R=e(g,g 1 ) z ) Algorithm for Bilinear-DDH ID *  {1,…,q} params = ( g, g 1, g 2, h=g 1 -ID *  g  ) ID *  ID  {1,…,q} d ID = ( d 0, d 1 ) m 0, m 1  G C * = ( m b R, g 3, g 3  ) b’  {0,1} 1 if b=b’ 0 otherwise

13. 13 Applications  Our IBE + CHK’04  efficient CCA2 public-key system w/o Random Oracles from Bilinear-DDH: Enc: 3 exp.(4 exp. in CS) Dec: two pairings + 2exp.(2 exp. in CS) CT size: 3  |G| + one-time-sig.(4  |G| in CS)  Comparable to Cramer-Shoup (but a bit worse). Shorter CT using BB’04 short sigs w/o R.O.  2 nd system: one fewer bilinear maps for dec. Gives more efficient CCA2 public-key system.

14. 14 Extensions  Hierarchical IBE [LH’02, GS’02] System extends to give an efficient Selective-ID H-IBE without R.O. 2- HIBE + CHK’04  Efficient CCA2 Selective-ID IBE without R.O.  2 nd system: more efficient Selective-ID IBE. one fewer bilinear maps for dec. But, based on stronger assumption (DH-Inversion).  Recently [BB’04]: Full- IBE with no RO based on Bilinear-DDH.