120 likes | 333 Views
Boneh-Franklin Identity-based Encryption. Symmetric bilinear groups. G = á g ñ , g p = 1 e : G G G t Bilinear i.e. e ( u a , v b ) = e ( u , v ) ab Non-degenerate: e ( g , g ) generates G t Efficiently-computable. Underlying hard problem. Diffie-Hellman Problem
E N D
Symmetric bilinear groups • G = ágñ, gp = 1 • e: G G Gt • Bilinear • i.e. e(ua, vb) = e(u, v)ab • Non-degenerate: e(g, g) generates Gt • Efficiently-computable
Underlying hard problem • Diffie-Hellman Problem • Given g, ga, gb, find gab • Bilinear Diffie-Hellman Problem • Bilinear e: G1 G2 Gt • Given g, gr, gs, gt, find e(g, g)rst • Security parameters need to protect against discrete log attacks in multiple groups • Boneh-Franklin IBE uses the BDHP in the most simple and straightforward way possible
BasicIdent: who has what? \Send grto recipient to let him compute e(g, g)rst
Chosen-ciphertext security • If we just use c = mÅ H2 (e(grt, gs)) the system is vulnerable to a chosen-ciphertext attack • H2 (e(grt, gs)) not a function of the plaintext • Attacker has (gr, c), decrypts (gr, c’) where c’ = cÅe to get m’ • Then he can recover m = m’ Åe • Fujisaki-Okamoto transform addschosen-ciphertext security • This is the scheme that we discuss in the following
BF-IBE (FullIdent) • Assume that identities are bit strings of arbitrary length and messages to be encrypted are of length l • Also need four cryptographic hash functions • H1: {0, 1}* G • For hashing an identity • H2: Gt {0, 1}l • To XOR with a session key • H3: {0, 1}l {0, 1}l Zp • For deriving a blinding coefficient • H4: {0, 1}l {0, 1}l • To XOR with plaintext
BF-IBE • Bohen-Franklin IBE comprises four algorithms: • Setup • Extract • Encrypt • Decrypt
BF-IBE: Setup • Select random w Î Zp • Set gpub = gw • Set params = (g, gpub) Î G2 • Set maskerk = w
BF-IBE: Extract • To generate a private key dID for an identity ID Î {0, 1}* using the master key w • The trusted authority computes hID = H1(ID) and dID= (hID)w in G • The private key is the group element dIDÎG
BF-IBE: Encrypt • To encrypt a message MÎ{0, 1}lfor a recipient with identity IDÎ {0, 1}*, the sender does the following: • Picks a random sÎ{0, 1}l • Calculates r = H3(s, M) • Computes hID = H1(ID) • Computes yID = e(hID, gpub) • Outputs ciphertext C C = (gr, sÅH2(yIDr), MÅH4(s)) ÎG {0, 1}l{0, 1}l
BF-IBE: Decrypt • To decrypt a given ciphertext C = (u, v, w) using the private key dID, the recipient does the following: • Computes vÅH2(e(u, dID)) = s • Computes wÅH4(s) = M • Computes H3(s, M) = r • If gr¹ u, the ciphertext is rejected • Otherwise outputs MÎ{0, 1}l as the decryption of C