330 likes | 717 Views
Identity-Based Encryption form the Weil Pairing. Author : Dan Boneh Matthew Franklin. Presentered by Chia Jui Hsu Date : 2008-06-03. Setup generate params and master key. ID Bob is arbitrary and meaningful ex: Bob@hitmail.com or 0912345678.
E N D
Identity-Based Encryption form the Weil Pairing Author:Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date:2008-06-03
Setup generate params and master key IDBob is arbitrary and meaningful ex: Bob@hitmail.com or 0912345678 Private Key Generator (PKG) Extract generate KRIDBob by IDBob and master key Authentication (IDBob) KRIDBob Alice Bob (params, IDBob) KRIDBob Encrypt Decrypt or or Verify Sign
Outline • Introduction • Identity-Based Encryption Scheme • Chosen Ciphertext Security • Bilinear map • Bilinear Diffie-Hellman Assumption • BasicIdent • Conclusion • References
Introduction (1/2) • Identity-Based Encryption Scheme (IBE) has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem.
Introduction (1/2) • The system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map, and definition for secure identity based encryption schemes and give several applications for such systems.
Identity-Based Encryption Scheme (1/4) • IBE Scheme ε • Setup • Extract • Encrypt • Decrypt
Identity-Based Encryption Scheme (2/4) • Setup • takes a security parameter k and returns params (system parameters) and master-key. • The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator" (PKG).
Identity-Based Encryption Scheme (3/4) • Extract • takes as input params, master-key, and an arbitrary ID {0,1}*, and returns a private key d. • Extract algorithm extracts a private key from the given public key.
Identity-Based Encryption Scheme (4/4) • Encrypt • takes as input params, ID, and M M. It returns a ciphertext C C. • Decrypt • takes as input params, C C, and a private key d. It returns M M.
Chosen Ciphertext Security (1/6) • ε is semantically secure against an adaptive chosen ciphertext attack (IND-ID-CCA) if no polynomially bounded adversary A has a non-negligible advantage against the Challenger in the following IND-ID-CCA game
Chosen Ciphertext Security (2/6) • adversary A challenger C • Setup • C take security parameter k, and runs Setup Algorithm. • C keep master-key, and A get system parameter params.
Chosen Ciphertext Security (3/6) • Phase 1 • A issues query qi, i = 1~m • Extraction query (IDi) • C responds by running algorithm Extract to generate the private key di corresponding to the public key (IDi). It sends dito the A. • Decryption query (IDi,Ci) • C responds by running algorithm Extract to generate the private key di corresponding to IDi. It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di . It sends the resulting plaintext to the A.
Chosen Ciphertext Security (4/6) • Challenge • Once the A decides that Phase 1 is over it outputs two equal length plaintexts M0,M1 M and an identity ID on which it wishes to be challenged. The only constraint is that ID did not appear in any private key extraction query in Phase 1. • The C picks a random bit b {0,1} and sets C = Encrypt(params, ID,Mb). It sends C as the C to the adversary.
Chosen Ciphertext Security (5/6) • Phase2 • A issues query qi, i = m+1~n • Extraction query (IDi) where IDi≠ID. C respends as in Phase1. • Decryption query (IDi,Ci) where (IDi,Ci) ≠ (ID,C). C respends as in Phase1. • These queries may be asked adaptively as in Phase1.
Chosen Ciphertext Security (6/6) • Guess • Finally, the A outputs a guess b’ {0,1} and wins the game if b = b’. • We define A A's advantage in attacking the scheme ε as the following function of the security parameter k (k is given as input to the challenger): • Advε,A(k) = | Pr [ b = b’ ] - 1/2 |
Bilinear map(1/4) • Let G1 and G2 be two groups of order q for some large prime q. • bilinear map e : G1╳G1→G2 between these two groups.
Bilinear map(2/4) • Bilinear • We say that a map e : G1╳G1→G2 is bilinear if e(aP; bQ) = e(P;Q)ab for all P,Q G1 and all a, b Z. • Computable • There is an efficient algorithm to compute e(P,Q) for any P,Q G1.
Bilinear map(3/4) • Non-degenerate • The map does not send all pairs in G1╳G1 to the identity in G2. Observe that since G1,G2 are groups of prime order this implies that if P is a generator of G1 then e(P,P) is a generator of G2.
Bilinear map(4/4) • G = Z19*= { 1, 2, …, 18}n=18, generator g = 2
Bilinear Diffie-Hellman Assumption (1/2) • Given P, aP, bP, cP G1, compute e(P, P)abc is HARD! • The MOV reduction • Menezes, Okamoto, and Vanstone
Bilinear Diffie-Hellman Assumption (2/2) • show that the discrete log problem in G1 is no harder than the discrete log problem in G2. To see this, let P,Q G1 be an instance of the discrete log problem in G1 where both P,Q have order q. We wish to find an α Zq such that Q =αP. Let g = e(P, P) and h = e(Q,P). Then, by bilinearity of e we know that h = gα. By non-degeneracy of e both g,h have order q in G2. • Hence, we reduced the discrete log problem in G1 to a discrete log problem in G2.
BasicIdent • The basic idea underlying our IBE system we describe the following simple scheme, called BasicIdent. • Setup, Extract, Encrypt, Decrypt • Claim • | Pr [ c = c’ ] - 1/2 | ≧ε, random c {0,1}
Conclusion • Dan Boneh, 2001 • Zhe Wu,…, 2007
References • Identity-Based Encryption from the Weil Pairing, 2001 • http://zh.wikipedia.org/w/index.php?title=%E9%A6%96%E9%A1%B5&variant=zh-tw • http://www.cs.nctu.edu.tw/~rjchen/ECC2008/note.htm