Boneh-Franklin
Identity-based Encryption
Symmetric bilinear groups


G = g, gp = 1
e: G  G  Gt

Bilinear
•


2
i.e. e(ua, vb) = e(u, v)ab
Non-degenerate: e(g, g) generates Gt
Efficiently-computable
Underlying hard problem

Diffie-Hellman Problem


Bilinear Diffie-Hellman Problem




3
Given g, ga, gb, find gab
Bilinear e: G1  G2  Gt
Given g, gr, gs, gt, find e(g, g)rst
Security parameters need to protect against discrete log
attacks in multiple groups
Boneh-Franklin IBE uses the BDHP in the most
simple and straightforward way possible
BasicIdent: who has what?
Quantity
Sender
Recipient
s (master secret)
t
r (sender random)

g (public)


gt (identity)



gst (private key)
gr (sender calculates)

gs (public)

grt


\ Send gr to recipient to let him compute e(g, g)rst
4
Chosen-ciphertext security

If we just use c = m H2 (e(grt, gs)) the system is
vulnerable to a chosen-ciphertext attack





5
H2 (e(grt, gs)) not a function of the plaintext
Attacker has (gr, c), decrypts (gr, c’)
where c’ = c  e to get m’
Then he can recover m = m’  e
Fujisaki-Okamoto transform adds chosen-ciphertext
security
This is the scheme that we discuss in the following
BF-IBE (FullIdent)


Assume that identities are bit strings of arbitrary
length and messages to be encrypted are of length l
Also need four cryptographic hash functions

H1: {0, 1}*  G
•

H2: Gt  {0, 1}l
•

For deriving a blinding coefficient
H4: {0, 1}l  {0, 1}l
•
6
To XOR with a session key
H3: {0, 1}l  {0, 1}l Zp
•

For hashing an identity
To XOR with plaintext
BF-IBE

Bohen-Franklin IBE comprises four algorithms:




7
Setup
Extract
Encrypt
Decrypt
BF-IBE: Setup




8
Select random Zp
Set gpub = g
Set params = (g, gpub) G2
Set maskerk = 
BF-IBE: Extract



9
To generate a private key dID for an identity
ID {0, 1}* using the master key 
The trusted authority computes hID = H1(ID)
and dID = (hID) in G
The private key is the group element dID  G
BF-IBE: Encrypt

To encrypt a message M  {0, 1}l for a recipient
with identity ID  {0, 1}*, the sender does the
following:





10
Picks a random s  {0, 1}l
Calculates r = H3(s, M)
Computes hID = H1(ID)
Computes yID = e(hID, gpub)
Outputs ciphertext C
C = (gr, s  H2(yIDr), M  H4(s))  G  {0, 1}l  {0, 1}l
BF-IBE: Decrypt

To decrypt a given ciphertext C = (u, v, w) using the
private key dID, the recipient does the following:





11
Computes v  H2(e(u, dID)) = s
Computes w  H4(s) = M
Computes H3(s, M) = r
If gr u, the ciphertext is rejected
Otherwise outputs M  {0, 1}las the decryption of
C