Boneh-Franklin Identity-based Encryption

Symmetric bilinear groups
• $G = \langle g \rangle$, $g^p = 1$
• $e: G \times G \to G_t$
• Bilinear, i.e. $e(u^a, v^b) = e(u, v)^{ab}$
• Non-degenerate: $e(g, g)$ generates $G_t$
• Efficiently computable

Underlying hard problem
• Diffie-Hellman Problem: given $g, g^a, g^b$, find $g^{ab}$
• Bilinear Diffie-Hellman Problem: with bilinear $e: G_1 \times G_2 \to G_t$, given $g, g^r, g^s, g^t$, find $e(g, g)^{rst}$
• Security parameters need to protect against discrete log attacks in multiple groups
• Boneh-Franklin IBE uses the BDHP in the most simple and straightforward way possible

BasicIdent: who has what?
Quantity | Sender | Recipient
• $s$ (master secret)
• $t$
• $r$ (sender random)
• $g$ (public)
• $g^t$ (identity)
• $g^{st}$ (private key)
• $g^r$ (sender calculates)
• $g^s$ (public)
• $g^{rt}$
Send $g^r$ to recipient to let him compute $e(g, g)^{rst}$

Chosen-ciphertext security
• If we just use $c = m \oplus H_2(e(g^{rt}, g^s))$, the system is vulnerable to a chosen-ciphertext attack
• $H_2(e(g^{rt}, g^s))$ is not a function of the plaintext
• Attacker has $(g^r, c)$, decrypts $(g^r, c')$ where $c' = c \oplus e$ to get $m'$
• Then he can recover $m = m' \oplus e$
• Fujisaki-Okamoto transform adds chosen-ciphertext security
• This is the scheme that we discuss in the following

BF-IBE (FullIdent)
• Assume that identities are bit strings of arbitrary length and messages to be encrypted are of length $l$
• Also need four cryptographic hash functions
• $H_1: \{0, 1\}^* \to G$, for hashing an identity
• $H_2: G_t \to \{0, 1\}^l$, to XOR with a session key
• $H_3: \{0, 1\}^l \times \{0, 1\}^l \to Z_p$, for deriving a blinding coefficient
• $H_4: \{0, 1\}^l \to \{0, 1\}^l$, to XOR with plaintext

BF-IBE
Boneh-Franklin IBE comprises four algorithms:
• Setup
• Extract
• Encrypt
• Decrypt

BF-IBE: Setup
• Select random $Z_p$
• Set $g_{pub} = g$
• Set params $= (g, g_{pub}) \in G^2$
• Set master key =

BF-IBE: Extract
• To generate a private key $d_{ID}$ for an identity $ID \in \{0, 1\}^*$ using the master key
• The trusted authority computes $h_{ID} = H_1(ID)$ and $d_{ID} = (h_{ID})$ in $G$
• The private key is the group element $d_{ID} \in G$

BF-IBE: Encrypt
To encrypt a message $M \in \{0, 1\}^l$ for a recipient with identity $ID \in \{0, 1\}^*$, the sender does the following:
• Picks a random $s \in \{0, 1\}^l$
• Calculates $r = H_3(s, M)$
• Computes $h_{ID} = H_1(ID)$
• Computes $y_{ID} = e(h_{ID}, g_{pub})$
• Outputs ciphertext $C = (g^r, s \oplus H_2(y_{ID}^r), M \oplus H_4(s)) \in G \times \{0, 1\}^l \times \{0, 1\}^l$

BF-IBE: Decrypt
To decrypt a given ciphertext $C = (u, v, w)$ using the private key $d_{ID}$, the recipient does the following:
• Computes $v \oplus H_2(e(u, d_{ID})) = s$
• Computes $w \oplus H_4(s) = M$
• Computes $H_3(s, M) = r$
• If $g^r \neq u$, the ciphertext is rejected
• Otherwise outputs $M \in \{0, 1\}^l$ as the decryption of C
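
The Encrypt and Decrypt steps above, as an added Python example that is not part of the original slides, showing the final check in Decrypt rejecting a modified ciphertext that an unchecked decryption would accept. Assumptions: every group element is stored as its exponent, so the pairing is plain multiplication mod P and the model has no security at all; P = 2^127 - 1 stands in for p; H1 to H4 are tagged SHA-256; the master key, whose symbol the slides do not show, is named alpha and used as in the standard Boneh-Franklin scheme (g_pub = g^alpha, d_ID = h_ID^alpha).

```python
import hashlib, secrets

# Toy model, NOT secure: a group element g^x is stored as its exponent x mod P,
# and the pairing value e(g^x, g^y) = e(g, g)^(xy) as the exponent x*y mod P.
P = 2**127 - 1          # a known prime, standing in for the group order p
L = 16                  # message length l, in bytes

def _h(tag, *parts, n=L):
    return hashlib.sha256(tag + b"".join(parts)).digest()[:n]

def _zp(b):             # map hash bytes to a nonzero element of Z_p
    return int.from_bytes(b, "big") % (P - 1) + 1

def H1(ident): return _zp(_h(b"H1", ident, n=32))          # identity -> G
def H2(gt):    return _h(b"H2", gt.to_bytes(16, "big"))    # Gt -> {0,1}^l
def H3(s, m):  return _zp(_h(b"H3", s, m, n=32))           # -> Z_p
def H4(s):     return _h(b"H4", s)                         # {0,1}^l -> {0,1}^l
def e(x, y):   return x * y % P                            # toy pairing
def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))

def setup():
    alpha = secrets.randbelow(P - 1) + 1    # master key (name is an assumption)
    return alpha, alpha                     # (master key, g_pub = g^alpha)

def extract(alpha, ident):
    return H1(ident) * alpha % P            # d_ID = h_ID^alpha

def encrypt(g_pub, ident, m):
    assert len(m) == L
    s = secrets.token_bytes(L)
    r = H3(s, m)
    y = e(H1(ident), g_pub)
    return r, xor(s, H2(y * r % P)), xor(m, H4(s))   # (g^r, v, w)

def decrypt(d_id, c, check=True):
    u, v, w = c
    s = xor(v, H2(e(u, d_id)))
    m = xor(w, H4(s))
    if check and H3(s, m) != u:             # g^r != u: reject
        return None
    return m

if __name__ == "__main__":                  # constructed identity and message
    mk, g_pub = setup()
    d = extract(mk, b"alice@example.com")
    u, v, w = encrypt(g_pub, b"alice@example.com", b"sixteen byte msg")
    delta = bytes([1]) + bytes(L - 1)
    print(decrypt(d, (u, v, w)))                            # original message
    print(decrypt(d, (u, v, xor(w, delta)), check=False))   # m XOR delta
    print(decrypt(d, (u, v, xor(w, delta))))                # None: rejected
```

With `check=False` the decryption behaves like the unprotected variant: a ciphertext whose last component was XORed with a known value decrypts to the plaintext XORed with that value, which is the malleability the Fujisaki-Okamoto check removes.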