1 / 11

Boneh-Franklin Identity-based Encryption

Boneh-Franklin Identity-based Encryption. Symmetric bilinear groups. G = á g ñ , g p = 1 e : G  G  G t Bilinear i.e. e ( u a , v b ) = e ( u , v ) ab Non-degenerate: e ( g , g ) generates G t Efficiently-computable. Underlying hard problem. Diffie-Hellman Problem

inga
Download Presentation

Boneh-Franklin Identity-based Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Boneh-FranklinIdentity-based Encryption

  2. Symmetric bilinear groups • G = ágñ, gp = 1 • e: G G  Gt • Bilinear • i.e. e(ua, vb) = e(u, v)ab • Non-degenerate: e(g, g) generates Gt • Efficiently-computable

  3. Underlying hard problem • Diffie-Hellman Problem • Given g, ga, gb, find gab • Bilinear Diffie-Hellman Problem • Bilinear e: G1 G2  Gt • Given g, gr, gs, gt, find e(g, g)rst • Security parameters need to protect against discrete log attacks in multiple groups • Boneh-Franklin IBE uses the BDHP in the most simple and straightforward way possible

  4. BasicIdent: who has what? \Send grto recipient to let him compute e(g, g)rst

  5. Chosen-ciphertext security • If we just use c = mÅ H2 (e(grt, gs)) the system is vulnerable to a chosen-ciphertext attack • H2 (e(grt, gs)) not a function of the plaintext • Attacker has (gr, c), decrypts (gr, c’) where c’ = cÅe to get m’ • Then he can recover m = m’ Åe • Fujisaki-Okamoto transform addschosen-ciphertext security • This is the scheme that we discuss in the following

  6. BF-IBE (FullIdent) • Assume that identities are bit strings of arbitrary length and messages to be encrypted are of length l • Also need four cryptographic hash functions • H1: {0, 1}*  G • For hashing an identity • H2: Gt  {0, 1}l • To XOR with a session key • H3: {0, 1}l  {0, 1}l  Zp • For deriving a blinding coefficient • H4: {0, 1}l  {0, 1}l • To XOR with plaintext

  7. BF-IBE • Bohen-Franklin IBE comprises four algorithms: • Setup • Extract • Encrypt • Decrypt

  8. BF-IBE: Setup • Select random w Î Zp • Set gpub = gw • Set params = (g, gpub) Î G2 • Set maskerk = w

  9. BF-IBE: Extract • To generate a private key dID for an identity ID Î {0, 1}* using the master key w • The trusted authority computes hID = H1(ID) and dID= (hID)w in G • The private key is the group element dIDÎG

  10. BF-IBE: Encrypt • To encrypt a message MÎ{0, 1}lfor a recipient with identity IDÎ {0, 1}*, the sender does the following: • Picks a random sÎ{0, 1}l • Calculates r = H3(s, M) • Computes hID = H1(ID) • Computes yID = e(hID, gpub) • Outputs ciphertext C C = (gr, sÅH2(yIDr), MÅH4(s)) ÎG {0, 1}l{0, 1}l

  11. BF-IBE: Decrypt • To decrypt a given ciphertext C = (u, v, w) using the private key dID, the recipient does the following: • Computes vÅH2(e(u, dID)) = s • Computes wÅH4(s) = M • Computes H3(s, M) = r • If gr¹ u, the ciphertext is rejected • Otherwise outputs MÎ{0, 1}l as the decryption of C

More Related