
Identity Based Encryption

Identity Based Encryption. Based on a paper by Dan Boneh and Matthew Franklin. Presented by: Saar Ron.

manasa

Presentation Transcript


  1. Identity Based Encryption • Based on a paper by Dan Boneh and Matthew Franklin • Presented by: Saar Ron

  2. Outline • Introduction to IBE • Applications of IBE • Definition of IBE • Security Properties • The Boneh-Franklin IBE Scheme

  3. Outline • Introduction to IBE • Applications of IBE • Definition of IBE • Security Properties • The Boneh-Franklin IBE Scheme

  4. What is IBE? IBE is a public-key encryption system in which an arbitrary string can be used as the public key

  5. History of IBE • The concept was formulated by Adi Shamir in 1984 • First usable IBE schemes in 2001 • Boneh and Franklin [CRYPTO 2001, SIAM J. of Computing 2003] • Cocks [IMA International Conference on Cryptography and Coding 2001]

  6. An example of IBE • [Figure; labels: CA/PKG, master-key, “I am alice@hotmail.com”, Private key, email encrypted using public key: “alice@hotmail.com”]

  7. Outline • Introduction to IBE • Applications of IBE • Definition of IBE • Security Properties • The Boneh-Franklin IBE Scheme

  8. Applications of IBE
      • Bob encrypts mail with pub-key = “alice@hotmail”
        • Easy to use: no need for Bob to look up Alice’s cert
        • Bob can send mail to Alice even if Alice has no cert
      • Bob encrypts with pub-key = “alice@hotmail || current-date”
        • Short-lived private keys: revocation + mobility
        • Bob can send mail to be read at future date
      • Credentials: embed user credentials in public key
        • Encrypt with: “alice@hotmail || date || clearance=secret”
        • Alice can decrypt only if she has secret clearance on given date
        • Easy to grant and revoke credentials at PKG

  9. Outline • Introduction to IBE • Applications of IBE • Definition of IBE • Security Properties • The Boneh-Franklin IBE Scheme

  10. Definition of IBE (1)
      • Setup
        • input: a security parameter $t$
        • output: params and master-key
      • Extract
        • input: params, master-key, and $ID \in \{0,1\}^*$
        • output: $d_{ID}$

  11. Definition of IBE (2)
      • Encrypt
        • input: params, $ID \in \{0,1\}^*$, $M \in \mathcal{M}$
        • output: $C$
      • Decrypt
        • input: params, $d_{ID}$, $C \in \mathcal{C}$
        • output: $M$

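  12. Is the following RSA-based IBE scheme correct?
      • Setup ($t$)
        • randomly picks two $t$-bit primes $p$, $q$
        • params = $\langle n = pq, H \rangle$
        • master-key = $\langle p, q \rangle$
      • Encrypt ($\langle n, H \rangle$, $ID$, $M$) = $M^{H(ID)} \bmod n$
      • Extract ($\langle n, H \rangle$, $\langle p, q \rangle$, $ID$) = $d_{ID}$
        • such that $d_{ID} \cdot H(ID) = (p-1)(q-1) \bmod n$
      • Decrypt ($\langle n, H \rangle$, $ID$, $C$) = $C^{d_{ID}} \bmod n$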

  13. Outline • Introduction to IBE • Applications of IBE • Definition of IBE • Security Properties • The Boneh-Franklin IBE Scheme

  14. Security properties of Crypto schemes • Formalization of the notion that no algorithm breaks a crypto system • defined via a game between an Adversary and a Challenger • no polynomially bounded Adversary wins the game with non-negligible advantage

  15. Security demands for IBE • Semantic security against an adaptive chosen ciphertext attack • No polynomially bounded adversary wins the following game with non-negligible advantage

  16. The Game (1)
      • The Challenger
        • chooses a security parameter $t$ and runs Setup
        • keeps the master-key
        • gives the Adversary params
      • The Adversary issues $m$ queries
        • extraction query $\langle ID_i \rangle$
        • decryption query $\langle ID_i, C_i \rangle$

  17. The Game (2)
      • The Adversary picks $M_0$, $M_1$ and a public key $ID$
      • The Challenger picks a random $b \in \{0,1\}$ and sends $C = \mathrm{Encrypt}(\text{params}, ID, M_b)$
      • The Adversary issues $n$ additional queries
        • extraction query $\langle ID_i \rangle$
        • decryption query $\langle ID_i, C_i \rangle$

  18. The Game (3) • The Adversary outputs $b'$ • The Adversary wins if $b = b'$ • $\left|\Pr[\text{the attacker wins}] - \tfrac{1}{2}\right|$ should be negligible

  19. A weaker notion: Semantic Security • Almost the same game, but with a small difference: • The adversary is not allowed to use decryption queries

  20. Outline • Introduction to IBE • Applications of IBE • Definition of IBE • Security Properties • The Boneh-Franklin IBE Scheme

  21. Bilinear maps (1) • $e : G_1 \times G_1 \to G_2$ • $G_1$ and $G_2$ are cyclic groups of prime order $p$ • Bilinear Map • for all $x, y \in G_1$ and for all $a, b \in \mathbb{Z}_p$: $e(ax, by) = e(x, y)^{ab}$

  22. Bilinear maps (2) • Non-Degenerate • There exist $x, y \in G_1$ such that $e(x, y) \neq 1_{G_2}$ • Computable • computing $e(x, y)$ for any $x, y \in G_1$ is efficient

  23. The Boneh-Franklin IBE Scheme (1)
      • Setup ($t$)
        • uses $t$ to generate a prime $q$
        • generates cyclic groups $G_1$, $G_2$ of order $q$, and a bilinear map $e: G_1 \times G_1 \to G_2$
        • chooses an arbitrary generator $g \in G_1$
        • picks a random $s \in \mathbb{Z}_q^*$ and sets $P = sg$
        • picks two crypto hash functions: $H_1: \{0,1\}^* \to G_1^*$ and $H_2: G_2 \to \{0,1\}^n$

  24. The Boneh-Franklin IBE Scheme (2)
      • Setup ($t$)
        • $\mathcal{M} = \{0,1\}^n$
        • $\mathcal{C} = G_1^* \times \{0,1\}^n$
        • params = $q, G_1, G_2, e, n, g, P, H_1, H_2$
        • master-key = $s$
      • Extract ($ID$)
        • $d_{ID} = s H_1(ID)$

  25. The Boneh-Franklin IBE Scheme (3)
      • Encrypt ($M$)
        • chooses a random $r \in \mathbb{Z}_q^*$
        • $C = \langle rg,\ M \oplus H_2(e(H_1(ID), P)^r) \rangle$
      • Decrypt ($C = (U, V)$)
        • $V \oplus H_2(e(d_{ID}, U))$
        • $e(sH_1(ID), rg) = e(H_1(ID), g)^{sr} = e(H_1(ID), sg)^r = e(H_1(ID), P)^r$

  26. The security assumption • Bilinear Diffie-Hellman Problem (BDHP) in $\langle G_1, G_2, e \rangle$ • given a generator $g$ of $G_1$ and three elements $ag, bg, cg \in G_1$ for random $a, b, c$ in $\mathbb{Z}_p$, compute $e(g, g)^{abc}$ • Security Assumption: BDHP is hard

  27. The security of BF-IBE • It can be shown that there is a reduction between breaking the BF-IBE in the Semantic Security model and the BDHP problem • The question: How can we improve BF-IBE so this will be true in the Semantic Security Against an Adaptive Chosen Ciphertext Attack model?

  28. The answer: The Fujisaki-Okamoto technique • $\mathcal{E}_{pk}(M)$: the encryption of $M$ using the public key $pk$ • Fujisaki-Okamoto: If $\mathcal{E}_{pk}(M)$ is a one-way encryption scheme, the hybrid scheme $\mathcal{E}^{hy}_{pk}(M) = \langle \mathcal{E}_{pk}(\sigma; H_3(\sigma, M)),\ H_4(\sigma) \oplus M \rangle$ is secure in the Semantic Security Against an Adaptive Chosen Ciphertext Attack model

  29. Improving BF-IBE (1)
      • Setup ($t$)
        • As before
        • params = $q, G_1, G_2, e, n, g, P, H_1, H_2, H_3, H_4$
      • Extract ($ID$)
        • As before

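  30. Improving BF-IBE (2)
      • Encrypt ($M$)
        • chooses a random $\sigma \in \{0,1\}^n$
        • $r = H_3(\sigma, M)$
        • $C = \langle rg,\ \sigma \oplus H_2(e(H_1(ID), P)^r),\ M \oplus H_4(\sigma) \rangle$
      • Decrypt ($C = (U, V, W)$)
        • $\sigma = V \oplus H_2(e(d_{ID}, U))$
        • $M = W \oplus H_4(\sigma)$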

  31. Open issues • Authentication of the message receiver to the PKG (Private Key Generator) • The IBE system is an escrowed system • Key Revocation

  32. That's all, folks
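
The algorithms of slides 23-25 and the Fujisaki-Okamoto variant of slides 29-30, as an added Python example (not code from the presentation or from the Boneh-Franklin paper). It assumes a constructed toy pairing $e(x, y) = h^{xy} \bmod p$ over $G_1 = (\mathbb{Z}_q, +)$, which is bilinear but insecure, takes $U = rg$ as on slide 25, and adds the Fujisaki-Okamoto re-encryption check in `decrypt_full`, which the slides' Decrypt does not show. All function and constant names are illustrative, and messages are exactly `N` bytes.

```python
import hashlib
import secrets

# Toy pairing (constructed, INSECURE): G1 = (Z_q, +), G2 = order-q subgroup
# of Z_p^*, e(x, y) = h^(xy) mod p. Discrete logs in G1 are trivial here.
Q, PMOD, H, G, N = 1019, 2039, 4, 1, 16   # q, p = 2q+1, h, generator g, n bytes

def e(x, y):                               # e(ax, by) = e(x, y)^(ab)
    return pow(H, (x * y) % Q, PMOD)

def _hash(tag, data):
    return hashlib.sha256(tag + data).digest()

def _to_zq_star(digest):                   # map a digest into 1..q-1
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def H1(ident): return _to_zq_star(_hash(b"H1", ident.encode()))
def H2(gt): return _hash(b"H2", gt.to_bytes(2, "big"))[:N]
def H3(sigma, msg): return _to_zq_star(_hash(b"H3", sigma + msg))
def H4(sigma): return _hash(b"H4", sigma)[:N]
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def setup():                               # returns (P = s*g, master-key s)
    s = secrets.randbelow(Q - 1) + 1
    return s * G % Q, s

def extract(s, ident):                     # d_ID = s * H1(ID)
    return s * H1(ident) % Q

def encrypt_basic(P, ident, msg):          # slide 25
    r = secrets.randbelow(Q - 1) + 1
    return r * G % Q, xor(msg, H2(pow(e(H1(ident), P), r, PMOD)))

def decrypt_basic(d, c):
    U, V = c
    return xor(V, H2(e(d, U)))

def encrypt_full(P, ident, msg):           # slide 30, with U = r*g
    sigma = secrets.token_bytes(N)
    r = H3(sigma, msg)
    mask = H2(pow(e(H1(ident), P), r, PMOD))
    return r * G % Q, xor(sigma, mask), xor(msg, H4(sigma))

def decrypt_full(d, c):
    U, V, W = c
    sigma = xor(V, H2(e(d, U)))
    msg = xor(W, H4(sigma))
    if U != H3(sigma, msg) * G % Q:        # re-encryption check (added)
        raise ValueError("invalid ciphertext")
    return msg
```

Flipping a bit of `V` in a basic ciphertext flips the same bit of the decrypted message, whereas the full scheme rejects a modified `W`; with a group this small the check can be passed by chance about once in a thousand tries.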
