Identity Based Encryption - PowerPoint PPT Presentation

Slides: 33
Provided by: csHu

1
Identity Based Encryption
  • Based on a paper by Dan Boneh and Matthew
    Franklin
  • Presented by Saar Ron

2
Outline
  • Introduction to IBE
  • Applications of IBE
  • Definition of IBE
  • Security Properties
  • The Boneh-Franklin IBE Scheme

3
Outline
  • Introduction to IBE
  • Applications of IBE
  • Definition of IBE
  • Security Properties
  • The Boneh-Franklin IBE Scheme

4
What is IBE?
  • IBE is a public-key encryption system in which an
    arbitrary string can be used as the public key

5
History of IBE
  • The concept was formulated by Adi Shamir in 1984
  • First usable IBE schemes in 2001
      • Boneh and Franklin: CRYPTO 2001, SIAM J. of
        Computing 2003
      • Cocks: IMA International Conference on
        Cryptography and Coding 2001

6
An example of IBE
[Figure: diagram with the labels CA/PKG and master-key]

7
Outline
  • Introduction to IBE
  • Applications of IBE
  • Definition of IBE
  • Security Properties
  • The Boneh-Franklin IBE Scheme

8
Applications of IBE
  • Bob encrypts mail with pub-key = "alice@hotmail"
      • Easy to use: no need for Bob to look up Alice's
        cert
      • Bob can send mail to Alice even if Alice has no
        cert
  • Bob encrypts with pub-key = "alice@hotmail ||
    current-date"
      • Short-lived private keys: revocation, mobility
      • Bob can send mail to be read at a future date
  • Credentials: embed user credentials in the public key
      • Encrypt with "alice@hotmail || date ||
        clearance=secret"
      • Alice can decrypt only if she has secret
        clearance on the given date
      • Easy to grant and revoke credentials at the PKG

9
Outline
  • Introduction to IBE
  • Applications of IBE
  • Definition of IBE
  • Security Properties
  • The Boneh-Franklin IBE Scheme

10
Definition of IBE (1)
  • Setup
      • input: a security parameter $t$
      • output: params and master-key
  • Extract
      • input: params, master-key, and $ID \in \{0,1\}^*$
      • output: $d_{ID}$

11
Definition of IBE (2)
  • Encrypt
      • input: params, $ID \in \{0,1\}^*$, $M \in \mathcal{M}$
      • output: $C$
  • Decrypt
      • input: params, $d_{ID}$, $C \in \mathcal{C}$
      • output: $M$

12
Is the following RSA based IBE scheme correct?
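  • Setup ($t$)
      • randomly picks two $t$-bit primes $p$, $q$
      • params = $\langle n = pq, H \rangle$
      • master-key = $\langle p, q \rangle$
  • Encrypt ($\langle n, H \rangle$, $ID$, $M$) $= M^{H(ID)} \bmod n$
  • Extract ($\langle n, H \rangle$, $\langle p, q \rangle$, $ID$) $= d_{ID}$
      • such that dID H(ID) (p-1)(q-1) mod n
  • Decrypt ($\langle n, H \rangle$, $ID$, $C$) $= C^{d_{ID}} \bmod n$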

13
Outline
  • Introduction to IBE
  • Applications of IBE
  • Definition of IBE
  • Security Properties
  • The Boneh-Franklin IBE Scheme

14
Security properties of Crypto schemes
  • Formalization of the notion that no algorithm
    breaks a crypto system
  • defined via a game between an Adversary and a
    Challenger
  • no polynomially bounded Adversary wins the game
    with non-negligible advantage

15
Security demands for IBE
  • Semantic security against an adaptive chosen
    ciphertext attack
  • No polynomially bounded adversary wins the
    following game with non-negligible advantage

16
The Game (1)
  • The Challenger
      • chooses a security parameter $t$ and runs Setup
      • keeps the master-key
      • gives the Adversary params
  • The Adversary issues $m$ queries
      • extraction query $\langle ID_i \rangle$
      • decryption query $\langle ID_i, C_i \rangle$

17
The Game (2)
  • The Adversary picks $M_0$, $M_1$ and a public key $ID$
  • The Challenger picks a random $b \in \{0,1\}$ and sends
    $C = \mathrm{Encrypt}(\mathit{params}, ID, M_b)$
  • The Adversary issues $n$ additional queries
      • extraction query $\langle ID_i \rangle$
      • decryption query $\langle ID_i, C_i \rangle$

18
The Game (3)
  • The Adversary outputs $b'$
  • The Adversary wins if $b = b'$
  • $P(\text{the attacker wins}) - \frac{1}{2}$ should be
    negligible

19
A weaker notion: Semantic Security
  • Almost the same game, but with a small
    difference
  • The adversary is not allowed to use decryption
    queries

20
Outline
  • Introduction to IBE
  • Applications of IBE
  • Definition of IBE
  • Security Properties
  • The Boneh-Franklin IBE Scheme

21
Bilinear maps (1)
  • $e: G_1 \times G_1 \to G_2$
  • $G_1$ and $G_2$ are cyclic groups of prime order $p$
  • Bilinear Map
      • for all $x, y \in G_1$ and for all $a, b \in Z_p$
      • $e(ax, by) = e(x, y)^{ab}$

22
Bilinear maps (2)
  • Non-Degenerate
      • There exists $x, y \in G_1$ such that $e(x,y) \neq 1_{G_2}$
  • Computable
      • computing $e(x,y)$ for any $x, y \in G_1$ is efficient

23
The Boneh-Franklin IBE Scheme (1)
  • Setup ($t$)
      • uses $t$ to generate a prime $q$
      • generates cyclic groups $G_1$, $G_2$ of order $q$, and a
        bilinear map $e: G_1 \times G_1 \to G_2$
      • chooses an arbitrary generator $g \in G_1$
      • picks a random $s \in Z_q$ and sets $P = sg$
      • picks two crypto hash functions $H_1: \{0,1\}^* \to G_1$
        and $H_2: G_2 \to \{0,1\}^n$

24
The Boneh-Franklin IBE Scheme (2)
  • Setup ($t$)
      • $\mathcal{M} = \{0,1\}^n$
      • $\mathcal{C} = G_1 \times \{0,1\}^n$
      • params = $\langle q, G_1, G_2, e, n, g, P, H_1, H_2 \rangle$
      • master-key = $s$
  • Extract ($ID$)
      • $d_{ID} = s H_1(ID)$

25
The Boneh-Franklin IBE Scheme (3)
  • Encrypt ($M$)
      • chooses a random $r \in Z_q$
      • $C = \langle rg, M \oplus H_2(e(H_1(ID), P)^r) \rangle$
  • Decrypt ($C = (U, V)$)
      • $V \oplus H_2(e(d_{ID}, U))$
  • $e(sH_1(ID), rg) = e(H_1(ID), g)^{sr} = e(H_1(ID), sg)^r
    = e(H_1(ID), P)^r$
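
Added example (not part of the presentation or of the Boneh-Franklin paper): Setup, Extract, Encrypt and Decrypt from the scheme slides above, run over a toy bilinear map so the algebra can be checked end to end. Assumptions: G1 is the additive group of integers mod q, G2 is the order-q subgroup of Z_p^*, the tiny parameters, the SHA-256 based H1/H2 and the sample identities are all constructed for illustration; this toy pairing has trivial discrete logs and gives no security.

```python
import hashlib, secrets

# Toy bilinear group, constructed for this example and NOT secure:
# G1 = (Z_q, +) with generator g = 1, G2 = order-q subgroup of Z_p^*,
# e(x, y) = h^(x*y) mod p. Discrete logs in this G1 are trivial.
Q, P_MOD, H = 1019, 2039, 4      # q prime, p = 2q + 1 prime, h of order q
G = 1                            # generator g of G1
N = 16                           # message length n, in bytes here

def e(x, y):
    """Bilinear map: e(a*x, b*y) == e(x, y)**(a*b) in G2."""
    return pow(H, (x * y) % Q, P_MOD)

def h1(identity):
    """H1: {0,1}* -> G1, mapped to a non-zero element."""
    d = hashlib.sha256(b"H1" + identity.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)

def h2(gt):
    """H2: G2 -> {0,1}^n."""
    return hashlib.sha256(b"H2" + str(gt).encode()).digest()[:N]

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def setup():
    s = 1 + secrets.randbelow(Q - 1)           # master-key s
    return (s * G) % Q, s                      # (P = s*g, s)

def extract(s, identity):
    return (s * h1(identity)) % Q              # d_ID = s * H1(ID)

def encrypt(P, identity, msg):
    r = 1 + secrets.randbelow(Q - 1)
    mask = h2(pow(e(h1(identity), P), r, P_MOD))
    return (r * G) % Q, xor(msg, mask)         # C = <r*g, M xor H2(e(H1(ID),P)^r)>

def decrypt(d_id, ct):
    U, V = ct
    return xor(V, h2(e(d_id, U)))              # M = V xor H2(e(d_ID, U))

def demo():
    P, s = setup()
    ident = "alice@hotmail || 2024-06-01"      # identity with a date (constructed)
    ct = encrypt(P, ident, b"meet at 10:00 pm")  # sender needs only P and the string
    return decrypt(extract(s, ident), ct)      # PKG issues d_ID for that date only
```

Messages must be exactly N bytes. A key extracted for any other identity string, including the same address with a different date, yields a different mask and does not recover the plaintext.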

26
The security assumption
  • Bilinear Diffie-Hellman Problem (BDHP) in
    $\langle G_1, G_2, e \rangle$
      • given a generator $g$ of $G_1$ and three elements $ag$,
        $bg$, $cg \in G_1$ for random $a, b, c$ in $Z_p$, compute
        $e(g,g)^{abc}$
  • Security Assumption: BDHP is hard

27
The security of BF-IBE
  • It can be shown that there is a reduction between
    breaking the BF-IBE in the Semantic Security
    model and the BDHP problem
  • The question: How can we improve BF-IBE so this
    will be true in the Semantic Security Against an
    Adaptive Chosen Ciphertext Attack model?

28
The answer: The Fujisaki-Okamoto technique
  • $e_{pk}(M)$: The encryption of $M$ using the public key
    $pk$
  • Fujisaki-Okamoto: If $e_{pk}(M)$ is a one-way
    encryption scheme, the hybrid scheme
    $e^{hy}_{pk}(M) = \langle e_{pk}(\sigma; H_3(\sigma, M)), H_4(\sigma) \oplus M \rangle$
    is secure in the Semantic Security Against an Adaptive Chosen
    Ciphertext Attack model

29
Improving BF-IBE (1)
  • Setup ($t$)
      • As before
      • params = $\langle q, G_1, G_2, e, n, g, P, H_1, H_2,
        H_3, H_4 \rangle$
  • Extract ($ID$)
      • As before

30
Improving BF-IBE (2)
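  • Encrypt ($M$)
      • Chooses a random $\sigma \in \{0,1\}^n$
      • $r = H_3(\sigma, M)$
      • $C = \langle rP, \sigma \oplus H_2(e(H_1(ID), P)^r), M \oplus H_4(\sigma) \rangle$
  • Decrypt ($C = (U, V, W)$)
      • $\sigma = V \oplus H_2(e(d_{ID}, U))$
      • $M = W \oplus H_4(\sigma)$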

31
Open issues
  • Authentication of the message receiver to the PKG
    (Private Key Generator)
  • The IBE system is an escrowed system
  • Key Revocation

32
That's all, folks