Identity-Based Encryption from the Weil Pairing

Author: Dan Boneh, Matthew Franklin

Presented by Chia Jui Hsu

Date: 2008-06-03


Private Key Generator (PKG)

Alice, Bob

[Diagram labels: Authentication($ID_{Bob}$) and $KR_{ID_{Bob}}$ (Bob and PKG); (params, $ID_{Bob}$): Encrypt or Verify; $KR_{ID_{Bob}}$: Decrypt or Sign]

$ID_{Bob}$ is arbitrary and meaningful, e.g. [email protected] or 0912345678

Setup: generate params and master key

Extract: generate $KR_{ID_{Bob}}$ from $ID_{Bob}$ and master key


Outline

Introduction

Identity-Based Encryption Scheme

Chosen Ciphertext Security

Bilinear map

Bilinear Diffie-Hellman Assumption

BasicIdent

Conclusion

References


Introduction (1/2)

Identity-Based Encryption Scheme (IBE) has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem.


Introduction (2/2)

The system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. The paper gives definitions for secure identity-based encryption schemes and gives several applications for such systems.


Identity-Based Encryption Scheme (1/4)

IBE Scheme ε

Setup

Extract

Encrypt

Decrypt


Identity-Based Encryption Scheme (2/4)

Setup: takes a security parameter k and returns params (system parameters) and master-key. The system parameters will be publicly known, while the master-key will be known only to the "Private Key Generator" (PKG).


Identity-Based Encryption Scheme (3/4)

Extract: takes as input params, master-key, and an arbitrary $ID \in \{0,1\}^*$, and returns a private key d. The Extract algorithm extracts a private key from the given public key.


Identity-Based Encryption Scheme (4/4)

Encrypt: takes as input params, ID, and $M \in \mathcal{M}$. It returns a ciphertext $C \in \mathcal{C}$.

Decrypt: takes as input params, $C \in \mathcal{C}$, and a private key d. It returns $M \in \mathcal{M}$.


Chosen Ciphertext Security (1/6)

The IBE scheme ε is semantically secure against an adaptive chosen ciphertext attack (IND-ID-CCA) if no polynomially bounded adversary A has a non-negligible advantage against the challenger in the following IND-ID-CCA game:


Chosen Ciphertext Security (2/6)

Adversary A, challenger C

Setup

C takes the security parameter k and runs the Setup algorithm.

C keeps the master-key, and A gets the system parameters params.


Chosen Ciphertext Security (3/6)

Phase 1

A issues queries $q_i$, i = 1, ..., m

Extraction query ($ID_i$): C responds by running algorithm Extract to generate the private key $d_i$ corresponding to the public key ($ID_i$). It sends $d_i$ to A.

Decryption query ($ID_i$, $C_i$): C responds by running algorithm Extract to generate the private key $d_i$ corresponding to $ID_i$. It then runs algorithm Decrypt to decrypt the ciphertext $C_i$ using the private key $d_i$. It sends the resulting plaintext to A.


Chosen Ciphertext Security (4/6)

Challenge

Once A decides that Phase 1 is over it outputs two equal-length plaintexts $M_0, M_1 \in \mathcal{M}$ and an identity ID on which it wishes to be challenged. The only constraint is that ID did not appear in any private key extraction query in Phase 1.

The challenger picks a random bit $b \in \{0,1\}$ and sets the challenge ciphertext C = Encrypt(params, ID, $M_b$). It sends C as the challenge to the adversary.


Chosen Ciphertext Security (5/6)

Phase 2

A issues queries $q_i$, i = m+1, ..., n

Extraction query ($ID_i$) where $ID_i \neq ID$. C responds as in Phase 1.

Decryption query ($ID_i$, $C_i$) where $(ID_i, C_i) \neq (ID, C)$. C responds as in Phase 1.

These queries may be asked adaptively as in Phase 1.


Chosen Ciphertext Security (6/6)

Guess

Finally, A outputs a guess $b' \in \{0,1\}$ and wins the game if $b = b'$. We define A's advantage in attacking the scheme ε as the following function of the security parameter k (k is given as input to the challenger):

$\mathrm{Adv}_{\varepsilon,A}(k) = \left| \Pr[b = b'] - \tfrac{1}{2} \right|$


Bilinear map (1/4)

Let $G_1$ and $G_2$ be two groups of order q for some large prime q.

Bilinear map $e : G_1 \times G_1 \to G_2$ between these two groups.


Bilinear map (2/4)

Bilinear: we say that a map $e : G_1 \times G_1 \to G_2$ is bilinear if $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}$.

Computable: there is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.


Bilinear map (3/4)

Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$. Observe that since $G_1, G_2$ are groups of prime order this implies that if P is a generator of $G_1$ then $e(P, P)$ is a generator of $G_2$.


Bilinear map (4/4)

$G = \mathbb{Z}_{19}^* = \{1, 2, \ldots, 18\}$

n = 18, generator g = 2

i      1  2  3  4  5  6  7  8  9
g^i    2  4  8 16 13  7 14  9 18

i     10 11 12 13 14 15 16 17 18
g^i   17 15 11  3  6 12  5 10  1


Bilinear Diffie-Hellman Assumption (1/2)

Given $P, aP, bP, cP \in G_1$, computing $e(P, P)^{abc}$ is HARD!

The MOV reduction (Menezes, Okamoto, and Vanstone)


Bilinear Diffie-Hellman Assumption (2/2)

Menezes, Okamoto, and Vanstone show that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$. To see this, let $P, Q \in G_1$ be an instance of the discrete log problem in $G_1$ where both P, Q have order q. We wish to find an $\alpha \in \mathbb{Z}_q$ such that $Q = \alpha P$. Let $g = e(P, P)$ and $h = e(Q, P)$. Then, by bilinearity of e we know that $h = g^{\alpha}$. By non-degeneracy of e both g, h have order q in $G_2$.

Hence, we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
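The bilinear-map properties and the reduction above, worked through as an added Python example (not from the slides or the paper). The pairing is a constructed toy, G1 = integers mod q under addition and e(X, Y) = g0^(XY) in a subgroup of Z_p*, so it is not the Weil pairing and gives no security; all parameter values and function names are assumptions of this example.

```python
from math import isqrt

# Constructed toy parameters (insecure): G1 = (Z_q, +), G2 = order-q subgroup of Z_p*.
q, p, g0 = 1019, 2039, 4              # p = 2q + 1 is prime; g0 = 2^2 has order q mod p

def e(X, Y):
    """Toy symmetric pairing G1 x G1 -> G2: e(X, Y) = g0^(X*Y)."""
    return pow(g0, (X * Y) % q, p)

def is_bilinear(P, Q, scalars):
    """Check e(aP, bQ) == e(P, Q)^(ab) for every a, b in scalars."""
    return all(e(a * P % q, b * Q % q) == pow(e(P, Q), a * b, p)
               for a in scalars for b in scalars)

def is_generator_of_g2(x):
    """In a group of prime order q every element other than 1 is a generator."""
    return x != 1 and pow(x, q, p) == 1

def dlog_g2(g, h):
    """Baby-step giant-step in G2: alpha in [0, q) with g^alpha = h (mod p)."""
    m = isqrt(q) + 1
    baby = {pow(g, j, p): j for j in range(m)}
    step = pow(g, -m, p)              # modular inverse power, Python 3.8+
    gamma = h
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % q
        gamma = gamma * step % p
    raise ValueError("h is not in the subgroup generated by g")

def mov_reduce(P, Q):
    """Find alpha with Q = alpha*P in G1 by solving a discrete log in G2 only."""
    g, h = e(P, P), e(Q, P)           # h = e(alpha*P, P) = g^alpha by bilinearity
    return dlog_g2(g, h)

if __name__ == "__main__":
    P, alpha = 5, 123
    print(is_bilinear(P, 11, range(20)), is_generator_of_g2(e(P, P)))
    print(mov_reduce(P, alpha * P % q))   # recovers alpha from pairing values
```

In this toy G1 the discrete log is also trivial directly (divide by P mod q); the point is only that any algorithm for G2 solves the G1 instance, which is why pairing-friendly curves must keep the G2 problem hard.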


BasicIdent

To explain the basic idea underlying our IBE system we describe the following simple scheme, called BasicIdent.

Setup, Extract, Encrypt, Decrypt

Claim

$\left| \Pr[c = c'] - \tfrac{1}{2} \right| \geq \epsilon$, random $c \in \{0,1\}$
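An added Python example (not from the slides or the authors' code) that runs the four algorithms and the IND-ID-CCA game from the earlier slides against BasicIdent, written from the Boneh-Franklin paper's description over a constructed, insecure toy pairing. It goes one step beyond the slide: one legal Phase 2 decryption query on a modified challenge ciphertext recovers b, which is why BasicIdent alone is only chosen-plaintext secure and the paper's full scheme adds a chosen-ciphertext transform. H1, H2, the parameters and all function names are assumptions of this example.

```python
import hashlib, secrets

# Constructed toy pairing (insecure): G1 = (Z_q, +) with P = 1, G2 = order-q subgroup of Z_p*.
q, p, g0 = 1019, 2039, 4
def e(X, Y): return pow(g0, (X * Y) % q, p)

def H1(ident):                      # {0,1}* -> nonzero element of G1
    return 1 + int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % (q - 1)
def H2(x, n):                       # G2 -> n-byte mask
    return hashlib.shake_256(str(x).encode()).digest(n)
def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))

def setup():                        # returns (params, master-key s), with P_pub = sP
    s = 1 + secrets.randbelow(q - 1)
    return {"P": 1, "P_pub": s}, s
def extract(params, s, ident):      # d_ID = s * H1(ID)
    return s * H1(ident) % q
def encrypt(params, ident, m):      # C = (rP, M xor H2(e(Q_ID, P_pub)^r))
    r = 1 + secrets.randbelow(q - 1)
    mask = H2(pow(e(H1(ident), params["P_pub"]), r, p), len(m))
    return r * params["P"] % q, xor(m, mask)
def decrypt(params, c, d):          # M = V xor H2(e(d_ID, U))
    return xor(c[1], H2(e(d, c[0]), len(c[1])))

def ind_id_cca_game(adversary):
    """Run the game once as challenger C; return True if the adversary guessed b."""
    params, s = setup()
    st = {"extracted": set(), "id": None, "c": None, "b": None}
    def extract_q(ident):
        if ident == st["id"]: raise ValueError("extraction of challenge ID")
        st["extracted"].add(ident)
        return extract(params, s, ident)
    def decrypt_q(ident, c):
        if (ident, c) == (st["id"], st["c"]): raise ValueError("decryption of (ID, C)")
        return decrypt(params, c, extract(params, s, ident))
    def challenge(ident, m0, m1):
        if len(m0) != len(m1) or ident in st["extracted"]: raise ValueError("bad challenge")
        st["b"] = secrets.randbelow(2)
        st["id"], st["c"] = ident, encrypt(params, ident, (m0, m1)[st["b"]])
        return st["c"]
    return adversary(params, extract_q, decrypt_q, challenge) == st["b"]

def mauling_adversary(params, extract_q, decrypt_q, challenge):
    """Phase 2 query on a one-bit-modified challenge: legal because (ID, C') != (ID, C)."""
    m0, m1 = b"attack at dawn!!", b"retreat at dusk!"
    u, v = challenge("bob@example.com", m0, m1)
    m = decrypt_q("bob@example.com", (u, bytes([v[0] ^ 1]) + v[1:]))
    return 0 if bytes([m[0] ^ 1]) + m[1:] == m0 else 1
```

Calling `ind_id_cca_game(mauling_adversary)` returns True on every run, i.e. advantage 1/2, so the decryption-query rule in Phase 2 is exactly where an unauthenticated XOR-style ciphertext fails.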


Conclusion

Dan Boneh, 2001

Zhe Wu,…, 2007


References

Identity-Based Encryption from the Weil Pairing, 2001

http://zh.wikipedia.org/w/index.php?title=%E9%A6%96%E9%A1%B5&variant=zh-tw

http://www.cs.nctu.edu.tw/~rjchen/ECC2008/note.htm