Title: Efficient Identity-Based Encryption Without Random Oracles
1. Efficient Identity-Based Encryption Without Random Oracles
- Brent Waters
- Stanford University
Additional slides contributed by Dan Boneh.
2. Identity-Based Encryption (IBE)
- IBE: Public key encryption scheme where public key is an arbitrary string (ID).
- Examples: user's e-mail address, current-date, …
[Figure: CA/PKG holding the master-key]
3. Brief History of IBE
- Shamir 84
  - Challenged community with IBE concept
- BF01
  - Pairing-based cryptography
  - Proof uses Random Oracles
- CHK03
  - Introduced weaker Selective-ID model
  - Proof without Random Oracles
  - Ciphertext element per bit of identity
4. Brief History of IBE
- BB04 (Eurocrypt)
  - Efficient system in Selective-ID model
- BB04 (Crypto)
  - Proof in full model w/o Random Oracles
  - Not practical system
- This work
  - Practical system with proof in full model w/o Random Oracles
  - Mathematically similar to BB04 (Eurocrypt)
5. IBE System
- Setup
  - Generate public parameters
- Key Gen
  - Generate a private key
- Encrypt
  - Encrypt message M for given identity, ID
- Decrypt
  - Decrypt a ciphertext if have private key for identity
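6. IBE Semantic Security
[Figure: game between Challenger and Attacker. Challenger runs Setup; Attacker sends KeyGen queries …, $ID_2, ID_3, \dots, ID_m$ and receives …, $d_{ID_2}, d_{ID_3}, \dots, d_{ID_m}$; $b \in \{0,1\}$; $ID_i \neq ID$]
- Def: Alg. A $\epsilon$-breaks IBE sem. sec. if $\Pr[b = b'] > \tfrac{1}{2} + \epsilon$
- $(t,\epsilon)$-security: no $t$-time alg. can $\epsilon$-break IBE sem. sec.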
7. Bilinear Maps
- $G$, $G_1$: finite cyclic groups of prime order $p$.
- Def: An admissible bilinear map $e: G \times G \to G_1$ is:
  - Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$
  - Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
  - Efficiently computable.
8. Complexity Assumption
- Def: Alg. A $\epsilon$-solves Bilinear-DDH in group $G$ if
  $\left| \Pr[A(g, g^a, g^b, g^c, e(g,g)^{abc}) = 1] - \Pr[A(g, g^a, g^b, g^c, e(g,g)^{z}) = 1] \right| > \epsilon$
  where $g \in G$ and $a,b,c,z \in \{1,\dots,p-1\}$.
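9. Our Scheme
- Setup: $g,\ g_1 = g^a,\ g_2,\ u',\ U = (u_1, \dots, u_n) \in G$; $MK = g_2^a$
- Key Gen(v): $d = \left( g_2^a \left( u' \prod_{i \in V} u_i \right)^r,\ g^r \right)$, where $V = \{ i : v_i = 1 \}$
- Encrypt(v, M): $\left( e(g_1,g_2)^t M,\ g^t,\ \left( u' \prod_{i \in V} u_i \right)^t \right)$
- Decrypt(d, C = (C_0, C_1, C_2)): Observe $e(d_1, C_1) / e(d_2, C_2) = e(g_1, g_2)^t$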
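Added example, not from the slides: a toy Python check of the algebra on this slide (Setup, Key Gen, Encrypt, Decrypt and the "Observe" identity). It assumes a "pairing in the exponent" model in which every group element is stored as its discrete log, which is insecure by construction and only verifies correctness; the function names, the prime `p` and the 8-bit identities are illustrative choices.

```python
# Toy model (constructed for illustration, NOT secure): every element of G or G_T
# is stored as its discrete log, so g^x is the integer x mod p. Multiplying elements
# adds exponents, raising to a power multiplies them, e(g^x, g^y) = e(g,g)^(xy).
import secrets

p = 2**127 - 1   # prime group order (assumed for the toy model)
n = 8            # identity length in bits (assumed)

def rand():
    return secrets.randbelow(p - 1) + 1          # uniform in 1..p-1

def pair(x, y):
    return x * y % p                             # exponent of e(g,g)

def setup():
    a, g2, u0 = rand(), rand(), rand()
    U = [rand() for _ in range(n)]
    params = {"g1": a, "g2": g2, "u'": u0, "U": U}   # g itself is exponent 1
    return params, g2 * a % p                        # MK = g2^a

def F(params, v):
    # u' * prod_{i in V} u_i with V = {i : v_i = 1}
    return (params["u'"] + sum(u for u, bit in zip(params["U"], v) if bit)) % p

def keygen(params, mk, v):
    r = rand()
    return ((mk + F(params, v) * r) % p, r)      # (g2^a * F(v)^r, g^r)

def encrypt(params, v, M):
    t = rand()
    c0 = (pair(params["g1"], params["g2"]) * t + M) % p   # e(g1,g2)^t * M
    return (c0, t, F(params, v) * t % p)                  # (C0, g^t, F(v)^t)

def decrypt(d, C):
    (d1, d2), (c0, c1, c2) = d, C
    mask = (pair(d1, c1) - pair(d2, c2)) % p     # e(d1,C1) / e(d2,C2)
    return (c0 - mask) % p                       # C0 / e(g1,g2)^t

def demo():
    params, mk = setup()
    alice, bob = [1, 0, 1, 1, 0, 0, 1, 0], [1, 0, 1, 1, 0, 0, 1, 1]  # constructed IDs
    M = rand()                                   # message as an element of G_T
    C = encrypt(params, alice, M)
    return (decrypt(keygen(params, mk, alice), C) == M,
            decrypt(keygen(params, mk, bob), C) == M)

if __name__ == "__main__":
    print(demo())
```

With a key for a different identity the two $F(v)$ terms no longer cancel, so the mask differs from $e(g_1,g_2)^t$ and decryption returns a different element.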
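10. Comparison to BB04
- Setup: $g,\ g_1 = g^a,\ g_2,\ u',\ U = (u_1, \dots, u_n) \in G$; $MK = g^a$
- Key Gen(v): $d = \left( g_2^a \left( u' \prod_{i \in V} u_i \right)^r,\ g^r \right)$, where $V = \{ i : v_i = 1 \}$
- Encrypt(v, M): $\left( e(g_1,g_2)^t M,\ g^t,\ \left( u' \prod_{i \in V} u_i \right)^t \right)$
- Decrypt(d, C = (C_0, C_1, C_2)): Observe $e(d_1, C_1) / e(d_2, C_2) = e(g_1, g_2)^t$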
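11. Comparison to BB04
- Setup: $g,\ g_1 = g^a,\ g_2,\ h \in G$; $MK = g^a$
- Key Gen(v): $d = \left( g_2^a \left( g_1^v h \right)^r,\ g^r \right)$
- Encrypt(v, M): $\left( e(g_1,g_2)^t M,\ g^t,\ \left( g_1^v h \right)^t \right)$
- Decrypt(d, C = (C_0, C_1, C_2)): Observe $e(d_1, C_1) / e(d_2, C_2) = e(g_1, g_2)^t$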
12. Proof Idea
- Commit to parameters
- Identities: can either generate keys for them or use as a challenge
- Must abort if adversary's actions don't match
- Difficulty is in bounding abort probability
13. Bounding abort probability
- Limit dependencies
- Bob in Private Key set >
- Alice in Private Key Set
- Pairwise independence is enough
- If $v$ and $v'$ differ in at least 1 bit
- $u' \prod_{i \in V} u_i$ and $u' \prod_{i \in V'} u_i$ differ in at least one element
- $\Pr[\text{not abort}] > 1/(8(n+1)q)$ ($q$ is max # of queries)
14. Signature Scheme
- Transformation from IBE scheme into signature scheme (IBE keys → sigs)
- Efficient signature scheme relies on Computational-DH assumption
- ..., but has somewhat large public key
15. Conclusions and Open Problems
- Presented fully secure and efficient IBE scheme in standard model
- Can we reduce public parameter size?
- Get tight bounds?
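17. Proof Idea
- Set $m = 4q$ ($q$ = max number of queries)
- Guess $k$ from 0 to $n$
- Choose random $y', y_1, \dots, y_n \in \mathbb{Z}_p$
- Choose random $x', x_1, \dots, x_n \in \{0, \dots, m-1\}$
- Set $u' = g^{y'} g_1^{\,p - km + x'}$, $u_i = g^{y_i} g_1^{x_i}$
- For a given identity, $v$, we have $u' \prod_{i \in V} u_i = g^{\,y' + \sum_{i \in V} y_i}\ g_1^{\,p - km + x' + \sum_{i \in V} x_i}$
- In challenge set if $x' + \sum_{i \in V} x_i = km$ (BB04)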
18. Proof Idea
- $x' + \sum_{i \in V} x_i = km$
- Can construct private key if $x' + \sum_{i \in V} x_i \neq 0 \bmod m$
- Use as challenge otherwise (and $k$ guessed correctly)
- Since identities differ by at least one bit, get pairwise independence
- Bound probability of aborting as $1/(8(n+1)q)$