Efficient Selective-ID IBE Without Random Oracle

Provided by: danb183
Learn more at: https://www.iacr.org

1
Efficient Selective-ID IBE Without Random Oracle
Dan Boneh, Stanford University
Xavier Boyen, Voltage Security
2
Identity Based Encryption (IBE)
  • IBE: public key encryption scheme where the public
    key is an arbitrary string (ID).
  • Examples: user's e-mail address, current-date, ...

[Diagram: CA/PKG holding the master-key]
3
IBE System
  • IBE system is made up of 4 algorithms:
      • Setup: generate params and master-key, MK.
      • KeyGen: given pub-key ID and master-key, output
        priv-key, $d_{ID}$.
      • Encrypt: using pub-key ID (and params).
      • Decrypt: using priv-key.
  • Main use of IBE:
      • reduce need for online pub-key directory.

4
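Semantic Secure IBE systems [BF01]
  • Semantic security when attacker has few private
    keys.
  • Def: Alg. A $\epsilon$-breaks IBE sem. sec. if
    $\Pr[b = b'] > \tfrac{1}{2} + \epsilon$
  • $(t, \epsilon)$-security: no t-time alg. can $\epsilon$-break IBE
    sem. sec.

[Diagram: game between Challenger and Attacker. Challenger runs Setup; Attacker queries identities ..., $ID_2$, $ID_3$, ..., $ID_n$; Challenger runs KeyGen and returns ..., $d_{ID_2}$, $d_{ID_3}$, ..., $d_{ID_n}$; $b \leftarrow \{0,1\}$; $ID_i \ne ID^*$.]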
5
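Selective-ID Secure IBE [CHK03]
  • Def: Alg. A $\epsilon$-breaks IBE sem. sec. if
    $\Pr[b = b'] > \tfrac{1}{2} + \epsilon$

[Diagram: game between Challenger and Attacker, with the Attacker's target identity $ID^*$ also shown. Challenger runs Setup; Attacker queries identities ..., $ID_2$, $ID_3$, ..., $ID_n$; Challenger runs KeyGen and returns ..., $d_{ID_2}$, $d_{ID_3}$, ..., $d_{ID_n}$; $b \leftarrow \{0,1\}$; $ID_i \ne ID^*$.]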
6
Known Results
  • [BF01]: Full sem. sec. IBE system in RO model.
      • Based on Comp. Bilinear-DH assumption.
      • Extends to provide CCA2 in RO model.
  • [CHK03]: Selective-ID Secure IBE without RO.
      • Based on Decision Bilinear-DH assumption.
      • Problem: bilinear map per bit of ID.
  • Current: (two) efficient Selective-ID secure
    IBE.
      • No Random oracles.
      • Based on Decision Bilinear-DH assumption.
      • 0 pairings for enc., 2 pairings for dec.

7
Bilinear maps (abstractly)
  • $G$, $G_1$: finite cyclic groups of prime order $q$.
  • Def: An admissible bilinear map $e: G \times G \to G_1$
    is:
      • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a, b \in \mathbb{Z}$,
        $g \in G$
      • Non-degenerate: $g$ generates $G$ $\Rightarrow$
        $e(g,g)$ generates $G_1$.
      • Efficiently computable.
  • Currently: examples from algebraic
    geometry where Dlog in $G$ is believed to be hard.

8
Bilinear Diffie-Hellman Problems
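  • Def: Alg. A $\epsilon$-solves Bilinear-DH in group $G$
    if
      • $\Pr[A(g, h, g^x, g^y) = e(g,h)^{xy}] > \epsilon$
      • where $g, h \leftarrow G$ and $x, y \leftarrow \{1, \dots, q-1\}$.
  • Def: Alg. A $\epsilon$-solves Bilinear-DDH in group
    $G$ if
      • $\left| \Pr[A(g, h, g^x, g^y, e(g,h)^{xy}) = 1] - \Pr[A(g, h, g^x, g^y, e(g,h)^{r}) = 1] \right| > \epsilon$
      • where $g, h \leftarrow G$ and $x, y, r \leftarrow \{1, \dots, q-1\}$.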

9
Selective-ID IBE system
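  • Setup: params $= (g,\ g_1 = g^x,\ g_2,\ h) \in G_1$;
    $MK = g_2^x$
  • KeyGen (ID, MK): given pub-key $ID \in \{1, \dots, q\}$
    do:
      • $r \leftarrow \{1, \dots, q-1\}$; $d_{ID} = (\, MK \cdot (g_1^{ID} h)^r,\ g^r \,)$
  • Encrypt ( m, ID, $(g, g_1, g_2, h)$ ):
      • $s \leftarrow \{1, \dots, q-1\}$; $C = (\, m \cdot e(g_1, g_2)^s,\ g^s,\ (g_1^{ID} h)^s \,)$
  • Decrypt (C, $d_{ID}$): $C = (C_0, C_1, C_2)$ using
    $d_{ID} = (d_1, d_2)$
      • observe: $e(C_1, d_1) / e(C_2, d_2) = e(g_1, g_2)^s$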
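Added example (not from the original slides): the four algorithms of slide 9 run in a toy bilinear group, to check the decryption identity e(C1, d1) / e(C2, d2) = e(g1, g2)^s and to show that a key issued for a different ID does not recover m. Assumptions: the parameters Q, P, GT and all function names are constructed for illustration; following slide 7's naming, G is the source group (modelled additively here, so Dlog in G is trivial and the model gives no security) and G1 is the target group.

```python
# Added example: toy model of the slide-9 scheme. Insecure by construction.
import secrets

Q = 1019            # prime order q of G and G1 (constructed toy parameter)
P = 2 * Q + 1       # 2039 is prime, so Z_P^* has a subgroup of order Q
GT = 4              # generator of that subgroup; stands in for e(g, g)

# G is modelled additively: the element g^a is stored as a mod Q, so
# "multiply" is + and "exponentiate" is *. Dlog in G is trivial here.
def e(a, b):
    """Toy bilinear map: e(g^a, g^b) = e(g, g)^(ab)."""
    return pow(GT, a * b % Q, P)

def rand_exp():
    return secrets.randbelow(Q - 1) + 1           # uniform in {1, ..., q-1}

def setup():
    x, g = rand_exp(), 1
    g1, g2, h = x * g % Q, rand_exp(), rand_exp()
    return (g, g1, g2, h), x * g2 % Q             # params, MK = g2^x

def keygen(params, mk, ident):
    g, g1, _, h = params
    r = rand_exp()
    return (mk + r * (ident * g1 + h)) % Q, r * g % Q    # (d1, d2)

def encrypt(params, ident, m):
    g, g1, g2, h = params
    s = rand_exp()
    c0 = m * pow(e(g1, g2), s, P) % P             # m * e(g1, g2)^s
    return c0, s * g % Q, s * (ident * g1 + h) % Q

def decrypt(ct, key):
    (c0, c1, c2), (d1, d2) = ct, key
    mask = e(c1, d1) * pow(e(c2, d2), -1, P) % P  # e(g1, g2)^s if IDs match
    return c0 * pow(mask, -1, P) % P

def demo():
    params, mk = setup()
    m = pow(GT, 123, P)                           # constructed message in G1
    ct = encrypt(params, 7, m)
    right = decrypt(ct, keygen(params, mk, 7))
    wrong = decrypt(ct, keygen(params, mk, 8))    # key for a different ID
    return m, right, wrong

if __name__ == "__main__":
    print(demo())
```

With a mismatched key the blinding factor picks up an extra e(g, g1)^{sr(ID' - ID)} term, which is never the identity for ID' different from ID mod q, so the wrong key always yields a different group element.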

10
Security Theorem
  • Thm:
  • $\exists$ t-time alg. that $\epsilon$-breaks IBE sem. sec. in $G$
  • $\Rightarrow$
  • $\exists$ t-time alg. that $\epsilon$-solves bilinear-DDH in $G$.


11
Proof
Algorithm for Bilinear-DDH
$(g,\ g_1,\ g_2 = g^x,\ g_3 = g^y,\ R = e(g, g_1)^z)$
Attacker
Unknown: $MK = g_1^x$
$d_0 = g_2^{-\alpha/(ID - ID^*)} (g_1^{ID} \cdot h)^r$, $d_1 = g_2^{-1/(ID - ID^*)} \cdot g^r$
12
Proof
Algorithm for Bilinear-DDH
$(g,\ g_1,\ g_2 = g^x,\ g_3 = g^y,\ R = e(g, g_1)^z)$
Attacker
13
Applications
  • Our IBE + [CHK04] $\Rightarrow$ efficient CCA2 public-key
    system w/o Random Oracles from Bilinear-DDH
      • Enc: 3 exp. (4 exp. in CS)
      • Dec: two pairings + 2 exp. (2 exp. in CS)
      • CT size: 3 × G + one-time-sig. (4 × G in CS)
      • Comparable to Cramer-Shoup (but a bit worse).
      • Shorter CT using [BB04] short sigs w/o R.O.
  • 2nd system: one fewer bilinear maps for dec.
      • Gives more efficient CCA2 public-key system.

14
Extensions
  • Hierarchical IBE [LH02, GS02]
      • System extends to give an efficient
        Selective-ID H-IBE without R.O.
      • 2-HIBE + [CHK04] $\Rightarrow$ Efficient CCA2
        Selective-ID IBE without R.O.
  • 2nd system: more efficient Selective-ID IBE.
      • one fewer bilinear maps for dec.
      • But, based on stronger assumption
        (DH-Inversion).
  • Recently [BB04]:
      • Full-IBE with no RO based on Bilinear-DDH.