Download presentation

Presentation is loading. Please wait.

Published byJaden Lane Modified over 3 years ago

1
Boneh-Franklin Identity-based Encryption

2
2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate: e(g, g) generates G t Efficiently-computable

3
3 Underlying hard problem Diffie-Hellman Problem Given g, g a, g b, find g ab Bilinear Diffie-Hellman Problem Bilinear e: G 1 G 2 G t Given g, g r, g s, g t, find e(g, g) rst Security parameters need to protect against discrete log attacks in multiple groups Boneh-Franklin IBE uses the BDHP in the most simple and straightforward way possible

4
4 BasicIdent: who has what? QuantitySenderRecipient s (master secret) t r (sender random) g (public) g t (identity) g st (private key) g r (sender calculates) g s (public) g rt \ Send g r to recipient to let him compute e(g, g) rst

5
5 Chosen-ciphertext security If we just use c = m Å H 2 (e(g rt, g s )) the system is vulnerable to a chosen-ciphertext attack H 2 (e(g rt, g s )) not a function of the plaintext Attacker has (g r, c), decrypts (g r, c) where c = c Å e to get m Then he can recover m = m Å e Fujisaki-Okamoto transform adds chosen-ciphertext security This is the scheme that we discuss in the following

6
6 BF-IBE (FullIdent) Assume that identities are bit strings of arbitrary length and messages to be encrypted are of length l Also need four cryptographic hash functions H 1 : {0, 1}* G For hashing an identity H 2 : G t {0, 1} l To XOR with a session key H 3 : {0, 1} l {0, 1} l Z p For deriving a blinding coefficient H 4 : {0, 1} l {0, 1} l To XOR with plaintext

7
7 BF-IBE Bohen-Franklin IBE comprises four algorithms: Setup Extract Encrypt Decrypt

8
8 BF-IBE: Setup Select random w Î Z p Set g pub = g w Set params = (g, g pub ) Î G 2 Set maskerk = w

9
9 BF-IBE: Extract To generate a private key d ID for an identity ID Î {0, 1}* using the master key w The trusted authority computes h ID = H 1 (ID) and d ID = (h ID ) w in G The private key is the group element d ID Î G

10
10 BF-IBE: Encrypt To encrypt a message M Î {0, 1} l for a recipient with identity ID Î {0, 1} *, the sender does the following: Picks a random s Î {0, 1} l Calculates r = H 3 (s, M) Computes h ID = H 1 (ID) Computes y ID = e(h ID, g pub ) Outputs ciphertext C C = (g r, s Å H 2 (y ID r ), M Å H 4 (s)) Î G {0, 1} l {0, 1} l

11
11 BF-IBE: Decrypt To decrypt a given ciphertext C = (u, v, w) using the private key d ID, the recipient does the following: Computes v Å H 2 (e(u, d ID )) = s Computes w Å H 4 (s) = M Computes H 3 (s, M) = r If g r ¹ u, the ciphertext is rejected Otherwise outputs M Î {0, 1} l as the decryption of C

Similar presentations

OK

Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.

Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google