Download presentation

Presentation is loading. Please wait.

Published byJaden Lane Modified over 4 years ago

1
Boneh-Franklin Identity-based Encryption

2
2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate: e(g, g) generates G t Efficiently-computable

3
3 Underlying hard problem Diffie-Hellman Problem Given g, g a, g b, find g ab Bilinear Diffie-Hellman Problem Bilinear e: G 1 G 2 G t Given g, g r, g s, g t, find e(g, g) rst Security parameters need to protect against discrete log attacks in multiple groups Boneh-Franklin IBE uses the BDHP in the most simple and straightforward way possible

4
4 BasicIdent: who has what? QuantitySenderRecipient s (master secret) t r (sender random) g (public) g t (identity) g st (private key) g r (sender calculates) g s (public) g rt \ Send g r to recipient to let him compute e(g, g) rst

5
5 Chosen-ciphertext security If we just use c = m Å H 2 (e(g rt, g s )) the system is vulnerable to a chosen-ciphertext attack H 2 (e(g rt, g s )) not a function of the plaintext Attacker has (g r, c), decrypts (g r, c) where c = c Å e to get m Then he can recover m = m Å e Fujisaki-Okamoto transform adds chosen-ciphertext security This is the scheme that we discuss in the following

6
6 BF-IBE (FullIdent) Assume that identities are bit strings of arbitrary length and messages to be encrypted are of length l Also need four cryptographic hash functions H 1 : {0, 1}* G For hashing an identity H 2 : G t {0, 1} l To XOR with a session key H 3 : {0, 1} l {0, 1} l Z p For deriving a blinding coefficient H 4 : {0, 1} l {0, 1} l To XOR with plaintext

7
7 BF-IBE Bohen-Franklin IBE comprises four algorithms: Setup Extract Encrypt Decrypt

8
8 BF-IBE: Setup Select random w Î Z p Set g pub = g w Set params = (g, g pub ) Î G 2 Set maskerk = w

9
9 BF-IBE: Extract To generate a private key d ID for an identity ID Î {0, 1}* using the master key w The trusted authority computes h ID = H 1 (ID) and d ID = (h ID ) w in G The private key is the group element d ID Î G

10
10 BF-IBE: Encrypt To encrypt a message M Î {0, 1} l for a recipient with identity ID Î {0, 1} *, the sender does the following: Picks a random s Î {0, 1} l Calculates r = H 3 (s, M) Computes h ID = H 1 (ID) Computes y ID = e(h ID, g pub ) Outputs ciphertext C C = (g r, s Å H 2 (y ID r ), M Å H 4 (s)) Î G {0, 1} l {0, 1} l

11
11 BF-IBE: Decrypt To decrypt a given ciphertext C = (u, v, w) using the private key d ID, the recipient does the following: Computes v Å H 2 (e(u, d ID )) = s Computes w Å H 4 (s) = M Computes H 3 (s, M) = r If g r ¹ u, the ciphertext is rejected Otherwise outputs M Î {0, 1} l as the decryption of C

Similar presentations

OK

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

© 2018 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google