Identity Based Encryption
Cosc 6111/6121 Presentation
York University
Dusty Phillips
November 8, 2005

Overview
- Review Public Key Encryption
- Introduce Identity Based Encryption
- Identity Based Encryption Basics
- Examples
- Algorithm Details

Public Key Encryption
- Setup algorithm creates two randomized keys
- One key made public, one made secret
- Encrypt with public, decrypt with secret
- Problems:
  - Public key distribution
  - Key is long random string

Introduction to IBE
- Proposed by Adi Shamir in 1984
- Viable design in 2001 by Boneh and Franklin
- Public key is an arbitrary string (e.g. e-mail)
- Third party server distributes private keys
- Advantages:
  - Memorable public key
  - Encryption before key generation

IBE Basics
Four algorithms:
- Setup
  - Generates master key for PKG
  - Generates public parameters
- Extract
  - Extracts private key for arbitrary public key
  - Run on PKG
- Encrypt with arbitrary public key and parameters
- Decrypt with PKG-generated private key

Encryption Example
- PKG calls setup to create
  - master secret key s: kept secret
  - parameters params: made public
- Alice sending encrypted message to Bob
  - Alice gets params from PKG (if necessary)
  - Encrypt message M using params and Bob's ID

Decryption Example
- Bob receives ciphertext C
- Bob retrieves params from PKG (if necessary)
- Bob authenticates to PKG (if necessary)
- PKG runs extract on ID
  - Returns private key d
- Bob applies d and params to C and gets M

Setup Algorithm
- Secret key s is a random integer (< q)
- Public params are:
  - q: a random prime
  - G1, G2: two groups, order q
  - e: bilinear map G1 × G1 → G2
  - P: random generator of G1
  - P_pub: created by s⋅P
  - H1, H2: crypto hashes: string → G1, G2 → string

The Bilinear Map
- e: G1 × G1 → G2
- Definition of bilinear: e(aP, bQ) = e(P, Q)^{ab}
  - a, b are integers
  - P, Q ∈ G1
  - e(P, Q), e(aP, bQ) ∈ G2
- Other definitions:
  - map that satisfies the distributive law
  - map is a linear combination in both directions

Extraction
- Given a string public key ID
- Hash ID to Q ∈ G1 using H1
- PKG has master key s
- Return private key d = s⋅Q

Encryption
- Given string public key ID, message M
- Hash ID to Q ∈ G1 using H1
- Map (Q, P_pub) to g ∈ G2 using e
- Choose random integer r < q
- Hash g^r to a string X using H2
- Return ciphertext C = (r⋅P, M ⊕ X) = (U, V)

Decryption
- Given a private key d and ciphertext C = (U, V)
- Map (d, U) to x ∈ G2 using e
- Hash x to a string X using H2
- Return M = X ⊕ V

Why It Works
- Cryptography seems like magic!
- In encryption, M is xor'd with hash of g^r
- In decryption, V is xor'd with hash of e(d, U)
- If g^r = e(d, U) then xoring the xor gives original

e(d, U) = g^r
- In extraction, d is set to s⋅Q
- In encryption, U is set to r⋅P
- So e(d, U) = e(s⋅Q, r⋅P)
- By bilinearity of e: e(d, U) = e(Q, P)^{sr}
- In encryption, g is set to e(Q, P_pub)
- In setup, P_pub is set to s⋅P
- So g^r = e(Q, s⋅P)^r
- By bilinearity of e: g^r = e(Q, P)^{sr}

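The four algorithms and the identity e(d, U) = g^r can be run end to end. The following is an added example, not code from the presentation or from Boneh and Franklin. It assumes a toy stand-in for the pairing groups (integers mod q for G1, a subgroup of Z_p^* for G2) that is bilinear but offers no security, and the identity string and message are constructed.

```python
import hashlib
import secrets

# Toy stand-in for the pairing groups (assumption, NOT secure):
# G1 = integers mod q under addition, G2 = order-q subgroup of Z_p^*,
# e(a, b) = g2^(a*b) mod p. It is bilinear, but discrete logs in this G1
# are trivial; a real system uses a pairing on an elliptic curve.
q = 1019            # prime group order
p = 2 * q + 1       # 2039, also prime
g2 = 4              # generator of the order-q subgroup of Z_p^*

def e(a, b):
    """Bilinear map G1 x G1 -> G2."""
    return pow(g2, (a * b) % q, p)

def H1(identity):
    """Hash a string to a non-zero element of G1."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

def H2(x, n):
    """Hash an element of G2 to an n-byte string."""
    return hashlib.shake_256(x.to_bytes(2, "big")).digest(n)

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def setup():
    s = secrets.randbelow(q - 1) + 1          # master key, 0 < s < q
    P = secrets.randbelow(q - 1) + 1          # random generator of G1
    return s, {"P": P, "P_pub": (s * P) % q}  # (master key, public params)

def extract(s, identity):
    return (s * H1(identity)) % q             # d = s.Q

def encrypt(params, identity, message):
    Q = H1(identity)
    r = secrets.randbelow(q - 1) + 1
    X = H2(pow(e(Q, params["P_pub"]), r, p), len(message))  # H2(g^r)
    return (r * params["P"]) % q, xor(message, X)           # (U, V)

def decrypt(d, ciphertext):
    U, V = ciphertext
    return xor(V, H2(e(d, U), len(V)))        # M = X xor V

if __name__ == "__main__":
    s, params = setup()
    C = encrypt(params, "bob@example.org", b"meet at noon in room 6111")
    print(decrypt(extract(s, "bob@example.org"), C))
```

Note that encrypt never touches s or d: Alice can encrypt to an identity before the PKG has ever run extract for it.
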
References
- D. Boneh, M. Franklin, B. Lynn, M. Pauker, R. Kacker, G. Tsudik. "IBE Secure E-mail". 2002. http://crypto.stanford.edu/ibe/
- D. Boneh, M. Franklin. "Identity-Based Encryption from the Weil Pairing". 2003. SIAM Journal of Computing. Vol 32, No 3. pp. 586-615.
- "Group Theory." http://en.wikipedia.org/wiki/Group_Theory
- "Elliptic Curves" http://en.wikipedia.org/wiki/Elliptical_curve
- R. Dean. "Elements of Abstract Algebra". 1966. John Wiley & Sons, Inc.