1
Identity Based Encryption
Based on a paper by Dan Boneh and Matthew Franklin
Presented by: Saar Ron
2
Outline
  Introduction to IBE
  Applications of IBE
  Definition of IBE
  Security Properties
  The Boneh-Franklin IBE Scheme
4
What is IBE? IBE is a public-key encryption system in which an arbitrary string can be used as the public key
5
History of IBE
  The concept was formulated by Adi Shamir in 1984
  First usable IBE schemes in 2001
    Boneh and Franklin [Crypto 2001, SIAM J. of Computing 2003]
    Cocks [IMA International Conference on Cryptography and Coding 2001]
6
An example of IBE
[Figure; surviving labels: email encrypted using public key “alice@hotmail.com”; “I am alice@hotmail.com”; Private key; CA/PKG; master-key]
8
Applications of IBE
Bob encrypts mail with pub-key = “alice@hotmail”
  Easy to use: no need for Bob to look up Alice’s cert
  Bob can send mail to Alice even if Alice has no cert
Bob encrypts with pub-key = || current-date”
  Short-lived private keys: revocation + mobility
  Bob can send mail to be read at future date
Credentials: embed user credentials in public key
  Encrypt with: || date || clearance=secret”
  Alice can decrypt only if she has secret clearance on given date
  Easy to grant and revoke credentials at PKG
10
Definition of IBE (1)
Setup
  input: a security parameter t
  output: params and master-key
Extract
  input: params, master-key, and $ID \in \{0,1\}^*$
  output: $d_{ID}$
11
Definition of IBE (2)
Encrypt
  input: params, $ID \in \{0,1\}^*$, $M \in \mathcal{M}$
  output: C
Decrypt
  input: params, $d_{ID}$, $C \in \mathcal{C}$
  output: M
12
Is the following RSA-based IBE scheme correct?
Setup (t)
  randomly picks two t-bit primes p, q
  params = 〈n = pq, H〉
  master-key = 〈p, q〉
Encrypt (〈n, H〉, ID, M) = $M^{H(ID)} \bmod n$
Extract (〈n, H〉, 〈p, q〉, ID) = $d_{ID}$ such that $d_{ID} H(ID) = (p-1)(q-1) \bmod n$
Decrypt (〈n, H〉, ID, C) = $C^{d_{ID}} \bmod n$
14
Security properties of crypto schemes
Formalization of the notion that no algorithm breaks a crypto system
  defined via a game between an Adversary and a Challenger
  no polynomially bounded Adversary wins the game with non-negligible advantage
15
Security demands for IBE
Semantic security against an adaptive chosen ciphertext attack
  No polynomially bounded adversary wins the following game with non-negligible advantage
16
The Game (1)
The Challenger
  chooses a security parameter t and runs Setup
  keeps the master-key
  gives the Adversary params
The Adversary issues m queries
  extraction query $\langle ID_i \rangle$
  decryption query $\langle ID_i, C_i \rangle$
17
The Game (2)
The Adversary picks $M_0$, $M_1$ and a public key ID
The Challenger picks a random $b \in \{0,1\}$ and sends $C = \mathrm{Encrypt}(params, ID, M_b)$
The Adversary issues n additional queries
  extraction query $\langle ID_i \rangle$
  decryption query $\langle ID_i, C_i \rangle$
18
The Game (3)
The Adversary outputs $b'$
The Adversary wins if $b = b'$
$|\Pr(\text{the attacker wins}) - \tfrac{1}{2}|$ should be negligible
19
A weaker notion: Semantic Security
Almost the same game, but with a small difference: The adversary is not allowed to use decryption queries
21
Bilinear maps (1)
$e : G_1 \times G_1 \to G_2$
  $G_1$ and $G_2$ are cyclic groups of prime order p
Bilinear Map
  for all $x, y \in G_1$ and for all $a, b \in Z_p$: $e(ax, by) = e(x, y)^{ab}$
22
Bilinear maps (2)
Non-Degenerate
  There exist $x, y \in G_1$ such that $e(x, y) \neq 1_{G_2}$
Computable
  computing $e(x, y)$ for any $x, y \in G_1$ is efficient
23
The Boneh-Franklin IBE Scheme (1)
Setup (t)
  uses t to generate a prime q
  generates cyclic groups $G_1$, $G_2$ of order q, and a bilinear map $e : G_1 \times G_1 \to G_2$
  chooses an arbitrary generator $g \in G_1$
  picks a random $s \in Z_q^*$ and sets $P = sg$
  picks two crypto hash functions: $H_1 : \{0,1\}^* \to G_1^*$ and $H_2 : G_2 \to \{0,1\}^n$
24
The Boneh-Franklin IBE Scheme (2)
Setup (t)
  $\mathcal{M} = \{0,1\}^n$
  $\mathcal{C} = G_1^* \times \{0,1\}^n$
  params = $q, G_1, G_2, e, n, g, P, H_1, H_2$
  master-key = s
Extract (ID)
  $d_{ID} = s H_1(ID)$
25
The Boneh-Franklin IBE Scheme (3)
Encrypt (M)
  chooses a random $r \in Z_q^*$
  $C = \langle rg,\; M \oplus H_2(e(H_1(ID), P)^r) \rangle$
Decrypt (C = (U, V))
  $V \oplus H_2(e(d_{ID}, U))$
  $e(sH_1(ID), rg) = e(H_1(ID), g)^{sr} = e(H_1(ID), sg)^r = e(H_1(ID), P)^r$
26
The security assumption
Bilinear Diffie-Hellman Problem (BDHP) in $\langle G_1, G_2, e \rangle$
  given a generator g of $G_1$ and three elements $ag, bg, cg \in G_1$ for random a, b, c in $Z_p$, compute $e(g, g)^{abc}$
Security Assumption: BDHP is hard
27
The security of BF-IBE
It can be shown that there is a reduction between breaking the BF-IBE in the Semantic Security model and the BDHP problem
The question: How can we improve BF-IBE so this will be true in the Semantic Security Against an Adaptive Chosen Ciphertext Attack model?
28
The answer: The Fujisaki-Okamoto technique
$\mathcal{E}_{pk}(M)$: the encryption of M using the public key pk
Fujisaki-Okamoto: If $\mathcal{E}_{pk}(M)$ is a one-way encryption scheme, the hybrid scheme
  $\mathcal{E}^{hy}_{pk}(M) = \langle \mathcal{E}_{pk}(\sigma; H_3(\sigma, M)),\; H_4(\sigma) \oplus M \rangle$
is secure in the Semantic Security Against an Adaptive Chosen Ciphertext Attack model
29
Improving BF-IBE (1)
Setup (t) and Extract (ID): as before, with
  params = $q, G_1, G_2, e, n, g, P, H_1, H_2, H_3, H_4$
30
Improving BF-IBE (2)
Encrypt (M)
  chooses a random $\sigma \in \{0,1\}^n$
  $r = H_3(\sigma, M)$
  $C = \langle rP,\; \sigma \oplus H_2(e(H_1(ID), P)^r),\; M \oplus H_4(\sigma) \rangle$
Decrypt (C = (U, V, W))
  $\sigma = V \oplus H_2(e(d_{ID}, U))$
  $M = W \oplus H_4(\sigma)$
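The improved scheme above can be exercised end to end over a toy pairing; this is an added example, not code from the presentation or from Boneh and Franklin. Assumptions: the pairing e(x, y) = h^(xy) over G1 = (Z_q, +) is a constructed, insecure stand-in for a real pairing group, the hash functions are SHA-256 with a tag prefix, U is computed as rg with g the generator as on the basic-scheme slide, and the re-derivation check in decrypt is the Fujisaki-Okamoto validity test, which the slide does not spell out.

```python
import hashlib, math, secrets

# Toy symmetric pairing (constructed, INSECURE): G1 = (Z_q, +) with generator g = 1,
# G2 = the order-q subgroup of Z_p^*, e(x, y) = h^(x*y) mod p. Discrete logs in G1
# are trivial here, so this demonstrates the algebra only.
q = 2**127 - 1  # Mersenne prime
# Smallest p = k*q + 1 that passes Pocklington's primality test with base 2.
p, k = next((k * q + 1, k) for k in range(2, 10**4, 2)
            if pow(2, k * q, k * q + 1) == 1
            and math.gcd(pow(2, k, k * q + 1) - 1, k * q + 1) == 1)
h, g, N = pow(2, k, p), 1, 16  # h has order q; N = message length n in bytes

def e(x, y):
    return pow(h, x * y % q, p)

def _h(tag, *parts):
    return hashlib.sha256(tag + b"".join(parts)).digest()

def H1(ident):  # {0,1}* -> G1*
    return 1 + int.from_bytes(_h(b"H1", ident), "big") % (q - 1)
def H2(gt):  # G2 -> {0,1}^n
    return _h(b"H2", gt.to_bytes(32, "big"))[:N]
def H3(sigma, m):  # ({0,1}^n, {0,1}^n) -> Z_q*
    return 1 + int.from_bytes(_h(b"H3", sigma, m), "big") % (q - 1)
def H4(sigma):  # {0,1}^n -> {0,1}^n
    return _h(b"H4", sigma)[:N]
def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def setup():
    s = 1 + secrets.randbelow(q - 1)  # master-key s in Z_q*
    return s * g % q, s  # (P = s*g, master-key)

def extract(s, ident):
    return s * H1(ident) % q  # d_ID = s*H1(ID)

def encrypt(P, ident, m):
    assert len(m) == N
    sigma = secrets.token_bytes(N)
    r = H3(sigma, m)
    mask = H2(pow(e(H1(ident), P), r, p))  # H2(e(H1(ID), P)^r)
    return r * g % q, xor(sigma, mask), xor(m, H4(sigma))

def decrypt(d_id, c):
    U, V, W = c
    sigma = xor(V, H2(e(d_id, U)))
    m = xor(W, H4(sigma))
    # Re-derive r and reject if U != r*g (Fujisaki-Okamoto validity check).
    return m if H3(sigma, m) * g % q == U else None
```

A ciphertext whose W component has been modified, or one decrypted with another identity's key, fails the re-derivation check and yields None instead of a related plaintext.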
31
Open issues
  Authentication of the message receiver to the PKG (Private Key Generator)
  The IBE system is an escrowed system
  Key Revocation
32
That's all, folks