Cryptography Reference
23.3.2 Identity-based encryption
Section 22.4 briefly mentioned identity-based signatures. Recall that in identity-based
cryptography a user's public key is defined to be a function of their “identity” (for example,
their email address). There is a master public key. Each user obtains their private key from
a key generation center (which possesses the master secret).
In this section we sketch the basic Boneh-Franklin scheme [75] (the word “basic”
refers to the fact that this scheme only has security against a chosen plaintext attack). The
scheme uses pairing groups (see Definition 22.2.14 and Chapter 26). Hence, let $G_1$, $G_2$
and $G_T$ be groups of prime order $r$ and let $e : G_1 \times G_2 \to G_T$ be a
non-degenerate bilinear pairing.
The first task is to determine the master keys, which are created by the key generation
center. Let $g \in G_2$ have order $r$. The key generation center chooses $1 \le s < r$
and computes $g' = g^s$. The master public key is $(g, g')$ and the master private key is
$s$. The scheme also requires hash functions $H_1 : \{0,1\}^* \to G_1$ and
$H_2 : G_T \to \{0,1\}^l$ (where $l$ depends on the security parameter). The message space
will be $\{0,1\}^l$ and the ciphertext space will be $G_2 \times \{0,1\}^l$.
The public key of a user with identity $\mathrm{id} \in \{0,1\}^*$ is
$Q_{\mathrm{id}} = H_1(\mathrm{id}) \in G_1$. With overwhelming probability
$Q_{\mathrm{id}} \ne 1$, in which case $e(Q_{\mathrm{id}}, g) \ne 1$. The user obtains the
private key $Q'_{\mathrm{id}} = H_1(\mathrm{id})^s$ from the key generation center.
To encrypt a message $m \in \{0,1\}^l$ to the user with identity $\mathrm{id}$ one obtains
the master key $(g, g')$, computes $Q_{\mathrm{id}} = H_1(\mathrm{id})$, chooses a random
$1 \le k < r$ and computes $c_1 = g^k$, $c_2 = m \oplus H_2(e(Q_{\mathrm{id}}, g')^k)$.
The ciphertext is $(c_1, c_2)$.
To decrypt the ciphertext $(c_1, c_2)$ the user with private key $Q'_{\mathrm{id}}$ computes
$$m = c_2 \oplus H_2(e(Q'_{\mathrm{id}}, c_1)).$$
This completes the description of the basic Boneh-Franklin scheme.
Exercise 23.3.6
Show that the Decrypt algorithm does compute the correct message when
$(c_1, c_2)$ are the outputs of the Encrypt algorithm.
Exercise 23.3.7
Show that the basic Boneh-Franklin scheme does not have IND-CCA
security.
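The scheme described above, run end to end as an added example that is not from the book: it uses a constructed toy pairing (group elements stored as their discrete logs, so it offers no security) to check the Encrypt/Decrypt algebra, and `maul` shows the lack of ciphertext integrity behind the chosen-plaintext-only caveat. The parameters, the SHA-256 instantiations of the hash functions and all function names are assumptions.

```python
import hashlib, secrets

# Toy pairing group (constructed for illustration, NOT secure): elements of
# G1 = G2 are stored as their discrete logs mod R, so the book's g^s becomes
# s*g mod R, and G_T is the order-R subgroup of Z_P^* generated by H.
P = 1_000_000_007          # prime, P = 2*R + 1
R = 500_000_003            # prime group order r
H = 4                      # generator of the order-R subgroup of Z_P^*
L = 16                     # message length l, in bytes

def pair(a, b):            # e(a, b) = H^(a*b): bilinear and non-degenerate
    return pow(H, (a * b) % R, P)

def H1(identity):          # {0,1}^* -> G1, never the identity element
    d = hashlib.sha256(b"H1" + identity.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (R - 1)

def H2(t):                 # G_T -> {0,1}^l
    return hashlib.sha256(b"H2" + t.to_bytes(8, "big")).digest()[:L]

def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def setup():               # KGC: master secret s, master public key (g, g')
    g = 1 + secrets.randbelow(R - 1)
    s = 1 + secrets.randbelow(R - 1)
    return s, (g, (s * g) % R)

def extract(s, identity):  # private key Q'_id = H1(id)^s
    return (s * H1(identity)) % R

def encrypt(mpk, identity, m):
    if len(m) != L:
        raise ValueError("message must be exactly L bytes")
    g, g_prime = mpk
    k = 1 + secrets.randbelow(R - 1)
    mask = H2(pow(pair(H1(identity), g_prime), k, P))  # H2(e(Q_id, g')^k)
    return (k * g) % R, xor(m, mask)                   # (c1 = g^k, c2)

def decrypt(sk, ct):       # m = c2 XOR H2(e(Q'_id, c1))
    c1, c2 = ct
    return xor(c2, H2(pair(sk, c1)))

def maul(ct, delta):       # no integrity check: decrypts to m XOR delta
    return ct[0], xor(ct[1], delta)
```

Decryption succeeds because $e(Q'_{\mathrm{id}}, c_1) = e(Q_{\mathrm{id}}, g)^{sk} = e(Q_{\mathrm{id}}, g')^k$; a real deployment needs a genuine pairing library and a chosen-ciphertext-secure variant of the scheme.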
The security model for identity-based encryption takes into account that an adversary can
ask for private keys on various identities. Hence, the IND security game allows an adversary
to output a challenge identity $\mathrm{id}^*$ and two challenge messages $m_0$, $m_1$. The
adversary is not permitted to know the private key for identity $\mathrm{id}^*$ (though it
can receive private keys for any other identities of its choice). The adversary then receives
an encryption with respect to identity $\mathrm{id}^*$ of $m_b$ for randomly chosen
$b \in \{0,1\}$ and must output a guess for $b$.