Cryptography Reference
In-Depth Information
identity $\mathit{id}$ in the public key of the standard scheme and including the user private
key corresponding to $\mathit{id}$ in the private key. For more details about the SS-2-IBS
construction and related questions we refer to [17].
The SS-2-IBS construction is by no means the only generic construction of IBS
schemes. This and other generic constructions are analyzed in the survey article
[111], which gives a nice overview of IBS and also includes other IBS schemes that
are constructed directly, without being derived from any of these constructions.
10.3 Identity-Based Encryption
We have seen that IBS schemes are easily obtained from standard signature schemes
but the situation regarding IBE schemes is very different, for no generic constructions
are known to transform a standard public-key encryption scheme into an IBE scheme.
We have also seen that a naive approach such as that based on the use of an RSA
common modulus does not work. However, fully functional IBE schemes have been
constructed in recent years. In order to present some of them, we start with the formal
definition of an IBE scheme.
10.3.1 IBE Definition
Definition 10.4
An IBE scheme is a 4-tuple $E = (\mathrm{Setup}, \mathrm{Der}, \mathrm{Enc}, \mathrm{Dec})$ of
polynomial-time algorithms such that the first three of them are probabilistic and
$\mathrm{Dec}$ is deterministic, satisfying the following conditions:
• $\mathrm{Setup}$ is run by the PKG and, on input a security parameter $1^k$, outputs a master key
$\mathit{mk} = (\mathit{mpk}, \mathit{msk})$. The master public key $\mathit{mpk}$ is published as a system parameter.
There may be additional system parameters such as descriptions of the message
space, the ciphertext space and the identity space, all of which are public and may
be used as inputs by the remaining algorithms.
• $\mathrm{Der}$ is run by the PKG and, on input $\mathit{msk}$ and the identity string $\mathit{id} \in \{0,1\}^*$ of
a user, outputs the user's private key $\mathit{usk} \leftarrow \mathrm{Der}(\mathit{msk}, \mathit{id})$ which is then securely
transmitted to the user with identity $\mathit{id}$.
• The encryption algorithm $\mathrm{Enc}$ takes as input the master public key $\mathit{mpk}$, an identity
$\mathit{id}$, and a message $m$, and outputs a ciphertext $c$, written $c \leftarrow \mathrm{Enc}(\mathit{mpk}, \mathit{id}, m)$.
• The decryption algorithm $\mathrm{Dec}$ takes as input the master public key, a user private
key $\mathit{usk}$ and a ciphertext $c$ (and, possibly, an identity $\mathit{id}$) and outputs either a
plaintext $m$, or a symbol $\perp$ denoting failure. We write $m := \mathrm{Dec}(\mathit{mpk}, \mathit{usk}, c)$.
• There exists a negligible function $\mathrm{negl}$ such that, for every $k$, every
$(\mathit{mpk}, \mathit{msk}) \leftarrow \mathrm{Setup}(1^k)$, every $\mathit{usk} \leftarrow \mathrm{Der}(\mathit{msk}, \mathit{id})$ and every message $m$:
$$\Pr\big(\mathrm{Dec}(\mathit{mpk}, \mathit{usk}, \mathrm{Enc}(\mathit{mpk}, \mathit{id}, m)) \neq m\big) \leq \mathrm{negl}(k).$$
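Added example, not from the original text: the four algorithms of Definition 10.4 instantiated with Cocks' quadratic-residue IBE, a scheme this page does not describe, encrypting a single bit. The fixed primes, the SHA-256 counter hash `hash_id` and the lowercase function names are assumptions made for illustration.

```python
import hashlib, secrets

P, Q = 2**127 - 1, 2**107 - 1   # fixed Mersenne primes, both 3 mod 4 (demo only)

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def hash_id(mpk, ident):
    """Map id in {0,1}* to a in Z_N with (a/N) = +1 (counter construction is an assumption)."""
    for ctr in range(2**32):
        h = hashlib.sha256(ctr.to_bytes(4, "big") + ident.encode()).digest()
        a = int.from_bytes(h, "big") % mpk
        if jacobi(a, mpk) == 1:
            return a

def setup():
    """PKG: return (mpk, msk) = (N, (p, q)). A real Setup samples primes from 1^k."""
    return P * Q, (P, Q)

def der(mpk, msk, ident):
    """PKG: usk = r with r^2 = a or -a (mod N); needs the factorisation of N."""
    return pow(hash_id(mpk, ident), (mpk + 5 - msk[0] - msk[1]) // 8, mpk)

def enc(mpk, ident, bit):
    """Encrypt one bit as (c1, c2); the sender cannot tell which sign der produced."""
    a, m, c = hash_id(mpk, ident), 1 - 2 * bit, []
    for s in (a, -a):
        t = secrets.randbelow(mpk - 2) + 2
        while jacobi(t, mpk) != m:          # need (t/N) = m, which implies gcd(t, N) = 1
            t = secrets.randbelow(mpk - 2) + 2
        c.append((t + s * pow(t, -1, mpk)) % mpk)
    return tuple(c)

def dec(mpk, usk, ident, c):
    """Deterministic: return the bit, or None (the failure symbol) if the symbol is 0."""
    ci = c[0] if pow(usk, 2, mpk) == hash_id(mpk, ident) else c[1]
    j = jacobi(ci + 2 * usk, mpk)
    return None if j == 0 else (1 - j) // 2
```

The `None` branch in `dec` is the failure event bounded by negl(k) in the last condition: it occurs only when gcd(t + r, N) > 1, which has probability about 1/p + 1/q.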