Cryptography Reference
In-Depth Information
Definition 10.9 Boneh-Franklin
BasicIdent
scheme.
The Boneh-Franklin
BasicIdent
scheme is the scheme
(
)
,
where the algorithms are defined below. We let 1
k
be a security parameter which is
the input of the algorithm
Setup, Der, Enc, Dec
that generates the BDH parameters (a description of the
groups and the pairing involved).
•
G
Setup
: The algorithm runs in several steps, as follows:
on input 1
k
1. Run
G
to generate a prime
p
, two groups
G
1
,
G
2
of order
p
, and
a pairing
e
on
ˆ
(
G
1
,
G
2
)
. Choose a random generator
P
of
G
1
(i.e., a random
G
1
, where
G
1
=
element
P
←
G
1
−{
O
}
).
← Z
p
and set
P
pub
:=
2. Pick a random
s
sP
.
3. Choose cryptographic hash functions
H
1
}
∗
G
1
:{
0
,
1
→
and
H
2
:
G
2
→
n
,forsome
n
{
0
,
1
}
>
0.
n
and the ciphertext space is
G
1
×{
n
. The public
The message space is
{
0
,
1
}
0
,
1
}
system parameters are
, of which
P
pub
may be
regarded as the master public key. The master secret key is
s
(
G
1
,
G
2
,
ˆ
e
,
n
,
P
,
P
pub
,
H
1
,
H
2
)
∈ Z
p
.
}
∗
, compute:
•
Der
: Given an identity
id
∈{
0
,
1
G
1
.
2. Output the private key
D
id
:=
1.
Q
id
:=
H
1
(
id
)
∈
sQ
id
.
n
and an identity
id
, proceed as follows:
•
Enc
: On input a message
m
∈{
0
,
1
}
G
1
.
1. Compute
Q
id
:=
H
1
(
id
)
∈
← Z
p
.
3. Output the ciphertext
c
2. Choose a random
r
r
:=
(
rP
,
m
⊕
H
2
(
ˆ
e
(
Q
id
,
P
pub
)
))
.
G
1
×{
G
1
, output
n
and a private key
D
id
∈
•
Dec
: On input
c
=
(
U
,
x
)
∈
0
,
1
}
x
⊕
H
2
(
ˆ
e
(
D
id
,
U
)).
The correctness of the scheme is given by:
Proposition 10.5
If in the Boneh-Franklin IBE scheme the ciphertext c
=
(
U
,
x
)
is
n
under the identity id, the result of
decrypting c with the private key D
id
is precisely m.
∈{
,
}
obtained by encrypting the plaintext m
0
1
r
Proof
At encryption, the message
m
is Xor-ed with
H
2
(
ˆ
e
(
Q
id
,
P
pub
)
)
to obtain
x
and, during decryption,
x
is Xor-ed with
H
2
(
ˆ
to recover
m
. Thus it suffices
to show that the two elements of
G
2
to which the hash function
H
2
is applied are the
same, and this is indeed the case because, by the bilinearity of
e
(
D
id
,
U
))
e
:
ˆ
sr
r
ˆ
(
D
id
,
)
=ˆ
(
sQ
id
,
)
=ˆ
(
Q
id
,
)
=ˆ
(
Q
id
,
P
pub
)
.
e
U
e
rP
e
P
e
The security of the basic Boneh-Franklin scheme is given by the following result
for whose proof we refer to [35, Theorem 4.1]:
