Cryptography Reference
In-Depth Information
1. If $U \notin G_1$ then reject the ciphertext.
2. Compute $\sigma := x \oplus H_2(\hat{e}(D_{\mathrm{id}}, U))$.
3. Compute $m := y \oplus H_4(\sigma)$.
4. Compute $r := H_3(\sigma, m)$ and check whether $U = rP$. If not, reject the ciphertext.
5. Output $m$.
Remark 10.4 Observe that, in accordance with the description of the
Fujisaki-Okamoto transformation given above, the encryption algorithm of FullIdent
basically uses the encryption algorithm of BasicIdent to encrypt the random
value $\sigma$, which is then used to mask the message $m$. Correctness of the scheme
follows easily from the correctness of BasicIdent and from the fact that the same
value of $r$ is used both at encryption and at decryption.
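The decryption steps and the re-encryption check of Remark 10.4, run end to end, as an added example that is not code from the book. Assumptions: the toy map e(a, b) = ab mod Q on (Z_Q, +) is an insecure stand-in for a real pairing, SHAKE-256 stands in for the random oracles, and `setup`, `extract` and `encrypt` follow the standard Boneh-Franklin FullIdent definitions, which are not shown on this page.

```python
import hashlib, secrets

# Constructed toy parameters, INSECURE: G1 = GT = (Z_Q, +), generator P = 1, and
# e(a, b) = a*b mod Q. The map is bilinear, but discrete logs in G1 are trivial.
Q = 2**127 - 1          # prime group order
P = 1                   # generator of G1
N = 16                  # byte length of sigma and of the message m

def H(tag, *parts, n=N):                      # domain-separated random-oracle stand-in
    return hashlib.shake_256(tag + b"|".join(parts)).digest(n)

def to_scalar(b): return int.from_bytes(b, "big") % (Q - 1) + 1    # value in Z_Q^*
def enc(v): return v.to_bytes(16, "big")
def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))
def pairing(a, b): return a * b % Q

def H1(ident): return to_scalar(H(b"H1", ident.encode(), n=32))    # identity -> G1^*
def H2(gt): return H(b"H2", enc(gt))                               # GT -> {0,1}^n
def H3(sigma, m): return to_scalar(H(b"H3", sigma, m, n=32))       # -> Z_Q^*
def H4(sigma): return H(b"H4", sigma)                              # -> {0,1}^n

def setup():
    s = secrets.randbelow(Q - 1) + 1
    return s, s * P % Q                       # master key s, public key P_pub = sP

def extract(s, ident):
    return s * H1(ident) % Q                  # D_id = s * Q_id

def encrypt(p_pub, ident, m):
    if len(m) != N:
        raise ValueError("message must be exactly N bytes")
    sigma = secrets.token_bytes(N)
    r = H3(sigma, m)
    g_r = r * pairing(H1(ident), p_pub) % Q   # e(Q_id, P_pub)^r, written additively
    return r * P % Q, xor(sigma, H2(g_r)), xor(m, H4(sigma))

def decrypt(d_id, ct):
    U, x, y = ct
    if not (isinstance(U, int) and 0 <= U < Q and len(x) == N == len(y)):
        return None                           # step 1: U must lie in G1
    sigma = xor(x, H2(pairing(d_id, U)))      # step 2
    m = xor(y, H4(sigma))                     # step 3
    if U != H3(sigma, m) * P % Q:             # step 4: recompute r, check U = rP
        return None
    return m                                  # step 5
```

Changing any one of U, x or y alters the recomputed r, so the check in step 4 rejects the ciphertext instead of returning a related plaintext.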
The security result is then the following (cf. [35, Theorem 4.4] and also [83], where
a bug in the original reduction was fixed). The proof combines the Fujisaki-Okamoto
result with a translation of the reduction to the identity-based setting.
Theorem 10.3 Suppose that the hash functions $H_1$, $H_2$, $H_3$ and $H_4$ are random
oracles and the BDH problem is hard in the groups generated by $\mathcal{G}$. Then
FullIdent is IND-ID-CCA secure.
Our description of the Boneh-Franklin IBE scheme has been rather abstract
because we have simply assumed the existence of a pairing relative to which the
BDH assumption must hold for the scheme to be secure. We have not given any
details about the pairings that can possibly be used to build the scheme because the
only pairings known so far that appear to satisfy the cryptographic requirements are
based on elliptic curves. We will treat elliptic curves in the next chapter and provide
sufficient background to allow the interested reader to initiate study of the pairings
which are suitable for IBE, namely the Weil pairing and the Tate pairing.
10.5 Final Remarks on Identity-Based Cryptography
In this chapter we have attempted to give a brief introduction to the most salient
features of identity-based cryptography and, in particular, of identity-based
encryption. This field is relatively new and is undergoing much development. An
interesting research direction is that of hierarchical identity-based encryption, in
which ordered identity tuples are considered, giving rise to a hierarchy of PKGs that
allows key delegation by an entity to the lower-level entities. Another interesting
recent development is the introduction of IBE schemes that go beyond the ones we have
seen regarding security, since they have security reductions without random oracles.
There are many more interesting subjects in this expanding field and we refer the
interested reader to [153, 107] for advanced discussions of these aspects and also to
[136] for an elementary introduction to IBE schemes.
 