Efficient Identity-Based Encryption Without Random Oracles

Brent Waters
Stanford University
Additional slides contributed by Dan Boneh.
Identity-Based Encryption (IBE)
IBE: Public key encryption scheme where the public key is an arbitrary string (ID).
– Examples: user’s e-mail address, current-date, …
[Figure: email encrypted using public key “[email protected]”; labels: CA/PKG, master-key]
Brief History of IBE
• Shamir ’84
– Challenged community with IBE concept
• BF’01
– Pairing-based cryptography
– Proof uses Random Oracles
• CHK’03
– Introduced weaker “Selective-ID” model
– Proof without Random Oracles
– Ciphertext element per bit of identity
Brief History of IBE
• BB’04 Eurocrypt
– Efficient system in Selective-ID model
• BB’04 (Crypto)
– Proof in full model w/o Random Oracles
– Not practical system
• This work
– Practical system with proof in full model w/o Random Oracles
– Mathematically similar to BB’04 (Eurocrypt)
IBE System
• Setup
– Generate public parameters
• Key Gen
– Generate a private key
• Encrypt
– Encrypt message M for given identity, ID
• Decrypt
– Decrypt a ciphertext if have private key for identity
IBE Semantic Security
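[Figure: security game between Challenger and Attacker]
• Challenger runs Setup and gives params to the Attacker
• Attacker queries $ID_1, ID_2, ID_3, \ldots, ID_m$; Challenger runs KeyGen and returns $d_{ID_1}, d_{ID_2}, d_{ID_3}, \ldots, d_{ID_m}$
• Attacker sends $ID^*$ and $m_0, m_1 \in G$; Challenger picks $b \in \{0,1\}$ and returns $C^* = \mathrm{Enc}(m_b, ID^*, \mathrm{params})$
• Attacker outputs $b' \in \{0,1\}$
• Restriction: $ID_i \neq ID^*$
• Def: Alg. A $\epsilon$-breaks IBE sem. sec. if $\Pr[b = b'] > \tfrac{1}{2} + \epsilon$
• $(t, \epsilon)$-security: no t-time alg. can $\epsilon$-break IBE sem. sec.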
Bilinear Maps
• $G$, $G_1$: finite cyclic groups of prime order $p$.
• Def: An admissible bilinear map $e: G \times G \to G_1$ is:
– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ for all $a, b \in \mathbb{Z}$, $g \in G$
– Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
– Efficiently computable.
Complexity Assumption
• Def: Alg. A $\epsilon$-solves Bilinear-DDH in group $G$ if:
$\left| \Pr[A(g, g^a, g^b, g^c, e(g,g)^{abc}) = 1] - \Pr[A(g, g^a, g^b, g^c, e(g,g)^{z}) = 1] \right| > \epsilon$
where $g \in G$ and $a, b, c, z \in \{1, \ldots, p-1\}$.
Our Scheme
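• Setup
$g,\ g_1 = g^a,\ g_2,\ u',\ U = (u_1, \ldots, u_n) \in G$
$MK = g_2^a$
• Key Gen(v)
$d = \left( g_2^a \left( u' \prod_{i \in V} u_i \right)^r,\ g^r \right)$
• Encrypt(v, M)
$V \equiv \{ i : v_i = 1 \}$
$C = \left( e(g_1, g_2)^t M,\ g^t,\ \left( u' \prod_{i \in V} u_i \right)^t \right)$
• Decrypt(d, C = (C_0, C_1, C_2))
Observe: $e(d_1, C_1) / e(d_2, C_2) = e(g_1, g_2)^t$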
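The four algorithms of the scheme above, as an added example that is not code from the slides or the paper. It assumes a toy model in which each group element is stored as its exponent, so it checks only the algebra of the scheme and hides nothing; `id_bits`, `waters_hash`, `P` and `N` are names and values constructed for this example.

```python
import hashlib
import secrets

# TOY MODEL (assumption of this example): a group element g^x is stored as its
# exponent x mod P, so discrete logs are in the clear and nothing is secret.
# Multiplying elements adds exponents; raising to a power multiplies them.
P = 2**127 - 1   # prime group order p (constructed value)
N = 32           # identity length n in bits (constructed value)

def rand():
    return secrets.randbelow(P - 1) + 1        # nonzero exponent in Z_p

def pair(x, y):
    return x * y % P                           # e(g^x, g^y) = e(g,g)^(xy)

def id_bits(identity):
    # Hypothetical helper: map an ID string to the n-bit vector v.
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return [(h >> i) & 1 for i in range(N)]

def waters_hash(params, v):
    # u' * prod_{i in V} u_i, where V = {i : v_i = 1}
    return (params["u0"] + sum(u for u, b in zip(params["U"], v) if b)) % P

def setup():
    a, g2 = rand(), rand()
    params = {"g1": a, "g2": g2, "u0": rand(),
              "U": [rand() for _ in range(N)]}  # g itself is exponent 1
    return params, a * g2 % P                  # MK = g2^a

def keygen(params, mk, v):
    r = rand()
    return (mk + r * waters_hash(params, v)) % P, r   # d = (g2^a H^r, g^r)

def encrypt(params, v, m):
    t = rand()                                 # m is an element of G1
    c0 = (t * pair(params["g1"], params["g2"]) + m) % P   # e(g1,g2)^t * M
    return c0, t, t * waters_hash(params, v) % P          # (C0, g^t, H^t)

def decrypt(d, c):
    (d1, d2), (c0, c1, c2) = d, c
    mask = (pair(d1, c1) - pair(d2, c2)) % P   # e(d1,C1)/e(d2,C2)
    return (c0 - mask) % P                     # M = C0 / e(g1,g2)^t
```

With a key issued for a different identity, the two hash terms no longer cancel in `mask`, so `decrypt` returns a value other than the message.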
Comparison to BB’04
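• Setup
$g,\ g_1 = g^a,\ g_2,\ u',\ U = (u_1, \ldots, u_n) \in G$
$MK = g^a$
• Key Gen(v)
$d = \left( g_2^a \left( u' \prod_{i \in V} u_i \right)^r,\ g^r \right)$
• Encrypt(v, M)
$V \equiv \{ i : v_i = 1 \}$
$C = \left( e(g_1, g_2)^t M,\ g^t,\ \left( u' \prod_{i \in V} u_i \right)^t \right)$
• Decrypt(d, C = (C_0, C_1, C_2))
Observe: $e(d_1, C_1) / e(d_2, C_2) = e(g_1, g_2)^t$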
Comparison to BB’04
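• Setup
$g,\ g_1 = g^a,\ g_2,\ h \in G$
$MK = g^a$
• Key Gen(v)
$d = \left( g_2^a \left( g_1^v h \right)^r,\ g^r \right)$
• Encrypt(v, M)
$C = \left( e(g_1, g_2)^t M,\ g^t,\ \left( g_1^v h \right)^t \right)$
• Decrypt(d, C = (C_0, C_1, C_2))
Observe: $e(d_1, C_1) / e(d_2, C_2) = e(g_1, g_2)^t$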
Proof Idea
• Commit to parameters
– For each identity, can either generate a private key for it or use it as a challenge
[Figure: identities split into two sets]
Private Key Set: “[email protected]”, “Peter Clarke”
Challenge Set: “Madonna”, “Carleton Kingsford III”, “Artist Formerly Known As Prince”, “David Bowie”
• Must abort if adversary’s actions don’t match
• Difficulty is in bounding abort probability
Bounding abort probability
• Limit dependencies
– “Bob” in Private Key Set => “Alice” in Private Key Set
• Pairwise independence is enough
– If $v$ and $v'$ differ in at least 1 bit, $u' \prod_{i \in V} u_i$ and $u' \prod_{i \in V'} u_i$ differ in at least one element
• Pr[not abort] > 1/(8(n+1)q), where q is the max # of queries
Signature Scheme
• Transformation from IBE scheme into signature scheme (IBE keys = sigs)
• Efficient signature scheme relies on Computational-DH assumption
• ..., but has somewhat large public key
Conclusions + Open Problems
• Presented fully secure and efficient IBE scheme in standard model
• Can we reduce public parameter size?
• Get tight bounds?
Proof Idea
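Set $m = 4q$ ($q$ = max number of queries)
Guess $k$ from 0 to $n$
Choose random $y', y_1, \ldots, y_n \in \mathbb{Z}_p$
Choose random $x', x_1, \ldots, x_n \in [0, m-1]$
Set $u' = g^{y'} g_1^{p - km + x'}$, $u_i = g^{y_i} g_1^{x_i}$
For a given identity $v$, we have
$u' \prod_{i \in V} u_i = g^{y' + \sum_{i \in V} y_i} \, g_1^{p - km + x' + \sum_{i \in V} x_i}$
In challenge set if $x' + \sum_{i \in V} x_i = km$ (BB’04)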
Proof Idea
• $x' + \sum_{i \in V} x_i = km$
Can construct private key if $x' + \sum_{i \in V} x_i \not\equiv 0 \pmod{m}$
Use as challenge otherwise (and $k$ guessed correctly)
Since identities differ by at least one bit, get pairwise independence
Bound probability of aborting as 1/(8(n+1)q)