Efficient Selective-ID IBE Without Random Oracle

Dan Boneh, Stanford University
Xavier Boyen, Voltage Security


Identity Based Encryption (IBE)

IBE: Public key encryption scheme where public key is an arbitrary string (ID).
Examples: user’s e-mail address, current-date, …

[Figure labels: email encrypted using public key: “[email protected]”; CA/PKG; master-key]


IBE System

IBE system is made up of 4 algorithms:
• setup: generate params and master-key, MK.
• keygen: given pub-key ID and master-key output priv-key, d_ID
• Encrypt: using pub-key ID (and params)
• Decrypt: using priv-key.

Main use of IBE:
• reduce need for online pub-key directory.


Semantic Secure IBE systems [BF’01]

Semantic security when attacker has few private keys.

Game between Attacker and Challenger:
  Challenger: Run Setup; params
  Attacker:   ID_1, ID_2, ID_3, …, ID_n
  Challenger: Run KeyGen; d_{ID_1}, d_{ID_2}, d_{ID_3}, …, d_{ID_n}
  Attacker:   ID*, m_0, m_1 G
  Challenger: b{0,1}; C* = Enc(m_b, ID*, params)
  Attacker:   b’ {0,1}
  ID_i ID*

Def: Alg. A -breaks IBE sem. sec. if Pr[b=b’] > ½ +
(t,)-security: no t-time alg. can -break IBE sem. sec.


Selective-ID Secure IBE [CHK’03]

Game between Attacker and Challenger:
  : pub-key to attack
  Challenger: Run Setup; params
  Attacker:   ID_1, ID_2, ID_3, …, ID_n
  Challenger: Run KeyGen; d_{ID_1}, d_{ID_2}, d_{ID_3}, …, d_{ID_n}
  Attacker:   ID*, m_0, m_1 G
  Challenger: b{0,1}; C* = Enc(m_b, ID*, params)
  Attacker:   b’ {0,1}
  ID_i ID*

Def: Alg. A -breaks IBE sem. sec. if Pr[b=b’] > ½ +


Known Results

BF’01: Full sem. sec. IBE system in RO model.
• Based on Comp. Bilinear-DH assumption.
• Extends to provide CCA2 in RO model.

CHK’03: Selective-ID Secure IBE without RO.
• Based on Decision Bilinear-DH assumption.
• Problem: bilinear map per bit of ID.

Current: (two) efficient Selective-ID secure IBE.
• No Random oracles.
• Based on Decision Bilinear-DH assumption.
• 0 pairings for enc. 2 pairings for dec.


Bilinear maps (abstractly)

G , G_1 : finite cyclic groups of prime order q.

Def: An admissible bilinear map e: GG G_1 is:
• Bilinear: e(g^a, g^b) = e(g,g)^{ab}   a,bZ, gG
• Non-degenerate: g generates G   e(g,g) generates G_1 .
• “Efficiently” computable.

Currently: examples from algebraic geometry where Dlog in G believed to be hard.


Bilinear Diffie-Hellman Problems

Def: Alg. A -solves Bilinear-DH in group G if:
  Pr[ A(g, h, g^x, g^y) = e(g,h)^{xy} ] >
where g,h G and x,y {1,…,q-1}.

Def: Alg. A -solves Bilinear-DDH in group G if:
  Pr[ A(g, h, g^x, g^y, e(g,h)^{xy}) = 1 ] Pr[ A(g, h, g^x, g^y, e(g,h)^r) = 1 ] | >
where g,h G and x,y,r {1,…,q-1}.


Selective-ID IBE system

Setup: params = (g, g_1 = g^x, g_2, h) G_1 ; MK = g_2^x

KeyGen (ID, MK): given pub-key ID{1,…,q} do:
  r{1,…,q-1}
  d_ID = ( MK (g_1^{ID} h)^r , g^r )

Encrypt ( m, ID, (g, g_1, g_2, h) ):
  s{1,…,q-1}
  C = ( m e(g_1, g_2)^s , g^s , (g_1^{ID} h)^s )

Decrypt (C, d_ID): C = (C_0 , C_1 , C_2) using d_ID = (d_1, d_2)
  observe: e(C_1 , d_1) / e(C_2 , d_2) = e(g_1, g_2)^s


Security Theorem

Thm: t-time alg. that -breaks IBE sem. sec. in G ~ t-time alg. that -solves bilinear-DDH in G.


Proof

Algorithm for Bilinear-DDH, given (g, g_1, g_2 = g^x, g_3 = g^y, R = e(g, g_1)^z):
  Attacker:  ID* {1,…,q}
  Unknown: MK = g_1^x
  Algorithm: params = (g, g_1, g_2, h = g_1^{-ID*} g )
  Attacker:  ID {1,…,q}
  Algorithm: d_0 = g_2^{-/(ID-ID*)} (g_1^{ID} h)^r , d_1 = g_2^{-1/(ID-ID*)} g^r ; d_ID = ( d_0 , d_1 )
  Attacker:  m_0, m_1 G
  Algorithm: C* = ( m_b R , g_3 , g_3 )
  Attacker:  b’ {0,1}
  R: 1 if z=xy, 0 if z rand


Proof

Algorithm for Bilinear-DDH, given (g, g_1, g_2 = g^x, g_3 = g^y, R = e(g, g_1)^z):
  Attacker:  ID* {1,…,q}
  Algorithm: params = (g, g_1, g_2, h = g_1^{-ID*} g )
  Attacker:  ID {1,…,q}
  Algorithm: d_ID = ( d_0 , d_1 )
  Attacker:  m_0, m_1 G
  Algorithm: C* = ( m_b R , g_3 , g_3 )
  Attacker:  b’ {0,1}
  Output: 1 if b=b’, 0 otherwise


Applications

Our IBE + CHK’04 efficient CCA2 public-key system w/o Random Oracles from Bilinear-DDH:
• Enc: 3 exp. (4 exp. in CS)
• Dec: two pairings + 2 exp. (2 exp. in CS)
• CT size: 3|G| + one-time-sig. (4|G| in CS)

Comparable to Cramer-Shoup (but a bit worse).
• Shorter CT using BB’04 short sigs w/o R.O.

2nd system: one fewer bilinear maps for dec.
• Gives more efficient CCA2 public-key system.


Extensions

Hierarchical IBE [LH’02, GS’02]
• System extends to give an efficient Selective-ID H-IBE without R.O.
• 2-HIBE + CHK’04 Efficient CCA2 Selective-ID IBE without R.O.

2nd system: more efficient Selective-ID IBE.
• one fewer bilinear maps for dec.
• But, based on stronger assumption (DH-Inversion).

Recently [BB’04]:
• Full-IBE with no RO based on Bilinear-DDH.
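
The four algorithms of the "Selective-ID IBE system" slide, as an added Python example (not code from the slides or their authors). It is a toy model that stores each element g^a of G as its exponent a mod Q, so the pairing is computable but discrete logs are trivial and nothing here is secure; it only checks the decryption identity. The names G, e, rand_exp, setup, keygen, encrypt, decrypt, the constants Q, P, GT, and the final division of C_0 by e(g_1,g_2)^s in decrypt are assumptions of this example.

```python
import secrets

Q, P, GT = 1019, 2039, 4   # constructed toy sizes: P = 2Q+1, GT has order Q in Z_P*

class G:
    """Element g^a of G, stored as its exponent a mod Q (toy model, no security)."""
    def __init__(self, a): self.a = a % Q
    def __mul__(self, o): return G(self.a + o.a)
    def __pow__(self, k): return G(self.a * k)

def e(u, v):
    """Toy pairing e(g^a, g^b) = GT^(ab), an element of G_1 inside Z_P*."""
    return pow(GT, u.a * v.a % Q, P)

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)        # uniform in {1,...,Q-1}

def setup():
    x, g = rand_exp(), G(1)
    g1, g2, h = g ** x, g ** rand_exp(), g ** rand_exp()
    return (g, g1, g2, h), g2 ** x             # params, MK = g2^x

def keygen(params, mk, ident):
    g, g1, g2, h = params
    r = rand_exp()
    return mk * (g1 ** ident * h) ** r, g ** r  # d_ID = (MK (g1^ID h)^r, g^r)

def encrypt(params, ident, m):
    g, g1, g2, h = params
    s = rand_exp()
    c0 = m * pow(e(g1, g2), s, P) % P          # m * e(g1,g2)^s
    return c0, g ** s, (g1 ** ident * h) ** s

def decrypt(ct, d_id):
    (c0, c1, c2), (d1, d2) = ct, d_id
    mask = e(c1, d1) * pow(e(c2, d2), -1, P) % P   # equals e(g1,g2)^s for the right ID
    return c0 * pow(mask, -1, P) % P

if __name__ == "__main__":
    params, mk = setup()
    m = pow(GT, 123, P)                        # constructed message in G_1
    ct = encrypt(params, 42, m)
    print(decrypt(ct, keygen(params, mk, 42)) == m)   # key for the same ID
    print(decrypt(ct, keygen(params, mk, 43)) == m)   # key for another ID
```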