
Identity-Based Encryption and Pairings - Mihir Bellare, UCSD - PowerPoint PPT Presentation



  1. Identity-Based Encryption and Pairings
     Mihir Bellare, UCSD

     The People

     The Awards

     Receiver has identity $I$. Example: $I$ = bob@example.com

     PKE
     [Diagram: Sender (Alice), Receiver (Bob), Trusted Authority; labels $M$, $C$, $\mathrm{cert}_I$]
     • Receiver generates her own key pair $(pk, sk)$
     • Trusted authority (CA), given $pk$, provides receiver with a certificate $\mathrm{cert}_I$
     • Sender needs Receiver's certificate before she can encrypt

     IBE
     [Diagram: Sender (Alice), Receiver (Bob), Trusted Authority; labels $M$, $C$, $I$, $sk_I$]
     • Receiver generates nothing a priori
     • Sender only needs receiver's identity $I$ before she can encrypt
     • Trusted authority (CA), given $I$, provides receiver with a decryption key

  2. Syntax of an IBE scheme

     IBE = $(P, K, E, D)$

     Algorithms:
     • $P$: parameter generation
     • $K$: key generation
     • $E$: encryption
     • $D$: decryption

     Notation:
     • $mpk$: master public key
     • $msk$: master secret key
     • $I$: identity
     • $sk$: secret (decryption) key for $I$
     • $M$: message
     • $C$: ciphertext

     [Diagram: data flow between $P$, $K$, $E$ and $D$ with labels $mpk$, $msk$, $I$, $sk$, $M$, $C$]

     The correct decryption requirement for identity $I$ and message $M$ asks that

     $$\Pr[D(mpk, K(mpk, msk, I), E(mpk, I, M)) = M] = 1$$

     Security of an IBE scheme

     IBE = $(P, K, E, D)$ is an IBE scheme.

     [Diagram: adversary $A$ is given $mpk$, $C \xleftarrow{\$} E(mpk, I, M)$ and $sk' \xleftarrow{\$} K(mpk, msk, I')$ for any $I' \neq I$; $M = ?$]

     Adversary $A$ should be unable to figure out a message $M$ encrypted to identity $I$, even given
     • The master public key $mpk$
     • The identity $I$
     • The ciphertext $C$
     • AND: Secret key $sk'$ for any identity $I' \neq I$

     Security of an IBE scheme

     IBE = $(P, K, E, D)$ is an IBE scheme. Let $A$ be an adversary.

     Game $\mathrm{IND\text{-}CPA}_{\mathrm{IBE}}$

       Initialize
         $(mpk, msk) \xleftarrow{\$} P$ ; $b \xleftarrow{\$} \{0, 1\}$
         $ExI \leftarrow \emptyset$ ; $ChI \leftarrow \emptyset$
         Return $mpk$

       Expose($I$)
         If ($I \in ChI$) then return $\bot$
         $ExI \leftarrow ExI \cup \{I\}$
         $sk \xleftarrow{\$} K(mpk, msk, I)$
         Return $sk$

       LR($I, M_0, M_1$)
         If ($I \in ExI$) then return $\bot$
         $ChI \leftarrow ChI \cup \{I\}$
         $C \xleftarrow{\$} E(mpk, I, M_b)$
         Return $C$

       Finalize($b'$)
         Return ($b = b'$)

     $$\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathrm{IBE}}(A) = 2 \Pr[\mathrm{IND\text{-}CPA}^{A}_{\mathrm{IBE}} \Rightarrow \mathrm{true}] - 1$$

     • $b$: Challenge bit
     • $ExI$: Set of exposed identities
     • $ChI$: Set of challenge identities
     • $b'$: $A$'s output, guess of $b$

     Security requires that adversary can't figure out whether left ($b = 0$) or right ($b = 1$) messages are encrypted for challenge identities. Even when it is allowed to obtain the secret keys of non-challenge identities.

     Building an IBE scheme

     It is hard to find a way to build an IND-CPA-secure IBE scheme based on conventional number theory.

     With RSA, let
     • $mpk = (N, e)$
     • $msk = (N, d)$
     • $sk = ?$
     • $C = ?$
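
The IND-CPA game above as an executable harness, an added example that is not from the slides. The class, the `advantage` estimator and the deliberately flawed scheme `FLAWED` (whose key generation ignores $msk$) are constructed here for illustration.

```python
import hashlib, secrets

class IndCpaGame:
    """Game IND-CPA_IBE: Initialize runs in __init__, oracles follow the slides."""
    def __init__(self, P, K, E):
        self.K, self.E = K, E
        self.mpk, self.msk = P()
        self.b = secrets.randbelow(2)             # challenge bit b
        self.ExI, self.ChI = set(), set()         # exposed / challenge identities

    def expose(self, I):
        if I in self.ChI:
            return None                           # ⊥: I is a challenge identity
        self.ExI.add(I)
        return self.K(self.mpk, self.msk, I)

    def lr(self, I, M0, M1):
        if I in self.ExI:
            return None                           # ⊥: sk for I was already exposed
        self.ChI.add(I)
        return self.E(self.mpk, I, (M0, M1)[self.b])

    def finalize(self, guess):
        return self.b == guess

def advantage(scheme, adversary, trials=2000):    # estimates 2*Pr[game => true] - 1
    wins = sum(g.finalize(adversary(g)) for g in (IndCpaGame(*scheme) for _ in range(trials)))
    return 2 * wins / trials - 1

# Constructed, deliberately flawed scheme: key generation ignores msk, so sk is
# computable from the public identity alone.
def xor(a, b): return bytes(s ^ t for s, t in zip(a, b))
def pad(I): return hashlib.sha256(I.encode()).digest()
FLAWED = (lambda: (b"mpk", secrets.token_bytes(16)),   # P
          lambda mpk, msk, I: pad(I),                  # K
          lambda mpk, I, M: xor(pad(I), M))            # E

def key_recomputing_adversary(game):              # never calls expose, yet wins
    I, M0, M1 = "bob@example.com", bytes(16), b"\xff" * 16
    C = game.lr(I, M0, M1)
    return 0 if xor(pad(I), C) == M0 else 1

def guessing_adversary(game):
    return secrets.randbelow(2)
```

Against `FLAWED` the key-recomputing adversary reaches advantage 1, while blind guessing stays near 0; a scheme is IND-CPA secure only if every efficient adversary stays near 0.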

  3. Pairings

     Let $e : G \times G \to G_T$ be a function, where $G$, $G_T$ are groups whose order $p$ is a prime. Let $g$ be a generator of $G$. We say that $e$ is a pairing if the following are true:
     • Bi-linearity: $e(g^x, g^y) = e(g, g)^{xy}$ for all $x, y \in \mathbb{Z}_p$
     • Non-degeneracy: $e(g, g)$ is a generator of $G_T$.

     Game $\mathrm{BDH}_{e,g}$

       Initialize
         $a, b, c \xleftarrow{\$} \mathbb{Z}_p$
         Return $g^a, g^b, g^c$

       Finalize($Z$)
         Return ($Z = e(g, g)^{abc}$)

     $$\mathbf{Adv}^{\mathrm{bdh}}_{e,g}(A) = \Pr[\mathrm{BDH}^{A}_{e,g} \Rightarrow \mathrm{true}]$$

     Pairings that appear to be BDH-secure can be built from the Weil and Tate pairings over elliptic curves.

     Boneh-Franklin IBE scheme

     • $e : G \times G \to G_T$ a BDH-secure pairing
     • $g$ a generator of $G$
     • $p$ the order of $G$, $G_T$
     • Identity $I \in \{0, 1\}^*$
     • Message $M \in \{0, 1\}^m$
     • Function $H : \{0, 1\}^* \to G$
     • Function $G : G_T \to \{0, 1\}^m$

       Algorithm $P$
         $msk \xleftarrow{\$} \mathbb{Z}_p$ ; $mpk \leftarrow g^{msk}$
         Return $(mpk, msk)$

       Algorithm $K(mpk, msk, I)$
         $sk \leftarrow H(I)^{msk}$ ; Return $sk$

       Algorithm $E(mpk, I, M)$
         $r \xleftarrow{\$} \mathbb{Z}_p$ ; $R \leftarrow g^r$ ; $K \leftarrow e(mpk, H(I)^r)$
         $W \leftarrow G(K) \oplus M$ ; Return $(R, W)$

       Algorithm $D(mpk, sk, (R, W))$
         $L \leftarrow e(R, sk)$ ; $M \leftarrow G(L) \oplus W$ ; Return $M$

     Proof of correct decryption requirement

     Let $I \in \{0, 1\}^*$ be an identity.
     Let $M \in \{0, 1\}^m$ be a message.
     Let $sk = K(mpk, msk, I) = H(I)^{msk}$.
     Let $(R, W) \xleftarrow{\$} E(mpk, I, M)$.
     We show that $D(mpk, sk, (R, W)) = M$.
     Let $i$ be such that $H(I) = g^i$.

     $$\begin{aligned}
     L &= e(R, sk) && \text{from decryption algorithm} \\
       &= e(g^r, H(I)^{msk}) && \text{from encryption algorithm} \\
       &= e(g^r, g^{i \cdot msk}) && \text{because } H(I) = g^i \\
       &= e(g, g)^{ri \cdot msk} && \text{bi-linearity} \\
       &= e(g^{msk}, g^{ir}) && \text{bi-linearity} \\
       &= e(mpk, H(I)^r) \\
       &= K && \text{from encryption algorithm}
     \end{aligned}$$

     IBE features
     • Sender only needs receiver's identity $I$ before she can encrypt
     • "Trusted" authority can decrypt all ciphertexts for all identities
     • Revocation is a pain

     IBE issues
     • "Trusted" authority can decrypt all ciphertexts for all identities
     • Compromise of server storing $msk$ can result in adversary decrypting all ciphertexts for all identities
     • A secure channel is needed to communicate $sk$ from trusted authority to receiver
     • Revocation is a pain
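
The four Boneh-Franklin algorithms and the correctness chain above, run end to end as an added example that is not from the slides. It assumes a toy, insecure pairing (elements of $G$ stored as exponents mod $p$, $G_T$ a subgroup of $\mathbb{Z}_q^*$), SHA-256 for $H$ and SHAKE-256 for the slides' function $G$ (named `mask` here); these choices and all helper names are constructed for illustration.

```python
import hashlib, secrets
from math import isqrt

# Toy pairing for checking the algebra only, NOT secure (assumption of this example):
# an element g^x of G is stored as x mod p, so discrete logs in G are trivial.
# G_T is the order-p subgroup of Z_q^*, with e(g^x, g^y) = gt^(x*y).
p = 2**31 - 1                                    # prime order of G and G_T
def is_prime(n): return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))
q = next(k * p + 1 for k in range(2, 10**4, 2) if is_prime(k * p + 1))
gt = next(t for t in (pow(h, (q - 1) // p, q) for h in range(2, 50)) if t != 1)
g = 1                                            # generator of G, i.e. g^1

def e(x, y):                                     # pairing; gt plays the role of e(g, g)
    return pow(gt, (x * y) % p, q)

def power(base, k):                              # base^k in G (exponents multiply)
    return (base * k) % p

def H(identity):                                 # H: {0,1}* -> G, never the identity element
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (p - 1)

def mask(elem, m):                               # the slides' function G: G_T -> {0,1}^m
    return hashlib.shake_256(elem.to_bytes(16, "big")).digest(m)

def xor(a, b):
    return bytes(s ^ t for s, t in zip(a, b))

def P():                                         # msk drawn nonzero so mpk generates G
    msk = 1 + secrets.randbelow(p - 1)
    return power(g, msk), msk                    # (mpk, msk) with mpk = g^msk

def K(mpk, msk, I):
    return power(H(I), msk)                      # sk = H(I)^msk

def E(mpk, I, M):
    r = 1 + secrets.randbelow(p - 1)
    R = power(g, r)
    key = e(mpk, power(H(I), r))                 # K = e(mpk, H(I)^r)
    return R, xor(mask(key, len(M)), M)          # (R, W), m = len(M) bytes

def D(mpk, sk, C):
    R, W = C
    L = e(R, sk)                                 # equals K by bilinearity
    return xor(mask(L, len(W)), W)
```

`D(mpk, K(mpk, msk, I), E(mpk, I, M))` returns `M` for every identity `I`, while a key issued for a different identity yields a different mask. Whoever holds `msk` can run `K` for any identity, which is the escrow issue the slides list.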
