Security of Systems Department of Computer Science Radboud

Post on 12-Sep-2021


Identity based cryptography

The case of encryption schemes

David Galindo

d.galindo@cs.ru.nl

Security of Systems

Department of Computer Science

Radboud Universiteit Nijmegen

Identity based cryptography – p. 1/25

Outline

Motivation

Definitions
  Identity Based Encryption (IBE)
  Secure IBEs
  Bilinear maps and problems

Schemes
  2001 Boneh & Franklin scheme (ROM)
  2004 Waters scheme (standard model)

Future research

Motivation: PKI

To use Public Key Cryptography we need to bind identities and keys.

Public Key Infrastructures

A Certification Authority (CA) issues certificates:

$U$: user's identity

$PK$: public key

$D_1$: issue date

$D_2$: expiration date

Certificate(U, PK): $\mathrm{Sig}_{CA}(U, PK, D_1, D_2)$

Certificate Revocation Problem

Motivation: PKI (ii)

Before performing the cryptographic operation involving the public key, we must validate Certificate(U, PK).

Easy for signature schemes. User U sends the certificate along with its signature on a message m:

$(\mathrm{Certificate}(U, PK),\ \mathrm{Sig}_{PK}(m),\ m)$

Difficult for encryption schemes. Before sending a message m to user U, we should know if it is in possession of a valid certificate.

We would like to perform the public operation without extra communication.

Identity Based Encryption (IBE)

Main idea: the public key is an identity $ID \in \{0,1\}^*$.

A Key Generation Center (KGC) issues private keys for $ID$.

An IBE scheme consists of 4 algorithms:

Setup. Takes a security parameter $\ell$ and outputs system parameters params and master-key.

Encrypt. Takes as inputs params, $ID \in \{0,1\}^*$ and message $M$, and outputs a ciphertext $C$.

ExtractPrivateKey. Takes as inputs params, master-key and $ID \in \{0,1\}^*$, and outputs a private decryption key $d_{ID}$.

Decrypt. Takes as inputs params, private key $d_{ID}$ and ciphertext $C$, and outputs a message $M$.

Certificate revocation problem can be “avoided” using ID = bob@company.com||year||month||day

Security notions for IBE schemes

IND-ID-CPA security for an IBE scheme $\mathcal{E}$

Initialization. The challenger runs Setup, gives the adversary $\mathcal{A}$ the description of $\mathcal{E}$ and params, and keeps $d_{ID}$ secret.

Phase 1. $\mathcal{A}$ issues adaptive queries of the type:

Extraction query $\langle ID_i \rangle$

Challenge. $\mathcal{A}$ outputs two equal-length messages $M_0, M_1$ and an $ID_{ch}$ on which it wishes to be challenged. The challenger picks $b \leftarrow \{0,1\}$ and sets $C = \mathrm{Encrypt}(\mathrm{params}, ID_{ch}, M_b)$.

Phase 2. As in Phase 1, except submitting $ID_{ch}$.

Guess. $\mathcal{A}$ outputs a bit $b'$ and wins if $b' = b$.

Security notions for IBE schemes

IND-ID-CCA security for an IBE scheme $\mathcal{E}$

Initialization. The challenger runs Setup, gives the adversary $\mathcal{A}$ the description of $\mathcal{E}$ and params, and keeps $d_{ID}$ secret.

Phase 1. $\mathcal{A}$ issues adaptive queries of the type:

Extraction query $\langle ID_i \rangle$

Decryption query $\langle ID_i, C_i \rangle$

Challenge. $\mathcal{A}$ outputs two equal-length messages $M_0, M_1$ and an $ID_{ch}$ on which it wishes to be challenged. The challenger picks $b \leftarrow \{0,1\}$ and sets $C = \mathrm{Encrypt}(\mathrm{params}, ID_{ch}, M_b)$.

Phase 2. As in Phase 1, except submitting $ID_{ch}$.

Guess. $\mathcal{A}$ outputs a bit $b'$ and wins if $b' = b$.

Bilinear maps and bilinear groups

Let $G$, $G_T$ be abelian groups of prime order $p$ in which the discrete logarithm is believed to be hard. By a bilinear map we will refer to a non-degenerate bilinear function $\hat{t} : G \times G \to G_T$.

Computational Diffie-Hellman problem on $G$. Given $P, aP, bP \leftarrow G$ as input, compute $abP \in G$, where $a \leftarrow \mathbb{Z}_p$.

Decisional Diffie-Hellman problem on $G$. Given $P, aP, bP, cP \leftarrow G$ as input, output yes if $c = ab$ and no otherwise, where $a, b \leftarrow \mathbb{Z}_p$.

$(P, aP, bP, cP)$ is a DH tuple iff $\hat{t}(aP, bP) = \hat{t}(P, cP)$.

BDH problems

Bilinear Diffie-Hellman (BDH) Problem on $G$. Given $P, aP, bP, cP \leftarrow G$ as input, compute $W = \hat{t}(P, P)^{abc} \in G_T$.

Decision Bilinear Diffie-Hellman (DBDH) Problem on $G$. Given $P, aP, bP, cP \leftarrow G$ as input, and $T \leftarrow G_T$, output yes if $T = \hat{t}(P, P)^{abc}$ and no otherwise.

Boneh-Franklin identity based encryption scheme

Basic scheme

An IND-ID-CPA scheme is defined first: BasicIdent.

Setup.

Choose $P \leftarrow G$, $s \leftarrow \mathbb{Z}_p^*$ and set $P_{pub} = sP \in G^*$.

Choose $H_1 : \{0,1\}^* \to G^*$ and $H_2 : G_T \to \{0,1\}^n$.

Set $\mathcal{M} = \{0,1\}^n$ and $\mathcal{C} = G^* \times \{0,1\}^n$.

params $= \langle p, G, G_T, \hat{t}, P, P_{pub}, H_1, H_2 \rangle$.

The master-key is $s \in \mathbb{Z}_p^*$.

Basic scheme

Extract.

Given $ID \in \{0,1\}^*$, compute $Q_{ID} = H_1(ID) \in G^*$.

Set $d_{ID} = sQ_{ID} \in G^*$.

Encrypt. To encrypt $M \in \{0,1\}^n$ under the public key $ID$:

Compute $Q_{ID} = H_1(ID) \in G^*$.

Choose $r \leftarrow \mathbb{Z}_p^*$.

Set $C = \langle rP,\ M \oplus H_2(g_{ID}^r) \rangle$ where $g_{ID} = \hat{t}(P_{pub}, Q_{ID}) \in G_T$.

Decrypt.

Let $C = \langle U, V \rangle \in \mathcal{C}$.

Compute $V \oplus H_2(\hat{t}(U, d_{ID})) = M$.

$\hat{t}(U, d_{ID}) = \hat{t}(rP, sQ_{ID}) = \hat{t}(P, Q_{ID})^{sr} = \hat{t}(P_{pub}, Q_{ID})^r = g_{ID}^r$

Full scheme

FullIdent is obtained by applying the Fujisaki-Okamoto conversion from Crypto'99 to BasicIdent.

FO conversion. If we denote by $E_{pk}(M, r)$ the encryption of $M$ using randomness $r$ under public key $pk$, then

$E^{hy}_{pk}(M) = \langle E_{pk}(\sigma, H_3(\sigma, M)),\ H_4(\sigma) \oplus M \rangle$

where $\sigma \leftarrow \{0,1\}^n$.

This adds $n$ bits to the resulting ciphertext.

Full scheme (ii)

Setup.

Choose $P \leftarrow G$, $s \leftarrow \mathbb{Z}_p^*$ and set $P_{pub} = sP \in G^*$.

Choose $H_1 : \{0,1\}^* \to G^*$, $H_2 : G_T \to \{0,1\}^n$, $H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$, $H_4 : \{0,1\}^n \to \{0,1\}^n$.

Set $\mathcal{M} = \{0,1\}^n$ and $\mathcal{C} = G^* \times \{0,1\}^n \times \{0,1\}^n$.

params $= \langle p, G, G_T, \hat{t}, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$.

The master-key is $s \in \mathbb{Z}_p^*$.

Full scheme (iii)

Extract.

Just as before, $d_{ID} = sH_1(ID) \in G^*$.

Encrypt. To encrypt $M \in \{0,1\}^n$ under the public key $ID$:

Compute $Q_{ID} = H_1(ID) \in G^*$.

Choose $\sigma \leftarrow \{0,1\}^n$.

Set $C = \langle rP,\ \sigma \oplus H_2(g_{ID}^r),\ M \oplus H_4(\sigma) \rangle$ where $g_{ID} = \hat{t}(P_{pub}, Q_{ID}) \in G_T$ and $r = H_3(\sigma, M)$.

Decrypt.

Let $C = \langle U, V, W \rangle \in \mathcal{C}$.

Compute $V \oplus H_2(\hat{t}(U, d_{ID})) = \sigma$ and $W \oplus H_4(\sigma) = M$.

Set $r = H_3(\sigma, M)$. Check that $U = rP$. If not, reject.
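FullIdent (Setup, Extract, Encrypt, Decrypt with the U = rP check), run end to end with the date-scoped identities suggested earlier for avoiding revocation; this is an added example, not code from the talk. The pairing is a constructed toy (G = (Z_p, +), t(a, b) = g^(ab)) that is bilinear but has trivial discrete logarithms, so it only exercises the algebra; the SHA-256 based H1 to H4, the helper names and the sample identities are assumptions of the example.

```python
import hashlib, math, secrets

# Assumptions of this example: toy groups, and SHA-256 standing in for H1..H4.
P_ORD = 2**127 - 1   # prime order p of G and G_T (constructed toy parameter)
N = 16               # message length n, in bytes

def find_gt(p):
    """Smallest prime q = 2kp + 1 (Pocklington test, base 2) and g of order p."""
    k = 1
    while True:
        q, k = 2 * k * p + 1, k + 1
        g = pow(2, (q - 1) // p, q)
        if pow(g, p, q) == 1 and math.gcd(g - 1, q) == 1:
            return q, g

Q_MOD, GEN = find_gt(P_ORD)

def pair(a, b):
    """Toy pairing t(a, b) = g^(ab) on G = (Z_p, +). Bilinear and
    non-degenerate, but discrete logs in G are trivial: NOT secure."""
    return pow(GEN, a * b % P_ORD, Q_MOD)

def H(tag, *parts, mod=None):
    """Domain-separated SHA-256: into Z_p^* (= G^* here) if mod, else n bytes."""
    d = hashlib.sha256(tag + b"".join(parts)).digest()
    return int.from_bytes(d, "big") % (mod - 1) + 1 if mod else d[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mask(gt_elem):                       # H2 : G_T -> {0,1}^n
    return H(b"H2", str(gt_elem).encode())

def setup():
    P, s = (secrets.randbelow(P_ORD - 1) + 1 for _ in range(2))
    return {"P": P, "Ppub": s * P % P_ORD}, s        # (params, master-key)

def extract(s, ident):
    return s * H(b"H1", ident, mod=P_ORD) % P_ORD    # d_ID = s * Q_ID

def encrypt(params, ident, M):
    q_id = H(b"H1", ident, mod=P_ORD)
    sigma = secrets.token_bytes(N)
    r = H(b"H3", sigma, M, mod=P_ORD)                # FO: r derived from (sigma, M)
    g_r = pow(pair(params["Ppub"], q_id), r, Q_MOD)
    return r * params["P"] % P_ORD, xor(sigma, mask(g_r)), xor(M, H(b"H4", sigma))

def decrypt(params, d_id, C):
    U, V, W = C
    sigma = xor(V, mask(pair(U, d_id)))
    M = xor(W, H(b"H4", sigma))
    r = H(b"H3", sigma, M, mod=P_ORD)
    return M if U == r * params["P"] % P_ORD else None   # reject if U != rP

def demo():
    params, s = setup()
    id_day1 = b"bob@company.com||2024||01||15"       # constructed identities
    id_day2 = b"bob@company.com||2024||01||16"
    M = b"sixteen byte msg"
    U, V, W = C = encrypt(params, id_day1, M)
    tampered = (U, V, xor(W, b"\x01" + bytes(N - 1)))
    return (decrypt(params, extract(s, id_day1), C),         # M
            decrypt(params, extract(s, id_day2), C),         # None: other day's key
            decrypt(params, extract(s, id_day1), tampered))  # None: FO check fails

if __name__ == "__main__":
    print(demo())
```

A key extracted for one day's identity does not open ciphertexts addressed to another day's identity, which is what lets the KGC stop serving a user by no longer issuing keys for later dates.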

Security result

Theorem. Let $\mathcal{A}$ be an IND-ID-CCA adversary running in time $t$ and with advantage $\varepsilon$ against FullIdent, making at most $q_E$ private key extraction queries, $q_D$ decryption queries and $q_H$ hash queries. Then there is an algorithm $\mathcal{B}$ running in time roughly $t$ that has advantage at least $\frac{\varepsilon}{q_H^2 q_D}$ against the BDH problem in $G$.

Bilinear Diffie-Hellman (BDH) Problem on $G$. Given $P, aP, bP, cP \leftarrow G$ as input, compute $W = \hat{t}(P, P)^{abc} \in G_T$.

Waters IBE scheme in the standard model

Waters scheme

Setup.

Choose $s \leftarrow \mathbb{Z}_p^*$.

Choose $P_2 \leftarrow G$, and set $P_1 = sP \in G^*$.

Choose $Q' \leftarrow G^*$ and a random $n$-length vector $U = (Q_i)$ with $Q_i \leftarrow G^*$.

Set $\mathcal{M} = G_T$, $\mathcal{C} = G_T \times G^* \times G^*$ and $\mathcal{ID} = \{0,1\}^n$.

params $= \langle p, G, G_T, \hat{t}, P, P_1, P_2, Q', U \rangle$.

The master-key is $sP_2$.

Waters scheme (ii)

Extract.

Let $ID_i$ denote the $i$-th bit of $ID$ and $V \subset \{0, \ldots, n\}$ the set of $i$ such that $ID_i = 1$.

Choose $r \leftarrow \mathbb{Z}_p^*$.

$d_{ID} = \left( sP_2 \left( Q' \prod_{i \in V} Q_i \right)^r,\ rP \right)$

Encrypt. To encrypt $M \in G_T$ under the public key $ID$:

Choose $x \leftarrow \mathbb{Z}_p^*$.

Set $C = \left( \hat{t}(P_1, P_2)^x M,\ xP,\ \left( Q' \prod_{i \in V} Q_i \right)^x \right)$.

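Waters scheme (iii)

Decryption. Let $C = (C_1, C_2, C_3)$ be a valid encryption under $ID$.

Decrypt $C$ using $d_{ID} = (d_1, d_2)$ as

$C_1 \frac{\hat{t}(d_2, C_3)}{\hat{t}(d_1, C_2)}$

Let $d_{ID} = \left( sP_2 \left( Q' \prod_{i \in V} Q_i \right)^r,\ rP \right)$ and $C = \left( \hat{t}(P_1, P_2)^x M,\ xP,\ \left( Q' \prod_{i \in V} Q_i \right)^x \right)$, then

$C_1 \frac{\hat{t}(d_2, C_3)}{\hat{t}(d_1, C_2)} = \left( \hat{t}(P_1, P_2)^x M \right) \frac{\hat{t}\left( rP,\ \left( Q' \prod_{i \in V} Q_i \right)^x \right)}{\hat{t}\left( sP_2 \left( Q' \prod_{i \in V} Q_i \right)^r,\ xP \right)}$

$= \left( \hat{t}(P_1, P_2)^x M \right) \frac{\hat{t}\left( P,\ \left( Q' \prod_{i \in V} Q_i \right)^{rx} \right)}{\hat{t}(P_1, P_2)^x\ \hat{t}\left( \left( Q' \prod_{i \in V} Q_i \right)^{rx},\ P \right)} = M.$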

Security result

Theorem. Let $\mathcal{A}$ be an IND-ID-CPA adversary running in time $t$ and with advantage $\varepsilon$, making at most $q_E$ private key extraction queries and $q_D$ decryption queries. Then there is an algorithm $\mathcal{B}$ running in time roughly $t + O(q_E n \varepsilon^{-2} \ln(\varepsilon^{-1}) \ln(q_E n))$ that has advantage at least $\frac{\varepsilon}{32 n q_E}$ against the BDDH problem in $G$.

Decision Bilinear Diffie-Hellman (DBDH) Problem on $G$. Given $P, aP, bP, cP \leftarrow G$ as input, and $T \leftarrow G_T$, output yes if $T = \hat{t}(P, P)^{abc}$ and no otherwise.

Some applications of IBE schemes

IBE schemes imply secure signature schemes

Access control

Delegation of decryption keys

Strong-key insulated encryption

and many more... take a look at the Cryptology ePrint Archive: http://eprint.iacr.org

It is fair to say that identity/pairing based cryptography is currently the most active research area in cryptology

Drawbacks & Open Problems

dID must be sent over a secure channel

The system is inherently escrowed
  Certificate Based encryption (Gentry)
  Certificate-Less PKC (Al-Riyami & Paterson)

(Mostly) Suitable for small environments

Security reductions are inefficient

Few schemes proven secure without the ROM

The slides of this talk are available at http://www.cs.ru.nl/~dgalindo