Transcript of Security of Systems Department of Computer Science Radboud
Identity based cryptography: the case of encryption schemes
David Galindo
Security of Systems
Department of Computer Science
Radboud Universiteit Nijmegen
Identity based cryptography – p. 1/25
Outline
Motivation
Definitions: Identity Based Encryption (IBE); secure IBEs; bilinear maps and problems
Schemes: 2001 Boneh & Franklin scheme (ROM); 2004 Waters scheme (standard model)
Future research
Motivation: PKI
To use Public Key Cryptography we need to bind identities and keys.
Public Key Infrastructures
A Certification Authority (CA) issues certificates:
U user's identity
PK public key
D1 issue date
D2 expiration date
$\mathrm{Certificate}(U, PK) = \mathrm{Sig}_{CA}(U, PK, D_1, D_2)$
Certificate Revocation Problem
Motivation: PKI (ii)
Before performing the cryptographic operation involving the public key, we must validate Certificate(U, PK).
Easy for signature schemes. User U sends the certificate along with its signature on a message m:
$(\mathrm{Certificate}(U, PK),\ \mathrm{Sig}_{PK}(m),\ m)$
Difficult for encryption schemes. Before sending a message m to user U, we should know whether U is in possession of a valid certificate.
We would like to perform the public operation without extra communication.
Identity Based Encryption (IBE)
Main idea: the public key is an identity $ID \in \{0,1\}^*$.
A Key Generation Center (KGC) issues private keys for ID.
An IBE scheme consists of 4 algorithms:
Setup Takes a security parameter ℓ and outputs system parameters params and master-key.
Encrypt Takes as inputs params, $ID \in \{0,1\}^*$ and a message M, and outputs a ciphertext C.
ExtractPrivateKey Takes as inputs params, master-key and $ID \in \{0,1\}^*$, and outputs a private decryption key $d_{ID}$.
Decrypt Takes as inputs params, the private key $d_{ID}$ and a ciphertext C, and outputs a message M.
The certificate revocation problem can be "avoided" by using $ID = \text{email-address} \,\|\, \text{year} \,\|\, \text{month} \,\|\, \text{day}$: the sender encrypts to the identity carrying the current date, so a user needs a fresh $d_{ID}$ from the KGC every day, and revoking a user simply means the KGC stops issuing keys.
Security notions for IBE schemes
IND-ID-CPA security for an IBE scheme $\mathcal{E}$
Initialization The challenger runs Setup, gives the adversary A the description of $\mathcal{E}$ and params, and keeps master-key secret.
Phase 1 A issues adaptive queries of the type
Extraction query $\langle ID_i \rangle$, answered with $d_{ID_i}$.
Challenge A outputs two equal-length messages $M_0, M_1$ and an identity $ID_{ch}$ on which it wishes to be challenged; $ID_{ch}$ must not have appeared in a Phase 1 extraction query. The challenger picks $b \leftarrow \{0,1\}$ at random and sets $C = \mathrm{Encrypt}(\mathit{params}, ID_{ch}, M_b)$.
Phase 2 As in Phase 1, except that A may not submit an extraction query for $ID_{ch}$.
Guess A outputs a bit $b'$ and wins if $b' = b$.
Security notions for IBE schemes
IND-ID-CCA security for an IBE scheme $\mathcal{E}$
Initialization The challenger runs Setup, gives the adversary A the description of $\mathcal{E}$ and params, and keeps master-key secret.
Phase 1 A issues adaptive queries of the type
Extraction query $\langle ID_i \rangle$, answered with $d_{ID_i}$.
Decryption query $\langle ID_i, C_i \rangle$, answered with $\mathrm{Decrypt}(\mathit{params}, d_{ID_i}, C_i)$.
Challenge A outputs two equal-length messages $M_0, M_1$ and an identity $ID_{ch}$ on which it wishes to be challenged; $ID_{ch}$ must not have appeared in a Phase 1 extraction query. The challenger picks $b \leftarrow \{0,1\}$ at random and sets $C = \mathrm{Encrypt}(\mathit{params}, ID_{ch}, M_b)$.
Phase 2 As in Phase 1, except that A may neither submit an extraction query for $ID_{ch}$ nor the decryption query $\langle ID_{ch}, C \rangle$.
Guess A outputs a bit $b'$ and wins if $b' = b$.
Bilinear maps and bilinear groups
Let $G$, $G_T$ be abelian groups of prime order $p$ in which the discrete logarithm problem is believed to be hard; $G$ is written additively and $G_T$ multiplicatively.
By a bilinear map we will refer to a non-degenerate bilinear function $\hat t : G \times G \to G_T$, i.e. $\hat t(aP, bQ) = \hat t(P, Q)^{ab}$ for all $P, Q \in G$ and $a, b \in \mathbb{Z}_p$, with $\hat t(P, P) \neq 1$ for a generator $P$.
Computational Diffie-Hellman problem on G: given $P, aP, bP \in G$ as input, compute $abP \in G$, where $a, b \leftarrow \mathbb{Z}_p^*$.
Decisional Diffie-Hellman problem on G: given $P, aP, bP, cP \in G$ as input, output yes if $c = ab$ and no otherwise, where $a, b, c \leftarrow \mathbb{Z}_p^*$.
With a bilinear map, DDH on G is easy: $(P, aP, bP, cP)$ is a DH tuple iff $\hat t(aP, bP) = \hat t(P, cP)$, since $\hat t(aP, bP) = \hat t(P, P)^{ab}$ and $\hat t(P, cP) = \hat t(P, P)^{c}$.
BDH problems
Bilinear Diffie-Hellman (BDH) problem on G: given $P, aP, bP, cP \in G$ as input, compute $W = \hat t(P, P)^{abc} \in G_T$.
Decision Bilinear Diffie-Hellman (DBDH) problem on G: given $P, aP, bP, cP \in G$ and $T \in G_T$ as input, output yes if $T = \hat t(P, P)^{abc}$ and no otherwise.
Boneh-Franklin identity based encryption scheme
Basic scheme
An IND-ID-CPA secure scheme, BasicIdent, is defined first.
Setup.
Choose a generator $P \leftarrow G^*$, $s \leftarrow \mathbb{Z}_p^*$ and set $P_{pub} = sP \in G^*$.
Choose hash functions $H_1 : \{0,1\}^* \to G^*$ and $H_2 : G_T \to \{0,1\}^n$.
Set $\mathcal{M} = \{0,1\}^n$ and $\mathcal{C} = G^* \times \{0,1\}^n$.
$\mathit{params} = \langle p, G, G_T, \hat t, P, P_{pub}, H_1, H_2 \rangle$.
The master-key is $s \in \mathbb{Z}_p^*$.
Basic scheme
Extract.
Given $ID \in \{0,1\}^*$, compute $Q_{ID} = H_1(ID) \in G^*$.
Set $d_{ID} = sQ_{ID} \in G^*$.
Encrypt. To encrypt $M \in \{0,1\}^n$ under the public key ID:
Compute $Q_{ID} = H_1(ID) \in G^*$.
Choose $r \leftarrow \mathbb{Z}_p^*$.
Set $C = \langle rP,\ M \oplus H_2(g_{ID}^{\,r}) \rangle$ where $g_{ID} = \hat t(P_{pub}, Q_{ID}) \in G_T$.
Decrypt. Given $C = \langle U, V \rangle \in \mathcal{C}$:
Compute $V \oplus H_2(\hat t(U, d_{ID})) = M$.
This works because $\hat t(U, d_{ID}) = \hat t(rP, sQ_{ID}) = \hat t(P, Q_{ID})^{sr} = \hat t(P_{pub}, Q_{ID})^{r} = g_{ID}^{\,r}$.
Full scheme
FullIdent is obtained by applying the Fujisaki-Okamoto conversion (Crypto'99) to BasicIdent.
FO conversion: if we denote by $E_{pk}(M, r)$ the encryption of M using randomness r under public key pk, the converted scheme is
$E^{hy}_{pk}(M) = \langle E_{pk}(\sigma, H_3(\sigma, M)),\ H_4(\sigma) \oplus M \rangle$, where $\sigma \leftarrow \{0,1\}^n$.
This adds n bits to the resulting ciphertext.
Full scheme (ii)
Setup.
Choose $P \leftarrow G^*$, $s \leftarrow \mathbb{Z}_p^*$ and set $P_{pub} = sP \in G^*$.
Choose $H_1 : \{0,1\}^* \to G^*$, $H_2 : G_T \to \{0,1\}^n$, $H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$ and $H_4 : \{0,1\}^n \to \{0,1\}^n$.
Set $\mathcal{M} = \{0,1\}^n$ and $\mathcal{C} = G^* \times \{0,1\}^n \times \{0,1\}^n$.
$\mathit{params} = \langle p, G, G_T, \hat t, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$.
The master-key is $s \in \mathbb{Z}_p^*$.
Full scheme (iii)
Extract.
Just as before, $d_{ID} = sH_1(ID) \in G^*$.
Encrypt. To encrypt $M \in \{0,1\}^n$ under the public key ID:
Compute $Q_{ID} = H_1(ID) \in G^*$.
Choose $\sigma \leftarrow \{0,1\}^n$ and set $r = H_3(\sigma, M)$.
Set $C = \langle rP,\ \sigma \oplus H_2(g_{ID}^{\,r}),\ M \oplus H_4(\sigma) \rangle$ where $g_{ID} = \hat t(P_{pub}, Q_{ID}) \in G_T$.
Decrypt. Given $C = \langle U, V, W \rangle \in \mathcal{C}$:
Compute $V \oplus H_2(\hat t(U, d_{ID})) = \sigma$ and $W \oplus H_4(\sigma) = M$.
Set $r = H_3(\sigma, M)$. Check that $U = rP$; if not, reject.
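The following Python is an added example, not code from the slides or from the Boneh-Franklin paper. It runs BasicIdent, the FO-converted FullIdent, and the pairing-based DDH check from the bilinear-maps slide end to end. It assumes a toy bilinear group: G is $\mathbb{Z}_p$ written additively with generator P = 1, $G_T$ is the order-p subgroup of $\mathbb{Z}_q^*$ with q = 2^127 - 1 and p = 649657 (a prime factor of q - 1), and $\hat t(A, B) = g^{AB}$. That map is bilinear and non-degenerate, so every identity the slides rely on holds, but discrete logarithms in G are trivial, so the code demonstrates the algorithms and their consistency checks, not their security. The hash functions H1 to H4 are built from SHA-256, and the identities and message are constructed inputs.

```python
# Added example (not from the slides): Boneh-Franklin BasicIdent and FullIdent
# over a MODEL bilinear group.  G = Z_p written additively with generator P = 1,
# GT = the order-p subgroup of Z_q^*, and t(A, B) = g^(A*B).  The map is
# bilinear and non-degenerate, so the scheme's algebra can be checked end to
# end, but discrete logs in G are trivial (A = A*P), so it gives NO security.
import hashlib
import secrets

q = 2**127 - 1          # prime (Mersenne M127); GT is a subgroup of Z_q^*
p = 649657              # prime factor of q-1 (2^63-1 = 7^2*73*127*337*92737*649657)
g = next(h for h in (pow(b, (q - 1) // p, q) for b in (3, 5, 7, 11)) if h != 1)
assert pow(g, p, q) == 1            # g generates the order-p subgroup GT
P = 1                               # generator of the toy G = Z_p
n = 16                              # message length in bytes ({0,1}^n, n = 128 bits)

def pair(A, B):
    """Model pairing t(A, B) = g^{A*B}, so t(aP, bP) = t(P, P)^{ab}."""
    return pow(g, (A * B) % p, q)

def is_dh_tuple(aP, bP, cP):
    """DDH is easy in G: (P, aP, bP, cP) is a DH tuple iff t(aP, bP) = t(P, cP)."""
    return pair(aP, bP) == pair(P, cP)

def _sha(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
    return h.digest()

def H1(ID):        # {0,1}* -> G*  (a non-zero element of Z_p)
    return int.from_bytes(_sha(b"H1", ID), "big") % (p - 1) + 1

def H2(gt):        # GT -> {0,1}^n
    return _sha(b"H2", gt)[:n]

def H3(sigma, M):  # {0,1}^n x {0,1}^n -> Z_p^*
    return int.from_bytes(_sha(b"H3", sigma, M), "big") % (p - 1) + 1

def H4(sigma):     # {0,1}^n -> {0,1}^n
    return _sha(b"H4", sigma)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """Returns (Ppub, master-key) with master-key s in Z_p^* and Ppub = sP."""
    s = secrets.randbelow(p - 1) + 1
    return (s * P) % p, s

def extract(s, ID):
    """d_ID = s * Q_ID with Q_ID = H1(ID)."""
    return (s * H1(ID)) % p

# BasicIdent (IND-ID-CPA): C = <rP, M xor H2(g_ID^r)> with g_ID = t(Ppub, Q_ID)
def basic_encrypt(Ppub, ID, M, r=None):
    r = r if r is not None else secrets.randbelow(p - 1) + 1
    g_ID = pair(Ppub, H1(ID))
    return (r * P) % p, xor(M, H2(pow(g_ID, r, q)))

def basic_decrypt(d_ID, C):
    U, V = C
    return xor(V, H2(pair(U, d_ID)))   # t(rP, sQ_ID) = t(Ppub, Q_ID)^r = g_ID^r

# FullIdent = Fujisaki-Okamoto conversion of BasicIdent (IND-ID-CCA in the ROM)
def full_encrypt(Ppub, ID, M):
    sigma = secrets.token_bytes(n)
    r = H3(sigma, M)                           # randomness is derived, not chosen
    U, V = basic_encrypt(Ppub, ID, sigma, r)   # BasicIdent encrypts sigma, not M
    return U, V, xor(M, H4(sigma))

def full_decrypt(d_ID, C):
    U, V, W = C
    sigma = basic_decrypt(d_ID, (U, V))
    M = xor(W, H4(sigma))
    if (H3(sigma, M) * P) % p != U:            # re-encryption check: U must equal rP
        return None                            # reject malformed or tampered ciphertexts
    return M

def demo():
    """Round trip, then two ciphertexts FullIdent must reject (constructed inputs)."""
    Ppub, s = setup()
    ID = b"alice@example.org||2004||10||05"    # identity with a validity period baked in
    M = b"attack at dawn!!"                    # exactly n = 16 bytes
    d_ID = extract(s, ID)
    C = full_encrypt(Ppub, ID, M)
    U, V, W = C
    flipped = (U, V, xor(W, b"\x01" + b"\x00" * (n - 1)))   # one bit of W flipped
    return (full_decrypt(d_ID, C),
            full_decrypt(d_ID, flipped),
            full_decrypt(extract(s, b"bob@example.org"), C))

if __name__ == "__main__":
    print(demo())
```

Running the module prints the tuple returned by demo(): the recovered plaintext, then None twice, because FullIdent's check $U = H_3(\sigma, M)P$ fails both for a ciphertext whose W component was tampered with and for decryption under another identity's key. BasicIdent has no such check: flipping a bit of V flips the same bit of the recovered M, which is the malleability the FO conversion is there to remove.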
Security result
Theorem Let A be an IND-ID-CCA adversary running in time t with advantage ε against FullIdent, making at most $q_E$ private key extraction queries, $q_D$ decryption queries and $q_H$ hash queries. Then there is an algorithm B running in time roughly t that has advantage at least $\varepsilon / (q_H^2\, q_D)$ against the BDH problem in G.
Bilinear Diffie-Hellman (BDH) problem on G: given $P, aP, bP, cP \in G$ as input, compute $W = \hat t(P, P)^{abc} \in G_T$.
Waters IBE scheme in the standard model
Waters scheme
Setup.
Let P be a generator of G. Choose $s \leftarrow \mathbb{Z}_p^*$.
Choose $P_2 \leftarrow G$ and set $P_1 = sP \in G^*$.
Choose $Q' \leftarrow G^*$ and a random n-length vector $U = (Q_i)$ with $Q_i \leftarrow G^*$.
Set $\mathcal{M} = G_T$, $\mathcal{C} = G_T \times G^* \times G^*$ and $\mathcal{ID} = \{0,1\}^n$.
$\mathit{params} = \langle p, G, G_T, \hat t, P, P_1, P_2, Q', U \rangle$.
The master-key is $sP_2$.
Waters scheme (ii)
Extract.
Let $ID_i$ denote the i-th bit of ID and $V \subseteq \{1, \ldots, n\}$ the set of i such that $ID_i = 1$. (In the formulas below the group operation in G is written multiplicatively, so $Q' \prod_{i \in V} Q_i$ is the sum of $Q'$ and the $Q_i$ with $i \in V$.)
Choose $r \leftarrow \mathbb{Z}_p^*$.
$$d_{ID} = \Big( sP_2 \cdot \big(Q' \prod_{i \in V} Q_i\big)^r,\ rP \Big)$$
Encrypt. To encrypt $M \in G_T$ under the public key ID:
Choose $x \leftarrow \mathbb{Z}_p^*$.
$$C = \Big( \hat t(P_1, P_2)^x \cdot M,\ xP,\ \big(Q' \prod_{i \in V} Q_i\big)^x \Big)$$
Waters scheme (iii)
Decryption. Let $C = (C_1, C_2, C_3)$ be a valid encryption under ID. Decrypt C using $d_{ID} = (d_1, d_2)$ as
$$M = C_1 \cdot \frac{\hat t(d_2, C_3)}{\hat t(d_1, C_2)}.$$
Let $d_{ID} = \big( sP_2 (Q' \prod_{i \in V} Q_i)^r,\ rP \big)$ and $C = \big( \hat t(P_1, P_2)^x M,\ xP,\ (Q' \prod_{i \in V} Q_i)^x \big)$, then
$$C_1 \frac{\hat t(d_2, C_3)}{\hat t(d_1, C_2)}
= \big(\hat t(P_1, P_2)^x M\big) \frac{\hat t\big(rP, (Q' \prod_{i \in V} Q_i)^x\big)}{\hat t\big(sP_2 (Q' \prod_{i \in V} Q_i)^r, xP\big)}
= \big(\hat t(P_1, P_2)^x M\big) \frac{\hat t\big(P, Q' \prod_{i \in V} Q_i\big)^{rx}}{\hat t(P_1, P_2)^x \cdot \hat t\big(Q' \prod_{i \in V} Q_i, P\big)^{rx}}
= M.$$
The denominator uses bilinearity and $\hat t(sP_2, xP) = \hat t(sP, P_2)^x = \hat t(P_1, P_2)^x$ (the pairing is symmetric).
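An added example of the Waters scheme in Python, not code from the slides or from Waters' paper. It assumes a toy bilinear group: G is $\mathbb{Z}_p$ written additively with generator P = 1, $G_T$ is the order-p subgroup of $\mathbb{Z}_q^*$ with q = 2^127 - 1 and p = 649657 (a prime factor of q - 1), and $\hat t(A, B) = g^{AB}$. The map is bilinear and non-degenerate, so the decryption identity above can be checked, but discrete logarithms in G are trivial, so this verifies the algebra and nothing about security. The n-bit identity $ID \in \{0,1\}^n$ is obtained from an arbitrary string by truncating SHA-256; that mapping is an assumption of this example (the scheme itself needs no random oracle, only a collision-resistant encoding of identities). Identities and the message are constructed.

```python
# Added example (not from the slides): Waters IBE over a MODEL bilinear group.
# G = Z_p written additively with P = 1, GT = order-p subgroup of Z_q^*,
# t(A, B) = g^(A*B).  Bilinear and non-degenerate, but insecure by construction
# (discrete logs in G are trivial); it only checks the algebra of the scheme.
import hashlib
import secrets

q = 2**127 - 1            # prime (Mersenne M127)
p = 649657                # prime factor of q-1 (2^63-1 = 7^2*73*127*337*92737*649657)
g = next(h for h in (pow(b, (q - 1) // p, q) for b in (3, 5, 7, 11)) if h != 1)
P = 1                     # generator of the toy G = Z_p
n = 64                    # identity bit length, ID in {0,1}^n

def pair(A, B):
    """Model pairing t(A, B) = g^{A*B}."""
    return pow(g, (A * B) % p, q)

def rand_Zp_star():
    return secrets.randbelow(p - 1) + 1

def setup():
    """params = (P1, P2, Q', U) with U = (Q_1..Q_n); master-key = sP2."""
    s, P2, Qp = rand_Zp_star(), rand_Zp_star(), rand_Zp_star()
    P1 = (s * P) % p
    U = [rand_Zp_star() for _ in range(n)]
    return (P1, P2, Qp, U), (s * P2) % p

def id_bits(identity):
    """ID in {0,1}^n: the first n bits of SHA-256(identity) (assumption of this example)."""
    d = hashlib.sha256(identity).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def waters_hash(params, identity):
    """Q' * prod_{i in V} Q_i with V = {i : ID_i = 1}; additively: Q' + sum of Q_i."""
    _, _, Qp, U = params
    return (Qp + sum(Qi for Qi, bit in zip(U, id_bits(identity)) if bit)) % p

def extract(params, master_key, identity):
    """d_ID = (sP2 * F(ID)^r, rP) for fresh r; additively: (sP2 + r*F(ID), rP)."""
    r = rand_Zp_star()
    return (master_key + r * waters_hash(params, identity)) % p, (r * P) % p

def encrypt(params, identity, M):
    """M is an element of GT.  C = (t(P1,P2)^x * M, xP, F(ID)^x)."""
    P1, P2, _, _ = params
    x = rand_Zp_star()
    C1 = pow(pair(P1, P2), x, q) * M % q
    return C1, (x * P) % p, (x * waters_hash(params, identity)) % p

def decrypt(d_ID, C):
    """M = C1 * t(d2, C3) / t(d1, C2)."""
    d1, d2 = d_ID
    C1, C2, C3 = C
    return C1 * pair(d2, C3) * pow(pair(d1, C2), -1, q) % q

def demo():
    """Correctness for two independently extracted keys of one identity, and
    failure under another identity's key (constructed identities)."""
    params, master_key = setup()
    M = pow(g, secrets.randbelow(p), q)              # a random message in GT
    alice, bob = b"alice@example.org", b"bob@example.org"
    C = encrypt(params, alice, M)
    d_alice_1 = extract(params, master_key, alice)   # Extract is randomised:
    d_alice_2 = extract(params, master_key, alice)   # two different keys for one ID
    return (decrypt(d_alice_1, C) == M,
            decrypt(d_alice_2, C) == M,
            decrypt(extract(params, master_key, bob), C) == M)

if __name__ == "__main__":
    print(demo())
```

Running the module prints (True, True, False). The two keys for the same identity differ because Extract draws a fresh r, yet both decrypt, which is exactly the cancellation $\hat t(d_2, C_3)/\hat t(d_1, C_2) = \hat t(P_1, P_2)^{-x}$ worked out on the slide; a key for a different identity leaves a factor $\hat t(P, F(ID) - F(ID'))^{rx}$ in place and the result is not M.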
Security result
Theorem Let A be an IND-ID-CPA adversary running in time t with advantage ε, making at most $q_E$ private key extraction queries. Then there is an algorithm B running in time roughly $t + O(q_E\, n\, \varepsilon^{-2} \ln(\varepsilon^{-1}) \ln(q_E n))$ that has advantage at least $\varepsilon / (32\, n\, q_E)$ against the DBDH problem in G.
Decision Bilinear Diffie-Hellman (DBDH) problem on G: given $P, aP, bP, cP \in G$ and $T \in G_T$ as input, output yes if $T = \hat t(P, P)^{abc}$ and no otherwise.
Some applications of IBE schemes
IBE schemes imply secure signature schemes
Access control
Delegation of decryption keys
Strong key-insulated encryption
and many more: take a look at the Cryptology ePrint Archive, http://eprint.iacr.org
It is fair to say that identity/pairing based cryptography is currently the most active research area in cryptology.
Drawbacks & Open Problems
$d_{ID}$ must be sent over a secure channel
The system is inherently escrowed: the KGC can derive every user's private key. Alternatives: Certificate Based Encryption (Gentry), Certificate-Less PKC (Al-Riyami & Paterson)
(Mostly) suitable for small environments
Security reductions are inefficient
Few schemes proven secure without the ROM
The slides of this talk are available at http://www.cs.ru.nl/~dgalindo