Identity-Based Encryption from the Weil Pairing
CRYPTO 2001
Dan Boneh and Matt Franklin
Computer Science Department, Stanford University
Computer Science Department, University of California
02 August 2001
林彥賓
7 May 2020
Boneh and Franklin IBE from the Weil Pairing, 7 May 2020
Outline
Introduction
Applications For Identity-Based Encryption
Definitions
One Way Encryption Scheme (OWE)
One Way Identity-based Encryption
Properties of the Weil Pairing
Weil Diffie-Hellman Assumption (WDH)
The Proposed Scheme
MapToPoint
BasicIdent
FullIdent
Random Oracle
Fujisaki-Okamoto Transform
Extensions and Observation
Distributed PKG
Shamir secret sharing
Escrow ElGamal Encryption
Applications For Identity-Based Encryption
Revocation of Public Keys: set the ID to "bob@hotmail.com||current-date". This forces Bob to obtain a new private key every day. To revoke Bob's key, the corporate PKG is instructed to stop issuing private keys for Bob's e-mail address from the next day on.
Delegation of Decryption Keys: give each of one's assistants the private key corresponding to that assistant's responsibility. Each assistant can then decrypt messages whose subject line falls within its responsibilities, but cannot decrypt messages intended for other assistants.
One Way Encryption Scheme (OWE)
The attacker A is given:
a random public key Kpub
a ciphertext C, the encryption of a random message M under Kpub
A has advantage ϵ in attacking the system if Pr[A(Kpub, C) = M] = ϵ.
One-way encryption scheme (OWE): a scheme in which no probabilistic polynomial-time attacker has non-negligible advantage.
One Way Identity-based Encryption
Setup: the challenger takes a security parameter k and runs the Setup algorithm, which produces the system parameters params. The challenger keeps the master-key.
Phase 1: the adversary issues private key extraction queries ID1, ..., IDm. The challenger runs algorithm Extract and sends the adversary the private key di corresponding to the public key IDi.
Challenge: the challenger picks a random M and encrypts M using ID as the public key. It then sends the resulting ciphertext C to the adversary.
Phase 2: the adversary issues more extraction queries IDm+1, ..., IDn, with IDi ≠ ID.
Guess: the adversary wins by outputting a guess M' = M.
Properties Of The Weil Pairing
Let p be a prime satisfying p ≡ 2 mod 3 and p = 6q − 1 for some prime q.
Let E be the elliptic curve y² = x³ + 1 over Fp.
A few facts about this curve:
Let P ∈ E/Fp be a generator of order q = (p + 1)/6. The points it generates form the group Gq.
For any y0 ∈ Fp there is a unique point (x0, y0) on E/Fp. So for a random point (x, y) on E/Fp, y is uniform in Fp.
Let the map ϕ(x, y) = (ζx, y), where 1 ≠ ζ ∈ Fp² is a solution of x³ − 1 = 0 mod p. P ∈ E/Fp is linearly independent of ϕ(P) ∈ E/Fp².
Let μq be the subgroup of Fp² of order q = (p + 1)/6. The modified Weil pairing e : Gq × Gq → μq is e(P, Q) = weil(P, ϕ(Q)).
Weil Diffie-Hellman Assumption (WDH)
Given ⟨P, aP, bP, cP⟩ for random a, b, c ∈ Zp, where p is a random k-bit prime,
no probabilistic polynomial-time algorithm can compute e(P, P)^(abc).
The Proposed Scheme
Define the curve:
p is a prime with p ≡ 2 mod 3 and p = 6q − 1 for some prime q > 3
E is the elliptic curve y² = x³ + 1 over Fp
P is any point of E/Fp of order q
MapToPoint
Let G be a hash function G : {0, 1}* → Fp.
Algorithm MapToPoint_G:
1. Compute y0 = G(ID) and x0 = (y0² − 1)^(1/3) = (y0² − 1)^((2p − 1)/3) mod p
2. Let Q = (x0, y0) ∈ E/Fp and set QID = 6Q
Note that points in the 6-torsion subgroup give 6Q = O, so these points must be avoided.
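As an added worked example (not from the slides or the paper), the MapToPoint steps above run on the toy instance p = 29, q = 5 (p = 6q − 1 = 29 and p ≡ 2 mod 3, as the slides require), with textbook affine group arithmetic on y² = x³ + 1 and a SHA-256-based stand-in for the hash G; the instance size, the arithmetic and the stand-in hash are all assumptions of the example. It shows that the exponent (2p − 1)/3 really inverts cubing in Fp, that (x0, y0) lands on the curve, that 6-torsion inputs (here y0 = 0 and y0 = ±1) are rejected because 6Q = O, and that otherwise QID = 6Q has order q.

```python
# Added example: MapToPoint on E: y^2 = x^3 + 1 over F_29 (q = 5).  Not code from
# the slides or the paper; the tiny parameters and the SHA-256 stand-in for G are
# assumptions made for illustration only.
import hashlib

P_MOD = 29          # p = 6*q - 1 with q = 5; p mod 3 == 2 as required
Q_ORD = 5           # q = (p + 1) / 6
O = None            # the point at infinity


def cube_root(a):
    # For p = 2 (mod 3), x -> x^3 is a bijection on F_p; its inverse is exponentiation
    # by (2p - 1)/3, because 3 * (2p - 1)/3 = 2p - 1 = 1 (mod p - 1).
    return pow(a % P_MOD, (2 * P_MOD - 1) // 3, P_MOD)


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + 1)) % P_MOD == 0


def add(p1, p2):
    # Affine chord-and-tangent addition; the curve has a = 0, so the tangent slope is 3x^2 / 2y.
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                      # p2 == -p1 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    # Double-and-add scalar multiplication.
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def G(identity):
    # Constructed stand-in for the slides' hash G : {0,1}* -> F_p (not a real design choice).
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P_MOD


def map_y_to_point(y0):
    # Steps 1 and 2 of MapToPoint for a given y0 = G(ID).  Returns None when Q is in the
    # 6-torsion subgroup (6Q = O), the case the slide says must be avoided.
    x0 = cube_root(y0 * y0 - 1)
    q_pt = (x0, y0)
    assert on_curve(q_pt)             # a unique x0 exists for every y0 when p = 2 (mod 3)
    q_id = mul(6, q_pt)
    return None if q_id is O else q_id


def map_to_point(identity):
    return map_y_to_point(G(identity))


if __name__ == "__main__":
    print("cube_root(8) =", cube_root(8))                 # 2, since 2^3 = 8
    print("y0 = 1 ->", map_y_to_point(1))                 # None: (0, 1) has order 3
    print("y0 = 0 ->", map_y_to_point(0))                 # None: (28, 0) has order 2
    q_id = map_y_to_point(2)                              # (18, 2) is not 6-torsion
    print("y0 = 2 -> Q_ID =", q_id, "; q*Q_ID =", mul(Q_ORD, q_id))
```

Two things worth noticing when running it: with p = 29 the group E(F_29) has exactly 30 points, so 6Q is either O or a point of order exactly 5 = q, which is why the check `mul(Q_ORD, q_id) is None` succeeds for every accepted output; and the `None` returns are the concrete form of the slide's torsion caveat, which a real implementation has to handle (the paper's answer is that such y0 values occur with negligible probability for a large p).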
BasicIdent
Setup:
1. Pick a random s ∈ Zq* and set Ppub = sP
2. Choose a cryptographic hash function H : Fp² → {0, 1}^n, where n is the output length, and a hash function G : {0, 1}* → Fp²
The message space is M = {0, 1}^n
The ciphertext space is C = E/Fp × {0, 1}^n
The system parameters are params = (p, n, P, Ppub, G, H)
The master-key is s ∈ Zq
BasicIdent
Extract: for a given string ID ∈ {0, 1}*, build the private key dID
1. Use MapToPoint_G to map ID to a point QID ∈ E/Fp of order q
2. Set the private key dID = sQID, where s is the master-key
Encrypt:
1. Use MapToPoint_G to map ID to a point QID ∈ E/Fp of order q
2. Choose a random r ∈ Zq
3. Set C = ⟨rP, M ⊕ H(e(QID, Ppub)^r)⟩
BasicIdent
Decrypt: let C = ⟨U, V⟩ and compute V ⊕ H(e(dID, U)) = M:
M ⊕ H(e(QID, Ppub)^r) ⊕ H(e(sQID, rP))
= M ⊕ H(e(QID, Ppub)^r) ⊕ H(e(QID, sP)^r), and since sP = Ppub the two hashes cancel,
= M
Random Oracle
Basic properties:
If an input is repeated, respond with the same output as before
Respond in polynomial time
Outputs are uniform over the output space
A random oracle does not exist in the real world. However, it helps when an encryption scheme is first built; the scheme can then be developed further without it.
Fujisaki-Okamoto Transform
Definition: Fujisaki-Okamoto
Let ϵpk(M; r) be a public key encryption scheme applied to M together with random bits r
Let ϵhk be the hybrid scheme
Let G, H be two random oracles
Let σ be a random number
Fujisaki-Okamoto transform:
ϵhk_pk(M) = ϵpk(σ; H(σ, M)) || (G(σ) ⊕ M)
For a ciphertext (C, U), do the following to verify correctness:
1. Use the private key to decrypt C and obtain σ
2. Compute m = U ⊕ G(σ)
3. Verify that C = ϵpk(σ; H(σ, m))
The transform turns an OWE scheme into a chosen-ciphertext secure system (IND-CCA).
FullIdent
Setup: same as in the BasicIdent scheme. In addition, pick two hash functions:
H1 : {0, 1}^n × {0, 1}^n → Zq
G1 : {0, 1}^n → {0, 1}^n
Extract: same as in the BasicIdent scheme.
Encrypt:
1. Use MapToPoint_G to map ID to a point QID ∈ E/Fp of order q
2. Choose a random r ∈ Zq
3. Set r = H1(σ, M)
4. Set C = ⟨rP, σ ⊕ H(gID^r), M ⊕ G1(σ)⟩, where gID = e(QID, Ppub) ∈ Fp²
FullIdent
Decrypt: let C = ⟨U, V, W⟩
1. Compute V ⊕ H(e(dID, U)) = σ ⊕ H(e(QID, Ppub)^r) ⊕ H(e(sQID, rP)) = σ, using Ppub = sP
2. Compute W ⊕ G1(σ) = M ⊕ G1(σ) ⊕ G1(σ) = M
3. Test U = H1(σ, M)P. Output reject if the test fails, else output M
Shamir Secret Sharing
Split a secret into N parts. Suppose we need M (M < N) of the shares to recover the secret; this needs a polynomial of degree M − 1.
Ex:
Let the secret be 3 and M be 3. We need a polynomial of degree 3 − 1 = 2.
Let y = ax² + bx + c, where a, b are any numbers and c is the secret.
Here we set a = 2, b = 1, so the polynomial is y = 2x² + x + 3.
Any three points of this polynomial let us rebuild the polynomial and recover c = 3.
Distributed PKG
Use the master-key s ∈ Fq to generate the private key Qpriv = sQID via many distributed PKGs.
Setup:
1. Give each PKG i a share si
2. PKG i publishes its public key Ppub^(i) = siP
KeyGen (build the private key):
1. Each chosen PKG i replies with Qpriv^(i) = siQID
2. Compute Qpriv = Σ λi Qpriv^(i), where the λi are the appropriate Lagrange coefficients
Verify (check whether a PKG is honest):
e(Qpriv^(i), P) = e(QID, Ppub^(i))
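The Shamir example from the previous slide and the Lagrange combination step of the Distributed PKG, as an added example that is not from the slides or the paper. It recovers c = 3 from three points of y = 2x² + x + 3 with the Lagrange weights λi evaluated at x = 0, shows that two points of that degree-2 polynomial do not suffice, and then repeats the split and reconstruction over Zq with the same λi: because Σ λi si = s, a combiner holding partial keys si·QID obtains Σ λi (si QID) = s QID by linearity, which is exactly the KeyGen step above (the curve arithmetic itself is not repeated here). The modulus Q_TOY is an assumed demo prime, not the paper's q.

```python
# Added example: Shamir sharing and Lagrange reconstruction.  Not code from the slides
# or the paper; Q_TOY is an assumed demonstration prime (2^61 - 1), not the scheme's q.
from fractions import Fraction
import secrets

Q_TOY = (1 << 61) - 1


def eval_poly(coeffs, x, modulus=None):
    """coeffs[0] is the constant term (the secret); Horner evaluation, optionally mod q."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
        if modulus is not None:
            acc %= modulus
    return acc


def lagrange_at_zero(xs, modulus=None):
    """lambda_i = prod_{j != i} x_j / (x_j - x_i): the weights that give f(0) from f(x_i)."""
    lambdas = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num *= xj
                den *= xj - xi
        if modulus is None:
            lambdas.append(Fraction(num, den))
        else:
            lambdas.append(num * pow(den, -1, modulus) % modulus)   # den != 0 for distinct x
    return lambdas


def reconstruct(points, modulus=None):
    """f(0) = sum(lambda_i * y_i); this is the slides' Qpriv = sum(lambda_i * Qpriv^(i)) on scalars."""
    xs = [x for x, _ in points]
    total = sum(l * y for l, (_, y) in zip(lagrange_at_zero(xs, modulus), points))
    return total if modulus is None else total % modulus


def split(secret, threshold, n, modulus):
    """Shamir split over Z_q: random polynomial of degree threshold - 1 with f(0) = secret."""
    coeffs = [secret % modulus] + [secrets.randbelow(modulus) for _ in range(threshold - 1)]
    return [(x, eval_poly(coeffs, x, modulus)) for x in range(1, n + 1)]


def slides_example():
    # The slide's polynomial y = 2x^2 + x + 3, i.e. coefficients [c, b, a] = [3, 1, 2].
    # Any three points give back c = 3; here x = 1, 2, 5.
    coeffs = [3, 1, 2]
    pts = [(x, eval_poly(coeffs, x)) for x in (1, 2, 5)]
    return reconstruct(pts)


def too_few_shares_example():
    # Only two points of the degree-2 polynomial: the line through them reports a wrong constant.
    coeffs = [3, 1, 2]
    pts = [(x, eval_poly(coeffs, x)) for x in (1, 2)]
    return reconstruct(pts)


def distributed_pkg_scalar_check(threshold=3, n=5):
    # Each PKG i holds s_i = f(i).  The combiner takes any `threshold` of them, weights by
    # lambda_i, and gets s back; applied to the points s_i * Q_ID the same weights give s * Q_ID.
    s = secrets.randbelow(Q_TOY)
    shares = split(s, threshold, n, Q_TOY)
    chosen = shares[1:1 + threshold]          # PKGs 2, 3, 4 happen to be available
    return reconstruct(chosen, Q_TOY) == s


if __name__ == "__main__":
    print("three points of 2x^2 + x + 3 ->", slides_example())          # 3
    print("two points only ->", too_few_shares_example())               # -1, not the secret
    print("t-of-n reconstruction mod q agrees:", distributed_pkg_scalar_check())
```

The `Verify` pairing check on the slide is what lets the combiner drop a dishonest PKG before running `reconstruct`; with plain Shamir, one wrong share silently corrupts the sum, which the pairing equation e(Qpriv^(i), P) = e(QID, Ppub^(i)) is designed to catch.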
Escrow ElGamal Encryption
Setup:
1. Choose a large k-bit prime p such that p ≡ 2 (mod 3) and p = 6q − 1 for some prime q > 3
2. Pick a random s ∈ Zq and set Q = sP
3. Choose a cryptographic hash function G : Fp² → {0, 1}^n, where n is the output length
The message space is M = {0, 1}^n
The ciphertext space is C = E/Fp × {0, 1}^n
The system parameters are params = (p, n, P, Q)
The escrow key is s ∈ Zq
KeyGen:
1. Pick a random x ∈ Zq as the private key
2. Compute Ppub = xP
Escrow ElGamal Encryption
Encrypt:
1. Pick a random r ∈ Zq
2. Set C = ⟨rP, M ⊕ H(e(Ppub, Q)^r)⟩
Decrypt: let C = ⟨U, V⟩; then
V ⊕ H(e(U, xQ)) = M ⊕ H(e(Ppub, Q)^r) ⊕ H(e(rP, xQ)) = M, since Ppub = xP
Escrow-decrypt: using the escrow key s, compute
V ⊕ H(e(U, sPpub)) = M ⊕ H(e(Ppub, Q)^r) ⊕ H(e(rP, sPpub)) = M, since Q = sP
Escrow ElGamal Encryption
Ppub = xP
params: P, Q = sP
U = rP
The system should satisfy the Weil Diffie-Hellman Assumption (WDH).