Identity based and CCA-secure encryption
By Ilia Lotosh
Based on [BF'03], [BCHK'07]
2
Agenda
Definition of ID-based encryption
Possible applications
CCA-secure encryption based on IBE
Boneh-Franklin construction
Possible implementations of BF constructions
Boneh-Franklin IBE scheme
3
Definition of ID-based encryption
Problems with this approach:
There is a need for a central certificate authority that provides the public key associated with Bob.
Alice needs a way to validate Bob's certificate to make sure the message is being sent to Bob.
The system is tightly coupled: messages can be sent only after Bob registers his public key, and Alice has to know about this before sending the message.
Standard Public-Key Encryption
Alice
Certificate-Authority
Bob
Send message encrypted with Bob's public key
4
Definition of ID-based encryption
Messages can be encoded with any public key.
There is a central authority (the PKG) that generates private keys for public keys.
Sender's and receiver's actions are independent and can be done in any order.
Authorization against the PKG is done as with a regular CA.
Alice    Bob
PKG
Identity-based encryption, proposed by Shamir in '84:
Message encoded with an arbitrary string as the public key.
5
Formal definition
An IBE scheme consists of 4 randomized algorithms:
Setup: Takes a security parameter $k$ and returns mpk and msk. The parameters include a description of a finite message space $M$ and a description of a finite ciphertext space $C$.
Extract: Takes as input mpk, msk and an arbitrary $ID \in \{0,1\}^*$ and returns a private key $SK_{ID}$. Here $ID$ is an arbitrary string that will be used as a public key and $SK_{ID}$ is the corresponding private decryption key.
Encrypt: Takes as input mpk, $ID$ and $m \in M$. It returns a ciphertext $c \in C$.
Decrypt: Takes as input mpk, $c \in C$ and a private key $SK_{ID}$. It returns $m \in M$.
These algorithms must satisfy the standard consistency constraint, namely: when $SK_{ID}$ is the private key generated by algorithm Extract when it is given $ID$ as the public key, then
$\mathrm{Decrypt}(mpk, c, SK_{ID}) = m$ where $c = \mathrm{Encrypt}(mpk, ID, m)$, for all $m \in M$.
6
Security notions: IND-ID-CPA
An IBE scheme is semantically secure against an adaptive chosen plaintext attack if no poly-bounded adversary A has non-negligible advantage against the Challenger in the following IND-ID-CPA game:
Setup: The challenger takes a security parameter $k$ and runs the Setup algorithm. It gives the adversary the resulting mpk. It keeps the msk for itself.
Phase 1: The adversary issues queries $q_1, q_2, \ldots, q_m$ where $q_i$ is an extraction query:
• Extraction query $\langle ID_i \rangle$: The challenger responds with the private key $d_i$ corresponding to the public key $\langle ID_i \rangle$.
Challenge: The adversary outputs two equal length messages $m_0, m_1 \in M$ and an identity $ID$ that did not appear in any extraction query. The challenger picks a random $b \in \{0,1\}$ and sets $C = \mathrm{Encrypt}(params, ID, m_b)$. It sends $C$ as a challenge to the adversary.
Phase 2: The adversary issues more queries as in phase 1 (but not about the challenge).
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
7
Security notions: selective IBE
An even weaker security notion is obtained if we require the adversary to choose the ID he wants to compromise before seeing the public system parameters generated by the challenger. The selective IBE IND-ID-CPA game is the following:
ID Selection: The adversary chooses an identity $ID$ and passes it to the challenger.
Setup: The challenger takes a security parameter $k$ and runs the Setup algorithm. It gives the adversary the resulting params. It keeps the master key for itself.
Phase 1: The adversary issues queries $q_1, q_2, \ldots, q_m$ where $q_i$ is an extraction query (not on $ID$):
• Extraction query $\langle ID_i \rangle$: The challenger responds with the private key $d_i$ corresponding to the public key $\langle ID_i \rangle$.
Challenge: The adversary outputs two equal length messages $m_0, m_1 \in M$. The challenger picks a random $b \in \{0,1\}$ and sets $C = \mathrm{Encrypt}(params, ID, m_b)$. It sends $C$ as a challenge to the adversary.
Phase 2: The adversary issues more queries as in phase 1 (but not about the challenge).
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
8
A little bit of history
1984: Scheme definition by Shamir
2001: IBE in the random-oracle model using the Weil pairing, by Boneh-Franklin; IBE using factoring, by Cocks
2005: IBE in the standard model using bilinear maps, by Waters
9
Possible applications
First and trivial: to overcome the PKE scheme problems we've discussed.
10
Possible applications
In addition, the ability to use an arbitrary string as a public key allows the following usages:
Revocation of public keys: keys of the form bob@company.com || year. There is a corporate PKG which will give Bob a private key valid for a year.
Managing user credentials: keys of the form bob@company.com || year || clearance. Bob will be able to read messages only if he has the appropriate clearance on the specified date.
Delegation to a laptop: Bob knows the private master key and creates temporary private keys to be used on his laptop during vacation.
Delegation of duties: Suppose Bob has several assistants for different subjects; then he can create a different private key for each subject, and having the master key will allow him to read all the mail.
11
Possible applications
Finally, identity-based encryption can be used to construct CCA2-secure encryption. We will see such a construction now.
12
Recall: CCA2 security
CCA2 (adaptive chosen ciphertext attack) security means that there is no poly-time adversary A that can win the IND-CCA game with probability non-negligibly greater than half. The IND-CCA game is defined as follows:
Setup: The challenger takes a security parameter $k$ and runs the GEN algorithm. It gives the adversary the resulting public key. It keeps the private key for itself.
Phase 1: The adversary issues queries $q_1, q_2, \ldots, q_m$ where $q_i$ is a decryption query:
• Decryption query $\langle C_i \rangle$: The challenger responds by decrypting $C_i$ using the private key. It sends the resulting plaintext to the adversary.
Challenge: The adversary outputs two equal length messages $m_0, m_1 \in M$ that did not appear in any decryption query. The challenger picks a random $b \in \{0,1\}$ and sets $C = \mathrm{Encrypt}(public\text{-}key, m_b)$. It sends $C$ as a challenge to the adversary.
Phase 2: The adversary issues more queries as in phase 1 (but not about the challenge).
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
13
Constructing a CCA-secure scheme
We will now construct a public-key encryption scheme that is based on:
• an IBE scheme which is selective-ID secure against chosen-plaintext attacks;
• a one-time signature which is strongly unforgeable (which means that an adversary should not be able to forge a new signature even on a previously-signed message). Example of such a scheme: the Lamport scheme.
Lamport scheme
Let $f$ be a one-way function. Then to sign a message of $n$ bits do:
The signing key is $2n$ random elements in the domain of $f$: $X = (x_{10}, x_{11}, x_{20}, x_{21}, \ldots, x_{n0}, x_{n1})$.
The public verification key $Y = (y_{10}, y_{11}, y_{20}, y_{21}, \ldots, y_{n0}, y_{n1})$ is the images of $X$ under $f$, where $y_{ij} = f(x_{ij})$.
To sign a message $m = m_1 m_2 \ldots m_n$ output the values $(x_{1 m_1}, x_{2 m_2}, \ldots, x_{n m_n})$.
To verify a signature $(x_{1 m_1}, \ldots, x_{n m_n})$ on message $m$ with public key $Y$, verify that for each $i$: $y_{i m_i} = f(x_{i m_i})$.
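The Lamport scheme above, as an added example (not code from the slides): SHA-256 plays the one-way function $f$, and arbitrary-length messages are first hashed to $n = 256$ bits (hash-then-sign is an assumption of this example). The stateful wrapper refuses a second signature, since reusing the key reveals further preimages.

```python
import hashlib
import secrets

# Added example: Lamport one-time signatures with SHA-256 as the one-way
# function f. Assumption: the n-bit message of the slide is the SHA-256
# digest of the input, so N = 256 and the signing key holds 2N preimages.
N = 256


def f(x: bytes) -> bytes:
    """The one-way function f: here SHA-256."""
    return hashlib.sha256(x).digest()


def message_bits(msg: bytes) -> list:
    """Digest the message and return its N bits m_1 ... m_N (MSB first)."""
    digest = hashlib.sha256(msg).digest()
    return [(byte >> (7 - k)) & 1 for byte in digest for k in range(8)]


def lamport_keygen():
    """Signing key X: N pairs (x_i0, x_i1); verification key Y: (f(x_i0), f(x_i1))."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    vk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, vk


def lamport_sign(sk, msg: bytes) -> list:
    """Reveal x_{i,m_i} for every bit m_i of the (hashed) message."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def lamport_verify(vk, msg: bytes, sig) -> bool:
    """Check y_{i,m_i} == f(x_{i,m_i}) for every bit position i."""
    bits = message_bits(msg)
    if len(sig) != N:
        return False
    return all(vk[i][bits[i]] == f(sig[i]) for i in range(N))


class OneTimeSigner:
    """Stateful wrapper enforcing the one-time property: a second signature
    under the same key would reveal more preimages, so it is refused."""

    def __init__(self):
        self.sk, self.vk = lamport_keygen()
        self.used = False

    def sign(self, msg: bytes) -> list:
        if self.used:
            raise RuntimeError("Lamport key already used; generate a fresh key")
        self.used = True
        return lamport_sign(self.sk, msg)
```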
14
Constructing a CCA-secure scheme
The construction is by Canetti, Halevi and Katz and goes as follows.
Let $\Pi = (\mathrm{Setup}, \mathrm{Extract}, \mathrm{Encode}, \mathrm{Decode})$ be an IBE scheme and $\mathrm{Sig} = (G, \mathrm{Sign}, \mathrm{Verify})$ be a one-time signature scheme. Our public-key encryption scheme $\Pi' = (\mathrm{Gen}, \mathrm{Encode}, \mathrm{Decode})$ will work as follows:
Gen: on input $1^k$, runs $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$. The public key is $PK$ and the secret key is $msk$.
Encryption: To encrypt message $m$ using public key $PK$, the sender first runs $G(1^k)$ to obtain verification key $vk$ and signing key $sk$. The sender then computes $c \leftarrow \mathrm{Encode}_{PK}(vk, m)$ (i.e. the sender uses $vk$ as an identity) and $\sigma \leftarrow \mathrm{Sign}_{sk}(c)$. The final ciphertext is $(vk, c, \sigma)$.
Decryption: To decrypt ciphertext $(vk, c, \sigma)$ using secret key $msk$, the receiver first checks whether $\mathrm{Verify}_{vk}(c, \sigma) = 1$. If not, the receiver simply outputs $\bot$. Otherwise the receiver computes $SK_{vk} \leftarrow \mathrm{Extract}_{msk}(vk)$ and outputs $m \leftarrow \mathrm{Decode}_{SK_{vk}}(vk, c)$.
It is clear that this scheme is indeed a correct public-key encryption scheme.
15
Proof of CCA2-security
Intuition for the proof (informal): Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. It is clear that without any decryption oracle queries the plaintext corresponding to the ciphertext remains hidden from the adversary; this is so because $c^*$ is output by $\Pi$, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\bot$, since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \ne vk^*$ then the decryption query will not help the adversary, since the eventual decryption using Decrypt will be done with respect to a different identity $vk \ne vk^*$.
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary $A$ attacking $\Pi'$ in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $\mathrm{Verify}_{vk}(c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game, and let Forge denote the event that $A$ submits a valid ciphertext $(vk^*, c, \sigma)$. We prove the following claims:
Claim 1: $\Pr^{PKE}_A[\mathrm{Forge}]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_A[\mathrm{Success} \wedge \neg\mathrm{Forge}] - \tfrac{1}{2}\Pr^{PKE}_A[\neg\mathrm{Forge}]\right|$ is negligible.
Now from these two claims we get
$$\left|\Pr^{PKE}_A[\mathrm{Success}] - \tfrac{1}{2}\right| \le \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \mathrm{Forge}] - \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}]\right| + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \neg\mathrm{Forge}] - \tfrac{1}{2}\Pr^{PKE}_A[\neg\mathrm{Forge}]\right|$$
$$\le \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \neg\mathrm{Forge}] - \tfrac{1}{2}\Pr^{PKE}_A[\neg\mathrm{Forge}]\right|$$
which is negligible given the stated claims.
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr^{PKE}_A[\mathrm{Forge}]$. Security of Sig implies the claim.
$F$ is defined as follows: given input $1^k$ and verification key $vk^*$, $F$ first runs $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption queries of $A$. If $A$ happens to submit a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, forger $F$ proceeds as follows: $F$ chooses a random bit $b$, computes $c^* \leftarrow \mathrm{Encrypt}_{PK}(vk^*, m_b)$ and obtains from its signing oracle a signature $\sigma^*$ on the message $c^*$. Finally $F$ hands $(vk^*, c^*, \sigma^*)$ to $A$.
If $A$ submits a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle, note that we must have $(c, \sigma) \ne (c^*, \sigma^*)$. In this case $F$ simply outputs $(c, \sigma)$ as its forgery. It is easy to see that $F$'s success probability is exactly $\Pr^{PKE}_A[\mathrm{Forge}]$.
18
Proof of CCA2-security
Proof of claim 2
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme $\Pi$ in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $\mathrm{Decode}(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
(a) If $vk = vk^*$ then $A'$ checks whether $\mathrm{Verify}_{vk}(c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\bot$.
(b) If $vk \ne vk^*$ and $\mathrm{Verify}_{vk}(c, \sigma) = 0$ then $A'$ responds with $\bot$.
(c) If $vk \ne vk^*$ and $\mathrm{Verify}_{vk}(c, \sigma) = 1$ then $A'$ makes the oracle query $\mathrm{Extract}_{msk}(vk)$ to obtain $SK_{vk}$. It then computes $m \leftarrow \mathrm{Decode}_{SK_{vk}}(vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* \leftarrow \mathrm{Sign}_{sk^*}(c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of claim 2, continued
Note that $A'$ represents a legal adversarial strategy for attacking $\Pi$; in particular $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore $A'$ provides a perfect simulation for $A$ until event Forge occurs (in such an event $A'$ outputs a random bit). And thus
$$\Pr^{IBE}_{A'}[\mathrm{Success}] - \tfrac{1}{2} = \Pr^{PKE}_A[\mathrm{Success} \wedge \neg\mathrm{Forge}] + \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac{1}{2} = \Pr^{PKE}_A[\mathrm{Success} \wedge \neg\mathrm{Forge}] - \tfrac{1}{2}\Pr^{PKE}_A[\neg\mathrm{Forge}]$$
And the left side of the above is negligible by the assumed security of $\Pi$.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e : G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and all $a, b$: $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: There is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps: MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By non-degeneracy of $\hat e$, both $g$ and $h$ have order $q$ in $G_2$. By bilinearity, $h = \hat e(\alpha P, P) = g^{\alpha}$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps: DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$ where $a, b, c$ are random in $Z_q^*$ and $P$ is random in $G_1^*$.
Given $P, aP, bP, cP \in G_1$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP)$$
24
Bilinear Diffie-Hellman Problem
BDH problem
Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e : G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in Z_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\varepsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if
$$\Pr[A(P, aP, bP, cP) = \hat e(P, P)^{abc}] \ge \varepsilon$$
BDH parameter generator
A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k$,
2) $\mathcal{G}$ runs in time polynomial in $k$,
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$.
BDH assumption
Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $\mathrm{Adv}_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$\mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\left[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \,\middle|\, (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow Z_q^*\right]$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $\mathrm{Adv}_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for a generator satisfying the BDH assumption
Elliptic curves
A curve defined by the equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $F_p$ where $p$ is a prime satisfying $p \equiv 2 \bmod 3$. Let $E(F_{p^r})$ denote the group of points on $E$ defined over $F_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $F_p$.
Fact 2: $E(F_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(F_p)$ be a point of order $q$ and let $G_1$ be the subgroup gener­ated by $P$.
Fact 3: For any $y_0 \in F_p$ there is a unique point $(x_0, y_0)$ on $E(F_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in F_p$. Hence if $(x, y)$ is a random non-zero point on $E(F_p)$ then $y$ is uniform in $F_p$.
Fact 4: Let $1 \ne \zeta \in F_{p^2}$ be a solution of $x^3 - 1 = 0$ in $F_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(F_p)$ we have that $\phi(Q) \in E(F_{p^2})$ but $\phi(Q) \notin E(F_p)$. Hence $Q \in E(F_p)$ is linearly independent of $\phi(Q) \in E(F_{p^2})$. Since the points $P$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $Z_q \times Z_q$. We denote this group of points by $E[q]$.
26
Possible construction for a generator satisfying the BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(F_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(F_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in Z$ and $P \in E(F_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(F_{p^2})$ can be viewed as a rational function $f(x, y) \in F_{p^2}(x, y)$. For any point $P = (x, y) \in E(F_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(F_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) \cdot (P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for a generator satisfying the BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}$$
It's clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$.
But it's degenerate, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for a generator satisfying the BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q))$$
Recall: Let $1 \ne \zeta \in F_{p^2}$ be a solution of $x^3 - 1 = 0$ in $F_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(F_p)$ we have that $\phi(Q) \in E(F_{p^2})$ but $\phi(Q) \notin E(F_p)$. Hence $Q \in E(F_p)$ is linearly independent of $\phi(Q) \in E(F_{p^2})$.
$G_1$: subgroup of points in $E(F_p)$ generated by the point $P$ of order $q$.
$G_2$: subgroup of $F_{p^2}^*$ of order $q$.
29
Possible construction for a generator satisfying the BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as follows: $\hat e(P, Q) = e(P, \phi(Q))$.
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: There is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$ the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in Z_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1 : \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The msk is $s \in Z_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$ where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$;
(2) choose a random $r \in Z_q^*$;
(3) set the ciphertext to be
$$C = (rP,\ m \oplus H_2(g_{ID}^r)) \quad \text{where } g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2$$
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = (U, V) \in C$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m$$
34
Boneh-Franklin IBE scheme
Consistency
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^r$$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^r$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since $\hat e(d_{ID}, U) = g_{ID}^r$.
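The Setup, Extract, Encrypt and Decrypt steps of the preceding slides and the consistency identity above, as an added example (not code from the slides or from Boneh-Franklin). The pairing groups are simulated: a point $aP \in G_1$ is stored as its scalar $a \bmod q$ and $\hat e(aP, bP)$ is computed as $g^{ab}$ in an order-$q$ subgroup of $Z_p^*$, with constructed parameters $q = 1009$, $p = 10091$; discrete logs are trivial here, so this shows the algebra of the scheme and nothing about its security.

```python
import hashlib
import secrets

# Added example, not from the slides. The pairing is SIMULATED (constructed,
# insecure): aP in G1 is the scalar a mod q, and e(aP, bP) = g^(ab) in the
# order-q subgroup of Z_p^*. This reproduces the scheme's algebra only.
Q = 1009                               # constructed prime group order q
P_MOD = 10091                          # constructed prime p with q | p - 1
G = pow(2, (P_MOD - 1) // Q, P_MOD)    # generator g of G2 (order q)
N_BYTES = 16                           # message length n = 128 bits
GEN = 1                                # the generator P of G1, as scalar 1


def pairing(a: int, b: int) -> int:
    """e(aP, bP) = g^(ab) mod p: bilinear by construction."""
    return pow(G, (a * b) % Q, P_MOD)


def h1(identity: str) -> int:
    """H1: {0,1}* -> G1*, i.e. a nonzero scalar t with Q_ID = tP."""
    d = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + d % (Q - 1)


def h2(elem: int) -> bytes:
    """H2: G2 -> {0,1}^n."""
    return hashlib.sha256(elem.to_bytes(2, "big")).digest()[:N_BYTES]


def setup():
    """Master key s in Z_q*, P_pub = sP; returns (mpk, msk)."""
    s = 1 + secrets.randbelow(Q - 1)
    return {"P": GEN, "Ppub": (s * GEN) % Q}, s


def extract(msk: int, identity: str) -> int:
    """d_ID = s * Q_ID."""
    return (msk * h1(identity)) % Q


def encrypt(mpk: dict, identity: str, m: bytes, r: int = None) -> tuple:
    """C = (rP, m xor H2(g_ID^r)) with g_ID = e(Q_ID, P_pub), r random in Z_q*."""
    if len(m) != N_BYTES:
        raise ValueError("message must be exactly n bits")
    if r is None:
        r = 1 + secrets.randbelow(Q - 1)
    g_id = pairing(h1(identity), mpk["Ppub"])
    mask = h2(pow(g_id, r, P_MOD))
    return (r * mpk["P"]) % Q, bytes(x ^ y for x, y in zip(m, mask))


def decrypt(d_id: int, c: tuple) -> bytes:
    """m = V xor H2(e(d_ID, U)); a wrong d_ID yields an unrelated mask."""
    u, v = c
    mask = h2(pairing(d_id, u))
    return bytes(x ^ y for x, y in zip(v, mask))


def consistency_holds(mpk: dict, msk: int, identity: str, r: int) -> bool:
    """Check e(d_ID, rP) == e(Q_ID, P_pub)^r, the identity behind correctness."""
    lhs = pairing(extract(msk, identity), (r * mpk["P"]) % Q)
    rhs = pow(pairing(h1(identity), mpk["Ppub"]), r, P_MOD)
    return lhs == rhs
```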
35
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Decisional BDH: To distinguish between $(P, aP, bP, cP, \hat e(P, P)^{abc})$ and $(P, aP, bP, cP, \hat e(P, P)^{r})$, which is equivalent to distinguishing between $(P, aP, bP, cP, \hat e(P, P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary A that gains advantage $\varepsilon$ in the selective IND-ID-CPA game then there exists a poly-time adversary B that solves Decisional BDH with probability $\tfrac{1 + \varepsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k : \{0,1\}^* \to G_1$
2. $\forall x \in \{0,1\}^*,\ \forall y \in G_1\ \exists k$ s.t. $H_k(x) = y$
3. Such $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Algorithm B
1. B gets $(q, G_1, G_2, \hat e)$ and $(P, Q = aP, U = bP, R = cP, r)$. B has to answer 1 if $\hat e(P, P)^{abc} = r$ and 0 otherwise.
2. B starts to execute A and on the first step receives $ID^*$.
3. B chooses a random $s \in Z_q^*$ and finds a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID^*) = U$, and another hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$ without any restriction.
4. B provides A with the public setup $(q, G_1, G_2, \hat e, n, Q, sQ, H_1, H_2)$. So the master key is $s$ and the public key is $sQ$.
5. B answers A's extraction queries in the standard way.
6. When A is ready for a challenge it gives B two messages $m_0, m_1$. B chooses a bit $b$ at random and gives A $C = (R,\ m_b \oplus H_2(r^s))$.
7. B answers 1 if A was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Analysis of algorithm B
- Algorithm B runs in the same time as A.
- In the last stage:
  - If $\hat e(P, P)^{abc} = r$ then $H_2(r^s) = H_2(g_{ID^*}^{c})$, since $g_{ID^*} = \hat e(U, sQ) = \hat e(P, P)^{sab}$, and thus $(cP,\ H_2(r^s) \oplus m_b)$ is a valid encryption of $m_b$; hence $\Pr[\text{A answers correctly}] \ge \tfrac{1}{2} + \varepsilon$.
  - Otherwise $H_2(r^s)$ is a random uniform string and thus $H_2(r^s) \oplus m_b$ is a random uniform string; hence $\Pr[\text{A answers correctly}] = \tfrac{1}{2}$.
- Thus B answers correctly with probability at least $\tfrac{1 + \varepsilon}{2}$.
39
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security in the random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub. This scheme is defined by the following algorithms:
keygen: Given a security parameter $k$ the algorithm works as follows:
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e : G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in Z_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in Z_q^*$ and set the ciphertext to be
$$C = (rP,\ m \oplus H_2(g_{id}^r)) \quad \text{where } g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2$$
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id} \in G_1^*$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Now, if there is a poly-time adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
setup: Algorithm B is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. B gives A the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. $H_1$ is a random oracle controlled by B in the following way: B maintains a list of tuples $(ID_j, Q_j, b_j, c_j)$; we call it the $H_1^{list}$. The list is initially empty. When A asks $H_1$ on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, c_i)$ then B responds with $H_1(ID_i) = Q_i \in G_1^*$.
2. Otherwise B generates a random $coin \in \{0,1\}$ with a fixed probability $\Pr[coin = 0]$.
3. B picks a random $b \in Z_q^*$. If $coin = 0$, $Q_i = bP$; otherwise $Q_i = bQ_{id}$.
4. B adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1^{list}$ and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security
IND-ID-CPA security in the random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i = H_1(ID_i)$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $coin_i = 0$, so $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i s P = s Q_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Challenge: Once algorithm A decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $(ID_{ch}, Q_{ch}, b, coin)$ corresponding to $H_1(ID_{ch})$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q_{ch} = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1^*$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note
$$\hat e(b^{-1}U, d_{ID}) = \hat e(b^{-1}U, sQ_{ch}) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id})$$
Hence the BF IBE decryption of $C'$ using $d_{ID}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security in the random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B will respond as before.
Eventually algorithm A will output its answer $b'$; algorithm B will output the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly, so does B.
B does not abort with non-negligible probability. And thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security in the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security in the random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them B maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$. The list is initially empty. When A asks $H_2$ on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security in the random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = (P_3, R)$. Algorithm B gives $C$ as the challenge to A. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$$
48
BF IBE scheme security
IND-ID-CPA security in the random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). And thus the probability of A asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of A's view, and thus A can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since its length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
2
Agenda
Definition of ID-based encryption
Possible applications
CCA-secure encryption based on IBE
Boneh-Franklin construction
Possible implementations of BF
constructions
Boneh-Franklin IBE scheme
3
Definition of ID-based encryption
Problems with this approach
There is a need in central certificate-authority that will provide public key associated with Bob
Alice needs a way to validate Bobrsquos certificate to make sure message is being sent to Bob
The system is tightly-coupled messages can be sent only after Bob registers his public key and Alice has to know about this before sending the message
Standard Public-Key Encryption
Alice
Certificate-Authority
Bob
Send message encrypted with Bobrsquos public key
4
Definition of ID-based encryption
Messages can be encoded with any public key
There is a central authority that generates private keys for public keys
Senderrsquos and receiverrsquos actions are independent and can be done in any order
Authorization against PKG is done like with regular CA
AliceBob
PKG
Identity-based encryption proposed by Shamir in lsquo84
Message encoded with arbitrary string as public key
5
Formal definition
IBE scheme consists of 4 randomized algorithms
Setup Takes a security parameter k and returns mpk and msk The parameters
include a description of a finite message space M and a description of a finite
ciphertext space C
Extract Takes as input mpk msk and an arbitrary and returns a
private key SKID Here ID is an arbitrary string that will be used as a public key
and SKID is the corresponding private decryption key
Encrypt Takes as input mpk ID and It returns a ciphertext
Decrypt Takes as input mpk and a private key SKID It returns
ID 01
m M c C
c C m M
These algorithm must satisfy the standard consistency constraint namely when SKID is
the private key generated by algorithm Extract when it is given ID as the public key then
ID Decrypt(mpkcSK )=m where c=Encrypt(mpkIDm)m M
6
Security notions - IND-ID-CPA
An IBE scheme is semantically secure against an adaptive chosen-plaintext attack if no polynomially bounded adversary A has non-negligible advantage against the challenger in the following IND-ID-CPA game:
Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting mpk and keeps msk for itself.
Phase 1: The adversary issues queries $q_1, q_2, \dots, q_m$, where each $q_i$ is an extraction query.
• Extraction query $\langle ID_i \rangle$: the challenger responds with the private key $d_i$ corresponding to the public key $\langle ID_i \rangle$.
Challenge: The adversary outputs two equal-length messages $m_0, m_1 \in M$ and an identity $ID$ that did not appear in any extraction query. The challenger picks a random bit $b \in \{0,1\}$ and sets $C = \mathrm{Encrypt}(mpk, ID, m_b)$. It sends $C$ as the challenge to the adversary.
Phase 2: The adversary issues more extraction queries as in Phase 1, but not on the challenge identity $ID$.
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$. Its advantage is $|\Pr[b = b'] - \tfrac{1}{2}|$.
7
Security notions - selective IBE
A weaker security notion is obtained if we require the adversary to choose the identity it wants to be challenged on before seeing the public system parameters generated by the challenger. The selective-ID IND-ID-CPA game is the following:
ID Selection: The adversary chooses an identity $ID$ and passes it to the challenger.
Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting mpk and keeps msk for itself.
Phase 1: The adversary issues queries $q_1, q_2, \dots, q_m$, where each $q_i$ is an extraction query on some $ID_i \neq ID$.
• Extraction query $\langle ID_i \rangle$: the challenger responds with the private key $d_i$ corresponding to the public key $\langle ID_i \rangle$.
Challenge: The adversary outputs two equal-length messages $m_0, m_1 \in M$. The challenger picks a random bit $b$ and sets $C = \mathrm{Encrypt}(mpk, ID, m_b)$. It sends $C$ as the challenge to the adversary.
Phase 2: The adversary issues more extraction queries as in Phase 1, again none on $ID$.
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
8
A little bit of history
1984: scheme definition by Shamir.
2001: IBE in the random-oracle model using the Weil pairing, by Boneh and Franklin; IBE using factoring (quadratic residuosity), by Cocks.
2005: IBE in the standard model using bilinear maps, by Waters.
9
Possible applications
First and trivial: to overcome the problems of the standard PKE setting we've discussed (no certificate lookup or validation before a message can be sent).
10
Possible applications
In addition, the ability to use an arbitrary string as a public key allows the following usages:
Revocation of public keys: keys of the form bob@company.com || year. There is a corporate PKG which gives Bob a private key valid for one year; the sender needs no revocation list, since the key string itself expires.
Managing user credentials: keys of the form bob@company.com || year || clearance. Bob will be able to read messages only if he has the appropriate clearance on the specified date.
Delegation to a laptop: Bob knows the private master key (he runs his own PKG) and creates temporary private keys, e.g. one per day, to be used on his laptop during vacation; if the laptop is lost, only those keys are exposed.
Delegation of duties: suppose Bob has several assistants for different subjects; then he can create a different private key for each subject, while having the master key allows him to read all the mail.
11
Possible applications
Finally, identity-based encryption can be used to construct CCA2-secure public-key encryption.
We will see such a construction now.
12
Recall ndash CCA2 security
CCA2, or adaptive chosen-ciphertext attack, security means that there is no poly-time adversary A that can win the IND-CCA game with probability non-negligibly greater than one half. The IND-CCA game is defined as follows:
Setup: The challenger takes a security parameter k and runs the Gen algorithm. It gives the adversary the resulting public key and keeps the private key for itself.
Phase 1: The adversary issues queries $q_1, q_2, \dots, q_m$, where each $q_i$ is a decryption query.
• Decryption query $\langle C_i \rangle$: the challenger responds by decrypting $C_i$ using the private key. It sends the resulting plaintext (or $\perp$ if $C_i$ is invalid) to the adversary.
Challenge: The adversary outputs two equal-length messages $m_0, m_1 \in M$. The challenger picks a random bit $b$ and sets $C = \mathrm{Encrypt}(\text{public-key}, m_b)$. It sends $C$ as the challenge to the adversary.
Phase 2: The adversary issues more decryption queries as in Phase 1, but not on the challenge ciphertext $C$ itself.
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
13
Constructing CCA-secure scheme
We will now construct a public-key encryption scheme that is based on:
• an IBE scheme which is selective-ID secure against chosen-plaintext attacks (selective IND-ID-CPA), and
• a one-time signature scheme which is strongly unforgeable: an adversary that sees one signature should not be able to produce any new valid (message, signature) pair, not even a new signature on the previously signed message.
Example of such a signature scheme: the Lamport scheme.
Let $f$ be a one-way function. To sign messages of $n$ bits:
The signing key is $2n$ random elements in the domain of $f$: $X = (x_{1,0}, x_{1,1}, x_{2,0}, x_{2,1}, \dots, x_{n,0}, x_{n,1})$.
The public verification key is the image of $X$ under $f$: $Y = (y_{1,0}, y_{1,1}, \dots, y_{n,0}, y_{n,1})$ where $y_{i,j} = f(x_{i,j})$.
To sign a message $m = m_1 m_2 \dots m_n$, output the values $(x_{1,m_1}, x_{2,m_2}, \dots, x_{n,m_n})$.
To verify a signature $(x'_1, \dots, x'_n)$ on message $m$ with public key $Y$, check that for each $i$, $y_{i,m_i} = f(x'_i)$.
Caveat: the key must be used for a single message only (two signatures reveal preimages for both values of some positions, which allows forgeries), and strong unforgeability additionally needs $f$ to be second-preimage resistant (e.g., injective); otherwise a second preimage of some $y_{i,m_i}$ yields a new signature on the same message.
14
Constructing CCA-secure scheme
The construction is by Canetti, Halevi and Katz and goes as follows:
Let $\Pi = (\mathrm{Setup}, \mathrm{Extract}, \mathrm{Encrypt}, \mathrm{Decrypt})$ be an IBE scheme and $\mathrm{Sig} = (G, \mathrm{Sign}, \mathrm{Verify})$ be a one-time signature scheme. Our public-key encryption scheme $\Pi' = (\mathrm{Gen}, \mathrm{Encrypt}', \mathrm{Decrypt}')$ works as follows:
Gen: on input $1^k$, run $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$. The public key is $PK$ and the secret key is $msk$.
Encryption: to encrypt a message $m$ using public key $PK$, the sender first runs $G(1^k)$ to obtain a verification key $vk$ and a signing key $sk$. The sender then computes $c = \mathrm{Encrypt}(PK, vk, m)$ (i.e., the sender uses $vk$ as an identity) and $\sigma = \mathrm{Sign}(sk, c)$. The final ciphertext is $(vk, c, \sigma)$.
Decryption: to decrypt a ciphertext $(vk, c, \sigma)$ using secret key $msk$, the receiver first checks whether $\mathrm{Verify}(vk, c, \sigma) = 1$. If not, the receiver simply outputs $\perp$. Otherwise the receiver computes $SK_{vk} = \mathrm{Extract}(msk, vk)$ and outputs $m = \mathrm{Decrypt}(SK_{vk}, vk, c)$.
It is clear that this scheme is indeed a correct public-key encryption scheme.
15
Proof of CCA2-security
Intuition for the proof (informal): Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. Without any decryption oracle queries the plaintext corresponding to $c^*$ remains hidden from the adversary, because $c^*$ is output by $\Pi$, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\perp$, since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \neq vk^*$, then the decryption query will not help the adversary, since the eventual decryption using Decrypt will be done with respect to a different identity $vk \neq vk^*$.
16
Proof of CCA2-security
Formal proof:
Assume we are given a poly-time adversary $A$ attacking $\Pi'$ in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $\mathrm{Verify}(vk, c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game, and let Forge denote the event that $A$ submits to its decryption oracle a valid ciphertext $(vk^*, c, \sigma)$ (necessarily with $(c, \sigma) \neq (c^*, \sigma^*)$). Write $\Pr_A[\cdot]$ for probabilities over this run of the IND-CCA game against $\Pi'$, and Success for the event $b = b'$. We prove the following claims:
Claim 1: $\Pr_A[\mathrm{Forge}]$ is negligible.
Claim 2: $\left|\Pr_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr_A[\mathrm{Forge}] - \tfrac{1}{2}\right|$ is negligible.
Now from these two claims we get
$$\left|\Pr_A[\mathrm{Success}] - \tfrac12\right| \le \left|\Pr_A[\mathrm{Success} \wedge \mathrm{Forge}] - \tfrac12 \Pr_A[\mathrm{Forge}]\right| + \left|\Pr_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac12 \Pr_A[\mathrm{Forge}] - \tfrac12\right| \le \tfrac12 \Pr_A[\mathrm{Forge}] + \left|\Pr_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac12 \Pr_A[\mathrm{Forge}] - \tfrac12\right|,$$
which is negligible given the stated claims (the first term is at most $\tfrac12 \Pr_A[\mathrm{Forge}]$ because $0 \le \Pr_A[\mathrm{Success} \wedge \mathrm{Forge}] \le \Pr_A[\mathrm{Forge}]$).
17
Proof of CCA2-security
Proof of Claim 1:
We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr_A[\mathrm{Forge}]$; security of Sig implies the claim.
$F$ is defined as follows: given input $1^k$ and a verification key $vk^*$, $F$ first runs $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption queries of $A$, since it knows $msk$. If $A$ happens to submit a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, forger $F$ proceeds as follows: it chooses a random bit $b$, computes $c^* = \mathrm{Encrypt}(PK, vk^*, m_b)$ and obtains from its signing oracle a signature $\sigma^*$ on the message $c^*$. Finally, $F$ hands $(vk^*, c^*, \sigma^*)$ to $A$.
If $A$ submits a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle, note that we must have $(c, \sigma) \neq (c^*, \sigma^*)$. In this case $F$ simply outputs $(c, \sigma)$ as its forgery. It is easy to see that $F$'s success probability is exactly $\Pr_A[\mathrm{Forge}]$.
18
Proof of CCA2-security
Proof of Claim 2:
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme $\Pi$ in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $\mathrm{Decrypt}'(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
(a) If $vk = vk^*$ then $A'$ checks whether $\mathrm{Verify}(vk, c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\perp$.
(b) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 0$ then $A'$ responds with $\perp$.
(c) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 1$ then $A'$ makes the extraction query $\mathrm{Extract}(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = \mathrm{Decrypt}(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return, $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* = \mathrm{Sign}(sk^*, c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally, $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of Claim 2, continued:
Note that $A'$ represents a legal adversarial strategy for attacking $\Pi$; in particular, $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore, $A'$ provides a perfect simulation for $A$ until event Forge occurs (in which case $A'$ outputs a random bit). Thus
$$\left|\Pr^{IBE}_{A'}[\mathrm{Success}] - \tfrac12\right| = \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac12 \Pr^{PKE}_A[\mathrm{Forge}] - \tfrac12\right|,$$
and the left side of the above is negligible by the assumed (selective-ID) security of $\Pi$, which proves Claim 2.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e: G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}$, $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps ndash MOV reduction
Named after Menezes, Okamoto and Vanstone. Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$:
Let $P, Q \in G_1$, where both have order $q$. We wish to find $\alpha \in \mathbb{Z}_q$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By bilinearity, $h = \hat e(\alpha P, P) = g^{\alpha}$. By non-degeneracy of $\hat e$, both $g$ and $h$ have order $q$ in $G_2$.
Hence we reduced the discrete log problem in $G_1$ (find $\alpha$ from $P, Q$) to a discrete log problem in $G_2$ (find $\alpha$ from $g, h$).
23
Bilinear maps ndash DDH is easy
The Decisional Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$, where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1^4$ we have
$$c \equiv ab \pmod q \iff \hat e(P, cP) = \hat e(aP, bP),$$
since the two sides equal $\hat e(P,P)^{c}$ and $\hat e(P,P)^{ab}$ respectively and $\hat e(P,P)$ has order $q$. So DDH in $G_1$ is easy, which is why the scheme relies on the Bilinear Diffie-Hellman problem instead.
24
Bilinear Diffie-Hellman Problem
BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e: G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\epsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if $\Pr[A(P, aP, bP, cP) = \hat e(P,P)^{abc}] \ge \epsilon$.
BDH parameter generator: A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k$,
2) $\mathcal{G}$ runs in time polynomial in $k$,
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$.
BDH assumption: Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $\mathrm{Adv}_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$\mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\left[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P,P)^{abc} \;\middle|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\right].$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $\mathrm{Adv}_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves: A curve defined by the equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \pmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$, and $E(\mathbb{F}_p)$ contains $p + 1$ points (the point at infinity $O$ included). Let $P \in E(\mathbb{F}_p)$ be a point of prime order $q$ (so $q \mid p + 1$) and let $G_1$ be the subgroup generated by $P$.
Fact 2: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{(2p-1)/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E(\mathbb{F}_{p^2})$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ with $x \neq 0$ we have $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$, since $\zeta \notin \mathbb{F}_p$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent, they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
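The following Python script is an added example, not part of the slides or of the Boneh-Franklin paper: it checks Facts 1 and 2 by brute force for small primes $p \equiv 2 \pmod 3$ and derives a point of prime order $q \mid p + 1$, i.e. the generator of $G_1$. The point-addition formulas are the textbook affine formulas for $y^2 = x^3 + 1$; the prime sizes and all function names are the example's own choices.

```python
"""Brute-force checks of Facts 1 and 2 for E: y^2 = x^3 + 1 over F_p, p = 2 (mod 3).

Added example, not from the slides: counts E(F_p), checks that cubing is a
permutation, and derives a point of prime order q | p + 1 (the generator of G1).
Point arithmetic is the textbook affine formula for a = 0; None stands for O.
"""


def cube_root(a, p):
    """Unique cube root in F_p when p = 2 (mod 3): a^((2p-1)/3), as 2p-1 = 1 mod (p-1)."""
    assert p % 3 == 2
    return pow(a, (2 * p - 1) // 3, p)


def points(p):
    """All affine points of E(F_p): each y gives exactly one x = (y^2 - 1)^(1/3) (Fact 2)."""
    return [(cube_root((y * y - 1) % p, p), y) for y in range(p)]


def count_points(p):
    """|E(F_p)| including O; Fact 1 says p + 1."""
    pts = points(p)
    assert all((y * y - x * x * x - 1) % p == 0 for x, y in pts)
    return len(set(pts)) + 1


def cube_is_permutation(p):
    """Fact 1: x -> x^3 is a bijection on F_p exactly when gcd(3, p - 1) = 1."""
    return len({pow(x, 3, p) for x in range(p)}) == p


def add(a, b, p):
    """Affine group law on y^2 = x^3 + 1; None is the point at infinity O."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # a + (-a) = O
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p     # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def mul(k, pt, p):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, p)
        pt = add(pt, pt, p)
        k >>= 1
    return acc


def point_of_order(q, p):
    """A point of order q in E(F_p): multiply curve points by the cofactor (p+1)/q."""
    assert (p + 1) % q == 0
    for pt in points(p):
        g = mul((p + 1) // q, pt, p)
        if g is not None:
            assert mul(q, g, p) is None               # order divides prime q, so equals q
            return g
    raise ValueError("no point of order q found")
```

For $p = 11$ the script finds $12$ points and a point of order $3$; for $p = 29$ it finds $30$ points and a point of order $5$. The same cofactor-multiplication step is how a real parameter generator picks the order-$q$ generator $P$ once $q \mid p + 1$ is chosen.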
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f)\,(P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at the point $P$ (negative at a pole).
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ (up to a constant factor) such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$ for some $Q \in E$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$, which has coefficient sum $0$ and point sum $nP = O$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}.$$
It is clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q)\,e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\,e(P, Q_2)$.
But it is degenerate on a cyclic subgroup, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q)).$$
Recall: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E(\mathbb{F}_{p^2})$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ with $x \neq 0$ we have $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$, $\hat e(P, Q) = e(P, \phi(Q))$, satisfies the following properties:
1. Bilinear: follows from bilinearity of the Weil pairing and from $\phi$ being a group homomorphism.
2. Non-degenerate: $P$ and $\phi(P)$ are linearly independent in $E[q]$ and the Weil pairing is non-degenerate on $E[q]$, so $\hat e(P, P) = e(P, \phi(P)) \neq 1$, which is exactly what the unmodified pairing failed to give.
3. Computable: there is an efficient algorithm (Miller's algorithm) to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ must be used in practice to make the BDH problem sufficiently hard: by the MOV reduction, discrete log in $G_1$ is no harder than discrete log in $\mathbb{F}_{p^2}^*$, so $p^2$ must be large enough for that to be infeasible, and $q$ must be large enough to resist generic square-root attacks in $G_1$.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$, the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The msk is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$$C = \left(rP,\ m \oplus H_2(g_{ID}^{\,r})\right) \quad \text{where } g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*.$$
33
Boneh-Franklin IBE scheme
Decrypt: Let $C = (U, V) \in C$ be a ciphertext encrypted using the public key $ID$ (a receiver should first check that $U \in G_1^*$ and reject otherwise). To decrypt $C$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m.$$
34
Boneh-Franklin IBE scheme
Consistency:
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, sP)^{r} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}.$$
1. During encryption $m$ is bitwise XORed with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise XORed with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$.
Note that the mask acts as a one-time pad: flipping a bit of $V$ flips the same bit of the decrypted $m$, so this basic scheme is malleable and at best CPA-secure. CCA security needs an extra mechanism such as the CHK construction above (the Boneh-Franklin paper's FullIdent variant instead applies the Fujisaki-Okamoto transform).
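The following Python script is an added example (not code from the slides or from either paper) that ties the Boneh-Franklin algorithms above to the CHK transform and the Lamport signature of the earlier slides, and includes the pairing-based DDH test of the "DDH is easy" slide. The admissible bilinear map is faked: $G_1$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2q + 1$ (written multiplicatively), and $\hat e(g^a, g^b) = g^{ab}$ is computed by brute-forcing the discrete log, which only works because $q = 1019$ is tiny. Nothing here is secure; the group parameters, the choice of SHA-256 for $H_1$, $H_2$ and for hashing messages before Lamport signing, and all function names are the example's own assumptions.

```python
"""Toy Boneh-Franklin BasicIdent + Lamport OTS + CHK transform (added example).
The pairing is faked by brute-force discrete log in a tiny group: NOT secure."""
import hashlib
import secrets

Q = 1019            # prime order of G1 (toy size)
P = 2 * Q + 1       # 2039 is prime, so the quadratic residues mod P form G1
G = 4               # 2^2 is a quadratic residue, hence a generator of G1
N = 16              # plaintext length in bytes: M = {0,1}^(8N)

def dlog(h):
    """Brute-force log_G(h); stands in for a real pairing evaluation."""
    for a in range(Q):
        if pow(G, a, P) == h:
            return a
    raise ValueError("element not in G1")

def pair(x, y):
    """Fake admissible map e(G^a, G^b) = G^(ab), with G2 = G1."""
    return pow(y, dlog(x), P)

def is_ddh_tuple(ga, gb, gc):
    """DDH is easy with a pairing: c = ab (mod Q) iff e(G, G^c) = e(G^a, G^b)."""
    return pair(G, gc) == pair(ga, gb)

def h1(identity):
    """H1: {0,1}* -> G1^* (hash to a nonzero exponent, then exponentiate)."""
    z = int.from_bytes(hashlib.sha256(identity).digest(), "big") % (Q - 1) + 1
    return pow(G, z, P)

def h2(gt):
    """H2: G2 -> {0,1}^(8N)."""
    return hashlib.sha256(gt.to_bytes(2, "big")).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- Boneh-Franklin BasicIdent: Setup / Extract / Encrypt / Decrypt ---
def ibe_setup():
    s = secrets.randbelow(Q - 1) + 1            # master key s in Z_Q^*
    return pow(G, s, P), s                      # (P_pub = sP, msk)

def ibe_extract(msk, identity):
    return pow(h1(identity), msk, P)            # d_ID = s * Q_ID

def ibe_encrypt(ppub, identity, m):
    r = secrets.randbelow(Q - 1) + 1
    g_id = pair(h1(identity), ppub)             # g_ID = e(Q_ID, P_pub)
    return pow(G, r, P), xor(m, h2(pow(g_id, r, P)))   # (rP, m xor H2(g_ID^r))

def ibe_decrypt(d_id, ct):
    u, v = ct
    return xor(v, h2(pair(d_id, u)))            # e(d_ID, U) = g_ID^r

# --- Lamport one-time signature over SHA-256 (hash-then-sign) ---
def ots_keygen(bits=256):
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(bits)]
    vk = [[hashlib.sha256(x).digest() for x in pr] for pr in sk]
    return vk, sk

def _digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ots_sign(sk, msg):
    h = _digest_int(msg)
    return [sk[i][(h >> i) & 1] for i in range(len(sk))]   # one preimage per bit

def ots_verify(vk, msg, sig):
    h = _digest_int(msg)
    return len(sig) == len(vk) and all(
        hashlib.sha256(sig[i]).digest() == vk[i][(h >> i) & 1] for i in range(len(vk)))

# --- CHK transform: vk is the identity, the signature binds the IBE ciphertext ---
def _vk_bytes(vk):
    return b"".join(y for pr in vk for y in pr)

def _ct_bytes(c):
    return c[0].to_bytes(2, "big") + c[1]

def chk_encrypt(ppub, m):
    vk, sk = ots_keygen()
    c = ibe_encrypt(ppub, _vk_bytes(vk), m)
    return vk, c, ots_sign(sk, _ct_bytes(c))

def chk_decrypt(msk, ct):
    vk, c, sig = ct
    if not ots_verify(vk, _ct_bytes(c), sig):   # verify BEFORE extracting a key for vk
        return None
    return ibe_decrypt(ibe_extract(msk, _vk_bytes(vk)), c)

def demo():
    """Round trip, BasicIdent's malleability, and CHK's rejection of the same change."""
    ppub, msk = ibe_setup()
    m = b"attack at dawn!!"                      # constructed 16-byte sample
    vk, c, sig = chk_encrypt(ppub, m)
    ok = chk_decrypt(msk, (vk, c, sig)) == m
    delta = b"\x01" + bytes(N - 1)
    c_flip = (c[0], xor(c[1], delta))            # flip one bit of V
    malleable = ibe_decrypt(ibe_extract(msk, _vk_bytes(vk)), c_flip) == xor(m, delta)
    rejected = chk_decrypt(msk, (vk, c_flip, sig)) is None
    return ok, malleable, rejected
```

`demo()` returns three booleans: the CHK round trip works, the bare BasicIdent ciphertext can be modified so that a chosen bit of the plaintext flips (the malleability noted above), and the CHK wrapper rejects that modified ciphertext because the Lamport signature no longer verifies. The ordering in `chk_decrypt` matters: the verification-key check happens before any key is extracted, so an invalid ciphertext never causes a decryption under the attacker-chosen identity.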
35
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model (no random oracles), assuming Decisional BDH.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID it wants to be challenged on, then receives the public setup and is allowed to issue key extraction queries on other identities.
36
BF IBE scheme security
Decisional BDH: given $(P, \alpha P, \beta P, \gamma P, r)$, decide whether $r = \hat e(P,P)^{\alpha\beta\gamma}$; that is, distinguish between the distributions $(P, \alpha P, \beta P, \gamma P, \hat e(P,P)^{\alpha\beta\gamma})$ and $(P, \alpha P, \beta P, \gamma P, r)$ for random $r \in G_2$, with $\alpha, \beta, \gamma$ random in $\mathbb{Z}_q^*$.
Selective IND-ID-CPA security in the standard model
Theorem: If there exists a poly-time adversary A that gains advantage $\epsilon$ in the selective IND-ID-CPA game, then there exists a poly-time adversary B that solves Decisional BDH with probability at least $\tfrac{1}{2} + \tfrac{\epsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfies the following properties:
1. $H_k: \{0,1\}^* \to G_1$.
2. For every $x \in \{0,1\}^*$ and $y \in G_1$ there exists $k$ such that $H_k(x) = y$.
3. Such $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Algorithm B:
1. B gets $(q, G_1, G_2, \hat e)$ and $(P, Q = \alpha P, U = \beta P, R = \gamma P, r)$, and has to answer 1 if $\hat e(P,P)^{\alpha\beta\gamma} = r$ and 0 otherwise.
2. B starts to execute A and on the first step receives the target identity $ID$.
3. B chooses a random $s \in \mathbb{Z}_q^*$ and finds a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID) = U = \beta P$, and another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. B provides A with the public setup $(q, G_1, G_2, \hat e, n, Q, sQ, H_1, H_2)$; so the generator is $Q$, the master key is $s$ and the public key is $P_{pub} = sQ$.
5. B answers A's extraction queries (on $ID_i \neq ID$) in the standard way, $d_i = sH_1(ID_i)$.
6. When A is ready for the challenge it gives B two messages $m_0, m_1$. B chooses a bit $b$ at random and gives A the ciphertext $C = (R,\ m_b \oplus H_2(r^s))$.
7. B answers 1 if A's guess was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Analysis of algorithm B:
• Algorithm B runs in the same time as A.
• In the last stage:
 - If $\hat e(P,P)^{\alpha\beta\gamma} = r$ then $H_2(r^s) = H_2(g_{ID}^{\,\gamma})$, since $g_{ID} = \hat e(H_1(ID), P_{pub}) = \hat e(\beta P, s\alpha P) = \hat e(P,P)^{\alpha\beta s}$, and thus $(R, m_b \oplus H_2(r^s))$ is a valid encryption of $m_b$; hence $\Pr[A \text{ answers correctly}] = \tfrac12 + \epsilon$.
 - Otherwise $H_2(r^s)$ is a uniformly random string, and thus $m_b \oplus H_2(r^s)$ is a uniformly random string; hence $\Pr[A \text{ answers correctly}] = \tfrac12$.
• Thus B answers correctly with probability at least $\tfrac12\left(\tfrac12 + \epsilon\right) + \tfrac12 \cdot \tfrac12 = \tfrac12 + \tfrac{\epsilon}{2}$.
39
BF IBE scheme security
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
IND-ID-CPA security in the random oracle model
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that the reduction controls the oracle and can build (program) it on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security in the random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms:
keygen: Given a security parameter $k$ the algorithm works as follows:
Step 1: Generate two prime-order groups $G_1, G_2$ and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $(q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id}$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = \left(rP,\ m \oplus H_2(g^{r})\right) \quad \text{where } g = \hat e(Q_{id}, P_{pub}) \in G_2^*.$$
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Now if there is a poly-time adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary B that wins the IND-CPA game against BasicPub with non-negligible advantage.
Proof:
setup: Algorithm B is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. B gives A the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$, where $H_1$ is a random oracle controlled by B in the following way:
B maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$; we call it the $H_1^{list}$. The list is initially empty. When A asks for $H_1(ID_i)$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, coin_i)$ then B responds with $H_1(ID_i) = Q_i$.
2. Otherwise B generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$ (for a $\delta$ fixed in advance).
3. B picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$ then $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. B adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1^{list}$ and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security
IND-ID-CPA security in the random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i = H_1(ID_i)$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $coin_i = 0$ and hence $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i sP = sQ_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Challenge: Once algorithm A decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the BasicPub encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $(ID_{ch}, Q, b, coin)$ corresponding to $ID_{ch}$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1^*$. Set $C' = (b^{-1}U, V)$, where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note that
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security in the random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries, and algorithm B responds as before.
Eventually algorithm A outputs its answer $b'$; algorithm B outputs the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly, so does B.
B does not abort with non-negligible probability: each of A's $q_E$ extraction queries survives with probability $\delta$ and the challenge identity has $coin = 1$ with probability $1 - \delta$, so B does not abort with probability at least $\delta^{q_E}(1 - \delta)$, which for $\delta = 1 - 1/(q_E + 1)$ is at least $1/(e(q_E + 1))$ (this is the Boneh-Franklin bound). Thus B wins the IND-CPA game against the BasicPub scheme with non-negligible advantage.
45
BF IBE scheme security
IND-ID-CPA security in the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible advantage. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1 = aP, P_2 = bP, P_3 = cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security in the random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$. The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$ (with $s = a$).
At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them B maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$. The list is initially empty. When A asks for $H_2(X_i)$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security in the random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = (P_3, R)$. Algorithm B gives $C$ as the challenge to A. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(\hat e(cP, abP)) = R \oplus H_2(D).$$
48
BF IBE scheme security
IND-ID-CPA security in the random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness:
B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible advantage (if given a correct encryption in the last stage). Thus the probability that A queries $H_2(D)$ is non-negligible (since otherwise the decryption of $C$ is independent of A's view, and A can't answer correctly with probability greater than one half). So $D$ appears in the $H_2^{list}$ with non-negligible probability, and since the list's length is polynomial, picking an entry at random gives the correct answer with non-negligible probability.
49
References
• D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• D. Boneh, R. Canetti, S. Halevi and J. Katz. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput. 36(5): 1301-1328 (2007).
3
Definition of ID-based encryption
Problems with this approach
There is a need in central certificate-authority that will provide public key associated with Bob
Alice needs a way to validate Bobrsquos certificate to make sure message is being sent to Bob
The system is tightly-coupled messages can be sent only after Bob registers his public key and Alice has to know about this before sending the message
Standard Public-Key Encryption
Alice
Certificate-Authority
Bob
Send message encrypted with Bobrsquos public key
4
Definition of ID-based encryption
Messages can be encoded with any public key
There is a central authority that generates private keys for public keys
Senderrsquos and receiverrsquos actions are independent and can be done in any order
Authorization against PKG is done like with regular CA
AliceBob
PKG
Identity-based encryption proposed by Shamir in lsquo84
Message encoded with arbitrary string as public key
5
Formal definition
IBE scheme consists of 4 randomized algorithms
Setup Takes a security parameter k and returns mpk and msk The parameters
include a description of a finite message space M and a description of a finite
ciphertext space C
Extract Takes as input mpk msk and an arbitrary and returns a
private key SKID Here ID is an arbitrary string that will be used as a public key
and SKID is the corresponding private decryption key
Encrypt Takes as input mpk ID and It returns a ciphertext
Decrypt Takes as input mpk and a private key SKID It returns
ID 01
m M c C
c C m M
These algorithm must satisfy the standard consistency constraint namely when SKID is
the private key generated by algorithm Extract when it is given ID as the public key then
ID Decrypt(mpkcSK )=m where c=Encrypt(mpkIDm)m M
6
Security notions ndash IND-ID-CPA
IBE scheme is semantically secure against an adaptive chosen plaintext attack if no poly-bounded adversary A has non-negligible advantage against Challenger in the following IND-ID-CPA game
Setup The challenger takes a security parameter k and runs the Setup algorithm It gives the
adversary the resulting mpk It keeps the msk for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi is extraction query
bull Extraction query ltIDigt The challenger responds the private key di corresponding to
the public key ltIDigt
Challenge The adversary outputs two equal length messages and an identity ID that
did not appear in any extraction query The challenger picks a random b and sets C =
Encrypt(params ID Mb) It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
7
Security notions ndash selective IBE
Even weaker security notion can be obtained if we require adversary to choose ID he wants to
compromise before seeing public system parameters generated by the challenger Selective IBE
IND-ID-CPA game will be the following
ID Selection The adversary chooses identity ID and passes it to the challenger
Setup The challenger takes a security parameter k and runs the Setup algorithm It gives the
adversary the resulting params It keeps the master-key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi is extraction query (not on ID)
bull Extraction query ltIDigt The challenger responds the private key di corresponding to
the public key ltIDigt
Challenge The adversary outputs two equal length messages The challenger picks a
random b and sets C = Encrypt(params ID Mb) It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
8
A little bit of history
Scheme definition by Shamir
IBE in random-oracle
Model using Weil-Pairing
By Boneh-Franklin
IBE using Factoring
By CocksIBE in standard model
using bilinear maps
By Waters
1984 2001 2005
9
Possible applications
First and trivial ndash to overcome PKE scheme
problems wersquove discussed
10
Possible applications
In addition, the ability to use an arbitrary string as a public key allows the following usages:
Revocation of public keys – keys of the form bob@company.com || year. There is a corporate PKG which will give Bob a private key valid for a year.
Managing user credentials – keys of the form bob@company.com || year || clearance. Bob will be able to read messages only if he has the appropriate clearance on the specified date.
Delegation to a laptop – Bob knows the private master-key and creates temporary private keys to be used on his laptop during vacation.
Delegation of duties – Suppose Bob has several assistants for different subjects; then he can create a different private key for each subject, and having the master key will allow him to read all the mail.
11
Possible applications
Finally, identity-based encryption can be used to construct CCA2-secure encryption.
We will see such a construction now.
12
Recall – CCA2 security
CCA2, or adaptive chosen-ciphertext attack security, means that there is no poly-time adversary A that can win the IND-CCA game with probability non-negligibly greater than half. The IND-CCA game is defined as follows:
Setup: The challenger takes a security parameter k and runs the GEN algorithm. It gives the adversary the resulting public key. It keeps the private key for itself.
Phase 1: The adversary issues queries q1, q2, …, qm where qi is a decryption query:
• Decryption query <Ci>: The challenger responds by decrypting Ci using the private key. It sends the resulting plaintext to the adversary.
Challenge: The adversary outputs two equal-length messages $M_0, M_1 \in \mathcal{M}$ that did not appear in any decryption query. The challenger picks a random b and sets C = Encrypt(public-key, $M_b$). It sends C as a challenge to the adversary.
Phase 2: The adversary issues more queries as in Phase 1 (but not about the challenge).
Guess: The adversary outputs a guess b' and wins the game if b = b'.
13
Constructing CCA-secure scheme
We will now construct a public-key encryption scheme that is based on:
• an IBE scheme which is selective-ID secure against chosen-plaintext attacks;
• a one-time signature which is strongly unforgeable (which means that an adversary should not be able to forge a new signature even on a previously-signed message). An example of such a scheme:
Lamport scheme
Let $f$ be a one-way function. Then to sign a message of $n$ bits do:
The signing key is $2n$ random elements in the domain of $f$: $X = (x_{1,0}, x_{1,1}, x_{2,0}, x_{2,1}, \ldots, x_{n,0}, x_{n,1})$.
The public verification key $Y = (y_{1,0}, y_{1,1}, y_{2,0}, y_{2,1}, \ldots, y_{n,0}, y_{n,1})$ is the images of $X$ under $f$, where $y_{i,j} = f(x_{i,j})$.
To sign a message $m = m_1 m_2 \ldots m_n$, output the values $x_{1,m_1}, x_{2,m_2}, \ldots, x_{n,m_n}$.
To verify a signature $(x_{1,m_1}, x_{2,m_2}, \ldots, x_{n,m_n})$ on message $m$ with public key $Y$, verify that for each $i$: $y_{i,m_i} = f(x_{i,m_i})$.
14
Constructing CCA-secure scheme
The construction is by Canetti, Halevi and Katz and goes as follows.
Let IBE = (Setup, Extract, Encode, Decode) be an IBE scheme and Sig = (G, Sign, Verify) be a one-time signature scheme. Our public-key encryption scheme PKE = (Gen, Encode, Decode) will work as follows.
Gen: on input $1^k$, runs Setup($1^k$) to obtain $(PK, msk)$. The public key is $PK$ and the secret key is $msk$.
Encryption: To encrypt a message $m$ using public key $PK$, the sender first runs G($1^k$) to obtain a verification key $vk$ and a signing key $sk$. The sender then computes $c \leftarrow \mathrm{Encode}(PK, vk, m)$ (i.e. the sender uses $vk$ as an identity) and $\sigma \leftarrow \mathrm{Sign}(sk, c)$. The final ciphertext is $(vk, c, \sigma)$.
Decryption: To decrypt a ciphertext $(vk, c, \sigma)$ using secret key $msk$, the receiver first checks whether $\mathrm{Verify}(vk, c, \sigma) = 1$. If not, the receiver simply outputs $\bot$. Otherwise the receiver computes $SK_{vk} \leftarrow \mathrm{Extract}(msk, vk)$ and outputs $m \leftarrow \mathrm{Decode}(SK_{vk}, vk, c)$.
It is clear that this scheme is indeed a correct public-key encryption scheme.
15
Proof of CCA2-security
Intuition for the proof (informal): Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. It is clear that without any decryption oracle queries the plaintext corresponding to the ciphertext remains hidden from the adversary; this is so because $c^*$ is output by IBE, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\bot$, since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \neq vk^*$, then the decryption query will not help the adversary, since the eventual decryption using Decrypt will be done with respect to a different identity $vk \neq vk^*$.
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary $A$ attacking PKE in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $\mathrm{Verify}(vk, c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game, and let Forge denote the event that $A$ submits a valid ciphertext $(vk^*, c, \sigma)$. We prove the following claims:
Claim 1: $\Pr^{PKE}_A[\mathrm{Forge}]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac{1}{2}\right|$ is negligible.
Now from these two claims we get
$$\left|\Pr^{PKE}_A[\mathrm{Success}] - \tfrac{1}{2}\right| \le \left|\Pr^{PKE}_A[\mathrm{Success}] - \Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}]\right| + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac{1}{2}\right|$$
$$\le \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac{1}{2}\right|,$$
which is negligible given the stated claims.
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr^{PKE}_A[\mathrm{Forge}]$. Security of Sig implies the claim.
$F$ is defined as follows: given input $1^k$ and a verification key $vk$, $F$ first runs Setup($1^k$) to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption queries of $A$. If $A$ happens to submit a valid ciphertext $(vk, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, forger $F$ proceeds as follows: it chooses a random bit $b$, computes $c \leftarrow \mathrm{Encrypt}(PK, vk, m_b)$ and obtains from its signing oracle a signature $\sigma$ on the message $c$. Finally, $F$ hands $(vk, c, \sigma)$ to $A$.
If $A$ submits a valid ciphertext $(vk, c', \sigma')$ to its decryption oracle, note that we must have $(c', \sigma') \neq (c, \sigma)$. In this case $F$ simply outputs $(c', \sigma')$ as its forgery. It is easy to see that $F$'s success probability is exactly $\Pr^{PKE}_A[\mathrm{Forge}]$.
18
Proof of CCA2-security
Proof of claim 2
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs G($1^k$) to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $\mathrm{Decode}(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
(a) If $vk = vk^*$ then $A'$ checks whether $\mathrm{Verify}(vk, c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\bot$.
(b) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 0$, then $A'$ responds with $\bot$.
(c) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 1$, then $A'$ makes the oracle query $\mathrm{Extract}(msk, vk)$ to obtain $SK_{vk}$. It then computes $m \leftarrow \mathrm{Decode}(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* \leftarrow \mathrm{Sign}(sk^*, c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of claim 2, continued
Note that $A'$ represents a legal adversarial strategy for attacking IBE; in particular, $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore, $A'$ provides a perfect simulation for $A$ until event Forge occurs (in such an event $A'$ outputs a random bit). And thus
$$\left|\Pr^{IBE}_{A'}[\mathrm{Success}] - \tfrac{1}{2}\right| = \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac{1}{2}\right|,$$
and the left side of the above is negligible by the assumed security of IBE.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e: G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and all $a, b$: $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: There is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps – MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$.
By non-degeneracy of $\hat e$ both $g$ and $h$ have order $q$ in $G_2$; by bilinearity $h = g^{\alpha}$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps – DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$ where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP).$$
24
Bilinear Diffie-Hellman Problem
BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e: G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\epsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if $\Pr[A(P, aP, bP, cP) = \hat e(P, P)^{abc}] \ge \epsilon$.
BDH parameter generator: A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k$;
2) $\mathcal{G}$ runs in time polynomial in $k$;
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$.
BDH assumption: Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $\mathrm{Adv}_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$\mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\left[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\middle|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\right].$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $\mathrm{Adv}_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
A curve defined by the equation $y^2 = x^3 + ax + b$ over some field $\mathbb{F}$. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \bmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$.
Fact 2: $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$.
Fact 3: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3}$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 4: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$. Since the points $P$ and $\phi(P)$ are linearly independent, they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
Divisors: In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$. A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) (P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}.$$
It's clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$.
But it's degenerate, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing.
The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows: $\hat e(P, Q) = e(P, \phi(Q))$.
Recall: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing.
The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows: $\hat e(P, Q) = e(P, \phi(Q))$.
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing).
2. Non-degenerate: Obvious.
3. Computable: There is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$, the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$, and an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$;
(2) choose a random $r \in \mathbb{Z}_q^*$;
(3) set the ciphertext to be
$$C = \left(rP,\; m \oplus H_2(g_{ID}^{\,r})\right) \quad \text{where } g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*.$$
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = (U, V) \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m.$$
34
Boneh-Franklin IBE scheme
Consistency
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same, since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$.
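The Lamport one-time signature (slide 13), the Canetti-Halevi-Katz transform (slide 14) and the four Boneh-Franklin algorithms with their consistency check (slides 30 to 34) in one runnable Python example added here; it is not code from the slides or from the cited papers, and all function names are mine. Assumed for illustration: the Weil pairing is replaced by a transparent toy pairing on $\mathbb{Z}_q$ (it is bilinear, so the algebra goes through, but it exposes discrete logs and has no security), SHA-256 stands in for $f$ and $H_1$, and SHAKE-256 for $H_2$.

```python
import hashlib
import os
import secrets

# ---- Lamport one-time signature (slide 13): f = SHA-256, n = 256 message bits ----
N = 256

def f(x: bytes) -> bytes:
    """The one-way function f, instantiated here with SHA-256."""
    return hashlib.sha256(x).digest()

def msg_bits(m: bytes) -> list:
    """m_1 ... m_n: we sign the SHA-256 digest of m, so n = 256 for any message length."""
    d = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def ots_keygen():
    """X = (x_{i,0}, x_{i,1}) of 2n random preimages; Y = images of X under f."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    return [(f(x0), f(x1)) for x0, x1 in sk], sk   # (vk, sk)

def ots_sign(sk, m: bytes) -> list:
    """Signature (x_{1,m_1}, ..., x_{n,m_n}); sk must sign exactly one message."""
    return [sk[i][b] for i, b in enumerate(msg_bits(m))]

def ots_verify(vk, m: bytes, sig) -> bool:
    """Accept iff y_{i,m_i} = f(x_{i,m_i}) for every i."""
    return len(sig) == N and all(
        f(x) == vk[i][b] for i, (b, x) in enumerate(zip(msg_bits(m), sig)))

# ---- Boneh-Franklin IBE (slides 30-34) over a TOY pairing: algebra only, no security ----
# Assumed model: G1 = Z_q written additively (P = 1, so aP is the integer a), G2 = the
# order-q subgroup of Z_p^* for the safe prime p = 2q + 1, and e(aP, bP) = g^{ab}.
# e is bilinear, so Setup/Extract/Encrypt/Decrypt and the consistency argument can be
# checked, but discrete logs in this G1 are free (aP *is* a), so nothing here is secure.
P_MOD, Q = 1019, 509    # toy safe prime p and q = (p - 1) / 2
G2_GEN = 4              # quadratic residue mod p, hence a generator of the order-q subgroup

def pairing(a: int, b: int) -> int:
    """e(aP, bP) = g^{ab}."""
    return pow(G2_GEN, (a * b) % Q, P_MOD)

def H1(identity: bytes) -> int:
    """H1: {0,1}^* -> G1^*, a non-zero element of Z_q (SHA-256 based)."""
    return 1 + int.from_bytes(f(b"H1|" + identity), "big") % (Q - 1)

def H2(g2: int, n: int) -> bytes:
    """H2: G2 -> {0,1}^n, realised with SHAKE-256 so n can match the message length."""
    return hashlib.shake_256(b"H2|" + g2.to_bytes(2, "big")).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ibe_setup():
    """Setup: msk = s in Z_q^*, mpk = P_pub = sP (the integer s, because P = 1)."""
    s = secrets.randbelow(Q - 1) + 1
    return s, s

def ibe_extract(msk: int, identity: bytes) -> int:
    """Extract: d_ID = s Q_ID with Q_ID = H1(ID)."""
    return (msk * H1(identity)) % Q

def ibe_encrypt(mpk: int, identity: bytes, m: bytes):
    """Encrypt: C = (rP, m xor H2(g_ID^r)) with g_ID = e(Q_ID, P_pub)."""
    r = secrets.randbelow(Q - 1) + 1
    g_id = pairing(H1(identity), mpk)
    return r, xor(m, H2(pow(g_id, r, P_MOD), len(m)))

def ibe_decrypt(d_id: int, c) -> bytes:
    """Decrypt: V xor H2(e(d_ID, U)); e(d_ID, U) = e(sQ_ID, rP) = g_ID^r (slide 34)."""
    U, V = c
    return xor(V, H2(pairing(d_id, U), len(V)))

# ---- CHK transform (slide 14): IBE + one-time signature -> CCA2-secure PKE ----
def vk_to_identity(vk) -> bytes:
    return b"".join(y0 + y1 for y0, y1 in vk)   # the verification key *is* the identity

def c_to_bytes(c) -> bytes:
    return c[0].to_bytes(2, "big") + c[1]

def pke_encrypt(pk: int, m: bytes):
    """Fresh (vk, sk); c = Encode(PK, vk, m); sigma = Sign(sk, c); output (vk, c, sigma)."""
    vk, sk = ots_keygen()
    c = ibe_encrypt(pk, vk_to_identity(vk), m)
    return vk, c, ots_sign(sk, c_to_bytes(c))

def pke_decrypt(msk: int, ct):
    """Output None (the bottom symbol) unless Verify(vk, c, sigma) = 1, then Decode."""
    vk, c, sigma = ct
    if not ots_verify(vk, c_to_bytes(c), sigma):
        return None
    return ibe_decrypt(ibe_extract(msk, vk_to_identity(vk)), c)

def demo():
    """Round trip, plus the CCA check: a ciphertext altered after signing is rejected."""
    pk, msk = ibe_setup()                       # Gen = Setup
    vk, c, sigma = pke_encrypt(pk, b"meet at noon")
    flipped = (c[0], xor(c[1], b"\x01" + b"\x00" * (len(c[1]) - 1)))
    return pke_decrypt(msk, (vk, c, sigma)), pke_decrypt(msk, (vk, flipped, sigma))
```

The second value returned by `demo()` is `None`: the one-time signature binds the IBE ciphertext to the identity `vk`, so any change to `c` fails `Verify` before the receiver ever extracts a key, which is the step the CCA2 proof relies on.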
35
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security – Selective IND-ID-CPA security under the standard model
Decisional BDH: To distinguish between $(P, aP, bP, cP, abcP)$ and $(P, aP, bP, cP, rP)$, which is equivalent to distinguishing between $(P, aP, bP, cP, \hat e(P, P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary A that gains advantage $\epsilon$ in the selective IND-ID-CPA game, then there exists a poly-time adversary B that solves Decisional BDH with probability at least $1/2$ plus half of A's advantage.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k: \{0,1\}^* \to G_1$.
2. $\forall x \in \{0,1\}^*,\ y \in G_1\ \exists k$ s.t. $H_k(x) = y$.
3. Such $k$ is easy to find.
37
BF IBE scheme security – Selective IND-ID-CPA security under the standard model
Algorithm B:
1. B gets $q, G_1, G_2, \hat e$ and $(P, Q = aP, U = bP, R = cP, r) \in G_1^4 \times G_2$.
2. B has to answer 1 if $\hat e(P, P)^{abc} = r$ and 0 otherwise.
3. B starts to execute A and on the first step receives $ID$. B chooses a random $s$, chooses a hash function $H_1 \in \mathcal{H}$ whose value $H_1(ID)$ on the target identity is fixed (by property 2 of the family) to a multiple of $P$ formed from $s$ and the instance, and chooses another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$ without any restriction.
4. B provides A with the public setup $(q, G_1, G_2, \hat e, n, \ldots, H_1, H_2)$ whose generator and public key are formed from the instance. So the master-key is $s$ and the public key is $sP$.
5. B answers A's extraction queries in a standard way.
6. When ready for a challenge, A gives B two messages $m_0, m_1$. B chooses a bit $b$ at random and gives A $C = (R,\; m_b \oplus H_2(r))$.
7. B answers 1 if A was correct.
38
BF IBE scheme security – Selective IND-ID-CPA security under the standard model
Analysis of algorithm B
- Algorithm B runs in the same time as A.
- In the last stage:
  - If $\hat e(P, P)^{abc} = r$ then $H_2(r)$ coincides with the mask $H_2(g_{ID}^{\,\cdot})$ that a real encryption with first component $R$ would use, since by the choice of $H_1(ID)$ and of the public key that power of $g_{ID}$ equals $\hat e(P, P)^{abc}$; thus $(R,\; H_2(r) \oplus m_b)$ is a valid encryption of $m_b$, and hence Pr[A answers correctly] is $1/2$ plus A's advantage.
  - Otherwise $H_2(r)$ is a uniformly random string, and thus $H_2(r) \oplus m_b$ is a uniformly random string, and hence Pr[A answers correctly] $= 1/2$.
  - Thus B answers correctly with probability at least $1/2$ plus half of A's advantage.
39
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security – IND-ID-CPA security under the random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$, the algorithm works as follows:
Step 1: Generate two prime-order groups $G_1, G_2$ and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $(q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$, choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = \left(rP,\; m \oplus H_2(g_{id}^{\,r})\right) \quad \text{where } g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2^*.$$
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security – IND-ID-CPA security under the random oracle model
Now if there is a poly-time adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible probability, then there is a poly-time adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
setup: Algorithm B is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. B gives A the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. $H_1$ is a random oracle controlled by B in the following way: B maintains a list of tuples $(ID_j, Q_j, b_j, c_j)$, which we call the $H_1^{list}$; the list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, c_i)$, then B responds with $H_1(ID_i) = Q_i \in G_1^*$.
2. Otherwise B generates a random $coin \in \{0,1\}$ so that $\Pr[coin = 0]$ equals a fixed value.
3. B picks a random $b_i \in \mathbb{Z}_q^*$. If $coin = 0$, $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. B adds the tuple $(ID_i, Q_i, b_i, c_i)$ to the list and responds with $Q_i$.
42
BF IBE scheme security – IND-ID-CPA security under the random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, c_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i s P = sQ_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security – IND-ID-CPA security under the random oracle model
Challenge: Once algorithm A decides to begin the challenge, it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $(ID_{ch}, Q, b, coin)$ corresponding to $ID_{ch}$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security – IND-ID-CPA security under the random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B will respond as before.
Eventually algorithm A will output its answer b'; algorithm B will output the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly, so does B.
B does not abort with non-negligible probability. And thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security – IND-ID-CPA security under the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security – IND-ID-CPA security under the random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm A may issue queries to the random oracle $H_2$; to respond to them B maintains a list of tuples $(X_j, H_j)$, which we call the $H_2^{list}$; the list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$, then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security – IND-ID-CPA security under the random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = (P_3, R)$. Algorithm B gives $C$ as the challenge to A. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D).$$
48
BF IBE scheme security – IND-ID-CPA security under the random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). And thus the probability of A asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of A's view, and thus A can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since its length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• D. Boneh, R. Canetti, S. Halevi and J. Katz. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput. 36(5): 1301-1328 (2007).
4
Definition of ID-based encryption
Messages can be encoded with any public key
There is a central authority that generates private keys for public keys
Senderrsquos and receiverrsquos actions are independent and can be done in any order
Authorization against PKG is done like with regular CA
AliceBob
PKG
Identity-based encryption proposed by Shamir in lsquo84
Message encoded with arbitrary string as public key
5
Formal definition
IBE scheme consists of 4 randomized algorithms
Setup Takes a security parameter k and returns mpk and msk The parameters
include a description of a finite message space M and a description of a finite
ciphertext space C
Extract Takes as input mpk msk and an arbitrary and returns a
private key SKID Here ID is an arbitrary string that will be used as a public key
and SKID is the corresponding private decryption key
Encrypt Takes as input mpk ID and It returns a ciphertext
Decrypt Takes as input mpk and a private key SKID It returns
ID 01
m M c C
c C m M
These algorithm must satisfy the standard consistency constraint namely when SKID is
the private key generated by algorithm Extract when it is given ID as the public key then
ID Decrypt(mpkcSK )=m where c=Encrypt(mpkIDm)m M
6
Security notions ndash IND-ID-CPA
IBE scheme is semantically secure against an adaptive chosen plaintext attack if no poly-bounded adversary A has non-negligible advantage against Challenger in the following IND-ID-CPA game
Setup The challenger takes a security parameter k and runs the Setup algorithm It gives the
adversary the resulting mpk It keeps the msk for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi is extraction query
bull Extraction query ltIDigt The challenger responds the private key di corresponding to
the public key ltIDigt
Challenge The adversary outputs two equal length messages and an identity ID that
did not appear in any extraction query The challenger picks a random b and sets C =
Encrypt(params ID Mb) It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
7
Security notions ndash selective IBE
Even weaker security notion can be obtained if we require adversary to choose ID he wants to
compromise before seeing public system parameters generated by the challenger Selective IBE
IND-ID-CPA game will be the following
ID Selection The adversary chooses identity ID and passes it to the challenger
Setup The challenger takes a security parameter k and runs the Setup algorithm It gives the
adversary the resulting params It keeps the master-key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi is extraction query (not on ID)
bull Extraction query ltIDigt The challenger responds the private key di corresponding to
the public key ltIDigt
Challenge The adversary outputs two equal length messages The challenger picks a
random b and sets C = Encrypt(params ID Mb) It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
8
A little bit of history
Scheme definition by Shamir
IBE in random-oracle
Model using Weil-Pairing
By Boneh-Franklin
IBE using Factoring
By CocksIBE in standard model
using bilinear maps
By Waters
1984 2001 2005
9
Possible applications
First and trivial ndash to overcome PKE scheme
problems wersquove discussed
10
Possible applications
In addition ability to use an arbitrary string as public key allows following usages
Revocation of Public Keysndash Keys of form bobcompanycom || year
ndash There is a corporate PKG which will give Bob private key valid for a year
Managing user credentialsndash Keys of form bobcompanycom ||year||clearance
ndash Bob will be able to read messages only if he has appropriate clearance on the specified date
Delegation to a laptopndash Bob knows private master-key and creates temporary private keys to be used on his
laptop during vacation
Delegation of dutiesndash Suppose Bob has several assistants for different subjects then he can create different
private keys for each subject and having master key will allow him to read all the mail
11
Possible applications
Finally identity based encryption can be used to
construct CCA2-secure encryption
We will see such construction now
12
Recall ndash CCA2 security
CCA2 or adaptive chosen ciphertext attack security means that there is no poly-time adversary A
that can win IND-CCA game with probability non-negligibly greater than half The IND-CCA game
is defined as follows
Setup The challenger takes a security parameter k and runs the GEN algorithm It gives the
adversary the resulting public key It keeps the private key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi
bullDecryption query ltCigt The challenger responds by decrypting Ci using the private
key It sends resulting plaintext to the adversary
Challenge The adversary outputs two equal length messages that did not appear in
any decryption query The challenger picks a random b and sets C = Encrypt(private-key Mb)
It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
13
Constructing CCA-secure scheme
We will construct now a public-key encryption scheme that is based on
IBE scheme which is selective-ID secure against chosen-plaintext attacks
One-time signature which is strongly unforgeable (which means that an adversary
should not be able to forge a new signature even on a previously-signed
message) Example of such scheme
10 11 20 21 0 1
Lamport scheme
Let be a one-way-function Then to sign a message of bits do
The signing key is 2 random elements in the domain of
The public verification key
n n
f n
n f
X x x x x x x
1 2
1 2
10 11 20 21 0 1
0 1 1 2
1 2
is the images of X under
where ( )
To sing a message output the values
To verify a signature on
n
n
n n i j i j
n m m nm
m m nm
f
Y y y y y y y i j y f x
m m m m n x x x
x x x
message with public key
verify that for each ( )i iim im
m Y
i y f x
14
Constructing CCA-secure scheme
The construction is by Canetti, Halevi and Katz and goes as follows.
Let $(\mathrm{Setup}, \mathrm{Extract}, \mathrm{Encode}, \mathrm{Decode})$ be an IBE scheme and $\mathrm{Sig} = (G, \mathrm{Sign}, \mathrm{Verify})$ be a one-time signature scheme.
Our public-key encryption scheme $(\mathrm{Gen}, \mathrm{Encode}, \mathrm{Decode})$ works as follows.
Gen: on input $1^k$, run $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$. The public key is $PK$ and the secret key is $msk$.
Encryption: To encrypt a message $m$ using public key $PK$, the sender first runs $G(1^k)$ to obtain a verification key $vk$ and a signing key $sk$. The sender then computes $c = \mathrm{Encode}(PK, vk, m)$ (i.e., the sender uses $vk$ as an identity) and $\sigma = \mathrm{Sign}(sk, c)$. The final ciphertext is $(vk, c, \sigma)$.
Decryption: To decrypt a ciphertext $(vk, c, \sigma)$ using secret key $msk$, the receiver first checks whether $\mathrm{Verify}(vk, c, \sigma) = 1$. If not, the receiver simply outputs $\bot$. Otherwise the receiver computes $SK_{vk} = \mathrm{Extract}(msk, vk)$ and outputs $m = \mathrm{Decode}(SK_{vk}, vk, c)$.
It is clear that this scheme is indeed a correct public-key encryption scheme.
15
Proof of CCA2-security
Intuition for the proof (informal): Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. It is clear that without any decryption oracle queries the plaintext corresponding to the ciphertext remains hidden from the adversary; this is so because $c^*$ is output by the IBE scheme, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\bot$, since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \neq vk^*$, then the decryption query will not help the adversary, since the eventual decryption using Decrypt will be done with respect to a different identity $vk \neq vk^*$.
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary $A$ attacking the constructed scheme in an adaptive chosen-ciphertext attack.
Say a ciphertext $(vk, c, \sigma)$ is valid if $\mathrm{Verify}(vk, c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game, and let Forge denote the event that $A$ submits a valid ciphertext $(vk^*, c, \sigma)$ to the decryption oracle. We prove the following claims:
Claim 1: $\Pr^{PKE}_A[\mathrm{Forge}]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac12 \Pr^{PKE}_A[\overline{\mathrm{Forge}}]\right|$ is negligible.
Now from these two claims we get
$$\left|\Pr^{PKE}_A[\mathrm{Success}] - \tfrac12\right| \le \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \mathrm{Forge}] - \tfrac12 \Pr^{PKE}_A[\mathrm{Forge}]\right| + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac12 \Pr^{PKE}_A[\overline{\mathrm{Forge}}]\right|$$
$$\le \tfrac12 \Pr^{PKE}_A[\mathrm{Forge}] + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac12 \Pr^{PKE}_A[\overline{\mathrm{Forge}}]\right|,$$
which is negligible given the stated claims. (The first inequality uses $\Pr[\mathrm{Success}] = \Pr[\mathrm{Success} \wedge \mathrm{Forge}] + \Pr[\mathrm{Success} \wedge \overline{\mathrm{Forge}}]$ and $\tfrac12 = \tfrac12\Pr[\mathrm{Forge}] + \tfrac12\Pr[\overline{\mathrm{Forge}}]$; the second uses $0 \le \Pr[\mathrm{Success} \wedge \mathrm{Forge}] \le \Pr[\mathrm{Forge}]$.)
17
Proof of CCA2-security
Proof of Claim 1
We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr^{PKE}_A[\mathrm{Forge}]$. Security of Sig implies the claim.
$F$ is defined as follows: given input $1^k$ and a verification key $vk^*$, $F$ first runs $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption queries of $A$, since it knows $msk$. If $A$ happens to submit a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, forger $F$ proceeds as follows: it chooses a random bit $b$, computes $c^* = \mathrm{Encrypt}(PK, vk^*, m_b)$ and obtains from its signing oracle a signature $\sigma^*$ on the message $c^*$. Finally, $F$ hands $(vk^*, c^*, \sigma^*)$ to $A$.
If $A$ submits a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle, note that we must have $(c, \sigma) \neq (c^*, \sigma^*)$. In this case $F$ simply outputs $(c, \sigma)$ as its for­gery. It is easy to see that $F$'s success probability is exactly $\Pr^{PKE}_A[\mathrm{Forge}]$.
18
Proof of CCA2-security
Proof of Claim 2
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $\mathrm{Decode}(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
   (a) If $vk = vk^*$ then $A'$ checks whether $\mathrm{Verify}(vk^*, c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise, it simply responds with $\bot$.
   (b) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 0$, then $A'$ responds with $\bot$.
   (c) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 1$, then $A'$ makes the oracle query $\mathrm{Extract}(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = \mathrm{Decode}(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return, $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* = \mathrm{Sign}(sk^*, c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally, $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of Claim 2, continued
Note that $A'$ represents a legal adversarial strategy for attacking the IBE scheme; in particular, $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore, $A'$ provides a perfect simulation for $A$ until event Forge occurs (in such an event $A'$ outputs a random bit). And thus
$$\left|\Pr^{IBE}_{A'}[\mathrm{Success}] - \tfrac12\right| = \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac12 \Pr^{PKE}_A[\mathrm{Forge}] - \tfrac12\right| = \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac12 \Pr^{PKE}_A[\overline{\mathrm{Forge}}]\right|,$$
and the left side of the above is negligible by the assumed security of the IBE scheme.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e : G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}$: $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: There is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps – MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$, where both have order $q$. We wish to find $\alpha \in \mathbb{Z}_q$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By bilinearity, $h = \hat e(\alpha P, P) = g^{\alpha}$.
By non-degeneracy of $\hat e$, both $g$ and $h$ have order $q$ in $G_2$.
Hence we reduced the discrete log problem in $G_1$ (finding $\alpha$ from $P, Q$) to a discrete log problem in $G_2$ (finding $\alpha$ from $g, h$).
23
Bilinear maps – DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$, where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1^4$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP),$$
since the left side equals $\hat e(P,P)^{c}$, the right side equals $\hat e(P,P)^{ab}$, and $\hat e(P,P)$ has order $q$.
24
Bilinear Diffie-Hellman Problem
BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e : G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $\mathcal{A}$ has advantage $\epsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if
$$\Pr\left[\mathcal{A}(P, aP, bP, cP) = \hat e(P,P)^{abc}\right] \ge \epsilon.$$
BDH parameter generator: A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k$,
2) $\mathcal{G}$ runs in time polynomial in $k$,
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$, and the description of an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$.
BDH assumption: Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $\mathcal{A}$ has advantage $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(k) = \Pr\left[\mathcal{A}(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P,P)^{abc} \;\middle|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\right].$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $\mathcal{A}$ we have that $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
An elliptic curve is defined by an equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \pmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$; $E(\mathbb{F}_p)$ contains $p + 1$ points.
Fact 2: Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$, and let $G_1$ be the subgroup generated by $P$. For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3}$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$, then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E(\mathbb{F}_{p^2})$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent, they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
Divisors: In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$. A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$, where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) \cdot (P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at the point $P$ (negative if $f$ has a pole at $P$).
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ (up to multiplication by a nonzero constant) such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$ for some $Q \in E$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$, whose coefficients sum to $0$ and whose point-sum is $nP = O$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}.$$
This map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$.
But it is degenerate on the cyclic group $G_1$, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing.
The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as follows: $\hat e(P, Q) = e(P, \phi(Q))$.
Recall: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E(\mathbb{F}_{p^2})$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Here $G_1$ is the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$, and $G_2$ is the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$, $\hat e(P, Q) = e(P, \phi(Q))$, satisfies the following properties:
1. Bilinear (follows from bilinearity of the Weil pairing).
2. Non-degenerate: since $P$ and $\phi(P)$ are linearly independent, $\hat e(P, P) = e(P, \phi(P)) \neq 1$.
3. Computable: There is an efficient algorithm to compute the value of the map (Miller's algorithm).
A generator built on this map is believed to satisfy the BDH assumption asymptotically.
However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard. Because the MOV reduction moves the discrete log from $G_1$ into $\mathbb{F}_{p^2}^*$, $p$ must be large enough that the finite-field discrete log in the $2|p|$-bit field $\mathbb{F}_{p^2}$ is hard (1024-bit fields are no longer adequate), while $q$ only needs to resist generic square-root attacks on $G_1$.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$, the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$, and an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1 : \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The master key $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$, do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{ID}^{\,r}))$, where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*$.
33
Boneh-Franklin IBE scheme
Decrypt: Let $C = (U, V) \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$. To decrypt $C$ using the private key $d_{ID} \in G_1^*$, compute $V \oplus H_2(\hat e(d_{ID}, U)) = m$.
34
Boneh-Franklin IBE scheme
Consistency:
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, sP)^{r} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}.$$
1. During encryption, $m$ is bitwise XORed with the hash of $g_{ID}^{\,r}$.
2. During decryption, $V$ is bitwise XORed with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$.
Note that the XOR mask makes this ciphertext malleable (flipping a bit of $V$ flips the same bit of the decrypted $m$), which is why this basic scheme is only chosen-plaintext secure and a transform such as the CHK construction above is needed for CCA security.
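The following is an added, runnable toy instance of the constructions on slides 13, 14, 23 and 30-34; it is example code written for this page, not code from the original slides or from the Boneh-Franklin or Canetti-Halevi-Katz papers. Its bilinear map is the constructed toy $e(a, b) = g^{ab} \bmod p$ on $G_1 = (\mathbb{Z}_q, +)$, which is bilinear and non-degenerate but has a trivial discrete log in $G_1$, so nothing here is secure; it only exercises the algebra. Further assumptions: SHA-256 stands in for $f$, $H_1$ and $H_2$; the Lamport scheme signs the 256-bit hash of its message (hash-then-sign); the CHK identity is the concatenated Lamport verification key; the parameters $p = 1019$, $q = 509$, $g = 4$ were chosen for speed.

```python
import hashlib
import secrets

# --- Toy bilinear group (constructed parameters; NOT secure) -----------------
# G1 = (Z_q, +) with generator P = 1; G2 = order-q subgroup of Z_p^*, p = 2q+1;
# e(a, b) = g^(a*b) mod p is bilinear, non-degenerate and computable, but the
# discrete log in G1 is trivial (a*P = a), so this only exercises the algebra.
p, q, g = 1019, 509, 4      # 1019 = 2*509 + 1, both prime; 4 has order 509 mod 1019
P = 1                       # generator of G1
N = 32                      # n = 256-bit messages and H2 masks


def pairing(a, b):
    """e(aP, bP) = g^(ab): e(xA, yB) = e(A, B)^(xy) holds by construction."""
    return pow(g, (a * b) % q, p)


def H1(identity: bytes) -> int:
    """Hash an identity string to a nonzero element of G1 (SHA-256 mod q)."""
    return 1 + int.from_bytes(hashlib.sha256(identity).digest(), "big") % (q - 1)


def H2(z: int) -> bytes:
    """Hash a G2 element to an n-bit mask."""
    return hashlib.sha256(b"H2|" + z.to_bytes(2, "big")).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Boneh-Franklin BasicIdent over the toy group (slides 30-34) -------------
def ibe_setup():
    s = secrets.randbelow(q - 1) + 1            # master key s in Z_q^*
    return {"P": P, "Ppub": (s * P) % q}, s     # (mpk, msk)


def ibe_extract(msk: int, identity: bytes) -> int:
    return (msk * H1(identity)) % q             # d_ID = s * Q_ID


def ibe_encrypt(mpk, identity: bytes, m: bytes, r=None):
    assert len(m) == N
    r = r if r is not None else secrets.randbelow(q - 1) + 1
    U = (r * mpk["P"]) % q                      # U = rP
    g_id = pairing(H1(identity), mpk["Ppub"])   # g_ID = e(Q_ID, Ppub)
    return U, xor(m, H2(pow(g_id, r, p)))       # V = m xor H2(g_ID^r)


def ibe_decrypt(d_id: int, ct):
    U, V = ct
    return xor(V, H2(pairing(d_id, U)))         # e(d_ID, U) = g_ID^r (slide 34)


def ddh_is_easy(aP: int, bP: int, cP: int) -> bool:
    """Slide 23: c == ab mod q  <=>  e(P, cP) == e(aP, bP)."""
    return pairing(P, cP) == pairing(aP, bP)


# --- Lamport one-time signature with f = SHA-256 (slide 13) ------------------
def ots_keygen(n: int = 256):
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(n)]
    vk = [[hashlib.sha256(x).digest() for x in pair] for pair in sk]
    return vk, sk


def _bits(msg: bytes, n: int = 256):
    d = hashlib.sha256(msg).digest()            # sign the n-bit hash of msg
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]


def ots_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]   # reveal x_{i, m_i}


def ots_verify(vk, msg: bytes, sig) -> bool:
    return len(sig) == len(vk) and all(
        hashlib.sha256(x).digest() == vk[i][b]            # y_{i, m_i} == f(x_i)
        for i, (b, x) in enumerate(zip(_bits(msg), sig)))


# --- CHK wrapper: identity := vk, sign the IBE ciphertext (slide 14) ---------
def vk_to_identity(vk) -> bytes:
    return b"".join(y for pair in vk for y in pair)


def chk_gen():
    return ibe_setup()                          # PK = mpk, secret key = msk


def chk_encrypt(pk, m: bytes):
    vk, sk = ots_keygen()                       # fresh one-time key per message
    U, V = ibe_encrypt(pk, vk_to_identity(vk), m)
    sigma = ots_sign(sk, U.to_bytes(2, "big") + V)
    return vk, (U, V), sigma


def chk_decrypt(msk: int, ct):
    vk, (U, V), sigma = ct
    if not ots_verify(vk, U.to_bytes(2, "big") + V, sigma):
        return None                             # invalid signature -> bottom
    return ibe_decrypt(ibe_extract(msk, vk_to_identity(vk)), (U, V))


if __name__ == "__main__":
    pk, msk = chk_gen()
    msg = b"32-byte message for the toy IBE!"
    assert chk_decrypt(msk, chk_encrypt(pk, msg)) == msg
    print("CHK round trip ok; DDH(3,5,15) =", ddh_is_easy(3, 5, 15))
```

Running the file performs one CHK round trip. The point worth checking by hand is the rejection path: flipping a bit of $V$ in a CHK ciphertext changes the signed message, so `ots_verify` fails and `chk_decrypt` returns `None` rather than a related plaintext, which is exactly the malleability the bare BasicIdent ciphertext would otherwise have.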
35
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which $ID$ he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries (on identities other than $ID$).
36
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Decisional BDH: To distinguish between $(P, aP, bP, cP, \hat e(P,P)^{abc})$ and $(P, aP, bP, cP, R)$ for random $R \in G_2$, which is equivalent to distinguishing between $(P, aP, bP, cP, \hat e(P,P)^{abc})$ and $(P, aP, bP, cP, \hat e(P,P)^{r})$ for random $r$.
Theorem: If there exists a poly-time adversary $A$ that gains advantage $\epsilon$ in the selective IND-ID-CPA game, then there exists a poly-time adversary $B$ that solves Decisional BDH with probability $\tfrac12 + \tfrac{\epsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k : \{0,1\}^* \to G_1$;
2. for every $x \in \{0,1\}^*$ and $y \in G_1$ there exists $k$ such that $H_k(x) = y$;
3. such a $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Algorithm B:
1. $B$ gets $(q, G_1, G_2, \hat e)$ and an instance $(P, Q, U, R)$ with $P, Q, U \in G_1$ and $R \in G_2$, where $R$ is either the real Decisional-BDH value for the instance or $\hat e(P,P)^{r}$ for a random $r$. $B$ has to answer 1 if $R$ is the real value and 0 otherwise.
2. $B$ starts to execute $A$ and on the first step receives the target identity $ID$.
3. $B$ chooses a random $s \in \mathbb{Z}_q^*$ and finds a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID) = P$ (using property 3 of the family), and another hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. $B$ provides $A$ with the public setup $(q, G_1, G_2, \hat e, n, Q, sQ, H_1, H_2)$. So the master key is $s$ and the public key is $P_{pub} = sQ$.
5. $B$ answers $A$'s extraction queries in the standard way (it knows the master key $s$).
6. When $A$ is ready for the challenge it gives $B$ two messages $m_0, m_1$. $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = (U,\ m_b \oplus H_2(R^{s}))$.
7. $B$ answers 1 if $A$'s guess was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Analysis of algorithm B:
- Algorithm $B$ runs in the same time as $A$.
- In the last stage:
  - If $R$ is the real value, then $H_2(R^{s})$ is exactly the mask $H_2(g_{ID}^{\,r})$ that a real encryption with first component $U = rQ$ would use, since $g_{ID} = \hat e(H_1(ID), P_{pub}) = \hat e(P, sQ) = \hat e(P, Q)^{s}$; thus $(U, m_b \oplus H_2(R^{s}))$ is a valid encryption of $m_b$, and hence $\Pr[A \text{ answers correctly}] = \tfrac12 + \epsilon$.
  - Otherwise $R^{s}$ is a uniformly random element of $G_2$, so $H_2(R^{s})$ is a uniformly random string, and hence $\Pr[A \text{ answers correctly}] = \tfrac12$.
- Thus $B$ answers correctly with probability at least $\tfrac12\left(\tfrac12 + \epsilon\right) + \tfrac12 \cdot \tfrac12 = \tfrac12 + \tfrac{\epsilon}{2}$.
Caveat: in this argument $B$ knows $s$ and chose $H_1(ID) = P$, so $B$ could compute $d_{ID} = sP$ and the mask $\hat e(d_{ID}, U)$ itself; a simulator that can decrypt its own challenge is deciding the instance directly, so this does not by itself establish security under a hardness assumption. The random-oracle proof on the following slides is the one from [BF'03].
39
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model, cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions (and program its answers).
40
BF IBE scheme security
IND-ID-CPA security in the random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$, the algorithm works as follows:
Step 1: Generate two prime-order groups $G_1, G_2$ and a bilinear map $\hat e : G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$, choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = (rP,\ m \oplus H_2(g^{r}))$, where $g = \hat e(Q_{id}, P_{pub}) \in G_2^*$.
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id} \in G_1^*$, compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Now, if there is a poly-time adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible advantage.
Proof:
setup: Algorithm $B$ is given the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$.
$B$ gives $A$ the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$, where $H_1$ is a random oracle controlled by $B$ in the following way:
$B$ maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$; we call it the $H_1^{list}$, and it is initially empty. When asked $H_1(ID_i)$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, coin_i)$, then $B$ responds with $H_1(ID_i) = Q_i$.
2. Otherwise $B$ generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$, for a $\delta$ fixed in the analysis.
3. $B$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$ it computes $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. $B$ adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1^{list}$ and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security
IND-ID-CPA security in the random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1. Obtain $Q_i = H_1(ID_i)$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then $B$ reports failure and terminates.
3. Otherwise we know that $coin_i = 0$ and therefore $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i sP = s b_i P = sQ_i$, and therefore $d_i$ is the private key associated with the public key $ID_i$. Give $d_i$ to algorithm $A$.
43
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Challenge: Once algorithm $A$ decides to begin the challenge, it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the BasicPub encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $B$ obtains the tuple $(ID_{ch}, Q, b, coin)$ corresponding to $H_1(ID_{ch})$. If $coin = 0$ then $B$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1^*$. Set $C' = (b^{-1}U, V)$, where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $B$ responds to $A$ with $C'$. Note that
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, Q_{id})^{s} = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security in the random oracle model
After the challenge has been set, algorithm $A$ may continue issuing key extraction queries (on identities other than $ID_{ch}$); algorithm $B$ will respond as before.
Eventually algorithm $A$ will output its answer $c'$; algorithm $B$ will output the same answer.
If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.
$B$ does not abort with non-negligible probability: each of the $q_E$ extraction queries survives with probability $\delta$ and the challenge identity has $coin = 1$ with probability $1 - \delta$, so $\Pr[B \text{ does not abort}] \ge \delta^{q_E}(1 - \delta)$, which for $\delta = q_E/(q_E + 1)$ is at least $1/(e(1 + q_E))$. And thus $B$ wins the IND-CPA game against the BasicPub scheme with non-negligible advantage.
45
BF IBE scheme security
IND-ID-CPA security in the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible advantage. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security in the random oracle model
setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ the key $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$ (the master key is $s = a$).
At any time algorithm $A$ may issue queries to the random oracle $H_2$. To respond to them, $B$ maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$, and it is initially empty. When asked $H_2(X_i)$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$, then $B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to $A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security in the random oracle model
challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = (P_3, R)$. Algorithm $B$ gives $C$ as the challenge to $A$. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(\hat e(cP, abP)) = R \oplus H_2(D).$$
48
BF IBE scheme security
IND-ID-CPA security in the random oracle model
guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution to the given instance of BDH.
Proof of correctness:
$B$ simulates a real attack environment for $A$, and thus we expect $A$ to be correct with non-negligible advantage (if given a correct encryption in the last stage). Thus the probability of $A$ asking for $H_2(D)$ is non-negligible (since otherwise the decryption of $C$ is independent of $A$'s view and $A$ can't answer correctly with probability greater than one half; [BF'03] show this probability is at least $2\epsilon$ for advantage $\epsilon$). So we have $D$ in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability (at least $2\epsilon$ divided by the number of $H_2$ queries).
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
5
Formal definition
An IBE scheme consists of 4 randomized algorithms:
Setup: Takes a security parameter $k$ and returns $mpk$ and $msk$. The parameters include a description of a finite message space $\mathcal{M}$ and a description of a finite ciphertext space $\mathcal{C}$.
Extract: Takes as input $mpk$, $msk$ and an arbitrary $ID \in \{0,1\}^*$, and returns a private key $SK_{ID}$. Here $ID$ is an arbitrary string that will be used as a public key, and $SK_{ID}$ is the corresponding private decryption key.
Encrypt: Takes as input $mpk$, $ID$ and $m \in \mathcal{M}$. It returns a ciphertext $c \in \mathcal{C}$.
Decrypt: Takes as input $mpk$, $c \in \mathcal{C}$ and a private key $SK_{ID}$. It returns $m \in \mathcal{M}$.
These algorithms must satisfy the standard consistency constraint, namely: when $SK_{ID}$ is the private key generated by algorithm Extract when it is given $ID$ as the public key, then for all $m \in \mathcal{M}$: $\mathrm{Decrypt}(mpk, c, SK_{ID}) = m$ where $c = \mathrm{Encrypt}(mpk, ID, m)$.
6
Security notions – IND-ID-CPA
An IBE scheme is semantically secure against an adaptive chosen-plaintext attack if no poly-bounded adversary $A$ has non-negligible advantage against the challenger in the following IND-ID-CPA game:
Setup: The challenger takes a security parameter $k$ and runs the Setup algorithm. It gives the adversary the resulting $mpk$. It keeps the $msk$ for itself.
Phase 1: The adversary issues queries $q_1, q_2, \ldots, q_m$ where $q_i$ is an extraction query:
• Extraction query $\langle ID_i \rangle$: The challenger responds with the private key $d_i$ corresponding to the public key $\langle ID_i \rangle$.
Challenge: The adversary outputs two equal-length messages $m_0, m_1 \in \mathcal{M}$ and an identity $ID$ that did not appear in any extraction query. The challenger picks a random bit $b$ and sets $C = \mathrm{Encrypt}(mpk, ID, m_b)$. It sends $C$ as the challenge to the adversary.
Phase 2: The adversary issues more queries as in Phase 1, but not on the challenge identity $ID$.
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
7
Security notions – selective IBE
An even weaker security notion can be obtained if we require the adversary to choose the $ID$ he wants to compromise before seeing the public system parameters generated by the challenger. The selective IBE IND-ID-CPA game is the following:
ID Selection: The adversary chooses an identity $ID$ and passes it to the challenger.
Setup: The challenger takes a security parameter $k$ and runs the Setup algorithm. It gives the adversary the resulting $mpk$. It keeps the master key for itself.
Phase 1: The adversary issues queries $q_1, q_2, \ldots, q_m$ where $q_i$ is an extraction query (not on $ID$):
• Extraction query $\langle ID_i \rangle$: The challenger responds with the private key $d_i$ corresponding to the public key $\langle ID_i \rangle$.
Challenge: The adversary outputs two equal-length messages $m_0, m_1 \in \mathcal{M}$. The challenger picks a random bit $b$ and sets $C = \mathrm{Encrypt}(mpk, ID, m_b)$. It sends $C$ as the challenge to the adversary.
Phase 2: The adversary issues more queries as in Phase 1, but not on the challenge identity $ID$.
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
8
A little bit of history
1984: Scheme definition by Shamir.
2001: IBE in the random-oracle model using the Weil pairing, by Boneh-Franklin; IBE using factoring, by Cocks.
2005: IBE in the standard model using bilinear maps, by Waters.
9
Possible applications
First and trivial: to overcome the PKE scheme problems we've discussed.
10
Possible applications
In addition, the ability to use an arbitrary string as a public key allows the following usages:
• Revocation of public keys: keys of the form bob@company.com || year. There is a corporate PKG which will give Bob a private key valid for a year.
• Managing user credentials: keys of the form bob@company.com || year || clearance. Bob will be able to read messages only if he has the appropriate clearance on the specified date.
• Delegation to a laptop: Bob knows the private master key and creates temporary private keys to be used on his laptop during vacation.
• Delegation of duties: suppose Bob has several assistants for different subjects; then he can create a different private key for each subject, and having the master key will allow him to read all the mail.
11
Possible applications
Finally, identity-based encryption can be used to construct CCA2-secure encryption. We will see such a construction now.
12
Recall – CCA2 security
CCA2, or adaptive chosen-ciphertext attack, security means that there is no poly-time adversary $A$ that can win the IND-CCA game with probability non-negligibly greater than one half. The IND-CCA game is defined as follows:
Setup: The challenger takes a security parameter $k$ and runs the Gen algorithm. It gives the adversary the resulting public key. It keeps the private key for itself.
Phase 1: The adversary issues queries $q_1, q_2, \ldots, q_m$ where $q_i$ is a decryption query:
• Decryption query $\langle C_i \rangle$: The challenger responds by decrypting $C_i$ using the private key. It sends the resulting plaintext to the adversary.
Challenge: The adversary outputs two equal-length messages $m_0, m_1 \in \mathcal{M}$. The challenger picks a random bit $b$ and sets $C = \mathrm{Encrypt}(\text{public-key}, m_b)$. It sends $C$ as the challenge to the adversary.
Phase 2: The adversary issues more decryption queries as in Phase 1, but not on the challenge ciphertext $C$ itself.
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
13
Constructing CCA-secure scheme
We will construct now a public-key encryption scheme that is based on
IBE scheme which is selective-ID secure against chosen-plaintext attacks
One-time signature which is strongly unforgeable (which means that an adversary
should not be able to forge a new signature even on a previously-signed
message) Example of such scheme
10 11 20 21 0 1
Lamport scheme
Let be a one-way-function Then to sign a message of bits do
The signing key is 2 random elements in the domain of
The public verification key
n n
f n
n f
X x x x x x x
1 2
1 2
10 11 20 21 0 1
0 1 1 2
1 2
is the images of X under
where ( )
To sing a message output the values
To verify a signature on
n
n
n n i j i j
n m m nm
m m nm
f
Y y y y y y y i j y f x
m m m m n x x x
x x x
message with public key
verify that for each ( )i iim im
m Y
i y f x
14
Constructing CCA-secure scheme
The construction is by Canetti Halevi and Katz and goes as following
Let =(SetupExtractEncodeDecode) be an IBE scheme and Sig=(G Sign Verify) be a one-time signature scheme
Our public encryption scheme =(GenEncodeDecode) will work as follows
on 1
Runs S
k
Gen
etup(1 ) to obtain ( ) The public key is and the secret key is
To encrypt message using public key the sender first runs G(1 ) to obtain verification key and signing ke
k
k
PK msk PK msk
m PK vk
Encryption
y
The sender then computes ( ) (ie sender uses as an identity) and ( )
The final ciphertext is ( )
To decrypt ciphertext ( ) using secret key t
sk
c Encode PK vk m vk Sign sk c
vk c
vk c msk
Decryption
he receiver first checks whether Verify( ) 1
If not the receiver simply outputs Otherwise the receiver computes ( ) and outputs
( )
It is clear that this s
vk
vk
vk c
SK Extract msk vk
Decode SK vk c m
cheme is indeed a correct public-key encryption scheme
15
Proof of CCA2-security
Intuition for the proof (informal) Let ( ) be the challenge ciphertext It is clear that without any decryption oracle queries the plaintext
corresponding to the ciphertext remains hidden to the adversary this is so because
vk c is output by which is
CPA-secure (and the additional components of the ciphertext provide no additional help)
Decryption oracle queries cant further help the adversary On one hand if the adve
c
rsary submits to the oracle a
ciphertext ( ) that is different from the challenge ciphertext but with then the decryption oracle
will reply with since the adversary is unable to forge
vk c vk vk
new valid signatures with respect to On the other
hand if then the decryption query will not help the adversary since the eventual decryption using Decrypt
will be done with respect to a
vk
vk vk
different identity vk
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary attacking in an adaptive chosen-ciphertext attack
Say a ciphertext ( ) is valid if ( ) 1 Let ( ) denote the challenge
ciphertext r
A
vk c Verify vk c vk c
eceived by during a particular run of the game and let Forge denote the event that
submits a valid ciphertext ( ) We prove the following claims
Pr [ ] is negligible
PKE
A
A
A vk c
Forge
Claim 1
Claim
1 12|Pr [ ] Pr [ ] | is negligible
2 2
Now from these two claims we get
1Pr [ ]
2
1 1 |Pr [ ] Pr [ ]|+|Pr [ ] Pr
2 2
PKE PKE
A A
PKE
A
PKE PKE PKE PKE
A A A A
Success Forge Forge
Success
Success Forge Forge Success Forge
1[ ] |
2
1 1 Pr [ ] |Pr [ ] Pr [ ] |
2 2
which is negligible given the stated claims
PKE PKE PKE
A A A
Forge
Forge Success Forge Forge
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger who forges a signature with respect to signature scheme Sig with
probability exactly Pr [ ] Security of Sig implies the claim
is defined as follows giv
PKE
A
F
Forge
F
en input 1 and verification key first runs Setup(1 ) to obtain
(PK msk) and then runs (1 ) Note that can answer any decryption queries of If
happens to submit a valid ciphertext (
k k
k
vk F
A PK F A A
v
0 1
) to its decryption oracle before requesting the challenge
ciphertext then simple outputs the forgery ( ) and stops Otherwise when outputs messages
forger proceeds as follows ch
k c
F c A
m m F
ooses a random bit b computes ( ) and
obtains from its signing oracle a signature on the message Finally hands ( ) to A
If submits a valid ciphertext ( ) to i
bc Encrypt vk m
c F vk c
A vk c
ts decryption oracle note that we must have ( ) ( )
In this case simply outputs ( ) as its forgery It is easy to see that s success probability is
exactly Pr [ ]PKE
A
c c
F c F
Forge
18
Proof of CCA2-security
Proof of claim 2
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
 (a) If $vk = vk^*$, then $A'$ checks whether $\mathrm{Verify}(vk^*, c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\bot$.
 (b) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 0$, then $A'$ responds with $\bot$.
 (c) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 1$, then $A'$ makes the oracle query $\mathrm{Extract}(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = \mathrm{Decode}(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* = \mathrm{Sign}(sk^*, c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of claim 2 continued
Note that $A'$ represents a legal adversarial strategy for attacking the IBE scheme; in particular, $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore, $A'$ provides a perfect simulation for $A$ until the event Forge occurs (in such an event $A'$ outputs a random bit). And thus

$$\left|\Pr^{IBE}_{A'}[\mathrm{Success}] - \tfrac{1}{2}\right| = \left|\Pr^{PKE}_{A}[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr^{PKE}_{A}[\mathrm{Forge}] - \tfrac{1}{2}\right|.$$

And the left side of the above is negligible by the assumed security of the IBE scheme.
20
Boneh-Franklin construction
21
Bilinear maps
Let $\mathbb{G}_1$ and $\mathbb{G}_2$ be two groups of order $q$. We say that a map $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in \mathbb{G}_1$ and $a, b \in \mathbb{Z}$, $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $\mathbb{G}_1 \times \mathbb{G}_1$ to the identity in $\mathbb{G}_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in \mathbb{G}_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps - MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $\mathbb{G}_1$ is no harder than the discrete log problem in $\mathbb{G}_2$.
Let $P, Q \in \mathbb{G}_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$.
By non-degeneracy of $\hat e$ both $g, h$ have order $q$ in $\mathbb{G}_2$; by bilinearity $h = g^{\alpha}$.
Hence we reduced the discrete log problem in $\mathbb{G}_1$ to a discrete log problem in $\mathbb{G}_2$.
23
Bilinear maps - DDH is easy
The Decision Diffie-Hellman problem in $\mathbb{G}_1$ is to distinguish between the distributions $\langle P, aP, bP, abP\rangle$ and $\langle P, aP, bP, cP\rangle$, where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $\mathbb{G}_1^*$.
Given $P, aP, bP, cP \in \mathbb{G}_1^*$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP).$$
24
Bilinear Diffie-Hellman Problem
BDH problem
Let $\mathbb{G}_1, \mathbb{G}_2$ be two groups of prime order $q$. Let $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ be an admissible bilinear map and let $P$ be a generator of $\mathbb{G}_1$. The BDH problem in $\langle \mathbb{G}_1, \mathbb{G}_2, \hat e\rangle$ is: given $\langle P, aP, bP, cP\rangle$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in \mathbb{G}_2$. An algorithm $\mathcal A$ has advantage $\varepsilon$ in solving BDH in $\langle \mathbb{G}_1, \mathbb{G}_2, \hat e\rangle$ if
$$\Pr\left[\mathcal A(P, aP, bP, cP) = \hat e(P, P)^{abc}\right] \ge \varepsilon.$$
BDH parameter generator
A randomized algorithm $\mathcal G$ is a BDH parameter generator if
1) $\mathcal G$ takes a security parameter $k$,
2) $\mathcal G$ runs in time polynomial in $k$,
3) $\mathcal G$ outputs a prime number $q$, the description of two groups $\mathbb{G}_1, \mathbb{G}_2$ of order $q$ and the description of an admissible bilinear map $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$.
BDH assumption
Let $\mathcal G$ be a BDH parameter generator. We say that an algorithm $\mathcal A$ has advantage $\mathrm{Adv}_{\mathcal G, \mathcal A}(k)$ in solving the BDH problem for $\mathcal G$ if
$$\mathrm{Adv}_{\mathcal G, \mathcal A}(k) = \Pr\left[\mathcal A(q, \mathbb{G}_1, \mathbb{G}_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\middle|\; \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e\rangle \leftarrow \mathcal G(1^k),\ P \leftarrow \mathbb{G}_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\right].$$
We say that $\mathcal G$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $\mathcal A$ we have that $\mathrm{Adv}_{\mathcal G, \mathcal A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
A curve defined by the equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$ where $p$ is a prime satisfying $p \equiv 2 \bmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$; $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $\mathbb{G}_1$ be the subgroup generated by $P$.
Fact 2: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
Divisors: In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$. A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal A = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal A = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f)\,(P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at the point $P$.
Principal divisors: Let $\mathcal A$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal A$ then we say that $\mathcal A$ is a principal divisor. We know that a divisor $\mathcal A = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal A$ there exists a unique function $f$ such that $(f) = \mathcal A$.
Equivalence of divisors: We say that two divisors $\mathcal A, \mathcal B$ are equivalent if their difference $\mathcal A - \mathcal B$ is a principal divisor. We know that any divisor $\mathcal A = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal A' = (Q) - (O)$ for some $Q \in E$.
Notation: Given a function $f$ and a divisor $\mathcal A = \sum_P a_P (P)$ we define $f(\mathcal A)$ as $f(\mathcal A) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal A_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal A_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal A_P$. Define $\mathcal A_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal A_Q)}{f_Q(\mathcal A_P)}.$$
It's clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q)\,e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\,e(P, Q_2)$.
But it's degenerate, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q)).$$
Recall: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$\mathbb{G}_1$: subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$\mathbb{G}_2$: subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q)).$$
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Setup
Let $\mathcal G$ be some BDH parameter generator (for example the one we saw before). Given a security parameter $k$, the algorithm works as follows:
Step 1: Run $\mathcal G$ on input $k$ to generate a prime $q$, two groups $\mathbb{G}_1, \mathbb{G}_2$ of order $q$ and an admissible bilinear map $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$. Choose a random generator $P \in \mathbb{G}_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1 : \{0,1\}^* \to \mathbb{G}_1^*$. Choose a cryptographic hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$.
The message space is $\mathcal M = \{0,1\}^n$. The ciphertext space is $\mathcal C = \mathbb{G}_1^* \times \{0,1\}^n$. The system parameters are $mpk = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, H_1, H_2\rangle$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract
For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in \mathbb{G}_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt
To encrypt $m \in \mathcal M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in \mathbb{G}_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$$C = \langle rP,\ m \oplus H_2(g_{ID}^{\,r})\rangle \quad \text{where } g_{ID} = \hat e(Q_{ID}, P_{pub}) \in \mathbb{G}_2^*.$$
33
Boneh-Franklin IBE scheme
Decrypt
Let $C = \langle U, V\rangle \in \mathcal C$ be a ciphertext encrypted using the public key $ID$. To decrypt $C$ using the private key $d_{ID} \in \mathbb{G}_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m.$$
34
Boneh-Franklin IBE scheme
Consistency
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}.$$
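The Setup/Extract/Encrypt/Decrypt algorithms above, the consistency identity, and the Verify-then-Extract-then-Decode public-key construction whose CCA2 proof appears earlier, as an added Python example that is not part of the original slides. It assumes a constructed toy pairing on $\mathbb{Z}_q$ (insecure: discrete logs there are trivial, so it only demonstrates the algebra), SHA-256 standing in for $H_1$, $H_2$ and the one-way function $f$ of the Lamport scheme, and helper names (ibe_setup, pke_encrypt, tamper, ...) that are my own.

```python
import hashlib
import secrets

# Constructed toy parameters, for illustration only.  G1 = G2 = Z_q (written
# additively), generator P = 1 and the "pairing" e(A, B) = A*B mod q.  This map
# is bilinear, non-degenerate and computable, which is all the BF algebra uses,
# but discrete logs in Z_q are trivial, so nothing here is secure.
Q = 2**31 - 1   # prime group order q
P = 1           # generator of G1
N = 32          # n = 256 bits: messages and masks live in {0,1}^n

def e(a, b):
    """Toy admissible bilinear map e: G1 x G1 -> G2 (G2 written additively)."""
    return (a * b) % Q

def H1(identity):
    """H1: {0,1}* -> G1^*, a hash onto a non-zero group element."""
    h = int.from_bytes(hashlib.sha256(b"H1|" + identity).digest(), "big")
    return 1 + h % (Q - 1)

def H2(g):
    """H2: G2 -> {0,1}^n."""
    return hashlib.sha256(b"H2|" + g.to_bytes(8, "big")).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- Boneh-Franklin IBE: Setup / Extract / Encrypt / Decrypt ---
def ibe_setup():
    s = secrets.randbelow(Q - 1) + 1            # master key s in Z_q^*
    return {"P": P, "Ppub": (s * P) % Q}, s     # (mpk, msk)

def ibe_extract(msk, identity):
    return (msk * H1(identity)) % Q             # d_ID = s * Q_ID

def ibe_encrypt(mpk, identity, m, r=None):
    assert len(m) == N
    g_id = e(H1(identity), mpk["Ppub"])         # g_ID = e(Q_ID, P_pub)
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    U = (r * mpk["P"]) % Q                      # U = rP
    return U, xor(m, H2((r * g_id) % Q))        # V = m xor H2(g_ID^r)

def ibe_decrypt(d_id, ct):
    U, V = ct
    return xor(V, H2(e(d_id, U)))               # m = V xor H2(e(d_ID, U))

def consistency_holds(mpk, msk, identity, r):
    """e(d_ID, rP) = e(sQ_ID, rP) = e(Q_ID, P_pub)^r, so both masks agree."""
    d_id = ibe_extract(msk, identity)
    lhs = e(d_id, (r * mpk["P"]) % Q)
    rhs = (r * e(H1(identity), mpk["Ppub"])) % Q
    return lhs == rhs

# --- Lamport one-time signature over f = SHA-256; signs the 256-bit hash of the message ---
def f(x):
    return hashlib.sha256(x).digest()

def ots_gen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    vk = [(f(x0), f(x1)) for x0, x1 in sk]      # y_{i,j} = f(x_{i,j})
    return vk, sk

def _bits(msg):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]   # reveal x_{i, m_i}

def ots_verify(vk, msg, sig):
    return len(sig) == 256 and all(
        f(x) == vk[i][b] for i, (x, b) in enumerate(zip(sig, _bits(msg))))

# --- CCA-secure PKE from the IBE plus the one-time signature ---
def vk_bytes(vk):
    return b"".join(y0 + y1 for y0, y1 in vk)   # vk serialised as the IBE identity

def ct_bytes(c):
    return c[0].to_bytes(8, "big") + c[1]

def pke_encrypt(mpk, m):
    vk, sk = ots_gen()                          # fresh one-time key per message
    c = ibe_encrypt(mpk, vk_bytes(vk), m)       # encrypt to identity vk
    return vk, c, ots_sign(sk, ct_bytes(c))     # (vk, c, sigma)

def pke_decrypt(msk, ct):
    vk, c, sigma = ct
    if not ots_verify(vk, ct_bytes(c), sigma):  # Verify(vk, c, sigma) != 1: reject
        return None
    return ibe_decrypt(ibe_extract(msk, vk_bytes(vk)), c)

def tamper(ct):
    """Flip one bit of V; the receiver must reject, as no valid signature under vk exists."""
    vk, (U, V), sigma = ct
    return vk, (U, bytes([V[0] ^ 1]) + V[1:]), sigma
```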
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which $ID$ he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Decisional BDH: to distinguish between $\langle P, aP, bP, cP, abcP\rangle$ and $\langle P, aP, bP, cP, rP\rangle$ for random $r$, which is equivalent to distinguishing between $\langle P, aP, bP, cP, \hat e(P, P)^{abc}\rangle$ and $\langle P, aP, bP, cP, r\rangle$ for random $r \in \mathbb{G}_2$.
Theorem: If there exists a poly-time adversary $A$ that gains a non-negligible advantage in the selective IND-ID-CPA game, then there exists a poly-time adversary $B$ that solves Decisional BDH with probability better than one half by a non-negligible amount.
We are going to use a family of hash functions $\mathcal H = \{H_k\}$ that satisfy the following properties:
1. $H_k : \{0,1\}^* \to \mathbb{G}_1$.
2. $\forall x \in \{0,1\}^*,\ y \in \mathbb{G}_1$ there exists $k$ s.t. $H_k(x) = y$.
3. Such $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Algorithm B
1. $B$ gets $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, P\rangle$ and $(Q = aP, U = bP, R = cP, r \in \mathbb{G}_2)$. $B$ has to answer 1 if $\hat e(P, P)^{abc} = r$ and 0 otherwise.
2. $B$ starts to execute $A$ and on the first step receives $ID^*$.
3. $B$ chooses a random $s \in \mathbb{Z}_q^*$ and computes $sQ$.
4. $B$ chooses a hash function $H_1 \in \mathcal H$ such that $H_1(ID^*) = U$, and another hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$ without any restriction. $B$ provides $A$ with the public setup $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, sQ, H_1, H_2\rangle$. So the master key is $sa$ and the public key is $sQ = saP$.
5. $B$ answers $A$'s extraction queries in a standard way.
6. When $A$ is ready for a challenge it gives two messages $m_0, m_1$ to $B$. $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = (R, m_b \oplus H_2(r^s))$.
7. $B$ answers 1 if $A$ was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Analysis of algorithm B
- Algorithm $B$ runs in the same time as $A$.
- In the last stage:
  - If $\hat e(P, P)^{abc} = r$ then $H_2(r^s) = H_2(g_{ID^*}^{\,c})$, since $g_{ID^*} = \hat e(H_1(ID^*), sQ) = \hat e(P, P)^{sab}$, and thus $(cP, H_2(r^s) \oplus m_b)$ is a valid encryption of $m_b$; hence $\Pr[A \text{ answers correctly}]$ is the same as in the real game, one half plus $A$'s advantage.
  - Otherwise $H_2(r^s)$ is a random uniform string and thus $H_2(r^s) \oplus m_b$ is a random uniform string, and hence $\Pr[A \text{ answers correctly}] = \tfrac{1}{2}$.
- Thus $B$ answers correctly with probability at least one half plus half of $A$'s advantage.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme called BasicPub; this scheme is defined by the following algorithms:
keygen: Given a security parameter $k$ the algorithm works as follows:
Step 1: Generate two prime order groups $\mathbb{G}_1, \mathbb{G}_2$ and a bilinear map $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$. Let $q$ be the order of $\mathbb{G}_1, \mathbb{G}_2$. Choose a random generator $P \in \mathbb{G}_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in \mathbb{G}_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, Q_{id}, H_2\rangle$; the private key is $d_{id} = sQ_{id} \in \mathbb{G}_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = \langle rP,\ m \oplus H_2(g_{id}^{\,r})\rangle \quad \text{where } g_{id} = \hat e(Q_{id}, P_{pub}) \in \mathbb{G}_2^*.$$
decrypt: Let $C = \langle U, V\rangle$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now, if there is a poly-time adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible probability, then there is a poly-time adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
setup: Algorithm $B$ is given the public key $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, Q_{id}, H_2\rangle$. $B$ gives $A$ the system parameters $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, H_1, H_2\rangle$. $H_1$ is a random oracle controlled by $B$ in the following way: $B$ maintains a list of tuples $\langle ID_j, Q_j, b_j, c_j\rangle$; we call it the $H_1$-list. The list is initially empty. When $A$ asks $H_1$ on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1$-list in a tuple $\langle ID_i, Q_i, b_i, c_i\rangle$ then $B$ responds with $H_1(ID_i) = Q_i \in \mathbb{G}_1^*$.
2. Otherwise $B$ generates a random $coin \in \{0,1\}$ so that $\Pr[coin = 0]$ is a fixed value.
3. $B$ picks a random $b \in \mathbb{Z}_q^*$. If $coin = 0$, $Q_i = bP$; otherwise $Q_i = bQ_{id}$.
4. $B$ adds the tuple $\langle ID_i, Q_i, b_i, c_i\rangle$ to the $H_1$-list and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1. Obtain $Q_i$ using the previous algorithm; let $\langle ID_i, Q_i, b_i, c_i\rangle$ be the corresponding tuple.
2. If $coin_i = 1$ then $B$ reports failure and terminates.
3. Otherwise we know that $coin_i = 0$, so $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i s P = s Q_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $A$.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model
Challenge: Once algorithm $A$ decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = \langle U, V\rangle$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $B$ obtains the tuple $\langle ID_{ch}, Q, b, coin\rangle$ corresponding to $H_1(ID_{ch})$. If $coin = 0$ then $B$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = \langle U, V\rangle$ we have $U \in \mathbb{G}_1^*$. Set $C' = \langle b^{-1}U, V\rangle$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $B$ responds to $A$ with $C'$. Note
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm $A$ may continue issuing key extraction queries; algorithm $B$ will respond as before.
Eventually algorithm $A$ will output its answer $b'$; algorithm $B$ will output the same answer.
If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.
$B$ does not abort with non-negligible probability, and thus $B$ wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e\rangle$ and a random instance $\langle P, P_1 = aP, P_2 = bP, P_3 = cP\rangle$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in \mathbb{G}_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model
setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2\rangle$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm $A$ may issue queries to the random oracle $H_2$. To respond to them $B$ maintains a list of tuples $\langle X_j, H_j\rangle$; we call it the $H_2$-list. The list is initially empty. When $A$ asks $H_2$ on $X_i$:
1. If the query $X_i$ already appears on the $H_2$-list in a tuple $\langle X_i, H_i\rangle$ then $B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $\langle X_i, H_i\rangle$ to the $H_2$-list. It responds to $A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model
challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = \langle P_3, R\rangle$. Algorithm $B$ gives $C$ as the challenge to $A$. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D).$$
48
BF IBE scheme security
IND-ID-CPA security under random oracle model
guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $\langle X_j, H_j\rangle$ from the $H_2$-list and outputs $X_j$ as the solution.
Proof of correctness
$B$ simulates a real attack environment for $A$, and thus we expect $A$ to be correct with non-negligible probability (if given a correct encryption in the last stage). And thus the probability of $A$ asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of $A$'s view, and thus $A$ can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
6
Security notions ndash IND-ID-CPA
IBE scheme is semantically secure against an adaptive chosen plaintext attack if no poly-bounded adversary A has non-negligible advantage against Challenger in the following IND-ID-CPA game
Setup The challenger takes a security parameter k and runs the Setup algorithm It gives the
adversary the resulting mpk It keeps the msk for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi is extraction query
bull Extraction query ltIDigt The challenger responds the private key di corresponding to
the public key ltIDigt
Challenge The adversary outputs two equal length messages and an identity ID that
did not appear in any extraction query The challenger picks a random b and sets C =
Encrypt(params ID Mb) It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
7
Security notions ndash selective IBE
Even weaker security notion can be obtained if we require adversary to choose ID he wants to
compromise before seeing public system parameters generated by the challenger Selective IBE
IND-ID-CPA game will be the following
ID Selection The adversary chooses identity ID and passes it to the challenger
Setup The challenger takes a security parameter k and runs the Setup algorithm It gives the
adversary the resulting params It keeps the master-key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi is extraction query (not on ID)
bull Extraction query ltIDigt The challenger responds the private key di corresponding to
the public key ltIDigt
Challenge The adversary outputs two equal length messages The challenger picks a
random b and sets C = Encrypt(params ID Mb) It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
8
A little bit of history
Scheme definition by Shamir
IBE in random-oracle
Model using Weil-Pairing
By Boneh-Franklin
IBE using Factoring
By CocksIBE in standard model
using bilinear maps
By Waters
1984 2001 2005
9
Possible applications
First and trivial ndash to overcome PKE scheme
problems wersquove discussed
10
Possible applications
In addition ability to use an arbitrary string as public key allows following usages
Revocation of Public Keysndash Keys of form bobcompanycom || year
ndash There is a corporate PKG which will give Bob private key valid for a year
Managing user credentialsndash Keys of form bobcompanycom ||year||clearance
ndash Bob will be able to read messages only if he has appropriate clearance on the specified date
Delegation to a laptopndash Bob knows private master-key and creates temporary private keys to be used on his
laptop during vacation
Delegation of dutiesndash Suppose Bob has several assistants for different subjects then he can create different
private keys for each subject and having master key will allow him to read all the mail
11
Possible applications
Finally identity based encryption can be used to
construct CCA2-secure encryption
We will see such construction now
12
Recall ndash CCA2 security
CCA2 or adaptive chosen ciphertext attack security means that there is no poly-time adversary A
that can win IND-CCA game with probability non-negligibly greater than half The IND-CCA game
is defined as follows
Setup The challenger takes a security parameter k and runs the GEN algorithm It gives the
adversary the resulting public key It keeps the private key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi
bullDecryption query ltCigt The challenger responds by decrypting Ci using the private
key It sends resulting plaintext to the adversary
Challenge The adversary outputs two equal length messages that did not appear in
any decryption query The challenger picks a random b and sets C = Encrypt(private-key Mb)
It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
13
Constructing CCA-secure scheme
We will construct now a public-key encryption scheme that is based on
IBE scheme which is selective-ID secure against chosen-plaintext attacks
One-time signature which is strongly unforgeable (which means that an adversary
should not be able to forge a new signature even on a previously-signed
message) Example of such scheme
10 11 20 21 0 1
Lamport scheme
Let be a one-way-function Then to sign a message of bits do
The signing key is 2 random elements in the domain of
The public verification key
n n
f n
n f
X x x x x x x
1 2
1 2
10 11 20 21 0 1
0 1 1 2
1 2
is the images of X under
where ( )
To sing a message output the values
To verify a signature on
n
n
n n i j i j
n m m nm
m m nm
f
Y y y y y y y i j y f x
m m m m n x x x
x x x
message with public key
verify that for each ( )i iim im
m Y
i y f x
14
Constructing CCA-secure scheme
The construction is by Canetti Halevi and Katz and goes as following
Let =(SetupExtractEncodeDecode) be an IBE scheme and Sig=(G Sign Verify) be a one-time signature scheme
Our public encryption scheme =(GenEncodeDecode) will work as follows
on 1
Runs S
k
Gen
etup(1 ) to obtain ( ) The public key is and the secret key is
To encrypt message using public key the sender first runs G(1 ) to obtain verification key and signing ke
k
k
PK msk PK msk
m PK vk
Encryption
y
The sender then computes ( ) (ie sender uses as an identity) and ( )
The final ciphertext is ( )
To decrypt ciphertext ( ) using secret key t
sk
c Encode PK vk m vk Sign sk c
vk c
vk c msk
Decryption
he receiver first checks whether Verify( ) 1
If not the receiver simply outputs Otherwise the receiver computes ( ) and outputs
( )
It is clear that this s
vk
vk
vk c
SK Extract msk vk
Decode SK vk c m
cheme is indeed a correct public-key encryption scheme
15
Proof of CCA2-security
Intuition for the proof (informal) Let ( ) be the challenge ciphertext It is clear that without any decryption oracle queries the plaintext
corresponding to the ciphertext remains hidden to the adversary this is so because
vk c is output by which is
CPA-secure (and the additional components of the ciphertext provide no additional help)
Decryption oracle queries cant further help the adversary On one hand if the adve
c
rsary submits to the oracle a
ciphertext ( ) that is different from the challenge ciphertext but with then the decryption oracle
will reply with since the adversary is unable to forge
vk c vk vk
new valid signatures with respect to On the other
hand if then the decryption query will not help the adversary since the eventual decryption using Decrypt
will be done with respect to a
vk
vk vk
different identity vk
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary attacking in an adaptive chosen-ciphertext attack
Say a ciphertext ( ) is valid if ( ) 1 Let ( ) denote the challenge
ciphertext r
A
vk c Verify vk c vk c
eceived by during a particular run of the game and let Forge denote the event that
submits a valid ciphertext ( ) We prove the following claims
Pr [ ] is negligible
PKE
A
A
A vk c
Forge
Claim 1
Claim
1 12|Pr [ ] Pr [ ] | is negligible
2 2
Now from these two claims we get
1Pr [ ]
2
1 1 |Pr [ ] Pr [ ]|+|Pr [ ] Pr
2 2
PKE PKE
A A
PKE
A
PKE PKE PKE PKE
A A A A
Success Forge Forge
Success
Success Forge Forge Success Forge
1[ ] |
2
1 1 Pr [ ] |Pr [ ] Pr [ ] |
2 2
which is negligible given the stated claims
PKE PKE PKE
A A A
Forge
Forge Success Forge Forge
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger who forges a signature with respect to signature scheme Sig with
probability exactly Pr [ ] Security of Sig implies the claim
is defined as follows giv
PKE
A
F
Forge
F
en input 1 and verification key first runs Setup(1 ) to obtain
(PK msk) and then runs (1 ) Note that can answer any decryption queries of If
happens to submit a valid ciphertext (
k k
k
vk F
A PK F A A
v
0 1
) to its decryption oracle before requesting the challenge
ciphertext then simple outputs the forgery ( ) and stops Otherwise when outputs messages
forger proceeds as follows ch
k c
F c A
m m F
ooses a random bit b computes ( ) and
obtains from its signing oracle a signature on the message Finally hands ( ) to A
If submits a valid ciphertext ( ) to i
bc Encrypt vk m
c F vk c
A vk c
ts decryption oracle note that we must have ( ) ( )
In this case simply outputs ( ) as its forgery It is easy to see that s success probability is
exactly Pr [ ]PKE
A
c c
F c F
Forge
18
Proof of CCA2-security
Proof of claim 2
We use to construct a poly-time adversary which attacks the IBE scheme in selective IND-ID-CPA game
Define adversary as follows
1 (1 ) runs G(1 ) to generate ( ) and outputs the tk k
A A
A
A vk sk
arget identity
2 is given a master public key Adversary in turn runs (1 )
3 When makes a decryption oracle query ( ) adversary proceeds as follows
(a) If
k
ID vk
A PK A A PK
A Decode vk c A
then checks whether ( ) 1 If so aborts and outputs a random bit
Otherwise it simply responds with
(b) If and ( ) 0 then responds w
vk vk A Verify vk c A
vk vk Verify vk c A
ith
(c) If and ( ) 1 then makes the oracle query ( ) to obtain
It then computes ( ) and responds with
4 At some point outpu
vk vk
vk vk Verify vk c A Extract msk vk
SK m Decode SK vk c m
A
0 1
ts two messages These messages are output by A as well In return A
is given a challenge ciphertext adversary then computes ( ) and returns ( ) to
5 may co
m m
c A Sign sk c vk c A
A
ntinue to make decryption queries and these are answered as before
6 Finally outputs a guess this same guess is output by A b A
19
Proof of CCA2-security
Proof of claim 2 continued
Note that represents a legal adversarial strategy for attacking in particular never requests
the secret key corresponding to the target identity Furthermore provides a perfect sim
A A
vk A
ulation
for until event Forge occurs (in such event outputs a random bit) And thus
1 1 1 Pr [ ] Pr [ ] Pr [ ]
2 2 2
And the left side of the a
IBE PKE PKE
A A A
A A
Success Success Forge Success Forge
bove is negligible by the assumed security of
20
Boneh-Franklin construction
21
Bilinear maps
1 2 1 1 2
1
ˆLet and be two groups of order We say that a map eG between
these two groups is bilinear if it satisfies the following properties
ˆ ˆ1 Bilinear for all and ( ) (a b
G G q G G
P Q G a b e P Q e P
1 1 2
1
)
2 Non-degenerate The map does not send all pairs in G to the identity in
ˆ3 Computable There is an efficient algorithm to compute ( ) for any
abQ
G G
e P Q P Q G
A bilinear map satisfying the three properties above is said to be an admissible
bilinear map The existence of such a map has two direct implications to these
groups we will see them next
22
Bilinear maps ndash MOV reduction
Named after Menezes Okamoto and Vanstone
Shows that the discrete log problem in G1 is no harder than the discrete
log problem in G2
1
2
Let where both have order We wish to find such that
ˆ ˆLet ( ) and ( )
ˆBy non-degeneracy of both have order in
bilinearity
P Q G P Q q Q P
g e P P h e Q P h g
e g h q G
Hence we reduced the discrete log problem in G1 to a discrete log
problem in G2
23
Bilinear maps ndash DDH is easy
The Decision Diffie-Hellman problem in G1 is to
distinguish between the distributions (P Pa Pb Pab)and
(P Pa Pb Pc) where abc are random in Zq0 and P is
random in G10
1Given we have
ˆ ˆmod ( ) ( )
a b c
c a b
P P P P G
c ab q e P P e P P
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
A curve $E$ defined by the equation $y^2 = x^3 + ax + b$ over some field $\mathbb{F}$. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$ where $p$ is a prime satisfying $p \equiv 2 \pmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$.
Fact 2: $E(\mathbb{F}_p)$ contains $p + 1$ points.
Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$.
Fact 3: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 4: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Since the points $P$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
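As an added illustration that is not part of the slides, the following Python checks Facts 1 to 4 numerically for a constructed toy prime $p = 11 \equiv 2 \pmod 3$. It represents $\mathbb{F}_{p^2}$ as $\mathbb{F}_p[t]/(t^2 - n)$ for a quadratic non-residue $n$ chosen in the code, and finds $\zeta$ by brute force, so it is meant only for tiny $p$; the function names are the example's own.

```python
# Added example (not from the slides): checks Facts 1-4 about the curve
# y^2 = x^3 + 1 over F_p, p = 2 (mod 3), on a toy prime. The prime and the
# F_{p^2} representation are constructed here for illustration only.

P_TOY = 11  # constructed: 11 is prime and 11 = 2 (mod 3)


def cube_is_permutation(p):
    """Fact 1: x -> x^3 permutes F_p because gcd(3, p - 1) = 1 when p = 2 (mod 3)."""
    return sorted(pow(x, 3, p) for x in range(p)) == list(range(p))


def cube_root(v, p):
    """Inverse of cubing: v^(1/3) = v^e where 3e = 1 (mod p - 1)."""
    e = pow(3, -1, p - 1)
    return pow(v, e, p)


def affine_points(p):
    """All (x, y) in F_p x F_p with y^2 = x^3 + 1; the point O at infinity is not listed."""
    return [(x, y) for x in range(p) for y in range(p) if (y * y - (x ** 3 + 1)) % p == 0]


def point_count(p):
    """Fact 2: #E(F_p) = p + 1 (affine points plus the point at infinity)."""
    return len(affine_points(p)) + 1


def point_for_y(y0, p):
    """Fact 3: the unique point with y-coordinate y0 is (x0, y0), x0 = (y0^2 - 1)^(1/3)."""
    return (cube_root((y0 * y0 - 1) % p, p), y0)


# F_{p^2} = F_p[t] / (t^2 - n) for a quadratic non-residue n; elements are pairs (a, b) = a + b t.
def nonresidue(p):
    squares = {pow(a, 2, p) for a in range(1, p)}
    return next(n for n in range(2, p) if n not in squares)


def fp2_mul(u, v, p, n):
    a, b = u
    c, d = v
    return ((a * c + b * d * n) % p, (a * d + b * c) % p)


def cube_root_of_unity(p):
    """Fact 4 setup: a nontrivial zeta in F_{p^2} with zeta^3 = 1, found by brute force (toy sizes only)."""
    n = nonresidue(p)
    one = (1, 0)
    for a in range(p):
        for b in range(p):
            z = (a, b)
            if z != one and fp2_mul(fp2_mul(z, z, p, n), z, p, n) == one:
                return z, n
    raise ValueError("no nontrivial cube root of unity")


def phi_check(p):
    """Fact 4: phi(x, y) = (zeta x, y) keeps every point on the curve over F_{p^2}
    but moves every point with x != 0 out of E(F_p). Returns (all_on_curve, count_moved_out)."""
    zeta, n = cube_root_of_unity(p)
    all_on_curve = True
    moved_out = 0
    for x, y in affine_points(p):
        zx = fp2_mul(zeta, (x, 0), p, n)
        rhs = fp2_mul(fp2_mul(zx, zx, p, n), zx, p, n)  # (zeta x)^3
        rhs = ((rhs[0] + 1) % p, rhs[1])                  # (zeta x)^3 + 1
        all_on_curve = all_on_curve and rhs == (y * y % p, 0)
        if zx[1] != 0:  # a nonzero t-component means the point is not F_p-rational
            moved_out += 1
    return all_on_curve, moved_out
```

For $p = 11$ the curve has 11 affine points plus $O$, and only the two points with $x = 0$ (namely $(0, \pm 1)$) stay inside $E(\mathbb{F}_p)$ under $\phi$, which is exactly why $P$ and $\phi(P)$ are independent for any $P$ of prime order $q > 2$.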
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P ord_P(f) (P)$. Here $ord_P(f)$ is the order of the zero that $f$ has at point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$ for some $Q \in E$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}$$
It is clear that this map is bilinear since $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$.
But it is degenerate since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q))$$
Recall: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$, $\hat e(P, Q) = e(P, \phi(Q))$, satisfies the following properties:
1 Bilinear (follows from the bilinearity of the Weil pairing)
2 Non-degenerate: obvious
3 Computable: there is an efficient algorithm to compute the value of the map
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k \in \mathbb{Z}^+$, the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$, and an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$ where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{ID}^r))$ where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2$.
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = (U, V) \in C$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m$$
34
Boneh-Franklin IBE scheme
Consistency:
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^r = g_{ID}^r$$
1 During encryption $m$ is bitwise xored with the hash of $g_{ID}^r$.
2 During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since $\hat e(d_{ID}, U) = g_{ID}^r$.
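The four algorithms above, together with the DDH decider from slide 23, as an added Python example that is not the slides' own code nor the Boneh-Franklin paper's implementation. It replaces the Weil-pairing groups with a constructed stand-in: $G_1$ is $\mathbb{Z}_q$ written additively with $P = 1$, $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_{2039}^*$ generated by $g = 4$, and $\hat e(aP, bP) = g^{ab}$; $H_1$ and $H_2$ are built from SHA-256, and the identity string is a sample value. Because this pairing exposes discrete logarithms it demonstrates only the consistency identity, not security.

```python
# Added example (not the slides' or the BF paper's code): the Boneh-Franklin
# Setup/Extract/Encrypt/Decrypt flow over a stand-in "pairing" so that the
# consistency identity e(d_ID, U) = g_ID^r can be watched on real values.
# Constructed toy algebra: G1 = Z_q written additively (the generator P is 1),
# G2 = the order-q subgroup of Z_p^* generated by g, and
#   e(aP, bP) := g^(ab mod q).
# This map is bilinear, non-degenerate and computable, but it exposes
# discrete logs, so it demonstrates the scheme's structure, not its security.
import hashlib
import secrets

Q = 1019           # constructed: prime group order
P_MOD = 2 * Q + 1  # 2039, also prime, so Z_2039^* has a subgroup of order Q
G2_GEN = 4         # a square (2^2), hence of order Q in Z_2039^*
N_BYTES = 16       # message length n = 128 bits


def pairing(a, b):
    """Toy e: G1 x G1 -> G2 on elements a = aP, b = bP."""
    return pow(G2_GEN, (a * b) % Q, P_MOD)


def h1(identity):
    """H1: {0,1}^* -> G1^* (a nonzero multiple of P)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def h2(g2_elem):
    """H2: G2 -> {0,1}^n."""
    return hashlib.sha256(g2_elem.to_bytes(4, "big")).digest()[:N_BYTES]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    """Returns (mpk, msk): P, P_pub = sP and the master key s."""
    s = 1 + secrets.randbelow(Q - 1)
    P = 1
    return {"P": P, "P_pub": (s * P) % Q}, s


def extract(msk, identity):
    """d_ID = s * Q_ID with Q_ID = H1(ID)."""
    return (msk * h1(identity)) % Q


def encrypt(mpk, identity, m, r=None):
    """C = (rP, m xor H2(g_ID^r)), g_ID = e(Q_ID, P_pub). r is random unless fixed for testing."""
    if r is None:
        r = 1 + secrets.randbelow(Q - 1)
    g_id = pairing(h1(identity), mpk["P_pub"])
    U = (r * mpk["P"]) % Q
    V = xor(m, h2(pow(g_id, r, P_MOD)))
    return U, V


def decrypt(d_id, ciphertext):
    """m = V xor H2(e(d_ID, U))."""
    U, V = ciphertext
    return xor(V, h2(pairing(d_id, U)))


def masks_agree(mpk, msk, identity, r):
    """Slide 34's consistency check: e(d_ID, rP) == g_ID^r for the given r."""
    d_id = extract(msk, identity)
    g_id = pairing(h1(identity), mpk["P_pub"])
    return pairing(d_id, (r * mpk["P"]) % Q) == pow(g_id, r, P_MOD)


def is_dh_tuple(P, aP, bP, cP):
    """Slide 23's DDH decider: c = ab (mod q) iff e(P, cP) == e(aP, bP)."""
    return pairing(P, cP) == pairing(aP, bP)


if __name__ == "__main__":
    mpk, msk = setup()
    alice_key = extract(msk, "alice@example.com")
    ct = encrypt(mpk, "alice@example.com", b"sixteen byte msg")
    print(decrypt(alice_key, ct))
```

The same code also covers BasicPub from slide 40: fixing one $Q_{id}$ in place of $H_1(ID)$ turns `extract`/`encrypt`/`decrypt` into that scheme's three algorithms, which is the structural fact the later reduction relies on.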
35
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which $ID$ he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
37
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Algorithm $B$:
1 $B$ gets $(q, G_1, G_2, \hat e)$ and $(P, Q = aP, U = bP, R = cP, r)$ with $r \in G_2$. $B$ has to answer 1 if $\hat e(P, P)^{abc} = r$ and 0 otherwise.
2 $B$ starts to execute $A$ and on the first step receives $ID^*$.
3 $B$ chooses a random $s \in \mathbb{Z}_q^*$ and finds $s^{-1}$. $B$ chooses a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID^*) = sP$ and another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$ without any restriction.
4 $B$ provides $A$ with the public setup $(q, G_1, G_2, \hat e, n, Q, sQ, H_1, H_2)$. So the master key is $s$ and the public key is $sQ$.
5 $B$ answers $A$'s extraction queries in the standard way.
6 When $A$ is ready for a challenge it gives $B$ two messages $m_0, m_1$. $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = (R,\ m_b \oplus H_2(r^s))$.
7 $B$ answers 1 if $A$ was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Analysis of algorithm $B$:
- Algorithm $B$ runs in the same time as $A$.
- In the last stage:
  - If $\hat e(P, P)^{abc} = r$ then $H_2(r^s) = H_2(g_{ID^*}^s)$, since in that case $g_{ID^*} = \hat e(P, P)^{abc}$, and thus $(R,\ H_2(r^s) \oplus m_b)$ is a valid encryption of $m_b$; hence $\Pr[A \text{ answers correctly}] \ge \frac{1}{2} + \epsilon$.
  - Otherwise $H_2(r^s)$ is a uniformly random string and thus $H_2(r^s) \oplus m_b$ is a uniformly random string; hence $\Pr[A \text{ answers correctly}] = \frac{1}{2}$.
- Thus $B$ answers correctly with probability at least $\frac{1}{2} + \frac{\epsilon}{2}$.
39
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
41
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now if there is a polytime adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage then there is a polytime adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof:
setup: Algorithm $B$ is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. $B$ gives $A$ the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. $H_1$ is a random oracle controlled by $B$ in the following way: $B$ maintains a list of tuples $(ID_j, Q_j, b_j, c_j)$; we call it the $H_1^{list}$. The list is initially empty. When $A$ asks on $ID_i$:
1 If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, c_i)$ then $B$ responds with $H_1(ID_i) = Q_i \in G_1^*$.
2 Otherwise $B$ generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0]$ is some fixed value.
3 $B$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$, $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4 $B$ adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1^{list}$ and responds with $Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under the random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1 Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2 If $coin_i = 1$ then $B$ reports failure and terminates.
3 Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i sP = sQ_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $A$.
43
BF IBE scheme security
IND-ID-CPA security under the random oracle model
challenge: Once algorithm $A$ decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1 Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2 Next $B$ obtains the tuple corresponding to $ID_{ch}$: $(ID_{ch}, Q_{ID}, b, coin)$. If $coin = 0$ then $B$ reports failure and terminates.
3 We know $coin = 1$ and therefore $Q_{ID} = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1^*$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $B$ responds to $A$ with $C'$. Note that
$$\hat e(b^{-1}U, d_{ID}) = \hat e(b^{-1}U, sQ_{ID}) = \hat e(b^{-1}U, Q_{id})^{sb} = \hat e(U, Q_{id})^s = \hat e(U, d_{id})$$
Hence the BF IBE decryption of $C'$ using $d_{ID}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under the random oracle model
After the challenge has been set, algorithm $A$ may continue issuing key extraction queries; algorithm $B$ will respond as before.
Eventually algorithm $A$ will output its answer $b'$; algorithm $B$ will output the same answer.
If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.
$B$ does not abort with non-negligible probability, and thus $B$ wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under the random oracle model
setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ the key $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm $A$ may issue queries to the random oracle $H_2$. To respond to them $B$ maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$. The list is initially empty. When asked on $X_i$:
1 If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then $B$ responds with $H_2(X_i) = H_i$.
2 Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to $A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under the random oracle model
challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = (P_3, R)$. Algorithm $B$ gives $c$ as the challenge to $A$. Observe that by definition the decryption of $c$ is $R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under the random oracle model
guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness:
$B$ simulates a real attack environment for $A$ and thus we expect $A$ to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of $A$ asking for $H_2(D)$ is non-negligible (since otherwise the decryption of $c$ is independent of $A$'s view and thus $A$ can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
7
Security notions ndash selective IBE
Even weaker security notion can be obtained if we require adversary to choose ID he wants to
compromise before seeing public system parameters generated by the challenger Selective IBE
IND-ID-CPA game will be the following
ID Selection The adversary chooses identity ID and passes it to the challenger
Setup The challenger takes a security parameter k and runs the Setup algorithm It gives the
adversary the resulting params It keeps the master-key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi is extraction query (not on ID)
bull Extraction query ltIDigt The challenger responds the private key di corresponding to
the public key ltIDigt
Challenge The adversary outputs two equal length messages The challenger picks a
random b and sets C = Encrypt(params ID Mb) It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
8
A little bit of history
Scheme definition by Shamir
IBE in random-oracle
Model using Weil-Pairing
By Boneh-Franklin
IBE using Factoring
By CocksIBE in standard model
using bilinear maps
By Waters
1984 2001 2005
9
Possible applications
First and trivial ndash to overcome PKE scheme
problems wersquove discussed
10
Possible applications
In addition ability to use an arbitrary string as public key allows following usages
Revocation of Public Keysndash Keys of form bobcompanycom || year
ndash There is a corporate PKG which will give Bob private key valid for a year
Managing user credentialsndash Keys of form bobcompanycom ||year||clearance
ndash Bob will be able to read messages only if he has appropriate clearance on the specified date
Delegation to a laptopndash Bob knows private master-key and creates temporary private keys to be used on his
laptop during vacation
Delegation of dutiesndash Suppose Bob has several assistants for different subjects then he can create different
private keys for each subject and having master key will allow him to read all the mail
11
Possible applications
Finally identity based encryption can be used to
construct CCA2-secure encryption
We will see such construction now
12
Recall ndash CCA2 security
CCA2 or adaptive chosen ciphertext attack security means that there is no poly-time adversary A
that can win IND-CCA game with probability non-negligibly greater than half The IND-CCA game
is defined as follows
Setup The challenger takes a security parameter k and runs the GEN algorithm It gives the
adversary the resulting public key It keeps the private key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi
bullDecryption query ltCigt The challenger responds by decrypting Ci using the private
key It sends resulting plaintext to the adversary
Challenge The adversary outputs two equal length messages that did not appear in
any decryption query The challenger picks a random b and sets C = Encrypt(private-key Mb)
It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
13
Constructing CCA-secure scheme
We will construct now a public-key encryption scheme that is based on
IBE scheme which is selective-ID secure against chosen-plaintext attacks
One-time signature which is strongly unforgeable (which means that an adversary
should not be able to forge a new signature even on a previously-signed
message) Example of such scheme
10 11 20 21 0 1
Lamport scheme
Let be a one-way-function Then to sign a message of bits do
The signing key is 2 random elements in the domain of
The public verification key
n n
f n
n f
X x x x x x x
1 2
1 2
10 11 20 21 0 1
0 1 1 2
1 2
is the images of X under
where ( )
To sing a message output the values
To verify a signature on
n
n
n n i j i j
n m m nm
m m nm
f
Y y y y y y y i j y f x
m m m m n x x x
x x x
message with public key
verify that for each ( )i iim im
m Y
i y f x
14
Constructing CCA-secure scheme
The construction is by Canetti Halevi and Katz and goes as following
Let =(SetupExtractEncodeDecode) be an IBE scheme and Sig=(G Sign Verify) be a one-time signature scheme
Our public encryption scheme =(GenEncodeDecode) will work as follows
on 1
Runs S
k
Gen
etup(1 ) to obtain ( ) The public key is and the secret key is
To encrypt message using public key the sender first runs G(1 ) to obtain verification key and signing ke
k
k
PK msk PK msk
m PK vk
Encryption
y
The sender then computes ( ) (ie sender uses as an identity) and ( )
The final ciphertext is ( )
To decrypt ciphertext ( ) using secret key t
sk
c Encode PK vk m vk Sign sk c
vk c
vk c msk
Decryption
he receiver first checks whether Verify( ) 1
If not the receiver simply outputs Otherwise the receiver computes ( ) and outputs
( )
It is clear that this s
vk
vk
vk c
SK Extract msk vk
Decode SK vk c m
cheme is indeed a correct public-key encryption scheme
15
Proof of CCA2-security
Intuition for the proof (informal) Let ( ) be the challenge ciphertext It is clear that without any decryption oracle queries the plaintext
corresponding to the ciphertext remains hidden to the adversary this is so because
vk c is output by which is
CPA-secure (and the additional components of the ciphertext provide no additional help)
Decryption oracle queries cant further help the adversary On one hand if the adve
c
rsary submits to the oracle a
ciphertext ( ) that is different from the challenge ciphertext but with then the decryption oracle
will reply with since the adversary is unable to forge
vk c vk vk
new valid signatures with respect to On the other
hand if then the decryption query will not help the adversary since the eventual decryption using Decrypt
will be done with respect to a
vk
vk vk
different identity vk
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary attacking in an adaptive chosen-ciphertext attack
Say a ciphertext ( ) is valid if ( ) 1 Let ( ) denote the challenge
ciphertext r
A
vk c Verify vk c vk c
eceived by during a particular run of the game and let Forge denote the event that
submits a valid ciphertext ( ) We prove the following claims
Pr [ ] is negligible
PKE
A
A
A vk c
Forge
Claim 1
Claim
1 12|Pr [ ] Pr [ ] | is negligible
2 2
Now from these two claims we get
1Pr [ ]
2
1 1 |Pr [ ] Pr [ ]|+|Pr [ ] Pr
2 2
PKE PKE
A A
PKE
A
PKE PKE PKE PKE
A A A A
Success Forge Forge
Success
Success Forge Forge Success Forge
1[ ] |
2
1 1 Pr [ ] |Pr [ ] Pr [ ] |
2 2
which is negligible given the stated claims
PKE PKE PKE
A A A
Forge
Forge Success Forge Forge
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger who forges a signature with respect to signature scheme Sig with
probability exactly Pr [ ] Security of Sig implies the claim
is defined as follows giv
PKE
A
F
Forge
F
en input 1 and verification key first runs Setup(1 ) to obtain
(PK msk) and then runs (1 ) Note that can answer any decryption queries of If
happens to submit a valid ciphertext (
k k
k
vk F
A PK F A A
v
0 1
) to its decryption oracle before requesting the challenge
ciphertext then simple outputs the forgery ( ) and stops Otherwise when outputs messages
forger proceeds as follows ch
k c
F c A
m m F
ooses a random bit b computes ( ) and
obtains from its signing oracle a signature on the message Finally hands ( ) to A
If submits a valid ciphertext ( ) to i
bc Encrypt vk m
c F vk c
A vk c
ts decryption oracle note that we must have ( ) ( )
In this case simply outputs ( ) as its forgery It is easy to see that s success probability is
exactly Pr [ ]PKE
A
c c
F c F
Forge
18
Proof of CCA2-security
Proof of claim 2
We use to construct a poly-time adversary which attacks the IBE scheme in selective IND-ID-CPA game
Define adversary as follows
1 (1 ) runs G(1 ) to generate ( ) and outputs the tk k
A A
A
A vk sk
arget identity
2 is given a master public key Adversary in turn runs (1 )
3 When makes a decryption oracle query ( ) adversary proceeds as follows
(a) If
k
ID vk
A PK A A PK
A Decode vk c A
then checks whether ( ) 1 If so aborts and outputs a random bit
Otherwise it simply responds with
(b) If and ( ) 0 then responds w
vk vk A Verify vk c A
vk vk Verify vk c A
ith
(c) If and ( ) 1 then makes the oracle query ( ) to obtain
It then computes ( ) and responds with
4 At some point outpu
vk vk
vk vk Verify vk c A Extract msk vk
SK m Decode SK vk c m
A
0 1
ts two messages These messages are output by A as well In return A
is given a challenge ciphertext adversary then computes ( ) and returns ( ) to
5 may co
m m
c A Sign sk c vk c A
A
ntinue to make decryption queries and these are answered as before
6 Finally outputs a guess this same guess is output by A b A
19
Proof of CCA2-security
Proof of claim 2 continued
Note that represents a legal adversarial strategy for attacking in particular never requests
the secret key corresponding to the target identity Furthermore provides a perfect sim
A A
vk A
ulation
for until event Forge occurs (in such event outputs a random bit) And thus
1 1 1 Pr [ ] Pr [ ] Pr [ ]
2 2 2
And the left side of the a
IBE PKE PKE
A A A
A A
Success Success Forge Success Forge
bove is negligible by the assumed security of
20
Boneh-Franklin construction
21
Bilinear maps
1 2 1 1 2
1
ˆLet and be two groups of order We say that a map eG between
these two groups is bilinear if it satisfies the following properties
ˆ ˆ1 Bilinear for all and ( ) (a b
G G q G G
P Q G a b e P Q e P
1 1 2
1
)
2 Non-degenerate The map does not send all pairs in G to the identity in
ˆ3 Computable There is an efficient algorithm to compute ( ) for any
abQ
G G
e P Q P Q G
A bilinear map satisfying the three properties above is said to be an admissible
bilinear map The existence of such a map has two direct implications to these
groups we will see them next
22
Bilinear maps ndash MOV reduction
Named after Menezes Okamoto and Vanstone
Shows that the discrete log problem in G1 is no harder than the discrete
log problem in G2
1
2
Let where both have order We wish to find such that
ˆ ˆLet ( ) and ( )
ˆBy non-degeneracy of both have order in
bilinearity
P Q G P Q q Q P
g e P P h e Q P h g
e g h q G
Hence we reduced the discrete log problem in G1 to a discrete log
problem in G2
23
Bilinear maps ndash DDH is easy
The Decision Diffie-Hellman problem in G1 is to
distinguish between the distributions (P Pa Pb Pab)and
(P Pa Pb Pc) where abc are random in Zq0 and P is
random in G10
1Given we have
ˆ ˆmod ( ) ( )
a b c
c a b
P P P P G
c ab q e P P e P P
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
2 3
2 3
A curve defined by the equation over some field We will talk about elliptic curve defined by the equation
= +1 over field where is a prime satisfying 2mod3 Let ( ) denote thrp p
y x ax b E
y x p p E
F F e group of points on defined over rpE F
Elliptic curves
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
2
2
2
In the following we let and be arbitrary points in ( )
A divisor is a formal sum of points on the curve ( ) We write divisors as = ( ) where and
( ) W
p
P Pp P
p
P Q E
E a P a
P E
Divisors
F
F
F
A
2 2
2
e will only consider divisors = ( ) where 0
A function on the curve ( ) can be viewed as a rational function ( ) ( )
For any point ( ) ( ) we def
P PP P
p p
p
a P a
f E f x y E
P x y E
Functions F F
F
A
2
ine ( ) ( )
Let be a function on the curve ( ) We define its divisor denoted by ( ) as
( ) ( ) ( ) Here ( ) is the orde
p
P PP
f P f x y
f E f
f ord f P ord f
Divisors of functions F
r of the zero that has at point
Let be a divisor If there exists a function such that ( ) then we say that is a principal
divisor We know
f P
f f Principal divisors A A A
that a divisor = ( ) is principal if and only if 0 and
Furthemore given a principal divisor there exists a unique function such that ( )
P P PP P Pa P a a P O
f f
Equivalen
A
A A
We say that two divisors are equivalent is their difference - is a principal divisor
We know that any divisor = ( ) (with 0) is eP PP Pa P a
ce of divisors A B A B
A quivalent to a divisor of the
form ( ) - ( )
Given a function and a divisor = ( ) we define ( ) as ( ) ( ) Pa
PP P
Q O
f a P f f f P
Notation
A
A A A
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Modified Weil pairing satisfy the following properties
1 Bilinear (follows from bilinearity of Weil pairing)
2 Non-degenerate Obvious
3 Computable There is an efficient algorithm to compute the value of the map
Generator built basing on this map is believed to satisfy BDH assumption asymptotically
However there is still the question of what values of p and q can be used in practice to
make the BDH problem sufficiently hard
30
Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before)
1 2
Given a security parameter the algorithm works as follows
Step 1 Run G on input to generate a prime two groups of order and an
admissibl
k
k q q
Setup
G G
1 1 2 1
1 1
ˆe map Choose a random generator
Step 2 Pick a random and set
Step 3 Choose a cryptographic hash function 01 Choose a cryptographic
s
q pub
e P
s P P
H
G G G G
G
2 2
1
1 2 1 2
hash function 01 for some
The message space is 01 The ciphertext space is 01 The system parameters
ˆare ( ) The is
n
n n
pub
H n
M C
q e n P P H H
mpk msk
G
G
G G qs
31
Boneh-Franklin IBE scheme
1 1
ID
For a given string 01 the algorithm does
1) Computes ( )
2) Sets the private key to be where is the master key
ID
s
ID ID
ID
Q H ID
d d Q s
Extract
G
32
Boneh-Franklin IBE scheme
1 1
To encrypt under the public key do the following
(1) compute ( )
(2) choose a random
(3) set the ciphertext to be
ID
q
m M ID
Q H ID
r
Encrypt
G
2 2ˆ ( ( )) where ( )r r
ID ID ID pubC P m H g g e Q P G
33
Boneh-Franklin IBE scheme
1
2
Let ( ) be a ciphertext encypted using the public key
To decrypt using the private key compute
ˆ ( ( ))
ID
ID
c U V C ID
c d
V H e d U
Decrypt
G
m
34
Boneh-Franklin IBE scheme
ˆ ˆ ˆ ˆ( ) ( ) ( ) ( )s r sr r r
ID ID ID ID pub IDe d U e Q P e Q P e Q P g
1 During encryption m is bitwise xored with the hash of
2 During decryption V is bitwise xored with the hash of
These masks used during encryption and decryption are the same since
ˆ( )IDe d U
r
IDg
Consistency
35
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: in the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Decisional BDH: to distinguish between $(P, aP, bP, cP, \hat{e}(P,P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in \mathbb{G}_2$.
Theorem: If there exists a poly-time adversary A that gains advantage $\varepsilon$ in the selective IND-ID-CPA game then there exists a poly-time adversary B that solves Decisional BDH with probability $\frac{1}{2} + \frac{\varepsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k: \{0,1\}^* \to \mathbb{G}_1$
2. $\forall x \in \{0,1\}^*,\ y \in \mathbb{G}_1\ \ \exists k$ s.t. $H_k(x) = y$
3. Such $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Algorithm B
1. B gets $(q, \mathbb{G}_1, \mathbb{G}_2, \hat{e})$ and a Decisional BDH instance $(P, Q, U, R, r)$ with $P, Q, U, R \in \mathbb{G}_1$ and $r \in \mathbb{G}_2$. B has to answer 1 if $r$ is the BDH value of the instance and 0 otherwise.
2. B starts to execute A and on the first step receives $ID^*$.
3. B chooses a random $s \in \mathbb{Z}_q^*$, a hash function $H_1 \in \mathcal{H}$ that fixes the value of $H_1(ID^*)$ as required for the challenge below, and another hash function $H_2: \mathbb{G}_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. B provides A with the public setup $(q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, Q, sQ, H_1, H_2)$. So the master key is $s$ and the public key is $sQ$.
5. B answers A's extraction queries in the standard way.
6. When ready for a challenge A gives B two messages $m_0, m_1$. B chooses a bit $b$ at random and gives A the challenge $C = (R,\ m_b \oplus H_2(r^{\,s}))$.
7. B answers 1 if A was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Analysis of algorithm B
- Algorithm B runs in the same time as A.
- In the last stage:
  - If $r$ is the real BDH value then $H_2(r^{\,s})$ is exactly the mask that a genuine encryption under $ID^*$ with first component $R$ would use, and thus $(R,\ H_2(r^{\,s}) \oplus m_b)$ is a valid encryption of $m_b$; hence $\Pr[\text{A answers correctly}] = \frac{1}{2} + \varepsilon$.
  - Otherwise $H_2(r^{\,s})$ is a random uniform string and thus $H_2(r^{\,s}) \oplus m_b$ is a random uniform string; hence $\Pr[\text{A answers correctly}] = \frac{1}{2}$.
- Thus B answers correctly with probability at least $\frac{1}{2} + \frac{\varepsilon}{2}$.
39
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: in the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under the random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms.
keygen: given a security parameter $k$ the algorithm works as follows.
Step 1: Generate two prime order groups $\mathbb{G}_1, \mathbb{G}_2$ and a bilinear map $\hat{e}: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$. Let $q$ be the order of $\mathbb{G}_1, \mathbb{G}_2$. Choose a random generator $P \in \mathbb{G}_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in \mathbb{G}_1^*$.
Step 3: Choose a cryptographic hash function $H_2: \mathbb{G}_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id}$.
encrypt: to encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{id}^{\,r}))$ where $g_{id} = \hat{e}(Q_{id}, P_{pub}) \in \mathbb{G}_2^*$.
decrypt: let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat{e}(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now if there is a poly-time adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
setup: Algorithm B is given the public key $K_{pub} = (q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2)$. B gives A the system parameters $(q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, H_1, H_2)$, where $H_1$ is a random oracle controlled by B in the following way. B maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$; we call it the $H_1^{list}$ and it is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, coin_i)$ then B responds with $H_1(ID_i) = Q_i$.
2. Otherwise B generates a random $coin \in \{0,1\}$ so that $\Pr[coin = 0] = \delta$ for a fixed $\delta$.
3. B picks a random $b \in \mathbb{Z}_q^*$. If $coin = 0$ then $Q_i = bP$, otherwise $Q_i = bQ_{id}$.
4. B adds the tuple $(ID_i, Q_i, b, coin)$ to the list and responds with $Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under the random oracle model
key extraction: let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i = H_1(ID_i)$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i sP = sQ_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Challenge: once algorithm A decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $(ID_{ch}, Q_{ch}, b, coin)$ corresponding to $ID_{ch}$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q_{ch} = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in \mathbb{G}_1^*$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note that
$\hat{e}(b^{-1}U, d_{ch}) = \hat{e}(b^{-1}U, sQ_{ch}) = \hat{e}(b^{-1}U, Q_{id})^{sb} = \hat{e}(U, Q_{id})^{s} = \hat{e}(U, d_{id})$.
Hence the BF IBE decryption of $C'$ using $d_{ch}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under the random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B will respond as before.
Eventually algorithm A will output its answer b'; algorithm B will output the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly, so does B.
B does not abort with non-negligible probability, and thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, \mathbb{G}_1, \mathbb{G}_2, \hat{e})$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat{e}(P,P)^{abc} \in \mathbb{G}_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under the random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them B maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$ and it is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under the random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = (P_3, R)$. Algorithm B gives $c$ as the challenge to A. Observe that by definition the decryption of $c$ is
$R \oplus H_2(\hat{e}(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under the random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of A asking for $H_2(D)$ is non-negligible (since otherwise the decryption of $c$ is independent of A's view, and thus A can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
8
A little bit of history
Scheme definition by Shamir
IBE in random-oracle
Model using Weil-Pairing
By Boneh-Franklin
IBE using Factoring
By CocksIBE in standard model
using bilinear maps
By Waters
1984 2001 2005
9
Possible applications
First and trivial ndash to overcome PKE scheme
problems wersquove discussed
10
Possible applications
In addition ability to use an arbitrary string as public key allows following usages
Revocation of Public Keysndash Keys of form bobcompanycom || year
ndash There is a corporate PKG which will give Bob private key valid for a year
Managing user credentialsndash Keys of form bobcompanycom ||year||clearance
ndash Bob will be able to read messages only if he has appropriate clearance on the specified date
Delegation to a laptopndash Bob knows private master-key and creates temporary private keys to be used on his
laptop during vacation
Delegation of dutiesndash Suppose Bob has several assistants for different subjects then he can create different
private keys for each subject and having master key will allow him to read all the mail
11
Possible applications
Finally identity based encryption can be used to
construct CCA2-secure encryption
We will see such construction now
12
Recall ndash CCA2 security
CCA2 or adaptive chosen ciphertext attack security means that there is no poly-time adversary A
that can win IND-CCA game with probability non-negligibly greater than half The IND-CCA game
is defined as follows
Setup The challenger takes a security parameter k and runs the GEN algorithm It gives the
adversary the resulting public key It keeps the private key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi
bullDecryption query ltCigt The challenger responds by decrypting Ci using the private
key It sends resulting plaintext to the adversary
Challenge The adversary outputs two equal length messages that did not appear in
any decryption query The challenger picks a random b and sets C = Encrypt(private-key Mb)
It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
13
Constructing CCA-secure scheme
We will construct now a public-key encryption scheme that is based on
IBE scheme which is selective-ID secure against chosen-plaintext attacks
One-time signature which is strongly unforgeable (which means that an adversary
should not be able to forge a new signature even on a previously-signed
message) Example of such scheme
10 11 20 21 0 1
Lamport scheme
Let be a one-way-function Then to sign a message of bits do
The signing key is 2 random elements in the domain of
The public verification key
n n
f n
n f
X x x x x x x
1 2
1 2
10 11 20 21 0 1
0 1 1 2
1 2
is the images of X under
where ( )
To sing a message output the values
To verify a signature on
n
n
n n i j i j
n m m nm
m m nm
f
Y y y y y y y i j y f x
m m m m n x x x
x x x
message with public key
verify that for each ( )i iim im
m Y
i y f x
14
Constructing CCA-secure scheme
The construction is by Canetti Halevi and Katz and goes as following
Let =(SetupExtractEncodeDecode) be an IBE scheme and Sig=(G Sign Verify) be a one-time signature scheme
Our public encryption scheme =(GenEncodeDecode) will work as follows
on 1
Runs S
k
Gen
etup(1 ) to obtain ( ) The public key is and the secret key is
To encrypt message using public key the sender first runs G(1 ) to obtain verification key and signing ke
k
k
PK msk PK msk
m PK vk
Encryption
y
The sender then computes ( ) (ie sender uses as an identity) and ( )
The final ciphertext is ( )
To decrypt ciphertext ( ) using secret key t
sk
c Encode PK vk m vk Sign sk c
vk c
vk c msk
Decryption
he receiver first checks whether Verify( ) 1
If not the receiver simply outputs Otherwise the receiver computes ( ) and outputs
( )
It is clear that this s
vk
vk
vk c
SK Extract msk vk
Decode SK vk c m
cheme is indeed a correct public-key encryption scheme
15
Proof of CCA2-security
Intuition for the proof (informal) Let ( ) be the challenge ciphertext It is clear that without any decryption oracle queries the plaintext
corresponding to the ciphertext remains hidden to the adversary this is so because
vk c is output by which is
CPA-secure (and the additional components of the ciphertext provide no additional help)
Decryption oracle queries cant further help the adversary On one hand if the adve
c
rsary submits to the oracle a
ciphertext ( ) that is different from the challenge ciphertext but with then the decryption oracle
will reply with since the adversary is unable to forge
vk c vk vk
new valid signatures with respect to On the other
hand if then the decryption query will not help the adversary since the eventual decryption using Decrypt
will be done with respect to a
vk
vk vk
different identity vk
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary attacking in an adaptive chosen-ciphertext attack
Say a ciphertext ( ) is valid if ( ) 1 Let ( ) denote the challenge
ciphertext r
A
vk c Verify vk c vk c
eceived by during a particular run of the game and let Forge denote the event that
submits a valid ciphertext ( ) We prove the following claims
Pr [ ] is negligible
PKE
A
A
A vk c
Forge
Claim 1
Claim
1 12|Pr [ ] Pr [ ] | is negligible
2 2
Now from these two claims we get
1Pr [ ]
2
1 1 |Pr [ ] Pr [ ]|+|Pr [ ] Pr
2 2
PKE PKE
A A
PKE
A
PKE PKE PKE PKE
A A A A
Success Forge Forge
Success
Success Forge Forge Success Forge
1[ ] |
2
1 1 Pr [ ] |Pr [ ] Pr [ ] |
2 2
which is negligible given the stated claims
PKE PKE PKE
A A A
Forge
Forge Success Forge Forge
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger who forges a signature with respect to signature scheme Sig with
probability exactly Pr [ ] Security of Sig implies the claim
is defined as follows giv
PKE
A
F
Forge
F
en input 1 and verification key first runs Setup(1 ) to obtain
(PK msk) and then runs (1 ) Note that can answer any decryption queries of If
happens to submit a valid ciphertext (
k k
k
vk F
A PK F A A
v
0 1
) to its decryption oracle before requesting the challenge
ciphertext then simple outputs the forgery ( ) and stops Otherwise when outputs messages
forger proceeds as follows ch
k c
F c A
m m F
ooses a random bit b computes ( ) and
obtains from its signing oracle a signature on the message Finally hands ( ) to A
If submits a valid ciphertext ( ) to i
bc Encrypt vk m
c F vk c
A vk c
ts decryption oracle note that we must have ( ) ( )
In this case simply outputs ( ) as its forgery It is easy to see that s success probability is
exactly Pr [ ]PKE
A
c c
F c F
Forge
18
Proof of CCA2-security
Proof of claim 2
We use to construct a poly-time adversary which attacks the IBE scheme in selective IND-ID-CPA game
Define adversary as follows
1 (1 ) runs G(1 ) to generate ( ) and outputs the tk k
A A
A
A vk sk
arget identity
2 is given a master public key Adversary in turn runs (1 )
3 When makes a decryption oracle query ( ) adversary proceeds as follows
(a) If
k
ID vk
A PK A A PK
A Decode vk c A
then checks whether ( ) 1 If so aborts and outputs a random bit
Otherwise it simply responds with
(b) If and ( ) 0 then responds w
vk vk A Verify vk c A
vk vk Verify vk c A
ith
(c) If and ( ) 1 then makes the oracle query ( ) to obtain
It then computes ( ) and responds with
4 At some point outpu
vk vk
vk vk Verify vk c A Extract msk vk
SK m Decode SK vk c m
A
0 1
ts two messages These messages are output by A as well In return A
is given a challenge ciphertext adversary then computes ( ) and returns ( ) to
5 may co
m m
c A Sign sk c vk c A
A
ntinue to make decryption queries and these are answered as before
6 Finally outputs a guess this same guess is output by A b A
19
Proof of CCA2-security
Proof of claim 2 continued
Note that represents a legal adversarial strategy for attacking in particular never requests
the secret key corresponding to the target identity Furthermore provides a perfect sim
A A
vk A
ulation
for until event Forge occurs (in such event outputs a random bit) And thus
1 1 1 Pr [ ] Pr [ ] Pr [ ]
2 2 2
And the left side of the a
IBE PKE PKE
A A A
A A
Success Success Forge Success Forge
bove is negligible by the assumed security of
20
Boneh-Franklin construction
21
Bilinear maps
1 2 1 1 2
1
ˆLet and be two groups of order We say that a map eG between
these two groups is bilinear if it satisfies the following properties
ˆ ˆ1 Bilinear for all and ( ) (a b
G G q G G
P Q G a b e P Q e P
1 1 2
1
)
2 Non-degenerate The map does not send all pairs in G to the identity in
ˆ3 Computable There is an efficient algorithm to compute ( ) for any
abQ
G G
e P Q P Q G
A bilinear map satisfying the three properties above is said to be an admissible
bilinear map The existence of such a map has two direct implications to these
groups we will see them next
22
Bilinear maps ndash MOV reduction
Named after Menezes Okamoto and Vanstone
Shows that the discrete log problem in G1 is no harder than the discrete
log problem in G2
1
2
Let where both have order We wish to find such that
ˆ ˆLet ( ) and ( )
ˆBy non-degeneracy of both have order in
bilinearity
P Q G P Q q Q P
g e P P h e Q P h g
e g h q G
Hence we reduced the discrete log problem in G1 to a discrete log
problem in G2
23
Bilinear maps ndash DDH is easy
The Decision Diffie-Hellman problem in G1 is to
distinguish between the distributions (P Pa Pb Pab)and
(P Pa Pb Pc) where abc are random in Zq0 and P is
random in G10
1Given we have
ˆ ˆmod ( ) ( )
a b c
c a b
P P P P G
c ab q e P P e P P
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
2 3
2 3
A curve defined by the equation over some field We will talk about elliptic curve defined by the equation
= +1 over field where is a prime satisfying 2mod3 Let ( ) denote thrp p
y x ax b E
y x p p E
F F e group of points on defined over rpE F
Elliptic curves
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
2
2
2
In the following we let and be arbitrary points in ( )
A divisor is a formal sum of points on the curve ( ) We write divisors as = ( ) where and
( ) W
p
P Pp P
p
P Q E
E a P a
P E
Divisors
F
F
F
A
2 2
2
e will only consider divisors = ( ) where 0
A function on the curve ( ) can be viewed as a rational function ( ) ( )
For any point ( ) ( ) we def
P PP P
p p
p
a P a
f E f x y E
P x y E
Functions F F
F
A
2
ine ( ) ( )
Let be a function on the curve ( ) We define its divisor denoted by ( ) as
( ) ( ) ( ) Here ( ) is the orde
p
P PP
f P f x y
f E f
f ord f P ord f
Divisors of functions F
r of the zero that has at point
Let be a divisor If there exists a function such that ( ) then we say that is a principal
divisor We know
f P
f f Principal divisors A A A
that a divisor = ( ) is principal if and only if 0 and
Furthemore given a principal divisor there exists a unique function such that ( )
P P PP P Pa P a a P O
f f
Equivalen
A
A A
We say that two divisors are equivalent is their difference - is a principal divisor
We know that any divisor = ( ) (with 0) is eP PP Pa P a
ce of divisors A B A B
A quivalent to a divisor of the
form ( ) - ( )
Given a function and a divisor = ( ) we define ( ) as ( ) ( ) Pa
PP P
Q O
f a P f f f P
Notation
A
A A A
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Modified Weil pairing satisfy the following properties
1 Bilinear (follows from bilinearity of Weil pairing)
2 Non-degenerate Obvious
3 Computable There is an efficient algorithm to compute the value of the map
Generator built basing on this map is believed to satisfy BDH assumption asymptotically
However there is still the question of what values of p and q can be used in practice to
make the BDH problem sufficiently hard
30
Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before)
1 2
Given a security parameter the algorithm works as follows
Step 1 Run G on input to generate a prime two groups of order and an
admissibl
k
k q q
Setup
G G
1 1 2 1
1 1
ˆe map Choose a random generator
Step 2 Pick a random and set
Step 3 Choose a cryptographic hash function 01 Choose a cryptographic
s
q pub
e P
s P P
H
G G G G
G
2 2
1
1 2 1 2
hash function 01 for some
The message space is 01 The ciphertext space is 01 The system parameters
ˆare ( ) The is
n
n n
pub
H n
M C
q e n P P H H
mpk msk
G
G
G G qs
31
Boneh-Franklin IBE scheme
1 1
ID
For a given string 01 the algorithm does
1) Computes ( )
2) Sets the private key to be where is the master key
ID
s
ID ID
ID
Q H ID
d d Q s
Extract
G
32
Boneh-Franklin IBE scheme
1 1
To encrypt under the public key do the following
(1) compute ( )
(2) choose a random
(3) set the ciphertext to be
ID
q
m M ID
Q H ID
r
Encrypt
G
2 2ˆ ( ( )) where ( )r r
ID ID ID pubC P m H g g e Q P G
33
Boneh-Franklin IBE scheme
1
2
Let ( ) be a ciphertext encypted using the public key
To decrypt using the private key compute
ˆ ( ( ))
ID
ID
c U V C ID
c d
V H e d U
Decrypt
G
m
34
Boneh-Franklin IBE scheme
ˆ ˆ ˆ ˆ( ) ( ) ( ) ( )s r sr r r
ID ID ID ID pub IDe d U e Q P e Q P e Q P g
1 During encryption m is bitwise xored with the hash of
2 During decryption V is bitwise xored with the hash of
These masks used during encryption and decryption are the same since
ˆ( )IDe d U
r
IDg
Consistency
35
BF IBE scheme security
We will prove now that presented scheme is selective IND-ID-CPA secure in the standard
model
Reminder In selective IND-ID-CPA game the adversary first tells challenger which ID
he wants to be challenged on then he receives public setup and is allowed
to issue key extraction queries
Selective IND-ID-CPA security under standard model
36
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
Now we will see how to show that BF IBE scheme is IND-ID-CPA
secure in random oracle model
IND-ID-CPA security under random oracle model
Reminder In random oracle model cryptographic hash functions are replaced by truly
random functions Our benefit in this model is that we can build our random
oracle on the fly according to adversary actions
40
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme security: IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security: IND-ID-CPA security under random oracle model
Setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ the key $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = s Q_{ID} = a P_2 = ab P$.
At any time algorithm $A$ may issue queries to the random oracle $H_2$. To respond to them $B$ maintains a list of tuples $(X_j, H_j)$; we call it the $H_2$-list. The list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2$-list in a tuple $(X_i, H_i)$ then $B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2$-list. It responds to $A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security: IND-ID-CPA security under random oracle model
Challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = (P_3, R)$. Algorithm $B$ gives $c$ as the challenge to $A$. Observe that by definition the decryption of $c$ is $R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security: IND-ID-CPA security under random oracle model
Guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $(X_j, H_j)$ from the $H_2$-list and outputs $X_j$ as the solution.
Proof of correctness: B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of A asking for H2(D) is non-negligible (since otherwise the decryption of C is independent of A's view, and thus A can't answer correctly with probability greater than half). So we have D in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
9
Possible applications
First and trivial: to overcome the PKE scheme problems we've discussed.
10
Possible applications
In addition, the ability to use an arbitrary string as a public key allows the following usages:
Revocation of public keys: keys of the form bob@company.com || year. There is a corporate PKG which will give Bob a private key valid for a year.
Managing user credentials: keys of the form bob@company.com || year || clearance. Bob will be able to read messages only if he has the appropriate clearance on the specified date.
Delegation to a laptop: Bob knows the private master key and creates temporary private keys to be used on his laptop during vacation.
Delegation of duties: suppose Bob has several assistants for different subjects; then he can create a different private key for each subject, and having the master key will allow him to read all the mail.
11
Possible applications
Finally, identity based encryption can be used to construct CCA2-secure encryption. We will see such a construction now.
12
Recall: CCA2 security
CCA2, or adaptive chosen ciphertext attack security, means that there is no poly-time adversary A that can win the IND-CCA game with probability non-negligibly greater than half. The IND-CCA game is defined as follows:
Setup: The challenger takes a security parameter k and runs the GEN algorithm. It gives the adversary the resulting public key. It keeps the private key for itself.
Phase 1: The adversary issues queries $q_1, q_2, \ldots, q_m$, where each $q_i$ is a decryption query $\langle C_i \rangle$. The challenger responds by decrypting $C_i$ using the private key. It sends the resulting plaintext to the adversary.
Challenge: The adversary outputs two equal length messages $m_0, m_1 \in M$ that did not appear in any decryption query. The challenger picks a random b and sets C = Encrypt(private-key, $M_b$). It sends C as a challenge to the adversary.
Phase 2: The adversary issues more queries as in phase 1 (but not about the challenge).
Guess: The adversary outputs a guess b' and wins the game if b = b'.
13
Constructing a CCA-secure scheme
We will now construct a public-key encryption scheme that is based on:
• an IBE scheme which is selective-ID secure against chosen-plaintext attacks;
• a one-time signature which is strongly unforgeable (which means that an adversary should not be able to forge a new signature even on a previously-signed message). An example of such a scheme:
Lamport scheme: Let $f$ be a one-way function. Then to sign a message of $n$ bits do the following.
The signing key is $2n$ random elements in the domain of $f$: $X = (x_{10}, x_{11}, x_{20}, x_{21}, \ldots, x_{n0}, x_{n1})$.
The public verification key $Y = (y_{10}, y_{11}, y_{20}, y_{21}, \ldots, y_{n0}, y_{n1})$ is the images of $X$ under $f$, where $y_{ij} = f(x_{ij})$.
To sign a message $m = m_1 m_2 \ldots m_n$ output the values $x_{1 m_1}, x_{2 m_2}, \ldots, x_{n m_n}$.
To verify a signature $(x_{1 m_1}, \ldots, x_{n m_n})$ on message $m$ with public key $Y$, verify that for each $i$, $y_{i m_i} = f(x_{i m_i})$.
14
Constructing a CCA-secure scheme
The construction is by Canetti, Halevi and Katz and goes as follows.
Let $(Setup, Extract, Encode, Decode)$ be an IBE scheme and $Sig = (G, Sign, Verify)$ be a one-time signature scheme. Our public encryption scheme $(Gen, Encode, Decode)$ will work as follows:
Gen: on input $1^k$, runs $Setup(1^k)$ to obtain $(PK, msk)$. The public key is $PK$ and the secret key is $msk$.
Encryption: To encrypt a message $m$ using public key $PK$, the sender first runs $G(1^k)$ to obtain a verification key $vk$ and a signing key $sk$. The sender then computes $c = Encode(PK, vk, m)$ (i.e. the sender uses $vk$ as an identity) and $\sigma = Sign(sk, c)$. The final ciphertext is $(vk, c, \sigma)$.
Decryption: To decrypt a ciphertext $(vk, c, \sigma)$ using secret key $msk$, the receiver first checks whether $Verify(vk, c, \sigma) = 1$. If not, the receiver simply outputs $\bot$. Otherwise the receiver computes $SK_{vk} = Extract(msk, vk)$ and outputs $m = Decode(SK_{vk}, vk, c)$.
It is clear that this scheme is indeed a correct public-key encryption scheme.
15
Proof of CCA2-security
Intuition for the proof (informal): Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. It is clear that without any decryption oracle queries the plaintext corresponding to the ciphertext remains hidden to the adversary; this is so because $c^*$ is output by the IBE scheme, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\bot$, since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \ne vk^*$ then the decryption query will not help the adversary, since the eventual decryption using Decrypt will be done with respect to a different identity $vk \ne vk^*$.
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary $A$ attacking our scheme in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $Verify(vk, c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game, and let Forge denote the event that $A$ submits a valid ciphertext $(vk^*, c, \sigma)$. We prove the following claims:
Claim 1: $\Pr^{PKE}_A[Forge]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac12 \Pr^{PKE}_A[Forge] - \frac12\right|$ is negligible.
Now from these two claims we get
$\left|\Pr^{PKE}_A[Success] - \frac12\right| \le \left|\Pr^{PKE}_A[Success \wedge Forge] - \frac12 \Pr^{PKE}_A[Forge]\right| + \left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac12 \Pr^{PKE}_A[Forge] - \frac12\right|$
$\le \frac12 \Pr^{PKE}_A[Forge] + \left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac12 \Pr^{PKE}_A[Forge] - \frac12\right|$,
which is negligible given the stated claims.
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr^{PKE}_A[Forge]$. Security of Sig implies the claim.
$F$ is defined as follows: given input $1^k$ and verification key $vk$, $F$ first runs $Setup(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption queries of $A$. If $A$ happens to submit a valid ciphertext $(vk, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, forger $F$ proceeds as follows: it chooses a random bit $b$, computes $c = Encrypt(vk, m_b)$ and obtains from its signing oracle a signature $\sigma$ on the message $c$. Finally $F$ hands $(vk, c, \sigma)$ to $A$.
If $A$ submits a valid ciphertext $(vk, c', \sigma')$ to its decryption oracle, note that we must have $(c', \sigma') \ne (c, \sigma)$. In this case $F$ simply outputs $(c', \sigma')$ as its forgery. It is easy to see that $F$'s success probability is exactly $\Pr^{PKE}_A[Forge]$.
18
Proof of CCA2-security
Proof of claim 2
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $Decode(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
(a) If $vk = vk^*$ then $A'$ checks whether $Verify(vk, c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\bot$.
(b) If $vk \ne vk^*$ and $Verify(vk, c, \sigma) = 0$ then $A'$ responds with $\bot$.
(c) If $vk \ne vk^*$ and $Verify(vk, c, \sigma) = 1$ then $A'$ makes the oracle query $Extract(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = Decode(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* = Sign(sk^*, c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of claim 2, continued
Note that $A'$ represents a legal adversarial strategy for attacking the IBE scheme; in particular, $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore, $A'$ provides a perfect simulation for $A$ until event Forge occurs (in such an event $A'$ outputs a random bit). And thus
$\Pr^{IBE}_{A'}[Success] - \frac12 = \Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac12 \Pr^{PKE}_A[Forge] - \frac12$,
and the left side of the above is negligible by the assumed security of the IBE scheme.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e: G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$, $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps: MOV reduction
Named after Menezes, Okamoto and Vanstone. Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By bilinearity $h = g^{\alpha}$.
By non-degeneracy of $\hat e$, both $g, h$ have order $q$ in $G_2$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps: DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$ where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1^4$ we have $c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP)$.
24
Bilinear Diffie-Hellman Problem
BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e: G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\epsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if $\Pr[A(P, aP, bP, cP) = \hat e(P, P)^{abc}] \ge \epsilon$.
BDH parameter generator: A randomized algorithm $G$ is a BDH parameter generator if 1) $G$ takes a security parameter $k$, 2) $G$ runs in time polynomial in $k$, 3) $G$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$.
BDH assumption: Let $G$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $Adv_{G,A}(k)$ in solving the BDH problem for $G$ if
$Adv_{G,A}(k) = \Pr\left[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\middle|\; (q, G_1, G_2, \hat e) \leftarrow G(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\right]$.
We say that $G$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $Adv_{G,A}(k)$ is a negligible function.
25
Possible construction for a generator satisfying the BDH assumption
Elliptic curves: a curve defined by the equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \bmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$; $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$, and let $G_1$ be the subgroup generated by $P$.
Fact 2: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent, they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
26
Possible construction for a generator satisfying the BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P ord_P(f) \cdot (P)$. Here $ord_P(f)$ is the order of the zero that $f$ has at point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $(Q) - (O)$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for a generator satisfying the BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n \mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n \mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$e(P, Q) = \dfrac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}$.
It's clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$.
But it's degenerate, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for a generator satisfying the BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows: $\hat e(P, Q) = e(P, \phi(Q))$.
Recall: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for a generator satisfying the BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows: $\hat e(P, Q) = e(P, \phi(Q))$.
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of p and q can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $G$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$ the algorithm works as follows.
Step 1: Run $G$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does the following:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = s Q_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$;
(2) choose a random $r \in \mathbb{Z}_q^*$;
(3) set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{ID}^{\,r}))$, where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*$.
33
Boneh-Franklin IBE scheme
Decrypt: Let $C = (U, V) \in C$ be a ciphertext encrypted using the public key $ID$. To decrypt $C$ using the private key $d_{ID} \in G_1^*$ compute $V \oplus H_2(\hat e(d_{ID}, U)) = m$.
34
Boneh-Franklin IBE scheme
Consistency: $\hat e(d_{ID}, U) = \hat e(s Q_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$.
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$.
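As an added example (not code from the slides or from the Boneh-Franklin or BCHK papers), the following Python puts slides 13, 14 and 30-34 together: a Lamport one-time signature with SHA-256 as the one-way function, the BasicIdent Setup/Extract/Encrypt/Decrypt with the slide-34 consistency check, and the CHK transform wrapping the two. The pairing is a constructed toy ($G_1 = \mathbb{Z}_{101}$, $G_2$ the order-101 subgroup of $\mathbb{Z}_{607}^*$) chosen so the algebra runs in plain Python; it is deliberately insecure (discrete logs in $G_1$ are trivial, so BDH is easy) and stands in for a real elliptic-curve pairing only to exhibit the equations.

```python
import hashlib
import secrets

# Toy symmetric pairing, constructed for illustration only (NOT secure):
# G1 = (Z_q, +) with generator P = 1; G2 = the order-q subgroup of Z_p^*
# generated by g; e(aP, bP) = g^(ab mod q). Bilinear, non-degenerate and
# computable, but discrete logs in G1 are trivial, so BDH is easy here.
Q = 101                              # prime order q of G1 and G2
PMOD = 607                           # prime p with q | p - 1 (607 = 6*101 + 1)
G = pow(2, (PMOD - 1) // Q, PMOD)    # g = 64, an element of order q in Z_p^*
P = 1                                # generator of G1
N = 32                               # message length n in bytes (n = 256 bits)

def pairing(a: int, b: int) -> int:
    """e(aP, bP) = g^(a*b)."""
    return pow(G, (a * b) % Q, PMOD)

def h1(identity: bytes) -> int:
    """H1: {0,1}^* -> G1^* (never the zero element)."""
    d = hashlib.sha256(b"H1|" + identity).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)

def h2(elem: int) -> bytes:
    """H2: G2 -> {0,1}^n."""
    return hashlib.sha256(b"H2|" + elem.to_bytes(4, "big")).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Boneh-Franklin BasicIdent (slides 30-34) over the toy pairing
def ibe_setup():
    s = secrets.randbelow(Q - 1) + 1         # master key s in Z_q^*
    return (s * P) % Q, s                     # (P_pub = sP, msk = s)

def ibe_extract(msk: int, identity: bytes) -> int:
    return (msk * h1(identity)) % Q           # d_ID = s * Q_ID

def ibe_encrypt(p_pub: int, identity: bytes, m: bytes):
    r = secrets.randbelow(Q - 1) + 1         # r in Z_q^*
    g_id = pairing(h1(identity), p_pub)      # g_ID = e(Q_ID, P_pub)
    return (r * P) % Q, xor(m, h2(pow(g_id, r, PMOD)))   # (U, V)

def ibe_decrypt(d_id: int, ct) -> bytes:
    u, v = ct
    return xor(v, h2(pairing(d_id, u)))      # V xor H2(e(d_ID, U))

def masks_agree(msk: int, identity: bytes, r: int) -> bool:
    """Slide 34 consistency: e(d_ID, rP) == e(Q_ID, P_pub)^r."""
    lhs = pairing(ibe_extract(msk, identity), (r * P) % Q)
    rhs = pow(pairing(h1(identity), (msk * P) % Q), r, PMOD)
    return lhs == rhs

# Lamport one-time signature (slide 13) with f = SHA-256 and n = 256 bits
def ots_gen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    vk = [tuple(hashlib.sha256(x).digest() for x in pair) for pair in sk]
    return vk, sk                             # (Y, X)

def _bits(msg: bytes):
    """Messages are hashed to n = 256 bits before signing (hash-and-sign)."""
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]       # x_{i m_i}

def ots_verify(vk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(sig[i]).digest() == vk[i][b]   # y_{i m_i} == f(x)
               for i, b in enumerate(_bits(msg)))

# CHK transform (slide 14): CCA-secure PKE from the IBE and the one-time signature
def _vk_bytes(vk) -> bytes:
    return b"".join(y0 + y1 for y0, y1 in vk)  # vk serialised as the IBE identity

def _ct_bytes(c) -> bytes:
    u, v = c
    return u.to_bytes(4, "big") + v            # IBE ciphertext as the signed message

def pke_encrypt(pk: int, m: bytes):
    vk, sk = ots_gen()                         # fresh one-time key pair per message
    c = ibe_encrypt(pk, _vk_bytes(vk), m)      # Encode(PK, vk, m): identity is vk
    return vk, c, ots_sign(sk, _ct_bytes(c))   # (vk, c, Sign(sk, c))

def pke_decrypt(msk: int, ct):
    vk, c, sig = ct
    if not ots_verify(vk, _ct_bytes(c), sig):
        return None                            # reject (output bottom)
    return ibe_decrypt(ibe_extract(msk, _vk_bytes(vk)), c)

def demo() -> bool:
    pk, msk = ibe_setup()                      # Gen: PK = P_pub, secret key = msk
    m = bytes(range(N))                        # constructed 32-byte message
    vk, c, sig = pke_encrypt(pk, m)
    ok = pke_decrypt(msk, (vk, c, sig)) == m
    u, v = c                                   # altering c invalidates the signature
    tampered = pke_decrypt(msk, (vk, (u, xor(v, b"\x01" * N)), sig)) is None
    return ok and tampered
```

Calling `demo()` runs the round trip and shows the decryptor rejecting a ciphertext whose IBE component was altered after signing, which is the case the slide-15 intuition relies on.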
35
BF IBE scheme security: Selective IND-ID-CPA security under standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security: Selective IND-ID-CPA security under standard model
Decisional BDH: to distinguish between $(P, aP, bP, cP, \hat e(P, P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in G_2$ (equivalently, given $(P, aP, bP, cP)$, to distinguish $\hat e(P, P)^{abc}$ from a random element of $G_2$).
Theorem: If there exists a poly-time adversary $A$ that gains advantage $\epsilon$ in the selective IND-ID-CPA game, then there exists a poly-time adversary $B$ that solves Decisional BDH with probability $\frac12 + \frac{\epsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k: \{0,1\}^* \to G_1$.
2. For all $x \in \{0,1\}^*$ and $y \in G_1$ there exists $k$ s.t. $H_k(x) = y$.
3. Such a $k$ is easy to find.
37
BF IBE scheme security: Selective IND-ID-CPA security under standard model
Algorithm $B$:
1. $B$ gets $(q, G_1, G_2, \hat e, P)$ and $(Q = aP, U = bP, R = cP, r)$. $B$ has to answer 1 if $\hat e(P, P)^{abc} = r$ and 0 otherwise.
2. $B$ starts to execute $A$ and on the first step receives $ID$.
3. $B$ chooses a random $s \in \mathbb{Z}_q^*$ and finds $H_1 \in \mathcal{H}$, a hash function such that $H_1(ID) = s^{-1} P$, and another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. $B$ provides $A$ with the public setup $(q, G_1, G_2, \hat e, n, Q, sQ, H_1, H_2)$. So the master key is $s$ and the public key is $sQ$.
5. $B$ answers $A$'s extraction queries in the standard way.
6. When $A$ is ready for a challenge it gives two messages $m_0, m_1$. $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = (R,\ m_b \oplus H_2(r))$.
7. $B$ answers 1 if $A$ was correct.
38
BF IBE scheme security: Selective IND-ID-CPA security under standard model
Analysis of algorithm $B$:
- Algorithm $B$ runs in the same time as $A$.
- In the last stage:
  - If $\hat e(P, P)^{abc} = r$ then $H_2(r)$ is exactly the mask $H_2(\hat e(d_{ID}, R))$ that the scheme applies to a ciphertext whose first component is $R$, and thus $(R,\ H_2(r) \oplus m_b)$ is a valid encryption of $m_b$; hence $\Pr[A \text{ answers correctly}] = \frac12 + \epsilon$.
  - Otherwise $H_2(r)$ is a uniformly random string, and thus $H_2(r) \oplus m_b$ is a uniformly random string; hence $\Pr[A \text{ answers correctly}] = \frac12$.
- Thus $B$ answers correctly with probability at least $\frac12 + \frac{\epsilon}{2}$.
39
BF IBE scheme security: IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security: IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$ the algorithm works as follows.
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = s Q_{id}$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{id}^{\,r}))$, where $g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2^*$.
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security: IND-ID-CPA security under random oracle model
Now, if there is a polytime adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible probability, then there is a polytime adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
Setup: Algorithm $B$ is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. $B$ gives $A$ the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$; $H_1$ is a random oracle controlled by $B$ in the following way. $B$ maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$; we call it the $H_1$-list. The list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1$-list in a tuple $(ID_i, Q_i, b_i, coin_i)$ then $B$ responds with $H_1(ID_i) = Q_i$.
2. Otherwise $B$ generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$ for a suitably chosen $\delta$.
3. $B$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$, $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. $B$ adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1$-list and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
10
Possible applications
In addition ability to use an arbitrary string as public key allows following usages
Revocation of Public Keysndash Keys of form bobcompanycom || year
ndash There is a corporate PKG which will give Bob private key valid for a year
Managing user credentialsndash Keys of form bobcompanycom ||year||clearance
ndash Bob will be able to read messages only if he has appropriate clearance on the specified date
Delegation to a laptopndash Bob knows private master-key and creates temporary private keys to be used on his
laptop during vacation
Delegation of dutiesndash Suppose Bob has several assistants for different subjects then he can create different
private keys for each subject and having master key will allow him to read all the mail
11
Possible applications
Finally identity based encryption can be used to
construct CCA2-secure encryption
We will see such construction now
12
Recall ndash CCA2 security
CCA2 or adaptive chosen ciphertext attack security means that there is no poly-time adversary A
that can win IND-CCA game with probability non-negligibly greater than half The IND-CCA game
is defined as follows
Setup The challenger takes a security parameter k and runs the GEN algorithm It gives the
adversary the resulting public key It keeps the private key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi
bullDecryption query ltCigt The challenger responds by decrypting Ci using the private
key It sends resulting plaintext to the adversary
Challenge The adversary outputs two equal length messages that did not appear in
any decryption query The challenger picks a random b and sets C = Encrypt(private-key Mb)
It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
13
Constructing CCA-secure scheme
We will construct now a public-key encryption scheme that is based on
IBE scheme which is selective-ID secure against chosen-plaintext attacks
One-time signature which is strongly unforgeable (which means that an adversary
should not be able to forge a new signature even on a previously-signed
message) Example of such scheme
10 11 20 21 0 1
Lamport scheme
Let be a one-way-function Then to sign a message of bits do
The signing key is 2 random elements in the domain of
The public verification key
n n
f n
n f
X x x x x x x
1 2
1 2
10 11 20 21 0 1
0 1 1 2
1 2
is the images of X under
where ( )
To sing a message output the values
To verify a signature on
n
n
n n i j i j
n m m nm
m m nm
f
Y y y y y y y i j y f x
m m m m n x x x
x x x
message with public key
verify that for each ( )i iim im
m Y
i y f x
14
Constructing CCA-secure scheme
The construction is by Canetti Halevi and Katz and goes as following
Let =(SetupExtractEncodeDecode) be an IBE scheme and Sig=(G Sign Verify) be a one-time signature scheme
Our public encryption scheme =(GenEncodeDecode) will work as follows
on 1
Runs S
k
Gen
etup(1 ) to obtain ( ) The public key is and the secret key is
To encrypt message using public key the sender first runs G(1 ) to obtain verification key and signing ke
k
k
PK msk PK msk
m PK vk
Encryption
y
The sender then computes ( ) (ie sender uses as an identity) and ( )
The final ciphertext is ( )
To decrypt ciphertext ( ) using secret key t
sk
c Encode PK vk m vk Sign sk c
vk c
vk c msk
Decryption
he receiver first checks whether Verify( ) 1
If not the receiver simply outputs Otherwise the receiver computes ( ) and outputs
( )
It is clear that this s
vk
vk
vk c
SK Extract msk vk
Decode SK vk c m
cheme is indeed a correct public-key encryption scheme
15
Proof of CCA2-security
Intuition for the proof (informal): Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. It is clear that without any decryption oracle queries the plaintext corresponding to the ciphertext remains hidden to the adversary; this is so because $c^*$ is output by the IBE scheme, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\perp$, since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \neq vk^*$ then the decryption query will not help the adversary, since the eventual decryption using Decrypt will be done with respect to a different identity $vk \neq vk^*$.
16
Proof of CCA2-security
Formal proof:
Assume we are given a poly-time adversary $A$ attacking our scheme in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $\mathrm{Verify}(vk, c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game, and let Forge denote the event that $A$ submits a valid ciphertext $(vk^*, c, \sigma)$. We prove the following claims:
Claim 1: $\Pr^{PKE}_A[\mathrm{Forge}]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac{1}{2}\Pr^{PKE}_A[\overline{\mathrm{Forge}}]\right|$ is negligible.
Now from these two claims we get
$$\left|\Pr^{PKE}_A[\mathrm{Success}] - \tfrac12\right| \le \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac12\Pr^{PKE}_A[\overline{\mathrm{Forge}}]\right| + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \mathrm{Forge}] - \tfrac12\Pr^{PKE}_A[\mathrm{Forge}]\right|$$
$$\le \tfrac12\Pr^{PKE}_A[\mathrm{Forge}] + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac12\Pr^{PKE}_A[\overline{\mathrm{Forge}}]\right|$$
which is negligible given the stated claims.
17
Proof of CCA2-security
Proof of claim 1:
We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr^{PKE}_A[\mathrm{Forge}]$. Security of Sig implies the claim.
$F$ is defined as follows: given input $1^k$ and verification key $vk$, $F$ first runs $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption queries of $A$. If $A$ happens to submit a valid ciphertext $(vk, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, forger $F$ proceeds as follows: it chooses a random bit $b$, computes $c = \mathrm{Encrypt}(vk, m_b)$ and obtains from its signing oracle a signature $\sigma$ on the message $c$. Finally, $F$ hands $(vk, c, \sigma)$ to $A$.
If $A$ submits a valid ciphertext $(vk, c', \sigma')$ to its decryption oracle, note that we must have $(c', \sigma') \neq (c, \sigma)$. In this case $F$ simply outputs $(c', \sigma')$ as its forgery. It is easy to see that $F$'s success probability is exactly $\Pr^{PKE}_A[\mathrm{Forge}]$.
18
Proof of CCA2-security
Proof of claim 2:
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $\mathrm{Decode}(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
(a) If $vk = vk^*$ then $A'$ checks whether $\mathrm{Verify}(vk^*, c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\perp$.
(b) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 0$ then $A'$ responds with $\perp$.
(c) If $vk \neq vk^*$ and $\mathrm{Verify}(vk, c, \sigma) = 1$ then $A'$ makes the oracle query $\mathrm{Extract}(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = \mathrm{Decode}(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* = \mathrm{Sign}(sk^*, c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally, $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of claim 2, continued:
Note that $A'$ represents a legal adversarial strategy for attacking the IBE scheme; in particular, $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore, $A'$ provides a perfect simulation for $A$ until event Forge occurs (in such event $A'$ outputs a random bit). And thus
$$\Pr^{IBE}_{A'}[\mathrm{Success}] - \tfrac12 = \Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac12\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac12 = \Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] - \tfrac12\Pr^{PKE}_A[\overline{\mathrm{Forge}}]$$
and the left side of the above is negligible by the assumed security of the IBE scheme.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e: G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$, $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps – MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$:
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By bilinearity, $h = g^{\alpha}$.
By non-degeneracy of $\hat e$, both $g$ and $h$ have order $q$ in $G_2$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps – DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$ where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1$ we have:
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP)$$
24
Bilinear Diffie-Hellman Problem
BDH problem:
Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e: G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$.
The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\epsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if $\Pr[A(P, aP, bP, cP) = \hat e(P, P)^{abc}] \ge \epsilon$.
BDH parameter generator:
A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes security parameter $k$,
2) $\mathcal{G}$ runs in time polynomial in $k$,
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$.
BDH assumption:
Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $\mathrm{Adv}_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$\mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\left[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\middle|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\; P \leftarrow G_1^*,\; a, b, c \leftarrow \mathbb{Z}_q^*\right]$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $\mathrm{Adv}_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
A curve $E$ is defined by the equation $y^2 = x^3 + ax + b$ over some field $\mathbb{F}$. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$ where $p$ is a prime satisfying $p \equiv 2 \bmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$.
Fact 2: $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$.
Fact 3: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p$) then $y$ is uniform in $\mathbb{F}_p$.
Fact 4: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$. Since the points $P$ and $\phi(P)$ are linearly independent, they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
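Facts 1 to 3 checked by brute force on small constructed primes, as an added Python example (not from the slides); the cube-root formula it uses, $v^{(2p-1)/3}$, is the inverse of $x \mapsto x^3$ whenever $p \equiv 2 \bmod 3$ and is exactly what lets a hash value be mapped onto the curve.

```python
# Added example, not from the slides: checking Facts 1 to 3 for the curve
# E: y^2 = x^3 + 1 over F_p with p = 2 mod 3, on small constructed primes.
from typing import List, Tuple


def cube_root(v: int, p: int) -> int:
    """Inverse of x -> x^3 on F_p when p = 2 mod 3: v^((2p-1)/3), because
    3 * (2p-1)/3 = 2p - 1 = 1 mod (p-1), so cubing the result gives v back."""
    if p % 3 != 2:
        raise ValueError("cube root formula needs p = 2 mod 3")
    return pow(v, (2 * p - 1) // 3, p)


def cube_is_permutation(p: int) -> bool:
    """Fact 1: x -> x^3 is a permutation of F_p (true exactly when p = 2 mod 3)."""
    return sorted(pow(x, 3, p) for x in range(p)) == list(range(p))


def affine_points(p: int) -> List[Tuple[int, int]]:
    """All finite points of E(F_p) by exhaustive search; O is not included."""
    return [(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - 1) % p == 0]


def curve_order(p: int) -> int:
    """Fact 2: #E(F_p) = p + 1, counting the point at infinity O."""
    return len(affine_points(p)) + 1


def map_to_point(y0: int, p: int) -> Tuple[int, int]:
    """Fact 3: the unique point of E(F_p) with y-coordinate y0 is ((y0^2 - 1)^(1/3), y0).
    This is how an arbitrary field element (e.g. a hashed ID) lands on the curve."""
    return (cube_root((y0 * y0 - 1) % p, p), y0)


def each_y_has_one_point(p: int) -> bool:
    """Fact 3 check: every y0 in F_p is the y-coordinate of exactly one finite
    point, and map_to_point finds that point."""
    pts = set(affine_points(p))
    return all(
        sum(1 for (_, y) in pts if y == y0) == 1 and map_to_point(y0, p) in pts
        for y0 in range(p)
    )
```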
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) \cdot (P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor $\mathcal{A}'$ of the form $(Q) - (O)$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}$$
It's clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$.
But it's degenerate, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q))$$
Recall: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q))$$
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$, the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$ where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$$C = (rP,\; m \oplus H_2(g_{ID}^{\,r})) \quad \text{where } g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2$$
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = (U, V) \in C$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m$$
34
Boneh-Franklin IBE scheme
Consistency
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$$
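The Setup/Extract/Encrypt/Decrypt flow and the consistency chain above, run end to end as an added Python example (not the slides' or Boneh-Franklin's code). It assumes a constructed toy pairing $e(a, b) = g^{ab \bmod q}$ on $G_1 = \mathbb{Z}_q$, which is bilinear and non-degenerate but gives no security, since discrete logs in $\mathbb{Z}_q$ are a division; it exists only to make the algebra executable.

```python
# Added example, not the slides' or Boneh-Franklin's code: the BF
# Setup/Extract/Encrypt/Decrypt flow on a toy symmetric pairing, to make the
# chain e(d_ID, U) = e(sQ_ID, rP) = e(Q_ID, P)^{sr} = e(Q_ID, P_pub)^r runnable.
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed toy groups (assumption): G1 = Z_q under addition with generator 1,
# G2 = the order-q subgroup of Z_p^*, and e(a, b) = g^(a*b mod q). This e is
# bilinear, non-degenerate and computable but offers no security whatsoever.
Q = 1019                    # prime group order q
P_MOD = 2 * Q + 1           # 2039, also prime
G2_GEN = pow(2, 2, P_MOD)   # a quadratic residue mod p, hence of order q
N_BYTES = 16                # message length n = 128 bits


def pairing(a: int, b: int) -> int:
    """Toy admissible map e: G1 x G1 -> G2."""
    return pow(G2_GEN, (a * b) % Q, P_MOD)


def H1(identity: str) -> int:
    """{0,1}^* -> G1^*: hash the ID, then force a nonzero element of Z_q."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + h % (Q - 1)


def H2(g2: int) -> bytes:
    """G2 -> {0,1}^n."""
    return hashlib.sha256(g2.to_bytes(4, "big")).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def setup() -> Tuple[dict, int]:
    """Setup: generator P, master key s, P_pub = sP. Returns (mpk, msk)."""
    s = secrets.randbelow(Q - 1) + 1
    P = 1
    return {"P": P, "P_pub": (s * P) % Q}, s


def extract(msk: int, identity: str) -> int:
    """Extract: d_ID = s * Q_ID with Q_ID = H1(ID)."""
    return (msk * H1(identity)) % Q


def encrypt(mpk: dict, identity: str, m: bytes,
            r: Optional[int] = None) -> Tuple[int, bytes]:
    """Encrypt: C = (rP, m xor H2(g_ID^r)) with g_ID = e(Q_ID, P_pub)."""
    if len(m) != N_BYTES:
        raise ValueError("message must be exactly n bits")
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    g_id = pairing(H1(identity), mpk["P_pub"])
    U = (r * mpk["P"]) % Q
    V = xor(m, H2(pow(g_id, r, P_MOD)))
    return U, V


def decrypt(d_id: int, c: Tuple[int, bytes]) -> bytes:
    """Decrypt: V xor H2(e(d_ID, U))."""
    U, V = c
    return xor(V, H2(pairing(d_id, U)))


def consistency_chain(mpk: dict, msk: int, identity: str, r: int) -> bool:
    """Evaluate every term of the slide's chain separately and compare."""
    q_id, d_id = H1(identity), extract(msk, identity)
    U = (r * mpk["P"]) % Q
    lhs = pairing(d_id, U)                                    # e(d_ID, U)
    mid = pairing((msk * q_id) % Q, U)                        # e(sQ_ID, rP)
    exp = pow(pairing(q_id, mpk["P"]), (msk * r) % Q, P_MOD)  # e(Q_ID, P)^{sr}
    rhs = pow(pairing(q_id, mpk["P_pub"]), r, P_MOD)          # e(Q_ID, P_pub)^r
    return lhs == mid == exp == rhs
```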
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Decisional BDH: to distinguish between $(P, aP, bP, cP, abcP)$ and $(P, aP, bP, cP, rP)$, which is equal to distinguishing between $(P, aP, bP, cP, \hat e(P, P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary $A$ that gains advantage $\epsilon$ in the selective IND-ID-CPA game then there exists a poly-time adversary $B$ that solves Decisional BDH with probability $\tfrac12 + \tfrac{\epsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k: \{0,1\}^* \to G_1$
2. For every $x \in \{0,1\}^*$ and $y \in G_1$ there is a $k$ s.t. $H_k(x) = y$
3. Such $k$ is easy to find
37
BF IBE scheme security
Selective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme called BasicPub; this scheme is defined by the following algorithms:
keygen: Given a security parameter $k$, the algorithm works as follows:
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id}$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = (rP,\; m \oplus H_2(g_{id}^{\,r}))$ where $g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2$.
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now if there is a poly-time adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof:
setup: Algorithm $B$ is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. $B$ gives $A$ the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$; $H_1$ is a random oracle controlled by $B$ in the following way:
$B$ maintains a list of tuples $(ID_j, Q_j, b_j, c_j)$; we call it the $H_1^{list}$. The list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, c_i)$ then $B$ responds with $H_1(ID_i) = Q_i$.
2. Otherwise $B$ generates a random $coin \in \{0,1\}$ so that $\Pr[coin = 0] = \delta$ for some fixed $\delta$.
3. $B$ picks a random $b \in \mathbb{Z}_q^*$. If $coin = 0$, $Q_i = bP$; otherwise $Q_i = bQ_{id}$.
4. $B$ adds the tuple $(ID_i, Q_i, b, coin)$ to the list and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1. Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, c_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then $B$ reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i s P = s Q_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $A$.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model
Challenge: Once algorithm $A$ decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $B$ obtains the tuple $(ID_{ch}, Q, b, coin)$ corresponding to $ID_{ch}$. If $coin = 0$ then $B$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1^*$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $B$ responds to $A$ with $C'$. Note
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id})$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm $A$ may continue issuing key extraction queries; algorithm $B$ will respond as before.
Eventually algorithm $A$ will output its answer $b'$; algorithm $B$ will output the same answer.
If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.
$B$ does not abort with non-negligible probability. And thus $B$ wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model
setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ the key $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm $A$ may issue queries to the random oracle $H_2$. To respond to them $B$ maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$. The list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then $B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to $A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model
challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = (P_3, R)$. Algorithm $B$ gives $c$ as the challenge to $A$. Observe that by definition the decryption of $c$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$$
48
BF IBE scheme security
IND-ID-CPA security under random oracle model
guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness:
$B$ simulates a real attack environment for $A$ and thus we expect $A$ to be correct with non-negligible probability (if given a correct encryption in the last stage). And thus the probability of $A$ asking for $H_2(D)$ is non-negligible (since otherwise the decryption of $C$ is independent of $A$'s view and thus $A$ can't answer correctly with probability greater than half). So we have $D$ in our list with that non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
11
Possible applications
Finally identity based encryption can be used to
construct CCA2-secure encryption
We will see such construction now
12
Recall ndash CCA2 security
CCA2 or adaptive chosen ciphertext attack security means that there is no poly-time adversary A
that can win IND-CCA game with probability non-negligibly greater than half The IND-CCA game
is defined as follows
Setup The challenger takes a security parameter k and runs the GEN algorithm It gives the
adversary the resulting public key It keeps the private key for itself
Phase 1 The adversary issues queries q1 q2hellipqm where qi
bullDecryption query ltCigt The challenger responds by decrypting Ci using the private
key It sends resulting plaintext to the adversary
Challenge The adversary outputs two equal length messages that did not appear in
any decryption query The challenger picks a random b and sets C = Encrypt(private-key Mb)
It sends C as a challenge to the adversary
Phase 2 Adversary issues more queries as in phase 1 (but not about the challenge)
Guess Adversary outputs a guess brsquo and with the game if b=brsquo
0 1m m M
13
Constructing CCA-secure scheme
We will construct now a public-key encryption scheme that is based on
IBE scheme which is selective-ID secure against chosen-plaintext attacks
One-time signature which is strongly unforgeable (which means that an adversary
should not be able to forge a new signature even on a previously-signed
message) Example of such scheme
10 11 20 21 0 1
Lamport scheme
Let be a one-way-function Then to sign a message of bits do
The signing key is 2 random elements in the domain of
The public verification key
n n
f n
n f
X x x x x x x
1 2
1 2
10 11 20 21 0 1
0 1 1 2
1 2
is the images of X under
where ( )
To sing a message output the values
To verify a signature on
n
n
n n i j i j
n m m nm
m m nm
f
Y y y y y y y i j y f x
m m m m n x x x
x x x
message with public key
verify that for each ( )i iim im
m Y
i y f x
14
Constructing CCA-secure scheme
The construction is by Canetti Halevi and Katz and goes as following
Let =(SetupExtractEncodeDecode) be an IBE scheme and Sig=(G Sign Verify) be a one-time signature scheme
Our public encryption scheme =(GenEncodeDecode) will work as follows
on 1
Runs S
k
Gen
etup(1 ) to obtain ( ) The public key is and the secret key is
To encrypt message using public key the sender first runs G(1 ) to obtain verification key and signing ke
k
k
PK msk PK msk
m PK vk
Encryption
y
The sender then computes ( ) (ie sender uses as an identity) and ( )
The final ciphertext is ( )
To decrypt ciphertext ( ) using secret key t
sk
c Encode PK vk m vk Sign sk c
vk c
vk c msk
Decryption
he receiver first checks whether Verify( ) 1
If not the receiver simply outputs Otherwise the receiver computes ( ) and outputs
( )
It is clear that this s
vk
vk
vk c
SK Extract msk vk
Decode SK vk c m
cheme is indeed a correct public-key encryption scheme
15
Proof of CCA2-security
Intuition for the proof (informal) Let ( ) be the challenge ciphertext It is clear that without any decryption oracle queries the plaintext
corresponding to the ciphertext remains hidden to the adversary this is so because
vk c is output by which is
CPA-secure (and the additional components of the ciphertext provide no additional help)
Decryption oracle queries cant further help the adversary On one hand if the adve
c
rsary submits to the oracle a
ciphertext ( ) that is different from the challenge ciphertext but with then the decryption oracle
will reply with since the adversary is unable to forge
vk c vk vk
new valid signatures with respect to On the other
hand if then the decryption query will not help the adversary since the eventual decryption using Decrypt
will be done with respect to a
vk
vk vk
different identity vk
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary attacking in an adaptive chosen-ciphertext attack
Say a ciphertext ( ) is valid if ( ) 1 Let ( ) denote the challenge
ciphertext r
A
vk c Verify vk c vk c
eceived by during a particular run of the game and let Forge denote the event that
submits a valid ciphertext ( ) We prove the following claims
Pr [ ] is negligible
PKE
A
A
A vk c
Forge
Claim 1
Claim
1 12|Pr [ ] Pr [ ] | is negligible
2 2
Now from these two claims we get
1Pr [ ]
2
1 1 |Pr [ ] Pr [ ]|+|Pr [ ] Pr
2 2
PKE PKE
A A
PKE
A
PKE PKE PKE PKE
A A A A
Success Forge Forge
Success
Success Forge Forge Success Forge
1[ ] |
2
1 1 Pr [ ] |Pr [ ] Pr [ ] |
2 2
which is negligible given the stated claims
PKE PKE PKE
A A A
Forge
Forge Success Forge Forge
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger who forges a signature with respect to signature scheme Sig with
probability exactly Pr [ ] Security of Sig implies the claim
is defined as follows giv
PKE
A
F
Forge
F
en input 1 and verification key first runs Setup(1 ) to obtain
(PK msk) and then runs (1 ) Note that can answer any decryption queries of If
happens to submit a valid ciphertext (
k k
k
vk F
A PK F A A
v
0 1
) to its decryption oracle before requesting the challenge
ciphertext then simple outputs the forgery ( ) and stops Otherwise when outputs messages
forger proceeds as follows ch
k c
F c A
m m F
ooses a random bit b computes ( ) and
obtains from its signing oracle a signature on the message Finally hands ( ) to A
If submits a valid ciphertext ( ) to i
bc Encrypt vk m
c F vk c
A vk c
ts decryption oracle note that we must have ( ) ( )
In this case simply outputs ( ) as its forgery It is easy to see that s success probability is
exactly Pr [ ]PKE
A
c c
F c F
Forge
18
Proof of CCA2-security
Proof of claim 2
We use to construct a poly-time adversary which attacks the IBE scheme in selective IND-ID-CPA game
Define adversary as follows
1 (1 ) runs G(1 ) to generate ( ) and outputs the tk k
A A
A
A vk sk
arget identity
2 is given a master public key Adversary in turn runs (1 )
3 When makes a decryption oracle query ( ) adversary proceeds as follows
(a) If
k
ID vk
A PK A A PK
A Decode vk c A
then checks whether ( ) 1 If so aborts and outputs a random bit
Otherwise it simply responds with
(b) If and ( ) 0 then responds w
vk vk A Verify vk c A
vk vk Verify vk c A
ith
(c) If and ( ) 1 then makes the oracle query ( ) to obtain
It then computes ( ) and responds with
4 At some point outpu
vk vk
vk vk Verify vk c A Extract msk vk
SK m Decode SK vk c m
A
0 1
ts two messages These messages are output by A as well In return A
is given a challenge ciphertext adversary then computes ( ) and returns ( ) to
5 may co
m m
c A Sign sk c vk c A
A
ntinue to make decryption queries and these are answered as before
6 Finally outputs a guess this same guess is output by A b A
19
Proof of CCA2-security
Proof of claim 2 continued
Note that represents a legal adversarial strategy for attacking in particular never requests
the secret key corresponding to the target identity Furthermore provides a perfect sim
A A
vk A
ulation
for until event Forge occurs (in such event outputs a random bit) And thus
1 1 1 Pr [ ] Pr [ ] Pr [ ]
2 2 2
And the left side of the a
IBE PKE PKE
A A A
A A
Success Success Forge Success Forge
bove is negligible by the assumed security of
20
Boneh-Franklin construction
21
Bilinear maps
1 2 1 1 2
1
ˆLet and be two groups of order We say that a map eG between
these two groups is bilinear if it satisfies the following properties
ˆ ˆ1 Bilinear for all and ( ) (a b
G G q G G
P Q G a b e P Q e P
1 1 2
1
)
2 Non-degenerate The map does not send all pairs in G to the identity in
ˆ3 Computable There is an efficient algorithm to compute ( ) for any
abQ
G G
e P Q P Q G
A bilinear map satisfying the three properties above is said to be an admissible
bilinear map The existence of such a map has two direct implications to these
groups we will see them next
22
Bilinear maps ndash MOV reduction
Named after Menezes Okamoto and Vanstone
Shows that the discrete log problem in G1 is no harder than the discrete
log problem in G2
1
2
Let where both have order We wish to find such that
ˆ ˆLet ( ) and ( )
ˆBy non-degeneracy of both have order in
bilinearity
P Q G P Q q Q P
g e P P h e Q P h g
e g h q G
Hence we reduced the discrete log problem in G1 to a discrete log
problem in G2
23
Bilinear maps ndash DDH is easy
The Decision Diffie-Hellman problem in G1 is to
distinguish between the distributions (P Pa Pb Pab)and
(P Pa Pb Pc) where abc are random in Zq0 and P is
random in G10
1Given we have
ˆ ˆmod ( ) ( )
a b c
c a b
P P P P G
c ab q e P P e P P
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
Elliptic curves: A curve $E$ defined by the equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \pmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$. $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$.
Fact 2: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
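An added brute-force check of Facts 1 to 3 (not part of the slides) for the small prime $p = 11$, which satisfies $p \equiv 2 \pmod 3$. The representation $\mathbb{F}_{p^2} = \mathbb{F}_p[i]/(i^2 + 1)$ is an assumption made here; it is valid because $11 \equiv 3 \pmod 4$.

```python
# Added example, not from the slides: verifies Facts 1-3 about
# E: y^2 = x^3 + 1 over F_p (p = 2 mod 3) by exhaustive search for p = 11.
# F_{p^2} is represented as pairs (a, b) meaning a + b*i with i^2 = -1,
# an assumption that works because 11 = 3 (mod 4).

P_MOD = 11  # constructed small prime with P_MOD % 3 == 2 and P_MOD % 4 == 3


def fp2_mul(u, v, p=P_MOD):
    """Multiply u = u0 + u1*i and v = v0 + v1*i in F_{p^2}, i^2 = -1."""
    (u0, u1), (v0, v1) = u, v
    return ((u0 * v0 - u1 * v1) % p, (u0 * v1 + u1 * v0) % p)


def fp2_pow(u, e, p=P_MOD):
    r = (1, 0)
    for _ in range(e):
        r = fp2_mul(r, u, p)
    return r


def on_curve(pt, p=P_MOD):
    """pt = (x, y) with x, y in F_{p^2}; test y^2 == x^3 + 1."""
    x, y = pt
    lhs = fp2_mul(y, y, p)
    rhs = fp2_mul(fp2_mul(x, x, p), x, p)
    return lhs == ((rhs[0] + 1) % p, rhs[1])


def affine_points_fp(p=P_MOD):
    """All affine points of E(F_p); Fact 1 says p of them plus O makes p + 1."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x * x * x - 1) % p == 0]


def cube_is_permutation(p=P_MOD):
    """Fact 1: x -> x^3 is a bijection on F_p when p = 2 (mod 3)."""
    return sorted(pow(x, 3, p) for x in range(p)) == list(range(p))


def unique_x_for_each_y(p=P_MOD):
    """Fact 2: every y0 in F_p lies on exactly one point (x0, y0) of E(F_p)."""
    pts = affine_points_fp(p)
    return all(sum(1 for (x, y) in pts if y == y0) == 1 for y0 in range(p))


def primitive_cube_root(p=P_MOD):
    """Fact 3: a zeta != 1 in F_{p^2} with zeta^3 = 1 (none lies in F_p)."""
    for a in range(p):
        for b in range(p):
            z = (a, b)
            if z != (1, 0) and fp2_pow(z, 3, p) == (1, 0):
                return z
    return None


def phi(pt, zeta, p=P_MOD):
    """The automorphism phi(x, y) = (zeta*x, y) on E(F_{p^2})."""
    x, y = pt
    return (fp2_mul(zeta, x, p), y)


def phi_leaves_fp(p=P_MOD):
    """Fact 3: phi(Q) is on E(F_{p^2}) but outside E(F_p) for Q in E(F_p).
    The two points (0, +1) and (0, -1) are the exception: zeta*0 = 0 fixes
    them, and since 2*(0, 1) = (0, -1) they have order 3, so they never lie
    in an order-q subgroup for q > 3; they are skipped here."""
    zeta = primitive_cube_root(p)
    for (x, y) in affine_points_fp(p):
        if x == 0:
            continue
        img = phi(((x, 0), (y, 0)), zeta, p)
        if not on_curve(img, p) or img[0][1] == 0:
            return False
    return True
```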
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) \cdot (P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$e(P, Q) = \dfrac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}$
It is clear that this map is bilinear since $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$.
But it is degenerate since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat{e}: G_1 \times G_1 \to G_2$ is defined as follows:
$\hat{e}(P, Q) = e(P, \phi(Q))$
Recall: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat{e}: G_1 \times G_1 \to G_2$ is defined as follows:
$\hat{e}(P, Q) = e(P, \phi(Q))$
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$, the algorithm works as follows.
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible bilinear map $\hat{e}: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2 \rangle$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$ where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$C = \langle rP,\ m \oplus H_2(g_{ID}^{\,r}) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in G_2^*$
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = \langle U, V \rangle \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$V \oplus H_2(\hat{e}(d_{ID}, U)) = m$
34
Boneh-Franklin IBE scheme
Consistency
$\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat{e}(d_{ID}, U)$.
These masks used during encryption and decryption are the same because of the equation above.
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which $ID$ he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Decisional BDH: to distinguish between $(P, P^a, P^b, P^c, \hat{e}(P, P)^{abc})$ and $(P, P^a, P^b, P^c, \hat{e}(P, P)^{r})$, which is the same as distinguishing between $(P, P^a, P^b, P^c, \hat{e}(P, P)^{abc})$ and $(P, P^a, P^b, P^c, r)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary $A$ that gains advantage $\varepsilon$ in the selective IND-ID-CPA game then there exists a poly-time adversary $B$ that solves Decisional BDH with probability $\frac{1}{2} + \frac{1}{2}\varepsilon$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k: \{0,1\}^* \to G_1$
2. $\forall x \in \{0,1\}^*,\ y \in G_1\ \exists k$ s.t. $H_k(x) = y$
3. Such $k$ is easy to find.
37
BF IBE scheme security: Selective IND-ID-CPA security under standard model
Algorithm B
1. $B$ gets $\langle q, G_1, G_2, \hat{e}, P, Q = P^a, U = P^b, R = P^c \rangle$ and $r \in G_2$. $B$ has to answer 1 if $\hat{e}(P, P)^{abc} = r$ and 0 otherwise.
2. $B$ starts to execute $A$ and on the first step receives $ID$.
3. $B$ chooses a random $s \in \mathbb{Z}_q$ and finds a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID) = P^s$, and another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$ without any restriction.
4. $B$ provides $A$ with the public setup $\langle q, G_1, G_2, \hat{e}, n, Q, Q^s, H_1, H_2 \rangle$. So the master key is $s$ and the public key is $Q^s$.
5. $B$ answers $A$'s extraction queries in the standard way.
6. When $A$ is ready for a challenge it gives $B$ two messages $m_0, m_1$. $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = \langle R,\ m_b \oplus H_2(r) \rangle$.
7. $B$ answers 1 if $A$ was correct.
38
BF IBE scheme security: Selective IND-ID-CPA security under standard model
Analysis of algorithm B
- Algorithm $B$ runs in the same time as $A$.
- In the last stage:
  - If $\hat{e}(P, P)^{abc} = r$ then $H_2(r)$ is exactly the mask derived from $g_{ID}$ in a real encryption, and thus $\langle P^c,\ H_2(r) \oplus m_b \rangle$ is a valid encryption of $m_b$, and hence $\Pr[A \text{ answers correctly}] = \frac{1}{2} + \varepsilon$.
  - Otherwise $H_2(r)$ is a uniformly random string and thus $H_2(r) \oplus m_b$ is a uniformly random string, and hence $\Pr[A \text{ answers correctly}] = \frac{1}{2}$.
- Thus $B$ answers correctly with probability at least $\frac{1}{2} + \frac{1}{2}\varepsilon$.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$, the algorithm works as follows.
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $\langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2 \rangle$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$C = \langle rP,\ m \oplus H_2(g_{id}^{\,r}) \rangle$ where $g_{id} = \hat{e}(Q_{id}, P_{pub}) \in G_2^*$
decrypt: Let $C = \langle U, V \rangle$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat{e}(d_{id}, U)) = m$.
41
BF IBE scheme security: IND-ID-CPA security under random oracle model
Now if there is a poly-time adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage then there is a poly-time adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
setup: Algorithm $B$ is given the public key $K_{pub} = \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2 \rangle$.
$B$ gives $A$ the system parameters $\langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2 \rangle$. $H_1$ is a random oracle controlled by $B$ in the following way: $B$ maintains a list of tuples $\langle ID_j, Q_j, b_j, c_j \rangle$; we call it the $H_1^{list}$; the list is initially empty. When $A$ asks $H_1$ on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $\langle ID_i, Q_i, b_i, c_i \rangle$ then $B$ responds with $H_1(ID_i) = Q_i$.
2. Otherwise $B$ generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$.
3. $B$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$, $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. $B$ adds the tuple $\langle ID_i, Q_i, b_i, coin_i \rangle$ to the list and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security: IND-ID-CPA security under random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1. Obtain $Q_i$ using the previous algorithm; let $\langle ID_i, Q_i, b_i, c_i \rangle$ be the corresponding tuple.
2. If $coin_i = 1$ then $B$ reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i sP = sQ_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $A$.
43
BF IBE scheme security: IND-ID-CPA security under random oracle model
Challenge: Once algorithm $A$ decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = \langle U, V \rangle$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $B$ obtains the tuple $\langle ID_{ch}, Q, b, coin \rangle$ corresponding to $ID_{ch}$. If $coin = 0$ then $B$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q_{ID_{ch}} = bQ_{id}$. Recall that $C = \langle U, V \rangle$ with $U \in G_1$. Set $C' = \langle b^{-1}U, V \rangle$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $B$ responds to $A$ with $C'$. Note that
$\hat{e}(b^{-1}U, d_{ID_{ch}}) = \hat{e}(b^{-1}U, sQ_{ID_{ch}}) = \hat{e}(b^{-1}U, sbQ_{id}) = \hat{e}(U, sQ_{id}) = \hat{e}(U, d_{id})$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security: IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm $A$ may continue issuing key extraction queries; algorithm $B$ will respond as before.
Eventually algorithm $A$ will output its answer $b'$; algorithm $B$ will output the same answer.
If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.
$B$ does not abort with non-negligible probability, and thus $B$ wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security: IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $\langle q, G_1, G_2, \hat{e} \rangle$ and a random instance $\langle P, P_1, P_2, P_3 \rangle = \langle P, aP, bP, cP \rangle$ of the BDH problem for these parameters. Let $D = \hat{e}(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security: IND-ID-CPA security under random oracle model
setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{ID}, H_2 \rangle$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ the key $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm $A$ may issue queries to the random oracle $H_2$. To respond to them $B$ maintains a list of tuples $\langle X_j, H_j \rangle$; we call it the $H_2^{list}$; the list is initially empty. When $A$ asks $H_2$ on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $\langle X_i, H_i \rangle$ then $B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $\langle X_i, H_i \rangle$ to the $H_2^{list}$. It responds to $A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security: IND-ID-CPA security under random oracle model
challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = \langle P_3, R \rangle$. Algorithm $B$ gives $C$ as the challenge to $A$. Observe that by definition the decryption of $C$ is
$R \oplus H_2(\hat{e}(P_3, d_{ID})) = R \oplus H_2(D)$
48
BF IBE scheme security: IND-ID-CPA security under random oracle model
guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $\langle X_j, H_j \rangle$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
$B$ simulates a real attack environment for $A$ and thus we expect $A$ to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of $A$ asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of $A$'s view and thus $A$ can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
12
Recall: CCA2 security
CCA2 or adaptive chosen ciphertext attack security means that there is no poly-time adversary $A$ that can win the IND-CCA game with probability non-negligibly greater than half. The IND-CCA game is defined as follows:
Setup: The challenger takes a security parameter $k$ and runs the GEN algorithm. It gives the adversary the resulting public key. It keeps the private key for itself.
Phase 1: The adversary issues queries $q_1, q_2, \ldots, q_m$ where $q_i$ is a
• Decryption query $\langle C_i \rangle$: The challenger responds by decrypting $C_i$ using the private key. It sends the resulting plaintext to the adversary.
Challenge: The adversary outputs two equal length messages $m_0, m_1 \in \mathcal{M}$ that did not appear in any decryption query. The challenger picks a random $b$ and sets $C = Encrypt(\text{private-key}, m_b)$. It sends $C$ as a challenge to the adversary.
Phase 2: The adversary issues more queries as in phase 1 (but not about the challenge).
Guess: The adversary outputs a guess $b'$ and wins the game if $b = b'$.
13
Constructing CCA-secure scheme
We will now construct a public-key encryption scheme that is based on:
- an IBE scheme which is selective-ID secure against chosen-plaintext attacks;
- a one-time signature which is strongly unforgeable (which means that an adversary should not be able to forge a new signature even on a previously-signed message). An example of such a scheme is the Lamport scheme:
Let $f$ be a one-way function. Then to sign a message of $n$ bits do the following.
The signing key is $2n$ random elements in the domain of $f$: $X = (x_{10}, x_{11}, x_{20}, x_{21}, \ldots, x_{n0}, x_{n1})$.
The public verification key is the images of $X$ under $f$: $Y = (y_{10}, y_{11}, y_{20}, y_{21}, \ldots, y_{n0}, y_{n1})$ where $y_{ij} = f(x_{ij})$.
To sign a message $m = m_1 m_2 \ldots m_n$ output the values $x_{1m_1}, x_{2m_2}, \ldots, x_{nm_n}$.
To verify a signature $x_{1m_1}, x_{2m_2}, \ldots, x_{nm_n}$ on message $m$ with public key $Y$, verify that for each $i$: $y_{im_i} = f(x_{im_i})$.
14
Constructing CCA-secure scheme
The construction is by Canetti, Halevi and Katz and goes as follows.
Let $\Pi = (Setup, Extract, Encode, Decode)$ be an IBE scheme and $Sig = (G, Sign, Verify)$ be a one-time signature scheme. Our public encryption scheme $\Pi' = (Gen, Encode, Decode)$ will work as follows:
Gen on $1^k$: runs $Setup(1^k)$ to obtain $(PK, msk)$. The public key is $PK$ and the secret key is $msk$.
Encryption: To encrypt message $m$ using public key $PK$, the sender first runs $G(1^k)$ to obtain a verification key $vk$ and a signing key $sk$. The sender then computes $c = Encode(PK, vk, m)$ (i.e. the sender uses $vk$ as an identity) and $\sigma = Sign(sk, c)$. The final ciphertext is $(vk, c, \sigma)$.
Decryption: To decrypt ciphertext $(vk, c, \sigma)$ using secret key $msk$, the receiver first checks whether $Verify(vk, c, \sigma) = 1$. If not, the receiver simply outputs $\bot$. Otherwise the receiver computes $SK_{vk} = Extract(msk, vk)$ and outputs $Decode(SK_{vk}, vk, c) = m$.
It is clear that this scheme is indeed a correct public-key encryption scheme.
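An added, runnable example, not code from the slides nor from the Boneh-Franklin or CHK papers, that exercises both the BF IBE algorithms (Setup, Extract, Encrypt, Decrypt and the consistency equation) and the Lamport one-time signature plus the CHK transform defined above. It assumes a toy bilinear map on $\mathbb{Z}_q$ that has the bilinearity and non-degeneracy properties but no security, SHA-256 instantiations of $H_1$, $H_2$ and the one-way function $f$, and that the Lamport scheme signs the SHA-256 digest of its message.

```python
# Added example (not the slides' code): BF IBE + Lamport OTS + CHK transform.
# The "pairing" below is a deliberately toy map e(X, Y) = g^(X*Y) on
# G1 = Z_q (additive, generator P = 1) and G2 = <g> in Z_N^*. It is bilinear
# and non-degenerate but gives no security (discrete logs in G1 are trivial);
# it only exercises the algebra. q, N, g and the hash choices are constructed.
import hashlib
import os
import secrets

Q = 1019       # prime order q of both toy groups
N = 2 * Q + 1  # prime N = 2039, so Z_N^* has a subgroup of order q
G = 4          # generator of that order-q subgroup (a square mod N, not 1)
P = 1          # generator of G1 = Z_q; "aP" is simply a mod q


def pairing(x, y):
    """Toy admissible map e: G1 x G1 -> G2 with e(aP, bP) = g^(ab)."""
    return pow(G, (x * y) % Q, N)


def h1(identity):
    """H1: {0,1}^* -> G1^* (a non-zero element of Z_q), SHA-256 based."""
    h = hashlib.sha256(b"H1|" + identity).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1


def h2(g2):
    """H2: G2 -> {0,1}^n with n = 256, i.e. a 32-byte mask."""
    return hashlib.sha256(b"H2|" + g2.to_bytes(4, "big")).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- Boneh-Franklin IBE: Setup / Extract / Encrypt / Decrypt ---------------
def ibe_setup():
    s = secrets.randbelow(Q - 1) + 1        # master secret s in Z_q^*
    return {"Ppub": (s * P) % Q}, s          # (mpk, msk)


def ibe_extract(msk, identity):
    return (msk * h1(identity)) % Q          # d_ID = s * Q_ID


def ibe_encrypt(mpk, identity, m):
    assert len(m) == 32                      # message space {0,1}^256
    q_id = h1(identity)
    r = secrets.randbelow(Q - 1) + 1         # r in Z_q^*
    g_id = pairing(q_id, mpk["Ppub"])        # g_ID = e(Q_ID, Ppub)
    return (r * P) % Q, xor(m, h2(pow(g_id, r, N)))  # <rP, m xor H2(g_ID^r)>


def ibe_decrypt(d_id, c):
    u, v = c
    return xor(v, h2(pairing(d_id, u)))      # e(d_ID, U) = g_ID^r (consistency)


# --- Lamport one-time signature, f = SHA-256, signing a 256-bit digest -----
def ots_keygen():
    sk = [[os.urandom(32) for _ in (0, 1)] for _ in range(256)]      # X
    vk = [[hashlib.sha256(x).digest() for x in pair] for pair in sk]  # Y = f(X)
    return vk, sk


def _bits(msg):
    d = hashlib.sha256(msg).digest()         # assumption: sign the digest of msg
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def ots_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]   # reveal x_{i m_i}


def ots_verify(vk, msg, sig):
    return all(hashlib.sha256(x).digest() == vk[i][b]      # y_{i m_i} == f(x_{i m_i})
               for i, (b, x) in enumerate(zip(_bits(msg), sig)))


# --- CHK transform: vk is the IBE identity and c is signed under sk --------
def vk_bytes(vk):
    return b"".join(y for pair in vk for y in pair)


def c_bytes(c):
    return c[0].to_bytes(2, "big") + c[1]


def pke_encrypt(mpk, m):
    vk, sk = ots_keygen()
    c = ibe_encrypt(mpk, vk_bytes(vk), m)    # Encode(PK, vk, m)
    return vk, c, ots_sign(sk, c_bytes(c))   # (vk, c, sigma)


def pke_decrypt(msk, ct):
    vk, c, sig = ct
    if not ots_verify(vk, c_bytes(c), sig):
        return None                          # Verify != 1: output bottom
    return ibe_decrypt(ibe_extract(msk, vk_bytes(vk)), c)


def demo():
    """Returns (honest decryption correct?, result for a tampered ciphertext)."""
    mpk, msk = ibe_setup()
    m = b"32-byte message for the CHK demo"
    vk, c, sig = pke_encrypt(mpk, m)
    ok = pke_decrypt(msk, (vk, c, sig)) == m
    # A decryption query reusing vk with an altered c carries no valid
    # signature on the new c, so the receiver answers bottom (None).
    tampered = (vk, (c[0], xor(c[1], b"\x01" * 32)), sig)
    return ok, pke_decrypt(msk, tampered)
```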
15
Proof of CCA2-security
Intuition for the proof (informal): Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. It is clear that without any decryption oracle queries the plaintext corresponding to the ciphertext remains hidden from the adversary; this is so because $c^*$ is output by $\Pi$, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\bot$ since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \ne vk^*$ then the decryption query will not help the adversary since the eventual decryption using Decrypt will be done with respect to a different identity $vk \ne vk^*$.
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary $A$ attacking $\Pi'$ in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $Verify(vk, c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game and let $Forge$ denote the event that $A$ submits a valid ciphertext $(vk^*, c, \sigma)$. We prove the following claims:
Claim 1: $\Pr^{PKE}_A[Forge]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac{1}{2}\Pr^{PKE}_A[Forge] - \frac{1}{2}\right|$ is negligible.
Now from these two claims we get
$\left|\Pr^{PKE}_A[Success] - \frac{1}{2}\right| \le \left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac{1}{2}\Pr^{PKE}_A[Forge] - \frac{1}{2}\right| + \left|\Pr^{PKE}_A[Success \wedge Forge] - \frac{1}{2}\Pr^{PKE}_A[Forge]\right|$
$\le \frac{1}{2}\Pr^{PKE}_A[Forge] + \left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac{1}{2}\Pr^{PKE}_A[Forge] - \frac{1}{2}\right|$
which is negligible given the stated claims.
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme $Sig$ with probability exactly $\Pr^{PKE}_A[Forge]$. Security of $Sig$ implies the claim.
$F$ is defined as follows: given input $1^k$ and verification key $vk^*$, $F$ first runs $Setup(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption queries of $A$. If $A$ happens to submit a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, forger $F$ proceeds as follows: it chooses a random bit $b$, computes $c^* = Encrypt(vk^*, m_b)$ and obtains from its signing oracle a signature $\sigma^*$ on the message $c^*$. Finally $F$ hands $(vk^*, c^*, \sigma^*)$ to $A$.
If $A$ submits a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle, note that we must have $(c, \sigma) \ne (c^*, \sigma^*)$. In this case $F$ simply outputs $(c, \sigma)$ as its forgery. It is easy to see that $F$'s success probability is exactly $\Pr^{PKE}_A[Forge]$.
18
Proof of CCA2-security
Proof of claim 2
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme $\Pi$ in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $Decode(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
(a) If $vk = vk^*$ then $A'$ checks whether $Verify(vk, c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\bot$.
(b) If $vk \ne vk^*$ and $Verify(vk, c, \sigma) = 0$ then $A'$ responds with $\bot$.
(c) If $vk \ne vk^*$ and $Verify(vk, c, \sigma) = 1$ then $A'$ makes the oracle query $Extract(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = Decode(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* = Sign(sk^*, c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of claim 2 continued
Note that $A'$ represents a legal adversarial strategy for attacking $\Pi$; in particular $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore $A'$ provides a perfect simulation for $A$ until event $Forge$ occurs (in such an event $A'$ outputs a random bit). And thus
$\Pr^{IBE}_{A'}[Success] - \frac{1}{2} = \Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac{1}{2}\Pr^{PKE}_A[Forge] - \frac{1}{2}$
And the left side of the above is negligible by the assumed security of $\Pi$.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat{e}: G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.
2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: There is an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps: MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat{e}(P, P)$ and $h = \hat{e}(Q, P)$. By bilinearity $h = g^{\alpha}$.
By non-degeneracy of $\hat{e}$, both $g, h$ have order $q$ in $G_2$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps ndash DDH is easy
The Decision Diffie-Hellman problem in G1 is to
distinguish between the distributions (P Pa Pb Pab)and
(P Pa Pb Pc) where abc are random in Zq0 and P is
random in G10
1Given we have
ˆ ˆmod ( ) ( )
a b c
c a b
P P P P G
c ab q e P P e P P
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
2 3
2 3
A curve defined by the equation over some field We will talk about elliptic curve defined by the equation
= +1 over field where is a prime satisfying 2mod3 Let ( ) denote thrp p
y x ax b E
y x p p E
F F e group of points on defined over rpE F
Elliptic curves
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
2
2
2
In the following we let and be arbitrary points in ( )
A divisor is a formal sum of points on the curve ( ) We write divisors as = ( ) where and
( ) W
p
P Pp P
p
P Q E
E a P a
P E
Divisors
F
F
F
A
2 2
2
e will only consider divisors = ( ) where 0
A function on the curve ( ) can be viewed as a rational function ( ) ( )
For any point ( ) ( ) we def
P PP P
p p
p
a P a
f E f x y E
P x y E
Functions F F
F
A
2
ine ( ) ( )
Let be a function on the curve ( ) We define its divisor denoted by ( ) as
( ) ( ) ( ) Here ( ) is the orde
p
P PP
f P f x y
f E f
f ord f P ord f
Divisors of functions F
r of the zero that has at point
Let be a divisor If there exists a function such that ( ) then we say that is a principal
divisor We know
f P
f f Principal divisors A A A
that a divisor = ( ) is principal if and only if 0 and
Furthemore given a principal divisor there exists a unique function such that ( )
P P PP P Pa P a a P O
f f
Equivalen
A
A A
We say that two divisors are equivalent is their difference - is a principal divisor
We know that any divisor = ( ) (with 0) is eP PP Pa P a
ce of divisors A B A B
A quivalent to a divisor of the
form ( ) - ( )
Given a function and a divisor = ( ) we define ( ) as ( ) ( ) Pa
PP P
Q O
f a P f f f P
Notation
A
A A A
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Modified Weil pairing satisfy the following properties
1 Bilinear (follows from bilinearity of Weil pairing)
2 Non-degenerate Obvious
3 Computable There is an efficient algorithm to compute the value of the map
Generator built basing on this map is believed to satisfy BDH assumption asymptotically
However there is still the question of what values of p and q can be used in practice to
make the BDH problem sufficiently hard
30
Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before)
1 2
Given a security parameter the algorithm works as follows
Step 1 Run G on input to generate a prime two groups of order and an
admissibl
k
k q q
Setup
G G
1 1 2 1
1 1
ˆe map Choose a random generator
Step 2 Pick a random and set
Step 3 Choose a cryptographic hash function 01 Choose a cryptographic
s
q pub
e P
s P P
H
G G G G
G
2 2
1
1 2 1 2
hash function 01 for some
The message space is 01 The ciphertext space is 01 The system parameters
ˆare ( ) The is
n
n n
pub
H n
M C
q e n P P H H
mpk msk
G
G
G G qs
31
Boneh-Franklin IBE scheme
1 1
ID
For a given string 01 the algorithm does
1) Computes ( )
2) Sets the private key to be where is the master key
ID
s
ID ID
ID
Q H ID
d d Q s
Extract
G
32
Boneh-Franklin IBE scheme
1 1
To encrypt under the public key do the following
(1) compute ( )
(2) choose a random
(3) set the ciphertext to be
ID
q
m M ID
Q H ID
r
Encrypt
G
2 2ˆ ( ( )) where ( )r r
ID ID ID pubC P m H g g e Q P G
33
Boneh-Franklin IBE scheme
1
2
Let ( ) be a ciphertext encypted using the public key
To decrypt using the private key compute
ˆ ( ( ))
ID
ID
c U V C ID
c d
V H e d U
Decrypt
G
m
34
Boneh-Franklin IBE scheme
ˆ ˆ ˆ ˆ( ) ( ) ( ) ( )s r sr r r
ID ID ID ID pub IDe d U e Q P e Q P e Q P g
1 During encryption m is bitwise xored with the hash of
2 During decryption V is bitwise xored with the hash of
These masks used during encryption and decryption are the same since
ˆ( )IDe d U
r
IDg
Consistency
35
BF IBE scheme security
We will prove now that presented scheme is selective IND-ID-CPA secure in the standard
model
Reminder In selective IND-ID-CPA game the adversary first tells challenger which ID
he wants to be challenged on then he receives public setup and is allowed
to issue key extraction queries
Selective IND-ID-CPA security under standard model
36
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: in the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build the random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$ the algorithm works as follows.
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e : G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = (rP, m \oplus H_2(g_{id}^{r}))$ where $g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2$.
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now, if there is a poly-time adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible probability, then there is a poly-time adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
setup: Algorithm B is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. B gives A the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$, where $H_1$ is a random oracle controlled by B in the following way. B maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$; we call it the $H_1^{list}$; the list is initially empty. When A asks $H_1$ on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, coin_i)$ then B responds with $H_1(ID_i) = Q_i$.
2. Otherwise B generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$ for a fixed $\delta$ (chosen in the analysis).
3. B picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$ then $Q_i = b_i P$, otherwise $Q_i = b_i Q_{id}$.
4. B adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1^{list}$ and responds with $Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model
key-extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $coin_i = 0$ and hence $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = s b_i P = s Q_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model
challenge: Once algorithm A decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the BasicPub encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $(ID_{ch}, Q_{ch}, b, coin)$ corresponding to $ID_{ch}$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q_{ch} = b Q_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note that
$$\hat e(b^{-1}U, d_{ch}) = \hat e(b^{-1}U, sQ_{ch}) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ch}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B responds as before.
Eventually algorithm A outputs its answer $b'$; algorithm B outputs the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly so does B.
B does not abort with non-negligible probability, and thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem; from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P,P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives $K_{pub}$ to A.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them B maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$; the list is initially empty. When A asks $H_2$ on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = (P_3, R)$. Algorithm B gives $C$ as the challenge to A. Observe that, by definition, the decryption of $C$ is $R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of A asking for $H_2(D)$ is non-negligible (since otherwise the decryption of $C$ is independent of A's view, and thus A can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random gives the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing
  D. Boneh and M. Franklin
  SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003
• Chosen-Ciphertext Security from Identity-Based Encryption
  D. Boneh, R. Canetti, S. Halevi and J. Katz
  SIAM J. Comput. 36(5): 1301-1328 (2007)
13
Constructing CCA-secure scheme
We will now construct a public-key encryption scheme that is based on:
- an IBE scheme which is selective-ID secure against chosen-plaintext attacks;
- a one-time signature which is strongly unforgeable (which means that an adversary should not be able to forge a new signature even on a previously-signed message). An example of such a scheme:
Lamport scheme
Let $f$ be a one-way function. Then to sign a message of $n$ bits do:
The signing key is $2n$ random elements in the domain of $f$: $X = (x_{10}, x_{11}, x_{20}, x_{21}, \ldots, x_{n0}, x_{n1})$.
The public verification key is the images of $X$ under $f$: $Y = (y_{10}, y_{11}, y_{20}, y_{21}, \ldots, y_{n0}, y_{n1})$ where $y_{ij} = f(x_{ij})$.
To sign a message $m = m_1 m_2 \ldots m_n$ output the values $x_{1m_1}, x_{2m_2}, \ldots, x_{nm_n}$.
To verify a signature $x_{1m_1}, x_{2m_2}, \ldots, x_{nm_n}$ on message $m$ with public key $Y$ verify that for each $i$: $y_{im_i} = f(x_{im_i})$.
14
Constructing CCA-secure scheme
The construction is by Canetti, Halevi and Katz and goes as follows.
Let $\Pi = (Setup, Extract, Encode, Decode)$ be an IBE scheme and $Sig = (G, Sign, Verify)$ be a one-time signature scheme.
Our public-key encryption scheme $\Pi' = (Gen, Encode, Decode)$ will work as follows:
Gen: on input $1^k$ runs $Setup(1^k)$ to obtain $(PK, msk)$. The public key is $PK$ and the secret key is $msk$.
Encryption: To encrypt a message $m$ using public key $PK$, the sender first runs $G(1^k)$ to obtain a verification key $vk$ and a signing key $sk$. The sender then computes $c = Encode(PK, vk, m)$ (i.e. the sender uses $vk$ as an identity) and $\sigma = Sign(sk, c)$. The final ciphertext is $(vk, c, \sigma)$.
Decryption: To decrypt a ciphertext $(vk, c, \sigma)$ using secret key $msk$, the receiver first checks whether $Verify(vk, c, \sigma) = 1$. If not, the receiver simply outputs $\bot$. Otherwise the receiver computes $SK_{vk} = Extract(msk, vk)$ and outputs $Decode(SK_{vk}, vk, c) = m$.
It is clear that this scheme is indeed a correct public-key encryption scheme.
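The Lamport signature of the previous slide and the CHK construction above, put together as an added example (not code from the slides or from the BCHK paper): Python with $f$ = SHA-256, and a toy stand-in for the IBE whose "pairing" works on exponents that everybody can read, so it has no security and only exercises the transform's verify-then-extract logic; all parameters and identities below are constructed.

```python
import hashlib
import secrets

# Added example, not code from the slides: the CHK construction of slide 14
# instantiated with the Lamport one-time signature of slide 13 (f = SHA-256)
# and a toy stand-in for the Boneh-Franklin IBE. The toy pairing is
# e(x, y) = g^(x*y) in Z_p^* with G1 = Z_q written additively, so discrete
# logs are trivial: it has NO security and only exercises the transform.
# Messages are at most 32 bytes (one SHA-256 output is the mask).

def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

# ---- Lamport one-time signature on n = 256 bits (the digest of the signed data) ----
def ots_gen(n: int = 256):
    """Signing key: 2n random preimages x_{i0}, x_{i1}; verification key y_{ij} = f(x_{ij})."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n)]
    vk = [(f(x0), f(x1)) for x0, x1 in sk]
    return vk, sk

def msg_bits(msg: bytes, n: int):
    """The bits m_1 .. m_n that get signed: the SHA-256 digest of msg."""
    d = f(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def ots_sign(sk, msg: bytes):
    """Reveal x_{i m_i} for every i; sk must be used for exactly one message."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg, len(sk)))]

def ots_verify(vk, msg: bytes, sig) -> bool:
    """Check y_{i m_i} = f(x_{i m_i}) for every i."""
    n = len(vk)
    return len(sig) == n and all(f(sig[i]) == vk[i][b] for i, b in enumerate(msg_bits(msg, n)))

# ---- toy IBE shaped like Boneh-Franklin (Setup / Extract / Encode / Decode) ----
P_MOD, Q_ORD, G = 1019, 509, 4   # constructed: 509 = (1019-1)/2 is prime, so g = 4 = 2^2 has order 509

def pair(x: int, y: int) -> int:
    """Toy bilinear map on G1 = Z_q: e(x, y) = g^(xy). Bilinear and non-degenerate, but insecure."""
    return pow(G, x * y % Q_ORD, P_MOD)

def H1(identity: bytes) -> int:
    """Identity -> non-zero element of G1."""
    return 1 + int.from_bytes(f(identity), "big") % (Q_ORD - 1)

def H2(gt: int, nbytes: int) -> bytes:
    """G2 element -> mask of nbytes bytes (H2 : G2 -> {0,1}^n)."""
    return hashlib.sha256(b"H2" + gt.to_bytes(2, "big")).digest()[:nbytes]

def ibe_setup():
    s = secrets.randbelow(Q_ORD - 1) + 1       # master key s; the generator P is 1 in Z_q
    return {"P_pub": s}, s                     # (PK, msk) with P_pub = sP

def ibe_extract(msk: int, identity: bytes) -> int:
    return msk * H1(identity) % Q_ORD           # d_ID = s * Q_ID

def ibe_encode(PK, identity: bytes, m: bytes):
    r = secrets.randbelow(Q_ORD - 1) + 1
    g_id = pair(H1(identity), PK["P_pub"])     # g_ID = e(Q_ID, P_pub)
    mask = H2(pow(g_id, r, P_MOD), len(m))     # H2(g_ID^r)
    return r, bytes(a ^ b for a, b in zip(m, mask))   # (rP, m xor mask)

def ibe_decode(d_id: int, c):
    U, V = c
    mask = H2(pair(d_id, U), len(V))           # e(d_ID, U) = g_ID^r by bilinearity
    return bytes(a ^ b for a, b in zip(V, mask))

# ---- CHK transform: vk is the IBE identity, sigma authenticates c ----
def vk_bytes(vk) -> bytes:
    return b"".join(y0 + y1 for y0, y1 in vk)

def c_bytes(c) -> bytes:
    return c[0].to_bytes(2, "big") + c[1]

def chk_encrypt(PK, m: bytes):
    vk, sk = ots_gen()                          # fresh one-time key per ciphertext
    c = ibe_encode(PK, vk_bytes(vk), m)         # Encode(PK, vk, m)
    return vk, c, ots_sign(sk, c_bytes(c))      # (vk, c, Sign(sk, c))

def chk_decrypt(msk, ct):
    vk, c, sigma = ct
    if not ots_verify(vk, c_bytes(c), sigma):   # Verify(vk, c, sigma) = 1 ?
        return None                             # output bottom
    return ibe_decode(ibe_extract(msk, vk_bytes(vk)), c)   # Decode(Extract(msk, vk), vk, c)
```

A ciphertext whose $c$ was altered, or whose $(c, \sigma)$ was moved under another $vk$, fails the signature check and is rejected before the master key is ever used.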
15
Proof of CCA2-security
Intuition for the proof (informal): Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. It is clear that without any decryption oracle queries the plaintext corresponding to the ciphertext remains hidden from the adversary; this is so because $c^*$ is output by $\Pi$, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\bot$, since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \ne vk^*$ then the decryption query will not help the adversary, since the eventual decryption using Decrypt will be done with respect to a different identity $vk \ne vk^*$.
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary A attacking $\Pi'$ in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $Verify(vk, c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by A during a particular run of the game, and let Forge denote the event that A submits a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle. We prove the following claims:
Claim 1: $\Pr^{PKE}_A[Forge]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] - \frac{1}{2}\Pr^{PKE}_A[\overline{Forge}]\right|$ is negligible.
Now from these two claims we get
$$\left|\Pr^{PKE}_A[Success] - \frac{1}{2}\right| \le \left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] - \frac{1}{2}\Pr^{PKE}_A[\overline{Forge}]\right| + \left|\Pr^{PKE}_A[Success \wedge Forge] - \frac{1}{2}\Pr^{PKE}_A[Forge]\right| \le \frac{1}{2}\Pr^{PKE}_A[Forge] + \left|\Pr^{PKE}_A[Success \wedge \overline{Forge}] - \frac{1}{2}\Pr^{PKE}_A[\overline{Forge}]\right|,$$
which is negligible given the stated claims. (The first inequality splits $\Pr[Success]$ into $\Pr[Success \wedge Forge] + \Pr[Success \wedge \overline{Forge}]$ and $\frac{1}{2}$ into $\frac{1}{2}\Pr[Forge] + \frac{1}{2}\Pr[\overline{Forge}]$; the second uses $0 \le \Pr[Success \wedge Forge] \le \Pr[Forge]$.)
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger F who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr^{PKE}_A[Forge]$. Security of Sig implies the claim.
F is defined as follows: given input $1^k$ and a verification key $vk$, F first runs $Setup(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that F can answer any decryption queries of A (it holds $msk$). If A happens to submit a valid ciphertext $(vk, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then F simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when A outputs messages $m_0, m_1$, the forger F proceeds as follows: F chooses a random bit $b$, computes $c = Encrypt(PK, vk, m_b)$ and obtains from its signing oracle a signature $\sigma$ on the message $c$. Finally F hands $(vk, c, \sigma)$ to A.
If A submits a valid ciphertext $(vk, c', \sigma')$ to its decryption oracle, note that we must have $(c', \sigma') \ne (c, \sigma)$. In this case F simply outputs $(c', \sigma')$ as its forgery. It is easy to see that F's success probability is exactly $\Pr^{PKE}_A[Forge]$.
18
Proof of CCA2-security
Proof of claim 2
We use A to construct a poly-time adversary A' which attacks the IBE scheme $\Pi$ in the selective IND-ID-CPA game. Define adversary A' as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. A' is given a master public key $PK$. Adversary A' in turn runs $A(1^k, PK)$.
3. When A makes a decryption oracle query $(vk, c, \sigma)$, adversary A' proceeds as follows:
(a) If $vk = vk^*$ then A' checks whether $Verify(vk^*, c, \sigma) = 1$. If so, A' aborts and outputs a random bit. Otherwise it simply responds with $\bot$.
(b) If $vk \ne vk^*$ and $Verify(vk, c, \sigma) = 0$ then A' responds with $\bot$.
(c) If $vk \ne vk^*$ and $Verify(vk, c, \sigma) = 1$ then A' makes the oracle query $Extract(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = Decode(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point A outputs two messages $m_0, m_1$. These messages are output by A' as well. In return A' is given a challenge ciphertext $c^*$; adversary A' then computes $\sigma^* = Sign(sk^*, c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to A.
5. A may continue to make decryption queries, and these are answered as before.
6. Finally A outputs a guess $b'$; this same guess is output by A'.
19
Proof of CCA2-security
Proof of claim 2, continued
Note that A' represents a legal adversarial strategy for attacking $\Pi$; in particular A' never requests the secret key corresponding to the target identity $vk^*$. Furthermore, A' provides a perfect simulation for A until event Forge occurs (in such an event A' outputs a random bit). And thus
$$\Pr^{IBE}_{A'}[Success] - \frac{1}{2} = \Pr^{PKE}_A[Success \wedge \overline{Forge}] + \frac{1}{2}\Pr^{PKE}_A[Forge] - \frac{1}{2} = \Pr^{PKE}_A[Success \wedge \overline{Forge}] - \frac{1}{2}\Pr^{PKE}_A[\overline{Forge}].$$
The left side of the above is negligible by the assumed security of $\Pi$, which proves claim 2.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e : G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$: $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps – MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By bilinearity $h = g^{\alpha}$.
By non-degeneracy both $g$ and $h$ have order $q$ in $G_2$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps – DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$ where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP).$$
24
Bilinear Diffie-Hellman Problem
BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e : G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $\mathcal{A}$ has advantage $\varepsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if $\Pr[\mathcal{A}(P, aP, bP, cP) = \hat e(P, P)^{abc}] \ge \varepsilon$.
BDH parameter generator: A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k$,
2) $\mathcal{G}$ runs in time polynomial in $k$,
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$.
BDH assumption: Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $\mathcal{A}$ has advantage $Adv_{\mathcal{G},\mathcal{A}}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$Adv_{\mathcal{G},\mathcal{A}}(k) = \Pr\big[\mathcal{A}(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\big|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\; P \leftarrow G_1^*,\; a, b, c \leftarrow \mathbb{Z}_q^*\big].$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $\mathcal{A}$ we have that $Adv_{\mathcal{G},\mathcal{A}}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
A curve defined by the equation $y^2 = x^3 + ax + b$ over some field $\mathbb{F}$. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \bmod 3$. Let $E(\mathbb{F}_p)$ denote the group of points on $E$ defined over $\mathbb{F}_p$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$, and $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$.
Fact 2: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ with $x \ne 0$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
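An added example (not from the slides) that checks Facts 1 and 2 numerically and builds $G_1 = \langle P \rangle$ for a toy prime; $p = 101$ and $q = 17$ are assumed values, chosen only because $101 \equiv 2 \bmod 3$ and $17 \mid p + 1$, so nothing here is of cryptographic size.

```python
# Added example, not code from the slides: checks Facts 1 and 2 for the curve
# E: y^2 = x^3 + 1 over F_p (p prime, p = 2 mod 3) and builds the subgroup
# G1 = <P> of prime order q dividing p + 1, as the BDH parameter generator
# needs. Pure Python with a toy p (constructed: p = 101, q = 17 in the usage
# below), so it illustrates the structure only.

O = None  # the point at infinity

def cube_is_permutation(p: int) -> bool:
    """Fact 1: x -> x^3 is a permutation of F_p exactly when gcd(3, p - 1) = 1,
    i.e. when p = 2 (mod 3)."""
    return len({pow(x, 3, p) for x in range(p)}) == p

def cube_root(a: int, p: int) -> int:
    """Inverse of cubing in F_p for p = 2 (mod 3): a^((2p-1)/3),
    because 3 * (2p-1)/3 = 2(p-1) + 1 = 1 (mod p-1)."""
    assert p % 3 == 2
    return pow(a % p, (2 * p - 1) // 3, p)

def point_from_y(y0: int, p: int):
    """Fact 2: the unique point of E(F_p) with y-coordinate y0 has x0 = (y0^2 - 1)^(1/3)."""
    return (cube_root(y0 * y0 - 1, p), y0 % p)

def curve_points(p: int):
    """All points of E(F_p) including O; Fact 1 says there are p + 1 of them."""
    pts = [O]
    for x in range(p):
        rhs = (x ** 3 + 1) % p
        pts += [(x, y) for y in range(p) if y * y % p == rhs]
    return pts

def add(P, Q, p: int):
    """Group law on y^2 = x^3 + 1 (short Weierstrass form with a = 0)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                      # Q = -P
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p     # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k: int, P, p: int):
    """Scalar multiplication kP by double-and-add."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, P, p)
        P = add(P, P, p)
        k >>= 1
    return R

def point_of_order(q: int, p: int):
    """A point P of prime order q | p + 1: take any point, multiply by (p+1)/q
    and keep the first result that is not O. G1 = <P> is the slide's group."""
    assert (p + 1) % q == 0
    for P0 in curve_points(p):
        P = mul((p + 1) // q, P0, p)
        if P is not O:
            assert mul(q, P, p) is O
            return P
    raise ValueError("no point of order q found")

if __name__ == "__main__":
    p, q = 101, 17                       # constructed toy parameters: 101 = 2 mod 3, 17 | 102
    print(cube_is_permutation(p), len(curve_points(p)), point_of_order(q, p))
```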
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P(P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P(P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P ord_P(f)(P)$. Here $ord_P(f)$ is the order of the zero that $f$ has at point $P$ (negative at a pole).
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P(P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ (up to multiplication by a non-zero constant) such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P(P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$ for some $Q \in E$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P(P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$, which is principal since its coefficients sum to $0$ and $nP - nO = O$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}.$$
It is clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$.
But it is degenerate, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q))$$
Recall (Fact 3): Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. For any point $Q = (x, y) \in E(\mathbb{F}_p)$ with $x \ne 0$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as $\hat e(P, Q) = e(P, \phi(Q))$.
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing)
2. Non-degenerate: obvious (since $P$ and $\phi(P)$ are linearly independent)
3. Computable: there is an efficient algorithm to compute the value of the map
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$ the algorithm works as follows.
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1 : \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$ where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be $C = (rP, m \oplus H_2(g_{ID}^{r}))$ where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2$.
33
Boneh-Franklin IBE scheme
Decrypt: Let $C = (U, V) \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$. To decrypt $C$ using the private key $d_{ID} \in G_1^*$ compute $V \oplus H_2(\hat e(d_{ID}, U)) = m$.
34
Boneh-Franklin IBE scheme
Consistency
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{r}$$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
The masks used during encryption and decryption are the same by the equation above.
35
BF IBE scheme security
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder In selective IND-ID-CPA game the adversary first tells challenger which ID
he wants to be challenged on then he receives public setup and is allowed
to issue key extraction queries
Selective IND-ID-CPA security under standard model
36
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
Now we will see how to show that BF IBE scheme is IND-ID-CPA
secure in random oracle model
IND-ID-CPA security under random oracle model
Reminder In random oracle model cryptographic hash functions are replaced by truly
random functions Our benefit in this model is that we can build our random
oracle on the fly according to adversary actions
40
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
14
Constructing CCA-secure scheme
The construction is by Canetti Halevi and Katz and goes as following
Let =(SetupExtractEncodeDecode) be an IBE scheme and Sig=(G Sign Verify) be a one-time signature scheme
Our public encryption scheme =(GenEncodeDecode) will work as follows
on 1
Runs S
k
Gen
etup(1 ) to obtain ( ) The public key is and the secret key is
To encrypt message using public key the sender first runs G(1 ) to obtain verification key and signing ke
k
k
PK msk PK msk
m PK vk
Encryption
y
The sender then computes ( ) (ie sender uses as an identity) and ( )
The final ciphertext is ( )
To decrypt ciphertext ( ) using secret key t
sk
c Encode PK vk m vk Sign sk c
vk c
vk c msk
Decryption
he receiver first checks whether Verify( ) 1
If not the receiver simply outputs Otherwise the receiver computes ( ) and outputs
( )
It is clear that this s
vk
vk
vk c
SK Extract msk vk
Decode SK vk c m
cheme is indeed a correct public-key encryption scheme
15
Proof of CCA2-security
Intuition for the proof (informal). Let $(vk^*, c^*, \sigma^*)$ be the challenge ciphertext. It is clear that without any decryption oracle queries the plaintext corresponding to the ciphertext remains hidden from the adversary: this is so because $c^*$ is output by $\Pi$, which is CPA-secure (and the additional components of the ciphertext provide no additional help).
Decryption oracle queries can't further help the adversary. On one hand, if the adversary submits to the oracle a ciphertext $(vk, c, \sigma)$ that is different from the challenge ciphertext but with $vk = vk^*$, then the decryption oracle will reply with $\bot$, since the adversary is unable to forge new valid signatures with respect to $vk^*$. On the other hand, if $vk \neq vk^*$ then the decryption query will not help the adversary, since the eventual decryption using Decrypt will be done with respect to a different identity $vk \neq vk^*$.
16
Proof of CCA2-security
Formal proof.
Assume we are given a poly-time adversary $A$ attacking $\Pi'$ in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $\mathrm{Verify}(vk, c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game, and let Forge denote the event that $A$ submits a valid ciphertext $(vk^*, c, \sigma)$. We prove the following claims:
Claim 1: $\Pr^{PKE}_A[\mathrm{Forge}]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac{1}{2}\right|$ is negligible.
Now from these two claims we get
$$\left|\Pr^{PKE}_A[\mathrm{Success}] - \tfrac{1}{2}\right| \le \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \mathrm{Forge}] - \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}]\right| + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac{1}{2}\right|$$
$$\le \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] + \left|\Pr^{PKE}_A[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac{1}{2}\Pr^{PKE}_A[\mathrm{Forge}] - \tfrac{1}{2}\right|,$$
which is negligible given the stated claims.
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger who forges a signature with respect to signature scheme Sig with
probability exactly Pr [ ] Security of Sig implies the claim
is defined as follows giv
PKE
A
F
Forge
F
en input 1 and verification key first runs Setup(1 ) to obtain
(PK msk) and then runs (1 ) Note that can answer any decryption queries of If
happens to submit a valid ciphertext (
k k
k
vk F
A PK F A A
v
0 1
) to its decryption oracle before requesting the challenge
ciphertext then simple outputs the forgery ( ) and stops Otherwise when outputs messages
forger proceeds as follows ch
k c
F c A
m m F
ooses a random bit b computes ( ) and
obtains from its signing oracle a signature on the message Finally hands ( ) to A
If submits a valid ciphertext ( ) to i
bc Encrypt vk m
c F vk c
A vk c
ts decryption oracle note that we must have ( ) ( )
In this case simply outputs ( ) as its forgery It is easy to see that s success probability is
exactly Pr [ ]PKE
A
c c
F c F
Forge
18
Proof of CCA2-security
Proof of claim 2
We use to construct a poly-time adversary which attacks the IBE scheme in selective IND-ID-CPA game
Define adversary as follows
1 (1 ) runs G(1 ) to generate ( ) and outputs the tk k
A A
A
A vk sk
arget identity
2 is given a master public key Adversary in turn runs (1 )
3 When makes a decryption oracle query ( ) adversary proceeds as follows
(a) If
k
ID vk
A PK A A PK
A Decode vk c A
then checks whether ( ) 1 If so aborts and outputs a random bit
Otherwise it simply responds with
(b) If and ( ) 0 then responds w
vk vk A Verify vk c A
vk vk Verify vk c A
ith
(c) If and ( ) 1 then makes the oracle query ( ) to obtain
It then computes ( ) and responds with
4 At some point outpu
vk vk
vk vk Verify vk c A Extract msk vk
SK m Decode SK vk c m
A
0 1
ts two messages These messages are output by A as well In return A
is given a challenge ciphertext adversary then computes ( ) and returns ( ) to
5 may co
m m
c A Sign sk c vk c A
A
ntinue to make decryption queries and these are answered as before
6 Finally outputs a guess this same guess is output by A b A
19
Proof of CCA2-security
Proof of claim 2 continued
Note that represents a legal adversarial strategy for attacking in particular never requests
the secret key corresponding to the target identity Furthermore provides a perfect sim
A A
vk A
ulation
for until event Forge occurs (in such event outputs a random bit) And thus
1 1 1 Pr [ ] Pr [ ] Pr [ ]
2 2 2
And the left side of the a
IBE PKE PKE
A A A
A A
Success Success Forge Success Forge
bove is negligible by the assumed security of
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e : G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$, $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps – MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$:
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By non-degeneracy of $\hat e$, both $g$ and $h$ have order $q$ in $G_2$. By bilinearity, $h = g^{\alpha}$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps – DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$, where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $P, aP, bP, cP \in G_1^*$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP).$$
24
Bilinear Diffie-Hellman Problem
BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e : G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\epsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if
$$\Pr[A(P, aP, bP, cP) = \hat e(P, P)^{abc}] \ge \epsilon.$$
BDH parameter generator: A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k$,
2) $\mathcal{G}$ runs in time polynomial in $k$,
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$.
BDH assumption: Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $\mathrm{Adv}_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$\mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\left[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\middle|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\; P \in G_1^*,\; a, b, c \in \mathbb{Z}_q^*\right].$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $\mathrm{Adv}_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves: An elliptic curve $E$ is defined by an equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \pmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$. $E(\mathbb{F}_p)$ contains $p + 1$ points.
Fact 2: Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$, and let $G_1$ be the subgroup generated by $P$. For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E(\mathbb{F}_{p^2})$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$, but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent, they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
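As an added example (not from the slides or from Boneh and Franklin), here is the concrete curve $y^2 = x^3 + 1$ over $\mathbb{F}_p$ with $p \equiv 2 \pmod 3$ in Python: Fact 1 and Fact 2 are checked numerically for a small prime, and the one-point-per-$y$ property is used to hash an identity string onto a point of order $q$, the way Boneh and Franklin's MapToPoint does. The parameters $p = 101$, $q = 17$, the SHA-256 hash and all function names are this example's own assumptions.

```python
# Added example, not from the slides: the supersingular curve E: y^2 = x^3 + 1 over F_p
# with p = 2 (mod 3).  It checks Facts 1 and 2 numerically for a small prime and uses the
# "one point per y" property to hash an identity string onto a point of order q, the way
# Boneh and Franklin's MapToPoint does.  Parameters (p = 101, q = 17), the SHA-256 hash
# and all function names are this example's own assumptions.
import hashlib

def cube_root(a, p):
    """Inverse of x -> x^3 on F_p for p = 2 (mod 3) (Fact 1: cubing is a permutation).
    3 divides 2p-1, and a^(2p-1) = a^(2(p-1)) * a = a, so a^((2p-1)/3) is THE cube root."""
    assert p % 3 == 2
    return pow(a % p, (2 * p - 1) // 3, p)

def cubing_is_permutation(p):
    """Fact 1, checked by brute force: x -> x^3 hits every element of F_p exactly once."""
    return len({pow(x, 3, p) for x in range(p)}) == p

def point_for_y(y0, p):
    """Fact 2: for each y0 in F_p the unique affine point with that y is (cbrt(y0^2 - 1), y0)."""
    return (cube_root(y0 * y0 - 1, p), y0 % p)

def count_points(p):
    """#E(F_p): all (x, y) on y^2 = x^3 + 1 plus the point at infinity O.
    Fact 1 says this equals p + 1 (one affine point per y, plus O)."""
    affine = sum(1 for x in range(p) for y in range(p) if (y * y - x * x * x - 1) % p == 0)
    return affine + 1

def is_on_curve(pt, p):
    if pt is None:                       # None represents O
        return True
    x, y = pt
    return (y * y - x * x * x - 1) % p == 0

def add(P, Q, p):
    """Group law on y^2 = x^3 + 1 (Weierstrass a = 0); O is represented as None."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:  # Q = -P (also covers doubling a point with y = 0)
        return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, p):
    """Scalar multiplication by double-and-add."""
    R = None
    while k > 0:
        if k & 1:
            R = add(R, P, p)
        P = add(P, P, p)
        k >>= 1
    return R

def map_to_point(identity, p, q):
    """H1: {0,1}* -> G1 = <P> of order q (q must divide p + 1).  Hash to y0, lift to the
    unique point with that y (Fact 2), then clear the cofactor (p + 1) / q.  The result has
    order dividing q; a real implementation must also reject the rare result O."""
    assert (p + 1) % q == 0
    y0 = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % p
    return mul((p + 1) // q, point_for_y(y0, p), p)

if __name__ == "__main__":
    p, q = 101, 17                       # 101 = 2 (mod 3) and 102 = 2 * 3 * 17
    print("cubing is a permutation:", cubing_is_permutation(p))
    print("#E(F_p) =", count_points(p), "= p + 1 =", p + 1)
    Q = map_to_point("bob@example.com", p, q)
    print("H1(bob) =", Q, "on curve:", is_on_curve(Q, p), "q*Q = O:", mul(q, Q, p) is None)
```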
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
Divisors: In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$. A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) \cdot (P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at the point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $(Q) - (O)$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}.$$
It's clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$.
But it's degenerate, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q)).$$
Recall:
Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E(\mathbb{F}_{p^2})$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$, but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q)).$$
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$, the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1 : \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters $mpk$ are $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$$C = \left(rP,\; m \oplus H_2(g_{ID}^{\,r})\right) \quad \text{where } g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*.$$
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = (U, V) \in C$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m.$$
34
Boneh-Franklin IBE scheme
Consistency:
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}.$$
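The four Boneh-Franklin algorithms above, the DDH test of slide 23, and the Canetti-Halevi-Katz transform of slide 14 (a fresh one-time-signature verification key used as the identity), run end to end as an added example that is not code from the slides or from either paper. The pairing is a toy one ($G_1 = (\mathbb{Z}_q, +)$, $G_2$ the order-$q$ subgroup of $\mathbb{Z}_N^*$, $e(xP, yP) = g^{xy}$) in which discrete logs are trivial, so it demonstrates the consistency equation and the transform's structure, not security; the parameters $q = 1019$, $N = 2039$, the Lamport one-time signature and all names are this example's own assumptions.

```python
# Added example, not from the slides: the Boneh-Franklin algorithms (Setup, Extract, Encrypt,
# Decrypt), the DDH test of slide 23, and the Canetti-Halevi-Katz transform that turns the IBE
# into a CCA-secure PKE by using a fresh one-time-signature key vk as the identity.
# The pairing is a TOY: G1 = (Z_q, +) with generator P = 1, G2 = the order-q subgroup of Z_N^*,
# e(xP, yP) = g^(x*y).  Bilinear and non-degenerate, but discrete logs are trivial, so this
# shows the algebra, not security.  Parameters, the Lamport OTS and all names are assumptions.
import hashlib
import secrets

Q = 1019            # q: prime order of G1 and G2 (assumed toy value)
N = 2 * Q + 1       # 2039 is prime, so Z_N^* has a subgroup of order q
G2_GEN = 4          # 4 = 2^2 is a non-trivial square mod N, hence has order exactly q
P = 1               # generator of G1 = (Z_q, +); "points" are residues mod q

def rand_zq_star():
    return secrets.randbelow(Q - 1) + 1

def pairing(X, Y):
    """Toy admissible map e: G1 x G1 -> G2 with e(xP, yP) = g^(xy)."""
    return pow(G2_GEN, (X * Y) % Q, N)

def ddh_is_easy(P_, aP, bP, cP):
    """Slide 23: c = ab (mod q)  <=>  e(P, cP) = e(aP, bP)."""
    return pairing(P_, cP) == pairing(aP, bP)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H1(identity):          # {0,1}* -> G1^*  (a nonzero residue mod q)
    return int.from_bytes(hashlib.sha256(identity).digest(), "big") % (Q - 1) + 1

def H2(elem):              # G2 -> {0,1}^256
    return hashlib.sha256(elem.to_bytes(4, "big")).digest()

# ---- Boneh-Franklin IBE ----
def bf_setup():
    s = rand_zq_star()                           # master key s in Z_q^*
    return {"P": P, "P_pub": (s * P) % Q}, s     # (mpk, msk)

def bf_extract(s, identity):
    return (s * H1(identity)) % Q                # d_ID = s * Q_ID

def bf_encrypt(mpk, identity, m):
    assert len(m) == 32                          # message space {0,1}^n with n = 256
    g_id = pairing(H1(identity), mpk["P_pub"])   # g_ID = e(Q_ID, P_pub)
    r = rand_zq_star()
    U = (r * mpk["P"]) % Q                       # U = rP
    V = xor(m, H2(pow(g_id, r, N)))              # V = m xor H2(g_ID^r)
    return U, V

def bf_decrypt(d_id, ct):
    U, V = ct
    return xor(V, H2(pairing(d_id, U)))          # e(d_ID, U) = e(Q_ID, P_pub)^r  (slide 34)

# ---- Lamport one-time signature on the SHA-256 digest of the message ----
def ots_gen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    vk = [[hashlib.sha256(x).digest() for x in pair] for pair in sk]
    return vk, sk

def _bit(h, i):
    return (h[i // 8] >> (7 - i % 8)) & 1

def ots_sign(sk, msg):
    h = hashlib.sha256(msg).digest()
    return [sk[i][_bit(h, i)] for i in range(256)]

def ots_verify(vk, msg, sig):
    h = hashlib.sha256(msg).digest()
    return all(hashlib.sha256(sig[i]).digest() == vk[i][_bit(h, i)] for i in range(256))

# ---- CHK transform: Gen = Setup, Enc signs the IBE ciphertext under vk, Dec checks first ----
def vk_bytes(vk):
    return b"".join(x for pair in vk for x in pair)   # canonical encoding used as the identity

def _signed_part(c):
    return c[0].to_bytes(4, "big") + c[1]

def cca_encrypt(mpk, m):
    vk, sk = ots_gen()                           # fresh one-time key per ciphertext
    c = bf_encrypt(mpk, vk_bytes(vk), m)         # identity := vk
    return vk, c, ots_sign(sk, _signed_part(c))

def cca_decrypt(msk, ct):
    vk, c, sigma = ct
    if not ots_verify(vk, _signed_part(c), sigma):
        return None                              # output "bottom": signature check failed
    return bf_decrypt(bf_extract(msk, vk_bytes(vk)), c)

if __name__ == "__main__":
    mpk, msk = bf_setup()
    m = b"32-byte message for the demo...!"      # constructed sample plaintext
    ct = cca_encrypt(mpk, m)
    print("round trip ok:", cca_decrypt(msk, ct) == m)
    vk, (U, V), sigma = ct
    print("tampered V rejected:", cca_decrypt(msk, (vk, (U, xor(V, b"\x01" + bytes(31))), sigma)) is None)
    print("DDH test, c = ab:", ddh_is_easy(P, 5, 7, 35), "; c != ab:", ddh_is_easy(P, 5, 7, 36))
```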
35
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Decisional BDH: to distinguish between $(P, aP, bP, cP, abcP)$ and $(P, aP, bP, cP, rP)$, which is equivalent to distinguishing between $(P, aP, bP, cP, \hat e(P, P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary $A$ that gains advantage $\epsilon$ in the selective IND-ID-CPA game, then there exists a poly-time adversary $B$ that solves Decisional BDH with probability $\tfrac{1}{2} + \tfrac{\epsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k : \{0,1\}^* \to G_1$.
2. For every $x \in \{0,1\}^*$ and $y \in G_1$ there exists $k$ s.t. $H_k(x) = y$.
3. Such a $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Algorithm B:
1. $B$ gets $q, G_1, G_2, \hat e$ and $(P, Q = aP, U = bP, R = cP, r \in G_2)$. $B$ has to answer 1 if $\hat e(P, P)^{abc} = r$ and 0 otherwise.
2. $B$ starts to execute $A$ and on the first step receives $ID^*$.
3. $B$ chooses a random $s \in \mathbb{Z}_q$ and finds [...]. $B$ chooses a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID^*) = [\ldots]$, and another hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. $B$ provides $A$ with the public setup $(q, G_1, G_2, \hat e, n, Q, [\ldots], H_1, H_2)$. So the master key is $s$ and the public key is [...].
5. $B$ answers $A$'s extraction queries in the standard way.
6. When $A$ is ready for a challenge it gives two messages $m_0, m_1$. $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = (R,\; m_b \oplus H_2(r^{s}))$.
7. $B$ answers 1 if $A$ was correct.
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under the random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$, the algorithm works as follows:
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e : G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $(q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = \left(rP,\; m \oplus H_2(g^{r})\right) \quad \text{where } g = \hat e(Q_{id}, P_{pub}) \in G_2^*.$$
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now, if there is a poly-time adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible probability, then there is a poly-time adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof:
setup: Algorithm $B$ is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. $B$ gives $A$ the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. $H_1$ is a random oracle controlled by $B$ in the following way: $B$ maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$; we call it the $H_1^{list}$. The list is initially empty. When $A$ asks $H_1$ on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, coin_i)$, then $B$ responds with $H_1(ID_i) = Q_i \in G_1^*$.
2. Otherwise $B$ generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$.
3. $B$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$, $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. $B$ adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the list and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under the random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1. Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then $B$ reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = s b_i P = sQ_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $A$.
43
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Challenge: Once algorithm $A$ decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $B$ obtains the tuple $(ID_{ch}, Q, b, coin)$ corresponding to $ID_{ch}$. If $coin = 0$ then $B$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1^*$. Set $C' = (b^{-1}U, V)$, where $b^{-1}$ is the inverse of $b \bmod q$. Algorithm $B$ responds to $A$ with $C'$. Note
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under the random oracle model
After the challenge has been set, algorithm $A$ may continue issuing key extraction queries; algorithm $B$ will respond as before.
Eventually algorithm $A$ will output its answer $b'$; algorithm $B$ will output the same answer.
If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.
$B$ does not abort with non-negligible probability. And thus $B$ wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under the random oracle model
setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ the key $K_{pub}$. The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm $A$ may issue queries to the random oracle $H_2$. To respond to them $B$ maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$. The list is initially empty. When $A$ asks $H_2$ on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$, then $B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to $A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under the random oracle model
challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = (P_3, R)$. Algorithm $B$ gives $c$ as the challenge to $A$. Observe that by definition the decryption of $c$ is $R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under the random oracle model
guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness: $B$ simulates a real attack environment for $A$, and thus we expect $A$ to be correct with non-negligible probability (if given a correct encryption in the last stage). And thus the probability of $A$ asking for $H_2(D)$ is not negligible (since otherwise the decryption of $c$ is independent of $A$'s view, and thus $A$ can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since its length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
15
Proof of CCA2-security
Intuition for the proof (informal) Let ( ) be the challenge ciphertext It is clear that without any decryption oracle queries the plaintext
corresponding to the ciphertext remains hidden to the adversary this is so because
vk c is output by which is
CPA-secure (and the additional components of the ciphertext provide no additional help)
Decryption oracle queries cant further help the adversary On one hand if the adve
c
rsary submits to the oracle a
ciphertext ( ) that is different from the challenge ciphertext but with then the decryption oracle
will reply with since the adversary is unable to forge
vk c vk vk
new valid signatures with respect to On the other
hand if then the decryption query will not help the adversary since the eventual decryption using Decrypt
will be done with respect to a
vk
vk vk
different identity vk
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary attacking in an adaptive chosen-ciphertext attack
Say a ciphertext ( ) is valid if ( ) 1 Let ( ) denote the challenge
ciphertext r
A
vk c Verify vk c vk c
eceived by during a particular run of the game and let Forge denote the event that
submits a valid ciphertext ( ) We prove the following claims
Pr [ ] is negligible
PKE
A
A
A vk c
Forge
Claim 1
Claim
1 12|Pr [ ] Pr [ ] | is negligible
2 2
Now from these two claims we get
1Pr [ ]
2
1 1 |Pr [ ] Pr [ ]|+|Pr [ ] Pr
2 2
PKE PKE
A A
PKE
A
PKE PKE PKE PKE
A A A A
Success Forge Forge
Success
Success Forge Forge Success Forge
1[ ] |
2
1 1 Pr [ ] |Pr [ ] Pr [ ] |
2 2
which is negligible given the stated claims
PKE PKE PKE
A A A
Forge
Forge Success Forge Forge
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger who forges a signature with respect to signature scheme Sig with
probability exactly Pr [ ] Security of Sig implies the claim
is defined as follows giv
PKE
A
F
Forge
F
en input 1 and verification key first runs Setup(1 ) to obtain
(PK msk) and then runs (1 ) Note that can answer any decryption queries of If
happens to submit a valid ciphertext (
k k
k
vk F
A PK F A A
v
0 1
) to its decryption oracle before requesting the challenge
ciphertext then simple outputs the forgery ( ) and stops Otherwise when outputs messages
forger proceeds as follows ch
k c
F c A
m m F
ooses a random bit b computes ( ) and
obtains from its signing oracle a signature on the message Finally hands ( ) to A
If submits a valid ciphertext ( ) to i
bc Encrypt vk m
c F vk c
A vk c
ts decryption oracle note that we must have ( ) ( )
In this case simply outputs ( ) as its forgery It is easy to see that s success probability is
exactly Pr [ ]PKE
A
c c
F c F
Forge
18
Proof of CCA2-security
Proof of claim 2
We use to construct a poly-time adversary which attacks the IBE scheme in selective IND-ID-CPA game
Define adversary as follows
1 (1 ) runs G(1 ) to generate ( ) and outputs the tk k
A A
A
A vk sk
arget identity
2 is given a master public key Adversary in turn runs (1 )
3 When makes a decryption oracle query ( ) adversary proceeds as follows
(a) If
k
ID vk
A PK A A PK
A Decode vk c A
then checks whether ( ) 1 If so aborts and outputs a random bit
Otherwise it simply responds with
(b) If and ( ) 0 then responds w
vk vk A Verify vk c A
vk vk Verify vk c A
ith
(c) If and ( ) 1 then makes the oracle query ( ) to obtain
It then computes ( ) and responds with
4 At some point outpu
vk vk
vk vk Verify vk c A Extract msk vk
SK m Decode SK vk c m
A
0 1
ts two messages These messages are output by A as well In return A
is given a challenge ciphertext adversary then computes ( ) and returns ( ) to
5 may co
m m
c A Sign sk c vk c A
A
ntinue to make decryption queries and these are answered as before
6 Finally outputs a guess this same guess is output by A b A
19
Proof of CCA2-security
Proof of claim 2 continued
Note that represents a legal adversarial strategy for attacking in particular never requests
the secret key corresponding to the target identity Furthermore provides a perfect sim
A A
vk A
ulation
for until event Forge occurs (in such event outputs a random bit) And thus
1 1 1 Pr [ ] Pr [ ] Pr [ ]
2 2 2
And the left side of the a
IBE PKE PKE
A A A
A A
Success Success Forge Success Forge
bove is negligible by the assumed security of
20
Boneh-Franklin construction
21
Bilinear maps
1 2 1 1 2
1
ˆLet and be two groups of order We say that a map eG between
these two groups is bilinear if it satisfies the following properties
ˆ ˆ1 Bilinear for all and ( ) (a b
G G q G G
P Q G a b e P Q e P
1 1 2
1
)
2 Non-degenerate The map does not send all pairs in G to the identity in
ˆ3 Computable There is an efficient algorithm to compute ( ) for any
abQ
G G
e P Q P Q G
A bilinear map satisfying the three properties above is said to be an admissible
bilinear map The existence of such a map has two direct implications to these
groups we will see them next
22
Bilinear maps ndash MOV reduction
Named after Menezes Okamoto and Vanstone
Shows that the discrete log problem in G1 is no harder than the discrete
log problem in G2
1
2
Let where both have order We wish to find such that
ˆ ˆLet ( ) and ( )
ˆBy non-degeneracy of both have order in
bilinearity
P Q G P Q q Q P
g e P P h e Q P h g
e g h q G
Hence we reduced the discrete log problem in G1 to a discrete log
problem in G2
23
Bilinear maps ndash DDH is easy
The Decision Diffie-Hellman problem in G1 is to
distinguish between the distributions (P Pa Pb Pab)and
(P Pa Pb Pc) where abc are random in Zq0 and P is
random in G10
1Given we have
ˆ ˆmod ( ) ( )
a b c
c a b
P P P P G
c ab q e P P e P P
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
2 3
2 3
A curve defined by the equation over some field We will talk about elliptic curve defined by the equation
= +1 over field where is a prime satisfying 2mod3 Let ( ) denote thrp p
y x ax b E
y x p p E
F F e group of points on defined over rpE F
Elliptic curves
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
2
2
2
In the following we let and be arbitrary points in ( )
A divisor is a formal sum of points on the curve ( ) We write divisors as = ( ) where and
( ) W
p
P Pp P
p
P Q E
E a P a
P E
Divisors
F
F
F
A
2 2
2
e will only consider divisors = ( ) where 0
A function on the curve ( ) can be viewed as a rational function ( ) ( )
For any point ( ) ( ) we def
P PP P
p p
p
a P a
f E f x y E
P x y E
Functions F F
F
A
2
ine ( ) ( )
Let be a function on the curve ( ) We define its divisor denoted by ( ) as
( ) ( ) ( ) Here ( ) is the orde
p
P PP
f P f x y
f E f
f ord f P ord f
Divisors of functions F
r of the zero that has at point
Let be a divisor If there exists a function such that ( ) then we say that is a principal
divisor We know
f P
f f Principal divisors A A A
that a divisor = ( ) is principal if and only if 0 and
Furthemore given a principal divisor there exists a unique function such that ( )
P P PP P Pa P a a P O
f f
Equivalen
A
A A
We say that two divisors are equivalent is their difference - is a principal divisor
We know that any divisor = ( ) (with 0) is eP PP Pa P a
ce of divisors A B A B
A quivalent to a divisor of the
form ( ) - ( )
Given a function and a divisor = ( ) we define ( ) as ( ) ( ) Pa
PP P
Q O
f a P f f f P
Notation
A
A A A
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows:
$\hat e(P, Q) = e(P, \phi(Q))$
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of p and q can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$ the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be $C = (rP,\; m \oplus H_2(g_{ID}^{\,r}))$ where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2$.
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = (U, V) \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$V \oplus H_2(\hat e(d_{ID}, U)) = m$
34
Boneh-Franklin IBE scheme
Consistency
$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$.
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Decisional BDH: To distinguish between $(P, aP, bP, cP, \hat e(P,P)^{abc})$ and $(P, aP, bP, cP, \hat e(P,P)^{r})$, which is equivalent to distinguishing between $(P, aP, bP, cP, \hat e(P,P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary A that gains advantage $\varepsilon$ in the selective IND-ID-CPA game then there exists a poly-time adversary B that solves Decisional BDH with probability $\tfrac12 + \tfrac{\varepsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k: \{0,1\}^* \to G_1$
2. $\forall x \in \{0,1\}^*,\ \forall y \in G_1\ \exists k$ s.t. $H_k(x) = y$
3. Such $k$ is easy to find
37
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Algorithm B
1. B gets $(q, G_1, G_2, \hat e)$ and $(P, Q = aP, U = bP, R = cP, r)$. B has to answer 1 if $\hat e(P,P)^{abc} = r$ and 0 otherwise.
2. B starts to execute A and on the first step receives the challenge identity $ID$.
3. B chooses a random $s \in \mathbb{Z}_q^*$ and finds a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID) = P$, and another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. B provides A with the public setup $(q, G_1, G_2, \hat e, n, P, sP, H_1, H_2)$. So the master key is $s$ and the public key is $sP$.
5. B answers A's extraction queries in the standard way.
6. When A is ready for a challenge it gives B two messages $m_0, m_1$. B chooses a bit $b$ at random and gives A $C = (R,\; m_b \oplus H_2(r))$.
7. B answers 1 if A was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Analysis of algorithm B
- Algorithm B runs the same time as A.
- In the last stage:
  - If $\hat e(P,P)^{abc} = r$ then $H_2(r) = H_2(g_{ID}^{\,abc/s})$ since $g_{ID} = \hat e(P, sP) = \hat e(P,P)^{s}$, and thus $(\tfrac{abc}{s}P,\; H_2(r) \oplus m_b)$ is a valid encryption of $m_b$; hence $\Pr[A \text{ answers correctly}] = \tfrac12 + \varepsilon$.
  - Otherwise $H_2(r)$ is a uniformly random string, thus $H_2(r) \oplus m_b$ is a uniformly random string, and hence $\Pr[A \text{ answers correctly}] = \tfrac12$.
- Thus B answers correctly with probability at least $\tfrac12 + \tfrac{\varepsilon}{2}$.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms:
keygen: Given a security parameter $k$ the algorithm works as follows:
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = (rP,\; m \oplus H_2(g_{id}^{\,r}))$ where $g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2$.
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using a private key $d_{id} \in G_1^*$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now, if there is a poly-time adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
Algorithm B is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$.
setup: B gives A the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. $H_1$ is a random oracle controlled by B in the following way: B maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$; we call it the $H_1^{list}$; the list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, coin_i)$ then B responds with $H_1(ID_i) = Q_i$.
2. Otherwise B generates a random $coin \in \{0,1\}$ so that $\Pr[coin = 0] = \delta$.
3. B picks a random $b \in \mathbb{Z}_q^*$. If $coin = 0$ then $Q_i = bP$; otherwise $Q_i = bQ_{id}$.
4. B adds the tuple $(ID_i, Q_i, b, coin)$ to the list and responds with $Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $coin_i = 0$ and therefore $Q_i = b_i P$. Define $d_i = b_i P_{pub} \in G_1^*$. Observe that $d_i = b_i sP = sQ_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model
Challenge: Once algorithm A decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $(ID_{ch}, Q, b, coin)$ corresponding to $ID_{ch}$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1^*$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note
$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id})$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B will respond as before.
Eventually algorithm A will output its answer $b'$; algorithm B will output the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly so does B.
B does not abort with non-negligible probability. And thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm A may issue queries to the random oracle $H_2$; to respond to them B maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$; the list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = (P_3, R)$. Algorithm B gives $c$ as the challenge to A. Observe that by definition the decryption of $c$ is $R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). And thus the probability of A asking for $H_2(D)$ is not negligible (since otherwise the decryption of $c$ is independent of A's view and thus A can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability and, since its length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
16
Proof of CCA2-security
Formal proof
Assume we are given a poly-time adversary $A$ attacking $PKE$ in an adaptive chosen-ciphertext attack. Say a ciphertext $(vk, c, \sigma)$ is valid if $\mathrm{Verify}_{vk}(c, \sigma) = 1$. Let $(vk^*, c^*, \sigma^*)$ denote the challenge ciphertext received by $A$ during a particular run of the game, and let $Forge$ denote the event that $A$ submits a valid ciphertext $(vk^*, c, \sigma)$. We prove the following claims:
Claim 1: $\Pr^{PKE}_{A}[Forge]$ is negligible.
Claim 2: $\left|\Pr^{PKE}_{A}[Success \wedge \overline{Forge}] - \tfrac12 \Pr^{PKE}_{A}[\overline{Forge}]\right|$ is negligible.
Now from these two claims we get
$\left|\Pr^{PKE}_{A}[Success] - \tfrac12\right| \le \left|\Pr^{PKE}_{A}[Success \wedge Forge] - \tfrac12 \Pr^{PKE}_{A}[Forge]\right| + \left|\Pr^{PKE}_{A}[Success \wedge \overline{Forge}] - \tfrac12 \Pr^{PKE}_{A}[\overline{Forge}]\right|$
$\le \tfrac12 \Pr^{PKE}_{A}[Forge] + \left|\Pr^{PKE}_{A}[Success \wedge \overline{Forge}] - \tfrac12 \Pr^{PKE}_{A}[\overline{Forge}]\right|$
which is negligible given the stated claims.
17
Proof of CCA2-security
Proof of claim 1
We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr^{PKE}_{A}[Forge]$. Security of Sig implies the claim.
$F$ is defined as follows: given input $1^k$ and a verification key $vk^*$, $F$ first runs $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption queries of $A$. If $A$ happens to submit a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, forger $F$ proceeds as follows: it chooses a random bit $b$, computes $c^* = \mathrm{Encrypt}_{PK}(vk^*, m_b)$ and obtains from its signing oracle a signature $\sigma^*$ on the message $c^*$. Finally $F$ hands $(vk^*, c^*, \sigma^*)$ to $A$.
If $A$ submits a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle, note that we must have $(c, \sigma) \neq (c^*, \sigma^*)$. In this case $F$ simply outputs $(c, \sigma)$ as its forgery. It is easy to see that $F$'s success probability is exactly $\Pr^{PKE}_{A}[Forge]$.
18
Proof of CCA2-security
Proof of claim 2
We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $\mathrm{Decode}(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
(a) If $vk = vk^*$ then $A'$ checks whether $\mathrm{Verify}_{vk}(c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\bot$.
(b) If $vk \neq vk^*$ and $\mathrm{Verify}_{vk}(c, \sigma) = 0$ then $A'$ responds with $\bot$.
(c) If $vk \neq vk^*$ and $\mathrm{Verify}_{vk}(c, \sigma) = 1$ then $A'$ makes the oracle query $\mathrm{Extract}(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = \mathrm{Decode}_{SK_{vk}}(vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* = \mathrm{Sign}_{sk^*}(c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally $A$ outputs a guess $b'$; this same guess is output by $A'$.
19
Proof of CCA2-security
Proof of claim 2 continued
Note that $A'$ represents a legal adversarial strategy for attacking $IBE$; in particular $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore $A'$ provides a perfect simulation for $A$ until event $Forge$ occurs (in such event $A'$ outputs a random bit). And thus
$\Pr^{IBE}_{A'}[Success] - \tfrac12 = \Pr^{PKE}_{A}[Success \wedge \overline{Forge}] + \tfrac12 \Pr^{PKE}_{A}[Forge] - \tfrac12 = \Pr^{PKE}_{A}[Success \wedge \overline{Forge}] - \tfrac12 \Pr^{PKE}_{A}[\overline{Forge}]$
And the left side of the above is negligible by the assumed security of $IBE$.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e: G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$: $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: The map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: There is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps – MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$.
By non-degeneracy of $\hat e$ both $g, h$ have order $q$ in $G_2$; by bilinearity $h = g^{\alpha}$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps – DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$ where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1$ we have
$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP)$
24
Bilinear Diffie-Hellman Problem
BDH problem
Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e: G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: Given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$ compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\varepsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if $\Pr[A(P, aP, bP, cP) = \hat e(P, P)^{abc}] \ge \varepsilon$.
BDH parameter generator
A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k$,
2) $\mathcal{G}$ runs in time polynomial in $k$,
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$.
BDH assumption
Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $Adv_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$Adv_{\mathcal{G},A}(k) = \Pr\left[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\middle|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\right]$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $Adv_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
A curve defined by the equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$ where $p$ is a prime satisfying $p \equiv 2 \bmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$. $E(\mathbb{F}_p)$ contains $p + 1$ points.
Fact 2: Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$. For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
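The curve of Facts 1-3 and the Weil / modified Weil pairing of the earlier slides (27-28) in executable form, as an added example that is not part of the original slides: it builds $E(\mathbb{F}_p)$ from the cube-root formula of Fact 2, represents $\mathbb{F}_{p^2}$ as $\mathbb{F}_p(\sqrt{-3})$ to get $\zeta$ and the distortion map $\phi$, and evaluates the Weil pairing with Miller's algorithm, the standard way to compute the function $f_P$ with divisor $n(P) - n(O)$ (the slides only define it). The toy parameters p = 101, q = 17 and all function names are constructed for illustration and carry no security.

```python
# Added example, not the slides' own code: the curve y^2 = x^3 + 1 over F_p with
# p = 2 (mod 3) from Facts 1-3, its distortion map phi, and the Weil / modified Weil
# pairing of slides 27-28, computed with Miller's algorithm. p = 101 and q = 17 are
# constructed toy parameters (#E(F_p) = p + 1 = 102 = 6 * 17) and carry no security.
P_MOD = 101   # prime p with p = 2 (mod 3)
Q_ORD = 17    # prime q dividing p + 1
# F_{p^2} = F_p[t] / (t^2 + 3); an element (a, b) means a + b*t.  -3 is a quadratic
# non-residue mod p exactly when p = 2 (mod 3), so this quotient ring is a field.
ZERO, ONE = (0, 0), (1, 0)
def f2_add(u, v): return ((u[0] + v[0]) % P_MOD, (u[1] + v[1]) % P_MOD)
def f2_sub(u, v): return ((u[0] - v[0]) % P_MOD, (u[1] - v[1]) % P_MOD)
def f2_mul(u, v):
    (a, b), (c, d) = u, v
    return ((a * c - 3 * b * d) % P_MOD, (a * d + b * c) % P_MOD)
def f2_inv(u):
    a, b = u
    ni = pow((a * a + 3 * b * b) % P_MOD, -1, P_MOD)   # 1 / norm(a + b*t)
    return ((a * ni) % P_MOD, (-b * ni) % P_MOD)
def f2_pow(u, e):
    r = ONE
    while e:
        if e & 1: r = f2_mul(r, u)
        u, e = f2_mul(u, u), e >> 1
    return r
# zeta = (-1 + t)/2 satisfies zeta^2 + zeta + 1 = 0: a cube root of 1 in F_{p^2} \ F_p.
ZETA = f2_mul((P_MOD - 1, 1), f2_inv((2, 0)))
O = None   # point at infinity; an affine point is ((x_a, x_b), (y_a, y_b)) over F_{p^2}

def on_curve(pt):
    return pt is O or f2_mul(pt[1], pt[1]) == f2_add(f2_mul(f2_mul(pt[0], pt[0]), pt[0]), ONE)

def slope(p1, p2):   # line through p1, p2; the tangent is 3x^2 / 2y because a = 0
    (x1, y1), (x2, y2) = p1, p2
    if p1 == p2: return f2_mul(f2_mul((3, 0), f2_mul(x1, x1)), f2_inv(f2_add(y1, y1)))
    return f2_mul(f2_sub(y2, y1), f2_inv(f2_sub(x2, x1)))

def add(p1, p2):     # group law on E(F_{p^2})
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and f2_add(y1, y2) == ZERO: return O
    lam = slope(p1, p2)
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), x1), x2)
    return (x3, f2_sub(f2_mul(lam, f2_sub(x1, x3)), y1))

def mul(k, pt):      # scalar multiplication by double-and-add
    r = O
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

# Fact 1: x -> x^3 permutes F_p when p = 2 (mod 3); (2p - 1)/3 is the inverse of 3 mod p - 1.
def cube_root(a): return pow(a, (2 * P_MOD - 1) // 3, P_MOD)

# Fact 2: every y0 in F_p lies on exactly one point (x0, y0) with x0 = (y0^2 - 1)^(1/3).
def points_over_fp(): return [((cube_root((y * y - 1) % P_MOD), 0), (y, 0)) for y in range(P_MOD)]

def order_q_point():  # a generator P of G1: multiply any affine point by the cofactor (p + 1)/q
    for pt in points_over_fp():
        g = mul((P_MOD + 1) // Q_ORD, pt)
        if g is not O: return g

def line_eval(t, s, z):   # Miller step: l_{t,s}(z) / v_{t+s}(z), divisor (t) + (s) - (t+s) - (O)
    (xt, yt), (xs, ys), (xz, yz) = t, s, z
    if xt == xs and f2_add(yt, ys) == ZERO:   # t + s = O: l is the vertical x - x_t and v_O = 1
        return f2_sub(xz, xt)
    lam = slope(t, s)
    l = f2_sub(f2_sub(yz, yt), f2_mul(lam, f2_sub(xz, xt)))   # y - y_t - lam * (x - x_t)
    x_ts = f2_sub(f2_sub(f2_mul(lam, lam), xt), xs)           # x-coordinate of t + s
    return f2_mul(l, f2_inv(f2_sub(xz, x_ts)))

def miller(pt, z, n=Q_ORD):
    """f_{n,pt}(z): the function f_P of slide 27 with divisor n(P) - n(O), by Miller's loop."""
    f, t = ONE, pt
    for bit in bin(n)[3:]:
        f, t = f2_mul(f2_mul(f, f), line_eval(t, t, z)), add(t, t)
        if bit == "1":
            f, t = f2_mul(f, line_eval(t, pt, z)), add(t, pt)
    return f

def weil(p1, p2, n=Q_ORD):
    """Weil pairing by Miller's formula e_n(p1, p2) = (-1)^n f_{n,p1}(p2) / f_{n,p2}(p1)."""
    val = f2_mul(miller(p1, p2, n), f2_inv(miller(p2, p1, n)))
    return f2_sub(ZERO, val) if n % 2 else val

def phi(pt): return O if pt is O else (f2_mul(ZETA, pt[0]), pt[1])   # distortion map (zeta*x, y)
def e_hat(p1, p2): return weil(p1, phi(p2))   # modified Weil pairing e^(P, Q) = e(P, phi(Q))

def check_slide_facts():
    """Facts 1-3, degeneracy of e on G1 x G1, and bilinearity / non-degeneracy of e^."""
    pts, P = points_over_fp(), order_q_point()
    Q = mul(5, P)                  # a second point of G1 = <P>
    g = e_hat(P, Q)
    return {
        "E(F_p) has p + 1 points": len(pts) + 1 == P_MOD + 1 and all(map(on_curve, pts)),
        "zeta is a primitive cube root of 1": ZETA != ONE and f2_pow(ZETA, 3) == ONE,
        "phi(P) lies on E but outside E(F_p)": on_curve(phi(P)) and phi(P)[0][1] != 0,
        "e(P, Q) = 1 for P, Q in G1 (degenerate)": weil(P, Q) == ONE,
        "e^(P, Q) has order exactly q": g != ONE and f2_pow(g, Q_ORD) == ONE,
        "e^ is bilinear": e_hat(mul(3, P), Q) == f2_pow(g, 3) and e_hat(P, mul(2, Q)) == f2_pow(g, 2),
    }
```

Every entry of `check_slide_facts()` is `True` for these parameters; the two pairings differ only in the distortion map, which is exactly what turns the degenerate $e$ into the usable $\hat e$.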
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors
A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions
A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions
Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f)\,(P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at point $P$.
Principal divisors
Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors
We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $(Q) - (O)$.
Notation
Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Modified Weil pairing satisfy the following properties
1 Bilinear (follows from bilinearity of Weil pairing)
2 Non-degenerate Obvious
3 Computable There is an efficient algorithm to compute the value of the map
Generator built basing on this map is believed to satisfy BDH assumption asymptotically
However there is still the question of what values of p and q can be used in practice to
make the BDH problem sufficiently hard
30
Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before)
1 2
Given a security parameter the algorithm works as follows
Step 1 Run G on input to generate a prime two groups of order and an
admissibl
k
k q q
Setup
G G
1 1 2 1
1 1
ˆe map Choose a random generator
Step 2 Pick a random and set
Step 3 Choose a cryptographic hash function 01 Choose a cryptographic
s
q pub
e P
s P P
H
G G G G
G
2 2
1
1 2 1 2
hash function 01 for some
The message space is 01 The ciphertext space is 01 The system parameters
ˆare ( ) The is
n
n n
pub
H n
M C
q e n P P H H
mpk msk
G
G
G G qs
31
Boneh-Franklin IBE scheme
1 1
ID
For a given string 01 the algorithm does
1) Computes ( )
2) Sets the private key to be where is the master key
ID
s
ID ID
ID
Q H ID
d d Q s
Extract
G
32
Boneh-Franklin IBE scheme
1 1
To encrypt under the public key do the following
(1) compute ( )
(2) choose a random
(3) set the ciphertext to be
ID
q
m M ID
Q H ID
r
Encrypt
G
2 2ˆ ( ( )) where ( )r r
ID ID ID pubC P m H g g e Q P G
33
Boneh-Franklin IBE scheme
1
2
Let ( ) be a ciphertext encypted using the public key
To decrypt using the private key compute
ˆ ( ( ))
ID
ID
c U V C ID
c d
V H e d U
Decrypt
G
m
34
Boneh-Franklin IBE scheme
ˆ ˆ ˆ ˆ( ) ( ) ( ) ( )s r sr r r
ID ID ID ID pub IDe d U e Q P e Q P e Q P g
1 During encryption m is bitwise xored with the hash of
2 During decryption V is bitwise xored with the hash of
These masks used during encryption and decryption are the same since
ˆ( )IDe d U
r
IDg
Consistency
35
BF IBE scheme security
We will prove now that presented scheme is selective IND-ID-CPA secure in the standard
model
Reminder In selective IND-ID-CPA game the adversary first tells challenger which ID
he wants to be challenged on then he receives public setup and is allowed
to issue key extraction queries
Selective IND-ID-CPA security under standard model
36
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
Now we will see how to show that BF IBE scheme is IND-ID-CPA
secure in random oracle model
IND-ID-CPA security under random oracle model
Reminder In random oracle model cryptographic hash functions are replaced by truly
random functions Our benefit in this model is that we can build our random
oracle on the fly according to adversary actions
40
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
17
Proof of CCA2-security
Proof of claim 1

We construct a poly-time forger $F$ who forges a signature with respect to the signature scheme Sig with probability exactly $\Pr_{A,\mathrm{PKE}}[\mathrm{Forge}]$. Security of Sig implies the claim.

$F$ is defined as follows: given input $1^k$ and a verification key $vk^*$, $F$ first runs $\mathrm{Setup}(1^k)$ to obtain $(PK, msk)$ and then runs $A(1^k, PK)$. Note that $F$ can answer any decryption query of $A$, since it holds $msk$. If $A$ happens to submit a valid ciphertext $(vk^*, c, \sigma)$ to its decryption oracle before requesting the challenge ciphertext, then $F$ simply outputs the forgery $(c, \sigma)$ and stops. Otherwise, when $A$ outputs messages $m_0, m_1$, the forger $F$ proceeds as follows: it chooses a random bit $b$, computes $c \leftarrow \mathrm{Encrypt}(PK, vk^*, m_b)$ and obtains from its signing oracle a signature $\sigma$ on the message $c$. Finally $F$ hands $(vk^*, c, \sigma)$ to $A$.

If $A$ submits a valid ciphertext $(vk^*, c', \sigma')$ to its decryption oracle, note that we must have $(c', \sigma') \neq (c, \sigma)$. In this case $F$ simply outputs $(c', \sigma')$ as its forgery. It is easy to see that $F$'s success probability is exactly $\Pr_{A,\mathrm{PKE}}[\mathrm{Forge}]$.

18
Proof of CCA2-security
Proof of claim 2

We use $A$ to construct a poly-time adversary $A'$ which attacks the IBE scheme in the selective IND-ID-CPA game. Define adversary $A'$ as follows:
1. $A'(1^k)$ runs $G(1^k)$ to generate $(vk^*, sk^*)$ and outputs the target identity $ID^* = vk^*$.
2. $A'$ is given a master public key $PK$. Adversary $A'$ in turn runs $A(1^k, PK)$.
3. When $A$ makes a decryption oracle query $(vk, c, \sigma)$, adversary $A'$ proceeds as follows:
 (a) If $vk = vk^*$ then $A'$ checks whether $\mathrm{Verify}_{vk}(c, \sigma) = 1$. If so, $A'$ aborts and outputs a random bit. Otherwise it simply responds with $\bot$.
 (b) If $vk \neq vk^*$ and $\mathrm{Verify}_{vk}(c, \sigma) = 0$ then $A'$ responds with $\bot$.
 (c) If $vk \neq vk^*$ and $\mathrm{Verify}_{vk}(c, \sigma) = 1$ then $A'$ makes the oracle query $\mathrm{Extract}(msk, vk)$ to obtain $SK_{vk}$. It then computes $m = \mathrm{Decode}(SK_{vk}, vk, c)$ and responds with $m$.
4. At some point $A$ outputs two messages $m_0, m_1$. These messages are output by $A'$ as well. In return $A'$ is given a challenge ciphertext $c^*$; adversary $A'$ then computes $\sigma^* = \mathrm{Sign}_{sk^*}(c^*)$ and returns $(vk^*, c^*, \sigma^*)$ to $A$.
5. $A$ may continue to make decryption queries, and these are answered as before.
6. Finally $A$ outputs a guess $b'$; this same guess is output by $A'$.

19
Proof of CCA2-security
Proof of claim 2, continued

Note that $A'$ represents a legal adversarial strategy for attacking the IBE scheme; in particular $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore $A'$ provides a perfect simulation for $A$ until the event Forge occurs (in that event $A'$ outputs a random bit). Thus
$$\Big|\Pr_{A',\mathrm{IBE}}[\mathrm{Success}] - \tfrac12\Big| = \Big|\Pr_{A,\mathrm{PKE}}[\mathrm{Success} \wedge \overline{\mathrm{Forge}}] + \tfrac12\Pr_{A,\mathrm{PKE}}[\mathrm{Forge}] - \tfrac12\Big|$$
The left side of the above is negligible by the assumed security of the IBE scheme, and $\Pr_{A,\mathrm{PKE}}[\mathrm{Forge}]$ is negligible by claim 1; together these give that $|\Pr_{A,\mathrm{PKE}}[\mathrm{Success}] - \tfrac12|$ is negligible as well.
20
Boneh-Franklin construction

21
Bilinear maps

Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e: G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}$, $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.

22
Bilinear maps: MOV reduction

Named after Menezes, Okamoto and Vanstone. Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$. Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By bilinearity $h = \hat e(\alpha P, P) = g^{\alpha}$, and by non-degeneracy of $\hat e$ both $g$ and $h$ have order $q$ in $G_2$. Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$: $\alpha = \log_g h$.

23
Bilinear maps: DDH is easy

The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$, where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $P, aP, bP, cP \in G_1^*$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP),$$
since $\hat e(P, cP) = \hat e(P, P)^{c}$, $\hat e(aP, bP) = \hat e(P, P)^{ab}$, and $\hat e(P, P)$ has order $q$.

24
Bilinear Diffie-Hellman Problem

BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e: G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\varepsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if
$$\Pr\big[A(P, aP, bP, cP) = \hat e(P, P)^{abc}\big] \ge \varepsilon.$$

BDH parameter generator: A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k \in \mathbb{Z}^{>0}$,
2) runs in time polynomial in $k$,
3) outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$.

BDH assumption: Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $\mathrm{Adv}_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$\mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\Big[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\Big|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\Big].$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $\mathrm{Adv}_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for a generator satisfying the BDH assumption

Elliptic curves: An elliptic curve is defined by an equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \pmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.

Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$.
Fact 2: $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$.
Fact 3: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 4: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ with $x \ne 0$ we have $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$, since $\zeta x \notin \mathbb{F}_p$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$. Since the points $P \in E(\mathbb{F}_p)$ and $\phi(P)$ are linearly independent, they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
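As an added check (this example is not from the slides or from the Boneh-Franklin paper), the following Python verifies Facts 1 to 4 by brute force on a toy prime. It assumes p = 11 (so p ≡ 2 mod 3), represents $\mathbb{F}_{p^2}$ as $\mathbb{F}_p[t]/(t^2 - u)$ for the smallest quadratic non-residue u, finds a primitive cube root of unity ζ by exhaustive search, and applies φ(x, y) = (ζx, y) to every affine point of E(F_p); all helper names are this example's own. The toy size makes every set enumerable and gives no security.

```python
# Added example: brute-force checks of the number-theoretic facts behind the
# y^2 = x^3 + 1 curve used by the BDH parameter generator.  p = 11 is a toy prime
# (p = 2 mod 3) chosen only so that every set can be enumerated; nothing here is secure.

def is_cube_permutation(p):
    """Fact 1: x -> x^3 is a permutation of F_p when p = 2 (mod 3)."""
    return len({pow(x, 3, p) for x in range(p)}) == p

def affine_points(p):
    """All affine points of E: y^2 = x^3 + 1 over F_p (the point at infinity O is not listed)."""
    return {(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - 1) % p == 0}

def unique_x_for_each_y(p):
    """Fact 3: for every y0 in F_p there is exactly one x0 with (x0, y0) on E."""
    pts = affine_points(p)
    return all(sum(1 for (x, y) in pts if y == y0) == 1 for y0 in range(p))

def non_residue(p):
    """Smallest quadratic non-residue u; F_{p^2} is modelled as F_p[t]/(t^2 - u)."""
    return next(u for u in range(2, p) if pow(u, (p - 1) // 2, p) == p - 1)

def fp2_mul(a, b, p, u):
    """Multiply (a0 + a1 t)(b0 + b1 t) in F_{p^2}, using t^2 = u."""
    return ((a[0] * b[0] + u * a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p)

def fp2_pow(a, e, p, u):
    r = (1, 0)
    for _ in range(e):
        r = fp2_mul(r, a, p, u)
    return r

def primitive_cube_root(p):
    """Fact 4: an element zeta != 1 of F_{p^2} with zeta^3 = 1 (it exists since 3 | p^2 - 1)."""
    u = non_residue(p)
    for a0 in range(p):
        for a1 in range(p):
            z = (a0, a1)
            if z != (1, 0) and fp2_pow(z, 3, p, u) == (1, 0):
                return z
    raise ValueError("no cube root of unity found")

def phi_check(p):
    """Fact 4: phi(x, y) = (zeta x, y) keeps every affine point on E over F_{p^2}, and
    for x != 0 moves it out of E(F_p): the new x-coordinate has a non-zero t-component."""
    u, z = non_residue(p), primitive_cube_root(p)
    for (x, y) in affine_points(p):
        zx = fp2_mul(z, (x, 0), p, u)                              # zeta * x in F_{p^2}
        on_curve = fp2_pow(zx, 3, p, u) == ((y * y - 1) % p, 0)    # (zeta x)^3 == y^2 - 1
        if not on_curve or (x != 0 and zx[1] == 0):
            return False
    return True

if __name__ == "__main__":
    p = 11
    print(is_cube_permutation(p), len(affine_points(p)) + 1 == p + 1,
          unique_x_for_each_y(p), primitive_cube_root(p), phi_check(p))
```

For p = 11 the non-residue is u = 2 and the search returns ζ = 5 + t; the same checks pass for any prime p ≡ 2 (mod 3) small enough to enumerate.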
26
Possible construction for a generator satisfying the BDH assumption
Some basic concepts

In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.

Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.

Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.

Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f)\,(P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at the point $P$ (negative if $f$ has a pole at $P$).

Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a function $f$, unique up to a constant multiple, such that $(f) = \mathcal{A}$.

Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$ for some $Q \in E$.

Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.

27
Possible construction for a generator satisfying the BDH assumption
Weil pairing

We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$, which is principal because $nP = O$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously. The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}.$$
This map is bilinear: $e(P_1 + P_2, Q) = e(P_1, Q)\,e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\,e(P, Q_2)$. But it is degenerate on $G_1$, since for all $P \in E[n]$ we have $e(P, P) = 1$.

28
Possible construction for a generator satisfying the BDH assumption
Modified Weil pairing

To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as
$$\hat e(P, Q) = e(P, \phi(Q)).$$
Recall: let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. For any point $Q = (x, y) \in E(\mathbb{F}_p)$ with $x \ne 0$ we have $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$; hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Here $G_1$ is the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$, and $G_2$ is the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.

29
Possible construction for a generator satisfying the BDH assumption
Modified Weil pairing

The modified Weil pairing satisfies the following properties:
1. Bilinear: follows from the bilinearity of the Weil pairing and from $\phi$ being a group automorphism.
2. Non-degenerate: since $P$ and $\phi(P)$ are linearly independent (Fact 4), $\hat e(P, P) = e(P, \phi(P)) \ne 1$.
3. Computable: there is an efficient algorithm (Miller's algorithm) to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme

Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).

Setup: Given a security parameter $k \in \mathbb{Z}^{>0}$ the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The master key is $msk = s \in \mathbb{Z}_q^*$.

31
Boneh-Franklin IBE scheme

Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.

32
Boneh-Franklin IBE scheme

Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$$C = \big(rP,\; m \oplus H_2(g_{ID}^{\,r})\big) \quad\text{where}\quad g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*.$$

33
Boneh-Franklin IBE scheme

Decrypt: Let $C = (U, V) \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$. To decrypt $C$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m.$$

34
Boneh-Franklin IBE scheme
Consistency

$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, sP)^{r} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
The masks used during encryption and decryption are the same since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$.
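The four algorithms above, together with the BCHK transform whose claims were proved on slides 17 to 19, as an added example in Python that is not part of the slides or of either paper. It runs over a toy bilinear map chosen so that the algebra can actually be executed: $G_1 = (\mathbb{Z}_q, +)$ with generator $P = 1$, $G_2$ the order-$q$ subgroup of $\mathbb{Z}_{2q+1}^*$ with $q = 1019$, and $\hat e(aP, bP) = g^{ab}$. This map is bilinear, non-degenerate and computable, so the consistency identity $\hat e(d_{ID}, U) = g_{ID}^{\,r}$ holds and the transform's reject path can be exercised, but the discrete log in $G_1$ is trivial, so BDH is easy and nothing in it is secure. The one-time signature is a Lamport scheme over SHA-256, $H_1$ and $H_2$ are SHA-256 stand-ins, and every function name is an assumption of this example.

```python
"""Added example: Boneh-Franklin IBE (Setup/Extract/Encrypt/Decrypt) and the BCHK
IBE-to-PKE transform over a TOY bilinear map.  G1 = (Z_q, +) with P = 1, so the
point aP is the integer a mod q; G2 = order-q subgroup of Z_{2q+1}^*; e(aP, bP) = g^(ab).
DLOG in G1 is trivial, hence BDH is easy: this demonstrates the algebra, not security."""
import hashlib
import secrets

Q = 1019                # prime group order q
MOD = 2 * Q + 1         # 2039, also prime, so Z_MOD^* has a subgroup of order Q
G = pow(2, 2, MOD)      # a square in Z_MOD^*, hence of order Q: generator of G2
N = 32                  # n = 256: messages and H2 outputs are 32 bytes
P = 1                   # generator of G1 = (Z_Q, +)

def pairing(a, b):
    """Toy admissible map e: G1 x G1 -> G2, e(aP, bP) = g^(ab mod q)."""
    return pow(G, (a * b) % Q, MOD)

def h1(identity):
    """H1: {0,1}* -> G1^*, a hash reduced to a non-zero scalar times P."""
    return 1 + int.from_bytes(hashlib.sha256(identity).digest(), "big") % (Q - 1)

def h2(elem):
    """H2: G2 -> {0,1}^n."""
    return hashlib.sha256(b"H2|" + elem.to_bytes(4, "big")).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = secrets.randbelow(Q - 1) + 1           # master key s in Z_q^*
    return (P, (s * P) % Q), s                 # mpk = (P, P_pub = sP), msk = s

def extract(msk, identity):
    return (msk * h1(identity)) % Q            # d_ID = s * Q_ID

def ibe_encrypt(mpk, identity, m):
    gen, p_pub = mpk
    r = secrets.randbelow(Q - 1) + 1
    g_id = pairing(h1(identity), p_pub)        # g_ID = e(Q_ID, P_pub)
    return (r * gen) % Q, xor(m, h2(pow(g_id, r, MOD)))   # C = (rP, m xor H2(g_ID^r))

def ibe_decrypt(d_id, c):
    u, v = c
    return xor(v, h2(pairing(d_id, u)))        # e(d_ID, U) = e(sQ_ID, rP) = g_ID^r

# BCHK: PKE.Encrypt(PK, m) = (vk, IBE.Encrypt(PK, vk, m), Sign_sk(c)); the one-time
# signature is Lamport over SHA-256 (256 secret pairs, reveal one per message bit).
def ots_gen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    vk = [[hashlib.sha256(x).digest() for x in pair] for pair in sk]
    return vk, sk

def _bits(msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> i) & 1 for i in range(256)]

def ots_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def ots_verify(vk, msg, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == vk[i][bit] for i, bit in enumerate(_bits(msg)))

def encode_vk(vk):
    return b"".join(h for pair in vk for h in pair)      # vk serialised as the identity string

def encode_c(c):
    return c[0].to_bytes(4, "big") + c[1]                # canonical bytes of (U, V) for signing

def pke_encrypt(mpk, m):
    vk, sk = ots_gen()
    c = ibe_encrypt(mpk, encode_vk(vk), m)               # identity = vk
    return vk, c, ots_sign(sk, encode_c(c))

def pke_decrypt(msk, ct):
    vk, c, sig = ct
    if not ots_verify(vk, encode_c(c), sig):             # Verify_vk(c, sigma) = 0 -> reject
        return None
    return ibe_decrypt(extract(msk, encode_vk(vk)), c)   # SK_vk = Extract(msk, vk), then Decode

def demo():
    """Returns (ibe_ok, pke_ok, tampered_rejected, resigned_misses)."""
    mpk, msk = setup()
    m = b"constructed sample plaintext!".ljust(N, b"\0")  # constructed 32-byte message
    c = ibe_encrypt(mpk, b"bob@example.org", m)
    ibe_ok = ibe_decrypt(extract(msk, b"bob@example.org"), c) == m
    ct = pke_encrypt(mpk, m)
    vk, (u, v), sig = ct
    pke_ok = pke_decrypt(msk, ct) == m
    tampered_rejected = pke_decrypt(msk, (vk, (u, xor(v, b"\x01" * N)), sig)) is None
    # Re-signing the same (U, V) under a fresh key pair changes the identity the IBE
    # ciphertext is decrypted for, so the recovered plaintext is not m.
    vk2, sk2 = ots_gen()
    while h1(encode_vk(vk2)) == h1(encode_vk(vk)):       # guard the 1/q toy collision
        vk2, sk2 = ots_gen()
    resigned = pke_decrypt(msk, (vk2, (u, v), ots_sign(sk2, encode_c((u, v)))))
    return ibe_ok, pke_ok, tampered_rejected, resigned != m

if __name__ == "__main__":
    print(demo())
```

demo() returns four booleans: the IBE round trip, the PKE round trip, rejection of a ciphertext whose V was flipped (the signature check fails before any key is extracted, which is the case claim 1 handles), and that re-signing the same (U, V) under a fresh vk decrypts under that other identity and so misses m, which is the binding of the ciphertext to vk that the claim 2 reduction relies on.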
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model

We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which $ID$ he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries (for identities other than the target).

36
BF IBE scheme security
Selective IND-ID-CPA security under standard model

Decisional BDH: to distinguish between $(P, \alpha P, \beta P, \gamma P, \hat e(P, P)^{\alpha\beta\gamma})$ and $(P, \alpha P, \beta P, \gamma P, r)$ for random $r \in G_2$, which is the same as distinguishing between $(P, \alpha P, \beta P, \gamma P, \hat e(P, P)^{\alpha\beta\gamma})$ and $(P, \alpha P, \beta P, \gamma P, \hat e(P, P)^{r'})$ for random $r' \in \mathbb{Z}_q$, since $\hat e(P, P)$ generates $G_2$.

Theorem: If there exists a poly-time adversary $A$ that gains advantage $\varepsilon$ in the selective IND-ID-CPA game (answers correctly with probability $\tfrac12 + \varepsilon$) then there exists a poly-time adversary $B$ that solves Decisional BDH with probability $\tfrac12 + \tfrac{\varepsilon}{2}$.

We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k: \{0,1\}^* \to G_1$;
2. for all $x \in \{0,1\}^*$ and $y \in G_1$ there exists $k$ such that $H_k(x) = y$;
3. such a $k$ is easy to find.

37
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Algorithm B

1. $B$ gets $(q, G_1, G_2, \hat e)$ and $(P, Q = \alpha P, U = \beta P, R = \gamma P, r)$; $B$ has to answer 1 if $\hat e(P, P)^{\alpha\beta\gamma} = r$ and 0 otherwise.
2. $B$ starts to execute $A$ and on the first step receives the target identity $ID^*$.
3. $B$ chooses a random $s \in \mathbb{Z}_q^*$ and finds $s^{-1}$. $B$ chooses a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID^*) = s^{-1}U = s^{-1}\beta P$, and another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. $B$ provides $A$ with the public setup $(q, G_1, G_2, \hat e, n, Q, sQ, H_1, H_2)$: the generator is $Q = \alpha P$, so the master key is $s$ and the public key is $P_{pub} = sQ = s\alpha P$.
5. $B$ answers $A$'s extraction queries in the standard way (it knows the master key $s$).
6. When $A$ is ready for a challenge it gives $B$ two messages $m_0, m_1$. $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = (R,\; m_b \oplus H_2(r))$.
7. $B$ answers 1 if $A$'s guess was correct ($b' = b$).

38
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Analysis of algorithm B

- Algorithm $B$ runs in the same time as $A$.
- In the last stage:
  - If $\hat e(P, P)^{\alpha\beta\gamma} = r$ then $H_2(r) = H_2(g_{ID^*}^{\,\gamma})$, since $g_{ID^*} = \hat e(H_1(ID^*), P_{pub}) = \hat e(s^{-1}\beta P, s\alpha P) = \hat e(P, P)^{\alpha\beta}$; the slide concludes that $(\gamma P,\; H_2(r) \oplus m_b)$ is a valid encryption of $m_b$ and hence $\Pr[A \text{ answers correctly}] = \tfrac12 + \varepsilon$.
  - Otherwise $H_2(r)$ is a uniformly random string (this treats $H_2$ as an extractor: a uniform $r \in G_2$ gives a uniform $n$-bit output), thus $H_2(r) \oplus m_b$ is a uniformly random string, and hence $\Pr[A \text{ answers correctly}] = \tfrac12$.
- Thus $B$ answers correctly with probability at least $\tfrac12(\tfrac12 + \varepsilon) + \tfrac12 \cdot \tfrac12 = \tfrac12 + \tfrac{\varepsilon}{2}$.

Check on the first case: under the generator $Q$ the decryptor's mask for $C = (R, V)$ is $\hat e(d_{ID^*}, R) = \hat e(s \cdot s^{-1}\beta P, \gamma P) = \hat e(P, P)^{\beta\gamma} = g_{ID^*}^{\,\gamma/\alpha}$, whereas $H_2(r)$ masks with $g_{ID^*}^{\,\gamma} = \hat e(P, P)^{\alpha\beta\gamma}$. So $(R, m_b \oplus H_2(r))$ does not decrypt to $m_b$, and the "valid encryption" step does not go through as written. The random oracle proof that follows embeds the instance differently: $P_{pub} = aP$, $Q_{ID} = bP$ and challenge component $U = cP$, so that the decryption mask is exactly $\hat e(P, P)^{abc}$.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model

Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.

40
BF IBE scheme security
IND-ID-CPA security under random oracle model

First we will show a reduction from the BF IBE scheme to the following public-key scheme called BasicPub; this scheme is defined by the following algorithms.

keygen: Given a security parameter $k$ the algorithm works as follows.
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.

encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = \big(rP,\; m \oplus H_2(g_{id}^{\,r})\big) \quad\text{where}\quad g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2^*.$$

decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model

Now, if there is a poly-time adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible advantage.

Proof.
setup: Algorithm $B$ is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. $B$ gives $A$ the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$, where $H_1$ is a random oracle controlled by $B$ in the following way. $B$ maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$; we call it the $H_1$-list; the list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1$-list in a tuple $(ID_i, Q_i, b_i, coin_i)$ then $B$ responds with $H_1(ID_i) = Q_i \in G_1^*$.
2. Otherwise $B$ generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$ (for some $\delta$ fixed in advance).
3. $B$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$, $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. $B$ adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1$-list and responds with $H_1(ID_i) = Q_i$.

42
BF IBE scheme security
IND-ID-CPA security under random oracle model

key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1. Obtain $Q_i = H_1(ID_i)$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then $B$ reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub} \in G_1^*$. Observe that $d_i = s b_i P = s Q_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $A$.

43
BF IBE scheme security
IND-ID-CPA security under random oracle model

challenge: Once algorithm $A$ decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $B$ obtains the tuple $(ID_{ch}, Q, b, coin)$ corresponding to $ID_{ch}$. If $coin = 0$ then $B$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1^*$. Set $C' = (b^{-1}U, V)$, where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $B$ responds to $A$ with $C'$. Note
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, s\,b\,Q_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.

44
BF IBE scheme security
IND-ID-CPA security under random oracle model

After the challenge is set, algorithm $A$ may continue issuing key extraction queries; algorithm $B$ responds as before.
Eventually algorithm $A$ outputs its answer $c'$; algorithm $B$ outputs the same answer.
If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.
$B$ does not abort with non-negligible probability, and the coins are independent of $A$'s view, so $A$'s success conditioned on no abort is unchanged. Thus $B$ wins the IND-CPA game against BasicPub with non-negligible advantage.
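The simulator $B$ of slides 41 to 43, as an added example in Python that is not from the slides or the paper, over the same toy map as the scheme example: $G_1 = (\mathbb{Z}_q, +)$ with $P = 1$, $q = 1019$, and $\hat e(aP, bP) = g^{ab}$ in $\mathbb{Z}_{2q+1}^*$. It keeps the $H_1$-list, answers an extraction query with $d_i = b_i P_{pub}$ when $coin_i = 0$, and re-randomises the challenger's $(U, V)$ into $(b^{-1}U, V)$ when $coin_{ch} = 1$. The challenger's secret $s$ appears only inside run_checks to compare $B$'s outputs against the real keys; $B$ itself never reads it. The class and function names are this example's own, and the toy group gives no security.

```python
"""Added example: the simulator B from the BF -> BasicPub reduction (H1-list, key
extraction, challenge re-randomisation) over a toy bilinear map: G1 = (Z_q, +) with
P = 1, G2 = order-q subgroup of Z_{2q+1}^*, e(aP, bP) = g^(ab).  Insecure by design."""
import random

Q, MOD, G = 1019, 2039, 4        # toy q, the modulus of G2, and a generator of G2

def pairing(a, b):
    return pow(G, (a * b) % Q, MOD)

class Simulator:
    """B, given BasicPub's (P_pub, Q_id) and the coin bias delta = Pr[coin_i = 0]."""

    def __init__(self, p_pub, q_id, delta, rng=None):
        self.p_pub, self.q_id, self.delta = p_pub, q_id, delta
        self.rng = rng or random.Random()
        self.h1_list = {}            # ID -> (Q_i, b_i, coin_i), the H1-list
        self.failed = False          # set when B has to report failure

    def h1(self, identity):
        """Programmed random oracle H1: Q_i = b_i P (coin 0) or Q_i = b_i Q_id (coin 1)."""
        if identity not in self.h1_list:
            coin = 0 if self.rng.random() < self.delta else 1
            b = self.rng.randrange(1, Q)
            q_i = b % Q if coin == 0 else (b * self.q_id) % Q
            self.h1_list[identity] = (q_i, b, coin)
        return self.h1_list[identity][0]

    def extract(self, identity):
        """Key extraction: d_i = b_i P_pub = s b_i P = s Q_i, or failure if coin_i = 1."""
        self.h1(identity)
        _, b, coin = self.h1_list[identity]
        if coin == 1:
            self.failed = True
            return None
        return (b * self.p_pub) % Q

    def challenge(self, identity, c):
        """Map BasicPub's C = (U, V) to C' = (b^-1 U, V) for ID_ch; needs coin = 1."""
        self.h1(identity)
        _, b, coin = self.h1_list[identity]
        if coin == 0:
            self.failed = True
            return None
        u, v = c
        return (pow(b, -1, Q) * u) % Q, v

def run_checks(seed=7, n_ids=16):
    """Runs B against a toy BasicPub key and returns (extract_ok, challenge_ok)."""
    rng = random.Random(seed)
    s, q_id = rng.randrange(1, Q), rng.randrange(1, Q)    # challenger's s: checks only
    sim = Simulator(p_pub=s % Q, q_id=q_id, delta=0.5, rng=rng)
    u, v = rng.randrange(1, Q), bytes(32)                 # a BasicPub challenge C = (U, V)
    extract_ok, challenge_ok = [], []
    for i in range(n_ids):
        identity = f"user{i}@example.org".encode()
        q_i = sim.h1(identity)
        _, b, coin = sim.h1_list[identity]
        if coin == 0:       # B can answer an extraction query for this ID
            extract_ok.append(sim.extract(identity) == (s * q_i) % Q)
        else:               # B can re-randomise the challenge for this ID
            c2 = sim.challenge(identity, (u, v))
            challenge_ok.append(pairing(c2[0], (s * q_i) % Q) == pairing(u, (s * q_id) % Q))
    return bool(extract_ok) and all(extract_ok), bool(challenge_ok) and all(challenge_ok)

if __name__ == "__main__":
    print(run_checks())
```

The first check confirms that the extracted key equals the real $sQ_i$ without $B$ knowing $s$; the second confirms the pairing identity of slide 43, that $\hat e(b^{-1}U, sQ_i) = \hat e(U, sQ_{id})$, so the re-randomised ciphertext decrypts under the BF key for $ID_{ch}$ exactly as the original does under $d_{id}$.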
45
BF IBE scheme security
IND-ID-CPA security under random oracle model

As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible advantage. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.

46
BF IBE scheme security
IND-ID-CPA security under random oracle model

setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ the key $K_{pub}$. The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm $A$ may issue queries to the random oracle $H_2$; to respond to them $B$ maintains a list of tuples $(X_j, H_j)$; we call it the $H_2$-list; the list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2$-list in a tuple $(X_i, H_i)$ then $B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2$-list. It responds to $A$ with $H_2(X_i) = H_i$.

47
BF IBE scheme security
IND-ID-CPA security under random oracle model

challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = (P_3, R)$. Algorithm $B$ gives $C$ as the challenge to $A$. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D).$$

48
BF IBE scheme security
IND-ID-CPA security under random oracle model

guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $(X_j, H_j)$ from the $H_2$-list and outputs $X_j$ as the solution.

Proof of correctness: $B$ simulates a real attack environment for $A$, and thus we expect $A$ to be correct with non-negligible advantage (if given a correct encryption in the last stage). Thus the probability of $A$ asking for $H_2(D)$ is non-negligible (since otherwise the decryption of $C$ is independent of $A$'s view, and then $A$ can't answer correctly with probability greater than one half). So we have $D$ on our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
18
Proof of CCA2-security
Proof of claim 2
We use to construct a poly-time adversary which attacks the IBE scheme in selective IND-ID-CPA game
Define adversary as follows
1 (1 ) runs G(1 ) to generate ( ) and outputs the tk k
A A
A
A vk sk
arget identity
2 is given a master public key Adversary in turn runs (1 )
3 When makes a decryption oracle query ( ) adversary proceeds as follows
(a) If
k
ID vk
A PK A A PK
A Decode vk c A
then checks whether ( ) 1 If so aborts and outputs a random bit
Otherwise it simply responds with
(b) If and ( ) 0 then responds w
vk vk A Verify vk c A
vk vk Verify vk c A
ith
(c) If and ( ) 1 then makes the oracle query ( ) to obtain
It then computes ( ) and responds with
4 At some point outpu
vk vk
vk vk Verify vk c A Extract msk vk
SK m Decode SK vk c m
A
0 1
ts two messages These messages are output by A as well In return A
is given a challenge ciphertext adversary then computes ( ) and returns ( ) to
5 may co
m m
c A Sign sk c vk c A
A
ntinue to make decryption queries and these are answered as before
6 Finally outputs a guess this same guess is output by A b A
19
Proof of CCA2-security
Proof of claim 2 continued
Note that represents a legal adversarial strategy for attacking in particular never requests
the secret key corresponding to the target identity Furthermore provides a perfect sim
A A
vk A
ulation
for until event Forge occurs (in such event outputs a random bit) And thus
1 1 1 Pr [ ] Pr [ ] Pr [ ]
2 2 2
And the left side of the a
IBE PKE PKE
A A A
A A
Success Success Forge Success Forge
bove is negligible by the assumed security of
20
Boneh-Franklin construction
21
Bilinear maps
1 2 1 1 2
1
ˆLet and be two groups of order We say that a map eG between
these two groups is bilinear if it satisfies the following properties
ˆ ˆ1 Bilinear for all and ( ) (a b
G G q G G
P Q G a b e P Q e P
1 1 2
1
)
2 Non-degenerate The map does not send all pairs in G to the identity in
ˆ3 Computable There is an efficient algorithm to compute ( ) for any
abQ
G G
e P Q P Q G
A bilinear map satisfying the three properties above is said to be an admissible
bilinear map The existence of such a map has two direct implications to these
groups we will see them next
22
Bilinear maps ndash MOV reduction
Named after Menezes Okamoto and Vanstone
Shows that the discrete log problem in G1 is no harder than the discrete
log problem in G2
1
2
Let where both have order We wish to find such that
ˆ ˆLet ( ) and ( )
ˆBy non-degeneracy of both have order in
bilinearity
P Q G P Q q Q P
g e P P h e Q P h g
e g h q G
Hence we reduced the discrete log problem in G1 to a discrete log
problem in G2
23
Bilinear maps ndash DDH is easy
The Decision Diffie-Hellman problem in G1 is to
distinguish between the distributions (P Pa Pb Pab)and
(P Pa Pb Pc) where abc are random in Zq0 and P is
random in G10
1Given we have
ˆ ˆmod ( ) ( )
a b c
c a b
P P P P G
c ab q e P P e P P
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
2 3
2 3
A curve defined by the equation over some field We will talk about elliptic curve defined by the equation
= +1 over field where is a prime satisfying 2mod3 Let ( ) denote thrp p
y x ax b E
y x p p E
F F e group of points on defined over rpE F
Elliptic curves
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
2
2
2
In the following we let and be arbitrary points in ( )
A divisor is a formal sum of points on the curve ( ) We write divisors as = ( ) where and
( ) W
p
P Pp P
p
P Q E
E a P a
P E
Divisors
F
F
F
A
2 2
2
e will only consider divisors = ( ) where 0
A function on the curve ( ) can be viewed as a rational function ( ) ( )
For any point ( ) ( ) we def
P PP P
p p
p
a P a
f E f x y E
P x y E
Functions F F
F
A
2
ine ( ) ( )
Let be a function on the curve ( ) We define its divisor denoted by ( ) as
( ) ( ) ( ) Here ( ) is the orde
p
P PP
f P f x y
f E f
f ord f P ord f
Divisors of functions F
r of the zero that has at point
Let be a divisor If there exists a function such that ( ) then we say that is a principal
divisor We know
f P
f f Principal divisors A A A
that a divisor = ( ) is principal if and only if 0 and
Furthemore given a principal divisor there exists a unique function such that ( )
P P PP P Pa P a a P O
f f
Equivalen
A
A A
We say that two divisors are equivalent is their difference - is a principal divisor
We know that any divisor = ( ) (with 0) is eP PP Pa P a
ce of divisors A B A B
A quivalent to a divisor of the
form ( ) - ( )
Given a function and a divisor = ( ) we define ( ) as ( ) ( ) Pa
PP P
Q O
f a P f f f P
Notation
A
A A A
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Modified Weil pairing satisfy the following properties
1 Bilinear (follows from bilinearity of Weil pairing)
2 Non-degenerate Obvious
3 Computable There is an efficient algorithm to compute the value of the map
Generator built basing on this map is believed to satisfy BDH assumption asymptotically
However there is still the question of what values of p and q can be used in practice to
make the BDH problem sufficiently hard
30
Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before)
1 2
Given a security parameter the algorithm works as follows
Step 1 Run G on input to generate a prime two groups of order and an
admissibl
k
k q q
Setup
G G
1 1 2 1
1 1
ˆe map Choose a random generator
Step 2 Pick a random and set
Step 3 Choose a cryptographic hash function 01 Choose a cryptographic
s
q pub
e P
s P P
H
G G G G
G
2 2
1
1 2 1 2
hash function 01 for some
The message space is 01 The ciphertext space is 01 The system parameters
ˆare ( ) The is
n
n n
pub
H n
M C
q e n P P H H
mpk msk
G
G
G G qs
31
Boneh-Franklin IBE scheme
1 1
ID
For a given string 01 the algorithm does
1) Computes ( )
2) Sets the private key to be where is the master key
ID
s
ID ID
ID
Q H ID
d d Q s
Extract
G
32
Boneh-Franklin IBE scheme
1 1
To encrypt under the public key do the following
(1) compute ( )
(2) choose a random
(3) set the ciphertext to be
ID
q
m M ID
Q H ID
r
Encrypt
G
2 2ˆ ( ( )) where ( )r r
ID ID ID pubC P m H g g e Q P G
33
Boneh-Franklin IBE scheme
1
2
Let ( ) be a ciphertext encypted using the public key
To decrypt using the private key compute
ˆ ( ( ))
ID
ID
c U V C ID
c d
V H e d U
Decrypt
G
m
34
Boneh-Franklin IBE scheme
ˆ ˆ ˆ ˆ( ) ( ) ( ) ( )s r sr r r
ID ID ID ID pub IDe d U e Q P e Q P e Q P g
1 During encryption m is bitwise xored with the hash of
2 During decryption V is bitwise xored with the hash of
These masks used during encryption and decryption are the same since
ˆ( )IDe d U
r
IDg
Consistency
35
BF IBE scheme security
We will prove now that presented scheme is selective IND-ID-CPA secure in the standard
model
Reminder In selective IND-ID-CPA game the adversary first tells challenger which ID
he wants to be challenged on then he receives public setup and is allowed
to issue key extraction queries
Selective IND-ID-CPA security under standard model
36
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme security – Selective IND-ID-CPA security under standard model
Analysis of algorithm B
- Algorithm B runs in the same time as A.
- In the last stage:
  - If $\hat e(P,P)^{abc} = r$ then $H_2(r) = H_2(g_{ID}^{c})$, since $g_{ID} = \hat e(s^{-1}bP, saP) = \hat e(P,P)^{ab}$, and thus $(cP, m_b \oplus H_2(r))$ is a valid encryption of $m_b$; hence $\Pr[A \text{ answers correctly}] \ge \frac{1}{2} + \varepsilon$.
  - Otherwise $H_2(r)$ is a uniformly random string, thus $m_b \oplus H_2(r)$ is a uniformly random string, and hence $\Pr[A \text{ answers correctly}] = \frac{1}{2}$.
- Thus B answers correctly with probability at least $\frac{1}{2} + \frac{\varepsilon}{2}$.
39
BF IBE scheme security – IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security – IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$ the algorithm works as follows.
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e : G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $(q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id}$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{id}^{\,r}))$ where $g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2$.
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security – IND-ID-CPA security under random oracle model
Now, if there is a polytime adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible probability, then there is a polytime adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof:
setup: Algorithm B is given the public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. B gives A the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$; $H_1$ is a random oracle controlled by B in the following way. B maintains a list of tuples $(ID_j, Q_j, b_j, c_j)$, which we call the $H_1^{list}$; the list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, c_i)$ then B responds with $H_1(ID_i) = Q_i$.
2. Otherwise B generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0]$ equals a fixed value.
3. B picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$, $Q_i = b_iP$; otherwise $Q_i = b_iQ_{id}$.
4. B adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1^{list}$ and responds with $Q_i$.
42
BF IBE scheme security – IND-ID-CPA security under random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $Q_i = b_iP$. Define $d_i = b_iP_{pub}$. Observe that $d_i = b_i sP = sQ_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
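The $H_1$ simulation with the coin trick, the simulated key extraction, and the re-basing of the challenge ciphertext from the next slide, as an added example that is not code from the slides. It runs in a constructed toy group $G_1 = (\mathbb{Z}_q, +)$ with $P = 1$ (so "$aP$" is the integer $a$) and uses the toy map $e(x,y) = xy \bmod q$ with $G_2$ written additively; $q$, $\delta$ and the challenger's secrets are toy choices.

```python
# Added example, not code from the slides: B's simulation of H1 and of key extraction
# and the re-basing of the challenge ciphertext, in a constructed toy group
# G1 = (Z_q, +) with P = 1, so "aP" is the integer a. The only pairing needed is for
# the final check, so it is the toy e(x, y) = x*y mod q with G2 written additively.
import random

q = 1321     # constructed prime group order
P = 1


def e(x, y):
    """Toy bilinear map with G2 = (Z_q, +): e(aP, bP) = ab."""
    return (x * y) % q


class BasicPubChallenger:
    """Holds the BasicPub key (P_pub = sP, Q_id); s never leaves this object."""
    def __init__(self, rng):
        self._s = 1 + rng.randrange(q - 1)
        self.P_pub = (self._s * P) % q
        self.Q_id = 1 + rng.randrange(q - 1)

    def true_private_key(self, Q):
        """s*Q, which B cannot compute; used only to check B's answers."""
        return (self._s * Q) % q


class SimulatorB:
    def __init__(self, P_pub, Q_id, delta, rng):
        self.P_pub, self.Q_id, self.delta, self.rng = P_pub, Q_id, delta, rng
        self.h1_list = {}          # H1^list: ID -> (Q_i, b_i, coin_i)

    def H1(self, identity):
        """Random-oracle simulation of H1 with the coin trick."""
        if identity not in self.h1_list:
            coin = 0 if self.rng.random() < self.delta else 1   # Pr[coin = 0] = delta
            b = 1 + self.rng.randrange(q - 1)
            Q = (b * P) % q if coin == 0 else (b * self.Q_id) % q
            self.h1_list[identity] = (Q, b, coin)
        return self.h1_list[identity][0]

    def extract(self, identity):
        """d_i = b_i*P_pub = s*Q_i when coin_i = 0; None means B reports failure."""
        self.H1(identity)
        Q, b, coin = self.h1_list[identity]
        if coin == 1:
            return None
        return (b * self.P_pub) % q

    def rebase_challenge(self, identity, C):
        """BasicPub ciphertext C = (U, V) -> C' = (b^-1 U, V) for ID_ch, if coin = 1."""
        self.H1(identity)
        Q, b, coin = self.h1_list[identity]
        if coin == 0:
            return None
        U, V = C
        return ((pow(b, -1, q) * U) % q, V)


def run_simulation(seed=7, delta=0.5, n_ids=40):
    """Answers n_ids extraction queries; returns (all simulated keys correct, failures)."""
    rng = random.Random(seed)
    ch = BasicPubChallenger(rng)
    B = SimulatorB(ch.P_pub, ch.Q_id, delta, rng)
    failures, ok = 0, True
    for i in range(n_ids):
        ident = f"user{i}@example.com"
        d = B.extract(ident)
        if d is None:
            failures += 1
        else:
            ok &= d == ch.true_private_key(B.H1(ident))   # simulated key equals s*Q_i
    return ok, failures


def challenge_consistent(seed=7):
    """e(b^-1 U, d_ID_ch) == e(U, d_id): BF decryption of C' matches BasicPub decryption of C."""
    rng = random.Random(seed)
    ch = BasicPubChallenger(rng)
    B = SimulatorB(ch.P_pub, ch.Q_id, 0.5, rng)
    U = 1 + rng.randrange(q - 1)
    for i in range(200):
        ident = f"target{i}"
        Cp = B.rebase_challenge(ident, (U, b"V"))
        if Cp is not None:                       # this identity got coin = 1
            d_ID = ch.true_private_key(B.H1(ident))
            d_id = ch.true_private_key(ch.Q_id)
            return e(Cp[0], d_ID) == e(U, d_id)
    return False
```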
43
BF IBE scheme security – IND-ID-CPA security under random oracle model
Challenge: Once algorithm A decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple corresponding to $ID_{ch}$: $(ID_{ch}, Q, b, coin)$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = (U, V)$ we have $U \in G_1$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note that
$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id})$.
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security – IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B will respond as before.
Eventually algorithm A will output its answer $b'$; algorithm B will output the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly, so does B.
B does not abort with non-negligible probability, and thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security – IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P,P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security – IND-ID-CPA security under random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$. The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
$H_2$-queries: At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them B maintains a list of tuples $(X_j, H_j)$, which we call the $H_2^{list}$; the list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security – IND-ID-CPA security under random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = (P_3, R)$. Algorithm B gives $c$ as the challenge to A. Observe that by definition the decryption of $C$ is $R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security – IND-ID-CPA security under random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness: B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). And thus the probability of A asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of A's view, and thus A can't answer correctly with probability greater than half). So we have $D$ in our list with that non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
19
Proof of CCA2-security
Proof of claim 2 continued
Note that $A'$ represents a legal adversarial strategy for attacking the IBE scheme; in particular $A'$ never requests the secret key corresponding to the target identity $vk^*$. Furthermore $A'$ provides a perfect simulation for $A$ until event Forge occurs (in such event $A'$ outputs a random bit). And thus
$\Pr^{IBE}_{A'}[Success] - \frac{1}{2} = \Pr^{PKE}_{A}[Success \wedge \overline{Forge}] + \frac{1}{2}\Pr^{PKE}_{A}[Forge] - \frac{1}{2}$
And the left side of the above is negligible by the assumed security of the IBE scheme.
20
Boneh-Franklin construction
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e : G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$, $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps – MOV reduction
Named after Menezes, Okamoto and Vanstone.
Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By bilinearity $h = g^{\alpha}$.
By non-degeneracy of $\hat e$ both $g$ and $h$ have order $q$ in $G_2$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$.
23
Bilinear maps – DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$ where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1$ we have
$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP)$
24
Bilinear Diffie-Hellman Problem
BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e : G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $(G_1, G_2, \hat e)$ is: given $(P, aP, bP, cP)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P,P)^{abc} \in G_2$. An algorithm $A$ has advantage $\varepsilon$ in solving BDH in $(G_1, G_2, \hat e)$ if $\Pr[A(P, aP, bP, cP) = \hat e(P,P)^{abc}] \ge \varepsilon$.
BDH parameter generator: A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k$;
2) $\mathcal{G}$ runs in time polynomial in $k$;
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$.
BDH assumption: Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $Adv_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$Adv_{\mathcal{G},A}(k) = \Pr\big[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P,P)^{abc} \;\big|\; (q, G_1, G_2, \hat e) \leftarrow \mathcal{G}(1^k),\ P \in G_1^*,\ a, b, c \in \mathbb{Z}_q^*\big]$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $Adv_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
A curve $E$ defined by the equation $y^2 = x^3 + ax + b$ over some field $\mathbb{F}$. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$ where $p$ is a prime satisfying $p \equiv 2 \bmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$.
Fact 2: $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$.
Fact 3: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 4: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$. Since the points $P$ and $\phi(P)$ are linearly independent they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
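The curve $y^2 = x^3 + 1$ over $\mathbb{F}_p$ with $p \equiv 2 \bmod 3$, with Facts 1 to 4 checked numerically, as an added example that is not code from the slides. The prime $p$, the subgroup order $q$ and the sample points are constructed toy parameters; $\mathbb{F}_{p^2}$ is built as $\mathbb{F}_p[t]/(t^2 + 3)$, which is a field precisely because $-3$ is a non-residue mod $p$ when $p \equiv 2 \bmod 3$.

```python
# Added example, not code from the slides: y^2 = x^3 + 1 over F_p, p = 2 (mod 3), and
# checks of Facts 1-4. p, q and the sample points are constructed toy parameters.
from dataclasses import dataclass

p = 10007            # constructed prime with p % 3 == 2
q = 139              # prime factor of p + 1 = 10008 = 2^3 * 3^2 * 139 (Fact 2)


@dataclass(frozen=True)
class F:
    """Element a + b*t of F_{p^2} = F_p[t]/(t^2 + 3); elements with b == 0 form F_p."""
    a: int
    b: int = 0

    def __post_init__(self):
        object.__setattr__(self, "a", self.a % p)
        object.__setattr__(self, "b", self.b % p)

    def __add__(self, o): return F(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return F(self.a - o.a, self.b - o.b)
    def __neg__(self): return F(-self.a, -self.b)

    def __mul__(self, o):
        # (a + bt)(c + dt) = (ac - 3bd) + (ad + bc)t  because t^2 = -3
        return F(self.a * o.a - 3 * self.b * o.b, self.a * o.b + self.b * o.a)

    def inv(self):
        # (a + bt)^-1 = (a - bt) / (a^2 + 3b^2); the norm is non-zero for non-zero elements
        n = pow(self.a * self.a + 3 * self.b * self.b, -1, p)
        return F(self.a * n, -self.b * n)

    def in_fp(self): return self.b == 0


# Points are (x, y) pairs of F; None stands for the point at infinity O.
def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return y * y == x * x * x + F(1)


def add(p1, p2):
    """Chord-and-tangent addition on y^2 = x^3 + 1 (curve coefficient a = 0)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and y1 == -y2:      # P + (-P) = O; also doubling a point with y = 0
        return None
    if p1 == p2:
        lam = (F(3) * x1 * x1) * (F(2) * y1).inv()
    else:
        lam = (y2 - y1) * (x2 - x1).inv()
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def cube_root(a):
    """Fact 1: x -> x^3 is a bijection of F_p; its inverse is the exponent (2p - 1)/3."""
    return pow(a, (2 * p - 1) // 3, p)


def cube_is_permutation():
    return len({pow(x, 3, p) for x in range(p)}) == p


def map_to_point(y0):
    """Fact 3: the unique point of E(F_p) with y-coordinate y0 is ((y0^2 - 1)^(1/3), y0)."""
    return (F(cube_root((y0 * y0 - 1) % p)), F(y0))


def point_of_order_q():
    """Fact 2: |E(F_p)| = p + 1, so ((p+1)/q) * P0 has order q whenever it is not O."""
    cofactor = (p + 1) // q
    for y0 in range(1, p):
        pt = mul(cofactor, map_to_point(y0))
        if pt is not None:
            return pt
    raise ValueError("no point of order q found")


ZETA = F(-1, 1) * F(2).inv()     # zeta = (-1 + t)/2, a primitive cube root of unity in F_{p^2}


def phi(pt):
    """Fact 4: (x, y) -> (zeta*x, y) is an automorphism of E; it leaves E(F_p) when x != 0."""
    if pt is None:
        return None
    x, y = pt
    return (ZETA * x, y)


def independent(P, Q):
    """True if Q is not a multiple of P (both of order q), i.e. P and Q span Z_q x Z_q."""
    return all(mul(k, P) != Q for k in range(q))
```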
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
Divisors: In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$. A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P ord_P(f) \cdot (P)$. Here $ord_P(f)$ is the order of the zero that $f$ has at point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$e(P, Q) = \dfrac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}$
It's clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$.
But it's degenerate, since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as follows:
$\hat e(P, Q) = e(P, \phi(Q))$
Recall: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$G_1$: the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$G_2$: the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing: To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e : G_1 \times G_1 \to G_2$ is defined as follows:
$\hat e(P, Q) = e(P, \phi(Q))$
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$ the algorithm works as follows.
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible map $\hat e : G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1 : \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters (mpk) are $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The master key (msk) is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$;
(2) choose a random $r \in \mathbb{Z}_q^*$;
(3) set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{ID}^{\,r}))$ where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2$.
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = (U, V) \in C$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$V \oplus H_2(\hat e(d_{ID}, U)) = m$
34
Boneh-Franklin IBE scheme
Consistency:
$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$.
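The four BF algorithms and the consistency identity above, as an added example that is not code from the slides. It runs over a constructed toy bilinear group: $G_1 = (\mathbb{Z}_q, +)$ with generator $P = 1$ (so "$aP$" is the integer $a$), $G_2$ the order-$q$ subgroup of $\mathbb{Z}_l^*$, and $\hat e(aP, bP) = g^{ab}$; the map is computable only because every element of this $G_1$ carries its own discrete log, so BDH is trivially easy here and the example shows the algebra, not any hardness. $q$, $l$, $n$ and the toy hashes $H_1$, $H_2$ are my choices.

```python
# Added example, not code from the slides: Setup, Extract, Encrypt and Decrypt of the BF
# scheme over a constructed toy bilinear group. G1 = (Z_q, +) with P = 1, so "aP" is the
# integer a; G2 is the order-q subgroup of Z_l^* generated by g and e(aP, bP) = g^(ab).
# Discrete logs in this G1 are free, so BDH is trivially easy: toy parameters only.
import hashlib
import secrets

q = 1321             # constructed prime group order
l = 2**61 - 1        # prime with q | l - 1, so Z_l^* has a subgroup of order q
N = 16               # message length n, in bytes


def order_q_generator():
    """Any h with h^((l-1)/q) != 1 gives an element of order exactly q (q is prime)."""
    for h in range(2, 100):
        x = pow(h, (l - 1) // q, l)
        if x != 1:
            return x
    raise ValueError("no generator found")


g = order_q_generator()


def e(x, y):
    """Toy admissible bilinear map G1 x G1 -> G2: e(aP, bP) = g^(ab)."""
    return pow(g, (x * y) % q, l)


def H1(identity):
    """Toy H1: {0,1}* -> G1^* (a non-zero element of Z_q)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + h % (q - 1)


def H2(z):
    """Toy H2: G2 -> {0,1}^n."""
    return hashlib.sha256(z.to_bytes(8, "big")).digest()[:N]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def setup(rng=secrets.randbelow):
    """Returns (mpk, msk): mpk = (P, P_pub = sP), msk = s in Z_q^*."""
    P = 1
    s = 1 + rng(q - 1)
    return (P, (s * P) % q), s


def extract(msk, identity):
    """d_ID = s * Q_ID where Q_ID = H1(ID)."""
    return (msk * H1(identity)) % q


def encrypt(mpk, identity, m, rng=secrets.randbelow):
    """C = (rP, m xor H2(g_ID^r)) with g_ID = e(Q_ID, P_pub)."""
    P, P_pub = mpk
    if len(m) != N:
        raise ValueError("message must be exactly n bytes")
    Q_ID = H1(identity)
    r = 1 + rng(q - 1)
    g_ID = e(Q_ID, P_pub)
    return ((r * P) % q, xor(m, H2(pow(g_ID, r, l))))


def decrypt(d_ID, c):
    """m = V xor H2(e(d_ID, U))."""
    U, V = c
    return xor(V, H2(e(d_ID, U)))


def masks_agree(mpk, msk, identity, r):
    """The consistency identity: e(d_ID, rP) == e(Q_ID, P_pub)^r == g_ID^r."""
    P, P_pub = mpk
    lhs = e(extract(msk, identity), (r * P) % q)
    rhs = pow(e(H1(identity), P_pub), r, l)
    return lhs == rhs
```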
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
Now we will see how to show that BF IBE scheme is IND-ID-CPA
secure in random oracle model
IND-ID-CPA security under random oracle model
Reminder In random oracle model cryptographic hash functions are replaced by truly
random functions Our benefit in this model is that we can build our random
oracle on the fly according to adversary actions
40
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
21
Bilinear maps
Let $G_1$ and $G_2$ be two groups of order $q$. We say that a map $\hat e: G_1 \times G_1 \to G_2$ between these two groups is bilinear if it satisfies the following properties:
1. Bilinear: for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}$, $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$.
2. Non-degenerate: the map does not send all pairs in $G_1 \times G_1$ to the identity in $G_2$.
3. Computable: there is an efficient algorithm to compute $\hat e(P, Q)$ for any $P, Q \in G_1$.
A bilinear map satisfying the three properties above is said to be an admissible bilinear map. The existence of such a map has two direct implications for these groups; we will see them next.
22
Bilinear maps – MOV reduction
Named after Menezes, Okamoto and Vanstone. Shows that the discrete log problem in $G_1$ is no harder than the discrete log problem in $G_2$.
Let $P, Q \in G_1$ where both have order $q$. We wish to find $\alpha \in \mathbb{Z}_q$ such that $Q = \alpha P$.
Let $g = \hat e(P, P)$ and $h = \hat e(Q, P)$. By bilinearity, $h = \hat e(\alpha P, P) = g^{\alpha}$.
By non-degeneracy of $\hat e$, both $g$ and $h$ have order $q$ in $G_2$.
Hence we reduced the discrete log problem in $G_1$ to a discrete log problem in $G_2$: recovering $\alpha$ from $(g, h)$ in $G_2$ gives the discrete log of $Q$ with respect to $P$. In particular, $G_2$ must itself be a group in which discrete logs are infeasible, or the pairing breaks $G_1$.
23
Bilinear maps – DDH is easy
The Decision Diffie-Hellman problem in $G_1$ is to distinguish between the distributions $(P, aP, bP, abP)$ and $(P, aP, bP, cP)$ where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $G_1^*$.
Given $(P, aP, bP, cP) \in G_1^4$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP),$$
since $\hat e(P, cP) = \hat e(P, P)^c$, $\hat e(aP, bP) = \hat e(P, P)^{ab}$, and $\hat e(P, P)$ has order $q$. So two pairing evaluations decide DDH in $G_1$.
24
Bilinear Diffie-Hellman Problem
BDH problem: Let $G_1, G_2$ be two groups of prime order $q$. Let $\hat e: G_1 \times G_1 \to G_2$ be an admissible bilinear map and let $P$ be a generator of $G_1$. The BDH problem in $\langle G_1, G_2, \hat e\rangle$ is: given $\langle P, aP, bP, cP\rangle$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in G_2$. An algorithm $A$ has advantage $\epsilon$ in solving BDH in $\langle G_1, G_2, \hat e\rangle$ if
$$\Pr\big[A(P, aP, bP, cP) = \hat e(P, P)^{abc}\big] \ge \epsilon.$$
BDH parameter generator: A randomized algorithm $\mathcal G$ is a BDH parameter generator if
1) $\mathcal G$ takes a security parameter $k \in \mathbb{Z}^+$,
2) $\mathcal G$ runs in time polynomial in $k$,
3) $\mathcal G$ outputs a prime number $q$, the description of two groups $G_1, G_2$ of order $q$ and the description of an admissible bilinear map $\hat e: G_1 \times G_1 \to G_2$.
BDH assumption: Let $\mathcal G$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $\mathrm{Adv}_{\mathcal G, A}(k)$ in solving the BDH problem for $\mathcal G$ if
$$\mathrm{Adv}_{\mathcal G, A}(k) = \Pr\big[A(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc} \;\big|\; \langle q, G_1, G_2, \hat e\rangle \leftarrow \mathcal G(1^k),\ P \leftarrow G_1^*,\ a, b, c \leftarrow \mathbb{Z}_q^*\big].$$
We say that $\mathcal G$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$ we have that $\mathrm{Adv}_{\mathcal G, A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves
A curve defined by the equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$ where $p$ is a prime satisfying $p \equiv 2 \pmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$.
Some facts from number theory regarding $E$:
Fact 1: $x \mapsto x^3$ is a permutation on $\mathbb{F}_p$ (because $3 \nmid p - 1$), and $E(\mathbb{F}_p)$ contains $p + 1$ points. Let $O$ denote the point at infinity, let $P \in E(\mathbb{F}_p)$ be a point of order $q$ and let $G_1$ be the subgroup generated by $P$.
Fact 2: For any $y_0 \in \mathbb{F}_p$ there is a unique point $(x_0, y_0)$ on $E(\mathbb{F}_p)$, namely $x_0 = (y_0^2 - 1)^{1/3} \in \mathbb{F}_p$. Hence if $(x, y)$ is a random non-zero point on $E(\mathbb{F}_p)$ then $y$ is uniform in $\mathbb{F}_p$.
Fact 3: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Fact 4: Since the points $P$ and $\phi(P)$ are linearly independent, they generate a group isomorphic to $\mathbb{Z}_q \times \mathbb{Z}_q$. We denote this group of points by $E[q]$.
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal A = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal A = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) \cdot (P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at the point $P$ (negative if $f$ has a pole there).
Principal divisors: Let $\mathcal A$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal A$ then we say that $\mathcal A$ is a principal divisor. We know that a divisor $\mathcal A = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal A$ there exists a function $f$, unique up to a multiplicative constant, such that $(f) = \mathcal A$.
Equivalence of divisors: We say that two divisors $\mathcal A, \mathcal B$ are equivalent if their difference $\mathcal A - \mathcal B$ is a principal divisor. We know that any divisor $\mathcal A = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal A' = (Q) - (O)$ for some $Q \in E$.
Notation: Given a function $f$ and a divisor $\mathcal A = \sum_P a_P (P)$ we define $f(\mathcal A)$ as $f(\mathcal A) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal A_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal A_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$, and $nP = O$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal A_P$. Define $\mathcal A_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal A_Q)}{f_Q(\mathcal A_P)}.$$
This map is bilinear: $e(P_1 + P_2, Q) = e(P_1, Q) \cdot e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1) \cdot e(P, Q_2)$.
But it is degenerate on a cyclic subgroup: for all $P \in E[n]$ we have $e(P, P) = 1$, so on $G_1 \times G_1$ with $G_1 = \langle P \rangle$ it is identically $1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q)).$$
Recall: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
Here $G_1$ is the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$, and $G_2$ is the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
The modified Weil pairing satisfies the following properties:
1. Bilinear: follows from bilinearity of the Weil pairing, since $\phi$ is a group homomorphism and so $\phi(bQ) = b\,\phi(Q)$.
2. Non-degenerate: $P$ and $\phi(P)$ are linearly independent, so $\hat e(P, P) = e(P, \phi(P)) \ne 1$; the degeneracy $e(P, P) = 1$ of the plain Weil pairing does not carry over.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard. By the MOV reduction, the discrete log in $G_1$ is no harder than the discrete log in $G_2 \subset \mathbb{F}_{p^2}^*$, so $p$ must in particular be large enough that discrete logs in $\mathbb{F}_{p^2}^*$ are infeasible; a large $q$ alone is not enough.
30
Boneh-Franklin IBE scheme
Let $\mathcal G$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k \in \mathbb{Z}^+$ the algorithm works as follows:
Step 1: Run $\mathcal G$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = \langle q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2\rangle$. The master key $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$ where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID \in \{0,1\}^*$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$$C = \langle rP,\ m \oplus H_2(g_{ID}^{\,r})\rangle \quad\text{where } g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*.$$
33
Boneh-Franklin IBE scheme
Decrypt: Let $C = \langle U, V\rangle \in C$ be a ciphertext encrypted using the public key $ID$. To decrypt $C$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m.$$
34
Boneh-Franklin IBE scheme
Consistency
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}.$$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
By the equation above these two masks are the same, so decryption recovers $m$.
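The following is an added example, written for this page rather than taken from the slides or from Boneh and Franklin's own code. It runs Setup, Extract, Encrypt and Decrypt from slides 30 to 33 end to end on real curve points, so that the consistency identity above and the "DDH is easy" test of slide 23 can be checked numerically. Everything below that the slides do not fix is an assumption: the toy parameters $p = 65537$, $q = 331$ (with $q \mid p+1$ and cofactor $198$) give no security at all; $\mathbb{F}_{p^2}$ is built as $\mathbb{F}_p[\zeta]/(\zeta^2 + \zeta + 1)$ so that $\zeta$ is exactly the cube root of unity of Fact 3; the reduced Tate pairing $t(P, \phi(Q)) = f_{q,P}(\phi(Q))^{(p^2-1)/q}$, computed with Miller's algorithm, stands in for the Weil pairing (it is admissible in the sense of slide 21 and needs a single Miller loop); SHA-256 plays both $H_1$ (through the Fact 2 map-to-point) and $H_2$; the identity strings and the 32-byte message are constructed test data.

```python
"""Toy Boneh-Franklin BasicIdent on E: y^2 = x^3 + 1 over F_p, p = 2 (mod 3).  Added
example, not code from the slides; toy sizes, the Tate pairing replaces the Weil pairing."""
import hashlib
import secrets

q = 331                    # prime order of G1 and G2 (toy size, no security)
p = 65537                  # prime, p = 2 (mod 3); q | p + 1 and q does not divide p - 1
COFACTOR = (p + 1) // q    # #E(F_p) = p + 1 (Fact 1), so COFACTOR * R has order q or is O

class Fp2:                 # a + b*zeta in F_{p^2} = F_p[zeta]/(zeta^2 + zeta + 1)
    def __init__(self, a, b=0): self.a, self.b = a % p, b % p
    def __add__(s, o): return Fp2(s.a + o.a, s.b + o.b)
    def __sub__(s, o): return Fp2(s.a - o.a, s.b - o.b)
    def __eq__(s, o): return s.a == o.a and s.b == o.b
    def __mul__(s, o):     # (a + b z)(c + d z) = (ac - bd) + (ad + bc - bd) z, as z^2 = -z - 1
        return Fp2(s.a * o.a - s.b * o.b, s.a * o.b + s.b * o.a - s.b * o.b)
    def inv(s):            # conjugate (a - b) - b z over the norm a^2 - ab + b^2 in F_p
        n_inv = pow((s.a * s.a - s.a * s.b + s.b * s.b) % p, p - 2, p)
        return Fp2((s.a - s.b) * n_inv, -s.b * n_inv)
    def __truediv__(s, o): return s * o.inv()
    def __pow__(s, e):     # square-and-multiply
        r, base = Fp2(1), s
        while e:
            if e & 1: r = r * base
            base, e = base * base, e >> 1
        return r

ONE, ZERO, ZETA = Fp2(1), Fp2(0), Fp2(0, 1)   # ZETA is the cube root of unity of Fact 3

def ec_add(P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + 1; None is the point at infinity O."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or y1 == ZERO: return None            # Q = -P
        lam = (Fp2(3) * x1 * x1) / (Fp2(2) * y1)          # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)
def ec_mul(k, P):
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def line(T, S, Q):
    """l_{T,S}(Q) / v_{T+S}(Q): monic line through T and S (tangent if T == S) over the
    vertical line through T + S.  Q = phi(.) is never on these F_p-rational lines."""
    (xT, yT), (xS, yS), (xQ, yQ) = T, S, Q
    if xT == xS and (yT != yS or yT == ZERO):
        return xQ - xT                                    # T + S = O: vertical line only
    lam = (Fp2(3) * xT * xT) / (Fp2(2) * yT) if T == S else (yS - yT) / (xS - xT)
    return ((yQ - yT) - lam * (xQ - xT)) / (xQ - (lam * lam - xT - xS))
def miller(P, Q, n):
    """Miller's algorithm: f_{n,P}(Q) with divisor (f_{n,P}) = n(P) - n(O), P of order n."""
    f, T = ONE, P
    for bit in bin(n)[3:]:                 # left to right; the leading 1 is T = P
        f, T = f * f * line(T, T, Q), ec_add(T, T)
        if bit == "1":
            f, T = f * line(T, P, Q), ec_add(T, P)
    assert T is None                       # n * P = O: the whole divisor was consumed
    return f

def phi(Q): return (ZETA * Q[0], Q[1])     # distortion map of Fact 3, lands outside E(F_p)
def e_hat(P, Q):                           # e^(P, Q) = t(P, phi(Q)), reduced Tate pairing
    return miller(P, phi(Q), q) ** ((p * p - 1) // q)

def H1(msg: bytes):
    """H1: {0,1}* -> G1* (Fact 2): hash to y; x = (y^2 - 1)^(1/3) is unique because
    x -> x^3 is a bijection on F_p; clear the cofactor and retry if that gives O."""
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha256(bytes([ctr]) + msg).digest(), "big") % p
        Q = ec_mul(COFACTOR, (Fp2(pow((y * y - 1) % p, (2 * p - 1) // 3, p)), Fp2(y)))
        if Q is not None: return Q
    raise ValueError("hash-to-point failed")
def H2(g: Fp2) -> bytes:                   # H2: G2 -> {0,1}^256 over the coordinates of g
    return hashlib.sha256(g.a.to_bytes(4, "big") + g.b.to_bytes(4, "big")).digest()

def setup():                               # mpk = (P, P_pub = sP), msk = s
    P = H1(b"generator")                   # any point of order q generates G1
    s = 1 + secrets.randbelow(q - 1)       # s in Z_q^*
    return (P, ec_mul(s, P)), s
def extract(msk, ID: bytes):               # d_ID = s * Q_ID, Q_ID = H1(ID)
    return ec_mul(msk, H1(ID))
def encrypt(mpk, ID: bytes, m: bytes):     # C = (rP, m xor H2(g_ID^r)), len(m) <= 32
    P, P_pub = mpk
    r = 1 + secrets.randbelow(q - 1)
    mask = H2(e_hat(H1(ID), P_pub) ** r)   # g_ID = e^(Q_ID, P_pub)
    return ec_mul(r, P), bytes(a ^ b for a, b in zip(m, mask))
def decrypt(d_ID, C):                      # V xor H2(e^(d_ID, U)); equals g_ID^r (slide 34)
    U, V = C
    return bytes(a ^ b for a, b in zip(V, H2(e_hat(d_ID, U))))

def is_dh_tuple(P, aP, bP, cP) -> bool:    # slide 23: c = ab (mod q) iff e^(P, cP) == e^(aP, bP)
    return e_hat(P, cP) == e_hat(aP, bP)
```

Because the pairing is bilinear and non-degenerate, `e_hat(P, P)` generates $G_2$, `e_hat(ec_mul(a, P), ec_mul(b, P)) == e_hat(P, P) ** (a * b)`, and `decrypt(extract(msk, ID), encrypt(mpk, ID, m))` returns `m` by exactly the identity on slide 34. The MOV argument of slide 22 also applies to this toy: the discrete log of `P_pub = sP` maps to a discrete log in $G_2 \subset \mathbb{F}_{p^2}^*$, a 34-bit field here, so the master key falls out in milliseconds; that is the point of the "what values of $p$ and $q$" caveat on slide 29.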
35
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which identity $ID^*$ he wants to be challenged on; only then does he receive the public setup, and he is allowed to issue key extraction queries for identities other than $ID^*$.
36
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Decisional BDH: distinguish $(P, aP, bP, cP, \hat e(P, P)^{abc})$ from $(P, aP, bP, cP, r)$; equivalently, distinguish $\big((P, aP, bP, cP), \hat e(P, P)^{abc}\big)$ from $\big((P, aP, bP, cP), r\big)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary A that gains advantage $\epsilon$ in the selective IND-ID-CPA game, then there exists a poly-time adversary B that solves Decisional BDH with probability $\tfrac{1}{2} + \tfrac{\epsilon}{2}$.
We are going to use a family of hash functions $\mathcal H = \{H_k\}$ that satisfy the following properties:
1. $H_k: \{0,1\}^* \to G_1$.
2. For every $x \in \{0,1\}^*$ and $y \in G_1$ there exists $k$ such that $H_k(x) = y$.
3. Such a $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Algorithm B
1. B gets $q, G_1, G_2, \hat e$ and $(P, Q = aP, U = bP, R = cP, r)$ with $r \in G_2$; B has to answer 1 if $\hat e(P, P)^{abc} = r$ and 0 otherwise.
2. B starts to execute A and on the first step receives $ID^*$.
3. B chooses a random $s \in \mathbb{Z}_q^*$ (and computes $s^{-1}$) and chooses a hash function $H_1 \in \mathcal H$ such that $H_1(ID^*)$ is the point the simulation needs (on the slide it is written in terms of $s$ and $P$; the exact expression did not survive extraction). It also chooses another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. B provides A with the public setup $(q, G_1, G_2, \hat e, n, Q, sQ, H_1, H_2)$; so the master key is $s$ and the public key is $sQ$.
5. B answers A's extraction queries in the standard way, using the master key $s$.
6. When A is ready for the challenge it gives B two messages $m_0, m_1$. B chooses a bit $b$ at random and gives A the ciphertext $C = (R,\ m_b \oplus H_2(r))$.
7. B answers 1 if A's guess of $b$ was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security in the standard model
Analysis of algorithm B
- Algorithm B runs in the same time as A.
- In the last stage:
  - If $\hat e(P, P)^{abc} = r$ then $H_2(r)$ is the mask $H_2(g_{ID^*}^{\,r'})$ that a genuine encryption under $ID^*$ with first component $R$ would use, because $H_1(ID^*)$ was chosen so that $g_{ID^*}^{\,r'} = \hat e(P, P)^{abc}$ for the randomness $r'$ implicit in $R$. Thus $(R,\ H_2(r) \oplus m_b)$ is a valid encryption of $m_b$, and hence $\Pr[A \text{ answers correctly}] = \tfrac{1}{2} + \epsilon$ by the definition of A's advantage.
  - Otherwise $r$ is uniform in $G_2$, so $H_2(r)$ is a uniformly random string independent of $b$, and thus $H_2(r) \oplus m_b$ is a uniformly random string; hence $\Pr[A \text{ answers correctly}] = \tfrac{1}{2}$.
- Thus, since each of the two cases occurs with probability $\tfrac{1}{2}$, B answers correctly with probability at least $\tfrac{1}{2} + \tfrac{\epsilon}{2}$.
39
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions, and in particular program its outputs.
40
BF IBE scheme security
IND-ID-CPA security in the random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k \in \mathbb{Z}^+$ the algorithm works as follows:
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = \langle q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2\rangle$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = \langle rP,\ m \oplus H_2(g^r)\rangle \quad\text{where } g = \hat e(Q_{id}, P_{pub}) \in G_2^*.$$
decrypt: Let $C = \langle U, V\rangle$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute
$$V \oplus H_2(\hat e(d_{id}, U)) = m.$$
BasicPub is the BF scheme with the identity hash removed: the fixed random point $Q_{id}$ plays the role of $H_1(ID)$.
41
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Now, if there is a polytime adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a polytime adversary B that wins the IND-CPA game against BasicPub with non-negligible advantage.
Proof.
setup: Algorithm B is given the public key $K_{pub} = \langle q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2\rangle$. B gives A the system parameters $\langle q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2\rangle$, where $H_1$ is a random oracle controlled by B in the following way. B maintains a list of tuples $\langle ID_j, Q_j, b_j, coin_j\rangle$, which we call the $H_1^{list}$; the list is initially empty. When A asks for $H_1(ID_i)$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $\langle ID_i, Q_i, b_i, coin_i\rangle$, then B responds with $H_1(ID_i) = Q_i$.
2. Otherwise B generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$ for a fixed bias $\delta$.
3. B picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$ then $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. B adds the tuple $\langle ID_i, Q_i, b_i, coin_i\rangle$ to the list and responds with $Q_i$.
In both cases $Q_i$ is uniform in $G_1^*$, so the responses are distributed exactly as a random oracle's.
42
BF IBE scheme security
IND-ID-CPA security in the random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i$ using the previous algorithm; let $\langle ID_i, Q_i, b_i, coin_i\rangle$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i s P = s Q_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security in the random oracle model
Challenge: Once algorithm A decides to begin the challenge, it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = \langle U, V\rangle$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $\langle ID_{ch}, Q, b, coin\rangle$ corresponding to $ID_{ch}$ (by running the $H_1$ algorithm). If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = \langle U, V\rangle$ we have $U \in G_1^*$. Set $C' = \langle b^{-1}U, V\rangle$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note that
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security in the random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B responds as before.
Eventually algorithm A outputs its answer $b'$; algorithm B outputs the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly, so does B.
B does not abort with non-negligible probability (the probability depends on the number of extraction queries and on the bias of $coin$), and thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security in the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let us assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $\langle q, G_1, G_2, \hat e\rangle$ and a random instance $\langle P, P_1, P_2, P_3\rangle = \langle P, aP, bP, cP\rangle$ of the BDH problem for these parameters. Let $D = \hat e(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security in the random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = \langle q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2\rangle$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives $K_{pub}$ to A.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them B maintains a list of tuples $\langle X_j, H_j\rangle$, which we call the $H_2^{list}$; the list is initially empty. When asked for $H_2(X_i)$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $\langle X_i, H_i\rangle$, then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $\langle X_i, H_i\rangle$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security in the random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = \langle P_3, R\rangle$. Algorithm B gives $C$ as the challenge to A. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D),$$
since $\hat e(P_3, d_{ID}) = \hat e(cP, abP) = \hat e(P, P)^{abc} = D$.
48
BF IBE scheme security
IND-ID-CPA security in the random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $\langle X_j, H_j\rangle$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of A asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of A's view, and thus A cannot answer correctly with probability greater than one half). So we have $D$ in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
22
Bilinear maps ndash MOV reduction
Named after Menezes Okamoto and Vanstone
Shows that the discrete log problem in G1 is no harder than the discrete
log problem in G2
1
2
Let where both have order We wish to find such that
ˆ ˆLet ( ) and ( )
ˆBy non-degeneracy of both have order in
bilinearity
P Q G P Q q Q P
g e P P h e Q P h g
e g h q G
Hence we reduced the discrete log problem in G1 to a discrete log
problem in G2
23
Bilinear maps ndash DDH is easy
The Decision Diffie-Hellman problem in G1 is to
distinguish between the distributions (P Pa Pb Pab)and
(P Pa Pb Pc) where abc are random in Zq0 and P is
random in G10
1Given we have
ˆ ˆmod ( ) ( )
a b c
c a b
P P P P G
c ab q e P P e P P
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
2 3
2 3
A curve defined by the equation over some field We will talk about elliptic curve defined by the equation
= +1 over field where is a prime satisfying 2mod3 Let ( ) denote thrp p
y x ax b E
y x p p E
F F e group of points on defined over rpE F
Elliptic curves
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts

In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.

Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$, where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.

Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.

Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f)\,(P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at the point $P$ (negative if $f$ has a pole at $P$).

Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$, then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$ (the second sum is taken in the group $E$). Furthermore, given a principal divisor $\mathcal{A}$ there exists a function $f$, unique up to a constant multiple, such that $(f) = \mathcal{A}$.

Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$ for some $Q \in E$.

Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$, we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing

We now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$, which is principal because $nP = O$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously, choosing $\mathcal{A}_P$ and $\mathcal{A}_Q$ with disjoint support so that the evaluations below are defined.

The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}.$$

It is clear that this map is bilinear, since $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$. But it is useless on a cyclic group such as $\mathbb{G}_1$, since for all $P \in E[n]$ we have $e(P, P) = 1$, and therefore $e(aP, bP) = e(P, P)^{ab} = 1$ for all $a, b$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing

To overcome the problem of degeneracy on $\mathbb{G}_1$ we modify the Weil pairing. The modified Weil pairing $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is defined as follows:
$$\hat e(P, Q) = e(P, \phi(Q)).$$

Recall (Fact 3): let $1 \neq \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. For any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.

Here $\mathbb{G}_1$ is the subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$, and $\mathbb{G}_2$ is the subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing

The modified Weil pairing $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$, $\hat e(P, Q) = e(P, \phi(Q))$, satisfies the following properties:
1. Bilinear: follows from the bilinearity of the Weil pairing and from $\phi$ being a group automorphism, so $\phi(bQ) = b\phi(Q)$.
2. Non-degenerate: $\hat e(P, P) = e(P, \phi(P)) \neq 1$, because $P$ and $\phi(P)$ are linearly independent (Fact 3) and the Weil pairing is non-degenerate on $E[q]$.
3. Computable: there is an efficient algorithm (Miller's algorithm) to compute the value of the map.

A generator built from this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard: the pairing maps discrete logarithms in $\mathbb{G}_1$ into $\mathbb{F}_{p^2}^*$ (the MOV reduction), so $p$ must be large enough that discrete logarithms in $\mathbb{F}_{p^2}^*$ are infeasible, while $q$ must be large enough to resist generic square-root attacks on $\mathbb{G}_1$.
30
Boneh-Franklin IBE scheme

Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).

Setup: Given a security parameter $k \in \mathbb{Z}^+$, the algorithm works as follows.
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $\mathbb{G}_1, \mathbb{G}_2$ of order $q$, and an admissible bilinear map $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$. Choose a random generator $P \in \mathbb{G}_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1 : \{0,1\}^* \to \mathbb{G}_1^*$. Choose a cryptographic hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$.

The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = \mathbb{G}_1^* \times \{0,1\}^n$. The system parameters are $mpk = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, H_1, H_2 \rangle$. The master key is $msk = s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme

Extract: For a given string $ID \in \{0,1\}^*$ the algorithm
1) computes $Q_{ID} = H_1(ID) \in \mathbb{G}_1^*$;
2) sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme

Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in \mathbb{G}_1^*$;
(2) choose a random $r \in \mathbb{Z}_q^*$;
(3) set the ciphertext to be
$$C = \langle rP,\; m \oplus H_2(g_{ID}^{\,r}) \rangle \qquad \text{where } g_{ID} = \hat e(Q_{ID}, P_{pub}) \in \mathbb{G}_2^*.$$
33
Boneh-Franklin IBE scheme

Decrypt: Let $C = \langle U, V \rangle \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$. To decrypt $C$ using the private key $d_{ID} \in \mathbb{G}_1^*$ compute
$$V \oplus H_2(\hat e(d_{ID}, U)) = m.$$
34
Boneh-Franklin IBE scheme

Consistency:
$$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, sP)^{r} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}.$$
1. During encryption $m$ is bitwise XORed with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise XORed with the hash of $\hat e(d_{ID}, U)$.
The masks used during encryption and decryption are the same, since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$.
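The four algorithms and the consistency identity, as an added Python example that is not part of the original slides or of the Boneh-Franklin paper. To stay self-contained without a pairing library, the example assumes a stand-in bilinear map: $\mathbb{G}_1$ is the additive group $\mathbb{Z}_q$ with generator $P = 1$, $\mathbb{G}_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$, and $\hat e(aP, bP) = g^{ab}$. This map is bilinear, non-degenerate and computable, but the discrete logarithm in this $\mathbb{G}_1$ is trivial, so the code exercises the algebra only and is not a secure instantiation. The parameters $q = 1013$, $p = 2027$ and the hash choices (SHA-256, truncated) are assumptions made here. The last function shows the malleability that limits this scheme (BasicIdent) to CPA security, the gap the CCA part of this talk addresses.

```python
"""Boneh-Franklin BasicIdent over a toy stand-in bilinear map (algebra only; not secure)."""
import hashlib
import secrets

# Constructed toy parameters (assumed here, not from the slides):
#   G1 = (Z_q, +) with generator P = 1, so "aP" is just the integer a mod q,
#   G2 = the order-q subgroup of Z_p^*, generated by g = 2^((p-1)/q) mod p,
#   pairing(aP, bP) = g^(a*b).  Because G1 elements expose their discrete log, this
#   instantiation is insecure; it exists only to exercise Setup/Extract/Encrypt/Decrypt.
Q = 1013             # prime order of G1 and G2
P_MOD = 2027         # prime with q | p - 1  (2027 = 2*1013 + 1)
N_BYTES = 16         # message length n in bytes
P_GEN = 1            # generator P of G1


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(Q) and _is_prime(P_MOD) and (P_MOD - 1) % Q == 0
G2_GEN = pow(2, (P_MOD - 1) // Q, P_MOD)   # generator g of G2
assert G2_GEN != 1 and pow(G2_GEN, Q, P_MOD) == 1


def pairing(A, B):
    """Stand-in for e-hat: G1 x G1 -> G2.  With A = aP and B = bP this returns g^(ab)."""
    return pow(G2_GEN, (A * B) % Q, P_MOD)


def h1(identity):
    """H1: {0,1}* -> G1*  (any non-zero element of Z_q)."""
    digest = hashlib.sha256(identity.encode("utf-8")).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def h2(g2_elem):
    """H2: G2 -> {0,1}^n."""
    return hashlib.sha256(g2_elem.to_bytes(8, "big")).digest()[:N_BYTES]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    """Setup: master key s in Z_q*, P_pub = sP.  Returns (mpk, msk)."""
    s = 1 + secrets.randbelow(Q - 1)
    return {"P": P_GEN, "P_pub": (s * P_GEN) % Q}, s


def extract(msk, identity):
    """Extract: d_ID = s * H1(ID)."""
    return (msk * h1(identity)) % Q


def encrypt(mpk, identity, m, r=None):
    """Encrypt: C = <rP, m XOR H2(g_ID^r)> with g_ID = e(Q_ID, P_pub)."""
    if len(m) != N_BYTES:
        raise ValueError("message must be exactly n bytes")
    r = r or (1 + secrets.randbelow(Q - 1))
    g_id = pairing(h1(identity), mpk["P_pub"])
    return (r * mpk["P"]) % Q, xor(m, h2(pow(g_id, r, P_MOD)))


def decrypt(d_id, ciphertext):
    """Decrypt: m = V XOR H2(e(d_ID, U))."""
    U, V = ciphertext
    return xor(V, h2(pairing(d_id, U)))


def consistency_holds(mpk, msk, identity, r):
    """The Consistency slide: e(d_ID, rP) must equal g_ID^r for every r."""
    lhs = pairing(extract(msk, identity), (r * mpk["P"]) % Q)
    rhs = pow(pairing(h1(identity), mpk["P_pub"]), r, P_MOD)
    return lhs == rhs


def tamper(ciphertext, delta):
    """Why BasicIdent is only CPA-secure: XORing delta into V flips the same bits of m."""
    U, V = ciphertext
    return U, xor(V, delta)


if __name__ == "__main__":
    mpk, msk = setup()
    d_bob = extract(msk, "bob@example.com")
    ct = encrypt(mpk, "bob@example.com", b"attack at dawn!!")
    print(decrypt(d_bob, ct))
    print(consistency_holds(mpk, msk, "bob@example.com", 7))
```

Swapping `pairing`, `h1` and the group constants for a real pairing library (e.g. a type-1 pairing on the supersingular curve above) is all that separates this from the actual scheme; the control flow of the four algorithms is unchanged.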
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model

We now sketch an argument that the presented scheme is selective IND-ID-CPA secure in the standard model (the caveats are collected after the analysis).

Reminder: in the selective IND-ID-CPA game the adversary first tells the challenger which identity $ID^*$ he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries for any $ID \neq ID^*$.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model

Decisional BDH: To distinguish between $(P, aP, bP, cP, \hat e(P,P)^{abc})$ and $(P, aP, bP, cP, \hat e(P,P)^{z})$ for random $a, b, c, z \in \mathbb{Z}_q^*$. This is equivalent to distinguishing between $(P, aP, bP, cP, \hat e(P,P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in \mathbb{G}_2$, since $\hat e(P,P)$ generates the prime-order group $\mathbb{G}_2$.

Theorem: If there exists a poly-time adversary $A$ that gains advantage $\epsilon$ in the selective IND-ID-CPA game (i.e. guesses the bit with probability $\tfrac12 + \epsilon$), then there exists a poly-time adversary $B$ that solves Decisional BDH with probability $\tfrac12 + \tfrac{\epsilon}{2}$.

We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfies the following properties:
1. $H_k : \{0,1\}^* \to \mathbb{G}_1$.
2. For every $x \in \{0,1\}^*$ and $y \in \mathbb{G}_1$ there is a $k$ such that $H_k(x) = y$.
3. Such a $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security under standard model

Algorithm B:
1. $B$ gets $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e \rangle$ and an instance $(P, Q = aP, U = bP, R = cP, r)$ with $r \in \mathbb{G}_2$. $B$ has to answer 1 if $\hat e(P,P)^{abc} = r$ and 0 otherwise.
2. $B$ starts to execute $A$ and on its first step receives the target identity $ID^*$.
3. $B$ chooses a random $s \in \mathbb{Z}_q^*$ and computes $s^{-1}$. $B$ chooses a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID^*) = s^{-1}U$, and another hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. $B$ provides $A$ with the public setup $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, sQ, H_1, H_2 \rangle$. So the public key is $P_{pub} = sQ = (sa)P$ and the implicit master key is $sa$, which $B$ does not know (if $B$ knew the master key it could compute $d_{ID^*}$ and decide the instance on its own, so the reduction would prove nothing).
5. $B$ answers $A$'s extraction queries for $ID \neq ID^*$ in the standard way, $d_{ID} = (sa)\,H_1(ID)$.
6. When ready for a challenge, $A$ gives $B$ two messages $m_0, m_1$. $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = (R,\; m_b \oplus H_2(r))$.
7. $B$ answers 1 if $A$'s guess was correct, and 0 otherwise.
38
BF IBE scheme security
Selective IND-ID-CPA security under standard model

Analysis of algorithm B:
- Algorithm $B$ runs in essentially the same time as $A$.
- In the last stage:
  - If $\hat e(P,P)^{abc} = r$, then $H_2(r) = H_2(g_{ID^*}^{\,c})$, since $g_{ID^*}^{\,c} = \hat e(Q_{ID^*}, P_{pub})^{c} = \hat e(s^{-1}U, sQ)^{c} = \hat e(bP, aP)^{c} = \hat e(P,P)^{abc}$. Thus $(R,\; m_b \oplus H_2(r)) = (cP,\; m_b \oplus H_2(g_{ID^*}^{\,c}))$ is a valid encryption of $m_b$ under $ID^*$ with randomness $c$, and hence $\Pr[A \text{ answers correctly}] = \tfrac12 + \epsilon$.
  - Otherwise $r$ is uniform in $\mathbb{G}_2$, so (treating $H_2$ as a random function) $H_2(r)$ is a uniformly random string, $m_b \oplus H_2(r)$ carries no information about $b$, and hence $\Pr[A \text{ answers correctly}] = \tfrac12$.
- Thus $B$ answers correctly with probability at least $\tfrac12\left(\tfrac12 + \epsilon\right) + \tfrac12 \cdot \tfrac12 = \tfrac12 + \tfrac{\epsilon}{2}$.

Caveat: two steps of this sketch are not justified in the standard model. Step 5 requires $B$ to output $d_{ID} = (sa)H_1(ID)$ for $ID \neq ID^*$ without knowing $sa$, which a family satisfying only properties 1 to 3 does not make possible, and the second bullet above treats $H_2$ as a random function. Both are exactly what the random oracle model provides, and the proof of Boneh and Franklin that follows is carried out in that model.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model

Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.

Reminder: in the random oracle model the cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that the reduction controls the oracle and can build its answers on the fly, according to the adversary's queries, as long as each answer is uniformly distributed and repeated queries receive consistent answers.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model

First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub. This scheme is defined by the following algorithms.

keygen: Given a security parameter $k \in \mathbb{Z}^+$, the algorithm works as follows.
Step 1: Generate two prime order groups $\mathbb{G}_1, \mathbb{G}_2$ and a bilinear map $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$. Let $q$ be the order of $\mathbb{G}_1$. Choose a random generator $P \in \mathbb{G}_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in \mathbb{G}_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, Q_{id}, H_2 \rangle$; the private key is $d_{id} = sQ_{id} \in \mathbb{G}_1^*$.

encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = \langle rP,\; m \oplus H_2(g_{id}^{\,r}) \rangle \qquad \text{where } g_{id} = \hat e(Q_{id}, P_{pub}) \in \mathbb{G}_2^*.$$

decrypt: Let $C = \langle U, V \rangle$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id} \in \mathbb{G}_1^*$ compute
$$V \oplus H_2(\hat e(d_{id}, U)) = m.$$
41
BF IBE scheme security
IND-ID-CPA security under random oracle model

Now, if there is a poly-time adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible advantage.

Proof.
setup: Algorithm $B$ is given the BasicPub public key $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, Q_{id}, H_2 \rangle$. $B$ gives $A$ the system parameters $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, H_1, H_2 \rangle$, where $H_1$ is a random oracle controlled by $B$ in the following way. $B$ maintains a list of tuples $\langle ID_j, Q_j, b_j, coin_j \rangle$, which we call the $H_1^{list}$; the list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $\langle ID_i, Q_i, b_i, coin_i \rangle$, then $B$ responds with $H_1(ID_i) = Q_i \in \mathbb{G}_1^*$.
2. Otherwise $B$ generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$, for a $\delta$ fixed in the analysis.
3. $B$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$, $B$ sets $Q_i = b_i P \in \mathbb{G}_1^*$; otherwise $Q_i = b_i Q_{id} \in \mathbb{G}_1^*$.
4. $B$ adds the tuple $\langle ID_i, Q_i, b_i, coin_i \rangle$ to the $H_1^{list}$ and responds with $Q_i$.
Either way $Q_i$ is uniform in $\mathbb{G}_1^*$, so $A$'s view of $H_1$ is that of a random oracle.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model

key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1. Obtain $Q_i = H_1(ID_i)$ using the previous algorithm; let $\langle ID_i, Q_i, b_i, coin_i \rangle$ be the corresponding tuple.
2. If $coin_i = 1$, then $B$ reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub} \in \mathbb{G}_1^*$. Observe that $d_i = b_i sP = sQ_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $A$.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model

Challenge: Once algorithm $A$ decides to begin the challenge, it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a BasicPub ciphertext $C = \langle U, V \rangle$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $B$ obtains the tuple $\langle ID_{ch}, Q, b, coin \rangle$ corresponding to $H_1(ID_{ch})$. If $coin = 0$, then $B$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = \langle U, V \rangle$ we have $U \in \mathbb{G}_1^*$. Set $C' = \langle b^{-1}U, V \rangle$, where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $B$ responds to $A$ with $C'$. Note that
$$\hat e(b^{-1}U, d_{ID_{ch}}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$; that is, $C'$ is a valid BF encryption of $m_c$ under $ID_{ch}$ (with randomness $b^{-1}$ times that of $C$, still uniform in $\mathbb{Z}_q^*$).
44
BF IBE scheme security
IND-ID-CPA security under random oracle model

After the challenge has been set, algorithm $A$ may continue issuing key extraction queries (for identities other than $ID_{ch}$); algorithm $B$ responds as before.

Eventually algorithm $A$ outputs its answer $b'$; algorithm $B$ outputs the same answer.

If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.

$B$ does not abort with non-negligible probability: it aborts only if one of the (at most $q_E$) extracted identities has $coin = 1$ or the challenge identity has $coin = 0$, so $\Pr[B \text{ does not abort}] \ge \delta^{q_E}(1 - \delta)$, which for $\delta = q_E/(q_E + 1)$ is at least $1/(e(1 + q_E))$. Thus $B$ wins the IND-CPA game against the BasicPub scheme with non-negligible advantage.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model

As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure (in the random oracle model).

To show this, let us assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible advantage. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.

Algorithm $B$ is given as input the BDH parameters $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e \rangle$ and a random instance $\langle P, P_1, P_2, P_3 \rangle = \langle P, aP, bP, cP \rangle$ of the BDH problem for these parameters. Let $D = \hat e(P,P)^{abc} \in \mathbb{G}_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model

setup: Algorithm $B$ creates the BasicPub public key $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2 \rangle$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $B$ as described below. Algorithm $B$ gives $A$ the key $K_{pub}$.

The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = aP_2 = abP$.

At any time algorithm $A$ may issue queries to the random oracle $H_2$. To respond to them $B$ maintains a list of tuples $\langle X_j, H_j \rangle$, which we call the $H_2^{list}$; the list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $\langle X_i, H_i \rangle$, then $B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $\langle X_i, H_i \rangle$ to the $H_2^{list}$. It responds to $A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model

challenge: Algorithm $A$ outputs two messages $m_0, m_1$. Algorithm $B$ picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = \langle P_3, R \rangle$. Algorithm $B$ gives $C$ as the challenge to $A$. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(\hat e(cP, abP)) = R \oplus H_2(D).$$
48
BF IBE scheme security
IND-ID-CPA security under random oracle model

guess: Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $\langle X_j, H_j \rangle$ from the $H_2^{list}$ and outputs $X_j$ as the solution to the BDH instance.

Proof of correctness: Until $A$ queries $H_2$ on $D$, $B$'s simulation is identical to a real attack in which $H_2(D)$ is set to $R \oplus m_c$ for a random $c$, so we expect $A$ to be correct with non-negligible probability. Hence the probability that $A$ asks for $H_2(D)$ is non-negligible: otherwise $H_2(D)$, and with it the decryption of $C$, is independent of $A$'s view, and $A$ cannot answer correctly with probability greater than one half. So $D$ is on the $H_2^{list}$ with non-negligible probability, and since the list has polynomial length, picking an entry at random yields the correct answer with non-negligible probability.
49
References

• D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. SIAM Journal of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• D. Boneh, R. Canetti, S. Halevi and J. Katz. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput. 36(5): 1301-1328 (2007).
23
Bilinear maps – DDH is easy

The Decision Diffie-Hellman problem in $\mathbb{G}_1$ is to distinguish between the distributions $\langle P, aP, bP, abP \rangle$ and $\langle P, aP, bP, cP \rangle$, where $a, b, c$ are random in $\mathbb{Z}_q^*$ and $P$ is random in $\mathbb{G}_1^*$.

Given $\langle P, aP, bP, cP \rangle \in \mathbb{G}_1^4$ we have
$$c = ab \bmod q \iff \hat e(P, cP) = \hat e(aP, bP),$$
since the two sides equal $\hat e(P,P)^{c}$ and $\hat e(P,P)^{ab}$ respectively and $\hat e(P,P)$ has order $q$. So DDH in $\mathbb{G}_1$ is easy whenever an admissible bilinear map is available, which is why the security of the scheme rests on the Bilinear Diffie-Hellman problem instead.
24
Bilinear Diffie-Hellman Problem

BDH problem: Let $\mathbb{G}_1, \mathbb{G}_2$ be two groups of prime order $q$. Let $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ be an admissible bilinear map and let $P$ be a generator of $\mathbb{G}_1$. The BDH problem in $\langle \mathbb{G}_1, \mathbb{G}_2, \hat e \rangle$ is: given $\langle P, aP, bP, cP \rangle$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat e(P, P)^{abc} \in \mathbb{G}_2$. An algorithm $A$ has advantage $\epsilon$ in solving BDH in $\langle \mathbb{G}_1, \mathbb{G}_2, \hat e \rangle$ if
$$\Pr\left[A(P, aP, bP, cP) = \hat e(P,P)^{abc}\right] \ge \epsilon.$$

BDH parameter generator: A randomized algorithm $\mathcal{G}$ is a BDH parameter generator if
1) $\mathcal{G}$ takes a security parameter $k \in \mathbb{Z}^+$,
2) $\mathcal{G}$ runs in time polynomial in $k$,
3) $\mathcal{G}$ outputs a prime number $q$, the description of two groups $\mathbb{G}_1, \mathbb{G}_2$ of order $q$, and the description of an admissible bilinear map $\hat e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$.

BDH assumption: Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $A$ has advantage $\mathrm{Adv}_{\mathcal{G},A}(k)$ in solving the BDH problem for $\mathcal{G}$ if
$$\mathrm{Adv}_{\mathcal{G},A}(k) = \Pr\left[A(q, \mathbb{G}_1, \mathbb{G}_2, \hat e, P, aP, bP, cP) = \hat e(P,P)^{abc} \;\middle|\; \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat e \rangle \leftarrow \mathcal{G}(1^k),\; P \leftarrow \mathbb{G}_1^*,\; a, b, c \leftarrow \mathbb{Z}_q^*\right].$$
We say that $\mathcal{G}$ satisfies the BDH assumption if for any randomized polynomial time (in $k$) algorithm $A$, $\mathrm{Adv}_{\mathcal{G},A}(k)$ is a negligible function.
25
Possible construction for generator satisfying BDH assumption
Elliptic curves

An elliptic curve is defined by an equation $y^2 = x^3 + ax + b$ over some field. We will talk about the elliptic curve $E$ defined by the equation $y^2 = x^3 + 1$ over the field $\mathbb{F}_p$, where $p$ is a prime satisfying $p \equiv 2 \pmod 3$. Let $E(\mathbb{F}_{p^r})$ denote the group of points on $E$ defined over $\mathbb{F}_{p^r}$. The facts about $E$ that the construction relies on are listed above under "Some facts from number theory regarding E".
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
2
2
2
In the following we let and be arbitrary points in ( )
A divisor is a formal sum of points on the curve ( ) We write divisors as = ( ) where and
( ) W
p
P Pp P
p
P Q E
E a P a
P E
Divisors
F
F
F
A
2 2
2
e will only consider divisors = ( ) where 0
A function on the curve ( ) can be viewed as a rational function ( ) ( )
For any point ( ) ( ) we def
P PP P
p p
p
a P a
f E f x y E
P x y E
Functions F F
F
A
2
ine ( ) ( )
Let be a function on the curve ( ) We define its divisor denoted by ( ) as
( ) ( ) ( ) Here ( ) is the orde
p
P PP
f P f x y
f E f
f ord f P ord f
Divisors of functions F
r of the zero that has at point
Let be a divisor If there exists a function such that ( ) then we say that is a principal
divisor We know
f P
f f Principal divisors A A A
that a divisor = ( ) is principal if and only if 0 and
Furthemore given a principal divisor there exists a unique function such that ( )
P P PP P Pa P a a P O
f f
Equivalen
A
A A
We say that two divisors are equivalent is their difference - is a principal divisor
We know that any divisor = ( ) (with 0) is eP PP Pa P a
ce of divisors A B A B
A quivalent to a divisor of the
form ( ) - ( )
Given a function and a divisor = ( ) we define ( ) as ( ) ( ) Pa
PP P
Q O
f a P f f f P
Notation
A
A A A
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Modified Weil pairing satisfy the following properties
1 Bilinear (follows from bilinearity of Weil pairing)
2 Non-degenerate Obvious
3 Computable There is an efficient algorithm to compute the value of the map
Generator built basing on this map is believed to satisfy BDH assumption asymptotically
However there is still the question of what values of p and q can be used in practice to
make the BDH problem sufficiently hard
30
Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before)
1 2
Given a security parameter the algorithm works as follows
Step 1 Run G on input to generate a prime two groups of order and an
admissibl
k
k q q
Setup
G G
1 1 2 1
1 1
ˆe map Choose a random generator
Step 2 Pick a random and set
Step 3 Choose a cryptographic hash function 01 Choose a cryptographic
s
q pub
e P
s P P
H
G G G G
G
2 2
1
1 2 1 2
hash function 01 for some
The message space is 01 The ciphertext space is 01 The system parameters
ˆare ( ) The is
n
n n
pub
H n
M C
q e n P P H H
mpk msk
G
G
G G qs
31
Boneh-Franklin IBE scheme
1 1
ID
For a given string 01 the algorithm does
1) Computes ( )
2) Sets the private key to be where is the master key
ID
s
ID ID
ID
Q H ID
d d Q s
Extract
G
32
Boneh-Franklin IBE scheme
1 1
To encrypt under the public key do the following
(1) compute ( )
(2) choose a random
(3) set the ciphertext to be
ID
q
m M ID
Q H ID
r
Encrypt
G
2 2ˆ ( ( )) where ( )r r
ID ID ID pubC P m H g g e Q P G
33
Boneh-Franklin IBE scheme
1
2
Let ( ) be a ciphertext encypted using the public key
To decrypt using the private key compute
ˆ ( ( ))
ID
ID
c U V C ID
c d
V H e d U
Decrypt
G
m
34
Boneh-Franklin IBE scheme
ˆ ˆ ˆ ˆ( ) ( ) ( ) ( )s r sr r r
ID ID ID ID pub IDe d U e Q P e Q P e Q P g
1 During encryption m is bitwise xored with the hash of
2 During decryption V is bitwise xored with the hash of
These masks used during encryption and decryption are the same since
ˆ( )IDe d U
r
IDg
Consistency
35
BF IBE scheme security
We will prove now that presented scheme is selective IND-ID-CPA secure in the standard
model
Reminder In selective IND-ID-CPA game the adversary first tells challenger which ID
he wants to be challenged on then he receives public setup and is allowed
to issue key extraction queries
Selective IND-ID-CPA security under standard model
36
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
Now we will see how to show that BF IBE scheme is IND-ID-CPA
secure in random oracle model
IND-ID-CPA security under random oracle model
Reminder In random oracle model cryptographic hash functions are replaced by truly
random functions Our benefit in this model is that we can build our random
oracle on the fly according to adversary actions
40
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
24
Bilinear Diffie-Hellman Problem
1 2 1 1 2 1
1 2
ˆLet be two groups of prime order Let be an admissible bilinear map and let be a generator of
ˆThe BDH problem in (G ) is
Given ( ) for some compute a b c
q
G G q e G G G P G
G e
P P P P a b c W
2
1 2
ˆ( ) An algorithm has advantage in solving BDH
ˆ ˆin (G ) if Pr[ ( ) ( ) ]
abc
a b c abc
e P P G A
G e A P P P P e P P
1 2
A randomized algorithm is a BDH parameter generator if
1) takes security parameter
2) runs in time polynomial in
3) outputs prime number description of two groups of order q and t
G
G k
G k
G q G G
1 1 2ˆhe description of admissible bilinear map e G G G
BDH parameter Generator
BDH problem
BDH assumption
1 2
1 2
1
Let be a BDH parameter generator We say that an algorithm has advantage ( ) in solving BDH problem for if
ˆ( ) (1 )ˆ ˆ( ) Pr[ ( ) ( ) | ]
k
a b c abc
G A
q
G A k G
q G G e GAdv k A q G G e P P P P e P P
P G a b c
( )
We say that satisfies the BDH assumption if for any randomized polynomial time (in ) algorithm we have that
( ) is a negliglible functionG A
k
G k A
Adv k
25
Possible construction for generator satisfying BDH assumption
2 3
2 3
A curve defined by the equation over some field We will talk about elliptic curve defined by the equation
= +1 over field where is a prime satisfying 2mod3 Let ( ) denote thrp p
y x ax b E
y x p p E
F F e group of points on defined over rpE F
Elliptic curves
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
In the following we let $P$ and $Q$ be arbitrary points in $E(\mathbb{F}_{p^2})$.
Divisors: A divisor is a formal sum of points on the curve $E(\mathbb{F}_{p^2})$. We write divisors as $\mathcal{A} = \sum_P a_P (P)$ where $a_P \in \mathbb{Z}$ and $P \in E(\mathbb{F}_{p^2})$. We will only consider divisors $\mathcal{A} = \sum_P a_P (P)$ where $\sum_P a_P = 0$.
Functions: A function $f$ on the curve $E(\mathbb{F}_{p^2})$ can be viewed as a rational function $f(x, y) \in \mathbb{F}_{p^2}(x, y)$. For any point $P = (x, y) \in E(\mathbb{F}_{p^2})$ we define $f(P) = f(x, y)$.
Divisors of functions: Let $f$ be a function on the curve $E(\mathbb{F}_{p^2})$. We define its divisor, denoted by $(f)$, as $(f) = \sum_P \mathrm{ord}_P(f) \cdot (P)$. Here $\mathrm{ord}_P(f)$ is the order of the zero that $f$ has at the point $P$.
Principal divisors: Let $\mathcal{A}$ be a divisor. If there exists a function $f$ such that $(f) = \mathcal{A}$ then we say that $\mathcal{A}$ is a principal divisor. We know that a divisor $\mathcal{A} = \sum_P a_P (P)$ is principal if and only if $\sum_P a_P = 0$ and $\sum_P a_P P = O$. Furthermore, given a principal divisor $\mathcal{A}$ there exists a unique function $f$ such that $(f) = \mathcal{A}$.
Equivalence of divisors: We say that two divisors $\mathcal{A}, \mathcal{B}$ are equivalent if their difference $\mathcal{A} - \mathcal{B}$ is a principal divisor. We know that any divisor $\mathcal{A} = \sum_P a_P (P)$ (with $\sum_P a_P = 0$) is equivalent to a divisor of the form $\mathcal{A}' = (Q) - (O)$ for some $Q \in E$.
Notation: Given a function $f$ and a divisor $\mathcal{A} = \sum_P a_P (P)$ we define $f(\mathcal{A})$ as $f(\mathcal{A}) = \prod_P f(P)^{a_P}$.
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will now define the Weil pairing of two points $P, Q \in E[n]$. Let $\mathcal{A}_P$ be some divisor equivalent to the divisor $(P) - (O)$. We know that $n\mathcal{A}_P$ is a principal divisor (it is equivalent to $n(P) - n(O)$). Hence there exists a function $f_P$ such that $(f_P) = n\mathcal{A}_P$. Define $\mathcal{A}_Q$ and $f_Q$ analogously.
The Weil pairing of $P$ and $Q$ is defined as
$$e(P, Q) = \frac{f_P(\mathcal{A}_Q)}{f_Q(\mathcal{A}_P)}$$
It's clear that this map is bilinear since $e(P_1 + P_2, Q) = e(P_1, Q)\, e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\, e(P, Q_2)$.
But it's degenerate since for all $P \in E[n]$ we have $e(P, P) = 1$.
28
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is defined as follows:
$$\hat{e}(P, Q) = e(P, \phi(Q))$$
Recall: Let $1 \ne \zeta \in \mathbb{F}_{p^2}$ be a solution of $x^3 - 1 = 0$ in $\mathbb{F}_{p^2}$. Then the map $\phi(x, y) = (\zeta x, y)$ is an automorphism of the group of points on $E$. Note that for any point $Q = (x, y) \in E(\mathbb{F}_p)$ we have that $\phi(Q) \in E(\mathbb{F}_{p^2})$ but $\phi(Q) \notin E(\mathbb{F}_p)$. Hence $Q \in E(\mathbb{F}_p)$ is linearly independent of $\phi(Q) \in E(\mathbb{F}_{p^2})$.
$\mathbb{G}_1$: subgroup of points in $E(\mathbb{F}_p)$ generated by the point $P$ of order $q$.
$\mathbb{G}_2$: subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
29
Possible construction for generator satisfying BDH assumption
Modified Weil pairing
To overcome the problem of degeneracy we modify the Weil pairing. The modified Weil pairing $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is defined as follows:
$$\hat{e}(P, Q) = e(P, \phi(Q))$$
The modified Weil pairing satisfies the following properties:
1. Bilinear (follows from the bilinearity of the Weil pairing).
2. Non-degenerate: obvious.
3. Computable: there is an efficient algorithm to compute the value of the map.
A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard.
30
Boneh-Franklin IBE scheme
Let $\mathcal{G}$ be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$, the algorithm works as follows:
Step 1: Run $\mathcal{G}$ on input $k$ to generate a prime $q$, two groups $\mathbb{G}_1, \mathbb{G}_2$ of order $q$, and an admissible map $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$. Choose a random generator $P \in \mathbb{G}_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1 : \{0,1\}^* \to \mathbb{G}_1^*$. Choose a cryptographic hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = \mathbb{G}_1^* \times \{0,1\}^n$. The system parameters are $mpk = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, H_1, H_2\rangle$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in \mathbb{G}_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in \mathbb{G}_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$$C = \langle rP,\ m \oplus H_2(g_{ID}^r)\rangle \quad\text{where}\quad g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in \mathbb{G}_2$$
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = \langle U, V\rangle \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$. To decrypt $c$ using the private key $d_{ID}$ compute
$$V \oplus H_2(\hat{e}(d_{ID}, U)) = m$$
34
Boneh-Franklin IBE scheme
Consistency
$$\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^r = g_{ID}^r$$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^r$.
2. During decryption $V$ is bitwise xored with the hash of $\hat{e}(d_{ID}, U)$.
These masks used during encryption and decryption are the same since $\hat{e}(d_{ID}, U) = g_{ID}^r$.
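Added example (not from the slides or the Boneh-Franklin paper): the four algorithms and the consistency identity $\hat{e}(d_{ID}, U) = g_{ID}^r$ in runnable Python. The bilinear map is a stand-in of my own: $\mathbb{G}_1$ is the additive group $\mathbb{Z}_q$ (so the point $xP$ is the integer $x$), $\mathbb{G}_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$, $\hat{e}(xP, yP) = g^{xy}$, $H_1$ and $H_2$ are built from SHA-256, and $p = 2039$, $q = 1019$ are toy sizes. The map is bilinear and non-degenerate, so the algebra is exactly the slides', but it gives no security: discrete logs in that $\mathbb{G}_1$ are read off directly.

```python
"""Boneh-Franklin BasicIdent over a stand-in bilinear map (added example, toy sizes).

G1 = (Z_q, +): the point xP is represented by the integer x, generator P = 1.
G2 = order-q subgroup of Z_p^*, generated by g.
e(xP, yP) = g^(x*y mod q): bilinear and non-degenerate, but discrete logs in
this G1 are trivial, so the construction only illustrates the algebra.
"""
import hashlib
import secrets

Q = 1019                                   # prime group order (toy size)
P_MOD = 2039                               # p = 2q + 1, also prime
G2_GEN = pow(2, (P_MOD - 1) // Q, P_MOD)   # = 4, an element of order exactly q
N_BYTES = 32                               # n = 256: H2 output and message length


def pairing(x, y):
    """Stand-in for e-hat: e(xP, yP) = g^(xy) in G2."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def h1(identity):
    """H1: {0,1}^* -> G1^* (a non-zero element of Z_q), via SHA-256."""
    digest = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + digest % (Q - 1)


def h2(g2_elem):
    """H2: G2 -> {0,1}^n, via SHA-256 of the element's fixed-width encoding."""
    return hashlib.sha256(g2_elem.to_bytes(8, "big")).digest()[:N_BYTES]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    """Setup: returns (mpk, msk) with P_pub = sP and master key s in Z_q^*."""
    s = 1 + secrets.randbelow(Q - 1)
    P = 1
    return {"P": P, "P_pub": (s * P) % Q}, s


def extract(msk, identity):
    """Extract: d_ID = s * Q_ID where Q_ID = H1(ID)."""
    return (msk * h1(identity)) % Q


def encrypt(mpk, identity, m, r=None):
    """Encrypt: C = <rP, m xor H2(g_ID^r)>, g_ID = e(Q_ID, P_pub)."""
    if len(m) != N_BYTES:
        raise ValueError("message must be exactly n bits")
    if r is None:
        r = 1 + secrets.randbelow(Q - 1)   # r in Z_q^*
    g_id = pairing(h1(identity), mpk["P_pub"])
    U = (r * mpk["P"]) % Q
    V = xor(m, h2(pow(g_id, r, P_MOD)))
    return U, V


def decrypt(d_id, ciphertext):
    """Decrypt: m = V xor H2(e(d_ID, U))."""
    U, V = ciphertext
    return xor(V, h2(pairing(d_id, U)))


def consistency_holds(mpk, msk, identity, r):
    """The slide's identity: e(d_ID, rP) = e(Q_ID, P)^(sr) = g_ID^r."""
    d_id = extract(msk, identity)
    lhs = pairing(d_id, (r * mpk["P"]) % Q)
    rhs = pow(pairing(h1(identity), mpk["P_pub"]), r, P_MOD)
    return lhs == rhs


if __name__ == "__main__":
    mpk, msk = setup()
    msg = b"32-byte message for alice@ex.com"   # constructed sample plaintext
    ct = encrypt(mpk, "alice@example.com", msg)
    assert decrypt(extract(msk, "alice@example.com"), ct) == msg
    print("round trip ok; U =", ct[0])
```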
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which $ID$ he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Decisional BDH: To distinguish between $(P, aP, bP, cP, \hat{e}(P,P)^{abc})$ and $(P, aP, bP, cP, \hat{e}(P,P)^{r})$, which is equal to distinguishing between $(P, aP, bP, cP, \hat{e}(P,P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in \mathbb{G}_2$.
Theorem: If there exists a poly-time adversary $\mathcal{A}$ that gains advantage $\epsilon$ in the selective IND-ID-CPA game then there exists a poly-time adversary $\mathcal{B}$ that solves Decisional BDH with probability $\frac{1}{2} + \frac{\epsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k : \{0,1\}^* \to \mathbb{G}_1$
2. $\forall x \in \{0,1\}^*,\ \forall y \in \mathbb{G}_1\ \exists k$ s.t. $H_k(x) = y$
3. Such $k$ is easy to find.
37
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Algorithm $\mathcal{B}$:
1. $\mathcal{B}$ gets $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}\rangle$ and $(P, Q = aP, U = bP, R = cP, r)$ with $r \in \mathbb{G}_2$. $\mathcal{B}$ has to answer 1 if $\hat{e}(P,P)^{abc} = r$ and 0 otherwise.
2. $\mathcal{B}$ starts to execute $\mathcal{A}$ and on the first step receives $ID$.
3. $\mathcal{B}$ chooses a random $s \in \mathbb{Z}_q^*$ and finds $sQ$. $\mathcal{B}$ chooses a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID) = U = bP$, and another hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. $\mathcal{B}$ provides $\mathcal{A}$ with the public setup $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, Q, sQ, H_1, H_2\rangle$. So the master key is $s$ and the public key is $sQ = saP$.
5. $\mathcal{B}$ answers $\mathcal{A}$'s extraction queries in the standard way.
6. When ready for the challenge, $\mathcal{A}$ gives $\mathcal{B}$ two messages $m_0, m_1$. $\mathcal{B}$ chooses a bit $b$ at random and gives $\mathcal{A}$ the ciphertext $C = (R,\ m_b \oplus H_2(r^s))$.
7. $\mathcal{B}$ answers 1 if $\mathcal{A}$ was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Analysis of algorithm $\mathcal{B}$:
- Algorithm $\mathcal{B}$ runs the same time as $\mathcal{A}$.
- In the last stage:
  - If $\hat{e}(P,P)^{abc} = r$ then $H_2(r^s) = H_2(g_{ID}^c)$ since $g_{ID}^c = \hat{e}(P,P)^{abcs}$, and thus $(cP,\ m_b \oplus H_2(r^s))$ is a valid encryption of $m_b$ and hence $\Pr[\mathcal{A} \text{ answers correctly}] = \frac{1}{2} + \epsilon$.
  - Otherwise $H_2(r^s)$ is a random uniform string and thus $H_2(r^s) \oplus m_b$ is a random uniform string and hence $\Pr[\mathcal{A} \text{ answers correctly}] = \frac{1}{2}$.
- Thus $\mathcal{B}$ answers correctly with probability at least $\frac{1}{2} + \frac{\epsilon}{2}$.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme called BasicPub; this scheme is defined by the following algorithms:
keygen: Given a security parameter $k$, the algorithm works as follows:
Step 1: Generate two prime order groups $\mathbb{G}_1, \mathbb{G}_2$ and a bilinear map $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$. Let $q$ be the order of $\mathbb{G}_1, \mathbb{G}_2$. Choose a random generator $P \in \mathbb{G}_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in \mathbb{G}_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : \mathbb{G}_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2\rangle$; the private key is $d_{id} = sQ_{id} \in \mathbb{G}_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = \langle rP,\ m \oplus H_2(g^r)\rangle \quad\text{where}\quad g = \hat{e}(Q_{id}, P_{pub}) \in \mathbb{G}_2$$
decrypt: Let $C = \langle U, V\rangle$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat{e}(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now, if there is a poly-time adversary $\mathcal{A}$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage then there is a poly-time adversary $\mathcal{B}$ that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof:
setup: Algorithm $\mathcal{B}$ is given the public key $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2\rangle$. $\mathcal{B}$ gives $\mathcal{A}$ the system parameters $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, H_1, H_2\rangle$. $H_1$ is a random oracle controlled by $\mathcal{B}$ in the following way: $\mathcal{B}$ maintains a list of tuples $\langle ID_j, Q_j, b_j, c_j\rangle$, we call it the $H_1^{list}$; the list is initially empty. When asked $H_1$ on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $\langle ID_i, Q_i, b_i, c_i\rangle$ then $\mathcal{B}$ responds with $H_1(ID_i) = Q_i \in \mathbb{G}_1^*$.
2. Otherwise $\mathcal{B}$ generates a random $coin \in \{0,1\}$ so that $\Pr[coin = 0] = \delta$.
3. $\mathcal{B}$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin = 0$, $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. $\mathcal{B}$ adds the tuple $\langle ID_i, Q_i, b_i, coin\rangle$ to the list and responds with $Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $\mathcal{A}$. Algorithm $\mathcal{B}$ does the following:
1. Obtain $Q_i$ using the previous algorithm; let $\langle ID_i, Q_i, b_i, c_i\rangle$ be the corresponding tuple.
2. If $coin_i = 1$ then $\mathcal{B}$ reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i sP = sQ_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $\mathcal{A}$.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model
Challenge: Once algorithm $\mathcal{A}$ decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $\mathcal{B}$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = \langle U, V\rangle$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $\mathcal{B}$ obtains the tuple corresponding to $ID_{ch}$: $\langle ID_{ch}, Q, b, coin\rangle$. If $coin = 0$ then $\mathcal{B}$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = \langle U, V\rangle$ we have $U \in \mathbb{G}_1$. Set $C' = \langle b^{-1}U, V\rangle$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $\mathcal{B}$ responds to $\mathcal{A}$ with $C'$. Note
$$\hat{e}(b^{-1}U, d_{ID}) = \hat{e}(b^{-1}U, sQ) = \hat{e}(b^{-1}U, sbQ_{id}) = \hat{e}(U, sQ_{id}) = \hat{e}(U, d_{id})$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm $\mathcal{A}$ may continue issuing key extraction queries; algorithm $\mathcal{B}$ will respond as before.
Eventually algorithm $\mathcal{A}$ will output its answer $b'$; algorithm $\mathcal{B}$ will output the same answer.
If algorithm $\mathcal{B}$ does not abort, $\mathcal{A}$'s view is identical to its view in the real attack, and thus if $\mathcal{A}$ answers correctly, so does $\mathcal{B}$.
$\mathcal{B}$ does not abort with non-negligible probability, and thus $\mathcal{B}$ wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $\mathcal{A}$ that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm $\mathcal{B}$ that solves the BDH problem with non-negligible probability.
Algorithm $\mathcal{B}$ is given as input the BDH parameters $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}\rangle$ and a random instance $\langle P, P_1, P_2, P_3\rangle = \langle P, aP, bP, cP\rangle$ of the BDH problem for these parameters. Let $D = \hat{e}(P, P)^{abc} \in \mathbb{G}_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model
setup: Algorithm $\mathcal{B}$ creates the BasicPub public key $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{ID}, H_2\rangle$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $\mathcal{B}$ as described below. Algorithm $\mathcal{B}$ gives $\mathcal{A}$ $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm $\mathcal{A}$ may issue queries to the random oracle $H_2$; to respond to them $\mathcal{B}$ maintains a list of tuples $\langle X_j, H_j\rangle$, we call it the $H_2^{list}$; the list is initially empty. When asked $H_2$ on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $\langle X_i, H_i\rangle$ then $\mathcal{B}$ responds with $H_2(X_i) = H_i$.
2. Otherwise $\mathcal{B}$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $\langle X_i, H_i\rangle$ to the $H_2^{list}$. It responds to $\mathcal{A}$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model
challenge: Algorithm $\mathcal{A}$ outputs two messages $m_0, m_1$. Algorithm $\mathcal{B}$ picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = \langle P_3, R\rangle$. Algorithm $\mathcal{B}$ gives $C$ as the challenge to $\mathcal{A}$. Observe that by definition the decryption of $C$ is $R \oplus H_2(\hat{e}(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under random oracle model
guess: Algorithm $\mathcal{A}$ outputs its guess $c' \in \{0,1\}$. At this point $\mathcal{B}$ picks a random tuple $\langle X_j, H_j\rangle$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness: $\mathcal{B}$ simulates a real attack environment for $\mathcal{A}$ and thus we expect $\mathcal{A}$ to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of $\mathcal{A}$ asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of $\mathcal{A}$'s view and thus $\mathcal{A}$ can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since its length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• D. Boneh and M. Franklin, Identity based encryption from the Weil pairing, SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• D. Boneh, R. Canetti, S. Halevi and J. Katz, Chosen-Ciphertext Security from Identity-Based Encryption, SIAM J. Comput. 36(5): 1301-1328 (2007).
25
Possible construction for generator satisfying BDH assumption
2 3
2 3
A curve defined by the equation over some field We will talk about elliptic curve defined by the equation
= +1 over field where is a prime satisfying 2mod3 Let ( ) denote thrp p
y x ax b E
y x p p E
F F e group of points on defined over rpE F
Elliptic curves
Some facts from number theory regarding E3
1
1 is a permutation on ( ) contains 1 points
Let denote a point at infinity let ( ) be a point of order and let be the subgroup generated by
For any
p p
p
x E p
O P E q P
Fact 1
Fact 2
F F
F G
2
2 13
0 0 0 0 0
3
p
there is a unique point ( ) on ( ) namely ( 1) Hence if ( ) is a
random non-zero point on ( ) then is uniform in
Let 1 be a solution of
p p p
p p
y x y E x y x y
E y
x
Fact 3
F F F
F F
F 2
2
p1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hence
Q
p pp
x y x y
E Q x y E Q E Q E
F
F F F
2
1
( ) is linearly independent of ( ) ( )
Since the points and ( ) are linearly independent they generate a group isomorphic to
We denote this group of points by
p p
q q
E Q E
P P
E
Fact 4
F F
G
[ ]q
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
2
2
2
In the following we let and be arbitrary points in ( )
A divisor is a formal sum of points on the curve ( ) We write divisors as = ( ) where and
( ) W
p
P Pp P
p
P Q E
E a P a
P E
Divisors
F
F
F
A
2 2
2
e will only consider divisors = ( ) where 0
A function on the curve ( ) can be viewed as a rational function ( ) ( )
For any point ( ) ( ) we def
P PP P
p p
p
a P a
f E f x y E
P x y E
Functions F F
F
A
2
ine ( ) ( )
Let be a function on the curve ( ) We define its divisor denoted by ( ) as
( ) ( ) ( ) Here ( ) is the orde
p
P PP
f P f x y
f E f
f ord f P ord f
Divisors of functions F
r of the zero that has at point
Let be a divisor If there exists a function such that ( ) then we say that is a principal
divisor We know
f P
f f Principal divisors A A A
that a divisor = ( ) is principal if and only if 0 and
Furthemore given a principal divisor there exists a unique function such that ( )
P P PP P Pa P a a P O
f f
Equivalen
A
A A
We say that two divisors are equivalent is their difference - is a principal divisor
We know that any divisor = ( ) (with 0) is eP PP Pa P a
ce of divisors A B A B
A quivalent to a divisor of the
form ( ) - ( )
Given a function and a divisor = ( ) we define ( ) as ( ) ( ) Pa
PP P
Q O
f a P f f f P
Notation
A
A A A
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Modified Weil pairing satisfy the following properties
1 Bilinear (follows from bilinearity of Weil pairing)
2 Non-degenerate Obvious
3 Computable There is an efficient algorithm to compute the value of the map
Generator built basing on this map is believed to satisfy BDH assumption asymptotically
However there is still the question of what values of p and q can be used in practice to
make the BDH problem sufficiently hard
30
Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before)
1 2
Given a security parameter the algorithm works as follows
Step 1 Run G on input to generate a prime two groups of order and an
admissibl
k
k q q
Setup
G G
1 1 2 1
1 1
ˆe map Choose a random generator
Step 2 Pick a random and set
Step 3 Choose a cryptographic hash function 01 Choose a cryptographic
s
q pub
e P
s P P
H
G G G G
G
2 2
1
1 2 1 2
hash function 01 for some
The message space is 01 The ciphertext space is 01 The system parameters
ˆare ( ) The is
n
n n
pub
H n
M C
q e n P P H H
mpk msk
G
G
G G qs
31
Boneh-Franklin IBE scheme
1 1
ID
For a given string 01 the algorithm does
1) Computes ( )
2) Sets the private key to be where is the master key
ID
s
ID ID
ID
Q H ID
d d Q s
Extract
G
32
Boneh-Franklin IBE scheme
1 1
To encrypt under the public key do the following
(1) compute ( )
(2) choose a random
(3) set the ciphertext to be
ID
q
m M ID
Q H ID
r
Encrypt
G
2 2ˆ ( ( )) where ( )r r
ID ID ID pubC P m H g g e Q P G
33
Boneh-Franklin IBE scheme
1
2
Let ( ) be a ciphertext encypted using the public key
To decrypt using the private key compute
ˆ ( ( ))
ID
ID
c U V C ID
c d
V H e d U
Decrypt
G
m
34
Boneh-Franklin IBE scheme
ˆ ˆ ˆ ˆ( ) ( ) ( ) ( )s r sr r r
ID ID ID ID pub IDe d U e Q P e Q P e Q P g
1 During encryption m is bitwise xored with the hash of
2 During decryption V is bitwise xored with the hash of
These masks used during encryption and decryption are the same since
ˆ( )IDe d U
r
IDg
Consistency
35
BF IBE scheme security
We will prove now that presented scheme is selective IND-ID-CPA secure in the standard
model
Reminder In selective IND-ID-CPA game the adversary first tells challenger which ID
he wants to be challenged on then he receives public setup and is allowed
to issue key extraction queries
Selective IND-ID-CPA security under standard model
36
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
Now we will see how to show that BF IBE scheme is IND-ID-CPA
secure in random oracle model
IND-ID-CPA security under random oracle model
Reminder In random oracle model cryptographic hash functions are replaced by truly
random functions Our benefit in this model is that we can build our random
oracle on the fly according to adversary actions
40
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
26
Possible construction for generator satisfying BDH assumption
Some basic concepts
2
2
2
In the following we let and be arbitrary points in ( )
A divisor is a formal sum of points on the curve ( ) We write divisors as = ( ) where and
( ) W
p
P Pp P
p
P Q E
E a P a
P E
Divisors
F
F
F
A
2 2
2
e will only consider divisors = ( ) where 0
A function on the curve ( ) can be viewed as a rational function ( ) ( )
For any point ( ) ( ) we def
P PP P
p p
p
a P a
f E f x y E
P x y E
Functions F F
F
A
2
ine ( ) ( )
Let be a function on the curve ( ) We define its divisor denoted by ( ) as
( ) ( ) ( ) Here ( ) is the orde
p
P PP
f P f x y
f E f
f ord f P ord f
Divisors of functions F
r of the zero that has at point
Let be a divisor If there exists a function such that ( ) then we say that is a principal
divisor We know
f P
f f Principal divisors A A A
that a divisor = ( ) is principal if and only if 0 and
Furthemore given a principal divisor there exists a unique function such that ( )
P P PP P Pa P a a P O
f f
Equivalen
A
A A
We say that two divisors are equivalent is their difference - is a principal divisor
We know that any divisor = ( ) (with 0) is eP PP Pa P a
ce of divisors A B A B
A quivalent to a divisor of the
form ( ) - ( )
Given a function and a divisor = ( ) we define ( ) as ( ) ( ) Pa
PP P
Q O
f a P f f f P
Notation
A
A A A
27
Possible construction for generator satisfying BDH assumption
Weil pairing
We will define now the Weil pairing of two points [ ] Let be some divisor equivalent
to the divisor ( ) ( ) We know that is a principal divisor (it is equivalent to ( ) - ( ))
Hence ther
P
P
P Q E n
P O n n P n O
A
A
1 2 1
e exists a function such that ( ) Define and analogously
The Weil pairing of and is defined as
( )( )
( )
Its clear that this map is bilinear since ( ) ( ) (
p P P Q Q
P Q
Q P
f f n f
P Q
fe P Q
f
e P P Q e P Q e
A A
A
A
2 1 2 1 2 ) and ( ) ( ) ( )
But its degenerate since for all [ ] we have ( ) 1
P Q e P Q Q e P Q e P Q
P E n e P P
28
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Recall
2 2
2
3
p pLet 1 be a solution of 1 0 in Then the map ( ) ( ) is an automorphism of the group
of points on Note that for any point ( ) ( ) we have that ( ) ( ) but ( ) ( ) Hep pp
x x y x y
E Q x y E Q E Q E
F F
F F F
2
2
1
2
nce
Q ( ) is linearly independent of ( ) ( )
Subgroup of points in ( ) generated by the point of order
Subgroup of of order
p p
p
p
E Q E
E P q
q
F F
G F
G F
29
Possible construction for generator satisfying BDH assumption
1 1 2ˆModified Weil pairing is defined as followse G G G
ˆ( ) ( ( ))e P Q e P Q
Modified Weil pairingTo overcome the problem of degeneracy we modify Weil pairing
Modified Weil pairing satisfy the following properties
1 Bilinear (follows from bilinearity of Weil pairing)
2 Non-degenerate Obvious
3 Computable There is an efficient algorithm to compute the value of the map
Generator built basing on this map is believed to satisfy BDH assumption asymptotically
However there is still the question of what values of p and q can be used in practice to
make the BDH problem sufficiently hard
30
Boneh-Franklin IBE scheme
Let G be some BDH parameter generator (for example the one we saw before).
Setup: Given a security parameter $k$ the algorithm works as follows.
Step 1: Run G on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an
admissible map $\hat{e}: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic
hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters
are $mpk = (q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2)$. The $msk$ is $s \in \mathbb{Z}_q^*$.
31
Boneh-Franklin IBE scheme
Extract: For a given string $ID \in \{0,1\}^*$ the algorithm does the following.
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key $d_{ID}$ to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb{Z}_q^*$,
(3) set the ciphertext to be
$$C = (rP,\ m \oplus H_2(g_{ID}^r)) \quad \text{where } g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in G_2^*$$
33
Boneh-Franklin IBE scheme
Decrypt: Let $c = (U, V) \in C$ be a ciphertext encrypted using the public key $ID$.
To decrypt $c$ using the private key $d_{ID} \in G_1^*$ compute
$$V \oplus H_2(\hat{e}(d_{ID}, U)) = m$$
34
Boneh-Franklin IBE scheme
Consistency
$$\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^r = g_{ID}^r$$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^r$.
2. During decryption $V$ is bitwise xored with the hash of $\hat{e}(d_{ID}, U)$.
These masks used during encryption and decryption are the same, since $\hat{e}(d_{ID}, U) = g_{ID}^r$.
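The four algorithms of slides 30 to 34 (and BasicPub from slide 40, which is the same code with $Q_{ID}$ drawn at random instead of hashed), as an added example that is not part of the original slides or of Boneh and Franklin's work: the curve, the modified Weil pairing and MapToPoint are replaced by a toy bilinear map on $\mathbb{Z}_q$ with assumed toy parameters q = 101, p = 607, chosen only so that the consistency identity can be executed and checked.

```python
"""Boneh-Franklin BasicIdent (Setup, Extract, Encrypt, Decrypt) over a toy bilinear map.

Added example, not code from the slides or from Boneh and Franklin. A real deployment
needs the modified Weil (or Tate) pairing on a curve; here G1 is the additive group Z_q
with generator P = 1 (the "point" aP is the scalar a mod q), G2 is the order-q subgroup of
Z_p^* generated by g, and e(aP, bP) = g^(a*b) mod p. This map is bilinear and non-degenerate,
so every identity on the consistency slide holds, but it gives NO security: a discrete log in
this G1 is read off directly. BasicPub (slide 40) is the same code with Q_ID chosen at random
instead of computed as H1(ID).
"""
import hashlib
import secrets

Q = 101       # constructed toy value: prime group order q
P_MOD = 607   # constructed toy value: p = 6q + 1 is prime, so Z_p^* has a subgroup of order q
G2_GEN = 64   # 2^((p-1)/q) mod p, a generator of that order-q subgroup G2
N_BITS = 128  # n: H2 maps G2 -> {0,1}^n and messages are n-bit strings

assert pow(G2_GEN, Q, P_MOD) == 1 and G2_GEN != 1, "G2_GEN must have order exactly q"


def pairing(a_p, b_p):
    """Toy map e(aP, bP) = g^(a*b) mod p; both arguments are G1 elements, i.e. scalars mod q."""
    return pow(G2_GEN, (a_p * b_p) % Q, P_MOD)


def h1(identity):
    """H1: {0,1}* -> G1*, a hash into a nonzero scalar (toy stand-in for MapToPoint)."""
    digest = hashlib.sha256(identity.encode("utf-8")).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def h2(g2_elem):
    """H2: G2 -> {0,1}^n, returned as an n-bit integer so it can be XORed with a message."""
    digest = hashlib.sha256(g2_elem.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[: N_BITS // 8], "big")


def random_scalar():
    """Uniform element of Z_q^* (never zero)."""
    return 1 + secrets.randbelow(Q - 1)


def setup(s=None):
    """Setup: returns (mpk, msk) with mpk = {P, P_pub = sP} and msk = s in Z_q^*."""
    s = random_scalar() if s is None else s
    p = 1                                  # generator P of G1
    return {"P": p, "P_pub": (s * p) % Q}, s


def extract(msk, identity):
    """Extract: d_ID = s * Q_ID where Q_ID = H1(ID)."""
    return (msk * h1(identity)) % Q


def encrypt(mpk, identity, m, r=None):
    """Encrypt: C = (rP, m XOR H2(g_ID^r)) with g_ID = e(Q_ID, P_pub)."""
    if not 0 <= m < (1 << N_BITS):
        raise ValueError("message must be an n-bit integer")
    r = random_scalar() if r is None else r
    q_id = h1(identity)
    u = (r * mpk["P"]) % Q                     # U = rP
    g_id = pairing(q_id, mpk["P_pub"])         # g_ID in G2*
    v = m ^ h2(pow(g_id, r, P_MOD))            # V = m XOR H2(g_ID^r)
    return u, v


def decrypt(d_id, ciphertext):
    """Decrypt: m = V XOR H2(e(d_ID, U)). A wrong d_ID yields garbage, not an error."""
    u, v = ciphertext
    return v ^ h2(pairing(d_id, u))


def masks(mpk, msk, identity, r):
    """The two masks from the consistency slide: encryption uses g_ID^r, decryption uses
    e(d_ID, U). They coincide because e(sQ_ID, rP) = e(Q_ID, P)^(sr) = e(Q_ID, P_pub)^r."""
    g_id = pairing(h1(identity), mpk["P_pub"])
    enc_mask = pow(g_id, r, P_MOD)
    dec_mask = pairing(extract(msk, identity), (r * mpk["P"]) % Q)
    return enc_mask, dec_mask


if __name__ == "__main__":
    mpk, msk = setup()
    d_alice = extract(msk, "alice@example.com")
    c = encrypt(mpk, "alice@example.com", 0xDEADBEEF)
    print("recovered:", hex(decrypt(d_alice, c)))
```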
35
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard
model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID
he wants to be challenged on; then he receives the public setup and is allowed
to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Decisional BDH: to distinguish a real BDH tuple from one whose last component is random,
which is the same as distinguishing between $(P, aP, bP, cP, \hat{e}(P, P)^{abc})$ and
$(P, aP, bP, cP, r)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary A that gains advantage $\varepsilon$ in the
selective IND-ID-CPA game, then there exists a poly-time adversary
B that solves Decisional BDH with probability $\frac{1}{2} + \frac{\varepsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfies the following properties:
1. $H_k: \{0,1\}^* \to G_1$
2. $\forall x \in \{0,1\}^*,\ y \in G_1\ \exists k$ s.t. $H_k(x) = y$
3. Such $k$ is easy to find
37
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Algorithm B
1. B gets $q, G_1, G_2, \hat{e}$ and a Decisional BDH instance $(P, Q, U, R, r)$ with $P, Q, U, R \in G_1$ and $r \in G_2$.
   B has to answer 1 if $r = \hat{e}(P, P)^{abc}$ (the instance is a real BDH tuple) and 0 otherwise.
2. B starts to execute A and on the first step receives $ID$.
3. B chooses a random $s \in \mathbb{Z}_q^*$ and, using property 3 of the family, finds a hash function $H_1 \in \mathcal{H}$
   whose value $H_1(ID)$ on the target identity is a point built from the instance and $s$; it also chooses another hash
   function $H_2: G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. B provides A with the public setup $(q, G_1, G_2, \hat{e}, n, H_1, H_2)$ together with a generator and a public point
   built from the instance and $s$, so the master key is $s$ and the public key is $s$ times that generator.
5. B answers A's extraction queries in the standard way.
6. When ready for a challenge, A gives B two messages $m_0, m_1$;
   B chooses a bit $b$ at random and gives A the ciphertext $C = (R,\ m_b \oplus H_2(r))$.
7. B answers 1 if A was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under the standard model
Analysis of algorithm B
- Algorithm B runs in the same time as A.
- In the last stage:
  - If $r = \hat{e}(P, P)^{abc}$, then $H_2(r)$ is exactly the mask $H_2(g_{ID}^{\,\cdot})$ that a real encryption under $ID$ with first
    component $R$ uses, since $g_{ID}$ is a power of $\hat{e}(P, P)$ whose exponent is fixed by the instance and $s$;
    thus $(R,\ H_2(r) \oplus m_b)$ is a valid encryption of $m_b$ and hence $\Pr[\text{A answers correctly}] = \frac{1}{2} + \varepsilon$.
  - Otherwise $H_2(r)$ is a random uniform string, and thus $H_2(r) \oplus m_b$ is a
    random uniform string, and hence $\Pr[\text{A answers correctly}] = \frac{1}{2}$.
- Thus B answers correctly with probability at least $\frac{1}{2} + \frac{\varepsilon}{2}$.
39
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA
secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly
random functions. Our benefit in this model is that we can build our random
oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under the random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme
called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$ the algorithm works as follows.
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$.
Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be
$$C = (rP,\ m \oplus H_2(g_{id}^r)) \quad \text{where } g_{id} = \hat{e}(Q_{id}, P_{pub}) \in G_2^*$$
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$
using a private key $d_{id}$ compute $V \oplus H_2(\hat{e}(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Now, if there is a poly-time adversary A that wins the IND-ID-CPA game against the BF IBE
scheme with non-negligible advantage, then there is a poly-time adversary B that wins the IND-CPA game
against BasicPub with non-negligible probability.
Proof
setup: Algorithm B is given the public key $K_{pub} = (q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2)$.
B gives A the system parameters $(q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2)$. $H_1$ is a random oracle controlled by B in the following way:
B maintains a list of tuples $(ID_j, Q_j, b_j, c_j)$; we call it the $H_1^{list}$; the list is initially empty. When asked $H_1(ID_i)$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, c_i)$ then B responds with
   $H_1(ID_i) = Q_i$.
2. Otherwise B generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$.
3. B picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$, $Q_i = b_i P$; otherwise $Q_i = b_i Q_{id}$.
4. B adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the list and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under the random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i sP = sQ_i$ and
   therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security under the random oracle model
Challenge: Once algorithm A decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$
   such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $(ID_{ch}, Q_{ID}, b, coin)$ corresponding to $H_1(ID_{ch})$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q_{ID} = bQ_{id}$. Recall that $C = (U, V)$ with $U \in G_1$.
   Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note
   $$\hat{e}(b^{-1}U, d_{ID}) = \hat{e}(b^{-1}U, sQ_{ID}) = \hat{e}(b^{-1}U, Q_{id})^{sb} = \hat{e}(U, Q_{id})^{s} = \hat{e}(U, d_{id})$$
   Hence the BF IBE decryption of $C'$ using $d_{ID}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
44
BF IBE scheme security
IND-ID-CPA security under the random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries;
algorithm B will respond as before.
Eventually algorithm A will output its answer b'; algorithm B will output the same
answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and
thus if A answers correctly, so does B.
B does not abort with non-negligible probability, and thus B wins the IND-CPA game
against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under the random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH
problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that
wins the IND-CPA game against BasicPub with non-negligible probability. We will show an
algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, G_1, G_2, \hat{e})$ and a random instance
$(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters.
Let $D = \hat{e}(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under the random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{ID}, H_2)$ by setting
$P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm A may issue queries to the random oracle $H_2$; to respond to them B
maintains a list of tuples $(X_j, H_j)$; we call it the $H_2^{list}$; the list is initially empty. When asked $H_2(X_i)$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$.
   It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under the random oracle model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines
$C$ to be the ciphertext $C = (P_3, R)$. Algorithm B gives $C$ as the challenge to A. Observe that by definition
the decryption of $C$ is $R \oplus H_2(\hat{e}(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under the random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the
$H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A, and thus we expect A to be correct with non-
negligible probability (if given a correct encryption in the last stage). And thus the probability of A
asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of A's
view, and thus A can't answer correctly with probability greater than half). So we have $D$ in
our list with non-negligible probability, and since its length is polynomial, picking an entry at random will
provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
29
Possible construction for generator satisfying BDH assumption

Modified Weil pairing. The Weil pairing itself is degenerate on a cyclic group ($e(P,P)=1$), so to obtain a map with $\hat e(P,P)\neq 1$ we modify it. The modified Weil pairing $\hat e: G_1 \times G_1 \to G_2$ is defined as

$\hat e(P, Q) = e(P, \phi(Q))$

where $\phi$ is the distortion map of the curve: an automorphism that sends $G_1$ to a subgroup linearly independent of it, so that $Q$ and $\phi(Q)$ are never multiples of each other.

The modified Weil pairing satisfies the following properties:
1. Bilinear: follows from the bilinearity of the Weil pairing and the linearity of $\phi$.
2. Non-degenerate: since $\phi(P)$ is not a multiple of $P$, $\hat e(P,P) = e(P,\phi(P)) \neq 1$ for a generator $P$ of $G_1$.
3. Computable: there is an efficient algorithm (Miller's algorithm) to compute the value of the map.

A generator built on this map is believed to satisfy the BDH assumption asymptotically. However, there is still the question of what values of $p$ and $q$ can be used in practice to make the BDH problem sufficiently hard: with this curve the pairing values live in $\mathbb F_{p^2}^*$, so $p$ must be large enough that the discrete logarithm there is infeasible, not only the one in $G_1$.
30
Boneh-Franklin IBE scheme

Setup. Let $\mathcal G$ be some BDH parameter generator (for example the one we saw before). Given a security parameter $k$ the algorithm works as follows:
Step 1: Run $\mathcal G$ on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of order $q$ and an admissible map $\hat e: G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb Z_q^*$ and set $P_{pub} = sP$.
Step 3: Choose a cryptographic hash function $H_1: \{0,1\}^* \to G_1^*$. Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
The message space is $M = \{0,1\}^n$. The ciphertext space is $C = G_1^* \times \{0,1\}^n$. The system parameters are $mpk = (q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$. The master key is $msk = s \in \mathbb Z_q^*$.
31
Boneh-Franklin IBE scheme

Extract. For a given string $ID \in \{0,1\}^*$ the algorithm does:
1) Computes $Q_{ID} = H_1(ID) \in G_1^*$.
2) Sets the private key to be $d_{ID} = sQ_{ID}$, where $s$ is the master key.
32
Boneh-Franklin IBE scheme

Encrypt. To encrypt $m \in M$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$,
(2) choose a random $r \in \mathbb Z_q^*$,
(3) set the ciphertext to be
$C = (rP,\; m \oplus H_2(g_{ID}^{\,r}))$ where $g_{ID} = \hat e(Q_{ID}, P_{pub}) \in G_2^*$.
33
Boneh-Franklin IBE scheme

Decrypt. Let $C = (U, V) \in \mathcal C$ be a ciphertext encrypted using the public key $ID$. To decrypt $C$ using the private key $d_{ID} \in G_1^*$ compute
$V \oplus H_2(\hat e(d_{ID}, U)) = m$.
34
Boneh-Franklin IBE scheme

Consistency.
$\hat e(d_{ID}, U) = \hat e(sQ_{ID}, rP) = \hat e(Q_{ID}, P)^{sr} = \hat e(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat e(d_{ID}, U)$.
These masks used during encryption and decryption are the same, since $\hat e(d_{ID}, U) = g_{ID}^{\,r}$ by the computation above.
Note that $V$ is a one-time pad of $m$: flipping a bit of $V$ flips the same bit of the decrypted message. The basic scheme is therefore malleable, which is why only chosen-plaintext security is claimed for it in what follows.
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model

We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model, with the programmable hash family of the next slide in place of a random oracle.
Reminder: in the selective IND-ID-CPA game the adversary first tells the challenger which $ID$ he wants to be challenged on; only then does he receive the public setup, and he is allowed to issue key extraction queries for identities other than $ID$.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model

Decisional BDH: to distinguish between $(P, aP, bP, cP, \hat e(P,P)^{abc})$ and $(P, aP, bP, cP, \hat e(P,P)^{r})$ for a random $r \in \mathbb Z_q^*$, which is the same as distinguishing between $(P, aP, bP, cP, \hat e(P,P)^{abc})$ and $(P, aP, bP, cP, r)$ for a random element $r \in G_2$.

Theorem. If there exists a poly-time adversary $\mathcal A$ that gains advantage $\epsilon$ in the selective IND-ID-CPA game, then there exists a poly-time adversary $\mathcal B$ that solves Decisional BDH with probability $\frac12 + \frac{\epsilon}{2}$.

We are going to use a family of hash functions $\mathcal H = \{H_k\}$ that satisfies the following properties:
1. $H_k: \{0,1\}^* \to G_1$.
2. For every $x \in \{0,1\}^*$ and $y \in G_1$ there is a $k$ such that $H_k(x) = y$.
3. Such a $k$ is easy to find.
Properties 2 and 3 say that $H_k$ can be programmed at one chosen point. This is what lets the reduction avoid the random oracle, but it is an assumption on the hash family, not a property that an ordinary hash such as SHA-256 offers.
37
BF IBE scheme security
Selective IND-ID-CPA security under standard model

Algorithm $\mathcal B$:
1. Gets $(q, G_1, G_2, \hat e)$ and the instance $(P, Q = aP, U = bP, R = cP, r)$ with $r \in G_2$. $\mathcal B$ has to answer 1 if $\hat e(P,P)^{abc} = r$ and 0 otherwise.
2. $\mathcal B$ starts to execute $\mathcal A$ and on the first step receives $ID$, the identity $\mathcal A$ wants to be challenged on.
3. $\mathcal B$ chooses a random $s \in \mathbb Z_q^*$ and finds …; it chooses a hash function $H_1 \in \mathcal H$ such that $H_1(ID) = \ldots$, and another hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$ without any restriction.
4. $\mathcal B$ provides $\mathcal A$ with the public setup $(q, G_1, G_2, \hat e, n, \ldots, \ldots, H_1, H_2)$. So the master key is $s$ and the public key is $sP$.
5. $\mathcal B$ answers $\mathcal A$'s extraction queries in the standard way, using $s$.
6. When $\mathcal A$ is ready for a challenge it gives two messages $m_0, m_1$. $\mathcal B$ chooses a bit $b$ at random and gives $\mathcal A$ the ciphertext $C = (R, m_b \oplus H_2(r))$.
7. $\mathcal B$ answers 1 if $\mathcal A$ was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under standard model

Analysis of algorithm $\mathcal B$:
- Algorithm $\mathcal B$ runs in essentially the same time as $\mathcal A$ (plus the cost of programming $H_1$ and one evaluation of $H_2$).
- In the last stage:
  - If $\hat e(P,P)^{abc} = r$ then, by the way $H_1(ID)$ and the public key were derived from the instance, $r = \hat e(d_{ID}, R)$, so $H_2(r)$ is exactly the mask that a genuine encryption with first component $R$ uses, and thus $(R, H_2(r) \oplus m_b)$ is a valid encryption of $m_b$; hence $\Pr[\mathcal A \text{ answers correctly}] = \frac12 + \epsilon$.
  - Otherwise $r$ is uniform in $G_2$, so $H_2(r)$ is a uniformly random string, and thus $H_2(r) \oplus m_b$ is a uniformly random string independent of $b$; hence $\Pr[\mathcal A \text{ answers correctly}] = \frac12$. (This step needs $H_2$ to map a uniform element of $G_2$ to a uniform $n$-bit string, i.e. to act as an extractor; that is a further assumption on $H_2$, beyond collision resistance.)
- Thus $\mathcal B$ answers correctly with probability at least $\frac12 + \frac{\epsilon}{2}$.
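The probability bound of the analysis above, carried through explicitly (an added derivation in the slide's own symbols, not part of the original deck). $\mathcal B$ outputs 1 exactly when $\mathcal A$'s guess is correct, and the DBDH challenger hands out a real tuple or a random one with probability $\frac12$ each:

$$
\Pr[\mathcal B\ \text{correct}]
= \tfrac12 \Pr[\mathcal A\ \text{correct} \mid r = \hat e(P,P)^{abc}]
+ \tfrac12 \Pr[\mathcal A\ \text{wrong} \mid r\ \text{uniform in } G_2]
= \tfrac12\bigl(\tfrac12 + \epsilon\bigr) + \tfrac12 \cdot \tfrac12
= \tfrac12 + \tfrac{\epsilon}{2},
$$

so $\mathcal B$'s distinguishing advantage is $\epsilon/2$: the reduction loses a factor of two and nothing more.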
39
BF IBE scheme security
IND-ID-CPA security under random oracle model

Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: in the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions: we choose its answers, and we see every input the adversary hashes.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model

First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms.

keygen. Given a security parameter $k$ the algorithm works as follows:
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e: G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb Z_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2: G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id}$.

encrypt. To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb Z_q^*$ and set the ciphertext to be
$C = (rP,\; m \oplus H_2(g_{id}^{\,r}))$ where $g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2^*$.

decrypt. Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.

BasicPub is the BF scheme frozen at a single identity: $Q_{id}$ plays the role of $H_1(ID)$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model

Now if there is a poly-time adversary $\mathcal A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a poly-time adversary $\mathcal B$ that wins the IND-CPA game against BasicPub with non-negligible advantage.

Proof.
Setup: Algorithm $\mathcal B$ is given the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2)$. $\mathcal B$ gives $\mathcal A$ the system parameters $(q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2)$, where $H_1$ is a random oracle controlled by $\mathcal B$ in the following way. $\mathcal B$ maintains a list of tuples $(ID_j, Q_j, b_j, coin_j)$, called the $H_1^{list}$; the list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, coin_i)$ then $\mathcal B$ responds with $H_1(ID_i) = Q_i$.
2. Otherwise $\mathcal B$ generates a random $coin_i \in \{0,1\}$ so that $coin_i = 0$ with some fixed probability (chosen later to balance the two ways $\mathcal B$ can abort).
3. $\mathcal B$ picks a random $b_i \in \mathbb Z_q^*$. If $coin_i = 0$ it sets $Q_i = b_i P$, otherwise $Q_i = b_i Q_{id}$.
4. $\mathcal B$ adds the tuple $(ID_i, Q_i, b_i, coin_i)$ to the $H_1^{list}$ and responds with $H_1(ID_i) = Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model

Key extraction: Let $ID_i$ be a private key extraction query issued by algorithm $\mathcal A$. Algorithm $\mathcal B$ does the following:
1. Obtain $Q_i = H_1(ID_i)$ using the previous algorithm; let $(ID_i, Q_i, b_i, coin_i)$ be the corresponding tuple.
2. If $coin_i = 1$ then $\mathcal B$ reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = b_i sP = sQ_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $\mathcal A$.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model

Challenge: Once algorithm $\mathcal A$ decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $\mathcal B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V)$ such that $C$ is the BasicPub encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $\mathcal B$ obtains the tuple $(ID_{ch}, Q_{ch}, b_{ch}, coin_{ch})$ corresponding to $ID_{ch}$ (running the $H_1$ simulation if $ID_{ch}$ was never queried). If $coin_{ch} = 0$ then $\mathcal B$ reports failure and terminates.
3. We know $coin_{ch} = 1$ and therefore $Q_{ch} = b_{ch} Q_{id}$. Recall that $C = (U, V)$ with $U = rP$ for the challenger's random $r$. Set $C' = (b_{ch}^{-1} U, V)$ where $b_{ch}^{-1}$ is the inverse of $b_{ch}$ mod $q$. Algorithm $\mathcal B$ responds to $\mathcal A$ with $C'$. Note that
$\hat e(b_{ch}^{-1} U, d_{ch}) = \hat e(b_{ch}^{-1} U, sQ_{ch}) = \hat e(b_{ch}^{-1} U, s\, b_{ch} Q_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id}).$
Hence the BF IBE decryption of $C'$ under $ID_{ch}$ using $d_{ch}$ is the same as the BasicPub decryption of $C$ using $d_{id}$, so $C'$ is a correctly distributed BF encryption of $m_c$ under $ID_{ch}$ (with randomness $b_{ch}^{-1} r$).
44
BF IBE scheme security
IND-ID-CPA security under random oracle model

Guess: After the challenge has been set, algorithm $\mathcal A$ may continue issuing key extraction queries (for identities other than $ID_{ch}$); algorithm $\mathcal B$ responds as before.
Eventually algorithm $\mathcal A$ outputs its answer $b'$; algorithm $\mathcal B$ outputs the same answer.
If $\mathcal B$ does not abort, $\mathcal A$'s view is identical to its view in the real attack ($H_1$ answers are uniform in $G_1^*$ and reveal nothing about the coins), and thus if $\mathcal A$ answers correctly so does $\mathcal B$.
$\mathcal B$ aborts only when an extraction query lands on a tuple with $coin_i = 1$ or the challenge identity lands on $coin_{ch} = 0$. If $\mathcal A$ makes at most $q_E$ extraction queries, the coin bias can be chosen so that $\mathcal B$ does not abort with probability at least $1/(e(1+q_E))$, which is non-negligible. Thus $\mathcal B$ wins the IND-CPA game against BasicPub with non-negligible advantage.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model

As a final step we show a reduction from the BasicPub IND-CPA game to the BDH problem; from this we have that if BDH is hard then BF IBE is IND-ID-CPA secure (in the random oracle model).
To show this, assume by contradiction that there is a poly-time algorithm $\mathcal A$ that wins the IND-CPA game against BasicPub with non-negligible advantage. We show an algorithm $\mathcal B$ that solves the BDH problem with non-negligible probability.
Algorithm $\mathcal B$ is given as input the BDH parameters $(q, G_1, G_2, \hat e)$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat e(P,P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model

Setup: Algorithm $\mathcal B$ creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by $\mathcal B$ as described below. Algorithm $\mathcal B$ gives $\mathcal A$ the key $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$.
At any time algorithm $\mathcal A$ may issue queries to the random oracle $H_2$. To respond to them $\mathcal B$ maintains a list of tuples $(X_j, H_j)$, called the $H_2^{list}$; the list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then $\mathcal B$ responds with $H_2(X_i) = H_i$.
2. Otherwise $\mathcal B$ just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to $\mathcal A$ with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model

Challenge: Algorithm $\mathcal A$ outputs two messages $m_0, m_1$. Algorithm $\mathcal B$ picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = (P_3, R)$. Algorithm $\mathcal B$ gives $c$ as the challenge to $\mathcal A$. Observe that by definition the decryption of $c$ is
$R \oplus H_2(\hat e(P_3, d_{ID})) = R \oplus H_2(D)$,
since $\hat e(P_3, d_{ID}) = \hat e(cP, abP) = \hat e(P,P)^{abc} = D$.
48
BF IBE scheme security
IND-ID-CPA security under random oracle model

Guess: Algorithm $\mathcal A$ outputs its guess $c' \in \{0,1\}$. At this point $\mathcal B$ picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.

Proof of correctness: $\mathcal B$ simulates a real attack environment for $\mathcal A$ (the challenge $(P_3, R)$ is a correctly distributed encryption of $m_c$ for the $c$ determined by $R \oplus H_2(D)$), so we expect $\mathcal A$ to be correct with probability non-negligibly above one half. Thus the probability of $\mathcal A$ asking for $H_2(D)$ is non-negligible: otherwise $H_2(D)$ is independent of $\mathcal A$'s view, the decryption of $c$ is a uniformly random string, and $\mathcal A$ cannot answer correctly with probability greater than one half. So $D$ is on our list with non-negligible probability, and since the list has polynomial length, picking an entry at random gives the correct answer with non-negligible probability (at least $\Pr[D \in H_2^{list}]$ divided by the number of $H_2$ queries).
49
References

• D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• D. Boneh, R. Canetti, S. Halevi and J. Katz. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput. 36(5): 1301-1328 (2007).
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
32
Boneh-Franklin IBE scheme
Encrypt: To encrypt $m \in \mathcal{M}$ under the public key $ID$ do the following:
(1) compute $Q_{ID} = H_1(ID) \in G_1^*$
(2) choose a random $r \in \mathbb{Z}_q^*$
(3) set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{ID}^{\,r}))$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in G_2$
33
Boneh-Franklin IBE scheme
Decrypt: Let $C = (U, V) \in \mathcal{C}$ be a ciphertext encrypted using the public key $ID$.
To decrypt $C$ using the private key $d_{ID} \in G_1^*$ compute
$V \oplus H_2(\hat{e}(d_{ID}, U)) = m$
34
Boneh-Franklin IBE scheme
Consistency
1. During encryption $m$ is bitwise xored with the hash of $g_{ID}^{\,r}$.
2. During decryption $V$ is bitwise xored with the hash of $\hat{e}(d_{ID}, U)$.
These masks used during encryption and decryption are the same since
$\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^{r} = g_{ID}^{\,r}$
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: In the selective IND-ID-CPA game the adversary first tells the challenger which ID he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Decisional BDH: To distinguish between $(P, aP, bP, cP, abcP)$ and $(P, aP, bP, cP, rP)$, which is equal to distinguishing between $(P, aP, bP, cP, \hat{e}(P,P)^{abc})$ and $(P, aP, bP, cP, r)$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary A that gains advantage in the selective IND-ID-CPA game, then there exists a poly-time adversary B that solves Decisional BDH with probability $1/2$ plus half of that advantage.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k : \{0,1\}^* \to G_1$
2. for every $x \in \{0,1\}^*$ and $y \in G_1$ there exists $k$ s.t. $H_k(x) = y$
3. such $k$ is easy to find
37
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Algorithm B
1. B gets $G_1, G_2, q, \hat{e}, P, Q = aP, U = bP, R = cP$ and $r \in G_2$. B has to answer 1 if $\hat{e}(P,P)^{abc} = r$ and 0 otherwise.
2. B starts to execute A and on the first step receives $ID$.
3. B chooses a random $s \in \mathbb{Z}_q^*$ and finds a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID) = bP = U$, and another hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. B provides A with the public setup $(G_1, G_2, q, \hat{e}, n, Q, sQ, H_1, H_2)$. So the master-key is $s$ and the public key is $sQ = saP$.
5. B answers A's extraction queries in a standard way.
6. When ready for a challenge, A gives B two messages $m_0, m_1$. B chooses a bit $b$ at random and gives A $C = (R,\ m_b \oplus H_2(r^s))$.
7. B answers 1 if A was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Analysis of algorithm B
- Algorithm B runs the same time as A.
- In the last stage:
  - If $\hat{e}(P,P)^{abc} = r$ then $H_2(r^s) = H_2(g_{ID}^{\,c})$ since $g_{ID}^{\,c} = \hat{e}(P,P)^{abcs}$, and thus $(cP,\ H_2(r^s) \oplus m_b)$ is a valid encryption of $m_b$; hence Pr[A answers correctly] is $1/2$ plus A's advantage.
  - Otherwise $H_2(r^s)$ is a random uniform string and thus $H_2(r^s) \oplus m_b$ is a random uniform string; hence Pr[A answers correctly] $= 1/2$.
- Thus B answers correctly with probability at least $1/2$ plus half of A's advantage.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: In the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme called BasicPub; this scheme is defined by the following algorithms.
keygen: Given a security parameter $k$ the algorithm works as follows:
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat{e} : G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $(q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2)$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt: To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = (rP,\ m \oplus H_2(g_{id}^{\,r}))$ where $g_{id} = \hat{e}(Q_{id}, P_{pub}) \in G_2$.
decrypt: Let $C = (U, V)$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat{e}(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible probability, then there is a polytime adversary B that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
setup: Algorithm B is given the public key $K_{pub} = (q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2)$. B gives A the system parameters $(q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2)$. $H_1$ is a random oracle controlled by B in the following way: B maintains a list of tuples $(ID_j, Q_j, b_j, c_j)$, we call it the $H_1^{list}$; the list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $(ID_i, Q_i, b_i, c_i)$ then B responds with $H_1(ID_i) = Q_i \in G_1^*$.
2. Otherwise B generates a random $coin \in \{0,1\}$ so that $\Pr[coin = 0]$ equals a fixed value chosen by B.
3. B picks a random $b \in \mathbb{Z}_q^*$. If $coin = 0$ then $Q_i = bP \in G_1^*$, otherwise $Q_i = bQ_{id} \in G_1^*$.
4. B adds the tuple $(ID_i, Q_i, b_i, c_i)$ with $b_i = b$ and $c_i = coin$ to the $H_1^{list}$ and responds with $Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model
key extraction: Let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i$ using the previous algorithm; let $(ID_i, Q_i, b_i, c_i)$ be the corresponding tuple.
2. If $c_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $Q_i = b_iP$. Define $d_i = b_iP_{pub}$. Observe that $d_i = b_isP = sQ_i$ and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model
Challenge: Once algorithm A decides to begin the challenge it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = (U, V) \in \mathcal{C}$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple corresponding to $ID_{ch}$: $(ID_{ch}, Q_{ch}, b, coin)$. If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q_{ch} = bQ_{id} \in G_1^*$. Recall that when $C = (U, V)$ we have $U \in G_1$. Set $C' = (b^{-1}U, V)$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note
$\hat{e}(b^{-1}U, d_{ch}) = \hat{e}(b^{-1}U, sQ_{ch}) = \hat{e}(b^{-1}U, sbQ_{id}) = \hat{e}(U, sQ_{id}) = \hat{e}(U, d_{id})$
Hence the BF IBE decryption of $C'$ using $d_{ch}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
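The consistency equation of slide 34, the BasicPub/BF encrypt-decrypt pair of slide 40, and the two simulator tricks of slides 42 and 43 (the coin = 0 key $d_i = b_iP_{pub}$ computed without $s$, and the challenge translation $C' = (b^{-1}U, V)$), as an added worked example; this is not code from the slides or from the Boneh-Franklin paper. It assumes a toy bilinear group chosen for checkability: $G_1$ is modelled by scalars mod $q$ with $P = 1$ (so $xP$ is just $x$), $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$, and $\hat{e}(xP, yP) = g^{xy}$; this pairing exposes discrete logs and gives no security, it only lets the algebra be checked. The primes $q = 1019$, $p = 2039$, the hash-to-scalar $H_1$, the truncated SHA-256 $H_2$, the identities, the message and the scalars used in the demo are all constructed values.

```python
# Added example (not from the slides or from Boneh-Franklin): a toy model
# of the BF IBE algebra to check the consistency equation and the
# simulator's tricks from the IND-ID-CPA reduction.
import hashlib
import secrets
from typing import Optional, Tuple

# Toy bilinear group.  G1 is represented by scalars mod Q: the generator P
# is 1, so the point xP is simply the integer x.  G2 is the order-Q subgroup
# of Z_PMOD^* generated by G, and the pairing is e(xP, yP) = G^(x*y) mod PMOD.
# Bilinearity holds by construction, but the discrete log in G1 is exposed,
# so this models the algebra only and offers no security.  Q = 1019 and
# PMOD = 2*Q + 1 = 2039 are both prime; G = 4 generates the order-Q subgroup.
Q = 1019
PMOD = 2 * Q + 1
G = 4
N = 16  # message length in bytes (the {0,1}^n of the slides)


def pairing(a: int, b: int) -> int:
    """e(aP, bP) = G^(ab) in G2."""
    return pow(G, (a * b) % Q, PMOD)


def h1(identity: str) -> int:
    """H1: {0,1}^* -> G1^*, a hash reduced to a non-zero scalar (constructed)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def h2(g2_elem: int) -> bytes:
    """H2: G2 -> {0,1}^n, SHA-256 of the element truncated to N bytes (constructed)."""
    return hashlib.sha256(g2_elem.to_bytes(2, "big")).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def random_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1


def setup(s: Optional[int] = None) -> Tuple[int, int]:
    """Returns (master key s, P_pub = sP); with P = 1 the point sP is the scalar s."""
    s = s if s is not None else random_scalar()
    return s % Q, s % Q


def extract(s: int, identity: str) -> int:
    """d_ID = s * Q_ID with Q_ID = H1(ID)."""
    return (s * h1(identity)) % Q


def encrypt(p_pub: int, identity: str, m: bytes, r: Optional[int] = None) -> Tuple[int, bytes]:
    """C = (rP, m xor H2(g_ID^r)) with g_ID = e(Q_ID, P_pub)."""
    r = r if r is not None else random_scalar()
    g_id = pairing(h1(identity), p_pub)
    return r % Q, xor(m, h2(pow(g_id, r, PMOD)))


def decrypt(d_id: int, c: Tuple[int, bytes]) -> bytes:
    """m = V xor H2(e(d_ID, U))."""
    u, v = c
    return xor(v, h2(pairing(d_id, u)))


def consistency_holds(s: int, identity: str, r: int) -> bool:
    """Slide 34: e(d_ID, rP) == e(Q_ID, P_pub)^r."""
    q_id = h1(identity)
    d_id = (s * q_id) % Q
    return pairing(d_id, r) == pow(pairing(q_id, s), r, PMOD)


# --- the simulator B of slides 42-43, run against a BasicPub key ---

def simulated_key_coin0(b_i: int, p_pub: int) -> int:
    """coin = 0: B answered H1(ID_i) = b_i P, so d_i = b_i P_pub equals s Q_i
    even though B never learns s."""
    return (b_i * p_pub) % Q


def translate_challenge(b: int, c_basicpub: Tuple[int, bytes]) -> Tuple[int, bytes]:
    """coin = 1: B answered H1(ID_ch) = b Q_id, so C' = (b^-1 U, V) decrypts
    under d_ch exactly as C = (U, V) decrypts under d_id."""
    u, v = c_basicpub
    return (pow(b, -1, Q) * u) % Q, v


def reduction_demo(s: int, q_id: int, b: int, b_i: int, m: bytes, r: int) -> dict:
    """Constructed run-through: BasicPub public key (P_pub = sP, Q_id), the H1
    answers programmed by B, and the two decryptions that must agree."""
    p_pub = s % Q
    d_id = (s * q_id) % Q                          # BasicPub private key (unknown to B)
    g_id = pairing(q_id, p_pub)
    c = (r % Q, xor(m, h2(pow(g_id, r, PMOD))))    # BasicPub challenge ciphertext
    q_ch = (b * q_id) % Q                          # H1(ID_ch) = b Q_id (coin = 1)
    d_ch = (s * q_ch) % Q                          # the genuine IBE key for ID_ch
    return {
        "basicpub_decrypt": decrypt(d_id, c),
        "ibe_decrypt": decrypt(d_ch, translate_challenge(b, c)),
        "coin0_key_matches": simulated_key_coin0(b_i, p_pub) == (s * b_i) % Q,
    }


if __name__ == "__main__":
    s, p_pub = setup()
    c = encrypt(p_pub, "bob@example.com", b"sixteen byte msg")
    print(decrypt(extract(s, "bob@example.com"), c))
    print(reduction_demo(321, 77, 5, 7, b"sixteen byte msg", 99))
```

The point of `reduction_demo` is the equality $\hat{e}(b^{-1}U, sbQ_{id}) = \hat{e}(U, sQ_{id})$ from slide 43: both dictionary entries come out as the same plaintext although one decryption uses the BasicPub key $d_{id}$ and the other the IBE key $d_{ch}$ for the programmed identity. The `coin0_key_matches` entry checks the slide 42 identity $b_iP_{pub} = sQ_i$ in the same way. Swapping the toy `pairing` for a real pairing library would keep every other function unchanged, since nothing above depends on the discrete log being visible.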
44
BF IBE scheme security
IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B will respond as before.
Eventually algorithm A will output its answer $b'$; algorithm B will output the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly, so does B.
B does not abort with non-negligible probability, and thus B wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $(q, G_1, G_2, \hat{e})$ and a random instance $(P, P_1, P_2, P_3) = (P, aP, bP, cP)$ of the BDH problem for these parameters. Let $D = \hat{e}(P, P)^{abc} \in G_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model
setup: Algorithm B creates the BasicPub public key $K_{pub} = (q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{ID}, H_2)$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$ (since $P_{pub} = aP$, the master key is $s = a$).
$H_2$ queries: At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them B maintains a list of tuples $(X_j, H_j)$, we call it the $H_2^{list}$; the list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $(X_i, H_i)$ then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $(X_i, H_i)$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random orac/le model
challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = (P_3, R)$. Algorithm B gives $C$ as the challenge to A. Observe that by definition the decryption of $C$ is $R \oplus H_2(\hat{e}(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under random oracle model
guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $(X_j, H_j)$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of A asking for $H_2(D)$ is not negligible (since otherwise the decryption of $C$ is independent of A's view, and thus A can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since its length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
34
Boneh-Franklin IBE scheme
ˆ ˆ ˆ ˆ( ) ( ) ( ) ( )s r sr r r
ID ID ID ID pub IDe d U e Q P e Q P e Q P g
1 During encryption m is bitwise xored with the hash of
2 During decryption V is bitwise xored with the hash of
These masks used during encryption and decryption are the same since
ˆ( )IDe d U
r
IDg
Consistency
35
BF IBE scheme security
We will prove now that presented scheme is selective IND-ID-CPA secure in the standard
model
Reminder In selective IND-ID-CPA game the adversary first tells challenger which ID
he wants to be challenged on then he receives public setup and is allowed
to issue key extraction queries
Selective IND-ID-CPA security under standard model
36
BF IBE scheme security
To distinguish between ( ) and ( )
ˆ which is equal to distinguish between ( ( ) ) and
aP P P P P P P P P P
P P P P e P
Decisional BDH
2 ( ) for random P P P P r r G
Selective IND-ID-CPA security under standard model
Theorem If there exists a poly-time adversary A that gains advantage in
selective IND-ID-CPA game then there exists a poly-time adversary
B that solves Decisional BDH with probability
1
1
We are going to use a family of hash functions = that satisfy the following properties
1 01
2 01 st ( )
3 Such is easy to find
k
k
k
H
H
x y k H x y
k
G
G
H
37
BF IBE scheme securitySelective IND-ID-CPA security under standard model
1 2 2
1
ˆ1 Gets and ( )
ˆ has to answer 1 if ( ) = and 0 otherwise
2 starts to execute and on a first step receives
3 chooses random and finds
q
q e P Q P U P R P r
B e P P r
B A ID
B s s
G G G
1
1 1
2 2
1 2 1 2
chooses hash function such that ( ) and another hash
function 01 for some without any restriction
ˆ4 provides with public setup ( )
So mas
s
n
s
B H H ID P
H n
B A q e n Q Q H H
G
G G
H
0 1
2
ter-key is and public key is
5 answers s extraction queries in a standard way
6 When ready for a challenge it gives two messages
chooses bit at random and gives (
s
b
s P
B A
A B m m
B b A C R m H
( ))
7 answers 1 if was correct
r
B A
Algorithm B
38
BF IBE scheme securitySelective IND-ID-CPA security under standard model
Analysis of algorithm B
1
2 2
2
- Algorithm runs the same time as
- In the last stage
ˆ ˆ - If ( ) then ( ) ( ) since ( )
and thus ( ( ) ) is a valid encryption of and hence
Pr[
s s
ID ID
b b
B A
e P P r H r H g g e P P
P H r m m
A
2 2
answers correctly]
- Otherwise ( ) is a random uniform string and thus ( ) is a
1 random uniform string and hence Pr[ answers correctly]
2
- Thus answers correctly with probabili
bH r H r m
A
B
ty at least
39
BF IBE scheme security
Now we will see how to show that BF IBE scheme is IND-ID-CPA
secure in random oracle model
IND-ID-CPA security under random oracle model
Reminder In random oracle model cryptographic hash functions are replaced by truly
random functions Our benefit in this model is that we can build our random
oracle on the fly according to adversary actions
40
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme security
IND-ID-CPA security under random oracle model
guess
Algorithm $A$ outputs its guess $c' \in \{0,1\}$. At this point $B$ picks a random tuple $\langle X_j, H_j\rangle$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
$B$ simulates a real attack environment for $A$, and thus we expect $A$ to be correct with non-negligible probability (if it is given a correct encryption in the last stage). Thus the probability of $A$ asking for $H_2(D)$ is non-negligible (since otherwise the decryption of $c$ is independent of $A$'s view, and $A$ can't answer correctly with probability greater than one half). So $D$ is in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
49
References
• Identity based encryption from the Weil pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
35
BF IBE scheme security
Selective IND-ID-CPA security under standard model
We will now prove that the presented scheme is selective IND-ID-CPA secure in the standard model.
Reminder: in the selective IND-ID-CPA game the adversary first tells the challenger which $ID$ he wants to be challenged on; then he receives the public setup and is allowed to issue key extraction queries.
36
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Decisional BDH: to distinguish between $\langle P, aP, bP, cP, \hat e(P,P)^{abc}\rangle$ and $\langle P, aP, bP, cP, \hat e(P,P)^{r}\rangle$ for random $r \in \mathbb{Z}_q$, which is equivalent to distinguishing between $\langle P, aP, bP, cP, \hat e(P,P)^{abc}\rangle$ and $\langle P, aP, bP, cP, r\rangle$ for random $r \in G_2$.
Theorem: If there exists a poly-time adversary $A$ that gains advantage $\varepsilon$ in the selective IND-ID-CPA game, then there exists a poly-time adversary $B$ that solves Decisional BDH with probability at least $\frac{1}{2} + \frac{\varepsilon}{2}$.
We are going to use a family of hash functions $\mathcal{H} = \{H_k\}$ that satisfy the following properties:
1. $H_k : \{0,1\}^* \to G_1$
2. $\forall x \in \{0,1\}^*,\ \forall y \in G_1\ \exists k$ s.t. $H_k(x) = y$
3. Such a $k$ is easy to find
37
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Algorithm B
1. $B$ gets $\langle q, G_1, G_2, \hat e\rangle$ and $\langle P, Q = aP, U = bP, R = cP, r\rangle$; $B$ has to answer 1 if $\hat e(P,P)^{abc} = r$ and 0 otherwise.
2. $B$ starts to execute $A$ and on the first step receives $ID$ (the identity $A$ wants to be challenged on).
3. $B$ chooses a random $s \in \mathbb{Z}_q$ and, by properties 2 and 3 of $\mathcal{H}$, finds a hash function $H_1 \in \mathcal{H}$ such that $H_1(ID) = sU = sbP$; it also chooses another hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$, without any restriction.
4. $B$ provides $A$ with the public setup $\langle q, G_1, G_2, \hat e, n, P, Q, H_1, H_2\rangle$. So the master-key is the unknown $a$ (playing the role of $s$ in the scheme) and the public key is $Q = aP$ (playing the role of $sP$).
5. $B$ answers $A$'s extraction queries in the standard way.
6. When ready for a challenge, $A$ gives $B$ two messages $m_0, m_1$; $B$ chooses a bit $b$ at random and gives $A$ the ciphertext $C = \langle R,\ m_b \oplus H_2(r^{s})\rangle$.
7. $B$ answers 1 if $A$ was correct.
38
BF IBE scheme security
Selective IND-ID-CPA security under standard model
Analysis of algorithm B
- Algorithm $B$ runs in the same time as $A$.
- In the last stage:
- If $\hat e(P,P)^{abc} = r$ then $H_2(r^{s}) = H_2(g_{ID}^{c})$, since $g_{ID} = \hat e(H_1(ID), Q) = \hat e(sbP, aP) = \hat e(P,P)^{sab}$, and thus $\langle cP,\ m_b \oplus H_2(r^{s})\rangle$ is a valid encryption of $m_b$ and hence $\Pr[A \text{ answers correctly}] = \frac{1}{2} + \varepsilon$.
- Otherwise $H_2(r^{s})$ is a random uniform string, and thus $m_b \oplus H_2(r^{s})$ is a random uniform string, and hence $\Pr[A \text{ answers correctly}] = \frac{1}{2}$.
- Thus $B$ answers correctly with probability at least $\frac{1}{2}\left(\frac{1}{2} + \varepsilon\right) + \frac{1}{2}\cdot\frac{1}{2} = \frac{1}{2} + \frac{\varepsilon}{2}$.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.
Reminder: in the random oracle model cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that we can build our random oracle on the fly, according to the adversary's actions.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model
First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub; this scheme is defined by the following algorithms.
keygen
Given a security parameter $k$ the algorithm works as follows.
Step 1: Generate two prime order groups $G_1, G_2$ and a bilinear map $\hat e : G_1 \times G_1 \to G_2$. Let $q$ be the order of $G_1, G_2$. Choose a random generator $P \in G_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in G_1^*$.
Step 3: Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $\langle q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2\rangle$; the private key is $d_{id} = sQ_{id} \in G_1^*$.
encrypt
To encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = \langle rP,\ m \oplus H_2(g_{id}^{r})\rangle$ where $g_{id} = \hat e(Q_{id}, P_{pub}) \in G_2^*$.
decrypt
Let $C = \langle U, V\rangle$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat e(d_{id}, U)) = m$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model
Now, if there is a poly-time adversary $A$ that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible probability, then there is a poly-time adversary $B$ that wins the IND-CPA game against BasicPub with non-negligible probability.
Proof
setup
Algorithm $B$ is given the public key $K_{pub} = \langle q, G_1, G_2, \hat e, n, P, P_{pub}, Q_{id}, H_2\rangle$. $B$ gives $A$ the system parameters $\langle q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2\rangle$; $H_1$ is a random oracle controlled by $B$ in the following way. $B$ maintains a list of tuples $\langle ID_j, Q_j, b_j, coin_j\rangle$; we call it the $H_1^{list}$; the list is initially empty. When asked on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $\langle ID_i, Q_i, b_i, coin_i\rangle$ then $B$ responds with $H_1(ID_i) = Q_i$.
2. Otherwise $B$ generates a random $coin_i \in \{0,1\}$ so that $\Pr[coin_i = 0] = \delta$ for some fixed $\delta$.
3. $B$ picks a random $b_i \in \mathbb{Z}_q^*$. If $coin_i = 0$ then $Q_i = b_i P$, otherwise $Q_i = b_i Q_{id}$.
4. $B$ adds the tuple $\langle ID_i, Q_i, b_i, coin_i\rangle$ to the list and responds with $Q_i$.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model
key extraction
Let $ID_i$ be a private key extraction query issued by algorithm $A$. Algorithm $B$ does the following:
1. Obtain $Q_i$ using the previous algorithm; let $\langle ID_i, Q_i, b_i, coin_i\rangle$ be the corresponding tuple.
2. If $coin_i = 1$ then $B$ reports failure and terminates.
3. Otherwise we know that $Q_i = b_i P$. Define $d_i = b_i P_{pub}$. Observe that $d_i = sQ_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm $A$.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model
Challenge
Once algorithm $A$ decides to begin the challenge, it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm $B$ gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = \langle U, V\rangle$ such that $C$ is the encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next $B$ obtains the tuple $\langle ID_{ch}, Q, b, coin\rangle$ corresponding to $ID_{ch}$. If $coin = 0$ then $B$ reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = \langle U, V\rangle$ we have $U \in G_1$. Set $C' = \langle b^{-1}U, V\rangle$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm $B$ responds to $A$ with $C'$. Note that $\hat e(b^{-1}U, d_{ID}) = \hat e(b^{-1}U, sQ) = \hat e(b^{-1}U, sbQ_{id}) = \hat e(U, sQ_{id}) = \hat e(U, d_{id})$. Hence the BF IBE decryption of $C'$ using $d_{ID}$ is the same as the BasicPub decryption of $C$ using $d_{id}$.
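The following Python script is an added example; it is not code from the slides or from Boneh and Franklin. It builds a toy symmetric bilinear map over $\mathbb{Z}_q$ and uses it to run the BasicPub scheme of slide 40 and the simulator $B$ of slides 41-43: the programmed $H_1$ oracle with its $H_1^{list}$, the extraction answer $d_i = b_i P_{pub}$, and the challenge translation $C' = \langle b^{-1}U, V\rangle$, checking that the BF decryption of $C'$ equals the BasicPub decryption of $C$. It also checks the embedding of slides 45-47 ($P_{pub} = aP$, $Q_{ID} = bP$, challenge $\langle cP, R\rangle$), whose decryption is $R \oplus H_2(D)$. The parameters $q = 1019$ and $p = 2039$, the generator $4$, modelling $H_2$ as truncated SHA-256, the `coin_fn` hook and the identity string are all assumptions of this example; the map is bilinear but discrete logs in $G_1$ are trivial, so it can only check the equations, never provide security.

```python
# Added example (not code from the slides or Boneh-Franklin): a toy symmetric
# bilinear map over Z_q, used only to execute and check the BasicPub equations
# (slide 40) and the simulator B of slides 41-43 and 45-47.
import hashlib
import secrets

Q = 1019         # constructed toy order: q and p = 2q + 1 = 2039 are both prime
P_MOD = 2 * Q + 1
G = 4            # a square mod p, hence a generator of the order-q subgroup of Z_p^*
P = 1            # generator of G1, modelled as the additive group Z_q

def pairing(x, y):
    """e(xP, yP) = g^(xy) mod p: bilinear, but G1 discrete logs are trivial (toy only)."""
    return pow(G, (x * y) % Q, P_MOD)

def h2(z, n):
    """H2: G2 -> {0,1}^n, modelled as truncated SHA-256 of the group element."""
    return hashlib.sha256(b"H2|" + str(z).encode()).digest()[:n]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def basicpub_keygen(n=16):
    """Slide 40 keygen: s in Z_q^*, P_pub = sP, random Q_id, d_id = s Q_id."""
    s = 1 + secrets.randbelow(Q - 1)
    q_id = 1 + secrets.randbelow(Q - 1)
    pub = {"n": n, "P": P, "P_pub": (s * P) % Q, "Q_id": q_id}
    return pub, (s * q_id) % Q, s

def basicpub_encrypt(pub, m):
    """C = <rP, m xor H2(g_id^r)> with g_id = e(Q_id, P_pub)."""
    r = 1 + secrets.randbelow(Q - 1)
    g_id = pairing(pub["Q_id"], pub["P_pub"])
    return (r * pub["P"]) % Q, xor(m, h2(pow(g_id, r, P_MOD), pub["n"]))

def basicpub_decrypt(pub, d_id, c):
    """V xor H2(e(d_id, U)); BF IBE decryption with d_ID uses the same formula."""
    u, v = c
    return xor(v, h2(pairing(d_id, u), pub["n"]))

class SimulatorB:
    """Algorithm B of slides 41-43; coin_fn is an assumed hook to force coin_i."""

    def __init__(self, pub, coin_fn):
        self.pub, self.coin_fn = pub, coin_fn
        self.h1_list = {}   # H1^list: ID_i -> (Q_i, b_i, coin_i)

    def h1(self, ident):
        """Random oracle H1: replay a stored answer, else program b_i P or b_i Q_id."""
        if ident not in self.h1_list:
            b, coin = 1 + secrets.randbelow(Q - 1), self.coin_fn()
            base = self.pub["P"] if coin == 0 else self.pub["Q_id"]
            self.h1_list[ident] = ((b * base) % Q, b, coin)
        return self.h1_list[ident][0]

    def extract(self, ident):
        """Key extraction: abort (None) on coin_i = 1, else d_i = b_i P_pub = s Q_i."""
        self.h1(ident)
        _, b, coin = self.h1_list[ident]
        return None if coin == 1 else (b * self.pub["P_pub"]) % Q

    def translate_challenge(self, ident, c):
        """Challenge: abort (None) on coin = 0, else C' = <b^-1 U, V>."""
        self.h1(ident)
        _, b, coin = self.h1_list[ident]
        if coin == 0:
            return None
        u, v = c
        return (pow(b, -1, Q) * u) % Q, v

def check_reduction(coin):
    """Run slides 41-43 with a forced coin value; report which equalities hold."""
    pub, d_id, s = basicpub_keygen()
    sim = SimulatorB(pub, lambda: coin)
    ident, m = "alice@example.org", b"sixteen byte msg"   # constructed inputs
    c = basicpub_encrypt(pub, m)
    out = {"basicpub_roundtrip": basicpub_decrypt(pub, d_id, c) == m}
    q_i, d_i = sim.h1(ident), sim.extract(ident)
    c_prime = sim.translate_challenge(ident, c)
    if coin == 0:
        out["extracted_key_is_sQ_i"] = d_i == (s * q_i) % Q
        out["challenge_aborts"] = c_prime is None
    else:
        out["extraction_aborts"] = d_i is None
        d_ID = (s * q_i) % Q   # the real IBE key for ident, which B does not know
        out["ibe_decrypt_equals_basicpub"] = (
            basicpub_decrypt(pub, d_ID, c_prime) == basicpub_decrypt(pub, d_id, c) == m)
    return out

def bdh_embedding_check(a, b, c, n=16):
    """Slides 45-47: P_pub = aP, Q_ID = bP, challenge <cP, R>; True iff decrypting it
    with the real key d_ID = abP equals R xor H2(D) for D = e(P,P)^abc."""
    pub = {"n": n, "P": P, "P_pub": (a * P) % Q, "Q_id": (b * P) % Q}
    r_str = secrets.token_bytes(n)
    d_big = pow(pairing(P, P), (a * b * c) % Q, P_MOD)
    return basicpub_decrypt(pub, (a * b) % Q, ((c * P) % Q, r_str)) == xor(r_str, h2(d_big, n))
```

Calling `check_reduction(0)` exercises the branch where extraction succeeds and the challenge aborts; `check_reduction(1)` exercises the opposite branch and confirms the equality $\hat e(b^{-1}U, d_{ID}) = \hat e(U, d_{id})$ that slide 43 relies on. Because every group element here is an integer mod $q$, the same bilinearity check would go through unchanged on a real pairing-friendly curve; only the `pairing` function would need replacing.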
44
BF IBE scheme security
IND-ID-CPA security under random oracle model
After the challenge has been set, algorithm $A$ may continue issuing key extraction queries; algorithm $B$ will respond as before.
Eventually algorithm $A$ will output its answer $b'$; algorithm $B$ will output the same answer.
If algorithm $B$ does not abort, $A$'s view is identical to its view in the real attack, and thus if $A$ answers correctly, so does $B$.
$B$ does not abort with non-negligible probability, and thus $B$ wins the IND-CPA game against the BasicPub scheme with non-negligible probability.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model
As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem, and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm $A$ that wins the IND-CPA game against BasicPub with non-negligible probability. We will show an algorithm $B$ that solves the BDH problem with non-negligible probability.
Algorithm $B$ is given as input the BDH parameters $\langle q, G_1, G_2, \hat e\rangle$ and a random instance $\langle P, P_1, P_2, P_3\rangle = \langle P, aP, bP, cP\rangle$ of the BDH problem for these parameters. Let $D = \hat e(P,P)^{abc} \in G_2$ be the solution to this BDH problem.
39
BF IBE scheme security
IND-ID-CPA security under random oracle model

Now we will see how to show that the BF IBE scheme is IND-ID-CPA secure in the random oracle model.

Reminder: in the random oracle model the cryptographic hash functions are replaced by truly random functions. Our benefit in this model is that the reduction can build the random oracle on the fly, according to the adversary's actions, as long as every answer is uniformly distributed and repeated queries on the same input get the same answer.
40
BF IBE scheme security
IND-ID-CPA security under random oracle model

First we will show a reduction from the BF IBE scheme to the following public-key scheme, called BasicPub. This scheme is defined by the following algorithms.

keygen: given a security parameter $k$, the algorithm works as follows.
Step 1: Generate two prime-order groups $\mathbb{G}_1, \mathbb{G}_2$ and a bilinear map $\hat{e}: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$. Let $q$ be the order of $\mathbb{G}_1$. Choose a random generator $P \in \mathbb{G}_1$.
Step 2: Pick a random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$. Pick a random $Q_{id} \in \mathbb{G}_1^*$.
Step 3: Choose a cryptographic hash function $H_2: \mathbb{G}_2 \to \{0,1\}^n$ for some $n$.
Step 4: The public key is $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2 \rangle$; the private key is $d_{id} = sQ_{id} \in \mathbb{G}_1^*$.

encrypt: to encrypt $m \in \{0,1\}^n$ choose a random $r \in \mathbb{Z}_q^*$ and set the ciphertext to be $C = \langle rP,\; m \oplus H_2(g_{id}^{\,r}) \rangle$ where $g_{id} = \hat{e}(Q_{id}, P_{pub}) \in \mathbb{G}_2^*$.

decrypt: let $C = \langle U, V \rangle$ be a ciphertext created using the public key above. To decrypt $C$ using the private key $d_{id}$ compute $V \oplus H_2(\hat{e}(d_{id}, U)) = m$. This works because, by bilinearity, $\hat{e}(d_{id}, rP) = \hat{e}(sQ_{id}, rP) = \hat{e}(Q_{id}, sP)^r = g_{id}^{\,r}$.
41
BF IBE scheme security
IND-ID-CPA security under random oracle model

Claim: if there is a polytime adversary A that wins the IND-ID-CPA game against the BF IBE scheme with non-negligible advantage, then there is a polytime adversary B that wins the IND-CPA game against BasicPub with non-negligible advantage.

Proof.
setup: Algorithm B is given the BasicPub public key $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2 \rangle$. B gives A the system parameters $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, H_1, H_2 \rangle$, where $H_1$ is a random oracle controlled by B in the following way. B maintains a list of tuples $\langle ID_j, Q_j, b_j, c_j \rangle$, which we call the $H_1^{list}$; the list is initially empty. When A asks $H_1$ on $ID_i$:
1. If the query $ID_i$ already appears on the $H_1^{list}$ in a tuple $\langle ID_i, Q_i, b_i, c_i \rangle$, then B responds with $H_1(ID_i) = Q_i \in \mathbb{G}_1^*$.
2. Otherwise B generates a random coin $c_i \in \{0,1\}$ so that $\Pr[c_i = 0] = \delta$ for some fixed $\delta \in (0,1)$.
3. B picks a random $b_i \in \mathbb{Z}_q^*$. If $c_i = 0$ then $Q_i = b_i P \in \mathbb{G}_1^*$, otherwise $Q_i = b_i Q_{id} \in \mathbb{G}_1^*$.
4. B adds the tuple $\langle ID_i, Q_i, b_i, c_i \rangle$ to the $H_1^{list}$ and responds to A with $H_1(ID_i) = Q_i$.
Either way $Q_i$ is uniform in $\mathbb{G}_1^*$, so A cannot tell the simulated $H_1$ from a real random oracle.
42
BF IBE scheme security
IND-ID-CPA security under random oracle model

key extraction: let $ID_i$ be a private key extraction query issued by algorithm A. Algorithm B does the following:
1. Obtain $Q_i = H_1(ID_i)$ using the previous algorithm; let $\langle ID_i, Q_i, b_i, c_i \rangle$ be the corresponding tuple.
2. If $c_i = 1$ then B reports failure and terminates.
3. Otherwise we know that $c_i = 0$ and hence $Q_i = b_i P$. Define $d_i = b_i P_{pub} \in \mathbb{G}_1^*$. Observe that $d_i = b_i sP = sQ_i$, and therefore $d_i$ is the private key associated to the public key $ID_i$. Give $d_i$ to algorithm A.
43
BF IBE scheme security
IND-ID-CPA security under random oracle model

Challenge: once algorithm A decides to begin the challenge, it outputs a public key $ID_{ch}$ and two messages $m_0, m_1$.
1. Algorithm B gives its challenger the messages $m_0, m_1$. The challenger responds with a ciphertext $C = \langle U, V \rangle$ such that $C$ is the BasicPub encryption of $m_c$ for a random $c \in \{0,1\}$.
2. Next B obtains the tuple $\langle ID_{ch}, Q, b, coin \rangle$ corresponding to $ID_{ch}$ (running the $H_1$ simulation if $ID_{ch}$ was never queried). If $coin = 0$ then B reports failure and terminates.
3. We know $coin = 1$ and therefore $Q = bQ_{id}$. Recall that when $C = \langle U, V \rangle$ we have $V = m_c \oplus H_2(\hat{e}(d_{id}, U))$. Set $C' = \langle b^{-1}U, V \rangle$ where $b^{-1}$ is the inverse of $b$ mod $q$. Algorithm B responds to A with $C'$. Note that
$$\hat{e}(b^{-1}U, d_{ID_{ch}}) = \hat{e}(b^{-1}U, sQ) = \hat{e}(b^{-1}U, sbQ_{id}) = \hat{e}(U, sQ_{id}) = \hat{e}(U, d_{id}).$$
Hence the BF IBE decryption of $C'$ using $d_{ID_{ch}}$ is the same as the BasicPub decryption of $C$ using $d_{id}$: $C'$ is a correctly distributed BF encryption of $m_c$ under $ID_{ch}$, since $b^{-1}U = (rb^{-1})P$ with $rb^{-1}$ uniform in $\mathbb{Z}_q^*$.
44
BF IBE scheme security
IND-ID-CPA security under random oracle model

After the challenge has been set, algorithm A may continue issuing key extraction queries; algorithm B responds as before.
Eventually algorithm A outputs its answer $c'$; algorithm B outputs the same answer.
If algorithm B does not abort, A's view is identical to its view in the real attack, and thus if A answers correctly, so does B.
B does not abort with non-negligible probability: if A issues at most $q_E$ extraction queries and the coin is $0$ with probability $\delta$, B survives all extraction queries with probability at least $\delta^{q_E}$ and survives the challenge with probability $1-\delta$. Choosing $\delta = 1 - 1/(q_E+1)$ gives $\delta^{q_E}(1-\delta) \ge 1/(e(q_E+1))$, which is non-negligible since $q_E$ is polynomial. Thus B wins the IND-CPA game against BasicPub with non-negligible advantage.
45
BF IBE scheme security
IND-ID-CPA security under random oracle model

As a final step we will show a reduction from the BasicPub IND-CPA game to the BDH problem; from this we will have that if BDH is hard then BF IBE is IND-ID-CPA secure.
To show this, let's assume by contradiction that there is a poly-time algorithm A that wins the IND-CPA game against BasicPub with non-negligible advantage. We will show an algorithm B that solves the BDH problem with non-negligible probability.
Algorithm B is given as input the BDH parameters $\langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e} \rangle$ and a random instance $\langle P, P_1, P_2, P_3 \rangle = \langle P, aP, bP, cP \rangle$ of the BDH problem for these parameters. Let $D = \hat{e}(P, P)^{abc} \in \mathbb{G}_2$ be the solution to this BDH problem.
46
BF IBE scheme security
IND-ID-CPA security under random oracle model

setup: Algorithm B creates the BasicPub public key $K_{pub} = \langle q, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, n, P, P_{pub}, Q_{id}, H_2 \rangle$ by setting $P_{pub} = P_1$ and $Q_{id} = P_2$. Here $H_2$ is a random oracle controlled by B as described below. Algorithm B gives A $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{id} = sQ_{id} = aP_2 = abP$ (the implicit master secret is $s = a$, which B does not know).
At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them B maintains a list of tuples $\langle X_j, H_j \rangle$, which we call the $H_2^{list}$; the list is initially empty. When asked on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $\langle X_i, H_i \rangle$, then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $\langle X_i, H_i \rangle$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model

challenge: Algorithm A outputs two messages $m_0, m_1$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $C$ to be the ciphertext $C = \langle P_3, R \rangle$. Algorithm B gives $C$ as the challenge to A. Observe that by definition the decryption of $C$ is
$$R \oplus H_2(\hat{e}(P_3, d_{id})) = R \oplus H_2(\hat{e}(cP, abP)) = R \oplus H_2(D).$$
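The algebra that slides 40 through 43 and slide 47 rely on can be checked mechanically. The following Python example is added here; it is not part of the original slides or of the Boneh-Franklin paper. It replaces the pairing groups with a toy bilinear map ($\mathbb{G}_1 = \mathbb{Z}_q$ written additively, $\hat{e}(xP, yP) = xy$), whose discrete log is trivial, so the code has no security value and only serves to exercise the reduction. $H_2$ is modelled by truncated SHA-256, and the group order $q = 2^{61}-1$, the identity strings and all function names are the example's own choices. It then verifies that B's simulated extraction keys equal $sQ_i$, that B aborts exactly when the proof says, that the re-randomized challenge $\langle b^{-1}U, V \rangle$ decrypts under $d_{ID_{ch}}$ to the same message as $C$ under $d_{id}$, and that $\langle P_3, R \rangle$ decrypts to $R \oplus H_2(D)$.

```python
import hashlib
import secrets

q = 2**61 - 1   # prime group order (the Mersenne prime M61): a toy choice, not a real pairing group
N = 32          # message length n in bytes

# Toy bilinear map (assumption of this example). G1 is Z_q written additively
# with generator P = 1, so the point xP is stored as x mod q. G2 stores the
# exponent of a fixed generator g, so e(xP, yP) = g^{xy} is stored as x*y mod q.
# The map is bilinear and non-degenerate, but its discrete log is trivial, so
# it offers no security: it exists only to check the algebra of the reduction.
P = 1
_rng = secrets.SystemRandom()

def smul(k, X):                # k*X in G1
    return (k * X) % q

def pairing(X, Y):             # e(X, Y) in G2, stored as an exponent of g
    return (X * Y) % q

def g2_pow(Z, r):              # Z^r in G2
    return (Z * r) % q

def rand_scalar():             # uniform element of Z_q^*
    return _rng.randrange(1, q)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H2(Z):                     # random oracle G2 -> {0,1}^n, modelled by SHA-256
    return hashlib.sha256(b"H2|" + Z.to_bytes(8, "big")).digest()[:N]

# BasicPub (slide 40). BF IBE decryption is the same computation with
# d_ID = s*H1(ID) in place of d_id.
def basicpub_keygen():
    s = rand_scalar()
    pk = {"P": P, "P_pub": smul(s, P), "Q_id": smul(rand_scalar(), P)}
    d_id = smul(s, pk["Q_id"])
    return pk, d_id, s         # s is returned only so the checks can verify B's answers

def basicpub_encrypt(pk, m):
    r = rand_scalar()
    g_id = pairing(pk["Q_id"], pk["P_pub"])
    return (smul(r, pk["P"]), xor(m, H2(g2_pow(g_id, r))))

def basicpub_decrypt(d, C):
    U, V = C
    return xor(V, H2(pairing(d, U)))

class SimulatorB:
    """Algorithm B of slides 41-43: answers H1, extraction and challenge
    queries without knowing s, and aborts exactly where the proof says."""

    def __init__(self, pk, delta):
        self.pk, self.delta, self.h1_list = pk, delta, {}

    def H1(self, ID):
        if ID not in self.h1_list:           # fresh query: flip the coin, pick b
            coin = 0 if _rng.random() < self.delta else 1
            b = rand_scalar()
            Q = smul(b, self.pk["P"]) if coin == 0 else smul(b, self.pk["Q_id"])
            self.h1_list[ID] = (Q, b, coin)
        return self.h1_list[ID]

    def extract(self, ID):                   # d_ID, or None when B must abort
        Q, b, coin = self.H1(ID)
        if coin == 1:
            return None
        return smul(b, self.pk["P_pub"])     # b*P_pub = s*b*P = s*Q

    def transform_challenge(self, ID_ch, C):  # C' = <b^{-1}U, V>, or None when B must abort
        Q, b, coin = self.H1(ID_ch)
        if coin == 0:
            return None
        U, V = C
        return (smul(pow(b, -1, q), U), V)

def check_reduction(n_ids=64):
    """Check the identities the proof relies on; returns True when all hold."""
    pk, d_id, s = basicpub_keygen()
    B = SimulatorB(pk, delta=0.5)
    for i in range(n_ids):
        ID = "user%d@example.org" % i        # constructed identity string
        Q, b, coin = B.H1(ID)
        d_ID = smul(s, Q)                    # the real BF private key for ID (B cannot compute this)
        if coin == 0:
            # slide 42: the simulated key is the real one; slide 43: B must abort on this challenge
            if B.extract(ID) != d_ID or B.transform_challenge(ID, (P, bytes(N))) is not None:
                return False
        else:
            # slide 42: B aborts on extraction; slide 43: C' decrypts under d_ID as C does under d_id
            m = secrets.token_bytes(N)
            C = basicpub_encrypt(pk, m)
            C_prime = B.transform_challenge(ID, C)
            if B.extract(ID) is not None or C_prime is None:
                return False
            if basicpub_decrypt(d_ID, C_prime) != m or basicpub_decrypt(d_id, C) != m:
                return False
    # slide 47: with P_pub = aP, Q_id = bP the decryption of <cP, R> is R xor H2(D), D = e(P,P)^{abc}
    a, b, c = rand_scalar(), rand_scalar(), rand_scalar()
    R = secrets.token_bytes(N)
    d_unknown = smul(a * b, P)               # abP, the private key B never learns
    D = g2_pow(pairing(P, P), a * b * c)
    return basicpub_decrypt(d_unknown, (smul(c, P), R)) == xor(R, H2(D))

if __name__ == "__main__":
    print("reduction identities hold:", check_reduction())
```

The checks pass because every identity in the proof is a consequence of bilinearity alone, which the toy map has; what the toy map lacks is hardness of BDH, which is exactly the assumption the last reduction step needs and which a real implementation must take from a pairing-friendly curve.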
48
BF IBE scheme security
IND-ID-CPA security under random oracle model

guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $\langle X_j, H_j \rangle$ from the $H_2^{list}$ and outputs $X_j$ as the solution to the BDH instance.

Proof of correctness: B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible advantage (provided it is given a correct encryption in the challenge stage). Therefore the probability that A asks $H_2$ on $D$ is non-negligible, since otherwise $H_2(D)$ is a uniformly random string A has never seen, the decryption of $C$ is independent of A's view, and A can't answer correctly with probability greater than one half. So $D$ is in our list with non-negligible probability, and since the length of the list is polynomial, picking an entry at random gives the correct answer with non-negligible probability.
49
References
• Identity-Based Encryption from the Weil Pairing. D. Boneh and M. Franklin. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
• Chosen-Ciphertext Security from Identity-Based Encryption. D. Boneh, R. Canetti, S. Halevi and J. Katz. SIAM J. Comput. 36(5): 1301-1328 (2007).
40
BF IBE scheme security
First we will show a reduction from BF IBE scheme to the following public-key scheme
called BasicPub this scheme is defined by the following algorithms
IND-ID-CPA security under random oracle model
1 2 1 1 2
1 2
Given a security parameter the algorithm works as follows
ˆ Step 1 Generate two prime order groups and a bilinear map
Let be the order of C
k
e
q
keygen
G G G G G
G G 1
1
2 2
hoose a random generator
Step 2 Pick a random and set Pick a random
Step 3 Choose a cryptographic hash function 01 for some
Step 4 The public key
s
q pub id
n
P
k P P Q
H n
1
G
G
G
1 2 2
2 2
ˆis ( ) the private key is
To encrypt 01 choose a random and set the cipthertext to be
ˆ ( ( )) where ( )
s
pub id id id
n
q
r r
id pub
q e n P P Q H d Q
m r
C P m H g g e Q P
encrypt
decr
G G
G
2
Let ( ) be a ciphertext created using the public key above To decrypt C
ˆ using a private key compute ( ( ))id id
C U V
d V H e d U m
ypt
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
41
BF IBE scheme securityIND-ID-CPA security under random oracle model
Now if there is a polytime adversary A that wins IND-ID-CPA game against BF IBE
scheme with non-negligible then there is a polytime adversary B that wins IND-CPA game
against BasicPub with non-negligible probability
Proof
1 2 2
1 2 1 2 1
ˆAlgorithm is given public key ( )
ˆ gives system parameters ( ) is a random oracle controlled by in the following way
maintain
pub pub id
pub
B K q e n P P Q H
B A q e n P P H H H B
B
setup
G G
G G
1
1
s a list of tuples ( ) we call it the list is initially empty When asked on
1 If the query already appears on the in a tuple ( ) then responds with
list
j j j j i
list
i i i i i
ID Q b c H ID
ID H ID Q b c B 1
( )
2 Otherwise generates a random 01 so that Pr[ 0]
3 picks a random If 0 otherwise
4 adds the tuple ( ) to the list and resp
i i
b b
q i i id
i i i i
H ID Q
B coin coin
B b coin Q P Q Q
B ID Q b c
onds with iQ
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
42
BF IBE scheme securityIND-ID-CPA security under random oracle model
-
Let be a private key extraction query issued by algorithm Algorithm do the following
1 Obtain using the previous algorithm let ( ) be corresponding tuple
2 If
i
i i i i i
ID A B
Q ID Q b c
co
key extraction
1 then B reports failure and terminates
3 Otherwise we know that Define Observe that and
therefore is the private key associated to the public key Give
i i i
i
b b b s s
i i pub i i
i i
in
Q P d P d P Q
d ID
to algorithm id A
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
43
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
0 1
Once algorithm decides to begin the challenge it outputs a public key and two messages
1 Algorithm gives its challenger the messages The challenger responds with ciphe
chA ID m m
B m m
Challenge
rtext ( )
such that is the encryption of for a random 01
2 Next obtains tuple corresponding to ( ) If 0 then reports failure and terminates
3 We know
c
ch ch
C U V
C m c
B ID ID Q b coin coin B
coi
1
1 1
1
1
1 and therefore Recall that when ( ) we have
Set ( ) where is the inverse of mod Algorithm B responds to A with C Note
ˆ ˆ ( ) ( )
s
ID
b
b b
ch
n Q Q C U V U
C U V b b q
e U d e U sQ
G
1
ˆ ˆ ˆ( ) ( ) ( )
Hence the BF IBE decryption of C using is the same as the BasicPub decryption of C using
sb s
ID ID
ch ID
e U Q e U Q e U d
d d
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme securityIND-ID-CPA security under random oracle model
1 2 2 1
2 2
ˆAlgorithm creates the BasicPub public key ( ) by setting
and Here is a random oracle controlled by as described below Algorithm gives
pub pub ID pub
ID pub
B K q e n P P Q H P P
Q P H B B A K
setup
G G
2
2
The (unknown) private key associated to is
At any time algorithm may issue queries to the random oracle to respond to them
maintains a list of tuples ( ) we call it
s ab
pub ID ID
li
j j
K d Q P
A H
B X H H
2 2
the list is initially empty When asked on
1 If the query X already appears on the in a tuple ( ) then responds with ( )
2 Otherwise generates just picks a random s
st
i
list
i i i i i
X
H X H B H X H
B
2tring 01 and adds the tuple ( ) to the
It responds to with
n list
i i i
i
H X H H
A H
47
BF IBE scheme securityIND-ID-CPA security under random oracle model
0 1
3
Algorithm outputs two messages Algorithms picks a random string 01 and defines
to be the ciphertext ( ) Algorithm B gives as the challenge to A Observe that by def
nA m m B R c
c P R c
challenge
2 3 2
inition
ˆthe decryption of is ( ( )) ( )IDC R H e P d R H D
48
BF IBE scheme securityIND-ID-CPA security under random oracle model
2Algorithm outputs its guess 01 At this point picks a random tuple ( ) from the
and outputs as the solution
list
j j
j
A c B X H H
X
guess
Proof of correctness
B simulates a real attack environment for A and thus we expect A to be correct with non-
negligible probability (if given correct encryption in last stage) And thus probability of A
asking for H2(D) is not negligible (since otherwise the decryption of C is independent of Arsquos
view and thus A canrsquot answer correctly with probability greater than half) So we have D in
our list with probability and since itrsquos length is polynomial picking entry at random will
provide correct answer with non-negligible probability
49
References
bull Identity based encryption from the Weil pairing
D Boneh and M Franklin
SIAM J of Computing Vol 32 No 3 pp 586-615 2003
bull Chosen-Ciphertext Security from Identity-Based Encryption
D Boneh R Canetti S Halevi and J Katz
SIAM J Comput 36(5) 1301-1328 (2007)
44
BF IBE scheme securityIND-ID-CPA security under random oracle model
After the challenge being set algorithm A may continue issuing key extraction queries
algorithm B will respond as before
Eventually algorithm A will output its answer ndash brsquo algorithm B will output the same
answer
If algorithm B does not abort Arsquos view is identical to its view in the real attack and
thus if A answers correctly ndash so does B
B does not abort with non-negligible probability And thus B wins IND-CPA game
against BasicPub scheme with non-negligible probability
45
BF IBE scheme securityIND-ID-CPA security under random oracle model
As a final step we will show a reduction from BasicPub IND-CPA game to BDH
problem and from this we will have that if BDH is hard then BF IBE is IND-ID-CPA
secure
To show this letrsquos assume by contradiction that there is a poly-time algorithm A that
wins IND-CPA game against BasicPub with non-negligible probability We will show an
algorithm B that solves BDH problem with non-negligible probability
1 2
1 2 3
2
ˆAlgorithm B is given as input the BDH parameters ( ) and a random instance
( ) ( )of the BDH problem for these parameters
ˆLet ( ) be the solution to this BDH pr
a b c
abc
q e
P P P P P P P P
D e P P
G G
G oblem
46
BF IBE scheme security
IND-ID-CPA security under random oracle model
Setup: Algorithm B creates the BasicPub public key $K_{pub} = \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, Q_{ID}, H_2 \rangle$ by setting $P_{pub} = P_1$ and $Q_{ID} = P_2$. Here $H_2$ is a random oracle controlled by B, as described below. Algorithm B gives A the BasicPub public key $K_{pub}$.
The (unknown) private key associated to $K_{pub}$ is $d_{ID} = sQ_{ID} = abP$ (the master key is $s = a$, since $P_{pub} = P_1 = aP$).
$H_2$-queries: At any time algorithm A may issue queries to the random oracle $H_2$. To respond to them, B maintains a list of tuples $\langle X_j, H_j \rangle$; we call it the $H_2^{list}$. The list is initially empty. When A queries $H_2$ on $X_i$:
1. If the query $X_i$ already appears on the $H_2^{list}$ in a tuple $\langle X_i, H_i \rangle$, then B responds with $H_2(X_i) = H_i$.
2. Otherwise B just picks a random string $H_i \in \{0,1\}^n$ and adds the tuple $\langle X_i, H_i \rangle$ to the $H_2^{list}$. It responds to A with $H_2(X_i) = H_i$.
47
BF IBE scheme security
IND-ID-CPA security under random oracle model
Challenge: Algorithm A outputs two messages $m_0, m_1 \in \{0,1\}^n$. Algorithm B picks a random string $R \in \{0,1\}^n$ and defines $c$ to be the ciphertext $c = \langle P_3, R \rangle$. Algorithm B gives $c$ as the challenge to A. Observe that by definition the decryption of $c$ is $R \oplus H_2(\hat{e}(P_3, d_{ID})) = R \oplus H_2(D)$.
48
BF IBE scheme security
IND-ID-CPA security under random oracle model
Guess: Algorithm A outputs its guess $c' \in \{0,1\}$. At this point B picks a random tuple $\langle X_j, H_j \rangle$ from the $H_2^{list}$ and outputs $X_j$ as the solution.
Proof of correctness
B simulates a real attack environment for A, and thus we expect A to be correct with non-negligible probability (if given a correct encryption in the last stage). Thus the probability of A asking for $H_2(D)$ is not negligible (since otherwise the decryption of $c$ is independent of A's view, and thus A can't answer correctly with probability greater than half). So we have $D$ in our list with non-negligible probability, and since the list's length is polynomial, picking an entry at random will provide the correct answer with non-negligible probability.
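The H2-oracle simulation, the challenge and the guess step of algorithm B above, as an added example that is not part of the slides or of the Boneh-Franklin paper. The bilinear map, the group parameters (Q = 101, P_MOD = 607, G), the message length N = 16 and the adversaries are all constructed toy assumptions: the map is bilinear, which is all the reduction uses, but it gives no security, and that weakness is exactly what lets a "perfect" adversary be written that always queries H2 at D, so that B's random pick from the H2-list and its roughly 1/q_H loss can be observed.

```python
"""Toy walk-through of the BasicPub -> BDH reduction (algorithm B of the slides).

Added example. The pairing is a constructed toy: G1 = (Z_q, +) with generator P = 1,
G2 = the order-q subgroup of Z_p^* generated by g, and e(xP, yP) = g^(x*y) mod p.
It is bilinear, which is all the reduction uses, but gives no security (discrete
logs in Z_q are trivial), so a "perfect" adversary can be written to exercise B.
"""
import secrets

Q = 101                                 # toy group order (prime)
P_MOD = 607                             # toy prime with Q | P_MOD - 1 (606 = 2 * 3 * 101)
G = pow(2, (P_MOD - 1) // Q, P_MOD)     # generator of the order-Q subgroup of Z_607^*
N = 16                                  # n: bit length of messages and of H2 outputs


def e(x, y):
    """Toy pairing: e(xP, yP) = g^(x*y).  Bilinear by construction."""
    return pow(G, (x * y) % Q, P_MOD)


class H2Oracle:
    """Lazily sampled random oracle H2: G2 -> {0,1}^n, i.e. the H2-list kept by B."""

    def __init__(self):
        self.h2_list = []               # tuples (X_j, H_j); initially empty

    def query(self, x):
        for xj, hj in self.h2_list:     # step 1: repeated query, answer as before
            if xj == x:
                return hj
        h = secrets.randbits(N)         # step 2: fresh random string H_i in {0,1}^n
        self.h2_list.append((x, h))
        return h


def basicpub_keygen():
    """BasicPub setup: public key (P_pub = sP, Q_ID), private key d_ID = s*Q_ID."""
    s = secrets.randbelow(Q - 1) + 1
    q_id = secrets.randbelow(Q - 1) + 1
    return (s, q_id), (s * q_id) % Q


def basicpub_encrypt(pk, h2, m):
    """c = <rP, m xor H2(g_ID^r)> with g_ID = e(Q_ID, P_pub)."""
    p_pub, q_id = pk
    r = secrets.randbelow(Q - 1) + 1
    return (r, m ^ h2.query(pow(e(q_id, p_pub), r, P_MOD)))


def basicpub_decrypt(d_id, h2, c):
    """m = V xor H2(e(U, d_ID))."""
    u, v = c
    return v ^ h2.query(e(u, d_id))


def perfect_adversary(extra_queries=0):
    """Toy adversary A: recovers a = P_pub (trivial only in this toy group), so its
    decryption of the challenge necessarily queries H2 at D.  extra_queries models
    the other q_H oracle calls a real adversary would make."""
    def run(k_pub, h2, challenge):
        p_pub, q_id = k_pub
        for _ in range(extra_queries):
            h2.query(pow(G, secrets.randbelow(Q), P_MOD))
        d_id = (p_pub * q_id) % Q       # a * Q_ID = abP
        u, v = challenge
        return v ^ h2.query(e(u, d_id))
    return run


def run_reduction(adversary):
    """Algorithm B: embed a random BDH instance <P, aP, bP, cP> into a BasicPub key,
    run A against the challenge <cP, R>, and output a random entry of the H2-list."""
    a, b, c = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    h2 = H2Oracle()
    k_pub = (a, b)                      # P_pub = P1 = aP, Q_ID = P2 = bP (P = 1)
    r = secrets.randbits(N)
    challenge = (c, r)                  # c = <P3, R>; decrypts to R xor H2(D)
    adversary(k_pub, h2, challenge)     # A's guess bit is irrelevant to B
    guess = secrets.choice(h2.h2_list)[0] if h2.h2_list else None
    # Values below are for checking only; the real B never knows a, b, c or D.
    d_true = pow(e(1, 1), (a * b * c) % Q, P_MOD)
    return {"guess": guess, "d": d_true, "d_id": (a * b) % Q,
            "challenge": challenge, "r": r, "h2": h2}


def estimate_success(trials=2000, extra_queries=3):
    """Fraction of runs in which B's random pick from the H2-list equals D.
    With q_H = extra_queries + 1 distinct queries this is about 1 / q_H."""
    adv = perfect_adversary(extra_queries)
    wins = 0
    for _ in range(trials):
        res = run_reduction(adv)
        wins += res["guess"] == res["d"]
    return wins / trials


if __name__ == "__main__":
    print("B success rate with 3 dummy H2 queries:", estimate_success())
```

With no dummy queries the H2-list holds only D and B always wins; with three dummy queries the rate settles near 1/4, which is the polynomial loss the proof of correctness refers to when it says picking an entry at random still succeeds with non-negligible probability.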