Usually trusted key-servers are used.
Identity based encryption (IBE)
IBE Authority (Auth) publishes public parameters (PP), has master secret key (MSK).
Security
Semantic security under CPA
Challenger C, attacker A. C sends PP to A. A sends C
Security under the random oracle model
If Hash fn H is used. Adversary assumed not to have access to H code, but only oracle access to H used in the protocol. H returns a random group element when queried.
Used in SSL, PGP security proofs.
Selective security under CPA
Adversary must choose target before seeing PP.
Can be selectively secure without full security: take any fully secure scheme X with algs Setup, KeyGen, Encrypt, Decrypt. Make selectively secure but not fully secure scheme Y by saying keygen’(id) = keygen(id) if id = tid, and keygen(oid).
Main challenges in proofs
Make keys for
Applications
If recipient is not online, can’t get public key directly from him. IBE: No need to look up public key. Also, auth can grant SK at a future date, enabling messages which can be opened at a future date,
Disadvantages
Auth can decrypt anything. If CA is compromised, it will be noticed. But if auth is compromised, this may not happen.
Boneh Franklin (BF) system
Setup(l):
Security against CPA under Random Oracle model
DBDH challenger A, DBDH attacker/ IBE challenger B, IBE attacker C. C makes q oracle queries. Before attack starts, B guesses C’s target id tid, fixes H so that
Boneh Boyen
Setup: Pick
Randomized keygen: new key each time: Pick
Enc(PP, M, ID): pick
Dec: \
Selective security under CPA
DBDH challenger A, DBDH attacker/ IBE challenger B, IBE attacker C. A:
Keygen: pick
B sends cyphertext:
Waters cryptosystem
Instead of guessing tid as in BF, guess 1/q of the space of id’s as possible targets. Setup:
Fully secure. Selective id proof led us in the right direction.
Non pairing based IBE cryptosystems
Based on learning parity with noise hardness assumption by Vaikuntanathan et al.