Public key to ID matching

Usually trusted key-servers are used.

Identity based encryption (IBE)

IBE Authority (Auth) publishes public parameters (PP), has master secret key (MSK). Setup(l)(PP,MSK). c = E(PP, ID, m). SKid=K(MSK,ID). m=D(SK,c,PP).

Security

Semantic security under CPA

Challenger C, attacker A. C sends PP to A. A sends C {IDi}. C returns {SKi}. A chooses target \(ID^{}\), sends it to C. A sends C m0,m1. C randomly picks g and sends \(c = E(PP, ID^{}, m_g)\). A sends C {IDi}. C returns {SKi}. If A returns correct g wnnp advantage over random guessing, attack is successful.

Security under the random oracle model

If Hash fn H is used. Adversary assumed not to have access to H code, but only oracle access to H used in the protocol. H returns a random group element when queried.

Used in SSL, PGP security proofs.

Selective security under CPA

Adversary must choose target before seeing PP.

Can be selectively secure without full security: take any fully secure scheme X with algs Setup, KeyGen, Encrypt, Decrypt. Make selectively secure but not fully secure scheme Y by saying keygen’(id) = keygen(id) if id = tid, and keygen(oid).

Main challenges in proofs

Make keys for idtid; use attacker’s response to break assumptions. Usually met in Setup, hash fn oracle.

Applications

If recipient is not online, can’t get public key directly from him. IBE: No need to look up public key. Also, auth can grant SK at a future date, enabling messages which can be opened at a future date,

Disadvantages

Auth can decrypt anything. If CA is compromised, it will be noticed. But if auth is compromised, this may not happen.

Boneh Franklin (BF) system

Setup(l): MSK=yZp; PP: g,gy,H:{0,1}nG. Collision resistant hash fn H can handle long ID’s. Bilinear map e:Zp×ZpG with order p. Encrypt: Pick mG, find e(H(ID),gy)s; c1=gs, bf e(H(ID),g)ys. Keygen: SKid=H(id)y. Decrypt: e(SKID,c1) to get bf.

Security against CPA under Random Oracle model

DBDH challenger A, DBDH attacker/ IBE challenger B, IBE attacker C. C makes q oracle queries. Before attack starts, B guesses C’s target id tid, fixes H so that H(tid)=gb, random element in G otherwise. B aborts if C queries H(tid). Account for this probability in proof.

Boneh Boyen

Setup: Pick g,hG;a,bZp. Bilinear map e. PP:g,h,u=ga,e(g,g)ab. f(id)=uidh. MSK:gab.

Randomized keygen: new key each time: Pick rZp; k1=gab.f(id)r; k2=gr: like encrypting MSK. If r were not random, could query 2 SK’s, divide, find ur and then find anyone’s SK.

Enc(PP, M, ID): pick sZp, c1=gs, c2=f(ID)s, c0=m.(e(g,g)ab)s.

Dec: \ e(k1,c1)=e(gab.f(id)r,gs)=e(gab,gs)e(f(id)r,gs)=e(g,g)abse(k2,c2): bf for bf!.

Selective security under CPA

DBDH challenger A, DBDH attacker/ IBE challenger B, IBE attacker C. A: g,ga,gb,gs,T. C: Attacking tid. B. Setup: g,u=ga,e(g,g)ab,h=ga(tid)gy. So B’s view of f: f(tid)=gy,f(id)=ga(idtid)gy; but in C’s view f is as random as it would be if u and h were picked randomly from G: C is guaranteed to succeed wnnp only in such a case.

Keygen: pick r=bidtid, so k2=gbidtid,k1=gyidtid. For tid, k1=k2=1. But C is not guaranteed to work in such a distribution: so rerandomize the key: pick rand tZp; set r := r+t; get k1:=f(id)tk1,k2:=gtkid. \chk

B sends cyphertext: c0=mgT,c1=gc,c2=gcy=f(tid)c.

Waters cryptosystem

Instead of guessing tid as in BF, guess 1/q of the space of id’s as possible targets. Setup: g,e(g,g)ab,h,u1,..,un; f(id)=huiidi where idi = ith bit of id.

Fully secure. Selective id proof led us in the right direction.

Non pairing based IBE cryptosystems

Based on learning parity with noise hardness assumption by Vaikuntanathan et al.