Boneh/Franklin scheme

The Boneh/Franklin scheme is an Identity based encryption system proposed by Dan Boneh and Matthew K. Franklin in 2001 [Dan Boneh, Matthew K. Franklin, Identity-Based Encryption from the Weil Pairing "Advances in Cryptology - Proceedings of CRYPTO 2001" (2001)] . This article refers to the protocol version called BasicIdent. It is an application of pairings (Weil pairing) over elliptic curves and finite fields.

Groups and parameters

As the scheme bases upon pairings, all computations are performed in two groups $extstyle G_1$ and $extstyle G_2$ :

For $extstyle G_1$ , let $extstyle p$ be prime, $extstyle p equiv 2 mod 3$ and consider the elliptic curve $extstyle E: y^2 = x^3 + 1$ over $extstyle mathbb{Z}_p$ . Note that this curve is not singular as $extstyle 4a^3+27b^2 = 27 = 3^3$ only equals $extstyle 0$ for the case $extstyle p = 3$ which is excluded by the additional constraint.

Let $extstyle q > 3$ be a prime factor of $extstyle p + 1$ (which is the order of $extstyle E$ ) and find a point $extstyle P in E$ of order $extstyle q$ . $extstyle G_1$ is the set of points generated by $extstyle P$ : $extstyle left{nP | n in left{0,ldots,q-1
ight}
ight}$

$extstyle G_2$ is the subgroup of order $extstyle q$ of $extstyle GFleft(p^2
ight)^*$ . We do not need to construct this group explicitly (this is done by the pairing) and thus don't have to find a generator.

Protocol description

etup

The PKG chooses
# the public groups $extstyle G_1$ (with generator $extstyle P$ ) and $extstyle G_2$ as stated above, with the size of $extstyle q$ depending on security parameter $extstyle k$ ,
# the corresponding pairing $extstyle e$ ,
# a random private master-key $extstyle K_m = s in mathbb{Z}_q^*$ ,
# a public key $extstyle K_{pub} = sP$ ,
# a public hash function $extstyle H_1: left{0,1
ight}^*
ightarrow G_1^*$ ,
# a public hash function $extstyle H_2: G_2
ightarrow left{0,1
ight}^n$ for some fixed $extstyle n$ and
# the message space and the cipher space $extstyle mathcal{M} = left{0,1
ight}^n, mathcal{C} = G_1^* imes left{0,1
ight}^n$

Extract

To create the public key for $extstyle ID in left{0,1
ight}^*$ , the PKG computes
# $extstyle Q_{ID} = H_1left(ID
ight)$ and
# the private key $extstyle d_{ID} = sQ_{ID}$ which is given to the user.

Encrypt

Given $extstyle m in mathcal{M}$ , the ciphertext $extstyle c$ is obtained as follows:
# $extstyle Q_{ID} = H_1left(ID
ight) in G_1^*$ ,
# choose random $extstyle r in mathbb{Z}_q^*$ ,
# compute $extstyle g_{ID} = eleft(Q_{ID}, K_{pub}
ight) in G_2$ and
# set $extstyle c = left(rP, m oplus H_2left(g_{ID}^r
ight)
ight)$ .

Note that $extstyle K_{pub}$ is the PKG's public key and thus independent of the recipient's ID.

Decrypt

Given $extstyle c = left(u, v
ight) in mathcal{C}$ , the plaintext can be retrieved using the private key:

$extstyle m = v oplus H_2left(eleft(d_{ID}, u
ight)
ight)$

Correctness

The primary step in both en- and decryption is to employ the pairing and $extstyle H_2$ to generate a mask (like a symmetric key) that is xor'ed with the plaintext. So in order to verify correctness of the protocol, one has to verify that a honest sender and recipient end up with the same values here.

The encrypting entity uses $extstyle H_2left(g_{ID}^r
ight)$ , while for decryption, $extstyle H_2left( eleft(d_{ID}, u
ight)
ight)$ is applied. Due to the properties of pairings, it follows that:

$egin{align} H_2left( eleft(d_{ID}, u
ight)
ight) &= H_2left( eleft(sQ_{ID}, rP
ight)
ight) \&= H_2left( eleft(Q_{ID}, P
ight)^{rs}
ight) \&= H_2left( eleft(Q_{ID}, sP
ight)^r
ight) \&= H_2left( eleft(Q_{ID}, K_{pub}
ight)^r
ight) \&= H_2left( g_{ID}^r
ight) \end{align}$

ecurity

The security of the scheme depends on the hardness of the Bilinear Diffie-Hellman Problem (BDH) for the groups used. It has been proved that in a random-oracle model, the protocol is semantically secure under the BDH assumption.

Improvements

BasicIdent is not chosen ciphertext secure. However, there is a universal transformation method due to Fujisaki and Okamoto that allows for conversion to a scheme having this property called FullIdent.

External links

* [http://www.crypto.rub.de/its_seminar_ws0708.html Seminar 'Cryptography and Security in Banking'/'Alternative Cryptology', Ruhr University Bochum]
* [http://crypto.stanford.edu/pbc/ P(airing) B(ased) C(ryptography) library, designed by Ben Lynn et. al.]

References

Wikimedia Foundation. 2010.

Игры ⚽ Поможем решить контрольную работу

Look at other dictionaries:

ID-based cryptography — Identity based cryptography is a type of public key cryptography in which a publicly known string representing an individual or organization is used as a public key. The public string could include an email address, domain name, or a physical IP… … Wikipedia
Distributed key generation — For some protocols no party should be in the sole possession of the secret key. Rather, during distributed key generation every party obtains a share of the key. A threshold of the participating parties need to cooperate in order to achieve a… … Wikipedia

Academic Dictionaries and Encyclopedias

Boneh/Franklin scheme

Look at other dictionaries:

Share the article and excerpts

Academic Dictionaries and Encyclopedias

Wikipedia

Boneh/Franklin scheme

Look at other dictionaries:

Share the article and excerpts

Direct link