SLIDE 1
Mihir Bellare, UCSD
1
Identity-Based Encryption and Pairings
Mihir Bellare, UCSD
2
The People
Mihir Bellare, UCSD
3
The Awards
Mihir Bellare, UCSD
4
Mihir Bellare, UCSD
5
P K E D mpk msk M C sk I M
algorithm
parameter generation key generation encryption decryption
IBE = (P, K, E, D)
Syntax of an IBE scheme
mpk master public key msk master secret key I identity sk secret (decryption) key for I M message C ciphertext
P K E D The correct decryption requirement for identity I and message M asks that
Pr[D(mpk, K(mpk, msk, I), E(mpk, I, M)) = M] = 1
Mihir Bellare, UCSD
6
Security of an IBE scheme
IBE = (P, K, E, D) is an IBE scheme.
A C ←$ E(mpk, I, M) I mpk sk0 ←$ K(mpk, msk, I0) for any I0 6= I M = ? Adversary A should be unable to figure out a message M encrypted to identity I, even given
- The master public key mpk
- The identity I
- The ciphertext C
- AND: Secret key sk0 for any identity I0 6= I
Mihir Bellare, UCSD
7
Security of an IBE scheme
IBE = (P, K, E, D) is an IBE scheme. Let A be an adversary. Advind-cpa
IBE
(A) = 2 Pr[IND-CPAA
IBE ⇒ true] − 1
b Challenge bit ExI Set of exposed identities ChI Set of challenge identities b0 A’s output, guess of b
Security requires that adversary can’t figure out whether left (b=0) or right (b=1) messages are encrypted for challenge identities. Even when it is allowed to obtain the secret keys of non- challenge identities. Game IND-CPAIBE Initialize (mpk, msk) ←$ P ; b ←$ {0, 1} ExI ← ∅ ; ChI ← ∅ Return mpk Expose(I) If (I ∈ ChI) then return ⊥ ExI ← ExI ∪ {I} sk ←$ K(mpk, msk, I) Return sk LR(I, M0, M1) If (I ∈ ExI) then return ⊥ ChI ← ChI ∪ {I} C ←$ E(mpk, I, Mb) Return C Finalize(b0) Return (b = b0)
Mihir Bellare, UCSD
8
Building an IBE scheme
IBE = (P, K, E, D) is an IBE scheme.
It is hard to find a way to build an IND-CPA-secure IBE scheme based on conventional number theory. With RSA, let
- mpk = (N,e)
- msk = (N,d)
- sk = ?
- C = ?