Identity Based Encryption

a form of public-key encryption, where sender can use public parameters of an entity to encrypt a message which can be decrypted only by a private key that is generated by a central authority.

then it's not that beneficial, right? you have to trust a central authority which can be adversary itself?

Third party entity called PRG (Private Key Generator) is responsible for creating public and private keys and assigning them to participants. PRG has a master private/public key pair which it uses to create new public/private key pair for any other participant. Any public entity can contact PRG to create a private key pair for itself and public key can be generated by combining master public key and self’s public ID.

so PRG is a single point of failure. PRG can't get compromised. also how does PRG at the time generating the private key authenticates identity of the entity?

It’s mentioned in the wikipedia article that IBE doesn’t concern with the need of security (integrity, authentication, confidentiality)

sequenceDiagram
actor Alice
participant PRG
actor Bob
note over PRG:1. generate a master <br/> private/public key pair
note over Alice:2. generate a private key
Alice->>PRG:3. Obtain master public key
Note over Alice:4. create public key from master public key
Alice->>PRG:5. send request to create a private key
PRG->>Alice:6. send private key for Alice
note over Alice:7. use Bob's ID to generate <br/> Bob's public key and encrypt message
Alice->>Bob:8. send ciphertext
Bob->>PRG:9. obtain master public key
Bob->>PRG:10.send request to create private key
PRG->>Bob:11. send private key for Bob
note over Bob:12. decrypt ciphertext for message m

Formal Protocol:

$Setup (1^{λ}) \to P, K_{m}$ : takes security parameter and outputs public parameters (message space $M$ and ciphertext space $C$ ), and master key $K_{m}$ .
$Extract (P, K_{m}, ID \in {0, 1}^{*}) \to d$ : generates user’s private key. takes public parameter, master key, user public ID and outputs user private key $d$ .
$Encrypt (P, m \in M, ID) \to c \in C$ : encrypts a message $m$ to ciphertext $c$ .
$Decrypt (P, c \in C, d) \to m \in M$ : decrypts a message encrypted by user’s public key using private key as decryption key.

\forall m \in M, ID \in {0, 1}^{*} : Decrypt (Extract, P, Encrypt) = m

Practical Protocols:

Boneh-Franklin scheme

Assume existence of hash function $H$ that can map element to $G$ .

$\textsf{Setup}(1^{\lambda})$$: sample a bilinear group$ \mathcal{P}:\mathbb{G},p,g,e $,$ K_{m}=x $, an e l e m e n t$ s \xleftarrow{$}\mathbb{Z}_{p} $an d$ pk:(\mathcal{P},h=g^{x})$.
$Extract (P, K_{m}, ID)$ : output $s k (ID) = H (ID)^{x}$
$Encrypt (P, ID, m)$ : samples $r\xleftarrow{\$ }\mathbb{Z}_{p} $, co m p u t es$ u=g^{r} $an d$ v=m\times e(H(\textsf{ID}),u) $.$ c=(u,v)$
$Decrypt (P, c, sk_{ID})$ : parse $(u, v) \leftarrow c$ , computes $z = e (s k (ID), u)$ , outputs $m = v / z$ .

things that I am liking about IBE:

in a network where key escrows are necessary, it’s perfect use case for setting up PKI.

doesn’t require bootstrapping of public key infrastructure

sender can control the properties of ciphertext. For example: can encode expiration in public key identifier like bob@hotmail.com || current-year, which PRG can use to deny private key generation for the receiver.

PRG can control entities inside the system using expiration of keys. can produce static or ephemeral keys.

A corporation PKI is perfect use case for IBE.

Security

PKG is a single point of failure, as if it gets compromised, all the keys being used in the system are compromised and adversary can spoof anyone.

Is standard public-key encryption (PKE) semantic security enough?

what’s the meaning of semantic security? if the notion of semantic security is satisfied even when encryption algorithm ignores identities and everyone has same secret key, then what is it use case because obviously, stricter algorithm will satisfy it as well, i.e. everyone having different secret keys?

Security of any public key encryption scheme is based on the notion of semantic security wherein an adversary $A$ knowing the public key $pk$ cannot tell the difference between $m_{0}, m_{1}$ for message of its own choice.

Security which is considered for IBE, will allow $A$ to obtain secret keys of $I D_{1}, I D_{2}, \dots, I D_{k}$ and has to break semantic security for $ID^{*}$ . Let’s define an attack game between challenger and adversary $A$ :

$Setup (1^{λ})$ : outputs $P$ and $p k$ is given to $A$ .
$A$ samples secret key queries for any identity $i d_{i}$ and get $s k \leftarrow Extract (P, ID, K_{m})$
$A$ outputs challenge id $I D^{*}$ and messages $m_{0}, m_{1}$ and get $c \leftarrow Encrypt (P, ID, m_{b})$ .
$A$ can sample additional secret key queries.
$A$ has to output $i$ for message $m_{i}$ that was chosen for encryption.

$A$ wins if $m_{i} = m_{b}$ and $A$ never queries for secret key of $ID^{*}$ . An IBE scheme is deemed secure if for any PPT adversary, $P r_{A} (m_{i} = m_{b}) \geq \frac{1}{2} + negl (λ)$

Let’s define other variations of IBE with varying security guarantees:

Adaptively secure IBE: adversary can make series of queries to challenger, queries being key queries or encryption query. at the end of game, adversary has to output bit $\hat{b} \in {0, 1}$ .
Private IBE (anonymous IBE): stricter assumption, an eavesdropper who has $m p k$ and $c R E (m p k, i d, m)$ cannot learn the identity of the target recipient.
- the attack game is modified where in encryption query, adversary $A$ sends: tuple: $(ID_{0}, m_{0}), (ID_{1}, m_{1})$ .
- In the end, adversary has to output bit $\hat{b} \in {0, 1}$ such that $c \leftarrow E (m p k, I D_{b}, m_{b})$ .
Selectively secure IBE: weaker notion of IBE security where adversary needs to select challenge identity $ID$ before key queries.
- to model the security proof, we first select a hash function $H : ID^{'} \to ID$ which will be modelled as a random oracle.
- choose an adversary $B$ that will wrap around adversary $A$ and play the attack game with the challenger.
- $A$ can at most make $Q_{RO}$ random oracle queries for $ID$ and $Q_{S}$ key queries.
- $B$ chooses a $\omega \xleftarrow{\$ }\left{1,\dots,Q_{RO}+1\right} $, an d a r an d o m$ \mathsf{ID}{ch}\xleftarrow{$}\mathcal{ID} $. se n d s$ \mathsf{ID}{ch} $t oc ha ll e n g er a sc ha ll e n g e i d e n t i t y an d g e t s ba c k$ mpk $f or$ \mathcal{E}’_{id}$.
- Now, $A$ starts querying random oracle of $ID_{j}$ and $B$ maps each query to random identity in $I D$ and sends value of $H (ID_{j}^{'})$ . for query number $ω$ , it maps that to $ID_{c h}$ that it sent to challenger.
- then, $A$ starts key queries. for jth query, if $H (ID_{j}) \neq = ID_{c h}$ then $B$ sends the key query to challenger and send response back to $A$ . if it’s equal to $ID_{c h}$ , then $B$ can’t send to challenger and aborts with random bit.
- $A$ issues its single encryption query for $(ID^{'}, m_{0}, m_{1})$ , $B$ first checks if $H (ID^{'}) = ID_{c h}$ , if its not, sends the query to challenger, gets $c$ and send that to $A$ , for which $A$ outputs the bit $\hat{b}$ . if $H (ID^{'}) = ID_{c h}$ , then $B$ aborts with random bit.

Some questions regarding the security of this scheme:

why $E_{i d} (S, G, E, D)$ is modified to $E_{i d}^{'} (S, G^{'}, E^{'}, D)$ ?

why use a hash function to map $H : I D \to I D^{'}$ ?

Security of Boneh-Franklin scheme

TODO

lonerapier.xyz

Explorer

Identity Based Encryption

Practical Protocols:

Security

Security of Boneh-Franklin scheme

Resources

Graph View

Table of Contents

Backlinks