
Department of Computer Science and Engineering

NIT Warangal

Identity Based
Encryption (IBE)

2010-11
Project group:

Amitanshu Mishra (CS7707)

Naga Rama Lokesh Gopu (CS7750)

Arnav Singh Arora (CS7710)

Supervised by:

Prof. B. B. Amberker

ABSTRACT
The first practical identity based encryption (IBE) scheme was proposed by Boneh and
Franklin. In this work we point out that the caveat of this approach is that the PKG must
be highly trusted, as it is capable of generating any user's private key and may therefore
decrypt (or sign) messages without authorization. Fortunately, it is possible to fix it
without changing the scheme or the underlying assumption. In the second place, we
introduce a variant of the existing IBE scheme in which the responsibility of private key
generation is reduced by sharing it between two PKGs and the trust is put into the hands
of the user. The idea is to preserve the underlying principles and extend the strength of the
existing scheme by ensuring that the PKG is not the sole point of failure.

Table of Contents
1 Introduction
1.1 What is IBE?
1.2 Why IBE?
2 Project Description
2.1 Focus
2.2 Objective
3 Solution
3.1 Preliminaries
3.2 Assumptions
3.3 Definitions
3.4 Working
4 Future works
5 References / Bibliography

1. Introduction
1.1 What is IBE?

Identity Based Encryption (IBE) is a public-key cryptographic scheme where any piece of
text can act as a valid public key. This is a powerful concept as it means that email
addresses, dates or a combination of both can act as public keys.

The concept of IBE was first proposed by Shamir. However, despite many proposals no
satisfactory implementation of IBE was formulated until 2001 by Boneh and Franklin.

In an IBE system an entity’s public key is derived directly from its public identity
information, for example, name, e-mail address, IP address of the user, etc. The
corresponding private key of the user is generated by a trusted authority called private
key generator (PKG) and given to the user through a secure channel. ID-based
cryptography is advantageous in key management, since distribution of public key is not
required. A sender can send an encrypted message to a receiver using the receiver’s
public identity information, even before the receiver obtains his private key from PKG. If
a signature is received, it can be verified immediately by using sender’s public identity
information.

[Figures: Encryption with an IBE system; Decryption with an IBE system]

1.2 Why IBE?

IBE is an interesting technology because other public-key algorithms have encountered
practical difficulties in use. In particular, implementations of traditional public-key
technologies have gained a reputation for being difficult and expensive, at least when
they are used by people; the most successful application of public-key technology has
been in the widespread use of SSL, which requires minimal interaction with a user when
it is used to authenticate a server and to encrypt communications with the same server.
Applications that require a user to manage or use public keys have not been as successful.

Key validation, or checking to make sure that a particular key is valid at some point in its
lifetime, can be an expensive and difficult process, particularly when validating uses of a
key that took place in the past. Suppose that you are doing digitally signed and encrypted
electronic transactions and you need to verify whether or not a particular transaction had
a valid signature at some point in the past, like when the transaction took place two years
ago. The validity of a digital certificate can change during its lifetime as it is temporarily
suspended or revoked, so it is necessary to be able to reconstruct the validity of the key
managed by any certificate at any point in the key’s lifetime to be able to answer such
questions. Doing so requires being able to reconstruct the state of the system that
manages the validity of keys, which is a complex and difficult problem. To avoid the
practical difficulties of key validation, IBE systems typically use short-lived keys. So if
an IBE key is valid for only one day, then we assume that it is valid for that entire day,
and there is no provision for revoking or suspending a key during that period. The ability
to quickly and easily calculate keys makes short-lived keys in IBE practical, where they
are often impractical, although not impossible, to use in a system based on traditional PKI
technology.

In addition, IBE systems calculate keys as needed, so there is no need for archiving keys
at all. The only information that needs to be backed up is the master secret that is used by
the PKG to calculate IBE private keys. This simpler process makes IBE systems simpler
and easier in many applications than traditional public-key technologies, and can make
the cost of supporting and maintaining an IBE system much less than the cost of
supporting and maintaining a system with the same capabilities that is based on
traditional public-key technology. The ability to calculate public and private keys as
needed is a subtle difference between IBE and traditional public-key technologies, but
one that provides many useful properties. In particular, it is not necessary to enroll a user
before encrypting information to them. Therefore, it is easy to IBE-encrypt information to
a user that does not exist yet and rely on the future user to properly authenticate before he
can decrypt the information.

2. Project Description
2.1 Focus

In an IBE system, the public key of a user may be an arbitrary string like an e-mail
address or other identifier. This eliminates certificates altogether; the sender could just
encrypt the message with the identity of the recipient without having to first obtain his
public key (and make sure that the obtained public key is the right one). Of course, users
are not capable of generating a private key for an identity themselves. For this reason,
there is a trusted party called the private key generator (PKG) who does the system setup.
To obtain a private key for his identity, a user would go to the PKG and prove his
identity. The PKG would then generate the appropriate private key and pass it on to the
user. Since the PKG is able to compute the private key corresponding to any identity, it
has to be completely trusted. The PKG is free to engage in malicious activities which
include decrypting and reading messages meant for any user, or worse still, generating
and distributing private keys for any identity. In a practical implementation of an IBE
system, bringing down the PKG is sufficient to bring the system to a complete halt
(single point of failure).

This, in fact, has been cited as a reason for the slow adoption of IBE despite its nice
properties in terms of usability. It has been argued that due to the inherent key escrow
problem, the use of IBE is restricted to small and closed groups where a central trusted
authority is available.

2.2 Objective

To the best of our knowledge, without making the PKG distributed, there is no known
solution to mitigate the problem of having to place trust in the PKG. This project seeks to
introduce a new approach to mitigate the (inherent) key escrow problem in identity based
encryption scheme. Our main goal is to restrict the ways in which the PKG can
misbehave by enrolling the services of the client. The bedrock of the solution lies in the
Boneh-Franklin (basic) IBE scheme and slight modification in terms of multiple PKGs
producing independent master keys.

3. A New Approach
3.1 Preliminaries

Let G1 and G2 be two groups of order q for some large prime q. Our IBE system makes
use of a bilinear map e: G1 × G1 → G2 between these two groups. The map
must satisfy the following properties:

1. Bilinear: We say that a map e: G1 × G1 → G2 is bilinear if

$\forall P, Q \in G_1,\ \forall a, b \in \mathbb{Z}_q^*:\quad e(aP, bQ) = e(P, Q)^{ab}$

2. Non-degenerate: The map does not send all pairs in G1 × G1 to the identity in G2.
Observe that since G1, G2 are groups of prime order this implies that if P is a
generator of G1 then e(P, P) is a generator of G2.
3. Computable: There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.

3.2 Assumptions

Bilinear Diffie-Hellman Problem

Let G1 and G2 be two groups of prime order q. Let e: G1 × G1 → G2 be an admissible
bilinear map and let P be a generator of G1. The BDH problem in <G1, G2, e> is as
follows: Given <P, aP, bP, cP> for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = e(P, P)^{abc} \in G_2$. An
algorithm A has advantage ε in solving BDH in <G1, G2, e> if

$\Pr[A(P, aP, bP, cP) = e(P, P)^{abc}] \ge \varepsilon$

BDH Parameter Generator

We say that a randomized algorithm G is a BDH parameter generator if (1) G takes a
security parameter k ∈ Zq*; (2) G runs in polynomial time in k and (3) G outputs a prime
number q, the description of two groups G1 and G2 of order q, and the description of an
admissible bilinear map e: G1 × G1 → G2.

We denote the output of G by $G(1^k)$ = <q, G1, G2, e>. The security parameter k is used to
determine the size of q; for example, one could take q to be a random k-bit prime.

BDH Assumption

Let G be a BDH parameter generator. We say that an algorithm A has
advantage ε(k) in solving the BDH problem for G if for sufficiently large k:

$\mathrm{Adv}_{G,A}(k) = \Pr[A(q, G_1, G_2, e, P, aP, bP, cP) = e(P, P)^{abc}] \ge \varepsilon(k)$

We say that G satisfies the BDH assumption if for any randomized polynomial time (in
k) algorithm A we have that is a negligible function. When G satisfies the BDH
assumption we say that BDH is hard in groups generated by G.

3.3 Definitions

An identity-based encryption scheme E is specified by four algorithms:

Setup: takes a security parameter k and returns params (system parameters) and master-
key. The system parameters include a description of a finite message space M, and a
description of a finite ciphertext space C.

Extract: takes as input params, master-key, and an arbitrary ID ∈ {0,1}*, and returns a
private key d. Here ID is an arbitrary string that will be used as a public key, and d is the
corresponding private decryption key.

Encrypt: takes as input params, ID, and M ∈ M. It returns a ciphertext C ∈ C.

Decrypt: takes as input params, C ∈ C, and a private key d. It returns M ∈ M.

3.4 Working of the solution

• Setup: resembles the setup algorithm of the Boneh-Franklin scheme except for the
generation of two secret keys, one for each node. The algorithm runs separately
for each node using the security parameter k.

– Uses k to generate a prime q

– generates cyclic groups G1, GT of order q, and a bilinear map e: G1 × G1 → GT

– chooses an arbitrary generator P ∈ G1

– picks a random $s_1 \in \mathbb{Z}_q^*$ and sets $P_{pub1} = s_1 P$

– picks two crypto hash functions: $H_1: \{0,1\}^* \to G_1$ and $H_2: G_T \to \{0,1\}^n$

Similarly, we get $s_2$ and $P_{pub2}$. $\langle q, G_1, G_2, e, n, P, P_{pub1}, H_1, H_2 \rangle$ and
$\langle q, G_1, G_2, e, n, P, P_{pub2}, H_1, H_2 \rangle$ are the two sets of public parameters.

• Extract: For each node in the PKG,

– Map the identity ID to a point on the curve E by calculating $Q_{ID} = H_1(ID)$

– Multiply this point $Q_{ID}$ by master secret key $s_i$ to get private key $d_i = s_i Q_{ID}$
where i = 1, 2.

• Encrypt:

To encrypt a message $M \in \{0,1\}^n$ to the recipient (user 2) with the identity ID,
user 1 (sender) has to perform the following steps.

– Generates a random integer $r \in \mathbb{Z}_p^*$ and calculates $rP$.

– Calculates $Q_{ID} = H_1(ID)$ from the recipient’s identity ID.

– User 1 can use either $P_{pub1}$ or $P_{pub2}$ for producing the ciphertext. Suppose
he chooses $P_{pub1}$.

$K = H_2(e(r Q_{ID}, s_1 P))$

– Sets the ciphertext corresponding to the pair $C = (C_1, C_2)$ where

$C_1 = rP$ and $C_2 = M \oplus K$.

• Decrypt: User 2 gets both the private keys from the PKG after authenticating
itself. When user 2 receives the ciphertext
$C = (rP,\ M \oplus H_2(e(r Q_{ID}, P_{pub_i}))) = (C_1, C_2)$ he performs the following steps.

1. Calculates $K = H_2(\hat{e}(d_{IDi}, C_1))$ from the ciphertext component $C_1$ and only one
private key $s_i Q_{ID}$.

2. If $d_{ID1}$ is used then use $M = C_2 \oplus K$.

This recovers the plaintext M because the sender calculates K as

$K = H_2(\hat{e}(r Q_{ID}, P_{pub1})) = H_2(\hat{e}(Q_{ID}, P)^{r s_1})$

and the recipient calculates K as

$K = H_2(\hat{e}(s_1 Q_{ID}, C_1)) = H_2(\hat{e}(Q_{ID}, P)^{r s_1})$

3. If $d_{ID2}$ is used then we have

user 1: $K = H_2(\hat{e}(r Q_{ID}, P_{pub1})) = H_2(\hat{e}(Q_{ID}, P)^{r s_1})$

user 2: $K' = H_2(\hat{e}(d_{ID2}, C_1)) = H_2(\hat{e}(Q_{ID}, P)^{r s_2})$

$C_2 \oplus K = M \oplus H_2(\hat{e}(r Q_{ID}, P_{pub1})) \oplus H_2(\hat{e}(s_2 Q_{ID}, C_1))$

$= M \oplus H_2(\hat{e}(Q_{ID}, P)^{r s_1}) \oplus H_2(\hat{e}(Q_{ID}, P)^{r s_2}) \ne M$
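
The four algorithms above, with two PKG nodes, as a runnable sketch. This is an added example, not the project's code. It assumes a toy stand-in for the pairing (G1 modelled as Z_q and e(aP, bP) = g^(ab) in a small subgroup of Z_p^*), which is bilinear but offers no security, and it draws r from Zq*; all function and constant names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters, NOT secure: q and p = 2q + 1 are prime and g = 4 has
# order q in Z_p^* (standing in for GT). G1 is Z_q: the point aP is stored as a.
Q, P_MOD, G, P, N = 1019, 2039, 4, 1, 16  # P generates G1; M is N bytes long

def e(x, y):
    """Toy bilinear map e(aP, bP) = g^(ab), so e(aX, bY) = e(X, Y)^(ab)."""
    return pow(G, (x * y) % Q, P_MOD)

def H1(identity):
    """Hash an identity string to a non-zero element Q_ID of G1."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def H2(gt_element):
    """Hash a GT element to an N-byte mask."""
    return hashlib.sha256(gt_element.to_bytes(2, "big")).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """One PKG node: master secret s_i in Zq* and public key Ppub_i = s_i P."""
    s = secrets.randbelow(Q - 1) + 1
    return s, (s * P) % Q

def extract(s, identity):
    """Private key d_i = s_i Q_ID issued by node i."""
    return (s * H1(identity)) % Q

def encrypt(message, identity, p_pub):
    """C = (C1, C2) = (rP, M xor H2(e(r Q_ID, Ppub)))."""
    assert len(message) == N, "message must be exactly N bytes"
    r = secrets.randbelow(Q - 1) + 1
    key = H2(e((r * H1(identity)) % Q, p_pub))
    return (r * P) % Q, xor(message, key)

def decrypt(c1, c2, d):
    """M = C2 xor H2(e(d_ID, C1))."""
    return xor(c2, H2(e(d, c1)))

def demo(identity, message):
    """Encrypt under Ppub1, then decrypt with d_ID1 and with d_ID2."""
    (s1, p_pub1), (s2, _) = setup(), setup()
    while s2 == s1:  # toy q is tiny: resample so the master keys differ
        s2, _ = setup()
    c = encrypt(message, identity, p_pub1)
    return decrypt(*c, extract(s1, identity)), decrypt(*c, extract(s2, identity))
```

Calling demo("user2@example.com", b"sixteen byte msg") returns the plaintext for the d_ID1 decryption and a different 16-byte string for d_ID2, matching cases 2 and 3 above.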

4 Future works
The above proposed variant is the first step towards developing a full-fledged solution to
the inherent key escrow problem plaguing IBE. The scheme has been properly defined as
illustrated above. Design and analysis of the mathematical model on the lines of the
Boneh Franklin scheme along with the identification of security strengths and
vulnerabilities are the areas which require attention in the near future.

5 References / Bibliography

[1] Dan Boneh and Matthew Franklin, “Identity-Based Encryption from the Weil Pairing”, research paper, Stanford University

[2] Luther Martin, “Introduction to Identity-based Encryption”, Artech House Publications

[3] Vertoda, “An Overview of Identity Based Encryption”, white paper

[4] William Stallings, “Cryptography and Network Security-Principles and Practices”

[5] Vipul Goyal, “Reducing Trust in the PKG in Identity Based Cryptosystems”, Department of Computer Science, University of California, Los Angeles

[6] Louise Owens and Adam Duffy, “An Identity Based Encryption System”, Crypto Group, Computer Science Dept., NUI Maynooth, Co. Kildare, Ireland
