Backward differentiation formula

The Boneh/Franklin scheme is an Identity based encryption system proposed by Dan Boneh and Matthew K. Franklin in 2001.^[1] This article refers to the protocol version called BasicIdent. It is an application of pairings (Weil pairing) over elliptic curves and finite fields.

Groups and parameters

As the scheme bases upon pairings, all computations are performed in two groups ${\displaystyle G_1}$ and ${\displaystyle G_2}$:

For ${\displaystyle G_1}$, let ${\displaystyle p}$ be prime, ${\displaystyle p\equiv 2mod3}$ and consider the elliptic curve ${\displaystyle E:y^2=x^3+1}$ over ${\displaystyle \mathbb{\mathbb{Z}}/p\mathbb{\mathbb{Z}}}$. Note that this curve is not singular as ${\displaystyle 4a^3+27b^2=27=3^3}$ only equals ${\displaystyle 0}$ for the case ${\displaystyle p=3}$ which is excluded by the additional constraint.

Let ${\displaystyle q>3}$ be a prime factor of ${\displaystyle p+1}$ (which is the order of ${\displaystyle E}$) and find a point ${\displaystyle P\in E}$ of order ${\displaystyle q}$. ${\displaystyle G_1}$ is the set of points generated by ${\displaystyle P}$: ${\displaystyle \{nP\Vert n\in \{0,\dots ,q-1\}\}}$

${\displaystyle G_2}$ is the subgroup of order ${\displaystyle q}$ of ${\displaystyle GF{\left(p^2\right)}^{*}}$. We do not need to construct this group explicitly (this is done by the pairing) and thus don't have to find a generator.

Protocol description

Setup

The Private Key Generator (PKG) chooses:

1. the public groups ${\displaystyle G_1}$ (with generator ${\displaystyle P}$) and ${\displaystyle G_2}$ as stated above, with the size of ${\displaystyle q}$ depending on security parameter ${\displaystyle k}$,
2. the corresponding pairing ${\displaystyle e}$,
3. a random private master-key ${\displaystyle K_m=s\in {\mathbb{\mathbb{Z}}}_q^{*}}$,
4. a public key ${\displaystyle K_{pub}=sP}$,
5. a public hash function ${\displaystyle H_1:{\{0,1\}}^{*}\to G_1^{*}}$,
6. a public hash function ${\displaystyle H_2:G_2\to {\{0,1\}}^n}$ for some fixed ${\displaystyle n}$ and
7. the message space and the cipher space ${\displaystyle \mathcal{ℳ}={\{0,1\}}^n,\mathcal{𝒞}=G_1^{*}\times {\{0,1\}}^n}$

Extract

To create the public key for ${\displaystyle ID\in {\{0,1\}}^{*}}$, the PKG computes

1. ${\displaystyle Q_{ID}=H_1\left(ID\right)}$ and
2. the private key ${\displaystyle d_{ID}=s{Q}_{ID}}$ which is given to the user.

Encrypt

Given ${\displaystyle m\in \mathcal{ℳ}}$, the ciphertext ${\displaystyle c}$ is obtained as follows:

1. ${\displaystyle Q_{ID}=H_1\left(ID\right)\in G_1^{*}}$,
2. choose random ${\displaystyle r\in {\mathbb{\mathbb{Z}}}_q^{*}}$,
3. compute ${\displaystyle g_{ID}=e(Q_{ID},K_{pub})\in G_2}$ and
4. set ${\displaystyle c=(rP,m\oplus H_2\left(g_{ID}^r\right))}$.

Note that ${\displaystyle K_{pub}}$ is the PKG's public key and thus independent of the recipient's ID.

Decrypt

Given ${\displaystyle c=(u,v)\in \mathcal{𝒞}}$, the plaintext can be retrieved using the private key:

${\displaystyle m=v\oplus H_2\left(e(d_{ID},u)\right)}$

Correctness

The primary step in both en- and decryption is to employ the pairing and ${\displaystyle H_2}$ to generate a mask (like a symmetric key) that is xor'ed with the plaintext. So in order to verify correctness of the protocol, one has to verify that an honest sender and recipient end up with the same values here.

The encrypting entity uses ${\displaystyle H_2\left(g_{ID}^r\right)}$, while for decryption, ${\displaystyle H_2\left(e(d_{ID},u)\right)}$ is applied. Due to the properties of pairings, it follows that:

${\displaystyle \begin{array}{rl}{H}_2\left(e(d_{ID},u)\right)& =H_2\left(e(s{Q}_{ID},rP)\right)\\ & =H_2\left(e{(Q_{ID},P)}^{rs}\right)\\ & =H_2\left(e{(Q_{ID},sP)}^r\right)\\ & =H_2\left(e{(Q_{ID},K_{pub})}^r\right)\\ & =H_2\left(g_{ID}^r\right)\\ \end{array}}$

Security

The security of the scheme depends on the hardness of the Bilinear Diffie-Hellman Problem (BDH) for the groups used. It has been proved that in a random-oracle model, the protocol is semantically secure under the BDH assumption.

Improvements

BasicIdent is not chosen ciphertext secure. However, there is a universal transformation method due to Fujisaki and Okamoto that allows for conversion to a scheme having this property called FullIdent.

References

External links

• Seminar 'Cryptography and Security in Banking'/'Alternative Cryptology', Ruhr University Bochum
• P(airing) B(ased) C(ryptography) library, designed by Ben Lynn et al.