Professional Documents
Culture Documents
Identity Based Cryptosystems
Identity Based Cryptosystems
[] of existential unforgeability under chosen-message The above construction was extended to provide hier-
attacks by requiring any probabilistic polynomial-time archical identity-based signatures [] (i.e., IBS schemes
algorithm F to have negligible advantage in the following involving a hierarchy of signers organized in a hierar-
game. chical setting) and identity-based signatures with special
properties [].
. The challenger generates a master key pair (mpk, msk)
While simple and elegant, this construction leaves
← Setup(k) and hands mpk to the forger F .
room for efficiency improvements, notably in terms of sig-
. On polynomially-many occasions, the forger makes
nature size since each signature comprises two ordinary
queries of the following two types:
digital signatures and a public key. Ideally, one would like
(a) Key generation queries: F chooses an arbitrary
to have an IBS scheme performing as well as ordinary dig-
identity ID and the challenger replies by return-
ital signatures. The next subsections show two examples
ing dID ← Keygen(msk, ID).
of such schemes that both derive from the Fiat–Shamir
(b) Signing queries: F chooses a pair (ID, M).
paradigm [].
The challenger replies by computing dID ←
Keygen(msk, ID)and returning σ = Sign(dID , M).
The Guillou–Quisquater IBS
These queries can be made adaptively in that each one
This scheme is derived from a three round identifica-
may depend on the answers to prior queries.
tion scheme. It was proposed in and consists of the
. The forger outputs a triple (ID⋆ , M ⋆ , σ ⋆ ) and wins if
following algorithms.
the three following conditions are satisfied:
(a) ID⋆ was never queried for key generation. Setup: Given a security parameter k , the private key gen-
(b) The pair (ID⋆ , M ⋆ ) was never queried for signa- erator (PKG) picks two k /-bit primes p and q and
ture. computes n = pq. It also picks a prime number
(c) Verify(mpk, ID⋆ , σ ⋆ ) = . e ∈ Z φ(n) such that gcd(e, φ(n)) = and chooses
cryptographic hash functions H : {, }∗ → Ze and
Generic IBS from Any Signature G : {, }∗ → Zn . The master public key is mpk =
In [], Bellare, Namprempre, and Neven pointed out that (n, e, G, H) while the master secret key is the pair
any digital signature can be made identity-based in a msk = (p, q).
very simple manner using certification. This generic con- Keygen: Given a user’s identity ID, the PKG computes
struction was previously implicitly described in [] and I = G(ID) ∈ Z∗n and a ∈ Z∗n such that Iae ≡ (mod n).
goes as follows. Let Π sig = (Keygen, Sign, Verify ) be The obtained dID = a is returned to the user as a private
any ordinary (i.e., nonidentity-based) digital signature key.
scheme providing existential unforgeability under chosen- Sign: Given a message m, the signer does the following:
message attacks []. Then, a secure IBS scheme Π IBS = . Pick a random k ← Z∗n and compute r = ke mod n.
R
on a message consisting of the user’s identity: in other Keygen: Given a user’s identity ID, the PKG chooses
r ← Zp at random and computes R = g r as well as ℓ =
R
words, a GQ signature is actually a noninteractive proof
of knowledge of an RSA signature. H(ID∣∣R) ∈ Zp . The private key is the pair dID = (R, s)
The scheme can be proved existentially unforgeable where s = r + ℓx mod p.
(in the random oracle model []) provided it is hard to Sign: To sign a message m using dID = (R, s), the signer
invert the RSA function. The first security proof can be proceeds as follows:
traced back to the work of Pointcheval and Stern [, ]
Pick a random y ← Zp and compute Y = g y as well
R
.
who showed how their “forking technique” yields security
as S = g s .
proofs for signature schemes derived from identification
. Compute c = G(m∥S∥Y) ∈ Zp .
protocols. Their security proof was given in a model where
. Calculate z = y + cs mod p.
the scheme was treated as an ordinary (i.e., nonidentity-
based) signature. A security proof in the model of section The signature on m is (R, S, c, z).
“Identity-Based signatures” was provided by the general Verify: To verify a signature (R, S, c, z) on m:
framework of Bellare et al. [].
. Compute Y = g z S−c and reject the signature if c ≠
While the infeasibility of inverting the RSA func-
G(m∣∣S∣∣Y).
tion is sufficient to prove the security of the GQ sig-
. Compute ℓ = H(ID∣∣R).
nature scheme in the random oracle model, a stronger
. Accept the signature if S = RX ℓ .
interactive assumption (introduced in []) is necessary
to prove the security of the underlying interactive iden- Bellare et al. [] proved the security of their scheme assum-
tification scheme. The security of the GQ identification ing that computing discrete logarithms is hard and when
I
scheme against active and concurrent attacks was estab- the hash functions H and G are modeled as random
lished by Bellare and Palacio [] in a traditional public oracles.
key setting. Its security in the identity-based model was A BNN signature can be seen as a noninteractive proof
proved in []. of knowledge of a Schnorr signature in the same way
as GQ signatures prove knowledge of an RSA signature.
The above scheme can also be seen as an optimization of
The Bellare–Namprempre–Neven IBS
the generic construction described in section “Generic IBS
In , Bellare et al. [] described an identity-based sig-
from Any Signature” it indeed provides slightly shorter sig-
nature based on the discrete logarithm problem. In the
natures using suitable parameters such as carefully chosen
same way as the Guillou–Quisquater scheme can be seen
elliptic-curve subgroups. The BNN IBS was recently fur-
as a proof of knowledge of an RSA signature, the Bellare
ther optimized [] to provide shorter signatures and also
et al. scheme can be viewed as a noninteractive proof of
inspired an IBS scheme [] supporting partial signature
knowledge of a Schnorr [] signature.
aggregation.
The Schnorr signature scheme makes use of a cyclic
group G of prime order p. The signer holds a public key
X = g x , where x ← Zp is the private key which is
R
Signature”. Other IBS schemes supporting signature aggre- . In the guess stage, A asks new queries as in the find
gation [, ] or multiple signers [] were designed under stage but is restricted not to issue a key extraction request
specific assumptions. on the target identity ID∗ and cannot submit C to the
In addition, an observation made by Naor (and decryption oracle for the identity ID∗ . Eventually, A
reported in []) implies that identity-based signatures can outputs a bit b′ and wins if b′ = b.
also be derived from hierarchical identity-based encryp-
tion (HIBE) [, ]. Following this observation, Paterson A’s advantage is defined as Adv(A) := ∣ × Pr[b′ = b] − ∣.
and Schuldt [] proved the security (without using the The above definition captures the chosen-ciphertext
random oracle model) of a scheme derived from a -level scenario where the adversary is granted access to a decryp-
extension of the Waters IBE [] under the Diffie–Hellman tion oracle throughout the game. There exists a weaker
assumption in groups with a bilinear map. definition, called chosen-plaintext security (or IND-ID-
CPA for short), where no such decryption oracle is given
Identity-Based Encryption from Quadratic to the adversary.
Residuosity: The Cocks IBE The IBE scheme proposed by Cocks in [] is
An identity-based encryption scheme (IBE) consists of based on quadratic residues and on the properties of the
a tuple of algorithms (Setup, Keygen, Encrypt, Decrypt), Legendre and Jacobi symbols for Blum integers (i.e., com-
the first two ones of which have the same functional- posite integers n = pq, where p and q are primes such that
ities as in identity-based signatures. Algorithm Encrypt p ≡ q ≡ (mod )). It is made of the four algorithms
takes as input a plaintext m, the master public key mpk, depicted below.
and a receiver’s identity ID to output a ciphertext C =
Setup: The PKG picks prime numbers p and q such that
Encrypt(m, mpk, ID). On input of C and the private
p ≡ q ≡ (mod ), computes their product n =
key dID , the corresponding decryption algorithm outputs
pq, and chooses a hash function H : {, }∗ →
either a plaintext m or a special symbol indicating that
Z∗n . The PKG’s master secret key is defined to be
the ciphertext is invalid.
msk = (p, q), and the master public key consists of
The appropriate definition of security for IBE schemes
mpk = (n, H).
was given by Boneh and Franklin [].
Keygen: Given an identity ID, the PKG computes a
Definition An IBE scheme is said to be adaptively sequence of hash values starting from ID until obtain-
chosen-ciphertext secure (IND-ID-CCA) if no probabilis- ing a = H(H(H . . . (ID))) ∈ Z∗n such that ( na ) = .
tic polynomial time (PPT) adversary has a non-negligible For such a a ∈ Z∗n , either a or −a is a square in Z∗n .
advantage in the following game. n+−(p+q)
It is easy to verify that r = a mod n satisfies
. The challenger runs the Setup algorithm on input of a a = r mod n or a = −r mod n depending on whether
security parameter k and sends the domain-wide param- ( ap ) = ( aq ) = or ( ap ) = ( aq ) = −. The obtained r is
eters mpk to the adversary A. returned to the user as a private key.
. In a find stage, A starts probing the following oracles:
– Key extraction oracle: Given an identity ID, this Encrypt: The sender does not know which of a or −a
oracle returns the extracted private key dID = is a square in Z∗n and one first considers the case
Keygen(msk, ID). a = r mod n. The sender generates a symmetric
– Decryption oracle: Given an identity ID ∈ {, }∗ transport key K and encrypts the plaintext M with it.
and a ciphertext C, it generates the private key Each bit x of that symmetric key is then encrypted
dID associated to ID and returns either a plaintext before being sent to the receiver B. To do this, A
M ∈ M or a distinguished symbol indicating that encodes x in {−, } rather than in {, } and does the
the ciphertext was not correctly formed. following.
A can present her queries adaptively in the sense that . Pick a random t ∈ Z∗n such that ( nt ) = x.
each query may depend on the answers to previous ones. . Compute s = (t + at ) mod n (since ( nt ) ≠ , t is
At some point, she produces two plaintexts M , M ∈ M, coprime with p and q and thus invertible in Zn ) and
and a target identity ID∗ for which she has not requested send it to B.
the private key in stage . The challenger computes Since A does not know which of a or −a is the square of
C = Encrypt(Mb , mpk, ID∗ ), for a random hidden bit B’s decryption key, A has to repeat the above process for
b ← {, }, which is sent to A. a new t and, this time, send s = (t −a/t) mod n. Hence,
R
Identity-Based Cryptosystems I
∣n∣ bits, where ∣x∣ denotes the bitlength of x, have to be . Lecture notes in computer science, vol . Springer,
transmitted for each bit of the symmetric key. Heidelberg, pp –
. Bellare M, Neven G () Identity-based multi-signatures from
RSA. In: RSA conference cryptographers’ track (CT-RSA ’).
Decrypt: B recovers x as follows. Given that Lecture notes in computer science, vol . Springer,
Heidelberg, pp –
r a . Bellare M, Palacio A () GQ and schnorr identification
t( + r/t) ≡ t + r + ≡ t + r + ≡ s + r (mod n),
t t schemes: proofs of security against impersonation under active
and concurrent attacks. In: Advances in cryptology – Crypto
B can compute ( s+rn
) = ( nt ) = x and recover x using ’, Lecture notes in computer science, vol . Springer,
Heidelberg, pp –
his/her private key r thanks to the multiplicative prop-
. Bellare M, Rogaway P () Random oracles are practical:
erties of the Jacobi symbol. Once the symmetric key K a paradigm for designing efficient protocols. In: Proceedings
is obtained in clear, the ciphertext can be decrypted. of the st ACM conference on computer and communications
security, Fairfax, pp –
For -bit symmetric keys, the scheme is fairly cheap . Beth T () Efficient zero-knowledge identification scheme
from a computational standpoint: the sender’s cost is dom- for smart cards. In: Advances in cryptology – Eurocrypt ’.
Lecture notes in computer science, vol . Springer, Heidel-
inated by × Jacobi symbol evaluations and ×
berg, pp –
modular inversions. The receiver just has to compute . Boneh D, Franklin M () Identity based encryption from the
Jacobi symbols since he/she knows which of a or −a is Weil pairing, SIAM J of Comput (): –, . Earlier
the square of his/her private key. The drawback of the version in advances in cryptology – Crypto ’. Lecture notes in
scheme is its bandwidth overhead: for a -bit modu- computer science, vol . Springer, Heidelberg, pp – I
. Boneh D, Gentry C, Hamburg M () Space-efficient identity-
lus n and a -bit symmetric transport key, at least ×
based encryption without pairings. In: Proceedings of the FOCS
Kb need to be transmitted if all the integers s are sent ’, Providence, pp –
together. . Cha JC, Cheon JH () An identity-based signature from
Cocks showed that his construction is secure (in the gap Diffie-Hellman groups. In: Public Key Cryptography
random oracle model) against chosen-plaintext attacks (PKC ’). Lecture notes in computer science, vol . Springer,
Heidelberg, pp –
under the Quadratic Residuosity Assumption (i.e., the
. Cayrel PL, Gaborit P, Girault M () Identity-based iden-
hardness of deciding whether or not a random integer a tification and signature schemes using correcting codes. In:
such that ( na ) = is a square). Chosen-ciphertext security Workshop of cryptography and coding , Versailles
can be acquired via several generic transformations such . Cayrel PL, Gaborit P, Galindo D, Girault M () Improved
as the one of Fujisaki and Okamoto []. identity-based identification using correcting codes. In: Com-
puting Research Repository (CoRR) abs/.
While elegant, Cocks’s construction is somewhat
. Cocks C () An identity based encryption scheme based on
bandwidth-demanding. In addition, separately encrypt- quadratic residues. In: Proceedings of cryptography and cod-
ing each bit of plaintext makes it difficult to turn the ing. Lecture notes in computer science, vol . Springer,
scheme into a chosen-ciphertext secure multi-bit encryp- Heidelberg, pp –
tion scheme. In , Boneh et al. [] showed how to con- . Dodis Y, Katz J, Xu S, Yung M () Strong key-insulated signa-
ture schemes. In: Public key cryptography (PKC ’). Lec-
struct a multi-bit quadratic-residuosity-based IBE scheme
ture notes in computer science, vol . Springer, Heidelberg,
featuring much shorter ciphertexts. Other IBE systems pp –
avoiding the limitation of Cocks’s proposal will be covered . Fiat A, Shamir A () How to prove yourself: practical solu-
in the chapter dedicated to identity-based encryption. tions to identification and signature problems. In: Advances in
cryptology – Crypto ’. Lecture notes in computer science, vol
. Springer, Heidelberg, pp –
References . Fujisaki E, Okamoto T () Secure integration of asymmetric
. Barreto PSLM, Libert B, McCullagh N, Quisquater JJ () and symmetric encryption schemes. In: Advances in cryptol-
Efficient and provably-secure identity-based signatures ogy – Crypto ’. Lecture notes in computer science, vol .
and signcryption from bilinear maps. In: Advances in Springer, Heidelberg, pp –
cryptology – Asiacrypt ’. Lecture notes in computer science, . Fischlin M, Fischlin R () The representation problem based
vol . Springer, Heidelberg, pp – on factoring. In: RSA conference cryptographers’ track (CT-
. Bellare M, Namprempre C, Neven G () Security proofs RSA ’). Lecture notes in computer science, vol . Springer,
for identity-based identification and signature schemes. In: Heidelberg, pp –
Advances in cryptology – Eurocrypt ’. Lecture notes in com- . Galindo D, Herranz J, Kiltz E () On the generic con-
puter science, vol . Springer, Heidelberg, pp – struction of identity-based signatures with additional prop-
. Bellare M, Namprempre C, Pointcheval D, Semanko M () erties, In: Avances in cryptology – Asiacrypt ’. Lecture
The power of RSA inversion oracles and the security of Chaum’s notes in computer science, vol . Springer, Heidelberg,
RSA-based blind signature scheme. In: Financial cryptography pp –
I Identity-Based Encryption
. Galindo D, Garcia FD () A schnorr-like lightweight . Waters B () Efficient identity-based encryption without
identity-based signature scheme. In: Progress in cryptology – random oracles. In: Advances in cryptology – Eurocrypt .
Africacrypt ’. Lecture notes in computer science, vol . Lecture notes in computer science, vol . Springer, Heidel-
pp – berg, pp –
. Gentry C, Ramzan Z () Identity-based aggregate signatures.
In: Public key cryptography (PKC ’). Lecture notes in
computer science, vol . Springer, Heidelberg, pp –
. Gentry C, Silverberg A () Hierarchical ID-based cryptog-
raphy. In: Advances in cryptology – Asiacrypt ’. Lecture notes
in computer science, vol . Springer, Heidelberg, pp –
. Goldwasser S, Micali S, Rivest R () A digital signature
scheme secure against adaptive chosen-message attacks. SIAM J
Comput ():–
. Guillou L, Quisquater JJ () A “Paradoxical” identity-based
signature scheme resulting from zero-knowledge. In: Advances
in cryptology – Crypto ’. Lecture notes in computer science,
vol . Springer, Heidelberg, pp –
. Herranz J () Deterministic identity-based signatures for
partial aggregation. Comput J ():–
. Kiltz E, Mityagin A, Panjwani S, Raghavan B () Append-
only signatures. In: International colloquium automata, lan-
guages and programming (ICALP ’). Lecture notes in
computer science, vol . Springer, Heidelberg, pp –
. Hess F () Efficient identity based signature schemes based
on pairings. In: Proceedings of SAC ’. Lecture notes in com-
puter science, vol . Springer, Heidelberg, pp –
. Horwitz J, Lynn B () Toward hierarchical identity-based
encryption. In: Advances in cryptology – Eurocrypt ’. Lec-
ture notes in computer science, vol . Springer, Heidelberg,
pp –
. Okamoto T () Provably secure and practical identification
schemes and corresponding signature schemes. In: Advances
in cryptology – Crypto ’. Lecture notes in computer science,
vol . Springer, Heidelberg, pp –
. Ong H, Schnorr CP () Fast signature generation with a
fiat shamir-like scheme. In: Advances in cryptology – Euro-
crypt ’. Lecture notes in computer science, vol . Springer,
Heidelberg, pp –
. Paterson KG () ID-based signatures from pairings on ellip-
tic curves. Available at http://eprint.iacr.org///
. Paterson KG, Schuldt J () Efficient Identity-based signa-
tures secure in the standard model. In: th Australasian confer-
ence on information security and privacy (ACISP ’). Lecture
notes in computer science, vol . Springer, Heidelberg,
pp –, –
. Pointcheval D, Stern J () Security proofs for signature
schemes. In: Advances in cryptology – Eurocrypt ’. Lec-
ture notes in computer science, vol . Springer, Heidelberg,
pp –
. Pointcheval D, Stern J () Security arguments for digital
signatures and blind signatures. J Cryptol ():–
. Sakai R, Ohgishi K, Kasahara M () Cryptosystems based
on pairing. In: The symposium on cryptography and
information security, Okinawa, Japan
. Schnorr CP () Efficient identification and signatures for
smart cards. In: Advances in cryptology – Crypto ’. Lec-
ture notes in computer science, vol . Springer, Heidelberg,
pp –
. Shamir A () Identity based cryptosystems and signature
schemes. In: Advances in cryptology – Crypto ’. Lecture notes
in computer science, vol . Springer, Heidelberg