Chapter 2 Background
2.2 Identity-Based Cryptosystem
ID-Based Cryptosystem [9] was introduced by Shamir in 1984. The main idea is that the public key of a user can be derived from public information that uniquely identifies the user, such as an email address or IP address. The traditional approach is to use a public key infrastructure, in which a certification authority (CA) issues a certificate that binds a user's identity to his/her public key. The need to make authentic copies of entities' public keys available is a major drawback of public-key cryptography. With an ID-Based Cryptosystem, participants do not need to access a public key directory. The major advantage is that it simplifies key management, which is a heavy burden in traditional certificate-based cryptosystems.
Identity-Based Encryption
In 2001, Boneh and Franklin presented an efficient Identity-Based Encryption (IBE) scheme [10]. Encryption and decryption are performed using a bilinear map (the Weil pairing) over elliptic curves.
A bilinear map takes a pair of elements of a group G1 and sends it to an element of a group G2 in a way that satisfies certain properties. The most important is bilinearity: the map must be linear in each entry of the pair. The Weil pairing on elliptic curves is selected as the bilinear map; that is, the elliptic curve group serves as G1 and the multiplicative group of a finite field as G2.
Their ID-based encryption scheme works as follows. A trusted third party called the private key generator (PKG) initially chooses a secret master key s and announces the public information, including the elliptic curve equation, the base point P, the system public key sP, and the required hash functions.
Each user has the public key KU = QID, a point on the elliptic curve derived from his ID and known to all other users. The private key KR = sQID is obtained from the PKG.
To encrypt a message M, the sender randomly chooses an integer r and sends (U, V) = (rP, M ⊕ h(e(QID, sP)^r)) to the receiver, where h is a hash function announced by the PKG in the public information and e is the Weil pairing function to be elaborated in Section II-D. To decrypt the received cipher-text (U, V), the receiver uses the private key sQID to compute M = V ⊕ h(e(sQID, U)). This decryption procedure yields the correct message due to the bilinearity of the Weil pairing (i.e., e(sQID, U) = e(sQID, rP) = e(QID, sP)^r).
Fuzzy Identity-Based Encryption
In 2005, Sahai and Waters proposed Fuzzy Identity-Based Encryption (Fuzzy IBE) [4], in which a user can decrypt a cipher-text encrypted under another user's public key if and only if the two identities are within a certain distance under some metric.
Fuzzy IBE gives rise to two interesting new applications. The first is an Identity-Based Encryption system that uses biometric identities. That is, we can view a user’s biometric, for example an iris scan, as that user’s identity described by several attributes and then encrypt to the user using their biometric identity. Since biometric measurements are noisy, existing IBE systems cannot be used. However, the error-tolerance property of Fuzzy IBE allows a private key (derived from one measurement of a biometric) to decrypt a cipher-text encrypted with a slightly different measurement of the same biometric.
Secondly, Fuzzy IBE can be used for an application that we call “attribute-based encryption”. In this application a party wishes to encrypt a document to all users that have a certain set of attributes. For example, in a computer science department, the chairperson might want to encrypt a document to all of its systems faculty on a hiring committee. In this case it would encrypt to the identity {“hiring-committee”, “faculty”, “systems”}. Any user whose identity contains all of these attributes could decrypt the document. The advantage of using Fuzzy IBE is that the document can be stored on a simple untrusted storage server instead of relying on a trusted server to perform authentication checks before delivering the document.
Setup(d): Given a security parameter as input, the Private Key Generator (PKG) runs this algorithm to generate its master key mk and the public parameters params, which contain an error tolerance parameter d. Note that params is given to all interested parties while mk is kept secret.
Extract(mk, ID): Given the master key mk and an identity ID as input, the PKG runs this algorithm to generate the private key associated with ID, denoted DID. Here a user’s identity ID is a set of strings representing the user’s attributes.
Encrypt(M, ID’, params): Given the public parameters params, a target identity ID’, and a plaintext M as input, a sender runs this algorithm to generate a cipher-text C’.
Decrypt(C’, ID, params): Given the public parameters params, a private key DID associated with the identity ID, and a cipher-text C’ encrypted with an identity ID’ such that |ID’ ∩ ID| ≥ d as input, a receiver runs this algorithm to obtain either a plaintext or a “Reject” message. If the set overlap |ID ∩ ID’| is greater than or equal to d, the algorithm outputs the decrypted message M.
When the PKG creates a private key for a user, it associates a random polynomial q(x) of degree d − 1 with that user, with the restriction that every user's polynomial has the same value at point 0, that is q(0) = y.
If the user is able to “match” at least d components of the cipher-text with their private key components, then they will be able to perform decryption. However, since the private key components are tied to random polynomials, multiple users are unable to combine them in any way that allows for collusion attacks.
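As an added illustration (not code from this thesis or from Sahai and Waters), the following Python models only the polynomial-share mechanism behind Extract and Decrypt: each attribute share is a point on a per-user random polynomial with q(0) = y, any d matching shares recover y by Lagrange interpolation, and shares from two different users lie on different polynomials, so pooling them fails. The prime field, the fixed attribute universe and the attribute-to-index map are constructed assumptions; no pairing or message blinding is included, so the value recovered is y rather than a real plaintext.

```python
import secrets

# Constructed toy parameters (assumption): a prime field and a fixed attribute universe.
# Only the polynomial-share/threshold part of Fuzzy IBE is modelled; no pairing or
# message blinding, so decrypt() recovers the shared value y, not a real plaintext.
PRIME = 2**61 - 1
UNIVERSE = ["hiring-committee", "faculty", "systems", "theory", "staff"]

def attr_x(attr):
    """Public map from an attribute string to a nonzero evaluation point (1-based index)."""
    return UNIVERSE.index(attr) + 1

def extract(y, d, identity):
    """PKG: random degree-(d-1) polynomial q with q(0) = y; one share q(x) per attribute."""
    coeffs = [y % PRIME] + [secrets.randbelow(PRIME) for _ in range(d - 1)]
    q = lambda x: sum(c * pow(x, k, PRIME) for k, c in enumerate(coeffs)) % PRIME
    return {a: q(attr_x(a)) for a in identity}

def lagrange_at_zero(points):
    """Recover q(0) from deg+1 points (x_i, q(x_i)) by Lagrange interpolation mod p."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def decrypt(key, cipher_identity, d):
    """Receiver: needs |ID ∩ ID'| >= d matching shares; returns q(0) or None ('Reject')."""
    common = sorted(set(key) & set(cipher_identity), key=attr_x)
    if len(common) < d:
        return None
    return lagrange_at_zero([(attr_x(a), key[a]) for a in common[:d]])

def collude(keys, cipher_identity, d):
    """Several users pool their matching shares; each share lies on a different polynomial."""
    pooled = {}
    for key in keys:
        for a in set(key) & set(cipher_identity):
            pooled.setdefault(a, key[a])
    return decrypt(pooled, cipher_identity, d)

if __name__ == "__main__":
    Y, D = 424242, 2
    alice = extract(Y, D, {"hiring-committee", "faculty", "systems"})
    print(decrypt(alice, {"faculty", "systems", "theory"}, D) == Y)      # True: 2 attributes overlap
    print(decrypt(alice, {"theory", "staff"}, D))                        # None: Reject
    bob, carol = extract(Y, D, {"hiring-committee"}), extract(Y, D, {"theory"})
    print(collude([bob, carol], {"hiring-committee", "theory"}, D) == Y)  # False: shares don't mix
```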