Boneh–Franklin scheme explained

The Boneh–Franklin scheme is an identity-based encryption system proposed by Dan Boneh and Matthew K. Franklin in 2001.[1] This article refers to the protocol version called BasicIdent. It is an application of pairings (Weil pairing) over elliptic curves and finite fields.

Groups and parameters

As the scheme is based upon pairings, all computations are performed in two groups, $G_1$ and $G_2$:

For $G_1$, let $p$ be prime, $p \equiv 2 \bmod 3$ and consider the elliptic curve $E: y^2 = x^3 + 1$ over $\mathbb{Z}/p\mathbb{Z}$. Note that this curve is not singular as $4a^3 + 27b^2 = 27 = 3^3$ only equals $0$ for the case $p = 3$ which is excluded by the additional constraint.

Let $q > 3$ be a prime factor of $p + 1$ (which is the order of $E$) and find a point $P \in E$ of order $q$. $G_1$ is the set of points generated by $P$: $\left\{ nP \mid n \in \left\{0, \ldots, q-1\right\} \right\}$

$G_2$ is the subgroup of order $q$ of $GF\left(p^2\right)^*$. We do not need to construct this group explicitly (this is done by the pairing) and thus don't have to find a generator.

$G_1$ is considered an additive group, being a subgroup of the additive group of points of $E$, while $G_2$ is considered a multiplicative group, being a subgroup of the multiplicative group of the finite field $GF(p^2)^*$.

Protocol description

Setup

The public key generator (PKG) chooses:

  1. the public groups $G_1$ (with generator $P$) and $G_2$ as stated above, with the size of $q$ depending on security parameter $k$,
  2. the corresponding pairing $e$,
  3. a random private master-key $K_m = s \in \mathbb{Z}_q^*$,
  4. a public key $K_{pub} = sP$,
  5. a public hash function $H_1: \left\{0,1\right\}^* \to G_1^*$,
  6. a public hash function $H_2: G_2 \to \left\{0,1\right\}^n$ for some fixed $n$ and

$\mathcal{M} = \left\{0,1\right\}^n, \mathcal{C} = G_1^* \times \left\{0,1\right\}^n$

Extraction

To create the public key for $ID \in \left\{0,1\right\}^*$, the PKG computes

  1. $Q_{ID} = H_1\left(ID\right)$ and
  2. the private key $d_{ID} = sQ_{ID}$ which is given to the user.

Encryption

Given $m \in \mathcal{M}$, the ciphertext $c$ is obtained as follows:

  1. $Q_{ID} = H_1\left(ID\right) \in G_1^*$,
  2. choose random $r \in \mathbb{Z}_q^*$,
  3. compute $g_{ID} = e\left(Q_{ID}, K_{pub}\right) \in G_2$ and
  4. set $c = \left(rP, m \oplus H_2\left(g_{ID}^r\right)\right)$.

Note that $K_{pub}$ is the PKG's public key and thus independent of the recipient's ID.

Decryption

Given $c = \left(u, v\right) \in \mathcal{C}$, the plaintext can be retrieved using the private key:

$m = v \oplus H_2\left(e\left(d_{ID}, u\right)\right)$

Correctness

The primary step in both encryption and decryption is to employ the pairing and $H_2$ to generate a mask (like a symmetric key) that is xor'ed with the plaintext. So in order to verify correctness of the protocol, one has to verify that an honest sender and recipient end up with the same values here.

The encrypting entity uses $H_2\left(g_{ID}^r\right)$, while for decryption, $H_2\left(e\left(d_{ID}, u\right)\right)$ is applied. Due to the properties of pairings, it follows that:

\begin{align}
H_2\left(e\left(d_{ID}, u\right)\right) &= H_2\left(e\left(sQ_{ID}, rP\right)\right)\\
&= H_2\left(e\left(Q_{ID}, P\right)^{rs}\right)\\
&= H_2\left(e\left(Q_{ID}, sP\right)^{r}\right)\\
&= H_2\left(e\left(Q_{ID}, K_{pub}\right)^{r}\right)\\
&= H_2\left(g_{ID}^{r}\right)\\
\end{align}

Security

The security of the scheme depends on the hardness of the bilinear Diffie-Hellman problem (BDH) for the groups used. It has been proved that in a random-oracle model, the protocol is semantically secure under the BDH assumption.

Improvements

BasicIdent is not chosen ciphertext secure. However, there is a universal transformation method due to Fujisaki and Okamoto[2] that allows for conversion to a scheme having this property, called FullIdent.
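
The Setup, Extraction, Encryption and Decryption steps above, together with the malleability behind the statement that BasicIdent is not chosen ciphertext secure, as an added example (not code from the paper or from this article's sources). It assumes a toy stand-in for the pairing: $G_1$ elements are stored as their discrete logarithms modulo $q$ and $e(aP, bP) = g^{ab}$, which is bilinear but gives no security. The parameters, the SHA-256-based $H_1$ and $H_2$, and $n = 16$ bytes are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: Q and MOD = 2*Q + 1 are prime, G has order Q.
Q, MOD, G = 1019, 2039, 4
N = 16   # message length n in bytes (assumed for this example)
P = 1    # generator of the modelled G1 (elements are stored as discrete logs)

def pairing(a, b):
    """Stand-in for e: e(aP, bP) = G^(ab). Bilinear, but NOT secure."""
    return pow(G, a * b % Q, MOD)

def h1(identity):
    """H1: {0,1}* -> G1*; never returns the identity element 0."""
    digest = hashlib.sha256(b"H1" + identity).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def h2(elem):
    """H2: G2 -> {0,1}^n."""
    return hashlib.sha256(b"H2" + elem.to_bytes(2, "big")).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = secrets.randbelow(Q - 1) + 1             # master key s in Z_q^*
    return s, s * P % Q                          # (K_m, K_pub = sP)

def extract(s, identity):
    return s * h1(identity) % Q                  # d_ID = s * Q_ID

def encrypt(k_pub, identity, m):
    if len(m) != N:
        raise ValueError("message must be exactly N bytes")
    r = secrets.randbelow(Q - 1) + 1             # r in Z_q^*
    g_id = pairing(h1(identity), k_pub)          # g_ID = e(Q_ID, K_pub)
    return r * P % Q, xor(m, h2(pow(g_id, r, MOD)))   # (rP, m xor H2(g_ID^r))

def decrypt(d_id, c):
    u, v = c
    return xor(v, h2(pairing(d_id, u)))          # v xor H2(e(d_ID, u))

def flip_bits(c, delta):
    """No key needed: XORing delta into v XORs it into the plaintext.
    This malleability is why BasicIdent is not chosen-ciphertext secure."""
    u, v = c
    return u, xor(v, delta)
```

Because the mask depends only on $u$, any change to $v$ passes through to the decrypted message undetected; FullIdent adds the integrity check that rejects such ciphertexts.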

References

  1. Dan Boneh, Matthew K. Franklin, "Identity-Based Encryption from the Weil Pairing", Advances in Cryptology – Proceedings of CRYPTO 2001 (2001)
  2. Eiichiro Fujisaki, Tatsuaki Okamoto, "Secure Integration of Asymmetric and Symmetric Encryption Schemes", Advances in Cryptology – Proceedings of CRYPTO 99 (1999). Full version appeared in J. Cryptol. (2013) 26: 80–101
