## Identity-based encryption from the Weil pairing (2001)

Citations: | 1124 - 22 self |

### BibTeX

@INPROCEEDINGS{Boneh01identity-basedencryption,
    author = {Dan Boneh and Matthew Franklin},
    title = {Identity-based encryption from the Weil pairing},
    booktitle = {},
    year = {2001},
    pages = {213--229},
    publisher = {Springer-Verlag}
}

### Abstract

We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity-based encryption schemes and give several applications for such systems.

### Citations

2467 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1996 |

1768 | How to Share a Secret
- Shamir
- 1979
Citation Context ...utes $Q_{priv} = sQ_{ID}$, where $Q_{ID}$ is derived from the user's public key ID. This can easily be distributed in a t-out-of-n fashion by giving each of the n PKGs one share $s_i$ of a Shamir secret sharing [25] of $s \bmod q$. When generating a private key each of the t chosen PKGs simply responds with $Q^{(i)}_{priv} = s_i Q_{ID}$. The user can then construct $Q_{priv}$ as Q priv = P i Q (i) priv where the i 's are t... |

1335 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ... our main result. Random oracle model. To analyze the security of certain natural cryptographic constructions Bellare and Rogaway introduced an idealized security model called the random oracle model [3]. Roughly speaking, a random oracle is a function H : X → Y chosen uniformly at random from the set of all functions {h : X → Y } (we assume Y is a finite set). An algorithm can query the random ora... |

1179 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context ...tity based encryption. The proof of security for our IBE system makes use of a weaker notion of security known as semantic security (also known as semantic security against a chosen plaintext attack) [24, 2]. Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited; it cannot issue decryption queries while attacking the challenge public key. For a s... |

1114 | A public-key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context ...oints of small order, and hence is much faster. 6 Escrow ElGamal encryption In this section we note that the Weil pairing enables us to add a simple escrow capability to the ElGamal encryption system [8]. The ElGamal escrow system works as follows: Setup: The algorithm works as follows: Step 1: Choose a large k-bit prime p such that p = 2 mod 3 and p = 6q 1 for some prime q. Let E be the elliptic cur... |

833 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation Context ... a usable IBE system is still an open problem. Interestingly, the related notions of identity-based signature and authentication schemes, also introduced by Shamir [27], do have satisfactory solutions [11, 10]. In this paper we propose a fully functional identity-based encryption scheme. The performance of our system is comparable to the performance of ElGamal encryption in $\mathbb{F}_p^*$. The security of our syste... |

819 | The Arithmetic of Elliptic Curves
- Silverman
- 1986
Citation Context ... satisfying p = 2 mod 3 and let q > 3 be some prime factor of p + 1. Let E be the elliptic curve defined by the equation $y^2 = x^3 + 1$ over $\mathbb{F}_p$. We state a few elementary facts about this curve E (see [43] for more information). From here on we let $E(\mathbb{F}_{p^r})$ denote the group of points on E defined over $\mathbb{F}_{p^r}$. Fact 1: Since $x^3 + 1$ is a permutation on $\mathbb{F}_p$ it follows that the group $E(\mathbb{F}_p)$ contains p + 1 points.... |

719 | Identity-based cryptosystems and signature schemes
- Shamir
- 1985
Citation Context ...roblem. Our system is based on the Weil pairing. We give precise definitions for secure identity based encryption schemes and give several applications for such systems. 1 Introduction In 1984 Shamir [27] asked for a public key encryption scheme in which the public key can be an arbitrary string. In such a scheme there are four algorithms: (1) setup generates global system parameters and a master-key,... |

559 | Short signatures from the Weil pairing
- Lynn, Shacham
- 2001
Citation Context ...omized. This shows that secure IBE schemes incorporate both public key encryption and digital signatures. We note that the signature scheme derived from our IBE system has some interesting properties [4]. 7 Escrow ElGamal encryption In this section we note that the Weil pairing enables us to add a global escrow capability to the ElGamal encryption system. A single escrow key enables the decryption of... |

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation Context ...build chosen ciphertext secure identity based systems that are secure under standard complexity assumptions (rather than the random oracle model). One might hope to use the techniques of Cramer-Shoup [6] to provide chosen ciphertext security based on DDH. Unfortunately, as mentioned in Section 2 the DDH assumption is false in the group of points on the curve E. However, a natural variant of DDH does ... |

450 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
Citation Context ...To argue about the security of our IBE system we define chosen ciphertext security for identity-based encryption. Our model is slightly stronger than the standard model for chosen ciphertext security [25, 1]. While mounting a chosen ciphertext attack on the public key ID, the attacker could ask the PKG for the private key of some public key ID′ ≠ ID. This private key might help the attacker. Hence, dur... |

450 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 2000
Citation Context ...arams, ID, C, d) = M where C = Encrypt(params, ID, M) Chosen ciphertext security. Chosen ciphertext security (IND-CCA) is the standard acceptable notion of security for a public key encryption scheme [25, 1, 9]. Hence, it is natural to require that an identity-based encryption scheme also satisfy this strong notion of security. However, the definition of chosen ciphertext security must be strengthened a bit... |

339 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1992
Citation Context ...To argue about the security of our IBE system we define chosen ciphertext security for identity-based encryption. Our model is slightly stronger than the standard model for chosen ciphertext security [25, 1]. While mounting a chosen ciphertext attack on the public key ID, the attacker could ask the PKG for the private key of some public key ID′ ≠ ID. This private key might help the attacker. Hence, dur... |

310 | Zero-knowledge Proof of Identity
- Feige, Fiat, et al.
- 1988
Citation Context ... a usable IBE system is still an open problem. Interestingly, the related notions of identity-based signature and authentication schemes, also introduced by Shamir [27], do have satisfactory solutions [11, 10]. In this paper we propose a fully functional identity-based encryption scheme. The performance of our system is comparable to the performance of ElGamal encryption in $\mathbb{F}_p^*$. The security of our syste... |

292 | Efficient Algorithms for Pairing-Based Cryptosystems
- Barreto, Kim, et al.
- 2002
Citation Context ...ieties are proposed by Rubin and Silverberg [39]. We note that both encryption and decryption in FullIdent can be made faster by using the Tate pairing on elliptic curves rather than the Weil pairing [19, 1]. Asymmetric pairings. Our IBE system can use slightly more general bilinear maps, namely maps of the form $\hat{e} : G_0 \times G_1 \to G_2$ where $G_0$, $G_1$, $G_2$ are three groups of prime order q. Using the notation of Se... |

285 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
Citation Context ... Diffie-Hellman problem in $G_1$ is hard. We use the Weil pairing on elliptic curves as an example of such a map. Until recently the Weil pairing has mostly been used for attacking elliptic curve systems [22, 13]. Joux [17] recently showed that the Weil pairing can be used for “good” by using it in a protocol for three party one round Diffie-Hellman key exchange. Using similar ideas, Verheul [30] recently con... |

261 | A one round protocol for tripartite Diffie-Hellman
- Joux
Citation Context ...problem in $G_1$ is hard. We use the Weil pairing on elliptic curves as an example of such a map. Until recently the Weil pairing has mostly been used for attacking elliptic curve systems [22, 13]. Joux [17] recently showed that the Weil pairing can be used for “good” by using it in a protocol for three party one round Diffie-Hellman key exchange. Using similar ideas, Verheul [30] recently constructed an... |

221 | Lower bounds for discrete logarithms and related problems
- Shoup
- 1997
Citation Context ... step above one can avoid having to pick a random element from the $H_2^{list}$ by using the random self reduction of the BDH problem. This requires running algorithm A multiple times (as in Theorem 7 of [42]). The success probability for solving the given BDH problem increases at the cost of also increasing the running time. Proof of Theorem 4.1. The theorem follows directly from Lemma 4.2 and Lemma 4.3.... |

205 | An identity based encryption scheme based on quadratic residues
- Cocks
- 2001
Citation Context ...ample, it could be interesting to see whether the techniques of [30] can be used to prove that the BDH assumption is equivalent to the discrete log assumption on the curve for certain primes p. Cocks [8] recently proposed another IBE system whose security is based on the difficulty of distinguishing quadratic residues from non-residues in the ring Z/NZ where N is an RSA modulus (i.e., a product of tw... |

196 | The decision Diffie-Hellman problem
- Boneh
- 1998
Citation Context ... for discrete log to be hard in $G_1$ we must choose our security parameter so that discrete log is hard in $G_2$ (see Section 5). Decision Diffie-Hellman is Easy: The Decision Diffie-Hellman problem (DDH) [4] in $G_1$ is to distinguish between the distributions $\langle P, aP, bP, abP \rangle$ and $\langle P, aP, bP, cP \rangle$ where a, b, c are random in $\mathbb{Z}_q^*$ and P is random in $G_1^*$. Joux and Nguyen [28] point out that DDH in $G_1$ is ea... |

174 | Cryptosystems based on pairing
- Sakai, Ohgishi, et al.
- 2000
Citation Context ...tisfy the BDH assumption. We note that Joux [20] (implicitly) used the BDH assumption to construct a one-round three party Diffie-Hellman protocol. The BDH assumption is also needed for constructions in [35, 31]. It is interesting to study the relationship of the BDH problem to other hard problems used in cryptography. Currently, all we can say is that the BDH problem in $\langle G_1, G_2, \hat{e} \rangle$ is no harder than t... |

172 | Secure Integration of Asymmetric and Symmetric Encryption Schemes
- Fujisaki, Okamoto
- 1999
Citation Context ...letely insecure when extraction queries are allowed. One way identity-based encryption. The proof of security for our IBE system makes use of a weak notion of security called one-way encryption (OWE) [12]. OWE is defined for standard public key encryption schemes (not identity based) as follows: the attacker A is given a random public key $K_{pub}$ and a ciphertext C which is the encryption of a random mes... |

142 | Implementing the Tate pairing
- Galbraith, Harrison, et al.
- 2002
Citation Context ...ieties are proposed by Rubin and Silverberg [39]. We note that both encryption and decryption in FullIdent can be made faster by using the Tate pairing on elliptic curves rather than the Weil pairing [19, 1]. Asymmetric pairings. Our IBE system can use slightly more general bilinear maps, namely maps of the form $\hat{e} : G_0 \times G_1 \to G_2$ where $G_0$, $G_1$, $G_2$ are three groups of prime order q. Using the notation of Se... |

132 | Secure distributed key generation for discrete-log based cryptosystems
- Gennaro, Jarecki, et al.
- 1999
Citation Context ...an assumption on elliptic curves. Based on this assumption we show that the new system has chosen ciphertext security in the random oracle model. Using standard techniques from threshold cryptography [14, 15] the PKG in our scheme can be distributed so that the master-key is never available in a single location. Unlike common threshold systems, we show that robustness for our distributed PKG is free. Our ... |

117 | On the exact security of Full Domain Hash
- Coron
- 2000
Citation Context .... This shows that B’s advantage is at least $\epsilon/e(1+q_E)$ as required. □ The analysis used in the proof of Lemma 4.2 uses a similar technique to Coron’s analysis of the Full Domain Hash signature scheme [9]. Next, we show that BasicPub is a semantically secure public key system if the BDH assumption holds. Lemma 4.3. Let $H_2$ be a random oracle from $G_2$ to $\{0, 1\}^n$. Let A be an IND-CPA adversary that has ... |

112 | Elliptic functions - Lang - 1973 |

104 | Public-key encryption in a multi-user setting: Security proofs and improvements
- Bellare, Boldyreva, et al.
- 2000
Citation Context ...sary is challenged on a random public key (rather than a public key of her choice). Private key extraction queries are related to the definition of chosen ciphertext security in the multiuser settings [5]. After all, our definition involves multiple public keys belonging to multiple users. In [5] the authors show that multiuser IND-CCA is reducible to single user IND-CCA using a standard hybrid ar... |

100 | New explicit conditions of elliptic curve traces for FR-reduction, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
- Miyaji, Takano
- 2001
Citation Context ... abc with non-negligible probability. If one is willing to accept this assumption then we can avoid using supersingular curves and instead use elliptic curves over $\mathbb{F}_p$, p > 3 proposed by Miyaji et al. [35]. Curves $E/\mathbb{F}_p$ in this family are not supersingular and have the property that if q divides $|E(\mathbb{F}_p)|$ then $E[q] \subseteq E(\mathbb{F}_{p^6})$ (recall that E[q] is the group containing all point in E of order dividing q). O... |

87 | Supersingular Curves in Cryptography
- Galbraith
- 2001
Citation Context ... of the curves being used and the definition of the pairing. For example, one could use the curve $y^2 = x^3 + x$ with its endomorphism : (x; y) ! ( x; iy) where i 2 = 1. As another example, Galbraith [15] suggests using special supersingular elliptic curves over a field of small characteristic to reduce the ciphertext size in our system. We also note that both encryption and decryption in FullIdent can ... |

76 | Evidence that XTR is more secure than supersingular elliptic curve cryptosystems (full version)
- Verheul
Citation Context ... systems [22, 13]. Joux [17] recently showed that the Weil pairing can be used for “good” by using it in a protocol for three party one round Diffie-Hellman key exchange. Using similar ideas, Verheul [30] recently constructed an ElGamal encryption scheme where each public key has two corresponding private keys. In addition to our identity-based encryption scheme, we show how to construct an ElGamal en... |

65 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups
- Joux, Nguyen
Citation Context ...ficient algorithm, due to Miller, to compute ê(P, Q). This algorithm is described in [2]. Its run time is comparable to a full exponentiation in $\mathbb{F}_p$. 3.1 Weil Diffie-Hellman Assumption Joux and Nguyen [18] point out that although the Computational Diffie-Hellman problem (CDH) appears to be hard in the group $G_q$, the Decisional Diffie-Hellman problem (DDH) is easy in $G_q$. Observe that given P, aP, bP, cP ∈... |

62 | The Weil and Tate pairings as building blocks for public key cryptosystems
- Joux
- 2002
Citation Context ...DH in $G_1$ or $G_2$ is sufficient for solving BDH in $\langle G_1, G_2, \hat{e} \rangle$. The converse is currently an open problem: is an algorithm for BDH sufficient for solving CDH in $G_1$ or in $G_2$? We refer to a survey by Joux [27] for a more detailed analysis of the relationship between BDH and other standard problems. We note that in all our examples (in Section 5.1) the isomorphisms from $G_1$ to $G_2$ induced by the bilinear map ... |

61 | Short programs for functions on curves. Unpublished manuscript - Miller - 1986 |

54 | The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems
- Frey, Müller, et al.
- 1999
Citation Context ...Diffie-Hellman problem in $G_1$ is hard. We use the Weil pairing on elliptic curves as an example of such a map. Until recently the Weil pairing has mostly been used for attacking elliptic curve systems [32, 17]. Joux [26] recently showed that the Weil pairing can be used for “good” by using it for a protocol for three party one round Diffie-Hellman key exchange. Sakai et al. [40] used the pairing for key ex... |

45 | Supersingular abelian varieties in cryptology
- Rubin, Silverberg
- 2002
Citation Context ...] suggests using supersingular elliptic curves over a field of small characteristic to reduce the ciphertext size in our system. More general Abelian varieties are proposed by Rubin and Silverberg [39]. We note that both encryption and decryption in FullIdent can be made faster by using the Tate pairing on elliptic curves rather than the Weil pairing [19, 1]. Asymmetric pairings. Our IBE system can... |

42 | Non-interactive public-key cryptography
- Maurer, Yacobi
- 1991
Citation Context ...e key. We discuss key revocation, as well as several new applications for IBE schemes in the next section. Since the problem was posed in 1984 there have been several proposals for IBE schemes (e.g., [7, 29, 28, 21]). However, none of these are fully satisfactory. Some solutions require that users not collude. Other solutions require the PKG to spend a long time for each private key generation request. Some solu... |

41 | A one round protocol for tripartite Diffie-Hellman
- Joux
- 2000
Citation Context ...roblem in $G_1$ is hard. We use the Weil pairing on elliptic curves as an example of such a map. Until recently the Weil pairing has mostly been used for attacking elliptic curve systems [25, 14]. Joux [20] recently showed that the Weil pairing can be used for “good” by using it in a protocol for three party one round Diffie-Hellman key exchange. Using similar ideas, Verheul [35] recently constructed an El... |

38 | The Decision Diffie-Hellman Problem
- Boneh
- 1998
Citation Context ...that for discrete log to be hard in $G_1$ we must choose our security parameter so that discrete log is hard in $G_2$ (see Section 5). Decision Diffie-Hellman is Easy: The Decision Diffie-Hellman problem (DDH) [2] in $G_1$ is to distinguish between the distributions $\langle P, aP, bP, abP \rangle$ and $\langle P, aP, bP, cP \rangle$ where a, b, c are random in $Z_q$ and P is random in $G_1$. Joux and Nguyen [21] point out that DDH in $G_1$ is ea... |

37 | An introduction to threshold cryptography
- Gemmell
- 1997
Citation Context ...an assumption on elliptic curves. Based on this assumption we show that the new system has chosen ciphertext security in the random oracle model. Using standard techniques from threshold cryptography [14, 15] the PKG in our scheme can be distributed so that the master-key is never available in a single location. Unlike common threshold systems, we show that robustness for our distributed PKG is free. Our ... |

27 | A realization scheme for the identity-based cryptosystem
- Tanaka
- 1988
Citation Context ...e key. We discuss key revocation, as well as several new applications for IBE schemes in the next section. Since the problem was posed in 1984 there have been several proposals for IBE schemes (e.g., [7, 29, 28, 21]). However, none of these are fully satisfactory. Some solutions require that users not collude. Other solutions require the PKG to spend a long time for each private key generation request. Some solu... |

22 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups, J. Cryptology Online First, available from http://eprint.iacr.org/2001/003
- Joux, Nguyen
Citation Context ...cision Diffie-Hellman problem (DDH) [2] in $G_1$ is to distinguish between the distributions $\langle P, aP, bP, abP \rangle$ and $\langle P, aP, bP, cP \rangle$ where a, b, c are random in $Z_q$ and P is random in $G_1$. Joux and Nguyen [21] point out that DDH in $G_1$ is easy. To see this, observe that given $P, aP, bP, cP \in G_1$ we have $c = ab \bmod q \iff \hat{e}(P, cP) = \hat{e}(aP, bP)$. The Computational Diffie-Hellman problem (CDH) in $G_1$ can sti... |

21 | Public-key systems based on the difficulty of tampering (is there a difference between
- Desmedt, Quisquater
- 1986
Citation Context ...e key. We discuss key revocation, as well as several new applications for IBE schemes in the next section. Since the problem was posed in 1984 there have been several proposals for IBE schemes (e.g., [7, 29, 28, 21]). However, none of these are fully satisfactory. Some solutions require that users not collude. Other solutions require the PKG to spend a long time for each private key generation request. Some solu... |

16 | Self-delegation with controlled propagation -- or -- what if you lose your laptop
- Goldreich, Pfitzmann, et al.
- 1998
Citation Context ...top is stolen, only the private key for those seven days are compromised. The master-key is unharmed. This is analogous to the delegation scenario for signature schemes considered by Goldreich et al. [16]. 2. Delegation of duties. Suppose Alice encrypts mail to Bob using the subject line as the IBE encryption key. Bob can decrypt mail using his master-key. Now, suppose Bob has several assistants each ... |

15 | Public-key encryption in a multi-user setting
- Bellare, Boldyreva, et al.
- 2000
Citation Context ...ker is challenged on a random public key (rather than a public key of her choice). Private key extraction queries are related to the definition of chosen ciphertext security in the multiuser settings [4]. After all, our definition involves multiple public keys belonging to multiple users. In [4] the authors show that multiuser IND-CCA is reducible to single user IND-CCA using a standard hybrid a... |

15 | Conditional oblivious transfer and timed-release encryption
- Crescenzo, Rajagopalan
- 1999
Citation Context ...ate with any third party to obtain Bob's daily public key. This approach enables Alice to send messages into the future: Bob will only be able to decrypt the e-mail on the date specified by Alice (see [30, 9] for methods of sending messages into the future using a stronger security model). 1.1.2 Delegation of Decryption Keys Another application for IBE systems is delegation of decryption capabilities. We ... |

13 | T.Itoh, An ID-based cryptosystem based on the discrete logarithm problem
- Tsuji
- 1989 |

8 | Time lock puzzles and timed release cryptography
- Rivest, Shamir, et al.
Citation Context ...te with any third party to obtain Bob’s daily public key. This approach enables Alice to send messages into the future: Bob will only be able to decrypt the e-mail on the date specified by Alice (see [26, 8] for methods of sending messages into the future using a stronger security model). Delegation of Decryption Keys Another application for IBE systems is delegation of decryption capabilities. We give t... |

7 | Towards Practical Non-interactive Public Key Cryptosystems Using Non-maximal Imaginary Quadratic Orders
- Hühnlein, Jacobson, et al.
- 2000
Citation Context ... private key. We discuss key revocation, as well as several new applications for IBE schemes in the next section. Since the problem was posed in 1984 there have been several proposals for IBE schemes [8, 34, 33, 24, 19] (see also [26, p. 561]). However, none of these are fully satisfactory. Some solutions require that users not collude. Other solutions require the PKG to spend a long time for each private key genera... |

6 | Short Programs for Functions on Curves," unpublished manuscript - Miller - 1986 |

6 | Identity based encryption from the Weil pairing. Extended abstract
- Boneh, Franklin
- 2001
Citation Context ...ot collude. Other solutions require the PKG to spend a long time for each private key generation request. Some solutions require tamper resistant hardware. It is fair to say that until the results in [5] constructing a usable IBE system was an open problem. Interestingly, the related notions of identity-based signature and authentication schemes, also introduced by Shamir [41], do have satisfactory s... |