The Boneh–Franklin scheme is an identity-based encryption system proposed by Dan Boneh and Matthew K. Franklin in 2001. This article refers to the protocol version called BasicIdent. It is an application of pairings (Weil pairing) over elliptic curves and finite fields.
Groups and parameters
As the scheme is based on pairings, all computations are performed in two groups,
For
Let
Setup
The private key generator (PKG) chooses:
- the public groups $G_1$ (with generator $P$) and $G_2$, with $q$ depending on security parameter $k$,
- the corresponding pairing $e$,
- a random private master-key $K_m = s \in \mathbb{Z}_q^*$,
- a public key $K_{pub} = sP$,
- a public hash function $H_1 : \{0,1\}^* \to G_1^*$,
- a public hash function $H_2 : G_2 \to \{0,1\}^n$ for some fixed $n$ and
- the message space and the cipher space $M = \{0,1\}^n$, $C = G_1^* \times \{0,1\}^n$
Extraction
To create the public key for
- $Q_{ID} = H_1(ID)$ and
- the private key $d_{ID} = sQ_{ID}$
Encryption
Given
- $Q_{ID} = H_1(ID) \in G_1^*$
- choose random $r \in \mathbb{Z}_q^*$
- compute $g_{ID} = e(Q_{ID}, K_{pub}) \in G_2$
- set $c = (rP, m \oplus H_2(g_{ID}^r))$.
Note that
Decryption
Given
Correctness
The primary step in both encryption and decryption is to employ the pairing and
The encrypting entity uses
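The following added example (not part of the original article and not the authors' implementation) runs Setup, Extraction and Encryption as listed above, decrypts $c = (u, v)$ as $v \oplus H_2(e(d_{ID}, u))$, and shows the ciphertext malleability that keeps BasicIdent from being chosen-ciphertext secure. It assumes a toy bilinear map in which the $G_1$ element $aP$ is stored as $a \bmod q$, constructed small parameters, and SHA-256 standing in for $H_1$ and $H_2$; this exposes discrete logs and is not secure, it only reproduces the algebra.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: p = 2q + 1, both prime.
Q, P_MOD, G = 1019, 2039, 4   # group order q, modulus of G_2, generator of G_2
N = 32                        # n = 256 bits, handled as 32 bytes
P = 1                         # generator P of G_1

# TOY MODEL (assumption of this example): the G_1 element aP is stored as a mod q,
# so discrete logs are exposed and nothing here is secure. Only the algebra is real.
def pairing(a, b):
    return pow(G, (a * b) % Q, P_MOD)          # e(aP, bP) = g^(ab) in G_2

def h1(identity):                              # H_1: {0,1}* -> G_1^* (never zero)
    d = hashlib.sha256(b"H1" + identity.encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def h2(elem):                                  # H_2: G_2 -> {0,1}^n
    return hashlib.sha256(b"H2" + elem.to_bytes(2, "big")).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = secrets.randbelow(Q - 1) + 1           # master key K_m = s in Z_q^*
    return s, (s * P) % Q                      # (K_m, K_pub = sP)

def extract(s, identity):
    return (s * h1(identity)) % Q              # d_ID = s Q_ID

def encrypt(k_pub, identity, m):
    if len(m) != N:
        raise ValueError("message must be exactly n bits")
    r = secrets.randbelow(Q - 1) + 1           # random r in Z_q^*
    g_id = pairing(h1(identity), k_pub)        # g_ID = e(Q_ID, K_pub)
    return (r * P) % Q, xor(m, h2(pow(g_id, r, P_MOD)))  # c = (rP, m XOR H_2(g_ID^r))

def decrypt(d_id, c):
    u, v = c                                   # e(d_ID, rP) = e(Q_ID, P)^(sr) = g_ID^r
    return xor(v, h2(pairing(d_id, u)))

def flip_bits(c, delta):
    # Malleability: XORing delta into v XORs delta into the decrypted plaintext.
    return c[0], xor(c[1], delta)

if __name__ == "__main__":
    s, k_pub = setup()
    m = b"meet at the gate".ljust(N)           # constructed sample message
    c = encrypt(k_pub, "alice@example.com", m)
    d = extract(s, "alice@example.com")
    print(decrypt(d, c) == m, decrypt(d, flip_bits(c, b"\x01" * N)) != m)
```

Because `flip_bits` needs no key, anyone who can submit modified ciphertexts for decryption learns related plaintexts, which is the gap the Fujisaki–Okamoto transformation closes.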
Security
The security of the scheme depends on the hardness of the bilinear Diffie-Hellman problem (BDH) for the groups used. It has been proved that in a random-oracle model, the protocol is semantically secure under the BDH assumption.
Improvements
BasicIdent is not chosen ciphertext secure. However, there is a universal transformation method due to Fujisaki and Okamoto that allows conversion to a scheme with this property, called FullIdent.