identity-based cryptographytailieudientu.lrc.tnu.edu.vn/upload/collection/...chapter i. introduction...


Post on 04-Jun-2020


IDENTITY-BASED CRYPTOGRAPHY


ISSN 1871-6431

Cryptology and Information Security Series

The Cryptology & Information Security Series (CISS) presents the latest research results in the theory and practice, analysis and design, implementation, application and experience of cryptology and information security techniques. It covers all aspects of cryptology and information security for an audience of information security researchers with specialized technical backgrounds.

Coordinating Series Editors: Raphael C.-W. Phan and Jianying Zhou

Series editors

Feng Bao, Institute for Infocomm Research, Singapore

Kefei Chen, Shanghai Jiaotong University, China

Robert Deng, SMU, Singapore

Yevgeniy Dodis, New York University, USA

Dieter Gollmann, TU Hamburg-Harburg, Germany

Markus Jakobsson, Indiana University, USA

Marc Joye, Thomson R&D, France

Javier Lopez, University of Malaga, Spain

Nasir Memon, Polytech University, USA

Chris Mitchell, RHUL, United Kingdom

David Naccache, École Normale Supérieure, France

Gregory Neven, IBM Research, Switzerland

Phong Nguyen, CNRS / École Normale Supérieure, France

Andrew Odlyzko, University of Minnesota, USA

Adam Young, MITRE Corporation, USA

Moti Yung, Columbia University, USA

Volume 2

Recently published in this series

Vol. 1. J. Lopez and J. Zhou (Eds.), Wireless Sensor Network Security


Identity-Based Cryptography

Edited by

Marc Joye

Thomson R&D, France

and

Gregory Neven

IBM Zürich Research Laboratory, Switzerland

Amsterdam • Berlin • Oxford • Tokyo • Washington, DC


© 2009 The authors and IOS Press.

All rights reserved. No part of this book may be reproduced, stored in a retrieval system,

or transmitted, in any form or by any means, without prior written permission from the publisher.

ISBN 978-1-58603-947-9

Library of Congress Control Number: 2008940895

Publisher

IOS Press

Nieuwe Hemweg 6B

1013 BG Amsterdam

The Netherlands

fax: +31 20 687 0019

e-mail: [email protected]

Distributor in the UK and Ireland

Gazelle Books Services Ltd.
White Cross Mills
Hightown
Lancaster LA1 4XS
United Kingdom
fax: +44 1524 63232
e-mail: [email protected]

Distributor in the USA and Canada

IOS Press, Inc.
4502 Rachael Manor Drive
Fairfax, VA 22032
USA
fax: +1 703 323 3668
e-mail: [email protected]

LEGAL NOTICE

The publisher is not responsible for the use which might be made of the following information.

PRINTED IN THE NETHERLANDS


Foreword

In an active field like that of cryptography, a problem that remains open for seventeen years must be a pretty tough problem. In a practically relevant field like that of cryptography, a solution that inspires hundreds of follow-up papers within a few years’ time must be a pretty interesting solution.

Posed as an open problem in 1984, but efficiently instantiated only in 2001, identity-based encryption hasn’t left the forefront of cryptographic research since. Praised by fans as the economical alternative to public-key infrastructures, booed by critics for its inherent key escrow — was that 1984 you said? — identity-based cryptography is also the topic of numerous debates in the cryptographic community.

This book looks beyond the controversy and intends to give an overview of the current state-of-the-art in identity-based cryptography. Since research on the topic is still actively continuing, this is necessarily a snapshot of a field in motion, rather than the final word about it. Still, we felt the main concepts have by now sufficiently matured to collect them in a single dedicated volume.

Each of the chapters in this volume is written by international experts on the topic. Our first word of thanks goes to the authors for their top-quality contributions to the book. Our special gratitude is due to Jean-Luc Beuchat, Jérémie Detrey, David Galindo, Kenny Paterson, and Nigel Smart who have looked over various portions of the book and have given comments and suggestions, and to Michel Abdalla for letting us use his extensive bibliographic library. We would also like to thank Juliette Joye for the beautiful illustration on the cover of this book. Finally, we would like to thank the people at IOS Press for the smooth interaction.

September 2008
Marc Joye
Gregory Neven

Identity-Based Cryptography
M. Joye and G. Neven (Eds.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.


Contents

Foreword
Marc Joye and Gregory Neven

Chapter I. Introduction to Identity-Based Cryptography
Antoine Joux

Chapter II. Pairings on Elliptic Curves
Frederik Vercauteren

Chapter III. Identity-Based Signatures
Eike Kiltz and Gregory Neven

Chapter IV. Identity-Based Encryption and Hierarchical Identity-Based Encryption
Sanjit Chatterjee and Palash Sarkar

Chapter V. Flexible IBE and Beyond in the Commutative-Blinding Framework
Xavier Boyen

Chapter VI. Generalized IBE in the Exponent-Inversion Framework
Xavier Boyen

Chapter VII. Forward-Secure Hierarchical IBE with Applications to Broadcast Encryption
Danfeng (Daphne) Yao, Nelly Fazio, Yevgeniy Dodis and Anna Lysyanskaya

Chapter VIII. Identity-Based Identification and Signature Schemes Using Error Correcting Codes
Pierre-Louis Cayrel, Philippe Gaborit and Marc Girault

Chapter IX. Certificateless Encryption
Sherman S.M. Chow

Chapter X. Attribute-Based Encryption
Amit Sahai, Brent Waters and Steve Lu

Chapter XI. On Generic Groups and Related Bilinear Problems
David Lubicz and Thomas Sirvent

Chapter XII. Software Implementation of Pairings
Darrel Hankerson, Alfred Menezes and Michael Scott

Chapter XIII. Hardware Implementation of Pairings
Maurice Keller, Robert Ronan, Andrew Byrne, Colin Murphy and William Marnane

Chapter XIV. Implementation Attacks & Countermeasures
Claire Whelan, Dan Page, Frederik Vercauteren, Michael Scott and William Marnane


Bibliography

Author Index


Chapter I

Introduction to Identity-Based Cryptography

Antoine JOUX

DGA and University of Versailles St-Quentin-en-Yvelines, France

Abstract. Identity-based cryptography is a new development of public-key cryptography. It was first proposed by Adi Shamir at CRYPTO ’84. However, it took the cryptographic community a long while to produce effective identity-based cryptosystems. Indeed, this solution only appeared at the beginning of the twenty-first century. Nowadays, identity-based cryptography has become a very active field of research. This introductory chapter presents the basics of identity-based cryptography and briefly surveys its early history.

1. Public-Key Cryptography, Certificates and Identity-Based Cryptography

Identity-based cryptography is an extension of the public-key paradigm, which was initially suggested by Adi Shamir [Sha85] at CRYPTO ’84. In order to better understand identity-based cryptography, we start by reviewing how traditional public-key systems are usually put to use in real-life applications. First, to offer reasonable speed, public-key encryption systems are usually used in conjunction with a secret-key encryption scheme. More precisely, the public-key scheme is used in order to produce a shared encryption key for the secret-key scheme, known to the sender and receiver of the communication. Once this is done, they simply use this common secret key for encrypting the rest of the communication. This initial phase is usually called a key exchange protocol. It can be devised in several ways. The simplest approach is simply to let the sender encrypt a random value R with a public-key encryption scheme such as RSA, using the receiver’s public key. Since R can be obtained by the receiver after decryption, it is a common value which can be used to key the secret-key encryption. Note that to avoid simple multiplicative attacks against RSA, for example the attacks described in [BJN00], R should preferably be of the length of the RSA modulus. This means that R is usually too long and must be truncated to obtain the secret key. The other classical approach is to use Diffie-Hellman key exchange, either in the multiplicative subgroup of a finite field or on an elliptic curve. There, the common value is no longer chosen by the sender but instead

Identity-Based Cryptography
M. Joye and G. Neven (Eds.)
IOS Press, 2009
© 2009 The author and IOS Press. All rights reserved.
doi:10.3233/978-1-58603-947-9-1
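The RSA key transport described in Section 1, as an added example that is not from the book: the sender draws R over the full range of the modulus and both sides truncate it to the secret key. It also shows the multiplicative property that makes a short R recoverable, which is the reason the chapter asks for an R as long as the modulus. The toy primes, the 16-byte key length and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def encrypt(r):
    """Textbook RSA, no padding, as in the passage."""
    return pow(r, E, N)

def truncate(r, key_bytes):
    """Keep the low-order bytes of R as the secret key."""
    return (r % (1 << (8 * key_bytes))).to_bytes(key_bytes, "big")

def transport_key(key_bytes=16):
    """Sender: draw R over the full range of the modulus, send R^E mod N."""
    r = 2 + secrets.randbelow(N - 3)
    return encrypt(r), truncate(r, key_bytes)

def receive_key(c, key_bytes=16):
    """Receiver: decrypt to recover R, then truncate the same way."""
    return truncate(pow(c, D, N), key_bytes)

def recover_short_r(c, half_bits):
    """Why R must not be short: if R = a*b with a, b < 2^half_bits, then
    c = a^E * b^E mod N, and a table of c / b^E meets a^E in the middle."""
    bound = 1 << half_bits
    table = {c * pow(encrypt(b), -1, N) % N: b for b in range(1, bound)}
    for a in range(1, bound):
        b = table.get(encrypt(a))
        if b is not None:
            return a * b
    return None

if __name__ == "__main__":
    c, key = transport_key()
    print("keys agree:", receive_key(c) == key)
    print("full-length R recovered:", recover_short_r(c, 8))
    short = 211 * 223                  # constructed 16-bit R
    print("short R recovered:", recover_short_r(encrypt(short), 8) == short)
```
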
