Journal of Multidisciplinary Engineering Science and Technology (JMEST), ISSN: 2458-9403, Vol. 6 Issue 12, December 2019, Special Issue

Identity-Based Encryption Schemes – A Review

Boon Chian Tea (1), Muhammad Rezal Kamel Ariffin (1,2), Muhammad Asyraf Asbullah* (1,3)

(1) Institute for Mathematical Research (INSPEM), Universiti Putra Malaysia, 43400 UPM Serdang, Malaysia.
(2) Faculty of Science, Universiti Putra Malaysia, 43400 UPM Serdang, Malaysia.
(3) Centre of Foundation Studies for Agricultural Science, Universiti Putra Malaysia, 43400 UPM Serdang, Malaysia.

Abstract — Identity-based encryption (IBE) lets a user's public key be derived explicitly from an arbitrary string, such as a name or an email address, that serves as the user's identity. This gives a certificate-free encryption platform while preserving message confidentiality. In this paper several identity-based encryption schemes are reviewed, ranging from the first practical and well-known Boneh-Franklin IBE scheme, based on a pairing function, to recent IBE schemes based on lattices. The aim of this review is to give an extensive view and classification of these IBE schemes according to their setting, including the underlying primitives used in the parameter setup, the fundamental hardness assumptions behind the schemes, and a comparative analysis of computational complexity and efficiency. This review does not consider variants of IBE such as hierarchical IBE, fuzzy IBE and similar categories. Some current trends in IBE research and implementation, along with possible suggestions for designing new IBE schemes, are given as the conclusion of this review.

Keywords — Identity-Based Encryption, Pairing Function, Multivariate, Trapdoor Subgroup, Lattice, Post-Quantum.

I. INTRODUCTION

The advancement of public key cryptography since 1976 has provided the world with a new paradigm for achieving secure communication [1]. Using a pair of distinct public and private keys (as in the well-known RSA cryptosystem and Elliptic Curve Cryptography (ECC)), communicating parties can encrypt and decrypt messages sent over an insecure network channel. The benefit of public key cryptography could not, however, be fully realised, because public key cryptography is not as user-friendly as one might expect [2,3]. Making the situation worse, key management raises two issues: (i) the storage capacity required to archive every distinct user's private key for recovery purposes is large, and (ii) the processes of certifying and validating users' keys are costly and lengthy. Both are major drawbacks in practical deployment.

In 1984 Shamir proposed generating a user's public key from an arbitrary string, such as the user's name, email address or contact number, while a trusted authority explicitly computes the user's corresponding private key; this is identity-based cryptography (IBC), proposed to overcome the issues mentioned above [4]. This new paradigm of encryption provides a certificate-free platform that effectively removes the key management burden from the server. However, it became a reality only 16 years later, when Boneh and Franklin designed a practical and secure identity-based encryption (IBE) scheme using bilinear pairings on elliptic curves [5]. Since then pairing functions and IBE have gained the attention of many researchers, leading to the birth of pairing-based cryptography.

The design of IBE schemes is not limited to pairing functions. In the same year as Boneh and Franklin, Clifford Cocks proposed an IBE scheme whose underlying primitive is the number-theoretic quadratic residuosity problem [6]. His design is computationally cheaper and more efficient than the Boneh-Franklin IBE, but loses out on ciphertext length (explained further in a later section). Nevertheless, it opened alternative routes for researchers to construct IBE schemes from approaches other than pairings. Some researchers later considered the trapdoor subgroup over the integers modulo a composite number as their primitive [7,8].

As research progressed, linear algebra was also adopted in recent years for designing IBE schemes. One problem worth mentioning is that of lattices, since lattice-based cryptography is one of the four (4) main areas currently expected to be post-quantum (besides hash-based, code-based and multivariate quadratic polynomial cryptography). It also involves only linear operations, which are computationally cheap and efficient; hence more focus has been given to this area, especially in designing encryption and signature schemes.

There are many surveys and reviews of IBE schemes, capturing the original designs and their modifications, along with enhancements and improvements made since. However, most of these papers either consider only IBE under a single primitive (pairing-based or lattice-based), comparing their own enhancement with previous works, or include too many technical details and too much mathematics for readers who have just started to learn about IBE. This does not imply that those papers are not good; rather it

restricts the reader to a comparison within one environment. Expert readers who wish to focus on a specific primitive may consider the articles by Boyen [9], who discusses pairing-based IBE in detail, and by Hanaoka and Yamada [10], who survey lattice-based IBE thoroughly.

A. Our Contribution

In this paper we review several IBE schemes, ranging from the very first practical IBE scheme based on a pairing function, due to Boneh and Franklin, up to the currently active designs of IBE based on lattices. We do not consider IBE extensions such as Hierarchical IBE (HIBE) or other variants such as Fuzzy IBE and similar categories [11,12,13]. We also try to simplify our content with fewer technical details, targeting newcomers who wish to start researching IBE.

The layout of this article is as follows. In Section 2 we give preliminaries for the selected IBE schemes, considering the fundamental primitives used in their designs. The selected IBE schemes and the security model are presented in Section 3. Computational efficiency and computational complexity are described in Section 4. We conclude our review in Section 5.

II. PRELIMINARIES

In this section we describe the fundamental mathematical tools used in designing the selected IBE schemes. Current IBE schemes are based on four (4) different primitives, namely bilinear pairings on elliptic curves, quadratic residuosity, trapdoor subgroups over the integers modulo a composite number, and lattices.

A. Bilinear Pairing and Diffie-Hellman (DH) Variants

Pairing functions have been known since 1940 from the work of a few authors, and an efficient algorithm for computing them is due to Miller [14,15,16,17,18]. Confined to theoretical studies at first, their practical use only began in 1993, when Menezes et al. used pairings to attack Elliptic Curve Cryptography (ECC) [19]. The first constructive use of pairings came in 2000, when Joux proposed a one-round tripartite key exchange using a pairing function, solving the key distribution problem among three parties and initiating research into pairing-based cryptography [20].

The definition of a pairing function and its properties are given as follows.

Definition 1 [21]. (Pairing) Let $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ be finite cyclic groups. A pairing function is a map $\hat{e}: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ that satisfies the following properties:
i. Bilinearity. For all $P, Q \in \mathbb{G}_1$ and $R \in \mathbb{G}_2$, $\hat{e}(P + Q, R) = \hat{e}(P, R) \cdot \hat{e}(Q, R)$, and for all $P \in \mathbb{G}_1$ and $Q, R \in \mathbb{G}_2$, $\hat{e}(P, Q + R) = \hat{e}(P, Q) \cdot \hat{e}(P, R)$.
ii. Non-degeneracy. The pairing is not trivial: for generators $P$ of $\mathbb{G}_1$ and $Q$ of $\mathbb{G}_2$, $\hat{e}(P, Q) \neq 1$.
iii. Computability. The pairing $\hat{e}$ is efficiently computable.
Furthermore, if $\mathbb{G}_1 = \mathbb{G}_2$ the pairing is called symmetric, otherwise asymmetric.

The fundamental hardness behind pairing functions lies in the difficulty of solving the Bilinear Diffie-Hellman Problem, a variant of the original Diffie-Hellman Problem (DHP), defined as follows [22].

Definition 2. (Diffie-Hellman Problem) Let $p$ be a prime and $g$ a generator of the finite cyclic group $\mathbb{Z}_p^*$. The Diffie-Hellman Problem is: given $g^a \pmod p$ and $g^b \pmod p$ for some integers $a, b \in \mathbb{Z}_p^*$, compute $g^{ab} \pmod p$.

Definition 3. (Decisional Diffie-Hellman Problem) Extending Definition 2, the Decisional DHP is: given a tuple $(g, g^a, g^b, g^c)$ for an integer $c \in \mathbb{Z}_p^*$, decide whether $g^c = g^{ab}$, i.e. whether $c \equiv ab \pmod{p-1}$, or $c$ is random.

Definition 4. (Bilinear Diffie-Hellman Problem) Let $\mathbb{G}$ and $\mathbb{G}_T$ be finite cyclic groups of prime order $q$ and let $P$ be a generator of $\mathbb{G}$. Let $\hat{e}: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be a bilinear map. The Bilinear DHP is: given $(P, aP, bP, cP)$ for some integers $a, b, c \in \mathbb{Z}_q^*$, compute $\hat{e}(P, P)^{abc}$.

Definition 5. (Decisional Bilinear Diffie-Hellman Problem) Extending Definition 4, the Decisional Bilinear DHP is: given $(P, aP, bP, cP)$ for $a, b, c \in \mathbb{Z}_q^*$ together with an element $T \in \mathbb{G}_T$, decide whether $T = \hat{e}(P, P)^{abc}$ or $T$ is a random element of $\mathbb{G}_T$. Note that the decisional problem must be posed in $\mathbb{G}_T$: deciding whether a fourth group element equals $abP$ is easy in a pairing group, since one can test $\hat{e}(aP, bP) = \hat{e}(P, abP)$.

In the next section we observe how these four (4) problems (alternatively known as assumptions) provide the security of their corresponding IBE schemes. Other than the four problems above there are several other Diffie-Hellman variants, such as the $q$-Bilinear Diffie-Hellman Inversion problem, which are not discussed here because the IBE schemes considered in this review do not rely on them. Interested readers may refer to [23, 24] for how these variants are applied in IBE schemes of different designs.

B. Quadratic Residue, Jacobi Symbol and Quadratic Residuosity Problem

Prime and composite numbers have been at the mathematical core of cryptography since the move from symmetric to asymmetric cryptography in 1976. The Integer Factorization Problem (IFP), for instance, captures the hardness of recovering the primes $p$ and $q$ from a composite number $N = pq$.

The following problem builds on this core idea as its underlying primitive: the quadratic residuosity problem. We first define quadratic residues and the Jacobi symbol [24].

Definition 6. (Quadratic Residue) Let $a$ be an integer and $N$ a positive integer. Then $a$ is called a quadratic residue modulo $N$ if $\gcd(a, N) = 1$ and $x^2 \equiv a \pmod N$ for some integer $x$. Otherwise $a$ is called a quadratic nonresidue modulo $N$.

Definition 7. (Jacobi Symbol) Let $a$ be an integer and $N$ a positive odd integer with $N = p_1 \cdots p_k$, where the $p_i$ are odd primes, not necessarily distinct. The Jacobi symbol $\left(\frac{a}{N}\right)$ is defined as
$$\left(\frac{a}{N}\right) = \left(\frac{a}{p_1}\right) \cdots \left(\frac{a}{p_k}\right),$$
where $\left(\frac{a}{p_i}\right) \equiv a^{(p_i - 1)/2} \pmod{p_i}$ is the Legendre symbol, which satisfies
$$\left(\frac{a}{p_i}\right) = \begin{cases} +1, & \text{if } a \text{ is a quadratic residue mod } p_i \\ 0, & \text{if } p_i \text{ divides } a \\ -1, & \text{if } a \text{ is a quadratic nonresidue mod } p_i. \end{cases}$$
Unlike the Legendre symbol, the Jacobi symbol can be computed efficiently without knowing the factorization of $N$ (by quadratic reciprocity), and $\left(\frac{a}{N}\right) = +1$ does not imply that $a$ is a quadratic residue modulo $N$: for $N = pq$ the symbol is also $+1$ when $a$ is a nonresidue modulo both $p$ and $q$.

Definition 8 [25]. (Quadratic Residuosity Problem) Extending Definition 6, the quadratic residuosity problem is: given integers $a$ and $N$, where $N = pq$ with $p, q$ two distinct unknown primes and $\left(\frac{a}{N}\right) = +1$, determine whether $a$ is a quadratic residue modulo $N$. (If the Jacobi symbol is $-1$, $a$ is trivially a nonresidue, so the problem is only hard for symbol $+1$.)

As explained earlier, if the integer factorization problem is easy, i.e. one can factor $N$ into $p$ and $q$, then deciding whether an integer $a$ is a quadratic residue becomes easy via the Legendre symbols modulo $p$ and $q$. However, no efficient algorithm for this problem is currently known, and this is the security basis of the Cocks IBE scheme of 2001 [6].

C. Trapdoor Subgroup over the Integers Modulo a Composite Number, $\mathbb{Z}_N^*$

Several types of trapdoor subgroup have been used to design IBE schemes. One allows a user to compute discrete logarithms modulo a composite number $N$ while factoring $N$ remains infeasible for that user; this is the basis of the IBE scheme by Maurer and Yacobi in 1991 [26]. In this paper, however, we consider the trapdoor subgroup used by Park et al. in their IBE scheme, as their design relies on a hard problem similar to that of Maurer and Yacobi while exhibiting a setup similar to other well-known IBE schemes [7].

Definition 9. (Trapdoor Subgroup) Let $N$ be the product of primes $p, q$ such that $p = 2p_1 + 1$ and $q = 2q_1 + 1$, where $p_1, q_1$ are odd primes. Let the order $\mathrm{ord}_N g$ be the least positive integer $x$ such that $g^x \equiv 1 \pmod N$ for a generator $g$. Then a group $\mathbb{G}$ is called a trapdoor subgroup of $\mathbb{Z}_N^*$ when it is determined by $(N, g)$ with $\mathrm{ord}_N g$ kept hidden and used as the 'trapdoor'.

Based on Definition 9, the Euler totient of $N$ is $\phi(N) = 4p_1q_1$. The IBE scheme designed using this trapdoor subgroup specifically constructs a trapdoor subgroup $\mathbb{G}$ of composite order $\mathrm{ord}_N g = p_1 q_1$. It is easy to observe that if one can factor $N$ efficiently, then one finds $p, q$ and hence $p_1, q_1$ easily; this is precisely the integer factorization problem.

D. Lattices and Learning With Errors (LWE)

The first lattice-based IBE scheme was proposed in 2008 by Gentry et al., together with a signature scheme in the same paper [28]. The use of lattices in designing cryptosystems has attracted a great deal of attention in recent research because of its simplicity (it requires only linear operations and involves small integers). In addition, lattice-based cryptography is expected to be post-quantum, i.e. no efficient quantum algorithm (quantum cryptanalysis) against it is currently known. These advantages over other mathematical problems have made lattices one of the main focuses of today's cryptography.

The core hardness of lattices rests on the difficulty of the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). However, the Learning with Errors (LWE) problem introduced by Regev in 2005 turned out to be the basis of most cryptographic constructions, especially in designing IBE schemes [27]. We outline the definitions of lattices and LWE below, leaving out SVP and CVP as they are not the main content of our discussion. Interested readers may refer to [28] for further reading on lattice problems.

Definition 10 [10]. (Lattices) For positive integers $q, m, n$, a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a vector $\mathbf{u} \in \mathbb{Z}_q^n$, the $m$-dimensional integer lattices $\Lambda_q^{\perp}(\mathbf{A})$ and $\Lambda_q^{\mathbf{u}}(\mathbf{A})$ are defined as
$$\Lambda_q^{\perp}(\mathbf{A}) = \{\mathbf{e} \in \mathbb{Z}^m : \mathbf{A}\mathbf{e} = \mathbf{0} \pmod q\},$$
$$\Lambda_q^{\mathbf{u}}(\mathbf{A}) = \{\mathbf{e} \in \mathbb{Z}^m : \mathbf{A}\mathbf{e} = \mathbf{u} \pmod q\}.$$
(The second set is a coset of the first; it is conventionally written as a lattice.)

Definition 11. (Learning with Errors) Let $p = p(n) \le \mathrm{poly}(n)$ be a prime. Consider the following list of 'equations with errors':
$$\langle \mathbf{s}, \mathbf{a}_1 \rangle \approx_\chi b_1 \pmod p$$
$$\langle \mathbf{s}, \mathbf{a}_2 \rangle \approx_\chi b_2 \pmod p$$
$$\vdots$$
where $\mathbf{s} \in \mathbb{Z}_p^n$, the $\mathbf{a}_i$ are chosen independently and uniformly from $\mathbb{Z}_p^n$, and $b_i \in \mathbb{Z}_p$. Each equation $i$ is of the form $b_i = \langle \mathbf{s}, \mathbf{a}_i \rangle + e_i$, where the error $e_i \in \mathbb{Z}_p$ is chosen independently according to a probability distribution $\chi: \mathbb{Z}_p \to \mathbb{R}^+$ on $\mathbb{Z}_p$. The Learning with Errors problem $\mathrm{LWE}_{p,\chi}$ is to recover $\mathbf{s}$ from these equations.

III. IDENTITY-BASED ENCRYPTION (IBE) SCHEMES AND SECURITY MODEL

Slightly differently from traditional encryption schemes such as RSA and ECC, where a user's public and private keys are computed implicitly, these keys

are computed explicitly in an IBE scheme. In other words, the user's public key is computed from some arbitrary string (usually the identity $ID$), while the corresponding private key is computed using a master secret kept by the Private Key Generator (PKG). Therefore an additional algorithm, Extract, is needed for the PKG to handle private key generation.

A conventional IBE scheme consists of four randomized algorithms (Setup, Extract, Encrypt, Decrypt) [24]:
i. Setup: On input of a security parameter $1^n$, output public system parameters ($param$) and a master secret ($msk$). The $param$ are published while $msk$ is kept secret by the Private Key Generator (PKG).
ii. Extract: On input of $param$, $msk$ and a user's identity ($ID$), compute the user's corresponding private key (decryption key).
iii. Encrypt: On input of $param$, a user's $ID$ and a message $M$, output a ciphertext $C$.
iv. Decrypt: On input of $param$, a user's $ID$, the user's private key and a ciphertext $C$, output the message $M$ or abort with $\perp$.

The correctness requirement of an IBE scheme is the same as in any public key cryptosystem: with the correct private key, a ciphertext encrypted under the corresponding public key is decryptable.

For the security model of IBE, the definition of the security notion is also slightly different from that of traditional encryption schemes, since one must account for the adversary obtaining identities and their corresponding private keys. Strengthening the definition is therefore crucial for the validity of the security proofs. We describe the security model (game) of an IBE scheme following the model presented in the Boneh-Franklin paper [5].

i. Setup: The challenger takes the security parameter $1^n$ and runs the Setup algorithm. It gives $param$ to the adversary and keeps $msk$ to itself.
ii. Phase 1: The adversary adaptively issues queries $q_i$ of the following kinds:
a) Extraction queries $\langle ID_i \rangle$. The challenger responds by running the Extract algorithm to generate the private key $d_i$ corresponding to the public key $\langle ID_i \rangle$, and sends $d_i$ to the adversary.
b) Decryption queries $\langle ID_i, C_i \rangle$. The challenger responds by running Extract to generate the private key $d_i$ corresponding to $ID_i$, then runs Decrypt to decrypt the ciphertext $C_i$ using $d_i$, and sends the resulting plaintext to the adversary.
iii. Challenge: When the adversary is ready for the challenge, it ends Phase 1 and outputs two (2) plaintexts $M_0$ and $M_1$ of equal length and an identity $ID$ on which it wishes to be challenged, with the restriction that $ID \neq ID_i$ for every extraction query of Phase 1. The challenger chooses a random bit $b \in \{0,1\}$ and sends $C = \mathrm{Encrypt}(param, ID, M_b)$ to the adversary.
iv. Phase 2: The adversary issues more queries as in Phase 1:
a) Extraction queries $\langle ID_i \rangle$, with the condition that $ID_i \neq ID$.
b) Decryption queries $\langle ID_i, C_i \rangle$, with the condition that $\langle ID_i, C_i \rangle \neq \langle ID, C \rangle$.
v. Guess: The adversary finally outputs a guess $b' \in \{0,1\}$ and wins the game if $b' = b$.

An IBE scheme is said to be secure against adaptive chosen ciphertext attack (IND-ID-CCA) if no polynomial-time adversary has a non-negligible advantage $\mathrm{Adv}(\mathcal{A})$ against the challenger in the above game, where
$$\mathrm{Adv}(\mathcal{A}) = \left| \Pr[b = b'] - \tfrac{1}{2} \right|.$$

All the IBE schemes described in the following subsections use the above game in their security proofs, with suitable adjustments for the standard and random oracle models. Readers can refer to each original paper for the complete proof and game description.

A. Pairing-Based IBE Schemes

Soon after the constructive use of pairing functions by Joux in 2000 [20], Boneh and Franklin designed the first practical and secure IBE scheme using the Weil pairing. Their design exhibits the Diffie-Hellman key exchange property: the shared secret value is computed with the pairing function on an elliptic curve, and this is where the security of the scheme lies.

We review the two (2) most well-known pairing-based IBE schemes, the Boneh-Franklin and Boneh-Boyen IBE schemes. Each original paper gives two versions of its scheme, a CPA-secure and a CCA-secure version. We consider the CCA-secure versions in our review, since CCA security is the stronger notion and implies CPA security.

Before discussing the IBE schemes in detail, we outline a general setup algorithm for $param$ generation. This algorithm generates a suitable curve and pairing function for practical use in setting up a pairing-based IBE scheme.

Algorithm 1: General System Parameter Setup.
1) On input of security parameter $1^n$, generate two random large primes $p$ and $q$ such that $p \mid \#E(\mathbb{F}_q)$ and $p^2 \nmid \#E(\mathbb{F}_q)$, where $\#E(\mathbb{F}_q)$ denotes the number of points on the elliptic curve $E$ over $\mathbb{F}_q$.
2) Select a random point (generator) $P \in$

$E(\mathbb{F}_q)[p]$, and let $\mathbb{G} = \langle P \rangle$.
3) Let $k$ be the smallest integer such that $p \mid q^k - 1$, i.e. the embedding degree of $E/\mathbb{F}_q$, and generate the pairing $\hat{e}: \mathbb{G} \times \mathbb{G} \to \mathbb{F}_{q^k}^*$.
4) Let $\mathbb{G}_T = \langle \hat{e}(P, P) \rangle$.

In the two schemes below the group $\mathbb{G}$ has prime order $p$, exponents and scalars are taken in $\mathbb{Z}_p$, and $\mathbb{G}_T \subset \mathbb{F}_{q^k}^*$ also has order $p$.

The first IBE scheme, due to Boneh and Franklin, was proposed in 2001 [5]. Their scheme uses the Weil pairing in a simple and straightforward manner, namely to compute the shared secret value as in a Diffie-Hellman key exchange. The Boneh-Franklin IBE scheme was proven IND-ID-CCA secure in the random oracle model, where the random oracles are instantiated by the hash functions $H_1$ to $H_4$ stated in the following algorithm. The scheme can use the Tate pairing instead of the Weil pairing by simply modifying the general parameter setup algorithm (Algorithm 1).

Algorithm 2: Boneh-Franklin IBE Scheme.
Setup:
1. Run Algorithm 1.
2. Select a random $s \in \mathbb{Z}_p^*$ and compute $P_1 = sP$.
3. Generate the following hash functions:
a) $H_1: \{0,1\}^* \to \mathbb{G}$ (hashing an identity to a point of order $p$)
b) $H_2: \mathbb{G}_T \to \{0,1\}^n$
c) $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$
d) $H_4: \{0,1\}^n \to \{0,1\}^n$
4. Publish $\{p, n, P, P_1, H_1, H_2, H_3, H_4\}$ and keep $\{s\}$.
Extract:
1. On a user's $ID$, map it to a point $Q = H_1(ID) \in \mathbb{G}$ of order $p$. This $Q$ is the user's public key.
2. Compute the user's private key $d = sQ$.
Encrypt:
1. To encrypt a message $M \in \{0,1\}^n$ under the user's public key $Q$, the sender chooses a random $\sigma \in \{0,1\}^n$ and computes $r = H_3(\sigma, M)$.
2. Compute the ciphertext tuple:
a) $c_1 = rP$
b) $c_2 = \sigma \oplus H_2(g^r)$, where $g = \hat{e}(Q, P_1)$
c) $c_3 = M \oplus H_4(\sigma)$
where $\oplus$ denotes the exclusive-OR operation.
3. Send $C = \{c_1, c_2, c_3\}$.
Decrypt:
1. Upon receiving $C = \{c_1, c_2, c_3\}$ with private key $d$, compute:
a) $\sigma' = c_2 \oplus H_2(\hat{e}(d, c_1))$
b) $M' = c_3 \oplus H_4(\sigma')$
c) $r' = H_3(\sigma', M')$.
2. Check whether $c_1 = r'P$. If not, reject the ciphertext; otherwise output $M = M'$.

The second pairing-based IBE scheme after Boneh-Franklin is due to Boneh and Boyen in 2004 [30]. While Boneh-Franklin applies the pairing to compute the shared secret value directly, Boneh-Boyen uses the pairing in a different fashion. Their design belongs to the 'commutative blinding' family of schemes, in which decryption computes the ratio of two pairing values [24].

Two (2) Boneh-Boyen IBE schemes are proposed in the original article. Here we consider the first scheme, which is selective-ID secure under the Decisional Bilinear Diffie-Hellman assumption without random oracles. It was presented in HIBE form but easily reduces to an ordinary IBE scheme; we refer to [24] for the CCA-secure IBE version.

Also, the Setup algorithm of the original Boneh-Boyen schemes gives no specific parameters. For this purpose we therefore keep the same parameters as in the Boneh-Franklin scheme, since the chosen elliptic curve is pairing-friendly and works well when implementing the Boneh-Boyen IBE scheme. Below $g$ denotes the generator of $\mathbb{G}$ written multiplicatively (the point $P$ of Algorithm 1).

Algorithm 3: Boneh-Boyen IBE Scheme.
Setup:
1. Run Algorithm 1.
2. Select random $\alpha, \beta, \gamma \in \mathbb{Z}_p$ and compute $g^\alpha, g^\beta, g^\gamma$.
3. Compute the public pairing value $v = \hat{e}(g^\alpha, g^\beta) = \hat{e}(g, g)^{\alpha\beta}$.
4. Generate the following hash functions:
a) $H_1: \{0,1\}^* \to \mathbb{Z}_p$
b) $H_2: \mathbb{G}_T \to \{0,1\}^n$ for some $n$
c) $H_3: \mathbb{G}_T \times \{0,1\}^n \times \mathbb{G} \times \mathbb{G} \to \mathbb{Z}_p$.
5. Publish $\{n, g, g^\alpha, g^\beta, g^\gamma, v, H_1, H_2, H_3\}$ and keep $\{\alpha, \beta, \gamma\}$.
Extract:
1. On a user's $ID$, map it to an integer $z = H_1(ID) \in \mathbb{Z}_p$. This $z$ is the user's public key.
2. Choose a random integer $r \in \mathbb{Z}_p$ and compute the user's private key pair $d_1 = g^{\alpha\beta} (g^{\alpha z} g^{\gamma})^{r} = g^{\alpha\beta + (\alpha z + \gamma) r}$ and $d_2 = g^r$.
Encrypt:
1. To encrypt a message $M \in \{0,1\}^n$ under the user's public key $z$, the sender chooses a random $s \in \mathbb{Z}_p$ and computes $k = v^s$.
2. Compute the ciphertext tuple:
a) $c_1 = M \oplus H_2(k)$
b) $c_2 = g^s$
c) $c_3 = (g^{\alpha z} g^{\gamma})^s$
d) $c_4 = s + H_3(k, c_1, c_2, c_3) \pmod p$.
3. Send $C = \{c_1, c_2, c_3, c_4\}$.
Decrypt:
1. Upon receiving $C = \{c_1, c_2, c_3, c_4\}$ with private keys $\{d_1, d_2\}$, compute:
a) $k' = \hat{e}(c_2, d_1) / \hat{e}(c_3, d_2)$
b) $s' = c_4 - H_3(k', c_1, c_2, c_3) \pmod p$.
2. Check whether $k' = v^{s'}$ and $c_2 = g^{s'}$; if not, reject the ciphertext.
3. Recover the message $M = c_1 \oplus H_2(k')$.

Step 1a is correct by bilinearity: $\hat{e}(g^s, g^{\alpha\beta + (\alpha z + \gamma) r}) / \hat{e}(g^{(\alpha z + \gamma) s}, g^r) = \hat{e}(g, g)^{\alpha\beta s + (\alpha z + \gamma) r s - (\alpha z + \gamma) r s} = v^s$, which is why the blinding factor $(g^{\alpha z} g^\gamma)^r$ in $d_1$ cancels against $c_3$ and $d_2$.

The core security of these pairing-based IBE schemes lies on the assumptions of Diffie-Hellman

(as in Definition 2) and Decisional Bilinear Diffie-Hellman (as in Definition 5). As outlined in the two (2) schemes above, decrypting a ciphertext requires the receiver first to compute the shared secret value via the pairing function; this is the first step of both decryption procedures. We illustrate this using the Boneh-Franklin scheme:
$$\hat{e}(d, c_1) = \hat{e}(sQ, rP) = \hat{e}(Q, P)^{sr} = \hat{e}(Q, sP)^{r} = \hat{e}(Q, P_1)^r = g^r.$$
Writing $Q = bP$ for some $b$ unknown to everyone, an eavesdropper sees $P$, $P_1 = sP$, $c_1 = rP$ and $Q = bP$, and must compute $\hat{e}(P, P)^{bsr}$; that is exactly the Bilinear Diffie-Hellman problem of Definition 4. An adversary who can merely distinguish $\hat{e}(P, P)^{bsr}$ from a random element of $\mathbb{G}_T$ breaks the decisional variant (Definition 5), which is the assumption under which the Boneh-Boyen scheme is proven secure.

The Boneh-Franklin and Boneh-Boyen IBE schemes are specified in the IEEE P1363.3 standard for identity-based cryptography, along with two (2) further pairing-based schemes, the Sakai-Kasahara Key Encapsulation Mechanism (KEM) and the Boneh-Boyen KEM [31].

Besides these two (2) IBE schemes, several pairing-based IBE schemes were published after them, for instance the Sakai-Kasahara IBE scheme, which is of the 'exponent inversion' type, i.e. its security rests on the $q$-Bilinear Diffie-Hellman Inversion assumption [23].

B. IBE Scheme Based on Quadratic Residuosity

Proposed by Cocks in 2001 right after the Boneh-Franklin IBE, this scheme takes a different approach: it is based on the difficulty of the Quadratic Residuosity problem.

The Cocks IBE scheme is described as follows [6].

Algorithm 4: Cocks IBE Scheme.
Setup:
1. On input of security parameter $1^n$, generate two random large primes $p, q$ such that $p \equiv 3 \pmod 4$ and $q \equiv 3 \pmod 4$.
2. Compute $N = pq$.
3. Generate a hash function $H: \{0,1\}^* \to \mathbb{Z}_N$ whose outputs have Jacobi symbol $+1$ (in practice, hash with a counter until $\left(\frac{a}{N}\right) = +1$).
4. Publish $\{N, H\}$ and keep $\{p, q\}$.
Extract:
1. On a user's $ID$, compute the user's public key $a = H(ID)$ with $\left(\frac{a}{N}\right) = +1$. Since $p \equiv q \equiv 3 \pmod 4$, exactly one of $a$ and $-a$ is a square modulo $N$.
2. Compute the user's private key $r \equiv a^{(\phi(N) + 4)/8} \pmod N$, which satisfies $r^2 \equiv a$ or $r^2 \equiv -a \pmod N$.
Encrypt (one message bit $M \in \{0,1\}$ at a time):
1. Encode $M$ as $m = (-1)^M$.
2. Select random $t_1, t_2 \in \mathbb{Z}_N^*$ such that $\left(\frac{t_1}{N}\right) = \left(\frac{t_2}{N}\right) = m$.
3. Compute the ciphertexts
$$c_1 \equiv t_1 + \frac{a}{t_1} \pmod N, \qquad c_2 \equiv t_2 - \frac{a}{t_2} \pmod N.$$
4. Send $C = \{c_1, c_2\}$.
Decrypt:
1. Upon receiving $C = \{c_1, c_2\}$ with private key $r$, set $c = c_1$ if $r^2 \equiv +a \pmod N$ and $c = c_2$ if $r^2 \equiv -a \pmod N$.
2. Compute the encoded message bit
$$m = \left(\frac{c + 2r}{N}\right) = \begin{cases} +1, & \text{then } M = 0 \\ -1, & \text{then } M = 1. \end{cases}$$
This works because, for $r^2 \equiv a$, $c_1 + 2r \equiv (t_1 + r)^2 / t_1 \pmod N$, whose Jacobi symbol equals $\left(\frac{t_1}{N}\right) = m$ (and similarly for $c_2$ when $r^2 \equiv -a$).

The Cocks IBE scheme shows that for each bit of the message (plaintext) encrypted, two (2) elements of $\mathbb{Z}_N$ are produced as ciphertext (step 3 of Encrypt), i.e. about $2\lceil \log_2 N \rceil$ ciphertext bits per plaintext bit. Since the sender does not know whether $a$ or $-a$ is a square modulo $N$, a component is sent for both cases; the receiver who possesses the private key can check whether $r^2 \equiv +a \pmod N$ or $r^2 \equiv -a \pmod N$ and hence decrypt the correct component. An attacker without $r$ must decide which of $a$ and $-a$ is a residue, which is precisely the quadratic residuosity problem.

The security of the Cocks IBE scheme is also related to the difficulty of the integer factorization problem (on which the RSA cryptosystem is based). If an adversary can find the factors $p$ and $q$ of $N = pq$, he can compute $\phi(N)$ and hence the private key $r$ of any identity, or equivalently solve the quadratic residuosity problem (following Definition 7) to determine which ciphertext component should be chosen, and thereby decrypt any ciphertext.

C. IBE Scheme Based on Trapdoor Subgroup

As explained in the previous section, we consider the IBE scheme based on a trapdoor subgroup due to Park et al., which defines the trapdoor subgroup differently from the definition by Maurer and Yacobi [7,26]. However, both definitions share the same core idea: the infeasibility of factoring a composite integer, which gives the hardness of the Discrete Logarithm problem used in computing the shared secret values.

We present the CCA-secure version of the IBE scheme based on a trapdoor subgroup by Park et al. as follows [7].

Algorithm 5: IBE Scheme Based on Trapdoor Subgroup.
Setup:
1. On input of security parameter $1^n$, generate two safe primes $p = 2p_1 + 1$ and $q = 2q_1 + 1$ for primes $p_1, q_1$.
2. Compute $N = pq$.
3. Select a random generator $g \in \mathbb{Z}_N^*$ such that $\mathrm{ord}_N g = p_1 q_1$.
4. Choose a random $x \in \mathbb{Z}_{\mathrm{ord}_N g}$ and set $g_1 \equiv g^x \pmod N$.
5. Generate the following hash functions:
a) $H_1: \{0,1\}^* \to \{0,1\}^l$, where $l < \log_2(\mathrm{ord}_N g)$
b) $H_2: \mathbb{Z}_N \to \{0,1\}^{\delta + \theta}$
c) $H_3: \{0,1\}^* \to \{0,1\}^{\lceil \log_2 N \rceil}$.
6. Publish $\{N, g, g_1, H_1, H_2, H_3\}$ and keep the master secret

{푥, ord푁𝑔}. Lemma 2. (GVP-Sampling) There is a probabilistic polynomial time (PPT) algorithm that given 퐀 ∈ ℤ푛+푚, Extract: 푞 푚+푚 푛 퐓퐀 ∈ ℤ , 𝜎 > ‖퐓퐀‖ ∙ 휔(√log 푛) and 퐮 ∈ ℤ푞 , and 1. On user’s 퐼퐷, computes 푎 = 퐻1(퐼퐷). outputs a sample from the distribution statistically 2. Checks whether gcd(푥 + 퐻1(퐼퐷), ord푁𝑔) = 1. If do, computes user’s private key 푑 such that 푑(푥 + close to 퐷Λ퐮(퐀),휎 , where 퐷Λ퐮(퐀),휎 is the discrete 퐻 (퐼퐷)) ≡ 1 (mod ord 𝑔). Else abort. Gaussian distribution over 훬 with parameter 𝜎. Such 1 푁 algorithm is denoted by GVPSamp. Encrypt: We now describe the lattice-based IBE scheme 1. To encrypt message 푀 ∈ {0,1}훿 with user’s public based on Gentry et al. in [28] but refer to the simplified key 푎, selects a random 𝜌 ∈ {0,1}휃 and computes ⌈log 푁⌉ version from Hanaoka dan Yamada as follows [10]. 푠 = 퐻3(푀, 퐼퐷, 𝜌) ∈ {0,1} . 2. Computes ciphertexts: Algorithm 6: IBE Based on Lattices. 푠 a) 푐0 ≡ 𝑔 (mod 푁) Setup: 푎 푠 휆 b) 푐1 ≡ (𝑔1𝑔 ) (mod 푁) 1. On input of security parameter 1 , runs 훿+휃 푛 푚 c) 푐2 = 퐻2(푐0)⨁(푀 ∥ 𝜌) ∈ {0,1} . TrapGen(1 , 1 , 푞) → (퐀, 퐓퐀). 푛 3. Sends ciphertext pair 퐶 = {푐1, 푐2}. 2. Generates hash function 퐻: 퐼퐷 → ℤ푞 for user’s identity. Decrypt: 3. Publicizes {퐀, 퐻} and keeps {퐓퐀}. 1. Upon receiving ciphertext 퐶 = {푐1, 푐2} and private key 푑, computes: Extract: ′ 푑 a) 푐0 ≡ 푐1 (mod 푁) 1. On user’s 퐼퐷, computes 퐮 = 퐻1(퐼퐷). ′ ′ ′ b) (푀 ∥ 𝜌 ) = 퐻2(푐0)⨁푐2 2. Computes user’s private key c) 푠′ = 퐻 (푀′, 퐼퐷, 𝜌′) 3 퐞 ← GVPSamp(퐀, 퐓 , 𝜎, 퐮) 푎 푠′ 퐀 2. Checks whether 푐1 ≡ (𝑔1𝑔 ) (mod 푁) . If not rejects the ciphertext, otherwise recover message where 퐞 ∈ ℤ푚 is a short vector satisfies 퐀퐞 = 퐮. 푀. Encrypt: 1. To encrypt message 푀 ∈ {0,1}, samples random The main attraction in the IBE scheme by Pak et al. 푛 퐬 ← ℤ푞, 푥0 ← 퐷ℤ,α, and 퐱 ← 퐷ℤ푚,α. is the infeasibility of finding the secret trapdoor – the 2. Computes ciphertexts: ord 𝑔. 
If such a problem can be solved efficiently, then factoring the modulus $N$ is easy, since an adversary who knows $\mathrm{ord}_N g = p_1 q_1$ can next use these primes to solve for $p$ and $q$.

Besides the hardness of finding $\mathrm{ord}_N g$, the discrete logarithm assumption is another attention-drawing point. Since solving the discrete logarithm is equivalent to solving the integer factorization problem, if $x$ can be found, then by the congruence relation $d(x + H_1(ID)) \equiv 1 \pmod{\mathrm{ord}_N g}$ one can efficiently find the private key $d$ and next decrypt the intercepted ciphertext easily [7].

D. Lattice-Based IBE Scheme

The very first IBE scheme based on lattices was proposed by Gentry et al. in 2008. Relying on the hardness of solving the LWE problem, they designed several cryptosystems in the same paper, namely signature, encryption and IBE schemes. However, unlike other designs, Gentry et al. used the dual cryptosystem in constructing their IBE scheme. Before giving the details of the IBE scheme, the following lemmas provide the core constructions of the scheme in the Setup and Extract algorithms [10].

Lemma 1. There is an efficient randomized algorithm $\mathrm{TrapGen}(1^n, 1^m, q) \to (\mathbf{A}, \mathbf{T}_{\mathbf{A}})$ that, when $m \ge 6n\lceil \log q \rceil$, outputs a full rank matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and a basis $\mathbf{T}_{\mathbf{A}} \in \mathbb{Z}^{m \times m}$ for $\Lambda^{\perp}(\mathbf{A})$ such that $\mathbf{A}$ is $\mathrm{negl}(n)$-close to uniform and $\|\mathbf{T}_{\mathbf{A}}\| = \mathcal{O}(\sqrt{n \log q})$ with all but negligible probability in $n$.

   a) $c_1 = \mathbf{s}^\top \mathbf{u} + x_0 + M \cdot \left\lceil \frac{q}{2} \right\rceil$
   b) $\mathbf{c}_2^\top = \mathbf{s}^\top \mathbf{A} + \mathbf{x}^\top$.
3. Sends ciphertext $C = \{c_1, \mathbf{c}_2^\top\}$.

Decrypt:
1. Upon receiving ciphertext $C = \{c_1, \mathbf{c}_2^\top\}$ and private key $\mathbf{e}$, compute $w = c_1 - \mathbf{c}_2^\top \mathbf{e} \pmod q$.
2. Check whether $w$ is closer to $\frac{q}{2}$ than to $0$ over $\mathbb{Z}_q$. If not, reject the ciphertext; otherwise recover the message $M$.

Gentry et al. in their work proved that their scheme is secure under the random oracle model via the assumption of LWE. The standard model proof was only given by Cash et al. in 2010 [32]. The underlying security assumption of the Gentry et al. IBE scheme is that, if an adversary intercepts ciphertext $C = \{c_1, \mathbf{c}_2^\top\}$, specifically $\mathbf{c}_2^\top = \mathbf{s}^\top \mathbf{A} + \mathbf{x}^\top$, then it is computationally infeasible for the adversary to distinguish the two (2) given distributions $(\mathbf{A}, \mathbf{s}^\top \mathbf{A} + \mathbf{x}^\top)$ and $(\mathbf{A}, \mathbf{v}^\top)$ where $\mathbf{v} \leftarrow \mathbb{Z}_q^m$, and this implies the difficulty of recovering $\mathbf{s}$ as well [10].

Utilizing the LWE problem is not the only way to design a lattice-based IBE scheme; another interesting method that is worth mentioning is the IBE scheme proposed using NTRU lattices. However, we do not outline the NTRU lattice-based IBE scheme, and readers who are interested may consider referring to [33] for more details.
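The Encrypt and Decrypt steps above, as an added Python example that is not from the paper or from Gentry et al.'s implementation: it builds a toy dual-LWE instance in which the pair $(\mathbf{u}, \mathbf{e})$ with $\mathbf{A}\mathbf{e} = \mathbf{u}$ is constructed directly rather than through TrapGen and $H_1$ (an assumption made so the block runs stand-alone), encrypts single bits with $c_1$ and $\mathbf{c}_2$ exactly as written, and exposes the error term $x_0 - \mathbf{x}^\top \mathbf{e}$ that decides whether $w$ lands nearer $q/2$ or $0$.

```python
import random

# Constructed toy parameters: far too small for any real security.
N, M_DIM, Q = 8, 24, 4093
HALF_Q = (Q + 1) // 2          # ceil(q/2), the carrier of the message bit

def keygen(rng):
    """Stand-in for Setup/Extract (an assumption, not the scheme's TrapGen):
    pick a short e first and define u = A e (mod q). In Gentry et al.
    u = H1(ID) is fixed by the identity and e is sampled with the trapdoor
    basis T_A; decryption only needs A e = u with e short, which this gives."""
    A = [[rng.randrange(Q) for _ in range(M_DIM)] for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M_DIM)]
    u = [sum(A[i][j] * e[j] for j in range(M_DIM)) % Q for i in range(N)]
    return A, u, e

def encrypt(A, u, bit, rng, noise=2):
    """c1 = s^T u + x0 + M*ceil(q/2),  c2^T = s^T A + x^T   (mod q)."""
    s = [rng.randrange(Q) for _ in range(N)]
    x0 = rng.randint(-noise, noise)
    x = [rng.randint(-noise, noise) for _ in range(M_DIM)]
    c1 = (sum(s[i] * u[i] for i in range(N)) + x0 + bit * HALF_Q) % Q
    c2 = [(sum(s[i] * A[i][j] for i in range(N)) + x[j]) % Q
          for j in range(M_DIM)]
    return c1, c2

def decrypt(c1, c2, e):
    """w = c1 - c2^T e (mod q); output 1 iff w is closer to q/2 than to 0.
    Returns (bit, w) so the residual noise can be inspected."""
    w = (c1 - sum(c2[j] * e[j] for j in range(M_DIM))) % Q
    dist_zero = min(w, Q - w)
    dist_half = abs(w - Q / 2)
    return (1 if dist_half < dist_zero else 0), w

def centred_residual(w, bit):
    """w - M*ceil(q/2) reduced into (-q/2, q/2]: this equals x0 - x^T e, the
    error term that must stay below q/4 for the q/2-vs-0 test to be reliable."""
    r = (w - bit * HALF_Q) % Q
    return r - Q if r > Q // 2 else r

def noise_bound(noise):
    """Worst-case |x0 - x^T e| for errors in [-noise, noise] and e in {-1,0,1}^m."""
    return noise * (1 + M_DIM)

def roundtrip(bits, seed=1, noise=2):
    """Encrypt each bit under (A, u), decrypt with e; returns the recovered
    bits and the largest residual error seen across the ciphertexts."""
    rng = random.Random(seed)
    A, u, e = keygen(rng)
    out, worst = [], 0
    for b in bits:
        c1, c2 = encrypt(A, u, b, rng, noise)
        got, w = decrypt(c1, c2, e)
        out.append(got)
        worst = max(worst, abs(centred_residual(w, b)))
    return out, worst

if __name__ == "__main__":
    print(roundtrip([1, 0, 1, 1, 0]), noise_bound(2), Q // 4)
```

With noise 2 the worst-case error term is 50, far below $q/4 = 1023$, so every bit decrypts; raising noise to 200 pushes the bound to 5000 and the $q/2$-versus-$0$ test is no longer reliable.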

We summarize all the five (5) IBE schemes discussed above in the following Table I.

TABLE I. SUMMARY OF SELECTED IBE SCHEMES.

| IBE Scheme | Primitive | Security Assumption | CCA Security | Additional Notes |
|---|---|---|---|---|
| Boneh-Franklin | Pairing on Elliptic Curve | Decisional Bilinear Diffie-Hellman | Yes | Standardized in IEEE P1363.3 by NIST [31] |
| Boneh-Boyen | Pairing on Elliptic Curve | Decisional Bilinear Diffie-Hellman | Yes | Standardized in IEEE P1363.3 by NIST [31] |
| Cocks | Quadratic Residue | Quadratic Residuosity | Yes | - |
| Park et al. | Trapdoor Subgroup over $\mathbb{Z}_N^*$ | Trapdoor Subgroup, Integer Factorization | Yes | - |
| Gentry et al. | Learning with Errors | Learning with Errors | Yes | Expected to be post-quantum [10] |

IV. COMPARATIVE ANALYSIS

In this section, we discuss from a general perspective the computation efficiency and computational complexity of all the five (5) IBE schemes described above. Readers should take note that the exact computation of the IBE schemes varies from one to another, since each scheme considers groups (finite or arbitrary groups) and functions (hash and pairing) in different settings.

A. Computation Efficiency

We provide the notations prior to the discussion of the computation efficiency as follows:
i. H denotes hash function.
ii. 𝔾 denotes group.
iii. L denotes lattice (matrix/vector).
iv. D denotes Gaussian distribution.
v. P denotes pairing computation.
vi. h denotes hashing.
vii. E denotes modulo exponentiation.
viii. Mod denotes modulo addition/subtraction.
ix. A denotes addition/subtraction.
x. M denotes multiplication/division.
xi. ⊕ denotes exclusive-OR (XOR) operation.

The computation efficiency of all the reviewed IBE schemes is summarized in the following Table II.

TABLE II. SUMMARY OF COMPUTATION EFFICIENCY OF SELECTED IBE SCHEMES.

| IBE Scheme | Setup | Extraction | Encryption | Decryption |
|---|---|---|---|---|
| Boneh-Franklin | 3𝔾, 4H, 1A | 1h, 1A | 3h, 2E, 2⊕, 1P | 3h, 1P, 2⊕, 1A |
| Boneh-Boyen | 3𝔾, 3H, 3E, 1P | 1h, 4E, 2M | 2h, 4E, 1⊕, 1M, 1A | 2h, 2P, 1⊕, 1A, 3E |
| Cocks | 1H, 1h, 1M | 1E, 2M, 3A | 4E, 2A | 3E, 1A, 1M |
| Park et al. | 3H, 1E, 4M, 2A | 1h, 1I, 1A | 2h, 3E, 1⊕, 1M | 2h, 3E, 1⊕, 1M |
| Gentry et al. | 2L, 1H | 2L, 1h | 1L, 2D, 3M, 3A | 1M, 1A, 1Mod |

From the summary above, it is interestingly noticeable that among the five (5) selected IBE schemes, the lattice-based scheme by Gentry et al. has simpler operations (as explained in the previous section) in both encryption and decryption procedures, as they mainly involve only linear lattice multiplications and additions. Therefore, one could conclude that overall this IBE scheme is more efficient than the other four (4) IBE schemes.

The IBE schemes due to Boneh-Franklin and Boneh-Boyen may seem to have less advantage among the selected schemes, due to their expensive pairing operations in the encryption and decryption processes. These two (2) are nevertheless well recognized as practical and secure IBE schemes, as many studies have been performed (including cryptanalysis by experts) on the IBE schemes and the underlying well-established hard problem (Diffie-Hellman assumption). Such strong evidence and security proofs granted these IBE schemes strength, and they are now under standardization by NIST.

Cocks' IBE scheme at first sight may seem to have more advantage over pairing-based IBE, as it does not involve expensive pairing computations and was proposed in the same year as Boneh-Franklin, 2001. However, it produces a longer ciphertext for equivalent security strength, i.e. for each bit of message in Cocks' IBE scheme, two (2) bits of ciphertext are produced. For 112-bit security, Cocks IBE would need to channel 458,752 bits of ciphertext, which is extremely lengthy, and this is obviously impractical for implementation purposes [24].

B. Computational Complexity

Like many cryptographic schemes, the security of IBE schemes relies on the hardness assumption of solving certain mathematical problems, as defined in Section 2. The assumption stated here refers to the

infeasibility of current classical computing power to output solutions to those problems efficiently. For instance, to solve the integer factorization problem when $N = pq$ for both $p$ and $q$ large primes, this problem requires an exponential-time algorithm, as no polynomial-time algorithm on a classical computer is currently known.

The situation described above is the study of complexity theory. We put the three (3) popular classes in complexity theory that are widely discussed in the following definitions, referring to [34].

Definition 12. ($\mathcal{P}$-class) The class of problems that are solvable in polynomial time by a Deterministic Turing Machine (DTM), i.e. in polynomial time.

Definition 13. ($\mathcal{NP}$-class) The class of problems that are solvable in polynomial time by a Non-Deterministic Turing Machine (NDTM).

Definition 14. ($\mathcal{EXP}$-class) The class of problems that are solvable by a DTM in time bounded by $2^{n^i}$, i.e. in exponential time.

Besides the three (3) main classes, there are algorithms that grow faster than polynomial-time algorithms but significantly slower than exponential-time algorithms; we call such a class sub-exponential time algorithms.

The Boneh-Franklin and Boneh-Boyen IBE schemes, which are based on pairing on elliptic curves, have as their core problem the Elliptic Curve Discrete Logarithm Problem (ECDLP): given points $P$ and $Q = nP$, find the integer $n$. There are a few algorithms that can be used to solve ECDLP, such as Pohlig-Hellman, Baby-step Giant-step, and Pollard's $\rho$ algorithms. Currently Pollard's $\rho$ algorithm is the best-known (fastest) algorithm to solve ECDLP over the finite prime field $\mathbb{F}_p$ and has complexity $\mathcal{O}(\sqrt{p})$, which is exponential [21].

For the IBE scheme by Cocks, which uses quadratic residues, and the IBE scheme by Park et al., which utilizes a trapdoor subgroup over $\mathbb{Z}_N^*$, the common core problem behind these two (2) schemes is the integer factorization problem (IFP) of factoring $N$ into primes $p$ and $q$. There are a few algorithms that can be used to solve this IFP – the Pollard $(p-1)$, Coppersmith method, continued fraction, quadratic sieve and number field sieve methods, to name a few. Among the listed methods, the general Number Field Sieve (NFS) is at the current stage the fastest known method for solving the IFP, with complexity
$$\mathcal{O}\left(\exp\left(\sqrt[3]{\tfrac{64}{9}}\,\sqrt[3]{\log n}\,\sqrt[3]{(\log\log n)^2}\right)\right),$$
which is sub-exponential. Even though there is another core problem lying in the Park et al. IBE scheme – the Discrete Logarithm Problem (DLP) – the fastest algorithm for solving DLP, the index calculus method, has complexity $\mathcal{O}\left(\exp\left(\sqrt{2}\sqrt{\log n \log\log n}\right)\right)$, which is also sub-exponential but relatively larger than the NFS method, so it is comparatively best to consider NFS over index calculus when cryptanalyzing the Park et al. IBE scheme.

Unlike the rest of the selected IBE schemes, which utilize mathematical hard problems that have a unique solution, the lattice-based IBE scheme by Gentry et al. uses random sampling for the lattice $\mathbf{A}$, and therefore its complexity analysis differs from the conventional ones. Since there are many different complexities for different cases under LWE, following [27], the best way to generalize the complexity is to take the upper bound, which is $\mathcal{O}(n^k)$ for some integer $k$ that is exponential. Since currently there is no known efficient algorithm to solve the LWE problem in general, even in the presence of a quantum computer, lattice-based IBE is expected to be post-quantum secure.

TABLE III. COMPUTATIONAL COMPLEXITY OF SELECTED IBE SCHEMES.

| IBE Scheme | Fundamental Primitive | Core Problem | Fastest Algorithm | Computational Complexity |
|---|---|---|---|---|
| Boneh-Franklin | Pairing on Elliptic Curve | Elliptic Curve Discrete Logarithm Problem | Pollard's $\rho$ Method | $\mathcal{O}(\sqrt{p})$ |
| Boneh-Boyen | Pairing on Elliptic Curve | Elliptic Curve Discrete Logarithm Problem | Pollard's $\rho$ Method | $\mathcal{O}(\sqrt{p})$ |
| Cocks | Quadratic Residue | Integer Factorization Problem | Number Field Sieve | $\mathcal{O}\left(\exp\left(\sqrt[3]{\tfrac{64}{9}}\,\sqrt[3]{\log n}\,\sqrt[3]{(\log\log n)^2}\right)\right)$ |
| Park et al. | Trapdoor Subgroup over $\mathbb{Z}_N^*$ | Integer Factorization Problem and Discrete Logarithm Problem | Number Field Sieve | $\mathcal{O}\left(\exp\left(\sqrt[3]{\tfrac{64}{9}}\,\sqrt[3]{\log n}\,\sqrt[3]{(\log\log n)^2}\right)\right)$ |
| Gentry et al. | Lattice | Learning with Errors | N/A | $\mathcal{O}(n^k)$ |

The above Table III summarizes the IBE schemes and their corresponding primitive, core problem, the fastest known algorithm for solving the core problem and their corresponding computational complexity. Once again it should be noted that the fastest known algorithm indicates the best method to solve the hard problem lying in the IBE scheme.

V. CONCLUSION AND FUTURE WORK

In this article, we have reviewed several IBE schemes designed using various mathematical problems – pairing function on elliptic curve, quadratic residue, trapdoor subgroup over integer modulo composite number, and learning with errors on lattices. All these schemes exhibit different approaches in their setup, as well as their corresponding computation efficiencies and computational complexities. One scheme may be efficient and acquire an advantage in generating public parameters while another scheme has the advantage of the shortest ciphertext over the rest.

The security of IBE is based on currently well-recognized hard mathematical problems, i.e. solving these problems using the current best classical computing power is infeasible. While the idea of a quantum computer may soon be a reality, alongside the introduction of Shor's and Grover's quantum algorithms [35,36,37] that can break most of the current public key cryptography including the IBE schemes, research on post-quantum schemes should be given more focus. As readers may have noticed, the IBE scheme based on lattices features such potential in surviving quantum cryptanalysis, since lattices are one of the mathematical tools that are still inefficient to cryptanalyze even under quantum algorithms.

Besides relying solely on lattices, other post-quantum candidates can be exploited, such as multivariate quadratic polynomials, in designing novel IBE schemes. This could be another potential research area in the future, in line with enhancing and strengthening current schemes to achieve better efficiency and usability.

ACKNOWLEDGMENT

The present research was partially supported by the Putra Grant with Project Number GP/2017/9552200.

REFERENCES

[1] W. Diffie, and M. Hellman, "New directions in cryptography," in IEEE Trans. Inf. Theor., vol. 22(6), pp. 644-654, 1976.
[2] A. Whitten, and J.D. Tygar, "Why Johnny Can't Encrypt," Proceedings of the 8th USENIX Security Symposium, Washington, D.C., Aug. 23–36, 1999, pp. 169-184.
[3] S. Sheng, L. Broderick, C.A. Koranda, and J.J. Hyland, "Why Johnny Still Can't Encrypt: Evaluating the Usability of Email Encryption Software," in Proceedings of the 2006 Symposium on Usable Privacy and Security, Pittsburgh, PA, July 12-14, 2006.
[4] A. Shamir, "Identity-Based Cryptosystems and Signature Schemes," in Blakley G.R., Chaum D. (eds.) Advances in Cryptology - CRYPTO 1984, LNCS, vol. 196, pp. 47-53, Springer, Berlin, Heidelberg, 1985.
[5] D. Boneh, and M. Franklin, "Identity-Based Encryption from the Weil Pairing," in Kilian J. (eds.) Advances in Cryptology - CRYPTO 2001, LNCS, vol. 2139, pp. 213-229, Springer, Berlin, Heidelberg, 2001.
[6] C. Cocks, "An Identity Based Encryption Scheme Based on Quadratic Residues," in Honary B. (eds.) Cryptography and Coding: Cryptography and Coding 2001, LNCS, vol. 2260, pp. 360-363, Springer, Berlin, Heidelberg, 2001.
[7] J.H. Park, K. Lee, and D.H. Lee, "Efficient Identity-Based Encryption and Public-Key Signature from Trapdoor Subgroups," IACR Cryptology ePrint Archive, pp. 500, 2016.
[8] J. Liu, and L. Ke, "New Efficient Identity Based Encryption Without Pairings," in Journal of Ambient Intelligence Humanized Computing, vol. 10(4), pp. 1561-1570, 2019.
[9] X. Boyen, "A Tapestry of Identity-Based Encryption: Practical Frameworks Compared," in International Journal of Applied Cryptography, vol. 1(1), pp. 3-21, 2008.
[10] G. Hanaoka, and S. Yamada, "A Survey on Identity-Based Encryption from Lattices," in Takagi T., Wakayama M., Tanaka K., Kunihiro N., Kimoto K., Duong D. (eds.) Mathematical Modelling for Next-Generation Cryptography, Mathematics for Industry, vol. 29, pp. 349-365, Springer, Singapore, 2016.
[11] J. Horwitz, and B. Lynn, "Towards Hierarchical Identity-Based Encryption," in Knudsen L.R. (eds.) Advances in Cryptology - EUROCRYPT 2002, LNCS, vol. 2332, pp. 466-481, Springer, Berlin, Heidelberg, 2002.
[12] C. Gentry, and A. Silverberg, "Hierarchical ID-Based Cryptography," in Zheng Y. (eds.) Advances in Cryptology - ASIACRYPT 2002, LNCS, vol. 2501, pp. 548-566, Springer, Berlin, Heidelberg, 2002.
[13] D. Boneh, X. Boyen, and E. Goh, "Hierarchical Identity Based Encryption with Constant Size Ciphertext," in Cramer R. (eds.) Advances in Cryptology - EUROCRYPT 2005, LNCS, vol. 3494, pp. 440-456, Springer, Berlin, Heidelberg, 2005.
[14] A. Weil, "Sur Les Fonctions Algébriques à Corps de Constantes Fini," in Comptes Rendus Hebdomadaires des Séances de l'Academie des Sciences, vol. 210(17), pp. 589-616, 1940.
[15] J. Tate, "WC-Groups Over p-Adic Fields," in Séminaire Bourbaki: Années 1956/57-1957/58, exposés 137-168, Séminaire Bourbaki, vol. 4(156), pp. 265-277, 1958.
[16] S. Lichtenbaum, "Duality Theorems For Curves over p-adic Fields," in Invent. Math., vol. 7, pp. 120-136, Springer, 1969.
[17] V. Miller, "Short Programs of Function on Curve," unpublished manuscript, 1986.
[18] V. Miller, "The Weil Pairing, and Its Efficient Calculation," in Journal of Cryptology, vol. 17, pp. 235-261, 2004.
[19] A. Menezes, T. Okamoto, and S. Vanstone, "Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field," in IEEE Trans. on Information Theory, vol. 39(5), pp. 1639-1646, 1993.
[20] A. Joux, "A One Round Protocol for Tripartite Diffie-Hellman," in Bosma W. (eds.) Algorithmic Number Theory - ANTS 2000, LNCS, vol. 1838, pp. 385-393, Springer, Berlin, Heidelberg, 2000.
[21] J. Hoffstein, J. Pipher, and J.H. Silverman, "An Introduction to Mathematical Cryptography," Springer, New York, NY, 2008.
[22] D. Boneh, "The Decision Diffie-Hellman problem," in Buhler J.P. (eds.) Algorithmic Number Theory - ANTS 1998, LNCS, vol. 1423, pp. 48-63, Springer, Berlin, Heidelberg, 1998.
[23] L. Chen, Z. Cheng, J. Malone-Lee, and N.P. Smart, "An Efficient ID-KEM Based on the Sakai-Kasahara Key Construction," in IEE Proceedings Information Security, vol. 153(1), pp. 19-26, 2006.
[24] L. Martin, "Introduction to Identity-Based Encryption (Information Security and Privacy Series)," Artech House, Norwood, MA, USA, 2008.
[25] V. Shoup, "A Computational Introduction to Number Theory and Algebra," Cambridge University Press, New York, US, 2005.
[26] U.M. Maurer, and Y. Yacobi, "Non-interactive Public-Key Cryptography," in Davies D.W. (eds.) Advances in Cryptology - EUROCRYPT '91, LNCS, vol. 547, pp. 498-507, Springer, Berlin, Heidelberg, 1991.
[27] O. Regev, "On Lattices, Learning With Errors, Random Linear Codes, and Cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), ACM, New York, NY, USA, pp. 84-93, 2005.
[28] C. Gentry, C. Peikert, and V. Vaikuntanathan, "Trapdoors For Hard Lattices and New Cryptographic Constructions," in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), ACM, New York, NY, USA, pp. 197-206, 2008.
[29] S. Yamada, "Adaptively Secure Identity-Based Encryption from Lattices with Asymptotically Shorter Public Parameters," in Fischlin M., Coron J.S. (eds.) Advances in Cryptology - EUROCRYPT 2016, LNCS, vol. 9666, pp. 32-62, Springer, Berlin, Heidelberg, 2016.
[30] D. Boneh, and X. Boyen, "Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles," in Cachin C., Camenisch J.L. (eds.) Advances in Cryptology - EUROCRYPT 2004, LNCS, vol. 3027, pp. 223-238, Springer, Berlin, Heidelberg, 2004.
[31] D. Moody, R. Peralta, R. Perlner, A. Regenscheid, A. Roginsky, and L. Chen, "Report on Pairing-based Cryptography," in Journal of Research of the National Institute of Standards and Technology, vol. 120, pp. 11-27, 2015.
[32] D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, "Bonsai Trees, or How To Delegate a Lattice Basis," in Gilbert H. (eds.) Advances in Cryptology - EUROCRYPT 2010, LNCS, vol. 6110, pp. 523-552, Springer, Berlin, Heidelberg, 2010.
[33] L. Ducas, V. Lyubashevsky, and T. Prest, "Efficient Identity-Based Encryption over NTRU Lattices," in Sarkar P., Iwata T. (eds.) Advances in Cryptology - ASIACRYPT 2014, LNCS, vol. 8874, pp. 22-41, Springer, Berlin, Heidelberg, 2014.
[34] S.Y. Yan, "Quantum Computational Number Theory," Springer International Publishing, 2015.
[35] P. Shor, "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer," in SIAM J. Comput., vol. 26, pp. 1484-1509, 1997.
[36] L.K. Grover, "A Fast Quantum Mechanical Algorithm For Database Search," in Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC '96), ACM, New York, NY, USA, pp. 212-219, 1996.
[37] L.K. Grover, "From Schrödinger's Equation To The Quantum Search Algorithm," in Pramana - Journal of Physics, vol. 56, pp. 333-348, 2001.
