Boneh–Franklin scheme

The Boneh–Franklin scheme is an identity-based encryption system proposed by Dan Boneh and Matthew K. Franklin in 2001.[1] This article refers to the protocol version called BasicIdent.

It is an application of pairings (Weil pairing) over elliptic curves and finite fields.

As the scheme is based upon pairings, all computations are performed in two groups,

and consider the elliptic curve

Note that this curve is not singular as

which is excluded by the additional constraint.

be a prime factor of

) and find a point

is the set of points generated by

is the subgroup of order

We do not need to construct this group explicitly (this is done by the pairing) and thus don't have to find a generator.

is considered an additive group, being a subgroup of the additive group of points of

is considered a multiplicative group, being a subgroup of the multiplicative group of the finite field $GF(p^{2})^{*}$

The public key generator (PKG) chooses: To create the public key for

, the PKG computes Given

is obtained as follows: Note that

is the PKG's public key and thus independent of the recipient's ID.

, the plaintext can be retrieved using the private key:

The primary step in both encryption and decryption is to employ the pairing and

to generate a mask (like a symmetric key) that is XORed with the plaintext.

So in order to verify correctness of the protocol, one has to verify that an honest sender and recipient end up with the same values here.

The encrypting entity uses

Due to the properties of pairings, it follows that:

$$
\begin{aligned}
H_{2}\left(e\left(d_{ID},u\right)\right) &= H_{2}\left(e\left(sQ_{ID},rP\right)\right)\\
&= H_{2}\left(e\left(Q_{ID},P\right)^{rs}\right)\\
&= H_{2}\left(e\left(Q_{ID},sP\right)^{r}\right)\\
&= H_{2}\left(e\left(Q_{ID},K_{pub}\right)^{r}\right)\\
&= H_{2}\left(g_{ID}^{r}\right)
\end{aligned}
$$

The security of the scheme depends on the hardness of the bilinear Diffie-Hellman problem (BDH) for the groups used.

It has been proved that in a random-oracle model, the protocol is semantically secure under the BDH assumption.

BasicIdent is not chosen-ciphertext secure.

However, a universal transformation method due to Fujisaki and Okamoto[2] converts it into a scheme that has this property, called FullIdent.
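
The following is an added example, not part of the original article: BasicIdent run over a toy bilinear map in which G1 is modelled as the integers mod q, so that e(aP, bP) = g^(ab). Discrete logarithms in this G1 are trivial, so the model has no security and only exercises the algebra of the correctness chain and the XOR mask; the parameters, the hash constructions used for H1 and H2, and the identity string are assumptions. The demo's last line shows the malleability of the masked ciphertext, which is why BasicIdent alone is not chosen-ciphertext secure.

```python
import hashlib
import secrets

# Constructed toy parameters: q prime, p = 2q + 1 prime, g of order q in Z_p^*.
q, p, g = 1019, 2039, 4
P = 1  # generator of the toy G1 = (Z_q, +), so "xP" is just x mod q (insecure)

def e(a, b):
    """Toy bilinear map G1 x G1 -> G2 with e(aP, bP) = g^(ab)."""
    return pow(g, (a * b) % q, p)

def H1(identity):
    """Hash an identity string to a non-zero element Q_ID of G1 (assumed construction)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (q - 1) + 1

def H2(x, n):
    """Hash a G2 element to an n-byte mask (assumed construction)."""
    return hashlib.shake_256(x.to_bytes(2, "big")).digest(n)

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def setup():
    s = secrets.randbelow(q - 1) + 1           # PKG master secret
    return s, (s * P) % q                      # (s, K_pub = sP)

def extract(s, identity):
    return (s * H1(identity)) % q              # d_ID = s * Q_ID

def encrypt(k_pub, identity, m, r=None):
    r = r or secrets.randbelow(q - 1) + 1      # fresh randomness per message
    g_id = e(H1(identity), k_pub)              # g_ID = e(Q_ID, K_pub)
    return (r * P) % q, xor(m, H2(pow(g_id, r, p), len(m)))   # c = (u, v)

def decrypt(d_id, c):
    u, v = c
    return xor(v, H2(e(d_id, u), len(v)))      # mask = H2(e(d_ID, u))

if __name__ == "__main__":
    ident, m = "alice@example.com", b"meet at noon"   # constructed sample input
    s, k_pub = setup()
    d_id = extract(s, ident)
    u, v = encrypt(k_pub, ident, m)
    print("decrypts correctly:", decrypt(d_id, (u, v)) == m)
    # Flipping a bit of v flips the same bit of the plaintext, undetected.
    delta = bytes(len(m) - 1) + b"\x01"
    print("tampered plaintext:", decrypt(d_id, (u, xor(v, delta))))
```
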