Identity-Based Encryption from the Weil Pairing

  • Dan Boneh
  • Matt Franklin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2139)


We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem. Our system is based on the Weil pairing. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.


Signature Scheme Random Oracle Random Oracle Model Cryptographic Hash Function Weil Pairing 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, “Relations among notions of security for public-key encryption schemes”, Proc. Crypto’ 98, pp. 26–45, 1998.Google Scholar
  2. 2.
    D. Boneh, M. Franklin, “Identity based encryption from the Weil pairing”, Full version available at
  3. 3.
    D. Boneh, B. Lynn, H. Shacham, “Short signatures from the Weil pairing”, manuscript.Google Scholar
  4. 4.
    M. Bellare, A. Boldyreva, S. Micali, “Public-key Encryption in a Multi-User Setting: Security Proofs and Improvements”, Proc. Eurocrypt 2000, LNCS 1807, 2000.Google Scholar
  5. 5.
    J. Coron, “On the exact security of Full-Domain-Hash”, Proc. of Crypto 2000.Google Scholar
  6. 6.
    R. Cramer and V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack”, in proc. Crypto’ 98, pp. 13–25.Google Scholar
  7. 7.
    Y. Desmedt and J. Quisquater, “Public-key systems based on the difficulty of tampering”, Proc. Crypto’ 86, pp. 111–117, 1986.Google Scholar
  8. 8.
    G. Di Crescenzo, R. Ostrovsky, and S. Rajagopalan, “Conditional Oblivious Transfer and Timed-Release Encryption”, Proc. of Eurocrypt’ 99.Google Scholar
  9. 9.
    D. Dolev, C. Dwork, M. Naor, “Non-malleable cryptography”, SIAM J. of Computing, Vol. 30(2), pp. 391–437, 2000.zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    U. Feige, A. Fiat and A. Shamir, “Zero-knowledge proofs of identity”, J. Cryptology, vol. 1, pp. 77–94, 1988.zbMATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    A. Fiat and A. Shamir, “How to prove yourself: Practical solutions to identification and signature problems”, Proc. Crypto’ 86, pp. 186–194, 1986.Google Scholar
  12. 12.
    E. Fujisaki and T. Okamoto, “Secure integration of asymmetric and symmetric encryption schemes”, Proc. Crypto’ 99, pp. 537–554, 1999.Google Scholar
  13. 13.
    G. Frey, M. Müller, H. Rück, “The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems”, IEEE Tran. on Info. Th., Vol. 45, pp. 1717–1718, 1999.zbMATHCrossRefGoogle Scholar
  14. 14.
    P. Gemmell, “An introduction to threshold cryptography”, in CryptoBytes, a technical newsletter of RSA Laboratories, Vol. 2, No. 7, 1997.Google Scholar
  15. 15.
    R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, “Secure Distributed Key Generation for Discrete-Log Based Cryptosystems”, Advances in Cryptology-Eurocrypt’ 99, Springer-Verlag LNCS 1592, pp. 295–310, 1999.Google Scholar
  16. 16.
    O. Goldreich, B. Pfitzmann and R. Rivest, “Self-delegation with controlled propagation-or-What if you lose your laptop”, proc. Crypto’ 98, pp. 153–168, 1998.Google Scholar
  17. 17.
    A. Joux, “A one round protocol for tripartite Diffie-Hellman”, Proc of ANTS 4, LNCS 1838, pp. 385–394, 2000.Google Scholar
  18. 18.
    A. Joux, K. Nguyen, “Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups”, available from
  19. 19.
    S. Lang, “Elliptic functions”, Addison-Wesley, Reading, 1973.zbMATHGoogle Scholar
  20. 20.
    U. Maurer, “Towards proving the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms”, Proc. Crypto’ 94, pp. 271–281.Google Scholar
  21. 21.
    U. Maurer and Y. Yacobi, “Non-interactive public-key cryptography”, proc. Eurocrypt’ 91, pp. 498–507.Google Scholar
  22. 22.
    A. Menezes, T. Okamoto, S. Vanstone, “Reducing elliptic curve logarithms to logarithms in a finite field”, IEEE Tran. on Info. Th., Vol. 39, pp. 1639–1646, 1993.zbMATHCrossRefMathSciNetGoogle Scholar
  23. 23.
    V. Miller, “Short programs for functions on curves”, unpublished manuscript.Google Scholar
  24. 24.
    P. Paillier and M. Yung, “Self-escrowed public-key infrastructures” in Proc. ICISC, pp. 257–268, 1999.Google Scholar
  25. 25.
    C. Rackoff, D. Simon, “Noninteractive zero-knowledge proof of knowledge and chosen ciphertext attack”, in proc. Crypto’ 91, pp. 433–444, 1991.Google Scholar
  26. 26.
    R. Rivest, A. Shamir and D. Wagner, “Time lock puzzles and timed release cryptography,” Technical report, MIT/LCS/TR-684Google Scholar
  27. 27.
    A. Shamir, “Identity-based cryptosystems and signature schemes”, Proc. Crypto’ 84, pp. 47–53.Google Scholar
  28. 28.
    S. Tsuji and T. Itoh, “An ID-based cryptosystem based on the discrete logarithm problem”, IEEE Journal on Selected Areas in Communication, vol. 7, no. 4, pp. 467–473, 1989.CrossRefGoogle Scholar
  29. 29.
    H. Tanaka, “A realization scheme for the identity-based cryptosystem”, Proc. Crypto’ 87, pp. 341–349, 1987.Google Scholar
  30. 30.
    E. Verheul, “Evidence that XTR is more secure than supersingular elliptic curve cryptosystems”, Proc. Eurocrypt 2001.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Dan Boneh
    • 1
  • Matt Franklin
    • 2
  1. 1.Computer Science DepartmentStanford UniversityStanford
  2. 2.Computer Science DepartmentUniversity of CaliforniaDavis

Personalised recommendations