Crypto cs36 39

Published in: Technology, Education
  1. 1. IBE (Identity-Based Encryption) from the Weil Pairing <ul><ul><ul><ul><li>Sravan Babu Bodapati </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Eswar Sai Putti </li></ul></ul></ul></ul>
  2. 2. Identity Based Encryption
  3. 3. Identity Based Encryption <ul><li>An identity-based encryption scheme E is specified by four randomized algorithms: </li></ul><ul><li>Setup, </li></ul><ul><li>Extract, </li></ul><ul><li>Encrypt, </li></ul><ul><li>Decrypt: </li></ul><ul><li>Setup: ( Run by PKG ) </li></ul><ul><li>It takes a security parameter k and returns params (system parameters) and master-key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. </li></ul><ul><li>> The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator” (PKG). </li></ul>
  4. 4. Protocol framework (contd.) <ul><li>Extract: ( Run by PKG ) </li></ul><ul><li>Run when a user requests his private key </li></ul><ul><li>It takes as input params, master-key, and an arbitrary ID ∈ {0, 1}∗ , and returns a private key d . Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private decryption key. </li></ul><ul><li>>> The Extract algorithm extracts a private key from the given public key. </li></ul><ul><li>Encrypt: </li></ul><ul><li>It takes as input params, ID, and M ∈ M. It returns a ciphertext C ∈ C. </li></ul><ul><li>Decrypt: </li></ul><ul><li>It takes as input params, C ∈ C, and a private key d. It returns M ∈ M. </li></ul>
  5. 5. Identity-Based Encryption <ul><li>[Diagram: a message M is encrypted using bob@iitm.ac.in; labels shown: Authentication, private key for [email_address], global parameters, master key, setup, extract, encrypt, decrypt] </li></ul>
  6. 6. Applications <ul><li>Revocation of Public Keys : </li></ul><ul><ul><li>Annual private key expiration ( virtual effect ), as the receiver cannot decrypt the message after a specific deadline set by the sender. </li></ul></ul><ul><li>>>> “bob@company.com||current-year||clearance=secret”. </li></ul><ul><li>He also has to get the clearance by the end of the current year. </li></ul><ul><li>Delegation of Decryption Keys : </li></ul><ul><li>- Delegation of Laptop ( when it is stolen ) </li></ul><ul><li>- Delegation of Duties ( persons of only a particular department can decrypt their own messages but cannot tamper with those belonging to other departments ). </li></ul>
  7. 7. Applications (Contd.) <ul><li>Chosen ciphertext security: </li></ul><ul><li>>> Setup: </li></ul><ul><li>The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself. </li></ul><ul><li>Phase 1: </li></ul><ul><li>The adversary issues queries q1 , . . . , qm where query qi is one of: </li></ul><ul><li>- Extraction query IDi : The challenger responds by running algorithm Extract to generate the private key di corresponding to the public key IDi . It sends di to the adversary. </li></ul><ul><li>- Decryption query IDi , Ci : The challenger responds by running algorithm Extract to generate the private key di corresponding to IDi . It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di . It sends the resulting plaintext to the adversary. </li></ul><ul><li>Challenge: </li></ul><ul><li>Once the adversary decides that Phase 1 is over it outputs two equal length plaintexts M0 , M1 ∈ M and an identity ID on which it wishes to be challenged. </li></ul>
  8. 8. <ul><li>Phase 2: </li></ul><ul><li>The adversary issues more queries qm+1 , . . . , qn where query qi is one of: </li></ul><ul><li>- Extraction query </li></ul><ul><li>- Decryption query </li></ul><ul><li>Limitations : </li></ul><ul><li>These algorithms must satisfy the standard consistency constraint, namely: </li></ul><ul><li>> when d is the private key generated by algorithm Extract when it is given ID as the public key, then ∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M ) </li></ul>
  9. 9. Types of IBE <ul><li>Semantically Secure IBE </li></ul><ul><li>>> Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited; </li></ul><ul><li>>> It cannot issue decryption queries while attacking the challenge public key. </li></ul><ul><li>One way identity-based encryption : </li></ul><ul><li>>> If given the encryption of a random plain text , the adversary cannot produce the plaintext in its entirety. ( Total Decryption is not possible ) </li></ul>
  10. 10. Bilinear maps and the Bilinear Diffie-Hellman Assumption: <ul><li>Our IBE system makes use of a bilinear map e : G1 × G1 -> G2 . The map must satisfy the following properties : </li></ul><ul><li>>> Bilinear </li></ul><ul><li>We say that a map e : G1 × G1 -> G2 is bilinear if e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and all a, b ∈ Z. </li></ul><ul><li>>> Non-degenerate </li></ul><ul><li>The map does not send all pairs in G1 × G1 to the identity in G2 . Observe that since G1 , G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P ) is a generator of G2 . </li></ul><ul><li>>> Computable </li></ul><ul><li>There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1 . </li></ul><ul><li>If all 3 of the above properties are satisfied, then it is called an admissible bilinear map. </li></ul>
  11. 11. Basic Ident <ul><li>Setup: </li></ul><ul><li>Given a security parameter k ∈ Z+ , the algorithm works as follows: </li></ul><ul><li>Step 1: </li></ul><ul><li>Run G on input k to generate a prime q, two groups G1 , G2 of order q, and an admissible bilinear map e : G1 × G1 -> G2 . Choose a random generator P ∈ G1 . </li></ul><ul><li>Step 2: </li></ul><ul><li>Pick a random s ∈ Zq and set Ppub = sP . </li></ul><ul><li>Step 3: </li></ul><ul><li>Choose a cryptographic hash function H1 : {0, 1}∗ -> G1∗ . </li></ul><ul><li>Choose a cryptographic hash function H2 : G2 -> {0, 1}^n for some n. </li></ul><ul><li>The message space is M = {0, 1}^n . The ciphertext space is C = G1∗ × {0, 1}^n . The system parameters are params = (q, G1 , G2 , e, n, P, Ppub , H1 , H2) . The master-key is s ∈ Zq∗ . </li></ul>
  12. 12. Steps of Basic Ident <ul><li>Extract: </li></ul><ul><li>For a given string ID ∈ {0, 1}∗ the algorithm does: </li></ul><ul><li>(1) computes QID = H1 (ID) ∈ G1∗ , and </li></ul><ul><li>(2) sets the private key dID to be dID = sQID where s is the master key. </li></ul><ul><li>Encrypt: </li></ul><ul><li>To encrypt M ∈ M under the public key ID do the following: </li></ul><ul><li>(1) compute QID = H1 (ID) ∈ G1∗ , </li></ul><ul><li>(2) choose a random r ∈ Zq∗ , and </li></ul><ul><li>(3) set the ciphertext to be C = (rP, M ⊕ H2 (gID^r)) where gID = e(QID , Ppub ) ∈ G2∗ </li></ul><ul><li>Decrypt: </li></ul><ul><li>Let C = (U, V) ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key dID ∈ G1∗ compute: V ⊕ H2 (e(dID , U )) = M </li></ul>
  13. 13. Elliptic Curve <ul><li>Let p be a prime larger than 3. An elliptic curve over a finite field of size p, denoted GF(p), can be given by an equation of the form: </li></ul><ul><li>E = { (x,y) ∪ O | (x,y) satisfies the equation y^2 = x^3 + ax + b, where a,b ∈ GF(p) } </li></ul><ul><li>If a line intersects the curve at 2 points, it must intersect the curve at a third point also. </li></ul><ul><li>The Elliptic Curve Point Addition : </li></ul><ul><li>P + Q = R </li></ul><ul><li>> Find the two points P and Q where the line intersects the curve </li></ul><ul><li>> Solve for the 3rd point by solving the polynomial curve equation together with the line. </li></ul><ul><li>> Now take the reflection of the 3rd point obtained to obtain R </li></ul><ul><li>> P + Q = R' ( the reflection obtained ) </li></ul>
  14. 14. Divisor : Zero and Pole <ul><li>A divisor D can be defined as a formal sum of points on elliptic curve group E: </li></ul><ul><li>D = ∑ nP (P) </li></ul><ul><li>where nP is a non-zero integer that specifies the zero/pole property of point P and its respective order. </li></ul><ul><li>a) nP > 0 indicates that point P is a zero, whereas </li></ul><ul><li>b) nP < 0 indicates that P is a pole. </li></ul><ul><li>For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) – 3(R) </li></ul><ul><li>indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3. </li></ul><ul><li>The degree of the divisor of a rational function must be zero </li></ul>
  15. 15. Definition <ul><li>Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, </li></ul><ul><li>It's done in such a way as to constitute a pairing on the torsion subgroup of E. </li></ul>
  16. 16. Elliptic Curve Group over Real Numbers <ul><li>y^2 = x^3 + ax + b </li></ul><ul><ul><li>x, y, a, b are real numbers </li></ul></ul><ul><li>If 4a^3 + 27b^2 ≠ 0 , a group can be formed. </li></ul><ul><ul><li>points on curve and infinity point </li></ul></ul><ul><ul><li>Additive group </li></ul></ul>
  17. 17. A Deeper Understanding <ul><li>E is an elliptic curve over K and n is an integer not divisible by char(K) </li></ul><ul><li>E[ n ] is a torsion subgroup of E(K), that is E[ n ] = {P ∈ E( ) | n P = ∞ } ⊆ E(K), where we make the assumption that μn = { x | x^n = 1, x ∈ } ⊆ K. </li></ul><ul><li>Let T ∈ E[ n ], then there exists a function f such that div(f) = n [T] - n [∞] </li></ul><ul><li>Note that f has a zero at T with order n and has a pole at ∞ with order - n . </li></ul>
  18. 18. Elliptic Curve Addition: A Geometric Approach <ul><li>Adding distinct points P and Q </li></ul><ul><li>* The negative of a point P is its reflection in the x-axis. </li></ul>
  19. 19. Adding the points P and -P
  20. 20. Doubling the point P
  21. 21. Weil Pairing <ul><li>Definition : </li></ul><ul><li>Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (bilinear form, though with multiplicative notation) on the torsion subgroup of E. T </li></ul><ul><li>Bilinear map : </li></ul><ul><ul><li>A map e: G1 × G1 -> G2 </li></ul></ul><ul><ul><li>∀ P,Q ∈ G1 , ∀ a,b ∈ Z, e(aP, bQ) = e(P, Q)^(ab) </li></ul></ul><ul><li>Weil Pairing : </li></ul><ul><ul><li>bilinear map </li></ul></ul><ul><ul><ul><li>G1 is the group of points of an elliptic curve over Fp </li></ul></ul></ul><ul><ul><ul><li>G2 is a subgroup of F∗(p^2) </li></ul></ul></ul><ul><ul><li>efficiently computable </li></ul></ul><ul><ul><ul><li>Miller’s algorithm </li></ul></ul></ul>
  22. 22. Properties of Weil Pairing <ul><li>The Weil pairing has the following properties for points in E[n]: </li></ul><ul><li>Property 1 : </li></ul><ul><li>For all P ∈ E[n] we have: e(P, P ) = 1. </li></ul><ul><li>Bilinear Property: </li></ul><ul><li>e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and </li></ul><ul><li>e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2). </li></ul><ul><li>Property 3 </li></ul><ul><li>When P, Q ∈ E[n] are collinear then e(P, Q) = 1. </li></ul><ul><li>Similarly, e(P, Q) = e(Q, P )^-1 </li></ul><ul><li>n'th root Property : </li></ul><ul><li>For all P, Q ∈ E[n] we have e(P, Q)^n = 1 , i.e. e(P, Q) ∈ G2. </li></ul><ul><li>Non-degenerate Property : ( in the following sense: ) </li></ul><ul><li>If P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n] , then P = O. </li></ul>
  23. 23. Computing The Weil Pairing <ul><li>Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F∗ (p^2) using O(log p) arithmetic operations in Fp . We assume P != Q. We proceed as follows: </li></ul><ul><li>> Pick two random points R1 , R2 ∈ E[n]. </li></ul><ul><li>> Consider the divisors Ap = (P + R1 ) − (R1 ) and Aq = (Q + R2 ) − (R2 ). </li></ul><ul><li>> These divisors are equivalent to (P ) − (O) and (Q) − (O) respectively. </li></ul><ul><li>Hence we use them to compute the Weil pairing as e(P,Q) = Fp(Aq) / Fq(Ap) </li></ul><ul><li>= Fp(Q + R2) · Fq(R1) / ( Fp(R2) · Fq(P + R1) ) </li></ul>
  24. 24. Computations ( Contd.) : <ul><li>This expression is well defined with very high probability over the choice of R1 , R2 (the probability of failure is at most O( log p/p )). </li></ul><ul><li>In the rare event that a division by zero occurs during the computation of e(P, Q) , we simply pick new random points R1 , R2 and repeat the process. </li></ul>
  25. 25. Miller’s algorithm <ul><li>As we have seen above, computing both the Weil pairing and the Tate pairing can be reduced to finding a function f with </li></ul><ul><li>div(f) = n [P+R] - n [R] </li></ul><ul><li>for points P ∈ E[ n ] and R ∈ E and </li></ul><ul><li>evaluating f(Q1)/f(Q2) </li></ul><ul><li>Note that we omit the Tate pairing here because the Galois cohomology theorem is too hard. </li></ul>
  26. 26. Basic idea <ul><li>Define D_j = j[P+R] - j[R] - [jP] + [∞]. </li></ul><ul><ul><li>Note that we can’t define D_j = j[P+R] - j[R]. </li></ul></ul><ul><li>We can find a function f_j such that div(f_j) = D_j . </li></ul><ul><li>Miller’s algorithm can compute f_{j+k}(Q1)/f_{j+k}(Q2) from f_j(Q1)/f_j(Q2) and f_k(Q1)/f_k(Q2) as follows: </li></ul><ul><ul><li>Let ax+by+c = 0 be the line through jP and kP. </li></ul></ul><ul><ul><li>Let x+d = 0 be the vertical line through (j+k)P. </li></ul></ul>
  27. 28. Escrow El-Gamal Encryption <ul><li>Setup </li></ul><ul><ul><li>Use same elliptic curve </li></ul></ul><ul><ul><li>Pick a random s ∈ Zq , Q = sP </li></ul></ul><ul><ul><li>Choose hash function: F(p^2) -> {0,1}^n </li></ul></ul><ul><ul><li>System parameters: < p, n, P, Q, H > </li></ul></ul><ul><ul><li>s is the escrow key </li></ul></ul><ul><li>Keygen </li></ul><ul><ul><li>User randomly chooses x ∈ Zq as private key </li></ul></ul><ul><ul><li>Public key is Ppub = xP </li></ul></ul>
  28. 29. Big Picture <ul><li>[Diagram: encryption between Alice and Bob; labels shown: yBob , cert (yBob , Bob), (a,b) = (…), (a,b)] </li></ul>
  29. 30. Escrow ElGamal Encryption (Cont’d) <ul><li>Encrypt ( Ciphertext) </li></ul><ul><ul><li>Pick random r ∈ Zq </li></ul></ul><ul><ul><li>C = < rP, M ⊕ H(g^r) > where g = ê(Ppub , Q) ∈ F(p^2) </li></ul></ul><ul><ul><li>(Our Encrypted message is C ) </li></ul></ul><ul><li>Decrypt (C = <U,V>) </li></ul><ul><ul><li>V ⊕ H( ê(U, xQ)) = M </li></ul></ul><ul><li>Escrow-decrypt </li></ul><ul><ul><li>V ⊕ H( ê(U, sPpub )) = M </li></ul></ul>
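
Added example (not from the slides): the point addition described on slides 13 and 18-20, carried out over GF(p) and covering distinct points, P + (-P) and doubling, plus the scalar multiplication used for sP and rP. The curve y^2 = x^3 + 2x + 3 over GF(97), the sample point (3, 6) and all function names are assumptions chosen for illustration.

```python
# Curve y^2 = x^3 + a*x + b over GF(p); small constructed parameters.
# 4a^3 + 27b^2 = 275 != 0 mod 97, so the points form a group (slide 16).
p, a, b = 97, 2, 3
O = None                                    # point at infinity

def on_curve(P):
    if P is O:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0

def neg(P):
    """Negative of a point: its reflection in the x-axis."""
    return O if P is O else (P[0], -P[1] % p)

def add(P, Q):
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                            # P + (-P): vertical line, no finite third point
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (lam * lam - x1 - x2) % p          # third intersection of the line with the curve
    y3 = (lam * (x1 - x3) - y1) % p         # ...reflected in the x-axis
    return (x3, y3)

def mul(k, P):
    """Double-and-add scalar multiplication kP."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def collinear(A, B, C):
    """True if three finite points lie on one line over GF(p)."""
    (x1, y1), (x2, y2), (x3, y3) = A, B, C
    return ((y2 - y1) * (x3 - x1) - (y3 - y1) * (x2 - x1)) % p == 0
```

Requires Python 3.8 or later for the modular inverse `pow(x, -1, p)`.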
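
Added example (not from the slides, and not code from the scheme's authors): BasicIdent (slides 11-12) and Escrow ElGamal (slides 28-30) run end to end over a toy bilinear map. The map e(A, B) = g^(AB) mod p on G1 = Z_q, the parameters q = 1019, p = 2039, g = 4 and all function names are assumptions made so the algebra can be executed; this stand-in is not a Weil pairing and is not secure.

```python
import hashlib
import secrets

# Toy pairing, constructed for illustration and NOT secure: G1 = (Z_q, +) with P = 1,
# G2 = order-q subgroup of Z_p*. Discrete logs in G1 are trivial (Ppub equals s).
q, p, g, P, N = 1019, 2039, 4, 1, 16    # p = 2q + 1; N = message length in bytes

def e(A, B):
    return pow(g, (A * B) % q, p)

def H1(identity):                       # {0,1}* -> G1*
    h = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(h, "big") % (q - 1)

def H2(x):                              # G2 -> N-byte mask
    return hashlib.sha256(x.to_bytes(2, "big")).digest()[:N]

def xor(a, b):
    assert len(a) == len(b) == N
    return bytes(i ^ j for i, j in zip(a, b))

def rand_scalar():                      # uniform in Z_q*
    return 1 + secrets.randbelow(q - 1)

# --- BasicIdent ---
def setup():
    s = rand_scalar()                   # master-key, known only to the PKG
    return s * P % q, s                 # (Ppub, s)

def extract(s, identity):
    return s * H1(identity) % q         # d_ID = s * Q_ID

def encrypt(Ppub, identity, M):
    r = rand_scalar()
    g_id = e(H1(identity), Ppub)        # g_ID = e(Q_ID, Ppub)
    return r * P % q, xor(M, H2(pow(g_id, r, p)))   # (U, V)

def decrypt(d, C):                      # e(d_ID, U) = e(s*Q_ID, r*P) = g_ID^r
    return xor(C[1], H2(e(d, C[0])))

# --- Escrow ElGamal: Q = sP is global, each user holds x with Ppub = xP ---
def eg_keygen():
    x = rand_scalar()
    return x * P % q, x                 # (user Ppub, x)

def eg_encrypt(user_pub, Q, M):
    r = rand_scalar()
    return r * P % q, xor(M, H2(pow(e(user_pub, Q), r, p)))

def eg_decrypt(x, Q, C):                # user path: e(U, xQ)
    return xor(C[1], H2(e(C[0], x * Q % q)))

def eg_escrow_decrypt(s, user_pub, C):  # escrow path: e(U, s*Ppub)
    return xor(C[1], H2(e(C[0], s * user_pub % q)))
```

Both decryption paths of Escrow ElGamal recover the same M because e(U, xQ) and e(U, sPpub) are the same element e(P, P)^(rxs); the holder of s can therefore read every user's ciphertext, just as the PKG can in BasicIdent.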
