Ibe weil pairing


Published on

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Ibe weil pairing

  1. 1. IBE (Identitiy-Based Encryption) from the Weil Pairing  Sravan Babu Bodapati  Eswar Sai Putti
  2. 2. Identity Based Encryption
  3. 3. Identity Based Encryption• An identity-based encryption scheme E is specified by four randomized algorithms:• Setup,• Extract,• Encrypt,• Decrypt:• Setup: ( Run by PKG )• It takes a security parameter k and returns params (system parameters) andmaster-key. The system parameters include a description of a finite message space M,and a description of a finite ciphertext space C.• > The system parameters will be publicly known, while the master-key will beknown only to the “Private Key Generator” (PKG).
  4. 4. Protocol framework (contd.)•Extract: ( Run by PKG )• Run when user requests his private key• It takes as input parameters, master-key, and an arbitrary ID ∈ {0, 1}∗ , andreturns a private key d. Here ID is an arbitrary string that will be used as apublic key, and d is the corresponding private decryption key.•• >> The Extract algorithm extracts a private key from the given public key.Encrypt:•It takes as input parameters, ID, and M ∈ M. It returns a ciphertext•C ∈ C.Decrypt:• It takes as input params, C ∈ C, and a private key d. It return M ∈ M.
  5. 5. Identity-Based Encryption •setup •global parameters•global •global •master keyparameters parameters M encrypted •Authentication using bob@iitm.ac.in ` ` Private key Alice Bob for PKG alice@iitm.ac. •encrypt •decrypt in •extrac t
  6. 6. Applications• Revocation of Public Keys : – Annual Private key expiration ( Virtual Effect ) as the Receiver cannot decrypt the message after Specific deadline set by the Sender.• >>> “bob@company.com||current-year||clearance=secret”.• He also has to get the clearance by the end of current year .• Delegation of Decryption Keys :• - Delegation of Laptop ( when it is stolen )• -Delegation of Duties ( Persons of only a particular department andecrypt their own messages but cannot tamper with those belonging to otherdepartments.
  7. 7. Applications (Contd.)• Chosen ciphertext security:•>> Setup:• The challenger takes a security parameter k and runs the Setup algorithm. It givesthe adversary the resulting system parameters params. It keeps the master-key toitself.• Phase 1: The adversary issues queries q1 , . . . , qm where query qi is one of: – Extraction query IDi : The challenger responds by running algorithm Extract togenerate the private key di corresponding to the public key IDi . It sends di to theadversary. – Decryption query IDi , Ci : The challenger responds by running algorithm Extractto generate the private key di corresponding to IDi . It then runs algorithm Decrypt todecrypt the ciphertext Ci using the private key di . It sends the resulting plaintext tothe adversary. ---Challenge: Once the adversary decides that Phase 1 is over it outputs two equallength plaintexts M0 , M1 ∈ M and an identity ID on which it wishes to be challenged.•
  8. 8. • Phase 2:• The adversary issues more queries qm+1 , . . . , qn where query qi is one of:• - Extraction query• - Deryption Query• Limitations :•These algorithms must satisfy the standard consistency constraint, namely• > when d is the private key generated by algorithm ,• > Extract when it is given ID as the public key, then ∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M )
  9. 9. Types of IBE• Semantically Secure IBE• >> Semantic security is similar to chosen ciphertext security (IND-ID-CCA) exceptthat the adversary is more limited;•>> It cannot issue decryption queries while attacking the challenge public key.• One way identity-based encryption :• >> If given the encryption of a random plain text , the adversary cannot producethe plaintext in its entirety. ( Total Decryption is not possible )•
  10. 10. Bilinear maps and the Bilinear Diffie-Hellman Assumption:• Our IBE system makes use of a bilinear map e : G1 x G1 = G2 , The map must satisfy following properties :• >> Bilinear• We say that a map e : G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)ab for all P, Q ∈G1 and all a, b ∈ Z.• >> Non – Degenerate•The map does not send all pairs in G1 × G1 to the identity in G2 . Observe that sinceG1 , G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2 . >> Computable•There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G 1 .•If all the above 3 properties are satisfied, then it is called Admissible Bilinear map.
  11. 11. Basic Ident• Setup:• Given a security parameter k ∈ Z+ , the algorithm works as follows:•Step 1:• Run G on input k to generate a prime q, two groups G1 , G2 of order q, and anadmissible bilinear map e : G1 × G1 → G2 . Choose a random generator P ∈ G1 . ˆ Step 2:• Pick a random s ∈ Zq and set Ppub = sP . Step 3:• Choose a cryptographic hash function H1 : {0, 1}∗ → G1∗ .• Choose a cryptographic hash function H2 : G2 → {0, 1}n for some n.The message space is M = {0, 1}n . The ciphertext space is C = G1∗ × {0, 1}n . The systemparameters are params = (q, G1 , G2 , e, n, P, Ppub , H1 , H2) . The master-key is s ∈ Zq∗ .
  12. 12. Steps of Basic Ident• Extract:• For a given string ID ∈ {0, 1}∗ the algorithm does:• (1) computes QID = H1 (ID) ∈ G1∗ , and• (2) sets the private key dID to be dID = sQID where s is the master key.Encrypt:• To encrypt M ∈ M under the public key ID do the following: (1) compute QID = H1 (ID)∈ G1∗ , (2) choose a random r ∈ Zq∗ , and (3) set the ciphertext to beC = (rP, M ⊕ H2 (grID )) where gID = e(QID , Ppub ) ∈ G2∗Decrypt:• Let C = U, V ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key dID ∈ G1∗ compute: V ⊕ H2 (e(dID , U )) = M
  13. 13. Elliptic Curve Let p be a prime larger than 3. An elliptic curve over a finite field of size p is denoted by GF(p) can be given by an equation of the form: E={ (x,y) U O | (x,y) satisfies the equation y^2 = x^3 + ax +b, where a,b ∈ GF(p). } If a line intersects the curve at 2 points, It must intersect the curve at the third point also. The Elliptic Curve Point Addition : P+Q=R> Find the tow points P and Q where the line intersects the curve> Solve for the 3rd point by solving the polynomial Curve eqn with the Line.> Now take the reflection of the point 3 obtained to obtain R> P + Q = R ( the Reflection obtained)
  14. 14. Divisor : Zero and Pole A divisor D can be defined as a formal sum of points on elliptic curve group E: D =∑ n ( P)where nP is a non-zero integer that specifies the zero/pole property of point P and its respective order. Inequality a) nP > 0 indicates that point P is a zero, where as b) nP < 0 indicates that P is a pole. For example, for P, Q, R∈E, D1 = 2(P) + 3(Q) – 3(R)indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3. Degree of the divisor of a rational function must be zero
  15. 15. Definition Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, Its done in such a way as to constitute a pairing on the torsion subgroup of E.
  16. 16. Elliptic Curve Group over Real Numbers• y2 = x3 + ax + b – x, y, a, b are real numbers• If 4a3 + 27b2 ≠ 0, a group can be formed. – points on curve and infinity point – Additive group
  17. 17. A Deeper Understanding• E is an elliptic curve over K and n is an integer not divisible by char(K)• E[n] is a torsion subgroup of E(K), that is E[n] = {PE()| nP = } E(K). Where we make a assumption that n = {x |xn = 1, x}K.• Let TE[n], then there exist a function f such that div(f) = n[T]-n[]• Note that f has zero at T with order n and has pole at  with order -n.
  18. 18. Elliptic Curve Addition: A Geometric Approach• Adding distinct points P and Q* The negative of a point P is its reflection in the x-axis.
  19. 19. Adding the points P and -P
  20. 20. Doubling the point P
  21. 21. Weil Pairing• Definiton : Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (bilinear form, though with multiplicative notation) on the torsion subgroup of E. T• Bilinear map : – A map e: G1×G1→G2 – ∀P,Q∈G1, ∀a,b∈Z, e(aP, bQ) = e(P, Q)ab• Weil Pairing : – bilinear map • G1 is the group of points of an elliptic curve over Fp • G2 is a subgroup of Fp2* – efficiently computable • Miller’s algorithm
  22. 22. Properties of Weil Pairing• The Weil pairing has the following properties for points in E[n]:• Property 1 : For all P έ E[n] we have: e(P; P ) = 1.• Bilinear Property:• e(P1 + P2, Q) = e(P1, Q). e(P2, Q) and• e(P, Q1 + Q2) = e(P, Q1) . e(P, Q2).• Property 3• When P,Q έ E[n] are collinear then e(P; Q) = 1.• Similarly, e(P, Q) = e(Q, P ) ^-1• nth root Property :For all P, Q έ E[n] : we have e(P; Q) ^ n = 1 , i.e. e(P; Q) έ G2.• Non-degenerate Property : ( in the following sense: )• If P έ E[n] satis es e(P; Q) = 1 for all Q έ E[n] , then P = O.
  23. 23. Computing The Weil Pairing• Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F∗ (p^2) using O(log p) arithmetic operations in Fp . We assume P != Q. We proceed as follows:• > Pick two random points R1 , R2 ∈ E[n].> Consider the divisors Ap = (P + R1 ) − (R1 ) and » Aq = (Q + R2 ) − (R2 ).> These divisors are equivalent to (P ) − (O) and (Q) − (O) respectively.• Hence we use them to compute Weil Pairing as e(P,Q) = Fp(Aq) / Fq ( Ap) =Fp( Q + R2 ). Fq ( R1 ) / Fp(R2) .Fq( P + R1)
  24. 24. Computations ( Contd.) :• This expression is well defined with very high probability over the choice of R1 , R2 (the probability of failure is at most O( log p/p )).• In the rare event that a division by zero occurs during the computation ofe(P, Q) ,• In such cases , we simply pick new random points R1 , R2 and repeat the process.
  25. 25. Miller’s algorithm• As we seen above, both of the computing of Weil pairing and Tate pairing can reduce to finding a function a function f with div(f) = n[P+R]-n[R] for points PE[n] and RE and evaluating f(Q1)/f(Q2)• Note that, we omit Tate pairing here because the Galois cohomology theorem is too hard.
  26. 26. Basic idea• Define Dj = j[P+R]-j[R]-[jP]+[∞]. – Note that, we can’t define Dj = j[P+R]-j[R].• We can find a function fj such that div(fj) = Dj.• Miller’s Algo. can compute fj+k(Q1)/fj+k(Q2) by fj(Q1)/fj(Q2) and fk(Q1)/fk(Q2) as following: – Let ax+by+c = 0 be the line through jP and kP. – Let x+d = 0 be the vertical line through (j+k)P.
  27. 27. ax+by+c1 . div = [ jP ] [ kP ]− [ j+k P ]− [ ∞ ] x+d2 . Therfore, div f j+k =D j+k = j+k [ P+R ]− j+k [ R ]− [ j+k P ] [ ∞ ] = j [ P+R ]− j [ R ]− [ jP ] [ ∞ ] k [ P+R]− k [ R ]− [ kP ] [ ∞ ] ax+by+c div x+d ax+by+c =D j +Dk div x+d ax+by+c = div f j div f k div x+d ax+by+c = div f j f k x+d ax+by+c3 . That is, f j+k =t f j f k for some const t x+d4 . Therefore, f j+k Q1 t f j Q1 f k Q1 ax+by+c / x+d x,y =Q 1 = . f j+k Q 2 t f j Q2 f k Q 2 ax+by+c / x+d x,y =Q 2
  28. 28. Escrow El-Gamal Encryption• Setup – Use same elliptic curve – Pick a random s∈Zq, Q = sP – Choose hash function: Fp2 → {0,1}n – System parameters: < p, n, P, Q, H > – s is the escrow key• Keygen – User randomly choose x∈Zq as private key – Public key is Ppub = xP
  29. 29. Big Picture encryption Alice Bob yBob, cert (yBob, Bob) (a,b) = (…) (a,b)
  30. 30. Escrow ElGamal Encryption (Cont’d)• Encrypt ( Ciphertext) – Pick random r∈Zq – C = < rP, M⊕H(gr) > where g = ê(Ppub, Q)∈ Fp2 (Our Encrypted message is C )• Decrypt (C = <U,V>) – V ⊕ H(ê(U, xQ)) = M• Escrow-decrypt – V ⊕ H(ê(U, sPpub)) = M