IBE (Identity-Based Encryption) from the Weil Pairing

Sravan Babu Bodapati
Eswar Sai Putti
Identity Based Encryption
• An identity-based encryption scheme E is specified by four randomized algorithms: Setup, Extract, Encrypt and Decrypt.
• Setup (run by the PKG): takes a security parameter k and returns params (system parameters) and master-key. The system parameters include a description of a finite message space M and a description of a finite ciphertext space C.
  > The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator” (PKG).
Protocol framework (contd.)
• Extract (run by the PKG): run when a user requests his private key. It takes as input params, master-key and an arbitrary ID ∈ {0, 1}*, and returns a private key d. Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private decryption key.
  >> The Extract algorithm extracts a private key from the given public key.
• Encrypt: takes as input params, ID and M ∈ M. It returns a ciphertext C ∈ C.
• Decrypt: takes as input params, C ∈ C and a private key d. It returns M ∈ M.
Identity-Based Encryption
[Figure: Alice (encrypt) and Bob (decrypt) hold the global parameters; the PKG runs setup, publishes the global parameters and keeps the master key. M is encrypted using bob@iitm.ac.in; after authentication the PKG runs extract and returns the private key for the requested identity (labelled alice@iitm.ac.in in the figure).]
Applications
• Revocation of public keys:
  – Annual private-key expiration (virtual effect): the receiver cannot decrypt the message after the specific deadline set by the sender.
  >>> “bob@company.com||current-year||clearance=secret”
  He also has to get the clearance by the end of the current year.
• Delegation of decryption keys:
  – Delegation to a laptop (when it is stolen)
  – Delegation of duties (persons of only a particular department can decrypt their own messages but cannot tamper with those belonging to other departments).
Applications (contd.)
• Chosen ciphertext security:
  >> Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.
  >> Phase 1: The adversary issues queries q1, ..., qm where query qi is one of:
     – Extraction query ⟨IDi⟩: The challenger responds by running algorithm Extract to generate the private key di corresponding to the public key IDi. It sends di to the adversary.
     – Decryption query ⟨IDi, Ci⟩: The challenger responds by running algorithm Extract to generate the private key di corresponding to IDi. It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di. It sends the resulting plaintext to the adversary.
  >> Challenge: Once the adversary decides that Phase 1 is over, it out
puts two equal-length plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged.
  >> Phase 2: The adversary issues more queries qm+1, ..., qn where query qi is one of:
     – Extraction query
     – Decryption query
• Limitations (consistency constraint):
  These algorithms must satisfy the standard consistency constraint, namely:
  > when d is the private key generated by algorithm Extract when it is given ID as the public key, then
    ∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M)
Types of IBE
• Semantically secure IBE:
  >> Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited:
  >> it cannot issue decryption queries while attacking the challenge public key.
• One-way identity-based encryption:
  >> Given the encryption of a random plaintext, the adversary cannot produce the plaintext in its entirety (total decryption is not possible).
Bilinear maps and the Bilinear Diffie-Hellman Assumption
• Our IBE system makes use of a bilinear map e : G1 × G1 → G2. The map must satisfy the following properties:
  >> Bilinear: we say that a map e : G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)^ab for all P, Q ∈ G1 and all a, b ∈ Z.
  >> Non-degenerate: the map does not send all pairs in G1 × G1 to the identity in G2. Observe that since G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2.
  >> Computable: there is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.
• If all three properties above are satisfied, e is called an admissible bilinear map.
BasicIdent
• Setup: given a security parameter k ∈ Z+, the algorithm works as follows:
  Step 1: Run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map ê : G1 × G1 → G2. Choose a random generator P ∈ G1.
  Step 2: Pick a random s ∈ Zq* and set Ppub = sP.
  Step 3: Choose a cryptographic hash function H1 : {0, 1}* → G1*. Choose a cryptographic hash function H2 : G2 → {0, 1}^n for some n.
  The message space is M = {0, 1}^n. The ciphertext space is C = G1* × {0, 1}^n. The system parameters are params = (q, G1, G2, ê, n, P, Ppub, H1, H2). The master-key is s ∈ Zq*.
Steps of BasicIdent
• Extract: for a given string ID ∈ {0, 1}* the algorithm (1) computes Q_ID = H1(ID) ∈ G1*, and (2) sets the private key d_ID to be d_ID = s·Q_ID where s is the master key.
• Encrypt: to encrypt M ∈ M under the public key ID: (1) compute Q_ID = H1(ID) ∈ G1*, (2) choose a random r ∈ Zq*, and (3) set the ciphertext to be
    C = (rP, M ⊕ H2(g_ID^r)) where g_ID = ê(Q_ID, Ppub) ∈ G2*
• Decrypt: let C = ⟨U, V⟩ ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key d_ID ∈ G1* compute:
    V ⊕ H2(ê(d_ID, U)) = M
Elliptic Curve
Let p be a prime larger than 3. An elliptic curve over the finite field of size p, denoted GF(p), can be given by an equation of the form:
  E = { (x, y) | y^2 = x^3 + ax + b, where a, b ∈ GF(p) } ∪ { O }
If a line intersects the curve at two points, it must intersect the curve at a third point also.
The elliptic curve point addition P + Q = R:
> Find the two points P and Q where the line intersects the curve.
> Solve for the third point by solving the polynomial curve equation together with the line.
> Now take the reflection of the third point obtained across the x-axis.
> P + Q = R' (the reflection obtained).
Divisor: Zero and Pole
A divisor D can be defined as a formal sum of points on the elliptic curve group E:
  D = ∑ n_P (P)
where n_P is a non-zero integer that specifies the zero/pole property of the point P and its respective order.
  a) n_P > 0 indicates that the point P is a zero, whereas
  b) n_P < 0 indicates that P is a pole.
For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) − 3(R) indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3.
The degree of the divisor of a rational function must be zero.
Definition
The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, done in such a way as to constitute a pairing on the torsion subgroup of E.
Elliptic Curve Group over Real Numbers
• y^2 = x^3 + ax + b
  – x, y, a, b are real numbers
• If 4a^3 + 27b^2 ≠ 0, a group can be formed.
  – points on the curve and the infinity point
  – additive group
A Deeper Understanding
• E is an elliptic curve over K and n is an integer not divisible by char(K).
• E[n] is the n-torsion subgroup of E, that is E[n] = {P ∈ E(K̄) | nP = ∞} ⊆ E(K̄), where we make the assumption that μ_n = {x ∈ K̄ | x^n = 1} ⊆ K.
• Let T ∈ E[n]; then there exists a function f such that div(f) = n[T] − n[∞].
• Note that f has a zero at T with order n and a pole at ∞ (coefficient −n in the divisor).
Elliptic Curve Addition: A Geometric Approach
[Figure panels: adding distinct points P and Q; adding the points P and −P; doubling the point P.]
* The negative of a point P is its reflection in the x-axis.
Weil Pairing
• Definition: the Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (a bilinear form, though with multiplicative notation) on the torsion subgroup of E.
• Bilinear map:
  – a map e : G1 × G1 → G2
  – ∀P, Q ∈ G1, ∀a, b ∈ Z, e(aP, bQ) = e(P, Q)^ab
• Weil pairing:
  – bilinear map
    • G1 is the group of points of an elliptic curve over Fp
    • G2 is a subgroup of F_{p^2}*
  – efficiently computable
    • Miller’s algorithm
Properties of Weil Pairing
• The Weil pairing has the following properties for points in E[n]:
• Property 1: for all P ∈ E[n] we have e(P, P) = 1.
• Bilinear property: e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).
• Property 3: when P, Q ∈ E[n] are collinear then e(P, Q) = 1. Similarly, e(P, Q) = e(Q, P)^-1.
• n-th root property: for all P, Q ∈ E[n] we have e(P, Q)^n = 1, i.e. e(P, Q) ∈ G2.
• Non-degenerate property (in the following sense): if P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.
Computing The Weil Pairing
• Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F_{p^2}* using O(log p) arithmetic operations in Fp. We assume P ≠ Q. We proceed as follows:
  > Pick two random points R1, R2 ∈ E[n].
  > Consider the divisors A_P = (P + R1) − (R1) and A_Q = (Q + R2) − (R2).
  > These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.
  > Let f_P and f_Q be functions whose divisors are n·A_P and n·A_Q (found with Miller’s algorithm, described below).
• Hence we use them to compute the Weil pairing as
    e(P, Q) = f_P(A_Q) / f_Q(A_P) = f_P(Q + R2) · f_Q(R1) / (f_P(R2) · f_Q(P + R1))
Computations (contd.):
• This expression is well defined with very high probability over the choice of R1, R2 (the probability of failure is at most O(log p / p)).
• In the rare event that a division by zero occurs during the computation of e(P, Q), we simply pick new random points R1, R2 and repeat the process.
Miller’s algorithm
• As seen above, computing both the Weil pairing and the Tate pairing reduces to finding a function f with div(f) = n[P+R] − n[R] for points P ∈ E[n] and R ∈ E, and evaluating f(Q1)/f(Q2).
• Note that we omit the Tate pairing here because the Galois cohomology theorem is too hard.
Basic idea
• Define D_j = j[P+R] − j[R] − [jP] + [∞].
  – Note that we cannot simply define D_j = j[P+R] − j[R].
• We can find a function f_j such that div(f_j) = D_j.
• Miller’s algorithm computes f_{j+k}(Q1)/f_{j+k}(Q2) from f_j(Q1)/f_j(Q2) and f_k(Q1)/f_k(Q2) as follows:
  – Let ax + by + c = 0 be the line through jP and kP.
  – Let x + d = 0 be the vertical line through (j+k)P.
1. div((ax+by+c)/(x+d)) = [jP] + [kP] − [(j+k)P] − [∞]
2. Therefore, div(f_{j+k}) = D_{j+k}
     = (j+k)[P+R] − (j+k)[R] − [(j+k)P] + [∞]
     = ( j[P+R] − j[R] − [jP] + [∞] ) + ( k[P+R] − k[R] − [kP] + [∞] ) + div((ax+by+c)/(x+d))
     = D_j + D_k + div((ax+by+c)/(x+d))
     = div(f_j) + div(f_k) + div((ax+by+c)/(x+d))
     = div( f_j · f_k · (ax+by+c)/(x+d) )
3. That is, f_{j+k} = t · f_j · f_k · (ax+by+c)/(x+d) for some constant t.
4. Therefore,
     f_{j+k}(Q1) / f_{j+k}(Q2) = [ t · f_j(Q1) · f_k(Q1) · ((ax+by+c)/(x+d))|_{(x,y)=Q1} ] / [ t · f_j(Q2) · f_k(Q2) · ((ax+by+c)/(x+d))|_{(x,y)=Q2} ]
Escrow ElGamal Encryption
• Setup
  – Use the same elliptic curve
  – Pick a random s ∈ Zq, Q = sP
  – Choose a hash function H : F_{p^2} → {0,1}^n
  – System parameters: ⟨p, n, P, Q, H⟩
  – s is the escrow key
• Keygen
  – The user randomly chooses x ∈ Zq as private key
  – Public key is Ppub = xP
Big Picture
[Figure: encryption between Alice and Bob. Bob provides his public key yBob with cert(yBob, Bob); Alice computes (a, b) = (…) and sends (a, b) to Bob.]
Escrow ElGamal Encryption (Cont’d)
• Encrypt (ciphertext)
  – Pick random r ∈ Zq
  – C = ⟨rP, M ⊕ H(g^r)⟩ where g = ê(Ppub, Q) ∈ F_{p^2}
  (Our encrypted message is C)
• Decrypt (C = ⟨U, V⟩)
  – V ⊕ H(ê(U, xQ)) = M
• Escrow-decrypt
  – V ⊕ H(ê(U, sPpub)) = M
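The whole deck, as an added Python example written for this page (not code from the slides or from the Boneh-Franklin paper): a toy supersingular curve y^2 = x^3 + 1 over F_p with constructed parameters p = 6053 and q = 1009 (so 6q = p + 1), Miller's f_{j+k} = f_j·f_k·(ax+by+c)/(x+d) rule, the randomised-divisor Weil pairing of the "Computing the Weil pairing" slides (taking R1 = O and R2 = S), the distortion map ê(P, Q) = e(P, φ(Q)) that BasicIdent and escrow ElGamal need because e(P, P) = 1, and then BasicIdent and escrow ElGamal as the slides state them. Assumptions: H1 is the Boneh-Franklin MapToPoint for this curve, H2 is SHA-256 over the F_{p^2} coordinates, and the parameters are far too small for real use.

```python
import hashlib
import random
# Toy Boneh-Franklin parameters (constructed for this example; far too small for real use):
# the supersingular curve y^2 = x^3 + 1 over F_p with p = 2 (mod 3) has #E(F_p) = p + 1 = 6q.
p, q = 6053, 1009
assert p % 3 == 2 and (p + 1) % q == 0

class Fp2:  # a + b*z in F_{p^2} = F_p[z]/(z^2 + z + 1), z a primitive cube root of unity
    def __init__(self, a, b=0): self.a, self.b = a % p, b % p
    def __eq__(self, o): return self.a == o.a and self.b == o.b
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __mul__(self, o):  # uses z^2 = -z - 1
        return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a - self.b * o.b)
    def __truediv__(self, o):  # multiply by the conjugate (a - b) - b*z, divide by the norm
        n = (o.a * o.a - o.a * o.b + o.b * o.b) % p
        if n == 0: raise ZeroDivisionError
        return self * Fp2(o.a - o.b, -o.b) * Fp2(pow(n, p - 2, p))
    def __pow__(self, e):  # square-and-multiply
        return Fp2(1) if e == 0 else (self * self) ** (e >> 1) * (self if e & 1 else Fp2(1))

# Curve points are (x, y) pairs of Fp2; None is the point at infinity O.
def ec_add(P, Q):
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y1 == -y2: return None
    lam = (Fp2(3) * x1 * x1) / (Fp2(2) * y1) if P == Q else (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def ec_mul(k, P):
    R = None
    while k:
        R, P, k = (ec_add(R, P) if k & 1 else R), ec_add(P, P), k >> 1
    return R

def ec_neg(P): return None if P is None else (P[0], -P[1])
def phi(P): return (Fp2(0, 1) * P[0], P[1])  # distortion map (x, y) -> (z*x, y); needed since e(P, P) = 1
def map_to_point(data):
    """H1: {0,1}* -> G1 (BF MapToPoint): hash to y0, x0 = (y0^2 - 1)^(1/3), then clear the cofactor."""
    for ctr in range(256):
        y0 = int.from_bytes(hashlib.sha256(bytes([ctr]) + data).digest(), "big") % p
        x0 = pow((y0 * y0 - 1) % p, (2 * p - 1) // 3, p)  # the cube root is unique because p = 2 (mod 3)
        Q = ec_mul((p + 1) // q, (Fp2(x0), Fp2(y0)))
        if Q is not None: return Q
    raise ValueError("MapToPoint failed")

def line(T, U, X):
    """Miller-loop factor g_{T,U}(X) / v_{T+U}(X) for the step T, U -> T + U (the slides' (ax+by+c)/(x+d))."""
    (xt, yt), (xu, yu), (xx, yx) = T, U, X
    if xt == xu and yt == -yu: return xx - xt  # T + U = O: the line is the vertical through T and v_O = 1
    lam = (Fp2(3) * xt * xt) / (Fp2(2) * yt) if T == U else (yu - yt) / (xu - xt)
    return (yx - yt - lam * (xx - xt)) / (xx - (lam * lam - xt - xu))

def miller(P, X):
    """f_{q,P}(X) with div(f_{q,P}) = q(P) - q(O), built by the slides' f_{j+k} = f_j * f_k * l/v rule."""
    T, f = P, Fp2(1)
    for bit in bin(q)[3:]:
        f, T = f * f * line(T, T, X), ec_add(T, T)
        if bit == "1": f, T = f * line(T, P, X), ec_add(T, P)
    return f

G = map_to_point(b"base point")  # the system generator P of G1 (constructed)
def weil(P, Q):
    """e(P, Q) via the slides' divisors with R1 = O, R2 = S: e = f_P(Q+S) f_Q(-S) / (f_P(S) f_Q(P-S))."""
    while True:
        S = ec_add(ec_mul(random.randrange(q), G), ec_mul(random.randrange(q), phi(G)))
        pts = [ec_add(Q, S), ec_neg(S), S, ec_add(P, ec_neg(S))]
        if None in pts: continue
        try:
            e = (miller(P, pts[0]) * miller(Q, pts[1])) / (miller(P, pts[2]) * miller(Q, pts[3]))
        except ZeroDivisionError:  # S hit a zero or pole: pick new random points, as the slides say
            continue
        if e != Fp2(0): return e
def ehat(P, Q): return weil(P, phi(Q))  # modified Weil pairing on G1 x G1
def H2(g): return hashlib.sha256(g.a.to_bytes(4, "big") + g.b.to_bytes(4, "big")).digest()  # G2 -> 256 bits
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

# BasicIdent: Setup / Extract / Encrypt / Decrypt as on the slides.
def setup():
    s = random.randrange(1, q)  # master-key, known only to the PKG
    return (G, ec_mul(s, G)), s  # params = (P, Ppub = sP)
def extract(s, ID): return ec_mul(s, map_to_point(ID))  # d_ID = s * Q_ID
def encrypt(params, ID, M):
    P, Ppub = params
    r = random.randrange(1, q)
    g_ID = ehat(map_to_point(ID), Ppub)
    return ec_mul(r, P), xor(M, H2(g_ID ** r))  # C = (rP, M xor H2(g_ID^r))
def decrypt(d_ID, C):
    U, V = C
    return xor(V, H2(ehat(d_ID, U)))  # e(s*Q_ID, rP) = e(Q_ID, sP)^r = g_ID^r

# Escrow ElGamal on the same curve: Q = sP is the escrow value, Ppub = xP the user's public key.
def eg_encrypt(Q, Ppub, M):
    r = random.randrange(1, q)
    return ec_mul(r, G), xor(M, H2(ehat(Ppub, Q) ** r))
def eg_decrypt(x, Q, C): return xor(C[1], H2(ehat(C[0], ec_mul(x, Q))))  # user: e(U, xQ)
def eg_escrow_decrypt(s, Ppub, C): return xor(C[1], H2(ehat(C[0], ec_mul(s, Ppub))))  # PKG: e(U, sPpub)
```

Calling weil(P, ec_mul(5, P)) returns 1 for any P in G1, which is the slides' Property 1 in action and the reason ehat applies phi to its second argument; ehat(P, Q) itself is a q-th root of unity in F_{p^2}.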

More Related Content

What's hot

The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithmKomal Singh
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key AlgorithmsBit Hacker
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2Deepak John
 
Public key cryptography
Public key cryptography Public key cryptography
Public key cryptography rinnocente
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysDharmalingam Ganesan
 
Information and Network Security
Information and Network SecurityInformation and Network Security
Information and Network SecurityMaulik Togadiya
 
Computer security module 1
Computer security module 1Computer security module 1
Computer security module 1Deepak John
 
Forward secure asynchronous messaging from puncturable encryption
Forward secure asynchronous messaging from puncturable encryptionForward secure asynchronous messaging from puncturable encryption
Forward secure asynchronous messaging from puncturable encryptionNational Chengchi University
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionMd. Ariful Hoque
 

What's hot (20)

Public key algorithm
Public key algorithmPublic key algorithm
Public key algorithm
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
 
RSA
RSARSA
RSA
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2
 
Public key cryptography
Public key cryptography Public key cryptography
Public key cryptography
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
Information and Network Security
Information and Network SecurityInformation and Network Security
Information and Network Security
 
Computer security module 1
Computer security module 1Computer security module 1
Computer security module 1
 
Chapter 03 cyclic codes
Chapter 03   cyclic codesChapter 03   cyclic codes
Chapter 03 cyclic codes
 
F010243136
F010243136F010243136
F010243136
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Forward secure asynchronous messaging from puncturable encryption
Forward secure asynchronous messaging from puncturable encryptionForward secure asynchronous messaging from puncturable encryption
Forward secure asynchronous messaging from puncturable encryption
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attack
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
 
The rsa algorithm JooSeok Song
The rsa algorithm JooSeok SongThe rsa algorithm JooSeok Song
The rsa algorithm JooSeok Song
 

Similar to Ibe weil pairing

implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptMuhammadAbdullah311866
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
Paillier Cryptosystem
Paillier CryptosystemPaillier Cryptosystem
Paillier CryptosystemDejan Radic
 
Image encryption using elliptical curve cryptosytem with hill cipher
Image encryption using elliptical curve cryptosytem with hill cipherImage encryption using elliptical curve cryptosytem with hill cipher
Image encryption using elliptical curve cryptosytem with hill cipherkarthik kedarisetti
 
Convolution presentation
Convolution presentationConvolution presentation
Convolution presentationSoham Mondal
 
Novel encryption algorithm and software development ecc and rsa
Novel encryption algorithm and software development ecc and rsaNovel encryption algorithm and software development ecc and rsa
Novel encryption algorithm and software development ecc and rsaSoham Mondal
 
Unit-III_3R-CRYPTO_2021-22_VSM.pptx
Unit-III_3R-CRYPTO_2021-22_VSM.pptxUnit-III_3R-CRYPTO_2021-22_VSM.pptx
Unit-III_3R-CRYPTO_2021-22_VSM.pptxVishwanathMahalle
 
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Madhumita Tamhane
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
Wireless Body Area Networking
Wireless Body Area NetworkingWireless Body Area Networking
Wireless Body Area Networkingsubhradeep mitra
 
815.07 machine learning using python.pdf
815.07 machine learning using python.pdf815.07 machine learning using python.pdf
815.07 machine learning using python.pdfSairaAtta5
 
Two fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmTwo fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmRifat Tasnim
 

Similar to Ibe weil pairing (20)

implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Paillier Cryptosystem
Paillier CryptosystemPaillier Cryptosystem
Paillier Cryptosystem
 
Image encryption using elliptical curve cryptosytem with hill cipher
Image encryption using elliptical curve cryptosytem with hill cipherImage encryption using elliptical curve cryptosytem with hill cipher
Image encryption using elliptical curve cryptosytem with hill cipher
 
Convolution presentation
Convolution presentationConvolution presentation
Convolution presentation
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
 
Novel encryption algorithm and software development ecc and rsa
Novel encryption algorithm and software development ecc and rsaNovel encryption algorithm and software development ecc and rsa
Novel encryption algorithm and software development ecc and rsa
 
Unit-III_3R-CRYPTO_2021-22_VSM.pptx
Unit-III_3R-CRYPTO_2021-22_VSM.pptxUnit-III_3R-CRYPTO_2021-22_VSM.pptx
Unit-III_3R-CRYPTO_2021-22_VSM.pptx
 
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
 
Mmclass3
Mmclass3Mmclass3
Mmclass3
 
Bch codes
Bch codesBch codes
Bch codes
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Wireless Body Area Networking
Wireless Body Area NetworkingWireless Body Area Networking
Wireless Body Area Networking
 
Elliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
Elliptic curvecryptography Shane Almeida Saqib Awan Dan PalacioElliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
Elliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
 
New ppt.ppt
New ppt.pptNew ppt.ppt
New ppt.ppt
 
815.07 machine learning using python.pdf
815.07 machine learning using python.pdf815.07 machine learning using python.pdf
815.07 machine learning using python.pdf
 
Ecc2
Ecc2Ecc2
Ecc2
 
Primitives
PrimitivesPrimitives
Primitives
 
Class3
Class3Class3
Class3
 
Two fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmTwo fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption Algorithm
 

Recently uploaded

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Ibe weil pairing

  • 1. IBE (Identitiy-Based Encryption) from the Weil Pairing  Sravan Babu Bodapati  Eswar Sai Putti
  • 3. Identity Based Encryption • An identity-based encryption scheme E is specified by four randomized algorithms: • Setup, • Extract, • Encrypt, • Decrypt: • Setup: ( Run by PKG ) • It takes a security parameter k and returns params (system parameters) and master-key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. • > The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator” (PKG).
  • 4. Protocol framework (contd.)
    – Extract (run by the PKG): run when a user requests his private key. It takes as input params, the master-key and an arbitrary ID ∈ {0,1}*, and returns a private key d. Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private decryption key. The Extract algorithm thus extracts a private key from the given public key.
    – Encrypt: takes as input params, ID and M ∈ M. It returns a ciphertext C ∈ C.
    – Decrypt: takes as input params, C ∈ C and a private key d. It returns M ∈ M.
  • 5. Identity-Based Encryption (diagram, with the identities bob@iitm.ac.in and alice@iitm.ac.in: the PKG runs setup and holds the global parameters and the master key; Alice encrypts M using the identity bob@iitm.ac.in; Bob authenticates to the PKG, which extracts and returns his private key; Bob decrypts)
  • 6. Applications
    – Revocation of public keys: annual private-key expiration (a virtual effect), as the receiver cannot decrypt the message after a specific deadline set by the sender, e.g. the identity “bob@company.com||current-year||clearance=secret”. He also has to get the clearance by the end of the current year.
    – Delegation of decryption keys:
      - Delegation to a laptop (when it is stolen)
      - Delegation of duties (persons of only a particular department can decrypt their own messages but cannot tamper with those belonging to other departments)
  • 7. Applications (contd.) – Chosen ciphertext security
    – Setup: the challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params and keeps the master-key to itself.
    – Phase 1: the adversary issues queries q1, ..., qm where query qi is one of:
      - Extraction query ⟨IDi⟩: the challenger responds by running algorithm Extract to generate the private key di corresponding to the public key IDi. It sends di to the adversary.
      - Decryption query ⟨IDi, Ci⟩: the challenger responds by running algorithm Extract to generate the private key di corresponding to IDi. It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di. It sends the resulting plaintext to the adversary.
    – Challenge: once the adversary decides that Phase 1 is over, it outputs two equal-length plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged.
  • 8. Phase 2: the adversary issues more queries qm+1, ..., qn where query qi is one of:
      - Extraction query
      - Decryption query
    – Limitations: these algorithms must satisfy the standard consistency constraint, namely when d is the private key generated by algorithm Extract when it is given ID as the public key, then ∀M ∈ M: Decrypt(params, C, d) = M where C = Encrypt(params, ID, M).
  • 9. Types of IBE
    – Semantically secure IBE: semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited; it cannot issue decryption queries while attacking the challenge public key.
    – One-way identity-based encryption: if given the encryption of a random plaintext, the adversary cannot produce the plaintext in its entirety (total decryption is not possible).
  • 10. Bilinear maps and the Bilinear Diffie-Hellman Assumption
    – Our IBE system makes use of a bilinear map e : G1 × G1 → G2. The map must satisfy the following properties:
    – Bilinear: we say that a map e : G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and all a, b ∈ Z.
    – Non-degenerate: the map does not send all pairs in G1 × G1 to the identity in G2. Observe that since G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2.
    – Computable: there is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.
    – If all three properties above are satisfied, e is called an admissible bilinear map.
  • 11. BasicIdent – Setup: given a security parameter k ∈ Z+, the algorithm works as follows:
    – Step 1: run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map ê : G1 × G1 → G2. Choose a random generator P ∈ G1.
    – Step 2: pick a random s ∈ Zq* and set Ppub = sP.
    – Step 3: choose a cryptographic hash function H1 : {0,1}* → G1*. Choose a cryptographic hash function H2 : G2 → {0,1}^n for some n.
    – The message space is M = {0,1}^n. The ciphertext space is C = G1* × {0,1}^n. The system parameters are params = (q, G1, G2, ê, n, P, Ppub, H1, H2). The master-key is s ∈ Zq*.
  • 12. Steps of BasicIdent
    – Extract: for a given string ID ∈ {0,1}* the algorithm (1) computes QID = H1(ID) ∈ G1*, and (2) sets the private key dID to be dID = sQID, where s is the master key.
    – Encrypt: to encrypt M ∈ M under the public key ID, (1) compute QID = H1(ID) ∈ G1*, (2) choose a random r ∈ Zq*, and (3) set the ciphertext to be C = (rP, M ⊕ H2(gID^r)) where gID = ê(QID, Ppub) ∈ G2*.
    – Decrypt: let C = (U, V) ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key dID ∈ G1*, compute V ⊕ H2(ê(dID, U)) = M.
  • 13. Elliptic Curve
    – Let p be a prime larger than 3. An elliptic curve over the finite field of size p, denoted GF(p), can be given by an equation of the form E = {(x, y) | y^2 = x^3 + ax + b, where a, b ∈ GF(p)} ∪ {O}.
    – If a line intersects the curve at two points, it must intersect the curve at a third point also.
    – Elliptic curve point addition, P + Q = R:
      - Find the two points P and Q where the line intersects the curve.
      - Solve for the third point by solving the polynomial curve equation together with the line.
      - Now take the reflection of the third point obtained: P + Q = R' (the reflection obtained).
  • 14. Divisor: Zero and Pole
    – A divisor D can be defined as a formal sum of points on the elliptic curve group E: D = Σ n_P (P), where n_P is a non-zero integer that specifies the zero/pole property of point P and its respective order.
    – Inequality (a) n_P > 0 indicates that point P is a zero, whereas (b) n_P < 0 indicates that P is a pole.
    – For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) − 3(R) indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3.
    – The degree of the divisor of a rational function must be zero.
  • 15. Definition: the Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, done in such a way as to constitute a pairing on the torsion subgroup of E.
  • 16. Elliptic Curve Group over Real Numbers
    – y^2 = x^3 + ax + b, where x, y, a, b are real numbers.
    – If 4a^3 + 27b^2 ≠ 0, a group can be formed: the points on the curve together with the point at infinity form an additive group.
  • 17. A Deeper Understanding
    – E is an elliptic curve over K and n is an integer not divisible by char(K).
    – E[n] is the n-torsion subgroup of E, that is E[n] = {P ∈ E | nP = ∞}, where we make the assumption that the n-th roots of unity {x | x^n = 1} lie in K.
    – Let T ∈ E[n]; then there exists a function f such that div(f) = n[T] − n[∞].
    – Note that f has a zero at T of order n and a pole at ∞ of order n (coefficient −n in div(f)).
  • 18. Elliptic Curve Addition: A Geometric Approach – adding distinct points P and Q. The negative of a point P is its reflection in the x-axis.
  • 19. Adding the points P and -P
  • 21. Weil Pairing
    – Definition: the Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (a bilinear form, though written with multiplicative notation) on the torsion subgroup of E.
    – Bilinear map: a map e : G1 × G1 → G2 with e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and all a, b ∈ Z.
    – The Weil pairing is such a bilinear map, where G1 is the group of points of an elliptic curve over Fp and G2 is a subgroup of F*_{p^2}; it is efficiently computable by Miller’s algorithm.
  • 22. Properties of Weil Pairing – the Weil pairing has the following properties for points in E[n]:
    – Property 1: for all P ∈ E[n] we have e(P, P) = 1.
    – Bilinear property: e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).
    – Property 3: when P, Q ∈ E[n] are collinear then e(P, Q) = 1. Similarly, e(P, Q) = e(Q, P)^(−1).
    – n-th root property: for all P, Q ∈ E[n] we have e(P, Q)^n = 1, i.e. e(P, Q) ∈ G2.
    – Non-degenerate property (in the following sense): if P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.
  • 23. Computing the Weil Pairing
    – Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F*_{p^2} using O(log p) arithmetic operations in Fp. We assume P ≠ Q. We proceed as follows:
      - Pick two random points R1, R2 ∈ E[n].
      - Consider the divisors A_P = (P + R1) − (R1) and A_Q = (Q + R2) − (R2). These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.
      - Hence we use them to compute the Weil pairing as e(P, Q) = F_P(A_Q) / F_Q(A_P) = [F_P(Q + R2) · F_Q(R1)] / [F_P(R2) · F_Q(P + R1)].
  • 24. Computations (contd.)
    – This expression is well defined with very high probability over the choice of R1, R2 (the probability of failure is at most O(log p / p)).
    – In the rare event that a division by zero occurs during the computation of e(P, Q), we simply pick new random points R1, R2 and repeat the process.
  • 25. Miller’s algorithm
    – As seen above, computing both the Weil pairing and the Tate pairing reduces to finding a function f with div(f) = n[P + R] − n[R] for points P ∈ E[n] and R ∈ E, and evaluating f(Q1)/f(Q2).
    – Note that we omit the Tate pairing here because the Galois cohomology theorem is too hard.
  • 26. Basic idea
    – Define D_j = j[P + R] − j[R] − [jP] + [∞]. Note that we cannot simply define D_j = j[P + R] − j[R].
    – We can find a function f_j such that div(f_j) = D_j.
    – Miller’s algorithm computes f_{j+k}(Q1)/f_{j+k}(Q2) from f_j(Q1)/f_j(Q2) and f_k(Q1)/f_k(Q2) as follows:
      - Let ax + by + c = 0 be the line through jP and kP.
      - Let x + d = 0 be the vertical line through (j + k)P.
  • 27.
    1. $\operatorname{div}\left(\frac{ax+by+c}{x+d}\right) = [jP] + [kP] - [(j+k)P] - [\infty]$
    2. Therefore,
       $\operatorname{div}(f_{j+k}) = D_{j+k} = (j+k)[P+R] - (j+k)[R] - [(j+k)P] + [\infty]$
       $= \big(j[P+R] - j[R] - [jP] + [\infty]\big) + \big(k[P+R] - k[R] - [kP] + [\infty]\big) + \operatorname{div}\left(\frac{ax+by+c}{x+d}\right)$
       $= D_j + D_k + \operatorname{div}\left(\frac{ax+by+c}{x+d}\right)$
       $= \operatorname{div}(f_j) + \operatorname{div}(f_k) + \operatorname{div}\left(\frac{ax+by+c}{x+d}\right)$
       $= \operatorname{div}\left(f_j\, f_k\, \frac{ax+by+c}{x+d}\right)$
    3. That is, $f_{j+k} = t \cdot f_j\, f_k\, \frac{ax+by+c}{x+d}$ for some constant $t$.
    4. Therefore,
       $\frac{f_{j+k}(Q_1)}{f_{j+k}(Q_2)} = \frac{t\, f_j(Q_1)\, f_k(Q_1)\, \left.\frac{ax+by+c}{x+d}\right|_{(x,y)=Q_1}}{t\, f_j(Q_2)\, f_k(Q_2)\, \left.\frac{ax+by+c}{x+d}\right|_{(x,y)=Q_2}}$
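As an added example (not from the slides): the chord-and-tangent addition of slide 13, Miller's recursion of slides 26 and 27 (taken with k = 1), and the randomised-divisor evaluation with retry of slides 23 and 24, all on a constructed toy curve y^2 = x^3 + 2 over F_7, chosen because its nine points are exactly E[3] and μ_3 = {1, 2, 4} lies in F_7, so no F_{p^2} arithmetic is needed. The curve, the 5000-attempt bound on the retry loop and all variable names are this example's own assumptions.

```python
import functools, random

# Constructed toy curve for this example: E: y^2 = x^3 + 2 over F_7. E(F_7) has 9 points and
# equals E[3] (Z_3 x Z_3); mu_3 = {1, 2, 4} lies in F_7, so e(P, Q) lands in F_7 itself.
p, a, b, n = 7, 0, 2, 3
O = None  # the point at infinity
def add(P, Q):
    """Chord-and-tangent addition of slide 13, in affine coordinates mod p."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return O              # P + (-P) = O
    lam = ((3*x1*x1 + a) * pow(2*y1, -1, p) if P == Q          # tangent slope
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p          # chord slope
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)                     # reflect the third point

def mul(k, P): return functools.reduce(add, [P]*k, O)         # kP by repeated addition
def line(A, B, S):
    """Value at S of the line through A and B (tangent if A == B, vertical if A == -B)."""
    (x1, y1), (x2, y2), (xs, ys) = A, B, S
    if x1 == x2 and (y1 + y2) % p == 0: return (xs - x1) % p
    lam = (3*x1*x1 + a) * pow(2*y1, -1, p) if A == B else (y2 - y1) * pow(x2 - x1, -1, p)
    return (ys - y1 - lam*(xs - x1)) % p

def vert(A, S):  # vertical line x = x(A) at S; the "vertical line through O" is the constant 1
    return 1 if A is O else (S[0] - A[0]) % p

def miller(P, R, S):
    """Evaluate f_n at S, where div(f_n) = n[P+R] - n[R] (slide 26 recursion with k = 1, t = 1)."""
    f1 = vert(add(P, R), S) * pow(line(P, R, S), -1, p) % p   # div f_1 = [P+R]-[R]-[P]+[inf]
    f, T = f1, P                                               # T = jP, f = f_j
    for _ in range(1, n):
        T2 = add(T, P)                                         # (j+1)P
        f = f * f1 * line(T, P, S) * pow(vert(T2, S), -1, p) % p   # f_{j+1} = f_j f_1 L/V
        T = T2
    return f

def weil(P, Q):
    """e(P,Q) = f_P(A_Q)/f_Q(A_P) with A_P = (P+R1)-(R1), A_Q = (Q+R2)-(R2) (slide 23)."""
    pts = [(x, y) for x in range(p) for y in range(p) if (y*y - x**3 - a*x - b) % p == 0]
    for _ in range(5000):                            # retry loop of slide 24, bounded here
        R1, R2 = random.choice(pts), random.choice(pts)
        if add(P, R1) is O or add(Q, R2) is O: continue
        try:
            num = miller(P, R1, add(Q, R2)) * miller(Q, R2, R1) % p
            den = miller(P, R1, R2) * miller(Q, R2, add(P, R1)) % p
            if num: return num * pow(den, -1, p) % p
        except ValueError: pass                      # hit a zero or pole: pick new R1, R2
    raise ValueError("no admissible R1, R2 found (only plausible on a tiny toy curve)")
```

With P = (0, 3) and Q = (3, 1) as independent generators of E[3], `weil(P, Q)` is a primitive cube root of unity (2 or 4), `weil(P, P)` is 1 and `weil(mul(2, P), Q)` equals `weil(P, Q)` squared, matching slide 22. On a curve this small most choices of R1, R2 hit a zero or pole, so the retry loop runs many times; the O(log p / p) failure bound of slide 24 only bites for large p.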
  • 28. Escrow ElGamal Encryption
    – Setup: use the same elliptic curve; pick a random s ∈ Zq and set Q = sP; choose a hash function H : F_{p^2} → {0,1}^n; the system parameters are ⟨p, n, P, Q, H⟩; s is the escrow key.
    – Keygen: the user randomly chooses x ∈ Zq as the private key; the public key is Ppub = xP.
  • 29. Big Picture (diagram: Alice encrypts to Bob using Bob’s public key yBob and its certificate cert(yBob, Bob), and sends the ciphertext (a, b))
  • 30. Escrow ElGamal Encryption (cont’d)
    – Encrypt: pick a random r ∈ Zq and set the ciphertext C = ⟨rP, M ⊕ H(g^r)⟩ where g = ê(Ppub, Q) ∈ F_{p^2} (C is our encrypted message).
    – Decrypt (C = ⟨U, V⟩): V ⊕ H(ê(U, xQ)) = M.
    – Escrow-decrypt: V ⊕ H(ê(U, sPpub)) = M.