3. Identity Based Encryption
• An identity-based encryption scheme E is specified by four randomized
algorithms:
• Setup,
• Extract,
• Encrypt,
• Decrypt:
• Setup: ( Run by PKG )
• It takes a security parameter k and returns params (system parameters) and
master-key. The system parameters include a description of a finite message space M,
and a description of a finite ciphertext space C.
• > The system parameters will be publicly known, while the master-key will be
known only to the “Private Key Generator” (PKG).
4. Protocol framework (contd.)
• Extract: (Run by PKG)
• Run when a user requests his private key.
• It takes as input params, master-key, and an arbitrary ID ∈ {0, 1}∗, and
returns a private key d. Here ID is an arbitrary string that will be used as a
public key, and d is the corresponding private decryption key.
• >> The Extract algorithm extracts a private key from the given public key.
• Encrypt:
• It takes as input params, ID, and M ∈ M. It returns a ciphertext C ∈ C.
• Decrypt:
• It takes as input params, C ∈ C, and a private key d. It returns M ∈ M.
5. Identity-Based Encryption
[Figure: IBE overview with Alice, Bob and the PKG. Labels: setup, master key, global parameters, encrypt, decrypt, extract, Authentication, "M encrypted using bob@iitm.ac.in", "Private key for alice@iitm.ac.in".]
6. Applications
• Revocation of Public Keys:
– Annual private key expiration (virtual effect), as the receiver cannot
decrypt the message after a specific deadline set by the sender.
• >>> “bob@company.com||current-year||clearance=secret”.
• He also has to get the clearance by the end of the current year.
• Delegation of Decryption Keys:
• - Delegation of Laptop (when it is stolen)
• - Delegation of Duties (persons of only a particular department can
decrypt their own messages but cannot tamper with those belonging to other
departments).
7. Applications (Contd.)
• Chosen ciphertext security:
• Setup:
• The challenger takes a security parameter k and runs the Setup algorithm. It gives
the adversary the resulting system parameters params. It keeps the master-key to
itself.
• Phase 1: The adversary issues queries q1 , . . . , qm where query qi is one of:
– Extraction query IDi : The challenger responds by running algorithm Extract to
generate the private key di corresponding to the public key IDi . It sends di to the
adversary.
– Decryption query IDi , Ci : The challenger responds by running algorithm Extract
to generate the private key di corresponding to IDi . It then runs algorithm Decrypt to
decrypt the ciphertext Ci using the private key di . It sends the resulting plaintext to
the adversary.
• Challenge: Once the adversary decides that Phase 1 is over, it outputs two equal-length
plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged.
8. • Phase 2:
• The adversary issues more queries qm+1 , . . . , qn where query qi is one of:
• - Extraction query
• - Decryption query
• Limitations:
• These algorithms must satisfy the standard consistency constraint, namely:
• > when d is the private key generated by algorithm Extract when it is given ID as the public key, then
∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M )
9. Types of IBE
• Semantically Secure IBE
• >> Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except
that the adversary is more limited;
•>> It cannot issue decryption queries while attacking the challenge public key.
• One way identity-based encryption :
• >> If given the encryption of a random plaintext, the adversary cannot produce
the plaintext in its entirety. (Total decryption is not possible.)
10. Bilinear maps and the
Bilinear Diffie-Hellman Assumption:
• Our IBE system makes use of a bilinear map e : G1 × G1 → G2. The map must
satisfy the following properties:
• >> Bilinear
• We say that a map e : G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈
G1 and all a, b ∈ Z.
• >> Non-degenerate
• The map does not send all pairs in G1 × G1 to the identity in G2. Observe that since
G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P)
is a generator of G2.
• >> Computable
• There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.
• If all 3 properties above are satisfied, then the map is called an admissible bilinear map.
11. Basic Ident
• Setup:
• Given a security parameter k ∈ Z+ , the algorithm works as follows:
•Step 1:
• Run G on input k to generate a prime q, two groups G1 , G2 of order q, and an
admissible bilinear map e : G1 × G1 → G2 . Choose a random generator P ∈ G1 .
Step 2:
• Pick a random s ∈ Zq and set Ppub = sP .
Step 3:
• Choose a cryptographic hash function H1 : {0, 1}∗ → G1∗.
• Choose a cryptographic hash function H2 : G2 → {0, 1}^n for some n.
The message space is M = {0, 1}^n. The ciphertext space is C = G1∗ × {0, 1}^n. The system
parameters are params = (q, G1, G2, e, n, P, Ppub, H1, H2). The master-key is s ∈ Zq∗.
12. Steps of Basic Ident
• Extract:
• For a given string ID ∈ {0, 1}∗ the algorithm does:
• (1) computes QID = H1 (ID) ∈ G1∗ , and
• (2) sets the private key dID to be dID = sQID where s is the master key.
Encrypt:
• To encrypt M ∈ M under the public key ID do the following: (1) compute QID = H1(ID)
∈ G1∗, (2) choose a random r ∈ Zq∗, and (3) set the ciphertext to be
C = (rP, M ⊕ H2(gID^r)) where gID = e(QID, Ppub) ∈ G2∗
Decrypt:
• Let C = (U, V) ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using
the private key dID ∈ G1∗ compute:
V ⊕ H2(e(dID, U)) = M
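The four Basic Ident algorithms above, as an added Python example that is not from the original slides. It assumes a toy pairing e(a, b) = g^(ab) mod p over G1 = (Zq, +), which is bilinear and non-degenerate but has trivial discrete logs, so it shows the algebra and the consistency constraint only, not security; q, p, g, N and all function names are constructed for illustration.

```python
import hashlib
import secrets

# Toy pairing, an assumption for illustration only and NOT secure:
# G1 = (Z_q, +) with generator P = 1, G2 = order-q subgroup of Z_p^*,
# e(a, b) = g^(a*b) mod p. Discrete logs in this G1 are trivial.
q, p, g = 1019, 2039, 4       # constructed: p = 2q + 1, g has order q mod p
N = 16                        # n, message length in bytes

def e(a, b):
    return pow(g, (a * b) % q, p)

def H1(identity):             # {0,1}* -> G1* (nonzero element of Z_q)
    h = hashlib.sha256(b"H1" + identity).digest()
    return int.from_bytes(h, "big") % (q - 1) + 1

def H2(x):                    # G2 -> {0,1}^n
    return hashlib.sha256(b"H2" + x.to_bytes(2, "big")).digest()[:N]

def xor(x, y):
    return bytes(i ^ j for i, j in zip(x, y))

def setup():
    s = secrets.randbelow(q - 1) + 1          # master-key s in Z_q^*
    return {"P": 1, "Ppub": s % q}, s         # Ppub = sP with P = 1

def extract(s, identity):
    return s * H1(identity) % q               # d_ID = s * Q_ID

def encrypt(params, identity, m):
    if len(m) != N:
        raise ValueError("message must be exactly N bytes")
    r = secrets.randbelow(q - 1) + 1          # random r in Z_q^*
    g_id = e(H1(identity), params["Ppub"])    # g_ID = e(Q_ID, Ppub)
    u = r * params["P"] % q                   # U = rP
    return u, xor(m, H2(pow(g_id, r, p)))     # V = M xor H2(g_ID^r)

def decrypt(d_id, c):
    u, v = c
    return xor(v, H2(e(d_id, u)))             # M = V xor H2(e(d_ID, U))

if __name__ == "__main__":
    params, master = setup()
    c = encrypt(params, b"bob@iitm.ac.in", b"sixteen byte msg")
    print(decrypt(extract(master, b"bob@iitm.ac.in"), c))
```

Decryption works because e(dID, U) = e(sQID, rP) = e(QID, P)^(sr) = e(QID, Ppub)^r = gID^r, which is exactly the bilinearity property used by the scheme.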
13. Elliptic Curve
Let p be a prime larger than 3. An elliptic curve over a finite field of size p,
denoted by GF(p), can be given by an equation of the form:
E = { (x, y) | y^2 = x^3 + ax + b, where a, b ∈ GF(p) } ∪ {O}
If a line intersects the curve at 2 points, it must intersect the curve at a third
point also.
The Elliptic Curve Point Addition:
P + Q = R
> Find the two points P and Q where the line intersects the curve.
> Solve for the 3rd point by solving the polynomial curve equation with the line.
> Now take the reflection of the 3rd point obtained to obtain R.
> P + Q = R (the reflection obtained)
14. Divisor : Zero and Pole
A divisor D can be defined as a formal sum of points on the elliptic curve
group E:
D = ∑ n_P (P)
where n_P is a non-zero integer that specifies the zero/pole property of point
P and its respective order.
a) n_P > 0 indicates that point P is a zero, whereas
b) n_P < 0 indicates that P is a pole.
For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) − 3(R)
indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively,
and a pole at R with order 3.
The degree of the divisor of a rational function must be zero.
15. Definition
Weil pairing is a construction of roots of
unity by means of functions on an elliptic
curve E.
It is done in such a way as to constitute a
pairing on the torsion subgroup of E.
16. Elliptic Curve Group over Real Numbers
• y^2 = x^3 + ax + b
– x, y, a, b are real numbers
• If 4a^3 + 27b^2 ≠ 0, a group
can be formed.
– points on curve and infinity
point
– Additive group
17. A Deeper Understanding
• E is an elliptic curve over K and n is an integer not
divisible by char(K)
• E[n] is a torsion subgroup of E(K), that is E[n] =
{PE()| nP = } E(K). Where we make an
assumption that n = {x |x^n = 1, x}K.
• Let TE[n], then there exists a function f such that
div(f) = n[T]-n[]
• Note that f has a zero at T with order n and has a pole at
with order -n.
18. Elliptic Curve Addition: A Geometric Approach
• Adding distinct points P and Q
* The negative of a point P is its reflection in the x-axis.
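The chord-and-reflection addition described in the elliptic curve slides above, carried over to a curve over GF(p), as an added Python example that is not from the original slides. It also checks the 4a^3 + 27b^2 ≠ 0 condition and the torsion test nP = O; the curve y^2 = x^3 + 2x + 2 over GF(17), the point (5, 1) and all function names are constructed for illustration.

```python
# Curve y^2 = x^3 + a*x + b over GF(p); None stands for the point at infinity O.
# Constructed sample: the small curve y^2 = x^3 + 2x + 2 over GF(17).
p, a, b = 17, 2, 2
G = (5, 1)

def nonsingular():
    return (4 * a**3 + 27 * b**2) % p != 0    # a group can be formed only if this holds

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % p)   # reflection in the x-axis

def add(P, Q):
    if P is None:
        return Q
    if Q is None:
        return P
    if Q == neg(P):
        return None                           # vertical line: the sum is O
    if P == Q:                                # tangent line (doubling)
        lam = (3 * P[0]**2 + a) * pow(2 * P[1] % p, -1, p) % p
    else:                                     # chord through P and Q
        lam = (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p) % p
    x3 = (lam * lam - P[0] - Q[0]) % p        # third intersection of line and curve
    y3 = (lam * (P[0] - x3) - P[1]) % p       # reflected to give R = P + Q
    return (x3, y3)

def mul(n, P):                                # double-and-add: computes nP
    R = None
    while n:
        if n & 1:
            R = add(R, P)
        P, n = add(P, P), n >> 1
    return R

def in_torsion(n, P):                         # P in E[n] exactly when nP = O
    return on_curve(P) and mul(n, P) is None
```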
21. Weil Pairing
• Definition:
Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E,
in such a way as to constitute a pairing (bilinear form, though with multiplicative notation)
on the torsion subgroup of E.
• Bilinear map:
– A map e: G1×G1→G2
– ∀P,Q∈G1, ∀a,b∈Z, e(aP, bQ) = e(P, Q)^(ab)
• Weil Pairing:
– bilinear map
• G1 is the group of points of an elliptic curve over Fp
• G2 is a subgroup of F_{p^2}^*
– efficiently computable
• Miller’s algorithm
22. Properties of Weil Pairing
• The Weil pairing has the following properties for points in E[n]:
• Property 1:
For all P ∈ E[n] we have: e(P, P) = 1.
• Bilinear Property:
• e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and
• e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).
• Property 3:
• When P, Q ∈ E[n] are collinear then e(P, Q) = 1.
• Similarly, e(P, Q) = e(Q, P)^-1.
• n'th root Property:
For all P, Q ∈ E[n] we have e(P, Q)^n = 1, i.e. e(P, Q) ∈ G2.
• Non-degenerate Property (in the following sense):
• If P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.
23. Computing The Weil Pairing
• Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F_{p^2}^* using
O(log p) arithmetic operations in Fp. We assume P ≠ Q. We proceed as follows:
• > Pick two random points R1, R2 ∈ E[n].
• > Consider the divisors Ap = (P + R1) − (R1) and Aq = (Q + R2) − (R2).
• > These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.
• Hence we use them to compute the Weil pairing as
e(P, Q) = Fp(Aq) / Fq(Ap) = [Fp(Q + R2) · Fq(R1)] / [Fp(R2) · Fq(P + R1)]
24. Computations ( Contd.) :
• This expression is well defined with very high probability over the choice
of R1 , R2 (the probability of failure is at most O( log p/p )).
• In the rare event that a division by zero occurs during the computation of
e(P, Q), we simply pick new random points R1, R2 and repeat the
process.
25. Miller’s algorithm
• As we have seen above, computing both the Weil
pairing and the Tate pairing reduces to finding a
function f with
div(f) = n[P+R]-n[R]
for points PE[n] and RE and
evaluating f(Q1)/f(Q2)
• Note that, we omit Tate pairing here because the
Galois cohomology theorem is too hard.
26. Basic idea
• Define D_j = j[P+R] − j[R] − [jP] + [∞].
– Note that we can't define D_j = j[P+R] − j[R].
• We can find a function f_j such that div(f_j) = D_j.
• Miller's algorithm can compute f_{j+k}(Q1)/f_{j+k}(Q2) from
f_j(Q1)/f_j(Q2) and f_k(Q1)/f_k(Q2) as follows:
– Let ax+by+c = 0 be the line through jP and kP.
– Let x+d = 0 be the vertical line through (j+k)P.
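27.
1. $$\operatorname{div}\left(\frac{ax+by+c}{x+d}\right) = [jP] + [kP] - [(j+k)P] - [\infty]$$
2. Therefore,
$$\begin{aligned}
\operatorname{div}(f_{j+k}) &= D_{j+k} \\
&= (j+k)[P+R] - (j+k)[R] - [(j+k)P] + [\infty] \\
&= j[P+R] - j[R] - [jP] + [\infty] + k[P+R] - k[R] - [kP] + [\infty] + \operatorname{div}\left(\frac{ax+by+c}{x+d}\right) \\
&= D_j + D_k + \operatorname{div}\left(\frac{ax+by+c}{x+d}\right) \\
&= \operatorname{div}(f_j) + \operatorname{div}(f_k) + \operatorname{div}\left(\frac{ax+by+c}{x+d}\right) \\
&= \operatorname{div}\left(f_j f_k \frac{ax+by+c}{x+d}\right)
\end{aligned}$$
3. That is, $f_{j+k} = t\, f_j f_k \frac{ax+by+c}{x+d}$ for some constant $t$.
4. Therefore,
$$\frac{f_{j+k}(Q_1)}{f_{j+k}(Q_2)} = \frac{t\, f_j(Q_1)\, f_k(Q_1)}{t\, f_j(Q_2)\, f_k(Q_2)} \cdot \frac{\left.\frac{ax+by+c}{x+d}\right|_{(x,y)=Q_1}}{\left.\frac{ax+by+c}{x+d}\right|_{(x,y)=Q_2}}$$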
28. Escrow El-Gamal Encryption
• Setup
– Use same elliptic curve
– Pick a random s∈Zq, Q = sP
– Choose hash function H: F_{p^2} → {0,1}^n
– System parameters: < p, n, P, Q, H >
– s is the escrow key
• Keygen
– User randomly chooses x∈Zq as private key
– Public key is Ppub = xP