Crypto cs36 39
1. IBE (Identity-Based Encryption) from the Weil Pairing
   - Sravan Babu Bodapati
   - Eswar Sai Putti
2. Identity Based Encryption
3. Identity Based Encryption
   - An identity-based encryption scheme E is specified by four randomized algorithms: Setup, Extract, Encrypt and Decrypt.
   - Setup (run by the PKG): takes a security parameter k and returns params (the system parameters) and master-key. The system parameters include a description of a finite message space M and of a finite ciphertext space C.
   - The system parameters are publicly known, while the master-key is known only to the Private Key Generator (PKG).
4. Protocol framework (contd.)
   - Extract (run by the PKG when a user requests his private key): takes as input params, master-key and an arbitrary ID ∈ {0,1}*, and returns a private key d. Here ID is an arbitrary string that is used as a public key, and d is the corresponding private decryption key. In other words, Extract derives the private key from a given public key.
   - Encrypt: takes as input params, ID and M ∈ M, and returns a ciphertext C ∈ C.
   - Decrypt: takes as input params, C ∈ C and a private key d, and returns M ∈ M.
5. Identity-Based Encryption (diagram): M encrypted using bob@iitm.ac.in; authentication; private key for [email_address]; global parameters and master key flow from setup to extract, encrypt and decrypt.
6. Applications
   - Revocation of public keys: private keys expire annually (a virtual expiry), because the receiver cannot decrypt a message after the specific deadline set by the sender, e.g. the public key "bob@company.com||current-year||clearance=secret". Bob also has to obtain the clearance by the end of the current year.
   - Delegation of decryption keys:
     - Delegation to a laptop (relevant when it is stolen)
     - Delegation of duties (persons of a particular department can decrypt their own messages but cannot tamper with those belonging to other departments)
7. Applications (contd.)
   - Chosen ciphertext security (the IND-ID-CCA game):
   - Setup: the challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params and keeps the master-key to itself.
   - Phase 1: the adversary issues queries q1, ..., qm, where query qi is one of:
     - Extraction query ⟨IDi⟩: the challenger responds by running algorithm Extract to generate the private key di corresponding to the public key IDi, and sends di to the adversary.
     - Decryption query ⟨IDi, Ci⟩: the challenger responds by running algorithm Extract to generate the private key di corresponding to IDi. It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di, and sends the resulting plaintext to the adversary.
   - Challenge: once the adversary decides that Phase 1 is over, it outputs two equal-length plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged.
8. (contd.)
   - Phase 2: the adversary issues more queries qm+1, ..., qn, where query qi is again either an extraction query or a decryption query.
   - Limitations: these algorithms must satisfy the standard consistency constraint, namely, when d is the private key generated by algorithm Extract when it is given ID as the public key, then ∀M ∈ M: Decrypt(params, C, d) = M where C = Encrypt(params, ID, M).
9. Types of IBE
   - Semantically secure IBE: semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited; it cannot issue decryption queries while attacking the challenge public key.
   - One-way identity-based encryption: given the encryption of a random plaintext, the adversary cannot produce the plaintext in its entirety (total decryption is not possible).
10. Bilinear maps and the Bilinear Diffie-Hellman assumption
   - Our IBE system makes use of a bilinear map e: G1 × G1 -> G2. The map must satisfy the following properties:
   - Bilinear: we say that a map e: G1 × G1 -> G2 is bilinear if e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and all a, b ∈ Z.
   - Non-degenerate: the map does not send all pairs in G1 × G1 to the identity in G2. Observe that since G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2.
   - Computable: there is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.
   - If all three properties above are satisfied, e is called an admissible bilinear map.
11. BasicIdent
   - Setup: given a security parameter k ∈ Z+, the algorithm works as follows:
     - Step 1: run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map e: G1 × G1 -> G2. Choose a random generator P ∈ G1.
     - Step 2: pick a random s ∈ Zq and set P_pub = sP.
     - Step 3: choose a cryptographic hash function H1: {0,1}* -> G1*. Choose a cryptographic hash function H2: G2 -> {0,1}^n for some n.
   - The message space is M = {0,1}^n. The ciphertext space is C = G1* × {0,1}^n. The system parameters are params = (q, G1, G2, e, n, P, P_pub, H1, H2). The master-key is s ∈ Zq*.
12. Steps of BasicIdent
   - Extract: for a given string ID ∈ {0,1}*, the algorithm (1) computes Q_ID = H1(ID) ∈ G1*, and (2) sets the private key d_ID to be d_ID = sQ_ID, where s is the master-key.
   - Encrypt: to encrypt M ∈ M under the public key ID, (1) compute Q_ID = H1(ID) ∈ G1*, (2) choose a random r ∈ Zq*, and (3) set the ciphertext to C = (rP, M ⊕ H2(g_ID^r)), where g_ID = e(Q_ID, P_pub) ∈ G2*.
   - Decrypt: let C = (U, V) ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key d_ID ∈ G1*, compute V ⊕ H2(e(d_ID, U)) = M.
13. Elliptic Curve
   - Let p be a prime larger than 3. An elliptic curve over the finite field of size p, denoted GF(p), can be given by an equation of the form E = {(x, y) | y^2 = x^3 + ax + b, with a, b ∈ GF(p)} ∪ {O}.
   - If a line intersects the curve at two points, it must intersect the curve at a third point as well.
   - Elliptic curve point addition, P + Q = R:
     - Take the two points P and Q and the line through them.
     - Solve for the third point by intersecting the curve equation with the line.
     - Now take the reflection of the third point obtained.
     - P + Q = R' (the reflection obtained).
14. Divisor: zero and pole
   - A divisor D can be defined as a formal sum of points on the elliptic curve group E: D = Σ n_P (P), where n_P is a non-zero integer that specifies the zero/pole property of the point P and its order.
   - Inequality a) n_P > 0 indicates that the point P is a zero, whereas b) n_P < 0 indicates that P is a pole.
   - For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) − 3(R) indicates that the divisor D1 has zeros at P and Q of order 2 and 3 respectively, and a pole at R of order 3.
   - The degree of the divisor of a rational function must be zero.
15. Definition
   - The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, done in such a way as to constitute a pairing on the torsion subgroup of E.
16. Elliptic Curve Group over Real Numbers
   - y^2 = x^3 + ax + b, where x, y, a, b are real numbers.
   - If 4a^3 + 27b^2 ≠ 0, a group can be formed: the points on the curve together with the point at infinity form an additive group.
17. A Deeper Understanding
   - E is an elliptic curve over K and n is an integer not divisible by char(K).
   - E[n] is the n-torsion subgroup, E[n] = {P ∈ E(K̄) | nP = ∞} ⊆ E(K), where we make the assumption that μ_n = {x | x^n = 1, x ∈ K̄} ⊆ K.
   - Let T ∈ E[n]; then there exists a function f such that div(f) = n[T] − n[∞].
   - Note that f has a zero at T with order n and a pole at ∞ with order −n.
18. Elliptic Curve Addition: A Geometric Approach
   - Adding distinct points P and Q
   - The negative of a point P is its reflection in the x-axis.
19. Adding the points P and −P
20. Doubling the point P
21. Weil Pairing
   - Definition: the Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (a bilinear form, though with multiplicative notation) on the torsion subgroup of E.
   - Bilinear map: a map e: G1 × G1 -> G2 with e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and all a, b ∈ Z.
   - Weil pairing: a bilinear map where G1 is the group of points of an elliptic curve over F_p and G2 is a subgroup of F_{p^2}*; it is efficiently computable by Miller's algorithm.
22. Properties of the Weil Pairing
   - The Weil pairing has the following properties for points in E[n]:
   - Property 1: for all P ∈ E[n] we have e(P, P) = 1.
   - Bilinear property: e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).
   - Property 3: when P, Q ∈ E[n] are collinear, then e(P, Q) = 1. Similarly, e(P, Q) = e(Q, P)^(−1).
   - n-th root property: for all P, Q ∈ E[n] we have e(P, Q)^n = 1, i.e. e(P, Q) ∈ G2.
   - Non-degenerate property (in the following sense): if P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.
23. Computing the Weil Pairing
   - Given two points P, Q ∈ E[n], we show how to compute e(P, Q) ∈ F_{p^2}* using O(log p) arithmetic operations in F_p. We assume P ≠ Q. We proceed as follows:
     - Pick two random points R1, R2 ∈ E[n].
     - Consider the divisors A_P = (P + R1) − (R1) and A_Q = (Q + R2) − (R2).
     - These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.
   - Hence we use them to compute the Weil pairing as e(P, Q) = f_P(A_Q) / f_Q(A_P) = f_P(Q + R2) · f_Q(R1) / (f_P(R2) · f_Q(P + R1)).
24. Computations (contd.)
   - This expression is well defined with very high probability over the choice of R1, R2 (the probability of failure is at most O(log p / p)).
   - In the rare event that a division by zero occurs during the computation of e(P, Q), we simply pick new random points R1, R2 and repeat the process.
25. Miller's algorithm
   - As we have seen above, computing both the Weil pairing and the Tate pairing reduces to finding a function f with div(f) = n[P + R] − n[R] for points P ∈ E[n] and R ∈ E, and evaluating f(Q1)/f(Q2).
   - Note that we omit the Tate pairing here because the Galois cohomology theorem is too hard.
26. Basic idea
   - Define D_j = j[P + R] − j[R] − [jP] + [∞]. Note that we cannot simply define D_j = j[P + R] − j[R].
   - We can find a function f_j such that div(f_j) = D_j.
   - Miller's algorithm computes f_{j+k}(Q1)/f_{j+k}(Q2) from f_j(Q1)/f_j(Q2) and f_k(Q1)/f_k(Q2) as follows:
     - Let ax + by + c = 0 be the line through jP and kP.
     - Let x + d = 0 be the vertical line through (j + k)P.
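The computation of slides 23 to 26 worked through in code. This is an added example, not code from the slides or from the Boneh-Franklin paper: it runs Miller's double-and-add for a function with divisor n[P] − n[∞] and then forms the slide's quotient f_P(A_Q)/f_Q(A_P), with the divisors translated so that a single auxiliary point S replaces R1, R2. The curve y^2 = x^3 + 30x + 34 over F_631, the points P and Q of order 5, and the retry-on-zero choice of S are assumptions of the example; the curve was chosen so that all of E[5] is F_631-rational, which keeps the arithmetic in F_p instead of F_{p^2}.

```python
# Weil pairing e_n(P, Q) via Miller's algorithm over F_p, for a curve whose n-torsion is all F_p-rational.
# Constructed data: E: y^2 = x^3 + 30x + 34 over F_631; the points P and Q below both have order n = 5.
p, a, b = 631, 30, 34
O = None                                    # the point at infinity
def nz(z):                                  # reduce mod p but refuse 0: X hit a zero or a pole
    if z % p == 0: raise ZeroDivisionError
    return z % p
def inv(z): return pow(nz(z), -1, p)
def slope(T, U):                            # tangent slope if T == U, chord slope otherwise
    return (3*T[0]**2 + a) * inv(2*T[1]) % p if T == U else (U[1] - T[1]) * inv(U[0] - T[0]) % p

def add(P, Q):
    if P is O: return Q
    if Q is O: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return O   # Q == -P
    lam = slope(P, Q)
    x3 = (lam*lam - P[0] - Q[0]) % p
    return (x3, (lam*(P[0] - x3) - P[1]) % p)

def line(T, U, X):
    """(line through T and U) / (vertical line through T+U), at X; its divisor is [T]+[U]-[T+U]-[O]."""
    if T[0] == U[0] and (T[1] + U[1]) % p == 0:
        return nz(X[0] - T[0])              # T+U = O: the line itself is vertical, no denominator
    lam = slope(T, U)
    x3 = (lam*lam - T[0] - U[0]) % p        # x-coordinate of T+U
    return nz(X[1] - T[1] - lam*(X[0] - T[0])) * inv(X[0] - x3) % p

def miller(P, n, X):
    """Evaluate at X a function f_P with div(f_P) = n[P] - n[O], by double-and-add over the bits of n."""
    if X is O: raise ZeroDivisionError
    T, f = P, 1
    for bit in bin(n)[3:]:
        f, T = f*f*line(T, T, X) % p, add(T, T)
        if bit == "1": f, T = f*line(T, P, X) % p, add(T, P)
    return f

def weil(P, Q, n, S):
    """e_n(P,Q) = f_P(A_Q)/f_Q(A_P) with A_Q = [Q+S]-[S] and A_P = [P-S]-[-S]: the slide's divisors
    (Q+R2)-(R2) and (P+R1)-(R1) after translating f_P, f_Q by R1, R2, so that S = R2 - R1."""
    negS = (S[0], -S[1] % p)
    fP = miller(P, n, add(Q, S)) * inv(miller(P, n, S)) % p
    fQ = miller(Q, n, add(P, negS)) * inv(miller(Q, n, negS)) % p
    return fP * inv(fQ) % p

def weil_pairing(P, Q, n):
    """Walk auxiliary points S along the curve; on a zero or pole take the next one, as slide 24 says."""
    for x in range(p):
        rhs = (x**3 + a*x + b) % p
        y = pow(rhs, (p + 1) // 4, p)       # a square root of rhs whenever one exists (p ≡ 3 mod 4)
        if y*y % p != rhs: continue
        try: return weil(P, Q, n, (x, y))
        except ZeroDivisionError: pass      # S, Q+S, P-S or -S hit a zero/pole: try the next S
    raise ValueError("no usable auxiliary point")
P, Q = (36, 60), (121, 387)                 # constructed points of order 5 on E(F_631)
```

Because E[5] lies inside E(F_631), the pairing values are 5th roots of unity in F_631 itself; on the supersingular curves the slides have in mind, the same functions would be evaluated in F_{p^2}.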
28. Escrow ElGamal Encryption
   - Setup:
     - Use the same elliptic curve.
     - Pick a random s ∈ Z_q and set Q = sP.
     - Choose a hash function H: F_{p^2} -> {0,1}^n.
     - System parameters: ⟨p, n, P, Q, H⟩.
     - s is the escrow key.
   - Keygen:
     - The user randomly chooses x ∈ Z_q as private key.
     - The public key is P_pub = xP.
29. Big picture (encryption diagram): Alice, Bob, y_Bob, cert(y_Bob, Bob), (a, b) = (…), (a, b).
30. Escrow ElGamal Encryption (cont'd)
   - Encrypt (ciphertext):
     - Pick a random r ∈ Z_q.
     - C = ⟨rP, M ⊕ H(g^r)⟩ where g = ê(P_pub, Q) ∈ F_{p^2}. (Our encrypted message is C.)
   - Decrypt (C = ⟨U, V⟩): V ⊕ H(ê(U, xQ)) = M.
   - Escrow-decrypt: V ⊕ H(ê(U, sP_pub)) = M.
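BasicIdent (slides 11 and 12) and Escrow ElGamal (slides 28 to 30) side by side, as an added example that is not from the slides or the paper. The bilinear map is a stand-in that keeps only the algebra: G1 is Z_q written additively (the "point" aP is the integer a), G2 is the order-q subgroup of Z_N*, and e(aP, bQ) = g^(ab); it is bilinear and non-degenerate, so both decryption identities go through, but it gives no security at all since discrete logs in Z_q are trivial. The primes q and N, the hash choices and the 16-byte message length are constructed for the example.

```python
# Added toy of BasicIdent and Escrow ElGamal. Constructed, insecure stand-in pairing:
# G1 = Z_q (the "point" aP is the integer a mod q), G2 = order-q subgroup of Z_N*, e(aP, bQ) = g^(ab).
import hashlib, secrets

q, N = 1019, 2039            # q prime, N = 2q + 1 prime, so Z_N* has a subgroup of order q
g = 4                        # 4 = 2^2 has order q in Z_N* (4^q = 2^(N-1) = 1 and 4 != 1)
P = 1                        # generator of G1, so sP is just s mod q
n = 16                       # message length in bytes (M = {0,1}^n)

def e(A, B):                 # stand-in bilinear map G1 x G1 -> G2: e(aP, bP) = g^(ab)
    return pow(g, A * B % q, N)
def H1(ident):               # {0,1}* -> G1*
    return 1 + int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % (q - 1)
def H2(x):                   # G2 -> {0,1}^n
    return hashlib.sha256(x.to_bytes(2, "big")).digest()[:n]

def xor(u, v):
    return bytes(i ^ j for i, j in zip(u, v))

def rand_scalar():           # random element of Z_q*
    return secrets.randbelow(q - 1) + 1

# BasicIdent (slides 11-12)
def setup():                 # master-key s, P_pub = sP
    s = rand_scalar()
    return s, s * P % q

def extract(s, ident):       # d_ID = s * Q_ID with Q_ID = H1(ID)
    return s * H1(ident) % q

def encrypt(Ppub, ident, M):
    r = rand_scalar()
    gID = e(H1(ident), Ppub)                        # g_ID = e(Q_ID, P_pub)
    return r * P % q, xor(M, H2(pow(gID, r, N)))    # C = (rP, M xor H2(g_ID^r))

def decrypt(dID, C):
    U, V = C                 # e(d_ID, U) = e(sQ_ID, rP) = e(Q_ID, P)^(sr) = g_ID^r, so V unmasks to M
    return xor(V, H2(e(dID, U)))

# Escrow ElGamal (slides 28-30): setup() doubles as escrow setup (escrow key s, Q = sP);
# each user picks a private key x of their own.
def user_keygen():           # private key x, public key P_pub = xP
    x = rand_scalar()
    return x, x * P % q

def eg_encrypt(Ppub, Q, M):  # C = <rP, M xor H(g^r)> with g = e(P_pub, Q)
    r = rand_scalar()
    return r * P % q, xor(M, H2(pow(e(Ppub, Q), r, N)))

def eg_decrypt(x, Q, C):     # user: V xor H(e(U, xQ)), since e(rP, xsP) = e(P, P)^(rxs)
    return xor(C[1], H2(e(C[0], x * Q % q)))

def eg_escrow_decrypt(s, Ppub, C):   # escrow: V xor H(e(U, sP_pub)), the same e(P, P)^(rxs)
    return xor(C[1], H2(e(C[0], s * Ppub % q)))
```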