Ibe weil pairing

Published in: Technology, Education

  1. 1. IBE (Identity-Based Encryption) from the Weil Pairing  Sravan Babu Bodapati  Eswar Sai Putti
  2. 2. Identity Based Encryption
  3. 3. Identity Based Encryption
     • An identity-based encryption scheme E is specified by four randomized algorithms: Setup, Extract, Encrypt, Decrypt.
     • Setup: ( Run by PKG )
     • It takes a security parameter k and returns params (system parameters) and master-key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C.
     • > The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator” (PKG).
  4. 4. Protocol framework (contd.)
     • Extract: ( Run by PKG )
     • Run when a user requests his private key.
     • It takes as input the system parameters, master-key, and an arbitrary ID ∈ {0, 1}∗, and returns a private key d. Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private decryption key.
     • >> The Extract algorithm extracts a private key from the given public key.
     • Encrypt:
     • It takes as input the system parameters, ID, and M ∈ M. It returns a ciphertext C ∈ C.
     • Decrypt:
     • It takes as input params, C ∈ C, and a private key d. It returns M ∈ M.
  5. 5. Identity-Based Encryption
     [Figure: diagram with Alice, Bob and the PKG. Labels: setup, global parameters, master key, extract, encrypt, decrypt, Authentication, Private key, M encrypted, bob@iitm.ac.in, alice@iitm.ac.in]
  6. 6. Applications
     • Revocation of Public Keys:
       – Annual private key expiration ( Virtual Effect ), as the Receiver cannot decrypt the message after the specific deadline set by the Sender.
     • >>> “bob@company.com||current-year||clearance=secret”.
     • He also has to get the clearance by the end of the current year.
     • Delegation of Decryption Keys:
     • - Delegation of Laptop ( when it is stolen )
     • - Delegation of Duties ( Persons of only a particular department can decrypt their own messages but cannot tamper with those belonging to other departments. )
  7. 7. Applications (Contd.)
     • Chosen ciphertext security:
     • >> Setup:
     • The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.
     • Phase 1: The adversary issues queries q1, . . . , qm where query qi is one of:
       – Extraction query IDi: The challenger responds by running algorithm Extract to generate the private key di corresponding to the public key IDi. It sends di to the adversary.
       – Decryption query IDi, Ci: The challenger responds by running algorithm Extract to generate the private key di corresponding to IDi. It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di. It sends the resulting plaintext to the adversary.
     • Challenge: Once the adversary decides that Phase 1 is over, it outputs two equal length plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged.
  8. 8. • Phase 2:
     • The adversary issues more queries qm+1, . . . , qn where query qi is one of:
     • - Extraction query
     • - Decryption query
     • Limitations:
     • These algorithms must satisfy the standard consistency constraint, namely
     • > when d is the private key generated by algorithm Extract when it is given ID as the public key, then ∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M)
  9. 9. Types of IBE
     • Semantically Secure IBE
     • >> Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited;
     • >> It cannot issue decryption queries while attacking the challenge public key.
     • One way identity-based encryption:
     • >> If given the encryption of a random plaintext, the adversary cannot produce the plaintext in its entirety. ( Total Decryption is not possible )
  10. 10. Bilinear maps and the Bilinear Diffie-Hellman Assumption:
     • Our IBE system makes use of a bilinear map e : G1 × G1 → G2. The map must satisfy the following properties:
     • >> Bilinear
     • We say that a map e : G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)^ab for all P, Q ∈ G1 and all a, b ∈ Z.
     • >> Non-Degenerate
     • The map does not send all pairs in G1 × G1 to the identity in G2. Observe that since G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2.
     • >> Computable
     • There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.
     • If all the above 3 properties are satisfied, then it is called an Admissible Bilinear map.
  11. 11. Basic Ident
     • Setup:
     • Given a security parameter k ∈ Z+, the algorithm works as follows:
     • Step 1: Run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map e : G1 × G1 → G2. Choose a random generator P ∈ G1.
     • Step 2: Pick a random s ∈ Zq and set Ppub = sP.
     • Step 3: Choose a cryptographic hash function H1 : {0, 1}∗ → G1∗. Choose a cryptographic hash function H2 : G2 → {0, 1}^n for some n.
     • The message space is M = {0, 1}^n. The ciphertext space is C = G1∗ × {0, 1}^n. The system parameters are params = (q, G1, G2, e, n, P, Ppub, H1, H2). The master-key is s ∈ Zq∗.
  12. 12. Steps of Basic Ident
     • Extract:
     • For a given string ID ∈ {0, 1}∗ the algorithm does:
     • (1) computes QID = H1(ID) ∈ G1∗, and
     • (2) sets the private key dID to be dID = sQID where s is the master key.
     • Encrypt:
     • To encrypt M ∈ M under the public key ID do the following: (1) compute QID = H1(ID) ∈ G1∗, (2) choose a random r ∈ Zq∗, and (3) set the ciphertext to be C = (rP, M ⊕ H2(gID^r)) where gID = e(QID, Ppub) ∈ G2∗
     • Decrypt:
     • Let C = (U, V) ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key dID ∈ G1∗ compute: V ⊕ H2(e(dID, U)) = M
  13. 13. Elliptic Curve
     Let p be a prime larger than 3. An elliptic curve over a finite field of size p, denoted GF(p), can be given by an equation of the form:
     E = { (x, y) ∪ O | (x, y) satisfies the equation y^2 = x^3 + ax + b, where a, b ∈ GF(p) }
     If a line intersects the curve at 2 points, it must intersect the curve at a third point also.
     The Elliptic Curve Point Addition: P + Q = R
     > Find the two points P and Q where the line intersects the curve
     > Solve for the 3rd point by solving the polynomial curve equation with the line.
     > Now take the reflection of the 3rd point obtained to obtain R
     > P + Q = R ( the reflection obtained )
  14. 14. Divisor : Zero and Pole
     A divisor D can be defined as a formal sum of points on elliptic curve group E:
     D = ∑ nP (P)
     where nP is a non-zero integer that specifies the zero/pole property of point P and its respective order.
     a) nP > 0 indicates that point P is a zero, whereas
     b) nP < 0 indicates that P is a pole.
     For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) – 3(R) indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3.
     The degree of the divisor of a rational function must be zero.
  15. 15. Definition
     The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E. It is done in such a way as to constitute a pairing on the torsion subgroup of E.
  16. 16. Elliptic Curve Group over Real Numbers
     • y^2 = x^3 + ax + b
       – x, y, a, b are real numbers
     • If 4a^3 + 27b^2 ≠ 0, a group can be formed.
       – points on curve and infinity point
       – Additive group
  17. 17. A Deeper Understanding
     • E is an elliptic curve over K and n is an integer not divisible by char(K)
     • E[n] is a torsion subgroup of E(K), that is E[n] = {PE()| nP = } E(K). Where we make an assumption that n = {x |xn = 1, x}K.
     • Let TE[n], then there exists a function f such that div(f) = n[T]-n[]
     • Note that f has a zero at T with order n and has a pole at  with order -n.
  18. 18. Elliptic Curve Addition: A Geometric Approach
     • Adding distinct points P and Q
     • The negative of a point P is its reflection in the x-axis.
  19. 19. Adding the points P and -P
  20. 20. Doubling the point P
  21. 21. Weil Pairing
     • Definition: The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (bilinear form, though with multiplicative notation) on the torsion subgroup of E.
     • Bilinear map:
       – A map e: G1×G1→G2
       – ∀P,Q∈G1, ∀a,b∈Z, e(aP, bQ) = e(P, Q)^ab
     • Weil Pairing:
       – bilinear map
         • G1 is the group of points of an elliptic curve over Fp
         • G2 is a subgroup of F(p^2)*
       – efficiently computable
         • Miller’s algorithm
  22. 22. Properties of Weil Pairing
     • The Weil pairing has the following properties for points in E[n]:
     • Property 1: For all P ∈ E[n] we have: e(P, P) = 1.
     • Bilinear Property:
     • e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and
     • e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).
     • Property 3:
     • When P, Q ∈ E[n] are collinear then e(P, Q) = 1.
     • Similarly, e(P, Q) = e(Q, P)^-1
     • nth root Property: For all P, Q ∈ E[n] we have e(P, Q)^n = 1, i.e. e(P, Q) ∈ G2.
     • Non-degenerate Property ( in the following sense ):
     • If P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.
  23. 23. Computing The Weil Pairing
     • Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F(p^2)* using O(log p) arithmetic operations in Fp. We assume P ≠ Q. We proceed as follows:
     > Pick two random points R1, R2 ∈ E[n].
     > Consider the divisors Ap = (P + R1) − (R1) and Aq = (Q + R2) − (R2).
     > These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.
     • Hence we use them to compute the Weil pairing as
       e(P, Q) = Fp(Aq) / Fq(Ap) = Fp(Q + R2) · Fq(R1) / ( Fp(R2) · Fq(P + R1) )
  24. 24. Computations ( Contd. ):
     • This expression is well defined with very high probability over the choice of R1, R2 (the probability of failure is at most O( log p/p )).
     • In the rare event that a division by zero occurs during the computation of e(P, Q), we simply pick new random points R1, R2 and repeat the process.
  25. 25. Miller’s algorithm
     • As we have seen above, computing both the Weil pairing and the Tate pairing can be reduced to finding a function f with div(f) = n[P+R]-n[R] for points PE[n] and RE and evaluating f(Q1)/f(Q2)
     • Note that we omit the Tate pairing here because the Galois cohomology theorem is too hard.
  26. 26. Basic idea
     • Define D_j = j[P+R] − j[R] − [jP] + [∞].
       – Note that we can’t define D_j = j[P+R] − j[R].
     • We can find a function f_j such that div(f_j) = D_j.
     • Miller’s algorithm can compute f_{j+k}(Q1)/f_{j+k}(Q2) from f_j(Q1)/f_j(Q2) and f_k(Q1)/f_k(Q2) as follows:
       – Let ax+by+c = 0 be the line through jP and kP.
       – Let x+d = 0 be the vertical line through (j+k)P.
  27. 27.
     1. div( (ax+by+c)/(x+d) ) = [jP] + [kP] − [(j+k)P] − [∞]
     2. Therefore,
        div(f_{j+k}) = D_{j+k}
                     = (j+k)[P+R] − (j+k)[R] − [(j+k)P] + [∞]
                     = j[P+R] − j[R] − [jP] + [∞] + k[P+R] − k[R] − [kP] + [∞] + div( (ax+by+c)/(x+d) )
                     = D_j + D_k + div( (ax+by+c)/(x+d) )
                     = div(f_j) + div(f_k) + div( (ax+by+c)/(x+d) )
                     = div( f_j f_k (ax+by+c)/(x+d) )
     3. That is, f_{j+k} = t f_j f_k (ax+by+c)/(x+d) for some constant t.
     4. Therefore,
        f_{j+k}(Q1) / f_{j+k}(Q2) = [ t f_j(Q1) f_k(Q1) (ax+by+c)/(x+d) at (x,y)=Q1 ] / [ t f_j(Q2) f_k(Q2) (ax+by+c)/(x+d) at (x,y)=Q2 ]
  28. 28. Escrow El-Gamal Encryption
     • Setup
       – Use same elliptic curve
       – Pick a random s∈Zq, Q = sP
       – Choose hash function H: F(p^2) → {0,1}^n
       – System parameters: < p, n, P, Q, H >
       – s is the escrow key
     • Keygen
       – User randomly chooses x∈Zq as private key
       – Public key is Ppub = xP
  29. 29. Big Picture encryption
     [Figure: exchange between Alice and Bob. Labels: yBob, cert(yBob, Bob), (a,b) = (…), (a,b)]
  30. 30. Escrow ElGamal Encryption (Cont’d)
     • Encrypt ( Ciphertext )
       – Pick random r∈Zq
       – C = < rP, M⊕H(g^r) > where g = ê(Ppub, Q) ∈ F(p^2) ( Our encrypted message is C )
     • Decrypt (C = <U,V>)
       – V ⊕ H(ê(U, xQ)) = M
     • Escrow-decrypt
       – V ⊕ H(ê(U, sPpub)) = M
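
The BasicIdent algorithms of slides 11 and 12 (Setup, Extract, Encrypt, Decrypt), together with the expiring identity string from slide 6, as an added example that is not code from the slides or their authors. It assumes a toy pairing in place of the Weil pairing: G1 is Z_q with points stored as integers and e(x, y) = g^(xy) mod p, which is bilinear but not secure. The small primes, SHA-256 as H1 and H2, and all function names are choices made for this sketch.

```python
import hashlib, secrets

# Toy pairing (assumption; NOT the Weil pairing and NOT secure): G1 is Z_q
# written additively, so the point aP is stored as the integer a (P = 1), and
# e(x, y) = g^(x*y) mod p lies in the order-q subgroup G2 of Z_p*. Bilinear
# and non-degenerate, but discrete logs in G1 are trivial.
Q = 1019           # prime group order q (constructed small value)
PMOD = 2 * Q + 1   # 2039, prime
G = 4              # generator of the order-q subgroup of Z_p*
N = 16             # message length in bytes

def pair(x, y):
    return pow(G, (x * y) % Q, PMOD)

def h1(identity):            # H1: {0,1}* -> G1*
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def h2(elem):                # H2: G2 -> {0,1}^n
    return hashlib.sha256(str(elem).encode()).digest()[:N]

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def setup():
    s = secrets.randbelow(Q - 1) + 1           # master-key s in Z_q*
    return {"P": 1, "Ppub": s}, s              # Ppub = sP

def extract(s, identity):    # run by the PKG: d_ID = s * Q_ID
    return (s * h1(identity)) % Q

def encrypt(params, identity, m):
    if len(m) != N:
        raise ValueError("message must be exactly N bytes")
    r = secrets.randbelow(Q - 1) + 1           # random r in Z_q*
    g_id = pair(h1(identity), params["Ppub"])  # g_ID = e(Q_ID, Ppub)
    return (r * params["P"]) % Q, xor(m, h2(pow(g_id, r, PMOD)))

def decrypt(c, d_id):        # V xor H2(e(d_ID, U))
    u, v = c
    return xor(v, h2(pair(d_id, u)))

def demo():
    params, s = setup()
    ident = "bob@company.com||current-year||clearance=secret"
    c = encrypt(params, ident, b"sixteen byte msg")
    right = decrypt(c, extract(s, ident))
    wrong = decrypt(c, extract(s, "bob@company.com||next-year||clearance=secret"))
    return right, wrong
```

Decryption works because e(dID, U) = e(sQID, rP) = e(QID, sP)^r = gID^r. Any holder of the master-key s can run extract for any identity, which is the escrow property the last slides rely on.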
