Identity based encryption from the weil pairing
1. 1/21
Identity-Based Encryption from the Weil Pairing
CRYPTO 2001
Dan Boneh and Matt Franklin
Computer Science Department, Stanford University
Computer Science Department, University of California
02 August 2001
林彥賓
7 May 2020
Boneh and Franklin IBE from the Weil Pairing, 7 May 2020
2. 2/21
Outline
Introduction
Applications For Identity-Based Encryption
Definitions
One Way Encryption Scheme (OWE)
One Way Identity-based Encryption
Properties of the Weil Pairing
Weil Diffie-Hellman Assumption (WDH)
The Proposed Scheme
MapToPoint
BasicIdent
FullIdent
Random Oracle
Fujisaki-Okamoto Transform
Extensions and Observation
Distributed PKG
Shamir secret sharing
Escrow ElGamal Encryption
3. 3/21
Applications For Identity-Based Encryption
Revocation of Public Keys: Set the ID to
"bob@hotmail.com || current-date". This forces Bob to obtain a new private key
every day. To revoke Bob's key, the corporate PKG is instructed to
stop issuing private keys for Bob's e-mail address the next day.
Delegation of Decryption Keys: Give each of one's assistants a private key
corresponding to that assistant's responsibility. Each
assistant can then decrypt messages whose subject line falls within its
responsibilities, but cannot decrypt messages intended for other
assistants.
4. 4/21
One Way Encryption Scheme (OWE)
The attacker A is given:
a random public key $K_{pub}$
a ciphertext $C$, which is the encryption of a random message $M$ under $K_{pub}$
A has advantage $\epsilon$ in attacking the system if $\Pr[A(K_{pub}, C) = M] = \epsilon$.
One-way encryption scheme (OWE): a scheme against which no attacker can gain a non-negligible advantage in polynomial time.
5. 5/21
One Way Identity-based Encryption.
Setup: The challenger takes a security parameter $k$ and runs the Setup
algorithm, which produces the system parameters params. The challenger keeps the
master-key.
Phase 1: The adversary issues private key extraction queries $ID_1, \ldots, ID_m$.
The challenger runs the Extract algorithm and sends the adversary the private key $d_i$
corresponding to the public key $ID_i$.
Challenge: The challenger picks a random $M$ and encrypts $M$ using ID as
the public key. It then sends the resulting ciphertext $C$ to the
adversary.
Phase 2: The adversary issues more extraction queries
$ID_{m+1}, \ldots, ID_n$, with $ID_i \neq ID$.
Guess: The adversary outputs a guess $M'$ and wins if $M' = M$.
6. 6/21
Properties Of The Weil Pairing
Let $p$ be a prime satisfying $p = 2 \bmod 3$ and $p = 6q - 1$ for some prime $q$.
Let $E$ be the elliptic curve $y^2 = x^3 + 1$ over $F_p$.
There are a few facts about this curve:
Let $P \in E/F_p$ be a generator of the group of points of order $q = (p + 1)/6$. This group is
denoted $G_q$.
For any $y_0 \in F_p$ there is a unique point $(x_0, y_0)$ on $E/F_p$. So, for a random point
$(x, y)$ on $E/F_p$, $y$ is uniform in $F_p$.
Let $1 \neq \zeta \in F_{p^2}$ be a solution of $x^3 - 1 = 0 \bmod p$, and let $\phi$ be the map
$\phi(x, y) = (\zeta x, y)$. Then $P \in E/F_p$ is linearly independent of $\phi(P) \in E/F_{p^2}$.
Let $\mu_q$ be the subgroup of $F_{p^2}^*$ of order $q = (p + 1)/6$. The modified Weil
pairing $e : G_q \times G_q \to \mu_q$ is $e(P, Q) = \mathrm{weil}(P, \phi(Q))$.
7. 7/21
Weil Diffie-Hellman Assumption (WDH)
Given $\langle P, aP, bP, cP \rangle$ for random $a, b, c \in Z_p$, where $p$ is a random $k$-bit prime,
no algorithm is able to compute $e(P, P)^{abc}$ in probabilistic polynomial time.
8. 8/21
The Proposed Scheme
Define the curve:
$p$ is a prime such that $p = 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$
$E$ is the elliptic curve $y^2 = x^3 + 1$ over $F_p$
$P$ is any point in $E/F_p$ of order $q$
9. 9/21
MapToPoint
Let $G$ be a hash function $G : \{0, 1\}^* \to F_p$
Algorithm MapToPoint$_G$:
1 Compute $y_0 = G(ID)$ and $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p-1)/3} \bmod p$
2 Let $Q = (x_0, y_0) \in E/F_p$ and set $Q_{ID} = 6Q$
Note that for points $Q$ in the 6-torsion group, $6Q = O$, so these points
should be avoided.
10. 10/21
BasicIdent
Setup:
1 Pick a random $s \in Z_q^*$ and set $P_{pub} = sP$
2 Choose a cryptographic hash function $H : F_{p^2} \to \{0, 1\}^n$, where $n$ is the output
length, and a hash function $G : \{0, 1\}^* \to F_p$
The message space is $M = \{0, 1\}^n$
The ciphertext space is $C = E/F_p \times \{0, 1\}^n$
The system parameters are params $= (p, n, P, P_{pub}, G, H)$
The master-key is $s \in Z_q$
11. 11/21
BasicIdent
Extract: For a given string $ID \in \{0, 1\}^*$, build the private key $d_{ID}$
1 Use MapToPoint$_G$ to map ID to a point $Q_{ID} \in E/F_p$ of order $q$
2 Set the private key $d_{ID} = sQ_{ID}$, where $s$ is the master key
Encrypt:
1 Use MapToPoint$_G$ to map ID to a point $Q_{ID} \in E/F_p$ of order $q$
2 Choose a random $r \in Z_q$
3 Set $C = \langle rP, M \oplus H(e(Q_{ID}, P_{pub})^r) \rangle$
12. 12/21
BasicIdent
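Decrypt: Let $C = \langle U, V \rangle$ and compute
$V \oplus H(e(d_{ID}, U)) = M$
Correctness, using $d_{ID} = sQ_{ID}$, $U = rP$ and $P_{pub} = sP$:
$V \oplus H(e(d_{ID}, U)) = M \oplus H(e(Q_{ID}, P_{pub})^r) \oplus H(e(sQ_{ID}, rP))$
$= M \oplus H(e(Q_{ID}, P_{pub})^r) \oplus H(e(Q_{ID}, sP)^r)$
$= M$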
13. 13/21
Random Oracle
Basic properties
If an input is repeated, the oracle responds with the same output as before for that input
The oracle should respond in polynomial time
The output should be uniform in the output space
Random oracles do not exist in the real world. However, they help when an
encryption scheme is first built; the scheme can then be advanced to work without them.
14. 14/21
Fujisaki-Okamoto Transform
Definition: Fujisaki-Okamoto
Let $\epsilon_{pk}(M; r)$ be a public-key encryption scheme that encrypts $M$
with random bits $r$
Let $\epsilon^{hk}_{pk}$ be the hybrid scheme
Let $G$, $H$ be two random oracles
Let $\sigma$ be a random number
Fujisaki-Okamoto transform:
$\epsilon^{hk}_{pk}(M) = \epsilon_{pk}(\sigma; H(\sigma, M)) \,\|\, G(\sigma) \oplus M$
For a ciphertext $(C, U)$, take the following steps to verify correctness:
1 Use the private key to decrypt $C$ and obtain $\sigma$
2 Compute $m = U \oplus G(\sigma)$
3 Verify that $C = \epsilon_{pk}(\sigma; H(\sigma, m))$
The transform turns an OWE scheme into a chosen-ciphertext-secure system (IND-CCA).
15. 15/21
FullIdent
Setup: Same as in the BasicIdent scheme. In addition, pick two hash
functions:
$H_1 : \{0, 1\}^n \times \{0, 1\}^n \to Z_q$
$G_1 : \{0, 1\}^n \to \{0, 1\}^n$
Extract: Same as in the BasicIdent scheme.
Encrypt:
1 Use MapToPoint$_G$ to map ID to a point $Q_{ID} \in E/F_p$ of order $q$
2 Choose a random $r \in Z_q$
3 Set $r = H_1(\sigma, M)$
4 Set $C = \langle rP, \sigma \oplus H(g_{ID}^r), M \oplus G_1(\sigma) \rangle$, where $g_{ID} = e(Q_{ID}, P_{pub}) \in F_{p^2}$
16. 16/21
FullIdent
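Decrypt: Let $C = \langle U, V, W \rangle$
1 Compute
$V \oplus H(e(d_{ID}, U)) = \sigma \oplus H(e(Q_{ID}, P_{pub})^r) \oplus H(e(sQ_{ID}, rP)) = \sigma$, since $P_{pub} = sP$
2 Compute
$W \oplus G_1(\sigma) = M \oplus G_1(\sigma) \oplus G_1(\sigma) = M$
3 Test $U = H_1(\sigma, M)P$. Output reject if the test fails, else output $M$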
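The FullIdent construction above, as an added example that is not from the slides or the paper: hashed ElGamal over a toy multiplicative group stands in for the pairing (an assumption, so the block runs without a pairing library), and H, G1, H1 are built from SHA-256 (also an assumption). σ is drawn as a fresh random n-bit string, and BasicIdent-style encryption is kept beside it to show what the test in step 3 adds.

```python
import hashlib
import secrets

# Toy group, constructed for this example: the order-q subgroup of Z_p^* with
# p = 2q + 1. It stands in for the pairing and is far too small for real use.
P_MOD, Q_ORD, GEN = 2039, 1019, 4
N = 16  # byte length of sigma and of the message M

def _hash(tag, *parts):
    return hashlib.sha256(tag + b"".join(parts)).digest()[:N]

def H(elem):                       # H : group element -> {0,1}^n
    return _hash(b"H:", str(elem).encode())

def G1(sigma):                     # G1 : {0,1}^n -> {0,1}^n
    return _hash(b"G1:", sigma)

def H1(sigma, m):                  # H1 : {0,1}^n x {0,1}^n -> [1, q-1]
    return int.from_bytes(_hash(b"H1:", sigma, m), "big") % (Q_ORD - 1) + 1

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    x = secrets.randbelow(Q_ORD - 1) + 1        # private key in [1, q-1]
    return x, pow(GEN, x, P_MOD)

def basic_encrypt(pk, m):
    r = secrets.randbelow(Q_ORD - 1) + 1
    return pow(GEN, r, P_MOD), xor(m, H(pow(pk, r, P_MOD)))

def basic_decrypt(sk, c):
    U, V = c
    return xor(V, H(pow(U, sk, P_MOD)))         # no integrity check at all

def full_encrypt(pk, m):
    sigma = secrets.token_bytes(N)
    r = H1(sigma, m)                            # randomness derived from (sigma, M)
    return pow(GEN, r, P_MOD), xor(sigma, H(pow(pk, r, P_MOD))), xor(m, G1(sigma))

def full_decrypt(sk, c):
    U, V, W = c
    sigma = xor(V, H(pow(U, sk, P_MOD)))
    m = xor(W, G1(sigma))
    # Step 3: re-derive r and re-check U; a change to V or W alters (sigma, M).
    return m if U == pow(GEN, H1(sigma, m), P_MOD) else None
```

Flipping a bit of V in a basic ciphertext flips the same bit of the recovered message, while full_decrypt returns None for a modified W, up to the 1/q chance of a false accept inherent in this toy group.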
17. 17/21
Shamir Secret Sharing
Split the secret into N parts. If M (M < N) shares are needed to
recover the secret, a polynomial of degree M − 1 is required.
Ex:
Let the secret be 3 and M be 3. We need a polynomial of degree 3 − 1 = 2.
Let $y = ax^2 + bx + c$, where a and b can be any numbers and c is the secret.
Here we set a = 2, b = 1, so the polynomial is $y = 2x^2 + x + 3$.
Any three points on this polynomial let us rebuild the polynomial
and obtain c = 3.
18. 18/21
Distributed PKG
Use the master key $s \in F_q$ to generate the private key $Q_{priv} = sQ_{ID}$ with many
distributed PKGs
Setup:
1 Give each PKG $s_i$
2 Each PKG generates its public key $P^{(i)}_{pub} = s_i P$
KeyGen: build the private key
1 Each chosen PKG replies with $Q^{(i)}_{priv} = s_i Q_{ID}$
2 Compute $Q_{priv} = \sum \lambda_i Q^{(i)}_{priv}$, where the $\lambda_i$ are the appropriate Lagrange
coefficients
Verify: Check whether a PKG is honest
$e(Q^{(i)}_{priv}, P) = e(Q_{ID}, P^{(i)}_{pub})$
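MapToPoint and the distributed key generation above, carried through on a toy curve as an added example (not code from the slides or the paper). The parameters q = 17 and p = 101, the SHA-256 instantiation of G, the counter-based re-hash when 6Q = O, and the helper names are assumptions made for illustration; the Verify step needs a pairing and is not shown.

```python
import hashlib
from math import prod

# Toy parameters, constructed for this example: q = 17, p = 6q - 1 = 101.
Q_ORD, P_MOD = 17, 101
O = None  # point at infinity

def add(A, B):
    """Point addition on E: y^2 = x^3 + 1 over F_p."""
    if A is O: return B
    if B is O: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, A):
    R = O
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def map_to_point(identity):
    """MapToPoint: y0 = G(ID), x0 = cube root of y0^2 - 1, Q_ID = 6Q."""
    ctr = 0
    while True:  # assumption: re-hash with a counter when 6Q = O
        digest = hashlib.sha256(identity + bytes([ctr])).digest()
        y0 = int.from_bytes(digest, "big") % P_MOD
        x0 = pow(y0 * y0 - 1, (2 * P_MOD - 1) // 3, P_MOD)
        q_id = mul(6, (x0, y0))
        if q_id is not O:
            return q_id
        ctr += 1

def share(i):  # s_i = f(i) for the slide's f(x) = 2x^2 + x + 3, so s = f(0) = 3
    return (2 * i * i + i + 3) % Q_ORD

def combine(partials):
    """partials = {i: s_i * Q_ID}; returns sum(lambda_i * s_i * Q_ID) = s * Q_ID."""
    R = O
    for i, part in partials.items():
        num = prod(-j for j in partials if j != i)
        den = prod(i - j for j in partials if j != i)
        R = add(R, mul(num * pow(den % Q_ORD, -1, Q_ORD) % Q_ORD, part))
    return R
```

Any three of the PKG replies combine to the same private key 3·Q_ID, while two replies interpolate a different multiple of Q_ID.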
19. 19/21
Escrow ElGamal Encryption
Setup:
1 Choose a large $k$-bit prime $p$ such that $p = 2 \pmod 3$ and $p = 6q - 1$
for some prime $q > 3$
2 Pick a random $s \in Z_q$ and set $Q = sP$
3 Choose a cryptographic hash function $G : F_{p^2} \to \{0, 1\}^n$, where $n$ is the output
length
The message space is $M = \{0, 1\}^n$
The ciphertext space is $C = E/F_p \times \{0, 1\}^n$
The system parameters are params $= (p, n, P, Q)$
The escrow key is $s \in Z_q$
keygen:
1 Pick a random $x \in Z_q$ as the private key
2 Compute $P_{pub} = xP$
20. 20/21
Escrow ElGamal Encryption
Encrypt:
1 Pick a random $r \in Z_q$
2 Set $C = \langle rP, M \oplus H(e(P_{pub}, Q)^r) \rangle$
Decrypt: Let $C = \langle U, V \rangle$
$V \oplus H(e(U, xQ)) = M \oplus H(e(P_{pub}, Q)^r) \oplus H(e(rP, xQ)) = M$, since $P_{pub} = xP$
Escrow-decrypt: Using the escrow key $s$, compute
$V \oplus H(e(U, sP_{pub})) = M \oplus H(e(P_{pub}, Q)^r) \oplus H(e(rP, sP_{pub})) = M$, since $Q = sP$
21. 21/21
Escrow ElGamal Encryption
$P_{pub} = xP$
params: $P$, $Q = sP$
$U = rP$
The system should satisfy the Weil Diffie-Hellman Assumption (WDH)