Crypto cs36 39
IBE (Identity-Based Encryption) from the Weil Pairing
Sravan Babu Bodapati, Eswar Sai Putti
Identity Based Encryption
• An identity-based encryption scheme E is specified by four randomized algorithms: Setup, Extract, Encrypt and Decrypt.
• Setup (run by the PKG): takes a security parameter k and returns params (the system parameters) and master-key. The system parameters include a description of a finite message space M and of a finite ciphertext space C.
• The system parameters are publicly known; the master-key is known only to the Private Key Generator (PKG).
Protocol framework (contd.)
• Extract (run by the PKG when a user requests their private key): takes params, master-key and an arbitrary ID ∈ {0,1}*, and returns a private key d. Here ID is an arbitrary string that is used as the public key, and d is the corresponding private decryption key. Extract thus derives the private key from the public key.
• Encrypt: takes params, ID and M ∈ M, and returns a ciphertext C ∈ C.
• Decrypt: takes params, C ∈ C and a private key d, and returns M ∈ M.
Identity-Based Encryption
[Figure: Alice, Bob and the PKG. The PKG runs setup, keeps the master key and publishes the global parameters. Alice encrypts M under Bob's identity [email protected] (encrypt). Bob authenticates to the PKG, which runs extract and returns the private key for [email protected]; Bob then runs decrypt.]
Applications
• Revocation of public keys: append a validity period to the identity, e.g. "[email protected]||current-year". The sender thereby fixes a deadline: the receiver needs a fresh private key from the PKG for each year, so a compromised key expires automatically (a virtual annual private-key expiration).
• Credentials in the identity: with "[email protected]||current-year||clearance=secret" Bob can only decrypt once the PKG has confirmed that he holds the secret clearance for the current year.
• Delegation of decryption keys:
  - Delegation to a laptop: a travelling user loads onto the laptop only the private keys for the days of the trip, so a stolen laptop compromises only those days.
  - Delegation of duties: staff of one department can decrypt only the messages addressed to that department and cannot read those belonging to other departments.
Chosen ciphertext security (IND-ID-CCA)
• Setup: the challenger takes a security parameter k and runs Setup. It gives the adversary the resulting system parameters params and keeps the master-key to itself.
• Phase 1: the adversary issues queries q1, ..., qm, where query qi is one of:
  - Extraction query ⟨IDi⟩: the challenger runs Extract to generate the private key di corresponding to the public key IDi and sends di to the adversary.
  - Decryption query ⟨IDi, Ci⟩: the challenger runs Extract to generate di for IDi, then runs Decrypt to decrypt Ci with di, and sends the resulting plaintext to the adversary.
• Challenge: once the adversary decides that Phase 1 is over, it outputs two equal-length plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged. The only constraint is that ID did not appear in any extraction query in Phase 1. The challenger picks a random bit b ∈ {0,1} and sends C = Encrypt(params, ID, Mb) to the adversary.
• Phase 2: the adversary issues more queries qm+1, ..., qn, where qi is one of:
  - Extraction query ⟨IDi⟩ with IDi ≠ ID
  - Decryption query ⟨IDi, Ci⟩ with ⟨IDi, Ci⟩ ≠ ⟨ID, C⟩
• Guess: the adversary outputs b' ∈ {0,1} and wins if b' = b. The scheme is IND-ID-CCA secure if no efficient adversary wins with probability non-negligibly above 1/2.
Consistency constraint
• The four algorithms must satisfy the standard consistency constraint: when d is the private key generated by Extract for the public key ID, then
  ∀ M ∈ M: Decrypt(params, C, d) = M, where C = Encrypt(params, ID, M).
Types of IBE security
• Semantically secure IBE (IND-ID-CPA): like chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited: it cannot issue decryption queries while attacking the challenge public key (it may still issue extraction queries for other identities).
• One-way identity-based encryption (OWE): given the encryption of a random plaintext, the adversary cannot produce the plaintext in its entirety (total decryption is infeasible). This is weaker than semantic security, since it says nothing about partial information leaking.
Bilinear maps and the Bilinear Diffie-Hellman assumption
• The IBE system makes use of a bilinear map e : G1 × G1 → G2 between groups of prime order q. The map must satisfy the following properties:
• Bilinear: e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G1 and all a, b ∈ Z.
• Non-degenerate: the map does not send all pairs in G1 × G1 to the identity in G2. Since G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2.
• Computable: there is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.
• A map with all three properties is called an admissible bilinear map.
• Bilinear Diffie-Hellman (BDH) assumption: given P, aP, bP, cP for random a, b, c ∈ Zq*, it is infeasible to compute e(P, P)^{abc}. The security of BasicIdent reduces to this assumption.
BasicIdent
• Setup: given a security parameter k ∈ Z+, the algorithm works as follows:
  Step 1: run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map e : G1 × G1 → G2. Choose a random generator P ∈ G1.
  Step 2: pick a random s ∈ Zq* and set Ppub = sP.
  Step 3: choose cryptographic hash functions H1 : {0,1}* → G1* and H2 : G2 → {0,1}^n for some n.
• The message space is M = {0,1}^n. The ciphertext space is C = G1* × {0,1}^n. The system parameters are params = ⟨q, G1, G2, e, n, P, Ppub, H1, H2⟩. The master-key is s ∈ Zq*.
Steps of BasicIdent
• Extract: for a given string ID ∈ {0,1}*, (1) compute QID = H1(ID) ∈ G1*, and (2) set the private key dID = sQID, where s is the master-key.
• Encrypt: to encrypt M ∈ M under the public key ID, (1) compute QID = H1(ID) ∈ G1*, (2) choose a random r ∈ Zq*, and (3) set the ciphertext to
  C = ⟨rP, M ⊕ H2(gID^r)⟩, where gID = e(QID, Ppub) ∈ G2*.
• Decrypt: let C = ⟨U, V⟩ ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key dID ∈ G1*, compute
  V ⊕ H2(e(dID, U)) = M.
• This works by bilinearity: e(dID, U) = e(sQID, rP) = e(QID, P)^{sr} = e(QID, sP)^r = e(QID, Ppub)^r = gID^r, so the same mask H2(gID^r) is removed that Encrypt applied.
Elliptic curve
• Let p be a prime larger than 3. An elliptic curve over the finite field GF(p) is given by an equation of the form
  E = {(x, y) ∈ GF(p)^2 | y^2 = x^3 + ax + b} ∪ {O}, where a, b ∈ GF(p) and 4a^3 + 27b^2 ≠ 0.
• If a line intersects the curve in two points, it intersects it in a third point as well (counting multiplicity, and counting the point at infinity O for vertical lines).
• Elliptic curve point addition P + Q = R:
  > take the two points P and Q and the line through them;
  > find the third intersection point R' by solving the curve equation together with the line equation;
  > reflect R' in the x-axis; the reflection is R = P + Q.
Divisors: zeros and poles
• A divisor D is a formal sum of points of the elliptic curve group E: D = Σ_P n_P (P), where n_P is an integer (nonzero for only finitely many P) that records the zero/pole property of the point P and its order: n_P > 0 means P is a zero of order n_P, and n_P < 0 means P is a pole of order |n_P|.
• For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) − 3(R) has zeros at P and Q of order 2 and 3 respectively, and a pole at R of order 3.
• The degree Σ_P n_P of the divisor of a rational function is always zero: a function on E has as many zeros as poles, counted with multiplicity.
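As an added worked check of the degree-zero statement (not from the slides), take the line $\ell_{P,Q}$ through two points $P, Q \in E$ and the vertical line $v_{P+Q}$ through their sum $P+Q$. A non-vertical line $y = \lambda x + \mu$ meets $E$ in three points and has a pole of order 3 at $O$; a vertical line $x = c$ meets $E$ in two points and has a pole of order 2 at $O$:
$$\mathrm{div}(\ell_{P,Q}) = (P) + (Q) + (-(P+Q)) - 3(O), \qquad \mathrm{div}(v_{P+Q}) = (P+Q) + (-(P+Q)) - 2(O),$$
of degree $1+1+1-3 = 0$ and $1+1-2 = 0$ respectively. Their quotient is again a rational function, with
$$\mathrm{div}\!\left(\frac{\ell_{P,Q}}{v_{P+Q}}\right) = (P) + (Q) - (P+Q) - (O),$$
which is the chord-and-tangent addition law in divisor form: $(P) + (Q) \sim (P+Q) + (O)$. Miller's algorithm below is built from exactly this quotient.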
Definition
• The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, done in such a way as to constitute a pairing (a bilinear form, written multiplicatively) on the n-torsion subgroup E[n] of E.
Elliptic curve group over the real numbers
• y^2 = x^3 + ax + b, where x, y, a, b are real numbers.
• If 4a^3 + 27b^2 ≠ 0, the points on the curve together with the point at infinity form an additive group.
A deeper understanding
• Let E be an elliptic curve over a field K and n an integer not divisible by char(K).
• E[n] is the n-torsion subgroup of E: E[n] = {P ∈ E(K̄) | nP = O}. We assume that μn = {x ∈ K̄ | x^n = 1} ⊆ K, i.e. K contains the n-th roots of unity.
• Let T ∈ E[n]. Then there exists a function f such that div(f) = n[T] − n[O].
• Note that f has a zero of order n at T and a pole of order n at O.
Elliptic curve addition: a geometric approach
• Adding distinct points P and Q: draw the line through P and Q, take its third intersection with the curve and reflect that point in the x-axis.
• The negative of a point P is its reflection in the x-axis.
• Adding the points P and −P: the line through them is vertical and meets the curve again only at the point at infinity, so P + (−P) = O.
• Doubling the point P: use the tangent line at P in place of the chord.
Weil pairing
• Definition: as above, a pairing on the torsion subgroup E[n] built from functions on E (a bilinear form, written multiplicatively).
• Bilinear map: a map e : G1 × G1 → G2 such that for all P, Q ∈ G1 and all a, b ∈ Z, e(aP, bQ) = e(P, Q)^{ab}.
• The Weil pairing is such a bilinear map, where
  - G1 is a group of points of an elliptic curve over Fp (for the supersingular curves used here),
  - G2 is a subgroup of Fp2* (the n-th roots of unity),
  and it is efficiently computable by Miller's algorithm.
Properties of the Weil pairing
• The Weil pairing has the following properties for points in E[n]:
• Property 1 (identity): for all P ∈ E[n], e(P, P) = 1.
• Bilinearity: e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).
• Property 3 (dependent points): when P, Q ∈ E[n] are linearly dependent, i.e. Q = aP for some integer a, then e(P, Q) = e(P, P)^a = 1.
• Alternation: e(P, Q) = e(Q, P)^{-1}, since 1 = e(P + Q, P + Q) = e(P, P) · e(P, Q) · e(Q, P) · e(Q, Q) = e(P, Q) · e(Q, P).
• n-th root property: for all P, Q ∈ E[n], e(P, Q)^n = 1, i.e. e(P, Q) ∈ μn ⊆ G2.
• Non-degeneracy (in the following sense): if P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.
• Caveat: because e(P, P) = 1 and G1 is cyclic, the plain Weil pairing is trivial on G1 × G1 (it would make gID = 1 in BasicIdent). BasicIdent therefore uses the modified pairing ê(P, Q) = e(P, φ(Q)), where φ is a distortion map, an automorphism of the curve that moves Q out of G1; ê is non-degenerate on G1 × G1, and it is what the escrow ElGamal slides denote by ê.
Computing the Weil pairing
• Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ Fp2* using O(log p) arithmetic operations in Fp. We assume P ≠ Q and proceed as follows:
  > Pick two random points R1, R2 ∈ E[n].
  > Consider the divisors AP = (P + R1) − (R1) and AQ = (Q + R2) − (R2).
  > These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.
  > Let fP and fQ be functions with div(fP) = n·AP and div(fQ) = n·AQ (Miller's algorithm below constructs them). The Weil pairing is then
    e(P, Q) = fP(AQ) / fQ(AP) = [fP(Q + R2) · fQ(R1)] / [fP(R2) · fQ(P + R1)].
Computations (contd.)
• This expression is well defined with very high probability over the choice of R1, R2; the probability of failure is at most O(log p / p).
• In the rare event that a division by zero occurs during the computation of e(P, Q) (one of the evaluation points is a zero or pole of a line used by Miller's algorithm), simply pick new random points R1, R2 and repeat the process.
Miller's algorithm
• As seen above, computing both the Weil pairing and the Tate pairing reduces to finding a function f with div(f) = n[P + R] − n[R] for points P ∈ E[n] and R ∈ E, and evaluating f(Q1)/f(Q2).
• (The Tate pairing is omitted here because its definition goes through Galois cohomology, which is beyond the scope of this talk.)
Basic idea
• Define Dj = j[P + R] − j[R] − [jP] + [∞].
  - Note that we cannot simply define Dj = j[P + R] − j[R]: for j < n its points sum to jP ≠ O, so it is not the divisor of any function. The correction term −[jP] + [∞] fixes this, and for j = n it vanishes because nP = O, so Dn = n[P + R] − n[R] is exactly the divisor we want.
• For each j we can find a function fj with div(fj) = Dj. The base case is f1 = (vertical line through P + R) / (line through P and R), whose divisor is [P + R] − [R] − [P] + [∞] = D1.
• Miller's algorithm computes fj+k(Q1)/fj+k(Q2) from fj(Q1)/fj(Q2) and fk(Q1)/fk(Q2) as follows:
  - Let ax + by + c = 0 be the line through jP and kP (the tangent if jP = kP).
  - Let x + d = 0 be the vertical line through (j + k)P.
1. $\mathrm{div}\!\left(\dfrac{ax+by+c}{x+d}\right) = [jP] + [kP] - [(j+k)P] - [\infty]$
2. Therefore
$$\mathrm{div}(f_{j+k}) = D_{j+k} = (j+k)[P+R] - (j+k)[R] - [(j+k)P] + [\infty]$$
$$= \big(j[P+R] - j[R] - [jP] + [\infty]\big) + \big(k[P+R] - k[R] - [kP] + [\infty]\big) + \mathrm{div}\!\left(\frac{ax+by+c}{x+d}\right)$$
$$= D_j + D_k + \mathrm{div}\!\left(\frac{ax+by+c}{x+d}\right) = \mathrm{div}(f_j) + \mathrm{div}(f_k) + \mathrm{div}\!\left(\frac{ax+by+c}{x+d}\right) = \mathrm{div}\!\left(f_j f_k \frac{ax+by+c}{x+d}\right)$$
3. That is, $f_{j+k} = t \cdot f_j f_k \dfrac{ax+by+c}{x+d}$ for some constant $t$.
4. Therefore the constant $t$ cancels in the ratio:
$$\frac{f_{j+k}(Q_1)}{f_{j+k}(Q_2)} = \frac{f_j(Q_1)}{f_j(Q_2)} \cdot \frac{f_k(Q_1)}{f_k(Q_2)} \cdot \frac{\left.\frac{ax+by+c}{x+d}\right|_{(x,y)=Q_1}}{\left.\frac{ax+by+c}{x+d}\right|_{(x,y)=Q_2}}$$
Escrow ElGamal encryption
• Setup
  - Use the same elliptic curve and pairing ê as BasicIdent.
  - Pick a random s ∈ Zq and set Q = sP.
  - Choose a hash function H : Fp2 → {0,1}^n.
  - System parameters: ⟨p, n, P, Q, H⟩; s is the escrow key.
• Keygen
  - The user chooses a random x ∈ Zq as the private key.
  - The public key is Ppub = xP.
Big picture
[Figure: the standard ElGamal exchange. Bob publishes his public key yBob with a certificate cert(yBob, Bob); Alice sends the ciphertext pair (a, b).]
Escrow ElGamal encryption (cont'd)
• Encrypt
  - Pick a random r ∈ Zq.
  - C = ⟨rP, M ⊕ H(g^r)⟩, where g = ê(Ppub, Q) ∈ Fp2 (C is the encrypted message).
• Decrypt (C = ⟨U, V⟩): V ⊕ H(ê(U, xQ)) = M
• Escrow-decrypt: V ⊕ H(ê(U, sPpub)) = M
• Both work by bilinearity: ê(U, xQ) = ê(rP, xsP) = ê(P, P)^{rxs} = ê(xP, sP)^r = g^r, and likewise ê(U, sPpub) = ê(rP, sxP) = g^r. Anyone holding either the user's key x or the escrow key s can recompute the mask, which is the whole point of the scheme and also its trust assumption.
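As an added, self-contained example (written for this page; it is not the slides' code nor Boneh and Franklin's reference implementation), the following Python puts the preceding slides together: the chord-and-tangent addition law, Miller's algorithm with the base case f1 = v_{P+R}/ℓ_{P,R} and the recursion f_{j+k} = f_j f_k ℓ/v, the Weil pairing computed from random R1, R2 with the retry on division by zero, BasicIdent (Setup, Extract, Encrypt, Decrypt) and the escrow ElGamal scheme. It assumes toy parameters chosen here for illustration: the supersingular curve y^2 = x^3 + 1 over F_p with p = 617 and q = 103 (p ≡ 2 mod 3, #E(F_p) = p + 1 = 6q), the distortion map φ(x, y) = (wx, y) with w a cube root of unity in F_{p^2}, SHA-256 standing in for H1 (via the Boneh-Franklin MapToPoint construction) and H2, and a 32-byte message space. These sizes are far too small for any real use; the identities and plaintexts in the usage below are constructed sample inputs.

```python
# Added example (not the slides' or Boneh-Franklin's own code): BasicIdent and escrow
# ElGamal on the supersingular curve y^2 = x^3 + 1 over F_p, p = 2 (mod 3), with the
# Weil pairing computed by Miller's algorithm as on the slides. Toy parameters, assumed.
import hashlib, secrets

P_MOD, Q_ORD, N_BYTES = 617, 103, 32          # assumed: p = 2 mod 3, #E(F_p) = p + 1 = 6q

class F2:                                     # F_{p^2} = F_p[w]/(w^2 + w + 1); w^3 = 1, w not in F_p
    def __init__(self, a, b=0): self.a, self.b = a % P_MOD, b % P_MOD
    def __e_q__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __add__(self, o): return F2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return F2(self.a - o.a, self.b - o.b)
    def __mul__(self, o):                     # uses w^2 = -w - 1
        return F2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a - self.b * o.b)
    def __truediv__(self, o):                 # 1/(a + bw) = (a + bw^2) / (a^2 - ab + b^2)
        n = (o.a * o.a - o.a * o.b + o.b * o.b) % P_MOD
        if n == 0: raise ZeroDivisionError    # caught by weil(), which then retries
        n = pow(n, -1, P_MOD)
        return self * F2((o.a - o.b) * n, -o.b * n)
    def __pow__(self, e):
        r, b = F2(1), self
        while e:
            if e & 1: r = r * b
            b, e = b * b, e >> 1
        return r

ZERO, ONE, W = F2(0), F2(1), F2(0, 1)
phi = lambda T: None if T is None else (W * T[0], T[1])   # distortion map (x, y) -> (wx, y)
vert = lambda T, S: ONE if T is None else S[0] - T[0]     # vertical line through T at S; 1 if T = O
def slope(A, B):                              # chord slope, or tangent slope when A == B (curve a = 0)
    return (B[1] - A[1]) / (B[0] - A[0]) if A[0] != B[0] else F2(3) * A[0] * A[0] / (F2(2) * A[1])
def add(A, B):                                # chord-and-tangent addition from the slides; None is O
    if A is None or B is None: return A if B is None else B
    if A[0] == B[0] and A[1] + B[1] == ZERO: return None    # B = -A: vertical line, sum is O
    lam = slope(A, B); x = lam * lam - A[0] - B[0]
    return (x, lam * (A[0] - x) - A[1])                     # reflect the third intersection point
def mul(k, T):                                # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, T)
        T, k = add(T, T), k >> 1
    return R
def line(A, B, S):                            # line through A and B (vertical if B = -A), evaluated at S
    if A[0] == B[0] and A[1] + B[1] == ZERO: return S[0] - A[0]
    return S[1] - A[1] - slope(A, B) * (S[0] - A[0])

def miller(P, R, n, S):                       # f with div(f) = n[P+R] - n[R], evaluated at S
    if S is None or R is None: raise ZeroDivisionError
    f1 = vert(add(P, R), S) / line(P, R, S)   # div(f_1) = [P+R] - [R] - [P] + [O]
    f, T = f1, P
    for bit in bin(n)[3:]:                    # f_{j+k} = f_j f_k * l_{jP,kP} / v_{(j+k)P}
        f, T = f * f * line(T, T, S) / vert(add(T, T), S), add(T, T)
        if bit == "1": f, T = f * f1 * line(T, P, S) / vert(add(T, P), S), add(T, P)
    if f == ZERO: raise ZeroDivisionError     # S was a zero of some line: value not well defined
    return f
def rand_torsion():                           # random nonzero point of E[q] = <GEN, phi(GEN)>
    R = add(mul(secrets.randbelow(Q_ORD), GEN), mul(secrets.randbelow(Q_ORD), phi(GEN)))
    return R if R is not None else rand_torsion()
def weil(P, Q, n=Q_ORD):                      # e(P,Q) = f_P(A_Q) / f_Q(A_P), A_P = (P+R1)-(R1), A_Q = (Q+R2)-(R2)
    if P is None or Q is None: return ONE
    while True:                               # on a division by zero pick fresh R1, R2, as the slides say
        R1, R2 = rand_torsion(), rand_torsion()
        try:
            return (miller(P, R1, n, add(Q, R2)) * miller(Q, R2, n, R1)
                    / (miller(P, R1, n, R2) * miller(Q, R2, n, add(P, R1))))
        except ZeroDivisionError:
            pass
ehat = lambda P, Q: weil(P, phi(Q))           # modified pairing: e(P,P) = 1 but ehat(P,P) != 1

def map_to_point(y0):                         # BF MapToPoint: cubing is a bijection on F_p (p = 2 mod 3),
    x = pow((y0 * y0 - 1) % P_MOD, (2 * P_MOD - 1) // 3, P_MOD)   # so x = cbrt(y0^2 - 1) is unique;
    return mul((P_MOD + 1) // Q_ORD, (F2(x), F2(y0)))              # cofactor 6 moves it into G1 (or to O)
GEN = next(T for T in map(map_to_point, range(2, P_MOD)) if T is not None)   # generator P of G1
def H1(ident):                                # {0,1}* -> G1*: hash to y0, MapToPoint, retry if it gives O
    for ctr in range(256):
        T = map_to_point(int.from_bytes(hashlib.sha256(ident + bytes([ctr])).digest(), "big") % P_MOD)
        if T is not None: return T
H2 = lambda g: hashlib.sha256(f"{g.a},{g.b}".encode()).digest()[:N_BYTES]   # G2 -> {0,1}^n
xor = lambda u, v: bytes(a ^ b for a, b in zip(u, v))
rand_exp = lambda: 1 + secrets.randbelow(Q_ORD - 1)                         # uniform in Z_q^*

def setup():                                  # BasicIdent PKG: params (P, Ppub = sP), master key s
    s = rand_exp(); return {"P": GEN, "Ppub": mul(s, GEN)}, s
def extract(s, ident): return mul(s, H1(ident))                             # d_ID = s * Q_ID
def encrypt(params, ident, msg):              # C = (rP, M xor H2(g_ID^r)), g_ID = ehat(Q_ID, Ppub)
    r = rand_exp(); return mul(r, params["P"]), xor(msg, H2(ehat(H1(ident), params["Ppub"]) ** r))
def decrypt(d_id, C):                         # V xor H2(ehat(d_ID, U)); ehat(sQ_ID, rP) = g_ID^r
    return xor(C[1], H2(ehat(d_id, C[0])))

def eg_setup():                               # escrow ElGamal: Q = sP, s is the escrow key
    s = rand_exp(); return {"P": GEN, "Q": mul(s, GEN)}, s
def eg_keygen(): x = rand_exp(); return x, mul(x, GEN)                     # user key x, Ppub = xP
def eg_encrypt(params, ppub, msg):            # C = (rP, M xor H(g^r)), g = ehat(Ppub, Q)
    r = rand_exp(); return mul(r, params["P"]), xor(msg, H2(ehat(ppub, params["Q"]) ** r))
def eg_decrypt(x, params, C): return xor(C[1], H2(ehat(C[0], mul(x, params["Q"]))))   # ehat(U, xQ)
def eg_escrow(s, ppub, C): return xor(C[1], H2(ehat(C[0], mul(s, ppub))))           # ehat(U, s Ppub)
```

Usage: `params, s = setup(); c = encrypt(params, b"bob", msg); decrypt(extract(s, b"bob"), c) == msg`. Two checks worth running by hand: `weil(GEN, GEN) == ONE` (the plain pairing is trivial on G1 × G1, which is why BasicIdent needs the distortion map) and `ehat(mul(a, GEN), mul(b, GEN)) == ehat(GEN, GEN) ** (a * b)` (bilinearity, which is all that the decryption argument on the slides relies on). With q = 103 the group G1 has only 103 elements, so H1 collides between identities about once in a hundred times; that is a property of the toy parameters, not of the scheme.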