Computer Science CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu
Outline
• Applications
• Elliptic Curve Groups over the real numbers and $F_p$
• Weil Pairing
• BasicIdent
• FullIdent
• Extensions
• Escrow ElGamal Encryption
Identity-Based Encryption
[Figure: Alice sends Bob M encrypted using [email protected]. Bob authenticates to the PKG and receives the private key for [email protected].]
• PKG: global parameters, master key; setup, extract
• Alice: global parameters; encrypt
• Bob: global parameters; decrypt
Applications
• Revocation of public keys
– [email protected] || 2006
– [email protected] || 2006-10-20
– Send message into the future
• Delegation of decryption keys
– Delegation to a laptop (use date as public key)
– Delegation of duties (use subject as public key)
Elliptic Curve Group over Real Numbers
• $y^2 = x^3 + ax + b$
– x, y, a, b are real numbers
• If $4a^3 + 27b^2 \neq 0$, a group can be formed.
– points on curve and infinity point
– Additive group
Elliptic Curve Addition: A Geometric Approach
• Adding distinct points P and Q
* The negative of a point P is its reflection in the x-axis.
Elliptic Curve Addition: An Algebraic Approach
• Adding distinct points P and Q (P + Q = R), where $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ are not negatives of each other
$s = (y_P - y_Q) / (x_P - x_Q)$
$x_R = s^2 - x_P - x_Q$, $y_R = -y_P + s(x_P - x_R)$
• Doubling the point P (2P = R), $y_P \neq 0$
$s = (3x_P^2 + a) / (2y_P)$
$x_R = s^2 - 2x_P$, $y_R = -y_P + s(x_P - x_R)$
Elliptic Curve Groups over $F_p$
• Calculations over the real numbers are slow and inaccurate.
• $y^2 \bmod p = (x^3 + ax + b) \bmod p$
– x, y, a, b are in $F_p$
• finite set of points
• no geometric approach
Elliptic Curve Groups over $F_p$ (Cont’d)
• Adding distinct points P and Q (P + Q = R), where $P = (x_P, y_P)$ is not $-Q = (x_Q, -y_Q \bmod p)$
$s = (y_P - y_Q) / (x_P - x_Q) \bmod p$
$x_R = s^2 - x_P - x_Q \bmod p$
$y_R = -y_P + s(x_P - x_R) \bmod p$
• Doubling the point P (2P = R), $y_P \neq 0$
$s = (3x_P^2 + a) / (2y_P) \bmod p$
$x_R = s^2 - 2x_P \bmod p$, $y_R = -y_P + s(x_P - x_R) \bmod p$
Elliptic Curve Discrete Logarithm Problem (ECDLP)
• Discrete Logarithm Problem
– For multiplicative group $Z_p^*$, given r, q, p, find k such that $r = q^k \bmod p$.
– Foundation of many cryptosystems.
• Scalar multiplication
– P, 2P, 3P = 2P + P, 4P = 3P + P, …, kP (additive notation)
• ECDLP
– Given points Q, P, find k such that kP = Q
Weil Pairing
• Bilinear map
– A map $e: G_1 \times G_1 \to G_2$
– $\forall P, Q \in G_1$, $\forall a, b \in Z$: $e(aP, bQ) = e(P, Q)^{ab}$
• Weil Pairing
– bilinear map
• $G_1$ is the group of points of an elliptic curve over $F_p$
• $G_2$ is a subgroup of $F_{p^2}^*$
– efficiently computable
• Miller’s algorithm
Weil Pairing (Cont’d)
• Elliptic Curve Group in this paper
– p, q are primes, p = 2 mod 3, p = 6q – 1
– E is the elliptic curve defined by $y^2 = x^3 + 1$ over $F_p$
– $G_q$ is the group with order q = (p+1)/6 generated by $P \in E/F_p$
• Modified Weil pairing
– $\hat{e}: G_q \times G_q \to \mu_q$
– $\mu_q$ is the subgroup of $F_{p^2}^*$ containing all elements of order q
– Non-degenerate: $\hat{e}(P, P) \in F_{p^2}$ is generator of $\mu_q$
Weil Diffie-Hellman Assumption (WDH)
• Given $\langle P, aP, bP, cP \rangle$ for random $a, b, c \in Z_q^*$, $P \in E/F_p$, compute $W = \hat{e}(P, P)^{abc} \in F_{p^2}$
• When p is a random k-bit prime, there is no probabilistic polynomial time algorithm for the WDH problem.
MapToPoint algorithm
• Convert arbitrary string $ID \in \{0,1\}^*$ to a point $Q_{ID} \in E/F_p$ of order q
• hash function $G: \{0,1\}^* \to F_p$
• Steps:
– $y_0 = G(ID)$, $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p-1)/3}$
– $Q = (x_0, y_0) \in E/F_p$, $Q_{ID} = 6Q$
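The addition and doubling formulas over F_p and the MapToPoint steps above, as an added example (not code from the slides or the paper). The toy parameters q = 17, p = 101, the SHA-256-based G, and the retry when 6Q is the point at infinity are assumptions made for illustration.

```python
import hashlib

# Toy parameters (constructed for illustration, far too small for real use):
# q and p = 6q - 1 are prime, so p = 2 mod 3 as the slides require.
q, p = 17, 101
O = None         # point at infinity (group identity)

def add(P, Q):
    """P + Q on y^2 = x^3 + 1 over F_p (a = 0), using the slide formulas."""
    if P is O: return Q
    if Q is O: return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:
        return O                      # Q = -P (also covers doubling with y = 0)
    if P == Q:
        s = 3 * xp * xp * pow(2 * yp, -1, p) % p      # doubling slope
    else:
        s = (yp - yq) * pow(xp - xq, -1, p) % p       # chord slope
    xr = (s * s - xp - xq) % p
    return (xr, (-yp + s * (xp - xr)) % p)

def mul(k, P):
    """Scalar multiplication kP by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def on_curve(P):
    return P is O or (P[1] ** 2 - P[0] ** 3 - 1) % p == 0

def G(data: bytes) -> int:
    """Hash to F_p (SHA-256 is an assumption; the slides only name G)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def map_to_point(identity: str):
    """MapToPoint: y0 = G(ID), x0 = (y0^2 - 1)^((2p-1)/3), Q_ID = 6Q."""
    data = identity.encode()
    while True:
        y0 = G(data)
        x0 = pow(y0 * y0 - 1, (2 * p - 1) // 3, p)    # unique cube root mod p
        Q_id = mul(6, (x0, y0))
        if Q_id is not O:             # order divides q and is not 1, so it is q
            return Q_id
        data += b"#"                  # added retry: O is only likely for toy p
```

Because cubing is a bijection on F_p when p = 2 mod 3, every y0 yields exactly one curve point, which is why the curve has p + 1 = 6q points and multiplying by 6 lands in the order-q subgroup.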
BasicIdent – Setup
• Use the elliptic curve group we already defined
• Choose arbitrary $P \in E/F_p$ of order q
• Pick random $s \in Z_q^*$ and set $P_{pub} = sP$
• Choose hash functions
– $H: F_{p^2} \to \{0,1\}^n$
– $G: \{0,1\}^* \to F_p$
• Message space $M = \{0,1\}^n$, ciphertext space is $C = E/F_p \times \{0,1\}^n$
• System parameters are $\langle p, n, P, P_{pub}, G, H \rangle$. Master-key is s.
BasicIdent (Cont’d)
• Extract (get private key from ID)
1. Use MapToPoint to map ID to a point $Q_{ID}$
2. Private key corresponding to ID is $d_{ID} = sQ_{ID}$
• Encrypt (encrypt M with ID)
1. Use MapToPoint to map ID to a point $Q_{ID}$
2. Choose random $r \in Z_q$
3. $C = \langle rP, M \oplus H(g_{ID}^r) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in F_{p^2}$
BasicIdent (Cont’d)
• Decrypt (decrypt $C = \langle U, V \rangle$)
– If U is not a point of order q, reject the ciphertext
– Otherwise, $M = V \oplus H(\hat{e}(d_{ID}, U))$
• Why can M be recovered?
$\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^r = g_{ID}^r$
$V \oplus H(\hat{e}(d_{ID}, U)) = M \oplus H(g_{ID}^r) \oplus H(g_{ID}^r) = M$
FullIdent
• BasicIdent is not chosen ciphertext secure.
• Setup
– In addition to BasicIdent, pick another two hash functions:
• $H_1: \{0,1\}^n \times \{0,1\}^n \to F_q$
• $G_1: \{0,1\}^n \to \{0,1\}^n$
• Extract
– Same as BasicIdent
FullIdent (Cont’d)
• Encrypt (encrypt M using ID)
1. Use MapToPoint to convert ID into point $Q_{ID}$
2. Choose random $\sigma \in \{0,1\}^n$
3. Set $r = H_1(\sigma, M)$
4. $C = \langle rP, \sigma \oplus H(g_{ID}^r), M \oplus G_1(\sigma) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in F_{p^2}$
FullIdent (Cont’d)
• Decrypt (decrypt $C = \langle U, V, W \rangle$)
1. Compute $V \oplus H(\hat{e}(d_{ID}, U)) = \sigma$
2. Compute $W \oplus G_1(\sigma) = M$
3. Set $r = H_1(\sigma, M)$
4. If $U \neq rP$, reject.
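An added example (not code from the slides or the paper) that runs BasicIdent and FullIdent side by side, to show that a modified BasicIdent ciphertext decrypts without complaint while FullIdent's step 4 rejects it. The pairing is a stand-in in which every group element is stored as its discrete log, which is insecure and reproduces only the algebra; the SHA-256-based hash functions and q = 2^127 - 1 are likewise assumptions.

```python
import hashlib, secrets

# Stand-in bilinear group (assumption; insecure, algebra only): every element
# is stored as its discrete log, so aP is the int a and e(aP, bP) = ab mod q.
q = 2**127 - 1                      # prime group order (constructed toy choice)
n = 16                              # message length in bytes
P = 1                               # generator P

def pair(A, B): return A * B % q    # e(A, B), as a log to the base e(P, P)
def gt_pow(x, r): return x * r % q  # x^r in the target group
def h(tag, *parts):                 # SHA-256 stand-in for G, H, H1, G1
    return hashlib.sha256(repr((tag, parts)).encode()).digest()[:n]
def to_zq(b): return int.from_bytes(b, "big") % (q - 1) + 1
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def map_to_point(ident): return to_zq(h("G", ident))
def H(x): return h("H", x)
def H1(sigma, M): return to_zq(h("H1", sigma, M))
def G1(sigma): return h("G1", sigma)

def setup():
    s = secrets.randbelow(q - 1) + 1
    return s, s * P % q             # master key s, P_pub = sP

def extract(s, ident):
    return s * map_to_point(ident) % q          # d_ID = s * Q_ID

def basic_encrypt(Ppub, ident, M):
    r = secrets.randbelow(q - 1) + 1
    g_id = pair(map_to_point(ident), Ppub)
    return r * P % q, xor(M, H(gt_pow(g_id, r)))

def basic_decrypt(d, C):
    U, V = C
    if not 0 < U < q: raise ValueError("U is not a point of order q")
    return xor(V, H(pair(d, U)))                # nothing ties V to U or M

def full_encrypt(Ppub, ident, M):
    sigma = secrets.token_bytes(n)
    r = H1(sigma, M)
    g_id = pair(map_to_point(ident), Ppub)
    return r * P % q, xor(sigma, H(gt_pow(g_id, r))), xor(M, G1(sigma))

def full_decrypt(d, C):
    U, V, W = C
    sigma = xor(V, H(pair(d, U)))               # step 1
    M = xor(W, G1(sigma))                       # step 2
    if U != H1(sigma, M) * P % q:               # steps 3-4: U != rP, reject
        raise ValueError("ciphertext rejected")
    return M
```

XORing a mask into V of a BasicIdent ciphertext XORs the same mask into the decrypted M, whereas the same change to W (or V) of a FullIdent ciphertext changes the recomputed r and raises ValueError.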
Extensions & Observations
• Tate pairing and other curves can improve the speed
• Distributed PKG
• IBE implies signatures
– Master-key s is the private key (sign)
– Global system parameters are the public key (verify)
– Signature of M: $sQ_M$
– Verification: encrypt a random M’ using ID = M, then decrypt using $sQ_M$
Escrow ElGamal Encryption
• Setup
– Use same elliptic curve
– Pick a random $s \in Z_q$, Q = sP
– Choose hash function $H: F_{p^2} \to \{0,1\}^n$
– System parameters: $\langle p, n, P, Q, H \rangle$
– s is the escrow key
• Keygen
– User randomly chooses $x \in Z_q$ as private key
– Public key is $P_{pub} = xP$