Pairing Based Cryptography Standards - PowerPoint PPT Presentation

1
Pairing Based Cryptography Standards
  • Terence Spies
  • VP Engineering
  • Voltage Security
  • terence_at_voltage.com

2
Overview
  • What is a Pairing?
  • Pairing-based Crypto Applications
  • Pairing-based Crypto Standards

3
What is a Pairing?
  • An old mathematical idea
  • It pairs elliptic curve points
  • Has a very interesting property called
    bilinearity
  • Pair(aB, cD) = Pair(cB, aD)
  • This property makes for a powerful new
    cryptographic primitive
  • Popular cryptographic research area (200 papers)

4
What can Pairings do?
  • Identity based encryption
  • Encryption where any string (like an email
    address) can be a public key
  • Identity based key exchange
  • Key exchange using identities
  • Short signatures
  • 160-bit signatures
  • Searchable encryption, and others

5
Identity-Based Encryption (IBE)
  • IBE is an old idea
  • Originally proposed in 1984 by Adi Shamir,
    co-inventor of the RSA Algorithm
  • Fundamental problem: can any string be used as a
    public key?
  • Practical implementation
  • Boneh-Franklin Algorithm published at Crypto 2001
  • First efficient, provably secure IBE scheme

6
Identity-Based Encryption (IBE)
  • The ability to use any string makes key
    management easier
  • IBE Public Key
  • alice@gmail.com
  • RSA Public Key
  • Public exponent = 0x10001
  • Modulus = 13506641086599522334960321627880596993888
    1475605667027524485143851526510604859533833940287
    1505719094417982072821644715513736804197039641917
    4304649658927425623934102086438320211037295872576
    235850964311056407350150818751067659462920556368
    5529475213500852879416377328533906109750544334999
    811150056977236890927563

7
How IBE works in practice: Alice sends a Message to Bob
  • [Diagram labels: Key Server; bob@b.com; alice@a.com]

8
How IBE works in practice: Charlie sends a Message to Bob
  • [Diagram labels: Key Server; bob@b.com; charlie@c.com]

9
How Pairings Lead to IBE
  • Setup
  • Key generator generates secret s, random P
  • Gives everyone P, sP
  • Encryption
  • Alice hashes Bob@b.com -> ID
  • Encrypt message with k = Pair(rID, sP)
  • Send encrypted message and rP
  • Key Generation
  • Bob authenticates, asks for private key
  • Key generator gives back sID
  • Decrypt
  • Bob decrypts with k = Pair(sID, rP)
  • Bob's k and Alice's k are identical
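
Added example (not part of the original slides): the four steps above, and the bilinearity property from slide 3, run over a toy bilinear map. Assumptions: the parameters Q, P_MOD and G, the SHAKE-based keystream, and all function names are constructed for illustration; a point xP is stored as the scalar x, so this model has no security and only shows why both sides derive the same k.

```python
# Toy model, NOT a secure pairing: the point xP is stored as the scalar x mod Q,
# so discrete logs are trivial. Real IBE uses an elliptic-curve pairing.
import hashlib
import secrets

Q = 1019        # prime order of the toy point group (constructed parameter)
P_MOD = 2039    # prime with P_MOD = 2*Q + 1
G = 4           # element of order Q in the integers mod P_MOD

def mul(k, point):
    """Scalar multiple k*point in the toy group."""
    return (k * point) % Q

def pair(x, y):
    """Toy bilinear map: Pair(xP, yP) = G^(x*y) mod P_MOD."""
    return pow(G, (x * y) % Q, P_MOD)

def bilinear_ok(a, c, B, D):
    """Slide 3 property: Pair(aB, cD) == Pair(cB, aD)."""
    return pair(mul(a, B), mul(c, D)) == pair(mul(c, B), mul(a, D))

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1   # uniform in 1..Q-1

def hash_to_id(identity):
    """Map an identity string to a nonzero point ID."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def mask(data, k):
    """XOR data with a keystream derived from the shared value k."""
    stream = hashlib.shake_256(k.to_bytes(2, "big")).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))

def setup():
    s, P = rand_scalar(), rand_scalar()
    return s, (P, mul(s, P))              # master secret s, public (P, sP)

def encrypt(params, identity, message):
    P, sP = params
    r = rand_scalar()
    k = pair(mul(r, hash_to_id(identity)), sP)   # k = Pair(rID, sP)
    return mul(r, P), mask(message, k)           # send rP and ciphertext

def extract(s, identity):
    return mul(s, hash_to_id(identity))          # key server returns sID

def decrypt(sID, ciphertext):
    rP, body = ciphertext
    return mask(body, pair(sID, rP))             # k = Pair(sID, rP)
```

The sender needs only the public pair (P, sP) and the recipient's identity string; the master secret s is used only in extract, which is why the key server can issue sID after the message has already been sent.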

10
IBE's Operational Characteristics
  • Easy cross-domain encryption
  • No per-user databases
  • No per-user queries to find keys
  • State of the system does not grow per user
  • Key recovery
  • Accommodates content scanning, anti-virus,
    archiving and other regulatory mechanisms
  • Keys still under control of enterprise
  • Fine-grained key control
  • Easy to change authentication policy over time
  • Revocation handled without CRLs

11
IBE and PKI - Complementary Strengths
  • PKI
  • Maximum protection
  • Works well for signing/authentication
  • Requires roll-out
  • generate keys for users
  • Certificate management
  • Identity-Based Encryption
  • Good for encryption
  • no key-lookup
  • revocation is easy
  • Ad-hoc capable
  • requires no pre-enrollment
  • Content scanning easy

12
Other Pairing Applications
  • Short Signatures
  • BLS scheme and others yield 160-bit signatures
  • Half the size of DSA signatures
  • Have other interesting properties
  • Can aggregate signatures
  • Allows, for example, a single signature on a cert
    chain
  • Verifiable encrypted signatures
  • Use in fair exchange, other protocols
  • Searchable Encryption
  • Key Exchange

13
Standards Activities
  • IEEE Study Group formed last Monday, as part of
    the P1363 Group
  • Goal is writing and submitting a PAR, defining
    the mission of the standards group
  • 24 participants from various countries and
    industries
  • Technical content drafts soon
  • Pairings module: Hovav Shacham, Stanford
  • IBE module: Mike Scott, Dublin City University
  • Draft PAR agreed, to be submitted

14
Standards Philosophy
  • Model after past IEEE cryptographic standards
  • Standardize algorithms, but not protocols
  • e.g. formats for IBE encrypted email would be
    part of a different standard
  • Don't block future standards based on PBC
  • Allow for amendments that build on parts of this
    standard
  • Separate IBE and PBC layers
  • Limit scope to keep the task manageable
  • Focus on one set of algorithms, split off other
    types of algorithms into separate standards

15
Proposed Structure of a PBC/IBE Standard: Pairing Based Crypto Layer and Algorithm Layers
  • [Diagram labels: Other stds; Identity based key exchange; Signatures; Identity-Based Encryption; 1363; Pairing Based Cryptography (e.g. pairing, algorithms to compute pairings, curve types, curve parameters)]

16
Current Discussion Points
  • Scaling Security to 128/256 bits
  • Separation between pairing layer and crypto
    methods
  • Curve families for embedded and hardware
    implementation

17
For More Information
  • On 1363 activities
  • http://grouper.ieee.org/groups/1363/WorkingGroup/
  • On pairing based crypto
  • Paulo Barreto's Pairing Based Crypto Lounge
  • http://paginas.terra.com.br/informatica/paulobarreto/pblounge.htm
  • On IBE
  • http://crypto.stanford.edu/ibe/
  • http://www.voltage.com