Title: Identity-Based Encryption from the Weil Pairing
1 Identity-Based Encryption from the Weil Pairing
- Dan Boneh and Matt Franklin
- Presenter: An Liu
2 Authors
- Dan Boneh
- PhD, Computer Science, Princeton University
- Associate Professor, Computer Science and Electrical Engineering at Stanford University
- Co-founded the company Voltage Security in 2003.
- Matt Franklin
- PhD, Computer Science, Columbia University
- Professor, Computer Science, U.C. Davis
3 Outline
- Applications
- Elliptic Curve Group over the real numbers and $\mathbb{F}_p$
- Weil Pairing
- BasicIdent
- FullIdent
- Extensions
- Escrow ElGamal Encryption
4 Identity-Based Encryption
- global parameters
- master key
M encrypted using bob_at_ncsu.edu
Private key for bob_at_ncsu.edu
5 Applications
- Revocation of public keys
- bob_at_ncsu.edu 2006
- bob_at_ncsu.edu 2006-10-20
- Send message into the future
- Delegation of decryption keys
- Delegation to a laptop (use date as public key)
- Delegation of duties (use subject as public key)
6 Elliptic Curve Group over Real Numbers
- $y^2 = x^3 + ax + b$
- x, y, a, b are real numbers
- If $4a^3 + 27b^2 \neq 0$, a group can be formed.
- points on the curve and the point at infinity
- Additive group
7 Elliptic Curve Addition: A Geometric Approach
- Adding distinct points P and Q
- The negative of a point P is its reflection in the x-axis.
8
- Adding the points P and -P
9
10 Elliptic Curve Addition: An Algebraic Approach
- Adding distinct points P and Q ($P + Q = R$)
- $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ are not negatives of each other
- $s = (y_P - y_Q) / (x_P - x_Q)$
- $x_R = s^2 - x_P - x_Q$, $y_R = -y_P + s(x_P - x_R)$
- Doubling the point P ($2P = R$)
- $y_P \neq 0$
- $s = (3x_P^2 + a) / (2y_P)$
- $x_R = s^2 - 2x_P$, $y_R = -y_P + s(x_P - x_R)$
11 Elliptic Curve Groups over $\mathbb{F}_p$
- Calculations over the real numbers are slow and inaccurate.
- $y^2 \bmod p = (x^3 + ax + b) \bmod p$
- x, y, a, b are in $\mathbb{F}_p$
- finitely many points
- no geometric approach
12 Elliptic Curve Groups over $\mathbb{F}_p$ (Cont'd)
- Adding distinct points P and Q ($P + Q = R$)
- $P = (x_P, y_P)$ is not $-Q = (x_Q, -y_Q \bmod p)$
- $s = (y_P - y_Q) / (x_P - x_Q) \bmod p$
- $x_R = s^2 - x_P - x_Q \bmod p$
- $y_R = -y_P + s(x_P - x_R) \bmod p$
- Doubling the point P ($2P = R$)
- $y_P \neq 0$
- $s = (3x_P^2 + a) / (2y_P) \bmod p$
- $x_R = s^2 - 2x_P \bmod p$, $y_R = -y_P + s(x_P - x_R) \bmod p$
13 Elliptic Curve Discrete Logarithm Problem (ECDLP)
- Discrete Logarithm Problem
- For the multiplicative group $\mathbb{Z}_p^*$, given r, q, p, find k such that $r = q^k \bmod p$.
- Foundation of many cryptosystems.
- Scalar multiplication
- $P$, $2P$, $3P = 2P + P$, $4P = 3P + P$, ..., $kP$ (additive notation)
- ECDLP
- Given points Q and P, find k such that $kP = Q$
14 Weil Pairing
- Bilinear map
- A map $e: G_1 \times G_1 \to G_2$
- $\forall P, Q \in G_1$, $\forall a, b \in \mathbb{Z}$: $e(aP, bQ) = e(P, Q)^{ab}$
- Weil Pairing
- bilinear map
- $G_1$ is the group of points of an elliptic curve over $\mathbb{F}_p$
- $G_2$ is a subgroup of $\mathbb{F}_{p^2}^*$
- efficiently computable
- Miller's algorithm
15 Weil Pairing (Cont'd)
- Elliptic Curve Group in this paper
- p, q are primes, $p \equiv 2 \bmod 3$, $p = 6q - 1$
- E is the elliptic curve defined by $y^2 = x^3 + 1$ over $\mathbb{F}_p$
- $G_q$ is the group of order $q = (p + 1)/6$ generated by $P \in E/\mathbb{F}_p$
- Modified Weil pairing
- $\hat{e}: G_q \times G_q \to \mu_q$
- $\mu_q$ is the subgroup of $\mathbb{F}_{p^2}^*$ containing all elements of order q
- Non-degenerate: $\hat{e}(P, P) \in \mathbb{F}_{p^2}$ is a generator of $\mu_q$
16 Weil Diffie-Hellman Assumption (WDH)
- Given $\langle P, aP, bP, cP \rangle$ for random $a, b, c \in \mathbb{Z}_q$, $P \in E/\mathbb{F}_p$, compute $W = \hat{e}(P, P)^{abc} \in \mathbb{F}_{p^2}$
- When p is a random k-bit prime, there is no probabilistic polynomial time algorithm for the WDH problem.
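17 MapToPoint algorithm
- Convert an arbitrary string $ID \in \{0,1\}^*$ to a point $Q_{ID} \in E/\mathbb{F}_p$ of order q
- hash function $G: \{0,1\}^* \to \mathbb{F}_p$
- Steps
- $y_0 = G(ID)$, $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p - 1)/3}$
- $Q = (x_0, y_0) \in E/\mathbb{F}_p$, $Q_{ID} = 6Q$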
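18 BasicIdent Setup
- Use the elliptic curve group we already defined
- Choose arbitrary $P \in E/\mathbb{F}_p$ of order q
- Pick random $s \in \mathbb{Z}_q$ and set $P_{pub} = sP$
- Choose hash functions
- $H: \mathbb{F}_{p^2} \to \{0,1\}^n$
- $G: \{0,1\}^* \to \mathbb{F}_p$
- Message space $\mathcal{M} = \{0,1\}^n$, ciphertext space is $\mathcal{C} = E/\mathbb{F}_p \times \{0,1\}^n$
- System parameters are $\langle p, n, P, P_{pub}, G, H \rangle$. Master-key is s.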
19 BasicIdent (Cont'd)
- Extract (get private key from ID)
- Use MapToPoint to map ID to a point $Q_{ID}$
- Private key corresponding to ID is $d_{ID} = sQ_{ID}$
- Encrypt (encrypt M with ID)
- Use MapToPoint to map ID to a point $Q_{ID}$
- Choose random $r \in \mathbb{Z}_q$
- $C = \langle rP, M \oplus H(g_{ID}^r) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in \mathbb{F}_{p^2}$
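20 BasicIdent (Cont'd)
- Decrypt (decrypt $C = \langle U, V \rangle$)
- If U is not a point of order q, reject the ciphertext
- Otherwise, $M = V \oplus H(\hat{e}(d_{ID}, U))$
- Why can M be recovered?
- $\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^r = g_{ID}^r$
- $V \oplus H(\hat{e}(d_{ID}, U)) = M \oplus H(g_{ID}^r) \oplus H(g_{ID}^r) = M$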
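Added example (not from the slides or the paper's authors): the group law on y^2 = x^3 + 1 over F_p, MapToPoint, and the Decrypt-side "U has order q" check, without the pairing itself. Assumptions: toy primes q = 103, p = 617 chosen here, SHA-256 reduced mod p standing in for G, and the helper names are hypothetical.

```python
import hashlib

# Toy parameters (constructed for illustration, far too small for real use):
# q = 103 and p = 6q - 1 = 617 are both prime, and p = 2 mod 3.
Q_ORD, P_MOD = 103, 617
O = None  # point at infinity

def on_curve(pt):
    """True if pt is O or satisfies y^2 = x^3 + 1 over F_p."""
    return pt is O or (pt[1] ** 2 - pt[0] ** 3 - 1) % P_MOD == 0

def add(p1, p2):
    """Slide formulas for P + Q and 2P, with a = 0 for this curve."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # P + (-P); also covers doubling a point with y = 0
    if p1 == p2:
        s = 3 * x1 * x1 * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        s = (y1 - y2) * pow((x1 - x2) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (-y1 + s * (x1 - x3)) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication kP."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def map_to_point(identity):
    """MapToPoint; SHA-256 mod p stands in for the hash G (assumption)."""
    digest = hashlib.sha256(identity.encode()).digest()
    y0 = int.from_bytes(digest, "big") % P_MOD
    x0 = pow((y0 * y0 - 1) % P_MOD, (2 * P_MOD - 1) // 3, P_MOD)  # cube root
    return mul(6, (x0, y0))  # Q_ID = 6Q; with a toy p this can be O

def has_order_q(pt):
    """Decrypt-side check: accept U only if it is a curve point of order q."""
    return pt is not O and on_curve(pt) and mul(Q_ORD, pt) is O
```

The curve has p + 1 = 6q points, so multiplying by 6 forces the result into the order-q subgroup; (2, 3) and (0, 1) are points of order 6 and 3 that the order check rejects.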
21 FullIdent
- BasicIdent is not chosen ciphertext secure.
- Setup
- In addition to BasicIdent, pick another two hash functions
- $H_1: \{0,1\}^n \times \{0,1\}^n \to \mathbb{F}_q$
- $G_1: \{0,1\}^n \to \{0,1\}^n$
- Extract
- Same as BasicIdent
22 FullIdent (Cont'd)
- Encrypt (encrypt M using ID)
- Use MapToPoint to convert ID into point $Q_{ID}$
- Choose random $s \in \{0,1\}^n$
- Set $r = H_1(s, M)$
- $C = \langle rP, s \oplus H(g_{ID}^r), M \oplus G_1(s) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in \mathbb{F}_{p^2}$
23 FullIdent (Cont'd)
- Decrypt (decrypt $C = \langle U, V, W \rangle$)
- Compute $V \oplus H(\hat{e}(d_{ID}, U)) = s$
- Compute $W \oplus G_1(s) = M$
- Set $r = H_1(s, M)$
- If $U \neq rP$, reject.
24 Extensions: Observations
- Tate pairing and other curves can improve the speed
- Distributed PKG
- IBE implies signatures
- Master-key s is the private key (sign)
- Global system parameters are the public key (verify)
- Signature of M: $sQ_M$
- Verification: encrypt a random message using ID = M, then decrypt using $sQ_M$
25 Escrow ElGamal Encryption
- Setup
- Use the same elliptic curve
- Pick a random $s \in \mathbb{Z}_q$, $Q = sP$
- Choose hash function $H: \mathbb{F}_{p^2} \to \{0,1\}^n$
- System parameters $\langle p, n, P, Q, H \rangle$
- s is the escrow key
- Keygen
- User randomly chooses $x \in \mathbb{Z}_q$ as private key
- Public key is $P_{pub} = xP$
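26 Escrow ElGamal Encryption (Cont'd)
- Encrypt
- Pick random $r \in \mathbb{Z}_q$
- $C = \langle rP, M \oplus H(g^r) \rangle$ where $g = \hat{e}(P_{pub}, Q) \in \mathbb{F}_{p^2}$
- Decrypt ($C = \langle U, V \rangle$)
- $V \oplus H(\hat{e}(U, xQ)) = M$
- Escrow-decrypt
- $V \oplus H(\hat{e}(U, sP_{pub})) = M$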