IdentityBased Encryption from the Weil Pairing - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

IdentityBased Encryption from the Weil Pairing

Description:

PhD, Computer Science, Princeton University ... Tate pairing and other curves can improve the speed. Distributed PKG. IBE implies signatures ... – PowerPoint PPT presentation

Number of Views:150
Avg rating:3.0/5.0
Slides: 27
Provided by: MIC61
Category:

less

Transcript and Presenter's Notes

Title: IdentityBased Encryption from the Weil Pairing


1
Identity-Based Encryption from the Weil Pairing
  • Dan Boneh and Matt Franklin
  • Presenter An Liu

2
Authors
  • Dan Boneh
  • PhD, Computer Science, Princeton University
  • Associate Professor, Computer Science and
    Electrical Engineering at the Stanford University
  • co-founded the company Voltage Security in 2003.
  • Matt Franklin
  • PhD, Computer Science, Columbia University
  • Professor, Computer Science, U.C. Davis

3
Outline
  • Applications
  • Elliptic Curve Group over real number and Fp
  • Weil Pairing
  • BasicIdent
  • FullIdent
  • Extensions
  • Escrow ElGamal Encryption

4
Identity-Based Encryption
  • setup
  • global parameters
  • master key
  • global parameters
  • global parameters

M encrypted using bob_at_ncsu.edu
  • Authentication

Private key for bob_at_ncsu.edu
  • extract
  • encrypt
  • decrypt

5
Applications
  • Revocation of public keys
  • bob_at_ncsu.edu 2006
  • bob_at_ncsu.edu 2006-10-20
  • Send message into the future
  • Delegation of decryption keys
  • Delegation to a laptop (use date as public key)
  • Delegation of duties (use subject as public key)

6
Elliptic Curve Group over Real Numbers
  • y2 x3 ax b
  • x, y, a, b are real numbers
  • If 4a3 27b2 ? 0, a group can be formed.
  • points on curve and infinity point
  • Additive group

7
Elliptic Curve Addition A Geometric Approach
  • Adding distinct points P and Q
  • The negative of a point P is its reflection in
    the x-axis.

8
  • Adding the points P and -P

9
  • Doubling the point P

10
Elliptic Curve Addition An Algebraic Approach
  • Adding distinct points P and Q (PQR)
  • P(xP,yP) and Q(xQ,yQ) are not negative each other
  • s (yP yQ) / (xP xQ)
  • xR s2 xP xQ, yR yP s(xP xR)
  • Doubling the point P (2PR)
  • yP ? 0
  • s (3xP2 a) / 2yP
  • xR s2 2xP, yR yP s(xP xR)

11
Elliptic Curve Groups over Fp
  • Calculations over real number are slow and
    inaccurate.
  • y2 mod p x3 ax b mod p
  • x, y, a, b are in Fp
  • finite points
  • no geometric approach

12
Elliptic Curve Groups over Fp (Contd)
  • Adding distinct points P and Q (PQR)
  • P(xP, yP) is not - Q (xQ, - yQ mod p)
  • s (yP yQ) / (xP xQ) mod p
  • xR s2 xP xQ mod p
  • yR yP s(xP xR) mod p
  • Doubling the point P (2PR)
  • yP ? 0
  • s (3xP2 a) / 2yP mod p
  • xR s2 2xP mod p, yR yP s(xP xR) mod p

13
Elliptic Curve Discrete Logarithm Problem (ECDLP)
  • Discrete Logarithm Problem
  • For multiplicative group Zp, given r,q,p, find k
    such that r qk mod p.
  • Foundation of many cryptosystems.
  • Scalar multiplication
  • P, 2P, 3P2PP, 4P3PP, , kP (additive
    notation)
  • ECDLP
  • Given point Q, P, find k such that kPQ

14
Weil Pairing
  • Bilinear map
  • A map e G1G1?G2
  • ?P,Q?G1, ?a,b?Z, e(aP, bQ) e(P, Q)ab
  • Weil Pairing
  • bilinear map
  • G1 is the group of points of an elliptic curve
    over Fp
  • G2 is a subgroup of Fp2
  • efficiently computable
  • Millers algorithm

15
Weil Pairing (Contd)
  • Elliptic Curve Group in this paper
  • p,q are primes, p 2 mod 3, p 6q 1
  • E is the elliptic curve defined by y2 x3 1
    over Fp
  • Gq is the group with order q (p1)/6 generated
    by P ?E/Fp
  • Modified Weil pairing
  • ê GqGq?µq
  • µq is the subgroup of Fp2 containing all
    elements of order q
  • Non-degenerate ê(P, P) ? Fp2 is generator of µq

16
Weil Diffie-Hellman Assumption (WDH)
  • Given lt P, aP, bP, cP gt for random a,b,c?Zq,
    P?E/Fp, compute W ê(P,P)abc ?Fp2
  • When p is a random k-bit prime, there is no
    probabilistic polynomial time algorithm for the
    WDH problem.

17
MapToPoint algorithm
  • Convert arbitrary string ID?0,1 to a point
    QID?E/Fp of order q
  • hash function G 0,1?Fp
  • Steps
  • y0 G(ID), x0 (y02 1)1/3 (y02 1)(2p
    1)/3
  • Q (x0, y0)?E/Fp, QID 6Q

18
BasicIdent Setup
  • Use the elliptic curve group we already defined
  • Choose arbitrary P?E/Fp of order q
  • Pick random s?Zq and set Ppub sP
  • Choose hash functions
  • H Fp2 ?0,1n
  • G 0,1?Fp
  • Message space M 0,1n, ciphertext space is C
    E/Fp0,1n
  • System parameters are ltp, n, P, Ppub, G, Hgt.
    Master-key is s.

19
BasicIdent (Contd)
  • Extract (get private key from ID)
  • Use MapToPoint to map ID to a point QID
  • Private key corresponding to ID is dID sQID
  • Encrypt (encrypt M with ID)
  • Use MapToPoint to map ID to a point QID
  • Choose random r ? Zq
  • C ltrP, M?H(gIDr)gt where gID ê(QID,Ppub) ? Fp2

20
BasicIdent (Contd)
  • Decrypt (decrypt C ltU,Vgt)
  • If U is not a point of order q, reject the
    ciphertext
  • Otherwise, M V ? H(ê(dID, U))
  • Why M can be recovered?
  • ê(dID, U) ê(sQID, rP) ê(QID, P)sr ê(QID,
    Ppub)r gIDr
  • V ? H(ê(dID, U)) M?H(gIDr)? H(gIDr) M

21
FullIdent
  • BasicIdent is not chosen ciphertext secure.
  • Setup
  • In addition to BasicIdent, pick another two hash
    functions
  • H1 0,1n0,1n?Fq
  • G1 0,1n? 0,1n
  • Extract
  • Same as BasicIdent

22
FullIdent (Contd)
  • Encrypt (encrypt M using ID)
  • Use MapToPoint to convert ID into point QID
  • Choose random s?0,1n
  • Set r H1(s, M)
  • C lt rP, s?H(gIDr), M?G1(s) gt where gID ê(QID,
    Ppub) ? Fp2

23
FullIdent (Contd)
  • Decrypt (decrypt CltU,V,Wgt)
  • Compute V ? H(ê(dID, U)) s
  • Compute W ? G1(s) M
  • Set r H1(s, M)
  • If U ? rP, reject.

24
Extensions Observations
  • Tate pairing and other curves can improve the
    speed
  • Distributed PKG
  • IBE implies signatures
  • Master-key s is private key (sign)
  • Global system parameters is public key (verify)
  • Signature of M sQM
  • Verification encrypt random M use IDM, then
    decrypt use sQM

25
Escrow ElGamal Encryption
  • Setup
  • Use same elliptic curve
  • Pick a random s?Zq, Q sP
  • Choose hash function Fp2 ? 0,1n
  • System parameters lt p, n, P, Q, H gt
  • s is the escrow key
  • Keygen
  • User randomly choose x?Zq as private key
  • Public key is Ppub xP

26
Escrow ElGamal Encryption (Contd)
  • Encrypt
  • Pick random r?Zq
  • C lt rP, M?H(gr) gt where g ê(Ppub, Q)? Fp2
  • Decrypt (C ltU,Vgt)
  • V ? H(ê(U, xQ)) M
  • Escrow-decrypt
  • V ? H(ê(U, sPpub)) M
Write a Comment
User Comments (0)
About PowerShow.com