IEEE Draft P Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009

Transcription

1 Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009

2 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion

3 About The Headline Identity Based Public Key Cryptography Is a type of public-key cryptography. Difference: the public-key is some unique information ID about the identity of a user. Proposed by Adi Shamir for the first time in 1984 (see [ASha84] page 47 53). Paring: mapping between groups (correct definition later). Used for: encryption (IBE), key encapsulation, signatures (and combinations).

4 About The Headline Identity Based Public Key Cryptography Is a type of public-key cryptography. Difference: the public-key is some unique information ID about the identity of a user. Proposed by Adi Shamir for the first time in 1984 (see [ASha84] page 47 53). Paring: mapping between groups (correct definition later). Used for: encryption (IBE), key encapsulation, signatures (and combinations).

5 About The Headline Identity Based Public Key Cryptography Is a type of public-key cryptography. Difference: the public-key is some unique information ID about the identity of a user. Proposed by Adi Shamir for the first time in 1984 (see [ASha84] page 47 53). Paring: mapping between groups (correct definition later). Used for: encryption (IBE), key encapsulation, signatures (and combinations).

6 About The Headline Identity Based Public Key Cryptography Is a type of public-key cryptography. Difference: the public-key is some unique information ID about the identity of a user. Proposed by Adi Shamir for the first time in 1984 (see [ASha84] page 47 53). Paring: mapping between groups (correct definition later). Used for: encryption (IBE), key encapsulation, signatures (and combinations).

7 About The Headline Identity Based Public Key Cryptography Is a type of public-key cryptography. Difference: the public-key is some unique information ID about the identity of a user. Proposed by Adi Shamir for the first time in 1984 (see [ASha84] page 47 53). Paring: mapping between groups (correct definition later). Used for: encryption (IBE), key encapsulation, signatures (and combinations).

8 About The Paper IEEE: Institute of Electrical and Electronics Engineers. P1363: Standardization project for public-key cryptography..3: Specifications for identity-based public-key cryptography using pairings. Chair of working group (as of Oct. 08): William Whyte (NTRU Cryptosystems Inc).

9 About The Paper IEEE: Institute of Electrical and Electronics Engineers. P1363: Standardization project for public-key cryptography..3: Specifications for identity-based public-key cryptography using pairings. Chair of working group (as of Oct. 08): William Whyte (NTRU Cryptosystems Inc).

10 About The Paper IEEE: Institute of Electrical and Electronics Engineers. P1363: Standardization project for public-key cryptography..3: Specifications for identity-based public-key cryptography using pairings. Chair of working group (as of Oct. 08): William Whyte (NTRU Cryptosystems Inc).

11 About The Paper IEEE: Institute of Electrical and Electronics Engineers. P1363: Standardization project for public-key cryptography..3: Specifications for identity-based public-key cryptography using pairings. Chair of working group (as of Oct. 08): William Whyte (NTRU Cryptosystems Inc).

12 Pairing: a mathematical formalism Definition Let (G 1, +), (G 2, +), (G 3, ) be groups of prime order p N. A pairing is a Z p bilinear map e : G 1 G 2 G 3 between Z p modules for which the following holds: 1. e is non-degenerated (i. e. P 0 G1 G 1, Q 0 G2 G 2 : e(p, Q) 1 G3 ). 2. e is computable in an efficient manner.

13 Now: ID-based cryptography using the example of ID-based encryption.

14 Identity Based Encryption (IBE) The Participants Participants are: Sender A (want s to send message m). Receiver B (has an identification ID, e. g. bob@domain.com). A Trusted Third Party the Private Key Generator (PKG).

15 Identity Based Encryption (IBE) The Participants Participants are: Sender A (want s to send message m). Receiver B (has an identification ID, e. g. bob@domain.com). A Trusted Third Party the Private Key Generator (PKG).

16 Identity Based Encryption (IBE) The Participants Participants are: Sender A (want s to send message m). Receiver B (has an identification ID, e. g. bob@domain.com). A Trusted Third Party the Private Key Generator (PKG).

17 Identity Based Encryption (IBE) The Algorithms Of An IBE-Protocol Algorithms of an IBE-Protocol are: Setup: run by the PKG. Returns: P a set of public parameters. s the master key (or secret server key). Extract(P, s, ID): run by the PKG (when B requests his private key). Returns: KID the private key corresponding to ID. Encrypt(P, ID, m): run by A. Returns: c the encrypted plaintext m. Decrypt(P, ID, c): run by B. Returns: m the decrypted ciphertext c.

18 Identity Based Encryption (IBE) The Algorithms Of An IBE-Protocol Algorithms of an IBE-Protocol are: Setup: run by the PKG. Returns: P a set of public parameters. s the master key (or secret server key). Extract(P, s, ID): run by the PKG (when B requests his private key). Returns: KID the private key corresponding to ID. Encrypt(P, ID, m): run by A. Returns: c the encrypted plaintext m. Decrypt(P, ID, c): run by B. Returns: m the decrypted ciphertext c.

19 Identity Based Encryption (IBE) The Algorithms Of An IBE-Protocol Algorithms of an IBE-Protocol are: Setup: run by the PKG. Returns: P a set of public parameters. s the master key (or secret server key). Extract(P, s, ID): run by the PKG (when B requests his private key). Returns: KID the private key corresponding to ID. Encrypt(P, ID, m): run by A. Returns: c the encrypted plaintext m. Decrypt(P, ID, c): run by B. Returns: m the decrypted ciphertext c.

20 Identity Based Encryption (IBE) The Algorithms Of An IBE-Protocol Algorithms of an IBE-Protocol are: Setup: run by the PKG. Returns: P a set of public parameters. s the master key (or secret server key). Extract(P, s, ID): run by the PKG (when B requests his private key). Returns: KID the private key corresponding to ID. Encrypt(P, ID, m): run by A. Returns: c the encrypted plaintext m. Decrypt(P, ID, c): run by B. Returns: m the decrypted ciphertext c.

21 Identity Based Encryption (IBE) The Algorithms Of An IBE-Protocol (cont.) Summarization: PKG runs Setup() (P, s). PKG runs Extract(P, s, ID) K ID. A runs Encrypt(P, ID, m) c. B runs Decrypt(P, ID, c) m.

22 Identity Based Encryption (IBE) Primitives Primitives: contain basic mathematical operations (building blocks for an IBE-protocol). Generation: used to extract a private key at a PKG. Verification: verification of K ID by receiver B. Encrypt and Decrypt: used inside corresponding algorithms.

23 Identity Based Encryption (IBE) Primitives Primitives: contain basic mathematical operations (building blocks for an IBE-protocol). Generation: used to extract a private key at a PKG. Verification: verification of K ID by receiver B. Encrypt and Decrypt: used inside corresponding algorithms.

24 Identity Based Encryption (IBE) Primitives Primitives: contain basic mathematical operations (building blocks for an IBE-protocol). Generation: used to extract a private key at a PKG. Verification: verification of K ID by receiver B. Encrypt and Decrypt: used inside corresponding algorithms.

25 Identity Based Encryption (IBE) Primitives Primitives: contain basic mathematical operations (building blocks for an IBE-protocol). Generation: used to extract a private key at a PKG. Verification: verification of K ID by receiver B. Encrypt and Decrypt: used inside corresponding algorithms.

26 The Protocol Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion

27 The Protocol By Dan Boneh and Xavier Boyen. Security bases on Bilinear-Diffie-Hellman (BDH) Problem. As formulated in the previous section, the protocol consists of four algorithms: Setup, Extract, Encrypt and Decrypt. To this end, let G 1, G 2, G 3 be groups of prime order p N and e : G 1 G 2 G 3 a pairing. Let ID {0, 1} and plaintext m {0, 1} n.

28 The Protocol By Dan Boneh and Xavier Boyen. Security bases on Bilinear-Diffie-Hellman (BDH) Problem. As formulated in the previous section, the protocol consists of four algorithms: Setup, Extract, Encrypt and Decrypt. To this end, let G 1, G 2, G 3 be groups of prime order p N and e : G 1 G 2 G 3 a pairing. Let ID {0, 1} and plaintext m {0, 1} n.

29 The Protocol By Dan Boneh and Xavier Boyen. Security bases on Bilinear-Diffie-Hellman (BDH) Problem. As formulated in the previous section, the protocol consists of four algorithms: Setup, Extract, Encrypt and Decrypt. To this end, let G 1, G 2, G 3 be groups of prime order p N and e : G 1 G 2 G 3 a pairing. Let ID {0, 1} and plaintext m {0, 1} n.

30 The Protocol By Dan Boneh and Xavier Boyen. Security bases on Bilinear-Diffie-Hellman (BDH) Problem. As formulated in the previous section, the protocol consists of four algorithms: Setup, Extract, Encrypt and Decrypt. To this end, let G 1, G 2, G 3 be groups of prime order p N and e : G 1 G 2 G 3 a pairing. Let ID {0, 1} and plaintext m {0, 1} n.

31 The Protocol By Dan Boneh and Xavier Boyen. Security bases on Bilinear-Diffie-Hellman (BDH) Problem. As formulated in the previous section, the protocol consists of four algorithms: Setup, Extract, Encrypt and Decrypt. To this end, let G 1, G 2, G 3 be groups of prime order p N and e : G 1 G 2 G 3 a pairing. Let ID {0, 1} and plaintext m {0, 1} n.

32 The Protocol Setup PKG chooses a master key s := (s 1, s 2, s 3 ) R Z p Z p Z p. PKG generates public parameter P := (Q 1, Q 2, R, T, V, G 1, G 2, e), where Qi is a generator of G i, i = 1, 2, i. e. Q i = G i, R := s1 Q 1, T := s 3 Q 1, V := e(r, s 2 Q 2 ).

33 The Protocol Setup PKG chooses a master key s := (s 1, s 2, s 3 ) R Z p Z p Z p. PKG generates public parameter P := (Q 1, Q 2, R, T, V, G 1, G 2, e), where Qi is a generator of G i, i = 1, 2, i. e. Q i = G i, R := s1 Q 1, T := s 3 Q 1, V := e(r, s 2 Q 2 ).

34 The Protocol The primitives (knowing P and s) Generation: P-BB1-G(M) r 0 R Z p. i := s 1 s 2 + r 0 (s 1 M + s 3 ). return (iq 2, r 0 Q 2 ). Encryption: P-BB1-E(r) E 0 := rq 1. E 1 := (rm)r + rt. B := V r. return (E 0, E 1, B). Decryption: P-BB1-D(E 0, E 1, (K 0,M, K 1,M )) return e(e 0, K 0,M ) e(e 1, K 1,M ) 1.

35 The Protocol The primitives (knowing P and s) Generation: P-BB1-G(M) r 0 R Z p. i := s 1 s 2 + r 0 (s 1 M + s 3 ). return (iq 2, r 0 Q 2 ). Encryption: P-BB1-E(r) E 0 := rq 1. E 1 := (rm)r + rt. B := V r. return (E 0, E 1, B). Decryption: P-BB1-D(E 0, E 1, (K 0,M, K 1,M )) return e(e 0, K 0,M ) e(e 1, K 1,M ) 1.

36 The Protocol The primitives (knowing P and s) Generation: P-BB1-G(M) r 0 R Z p. i := s 1 s 2 + r 0 (s 1 M + s 3 ). return (iq 2, r 0 Q 2 ). Encryption: P-BB1-E(r) E 0 := rq 1. E 1 := (rm)r + rt. B := V r. return (E 0, E 1, B). Decryption: P-BB1-D(E 0, E 1, (K 0,M, K 1,M )) return e(e 0, K 0,M ) e(e 1, K 1,M ) 1.

37 The Protocol There are three algorithms left. Using the three primitives P-BB1-G, P-BB1-E, P-BB1-D we can now formulate them. Therefore: consider three Hashfunctions H 1 : {0, 1} Z p H 2 : G 3 {0, 1} n H 3 : G 3 {0, 1} n G 1 G 1 Z p

38 The Protocol There are three algorithms left. Using the three primitives P-BB1-G, P-BB1-E, P-BB1-D we can now formulate them. Therefore: consider three Hashfunctions H 1 : {0, 1} Z p H 2 : G 3 {0, 1} n H 3 : G 3 {0, 1} n G 1 G 1 Z p

39 The Protocol There are three algorithms left. Using the three primitives P-BB1-G, P-BB1-E, P-BB1-D we can now formulate them. Therefore: consider three Hashfunctions H 1 : {0, 1} Z p H 2 : G 3 {0, 1} n H 3 : G 3 {0, 1} n G 1 G 1 Z p

40 The Protocol Extract M := H 1 (ID). K ID := (K 0,M, K 1,M ) P-BB1-G(M). K ID is the private key for the receiver.

41 The Protocol Extract M := H 1 (ID). K ID := (K 0,M, K 1,M ) P-BB1-G(M). K ID is the private key for the receiver.

42 The Protocol Encrypt r R Z p. (B, E 0, E 1 ) P-BB1-E(r). Y := H 2 (B) m. t := r + H 3 (B, Y, E 0, E 1 ). c := (Y, E 0, E 1, t). c is the ciphertext. B is called blinding factor.

43 The Protocol Encrypt r R Z p. (B, E 0, E 1 ) P-BB1-E(r). Y := H 2 (B) m. t := r + H 3 (B, Y, E 0, E 1 ). c := (Y, E 0, E 1, t). c is the ciphertext. B is called blinding factor.

44 The Protocol Encrypt r R Z p. (B, E 0, E 1 ) P-BB1-E(r). Y := H 2 (B) m. t := r + H 3 (B, Y, E 0, E 1 ). c := (Y, E 0, E 1, t). c is the ciphertext. B is called blinding factor.

45 The Protocol Encrypt r R Z p. (B, E 0, E 1 ) P-BB1-E(r). Y := H 2 (B) m. t := r + H 3 (B, Y, E 0, E 1 ). c := (Y, E 0, E 1, t). c is the ciphertext. B is called blinding factor.

46 The Protocol Encrypt r R Z p. (B, E 0, E 1 ) P-BB1-E(r). Y := H 2 (B) m. t := r + H 3 (B, Y, E 0, E 1 ). c := (Y, E 0, E 1, t). c is the ciphertext. B is called blinding factor.

47 The Protocol Decrypt B P-BB1-D(E 0, E 1, K ID ). r := t H 3 (B, Y, E 0, E 1 ). if (B == V r and E 0 == rq 1 ) then exit with error. m := Y H 2 (B). m is the plaintext.

48 The Protocol Decrypt B P-BB1-D(E 0, E 1, K ID ). r := t H 3 (B, Y, E 0, E 1 ). if (B == V r and E 0 == rq 1 ) then exit with error. m := Y H 2 (B). m is the plaintext.

49 The Protocol Decrypt B P-BB1-D(E 0, E 1, K ID ). r := t H 3 (B, Y, E 0, E 1 ). if (B == V r and E 0 == rq 1 ) then exit with error. m := Y H 2 (B). m is the plaintext.

50 The Protocol Decrypt B P-BB1-D(E 0, E 1, K ID ). r := t H 3 (B, Y, E 0, E 1 ). if (B == V r and E 0 == rq 1 ) then exit with error. m := Y H 2 (B). m is the plaintext.

51 Security Of The Protocol Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion

52 Security Of The Protocol Security Definition Let e : G 1 G 2 G 3 be a pairing and P G 1, Q G 2. The Bilinear-Diffie-Hellman (BDH) Assumption says, that if P, Q, ap, bp, aq, cq for a, b, c Z p are given, then it is hard to compute e(p, Q) abc.

53 Security Of The Protocol Security (cont.) The security depends on Hashfunctions H 1, H 2, H 3. The secure channel between the receiver and the PKG. The BDH Assumption (at which point?).

54 Security Of The Protocol Security (cont.) The security depends on Hashfunctions H 1, H 2, H 3. The secure channel between the receiver and the PKG. The BDH Assumption (at which point?).

55 Security Of The Protocol Security (cont.) The security depends on Hashfunctions H 1, H 2, H 3. The secure channel between the receiver and the PKG. The BDH Assumption (at which point?).

56 Security Of The Protocol Security (cont.) Definition Let q Z p. Then the q Bilinear-Diffie-Hellman-Inverse (q-bdhi) Assumption says, that if (P, ap, a 2 P,..., a q P, Q, aq,..., a q Q) are given, it is hard to compute (e(p, Q) a ) 1. Definition We say, that the (t, q, ε) BDHI Assumption holds, if no t time algorithm A has advantage ε (i. e. P (A(P,..., a q P, Q,..., a q Q)) ε) in solving the q-bdhi problem.

57 Security Of The Protocol Security (cont.) Definition Let q Z p. Then the q Bilinear-Diffie-Hellman-Inverse (q-bdhi) Assumption says, that if (P, ap, a 2 P,..., a q P, Q, aq,..., a q Q) are given, it is hard to compute (e(p, Q) a ) 1. Definition We say, that the (t, q, ε) BDHI Assumption holds, if no t time algorithm A has advantage ε (i. e. P (A(P,..., a q P, Q,..., a q Q)) ε) in solving the q-bdhi problem.

58 Security Of The Protocol Security (cont.) Definition We say, that an IBE system is (t, q ID, ε)-selective identity, chosen plaintext secure (short: (t, q ID, ε) IND-sID-CPA secure) iff for every IND-sID-CPA adversary A, that makes at most q ID chosen private key queries, there is ADV A < ε, where ADV A is the advantage of A, attacking the IBE system.

59 Security Of The Protocol Security (cont.) Theorem Suppose the (t, q, ε)-bdhi Assumption holds for G 1 and G 2. Then is (t, q S, ε) IND-sID-CPA secure for any q S < q and any t < t Θ(τq 2 ), where τ is the maximum time for an exponentiation in G 1, G 2. Proof: see [BB04].

60 Advantages

61 Advantages IBE eliminates the need for a public key distribution infrastructure. No key agreement. Interesting features (e. g. encode additional information into the ID: for instance expirations dates).

62 Disadvantages

63 Disadvantages PKG may decrypt and/or sign any message without authorisation. A secure channel is required between the PKG and the receiver.

64 That s it. Thank you for your attention.

65 Anhang Literaturverzeichnis Literaturverzeichnis [P ] IEEE P1636.3/D1 Draft Standard for Identity-based Public-key Cryptography Using Pairings. Working Group of the Microprocessor Standards Committee [ASha84] Identity-Based Cryptosystems and Signature Schemes. Advances in Cryptology: Proceedings of CRYPTO 84. Adi Shamir Lecture Notes in Computer Science 7, 1984

66 Anhang Literaturverzeichnis [BB04] Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. D. Boneh, X. Boyen Advances in Cryptology Eurocrypt, 2004, Springer-Verlag (2004), pp [Wiki09] Wikipedia (DE, EN) As of: 14. Dezember 2009.