Lecture 25: Pairing-Based Cryptography



Similar documents
Identity-Based Encryption from the Weil Pairing

Efficient Unlinkable Secret Handshakes for Anonymous Communications

New Efficient Searchable Encryption Schemes from Bilinear Pairings

Lecture 17: Re-encryption

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Some Identity Based Strong Bi-Designated Verifier Signature Schemes

A New and Efficient Signature on Commitment Values

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings

A One Round Protocol for Tripartite

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Anonymous ID-based Group Key Agreement for Wireless Networks

Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

The Mathematics of the RSA Public-Key Cryptosystem

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

Lecture 2: Complexity Theory Review and Interactive Proofs

Title Security Related Issues for Cloud Computing

Public Key (asymmetric) Cryptography

Metered Signatures - How to restrict the Signing Capability -

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Computer Security: Principles and Practice

Lukasz Pater CMMS Administrator and Developer

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Modular Security Proofs for Key Agreement Protocols

Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Overview of Public-Key Cryptography

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

CSCE 465 Computer & Network Security

An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings

SECURITY IN NETWORKS

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

A Factoring and Discrete Logarithm based Cryptosystem

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Public Key Cryptography and RSA. Review: Number Theory Basics

Strengthen RFID Tags Security Using New Data Structure

Analysis on Secure Data sharing using ELGamal s Cryptosystem in Cloud

THE ADVANTAGES OF ELLIPTIC CURVE CRYPTOGRAPHY FOR WIRELESS SECURITY KRISTIN LAUTER, MICROSOFT CORPORATION

A Certificateless Signature Scheme for Mobile Wireless Cyber-Physical Systems

A Searchable Encryption Scheme for Outsourcing Cloud Storage

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

The science of encryption: prime numbers and mod n arithmetic

Efficient ID-based authentication and key agreement protocols for the session initiation protocol

Notes on Network Security Prof. Hemant K. Soni

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Modeling and verification of security protocols

An Efficient and Light weight Secure Framework for Applications of Cloud Environment using Identity Encryption Method

MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS

Oblivious Signature-Based Envelope

Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks

Identity Based Encryption. Terence Spies VP Engineering

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction

Experiments in Encrypted and Searchable Network Audit Logs

Lecture 6 - Cryptography

Public Key Cryptography: RSA and Lots of Number Theory

Cryptography: Authentication, Blind Signatures, and Digital Cash

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data

Introduction to Cryptography

Secure Index Management Scheme on Cloud Storage Environment

Bootstrapping Security in Mobile Ad Hoc Networks Using Identity-Based Schemes with Key Revocation

CRYPTOGRAPHY IN NETWORK SECURITY

Identity Based Undeniable Signatures

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption

Secure Communication in a Distributed System Using Identity Based Encryption

Network Security. HIT Shimrit Tzur-David

A SECURE FRAMEWORK WITH KEY- AGGREGATION FOR DATA SHARING IN CLOUD

Cryptography and Network Security

CS 758: Cryptography / Network Security

How To Ensure Data Integrity In Clouds

Digital Signatures. Meka N.L.Sneha. Indiana State University. October 2015

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Implementation of Elliptic Curve Digital Signature Algorithm

Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography

A novel deniable authentication protocol using generalized ElGamal signature scheme

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Lecture 9 - Message Authentication Codes

A ROLE OF DIGITAL SIGNATURE TECHNOLOGY USING RSA ALGORITHM

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Chosen-Ciphertext Security from Identity-Based Encryption

Lecture 15 - Digital Signatures

An Introduction to digital signatures

Software Tool for Implementing RSA Algorithm

Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves

Privacy, Discovery, and Authentication for the Internet of Things

Group Security Model in Wireless Sensor Network using Identity Based Cryptographic Scheme

Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes

Symmetric Key cryptosystem

RSA Attacks. By Abdulaziz Alrasheed and Fatima

CIS 5371 Cryptography. 8. Encryption --

Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones

VoteID 2011 Internet Voting System with Cast as Intended Verification

EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE

Chapter 7: Network security

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

A framework using IBC achieving non-repudiation and privacy in vehicular network.

Transcription:

6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography has exploded over the past 3 years [cry, DBS04]. The central idea is the construction of a mapping between two useful cryptographic groups which allows for new cryptographic schemes based on the reduction of one problem in one group to a different, usually easier problem in the other group. In many research papers, the first of these two groups is referred to as a Gap Group, where the Decisional Diffie-Helman problem [Bon98] is easy (because it reduces to an easy problem in the second group), but the Computational Diffie-Helman problem remains hard. The known implementations of these pairings the Weil and Tate pairings involve fairly complex mathematics. Fortunately, they can be dealt with abstractly, using only the group structure and mapping properties. Many interesting schemes have been built based purely on abstract bilinear maps. 2 Bilinear Maps The major pairing-based construct is the bilinear map. Consider two groups G 1 and G 2 of prime order q. For clarity, we denote G 1 using additive notation and G 2 using multiplicative notation, even though the group operations in G 1 and G 2 may well be very different from the well-known arithmetic addition and multiplication. (Sometimes G 1 is also written multiplicatively in the literature.) We consider P and Q two generators of G 1, and we write a times ap = { }} { P + P +... + P We now consider the mapping e as follows: e : G 1 G 1 G 2 (Note that we do not know how to build a self-bilinear map, G 1 G 1 G 1. This would be quite powerful.) Useful bilinear maps have three properties: Bilinearity P, Q G 1, a, b Z q, e(ap, bq) = e(p, Q) ab 17-1

Non-Degeneracy If everything maps to the identity, that s obviously not interesting: In other words: P G 1, P 0 e(p, P ) = G 2 (e(p, P ) generates G 2 ) P 0 e(p, P ) 1 Computability e is efficiently computable. We can find G 1 and G 2 where these properties hold: the Weil and Tate pairings prove the existence of such constructions. Typically, G 1 is an elliptic-curve group and G 2 is a finite field. 3 Complexity Implications The construction of a bilinear map comes with a number of complexity implications. Theorem 1 The Discrete Log Problem in G 1 is no harder than the Discrete Log Problem in G 2. Proof 1 Consider Q = ap (still using additive notation), though a is unknown. Solving the Discrete Log Problem involves discovering a for a given P and a random Q. We note: e(p, Q) = e(p, ap ) = e(p, P ) a Thus, we can reduce the Discrete Log Problem in G 1 to the Discrete Log Problem in G 2. Given P G 1 and a random Q G 1, and noting that the mapping e is easily computable, we can compute log P (Q) as follows: 1. determine P = e(p, P ) 2. determine Q = e(p, Q) 3. determine a = log P (Q ) in G 2. 4. a is also log P (Q). Theorem 2 The Decisional Diffie-Helman [Bon98] is easy in G 1. Proof 2 Solving the DDH problem involves distinguishing: P, ap, bp, cp with a, b, c R Z q, and P, ap, bp, abp with a, b R Z q If we define P, A, B, C as the four values given to the distinguisher, the distinguisher functions as follows: 17-2

1. Determine v 1 = e(a, B) and v 2 = e(p, C) 2. If v 1 = v 2, then the tuple is of the type P, ap, bp, abp. Indeed, assume C = abp, then: e(a, B) = e(ap, bp ) = e(p, P ) ab = e(p, abp ) = e(p, C) Since we know the mapping e is non-degenerate, the equality e(a, B) = e(p, C) is equivalent to c = ab. The distinguisher can gain a significant advantage in deciding DDH given the mapping e. 4 Cryptographic Schemes The application of bilinear maps leads to numerous interesting cryptographic schemes. 4.1 One-Round, 3-party Key Agreement Scheme In 2000, Joux introduced a scheme for one-round, 3-party key agreement based on bilinear maps [Jou00]. Key agreement schemes based on Diffie-Helman [DH76] are well known, but all require more than one round of exchanged data. In the Joux scheme, assume the above notation and existence of a bilinear map between groups G 1 and G 2 with P a generator of G 1. Three parties A, B, C respectively have secrets a, b, c Z q. The protocol functions as follows: 1. A B, C: ap 2. B A, C: bp 3. C A, B: cp 4. Note that steps 1, 2, 3 are done in one round of parallel message exchanges. 5. A computes e(bp, cp ) a = e(p, P ) abc. 6. B computes e(ap, cp ) b = e(p, P ) abc. 7. C computes e(ap, bp ) c = e(p, P ) abc. 8. Note that steps 5, 6, 7 are done in parallel. 9. All parties have the same shared key K = e(p, P ) abc G 2. This protocol is contingent on the BDH assumption. Definition The Bilinear Diffie-Helman (BDH) Assumption considers the computation of e(p, P ) abc given P, ap, bp, cp to be hard. 4.2 Identity-Based Encryption In 1984, Shamir imagined a public-key encryption scheme where any publicy-known string (e.g. someone s email address) could be used as a public key [Sha85]. In this scheme, 17-3

the corresponding private key is delivered to the proper owner of this string (e.g. the recipient of the email address) by a trusted private key generator. This key generator must verify the user s identity before delivering a private key, of course, though this verification is essentially the same as that required for issuing a certificate in a typical Public Key Infrastructure (PKI). Thus, an Identity-Based Encryption Scheme enables the deployment of a public-key cryptosystem without the prior setup of a PKI: a user proves his identity in a lazy way, only once he needs his private key to decrypt a message sent to him. In 2001, Boneh and Franklin devised the first practical implementation of such an Identity-Based Encryption scheme [BF01]. Their approach uses bilinear maps and relies on the BDH Assumption and the Random Oracle model. Setup the usual G 1 and G 2 with a bilinear mapping e : G 1 G 1 G 2 and P a generator a system-wide secret key s R Z q. a corresponding system-wide public key P pub = sp. Encrypt We want to encrypt a message m to public key A using the system-wide settings from above. The encryption function is: Enc(P pub, A, m) = rp, M H 2 (g r A), r R Z q g A = e(q A, P pub ) Q A = H 1 (A) H 1 : {0, 1} G 1, a random oracle H 2 : G 2 {0, 1}, a random oracle Decrypt We want to decrypt a ciphertext c = (u, v) encrypted with public-key string A. The secret key is delivered to the owner of A as d A = sq A, with Q A defined as above: Q A = H 1 (A). We define: Dec(u, v, d A ) = v H 2 (e(d A, u)) = v H 2 (e(sh 1 (A), rp )) = v H 2 (e(h 1 (A), P ) rs ) = v H 2 (e(q A, sp ) r ) = v H 2 (e(q A, P pub ) r ) = v H 2 (ga) r = (m H 2 (ga)) r H 2 (ga) r = m 17-4

This scheme is not CCA2-secure, but can be made so with the Fujisaki-Okamoto construction [FO99], which assumes the Random Oracle model nothing further than what we already assume. References [BF01] [Bon98] Dan Boneh and Matt Franklin. Identity-based encryption from the Weil pairing. Lecture Notes in Computer Science, 2139:213??, 2001. Dan Boneh. The decisional diffie-hellman problem. In Third Algorithmic Number Theory Symposium, pages 48 63. Springer-Verlag, 1998. [cry] Pairing-based crypto lounge. available at http://planeta.terra.com.br/ informatica/paulobarreto/pblounge.html. [DBS04] Ratna Dutta, Rana Barua, and Palash Sarkar. Pairing-based cryptography : A survey. Cryptology eprint Archive, Report 2004/064, 2004. http://eprint. iacr.org/. [DH76] [FO99] [Jou00] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644 654, 1976. Eiichiro Fujisaki and Tatsuaki Okamoto. Secure integration of asymmetric and symmetric encryption schemes. Lecture Notes in Computer Science, 1666:537 554, 1999. Antoine Joux. A one round protocol for tripartite diffie-hellman. In Proceedings of the 4th International Symposium on Algorithmic Number Theory, pages 385 394. Springer-Verlag, 2000. [Sha85] Adi Shamir. Identity-based cryptosystems and signature schemes. In Crypto 84, LNCS Vol. 196, pages 47 53. Springer, 1985. 17-5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information