250 likes | 411 Views
CSC 774 Advanced Network Security. Topic 2.6 ID Based Cryptography #2. Slides by An Liu. Outline. Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow ElGamal Encryption. Identity-Based Encryption. setup. global parameters
E N D
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu
Outline • Applications • Elliptic Curve Group over real number and Fp • Weil Pairing • BasicIdent • FullIdent • Extensions • Escrow ElGamal Encryption
Identity-Based Encryption setup global parameters master key global parameters global parameters M encrypted using bob@ncsu.edu Authentication Private key for bob@ncsu.edu encrypt decrypt extract
Applications • Revocation of public keys • bob@ncsu.edu || 2006 • bob@ncsu.edu || 2006-10-20 • Send message into the future • Delegation of decryption keys • Delegation to a laptop (use date as public key) • Delegation of duties (use subject as public key)
Elliptic Curve Group over Real Numbers • y2 = x3 + ax + b • x, y, a, b are real numbers • If 4a3 + 27b2≠ 0, a group can be formed. • points on curve and infinity point • Additive group
Elliptic Curve Addition: A Geometric Approach • Adding distinct points P and Q * The negative of a point P is its reflection in the x-axis.
Elliptic Curve Addition: An Algebraic Approach • Adding distinct points P and Q (P+Q=R) • P(xP,yP) and Q(xQ,yQ) are not negative each other • s = (yP – yQ) ∕ (xP – xQ) • xR = s2 – xP – xQ, yR = – yP + s(xP – xR) • Doubling the point P (2P=R) • yP≠ 0 • s = (3xP2 + a) ∕ 2yP • xR = s2 – 2xP, yR = – yP + s(xP – xR)
Elliptic Curve Groups over Fp • Calculations over real number are slow and inaccurate. • y2 mod p = x3 + ax + b mod p • x, y, a, b are in Fp • finite set of points • no geometric approach
Elliptic Curve Groups over Fp (Cont’d) • Adding distinct points P and Q (P+Q=R) • P(xP, yP) is not − Q = (xQ, − yQ mod p) • s = (yP – yQ) ∕ (xP – xQ) mod p • xR = s2 – xP – xQ mod p • yR = – yP + s(xP – xR) mod p • Doubling the point P (2P=R) • yP≠ 0 • s = (3xP2 + a) ∕ 2yP mod p • xR = s2 – 2xP mod p, yR = – yP + s(xP – xR) mod p
Elliptic Curve Discrete Logarithm Problem (ECDLP) • Discrete Logarithm Problem • For multiplicative group Zp*, given r, q, p, find k such that r = qk mod p. • Foundation of many cryptosystems. • Scalar multiplication • P, 2P, 3P=2P+P, 4P=3P+P,… , kP (additive notation) • ECDLP • Given points Q, P, find k such that kP=Q
Weil Pairing • Bilinear map • A map e: G1×G1→G2 • ∀P,Q∈G1, ∀a,b∈Z, e(aP, bQ) = e(P, Q)ab • Weil Pairing • bilinear map • G1 is the group of points of an elliptic curve over Fp • G2 is a subgroup of Fp2* • efficiently computable • Miller’s algorithm
Weil Pairing (Cont’d) • Elliptic Curve Group in this paper • p, q are primes, p = 2 mod 3, p = 6q – 1 • E is the elliptic curve defined by y2 = x3 + 1 over Fp • Gq is the group with order q = (p+1)/6 generated by P ∈E/Fp • Modified Weil pairing • ê: Gq×Gq→μq • μq is the subgroup of Fp2* containing all elements of order q • Non-degenerate: ê(P, P)∈Fp2is generator of μq
Weil Diffie-Hellman Assumption (WDH) • Given < P, aP, bP, cP > for random a,b,c∈Zq*, P∈E/Fp, compute W = ê(P,P)abc ∈Fp2 • When p is a random k-bit prime, there is no probabilistic polynomial time algorithm for the WDH problem.
MapToPoint algorithm • Convert arbitrary string ID∈{0,1}* to a point QID∈E/Fp of order q • hash function G: {0,1}*→Fp • Steps: • y0 = G(ID), x0 = (y02 – 1)1/3 = (y02 – 1)(2p – 1)/3 • Q = (x0, y0)∈E/Fp, QID = 6Q
BasicIdent – Setup • Use the elliptic curve group we already defined • Choose arbitrary P∈E/Fp of order q • Pick random s∈Zq* and set Ppub = sP • Choose hash functions • H: Fp2 →{0,1}n • G: {0,1}*→Fp • Message space M = {0,1}n, ciphertext space is C = E/Fp×{0,1}n • System parameters are <p, n, P, Ppub, G, H>. Master-key is s.
BasicIdent (Cont’d) • Extract (get private key from ID) • Use MapToPoint to map ID to a point QID • Private key corresponding to ID is dID = sQID • Encrypt (encrypt M with ID) • Use MapToPoint to map ID to a point QID • Choose random r ∈Zq • C = <rP, M⊕H(gIDr)> where gID =ê(QID,Ppub) ∈Fp2
BasicIdent (Cont’d) • Decrypt (decrypt C = <U,V>) • If U is not a point of order q, reject the ciphertext • Otherwise, M = V ⊕ H(ê(dID, U)) • Why M can be recovered? ê(dID, U) = ê(sQID, rP) = ê(QID, P)sr = ê(QID, Ppub)r = gIDr V ⊕ H(ê(dID, U)) = M⊕H(gIDr)⊕ H(gIDr) = M
FullIdent • BasicIdent is not chosen ciphertext secure. • Setup • In addition to BasicIdent, pick another two hash functions: • H1: {0,1}n×{0,1}n→Fq • G1: {0,1}n→ {0,1}n • Extract • Same as BasicIdent
FullIdent (Cont’d) • Encrypt (encrypt M using ID) • Use MapToPoint to convert ID into point QID • Choose random σ∈{0,1}n • Set r = H1(σ, M) • C = < rP, σ⊕H(gIDr), M⊕G1(σ) > where gID = ê(QID, Ppub) ∈Fp2
FullIdent (Cont’d) • Decrypt (decrypt C=<U,V,W>) • Compute V ⊕ H(ê(dID, U)) = σ • Compute W ⊕G1(σ) = M • Set r = H1(σ, M) • If U ≠ rP, reject.
Extensions & Observations • Tate pairing and other curves can improve the speed • Distributed PKG • IBE implies signatures • Master-key s is private key (sign) • Global system parameters is public key (verify) • Signature of M: sQM • Verification: encrypt random M’ use ID=M, then decrypt use sQM
Escrow ElGamal Encryption • Setup • Use same elliptic curve • Pick a random s∈Zq, Q = sP • Choose hash function: Fp2→ {0,1}n • System parameters: < p, n, P, Q, H > • s is the escrow key • Keygen • User randomly choose x∈Zq as private key • Public key is Ppub = xP
Escrow ElGamal Encryption (Cont’d) • Encrypt • Pick random r∈Zq • C = < rP, M⊕H(gr) > where g = ê(Ppub, Q)∈Fp2 • Decrypt (C = <U,V>) • V ⊕H(ê(U, xQ)) = M • Escrow-decrypt • V ⊕H(ê(U, sPpub)) = M