CSC 774 Advanced Network Security

Presentation Transcript


  1. CSC 774 Advanced Network Security
     Topic 2.6 ID Based Cryptography #2
     Slides by An Liu

  2. Outline
     • Applications
     • Elliptic Curve Group over real numbers and $\mathbb{F}_p$
     • Weil Pairing
     • BasicIdent
     • FullIdent
     • Extensions
     • Escrow ElGamal Encryption

  3. Identity-Based Encryption
     [Diagram of the operations setup, extract, encrypt and decrypt. Labels: global parameters, master key, M encrypted using bob@ncsu.edu, authentication, private key for bob@ncsu.edu.]

  4. Applications
     • Revocation of public keys
       • bob@ncsu.edu || 2006
       • bob@ncsu.edu || 2006-10-20
     • Send message into the future
     • Delegation of decryption keys
       • Delegation to a laptop (use date as public key)
       • Delegation of duties (use subject as public key)

  5. Elliptic Curve Group over Real Numbers
     • $y^2 = x^3 + ax + b$
     • x, y, a, b are real numbers
     • If $4a^3 + 27b^2 \neq 0$, a group can be formed.
       • points on the curve and the point at infinity
       • Additive group

  6. Elliptic Curve Addition: A Geometric Approach
     • Adding distinct points P and Q
     * The negative of a point P is its reflection in the x-axis.

  7. Adding the points P and -P

  8. Doubling the point P

  9. Elliptic Curve Addition: An Algebraic Approach
     • Adding distinct points P and Q (P + Q = R)
       • $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ are not negatives of each other
       • $s = (y_P - y_Q) / (x_P - x_Q)$
       • $x_R = s^2 - x_P - x_Q$, $y_R = -y_P + s(x_P - x_R)$
     • Doubling the point P (2P = R)
       • $y_P \neq 0$
       • $s = (3x_P^2 + a) / (2y_P)$
       • $x_R = s^2 - 2x_P$, $y_R = -y_P + s(x_P - x_R)$

  10. Elliptic Curve Groups over $\mathbb{F}_p$
     • Calculations over the real numbers are slow and inaccurate.
     • $y^2 \bmod p = (x^3 + ax + b) \bmod p$
     • x, y, a, b are in $\mathbb{F}_p$
     • finite set of points
     • no geometric approach

  11. Elliptic Curve Groups over $\mathbb{F}_p$ (Cont’d)
     • Adding distinct points P and Q (P + Q = R)
       • $P = (x_P, y_P)$ is not $-Q = (x_Q, -y_Q \bmod p)$
       • $s = (y_P - y_Q) / (x_P - x_Q) \bmod p$
       • $x_R = s^2 - x_P - x_Q \bmod p$
       • $y_R = -y_P + s(x_P - x_R) \bmod p$
     • Doubling the point P (2P = R)
       • $y_P \neq 0$
       • $s = (3x_P^2 + a) / (2y_P) \bmod p$
       • $x_R = s^2 - 2x_P \bmod p$, $y_R = -y_P + s(x_P - x_R) \bmod p$

  12. Elliptic Curve Discrete Logarithm Problem (ECDLP)
     • Discrete Logarithm Problem
       • For the multiplicative group $\mathbb{Z}_p^*$, given r, q, p, find k such that $r = q^k \bmod p$.
       • Foundation of many cryptosystems.
     • Scalar multiplication
       • P, 2P, 3P = 2P + P, 4P = 3P + P, …, kP (additive notation)
     • ECDLP
       • Given points Q, P, find k such that kP = Q

  13. Weil Pairing
     • Bilinear map
       • A map $e: G_1 \times G_1 \to G_2$
       • $\forall P, Q \in G_1$, $\forall a, b \in \mathbb{Z}$: $e(aP, bQ) = e(P, Q)^{ab}$
     • Weil Pairing
       • bilinear map
       • $G_1$ is the group of points of an elliptic curve over $\mathbb{F}_p$
       • $G_2$ is a subgroup of $\mathbb{F}_{p^2}^*$
       • efficiently computable
         • Miller’s algorithm

  14. Weil Pairing (Cont’d)
     • Elliptic Curve Group in this paper
       • p, q are primes, $p = 2 \bmod 3$, $p = 6q - 1$
       • E is the elliptic curve defined by $y^2 = x^3 + 1$ over $\mathbb{F}_p$
       • $G_q$ is the group with order $q = (p+1)/6$ generated by $P \in E/\mathbb{F}_p$
     • Modified Weil pairing
       • $\hat{e}: G_q \times G_q \to \mu_q$
       • $\mu_q$ is the subgroup of $\mathbb{F}_{p^2}^*$ containing all elements of order q
       • Non-degenerate: $\hat{e}(P, P) \in \mathbb{F}_{p^2}$ is a generator of $\mu_q$

  15. Weil Diffie-Hellman Assumption (WDH)
     • Given $\langle P, aP, bP, cP \rangle$ for random $a, b, c \in \mathbb{Z}_q^*$, $P \in E/\mathbb{F}_p$, compute $W = \hat{e}(P, P)^{abc} \in \mathbb{F}_{p^2}$
     • When p is a random k-bit prime, there is no probabilistic polynomial time algorithm for the WDH problem.

  16. MapToPoint algorithm
     • Convert arbitrary string $ID \in \{0,1\}^*$ to a point $Q_{ID} \in E/\mathbb{F}_p$ of order q
     • hash function $G: \{0,1\}^* \to \mathbb{F}_p$
     • Steps:
       • $y_0 = G(ID)$, $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p-1)/3}$
       • $Q = (x_0, y_0) \in E/\mathbb{F}_p$, $Q_{ID} = 6Q$
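Added example (not part of the original slides): the $\mathbb{F}_p$ addition and doubling formulas from slide 11 and the MapToPoint steps from slide 16, run on toy parameters q = 17, p = 6q - 1 = 101 constructed here. Using SHA-256 reduced mod p as G, and a retry counter for the degenerate case 6Q = O, are assumptions of this sketch.

```python
import hashlib

# Toy parameters constructed for illustration (far too small for real use):
# q = 17 and p = 6q - 1 = 101 are prime and p = 2 mod 3, as slide 14 requires.
Q_ORDER, P_MOD, A, B = 17, 101, 0, 1    # curve y^2 = x^3 + 1
O = None                                # point at infinity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(P, Q):
    """P + Q over F_p using the slide formulas (distinct points and doubling)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return O                        # Q = -P, including doubling with y_P = 0
    if P == Q:
        s = (3 * xp * xp + A) * pow(2 * yp % P_MOD, -1, P_MOD) % P_MOD
    else:
        s = (yp - yq) * pow((xp - xq) % P_MOD, -1, P_MOD) % P_MOD
    xr = (s * s - xp - xq) % P_MOD
    return (xr, (-yp + s * (xp - xr)) % P_MOD)

def mul(k, P):
    """Scalar multiplication kP by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def lift(y0):
    """x0 = (y0^2 - 1)^((2p-1)/3): the unique cube root, since p = 2 mod 3."""
    return (pow((y0 * y0 - 1) % P_MOD, (2 * P_MOD - 1) // 3, P_MOD), y0)

def map_to_point(identity):
    """MapToPoint with G = SHA-256 mod p (assumed); returns Q_ID of order q."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{ctr}|{identity}".encode()).digest()
        q_id = mul(6, lift(int.from_bytes(digest, "big") % P_MOD))
        if q_id is not O:               # 6Q = O when Q lies in the 6-torsion
            return q_id
        ctr += 1                        # retry is an addition, not on the slide
```

On this toy curve y0 = 3 lifts to (2, 3), a point of order 6, so 6Q is the point at infinity; with a cryptographic-size p such hash outputs are negligibly rare, but an implementation still has to reject them.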

  17. BasicIdent – Setup
     • Use the elliptic curve group we already defined
     • Choose arbitrary $P \in E/\mathbb{F}_p$ of order q
     • Pick random $s \in \mathbb{Z}_q^*$ and set $P_{pub} = sP$
     • Choose hash functions
       • $H: \mathbb{F}_{p^2} \to \{0,1\}^n$
       • $G: \{0,1\}^* \to \mathbb{F}_p$
     • Message space $M = \{0,1\}^n$, ciphertext space is $C = E/\mathbb{F}_p \times \{0,1\}^n$
     • System parameters are $\langle p, n, P, P_{pub}, G, H \rangle$. Master-key is s.

  18. BasicIdent (Cont’d)
     • Extract (get private key from ID)
       • Use MapToPoint to map ID to a point $Q_{ID}$
       • Private key corresponding to ID is $d_{ID} = sQ_{ID}$
     • Encrypt (encrypt M with ID)
       • Use MapToPoint to map ID to a point $Q_{ID}$
       • Choose random $r \in \mathbb{Z}_q$
       • $C = \langle rP, M \oplus H(g_{ID}^r) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in \mathbb{F}_{p^2}$

  19. BasicIdent (Cont’d)
     • Decrypt (decrypt $C = \langle U, V \rangle$)
       • If U is not a point of order q, reject the ciphertext
       • Otherwise, $M = V \oplus H(\hat{e}(d_{ID}, U))$
     • Why can M be recovered?
       $\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^r = g_{ID}^r$
       $V \oplus H(\hat{e}(d_{ID}, U)) = M \oplus H(g_{ID}^r) \oplus H(g_{ID}^r) = M$

  20. FullIdent
     • BasicIdent is not chosen ciphertext secure.
     • Setup
       • In addition to BasicIdent, pick another two hash functions:
         • $H_1: \{0,1\}^n \times \{0,1\}^n \to \mathbb{F}_q$
         • $G_1: \{0,1\}^n \to \{0,1\}^n$
     • Extract
       • Same as BasicIdent

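  21. FullIdent (Cont’d)
     • Encrypt (encrypt M using ID)
       • Use MapToPoint to convert ID into point $Q_{ID}$
       • Choose random $\sigma \in \{0,1\}^n$
       • Set $r = H_1(\sigma, M)$
       • $C = \langle rP, \sigma \oplus H(g_{ID}^r), M \oplus G_1(\sigma) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in \mathbb{F}_{p^2}$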

  22. FullIdent (Cont’d)
     • Decrypt (decrypt $C = \langle U, V, W \rangle$)
       • Compute $V \oplus H(\hat{e}(d_{ID}, U)) = \sigma$
       • Compute $W \oplus G_1(\sigma) = M$
       • Set $r = H_1(\sigma, M)$
       • If $U \neq rP$, reject.

  23. Extensions & Observations
     • Tate pairing and other curves can improve the speed
     • Distributed PKG
     • IBE implies signatures
       • Master-key s is the private key (sign)
       • Global system parameters are the public key (verify)
       • Signature of M: $sQ_M$
       • Verification: encrypt a random M’ using ID = M, then decrypt using $sQ_M$

  24. Escrow ElGamal Encryption
     • Setup
       • Use the same elliptic curve
       • Pick a random $s \in \mathbb{Z}_q$, $Q = sP$
       • Choose hash function $H: \mathbb{F}_{p^2} \to \{0,1\}^n$
       • System parameters: $\langle p, n, P, Q, H \rangle$
       • s is the escrow key
     • Keygen
       • User randomly chooses $x \in \mathbb{Z}_q$ as private key
       • Public key is $P_{pub} = xP$

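  25. Escrow ElGamal Encryption (Cont’d)
     • Encrypt
       • Pick random $r \in \mathbb{Z}_q$
       • $C = \langle rP, M \oplus H(g^r) \rangle$ where $g = \hat{e}(P_{pub}, Q) \in \mathbb{F}_{p^2}$
     • Decrypt ($C = \langle U, V \rangle$)
       • $V \oplus H(\hat{e}(U, xQ)) = M$
     • Escrow-decrypt
       • $V \oplus H(\hat{e}(U, sP_{pub})) = M$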
