What is in a name? Identity-based cryptography. How public-key crypto works When you use public key cryptography, you can publish a value (public key)


1 What is in a name? Identity-based cryptography

2 How public-key crypto works
When you use public-key cryptography, you can publish a value (the public key).
– If it is a public-key encryption scheme, anybody may send encrypted messages to you using that key.
– If it is a signature scheme, you may authenticate messages, and anybody will be able to verify that they come from you.

3 Whose public key?
You need to convey it to the other party, and in principle could just publish it. However, it is a random-looking number; to establish its authenticity, a trusted path from you to the other party must be established. This is most effectively done via certificates: a trusted authority attests to the key on your behalf (usually by signing it).

4 85B32 07E86 993A0 126B3 F1671

5 “Adverse Network Effect”
If you want to send an encryption to someone else, and:
– That person has not established a public key, or you don’t know what it is
– You can’t afford to establish a physically-protected channel to send a shared key
– You are out of luck
More generally, if too few people have public keys, public keys are not very useful, or not advertised, and so not too many people will have a reason to get one...

6

7 You have a name...
What if you could use your own name as a public key? You would need to get a corresponding private key. The function that extracts the private key from the public one must be a trapdoor function (it can only be computed by someone who knows a secret value that enables the computation, called a trapdoor).

8 Identity-based Crypto
[Figure labels: message encrypted under Alice’s name; Alice’s private key]

9 This talk’s plan
– What is identity-based cryptography
– First identity-based schemes
– Identity-based encryption using traditional crypto
– Identity-based encryption via pairings
– Extensions
– Self-certified schemes

10 Shamir’s identification scheme
Shamir was interested in using smart-cards to implement strong identification schemes:
– Should be efficient
– Should not use shared key (open environment)
– Should use strong crypto
– Does not use certificates

11 Identity-based Identification
Smart-card issuer (SCI) is trusted. SCI’s scheme setup:
– Generates two large primes, $p$ and $q$.
– Computes $n = p \cdot q$.
– Publishes $n$, keeps $p$, $q$ secret.
– Chooses a hash function $f: \{0, 1\}^* \to \{0, 1, \ldots, n-1\}$.
SCI initializes each smart card with the secret key of its owner.

12 Issuing private keys
For each identity $I$, SCI:
– Computes the values $v_j = f(I \,\|\, j)$, for several $j = 0, 1, \ldots$
– Chooses the first $k$ values that are squares modulo $n$ (quadratic residues).
– Lets $s_j$ be the square root of $v_j$: $s_j^2 = v_j \bmod n$.
– Smart card contains $I$, $\{s_j\}$.

13 Identification protocol
– Card (C) sends to Server (S): $I$
– S re-computes the $v_j$
– C computes random $r$, and also $t = r^2 \bmod n$
– C sends to server: $t$
– S replies with a $k$-bit string $(e_1, \ldots, e_k)$
– C sends $z = r \cdot s_1^{e_1} \cdot s_2^{e_2} \cdots s_k^{e_k}$ to S
– S checks if $z^2 = t \cdot v_1^{e_1} \cdot v_2^{e_2} \cdots v_k^{e_k} \bmod n$

14 Security: Key not leaked
If C could guess S’s challenge string $(e_1, e_2, \ldots, e_k)$, then:
– C could choose $z$ at random, and compute $t = z^2 \cdot v_1^{-e_1} \cdot v_2^{-e_2} \cdots v_k^{-e_k} \bmod n$
– Respond to S’s challenge with $z$
If C could see the future, it could answer challenges correctly without knowing keys, therefore:
– C’s answers reveal nothing about keys.

15 Security: Key knowledge
C may still do as before so that it can answer one challenge correctly. Can C answer correctly more than one challenge without knowing the $s_j$? C would have to know how to answer:
– $z$; $z^2 = t \cdot v_1^{e_1} \cdot v_2^{e_2} \cdots v_k^{e_k} \bmod n$; and
– $w$; $w^2 = t \cdot v_1^{d_1} \cdot v_2^{d_2} \cdots v_k^{d_k} \bmod n$
– $(z/w)^2 = v_1^{e_1-d_1} \cdot v_2^{e_2-d_2} \cdots v_k^{e_k-d_k} \bmod n$
– $z/w = s_1^{e_1-d_1} \cdot s_2^{e_2-d_2} \cdots s_k^{e_k-d_k} \bmod n$
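The identification scheme of slides 11 to 15, as an added Python example (not code from the presentation). The SHA-256 stand-in for f, the toy Mersenne-prime modulus, storing the indices j on the card next to the s_j, and the identity string are assumptions; `simulate` is the slide-14 argument that a prover who knows the challenge in advance needs no secret.

```python
import hashlib, secrets

# Constructed toy modulus: two Mersenne primes (both 3 mod 4). Not secure.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q

def f(identity, j):
    """Stand-in for the hash f(I || j) into {0, ..., n-1} (SHA-256 assumed)."""
    digest = hashlib.sha256(f"{identity}||{j}".encode()).digest()
    return int.from_bytes(digest, "big") % N

def issue_card(identity, k=8):
    """SCI side: needs the trapdoor p, q. Returns {j: s_j} with s_j^2 = v_j."""
    card, j = {}, 0
    while len(card) < k:
        v = f(identity, j)
        # Euler's criterion: v is a square mod n iff it is one mod p and mod q
        if pow(v, (P - 1) // 2, P) == 1 and pow(v, (Q - 1) // 2, Q) == 1:
            rp, rq = pow(v, (P + 1) // 4, P), pow(v, (Q + 1) // 4, Q)
            card[j] = (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N
        j += 1
    return card

def commit():
    """Card: random r and t = r^2 mod n."""
    r = secrets.randbelow(N - 2) + 2
    return r, pow(r, 2, N)

def respond(card, r, e):
    """Card: z = r * prod(s_j^e_j) mod n."""
    z = r
    for s, bit in zip(card.values(), e):
        z = z * s % N if bit else z
    return z

def verify(identity, indices, t, e, z):
    """Server: recompute v_j from I and check z^2 = t * prod(v_j^e_j)."""
    rhs = t
    for j, bit in zip(indices, e):
        rhs = rhs * f(identity, j) % N if bit else rhs
    return pow(z, 2, N) == rhs

def simulate(identity, indices, e):
    """Slide 14: with e known in advance, (t, z) verifies without any s_j."""
    z = secrets.randbelow(N - 2) + 2
    t = pow(z, 2, N)
    for j, bit in zip(indices, e):
        t = t * pow(f(identity, j), -1, N) % N if bit else t
    return t, z
```

A simulated pair only passes for the challenge it was built for, which is why the server must pick e after seeing t.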

16 Zero-Knowledge RSA Security/RSA Labs

17 Identity-based encryption
Over the years, many identity-based schemes were developed for identification and signature. For nearly two decades, nobody knew how to do identity-based encryption. Then, pairings came along and changed everything, but:
– Let’s first see a scheme using square roots

18 The Jacobi Symbol
The Jacobi symbol for a natural number $N$ has the following properties:
– $\forall x$, $J(x, N) \in \{0, \pm 1\}$
– $J(x, N) = 0 \iff \gcd(x, N) \neq 1$
– $J(x \cdot y, N) = J(x, N) \cdot J(y, N)$
– $J(x^2, N) = 1$
– $J(x, N) = -1$ for some $x$ (hence for 50% of all $x$)
– $J(\cdot, N)$ is efficiently computable

19 Clifford Cocks’ Scheme
Authority sets up the scheme:
– Generates two large primes, $p$ and $q$ ($p$ and $q$ must be of the form $4k + 3$).
– Computes $n = p \cdot q$.
– Publishes $n$, keeps $p$, $q$ secret.
– Chooses a hash function $f: \{0, 1\}^* \to \{0, 1, \ldots, n-1\}$.
For user with identity $I$:
– Compute $f(I\|0), f(I\|1), \ldots$, until:
– $J(f(I\|k), n) = 1$. This is the user’s public key.

20 Private key
To find the private key, there is a 50% chance that the public key $A$ is a square mod $n$.
– If not, $-A$ is.
The private key $B$ is the square root of either $A$ or $-A$. Let’s suppose of $A$.
– $B^2 = A \bmod n$.

21 To encrypt
Sender (S) computes the receiver’s (R) public key. S sends R one bit $b = \pm 1$ (at a time). S chooses random $t$ such that:
– $J(t, n) = b$
– sends $s$, where $s = t + A/t \bmod n$
Note that:
– $s = t(1 + A/t^2) \bmod n$
– $s + 2B = t(1 + 2B/t + A/t^2) = t(1 + B/t)^2$

22 To decrypt
R receives $s$, computes $J(s + 2B, n) = J(t, n) \cdot J((1 + B/t)^2, n) = J(t, n) = b$.
If the receiver does not know $B$, it must solve $s = t + A/t$ for $t$, or at least for $J(t, n)$:
$t^2 + A - st = 0 \bmod n$, ...
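Cocks’ scheme from slides 18 to 22, as an added Python example (not code from the presentation). It goes one step beyond the slides, which suppose $B^2 = A$: the sender cannot tell whether $A$ or $-A$ is the square, so it sends one value for each case and the receiver uses the matching one. The SHA-256 stand-in for f, the toy modulus, and the exponent $(n + 5 - p - q)/8$ used for key extraction are assumptions not stated on the slides.

```python
import hashlib, secrets

# Constructed toy modulus: two Mersenne primes, both of the form 4k + 3. Not secure.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q

def jacobi(a, n):
    """Jacobi symbol J(a, n) for odd n > 0; needs no factorization of n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:              # pull out factors of 2
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0     # 0 when gcd(a, n) != 1

def public_key(identity):
    """A = first f(I || k) with J(A, n) = 1 (SHA-256 stands in for f)."""
    k = 0
    while True:
        digest = hashlib.sha256(f"{identity}||{k}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if jacobi(a, N) == 1:
            return a
        k += 1

def extract(a):
    """Authority only (uses p, q): B with B^2 = A or B^2 = -A mod n."""
    return pow(a, (N + 5 - P - Q) // 8, N)

def encrypt_bit(a, b):
    """b in {+1, -1}. Returns (t1 + A/t1, t2 - A/t2) with J(t1) = J(t2) = b."""
    out = []
    for sign in (1, -1):
        t = secrets.randbelow(N - 1) + 1
        while jacobi(t, N) != b:
            t = secrets.randbelow(N - 1) + 1
        out.append((t + sign * a * pow(t, -1, N)) % N)
    return tuple(out)

def decrypt_bit(ct, a, B):
    """Pick the half matching the sign of B^2, then b = J(s + 2B, n)."""
    s = ct[0] if B * B % N == a else ct[1]
    return jacobi(s + 2 * B, N)
```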

23 Pairings-Based IBE Pairings were first used in cryptography in “a constructive way” by A. Joux, who created a 3-party Diffie-Hellman key agreement protocol with no need to exchange messages. Great excitement in the cryptographic community resulted from the discovery that pairings could also be used for an efficient identity-based encryption scheme.

24 Cryptographic groups
Most public-key schemes are based on “cryptographic groups,” i.e., mathematical groups where the discrete-logarithm problem is hard.
– $(x, g) \mapsto g^x$ (easy)
– $(y, g) \mapsto x$; $y = g^x$ (hard)

25 Pairing groups
A map:
– $e: G_1 \times G_2 \to G_T$ (same prime order $p$)
– $e(g^a, h^b) = e(g, h)^{ab}$ (bilinearity)
– $g$ generates $G_1$, $h$ generates $G_2$ $\Rightarrow$ $e(g, h)$ generates $G_T$

26 Boneh-Franklin Scheme
Trusted party (T) chooses a secret $s$ and a generator $P$ in $G_1$, and sets $P_{group} = P^s$. Each group member with identity $I$ has public key $Q_I = f(I)$, where:
– $f: \{0, 1\}^* \to G_2$.
The member gets the private key $P_I = Q_I^s$ from T. The scheme also defines the message space as $\{0, 1\}^k$, and a hash function:
– $H: G_T \to \{0, 1\}^k$

27 Encrypting/decrypting
Someone wants to encrypt message $M$:
– $C = \langle A, B \rangle = \langle P^r, M \oplus H(e(Q_I, P_{group})^r) \rangle$
To decrypt, the intended receiver just computes:
– $Z = e(P_I, A) = e(P_I, P^r) = e(Q_I^s, P^r) = e(Q_I, P^r)^s = e(Q_I, P^s)^r = e(Q_I, P_{group})^r$
Then $M = H(Z) \oplus B$. Another party would have to compute $Q_I^r$ from $P$, $P^r$, $Q_I$ (hard!)

28 Extensions
What can you do with identity-based encryption? It can extract a secret key associated with any public string, not only a name.
– What about a date, such as “05/03/05”?
– What about your fingerprint?

29 Timed-release encryption
The goal of timed-release encryption is to encrypt a message that can only be read at a future point in time. One way is to use a one-way function (no decryption algorithm) and tune the hardness of the function so that it will be inverted in the time frame. The other is to use IBE: encrypt a message under the name “Alice Wonderlie||01/01/2031”, and the trusted party will only release the secret key to Alice in 2031.

30 Application: Unwanted Will

31 Questions ?

32 A Few References
– Adi Shamir: Identity-based cryptosystems and signature schemes. CRYPTO 1984. Pp. 47-53.
– Clifford Cocks: An identity based encryption scheme based on quadratic residues. LNCS 2260, 2001. Pp. 360-363.
– Antoine Joux: A one-round protocol for tri-partite Diffie-Hellman. J. Cryptology, 17(4), 2004, and Proc. of ANTS 2000, LNCS 1830, 2000.
– Dan Boneh and Matt Franklin: Identity based encryption from the Weil pairing. SIAM J. of Computing, 32(3), 2003. Pp. 586-615, and CRYPTO 2001, LNCS 2139, 2001. Pp. 213-229.

