Computer Science CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu

Computer Science Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow ElGamal Encryption

Computer Science Identity-Based Encryption M encrypted using Authentication Private key for global parameters master key global parameters setup extractencryptdecrypt

Computer Science Applications Revocation of public keys || 2006 || –Send message into the future Delegation of decryption keys –Delegation to a laptop (use date as public key) –Delegation of duties (use subject as public key)

Computer Science Elliptic Curve Group over Real Numbers y 2 = x 3 + ax + b –x, y, a, b are real numbers If 4a b 2 ≠ 0, a group can be formed. –points on curve and infinity point –Additive group

Computer Science Elliptic Curve Addition: A Geometric Approach Adding distinct points P and Q * The negative of a point P is its reflection in the x-axis.

Computer Science Adding the points P and -P

Computer Science Doubling the point P

Computer Science Elliptic Curve Addition: An Algebraic Approach Adding distinct points P and Q (P+Q=R)  P(x P,y P ) and Q(x Q,y Q ) are not negative each other  s = (y P – y Q ) ∕ (x P – x Q )  x R = s 2 – x P – x Q, y R = – y P + s(x P – x R ) Doubling the point P (2P=R)  y P ≠ 0  s = (3x P 2 + a) ∕ 2y P  x R = s 2 – 2x P, y R = – y P + s(x P – x R )

Computer Science Elliptic Curve Groups over Fp Calculations over real number are slow and inaccurate. y 2 mod p = x 3 + ax + b mod p –x, y, a, b are in F p finite set of points no geometric approach

Computer Science Elliptic Curve Groups over Fp (Cont’d) Adding distinct points P and Q (P+Q=R)  P(x P, y P ) is not − Q = (x Q, − y Q mod p)  s = (y P – y Q ) ∕ (x P – x Q ) mod p  x R = s 2 – x P – x Q mod p  y R = – y P + s(x P – x R ) mod p Doubling the point P (2P=R)  y P ≠ 0  s = (3x P 2 + a) ∕ 2y P mod p  x R = s 2 – 2x P mod p, y R = – y P + s(x P – x R ) mod p

Computer Science Elliptic Curve Discrete Logarithm Problem (ECDLP) Discrete Logarithm Problem –For multiplicative group Z p *, given r, q, p, find k such that r = q k mod p. –Foundation of many cryptosystems. Scalar multiplication –P, 2P, 3P=2P+P, 4P=3P+P,…, kP (additive notation) ECDLP –Given points Q, P, find k such that kP=Q

Computer Science Weil Pairing Bilinear map –A map e: G 1 ×G 1 →G 2 –∀ P,Q ∈ G 1, ∀ a,b ∈ Z, e(aP, bQ) = e(P, Q) ab Weil Pairing –bilinear map G 1 is the group of points of an elliptic curve over F p G 2 is a subgroup of F p 2 * –efficiently computable Miller’s algorithm

Computer Science Weil Pairing (Cont’d) Elliptic Curve Group in this paper –p, q are primes, p = 2 mod 3, p = 6q – 1 –E is the elliptic curve defined by y 2 = x over F p –G q is the group with order q = (p+1)/6 generated by P ∈ E/F p Modified Weil pairing –ê: G q ×G q →μ q –μ q is the subgroup of F p 2 * containing all elements of order q –Non-degenerate: ê(P, P) ∈ F p 2 is generator of μ q

Computer Science Weil Diffie-Hellman Assumption (WDH) Given for random a,b,c ∈ Z q *, P ∈ E/F p, compute W = ê(P,P) abc ∈ F p 2 When p is a random k-bit prime, there is no probabilistic polynomial time algorithm for the WDH problem.

Computer Science MapToPoint algorithm Convert arbitrary string ID ∈ {0,1} * to a point Q ID ∈ E/F p of order q hash function G: {0,1} * →F p Steps: –y 0 = G(ID), x 0 = (y 0 2 – 1) 1/3 = (y 0 2 – 1) (2p – 1)/3 –Q = (x 0, y 0 ) ∈ E/F p, Q ID = 6Q

Computer Science BasicIdent – Setup Use the elliptic curve group we already defined Choose arbitrary P ∈ E/F p of order q Pick random s ∈ Z q * and set P pub = sP Choose hash functions –H: F p 2 →{0,1} n –G: {0,1} * →F p Message space M = {0,1} n, ciphertext space is C = E/F p ×{0,1} n System parameters are. Master- key is s.

Computer Science BasicIdent (Cont’d) Extract (get private key from ID) 1.Use MapToPoint to map ID to a point Q ID 2.Private key corresponding to ID is d ID = sQ ID Encrypt (encrypt M with ID) 1.Use MapToPoint to map ID to a point Q ID 2.Choose random r ∈ Z q 3.C = where g ID = ê(Q ID,P pub ) ∈ F p 2

Computer Science BasicIdent (Cont’d) Decrypt (decrypt C = ) –If U is not a point of order q, reject the ciphertext –Otherwise, M = V ⊕ H(ê(d ID, U)) Why M can be recovered? ê(d ID, U) = ê(sQ ID, rP) = ê(Q ID, P) sr = ê(Q ID, P pub ) r = g ID r V ⊕ H(ê(d ID, U)) = M ⊕ H(g ID r ) ⊕ H(g ID r ) = M

Computer Science FullIdent BasicIdent is not chosen ciphertext secure. Setup –In addition to BasicIdent, pick another two hash functions: H 1 : {0,1} n ×{0,1} n →F q G 1 : {0,1} n → {0,1} n Extract –Same as BasicIdent

Computer Science FullIdent (Cont’d) Encrypt (encrypt M using ID) 1.Use MapToPoint to convert ID into point Q ID 2.Choose random σ ∈ {0,1} n 3.Set r = H 1 (σ, M) 4.C = where g ID = ê(Q ID, P pub ) ∈ F p 2

Computer Science FullIdent (Cont’d) Decrypt (decrypt C= ) 1.Compute V ⊕ H(ê(d ID, U)) = σ 2.Compute W ⊕ G 1 (σ) = M 3.Set r = H 1 (σ, M) 4.If U ≠ rP, reject.

Computer Science Extensions & Observations Tate pairing and other curves can improve the speed Distributed PKG IBE implies signatures –Master-key s is private key (sign) –Global system parameters is public key (verify) –Signature of M: sQ M –Verification: encrypt random M’ use ID=M, then decrypt use sQ M

Computer Science Escrow ElGamal Encryption Setup –Use same elliptic curve –Pick a random s ∈ Z q, Q = sP –Choose hash function: F p 2 → {0,1} n –System parameters: –s is the escrow key Keygen –User randomly choose x ∈ Z q as private key –Public key is P pub = xP

Computer Science Escrow ElGamal Encryption (Cont’d) Encrypt –Pick random r ∈ Z q –C = where g = ê(P pub, Q) ∈ F p 2 Decrypt (C = ) –V ⊕ H(ê(U, xQ)) = M Escrow-decrypt –V ⊕ H(ê(U, sP pub )) = M