Pairing based IBE. Some Definitions Some more definitions.

Presentation transcript:

Pairing based IBE

Some Definitions

Some more definitions

Tate Pairing

Few Details

Making the output unique

Tate Pairing and Weil Pairing

Linear Dependence Property

Application of Pairings: Finally!
Two-Party One-Round Key Agreement Protocol
P is a base point of an EC. Public knowledge: (n, P).
Alice selects a ∈ [1, n-1] and sends aP.
Bob selects b ∈ [1, n-1] and sends bP.
Both can compute abP.
The eavesdropper is faced with the task of computing K given (P, aP, bP). This instance of the problem is called the DHP (Diffie-Hellman Problem).
[Diagram: Alice (a) and Bob (b) exchange aP and bP.]

Extending to Three Parties
Can be easily extended to 3 parties.
[Diagram, Round 1: Alice (a), Bob (b) and Chris (c), with messages aP, bP and cP.]

Extending to Three Parties
Can be easily extended to 3 parties.
Key = abcP.
Attacker's problem: compute abcP from (P, aP, bP, cP, abP, bcP, caP).
[Diagram, Round 2: Alice (a), Bob (b) and Chris (c), with messages abP, bcP and caP.]

Can this be done in one round?
The problem remained open until 2000, when Joux devised a surprisingly simple protocol using bilinear pairings. This triggered interest in pairings, and the next two most important applications emerged:
Boneh-Franklin IBE
Boneh, Lynn, Shacham short-signature scheme

Quick Refresh on Pairings

Some more Derived Properties

Implication on DLP
Discrete Log Problem (DLP): Let a ∈ [0, n-1] be a secret; given aP, compute a.
Believed to be intractable for a suitably chosen group (such as the multiplicative group of a finite field, or the group of points on an EC defined over a finite field).
One consequence of the bilinearity property is that the DLP in $G_1$ can be efficiently reduced to the DLP in $G_T$.

Implication on DLP
One consequence of the bilinearity property is that the DLP in $G_1$ can be efficiently reduced to the DLP in $G_T$.
If (P, Q) is an instance of the DLP in $G_1$ where Q = xP, then $e(P,Q) = e(P,xP) = e(P,P)^x$.
Thus $\log_P Q = \log_g h$, where $h = e(P,Q)$ and $g = e(P,P)$ are elements of $G_T$.

Bilinear Diffie-Hellman Problem (BDHP)
Let e be a bilinear pairing on $(G_1, G_T)$. The BDHP is the following: given P, aP, bP, cP, compute $e(P,P)^{abc}$.
Hardness of BDHP => hardness of DHP in both $G_1$ and $G_T$.
If DHP in $G_1$ is not hard => BDHP is not hard:
1. From aP, bP, compute abP.
2. $e(abP, cP) = e(P,P)^{abc}$.

Security Implications
If DHP in $G_T$ is not hard => BDHP is not hard:
1. Compute $g = e(P,P)$.
2. Compute $e(aP,bP) = g^{ab} \in G_T$.
3. Compute $e(cP,P) = g^{c} \in G_T$.
4. Compute $g^{abc}$ from $g^{ab}$ and $g^{c}$.

Decisional Diffie-Hellman Problem due to Pairings

Few Fundamental Protocols using Pairings
3-Party One-Round Key Agreement:
[Diagram, Round 1: Alice (a), Bob (b) and Chris (c) exchange aP, bP and cP.]
Alice (and likewise the others) can compute $e(bP,cP)^a = e(P,P)^{abc}$.

Short Signatures

BLS Signatures
Alice's private key: a ∈ [1, n-1]. Public key: A = aP.
Sign: Alice's signature on a message m ∈ {0,1}* is s = aM, where M = H(m).
Verify: Bob, with the public key A = aP, can easily verify. Bob calculates M = H(m), then checks whether (P, A = aP, M, s = aM) is a valid quadruple by solving the DDHP in $G_1$ (check e(P,s) = e(A,M)).
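The one-round three-party key agreement and the BLS sign/verify equations above, as an added Python example that is not part of the original slides. It assumes a constructed toy pairing: G_1 is modelled as (Z_N, +) with P = 1 and e(xP, yP) = G^(xy) mod P_MOD, which is bilinear and non-degenerate but exposes discrete logs, so it shows the algebra only; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters: N prime, P_MOD = 2N + 1 prime, G of order N.
N, P_MOD, G = 500000003, 1000000007, 4
P = 1  # base point of the toy G1 = (Z_N, +), so xP is stored as x (insecure)

def mul(k, X):
    """Scalar multiplication kX in the toy G1."""
    return (k * X) % N

def e(X, Y):
    """Toy symmetric pairing: e(xP, yP) = G^(xy) in the order-N subgroup."""
    return pow(G, (X * Y) % N, P_MOD)

def H(m):
    """Hash a message to a non-zero element M of the toy G1."""
    return 1 + int.from_bytes(hashlib.sha256(m).digest(), "big") % (N - 1)

def keygen():
    a = 1 + secrets.randbelow(N - 1)      # private key a in [1, N-1]
    return a, mul(a, P)                   # public key A = aP

def joux_key(own_secret, pub1, pub2):
    """One-round key: e(bP, cP)^a = e(P, P)^(abc) for every party."""
    return pow(e(pub1, pub2), own_secret, P_MOD)

def bls_sign(a, m):
    return mul(a, H(m))                   # s = aM with M = H(m)

def bls_verify(A, m, s):
    return e(P, s) == e(A, H(m))          # e(P, aM) == e(aP, M)

def demo():
    """Run both protocols once on constructed inputs."""
    (a, A), (b, B), (c, C) = keygen(), keygen(), keygen()
    keys = {joux_key(a, B, C), joux_key(b, A, C), joux_key(c, A, B)}
    msg = b"constructed sample message"
    return len(keys) == 1, bls_verify(A, msg, bls_sign(a, msg))
```
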

Boneh Franklin’s IBE

Private Key of Alice
Alice requests her private key $d_A$:
The TTP creates Alice's identity string $ID_A$ and computes $d_A = tH_1(ID_A)$.
It securely transfers $d_A$ to Alice.
Note that $d_A$ is the BLS signature on the message $ID_A$.

Bob’s Encryption for Alice

Alice’s Decryption
Bob uses his decryption key $d_A$ and computes $e(d_A,R) = e(tH_1(ID_A), rP) = e(Q_A,tP)^r = e(Q_A,T)^r$.
Thus Bob can recover m.
The eavesdropper has to compute $e(Q_A,T)^r$ from $(P, Q_A, T, R)$.

CCA Security
Given a target ciphertext (R, c), the adversary flips the first bit of c to get c', and then obtains m' using the decryption oracle. It then flips the first bit of m' to get m.
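The bit-flip observation above, reproduced against a key we hold ourselves, next to a variant that rejects modified ciphertexts; this is an added Python example, not code from the original slides. It assumes the Boneh-Franklin BasicIdent form c = m XOR H_2(e(Q_A,T)^r) and the Fujisaki-Okamoto-style check of their FullIdent scheme, neither of which is spelled out on this page, over a constructed toy pairing (G_1 stored as Z_N with P = 1, insecure by design); all function names are hypothetical.

```python
import hashlib, secrets

# Constructed toy parameters: N prime, P_MOD = 2N + 1 prime, G of order N.
N, P_MOD, G = 500000003, 1000000007, 4
P = 1  # base point of the toy G1 = (Z_N, +), so xP is stored as x (insecure)

def e(X, Y):                              # toy pairing e(xP, yP) = G^(xy)
    return pow(G, (X * Y) % N, P_MOD)

def h(tag, *parts):                       # domain-separated SHA-256
    return hashlib.sha256(tag + b"|" + b"|".join(parts)).digest()

def to_scalar(digest):                    # digest -> [1, N-1]
    return 1 + int.from_bytes(digest, "big") % (N - 1)

def xor(a, b):                            # messages are at most 32 bytes
    return bytes(x ^ y for x, y in zip(a, b))

def mask(gt):                             # H2: G_T element -> 32-byte pad
    return h(b"H2", str(gt).encode())

def setup():
    t = 1 + secrets.randbelow(N - 1)      # TTP master secret t
    return t, (t * P) % N                 # public T = tP

def extract(t, ident):                    # d_A = t H1(ID_A)
    return (t * to_scalar(h(b"H1", ident))) % N

def basic_encrypt(T, ident, m):           # BasicIdent ciphertext (R, c)
    r = 1 + secrets.randbelow(N - 1)
    k = pow(e(to_scalar(h(b"H1", ident)), T), r, P_MOD)   # e(Q_A, T)^r
    return (r * P) % N, xor(m, mask(k))

def basic_decrypt(d, ct):
    return xor(ct[1], mask(e(d, ct[0])))  # e(d_A, R) = e(Q_A, T)^r

def flip(b):                              # flip the first bit
    return bytes([b[0] ^ 0x80]) + b[1:]

def full_encrypt(T, ident, m):            # FO-style: r is derived from (sigma, m)
    sigma = secrets.token_bytes(32)
    r = to_scalar(h(b"H3", sigma, m))
    k = pow(e(to_scalar(h(b"H1", ident)), T), r, P_MOD)
    return (r * P) % N, xor(sigma, mask(k)), xor(m, h(b"H4", sigma))

def full_decrypt(d, ct):
    R, V, W = ct
    sigma = xor(V, mask(e(d, R)))
    m = xor(W, h(b"H4", sigma))
    return m if (to_scalar(h(b"H3", sigma, m)) * P) % N == R else None
```

With the basic scheme, decrypting `(R, flip(c))` returns `flip(m)`; with the checked variant the same modification makes the recomputed r disagree with R, so decryption returns `None`.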

CCA security

Few More Security Implications
Bilinear DHP (BDHP): Given (P, aP, bP, cP)
Decisional: c = ab?
Computational: Compute cP = abP
Inverse DHP (IDHP):
Decisional: $c = a^{-1}b$? Equivalently, $b = a^{-1}$?
Computational: $cP = a^{-1}bP$. Equivalently, $bP = a^{-1}P$.
These hardness assumptions are the basis of most pairing-based protocols. Now consider a few attack oracles.

Attack Oracles
FAPI: Fixed Argument Pairing Inversion.
Consider a pairing $e: G_1 \times G_2 \to G_T$.
FAPI-1, oracle $O_1$: input $P \in G_1$, $z \in G_T$; output $Q \in G_2$ such that $e(P,Q) = z$.
FAPI-2, oracle $O_2$: input $Q \in G_2$, $z \in G_T$; output $P \in G_1$ such that $e(P,Q) = z$.

Solve BCDHP
Bilinear DHP: Given (P, aP, bP, cP)
Computational: Compute cP = abP
$z_1 = e(aP, Q)$
$aQ = O_1(P, z_1)$
$z_2 = e(bP, aQ)$
$abQ = O_1(P, z_2)$
$abP = O_2(Q, z_2)$

Solve IDHP
Inverse DHP (IDHP): Given (P, aP)
Computational: Compute $bP = a^{-1}P$.
Choose $Q \in G_2$.
$z_1 = e(aP, Q)$
$aQ = O_1(P, z_1)$
$z_2 = e(P, Q)$
$a^{-1}P = O_2(aQ, z_2)$