Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Based Encryption Debdeep Mukhopadhyay Associate Professor Dept of Computer Sc and Engg, IIT Kharagpur.

Published byBaldwin Malone Modified over 8 years ago

Similar presentations

Presentation on theme: "Identity Based Encryption Debdeep Mukhopadhyay Associate Professor Dept of Computer Sc and Engg, IIT Kharagpur."— Presentation transcript:

1 Identity Based Encryption Debdeep Mukhopadhyay Associate Professor Dept of Computer Sc and Engg, IIT Kharagpur

2 Public Key Setting Alice and Bob might not have a prior shared secret. Each participant has a pair of public and private key for certain pre-specified cryptosystem or signature scheme. It is always necessary to authenticate the public keys of other people in the network. This requires some kind of Public Key Infrastructure (PKI) We assume there is a Trusted Authoruty (TA) or Certification Authority (CA) who signs the public keys of all people in the network. The public verification key, ver TA of the TA is known to all.

3 Certificates A certificate for someone in the network will consist of: some identifying information for a person (eg, name, email address, etc.), their public keys, and the signature of the TA on that information. The certificate allows network users to verify the authenticity of each other’s keys. How does Alice obtain a certificate from the TA which contains a copy of Alice’s public verification key for a signature scheme?

4 A Protocol to Issue a Certificate to Alice The TA establishes Alice’s identity by means of conventional forms of identification like birth certificate, passport etc. Then the TA forms a string ID(Alice), which contains Alice’s identification. A private signing key for Alice, sign Alice, and a corresponding public verification key ver Alice are determined. The TA determines its signature: s=sig TA (ID(Alice)||ver Alice ) on Alice’s identity string and verification key. The certificate Cert(Alice)=(ID(Alice)||ver Alice ||s) is given to Alice, along with Alice’s private key, sig Alice.

5 Verification of the Public Key Any one who has the TA’s verification key, ver TA can verify anyone else’s certificate. Suppose, Bob wants to be sure that Alice’s public key is authentic: Alice gives her certificate to Bob. Bob can then verify the signature of the TA by checking: ver TA (ID(Alice)||ver Alice ||s)=true Note: The purpose of verifying a certificate is to authenticate the public key. Verifying the signature allows someone to verify that the certificate was issued by the CA. Having verified the signature, a user would then believe the information provided the CA can be trusted of verifying the information before signing.

6 X.509 v3 Version number Serial number Signature algorithm ID Issuer name Validity period Subject name (ie. Signature owner) Public key of owner Signature of CA on all the fields

7 Problems of PKI Many difficulties associated with practical large scale deployments of PKI Who is responsible for its deployment, maintenance, and regulations? Govt or Industry? What standards should be used?: certificate formats, cryptographic algorithms, revocation, etc. Lack of PKI compatible applications has slowed down its deployment.

8 Alternative to PKI Identity Based Encryption (IBE): Refers to Public Key Cryptography where the values of the public key are computed from the identity of the owners. Renders certificates unnecessary, and hence the need for an infrastructure to verify public keys is avoided.

9 ID-based Encryption Public Key for a user U is obtained by applying a public hash function h to the user’s identity string, ID(U). The corresponding private key would be generated by a central trusted authority (denoted by TA). The private key would then be supplied to the user U after that user proves his or her identity to the TA. Issuance of private key by the TA replaces the issuing of a certificate. The resulting private and public keys are used in an encryption scheme, signature scheme, or other scheme. The scheme uses some fixed public parameters, incluiding a certain master key.

10 IBE and PKI IBE removes the need for certificates. However, still need a convenient and reliable method for associating an identity string with a person. However IBE alleviates many of the problems of PKI. Note that unlike PKI, in IBE any user, say Bob, can encrypt a message for Alice (using the ID A and the public key of the TA) before Alice has received her private key from the TA. Also Bob could include in the ID A any set of conditions that should be met before the TA issues the private key. Could include credit ratings, employment status, minimum age requirement, etc. Date in the ID A to solve the key revocation problem (ie. Private key will be issued only if it has not been revoked).

11 Designing an IBE Can a Public Key Cryptosystem be converted to an IBE? Let us try with RSA. The TA chooses the RSA modulus n=pq, as the public master key. The factors p and q are known only to the TA, and work as the master private key. How does a user U obtain its key pair?

12 RSA converted to IBE? Public Key of a user U is an encryption exponent and a private key is a decryption exponent. However, once U has a public key and private key pair, it can factor n. Once U knows the private master key, it can impersonate the TA. Can compute any one else’s private key. The IBE fails! Thus IBE necessitates that a user’s public key and private key cannot be used to determine the private master key of the TA.

13 Components of an IBE System Parameters: Master key generation: The TA generates the master public key M pub and a corresponding master private key M priv. Master key, M=(M pub,M priv ). A hash function h is also public.

14 User Key Generation When a user U identifies himself to the TA, the TA uses a function extract to compute to compute U’s private key private key K u priv : K u priv =extract(M,K u pub ), where U’s public key is K u pub =h(ID(U)). User U’s key is K U =(K u pub, K u priv ).

15 Encryption and Decryption Encryption: User U’s public key K u pub defines a public encryption rule, e KU, that can be used by anyone to encrypt messages sent to U. Decryption: U’s private key K u priv defines a private decryption rule d KU, that U will use to decrypt messages he receives.

16 The Cocks IBE Based on certain properties of the Jacobi symbols. It uses certain number theoretic properties of quadratic residues.

17 Quadratic Residues

18 Example Z 11 1 2 =1 2 2 =4 3 2 =9 4 2 =5 5 2 =3 6 2 =3 7 2 =5 8 2 =9 9 2 =4 10 2 =1 There are exactly (p-1)/2 QR (Quadratic Residues) Note, that the QR forms a palindrome There are exactly (11-1)/2=5 QRs.

19 The QR Problem We have a polynomial time deterministic algorithm to solve this decision problem.

20 Euler comes to the rescue again The time complexity of this check is O(log p) 3 by applying square and multiply method to raise an element to a power. Note that if then a is a non-quadratic residue.

21 Legendre Symbol

22 Jacobi Symbol: Generalization of Legendre Symbol

23 Example Compute Note 9975=3x5 2 x7x19 (prime power factorization)

24 Properties of Jacobi

25 Example An Example

26 Computing Jacobi without factorization of n Input: m≥0, n≥1, n odd Output: JacobiSymbol(m,n) if(m==0) { if(n==1) return 1; else return 0;} else if (m>n) return JacobiSymbol(m mod n, n); else{ m=2 δ m’; (where m’≥1, m’ odd) return ±[JacobiSymbol(2,n)] δ [JacobiSymbol(n,m’)] /* Use -, if m’≡n≡3 (mod n), + otherwise */}

27 Complexity Roughly O(log n) 3 Only arithmetic operations are factoring out powers of two and modular reductions. Former depends on number of trailing zeros if the number is encoded as binary. So, dominated by modular reduction. Roughly O(log n) modular reductions necessary, each can be done in O(log n) 2

28 QR(n)

29 Composite Quadratic Residues

30

31 Cocks Identity Based Encryption

32 User Key Generation

33 Encryption

34 Decryption

35 Proof of Decryption Correctness

36

37 Cocks IBE is IND-CPA Secure Quadratic Residue Assumption: J n * ={aϵZ n * |(a/n)=1}. Note: |QR n *|=|J n * \QR n * | =1/2|J n * | ≈ It is hard to distinguish between a random quadratic residue and a random non-quadratic residue, given both has Jacobi symbol 1)

38 Cocks IBE is IND-CPA Secure

39 Indistinguishability of the cipher

40

41 IND-CPA-security Under the assumption of QRA, we can prove the IND-CPA security of the scheme. ≈ ≡

Download ppt "Identity Based Encryption Debdeep Mukhopadhyay Associate Professor Dept of Computer Sc and Engg, IIT Kharagpur."

Similar presentations

Key Management Nick Feamster CS 6262 Spring 2009.

Key Management Nick Feamster CS 6262 Spring 2009.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
and Factoring Integers (I)

and Factoring Integers (I)
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.

CSCI 172/283 Fall 2010 Public Key Cryptography. New paradigm introduced by Diffie and Hellman The mailbox analogy: Bob has a locked mailbox Alice can.
C HAPTER 13 Asymmetric Key Cryptography Slides adapted from Foundations of Security: What Every Programmer Needs To Know by Neil Daswani, Christoph Kern,

C HAPTER 13 Asymmetric Key Cryptography Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern,
ASYMMETRIC CIPHERS.

ASYMMETRIC CIPHERS.

Similar presentations

Ads by Google