Pairing based IBE. Some Definitions Some more definitions.


Presentation on theme: "Pairing based IBE. Some Definitions Some more definitions."— Presentation transcript:

1 Pairing based IBE

2 Some Definitions

3 Some more definitions

4 Tate Pairing

5 Few Details

6

7

8 Making the output unique

9 Tate Pairing and Weil Pairing

10 Linear Dependence Property

11 Application of Pairings: Finally!
Two Party One-round Key Agreement Protocol
$P$ is a base point of an EC. Public knowledge: $(n, P)$.
Alice selects $a \in [1, n-1]$ and sends $aP$.
Bob selects $b \in [1, n-1]$ and sends $bP$.
Both can compute $abP$.
The eavesdropper is faced with the task of computing $K$ given $(P, aP, bP)$. This instance of the problem is called the DHP (Diffie-Hellman Problem).
[Diagram: Alice (a) and Bob (b), with messages $aP$ and $bP$.]

12 Extending to Three Parties
Can be easily extended to 3 parties.
[Diagram, Round 1: Alice (a), Bob (b) and Chris (c), with messages $aP$, $bP$, $cP$.]

13 Extending to Three Parties
Can be easily extended to 3 parties. Key $= abcP$.
Attacker's problem: compute $abcP$ from $(P, aP, bP, cP, abP, bcP, caP)$.
[Diagram, Round 2: Alice (a), Bob (b) and Chris (c), with messages $abP$, $bcP$, $caP$.]

14 Can this be done in one round?
The problem remained open until 2000, when Joux devised a surprisingly simple protocol using bilinear pairings. This triggered interest in pairings, and the two next most important applications emerged:
Boneh-Franklin IBE
Boneh, Lynn, Shacham short-signature scheme

15 Quick Refresh on Pairings

16 Some more Derived Properties

17 Implication on DLP
Discrete Log Problem (DLP): Let $a \in [0, n-1]$ be a secret; given $aP$, compute $a$.
Believed to be intractable for a chosen group (like the multiplicative group of a finite field, or the group of points on an EC defined over a finite field).
One consequence of the bilinearity property is that the DLP in $G_1$ can be efficiently reduced to the DLP in $G_T$.

18 Implication on DLP
One consequence of the bilinearity property is that the DLP in $G_1$ can be efficiently reduced to the DLP in $G_T$.
If $(P, Q)$ is an instance of the DLP in $G_1$ where $Q = xP$, then $e(P, Q) = e(P, xP) = e(P, P)^x$.
Thus $\log_P Q = \log_g h$, where $h = e(P, Q)$ and $g = e(P, P)$ are elements of $G_T$.

19 Bilinear Diffie-Hellman Problem (BDHP)
Let $e$ be a bilinear pairing on $(G_1, G_T)$. The BDHP is the following: given $P, aP, bP, cP$, compute $e(P, P)^{abc}$.
Hardness of BDHP => hardness of DHP in both $G_1$ and $G_T$.
If DHP in $G_1$ is not hard => BDHP is not hard.
1. $aP, bP$ => compute $abP$
2. $e(abP, cP) = e(P, P)^{abc}$

20 Security Implications
If DHP in $G_T$ is not hard => BDHP is not hard.
1. Compute $g = e(P, P)$.
2. Compute $e(aP, bP) = g^{ab} \in G_T$.
3. Compute $e(cP, P) = g^{c} \in G_T$.
4. Compute $g^{abc}$ from $g^{ab}$ and $g^{c}$.

21 Decisional Diffie-Hellman Problem due to Pairings

22 Few Fundamental Protocols using Pairings
3-Party One Round Key Agreement:
[Diagram, Round 1: Alice (a), Bob (b) and Chris (c), with messages $aP$, $bP$, $cP$.]
Alice (and likewise the others) can compute: $e(bP, cP)^a = e(P, P)^{abc}$

23 Short Signatures

24 BLS Signatures
Alice's private key: $a \in [1, n-1]$. Public key: $A = aP$.
Sign: Alice's signature on a message $m \in \{0,1\}^*$: $M = H(m)$, $s = aM$.
Verify: Bob, with the public key $A = aP$, can easily verify.
Bob calculates $M = H(m)$.
Then Bob checks whether $(P, A = aP, M, s = aM)$ is a valid quadruple by solving DDHP in $G_1$ (check $e(P, s) = e(A, M)$).
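
The algebra of the one-round three-party key agreement (slide 22) and of BLS verification (slide 24), as an added example that is not part of the original presentation. It uses a toy bilinear map rather than a real elliptic-curve pairing: $G_1$ is modelled as the integers mod $n$ with $P = 1$, so discrete logs in it are trivial and only correctness, not security, is shown; the parameters and all function names are constructed for illustration.

```python
# Added example: toy bilinear map, NOT a real pairing and NOT secure.
# G1 is modelled as Z_n with base point P = 1, so the "point" aP is just a mod n.
# GT is the order-n subgroup of Z_p^*, and e(xP, yP) = g^(xy) mod p.
import hashlib
import secrets

# Constructed toy parameters: p = 2n + 1 with p, n prime; g = 4 has order n.
p, n, g, P = 2039, 1019, 4, 1

def mul(k, Q):
    """Scalar multiplication kQ in the toy G1."""
    return (k * Q) % n

def e(Q1, Q2):
    """Toy pairing: bilinear because e(aQ1, bQ2) = e(Q1, Q2)^(ab)."""
    return pow(g, (Q1 * Q2) % n, p)

def H(m: bytes):
    """Hash a message to a nonzero element of the toy G1."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (n - 1) + 1

def joux_keys(a, b, c):
    """One broadcast round (aP, bP, cP); returns the key each party derives."""
    aP, bP, cP = mul(a, P), mul(b, P), mul(c, P)
    return (pow(e(bP, cP), a, p),   # Alice: e(bP, cP)^a
            pow(e(aP, cP), b, p),   # Bob:   e(aP, cP)^b
            pow(e(aP, bP), c, p))   # Chris: e(aP, bP)^c

def bls_keygen():
    a = secrets.randbelow(n - 1) + 1      # private key a in [1, n-1]
    return a, mul(a, P)                   # public key A = aP

def bls_sign(a, m: bytes):
    return mul(a, H(m))                   # s = aM with M = H(m)

def bls_verify(A, m: bytes, s):
    return e(P, s) == e(A, H(m))          # check e(P, s) = e(A, M)

if __name__ == "__main__":
    a, b, c = (secrets.randbelow(n - 1) + 1 for _ in range(3))
    ka, kb, kc = joux_keys(a, b, c)
    assert ka == kb == kc == pow(e(P, P), a * b * c, p)
    sk, pk = bls_keygen()
    msg = b"constructed sample message"
    print("shared key:", ka, "| signature valid:", bls_verify(pk, msg, bls_sign(sk, msg)))
```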

25 Boneh Franklin’s IBE

26 Private Key of Alice
Alice requests her private key $d_A$:
The TTP creates Alice's identity string $ID_A$ and computes $d_A = tH_1(ID_A)$.
It securely transfers $d_A$ to Alice.
Note that $d_A$ is the BLS signature on the message $ID_A$.

27 Bob’s Encryption for Alice

28 Alice's Decryption
Bob uses his decryption key $d_A$, and computes $e(d_A, R) = e(tH_1(ID_A), rP) = e(Q_A, tP)^r = e(Q_A, T)^r$.
Thus Bob can recover $m$.
The eavesdropper has to compute $e(Q_A, T)^r$ from $(P, Q_A, T, R)$.

29 CCA Security
Given a target ciphertext $(R, c)$, the attacker flips the first bit of $c$ to get $c'$, and then obtains $m'$ using the decryption oracle. The attacker then flips the first bit of $m'$ to get $m$.

30 CCA security

31 Few More Security Implications
Bilinear DHP (BDHP): Given $(P, aP, bP, cP)$
Decisional: $c = ab$?
Computational: Compute $cP = abP$
Inverse DHP (IDHP):
Decisional: $c = a^{-1}b$? Equivalently, $b = a^{-1}$?
Computational: $cP = a^{-1}bP$. Equivalently, $bP = a^{-1}P$.
These hardness assumptions are the basis of most pairing-based protocols. Now consider a few attack oracles.

32 Attack Oracles
FAPI: Fixed Argument Pairing Inversion. Consider a pairing $e: G_1 \times G_2 \to G_T$.
FAPI-1: $O_1$. Input: $P \in G_1$, $z \in G_T$. Output: $Q \in G_2$ s.t. $e(P, Q) = z$.
FAPI-2: $O_2$. Input: $Q \in G_2$, $z \in G_T$. Output: $P \in G_1$ s.t. $e(P, Q) = z$.

33 Solve BCDHP
Bilinear DHP: Given $(P, aP, bP, cP)$
Computational: Compute $cP = abP$
$z_1 = e(aP, Q)$
$aQ = O_1(P, z_1)$
$z_2 = e(bP, aQ)$
$abQ = O_1(P, z_2)$
$abP = O_2(Q, z_2)$

34 Solve IDHP
Inverse DHP (IDHP): Given $(P, aP)$
Computational: Compute $bP = a^{-1}P$.
Choose $Q \in G_2$.
$z_1 = e(aP, Q)$
$aQ = O_1(P, z_1)$
$z_2 = e(P, Q)$
$a^{-1}P = O_2(aQ, z_2)$

