Computer Science CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu


Outline

• Applications

• Elliptic Curve Groups over Real Numbers and $F_p$

• Weil Pairing

• BasicIdent

• FullIdent

• Extensions

• Escrow ElGamal Encryption

Identity-Based Encryption

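[Figure: Alice sends Bob a message M encrypted using [email protected]. Bob authenticates to the PKG and receives the private key for [email protected]. The PKG holds the master key and the global parameters and runs setup and extract; Alice holds the global parameters and runs encrypt; Bob holds the global parameters and runs decrypt.]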

Applications

• Revocation of public keys
  – [email protected] || 2006
  – [email protected] || 2006-10-20
  – Send message into the future

• Delegation of decryption keys
  – Delegation to a laptop (use date as public key)
  – Delegation of duties (use subject as public key)

Elliptic Curve Group over Real Numbers

• $y^2 = x^3 + ax + b$
  – x, y, a, b are real numbers

• If $4a^3 + 27b^2 \neq 0$, a group can be formed.
  – points on curve and infinity point
  – Additive group

Elliptic Curve Addition: A Geometric Approach

• Adding distinct points P and Q

* The negative of a point P is its reflection in the x-axis.

• Adding the points P and -P

• Doubling the point P

Elliptic Curve Addition: An Algebraic Approach

• Adding distinct points P and Q (P + Q = R), where $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ are not negatives of each other

  $s = (y_P - y_Q) / (x_P - x_Q)$

  $x_R = s^2 - x_P - x_Q$, $y_R = -y_P + s(x_P - x_R)$

• Doubling the point P (2P = R), where $y_P \neq 0$

  $s = (3x_P^2 + a) / (2y_P)$

  $x_R = s^2 - 2x_P$, $y_R = -y_P + s(x_P - x_R)$

Elliptic Curve Groups over Fp

• Calculations over the real numbers are slow and inaccurate.

• $y^2 \bmod p = (x^3 + ax + b) \bmod p$
  – x, y, a, b are in $F_p$

• finite set of points

• no geometric approach

Elliptic Curve Groups over Fp (Cont’d)

• Adding distinct points P and Q (P + Q = R), where $P = (x_P, y_P)$ is not $-Q = (x_Q, -y_Q \bmod p)$

  $s = (y_P - y_Q) / (x_P - x_Q) \bmod p$

  $x_R = s^2 - x_P - x_Q \bmod p$

  $y_R = -y_P + s(x_P - x_R) \bmod p$

• Doubling the point P (2P = R), where $y_P \neq 0$

  $s = (3x_P^2 + a) / (2y_P) \bmod p$

  $x_R = s^2 - 2x_P \bmod p$, $y_R = -y_P + s(x_P - x_R) \bmod p$

Elliptic Curve Discrete Logarithm Problem (ECDLP)

• Discrete Logarithm Problem
  – For multiplicative group $Z_p^*$, given r, q, p, find k such that $r = q^k \bmod p$.
  – Foundation of many cryptosystems.

• Scalar multiplication
  – P, 2P, 3P = 2P + P, 4P = 3P + P, …, kP (additive notation)

• ECDLP
  – Given points Q, P, find k such that kP = Q

Weil Pairing

• Bilinear map
  – A map $e: G_1 \times G_1 \to G_2$
  – $\forall P, Q \in G_1$, $\forall a, b \in Z$, $e(aP, bQ) = e(P, Q)^{ab}$

• Weil Pairing
  – bilinear map
    • $G_1$ is the group of points of an elliptic curve over $F_p$
    • $G_2$ is a subgroup of $F_{p^2}^*$
  – efficiently computable
    • Miller’s algorithm

Weil Pairing (Cont’d)

• Elliptic Curve Group in this paper
  – p, q are primes, $p \equiv 2 \pmod 3$, $p = 6q - 1$
  – E is the elliptic curve defined by $y^2 = x^3 + 1$ over $F_p$
  – $G_q$ is the group with order $q = (p+1)/6$ generated by $P \in E/F_p$

• Modified Weil pairing
  – $\hat{e}: G_q \times G_q \to \mu_q$
  – $\mu_q$ is the subgroup of $F_{p^2}^*$ containing all elements of order q
  – Non-degenerate: $\hat{e}(P, P) \in F_{p^2}$ is a generator of $\mu_q$

Weil Diffie-Hellman Assumption (WDH)

• Given $\langle P, aP, bP, cP \rangle$ for random $a, b, c \in Z_q^*$, $P \in E/F_p$, compute $W = \hat{e}(P, P)^{abc} \in F_{p^2}$

• When p is a random k-bit prime, there is no probabilistic polynomial time algorithm for the WDH problem.

MapToPoint algorithm

• Convert arbitrary string $ID \in \{0,1\}^*$ to a point $Q_{ID} \in E/F_p$ of order q

• hash function $G: \{0,1\}^* \to F_p$

• Steps:
  – $y_0 = G(ID)$, $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p-1)/3}$
  – $Q = (x_0, y_0) \in E/F_p$, $Q_{ID} = 6Q$
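MapToPoint and the F_p addition formulas, run end to end on the curve y^2 = x^3 + 1 as an added example (not from the slides or the paper). The toy prime q = 17 (so p = 101), the SHA-256 based G, and the counter retry for the rare case 6Q = O are assumptions of this sketch.

```python
import hashlib

Q_ORDER = 17               # toy prime q (constructed; far too small for real use)
P_MOD = 6 * Q_ORDER - 1    # p = 6q - 1 = 101, a prime with p = 2 mod 3

def ec_add(P, Q):
    """P + Q on y^2 = x^3 + 1 over F_p (a = 0); None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return None                                  # P + (-P), or 2P with yP = 0
    if P == Q:
        s = 3 * xp * xp * pow(2 * yp, -1, P_MOD)     # doubling slope, a = 0
    else:
        s = (yp - yq) * pow(xp - xq, -1, P_MOD)      # chord slope
    xr = (s * s - xp - xq) % P_MOD
    return xr, (-yp + s * (xp - xr)) % P_MOD

def ec_mul(k, P):
    """Scalar multiplication kP by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def hash_G(data):
    """G: {0,1}* -> F_p; SHA-256 reduced mod p is an assumption of this sketch."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P_MOD

def lift_y(y0):
    """x0 = (y0^2 - 1)^((2p-1)/3), the unique cube root since p = 2 mod 3."""
    return pow(y0 * y0 - 1, (2 * P_MOD - 1) // 3, P_MOD), y0

def map_to_point(identity):
    """ID -> Q_ID = 6Q of order q; the counter retry is added, not on the slide."""
    for ctr in range(256):
        Q_id = ec_mul(6, lift_y(hash_G(identity + bytes([ctr]))))
        if Q_id is not None:       # 6Q = O only when Q has order dividing 6
            return Q_id
    raise ValueError("no point of order q found")
```

Every y0 in F_p lifts to exactly one curve point, and multiplying by the cofactor 6 clears everything except the order-q component.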

BasicIdent – Setup

• Use the elliptic curve group we already defined

• Choose arbitrary $P \in E/F_p$ of order q

• Pick random $s \in Z_q^*$ and set $P_{pub} = sP$

• Choose hash functions
  – $H: F_{p^2} \to \{0,1\}^n$
  – $G: \{0,1\}^* \to F_p$

• Message space $M = \{0,1\}^n$, ciphertext space is $C = E/F_p \times \{0,1\}^n$

• System parameters are $\langle p, n, P, P_{pub}, G, H \rangle$. Master-key is s.

BasicIdent (Cont’d)

• Extract (get private key from ID)
  1. Use MapToPoint to map ID to a point $Q_{ID}$
  2. Private key corresponding to ID is $d_{ID} = sQ_{ID}$

• Encrypt (encrypt M with ID)
  1. Use MapToPoint to map ID to a point $Q_{ID}$
  2. Choose random $r \in Z_q$
  3. $C = \langle rP, M \oplus H(g_{ID}^r) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in F_{p^2}$

BasicIdent (Cont’d)

• Decrypt (decrypt $C = \langle U, V \rangle$)
  – If U is not a point of order q, reject the ciphertext
  – Otherwise, $M = V \oplus H(\hat{e}(d_{ID}, U))$

• Why can M be recovered?

  $\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^r = g_{ID}^r$

  $V \oplus H(\hat{e}(d_{ID}, U)) = M \oplus H(g_{ID}^r) \oplus H(g_{ID}^r) = M$

FullIdent

• BasicIdent is not chosen ciphertext secure.

• Setup
  – In addition to BasicIdent, pick another two hash functions:
    • $H_1: \{0,1\}^n \times \{0,1\}^n \to F_q$
    • $G_1: \{0,1\}^n \to \{0,1\}^n$

• Extract
  – Same as BasicIdent

FullIdent (Cont’d)

• Encrypt (encrypt M using ID)
  1. Use MapToPoint to convert ID into point $Q_{ID}$
  2. Choose random $\sigma \in \{0,1\}^n$
  3. Set $r = H_1(\sigma, M)$
  4. $C = \langle rP, \sigma \oplus H(g_{ID}^r), M \oplus G_1(\sigma) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in F_{p^2}$

FullIdent (Cont’d)

• Decrypt (decrypt $C = \langle U, V, W \rangle$)
  1. Compute $V \oplus H(\hat{e}(d_{ID}, U)) = \sigma$
  2. Compute $W \oplus G_1(\sigma) = M$
  3. Set $r = H_1(\sigma, M)$
  4. If $U \neq rP$, reject.
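The BasicIdent and FullIdent algebra from the slides above, as an added example (not from the slides or the paper). It assumes a toy stand-in for the pairing in which a point aP is stored as the scalar a and ê(aP, bP) = ab mod q, so it offers no secrecy at all and only shows that decryption inverts encryption and that FullIdent's step-4 check rejects a modified ciphertext that BasicIdent accepts. The SHA-256 based H, G1, H1 and to_point are likewise assumptions.

```python
import hashlib, secrets

Q = 2**127 - 1   # prime order q of the toy group (constructed value)
N = 16           # message length n in bytes

def pair(a, b):
    """Toy ê: point aP is stored as a and ê(P,P)^c as c, so ê(aP, bP) = ab."""
    return a * b % Q

def _h(tag, *parts):
    return hashlib.sha256(tag + b"".join(parts)).digest()

# Hypothetical hash instantiations; to_point stands in for MapToPoint.
def to_point(ident): return 1 + int.from_bytes(_h(b"ID", ident), "big") % (Q - 1)
def H(g):            return _h(b"H", g.to_bytes(16, "big"))[:N]
def G1(sigma):       return _h(b"G1", sigma)[:N]
def H1(sigma, m):    return 1 + int.from_bytes(_h(b"H1", sigma, m), "big") % (Q - 1)
def xor(a, b):       return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = 1 + secrets.randbelow(Q - 1)
    return s, s                         # master key s and Ppub = sP (P stored as 1)

def extract(s, ident):
    return s * to_point(ident) % Q      # d_ID = s * Q_ID

def basic_encrypt(ppub, ident, m):
    r = 1 + secrets.randbelow(Q - 1)
    g_id = pair(to_point(ident), ppub)
    return r, xor(m, H(r * g_id % Q))   # <rP, M xor H(g_ID^r)>

def basic_decrypt(d_id, c):
    u, v = c
    return xor(v, H(pair(d_id, u)))     # M = V xor H(ê(d_ID, U))

def full_encrypt(ppub, ident, m):
    sigma = secrets.token_bytes(N)
    r = H1(sigma, m)                    # r is derived from (sigma, M), not random
    g_id = pair(to_point(ident), ppub)
    return r, xor(sigma, H(r * g_id % Q)), xor(m, G1(sigma))

def full_decrypt(d_id, c):
    """Returns M, or None when the re-encryption check U = rP fails."""
    u, v, w = c
    sigma = xor(v, H(pair(d_id, u)))
    m = xor(w, G1(sigma))
    return m if u == H1(sigma, m) else None
```

XORing a chosen mask into V of a BasicIdent ciphertext yields a valid encryption of M XOR mask, while the same change to W in FullIdent alters the recomputed r and the ciphertext is rejected.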

Extensions & Observations

• Tate pairing and other curves can improve the speed

• Distributed PKG

• IBE implies signatures
  – Master-key s is private key (sign)
  – Global system parameters are the public key (verify)
  – Signature of M: $sQ_M$
  – Verification: encrypt a random M’ using ID = M, then decrypt using $sQ_M$

Escrow ElGamal Encryption

• Setup
  – Use same elliptic curve
  – Pick a random $s \in Z_q$, $Q = sP$
  – Choose hash function $H: F_{p^2} \to \{0,1\}^n$
  – System parameters: $\langle p, n, P, Q, H \rangle$
  – s is the escrow key

• Keygen
  – User randomly chooses $x \in Z_q$ as private key
  – Public key is $P_{pub} = xP$

Escrow ElGamal Encryption (Cont’d)

• Encrypt
  – Pick random $r \in Z_q$
  – $C = \langle rP, M \oplus H(g^r) \rangle$ where $g = \hat{e}(P_{pub}, Q) \in F_{p^2}$

• Decrypt ($C = \langle U, V \rangle$)
  – $V \oplus H(\hat{e}(U, xQ)) = M$

• Escrow-decrypt
  – $V \oplus H(\hat{e}(U, sP_{pub})) = M$