PowerPoint Slideshow about 'What is in a name' - hideaki

What is in a name?

Identity-based cryptography

How public-key crypto works
  • When you use public key cryptography, you can publish a value (public key)
  • If it is a public encryption scheme, anybody may send encrypted messages to you using that key
  • If it is a signature scheme, you may authenticate messages, and anybody will be able to verify that they come from you
Whose public key?
  • You need to convey it to the other party, and in principle could just publish it.
  • However, it is a random-looking number; in order to establish its authenticity, a trusted path from you to the other party must be established
  • Most effectively done via certificates; a trusted authority attests to the key on your behalf (usually by signing it)






“Adverse Network Effect”
  • If you want to send an encrypted message to someone else, and:
    • That person has not established a public key, or you don’t know what it is
    • You can’t afford to establish a physically-protected channel to send a shared key
  • Then you are out of luck
  • More generally, if too few people have public keys, public keys are not very useful, or not advertised, and so not too many people will have a reason to get one...
You have a name...
  • What if you could use your own name as a public key?
  • You would need to get a corresponding private key
  • The function that extracts the private key from the public one must be a trapdoor function (can only be computed by someone who knows a secret value that enables computation, called a trapdoor)
Identity-based Crypto

[Figure labels: “Alice’s private”; “message encrypted under Alice’s name”]

This talk’s plan
  • What is identity-based cryptography
  • First identity-based schemes
  • Identity-based encryption using traditional crypto
  • Identity-based encryption via pairings
  • Extensions
  • Self-certified schemes
Shamir’s identification scheme
  • Shamir was interested in using smart-cards to implement strong identification schemes
  • Should be efficient
  • Should not use shared key (open environment)
  • Should use strong crypto
  • Does not use certificates
Identity-based Identification
  • Smart-card issuer (SCI) is trusted
  • SCI’s scheme setup:
    • Generates two large primes, p and q.
    • Computes n = pq.
    • Publishes n, keeps p, q secret.
    • Chooses a hash function
      • $f: \{0, 1\}^* \to \{0, 1, \ldots, n-1\}$
  • SCI initializes each smart card with the secret key of its owner.
Issuing private keys
  • For each identity I, SCI:
    • Computes the values $v_j = f(I \| j)$, for several $j = 0, 1, \ldots$
    • Chooses the first k values that are squares modulo n (quadratic residues).
    • Lets $s_j$ be the square root of $v_j$:
      • $s_j^2 = v_j \bmod n$
    • Smart card contains $I, \{s_j\}$
Identification protocol
  • Card (C) sends to Server (S): I
  • S re-computes the $v_j$
  • C computes random r, and also $t = r^2 \bmod n$
  • C sends to server: t
  • S replies with k-bit string $(e_1, \ldots, e_k)$
  • C sends $z = r\, s_1^{e_1} s_2^{e_2} \cdots s_k^{e_k}$ to S
  • S checks if $z^2 = t\, v_1^{e_1} v_2^{e_2} \cdots v_k^{e_k} \bmod n$
Security: Key not leaked
  • If C could guess S’s challenge string $(e_1, e_2, \ldots, e_k)$, then:
  • C could choose z at random, and compute $t = z^2 v_1^{-e_1} v_2^{-e_2} \cdots v_k^{-e_k} \bmod n$
  • Respond to S’s challenge with z
  • If C could see the future, it could answer challenges correctly without knowing keys, therefore:
    • C’s answers reveal nothing about keys.
Security: Key knowledge
  • C may still do as before so that it can answer one challenge correctly.
  • Can C answer more than one challenge correctly without knowing the $s_j$?
  • C would have to know how to answer:
    • $z$; $z^2 = t\, v_1^{e_1} v_2^{e_2} \cdots v_k^{e_k} \bmod n$; and
    • $w$; $w^2 = t \cdot v_1^{d_1} v_2^{d_2} \cdots v_k^{d_k} \bmod n$
    • $(z/w)^2 = v_1^{e_1-d_1} v_2^{e_2-d_2} \cdots v_k^{e_k-d_k} \bmod n$
    • $z/w = s_1^{e_1-d_1} s_2^{e_2-d_2} \cdots s_k^{e_k-d_k} \bmod n$
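The identification scheme and both security arguments above, as an added Python example (not code from the presentation). Assumptions: SHA-256 reduced mod n stands in for f, the demo primes are constructed and of the form 4k + 3 so that square roots are easy to compute, and the card publishes the indices j it uses along with I so the server can recompute the v_j.

```python
import hashlib
import secrets

P, Q = 2**89 - 1, 2**127 - 1   # constructed demo primes (both 3 mod 4); SCI's secret
N, K = P * Q, 8                # public modulus n, number of secrets k

def f(identity, j):
    """f: {0,1}* -> {0, ..., n-1}; SHA-256 reduced mod n is an assumption."""
    digest = hashlib.sha256(f"{identity}||{j}".encode()).digest()
    return int.from_bytes(digest, "big") % N

def issue_card(identity):
    """SCI: first k indices j with v_j a square mod n, each with its root s_j."""
    card, j = [], 0
    while len(card) < K:
        v = f(identity, j)
        # Euler's criterion modulo each prime (requires knowing p and q).
        if pow(v, (P - 1) // 2, P) == 1 and pow(v, (Q - 1) // 2, Q) == 1:
            rp, rq = pow(v, (P + 1) // 4, P), pow(v, (Q + 1) // 4, Q)
            card.append((j, rp + P * ((rq - rp) * pow(P, -1, Q) % Q)))  # CRT
        j += 1
    return card

def product(values, bits):
    """Product mod n of the values whose challenge bit is 1."""
    out = 1
    for x, e in zip(values, bits):
        out = out * x % N if e else out
    return out

def respond(card, r, e):
    """Card: z = r * s_1^e_1 ... s_k^e_k mod n."""
    return r * product([s for _, s in card], e) % N

def verify(identity, indices, t, e, z):
    """Server: recompute the v_j and check z^2 = t * v_1^e_1 ... v_k^e_k mod n."""
    v = [f(identity, j) for j in indices]
    return pow(z, 2, N) == t * product(v, e) % N

def simulate(identity, indices, e):
    """No secrets, challenge e known in advance: choose z, then solve for t."""
    v = [f(identity, j) for j in indices]
    z = secrets.randbelow(N - 1) + 1
    return z * z * pow(product(v, e), -1, N) % N, z

def ratio(z, w):
    """Two accepted answers to one t: z/w = s_1^(e_1-d_1) ... s_k^(e_k-d_k)."""
    return z * pow(w, -1, N) % N
```

`simulate` produces an accepting transcript without any s_j, which is the "key not leaked" argument; `ratio` applied to two answers whose challenges differ in a single bit returns that bit's s_j, which is the "key knowledge" argument.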
Zero knowledge

RSA Security/RSA Labs

Identity-based encryption
  • Over the years, many identity-based schemes were developed for identification and signature
  • For nearly two decades, nobody knew how to do identity-based encryption
  • Then, pairings came along and changed everything, but
    • Let’s first see a scheme using square roots
The Jacobi Symbol
  • The Jacobi Symbol for a natural number N has the following properties:
  • $\forall x$: $J(x, N)$ is in $\{0, \pm 1\}$
  • $J(x, N) = 0 \iff \gcd(x, N) \neq 1$.
  • $J(xy, N) = J(x, N) \cdot J(y, N)$
  • $J(x^2, N) = 1$
  • $J(x, N) = -1$, for some x (hence for 50% of all x)
  • $J(\cdot, N)$ is efficiently computable
Clifford Cocks’ Scheme
  • Authority sets up the scheme
    • Generates two large primes, p and q (p and q must be of the form 4k + 3).
    • Computes n = pq.
    • Publishes n, keeps p, q secret.
    • Chooses a hash function
      • $f: \{0, 1\}^* \to \{0, 1, \ldots, n-1\}$
  • For user with identity I:
    • Compute $f(I \| 0), f(I \| 1), \ldots$, until:
    • $J(f(I \| k), n) = 1$. This is the user’s public key.
Private key
  • To find the private key, there is 50% chance that the public key A is a square mod n.
    • If not, -A is.
  • The private key B is the square root of either A or -A. Let’s suppose it is of A.
    • $B^2 = A \bmod n$.
To encrypt
  • Sender (S) computes the Receiver’s (R) public key
  • S sends R one bit $b = \pm 1$ (at a time)
  • S chooses random t such that
    • $J(t, n) = b$
    • sends s, where $s = t + A/t \bmod n$
  • Note that:
    • $s = t(1 + A/t^2) \bmod n$
    • $s + 2B = t(1 + 2B/t + A/t^2) = t(1 + B/t)^2$
To decrypt
  • R receives s, computes
  • $J(s + 2B, n) = J(t, n) \cdot J((1 + B/t)^2, n) = J(t, n) = b$
  • If receiver does not know B, must solve $s = t + A/t$ for t, or at least for $J(t, n)$
  • $t^2 + A - st = 0 \bmod n$, ...
Pairings-Based IBE
  • Pairings were first used in cryptography in “a constructive way” by A. Joux, who created a 3-party Diffie-Hellman key agreement protocol with no need to exchange messages.
  • Great excitement in the cryptographic community resulted from the discovery that pairings could also be used for an efficient identity-based encryption scheme.
Cryptographic groups
  • Most public-key schemes are based on “cryptographic groups,” i.e., mathematical groups where the discrete-logarithm problem is hard.
  • (x, g) gx(easy)
  • (y, g) x; y = gx (hard)
Pairing groups
  • A map
    • $e: G_1 \times G_2 \to G_T$ (same prime order p)
  • $e(g^a, h^b) = e(g, h)^{ab}$ (bilinearity)
  • $g$ generates $G_1$, $h$ generates $G_2$ $\Rightarrow$ $e(g, h)$ generates $G_T$
Boneh-Franklin Scheme
  • Trusted party (T) chooses a secret $s$ and a generator $P$ in $G_1$, and sets $P_{group} = P^s$
  • Each group member with identity I has public key $Q_I = f(I)$, where
    • $f: \{0, 1\}^* \to G_2$.
  • Gets private key $P_I = Q_I^s$ from T
  • Scheme also defines the message space as $\{0, 1\}^k$, and a hash function
    • $H: G_T \to \{0, 1\}^k$
Encrypting / decrypting
  • Someone wants to encrypt message M
    • $C = \langle A, B \rangle = \langle P^r,\ M \oplus H(e(Q_I, P_{group})^r) \rangle$
  • To decrypt, intended receiver just computes:
    • $Z = e(P_I, A) = e(P_I, P^r) = e(Q_I^s, P^r) = e(Q_I, P^r)^s = e(Q_I, P^s)^r = e(Q_I, P_{group})^r$
  • Then $M = H(Z) \oplus B$
  • Another party would have to compute $Q_I^r$ from $P$, $P^r$, $Q_I$ (hard!)
  • What can you do with identity-based encryption?
  • It can extract a secret key associated to any public string, not only a name
  • What about a date, such as “05/03/05”?
  • What about your fingerprint?
Timed-release encryption
  • The goal of timed-release encryption is to encrypt a message that can only be read at a future point in time.
  • One way is to use a one-way function (no decryption algorithm) and tune the hardness of the function so that it will be inverted in the time frame.
  • The other is to use IBE. Encrypt a message under the name “Alice Wonderlie||01/01/2031”, and the trusted party will only release the secret key to Alice in 2031.
A Few References
  • Adi Shamir: Identity-based cryptosystems and signature schemes. CRYPTO 1984. Pp: 47-53
  • Clifford Cocks: An identity based encryption scheme based on quadratic residues. LNCS 2260, 2001. Pp: 360-363
  • Antoine Joux: A One-round protocol for tri-partite Diffie-Hellman. J. Cryptology, 17(4), 2004, and Proc. of ANTS 2000, LNCS 1830, 2000.
  • Dan Boneh and Matt Franklin: Identity based encryption from the Weil pairing. SIAM J. of Computing, 32(3), 2003. Pp. 586-615, and CRYPTO 2001, LNCS 2139, 2001. Pp. 213-229.