
### What is in a name?

Identity-based cryptography

How public-key crypto works

- When you use public key cryptography, you can publish a value (public key)
- If it is a public encryption scheme, anybody may send encrypted messages to you using that key
- If it is a signature scheme, you can sign messages, and anybody will be able to verify that they come from you

Whose public key?

- You need to convey it to the other party, and in principle could just publish it.
- However, it is a random-looking number; in order to establish its authenticity, a trusted path from you to the other party must be established
- Most effectively done via certificates; a trusted authority attests to the key on your behalf (usually by signing it)

“Adverse Network Effect”

- If you want to send an encrypted message to someone else, and:
- That person has not established a public key, or you don’t know what it is
- You can’t afford to establish a physically-protected channel to send a shared key
- You are out of luck
- More generally, if too few people have public keys, public keys are not very useful (or not advertised), and so not too many people will have a reason to get one...

You have a name...

- What if you could use your own name as a public key?
- You would need to get a corresponding private key
- The function that derives the private key from the public one must be a trapdoor function: it can only be computed by someone who knows a secret value that enables the computation (the trapdoor)

This talk’s plan

- What is identity-based cryptography
- First identity-based schemes
- Identity-based encryption using traditional crypto
- Identity-based encryption via pairings
- Extensions
- Self-certified schemes

Shamir’s identification scheme

- Shamir was interested in using smart-cards to implement strong identification schemes
- Should be efficient
- Should not use shared key (open environment)
- Should use strong crypto
- Does not use certificates

Identity-based Identification

- Smart-card issuer (SCI) is trusted
- SCI’s scheme setup:
- Generates two large primes, p and q.
- Computes $n = pq$
- Publishes n, keeps p, q secret.
- Chooses a hash function
- $f: \{0, 1\}^* \to \{0, 1, \ldots, n-1\}$
- SCI initializes each smart card with the secret key of its owner.

Issuing private keys

- For each identity I, SCI:
- Computes the values $v_j = f(I \,\|\, j)$ for several $j = 0, 1, \ldots$
- Chooses the first k values that are squares modulo n (quadratic residues).
- Let $s_j$ be the square root of $v_j$:
- $s_j^2 = v_j \bmod n$
- Smart card contains $I, \{s_j\}$

Identification protocol

- Card (C) sends to Server (S): I
- S re-computes the $v_j$
- C computes random r, and also $t = r^2 \bmod n$
- C sends to server: t
- S replies with k-bit string $(e_1, \ldots, e_k)$
- C sends $z = r\, s_1^{e_1} s_2^{e_2} \cdots s_k^{e_k} \bmod n$ to S
- S checks if $z^2 = t\, v_1^{e_1} v_2^{e_2} \cdots v_k^{e_k} \bmod n$

Security: Key not leaked

- If C could guess S’s challenge string $(e_1, e_2, \ldots, e_k)$, then:
- C could choose z at random, and compute $t = z^2\, v_1^{-e_1} v_2^{-e_2} \cdots v_k^{-e_k} \bmod n$
- Respond to S’s challenge with z
- If C could see the future, it could answer challenges correctly without knowing keys, therefore:
- C’s answers reveal nothing about keys.

Security: Key knowledge

- C may still do as before so that it can answer one challenge correctly.
- Can C answer correctly more than one challenge without knowing the $s_j$?
- C would have to know how to answer:
- z, with $z^2 = t\, v_1^{e_1} v_2^{e_2} \cdots v_k^{e_k} \bmod n$; and
- w, with $w^2 = t\, v_1^{d_1} v_2^{d_2} \cdots v_k^{d_k} \bmod n$
- $(z/w)^2 = v_1^{e_1 - d_1} v_2^{e_2 - d_2} \cdots v_k^{e_k - d_k} \bmod n$
- $z/w = s_1^{e_1 - d_1} s_2^{e_2 - d_2} \cdots s_k^{e_k - d_k} \bmod n$
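The issuance and identification steps above, together with the "key not leaked" simulation argument, as an added Python example (not the slides' own code): it uses toy primes, SHA-256 in place of the unspecified hash f, and assumes the card sends the chosen indices j alongside I, since a server without p, q cannot find them itself.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration; p, q are both 3 mod 4 so the issuer can take square roots cheaply.
P, Q = 1019, 1031
N = P * Q
K = 4  # challenge bits per round; each extra bit halves a cheater's chance of guessing

def f(identity, j):
    """Public hash f: {0,1}* -> {0..n-1}; SHA-256 stands in for f (an assumption)."""
    return int.from_bytes(hashlib.sha256(f"{identity}||{j}".encode()).digest(), "big") % N

def sqrt_mod_n(v):
    """Issuer-only (needs p, q): (p+1)/4 trick per prime, recombined with the CRT."""
    rp, rq = pow(v, (P + 1) // 4, P), pow(v, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def issue_card(identity):
    """SCI: first K indices j whose v_j is a square mod n, with the roots s_j. The indices
    go on the card too: without p, q the server cannot pick them out itself (assumption)."""
    indices, roots, j = [], [], 0
    while len(roots) < K:
        s = sqrt_mod_n(f(identity, j))
        if s * s % N == f(identity, j):  # squares back to v_j, so v_j is a residue
            indices.append(j)
            roots.append(s)
        j += 1
    return indices, roots

def prod_pow(bases, exps):
    """prod bases[i]^exps[i] mod n; exps are challenge bits, negated bits invert."""
    out = 1
    for b, x in zip(bases, exps):
        out = out * pow(b, x, N) % N
    return out

def respond(r, roots, e):
    """Card: z = r * prod s_j^{e_j} mod n for the k challenge bits e (t = r^2 was sent first)."""
    return r * prod_pow(roots, e) % N

def verify(identity, indices, t, e, z):
    """Server: recompute v_j from the public hash; accept iff z^2 = t * prod v_j^{e_j} mod n."""
    vs = [f(identity, j) for j in indices]
    return pow(z, 2, N) == t * prod_pow(vs, e) % N

def simulate(identity, indices, e):
    """'Key not leaked' argument: given e in advance, pick z, set t = z^2 * prod v_j^(-e_j); (t, e, z) verifies with no s_j."""
    vs = [f(identity, j) for j in indices]
    z = secrets.randbelow(N - 1) + 1
    return pow(z, 2, N) * prod_pow(vs, [-bit for bit in e]) % N, z
```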

Zero-Knowledge

RSA Security/RSA Labs

Identity-based encryption

- Over the years, many identity-based schemes were developed for identification and signature
- For nearly two decades, nobody knew how to do identity-based encryption
- Then, pairings came along and changed everything, but
- Let’s first see a scheme using square roots

The Jacobi Symbol

- The Jacobi Symbol for a natural number N has the following properties:
- $\forall x$: $J(x, N) \in \{0, \pm 1\}$
- $J(x, N) = 0 \iff \gcd(x, N) \neq 1$.
- $J(xy, N) = J(x, N)\, J(y, N)$
- $J(x^2, N) = 1$
- $J(x, N) = -1$ for some x (hence for 50% of all x)
- $J(\cdot, N)$ is efficiently computable

Clifford Cocks’ Scheme

- Authority sets up the scheme
- Generates two large primes, p and q (p and q must be of the form $4k + 3$)
- Computes $n = pq$
- Publishes n, keeps p, q secret.
- Chooses a hash function
- $f: \{0, 1\}^* \to \{0, 1, \ldots, n-1\}$
- For user with identity I:
- Compute $f(I\|0), f(I\|1), \ldots$, until:
- $J(f(I\|k), n) = 1$. This value is the user’s public key.

Private key

- To find the private key: there is a 50% chance that the public key A is a square mod n.
- If not, $-A$ is.
- The private key B is the square root of either A or $-A$. Let’s suppose of A:
- $B^2 = A \bmod n$.

To encrypt

- Sender (S) computes Receiver’s (R) public key A
- S sends R one bit $b = \pm 1$ (at a time)
- S chooses random t such that
- $J(t, n) = b$
- sends s, where $s = t + A/t \bmod n$
- Note that:
- $s = t(1 + A/t^2) \bmod n$
- $s + 2B = t(1 + 2B/t + A/t^2) = t(1 + B/t)^2$

To decrypt

- R receives s, computes
- $J(s + 2B, n) = J(t, n)\, J((1 + B/t)^2, n) = J(t, n) = b$
- If the receiver does not know B, it must solve $s = t + A/t$ for t, or at least for $J(t, n)$:
- $t^2 + A - st = 0 \bmod n$, ...
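Cocks' scheme end to end, as an added Python example that is not from the slides: Jacobi symbol, key extraction, and one-bit encrypt/decrypt, with toy primes and SHA-256 standing in for f. It goes slightly beyond the slides' "suppose B is a root of A" simplification by also sending the second ciphertext built with $-A$ that the full scheme needs, since the sender cannot know which of A, $-A$ is the square.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration; p, q are both 3 mod 4, so J(-1, n) = 1.
P, Q = 1019, 1031
N = P * Q

def jacobi(a, n):
    """Jacobi symbol J(a, n) for odd n > 0, computed without factoring n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def public_key(identity):
    """f(I||k) for k = 0, 1, ... until J(A, n) = 1 (SHA-256 stands in for f, an assumption)."""
    k, a = 0, 0
    while jacobi(a, N) != 1:
        a, k = int.from_bytes(hashlib.sha256(f"{identity}||{k}".encode()).digest(), "big") % N, k + 1
    return a

def private_key(a):
    """Authority (knows p, q): square root B of A, or of -A when A is not a residue mod n."""
    for cand in (a, (-a) % N):
        rp, rq = pow(cand, (P + 1) // 4, P), pow(cand, (Q + 1) // 4, Q)
        b = (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N  # CRT recombination
        if b * b % N == cand:
            return b

def encrypt_bit(a, bit):
    """Sender: b = +1 for bit 1, -1 for bit 0; s = t + A/t mod n with J(t, n) = b. A twin built
    with -A is sent too, since the sender cannot tell which of A, -A the receiver has a root of."""
    b, s = (1 if bit else -1), []
    for aa in (a, (-a) % N):
        t = secrets.randbelow(N - 1) + 1
        while jacobi(t, N) != b:  # resample until J(t, n) = b (this also forces gcd(t, n) = 1)
            t = secrets.randbelow(N - 1) + 1
        s.append((t + aa * pow(t, -1, N)) % N)
    return tuple(s)

def decrypt_bit(a, b_key, ct):
    """Receiver: pick the twin matching its root and read b = J(s + 2B, n) = J(t, n)."""
    s = ct[0] if b_key * b_key % N == a else ct[1]
    return 1 if jacobi((s + 2 * b_key) % N, N) == 1 else 0
```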

Pairings-Based IBE

- Pairings were first used in cryptography in “a constructive way” by A. Joux, who created a 3-party Diffie-Hellman key agreement protocol with no need to exchange messages.
- Great excitement in the cryptographic community resulted from the discovery that pairings could also be used for an efficient identity-based encryption scheme.

Cryptographic groups

- Most public-key schemes are based on “cryptographic groups,” i.e., mathematical groups where the discrete-logarithm problem is hard.
- $(x, g) \mapsto g^x$ (easy)
- $(y, g) \mapsto x$ with $y = g^x$ (hard)

Pairing groups

- A map
- $e: G_1 \times G_2 \to G_T$ (all of the same prime order p)
- $e(g^a, h^b) = e(g, h)^{ab}$ (bilinearity)
- g generates $G_1$, h generates $G_2$ $\Rightarrow$ $e(g, h)$ generates $G_T$

Boneh-Franklin Scheme

- Trusted party T chooses a secret s and a generator P of $G_1$, and sets $P_{group} = P^s$
- Each group member with identity I has public key $Q_I = f(I)$, where
- $f: \{0, 1\}^* \to G_2$.
- Gets private key $P_I = Q_I^s$ from T
- Scheme also defines the message space as $\{0, 1\}^k$, and a hash function
- $H: G_T \to \{0, 1\}^k$

Encrypting/decrypting

- Someone wants to encrypt message M, and picks a fresh r
- $C = \langle A, B \rangle = \langle P^r,\; M \oplus H(e(Q_I, P_{group})^r) \rangle$
- To decrypt, the intended receiver just computes:
- $Z = e(P_I, A) = e(P_I, P^r) = e(Q_I^s, P^r) = e(Q_I, P^r)^s = e(Q_I, P^s)^r = e(Q_I, P_{group})^r$
- Then $M = B \oplus H(Z)$
- Another party would have to compute $Q_I^r$ from $P, P^r, Q_I$ (hard!)

Extensions

- What can you do with identity-based encryption?
- It can extract a secret key associated with any public string, not only a name
- What about a date, such as “05/03/05”
- What about your fingerprint?

Timed-release encryption

- The goal of timed-release encryption is to encrypt a message that can only be read at a future point in time.
- One way is to use a one-way function (no decryption algorithm) and tune the hardness of the function so that it will be inverted in the time frame.
- The other is to use IBE. Encrypt a message under the name “Alice Wonderlie||01/01/2031”, and the trusted party will only release the secret key to Alice in 2031.

A Few References

- Adi Shamir: Identity-based cryptosystems and signature schemes. CRYPTO 1984. Pp. 47-53.
- Clifford Cocks: An identity based encryption scheme based on quadratic residues. LNCS 2260, 2001. Pp. 360-363.
- Antoine Joux: A one round protocol for tripartite Diffie-Hellman. J. Cryptology, 17(4), 2004, and Proc. of ANTS 2000, LNCS 1830, 2000.
- Dan Boneh and Matt Franklin: Identity based encryption from the Weil pairing. SIAM J. of Computing, 32(3), 2003. Pp. 586-615, and CRYPTO 2001, LNCS 2139, 2001. Pp. 213-229.
