Download
what is in a name n.
Skip this Video
Loading SlideShow in 5 Seconds..
What is in a name? PowerPoint Presentation
Download Presentation
What is in a name?

What is in a name?

125 Views Download Presentation
Download Presentation

What is in a name?

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. What is in a name? Identity-based cryptography

  2. How public-key crypto works • When you use public key cryptography, you can publish a value (public key) • If it is a public encryption scheme, anybody may send encrypted messages to you using that key • If it is a signature scheme, you may authenticate messages that anybody will be able to verify comes from you

  3. Whose public key? • You need to convey it to the other party, and in principle could just publish it. • However, it is a random-looking number; in order to establish its authenticity, a trusted path from you to the other party must be established • Most effectively done via certificates; a trusted authority attests to the key on your behalf (usually by signing it)

  4. 85B32 07E86 993A0 126B3 F1671

  5. “Adverse Network Effect” • If you want to send an encryption to someone else, and: • That person has not established a public key, or you don’t know what that is • You can’t afford to establish a physically-protected channel to send a shared key • You are out of luck • More generally, if too few people have public keys, public keys are not very useful, or not advertised, and so not too many people will have a reason to get one...

  6. You have a name... • What if you could use your own name as a public key? • You would need to get a corresponding private key • The function that extracts the private key from the public one must be a trapdoor function (can only be computed by someone who knows a secret value that enables computation, called a trapdoor)

  7. Identity-based Crypto Alice’s private key message encrypted under Alice’s name

  8. This talk’s plan • What is identity-based cryptography • First identity-based schemes • Identity-based encryption using traditional crypto • Identity-based encryption via pairings • Extensions • Self-certified schemes

  9. Shamir’s identification scheme • Shamir was interested in using smart-cards to implement strong identification schemes • Should be efficient • Should not use shared key (open environment) • Should use strong crypto • Does not use certificates

  10. Identity-based Identification • Smart-card issuer (SCI) is trusted • SCI’s scheme setup: • Generate two large primes, p and q. • Computes n = pq • Publishes n, keeps p, q secret. • Chooses a hash function • f: {0, 1}*  {0, 1, ..., n-1} • SCI initializes each smart card with the secret key of its owner.

  11. Issuing private keys • For each identity I, SCI: • Computes the values vj = f(I || j), forseveral j= 0, 1, ..., • Choose first k values that are squares modulo n (quadratic residues). • let sj be the square root of vj • sj2 = vj mod n • Smart card contains I,{sj}

  12. Identification protocol • Card sends to Server: I • S re-computes the vj • C computes random r, and also t = r2mod n • C sends to server: t • S replies with k-bit string (e1, .., ek) • C sends z = rs1e1s2e2 ... skek to S • S checks if z2 = tv1e1v2e2 ... vkek mod n

  13. Security: Key not leaked • If C could guess S’s challenge string (e1, e2, ..., ek), then: • C could choose z at random, and compute t = z2v1-e1v2-e2 ... vk-ek mod n • Respond to S’s challenge with z • If C could see the future, it could answer challenges correctly without knowing keys, therefore: • C’s answers reveal nothing about keys.

  14. Security: Key knowledge • C may still do as before so that it can answer one challenge correctly. • Can C answer correctly more than one challenge without knowing the sj ? • C would have to know how to answer: • z; z2 = tv1e1v2e2 ... vkek mod n; and • w; w2 = t·v1d1v2d2 ... vkdk mod n • (z/w)2 = v1e1-d1v2e2-d2 ... vkek-dk mod n • z/w =s1e1-d1s2e2-d2 ... skek-dk mod n

  15. Zero-Knowledge RSA Security/RSA Labs

  16. Identity-based encryption • Over the years, many identity-based schemes were developed for identification and signature • For nearly two decades, nobody knew how to do identity-based encryption • Then, pairings came along and changed everything, but • Let’s first see a scheme using square roots

  17. The Jacobi Symbol • The Jacobi Symbol for a natural number N has the following properties: • x J(x, N) is in {0, 1} • J(x, N) = 0  g.c.d.(x, N)  1. • J(xy, N) =J(x, N)  J(y, N) • J(x2, N) = 1 • J(x, N) = -1, for some x (hence for 50% of all x) • J(,N) is efficiently computable

  18. Clifford Cocks’ Scheme • Authority sets up the scheme • Generate two large primes, p and q. (p and q must be of the form 4k + 3) • Computes n = pq • Publishes n, keeps p, q secret. • Chooses a hash function • f: {0, 1}*  {0, 1, ..., n-1} • For user with identity I: • Compute f(I||0), f(I||1), ..., until: • J( f(I||k), n) = 1. This is the user’s public key.

  19. Private key • To find the private key, there is 50% chance that the public key A is a square mod n. • If not, -A is. • The private key B is the square root of either A or -A. Let’s suppose of A. • B2 = A mod n.

  20. To encrypt • Sender computes Receiver public key • S sends R one bit b =  1 (at a time) • S chooses random t such that • J(t, n) = b • sends s, where s = t + A/t mod n • Note that: • s = t(1 + A/t2) mod n • s + 2B = t(1 + 2B/t + A/t2) = t(1 + B/t)2

  21. To decrypt • R receives s, computes • J(s + 2B,n) = J(t,n) J((1 + B/t)2, n) = J(t, n) = b • If receiver does not know B, must solve s = t + A/t for t, or at least for J(t, n) • t2 + A - st = 0 mod n, ...

  22. Pairings-Based IBE • Pairings were first used in cryptography in “a constructive way” by A. Joux, who created a 3-party Diffie-Hellman key agreement protocol with no need to exchange messages. • Great excitement in the cryptographic community resulted from the discovery that pairings could also be used for an efficient identity-based encryption scheme.

  23. Cryptographic groups • Most public-key schemes are based on “cryptographic groups,” i.e., mathematical groups where the discrete-logarithm problem is hard. • (x, g) gx(easy) • (y, g) x; y = gx (hard)

  24. Pairing groups • A map • e: G1 G2  GT (same prime order p) • e(ga, hb) = e(g, h)ab (bilinearity) • g generates G1h generates G2 e(g,h) generates GT

  25. Boneh-Franklin Scheme • Trusted party chooses a secret s, and generator P inG1, set Pgroup (= Ps) • Each group member with identity I has public key QI = f(I), where • f: {0, 1}* G2. • Gets private key PI = QIs from T • Scheme also defines the message space as {0, 1}k , and a hash function • H: GT {0, 1}k

  26. Encrypting/decrypting • Someone wants to encrypt message M • C = A, B = Pr, MH( e(QI, Pgroup)r )  • To decrypt, intended receiver just computes: • Z = e(PI, A) = e(PI, Pr) = e(QIs, Pr) = e(QI, Pr)s = e(QI, Ps)r = e(QI, Pgroup)r • Then M = Z B • Another party would have to compute QIrfrom P, Pr, QI(hard!)

  27. Extensions • What can you do with identity-based encryption? • It can extract a secret key associated to any public string---not only a name • What about a date, such as “05/03/05” • What about your fingerprint?

  28. Timed-release encryption • The goal of timed-release encryption is to encrypt a message that can only be read at a future point in time. • One way is to use a one-way function (no decryption algorithm) and tune the hardness of the function so that it will be inverted in the time frame. • The other is to use IBE. Encrypt a message under name: “Alice Wonderlie||01/01/2031” and the trusted party will only release the secret key to alice in 2031.

  29. Application: Unwanted Will

  30. Questions ?

  31. A Few References • Adi Shamir: Identity-based cryptosystems and signature schemes. CRYPTO 1984. Pp: 47-53 • Clifford Cocks: An identity-based on quadratic residues, LNCS 2260, 2001. Pp: 360-363 • Antoine Joux: A One-round protocol for tri-partite Diffie-Hellman. J. Cryptology, 17(4), 2004, and Proc. of ANTS 2000, LNCS 1830, 2000. • Dan Boneh and Matt Franklin: Identity based encryption from the Weil pairing. SIAM J. of Computing, 32(3), 2003. Pp. 586-615, and CRYPTO 2001, LNCS 2139, 2001. Pp. 213-229.