criptografIa_asimetrica.pdf

Cryptography

CryptographicToolsSymmetric-keycryptography

Public-keycryptography

Hash Functions

Key Distribution

Digital Certificates

Hash constructions

ClassicAsymmetricCrytographyMultiplicative Groups

DH & ElGamal

Elliptic CurvesDefinition

Multiplying Points

EC over Fp

ECCDigital Signature

Key Exchange

Encryption Scheme

Identity-basedcryptographyIntroduction

Bilinear Pairings

Boneth andFranklin’s IBE

Cha & Cheon’s IBS

Cryptography

Dr. Jose L. MuñozTelematics Engineering

Universitat Politècnica de Catalunya (UPC)

Version: 11 2011-02-21 19:27:38Z 1/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Outline1 Cryptographic Tools

Symmetric-key cryptographyPublic-key cryptographyHash FunctionsKey DistributionDigital CertificatesHash constructions

2 Classic Asymmetric CrytographyMultiplicative GroupsDH & ElGamal

3 Elliptic CurvesDefinitionMultiplying PointsEC over Fp

4 ECCDigital SignatureKey ExchangeEncryption Scheme

5 Identity-based cryptographyIntroductionBilinear PairingsBoneth and Franklin’s IBECha & Cheon’s IBS

2/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Symmetric-key cryptography I

• Symmetric-key cryptography is sometimes also calledsecret-key cryptography.

• Symmetric-key encryption involves using a single key Kto encrypt and to decrypt data.

• The sender and the recipient share the knowledge of asecret key that is used to encrypt and decrypt themessages exchanged between them.

• Formally:• The message M is encrypted by applying the symmetric

algorithm S to M using the key K :C = SK (M)

• The secret message C is decrypted by applying theinverse algorithm S−1 to the secret message C with thekey K :M = S−1

K (C)

3/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Symmetric-key cryptography II

• DES [?] (Digital Encryption Standard) and its extendedversion Triple-DES [?] (3DES) have been the mostpopular symmetric-key systems during many years.

• Recently, the AES [?] (Advanced Encryption Standard)has been designated as the successor of DES.

• Generally speaking, symmetric-key systems aresimpler and faster than the public-key ones.

• Their main drawback is that the two parties mustsomehow exchange the symmetric key in a secure way,this problem is relevant for large scenarios and it is isknown as the “key distribution problem”.

4/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Asymmetric-key cryptography I

• Public-key cryptography (PKC) is asymmetric.• It involves the use of two separate keys, in contrast to

the symmetric cryptography, which uses only one key.• One of these keys is “public” i.e., known by everybody.• The other key is “private” i.e., secret.• The public-key cryptography makes easier the key

distribution problem because the public key can bedistributed without keeping it secret, and the private keyis never transmitted.

• Diffie and Hellman postulated the conditions that apublic-key system must fulfill [?]:

1 It is computationally easy for a party B to generate apair: (public key KUB, private key KRB).

5/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Asymmetric-key cryptography II

2 It is computationally easy for a sender A, knowing thepublic key and the message to be encrypted, M, togenerate the corresponding ciphertextC = EKUB (M)

3 It is computationally easy for the receiver B to decryptthe resulting cipher text using the private key to recoverthe original message.M = DKRB (C) = DKRB [EKUB (M)]

4 It is computationally infeasible for an opponent, knowingthe public key, KUB, to determinate the private key, KRB.

5 It is computationally infeasible for an opponent, knowingthe public key, KUB, and a ciphertext, C, to recover theoriginal message, M.

6/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Asymmetric-key cryptography III

• There are also public-key systems that meet anotherinteresting property: either of the two related keys canbe used for encryption, with the other used fordecryption:M = DKRB [EKUB (M)] = DKUB [EKRB (M)]

• Depending on the application, the sender uses eitherthe sender’s private key or the receiver’s public key, orboth, to perform some type of cryptographic function.

7/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Asymmetric-key cryptographyIV

• Public-key systems are mainly used for the followingpurposes:Encryption– The sender encrypts a message with the

recipient’s public key.Digital signatures– A digital signature emulates a real,

physical signature by generating a digitalproof that only the creator/ sender of amessage can make, but everyone canidentify as belonging to the creator. Anencryption under the private key of thecreator serves as a signature that only theowner of the private key can create, buteveryone with the public key can verify.The encryption (signature) can be appliedto the complete message or to a small

8/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Asymmetric-key cryptography Vblock of data that is a function of themessage.

Key exchange– Two parties cooperate to exchange asession key (symmetric key). Severaldifferent approaches are possible,involving the private key(s) of one or bothparties.

• Some public-key algorithms are suitable for all threeapplications, whereas others can be used only for oneor two of these applications. The most famouspublic-key algorithm is RSA [?] (Rivest ShamirAdleman) which can be used for all three applications,whereas DSS [?] (Digital Signature Standard) is widelyused but only can be used for signing and DH [?] (DiffieHellman) can be used only for key exchange.

9/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Hash functions

• Used in informatics in efficient database searching• Post direction searching:

• “6th avenue, 329, New York “• Efficient searching with a hash function:

• Example:• Use of ASCII code for every letter: 6=54, t=116...• The sum of all letters in ASCII code is: 1785• Has moves between 0 and 999. For hash obtainment,

hash = 1785mod1000 = 785• Direction hash is 785• Search in database the 785th entry• There are collisions!

10/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

One Way Hash Functions(OWHF) I

• In security, we use non-invertible hash funcions alsocalled One Way Hash Functions (OWHF).

• A OWHF is a function that takes a variable length input(pre-image), and computes a fixed-length output string(which is usually smaller than the pre-image) called thehash value, digest or check value.

• Given the hash it is computationally infeasible to find amessage (pre-image) with that hash.

• In fact, one can’t determine any usable informationabout a message with that hash, not even a single bit.

• For some OWHFs it is also computationally impossibleto determine two messages which produce the samehash.

11/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

One Way Hash Functions(OWHF) II

• One important role of OWHFs in cryptography is in theprovision of digital signatures.

• Since hash functions are generally much faster thandigital signature algorithms, it is typical to compute thedigital signature to some document by computing thesignature on the document’s hash value, which is smallcompared to the document itself.

• Additionally, a digest can be made public withoutrevealing the contents of the document from which it isderived.

• A hash function H must have the following properties:1 H can be applied to a block of data of any size.2 H produces a fixed-length output.

12/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

One Way Hash Functions(OWHF) III

3 H(M) is relatively easy to compute for any given M,making both hardware and software implementationspractical.

4 For any given digest m, it is computationally infeasibleto find M such that H(M) = m.

5 For any given the message M, it is computationallyinfeasible to find another message M ′ 6= M withH(M ′) = H(M).

6 It is computationally infeasible to find any pair (M,M ′)such that H(M) = H(M ′).

• Examples of well-known hash functions are MD5 [?]and SHA-1 (Secure Hash Algorithm-1) [?].

• Now, we also have SHA-256, SHA-512, etc.

13/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Symmetric keys distribution I

Alice TrudyKpuA

KpuT <<KpuB>>

spoofing attack

Alice BobKpuA

KpuB

Alice BobC(KpuB,M1)

C(KpuA,M2)

Trivial approximation

14/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Symmetric keys distribution II• Trivial solution: If there is

N users, there must beestablished N2 secretshared keys.

• N2 is not scalable. Howto do this in a sharednetwork?

• There must be trustedintermediaries

• trusted intermediariesare known as KeyDistribution Center(KDC)is symmetriccryptography

N users→ N · (N − 1)relations

• Alice and Bob need a shared symmetric key

15/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Symmetric keys distribution III

• KDC shares a symmetric key with each registeredusers

• Alice and Bob know only their symmetric shared keywith KDC

• If there are N users, there are N sharedkeys(User-KDC)

KX-KDCKB-KDC

KA-KDC

KA-KDC

KDC

16/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Symmetric keys distribution IV

KB-KDC(A,Ks)

AliceBob

Alice y Bob can communicate each other using KS as a symmetric key

The most simple protocol is next:

KDCK A-KDC(A,B)

KA-KDC(Ks , KB-KDC(A, Ks) )

KS generated

How is shared key created?

17/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Public key announcement I

AliceTrudy

KpuA

KpuT <<KpuB>>

Attack Men in the-Middle

Bob

KpuB

KpuT <<KpuA>>

C(KpuT,M1) C(KpuB,M1’)

C(KpuA,M2’) C(KpuT,M2)

M1’=f (M1)

M2’=f (M2)

18/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Public key announcement II

• If keys exchange is done with the trivial approximationthrough a KDC, there are the same attacks that in aone-to-one exchange.

• The attack is a more complex because a Bob and KDCspoofing is needed.

• It can be done by changing the DNS

KDC

Alice

Bob

19/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Public keys exchange with anintermediary and digital

signatures

CA

Req?Bob

C(KprCA,{Bob,KpuB})Alice

Bob

• In this case, theintermediary is calledCertificationAuthority(CA)

• The CA signs public keysthat validate with keyowner identity

20/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Certificates I

• A certificate is a digital document that connectscryptographically a identity w with a public key

• This relation is done with a digital signature• Certificates are emitted by a third trusted party called

Certification Authority(CA)• We can automatically trust with CA certificated users• With certificates, Men in the middle attack is neutralized

in public keys distribution• The only key that we must to confirm is the CA public

key• Public CA key is distributed with an auto-signed

certificate:• CA demonstrates that it knows its private key. Public

key transport is done with a certificate (standard way)

21/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Certificates II

• Auto-signed certificates are called root certificates, andtheir CA is called root CA

CRL’slong/short-lived.Attribute certificates!

22/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Hash Chains

A hash chain results from applying d + 1 times a hash “h”over a secret nonce R:

R h−→Rd

h−→Rd−1

h−→ · · · h

−→R hi −→ · · · R1

h−→R0

primaryValue (R) is the secret nonce (the beginning of the hash chain). R isonly known by the generator.

currentIndex (i) is the current index of the chain.

maximumIndex (d) is the length of the chain.

baseValue (R0) is the last value of the hash chain. This value is typicallyauthenticated by some method like a digital signature. R0 iscomputed by applying (d + 1) times h over R:R0 = hd+1(R)

currentUpdateValue (Ri ) is computed by applying (d + 1− i) times h over R:Ri = hd+1−i (R)

Checking equation:R0 = hi (Ri ) with i ≤ d

23/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Examples: Hash Chains

• One-time Passwords.• H-OCSP.• Novomodo.• Authentication of distance.• TESLA.

24/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Hash Trees I

The MHT [?] relies on the properties of the OWHF (OneWay Hash Functions). It exploits the fact that an OWHF is atleast 10,000 times faster to compute than a digitalsignature, so the majority of the cryptographic operationsperformed in the revocation system are hash functionsinstead of digital signatures.

N1,0

N0,0 N0,1

N1,1

N0,2 N0,3

N2,0

H 1,0 H 1,1 h ( H | H )h ( H | H )

H 0,0 0h ( c ) H 0,1 1h ( c ) H 0,2 2h ( c ) H 0,3 3h ( c )

H root= H 2,0 h ( H | H )= 1,11,0

= =0,10,0 0,30,2

= = = =

25/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Hash Trees IIWe denote by Ni,j the nodes within the MHT where i and jrepresent respectively the i-th level and the j-th node. Wedenote by Hi,j the cryptographic variable stored by node Ni,j .Nodes at level 0 are called “leaves” and they represent thedata stored in the tree. In the case of revocation, leavesrepresent the set Φ of certificates that have been revoked,

Φ = {c0, c1, . . . , cj , . . . , cn} . (1)

where cj is the data stored by leaf N0,j . Then, H0,j iscomputed as (2)

H0,j = h(cj) . (2)

where h is a OWHF.To build the MHT, a set of t adjacent nodes at a given level i ;Ni,j , Ni,j+1, . . . ,Ni,j+t−1, are combined into one node in the

26/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Hash Trees III

upper level, which we denote by Ni+1,k . Then, Hi+1,k isobtained by applying h to the concatenation of the tcryptographic variables (3)

Hi+1,k = h(Hi,j |Hi,j+1| . . . |Hi,j+t−1). (3)

At the top level there is only one node called the “root”. Hrootis a digest for all the data stored in the MHT.The sample MHT of Figure ?? is a binary tree becauseadjacent nodes are combined in pairs to form a node in thenext level (t = 2) and Hroot = H2,0.

DefinitionThe Digest is defined asDigest = {DNRDI , Hroot , Validity Period}SIGRDI

27/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Hash Trees IVDefinitionThe Pathcj is defined as the set of cryptographic valuesnecessary to compute Hroot from the leaf cj .

Notice that the Digest is trusted data because it is signed bythe RDI and it is unique within the tree while Path isdifferent for each leaf.If the MHT provides a response with the proper Pathcj andthe MHT Digest, an End Entity can verify whether cj ∈ Φ.Let us suppose that a certain user wants to find out whetherc1 belongs to the sample MHT of Figure ??. Then,Pathc1 = {N0,0,N1,1}Digest = {DNRDI , H2,0, Validity Period}SIGRDI

The response verification consists in checking that H2,0computed from the Pathc1 matches H2,0 included in theDigest,

28/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Hash Trees V

Hroot = H2,0 = h(h(h(c1)|H0,0)|H1,1) . (4)

Notice that the MHT can be built by a TTP (RDI) anddistributed to a repository because a leaf cannot be addedor deleted to Φ without modifying Hroot

1 which is included inthe Digest and as the Digest is signed, it cannot be forgedby a non-TTP.

1To do such a thing, an attacker needs to find a pre-image of a OWHFwhich is computationally infeasible by definition.

29/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Examples: Hash Trees

• Certificate issuation.• Revocation.• P2P corruption.• 2-3 tree, binary, or ranges (adjacency checking).

30/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS







31/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Groups

• A group G is an algebraic structure consisting of a setof elements and an operation.

• The operation combines two group elements to form athird element of the group.

• A group is cyclic if it can be generated by operatingwith a single element g.

• In this case, g is called a generator of the group.• < g > means the group or subgroup generated by g.• In a multiplicative group, the operation is written as a

multiplication.• Formally, G =< g >= {gn where n is an integer}.• We define the order of a group as its number of

elements.

32/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Modular MultiplicationLet us consider: a · b m«od q .

For each value of b, we take a = 1,2, ..q − 1.

q = 6b = 2 : {2 4 0 2 4}b = 3 : {3 0 3 0 3}b = 4 : {4 2 0 4 2}b = 5 : {5 4 3 2 1}

Only the element 5has inverse.

q = 7b = 2 : {2 4 6 1 3 5}b = 3 : {3 6 2 5 1 4}b = 4 : {4 1 5 2 6 3}b = 5 : {5 3 1 6 4 2}b = 6 : {6 5 4 3 2 1}

All the elements haveinverse.

• In general, only the co-primes of q have inverse.• Two integers are co-primes if they have no common

positive factors other than 1.

33/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Co-primes have Inverse

• Given two co-prime integers a,b, with b > a, we canstate that:∃α | aα ≡ 1 m«od b

• I.e. a has an inverse modulo b: a−1 = α.• Proof:

1 lcm(a,b) = ab2 Notice that if aγ ≡ 0 m«od b, then γ = b is the smallest

possible γ.3 Now, if we take n 6= m and 0 ≤ m,n ≤ b, then:

ma 6≡ na m«od bBy contradiction. If ma ≡ na m«od b then,a(m − n) ≡ 0 m«od bThus, (m − n) ≥ b, which contradicts statement 2.

4 Finally, by the pigeonhole principle, as all the terms“an m«od b ”are different values for 0 ≤ n < b one ofthese terms must be 1.

34/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Notation

• We note Zq as the finite set of integers modulo q:Zq = {0,1,2, ...,q − 1}.

• We note Z∗q as the set of invertible elements of Zq.• As mentioned, Z∗q is the set of integers (congruence

classes modulo n) k ∈ {1, ..,n − 1} with the propertythat gcd(k ,n) = 1.

• Examples: Z∗6 = {5} or Z∗12 = {1,5,7,11}.• If q is prime, then: Z∗q = {1,2, ...,q − 1} (notice that “0”

is not included).

35/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Multiplicative Groups I

• Let’s repeat the multiplication of a number g ∈ Z∗q:

g i m«od q .

• For example, let’s use each value g ∈ Z∗11:g = 2 : {2 4 8 5 10 9 7 3 6 1 }g = 3 : {3 9 5 4 1 3 9 5 4 1 }g = 4 : {4 5 9 3 1 4 5 9 3 1 }g = 5 : {5 3 4 9 1 5 3 4 9 1 }g = 6 : {6 3 7 9 10 5 8 4 2 1 }g = 7 : {7 5 2 3 10 4 6 9 8 1 }g = 8 : {8 9 6 4 10 3 2 5 7 1 }g = 9 : {9 4 3 5 1 9 4 3 5 1 }g = 10 : {10 1 10 1 10 1 10 1 10 1 }

• g = 2,6,7,8 generate all the elements of Z∗11.• This is noted as {G =< 7 >= Z∗11}

36/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Multiplicative Groups II

g = 3 : {3 9 5 4 1 3 9 5 4 1 }g = 10 : {10 1 10 1 10 1 10 1 10 1 }• The order of a group is its number of elements.• Example: the order of <3 > is 5 and the order of <10 >

is 2.• We define the order of an element “a” as the smallest

positive integer k such that ak ≡ 1 m«od q.• This is noted as Oq(a) = k .• Example: O11(3) = 5.• Modular Exponentiation is an “easy operation”, we

can use “square-and-multiply“.

37/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

The Discrete Logarithm (DL)

• The reverse operation of modular exponentiation iscalled the Discrete Logarithm (DL).

• Given an element g in a finite group G and anotherelement h ∈ G, find an integer x such that gx = h.

• The discrete logarithm problem is a ”difficultproblem“.

• This means that there is not any efficient algorithm tosolve this problem.

38/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Diffie–Hellman key agreement I

• The Diffie–Hellman (1976) is the first practical methodfor establishing a shared secret over an unprotectedcommunications channel.

• Uses modular exponentiation as easy problem and thediscrete logarithm as hard problem.

• General description of the protocol:• Alice and Bob agree on a finite cyclic group G and a

generating element g ∈ G.• This is done before the rest of the protocol and g is

assumed to be known by all attackers.

39/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Diffie–Hellman key agreement II

• Alice picks a random natural number a and sends ga toBob.

• Bob picks a random natural number b and sends gb toAlice.

• Alice computes (gb)a.• Bob computes (ga)b.

• Both Alice and Bob are now in possession of the groupelement gab.

• The values of (gb)a and (ga)b are the same becausegroups are power associative.

• This serves as the shared secret key.

40/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

ElGamal

• Taher Elgamal, 1984.• It is a PKE (Public Key Encryption) algorithm.• Based on the Diffie–Hellman key exchange.• ElGamal encryption can be defined over any cyclic

group G.• Its security depends upon the difficulty of a DL problem

in G.

41/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Key generation

• Alice generates an efficient description of amultiplicative cyclic group G, of order q, with generatorg.

• Alice chooses a random x , from {0, . . . ,q − 1}.• Alice computes h = gx .• Alice publishes h as her public key, along with the

description of G, q and g.• Alice retains x , as her private key which must be kept

secret.

42/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Encryption/Decryption

• To encrypt a message M, to Alice under: (G,q,g,h).• Bob chooses a random y , from {0, . . . ,q − 1}.• Bob calculates an ephemeral key s = hy = gxy .• Using the ephemeral key, Bob converts the plaintext m

into a chiphertext m′: m′ = m · s.• Bob sends the ciphertext (c1, c2) = (gy ,m′) to Alice.• To decrypt a ciphertext, alice calculates the ephemeral

key using its secret key: s = (c1)x .• To recover the plaintext: m = c2 · s−1.• The decryption algorithm produces the intended

message, sincec2 · s−1 = m · (h)y · (gxy )−1 = m · gxy · g−xy = m.

43/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS







44/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Definition

DefinitionAn elliptic curve E is defined in a standard, two dimensional x , y Cartesiancoordinate system:E : y2 = f (x) for a cubic or quartic polynomial f (x).If we use a cubic form, after a change of variables, the equation takes the simplerform:E : y2 = x3 + ax + b.The definition of elliptic curve also requires that the curve be non-singular.Geometrically, this means that the graph has no cusps, self-intersections, orisolated points.Algebraically, this involves calculating the discriminant∆ = −16(4a3 + 27b2)The curve is non-singular if and only if the discriminant is not equal to zero.

For different values of a and bthe graphs have various forms.

Figura: Shape of Elliptic Curves

45/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Point Addition I

• The crucial property of an elliptic curve is that we candefine a rule for “adding” two points which are on thecurve to obtain a third point which is also on the curve.

• This addition rule satisfies the normal properties ofaddition.

• In math jargon, the points and the addition law form afinite Abelian group.

46/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Point Addition II

P

Q

P+Q

RE : Y2 = X3 – 5X + 8

Figura: Addition of two points

47/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Point Addition Algebraically

• Consider two distinct points P = (Px ,Py ) andQ = (Qx ,Qy ).

• We want to compute −R = P + Q.• Where R = (Rx ,Ry ) and −R = (Rx ,−Ry ).

• Notice that we can form two equations to express a andb as a function of the coordinates of P and Q.

• The equation of the PQ line is: (y − Py ) = s(x − Px )• Where ”s“ is the slope of the line:

s = (Py −Qy )/(Px −Qx )• Then, we can use the equations of the line and the

elliptic curve equations to find Rx .Rx = s2 − Px −Qx

• Finally, using the line equation and Rx :−Ry = −Py + s(Px − Rx )

48/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Definition of Zero I

• To complete the addition operation we need to add anextra point: O.

• This point should have the property that: P + (−P) = O

• Geometrically, the point O lies on a vertical line.

• Vertical lines have not a third intersection point.

• “O” can be interpreted as a point “at infinity“.

49/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Definition of Zero II

Q

O

P

Q = –P

Figura: O point

50/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Doubling a PointIdea

We use the point’s tangent line.

P

2*P

R

51/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Doubling a Point Algebraically

• Consider the point P such that P = (Px ,Py ).• We want to compute −R = 2 · P.• Where R = (Rx ,Ry ) and −R = (Rx ,−Ry ).• To do so:

• We have a point P of the elliptic curve y2 = x3 + ax + b.• We obtain a equation for the tangent line:

(y − Py ) = s(x − Px ).• Where the slope s is: 2y dy

dx = 3x2 + a→ dydx = 3x2+a

2y• Then, we can use the line and elliptic curve equations

to find Rx :Rx = s2 − 2Px

• Finally, using the line equation and Rx :Ry = Py + s(Rx − Px )

−Ry = −Py + s(Px − Rx )

52/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Point Addition Properties

• The addition law on E has the following properties:

(a) P + O = O + P = P for all P ∈ E .(b) P + (−P) = O for all P ∈ E .(c) (P + Q) + R = P + (Q + R) for all P,Q,R ∈ E .(d) P + Q = Q + P for all P,Q ∈ E .

• In other words, the addition law “+” makes the points ofE into a commutative group.

• All of the group properties are trivial to check except forthe associative law (c).

• The associative law can be verified algebraically.

53/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Point Multiplication

• Now we can define a point multiplication by a scalar k :k · P.

• The multiplication is defined as the sum of k copies ofP: 2 · P = P + P ; 3 · P = P + P + P ; etc.

• Point multiplication fulfills:(a + b)P = aP + bP

• To find 17P we can use:(2P) + P + P + P + P + P + P + P + P + P + P + P +P + P + P + P

• With less computation:(2P)+(2P)+(2P)+(2P)+(2P)+(2P)+(2P)+(2P)+P

• A faster computation:2(2(2(2P)))) + P

54/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Finite Fields

• The elliptic curve operations previously defined are onreal numbers.

• Operations over the real numbers are slow andinaccurate due to round-off error.

• Cryptographic operations need to be faster andaccurate.

• To make operations on elliptic curve accurate and moreefficient, the curve cryptography is defined over finitefields.

• In practice, two finite fields are used:• Prime field Fp.• Binary field F2m .

55/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

EC over Fp I

• Fp is the field of integers modulo p, and consists of allthe integers from 0 to p − 1.

• If p is prime, Fp is the same as Zq.• An elliptic curve with the underlying field of Fp can

formed by choosing all the variables within the field ofFp.

• The elliptic curve includes all points (x , y) which satisfythe elliptic curve equation modulo p (wherea,b, x , y ∈ Fp): y2 m«od p = x3 + ax + b m«od p

56/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

EC over Fp II

• We define the same operations that in R.• Point Addition (P+Q):

(P + Q)x = s2 − 2Px m«od p(P + Q)y = −Py + s(Px − Rx ) m«od ps = (Px −Qx )/(Py −Qy ) m«od p

• Point Multiplication (2P):(2P)x = s2 − 2Px m«od p(2P)y = −Py + s(Px − Rx ) m«od p

s =3P2

x +a2Py

m«od p

• With 4a3 + 27b2 m«od p 6= 0.• An important result is that adding two points of an

elliptic curve under Fp yields another point in thecurve in Fp.

57/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Example E over F5

• If we take E : y2 = x3 + 2x + 3 m«od 5x = 0→ y2 = 3→ no solution m«od 5x = 1→ y2 = 6 = 1→ y = 1, 4 m«od 5x = 2→ y2 = 15 = 0→ y = 0 m«od 5x = 3→ y2 == 36 = 1→ y = 1, 4 m«od 5x = 4→ y2 = 75 = 0→ y = 1, 4 m«od 5

• Then points on the elliptic curve are (1, 1)(1, 4)(2, 0)(3, 1)(3, 4)(4, 0) andthe point at infinity∞.

• Notice that like in R there are two points for every x value (except for pointson the x-axis (y=0)).

• Recall that elliptic curves over real numbers, there exists a negative point foreach point which is reflected through the x-axis.

• Over the finite field F5, the negative components in the y-values are takenmodulo 5: −P = (Px , (−Py m«od 5)).

• What is (1, 4) + (3, 1) = Q = (Qx ,Qy )?s = (1− 4) · (3− 1)−1 = −3 · 2−1 = 2(3) = 6 = 1 m«od 5Qx = 1− 1− 3 = 2 m«od 5Qy = 1(1− 2)− 4 = 0 m«od 5

• On this curve: (1, 4) + (3, 1) = (2, 0).

58/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

The group G and ECDL I• To form a group G over the EC we must choose a generator

or “base point” G.• Then, to generate the members of the group we compute

k ·G with k = 1,2, ...• Notice that unlike the groups used in the classic algorithms,

the elements of the multiplicative group aren’t integers, butpoints (x , y).

• If we carry on computing G + G + G... for long enough, wewill finally get a result of “O”, since the number of curvepoints is finite.

• That is to say, there will be a number “n” such that(n − 1)G = (Gx ,−Gy ) = −P.

• The least n for which n ·P = O is true is called the order of P.• There is a result that says that if a point has order n which is

a large prime then, the number of points on the curve#E(Fp) is h · n for some integer h (cofactor not divisible byn).

59/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

The group G and ECDL II• For efficiency reasons, it is desirable to take the cofactor h to

be as small as possible (in particular h = 1).• An important fact is that if we find a G for generating the

group whose order is a prime number n, then computing kfrom k ·G and G takes roughly 2(n/2) operations.

• This means that public keys and signatures can be muchsmaller than with RSA for the same predicted security.

• This inverse operation to point multiplication is called theElliptic Curve Discrete Logarithm Problem (ECDL).

• The ECDL problem is intractable.• ECC arranges itself so that your operations such encrypting

a message with the public key or decrypting it with theprivate key are based on point multiplication.

• However, to guess the decryption key you need to solve theECDL problem.

60/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

EC domain parameters for Fp

• The elliptic curve domain parameters over Fp are asextuple: T = (p,a,b,G,n,h)

• Where:• p is the order of the curve, that is to say, an integer

specifying the finite field Fp.• a,b ∈ Fp specify the elliptic curve E(Fp) defined by the

equation: E : y2 = x3 + ax + b m«od p• A base or generator point G = (Gx ,Gy ) on E(Fp).• A prime number n which is the order of the point G.• An integer h which is the cofactor h = #E(Fp)/n.

61/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS







62/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Motivation

Main motivationElliptic curve cryptography (ECC) offers considerablygreater security than other existing asymmetriccryptographic schemes for a given key size.

Cuadro: Key length equivalents (source Certicom)

ECC RSA AES163 1024256 3072 128384 7680 192512 15360 256

Motivation today: more functinality!

63/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

ElGamal ECC version

• Let us assume that we have a group G over an ellipticcurve and a generator point P.

• Let (dB, QB) be the key pair of Bob.• Alice generates a random value k .• Alice sends the pair (kG,M + (kQB)x ) to encrypt a

message M to Bob.• To decrypt the ciphertext, Bob:

• Takes kG and computes dB · kG.• M = (M + (kQB)x )− (dB · kG)x = M

64/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

ECDH I

• Elliptic Curve Diffie-Hellman (ECDH) is a keyagreement protocol.

• ECDH allows two parties to establish a shared secretkey that can be used for private key algorithms.

• Both parties exchange some public information to eachother.

• Using this public data and their own private data theseparties calculates the shared secret.

• Any third party, who doesn’t have access to the privatedetails of each device, will not be able to calculate theshared secret from the available public information.

• Both ends have a key pair consisting of a private key d(a randomly selected integer less than p, where p is theorder of the curve.

65/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

ECDH II

• Let (dA, QA) be the key pair of Alice and (dB, QB) bekey pair of Bob.

• Then,• Alice computes K = (Kx ,Ky ) = dA ·QB.• Bob computes L = (Lx ,Ly ) = dB ·QA.• Since dA ·QB = dA · dB ·G = dB · dA ·G = dB ·QA.• Therefore K = L and hence xK = xL.• Hence the shared secret is xK .• Since it is practically impossible to find the private key

dA or dB from the public key K or L, its not possible toobtain the shared secret for a third party.

66/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

ECIES I

• Elliptic Curve Integrated Encryption Scheme (ECIES),also known as Elliptic Curve Augmented EncryptionScheme or simply the Elliptic Curve EncryptionScheme.

• The scheme is based on Diffie–Hellman problem.• Two versions of the IES are standardized: Discrete

Logarithm Integrated Encryption Scheme (DLIES) andElliptic Curve Integrated Encryption Scheme (ECIES).

• Here we discuss ECIES but these two versions areidentical up to the change of an underlying group.

67/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

ECIES II

• ECIES provides message condifenciality and integrity.To do so it requires the following:• A Key Derivation Function (KDF).• KDFs are often used in conjunction with non-secret

parameters to derive one or more keys from a commonsecret value.

• This is sometimes also referred to as “keydiversification“.

• ECIES defines a Message Authentication Code (MAC)and uses a symmetric encryption scheme E.

• ECIES uses a group in an Elliptic Curve.• As usual, the Bob’s key pair is (dB, QB).• Typically (but it is optional), the algorithm also uses a

couple of public parameters: s1 and s2.

68/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

ECIES III• To encrypt a message m, Alice does the following:

• Generates a random number r ∈ (1, n − 1) and calculatesR = rG;

• Derives a shared secret: s = Px , where P = (Px ,Py ) = r ·QB

and P 6= O.• Uses the KDF to derive the symmetric encryption and MAC

keys: {kE , kM} = KDF (s|s1).• Encrypts the message: c = E(kE ,m).• Computes the MAC: d = MAC(kM , c|s2).• Outputs (R, c, d).

• To decrypt the ciphertext (R, c,d) Bob does the following:• Derives the shared secret: S = Px where

P = (Px ,Py ) = dB · R.This is the same as the one Alice derived becauseP = dB · R = r ·QB .

• Derives the keys: {kE |kM} = KDF (s|s1).• Uses the MAC key to check that d = MAC(kM , c|s2).• Uses the symmetric encryption scheme to decrypt the

message m = E−1(kE , c).

69/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS







70/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Introduction I

• Basic concept:• Alice (the sender) can use any receiver’s information

such as email, an IP address or even a digital image toencrypt a message.

• Bob (the receiver) can decrypt the ciphertext.• To do so, Bob has to obtain a private key associated

with his identifier information from a TTP.• This TTP is called “Private Key Generator” (PKG).

• This concept was proposed by Shamir in 1984 [xx].• Shamir easily constructed an identity-based signature

(IBS) scheme [xx] using the existing RSA [yy] function.• However, he was unable to construct an identity-based

encryption (IBE) scheme.• This became a long-lasting open problem and there is

not any proposed IBE sheme based on RSA up to now.

71/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Introduction II

• After 17 years, in 2001, Shamir’s open problem wasindependently solved by Boneh-Franklin and by Cocks.

• Cocks’ mathematical primitive were “QuadraticResidues” (a variant of the problem of integerfactorization).

• Boneh and Franklin’s mathematical primitive were“bilinear pairings“.

• Today, it is accepted that bilinear pairings are moreefficient than quadratic residues.

• Thanks to the application of bilinear pairings to IBCtoday this is a handy and useful cryptographictechnique used for securing many different scenarios.

72/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Bilinear Pairings I

• Let G1 and G2 be two groups of order q for some largeprime q.

• The group G1 is subgroup of the additive group ofpoints of an elliptic curve E/Fp.

• The group G2 is a subgroup of the multiplicative groupof a finite field F∗p2 .

• The Boneth and Franklin’s IBE Scheme makes use of abilinear map ê: G1 ×G1 → G2 between these twogroups.

73/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Bilinear Pairings II

• We can find maps in elliptic curves that satisfy thefollowing properties:

1 Bilinear: We say that a map ê : G1 ×G1 → G2 isbilinear if ê(aP,bQ) = ê(P,Q)ab

for all P,Q ∈ G1 and all a,b ∈ Z.2 Non-degenerate: The map does not send all pairs in

G1 ×G1 to the identity in G2.Observe that since G1 and G2 are groups of primeorder, this implies that if P is a generator of G1 thenê(P,P) is a generator of G2.

3 Computable: There is an efficient algorithm to computeê(P,Q) for any P,Q ∈ G1.

74/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Bilinear Diffie-HellmanAssumption

Bilinear pairings gave rise to the following computationalproblem called Bilinear Diffie-Hellman (BDH) problem:• Given (G1,q,ê,P,aP,bP, cP), where P ∈ G1 and a,b,

and c are chosen at random from Z∗q.

• Notice that we can compute ê(P,P)ab,ê(P,P)ac andê(P,P)bc (by the pairing properties).

• The BDH assumption says that compute ê(P,P)abc isintractable with the given parameters.

• The security of many identity-based cryptographicschemes in the current literature depends on the BDHassumption (or its variations).

75/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

A Key Agreement protocol

• The following is a simple and nice Key Agreementprotocol for three entities proposed by Joux [xx] (this isnot yet Identity cryptography).• Suppose that Alice, Bob, and Chris have private/public

key pairs (a,aP), (b,bP), and (c, cP) where a, b andc ∈ Z∗q and are chosen at random.

• aP ,bP, and cP ∈ G1.• Without the bilinear pairing, to share the same key, a

number of interactions must be conducted by the threepersons.

• With bilinear pairing just one round is needed.• Alice, Bob, and Chris compute respectively

ê(bP, cP)a,ê(aP, cP)b and ê(aP,bP)c .• It is easy to see that they are the same value, in fact

equal to ê(P,P)abc .

76/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Boneth & Franklin’s IBE I

• In the Setup Stage the PKG:• Selects P ∈ G∗1.• Where G∗1 = G1/{O} (O is the identity element of the

group).• Specifies the bilinear pairing ê : G1 ×G1 → G2.• Specifies a hash function H1 : {0,1}∗ → G∗1.• Specifies a hash function H2 : {0,1}l → G∗1.

Where ”l“ denotes the length of the plaintext.• Picks a master key s ∈ Z∗q at random and computes a

public key Ppkg = sP.• Publishes the descriptions of G1, G2, H1 and H2.• Publishes the public key Ppkg .

77/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Boneth & Franklin’s IBE II

• The basic protocol to encrypt is:• The PKG publishes descriptions of the group G1 and G2

and the hash functions H1 and H2 as well as Ppkg .• Bob, the receiver has a:

public key: Qbob = H1(ibob) where Qbob ∈ G∗1 (a point).private key: Dbob = sQbob where Dbob ∈ G∗1 (a point).

• Alice, the sender, can now encrypt a message m to Bobusing Bob’s identity i :U = rPV = H2(ê(Qbob,Ppkg)r )⊕m

• Where r is chosen at random from Z∗q .• The resulting ciphertext C = (U,V ) is sent to Bob.

• Bob decrypts C by computing m = V ⊕ H2(ê(Dbob,U)).

78/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Cha & Cheon’s IBS I

• The Cha and Cheon’s [yy] IBS scheme is based on thebilinear pairing.

• In the setup stage, the PKG specifies a group Ggenerated by P ∈ G∗ and the Bilinear mapê : G1 ×G1 → G2.

• It also specifies two hash functions H1,h2.• The PKG then picks a master key s uniformly at

random from Z∗q• The PKG computes a public key Ppkg = sP and

publishes descriptions of the groups G1,G2, the publickey Ppkg , and the hash functions H1 and h2.

79/80

Cryptography



Hash Functions

Key Distribution


Hash constructions


DH & ElGamal


Multiplying Points

EC over Fp


Key Exchange

Encryption Scheme


Bilinear Pairings


Cha & Cheon’s IBS

Cha & Cheon’s IBS II

• Alice, the signer, then contacts the PKG to get hisprivate key Dalice = sQalice where Qalice = H1(ialice).

• Alice can create a signature on a message m bycomputing:U = rQaliceV = (r + h)Dalice

• r is chosen at random from Z∗q.• h = h2(m,U) where h ∈ Z∗q.• Bob, the verifier, can verify the validity of Alice’s

signature (U,V ) by checking:

ê(P,V ) = ê(Ppkg ,U + hQalice)

80/80

Documents

criptografIa_asimetrica.pdf