IBE (Identity-Based Encryption) from the Weil Pairing

Sravan Babu Bodapati, Eswar Sai Putti


Identity Based Encryption

• An identity-based encryption scheme E is specified by four randomized algorithms:

• Setup,

• Extract,

• Encrypt,

• Decrypt:

• Setup: ( Run by PKG )

• It takes a security parameter k and returns params (system parameters) and master-key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C.

• > The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator” (PKG).

Protocol framework (contd.)

• Extract: (Run by PKG)

• Run when a user requests his private key.

• It takes as input params, master-key, and an arbitrary ID ∈ {0, 1}∗, and returns a private key d. Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private decryption key.

• >> The Extract algorithm extracts a private key from the given public key.

• Encrypt:

• It takes as input params, ID, and M ∈ M. It returns a ciphertext C ∈ C.

• Decrypt:

• It takes as input params, C ∈ C, and a private key d. It returns M ∈ M.

Identity-Based Encryption

[Figure: Identity-Based Encryption between Alice, Bob and the PKG. Labels: "M encrypted using [email protected]"; "Authentication"; "Private key for [email protected]"; "global parameters"; "master key"; steps: setup, extract, encrypt, decrypt.]

Applications

• Revocation of Public Keys:

– Annual private key expiration (virtual effect), as the receiver cannot decrypt the message after the specific deadline set by the sender.

• >>> “[email protected]||current-year||clearance=secret”.

• He also has to get the clearance by the end of the current year.

• Delegation of Decryption Keys:

• - Delegation of Laptop (when it is stolen)

• - Delegation of Duties (persons of only a particular department can decrypt their own messages but cannot tamper with those belonging to other departments).

Applications (Contd.)

• Chosen ciphertext security:

• >> Setup:

• The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.

• >> Phase 1:

• The adversary issues queries q1, ..., qm where query qi is one of:

– Extraction query IDi: The challenger responds by running algorithm Extract to generate the private key di corresponding to the public key IDi. It sends di to the adversary.

– Decryption query IDi, Ci: The challenger responds by running algorithm Extract to generate the private key di corresponding to IDi. It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di. It sends the resulting plaintext to the adversary.

• >> Challenge:

• Once the adversary decides that Phase 1 is over it outputs two equal length plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged.

• Phase 2:

• The adversary issues more queries qm+1, ..., qn where query qi is one of:

• - Extraction query

• - Decryption query

• Limitations:

• These algorithms must satisfy the standard consistency constraint, namely:

• > when d is the private key generated by algorithm Extract when it is given ID as the public key, then ∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M)

Types of IBE

• Semantically Secure IBE

• >> Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited;

• >> It cannot issue decryption queries while attacking the challenge public key.

• One-way identity-based encryption:

• >> If given the encryption of a random plaintext, the adversary cannot produce the plaintext in its entirety. (Total decryption is not possible.)

Bilinear maps and the Bilinear Diffie-Hellman Assumption:

• Our IBE system makes use of a bilinear map e : G1 × G1 → G2. The map must satisfy the following properties:

• >> Bilinear

• We say that a map e : G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and all a, b ∈ Z.

• >> Non-degenerate

• The map does not send all pairs in G1 × G1 to the identity in G2. Observe that since G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2.

• >> Computable

• There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.

• If all three of the above properties are satisfied, the map is called an admissible bilinear map.

Basic Ident

• Setup:

• Given a security parameter k ∈ Z+, the algorithm works as follows:

• Step 1: Run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map e : G1 × G1 → G2. Choose a random generator P ∈ G1.

• Step 2: Pick a random s ∈ Zq and set Ppub = sP.

• Step 3: Choose a cryptographic hash function H1 : {0, 1}∗ → G1∗. Choose a cryptographic hash function H2 : G2 → {0, 1}^n for some n.

• The message space is M = {0, 1}^n. The ciphertext space is C = G1∗ × {0, 1}^n. The system parameters are params = (q, G1, G2, e, n, P, Ppub, H1, H2). The master-key is s ∈ Zq∗.

Steps of Basic Ident

• Extract:

• For a given string ID ∈ {0, 1}∗ the algorithm does:

• (1) computes QID = H1(ID) ∈ G1∗, and

• (2) sets the private key dID to be dID = sQID where s is the master key.

• Encrypt:

• To encrypt M ∈ M under the public key ID do the following:

• (1) compute QID = H1(ID) ∈ G1∗,

• (2) choose a random r ∈ Zq∗, and

• (3) set the ciphertext to be C = (rP, M ⊕ H2(gID^r)) where gID = e(QID, Ppub) ∈ G2∗.

• Decrypt:

• Let C = <U, V> ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key dID ∈ G1∗ compute: V ⊕ H2(e(dID, U)) = M
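The four Basic Ident algorithms above, as an added example that is not code from the slides or from the scheme's authors. It assumes a toy bilinear group in place of the Weil pairing (points of G1 stored as their scalars, so discrete logs are trivial and nothing here is secure), SHA-256 for H1 and H2, and a constructed identity string; it only shows why e(dID, U) equals gID^r.

```python
import hashlib
import secrets

# Toy bilinear group (assumption; NOT the Weil pairing and NOT secure): a point aP
# of G1 is stored as the integer a mod q, and e(aP, bP) = g^(ab) in G2 < Z_p*.
q, p, g = 1019, 2039, 4     # p = 2q + 1; g has order q modulo p
P = 1                       # generator of G1
N = 16                      # n/8: messages are 16-byte strings

def e(A, B):                # bilinear: e(aP, bQ) = e(P, Q)^(ab)
    return pow(g, (A * B) % q, p)

def H1(identity):           # H1 : {0,1}* -> G1* (never the identity element 0)
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + h % (q - 1)

def H2(x):                  # H2 : G2 -> {0,1}^n
    return hashlib.sha256(x.to_bytes(2, "big")).digest()[:N]

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def setup():                # run by the PKG
    s = 1 + secrets.randbelow(q - 1)          # master-key s in Zq*
    return (s * P) % q, s                     # Ppub = sP is public, s stays secret

def extract(s, identity):   # run by the PKG
    return (s * H1(identity)) % q             # dID = s * QID

def encrypt(Ppub, identity, M):
    assert len(M) == N
    r = 1 + secrets.randbelow(q - 1)          # fresh random r in Zq*
    g_id = e(H1(identity), Ppub)              # gID = e(QID, Ppub)
    return (r * P) % q, xor(M, H2(pow(g_id, r, p)))   # C = (rP, M xor H2(gID^r))

def decrypt(d_id, C):
    U, V = C
    return xor(V, H2(e(d_id, U)))             # e(dID, U) = e(sQID, rP) = gID^r

if __name__ == "__main__":
    Ppub, s = setup()
    C = encrypt(Ppub, "bob@example.test", b"sixteen byte msg")   # constructed identity
    print(decrypt(extract(s, "bob@example.test"), C))
```

The sender needs only params and the identity string; the private key is derived from the master-key s, which is why the PKG can compute any user's key.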

Elliptic Curve

Let p be a prime larger than 3. An elliptic curve over a finite field of size p, denoted by GF(p), can be given by an equation of the form:

E = { (x, y) ∪ O | (x, y) satisfies the equation y^2 = x^3 + ax + b, where a, b ∈ GF(p) }

If a line intersects the curve at 2 points, it must intersect the curve at a third point also.

The Elliptic Curve Point Addition:

P + Q = R

> Find the two points P and Q where the line intersects the curve.

> Solve for the 3rd point by solving the polynomial curve equation with the line.

> Now take the reflection of the 3rd point obtained to obtain R.

> P + Q = R (the reflection obtained)
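The addition rule above carried out over GF(p), as an added example that is not from the slides. The curve y^2 = x^3 + 2x + 2 over GF(17) and the base point G = (5, 1) are constructed for illustration; the code also covers the two special cases the geometric picture hides, P + (−P) = O and doubling.

```python
# Constructed toy curve (assumption, not from the slides): y^2 = x^3 + 2x + 2 over GF(17)
p, a, b = 17, 2, 2
O = None                                   # the point at infinity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def neg(pt):
    # The negative of a point is its reflection in the x-axis.
    return O if pt is O else (pt[0], -pt[1] % p)

def add(p1, p2):
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                           # P + (-P): the line is vertical
    if p1 == p2:
        m = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p    # tangent slope (doubling)
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p         # slope of the chord
    x3 = (m * m - x1 - x2) % p             # third intersection of line and curve
    y3 = (m * (x1 - x3) - y1) % p          # reflected in the x-axis to give R
    return (x3, y3)

def mul(k, pt):
    # Double-and-add: computes kP using O(log k) additions.
    result = O
    while k:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result

if __name__ == "__main__":
    G = (5, 1)                             # constructed base point
    print(add(G, G), add(G, neg(G)), mul(19, G))
```

On this curve G has order 19, so 19G = O.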

Divisor: Zero and Pole

A divisor D can be defined as a formal sum of points on the elliptic curve group E:

D = ∑ nP (P)

where nP is a non-zero integer that specifies the zero/pole property of point P and its respective order.

Inequality:

a) nP > 0 indicates that point P is a zero, whereas

b) nP < 0 indicates that P is a pole.

For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) – 3(R) indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3.

The degree of the divisor of a rational function must be zero.


Definition

Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E,

It's done in such a way as to constitute a pairing on the torsion subgroup of E.

Elliptic Curve Group over Real Numbers

• y^2 = x^3 + ax + b

– x, y, a, b are real numbers

• If 4a^3 + 27b^2 ≠ 0, a group can be formed.

– points on curve and infinity point

– Additive group


A Deeper Understanding

• E is an elliptic curve over K and n is an integer not divisible by char(K)

• E[n] is a torsion subgroup of E(K), that is E[n] = {PE()| nP = } E(K). Where we make a assumption that n = {x |xn = 1, x}K.

• Let TE[n], then there exist a function f such that div(f) = n[T]-n[]

• Note that f has zero at T with order n and has pole at with order -n.


Elliptic Curve Addition: A Geometric Approach

• Adding distinct points P and Q

* The negative of a point P is its reflection in the x-axis.


Adding the points P and -P


Doubling the point P

Weil Pairing

• Definition:

Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (bilinear form, though with multiplicative notation) on the torsion subgroup of E.

• Bilinear map:

– A map e: G1×G1→G2

– ∀P,Q∈G1, ∀a,b∈Z, e(aP, bQ) = e(P, Q)^(ab)

• Weil Pairing:

– bilinear map

• G1 is the group of points of an elliptic curve over Fp

• G2 is a subgroup of F_{p^2}*

– efficiently computable

• Miller’s algorithm

Properties of Weil Pairing

• The Weil pairing has the following properties for points in E[n]:

• Property 1:

For all P ∈ E[n] we have: e(P, P) = 1.

• Bilinear Property:

• e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and

• e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).

• Property 3:

• When P, Q ∈ E[n] are collinear then e(P, Q) = 1.

• Similarly, e(P, Q) = e(Q, P)^-1

• n'th root Property:

For all P, Q ∈ E[n] we have e(P, Q)^n = 1, i.e. e(P, Q) ∈ G2.

• Non-degenerate Property (in the following sense):

• If P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.

Computing The Weil Pairing

• Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F_{p^2}* using O(log p) arithmetic operations in Fp. We assume P ≠ Q. We proceed as follows:

> Pick two random points R1, R2 ∈ E[n].

> Consider the divisors AP = (P + R1) − (R1) and AQ = (Q + R2) − (R2).

> These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.

• Hence we use them to compute the Weil pairing as

e(P, Q) = fP(AQ) / fQ(AP) = fP(Q + R2) · fQ(R1) / ( fP(R2) · fQ(P + R1) )

Computations (Contd.):

• This expression is well defined with very high probability over the choice of R1, R2 (the probability of failure is at most O(log p / p)).

• In the rare event that a division by zero occurs during the computation of e(P, Q), we simply pick new random points R1, R2 and repeat the process.

Miller’s algorithm

• As we have seen above, computing both the Weil pairing and the Tate pairing reduces to finding a function f with

div(f) = n[P+R]-n[R]

for points P ∈ E[n] and R ∈ E, and evaluating f(Q1)/f(Q2).

• Note that we omit the Tate pairing here because the Galois cohomology theorem is too hard.

Basic idea

• Define D_j = j[P+R]-j[R]-[jP]+[∞].

– Note that we can’t define D_j = j[P+R]-j[R].

• We can find a function f_j such that div(f_j) = D_j.

• Miller’s algorithm can compute f_{j+k}(Q1)/f_{j+k}(Q2) from f_j(Q1)/f_j(Q2) and f_k(Q1)/f_k(Q2) as follows:

– Let ax+by+c = 0 be the line through jP and kP.

– Let x+d = 0 be the vertical line through (j+k)P.

1. div( (ax+by+c)/(x+d) ) = [jP] + [kP] − [(j+k)P] − [∞]

2. Therefore,

div(f_{j+k}) = D_{j+k}

= (j+k)[P+R] − (j+k)[R] − [(j+k)P] + [∞]

= j[P+R] − j[R] − [jP] + [∞] + k[P+R] − k[R] − [kP] + [∞] + div( (ax+by+c)/(x+d) )

= D_j + D_k + div( (ax+by+c)/(x+d) )

= div(f_j) + div(f_k) + div( (ax+by+c)/(x+d) )

= div( f_j f_k (ax+by+c)/(x+d) )

3. That is, f_{j+k} = t · f_j f_k (ax+by+c)/(x+d) for some constant t.

4. Therefore,

f_{j+k}(Q1) / f_{j+k}(Q2) = (t/t) · ( f_j(Q1) / f_j(Q2) ) · ( f_k(Q1) / f_k(Q2) ) · [ (ax+by+c)/(x+d) |(x,y)=Q1 ] / [ (ax+by+c)/(x+d) |(x,y)=Q2 ]

Escrow El-Gamal Encryption

• Setup

– Use same elliptic curve

– Pick a random s∈Zq, Q = sP

– Choose hash function H: F_{p^2} → {0,1}^n

– System parameters: < p, n, P, Q, H >

– s is the escrow key

• Keygen

– User randomly chooses x∈Zq as private key

– Public key is Ppub = xP

Big Picture

[Figure: encryption between Alice and Bob. Labels: "yBob, cert(yBob, Bob)"; "(a,b) = (…)"; "(a,b)".]

Escrow ElGamal Encryption (Cont’d)

• Encrypt (Ciphertext)

– Pick random r∈Zq

– C = < rP, M⊕H(g^r) > where g = ê(Ppub, Q) ∈ F_{p^2}

(Our encrypted message is C)

• Decrypt (C = <U,V>)

– V ⊕ H(ê(U, xQ)) = M

• Escrow-decrypt

– V ⊕ H(ê(U, sPpub)) = M