12. Identity-based Cryptography
TRANSCRIPT
-
Chapter 12
Identity-based Cryptography
-
Public Key
Private keys are to be kept secret. Public keys are accessible to all parties.
How to associate entities with their respective public keys?
• An attacker may present a harmful key as the public key of a victim.
• Before using a public key, one should verify that the key belongs to the claimed party.
Certificates
• Certificate Issuing
• Certificate Verification
• Certificate Management
• Certificate Revocation
-
Identity-based Cryptography
Problems of Public-Key Certificates
• A trusted CA is needed.
• Every certificate validation requires contact with the CA for the verification key and for the revocation list.
Identity-Based Public Keys
• Alice’s identity (like e-mail ID) is used as her public key.
• No contact with the CA is necessary to validate public keys.
• A trusted authority is still needed: Private-Key Generator (PKG) or Key-Generation Center (KGC).
• Each party should meet the PKG privately once (registration phase).
Limitation: Revocation of public keys may be difficult.
-
Identity-based Cryptography
IBC: Public key cryptography where the public key is an arbitrary string (ID).
Examples: user’s e-mail address, current date, …
[Figure: an e-mail is encrypted using the public key “[email protected]”; the PKG/KGC holds the master key and runs Extract to generate the private key from the ID and the master key.]
-
Advantages and Disadvantages
Adv.
• No user preparation required – most compelling advantage
• No PKI management or certificate database
• Inherent key escrow allows for some additional benefits:
  ― No client-side installation required; the PKG can encrypt and sign messages for the user in a web-based messaging application;
  ― Users’ keys may be kept on the PKG, which is more secure than users’ workstations.
Disadv.
• Inherent key escrow
  ― Weakens non-repudiation
  ― Variants are being developed to overcome this weakness
• No key revocation
  ― If the private key gets compromised, do I have to get a new identity?
  ― Can be fixed by appending a validity timestamp to the public key
• The PKG requires an extremely high level of assurance, since it holds all private keys and must remain online.
-
IBC History
• Shamir (Crypto 1984) introduces the concept of identity-based encryption (IBE) and signature (IBS). He gives a concrete realization of an IBS scheme.
• In early 2000s, bilinear pairing maps are used for concrete realizations of IBE schemes.
• Sakai, Ohgishi and Kasahara (2000) propose an identity-based key-agreement scheme and an IBS scheme.
• Boneh and Franklin (Crypto 2001) propose an IBE scheme. Its security is proved in the random-oracle model.
• Boneh and Boyen (EuroCrypt 2004) propose an IBE scheme whose security is proved without random oracles.
• Joux (ANTS 2004) proposes a pairing-based three-party key-agreement protocol.
-
A Failed Attempt
Let H map public identities to unique odd integers.
To generate an RSA key pair, Bob (the recipient) takes e = H(ID_Bob).
Bob keeps on generating random primes p, q until gcd(p−1, e) = gcd(q−1, e) = 1.
Bob publishes e and n = pq.
Bob computes d ≡ e^(−1) (mod φ(n)) (private key).
The public key of Bob is the pair (e, n).
An attacker can generate n as Bob does.
A certificate is needed to validate n.
-
Bilinear Pairing
$G$, $G_1$: finite cyclic groups of prime order $q$.
Def: An admissible bilinear map $e: G \times G \to G_1$ is:
• Bilinear: $e(aP, bP) = e(P,P)^{ab}$ for all $a, b \in \mathbb{Z}$, $P \in G$
• Non-degenerate: $P$ generates $G$ $\Rightarrow$ $e(P,P)$ generates $G_1$.
• “Efficiently” computable.
Example: Weil or Tate pairing on supersingular curves.
-
Bilinear Diffie-Hellman Problems
Def: Alg. $A$ $\varepsilon$-solves Bilinear-DH in group $G$ if:
$\Pr[\, A(P, Q, aP, bP) = e(P,Q)^{ab} \,] > \varepsilon$
where $P, Q \in G$ and $a, b \in \{1, \dots, q-1\}$.
Def: Alg. $A$ $\varepsilon$-solves Bilinear-DDH in group $G$ if:
$\big|\, \Pr[\, A(P, Q, aP, bP, e(P,Q)^{ab}) = 1 \,] - \Pr[\, A(P, Q, aP, bP, e(P,Q)^{r}) = 1 \,] \,\big| > \varepsilon$
where $P, Q \in G$ and $a, b, r \in \{1, \dots, q-1\}$.
-
Boneh–Franklin IBE
• Setup: params $= (G, G_1, P, H_1, H_2)$; $MK = s$, $K_{pub} = sP \in G$
• KeyGen $(ID, K_{pub})$: given the public key $ID \in \{0,1\}^*$, the KGC computes
  $Q_{ID} = H_1(ID)$, $d_{ID} = s Q_{ID}$
• Encrypt $(m, ID, (P, K_{pub}))$: $Q_{ID} = H_1(ID)$;
  $r \in \{1, \dots, q-1\}$; $C = (rP,\; m \oplus H_2(e(Q_{ID}, K_{pub})^r))$
• Decrypt $(C, d_{ID})$: $C = (C_0, C_1)$; using $d_{ID}$,
  observe: $m = C_1 \oplus H_2(e(C_0, d_{ID}))$
-
Correctness of BF-IBE
$m = C_1 \oplus H_2(e(C_0, d_{ID}))$
$= m \oplus H_2(e(Q_{ID}, K_{pub})^r) \oplus H_2(e(C_0, d_{ID}))$
$= m \oplus H_2(e(Q_{ID}, sP)^r) \oplus H_2(e(rP, sQ_{ID}))$
$= m \oplus H_2(e(Q_{ID}, P)^{sr}) \oplus H_2(e(P, Q_{ID})^{sr})$
$= m$
Based on the bilinear pairing; the last step also uses that $e$ is symmetric, $e(P, Q_{ID}) = e(Q_{ID}, P)$, which holds for the maps $e: G \times G \to G_1$ considered here.
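As an added illustration (not from the slides), the Setup / KeyGen / Encrypt / Decrypt steps and the correctness argument above, run with a toy symmetric bilinear map: $G = (\mathbb{Z}_q, +)$ with generator $P = 1$, $G_1 = \langle g \rangle \subset \mathbb{Z}_p^*$, and $e(aP, bP) = g^{ab}$, with $q = 1019$ and $p = 2039 = 2q + 1$ chosen for the example. The map satisfies the bilinearity and non-degeneracy definitions, but the discrete logarithm in $(\mathbb{Z}_q, +)$ is trivial, so this toy has no security and only shows the algebra.

```python
import hashlib
import random

# Constructed toy parameters: q = 1019 and p = 2039 = 2q + 1 are both prime,
# so Z_p^* contains a subgroup of prime order q; g = 2^2 mod p generates it.
q = 1019
p = 2039
g = pow(2, 2, p)
assert g != 1 and pow(g, q, p) == 1

# Toy pairing on G = (Z_q, +), generator P = 1: e(aP, bP) = g^(ab) in G1 = <g>.
# Bilinear and non-degenerate, but NOT secure: the "discrete log" of x in Z_q is x itself.
P = 1

def pairing(x, y):
    return pow(g, (x * y) % q, p)

def H1(identity: str) -> int:
    # H1: {0,1}* -> G \ {0}; maps an identity string to an element in [1, q-1]
    h = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(h, "big") % (q - 1)

def H2(gt: int) -> bytes:
    # H2: G1 -> {0,1}^256; elements of G1 are < p < 2^16, so 2 bytes suffice
    return hashlib.sha256(gt.to_bytes(2, "big")).digest()

def setup():
    # master key s and K_pub = sP
    s = random.randrange(1, q)
    return s, (s * P) % q

def keygen(s, identity):
    # d_ID = s * Q_ID, computed by the KGC from the master key
    return (s * H1(identity)) % q

def encrypt(m: bytes, identity: str, k_pub: int):
    assert len(m) <= 32, "toy one-time pad covers at most 32 bytes"
    q_id = H1(identity)
    r = random.randrange(1, q)
    c0 = (r * P) % q                                   # rP
    mask = H2(pow(pairing(q_id, k_pub), r, p))         # H2(e(Q_ID, K_pub)^r)
    c1 = bytes(a ^ b for a, b in zip(m, mask))         # m XOR mask
    return c0, c1

def decrypt(c, d_id):
    c0, c1 = c
    mask = H2(pairing(c0, d_id))                       # H2(e(rP, sQ_ID)) = same mask
    return bytes(a ^ b for a, b in zip(c1, mask))
```

Because e(rP, sQ_ID) = g^(r·s·Q_ID) = e(Q_ID, sP)^r, the receiver recomputes exactly the mask the sender used without ever learning r or s.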
-
Security
The security of the scheme depends on the hardness of the bilinear Diffie-Hellman problem (BDH) for the groups.
Suppose the hash functions H1, H2 are random oracles. Then Boneh–Franklin IBE is a semantically secure identity-based encryption scheme (IND-ID-CPA) assuming BDH is hard in groups
-
Thank You
-
Acknowledgements
Dan Boneh, Matthew Franklin, Xavier Boyen, Abhijit Das, and Kui Ren for PowerPoint slides and figures