Lecture 25: Pairing Based Cryptography

Transcription

1 6.897 Special Topics in Cyptogaphy Instucto: Ran Canetti May 5, 2004 Lectue 25: Paiing Based Cyptogaphy Scibe: Ben Adida 1 Intoduction The field of Paiing Based Cyptogaphy has exploded ove the past 3 yeas [cy, DBS04]. The cental idea is the constuction of a mapping between two useful cyptogaphic goups which allows fo new cyptogaphic schemes based on the eduction of one poblem in one goup to a diffeent, usually easie poblem in the othe goup. In many eseach papes, the fist of these two goups is efeed to as a Gap Goup, whee the Decisional Diffie Helman poblem [Bon98] is easy (because it educes to an easy poblem in the second goup), but the Computational Diffie Helman poblem emains had. The known implementations of these paiings the Weil and Tate paiings involve faily complex mathematics. Fotunately, they can be dealt with abstactly, using only the goup stuctue and mapping popeties. Many inteesting schemes have been built based puely on abstact bilinea maps. 2 Bilinea Maps The majo paiing based constuct is the bilinea map. Conside two goups G 1 and G 2 of pime ode. Fo claity, we denote G 1 using additive notation and G 2 using multiplicative notation, even though the goup opeations in G 1 and G 2 may well be vey diffeent fom the well known aithmetic addition and multiplication. (Sometimes G 1 is also witten multiplicatively in the liteatue.) We conside P and Q two geneatos of G 1, and we wite a times {}}{ ap = P + P P We now conside the mapping e as follows: e : G 1 G 1 G 2 (Note that we do not know how to build a self bilinea map, G 1 G 1 G 1. This would be uite poweful.) Useful bilinea maps have thee popeties: Bilineaity P, Q G 1, a, b Z, e(ap, bq) = e(p, Q) ab 17 1

2 Non Degeneacy If eveything maps to the identity, that s obviously not inteesting: P G 1, P = 0 e(p, P ) = G 2 (e(p, P ) geneates G 2 ) In othe wods: P = 0 e(p, P ) = 1 Computability e is efficiently computable. We can find G 1 and G 2 whee these popeties hold: the Weil and Tate paiings pove the existence of such constuctions. Typically, G 1 is an elliptic cuve goup and G 2 is a finite field. 3 Complexity Implications The constuction of a bilinea map comes with a numbe of complexity implications. Theoem 1 The Discete Log Poblem in G 1 is no hade than the Discete Log Poblem in G 2. Poof 1 Conside Q = ap (still using additive notation), though a is unknown. Solving the Discete Log Poblem involves discoveing a fo a given P and a andom Q. We note: e(p, Q) = e(p, ap ) = e(p, P ) a Thus, we can educe the Discete Log Poblem in G 1 to the Discete Log Poblem in G 2. Given P G 1 and a andom Q G 1, and noting that the mapping e is easily computable, we can compute log P (Q) as follows: 1. detemine P = e(p, P ) 2. detemine Q = e(p, Q) 3. detemine a = log P (Q ) in G a is also log P (Q). Theoem 2 The Decisional Diffie Helman [Bon98] is easy in G 1. Poof 2 Solving the DDH poblem involves distinguishing: P, ap, bp, cp with a, b, c R Z, and P, ap, bp, abp with a, b R Z If we define P, A, B, C as the fou values given to the distinguishe, the distinguishe functions as follows: 17 2

3 1. Detemine v 1 = e(a, B) and v 2 = e(p, C) 2. If v 1 = v 2, then the tuple is of the type P, ap, bp, abp. Indeed, assume C = abp, then: e(a, B) = e(ap, bp ) = e(p, P ) ab = e(p, abp ) = e(p, C) Since we know the mapping e is non degeneate, the euality e(a, B) = e(p, C) is euivalent to c = ab. The distinguishe can gain a significant advantage in deciding DDH given the mapping e. 4 Cyptogaphic Schemes The application of bilinea maps leads to numeous inteesting cyptogaphic schemes. 4.1 One Round, 3 paty Key Ageement Scheme In 2000, Joux intoduced a scheme fo one ound, 3 paty key ageement based on bilinea maps [Jou00]. Key ageement schemes based on Diffie Helman [DH76] ae well known, but all euie moe than one ound of exchanged data. In the Joux scheme, assume the above notation and existence of a bilinea map between goups G 1 and G 2 with P a geneato of G 1. Thee paties A, B, C espectively have secets a, b, c Z. The potocol functions as follows: 1. A B, C: ap 2. B A, C: bp 3. C A, B: cp 4. Note that steps 1, 2, 3 ae done in one ound of paallel message exchanges. 5. A computes e(bp, cp ) a = e(p, P ) abc. 6. B computes e(ap, cp ) b = e(p, P ) abc. 7. C computes e(ap, bp ) c = e(p, P ) abc. 8. Note that steps 5, 6, 7 ae done in paallel. 9. All paties have the same shaed key K = e(p, P ) abc G 2. This potocol is contingent on the BDH assumption. Definition The Bilinea Diffie Helman (BDH) Assumption consides the computation of e(p, P ) abc given P, ap, bp, cp to be had. 4.2 Identity Based Encyption In 1984, Shami imagined a public key encyption scheme whee any publicy known sting (e.g. someone s addess) could be used as a public key [Sha85]. In this scheme, 17 3

4 the coesponding pivate key is deliveed to the pope owne of this sting (e.g. the ecipient of the addess) by a tusted pivate key geneato. This key geneato must veify the use s identity befoe deliveing a pivate key, of couse, though this veification is essentially the same as that euied fo issuing a cetificate in a typical Public Key Infastuctue (PKI). Thus, an Identity Based Encyption Scheme enables the deployment of a public key cyptosystem without the pio setup of a PKI: a use poves his identity in a lazy way, only once he needs his pivate key to decypt a message sent to him. In 2001, Boneh and Fanklin devised the fist pactical implementation of such an Identity Based Encyption scheme [BF01]. Thei appoach uses bilinea maps and elies on the BDH Assumption and the Random Oacle model. Setup the usual G 1 and G 2 with a bilinea mapping e : G 1 G 1 G 2 and P a geneato a system wide secet key s R Z. a coesponding system wide public key P pub = sp. Encypt We want to encypt a message m to public key A using the system wide settings fom above. The encyption function is: Enc(P pub, A, m) = P, M H 2 (g A ), R Z g A = e(q A, P pub ) Q A = H 1 (A) H 1 : { 0, 1} G 1, a andom oacle H 2 : G 2 { 0, 1}, a andom oacle Decypt We want to decypt a ciphetext c = (u, v) encypted with public key sting A. The secet key is deliveed to the owne of A as d A = sq A, with Q A defined as above: Q A = H 1 (A). We define: Dec(u, v, d A ) = v H 2 (e(d A, u)) = v H 2 (e(sh 1 (A), P )) = v H 2 (e(h 1 (A), P ) s ) = v H 2 (e(q A, sp ) ) = v H 2 (e(q A, P pub ) ) = v H 2 (g A ) = (m H 2 (g A )) H 2 (g A ) = m 17 4

5 This scheme is not CCA2 secue, but can be made so with the Fujisaki Okamoto constuction [FO99], which assumes the Random Oacle model nothing futhe than what we aleady assume. Refeences [BF01] Dan Boneh and Matt Fanklin. Identity based encyption fom the Weil paiing. Lectue Notes in Compute Science, 2139:213??, [Bon98] Dan Boneh. The decisional diffie hellman poblem. In Thid Algoithmic Numbe Theoy Symposium, pages Spinge Velag, [cy] Paiing based cypto lounge. available at infomatica/paulobaeto/pblounge.html. [DBS04] Ratna Dutta, Rana Baua, and Palash Saka. Paiing based cyptogaphy : A suvey. Cyptology epint Achive, Repot 2004/064, iac.og/. [DH76] [FO99] Whitfield Diffie and Matin E. Hellman. New diections in cyptogaphy. IEEE Tansactions on Infomation Theoy, IT 22(6): , Eiichio Fujisaki and Tatsuaki Okamoto. Secue integation of asymmetic and symmetic encyption schemes. Lectue Notes in Compute Science, 1666: , [Jou00] Antoine Joux. A one ound potocol fo tipatite diffie hellman. In Poceedings of the 4th Intenational Symposium on Algoithmic Numbe Theoy, pages Spinge Velag, [Sha85] Adi Shami. Identity based cyptosystems and signatue schemes. In Cypto 84, LNCS Vol. 196, pages Spinge,