CSC 774 Advanced Network Security

Topic 2.6 ID Based Cryptography #2
Slides by An Liu

Outline
- Applications
- Elliptic Curve Group over real numbers and $F_p$
- Weil Pairing
- BasicIdent
- FullIdent
- Extensions
- Escrow ElGamal Encryption

Identity-Based Encryption
[Figure: IBE overview. Labels: setup, global parameters, master key, PKG, extract, authentication, private key for bob@ncsu.edu, encrypt (M encrypted using bob@ncsu.edu), decrypt.]

Applications
- Revocation of public keys
  - bob@ncsu.edu 2006
  - bob@ncsu.edu 2006-10-20
- Send message into the future
- Delegation of decryption keys
  - Delegation to a laptop (use date as public key)
  - Delegation of duties (use subject as public key)

Elliptic Curve Group over Real Numbers
- $y^2 = x^3 + ax + b$, where x, y, a, b are real numbers
- If $4a^3 + 27b^2 \neq 0$, a group can be formed.
  - points on curve and infinity point
  - Additive group

Elliptic Curve Addition: A Geometric Approach
- Adding distinct points P and Q
- The negative of a point P is its reflection in the x-axis.

- Adding the points P and -P
- Doubling the point P

Elliptic Curve Addition: An Algebraic Approach
- Adding distinct points P and Q (P + Q = R)
  - $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ are not negatives of each other
  - $s = (y_P - y_Q) / (x_P - x_Q)$
  - $x_R = s^2 - x_P - x_Q$, $y_R = -y_P + s(x_P - x_R)$
- Doubling the point P (2P = R)
  - $y_P \neq 0$
  - $s = (3x_P^2 + a) / (2y_P)$
  - $x_R = s^2 - 2x_P$, $y_R = -y_P + s(x_P - x_R)$

Elliptic Curve Groups over $F_p$
- Calculations over real numbers are slow and inaccurate.
- $y^2 \bmod p = x^3 + ax + b \bmod p$
- x, y, a, b are in $F_p$
- finite set of points
- no geometric approach

Elliptic Curve Groups over $F_p$ (Cont'd)
- Adding distinct points P and Q (P + Q = R)
  - $P = (x_P, y_P)$ is not $-Q = (x_Q, -y_Q \bmod p)$
  - $s = (y_P - y_Q) / (x_P - x_Q) \bmod p$
  - $x_R = s^2 - x_P - x_Q \bmod p$
  - $y_R = -y_P + s(x_P - x_R) \bmod p$
- Doubling the point P (2P = R)
  - $y_P \neq 0$
  - $s = (3x_P^2 + a) / (2y_P) \bmod p$
  - $x_R = s^2 - 2x_P \bmod p$, $y_R = -y_P + s(x_P - x_R) \bmod p$

Elliptic Curve Discrete Logarithm Problem (ECDLP)
- Discrete Logarithm Problem
  - For multiplicative group $Z_p^*$, given r, q, p, find k such that $r = q^k \bmod p$.
  - Foundation of many cryptosystems.
- Scalar multiplication
  - P, 2P, 3P = 2P + P, 4P = 3P + P, ..., kP (additive notation)
- ECDLP
  - Given points Q, P, find k such that kP = Q

Weil Pairing
- Bilinear map
  - A map $e: G_1 \times G_1 \to G_2$
  - $\forall P, Q \in G_1$, $\forall a, b \in Z$: $e(aP, bQ) = e(P, Q)^{ab}$
- Weil Pairing
  - bilinear map
  - $G_1$ is the group of points of an elliptic curve over $F_p$
  - $G_2$ is a subgroup of $F_{p^2}^*$
  - efficiently computable (Miller's algorithm)

Weil Pairing (Cont'd)
- Elliptic Curve Group in this paper
  - p, q are primes, $p = 2 \bmod 3$, $p = 6q - 1$
  - E is the elliptic curve defined by $y^2 = x^3 + 1$ over $F_p$
  - $G_q$ is the group with order $q = (p+1)/6$ generated by $P \in E/F_p$
- Modified Weil pairing $\hat{e}: G_q \times G_q \to \mu_q$
  - $\mu_q$ is the subgroup of $F_{p^2}^*$ containing all elements of order q
  - Non-degenerate: $\hat{e}(P, P) \in F_{p^2}$ is a generator of $\mu_q$

Weil Diffie-Hellman Assumption (WDH)
- Given $\langle P, aP, bP, cP \rangle$ for random $a, b, c \in Z_q^*$, $P \in E/F_p$, compute $W = \hat{e}(P, P)^{abc} \in F_{p^2}$
- When p is a random k-bit prime, there is no probabilistic polynomial time algorithm for the WDH problem.

MapToPoint algorithm
- Convert arbitrary string $ID \in \{0,1\}^*$ to a point $Q_{ID} \in E/F_p$ of order q
- hash function $G: \{0,1\}^* \to F_p$
- Steps:
  - $y_0 = G(ID)$, $x_0 = (y_0^2 - 1)^{1/3} = (y_0^2 - 1)^{(2p-1)/3}$
  - $Q = (x_0, y_0) \in E/F_p$, $Q_{ID} = 6Q$

BasicIdent
- Setup
  - Use the elliptic curve group we already defined
  - Choose arbitrary $P \in E/F_p$ of order q
  - Pick random $s \in Z_q^*$ and set $P_{pub} = sP$
  - Choose hash functions $H: F_{p^2} \to \{0,1\}^n$ and $G: \{0,1\}^* \to F_p$
  - Message space is $M = \{0,1\}^n$, ciphertext space is $C = E/F_p \times \{0,1\}^n$
  - System parameters are $\langle p, n, P, P_{pub}, G, H \rangle$. Master key is s.

BasicIdent (Cont'd)
- Extract (get private key from ID)
  1. Use MapToPoint to map ID to a point $Q_{ID}$
  2. Private key corresponding to ID is $d_{ID} = sQ_{ID}$
- Encrypt (encrypt M with ID)
  1. Use MapToPoint to map ID to a point $Q_{ID}$
  2. Choose random $r \in Z_q$
  3. $C = \langle rP, M \oplus H(g_{ID}^r) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in F_{p^2}$

BasicIdent (Cont'd)
- Decrypt (decrypt $C = \langle U, V \rangle$)
  - If U is not a point of order q, reject the ciphertext
  - Otherwise, $M = V \oplus H(\hat{e}(d_{ID}, U))$
- Why can M be recovered?
  - $\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, P_{pub})^r = g_{ID}^r$
  - $V \oplus H(\hat{e}(d_{ID}, U)) = M \oplus H(g_{ID}^r) \oplus H(g_{ID}^r) = M$

FullIdent
- BasicIdent is not chosen ciphertext secure.
- Setup
  - In addition to BasicIdent, pick another two hash functions:
  - $H_1: \{0,1\}^n \times \{0,1\}^n \to F_q$
  - $G_1: \{0,1\}^n \to \{0,1\}^n$
- Extract
  - Same as BasicIdent

FullIdent (Cont'd)
- Encrypt (encrypt M using ID)
  1. Use MapToPoint to convert ID into point $Q_{ID}$
  2. Choose random $\sigma \in \{0,1\}^n$
  3. Set $r = H_1(\sigma, M)$
  4. $C = \langle rP, \sigma \oplus H(g_{ID}^r), M \oplus G_1(\sigma) \rangle$ where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in F_{p^2}$

FullIdent (Cont'd)
- Decrypt (decrypt $C = \langle U, V, W \rangle$)
  1. Compute $V \oplus H(\hat{e}(d_{ID}, U)) = \sigma$
  2. Compute $W \oplus G_1(\sigma) = M$
  3. Set $r = H_1(\sigma, M)$
  4. If $U \neq rP$, reject.

Extensions & Observations
- Tate pairing and other curves can improve the speed
- Distributed PKG
- IBE implies signatures
  - Master key s is the private key (sign)
  - Global system parameters are the public key (verify)
  - Signature of M: $sQ_M$
  - Verification: encrypt a random M using ID = M, then decrypt using $sQ_M$

Escrow ElGamal Encryption
- Setup
  - Use the same elliptic curve
  - Pick a random $s \in Z_q$, $Q = sP$
  - Choose hash function $H: F_{p^2} \to \{0,1\}^n$
  - System parameters: $\langle p, n, P, Q, H \rangle$
  - s is the escrow key
- Keygen
  - User randomly chooses $x \in Z_q$ as private key
  - Public key is $P_{pub} = xP$

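Escrow ElGamal Encryption (Cont'd)
- Encrypt
  - Pick random $r \in Z_q$
  - $C = \langle rP, M \oplus H(g^r) \rangle$ where $g = \hat{e}(P_{pub}, Q) \in F_{p^2}$
- Decrypt ($C = \langle U, V \rangle$)
  - $V \oplus H(\hat{e}(U, xQ)) = M$
- Escrow-decrypt
  - $V \oplus H(\hat{e}(U, sP_{pub})) = M$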
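Why both Escrow ElGamal decryption paths recover M (an added derivation in the slides' notation, following the same bilinearity argument the slides give for BasicIdent):

- Mask used by Encrypt: $g^r = \hat{e}(P_{pub}, Q)^r = \hat{e}(xP, sP)^r = \hat{e}(P, P)^{xsr}$
- User's Decrypt: $\hat{e}(U, xQ) = \hat{e}(rP, xsP) = \hat{e}(P, P)^{rxs} = g^r$
- Escrow-decrypt: $\hat{e}(U, sP_{pub}) = \hat{e}(rP, sxP) = \hat{e}(P, P)^{rsx} = g^r$

In both cases $V \oplus H(g^r) = M \oplus H(g^r) \oplus H(g^r) = M$. The escrow key s never needs the user's private key x: it works against $P_{pub} = xP$ for every user, so a single s decrypts all ciphertexts produced under these system parameters.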
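The BasicIdent and FullIdent algorithms from the earlier slides, run side by side to show what the final `U != rP` check buys (an added example, not code from the slides or the paper). It assumes a toy bilinear map in which the point aP is stored as the scalar a and ê(aP, bP) = g^(ab) mod m, which preserves the algebra but has no security; the SHA-256 based hashes and all function names are likewise choices made for this example.

```python
import hashlib, secrets

# Toy bilinear group (assumption of this example, not a secure pairing):
# the point aP is stored as the scalar a mod q, and e(aP, bP) = g^(ab) mod m.
q = 2**61 - 1                       # prime group order
m = next(k * q + 1 for k in range(2, 10**4, 2)        # m - 1 = k*q
         if pow(2, k * q, k * q + 1) == 1 and pow(2, k, k * q + 1) != 1)
g = pow(2, (m - 1) // q, m)         # g != 1 and g^q = 1, so g has order q
N = 16                              # message length n, in bytes

def pair(a, b): return pow(g, a * b % q, m)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _h(tag, data): return hashlib.sha256(tag + data).digest()
def H(gt): return _h(b"H", gt.to_bytes(16, "big"))[:N]            # G_2 -> {0,1}^n
def H1(sigma, M): return int.from_bytes(_h(b"H1", sigma + M), "big") % q
def G1(sigma): return _h(b"G1", sigma)[:N]
def q_id(ID): return int.from_bytes(_h(b"ID", ID.encode()), "big") % q or 1

s = secrets.randbelow(q - 1) + 1    # master key
P, P_pub = 1, s                     # P_pub = sP

def extract(ID): return s * q_id(ID) % q                          # d_ID = s Q_ID

def basic_encrypt(ID, M):
    r = secrets.randbelow(q - 1) + 1
    return r * P % q, xor(M, H(pow(pair(q_id(ID), P_pub), r, m)))

def basic_decrypt(d, C):
    U, V = C
    if U % q == 0:
        return None                                               # U not of order q
    return xor(V, H(pair(d, U)))

def full_encrypt(ID, M):
    sigma = secrets.token_bytes(N)
    r = H1(sigma, M)
    mask = H(pow(pair(q_id(ID), P_pub), r, m))
    return r * P % q, xor(sigma, mask), xor(M, G1(sigma))

def full_decrypt(d, C):
    U, V, W = C
    sigma = xor(V, H(pair(d, U)))
    M = xor(W, G1(sigma))
    return M if U == H1(sigma, M) * P % q else None               # reject if U != rP

def tamper(C, delta):
    """Return C with delta XORed into its last component (V or W)."""
    return C[:-1] + (xor(C[-1], delta),)
```

A BasicIdent ciphertext modified with `tamper` still decrypts, to the original message XOR the chosen difference, while the same modification to a FullIdent ciphertext changes the recomputed r and `full_decrypt` returns `None`.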