Pairing-based Cryptography and Its Applications
Rong-Jaye Chen
Department of Computer Science, National Chiao Tung University, Taiwan

Outline (slide 2)
[1] Elliptic Curve Cryptography (ECC)
    1. Elliptic Curve
    2. Elliptic Curve DLP
[2] Pairing-based Cryptography (PBC)
    1. Pairings
    2. Cryptography from Pairings
[3] Applications of PBC
    1. ID-based Encryption
    2. Searchable Encryption
    3. Broadcast Encryption

Elliptic Curve Cryptography (ECC) (slide 3)

1. Elliptic Curves over Fields of Characteristic p > 3 (slide 4)
Curve form: $E: Y^2 = X^3 + aX + b$, where $a, b \in \mathbb{F}_q$, $q = p^n$, and $4a^3 + 27b^2 \neq 0$.
Group operation: given $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$, compute $P_3 = (x_3, y_3) = P_1 + P_2$.
[Figure: chord-and-tangent construction of $P + Q = (x_{P+Q}, y_{P+Q})$.]

Example of EC over GF(p) (slide 5)
Example: $p = 23$, $a = 1$, $b = 0$
$E_{a,b}(\mathbb{Z}_{23}) = \{(x, y) \in \mathbb{Z}_{23} \times \mathbb{Z}_{23} : y^2 = x^3 + x\} \cup \{O\}$
[Figure: the points of this curve, with $P$, $-P$, $Q$ and $P + Q$ marked.]

Example of EC over GF(p) (slide 6)
(Cost notation: I = field inversion, M = multiplication, S = squaring.)
Addition ($P_1 \neq P_2$), computational cost I + 3M:
    $\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$, $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$
Doubling ($P_1 = P_2$), computational cost I + 4M:
    $\lambda = \dfrac{3x_1^2 + a}{2y_1}$, $x_3 = \lambda^2 - 2x_1$, $y_3 = \lambda(x_1 - x_3) - y_1$

1. Elliptic Curves over Fields of Characteristic 2 (slide 7)
Curve form: $E: Y^2 + XY = X^3 + aX^2 + b$, where $a, b \in \mathbb{F}_q$, $b \neq 0$, $q = 2^n$.
Group operation: given $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$, compute $P_3 = (x_3, y_3) = P_1 + P_2$.

Example of EC over GF(2^m) (slide 8)
$GF(2^4) = \mathbb{Z}_2[x]/p(x)$, $p(x) = x^4 + x + 1$
$E: y^2 + xy = x^3 + g^4 x^2 + 1$, with $a = g^4 = (0011)$ and $b = g^0 = 1 = (0001)$

Example of EC over GF(2^m) (slide 9)
Addition ($P_1 \neq P_2$), computational cost I + 2M + S:
    $\lambda = \dfrac{y_2 + y_1}{x_2 + x_1}$, $x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$, $y_3 = \lambda(x_1 + x_3) + x_3 + y_1$
Doubling ($P_1 = P_2$), computational cost I + 2M + S:
    $\lambda = x_1 + \dfrac{y_1}{x_1}$, $x_3 = \lambda^2 + \lambda + a$, $y_3 = \lambda(x_1 + x_3) + x_3 + y_1$

2. Elliptic Curve DLP (slide 10)
Basic computation of ECC: $Q = kP = P + P + \cdots + P$ ($k$ times), where $P$ is a curve point and $k$ is an integer.
Strength of ECC: given the curve, the point $P$, and $kP$, it is hard to recover $k$. This is the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Elliptic Curve Security: NIST recommended key sizes (slide 11)
Symmetric key (bits) | RSA and Diffie-Hellman key (bits) | Elliptic curve key (bits) | Years
 80                  |  1024                             | 160                       | ~2010
 112                 |  2048                             | 224                       | ~2030
 128                 |  3072                             | 256                       |
 192                 |  7680                             | 384                       |
 256                 | 15360                             | 521                       |

Pairing-based Cryptography (PBC) (slide 12)
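An added Python example, not from the slides, that implements the characteristic-p group law above on the slides' own curve $y^2 = x^3 + x$ over $\mathbb{Z}_{23}$, the $kP$ computation of the ECDLP slide, and a brute-force ECDLP solver that is only feasible because this toy group has 24 points; `P_MOD`, `ec_add`, `ec_mul` and the other names are this example's own.

```python
# Added example (not from the slides): group law on the slides' curve
# y^2 = x^3 + x over Z_23, kP by double-and-add, and a brute-force ECDLP.
P_MOD, A, B = 23, 1, 0          # the slides' example: p = 23, a = 1, b = 0

def on_curve(pt):
    if pt is None:
        return True                                  # O is always on the curve
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0

def ec_add(p1, p2):
    """P1 + P2 with the slides' addition (I+3M) and doubling (I+4M) formulas."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                  # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD          # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def ec_mul(k, pt):
    """Q = kP, the 'basic computation of ECC', by left-to-right double-and-add."""
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc

def curve_order():
    """|E(Z_23)| by enumeration: the affine points plus O."""
    return 1 + sum(on_curve((x, y)) for x in range(P_MOD) for y in range(P_MOD))

def ecdlp_bruteforce(pt, q):
    """Find k with q = k*pt by walking <pt>; linear in the group order, so hopeless at 256 bits."""
    acc, k = None, 0
    while True:
        if acc == q:
            return k
        acc, k = ec_add(acc, pt), k + 1
        if acc is None:
            return None                              # wrapped to O: q is not in <pt>
```

On this curve (11, 10) generates the whole group of order 24, while (9, 5) has order 6, so a scalar can be recovered in at most 24 additions; the same walk on a 256-bit curve is exactly what the ECDLP slide calls hard.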
1. Pairings (slide 13)
Divisors: definition, principal divisors
Pairings: Tate pairings, Weil pairings
More on pairings

Slides 14 to 35 are present only by title in this transcription:
slide 14: Definition of Divisors
slide 15: Functions on E
slide 16: Order of f at P
slide 17: Principal Divisors (1/3)
slide 18: Principal Divisors (2/3)
slide 19: Principal Divisors (3/3)
slide 20: Group Relation
slide 21: Example (1/2)
slide 22: Example (2/2)
slide 23: Pairings
slide 24: Preliminaries (1/2)
slide 25: Preliminaries (2/2)
slide 26: Tate Pairing (1/2)
slide 27: Tate Pairing (2/2)
slide 28: Properties of Tate Pairing
slide 29: The Idea of Miller's Algorithm
slide 30: Weil Pairing
slide 31: Properties of Weil Pairing
slide 32: Tate Pairing vs. Weil Pairing
slide 33: More on Pairings
slide 34: Distortion Maps
slide 35: Modified Pairings

2. Cryptography from Pairings (slide 36)
Key distribution schemes: identity-based non-interactive key distribution; three-party key distribution
Signature schemes: identity-based signature; short signature

Slides 37 to 40 are present only by title in this transcription:
slide 37: ID-based Non-interactive Key Distribution
slide 38: Three-party Key Distribution
slide 39: ID-based Signature
slide 40: Short Signature

Applications of PBC (slide 41)

1. ID-based Encryption (slide 42)
History; certificate-based cryptography; identity-based cryptography

History (slide 43)
Shamir (CRYPTO 1984) raised the open problem. Two solutions:
    Pairing-based approach: Boneh and Franklin (CRYPTO 2001)
    Based on the Quadratic Residuosity problem: Cocks (Crypto and Coding 2001)

Slides 44 to 47 are present only by title in this transcription:
slide 44: Certificate-based Cryptography
slide 45: Identity-based Cryptography
slide 46: Protocol (1/2)
slide 47: Protocol (2/2)

2. Searchable Encryption [BCOP 2003] (slide 48)

Slides 49 to 52 are present only by title in this transcription:
slide 49: Goal
slide 50: BCOP Scheme
slide 51: PEKS
slide 52: Construction of PEKS

3. Broadcast Encryption [BGW 2005] (slide 53)
[Figure: sender and users Alice, Bob, Charles and Eve; the steps below are the figure's labels.]
1' Decide the recipient list (say Alice and Charles) and extract keys for them.
2' Encrypt under the public key for the qualified recipients (only one public key for all).
3' Broadcast the ciphertext to all users (over an insecure channel).
4a' Qualified recipients (Alice, Charles) can decrypt the message.
4b' Unqualified recipients (Bob, Eve) cannot decrypt the message, even if they all collude.
Broadcast Encryption (slide 54)
[Figure: the system parameters are public; users Alice, Bob, Charles and Eve.]
1' Decide the recipient list S (say Alice and Charles) and give each user a private key $d_{user}$.
2' Encrypt using the public key PK under this list; output (Hdr, K).
3' Broadcast the ciphertext to all users (over an insecure channel).
4a' Qualified recipients can decrypt the message: Alice uses Hdr and $(d_{Alice}, PK)$ to recover K, and Charles uses Hdr and $(d_{Charles}, PK)$ to recover K.
4b' Unqualified recipients cannot decrypt the message, even if they all collude: Eve has no $d$ with which to recover K.

BGW Scheme - Setup (slide 55)
Setup(n)
    in: n, the number of intended users
    out: n private keys $(d_1, \ldots, d_n)$ and one public key PK
Public key: $PK = (P, P_1, \ldots, P_n, P_{n+2}, \ldots, P_{2n}, v)$
Private key: $d_i = \gamma P_i = \gamma \alpha^i P$, $i = 1, \ldots, n$
where $P_i = \alpha^i P$ and $v = \gamma P$.

BGW Scheme - Encrypt (slide 56)
Encrypt(S, PK)
    in: $S \subseteq \{1, \ldots, n\}$, public key PK
    out: a pair (Hdr, K). Hdr is called the header (aka broadcast ciphertext); $K \in \mathcal{K}$ is a message encryption key chosen from a finite key set $\mathcal{K}$.
$Hdr = \left(tP,\; t\left(v + \sum_{j \in S} P_{n+1-j}\right)\right)$
$K = e(P_{n+1}, P)^t$

BGW Scheme - Decrypt (slide 57)
Decrypt(S, i, $d_i$, Hdr, PK)
If $i \in S$, the algorithm outputs a message encryption key $K \in \mathcal{K}$.
$Hdr = \left(tP,\; t\left(v + \sum_{j \in S} P_{n+1-j}\right)\right) = (C_0, C_1)$
$K = \dfrac{e(P_i, C_1)}{e\left(d_i + \sum_{j \in S, j \neq i} P_{n+1-j+i},\; C_0\right)}$
Note: $d_i = \gamma P_i = \gamma \alpha^i P$ and $P_i = \alpha^i P$, so
$K = \dfrac{e(P, P)^{t\left(\gamma \alpha^i + \sum_{j \in S} \alpha^{n+1-j+i}\right)}}{e(P, P)^{t\left(\gamma \alpha^i + \sum_{j \in S, j \neq i} \alpha^{n+1-j+i}\right)}} = e(P_{n+1}, P)^t$, the session key.
If you don't have $d_i$, you cannot cancel the denominator term to obtain K.

BGW Scheme - Setup (Generalized) (slide 58)
IDEA: run A parallel instances of the special case, where each instance can broadcast to at most B < n users.
[Figure: instance 1 holds users 1 to B, instance 2 holds users B+1 to 2B, instance 3 holds users 2B+1 to 3B, ..., instance A-1 holds users (A-2)B+1 to (A-1)B, instance A holds users (A-1)B+1 to AB.]
$Setup_B(n)$: $n = AB$
    in: n, the number of intended users
    out: n private keys $(d_1, \ldots, d_n)$ and one public key PK
Public key: $PK = (P, P_1, \ldots, P_B, P_{B+2}, \ldots, P_{2B}, v_1, \ldots, v_A)$
Private key: $d_i = \gamma_a P_b = \gamma_a \alpha^b P$, $i = 1, \ldots, n$
where $P_i = \alpha^i P$, $v_a = \gamma_a P$, and $i$ is written as $i = (a-1)B + b$, i.e. $a = \lceil i/B \rceil$, $b = i \bmod B$.