## What is in a name?


**Identity-based cryptography** (RSA Security/RSA Labs)

**How public-key crypto works**
• When you use public-key cryptography, you publish a value (the public key).
• If it is a public-key encryption scheme, anybody may send you encrypted messages using that key.
• If it is a signature scheme, you may sign messages that anybody will be able to verify came from you.

**Whose public key?**
• You need to convey it to the other party, and in principle could just publish it.
• However, it is a random-looking number; to establish its authenticity, a trusted path from you to the other party must exist.
• This is most effectively done via certificates: a trusted authority attests to the key on your behalf (usually by signing it).
• (Slide illustration of such a random-looking key: 85B32 07E86 993A0 126B3 F1671)

**"Adverse Network Effect"**
• If you want to send an encrypted message to someone else, and:
  • that person has not established a public key, or you don't know what it is, and
  • you can't afford a physically protected channel to send a shared key,
  • then you are out of luck.
• More generally, if too few people have public keys, public keys are not very useful or not advertised, and so not many people have a reason to get one...

**You have a name...**
• What if you could use your own name as a public key?
• You would need to obtain a corresponding private key.
• The function that derives the private key from the public one must be a trapdoor function: it can only be computed by someone who knows a secret value (the trapdoor) that enables the computation.

**Identity-based crypto**
• (Slide figure: a message encrypted under Alice's name is decrypted with Alice's private key, which a trusted party derives from her name using the trapdoor.)
• The price of this convenience: the party holding the trapdoor can derive every user's private key (key escrow), so it must be trusted not to decrypt.

**This talk's plan**
• What is identity-based cryptography
• First identity-based schemes
• Identity-based encryption using traditional crypto
• Identity-based encryption via pairings
• Extensions
• Self-certified schemes

**Shamir's identification scheme**
• Shamir was interested in using smart cards to implement strong identification schemes.
• It should be efficient.
• It should not use a shared key (open environment).
• It should use strong crypto.
• It does not use certificates.
• (The square-root protocol on the next slides is the one published as the Fiat-Shamir identification scheme; Shamir's 1984 paper in the references introduced the identity-based idea and an identity-based signature scheme.)

**Identity-based identification**
• The smart-card issuer (SCI) is trusted.
• SCI's scheme setup:
  • Generate two large primes p and q.
  • Compute n = pq.
  • Publish n, keep p and q secret.
  • Choose a hash function f: {0,1}* → {0, 1, ..., n-1}.
• SCI initializes each smart card with the secret key of its owner.

**Issuing private keys**
• For each identity I, SCI:
  • computes the values v_j = f(I || j) for j = 0, 1, ...;
  • chooses the first k values that are squares modulo n (quadratic residues);
  • lets s_j be a square root of v_j, i.e. s_j^2 = v_j mod n.
• The smart card contains I and {s_j}. Only SCI can find the square roots, since that requires p and q; this is the trapdoor.

**Identification protocol**
• Card C sends I to server S.
• S recomputes the v_j from I.
• C picks a random r and computes t = r^2 mod n.
• C sends t to S.
• S replies with a random k-bit challenge (e_1, ..., e_k).
• C sends z = r · s_1^e_1 · s_2^e_2 · ... · s_k^e_k mod n to S.
• S checks that z^2 = t · v_1^e_1 · v_2^e_2 · ... · v_k^e_k mod n.

**Security: key not leaked**
• If C could guess S's challenge string (e_1, ..., e_k) in advance, then C could choose z at random, compute t = z^2 · v_1^(-e_1) · v_2^(-e_2) · ... · v_k^(-e_k) mod n, and respond to S's challenge with z.
• So if C could see the future, it could answer challenges correctly without knowing the keys; therefore a transcript of C's answers reveals nothing about the keys (any transcript can be simulated without them).

**Security: key knowledge**
• C may still do as before, so that it can answer one particular challenge correctly.
• Can C answer more than one challenge for the same t without knowing the s_j?
• C would have to know both:
  • z with z^2 = t · v_1^e_1 · ... · v_k^e_k mod n, and
  • w with w^2 = t · v_1^d_1 · ... · v_k^d_k mod n.
• Then (z/w)^2 = v_1^(e_1-d_1) · ... · v_k^(e_k-d_k) mod n, i.e. z/w = s_1^(e_1-d_1) · ... · s_k^(e_k-d_k) mod n.
• Two correct answers for the same t therefore reveal a square root (if e and d differ in a single position j, they reveal s_j itself), so a prover without the s_j can answer at most one of the 2^k challenges per round.

**Zero-knowledge**
• Together, the two properties make the protocol a zero-knowledge proof of knowledge of the s_j.

**Identity-based encryption**
• Over the years, many identity-based schemes were developed for identification and signatures.
• For nearly two decades, nobody knew how to do identity-based encryption.
• Then pairings came along and changed everything, but
• let's first see a scheme using square roots.

**The Jacobi symbol**
• The Jacobi symbol J(x, N) for an odd natural number N has the following properties:
  • For every x, J(x, N) is in {-1, 0, 1}.
  • J(x, N) = 0 iff gcd(x, N) ≠ 1.
  • J(xy, N) = J(x, N) · J(y, N).
  • J(x^2, N) = 1 (for x coprime to N).
  • J(x, N) = -1 for some x (hence for 50% of all x coprime to N).
  • J(·, N) is efficiently computable without knowing the factorization of N.
• Caveat: J(x, N) = 1 does not mean x is a square mod N. For N = pq, half of the x with J(x, N) = 1 are non-residues modulo both p and q, and telling the two cases apart without p and q (the quadratic residuosity problem) is believed hard; Cocks' scheme rests on exactly this.

**Clifford Cocks' scheme**
• The authority sets up the scheme:
  • Generate two large primes p and q, both of the form 4k + 3.
  • Compute n = pq.
  • Publish n, keep p and q secret.
  • Choose a hash function f: {0,1}* → {0, 1, ..., n-1}.
• For a user with identity I:
  • compute f(I||0), f(I||1), ..., until J(f(I||k), n) = 1. This value A is the user's public key.

**Private key**
• To find the private key: there is a 50% chance that the public key A is a square mod n.
• If not, -A is. (Because p, q ≡ 3 mod 4, -1 is a non-residue modulo both p and q, so J(-1, n) = 1 and exactly one of A and -A is a square mod n.)
• The private key B is a square root of either A or -A. Let's suppose of A:
  • B^2 = A mod n.
• Only the authority can compute B, since extracting square roots modulo n requires p and q.

**To encrypt**
• The sender S computes the receiver's public key A from the receiver's name.
• S sends one bit b at a time, encoded as b ∈ {+1, -1}.
• S chooses a random t such that J(t, n) = b
• and sends s = t + A/t mod n.
• Note that:
  • s = t(1 + A/t^2) mod n, and
  • s + 2B = t(1 + 2B/t + A/t^2) = t(1 + B/t)^2 mod n.
• Caveat: the sender does not know whether A or -A is the square, so in Cocks' actual scheme each bit is sent twice, as t + A/t and as t' - A/t' with fresh t', and the receiver uses whichever matches its key.

**To decrypt**
• R receives s and computes J(s + 2B, n) = J(t, n) · J((1 + B/t)^2, n) = J(t, n) = b.
• A receiver who does not know B must solve s = t + A/t for t, or at least for J(t, n): t^2 - st + A = 0 mod n, ... which is believed infeasible without the factorization of n.
• Practical note: every bit costs one (in fact two) full-size elements of Z_n, so the scheme suits short messages such as session keys.

**Pairings-based IBE**
• Pairings were first used in cryptography "in a constructive way" by A. Joux, who built a three-party Diffie-Hellman key agreement that needs only one round (each party broadcasts a single message).
• Great excitement in the cryptographic community followed the discovery that pairings could also be used for an efficient identity-based encryption scheme.

**Cryptographic groups**
• Most public-key schemes are based on "cryptographic groups," i.e. mathematical groups where the discrete-logarithm problem is hard:
  • (x, g) → g^x (easy)
  • (y, g) → x such that y = g^x (hard)

**Pairing groups**
• A map e: G1 × G2 → GT, all three groups of the same prime order p, such that:
  • e(g^a, h^b) = e(g, h)^(ab) (bilinearity), and
  • if g generates G1 and h generates G2, then e(g, h) generates GT (non-degeneracy).

**Boneh-Franklin scheme**
• The trusted party T chooses a secret s and a generator P of G1, and sets P_group = P^s.
• Each group member with identity I has public key Q_I = f(I), where f: {0,1}* → G2.
• The member gets the private key P_I = Q_I^s from T.
• The scheme also fixes the message space {0,1}^k and a hash function H: GT → {0,1}^k.

**Encrypting/decrypting**
• Someone wants to encrypt message M for I: pick a random r and send
  • C = (A, B) = (P^r, M ⊕ H(e(P_group, Q_I)^r)).
• To decrypt, the intended receiver computes
  • Z = e(A, P_I) = e(P^r, Q_I^s) = e(P, Q_I)^(rs) = e(P^s, Q_I)^r = e(P_group, Q_I)^r
  • and then M = B ⊕ H(Z).
• Another party, seeing P, P^s, P^r and Q_I, would have to compute e(P, Q_I)^(rs) (the bilinear Diffie-Hellman problem, believed hard).
• Caveat: this is the basic, chosen-plaintext-secure version; the Boneh-Franklin paper adds a Fujisaki-Okamoto-style transformation to obtain chosen-ciphertext security.

**Extensions**
• What can you do with identity-based encryption?
• The authority can extract a secret key associated with any public string, not only a name.
• What about a date, such as "05/03/05"?
• What about your fingerprint?

**Timed-release encryption**
• The goal of timed-release encryption is to encrypt a message that can only be read at a future point in time.
• One way is to use a one-way function (no decryption algorithm) and tune its hardness so that it will be inverted within the desired time frame.
• The other is to use IBE: encrypt the message under the name "Alice Wonderlie||01/01/2031", and the trusted party will only release the corresponding secret key to Alice in 2031.

**A few references**
• Adi Shamir: Identity-Based Cryptosystems and Signature Schemes. CRYPTO 1984, LNCS 196, pp. 47–53.
• Clifford Cocks: An Identity Based Encryption Scheme Based on Quadratic Residues. Cryptography and Coding 2001, LNCS 2260, pp. 360–363.
• Antoine Joux: A One Round Protocol for Tripartite Diffie–Hellman. ANTS-IV 2000, LNCS 1838, and J. Cryptology 17(4), 2004.
• Dan Boneh and Matt Franklin: Identity-Based Encryption from the Weil Pairing. CRYPTO 2001, LNCS 2139, pp. 213–229, and SIAM J. Computing 32(3), 2003, pp. 586–615.
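Worked example, added to this page and not taken from the slides: the identification protocol and the two security arguments ("key not leaked", "key knowledge") from the smart-card slides, in runnable Python. The toy primes, the SHA-256-based hash f, the identity string and the function names are choices made for this example; the card and the server are modelled as plain functions, with the issuer holding the trapdoor (p, q). It follows the slides' variant (s_j^2 = v_j, check z^2 = t · Π v_j^e_j); the card also sends the indices j of its residues, as the original Fiat-Shamir scheme does, because the server cannot test quadratic residuosity without p and q.

```python
"""Added example (not from the slides): identity-based identification in the
Fiat-Shamir style, with the issuer's trapdoor (p, q), a cheating prover that
guesses the challenge, and key extraction from two answers to one commitment.
Toy-sized primes constructed for the demo; not secure."""
import hashlib
import secrets

# Issuer's trapdoor: two primes, both ≡ 3 (mod 4) (constructed demo values); n is public
P, Q = 1000000007, 2147483647
N = P * Q


def f(label, n):
    """The slides' hash f: {0,1}* -> {0, ..., n-1}; SHA-256 reduced mod n is a demo choice."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % n


def is_square(a, p, q):
    """Only the issuer can run this: a is a square mod pq iff it is one mod p and mod q (Euler)."""
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1


def sqrt_mod_n(a, p, q):
    """For p ≡ 3 (mod 4) a root mod p is a^((p+1)/4); combine the two roots with the CRT."""
    rp, rq = pow(a, (p + 1) // 4, p), pow(a, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def issue_card(identity, p, q, k):
    """SCI: v_j = f(I||j); keep the first k squares mod n and give the card their roots s_j.
    The server cannot test squareness without p, q, so the card also carries the chosen indices."""
    n, indices, roots, j = p * q, [], [], 0
    while len(roots) < k:
        v = f(f"{identity}||{j}", n)
        if is_square(v, p, q):
            indices.append(j)
            roots.append(sqrt_mod_n(v, p, q))
        j += 1
    return indices, roots


def server_residues(identity, indices, n):
    """Server recomputes the public values v_j from the identity alone."""
    return [f(f"{identity}||{j}", n) for j in indices]


def card_commit(n):
    """Card picks a random r and sends t = r^2 mod n."""
    r = secrets.randbelow(n - 1) + 1
    return r, pow(r, 2, n)


def card_respond(r, roots, e_bits, n):
    """z = r * prod s_j^(e_j) mod n."""
    z = r
    for s, e in zip(roots, e_bits):
        if e:
            z = z * s % n
    return z


def server_check(t, residues, e_bits, z, n):
    """Accept iff z^2 = t * prod v_j^(e_j) mod n."""
    rhs = t
    for v, e in zip(residues, e_bits):
        if e:
            rhs = rhs * v % n
    return pow(z, 2, n) == rhs


def cheat_commit(guess_bits, residues, n):
    """No s_j at all: choose z, then t = z^2 * prod v_j^(-e_j). Passes exactly when the guess
    equals the real challenge, so transcripts can be simulated (nothing leaks) while a
    prover without the keys succeeds with probability only 2^-k per round."""
    z = secrets.randbelow(n - 1) + 1
    t = pow(z, 2, n)
    for v, e in zip(residues, guess_bits):
        if e:
            t = t * pow(v, -1, n) % n
    return t, z


def extract_root(z, w, n):
    """Two valid answers for the same t whose challenges differ only in position j reveal s_j = z/w."""
    return z * pow(w, -1, n) % n


def honest_run(identity, k=8):
    """One full protocol run with a random challenge; returns whether the server accepted."""
    indices, roots = issue_card(identity, P, Q, k)      # done once, at card issuance
    residues = server_residues(identity, indices, N)     # server side, from I and the indices
    r, t = card_commit(N)
    e_bits = [secrets.randbits(1) for _ in range(k)]
    return server_check(t, residues, e_bits, card_respond(r, roots, e_bits, N), N)
```

The two security slides map onto `cheat_commit` and `extract_root`: the first shows that a valid-looking (t, z) pair can be produced for any one chosen challenge without a key, the second that anyone holding two valid answers for the same t has effectively been handed a root s_j, which is why the honest card must never reuse r.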
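Worked example, added here and not from the slides: Cocks' scheme end to end, from the Jacobi-symbol search for the public key through key extraction with the trapdoor to bitwise encryption and decryption, including the detail the slides simplify away (the sender does not know which of A, -A is the square, so it sends a value for each case). The toy primes, the SHA-256-based hash f, the identity string and the function names are assumptions of this example; the primes are small so the demo runs instantly and provide no security.

```python
"""Added example (not from the slides): Cocks' identity-based encryption with the
Jacobi symbol. Toy-sized primes constructed for the demo; not secure."""
import hashlib
import secrets

# Authority's trapdoor: p, q ≡ 3 (mod 4) as Cocks requires (constructed demo values); n is public
P, Q = 1000000007, 2147483647
N = P * Q


def f(label, n):
    """The slides' hash f: {0,1}* -> {0, ..., n-1}; SHA-256 reduced mod n is a demo choice."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % n


def jacobi(a, n):
    """Jacobi symbol J(a, n) in {-1, 0, 1} for odd n > 0, via quadratic reciprocity; no factoring."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_square(a, p, q):
    """Trapdoor test (needs p, q): a is a square mod pq iff it is one mod p and mod q (Euler)."""
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1


def sqrt_mod_n(a, p, q):
    """For p ≡ 3 (mod 4) a root mod p is a^((p+1)/4); combine the two roots with the CRT."""
    rp, rq = pow(a, (p + 1) // 4, p), pow(a, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def public_key(identity, n):
    """Anyone: hash I||0, I||1, ... until J(f(I||k), n) = +1; that value A is the public key."""
    j = 0
    while jacobi(f(f"{identity}||{j}", n), n) != 1:
        j += 1
    return f(f"{identity}||{j}", n)


def private_key(a, p, q):
    """Authority: with p, q ≡ 3 (mod 4), J(-1, n) = +1, so exactly one of A, -A is a square.
    Returns (B, sign) with B^2 = sign * A mod n."""
    if is_square(a, p, q):
        return sqrt_mod_n(a, p, q), 1
    return sqrt_mod_n(-a % (p * q), p, q), -1


def encrypt_bit(b, a, n):
    """b in {+1, -1}. Pick t with J(t, n) = b and send s = t + A/t; repeat with -A (fresh t)
    for the other case, since the sender cannot tell which of A, -A has a root."""
    out = []
    for sign in (1, -1):
        t = secrets.randbelow(n - 1) + 1
        while jacobi(t, n) != b:          # J(t, n) != 0 also guarantees t is invertible
            t = secrets.randbelow(n - 1) + 1
        out.append((t + sign * a * pow(t, -1, n)) % n)
    return tuple(out)


def decrypt_bit(ct, priv, n):
    """J(s + 2B, n) = J(t, n) * J((1 + B/t)^2, n) = J(t, n) = b, using the s built from sign*A."""
    B, sign = priv
    s = ct[0] if sign == 1 else ct[1]
    return jacobi((s + 2 * B) % n, n)


def encrypt(msg, a, n):
    """Bytes -> list of per-bit ciphertext pairs (bit 1 -> +1, bit 0 -> -1), LSB first."""
    return [encrypt_bit(1 if (byte >> i) & 1 else -1, a, n) for byte in msg for i in range(8)]


def decrypt(cts, priv, n):
    """Inverse of encrypt: one Jacobi symbol per bit, then repack into bytes."""
    bits = [decrypt_bit(ct, priv, n) for ct in cts]
    return bytes(sum((bits[8 * i + j] == 1) << j for j in range(8)) for i in range(len(bits) // 8))
```

Each encrypted bit costs two elements of Z_n, which is the cost noted on the decryption slide; `public_key` needs only n, while `private_key` is the one step that needs p and q.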
