## What is in a name?


Identity-based cryptography

**How public-key crypto works**
• When you use public-key cryptography, you publish a value (the public key)
• If it is a public-key encryption scheme, anybody may send you encrypted messages using that key
• If it is a signature scheme, you may sign messages that anybody will be able to verify came from you

**Whose public key?**
• You need to convey it to the other party, and in principle you could just publish it.
• However, it is a random-looking number (e.g. 85B32 07E86 993A0 126B3 F1671); to establish its authenticity, a trusted path from you to the other party must exist
• Most effectively done via certificates: a trusted authority attests to the key on your behalf (usually by signing it)

**"Adverse Network Effect"**
• If you want to send an encrypted message to someone else, and:
  • that person has not established a public key, or you don't know what it is, and
  • you can't afford to establish a physically protected channel to send a shared key,
• you are out of luck
• More generally, if too few people have public keys, public keys are not very useful (or not advertised), and so not many people have a reason to get one...

**You have a name...**
• What if you could use your own name as a public key?
• You would need to get a corresponding private key
• The function that extracts the private key from the public one must be a trapdoor function (it can only be computed by someone who knows a secret value, called the trapdoor, that enables the computation)

**Identity-based Crypto**
Alice's private key; message encrypted under Alice's name

**This talk's plan**
• What is identity-based cryptography
• First identity-based schemes
• Identity-based encryption using traditional crypto
• Identity-based encryption via pairings
• Extensions
• Self-certified schemes

**Shamir's identification scheme**
• Shamir was interested in using smart cards to implement strong identification schemes
• Should be efficient
• Should not use a shared key (open environment)
• Should use strong crypto
• Does not use certificates

**Identity-based Identification**
• The smart-card issuer (SCI) is trusted
• SCI's scheme setup:
  • Generate two large primes, p and q
  • Compute n = pq
  • Publish n, keep p and q secret
  • Choose a hash function f: {0, 1}* → {0, 1, ..., n−1}
• The SCI initializes each smart card with the secret key of its owner

**Issuing private keys**
• For each identity I, the SCI:
  • Computes the values v_j = f(I || j) for several j = 0, 1, ...
  • Chooses the first k values that are squares modulo n (quadratic residues)
  • Lets s_j be a square root of v_j: s_j² = v_j mod n (computable only with p and q)
• The smart card contains I and {s_j}

**Identification protocol**
• Card (C) sends to Server (S): I
• S re-computes the v_j
• C picks a random r and computes t = r² mod n
• C sends to S: t
• S replies with a k-bit string (e_1, ..., e_k)
• C sends z = r · s_1^{e_1} · s_2^{e_2} · ... · s_k^{e_k} mod n to S
• S checks that z² = t · v_1^{e_1} · v_2^{e_2} · ... · v_k^{e_k} mod n

**Security: Key not leaked**
• If C could guess S's challenge string (e_1, e_2, ..., e_k), then:
  • C could choose z at random and compute t = z² · v_1^{−e_1} · v_2^{−e_2} · ... · v_k^{−e_k} mod n
  • and respond to S's challenge with z
• If C could see the future, it could answer challenges correctly without knowing the keys; therefore:
• C's answers reveal nothing about the keys (an accepting transcript can be produced without them)

**Security: Key knowledge**
• C may still do as before so that it can answer one challenge correctly
• Can C answer correctly more than one challenge (on the same t) without knowing the s_j?
• C would have to know how to answer both:
  • z, with z² = t · v_1^{e_1} · v_2^{e_2} · ... · v_k^{e_k} mod n, and
  • w, with w² = t · v_1^{d_1} · v_2^{d_2} · ... · v_k^{d_k} mod n
• Then (z/w)² = v_1^{e_1−d_1} · v_2^{e_2−d_2} · ... · v_k^{e_k−d_k} mod n
• so z/w = s_1^{e_1−d_1} · s_2^{e_2−d_2} · ... · s_k^{e_k−d_k} mod n (up to the choice of root): a card that answers two challenges has, in effect, the secret roots

**Zero-Knowledge**
RSA Security/RSA Labs

**Identity-based encryption**
• Over the years, many identity-based schemes were developed for identification and signature
• For nearly two decades, nobody knew how to do identity-based encryption
• Then pairings came along and changed everything, but
• let's first see a scheme using square roots

**The Jacobi Symbol**
• The Jacobi symbol for an odd natural number N has the following properties:
  • for all x, J(x, N) is in {−1, 0, 1}
  • J(x, N) = 0 iff gcd(x, N) ≠ 1
  • J(xy, N) = J(x, N) · J(y, N)
  • J(x², N) = 1 (for gcd(x, N) = 1)
  • J(x, N) = −1 for some x (hence, by multiplicativity, for 50% of all x coprime to N)
  • J(·, N) is efficiently computable, without knowing the factorization of N

**Clifford Cocks' Scheme**
• Authority sets up the scheme:
  • Generate two large primes, p and q (both of the form 4k + 3)
  • Compute n = pq
  • Publish n, keep p and q secret
  • Choose a hash function f: {0, 1}* → {0, 1, ..., n−1}
• For a user with identity I:
  • Compute f(I||0), f(I||1), ..., until J(f(I||k), n) = 1. This value A is the user's public key.

**Private key**
• To find the private key: there is a 50% chance that the public key A is a square mod n.
• If not, −A is (because −1 is a non-residue mod p and mod q when p ≡ q ≡ 3 (mod 4), and J(A, n) = 1 forces A to be a residue modulo both or neither).
• The private key B is a square root of either A or −A. Let's suppose of A.
• B² = A mod n

**To encrypt**
• The sender computes the receiver's public key A from the receiver's identity
• S sends R one bit b = ±1 at a time
• S chooses a random t such that J(t, n) = b
• S sends s, where s = t + A/t mod n
• Note that:
  • s = t(1 + A/t²) mod n
  • s + 2B = t(1 + 2B/t + A/t²) = t(1 + B/t)² (using B² = A)
• Since the sender does not know which of A and −A is the square, it also sends s' = t' + (−A)/t' for a second random t' with J(t', n) = b; the receiver uses whichever matches its key

**To decrypt**
• R receives s and computes J(s + 2B, n) = J(t, n) · J((1 + B/t)², n) = J(t, n) = b
• If the receiver does not know B, it must solve s = t + A/t for t, or at least for J(t, n):
  • t² − st + A = 0 mod n, ...

**Pairings-Based IBE**
• Pairings were first used in cryptography "in a constructive way" by A. Joux, who created a 3-party Diffie-Hellman key agreement protocol that needs only a single round of messages.
• Great excitement in the cryptographic community resulted from the discovery that pairings could also be used for an efficient identity-based encryption scheme.

**Cryptographic groups**
• Most public-key schemes are based on "cryptographic groups", i.e., mathematical groups where the discrete-logarithm problem is hard:
  • (x, g) → g^x (easy)
  • (y, g) → x such that y = g^x (hard)

**Pairing groups**
• A map e: G1 × G2 → GT (all of the same prime order p) such that
  • e(g^a, h^b) = e(g, h)^{ab} (bilinearity)
  • if g generates G1 and h generates G2, then e(g, h) generates GT (non-degeneracy)

**Boneh-Franklin Scheme**
• A trusted party T chooses a secret s and a generator P of G1, and sets P_group = P^s
• Each group member with identity I has public key Q_I = f(I), where f: {0, 1}* → G2
• and gets the private key P_I = Q_I^s from T
• The scheme also defines the message space {0, 1}^k and a hash function H: GT → {0, 1}^k
• (The pairing is written symmetrically below, as in the original scheme where G1 = G2.)

**Encrypting/decrypting**
• Someone wants to encrypt a message M to identity I: pick a random r and send
  • C = (A, B) = (P^r, M ⊕ H(e(Q_I, P_group)^r))
• To decrypt, the intended receiver just computes:
  • Z = e(P_I, A) = e(P_I, P^r) = e(Q_I^s, P^r) = e(Q_I, P^r)^s = e(Q_I, P^s)^r = e(Q_I, P_group)^r
  • and then M = B ⊕ H(Z)
• Another party would have to compute Q_I^r from P, P^r and Q_I (hard!)

**Extensions**
• What can you do with identity-based encryption?
• It can extract a secret key associated with any public string, not only a name
• What about a date, such as "05/03/05"?
• What about your fingerprint?

**Timed-release encryption**
• The goal of timed-release encryption is to encrypt a message that can only be read at a future point in time.
• One way is to use a one-way function (no decryption algorithm) and tune the hardness of the function so that it will be inverted within the intended time frame.
• The other is to use IBE: encrypt the message under the name "Alice Wonderlie||01/01/2031", and the trusted party will only release the corresponding secret key to Alice in 2031.

**A Few References**
• Adi Shamir: Identity-based cryptosystems and signature schemes. CRYPTO 1984, pp. 47-53.
• Clifford Cocks: An identity based encryption scheme based on quadratic residues. LNCS 2260, 2001, pp. 360-363.
• Antoine Joux: A one round protocol for tripartite Diffie-Hellman. J. Cryptology 17(4), 2004; and Proc. of ANTS 2000, LNCS 1830, 2000.
• Dan Boneh and Matt Franklin: Identity based encryption from the Weil pairing. SIAM J. of Computing 32(3), 2003, pp. 586-615; and CRYPTO 2001, LNCS 2139, 2001, pp. 213-229.
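Worked example (added here; it is not code from the talk) of the two square-root schemes above, Shamir's identity-based identification ("Identity-based Identification" through "Security: Key knowledge") and Cocks' IBE ("Clifford Cocks' Scheme" through "To decrypt"), on one shared authority setup n = pq with p ≡ q ≡ 3 (mod 4), so the same trapdoor, the factorization of n, serves both. Besides the protocols it checks the two security arguments from the Shamir slides: an accepting transcript can be produced without the card's roots (nothing leaks), and two answers on the same commitment t reveal a root (a card that answers two challenges must hold the key). The hash f is SHA-256 reduced mod n; the primes, the identities and the message are constructed toy values, K = 8 is an assumed challenge length, and the function names are mine. Real deployments need primes of at least 1024 bits each.

```python
"""Added example (not from the talk): Shamir identity-based identification and Cocks IBE
on one shared authority setup n = p*q, p = q = 3 (mod 4). Toy primes: fast, NOT secure."""
import hashlib
import secrets
P, Q = 1000000007, 2147483647  # constructed trapdoor primes (both 3 mod 4); only n is public
N = P * Q
K = 8                           # assumed: roots per Shamir card = challenge length in bits
def f(identity: bytes, j: int) -> int:  # public hash f: {0,1}* -> {0..n-1}, applied to I || j
    return int.from_bytes(hashlib.sha256(identity + b"|" + str(j).encode()).digest(), "big") % N

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a | n) for odd n; computable without factoring n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sqrt_mod_n(a: int):
    """Trapdoor: a square root of a mod n (needs p, q); None if a is a non-residue."""
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)
    if rp * rp % P != a % P or rq * rq % Q != a % Q:
        return None
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N  # CRT

def prod_pow(base: int, factors, e) -> int:  # base * prod factors_j^e_j mod n, e in {0,1}^K
    for x, ej in zip(factors, e):
        if ej:
            base = base * x % N
    return base

# Shamir: identity-based identification between card C and server S
def issue_card(identity: bytes):
    """SCI: the first K values f(I||j) that are squares mod n, with their roots s_j."""
    roots, j = [], 0
    while len(roots) < K:
        s = sqrt_mod_n(f(identity, j))
        if s is not None:
            roots.append((j, s))
        j += 1
    return roots

def run_identification(identity: bytes, roots) -> bool:
    v = [f(identity, j) for j, _ in roots]        # S recomputes v_j from I and the indices
    r = secrets.randbelow(N - 2) + 2
    t = r * r % N                                 # C commits to t = r^2
    e = [secrets.randbits(1) for _ in range(K)]   # S's K-bit challenge
    z = prod_pow(r, [s for _, s in roots], e)     # C answers z = r * prod s_j^e_j
    return z * z % N == prod_pow(t, v, e)         # S checks z^2 == t * prod v_j^e_j

def simulate_transcript(identity: bytes, indices) -> bool:
    """Zero-knowledge: with no s_j at all, pick z first and back-compute t; S accepts."""
    v = [f(identity, j) for j in indices]
    e, z = [secrets.randbits(1) for _ in range(K)], secrets.randbelow(N - 2) + 2
    t = prod_pow(z * z % N, [pow(vj, -1, N) for vj in v], e)
    return z * z % N == prod_pow(t, v, e)

def extract_from_two_answers(identity: bytes, roots) -> bool:
    """Soundness: answers z, w to two challenges on the same t leak +-s_0."""
    r, s_list = secrets.randbelow(N - 2) + 2, [s for _, s in roots]
    z = prod_pow(r, s_list, [1] + [0] * (K - 1))   # answer to challenge e = 100..0
    w = prod_pow(r, s_list, [0] * K)               # answer to challenge d = 000..0
    root = z * pow(w, -1, N) % N                   # (z/w)^2 = v_0, so root = +-s_0
    return root * root % N == f(identity, roots[0][0])

# Cocks: identity-based encryption, one ciphertext pair per message bit
def cocks_public_key(identity: bytes) -> int:
    """First f(I||k) with Jacobi symbol +1; anyone can compute it from the name."""
    k = 0
    while jacobi(f(identity, k), N) != 1:
        k += 1
    return f(identity, k)

def cocks_private_key(a: int):  # trapdoor: (b, +1) with b^2 = a, or (b, -1) with b^2 = -a
    b = sqrt_mod_n(a)
    return (b, 1) if b is not None else (sqrt_mod_n(-a % N), -1)

def cocks_encrypt_bit(a: int, bit: int):
    """Sender cannot tell whether a or -a is the square, so it sends an s for each."""
    out = []
    for x in (a, -a % N):
        t = 0
        while jacobi(t, N) != (1 if bit else -1):   # J(t, n) carries the bit
            t = secrets.randbelow(N - 2) + 2
        out.append((t + x * pow(t, -1, N)) % N)     # s = t + x/t mod n
    return tuple(out)

def cocks_decrypt_bit(key, ct) -> int:
    s = ct[0] if key[1] == 1 else ct[1]             # the s built from the actual square
    return 1 if jacobi(s + 2 * key[0], N) == 1 else 0  # J(s + 2b) = J(t(1 + b/t)^2) = J(t)

def cocks_encrypt(identity: bytes, msg: bytes):
    a = cocks_public_key(identity)
    return [cocks_encrypt_bit(a, (byte >> i) & 1) for byte in msg for i in range(8)]

def cocks_decrypt(key, cts) -> bytes:
    bits = [cocks_decrypt_bit(key, ct) for ct in cts]
    return bytes(sum(bits[8 * i + j] << j for j in range(8)) for i in range(len(bits) // 8))
```

Two practical points the code makes visible: `simulate_transcript` never touches the card, which is exactly why a single run convinces the server without teaching it anything, and the server needs the card to tell it which indices j were squares (the card sends them alongside I; they are not secret, since a quadratic-residuosity test is what the server cannot do without p and q). On the Cocks side, every message bit costs two numbers of the size of n, which is why the scheme is mostly of historical interest next to the pairing-based construction that follows.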
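Added example (not the talk's code) for the "Boneh-Franklin Scheme" and "Encrypting/decrypting" slides. A real pairing on a curve does not fit in a few lines, so the `pairing` function here is a simulated bilinear map: it brute-forces discrete logs in a subgroup of order 1019 and returns g^{ab} for inputs g^a, g^b. That is bilinear and non-degenerate by construction but provides no security whatsoever (anyone can take those logs); it exists only to run the key-extraction, encryption and decryption steps exactly as the slides write them and to confirm the chain Z = e(P_I, A) = e(Q_I, P_group)^r. The modulus 2039, the generator 4, the identities and the message are constructed values; the function names, the SHA-256 hash-to-group and the SHA-256 KDF standing in for H are assumptions of this example.

```python
"""Added example (not from the talk): Boneh-Franklin IBE structure over a SIMULATED bilinear
map. The pairing brute-forces discrete logs in a group of order 1019, so it has zero security;
it only checks the algebra of the slides and shows what the master secret s can do."""
import hashlib
import secrets

Q_MOD = 2039   # constructed: 2039 = 2 * 1019 + 1 is prime
ORDER = 1019   # prime order p of the subgroup G = <g> of squares in Z_2039^*
G = 4          # 4 = 2^2 generates that subgroup; plays the role of the generator P

def dlog(x: int) -> int:
    """Brute-force discrete log base G, feasible only because ORDER is tiny."""
    acc = 1
    for k in range(ORDER):
        if acc == x:
            return k
        acc = acc * G % Q_MOD
    raise ValueError("element is not in the subgroup")

def pairing(x: int, y: int) -> int:
    """Simulated e: G x G -> G_T with e(g^a, g^b) = g^(ab); bilinear by construction."""
    return pow(G, dlog(x) * dlog(y) % ORDER, Q_MOD)

def hash_to_group(identity: bytes) -> int:
    """f: {0,1}* -> G, giving the public key Q_I = f(I); exponent 0 is skipped so Q_I != 1."""
    h = int.from_bytes(hashlib.sha256(identity).digest(), "big") % (ORDER - 1) + 1
    return pow(G, h, Q_MOD)

def kdf(z: int, length: int) -> bytes:
    """H: G_T -> {0,1}^k, here SHA-256 of the element truncated to the message length."""
    return hashlib.sha256(z.to_bytes(2, "big")).digest()[:length]

def setup():
    """Trusted party T: master secret s, generator P = G, public P_group = P^s."""
    s = secrets.randbelow(ORDER - 1) + 1
    return s, G, pow(G, s, Q_MOD)

def extract(s: int, identity: bytes) -> int:
    """Private key P_I = Q_I^s; only the holder of s can compute it."""
    return pow(hash_to_group(identity), s, Q_MOD)

def encrypt(p_group: int, identity: bytes, msg: bytes):
    """C = (A, B) = (P^r, M xor H(e(Q_I, P_group)^r)); needs only I and the public params."""
    if len(msg) > 32:
        raise ValueError("the toy KDF yields at most 32 bytes of mask")
    r = secrets.randbelow(ORDER - 1) + 1
    a = pow(G, r, Q_MOD)
    mask = kdf(pow(pairing(hash_to_group(identity), p_group), r, Q_MOD), len(msg))
    return a, bytes(m ^ k for m, k in zip(msg, mask))

def decrypt(p_i: int, ct) -> bytes:
    """Z = e(P_I, A) = e(Q_I^s, P^r) = e(Q_I, P^s)^r; then M = B xor H(Z)."""
    a, b = ct
    mask = kdf(pairing(p_i, a), len(b))
    return bytes(x ^ k for x, k in zip(b, mask))

def bilinearity_holds(a: int, b: int) -> bool:
    """e(g^a, g^b) == e(g, g)^(ab): the property every equality in decrypt() relies on."""
    lhs = pairing(pow(G, a, Q_MOD), pow(G, b, Q_MOD))
    return lhs == pow(pairing(G, G), a * b, Q_MOD)

def escrow_demo(identity: bytes, msg: bytes) -> bytes:
    """Caveat: the party holding s can extract any P_I, so it can read every ciphertext."""
    s, _, p_group = setup()
    ct = encrypt(p_group, identity, msg)          # produced by anyone, with public data only
    return decrypt(extract(s, identity), ct)      # T derives the recipient's key and decrypts
```

The escrow point matters for the timed-release use in the "Extensions" slides: the trusted party that issues the 2031 key could just as well issue it (or read the message) today, so the construction is only as strong as that party's honesty and key hygiene. Swapping the simulated `pairing` for a real one from a pairing library is the only change needed to turn the rest of the file into the actual scheme's flow.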