1 / 30

Identity-Based Key Agreement and Signature Schemes from Weil Pairing Dr. Xun Yi

Identity-Based Key Agreement and Signature Schemes from Weil Pairing Dr. Xun Yi School of Computer Science and Mathematics Victoria University Australia. Identity-Based Public Key Cryptosystem.

rylee-rice
Télécharger la présentation

Identity-Based Key Agreement and Signature Schemes from Weil Pairing Dr. Xun Yi

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Identity-Based Key Agreement and Signature Schemes from Weil Pairing Dr. Xun Yi School of Computer Science and Mathematics Victoria University Australia

  2. Identity-Based Public Key Cryptosystem An identity-based scheme resembles an ideal mail system. If you know somebody’s name and address, you can send him a message that only he can read, and you can verify the signatures that only he could have produced.

  3. Weil Pairing Let p be a prime such that p=6q-1 for some prime q and E a supersingular elliptic curve defined by the Weierstrass equation y2=x3+1 over Fp. The set of rational points E(Fp)={(x,y)FpFp: (x,y)E} forms a cyclic group of order p+1. Furthermore, because p+1=6q for some prime q, the set of points of order q in E(Fp) form a cyclic subgroup, denoted as G1. Let g be the generator of G1 and G2 be the subgroup of Fp2 containing all elements of order q. A modified Weil pairing is a map ê: G1  G1  G2 which has the following properties: 1. Bilinear: For any P,QG1 and a,bZ, we have ê(aP,bQ)= ê(P,Q)ab. 2. Non-degenerate: ê(g,g)Fp2 is a generator of G2.

  4. Identity-based Key Agreement Protocolfrom WeilPairing N.P.Smart, “Identity-based authenticated key agreement protocol based on Weil pairing”,Electronics Letters, Vol. 38,  No. 13,  Jun 2002, pp. 630 – 632.

  5. Smart’s Protocol System setup: KGC chooses a secret key s, and a PG1, computes PKGS=sP and publishes (P, PKGS) and a map H: {0,1}* G1*. For a user A with identity IDA, KGC issues SA=sQA where QA=H(IDA) to A. Authenticated key exchange: User A User B a b TA=aP  TA TB  TB=bP

  6. Cont. User A: kA= ê(aQB,PKGS)ê(SA,TB) User B: kB= ê(bQA,PKGS)ê(SB,TA) kA= kB Because ê(aQB,PKGS)ê(SA,TB) = ê(QB,PKGS)a ê(SA,TB) = ê(QB,P)as ê(QA,P)bs = ê(SB,TA)ê(QA, PKGS)b = ê(bQA,PKGS)ê(SB,TA)

  7. Identity-based Signature Scheme from WeilPairing R. Sakai, K. Ohgishi and M. Kasahara, “Cryptosystems based on pairing”, SCIS2000, Japan, 2000. K.G.Paterson, ”ID-based signatures from pairings on elliptic curves”, Electronics Letters, Vol. 38, No. 18 2002, pp. 1025-1026.

  8. Paterson’s Scheme • Key Generation • Trusted Authority chooses a secret key s, and a PG1, computes Ppub=sP and publishes (P, Ppub) and maps h1: {0,1}* G1, h2: {0,1}* Zq, h3: G1Zq. For a user A with identity IDA, TA issues SA=sQA where QA=h1(IDA) to A. • Signing: m, (R,S) R=kP, S=k-1(h2(m)P+h3(R)SA) • Verifying: e(R,S)=ê(P,P)h2(m) ê(Ppub,SA)h3(R)

  9. Motivation • (x,y)G1, Weierstrass equation y2=x3+1 over Fp. • xy • If p=3 (mod 4), e.g., p=12q-1, y=(x3+1)(p+1)/4=(x3+1)3q(mod p)

  10. Cont.

  11. Proposed Identity-Based Key Agreement Protocol from Weil Pairing

  12. Our Protocol Setup: KGC constructs two groups G1 and G2 (where p=12q-1), and a map ê: G1  G1  G2, publishes (G1,G2, ê,p,q,H) where H: {0,1}* G1*, choose a secret key s. For a user A with identity IDA, KGC issues SA=sQA where QA=H(IDA) to A. Key agreement: User A User B a b aQA=(xa,ya) bQB=(xb,yb) UA=(a+xa)SA if ya-ya(mod p) UB=(b+xb)SB if yb-yb(mod p) UA=(-a+xa)SA if ya<-ya(mod p) UB=(-b+xb)SB if yb<-yb(mod p) xa  xa xb  xb

  13. How to Map a Message into Non-zero Point of G1? Step 1: Input IDA Step 2: ya=h(IDA) xa=(ya2-1)8q-1(mod p) Step 3: Output QA=12(xa,ya)

  14. Cont. User A: y’b= (xb3+1)3q(mod p) TB= (xb,max(y’b,-y’b(mod p)) kA= ê(UA,TB+xbQB) User B: y’a= (xa3+1)3q(mod p) TA= (xa,max(y’a,-y’a(mod p)) kB= ê(TA+xaQA, UB)

  15. Cont. kA= kB Because Case 1. If ya-ya(mod p), yb-yb(mod p), then TA=aQA,TB=bQB ê(UA,TB+xbQB)=ê(QA,QB)(a+x_a)s(b+x_b)=ê(TA+xaQA,UB) Case 2. If ya-ya(mod p), yb<-yb(mod p), then TA=aQA, TB=-bQB ê(UA,TB+xbQB)=ê(QA,QB)(a+x_a)s(-b+x_b)=ê(TA+xaQA,UB) Case 3. If ya<-ya(mod p), yb-yb(mod p), then TA=-aQA,TB=bQB ê(UA,TB+xbQB)=ê(QA,QB)(-a+x_a)s(b+x_b)=ê(TA+xaQA,UB) Case 4. If ya<-ya(mod p), yb<-yb(mod p), then TA=-aQA,TB=-bQB ê(UA,TB+xbQB)=ê(QA,QB)(-a+x_a)s(-b+x_b)=ê(TA+xaQA,UB)

  16. Security Analysis • Passive and active attacks • UA=(a+xa)SA, UB=(b+xb)SB • 2. Perfect forward secrecy • kA= ê(UA,TB+xbQB), kB= ê(TA+xaQA, UB) • 3. Key compromising impersonation attack • aQA, SA=sQA aSA=asQA • 4. Known-key security • Randomness of a, b • 5. Key control • TA, TB

  17. Comparisons of Smart’s Protocol and Our Protocol Communication load Weil pairing Point multiplication Exponentiation Smart’s 2log2p 2 1 (pre) +1 0 Ours 1log2p 1 2 (pre) +1 1

  18. Conclusion We have improved Smart’s protocol and developed a more efficient ID-based key agreement protocol from the Weil pairing. Our protocol required lower communication load and less computation complexity than Smart’s protocol.

  19. Reference Xun Yi, “Efficient ID-based key agreement from Weil pairing”, Electronics Letters, Vol.39,No.2, Jan. 2003, pp. 206 – 208.

  20. Proposed Identity-Based Signature Scheme from Weil Pairing

  21. Proposed Identity-Based Signature Scheme • Key Generation: TKGC chooses two prime order groups G1 and G2 (where p=12q-1) and a modified Weil pairing map ê. Next TKGC selects a cryptography hash function h: {0,1}* {0,1}l for certain l and a map H: {0,1}* G1*. Then it picks up a secret key s, and computes Ppub=sg where g is a generator of G1. At last, TKGC publish {G1,G2,ê,g,Ppub,h,H,p,q). For a user A with identity IDA, TKGC issues SA=sQA where QA=H(IDA) to A.

  22. Signing When a signer Ui signs a message m, he chooses a random number r and computes R = rg = (Rx,Ry) T = Signature: (Rx,Tx) { rPpub+h(m,R)Si, if Ry  -Ry(mod p) -rPpub+h(m,-R)Si, otherwise

  23. Verification After receiving (Rx,Tx), a verifier computes a = (Rx3+1)3q(mod p) b = (Tx3+1)3q(mod p) R’=(Rx,max{a,-a(mod p)}), T’=(Tx,b). u= ê(T’,g) v=ê(R’+h(m,R’)Qi,Ppub) If u=v1, accept.

  24. Correctness Case 1. If Ry-Ry(mod p), then R’=R,T’=T u=ê(T’,g)=ê(T,g)=ê(T,g)1 = ê(rPpub+h(m,R)Si,g)1 = ê(rg+h(m,R)Qi,Ppub)1 = ê(R+h(m,R)Qi,Ppub)1 = ê(R’+h(m,R’)Qi,Ppub)1 = v1

  25. Cont. Case 2. If Ry<-Ry(mod p), then R’=-R,T’=T u=ê(T’,g)=ê(T,g)=ê(T,g)1 = ê(-rPpub+h(m,-R)Si,g)1 = ê(-rg+h(m,-R)Qi,Ppub)1 = ê(-R+h(m,-R)Qi,Ppub)1 = ê(R’+h(m,R’)Qi,Ppub)1 = v1

  26. Security Analysis Theorem 2: Let an adversary A be a probabilistic polynomial time Turing machine whose input only consist of public data {G1,G2,ê,g,Ppub,h,H,p,q} where q  2l. A can make n1 queries to the signer Ui, and n2 queries to the random oracle h. If A can make an existential forgery with probability 10(n1+1)(n1+n2)/2l with time t, then there exists another probabilistic algorithm which solves an instance of the Diffie-Hellman problem in G1 in expected time t’120686n2t/.

  27. Cont. Based on Forking Lemma in [1] Probabilistic algorithm B  two valid signatures (m, Rx,h,T1x), (m,Rx,h’,T2x), where h  h’ Probabilistic algorithm C: g, Qi (=rig), Ppub (=sg)  Si=(ris)g

  28. Comparisons of Paterson Scheme and Proposed Scheme Signature size Key generation Signing Verification Paterson’s scheme 4log2p bits 1 point multi. 2 (pre) +1 point. 2 pairings Proposed 2log2p bits 1 point multi. 2 (pre) +1 point. 1 point+ 2 Weil

  29. Conclusion We have proposed a ID-based signature scheme from the Weil pairing. The proposed signature scheme is secure if the Diffie-Hellman problem is hard.

  30. References • Xun Yi, “An identity-based signature scheme from the Weil pairing”, IEEE Communications Letters, Vol.7,No.2, Feb. 2003, pp. 76 – 78. • D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures”, Journal of Cryptology, vol. 13, no. 3, pp. 361-396, Mar. 2000.

More Related