
What is in a name? Identity-based cryptography

How public-key crypto works
When you use public-key cryptography, you can publish a value (the public key).
– If it is a public-key encryption scheme, anybody may send encrypted messages to you using that key.
– If it is a signature scheme, you may authenticate messages, and anybody will be able to verify that they come from you.

Whose public key?
– You need to convey it to the other party, and in principle could just publish it.
– However, it is a random-looking number; to establish its authenticity, a trusted path from you to the other party must be established.
– This is most effectively done via certificates: a trusted authority attests to the key on your behalf (usually by signing it).

85B32 07E86 993A0 126B3 F1671

“Adverse Network Effect”
If you want to send an encrypted message to someone else, and:
– That person has not established a public key, or you don’t know what it is
– You can’t afford to establish a physically protected channel to send a shared key
– You are out of luck
More generally, if too few people have public keys, public keys are not very useful or not advertised, and so not many people will have a reason to get one...

You have a name...
– What if you could use your own name as a public key?
– You would need to get a corresponding private key.
– The function that extracts the private key from the public one must be a trapdoor function (it can only be computed by someone who knows a secret value, called a trapdoor, that enables the computation).

Identity-based Crypto
[Figure labels: message encrypted under Alice’s name; Alice’s private key]

This talk’s plan
– What is identity-based cryptography
– First identity-based schemes
– Identity-based encryption using traditional crypto
– Identity-based encryption via pairings
– Extensions
– Self-certified schemes

Shamir’s identification scheme
Shamir was interested in using smart cards to implement strong identification schemes:
– Should be efficient
– Should not use shared key (open environment)
– Should use strong crypto
– Does not use certificates

Identity-based Identification
– The smart-card issuer (SCI) is trusted.
– SCI’s scheme setup:
  – Generates two large primes, $p$ and $q$.
  – Computes $n = p \cdot q$.
  – Publishes $n$, keeps $p$, $q$ secret.
  – Chooses a hash function $f: \{0, 1\}^* \to \{0, 1, \ldots, n-1\}$.
– SCI initializes each smart card with the secret key of its owner.

Issuing private keys
For each identity $I$, SCI:
– Computes the values $v_j = f(I \| j)$, for several $j = 0, 1, \ldots$
– Chooses the first $k$ values that are squares modulo $n$ (quadratic residues).
– Lets $s_j$ be the square root of $v_j$: $s_j^2 = v_j \bmod n$.
– The smart card contains $I$, $\{s_j\}$.

Identification protocol
– Card (C) sends to server (S): $I$
– S re-computes the $v_j$
– C computes random $r$, and also $t = r^2 \bmod n$
– C sends to server: $t$
– S replies with a $k$-bit string $(e_1, \ldots, e_k)$
– C sends $z = r \cdot s_1^{e_1} \cdot s_2^{e_2} \cdots s_k^{e_k}$ to S
– S checks if $z^2 = t \cdot v_1^{e_1} \cdot v_2^{e_2} \cdots v_k^{e_k} \bmod n$

Security: Key not leaked
– If C could guess S’s challenge string $(e_1, e_2, \ldots, e_k)$, then:
  – C could choose $z$ at random, and compute $t = z^2 \cdot v_1^{-e_1} \cdot v_2^{-e_2} \cdots v_k^{-e_k} \bmod n$
  – Respond to S’s challenge with $z$
– If C could see the future, it could answer challenges correctly without knowing keys, therefore:
  – C’s answers reveal nothing about keys.

Security: Key knowledge
– C may still do as before so that it can answer one challenge correctly.
– Can C answer correctly more than one challenge without knowing the $s_j$?
– C would have to know how to answer:
  – $z$; $z^2 = t \cdot v_1^{e_1} \cdot v_2^{e_2} \cdots v_k^{e_k} \bmod n$; and
  – $w$; $w^2 = t \cdot v_1^{d_1} \cdot v_2^{d_2} \cdots v_k^{d_k} \bmod n$
  – $(z/w)^2 = v_1^{e_1-d_1} \cdot v_2^{e_2-d_2} \cdots v_k^{e_k-d_k} \bmod n$
  – $z/w = s_1^{e_1-d_1} \cdot s_2^{e_2-d_2} \cdots s_k^{e_k-d_k} \bmod n$
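The identification protocol and the "key not leaked" argument above, as an added worked example (not part of the original slides). Assumptions: toy Mersenne-prime modulus, both primes 3 mod 4, the card sends its chosen indices $j$ along with $I$, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy modulus from two Mersenne primes (constructed; far too small for real use).
# Both are 3 mod 4 so a square root is one exponentiation (example assumption).
P, Q = 2**31 - 1, 2**61 - 1
N, K = P * Q, 8

def f(identity, j):
    """Hash f: {0,1}* -> {0,...,n-1}, applied to I || j."""
    d = hashlib.sha256(f"{identity}||{j}".encode()).digest()
    return int.from_bytes(d, "big") % N

def issue_card(identity):
    """SCI side: first K indices j with v_j a square mod n, and the roots s_j."""
    idx, roots, j = [], [], 0
    while len(roots) < K:
        v = f(identity, j)
        if pow(v, (P - 1) // 2, P) == 1 and pow(v, (Q - 1) // 2, Q) == 1:
            idx.append(j)
            roots.append(pow(v, (N + 5 - P - Q) // 8, N))  # s_j^2 = v_j mod n
        j += 1
    return idx, roots

def product(values, e):
    """Multiply together the values whose challenge bit e_j is 1."""
    out = 1
    for x, bit in zip(values, e):
        if bit:
            out = out * x % N
    return out

def verify(identity, idx, t, e, z):
    """Server check: z^2 = t * prod v_j^{e_j} mod n."""
    v = [f(identity, j) for j in idx]
    return pow(z, 2, N) == t * product(v, e) % N

def honest_round(identity, idx, roots):
    """Card knows the s_j: commit t = r^2, then answer any challenge e."""
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, 2, N)
    e = [secrets.randbelow(2) for _ in range(K)]
    return verify(identity, idx, t, e, r * product(roots, e) % N)

def forged_commitment(identity, idx, guess):
    """No keys: pick z first, then t = z^2 * prod v_j^{-e_j} for a guessed e."""
    z = secrets.randbelow(N - 2) + 2
    v = [f(identity, j) for j in idx]
    return pow(z, 2, N) * pow(product(v, guess), -1, N) % N, z
```

A forged commitment verifies only against the one challenge it was built for, so a card without the $s_j$ passes a round with probability $2^{-k}$.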

Zero-Knowledge RSA Security/RSA Labs

Identity-based encryption
– Over the years, many identity-based schemes were developed for identification and signatures.
– For nearly two decades, nobody knew how to do identity-based encryption.
– Then pairings came along and changed everything, but:
  – Let’s first see a scheme using square roots.

The Jacobi Symbol
The Jacobi symbol for a natural number $N$ has the following properties:
– $x \mapsto J(x, N)$ takes values in $\{0, \pm 1\}$
– $J(x, N) = 0 \iff \gcd(x, N) \neq 1$
– $J(x \cdot y, N) = J(x, N) \cdot J(y, N)$
– $J(x^2, N) = 1$
– $J(x, N) = -1$ for some $x$ (hence for 50% of all $x$)
– $J(\cdot, N)$ is efficiently computable

Clifford Cocks’ Scheme
Authority sets up the scheme:
– Generates two large primes, $p$ and $q$ ($p$ and $q$ must be of the form $4k + 3$).
– Computes $n = p \cdot q$.
– Publishes $n$, keeps $p$, $q$ secret.
– Chooses a hash function $f: \{0, 1\}^* \to \{0, 1, \ldots, n-1\}$.
For a user with identity $I$:
– Compute $f(I \| 0), f(I \| 1), \ldots$, until $J(f(I \| k), n) = 1$.
– This value $f(I \| k)$ is the user’s public key.

Private key
– To find the private key: there is a 50% chance that the public key $A$ is a square mod $n$.
  – If not, $-A$ is.
– The private key $B$ is the square root of either $A$ or $-A$. Let’s suppose it is of $A$:
  – $B^2 = A \bmod n$.

To encrypt
– Sender (S) computes the receiver’s (R) public key.
– S sends R one bit $b = \pm 1$ (at a time).
– S chooses random $t$ such that:
  – $J(t, n) = b$
  – sends $s$, where $s = t + A/t \bmod n$
– Note that:
  – $s = t(1 + A/t^2) \bmod n$
  – $s + 2B = t(1 + 2B/t + A/t^2) = t(1 + B/t)^2$

To decrypt
– R receives $s$, computes $J(s + 2B, n) = J(t, n) \cdot J((1 + B/t)^2, n) = J(t, n) = b$.
– If the receiver does not know $B$, it must solve $s = t + A/t$ for $t$, or at least for $J(t, n)$:
  – $t^2 + A - st = 0 \bmod n$, ...

Pairings-Based IBE
– Pairings were first used in cryptography in “a constructive way” by A. Joux, who created a 3-party Diffie-Hellman key agreement protocol with no need to exchange messages.
– Great excitement in the cryptographic community resulted from the discovery that pairings could also be used for an efficient identity-based encryption scheme.

Cryptographic groups
Most public-key schemes are based on “cryptographic groups,” i.e., mathematical groups where the discrete-logarithm problem is hard.
– $(x, g) \mapsto g^x$ (easy)
– $(y, g) \mapsto x$, where $y = g^x$ (hard)

Pairing groups
A map:
– $e: G_1 \times G_2 \to G_T$ (same prime order $p$)
– $e(g^a, h^b) = e(g, h)^{ab}$ (bilinearity)
– $g$ generates $G_1$, $h$ generates $G_2$ $\Rightarrow$ $e(g, h)$ generates $G_T$

Boneh-Franklin Scheme
– Trusted party T chooses a secret $s$ and a generator $P$ in $G_1$, and sets $P_{group} = P^s$.
– Each group member with identity $I$ has public key $Q_I = f(I)$, where:
  – $f: \{0, 1\}^* \to G_2$.
– Gets private key $P_I = Q_I^s$ from T.
– Scheme also defines the message space as $\{0, 1\}^k$, and a hash function:
  – $H: G_T \to \{0, 1\}^k$

Encrypting/decrypting
– Someone wants to encrypt message $M$, choosing a random $r$:
  – $C = \langle A, B \rangle = \langle P^r,\ M \oplus H(e(Q_I, P_{group})^r) \rangle$
– To decrypt, the intended receiver just computes:
  – $Z = e(P_I, A) = e(P_I, P^r) = e(Q_I^s, P^r) = e(Q_I, P^r)^s = e(Q_I, P^s)^r = e(Q_I, P_{group})^r$
– Then $M = H(Z) \oplus B$.
– Another party would have to compute $Q_I^r$ from $P$, $P^r$, $Q_I$ (hard!)

Extensions
– What can you do with identity-based encryption?
– It can extract a secret key associated to any public string, not only a name.
– What about a date, such as “05/03/05”?
– What about your fingerprint?

Timed-release encryption
– The goal of timed-release encryption is to encrypt a message so that it can only be read at a future point in time.
– One way is to use a one-way function (no decryption algorithm) and tune the hardness of the function so that it will be inverted in the time frame.
– The other is to use IBE: encrypt a message under the name “Alice Wonderlie||01/01/2031”, and the trusted party will only release the secret key to Alice in 2031.

Application: Unwanted Will

Questions ?

A Few References
– Adi Shamir: Identity-based cryptosystems and signature schemes. CRYPTO 1984, pp. 47-53.
– Clifford Cocks: An identity-based on quadratic residues, LNCS 2260.
– Antoine Joux: A One-round protocol for tri-partite Diffie-Hellman. J. Cryptology, 17(4), 2004, and Proc. of ANTS 2000, LNCS 1830.
– Dan Boneh and Matt Franklin: Identity based encryption from the Weil pairing. SIAM J. of Computing, 32(3), and CRYPTO 2001, LNCS 2139.