Pairing Based Cryptography Standards


21 Nov 2013 (4 years and 1 month ago)


Terence Spies

VP Engineering

Voltage Security

terence@voltage.com

Overview


What is a Pairing?


Pairing-based Crypto Applications


Pairing-based Crypto Standards


What is a Pairing?


An old mathematical idea


It “pairs” elliptic curve points


Has a very interesting property called bilinearity:


Pair(aB, cD) = Pair(cB, aD)



This property makes for a powerful new cryptographic
primitive


Popular cryptographic research area (200+ papers)

What can Pairings do?


Identity based encryption


Encryption where any string (like an email address) can
be a public key


Identity based key exchange


Key exchange using identities


Short signatures


160-bit signatures


Searchable encryption, and others

Identity-Based Encryption (IBE)


IBE is an old idea


Originally proposed in 1984 by Adi Shamir, co-inventor of the
RSA algorithm


Fundamental problem: can any string be used as a
public key?



Practical implementation:


Boneh-Franklin Algorithm published at Crypto 2001


First efficient, provably secure IBE scheme

Identity-Based Encryption (IBE)

The ability to use any string makes key management easier


IBE Public Key:

alice@gmail.com

RSA Public Key:

Public exponent=0x10001

Modulus=13506641086599522334960321627880596993888147
560566702752448514385152651060485953383394028715
057190944179820728216447155137368041970396419174
304649658927425623934102086438320211037295872576
235850964311056407350150818751067659462920556368
552947521350085287941637732853390610975054433499
9811150056977236890927563


How IBE works in practice

Alice sends a Message to Bob

1. Alice (alice@a.com) encrypts with bob@b.com
2. Bob (bob@b.com) requests private key from the Key Server, authenticates
3. Bob receives Private Key for bob@b.com
4. Bob decrypts with Private Key

How IBE works in practice

Charlie sends a Message to Bob

1. Charlie (charlie@c.com) encrypts with bob@b.com
2. Bob (bob@b.com) decrypts with Private Key

Fully off-line - no connection to server required

How Pairings Lead to IBE


Setup


Key generator generates secret s, random P


Gives everyone P, sP


Encryption


Alice hashes Bob@b.com -> ID


Encrypt message with k = Pair(rID, sP)


Send encrypted message and rP


Key Generation


Bob authenticates, asks for private key


Key generator gives back sID


Decrypt


Bob decrypts with k = Pair(sID, rP)


Bob’s k and Alice’s k are identical
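
The Setup, Encryption, Key Generation and Decrypt steps above, as an added Python example (not from the original slides). It uses a toy bilinear map in which a point xP is stored as the bare scalar x, so it shows only the algebra and is not secure; `P_MOD`, `G`, the SHA-256 hash-to-ID and the XOR keystream are assumptions made for the example.

```python
import hashlib
import secrets

# Toy bilinear map, constructed for illustration only (NOT secure): a "point"
# xP is stored as the bare scalar x, and Pair(xP, yP) = G^(x*y) mod P_MOD.
# Real pairings use elliptic-curve points, from which x cannot be read off.
P_MOD = 2**127 - 1   # Mersenne prime; the target group is Z_P_MOD*
N = P_MOD - 1        # stand-in "points" are scalars modulo N
G = 3                # assumed base element of the target group

def pair(a, b):
    return pow(G, (a * b) % N, P_MOD)

def hash_to_id(identity):
    """Hash an identity string such as 'bob@b.com' to the point ID."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % N or 1

def setup():
    """Key generator: picks secret s and random P, publishes (P, sP)."""
    s = secrets.randbelow(N - 1) + 1
    p = secrets.randbelow(N - 1) + 1
    return s, (p, s * p % N)

def extract(s, identity):
    """Key generator hands back sID after the requester authenticates."""
    return s * hash_to_id(identity) % N

def _keystream(k, n):
    # Toy KDF: SHA-256 in counter mode over the shared value k.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(k.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(params, identity, msg):
    p, sp = params
    r = secrets.randbelow(N - 1) + 1
    k = pair(r * hash_to_id(identity) % N, sp)        # k = Pair(rID, sP)
    ct = bytes(m ^ x for m, x in zip(msg, _keystream(k, len(msg))))
    return r * p % N, ct                              # send rP and ciphertext

def decrypt(sid, rp, ct):
    k = pair(sid, rp)                                 # k = Pair(sID, rP)
    return bytes(c ^ x for c, x in zip(ct, _keystream(k, len(ct))))
```

Alice needs only the public `(P, sP)` and the string `bob@b.com` to encrypt; the secret `s` never leaves the key generator, which is why its compromise exposes every identity's private key.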

IBE’s Operational Characteristics


Easy cross-domain encryption


No per-user databases


No per-user queries to find keys


State of the system does not grow per user


Key recovery


Accommodates content scanning, anti-virus, archiving and
other regulatory mechanisms


Keys still under control of enterprise


Fine-grained key control


Easy to change authentication policy over time


Revocation handled without CRLs

Sweet Spots for IBE


Encryption


Inside and outside
the organization

Sweet Spots for PKI


Authentication


Signing


Inside the
organization




IBE and PKI - Complementary Strengths

PKI


Maximum protection


Works well for signing/authentication


Requires roll-out


generate keys for users


Certificate management

Identity-Based Encryption


Good for encryption


no key-lookup


revocation is easy


Ad-hoc capable


requires no pre-enrollment


Content scanning easy

Other Pairing Applications


Short Signatures


BLS scheme and others yield 160-bit signatures


Half the size of DSA signatures


Have other interesting properties


Can aggregate signatures


Allows, for example, a single signature on a cert chain


Verifiable encrypted signatures


Use in fair exchange, other protocols


Searchable Encryption


Key Exchange

Standards Activities


IEEE Study Group formed last Monday, as part of
the P1363 Group


Goal is writing and submitting a PAR, defining the
mission of the standards group


24 participants from various countries and
industries


Technical content drafts soon


Pairings module: Hovav Shacham, Stanford


IBE module: Mike Scott, Dublin City University


Draft PAR agreed, to be submitted

Standards Philosophy


Model after past IEEE cryptographic standards


Standardize algorithms, but not protocols


e.g. formats for IBE encrypted email would be part of a
different standard



Don’t block future standards based on PBC


Allow for amendments that build on parts of this
standard


Separate IBE and PBC layers



Limit scope to keep the task manageable


Focus on one set of algorithms, split off other types of
algorithms into separate standards

Proposed Structure of a PBC/IBE Standard

Pairing Based Crypto Layer and Algorithm Layers

Diagram boxes:

IBE based Protocols (e.g. IBE email, key request etc.)

Identity-Based Encryption

Identity based key exchange

Signatures

Pairing Based Cryptography (e.g. pairing, algorithms to compute pairings, curve types, curve parameters)

1363

Other stds

Current Discussion Points


Scaling Security to 128/256 bits


Separation between pairing layer and crypto
methods


Curve families for embedded and hardware
implementation

For More Information


On 1363 activities:

http://grouper.ieee.org/groups/1363/WorkingGroup/



On pairing based crypto


Paulo Barreto’s Pairing Based Crypto Lounge

http://paginas.terra.com.br/informatica/paulobarreto/pblounge.htm



On IBE

http://crypto.stanford.edu/ibe/

http://www.voltage.com