Pairing Based Cryptography Standards

Terence Spies

VP Engineering

Voltage Security

terence@voltage.com

Overview

What is a Pairing?

Pairing-based Crypto Applications

Pairing-based Crypto Standards

What is a Pairing?

An old mathematical idea

It “pairs” elliptic curve points

Has a very interesting property called bilinearity:

This property makes for a powerful new cryptographic primitive

Popular cryptographic research area (200+ papers)

What can Pairings do?

Identity based encryption

Encryption where any string (like an email address) can
be a public key

Identity based key exchange

Key exchange using identities

Short signatures

160-bit signatures

Searchable encryption, and others

Identity-Based Encryption (IBE)

IBE is an old idea

Originally proposed in 1984 by Adi Shamir, co-inventor of the RSA Algorithm

Fundamental problem: can any string be used as a public key?

Practical implementation:

Boneh-Franklin Algorithm published at Crypto 2001

First efficient, provably secure IBE scheme

Identity-Based Encryption (IBE)

The ability to use any string makes key management easier

IBE Public Key: alice@gmail.com

RSA Public Key:

Public exponent=0x10001

Modulus=13506641086599522334960321627880596993888147

560566702752448514385152651060485953383394028715

057190944179820728216447155137368041970396419174

304649658927425623934102086438320211037295872576

235850964311056407350150818751067659462920556368

552947521350085287941637732853390610975054433499

9811150056977236890927563

How IBE works in practice

Alice sends a Message to Bob

Participants: alice@a.com, bob@b.com, Key Server

1. Alice encrypts with bob@b.com

2. Bob requests private key, authenticates

3. Key Server returns Private Key for bob@b.com

4. Bob decrypts with Private Key

How IBE works in practice

Charlie sends a Message to Bob

Participants: charlie@c.com, bob@b.com, Key Server

1. Charlie encrypts with bob@b.com

2. Bob decrypts with Private Key

Fully off-line - no connection to server required

Setup

Key generator generates secret s, random P

Gives everyone P, sP

Encryption

Alice hashes Bob@b.com -> ID

Encrypt message with k = Pair(rID, sP)

Send encrypted message and rP

Key Generation

Bob authenticates, asks for private key

Key generator gives back sID

Decrypt

Bob decrypts with k = Pair(sID, rP)

Bob’s k and Alice’s k are identical
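
The four steps above, traced in Python. This is an added example, not code from the presentation or from Voltage: the pairing is a stand-in in which each "point" is represented by its scalar modulo a small prime, which reproduces the bilinear algebra but gives no security (a real IBE system uses a Weil or Tate pairing on an elliptic curve). The parameters Q, P_MOD and G, the SHA-256 masking, and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: Q and P_MOD = 2*Q + 1 are prime,
# and G = 4 generates the order-Q subgroup of the integers modulo P_MOD.
Q, P_MOD, G = 1019, 2039, 4

def pair(a, b):
    """Stand-in bilinear map: a "point" is modelled by its scalar mod Q,
    so Pair(xA, yB) == Pair(A, B)^(x*y). Algebra only, not secure."""
    return pow(G, (a * b) % Q, P_MOD)

def setup():
    """Setup: key generator picks secret s and random P, publishes (P, sP)."""
    s = secrets.randbelow(Q - 1) + 1
    P = secrets.randbelow(Q - 1) + 1
    return s, (P, s * P % Q)

def hash_to_id(identity):
    """Hash an identity string to a nonzero group element ID."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return h % (Q - 1) + 1

def _mask(k, data):
    """XOR data with a SHA-256 keystream derived from the pairing value k."""
    stream = b"".join(hashlib.sha256(b"%d:%d" % (k, i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

def encrypt(params, identity, message):
    """Encryption: k = Pair(rID, sP); send rP and the masked message."""
    P, sP = params
    r = secrets.randbelow(Q - 1) + 1
    k = pair(r * hash_to_id(identity) % Q, sP)
    return r * P % Q, _mask(k, message)

def extract(s, identity):
    """Key generation: after Bob authenticates, the generator returns sID."""
    return s * hash_to_id(identity) % Q

def decrypt(private_key, ciphertext):
    """Decrypt: k = Pair(sID, rP), the same value Alice computed."""
    rP, body = ciphertext
    return _mask(pair(private_key, rP), body)

if __name__ == "__main__":
    s, params = setup()
    ct = encrypt(params, "bob@b.com", b"hello Bob")   # needs only public params
    print(decrypt(extract(s, "bob@b.com"), ct))       # needs sID from the server
```

Both sides reach the same k because Pair(rID, sP) and Pair(sID, rP) each equal Pair(ID, P) raised to the power rs.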

IBE’s Operational Characteristics

Easy cross-domain encryption

No per-user databases

No per-user queries to find keys

State of the system does not grow per user

Key recovery

Accommodates content scanning, anti-virus, archiving and other regulatory mechanisms

Keys still under control of enterprise

Fine-grained key control

Easy to change authentication policy over time

Revocation handled without CRLs

Sweet Spots for IBE

Encryption

Inside and outside the organization

Sweet Spots for PKI

Authentication

Signing

Inside the organization

IBE and PKI - Complementary Strengths

PKI

Maximum protection

Works well for signing/authentication

Requires roll-out

generate keys for users

Certificate management

Identity-Based Encryption

Good for encryption

no key-lookup

revocation is easy

ad-hoc capable

requires no pre-enrollment

Content scanning easy

Other Pairing Applications

Short Signatures

BLS scheme and others yield 160-bit signatures

Half the size of DSA signatures

Have other interesting properties

Can aggregate signatures

Allows, for example, a single signature on a cert chain

Verifiable encrypted signatures

Use in fair exchange, other protocols

Searchable Encryption

Key Exchange

Standards Activities

IEEE Study Group formed last Monday, as part of the P1363 Group

Goal is writing and submitting a PAR, defining the mission of the standards group

24 participants from various countries and industries

Technical content drafts soon

Pairings module: Hovav Shacham, Stanford

IBE module: Mike Scott, Dublin City University

Draft PAR agreed, to be submitted

Standards Philosophy

Model after past IEEE cryptographic standards

Standardize algorithms, but not protocols

e.g. formats for IBE encrypted email would be part of a different standard

Don’t block future standards based on PBC

Allow for amendments that build on parts of this standard

Separate IBE and PBC layers

Limit scope to keep the task manageable

Focus on one set of algorithms, split off other types of algorithms into separate standards

Proposed Structure of a PBC/IBE Standard

Pairing Based Crypto Layer and Algorithm Layers

[Diagram: layered structure of the proposed standard]

Pairing Based Cryptography (e.g. pairing, algorithms to compute pairings, curve types, curve parameters)

Identity-Based Encryption

Identity based key exchange

Signatures

IBE based Protocols (e.g. IBE email, key request etc.)

Diagram scope labels: 1363, Other stds

Current Discussion Points

Scaling Security to 128/256 bits

Separation between pairing layer and crypto methods

Curve families for embedded and hardware implementation

On 1363 activities:

http://grouper.ieee.org/groups/1363/WorkingGroup/

On pairing based crypto

Paulo Barreto’s Pairing Based Crypto Lounge

http://paginas.terra.com.br/informatica/paulobarreto/pblounge.htm

On IBE

http://crypto.stanford.edu/ibe/

http://www.voltage.com