Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye - PowerPoint PPT Presentation


  1. Identity-Based Cryptosystems and Quadratic Residuosity. Marc Joye (proxy: Fabrice Benhamouda). PKC 2016 · Taipei, Taiwan.
     Sections: Identity-Based Encryption, Cocks IBE Scheme, Algebraic Structure, Applications, Conclusion.

  5. Identity-Based Encryption: Definition. An identity-based encryption scheme is a set of 4 algorithms:
     1. Setup. Input: security parameter $\kappa$. Output: master public/secret key $mpk$ / $msk$.
     2. Encryption. Input: master public key $mpk$, identity $id$, message $m$. Output: $C = E(mpk, id, m)$.
     3. Key derivation. Input: identity $id$, master secret key $msk$. Output: user's private key $usk$.
     4. Decryption. Input: decryption key $usk$, ciphertext $C$. Output: $m = D(usk, C)$.

  6. This Talk: study of the Cocks IBE scheme. Clifford Cocks (mathematician, GCHQ).
     Our main contribution: discovery of the algebraic structure underlying Cocks encryption, giving
     - a better understanding of its properties and its security
     - new applications

  7. Outline: (1) Cocks IBE Scheme, (2) Algebraic Structure, (3) Applications, (4) Conclusion.

  11. Preliminaries. If $p$ is a prime number and $a \in \mathbb{F}_p$, the Legendre symbol is
      $$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } a \equiv 0 \bmod p \\ 1 & \text{if } a \text{ is a square } (a = b^2 \bmod p) \\ -1 & \text{else} \end{cases}$$
      If $N = pq$ is an RSA modulus and $a \in \mathbb{Z}_N$, the Jacobi symbol is
      $$\left(\frac{a}{N}\right) = \left(\frac{a}{p}\right) \cdot \left(\frac{a}{q}\right) \quad \text{(efficiently computable)}$$
      $$a \text{ is a square mod } N \iff \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = 1 \implies \left(\frac{a}{N}\right) = 1$$

  12. Cocks Cryptosystem. First pairing-free IBE scheme (2001):
      - works in standard RSA groups
      - semantically secure under the QR assumption (in the ROM)
      Quadratic Residuosity Assumption: let $N = pq$ be an RSA-type modulus. The distributions of
      $$J_N = \left\{ a \in \mathbb{Z}_N^\times \;\middle|\; \left(\frac{a}{N}\right) = 1 \right\} \quad \text{and} \quad QR_N = \left\{ a \in \mathbb{Z}_N^\times \;\middle|\; \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = 1 \right\}$$
      are indistinguishable.

  13. Cocks Cryptosystem (cont'd).
      Setup: $mpk = \{N, u, H\}$, $msk = \{p, q\}$ where:
      - $N = pq$ is an RSA modulus
      - $u \in J_N \setminus QR_N$
      - $H : \{0,1\}^* \to J_N$ is a hash function (RO)
      Key derivation: compute $D_{id} = H(id)$ and return
      $$usk = \delta_{id} = \begin{cases} (D_{id})^{1/2} & \text{if } D_{id} \in QR_N \\ (u D_{id})^{1/2} & \text{if } D_{id} \in J_N \setminus QR_N \end{cases}$$
      Remark: the original cryptosystem is defined with $p, q \equiv 3 \pmod 4$ and $u = -1$.

  15. Cocks Cryptosystem (cont'd). Protocol between Alice and Bob, given $mpk$:
      - Bob holds $\delta_{id} = H(id)^{1/2} \bmod N$.
      - Alice: message $m \in \{-1, 1\}$; picks $t \in_R \mathbb{Z}_N$ s.t. $\left(\frac{t}{N}\right) = m$; computes $c = t + \frac{H(id)}{t} \bmod N$; sends $C = (c)$ to Bob.
      - Bob: sets $\gamma = c$ and recovers $m = \left(\frac{\gamma + 2\delta_{id}}{N}\right)$.

  16. Cocks Cryptosystem (cont'd). Protocol between Alice and Bob, given $mpk$:
      - Bob holds $\delta_{id} = H(id)^{1/2} \bmod N$ or $\delta_{id} = (u\,H(id))^{1/2} \bmod N$.
      - Alice: message $m \in \{-1, 1\}$; picks $t, \bar{t} \in_R \mathbb{Z}_N$ s.t. $\left(\frac{t}{N}\right) = \left(\frac{\bar{t}}{N}\right) = m$; computes $c = t + \frac{H(id)}{t} \bmod N$ and $\bar{c} = \bar{t} + \frac{u\,H(id)}{\bar{t}} \bmod N$; sends $C = (c, \bar{c})$ to Bob.
      - Bob: sets $\gamma = c$ or $\bar{c}$ and recovers $m = \left(\frac{\gamma + 2\delta_{id}}{N}\right)$.
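
The scheme of slides 13 to 16, run end to end on a toy modulus. This is an added example, not code from the talk or from Cocks' paper: the Mersenne-prime modulus, the SHA-256 counter hash standing in for the random oracle H, and all function names are assumptions. The one-exponentiation square root relies on $p, q \equiv 3 \pmod 4$ with $u = -1$, the setting of the remark on slide 13.

```python
import hashlib
import itertools
import secrets

# Constructed toy parameters (assumption): Mersenne primes, both 3 mod 4. Not secure.
P, Q = 2**89 - 1, 2**107 - 1          # msk
N, U = P * Q, -1                      # mpk, with u = -1 as in the slide's remark

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def H(identity):
    """Hypothetical hash into J_N: SHA-256 with a counter until (a/N) = 1."""
    for ctr in itertools.count():
        digest = hashlib.sha256(f"{ctr}|{identity}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if jacobi(a, N) == 1:
            return a

def keygen(identity):
    """With msk and p, q = 3 (mod 4): delta^2 = D_id or u*D_id (mod N)."""
    return pow(H(identity), (N + 5 - P - Q) // 8, N)

def _mask(m, a):
    """Pick random t with (t/N) = m and return t + a/t mod N."""
    while True:
        t = secrets.randbelow(N - 1) + 1
        if jacobi(t, N) == m:
            return (t + a * pow(t, -1, N)) % N

def encrypt(identity, m):
    # The sender cannot tell which root the user holds, so it sends both parts.
    d = H(identity)
    return _mask(m, d), _mask(m, U * d % N)

def decrypt(identity, delta, ciphertext):
    c, c_bar = ciphertext
    gamma = c if pow(delta, 2, N) == H(identity) else c_bar
    return jacobi(gamma + 2 * delta, N)
```

Decryption works because $\gamma + 2\delta_{id} = (t + \delta_{id})^2 / t$, whose Jacobi symbol equals that of $t$, which is $m$.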

  20. Pell Curve. Consider the Pell curve given by the Pell equation
      $$x^2 - \Delta y^2 = 1 \quad \text{over } \mathbb{F}_p, \text{ where } \Delta = \delta^2 \in \mathbb{F}_p^\times$$
      The set of points $(x, y)$ on the Pell curve forms a group $C(\mathbb{F}_p) \cong \mathbb{F}_p^\times$:
      - order $p - 1$
      - neutral element: $O = (0, 1)$

  24. Group Law. Geometric interpretation. Algebraically:
      $$(x_1, y_1) \oplus (x_2, y_2) = (x_1 x_2 + \Delta y_1 y_2,\; x_1 y_2 + x_2 y_1)$$

  25. Compact Representation. Slope of the line through $P$ and $O$: $y = s(x - 1)$. For efficiency, let
      $$t := \Delta s = \frac{\Delta y}{x - 1}$$
      $$\psi : \mathbb{F}_p \cup \{\infty\} \to C(\mathbb{F}_p), \quad t \mapsto P = \left( \frac{t^2 + \Delta}{t^2 - \Delta},\; \frac{2t}{t^2 - \Delta} \right), \quad \infty \mapsto O$$
      Remark: $\psi$ is not defined at $\pm\delta$ when $\Delta \in QR_p$.

  27. The Group $\mathbb{Z}_{N,\Delta}$. We recall that $\Delta = \delta^2 \in QR_p$. Define the group $(\mathbb{F}_{p,\Delta}, \circledast)$ with neutral element $\infty$, where
      $$\mathbb{F}_{p,\Delta} = (\mathbb{F}_p \setminus \{\pm\delta\}) \cup \{\infty\} = \{ \psi^{-1}(P) \mid P \in C(\mathbb{F}_p) \} = \{ t \in \mathbb{F}_p \mid t^2 \neq \Delta \} \cup \{\infty\} \cong \mathbb{F}_p^\times$$
      under the law $\circledast$:
      $$t_1 \circledast t_2 = \frac{t_1 t_2 + \Delta}{t_1 + t_2}$$
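
The compact representation of slides 24 to 27 can be checked exhaustively over a small field: $\psi$ should carry the law $\circledast$ on values $t$ to the law $\oplus$ on curve points. This is an added example, not code from the talk; the prime $p = 103$ and $\delta = 5$ are constructed toy values and all function names are hypothetical.

```python
# Constructed toy parameters (assumption, not from the slides).
P = 103                      # small prime p
DELTA_ROOT = 5               # delta
DELTA = DELTA_ROOT**2 % P    # Delta = delta^2, a square mod p

def inv(a):
    return pow(a % P, -1, P)

def on_curve(pt):
    x, y = pt
    return (x * x - DELTA * y * y) % P == 1

def point_add(p1, p2):
    """Group law on the Pell curve (slide 24)."""
    (x1, y1), (x2, y2) = p1, p2
    return ((x1 * x2 + DELTA * y1 * y2) % P, (x1 * y2 + x2 * y1) % P)

def psi(t):
    """Compact value t -> curve point; undefined at t = +/- delta."""
    d = inv(t * t - DELTA)
    return ((t * t + DELTA) * d % P, 2 * t * d % P)

def psi_inv(pt):
    """Curve point -> t = Delta * y / (x - 1)."""
    x, y = pt
    return DELTA * y * inv(x - 1) % P

def star(t1, t2):
    """Law on compact values: (t1*t2 + Delta) / (t1 + t2)."""
    return (t1 * t2 + DELTA) * inv(t1 + t2) % P

def finite_elements():
    """Finite part of F_{p,Delta}: every t with t^2 != Delta."""
    return [t for t in range(P) if (t * t - DELTA) % P]

def count_matching_pairs():
    """Count pairs (t1, t2) where psi(t1 star t2) == psi(t1) + psi(t2).
    Pairs with t1 + t2 = 0 are skipped: there the result is the element at infinity."""
    ts = finite_elements()
    return sum(
        psi(star(t1, t2)) == point_add(psi(t1), psi(t2))
        for t1 in ts for t2 in ts if (t1 + t2) % P
    )
```

Adding $\infty$ to the 101 finite elements gives 102 = $p - 1$ elements, matching the group order stated on slide 20.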
