identity based encryption a 30 minute tour palash sarkar
play

Identity-Based Encryption: A 30-Minute Tour Palash Sarkar Applied - PowerPoint PPT Presentation

Nov 29, 2023 •100 likes •489 views

Identity-Based Encryption: A 30-Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 1 / 22 Structure of the

  1. Identity-Based Encryption: A 30-Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 1 / 22

  2. Structure of the Presentation A brief overview of IBE. Some constructions. Some issues. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 2 / 22

  3. Identity-Based Encryption PKG id A PP d A id A Alice Bob ciphertext Bob sends a message to Alice. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 3 / 22

  4. Identity-Based Encryption Proposed by Shamir in 1984. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 4 / 22

  5. Identity-Based Encryption Proposed by Shamir in 1984. Solutions: Cocks: 2001. Sakai, Ohgishi and Kasahara: 2000. Described an identity-based key agreement scheme. Boneh and Franklin: 2001. Cocks’ solution was based on quadratic residues. SOK and BF were based on bilinear maps. BF provided an appropriate security model. The BF work spurred a great deal of later research. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 4 / 22

  6. Identity-Based Encryption: Security Model Adversary Simulator PP Set−Up generate PP, msk id d id Queries−I C M or 1 , id * M M 0 , choose γ Challenge C * id d id Queries−II C M or γ Guess Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 5 / 22

  7. Identity-Based Encryption: Security Model “Full” model: supports adaptive-identity and adaptive-ciphertext queries in an interleaved fashion. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 6 / 22

  8. Identity-Based Encryption: Security Model “Full” model: supports adaptive-identity and adaptive-ciphertext queries in an interleaved fashion. Restricted Models: CPA-secure: Ciphertext queries not allowed. Selective-identity: The challenge identity id ∗ is to be provided by the adversary even before receiving the PP . Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 6 / 22

  9. Construction Approaches Based on quadratic residues. Based on lattices. Based on bilinear pairings of elliptic curve groups. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 7 / 22

  10. Cocks’ IBE Setting: N = pq ; J ( N ) : set of elements with Jacobi symbol 1 modulo N ; QR ( N ) : set of quadratic residues modulo N . Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 8 / 22

  11. Cocks’ IBE Setting: N = pq ; J ( N ) : set of elements with Jacobi symbol 1 modulo N ; QR ( N ) : set of quadratic residues modulo N . Public Parameters. $ N ; u ← J ( N ) \ QR ( N ) ; ( u is a random pseudo-square;) hash function H () which maps identities into J ( N ) . Master Secret Key: p and q . Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 8 / 22

  12. Cocks’ IBE Setting: N = pq ; J ( N ) : set of elements with Jacobi symbol 1 modulo N ; QR ( N ) : set of quadratic residues modulo N . Public Parameters. $ N ; u ← J ( N ) \ QR ( N ) ; ( u is a random pseudo-square;) hash function H () which maps identities into J ( N ) . Master Secret Key: p and q . Key Gen: identity id. √ √ R = H ( id ) ; r = R or uR according as R is square or not; d id = r . Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 8 / 22

  13. Cocks’ IBE (contd.) Encryption: bit m , identity id. $ R = H ( id ) ; t 0 , t 1 ← Z N ; a + u a R ) / t a and c a = ( − 1 ) m · ( t a compute d a = ( t 2 N ) ; ciphertext: (( d 0 , c 0 ) , ( d 1 , c 1 )) . Decryption: ciphertext (( d 0 , c 0 ) , ( d 1 , c 1 )) , identity id; d id = r : R = H ( id ) ; set a ∈ { 0 , 1 } such that r 2 = u a R ; � t a � � ( t a + r ) 2 and so, ( g � set g = d a + 2 r ; (note g = N ) = ;) t a N compute ( − 1 ) m to be c a · ( g N ) . Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 9 / 22

  14. Cocks’ IBE: Discussion Ciphertext expansion is large; efficiency not good. Boneh, Gentry and Hamburg (2007) obtained improved space efficiency by reusing randomness; but, encryption and decryption efficiencies are worse. Jhanwar and Barua (2008) consider the problem of improving efficiency. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 10 / 22

  15. Cocks’ IBE: Discussion Ciphertext expansion is large; efficiency not good. Boneh, Gentry and Hamburg (2007) obtained improved space efficiency by reusing randomness; but, encryption and decryption efficiencies are worse. Jhanwar and Barua (2008) consider the problem of improving efficiency. This approach currently does not lead to practical schemes. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 10 / 22

  16. Lattice-Based Approach Gentry, Peikert and Vaikuntanathan (2008). Based on a technique called efficient Pre-Image Sampling. This technique naturally leads to a signature scheme. By considering the decryption key corresponding to an identity to be the PKG’s signature on the identity (cf. Naor) suggests an IBE scheme. Security is based on the hardness of the Learning With Errors (LWE) problem. Later work have improved efficiency and provided constructions of hierarchical IBE (HIBE) schemes. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 11 / 22

  17. Lattice-Based Approach: Pros and Cons Motivation: Multi-precision arithmetic not required; Security based on the hardness of worst-case instance; No known quantum algorithm for solving lattice problems. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 12 / 22

  18. Lattice-Based Approach: Pros and Cons Motivation: Multi-precision arithmetic not required; Security based on the hardness of worst-case instance; No known quantum algorithm for solving lattice problems. These apply to all lattice problems and are not specific to lattice-based IBE. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 12 / 22

  19. Lattice-Based Approach: Pros and Cons Motivation: Multi-precision arithmetic not required; Security based on the hardness of worst-case instance; No known quantum algorithm for solving lattice problems. These apply to all lattice problems and are not specific to lattice-based IBE. Cons: The sizes of keys and ciphertexts are far too large compared to pairing-based schemes. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 12 / 22

  20. Pairing e : G 1 × G 2 → G T . G 1 and G 2 are sub-groups of points on an elliptic curve; G T is a sub-group of the multiplicative group of a finite field. Types of pairings: Type-1: G 1 = G 2 (symmetric pairing). Type-2: An efficiently computable isomorphism from G 2 to G 1 is known. Type-3: There is no known efficiently computable isomorphism from G 2 to G 1 (or vice versa). Type-3 pairings are the fastest to compute and provide the most compact parameter sizes. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 13 / 22

  21. Boneh-Franklin IBE $ Setup: G 1 = � P � , s ← Z p , Q = sP ; PP = ( P , Q , H 1 () , H 2 ()) , msk = s . Key-Gen: Given id, compute Q id = H 1 ( id ) ; d id = sQ id . ← Z p ; C = ( rP , M ⊕ H 2 ( e ( Q , Q id ) r $ Encrypt: Choose r � )) � �� Decrypt: Given C = ( U , V ) � and d id compute V ⊕ H 2 ( e ( U , d id ) � ) = M . � �� Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 14 / 22

  22. Boneh-Franklin IBE $ Setup: G 1 = � P � , s ← Z p , Q = sP ; PP = ( P , Q , H 1 () , H 2 ()) , msk = s . Key-Gen: Given id, compute Q id = H 1 ( id ) ; d id = sQ id . ← Z p ; C = ( rP , M ⊕ H 2 ( e ( Q , Q id ) r $ Encrypt: Choose r � )) � �� Decrypt: Given C = ( U , V ) � and d id compute V ⊕ H 2 ( e ( U , d id ) � ) = M . � �� Correctness: e ( U , d ID ) = e ( rP , sQ ID ) = e ( sP , Q ID ) r = e ( Q , Q ID ) r . Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 14 / 22

  23. Boneh-Franklin IBE $ Setup: G 1 = � P � , s ← Z p , Q = sP ; PP = ( P , Q , H 1 () , H 2 ()) , msk = s . Key-Gen: Given id, compute Q id = H 1 ( id ) ; d id = sQ id . ← Z p ; C = ( rP , M ⊕ H 2 ( e ( Q , Q id ) r $ Encrypt: Choose r � )) � �� Decrypt: Given C = ( U , V ) � and d id compute V ⊕ H 2 ( e ( U , d id ) � ) = M . � �� Correctness: e ( U , d ID ) = e ( rP , sQ ID ) = e ( sP , Q ID ) r = e ( Q , Q ID ) r . The scheme is CPA-secure; can be converted to CCA-secure using standard techniques such as the Fujisaki-Okamoto conversion. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 14 / 22

  24. BF-IBE: Discussion Pros: Simple, elegant, efficient, compact, ... Leads naturally to signature scheme, HIBE and other primitives. Best known practical attack: Solve DL in G 1 or G 2 . Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 15 / 22

  25. BF-IBE: Discussion Pros: Simple, elegant, efficient, compact, ... Leads naturally to signature scheme, HIBE and other primitives. Best known practical attack: Solve DL in G 1 or G 2 . Cons: Security argument is based on random oracles. Security reduction to the Decisional Bilinear Diffie-Hellman (DBDH) problem is not tight. Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata, 2012 15 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied

On Some Constructions for Authenticated Encryption with Associated Data Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in (Partially based on joint work with Debrup Chakraborty) Directions

1.01k views • 61 slides
On Symmetric Key Broadcast Encryption Sanjay Bhattacherjee and Palash Sarkar Indian Statistical

On Symmetric Key Broadcast Encryption Sanjay Bhattacherjee and Palash Sarkar Indian Statistical

On Symmetric Key Broadcast Encryption Sanjay Bhattacherjee and Palash Sarkar Indian Statistical Institute, Kolkata Elliptic Curve Cryptography (This is not) 2014 isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 1 / 53

1.67k views • 94 slides
Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian

Attacks on Stream Ciphers: A Perspective Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in First Asian Workshop on Symmetric Key Cryptography ASK 2011, 30th August 2011 isilogo Palash

1.76k views • 148 slides
Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC

Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC

Identity-Based Encryption Cocks IBE Scheme Algebraic Structure Applications Conclusion Identity-Based Cryptosystems and Quadratic Residuosity Marc Joye Proxy: Fabrice Benhamouda PKC 2016 Tapei, Taiwan 1 / 20 Identity-Based Encryption

655 views • 38 slides
Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment Functional encryption Shared coin flips Fully-homomorphic encryption APPLICATIONS AND PROTOCOLS Threshold cryptography Searchable

399 views • 11 slides
Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption Public-key encryption, where public key = name no PKI necessary

815 views • 24 slides
Identity Based Encryption from lattices Pauline Bert October 3, 2017 Outline Preliminaries The

Identity Based Encryption from lattices Pauline Bert October 3, 2017 Outline Preliminaries The

Identity Based Encryption from lattices Pauline Bert October 3, 2017 Outline Preliminaries The first IBE from lattices Our IBE from lattices Ring-LWE construction Implementation 1 Identity Based Encryption Private Key Generator ( mpk ,

621 views • 31 slides
Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based Encryption 2 Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair 2 Identity-Based Encryption In PKE, KeyGen produces a random

1.47k views • 114 slides
gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen

gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen

Identity-Based Encryption gone WILD Gregory Neven IBM Zurich Research Laboratory Public-key encryption PKI pk KeyGen sk M C M Enc Dec Sender (pk) Receiver (sk) 2 1 Identity-based encryption (IBE) [S84] Goal: Allow to encrypt based

584 views • 10 slides
Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography Identity-Based Encryption Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair

1.65k views • 115 slides
Tower Number Field Sieve Variant of a Recent Polynomial Selection Method Palash Sarkar; Shashank

Tower Number Field Sieve Variant of a Recent Polynomial Selection Method Palash Sarkar; Shashank

Rump Session 2016 Tower Number Field Sieve Variant of a Recent Polynomial Selection Method Palash Sarkar; Shashank Singh Indian Statistical Institute The Tower Number Field Sieve + SS Polynomial Selection Z [ z ] R = R [ x ] h ( z ) x

420 views • 13 slides
Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services

Outline Introduction Support technologies Privacy-preserving IDaaS system Conclusions Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services David Nu nez , Isaac Agudo, and Javier Lopez Network,

422 views • 24 slides
(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier

(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier

(Hierarchical) Identity-Based Encryption from Affine Message Authentication Crypto 2014 , Olivier Blazy Eike Kiltz Jiaxin Pan Horst Grtz Institute for IT Security Ruhr-University Bochum 1 Introduction 2 Affine MAC 3 From Affine MAC to IBE 4

880 views • 58 slides
T-IBE-T Identity-Based Encryption for Inter-Tile Communication 12th European Workshop on Systems

T-IBE-T Identity-Based Encryption for Inter-Tile Communication 12th European Workshop on Systems

T-IBE-T Identity-Based Encryption for Inter-Tile Communication 12th European Workshop on Systems Security (EuroSec 19) 2019-03-25, Dresden, Germany Alexander Wrstlein, Wolfgang Schrder-Preikschat Friedrich-Alexander-Universitt

440 views • 14 slides
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe

Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe

Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Bguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable Security 2011.10.17 Verifiable Security

457 views • 41 slides
Identity-Based Encryption and Pairings 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Receiver

Identity-Based Encryption and Pairings 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Receiver

The People Identity-Based Encryption and Pairings 1 Mihir Bellare, UCSD 2 Mihir Bellare, UCSD Receiver has identity I The Awards Example: I = bob@example.com PKE cert I cert I Sender Receiver Trusted Alice M C Bob Authority Receiver

380 views • 4 slides
Aligning and Integrating Data in Karma Craig Knoblock University of Southern California Data

Aligning and Integrating Data in Karma Craig Knoblock University of Southern California Data

Aligning and Integrating Data in Karma Craig Knoblock University of Southern California Data Integration Approaches Data Integration Approaches Data Warehousing 3 Data Integration Approaches Data Warehousing Virtual Integration 4 Domain

536 views • 52 slides
Overview An Introduction to the R Environment R Programming What does an R function look like

Overview An Introduction to the R Environment R Programming What does an R function look like

Overview An Introduction to the R Environment R Programming What does an R function look like Flow control Matrix algebra Peter Dalgaard Optimizers Department of Biostatistics Largish example: Time splitting University of

384 views • 5 slides
Using sparsity to overcome unmeasured confounding: Two parametric tales Qingyuan Zhao

Using sparsity to overcome unmeasured confounding: Two parametric tales Qingyuan Zhao

Using sparsity to overcome unmeasured confounding: Two parametric tales Qingyuan Zhao Statistical Laboratory, University of Cambridge 25 August, 2020 @ ICSB 2020 Slides and more information are available at http://www.statslab.cam.ac.uk/~qz280/

973 views • 49 slides
Sampling Techniques for Probabilistic and Deterministic Graphical models ICS 276, Spring 2017

Sampling Techniques for Probabilistic and Deterministic Graphical models ICS 276, Spring 2017

Sampling Techniques for Probabilistic and Deterministic Graphical models ICS 276, Spring 2017 Bozhena Bidyuk Rina Dechter Reading Darwiche chapter 15, related papers Overview 1. Probabilistic Reasoning/Graphical models 2. Importance

889 views • 63 slides
Pegasus Enhancing User Experience on OSG Mats Rynge rynge@isi.edu https://pegasus.isi.edu Key

Pegasus Enhancing User Experience on OSG Mats Rynge rynge@isi.edu https://pegasus.isi.edu Key

Pegasus Enhancing User Experience on OSG Mats Rynge rynge@isi.edu https://pegasus.isi.edu Key P Pegasus us Conc oncepts ts Pegasus WMS == Pegasus planner (mapper) + DAGMan workflow engine + HTCondor scheduler/broker Pegasus maps

459 views • 12 slides
Programming & Data Structure Laboratory Day 2, July 24, 2014 Loops Loops Pre and post

Programming & Data Structure Laboratory Day 2, July 24, 2014 Loops Loops Pre and post

Programming & Data Structure Laboratory Day 2, July 24, 2014 Loops Loops Pre and post test loops for while do-while switch-case Pre-test loop and post-test loop Loop Condition Body checking True True False

607 views • 35 slides
Part II. Linear Equalizations Matched-Filter, Zero-Forcing, MMSE Equalization 1 Mitigate ISI

Part II. Linear Equalizations Matched-Filter, Zero-Forcing, MMSE Equalization 1 Mitigate ISI

Part II. Linear Equalizations Matched-Filter, Zero-Forcing, MMSE Equalization 1 Mitigate ISI with Linear Filters { W m } Linear Equalizer symbol-wise { V m } { u m } LTI filter: { g ` } detection ISI is caused by a (discrete-time) LTI

480 views • 21 slides
Wireless Networks L ecture 9: Physical Layer OFDM Peter Steenkiste CS and ECE, Carnegie Mellon

Wireless Networks L ecture 9: Physical Layer OFDM Peter Steenkiste CS and ECE, Carnegie Mellon

Wireless Networks L ecture 9: Physical Layer OFDM Peter Steenkiste CS and ECE, Carnegie Mellon University Peking University, Summer 2016 1 Peter A. Steenkiste Outline RF introduction Modulation and multiplexing Channel capacity

278 views • 10 slides

More recommend