Pairing Based Cryptography Standards


Terence Spies
VP Engineering
Voltage Security
terence@voltage.com
Overview
  • What is a Pairing?
  • Pairing-based Crypto Applications
  • Pairing-based Crypto Standards
What is a Pairing?
  • An old mathematical idea
     • It “pairs” elliptic curve points
     • Has a very interesting property called bilinearity:


         Pair(aB, cD) = Pair(cB, aD)

     • This property makes for a powerful new cryptographic
       primitive
     • Popular cryptographic research area (200+ papers)
What can Pairings do?
  • Identity based encryption
     • Encryption where any string (like an email address) can
       be a public key
  • Identity based key exchange
     • Key exchange using identities
  • Short signatures
     • 160-bit signatures
  • Searchable encryption, and others
Identity-Based Encryption (IBE)
  • IBE is an old idea
     • Originally proposed in 1984 by Adi Shamir, co-inventor of the
       RSA algorithm
     • Fundamental problem: can any string be used as a
       public key?


  • Practical implementation:
     • Boneh-Franklin Algorithm published at Crypto 2001
     • First efficient, provably secure IBE scheme
Identity-Based Encryption (IBE)
  The ability to use any string makes key management easier


  • IBE Public Key:

       alice@gmail.com
  • RSA Public Key:
    Public exponent=0x10001
    Modulus=13506641086599522334960321627880596993888147
         560566702752448514385152651060485953383394028715
         057190944179820728216447155137368041970396419174
         304649658927425623934102086438320211037295872576
         235850964311056407350150818751067659462920556368
         552947521350085287941637732853390610975054433499
         9811150056977236890927563
How IBE works in practice
Alice sends a Message to Bob
  • 1: Alice (alice@a.com) encrypts with bob@b.com
  • 2: Bob (bob@b.com) requests private key from the Key Server, authenticates
  • 3: Bob receives Private Key for bob@b.com
  • 4: Bob decrypts with Private Key
How IBE works in practice
Charlie sends a Message to Bob
  • Fully off-line - no connection to server required
  • 1: Charlie (charlie@c.com) encrypts with bob@b.com
  • 2: Bob (bob@b.com) decrypts with Private Key
How Pairings Lead to IBE
  • Setup
     • Key generator generates secret s, random P
     • Gives everyone P, sP
  • Encryption
     • Alice hashes Bob@b.com -> ID
     • Encrypt message with k = Pair(rID, sP)
     • Send encrypted message and rP
  • Key Generation
     • Bob authenticates, asks for private key
     • Key generator gives back sID
  • Decrypt
     • Bob decrypts with k = Pair(sID, rP)
     • Bob’s k and Alice’s k are identical
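The four steps above, carried through in a toy model as an added example (not code from the original slides or from any IBE product). A "point" xP is stored as the scalar x modulo a prime, so `pair` is bilinear but trivially breakable; the names `mul`, `pair`, `hash_to_id` and `keystream_xor`, and the SHA-256 keystream that turns k into a cipher, are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy model, NOT a real pairing: a point xP is stored as the scalar x mod Q,
# so discrete logs are trivial and nothing here is secure. It only reproduces
# the algebra Pair(aB, cD) = Pair(cB, aD) that the scheme relies on.
Q = 2**127 - 1  # prime group order (a Mersenne prime)

def mul(k, point):  # scalar multiplication k*point in the toy group
    return (k * point) % Q

def pair(a, b):  # toy bilinear map: Pair(xP, yP) is represented by x*y mod Q
    return (a * b) % Q

def hash_to_id(identity):
    """Hash an identity string to a nonzero group element ID."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return h % (Q - 1) + 1

def keystream_xor(k, data):
    """Assumed symmetric step: XOR data with SHA-256(k || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(k.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def setup():
    """Key generator: secret s, random P; publishes (P, sP)."""
    s = secrets.randbelow(Q - 1) + 1
    P = secrets.randbelow(Q - 1) + 1
    return s, (P, mul(s, P))

def encrypt(params, identity, message):
    """Alice: k = Pair(rID, sP); sends rP and the encrypted message."""
    P, sP = params
    r = secrets.randbelow(Q - 1) + 1
    k = pair(mul(r, hash_to_id(identity)), sP)
    return mul(r, P), keystream_xor(k, message)

def extract(s, identity):
    """Key generator: private key sID, issued after authentication."""
    return mul(s, hash_to_id(identity))

def decrypt(private_key, ciphertext):
    """Bob: k = Pair(sID, rP), identical to Alice's k."""
    rP, body = ciphertext
    return keystream_xor(pair(private_key, rP), body)
```

Because `extract` needs only s and the identity string, the key generator can recompute any user's private key at any time, which is what makes the key recovery described on the next slide possible.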
IBE’s Operational Characteristics
  • Easy cross-domain encryption
     • No per-user databases
     • No per-user queries to find keys
     • State of the system does not grow per user
  • Key recovery
     • Accommodates content scanning, anti-virus, archiving and
       other regulatory mechanisms
     • Keys still under control of enterprise
  • Fine-grained key control
     • Easy to change authentication policy over time
     • Revocation handled without CRLs
IBE and PKI - Complementary Strengths
PKI
  • Maximum protection
  • Works well for signing/authentication
  • Requires roll-out
     • generate keys for users
     • Certificate management
  • Sweet Spots for PKI
     • Authentication
     • Signing
     • Inside the organization
Identity-Based Encryption
  • Good for encryption
     • no key-lookup
     • revocation is easy
  • Ad-hoc capable
     • requires no pre-enrollment
  • Content scanning easy
  • Sweet Spots for IBE
     • Encryption
     • Inside and outside the organization
Other Pairing Applications
  • Short Signatures
     • BLS scheme and others yield 160-bit signatures
     • Half the size of DSA signatures
     • Have other interesting properties
         • Can aggregate signatures
             • Allows, for example, a single signature on a cert chain
         • Verifiable encrypted signatures
             • Use in fair exchange, other protocols

  • Searchable Encryption
  • Key Exchange
Standards Activities
  • IEEE Study Group formed last Monday, as part of
    the P1363 Group
  • Goal is writing and submitting a PAR, defining the
    mission of the standards group
  • 24 participants from various countries and
    industries
  • Technical content drafts soon
     • Pairings module: Hovav Shacham, Stanford
     • IBE module: Mike Scott, Dublin City University
  • Draft PAR agreed, to be submitted
Standards Philosophy
  • Model after past IEEE cryptographic standards
     • Standardize algorithms, but not protocols
     • e.g. formats for IBE encrypted email would be part of a
       different standard

  • Don’t block future standards based on PBC
     • Allow for amendments that build on parts of this
       standard
     • Separate IBE and PBC layers

  • Limit scope to keep the task manageable
     • Focus on one set of algorithms, split off other types of
       algorithms into separate standards
Proposed Structure of a PBC/IBE Standard
Pairing Based Crypto Layer and Algorithm Layers
  • Top layer (Other stds): IBE based Protocols
     • e.g. IBE email, key request etc.
  • Middle layer (1363): Identity-Based Encryption, Identity based key exchange, Signatures
  • Bottom layer: Pairing Based Cryptography
     • e.g. pairing, algorithms to compute pairings, curve types, curve parameters
Current Discussion Points
  • Scaling Security to 128/256 bits
  • Separation between pairing layer and crypto
    methods
  • Curve families for embedded and hardware
    implementation
For More Information
  • On 1363 activities:
     http://grouper.ieee.org/groups/1363/WorkingGroup/


  • On pairing based crypto
     • Paulo Barreto’s Pairing Based Crypto Lounge
     http://paginas.terra.com.br/informatica/paulobarreto/pblounge.htm


  • On IBE
     http://crypto.stanford.edu/ibe/
     http://www.voltage.com

								