Pairing Based Cryptography Standards - Middleware by pengxiang


Pairing Based Cryptography Standards

Terence Spies
VP Engineering
Voltage Security
  • What is a Pairing?
  • Pairing-based Crypto Applications
  • Pairing-based Crypto Standards
What is a Pairing?
  • An old mathematical idea
     • It “pairs” elliptic curve points
     • Has a very interesting property called bilinearity:

         Pair(aB, cD) = Pair(cB, aD)

     • This property makes for a powerful new cryptographic
     • Popular cryptographic research area (200+ papers)
What can Pairings do?
  • Identity based encryption
     • Encryption where any string (like an email address) can
       be a public key
  • Identity based key exchange
     • Key exchange using identities
  • Short signatures
     • 160-bit signatures
  • Searchable encryption, and others
Identity-Based Encryption (IBE)
  • IBE is an old idea
     • Originally proposed in 1984 by Adi Shamir, co-inventor of the
       RSA Algorithm
     • Fundamental problem: can any string be used as a
       public key?

  • Practical implementation:
     • Boneh-Franklin Algorithm published at Crypto 2001
     • First efficient, provably secure IBE scheme
Identity-Based Encryption (IBE)
  The ability to use any string makes key management easier

  • IBE Public Key:
  • RSA Public Key:
    Public exponent=0x10001
How IBE works in practice
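Alice sends a Message to Bob
  [Diagram: Alice, Bob and the Key Server. Surviving labels: "Alice encrypts with" (cut off), "private key," (cut off), "Receives Private Key", "Bob decrypts with Private Key"; step numbers 2, 3 and 4.]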
How IBE works in practice
Charlie sends a Message to Bob
  Fully off-line - no connection to server required
  [Diagram: Charlie, Bob and the Key Server. Surviving labels: "Charlie encrypts with" (cut off), "Bob decrypts with Private Key"; step number 2.]
How Pairings Lead to IBE
  • Setup
     • Key generator generates secret s, random P
     • Gives everyone P, sP
  • Encryption
     • Alice hashes -> ID
     • Encrypt message with k = Pair(rID, sP)
     • Send encrypted message and rP
  • Key Generation
     • Bob authenticates, asks for private key
     • Key generator gives back sID
  • Decrypt
     • Bob decrypts with k = Pair(sID, rP)
     • Bob’s k and Alice’s k are identical
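
Added example (not from the original slides): the Setup / Encryption / Key Generation / Decrypt steps above, and the bilinearity identity from the "What is a Pairing?" slide, run in Python over a toy stand-in pairing. The stand-in stores each "point" as its scalar and so provides no security; the modulus, the identity strings, the SHA-256 keystream and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy stand-in pairing (assumption of this example, not a real curve): the
# "point" xG is stored as the scalar x mod Q and Pair(xG, yG) = GT^(x*y) mod
# PRIME. Bilinear, but every discrete log is exposed: algebra only, no security.
PRIME = 1_000_000_007      # prime modulus of the target group
Q = (PRIME - 1) // 2       # order of the subgroup generated by GT
GT = 4

def mul(scalar, point):
    return (scalar * point) % Q

def pair(a, b):
    return pow(GT, (a * b) % Q, PRIME)

def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)          # uniform in [1, Q-1]

def hash_to_id(identity):
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def xor_stream(k, data):
    pad = b"".join(hashlib.sha256(f"{k}:{i}".encode()).digest()
                   for i in range(0, len(data), 32))
    return bytes(x ^ y for x, y in zip(data, pad))

def setup():
    s, P = rand_scalar(), rand_scalar()
    return s, (P, mul(s, P))                     # secret s; public P, sP

def encrypt(params, identity, msg):
    P, sP = params
    r = rand_scalar()
    k = pair(mul(r, hash_to_id(identity)), sP)   # k = Pair(rID, sP)
    return mul(r, P), xor_stream(k, msg)         # send rP and ciphertext

def extract(s, identity):
    return mul(s, hash_to_id(identity))          # key generator returns sID

def decrypt(sID, ciphertext):
    rP, body = ciphertext
    return xor_stream(pair(sID, rP), body)       # k = Pair(sID, rP)

if __name__ == "__main__":                       # constructed identities
    s, params = setup()
    ct = encrypt(params, "bob@example.com", b"hello Bob")
    print([decrypt(extract(s, w), ct) for w in ("bob@example.com", "eve@example.com")])
```

Only the private key extracted for the identity the sender hashed yields the same k; the key for any other identity decrypts to unrelated bytes.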
IBE’s Operational Characteristics
  • Easy cross-domain encryption
     • No per-user databases
     • No per-user queries to find keys
     • State of the system does not grow per user
  • Key recovery
     • Accommodates content scanning, anti-virus, archiving and
       other regulatory mechanisms
     • Keys still under control of enterprise
  • Fine-grained key control
     • Easy to change authentication policy over time
     • Revocation handled without CRLs
IBE and PKI - Complementary Strengths
  • Maximum protection
  • Works well for signing/authentication
  • Requires roll-out
     • generate keys for users
     • Certificate management
  Sweet Spots for PKI
  • Authentication
  • Signing
  • Inside the

Identity-Based Encryption
  • Good for encryption
     • no key-lookup
     • revocation is easy
  • Ad-hoc capable
     • requires no pre-enrollment
  • Content scanning easy
  Sweet Spots for IBE
  • Encryption
  • Inside and outside the organization
Other Pairing Applications
  • Short Signatures
     • BLS scheme and others yield 160-bit signatures
     • Half the size of DSA signatures
     • Have other interesting properties
         • Can aggregate signatures
             • Allows, for example, a single signature on a cert chain
         • Verifiable encrypted signatures
             • Use in fair exchange, other protocols

  • Searchable Encryption
  • Key Exchange
Standards Activities
  • IEEE Study Group formed last Monday, as part of
    the P1363 Group
  • Goal is writing and submitting a PAR, defining the
    mission of the standards group
  • 24 participants from various countries and
  • Technical content drafts soon
     • Pairings module: Hovav Shacham, Stanford
     • IBE module: Mike Scott, Dublin City University
  • Draft PAR agreed, to be submitted
Standards Philosophy
  • Model after past IEEE cryptographic standards
     • Standardize algorithms, but not protocols
     • e.g. formats for IBE encrypted email would be part of a
       different standard

  • Don’t block future standards based on PBC
     • Allow for amendments that build on parts of this
     • Separate IBE and PBC layers

  • Limit scope to keep the task manageable
     • Focus on one set of algorithms, split off other types of
       algorithms into separate standards
Proposed Structure of a PBC/IBE Standard
Pairing Based Crypto Layer and Algorithm Layers
  [Layer diagram, top to bottom; side labels "Other stds" and "1363"]
  • IBE based Protocols, e.g. IBE email, key request etc. (Other stds)
  • Identity-Based Encryption; Identity based key exchange; Signatures
  • Pairing Based, e.g. pairing, algorithms to compute pairings, curve types, curve parameters
Current Discussion Points
  • Scaling Security to 128/256 bits
  • Separation between pairing layer and crypto
  • Curve families for embedded and hardware
For More Information
  • On 1363 activities:

  • On pairing based crypto
     • Paulo Barreto’s Pairing Based Crypto Lounge

  • On IBE
