# Pairing Based Cryptography Standards - Middleware by pengxiang

```
Pairing Based Cryptography Standards

Terence Spies
VP Engineering
Voltage Security
terence@voltage.com
Overview
• What is a Pairing?
• Pairing-based Crypto Applications
• Pairing-based Crypto Standards
What is a Pairing?
• An old mathematical idea
• It “pairs” elliptic curve points
• Has a very interesting property called bilinearity:

• This property makes for a powerful new cryptographic
primitive
• Popular cryptographic research area (200+ papers)
What can Pairings do?
• Identity based encryption
  • Encryption where any string (like an email address) can be a public key
• Identity based key exchange
  • Key exchange using identities
• Short signatures
  • 160-bit signatures
• Searchable encryption, and others
Identity-Based Encryption (IBE)
• IBE is an old idea
• Originally proposed in 1984 by Adi Shamir, co-inventor of the
RSA Algorithm
• Fundamental problem: can any string be used as a
public key?

• Practical implementation:
• Boneh-Franklin Algorithm published at Crypto 2001
• First efficient, provably secure IBE scheme
Identity-Based Encryption (IBE)
The ability to use any string makes key management easier

• IBE Public Key:

alice@gmail.com
• RSA Public Key:
Public exponent=0x10001
Modulus=13506641086599522334960321627880596993888147
560566702752448514385152651060485953383394028715
057190944179820728216447155137368041970396419174
304649658927425623934102086438320211037295872576
235850964311056407350150818751067659462920556368
552947521350085287941637732853390610975054433499
9811150056977236890927563
How IBE works in practice
[Diagram: Alice sends a Message to Bob; parties are alice@a.com, bob@b.com and the Key Server]
• 1: Alice encrypts with bob@b.com
• Bob requests private key, authenticates
• 3: Key Server: Private Key for bob@b.com
• 4: Bob decrypts with Private Key
How IBE works in practice
[Diagram: Charlie sends a Message to Bob; parties are charlie@c.com, bob@b.com and the Key Server]
• Fully off-line - no connection to server required
• 1: Charlie encrypts with bob@b.com
• 2: Bob decrypts with Private Key
• Setup
  • Key generator generates secret s, random P
  • Gives everyone P, sP
• Encryption
  • Alice hashes Bob@b.com -> ID
  • Encrypt message with k = Pair(rID, sP)
  • Send encrypted message and rP
• Key Generation
  • Bob authenticates, asks for private key
  • Key generator gives back sID
• Decrypt
  • Bob decrypts with k = Pair(sID, rP)
  • Bob’s k and Alice’s k are identical
IBE’s Operational Characteristics
• Easy cross-domain encryption
  • No per-user databases
  • No per-user queries to find keys
  • State of the system does not grow per user
• Key recovery
  • Accommodates content scanning, anti-virus, archiving and other regulatory mechanisms
  • Keys still under control of enterprise
• Fine-grained key control
  • Easy to change authentication policy over time
  • Revocation handled without CRLs
IBE and PKI - Complementary Strengths
PKI
• Maximum protection
• Works well for signing/authentication
• Requires roll-out
• generate keys for users
• Certificate management
Sweet Spots for PKI
• Authentication
• Signing
• Inside the organization

Identity-Based Encryption
• Good for encryption
• no key-lookup
• revocation is easy
• requires no pre-enrollment
• Content scanning easy
Sweet Spots for IBE
• Encryption
• Inside and outside the organization
Other Pairing Applications
• Short Signatures
• BLS scheme and others yield 160-bit signatures
• Half the size of DSA signatures
• Have other interesting properties
• Can aggregate signatures
• Allows, for example, a single signature on a cert chain
• Verifiable encrypted signatures
• Use in fair exchange, other protocols

• Searchable Encryption
• Key Exchange
Standards Activities
• IEEE Study Group formed last Monday, as part of
the P1363 Group
• Goal is writing and submitting a PAR, defining the
mission of the standards group
• 24 participants from various countries and
industries
• Technical content drafts soon
• Pairings module: Hovav Shacham, Stanford
• IBE module: Mike Scott, Dublin City University
• Draft PAR agreed, to be submitted
Standards Philosophy
• Model after past IEEE cryptographic standards
• Standardize algorithms, but not protocols
• e.g. formats for IBE encrypted email would be part of a
different standard

• Don’t block future standards based on PBC
• Allow for amendments that build on parts of this
standard
• Separate IBE and PBC layers

• Limit scope to keep the task manageable
• Focus on one set of algorithms, split off other types of
algorithms into separate standards
Proposed Structure of a PBC/IBE Standard
Pairing Based Crypto Layer and Algorithm Layers
[Diagram: layered stack, top to bottom; side labels "Other stds" and "1363"]
• IBE based Protocols, e.g. IBE email, key request etc.
• Identity-Based Encryption; Identity based key exchange; Signatures
• Pairing Based Cryptography, e.g. pairing, algorithms to compute pairings, curve types, curve parameters
Current Discussion Points
• Scaling Security to 128/256 bits
• Separation between pairing layer and crypto
methods
• Curve families for embedded and hardware
implementation
• On 1363 activities:
http://grouper.ieee.org/groups/1363/WorkingGroup/

• On pairing based crypto
• Paulo Barreto’s Pairing Based Crypto Lounge
http://paginas.terra.com.br/informatica/paulobarreto/pblounge.htm

• On IBE
http://crypto.stanford.edu/ibe/
http://www.voltage.com

```
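The Setup / Encryption / Key Generation / Decrypt steps from the slides, as an added Python example (not code from the presentation or from Voltage). It assumes a toy bilinear map in which "points" are integers mod a small prime, so it offers no security and only shows why Alice's and Bob's k agree; `pair`, `hash_to_id`, `keystream` and the parameters are hypothetical names and constructed values.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration, NOT secure): "points" are
# integers mod the prime Q, and pair() maps into the order-Q subgroup of Z_P*.
P_MOD, Q, G = 2039, 1019, 4          # 2039 = 2*1019 + 1; 4 has order 1019

def pair(a, b):
    """Toy bilinear map: pair(x*a, y*b) == pair(a, b)**(x*y) mod P_MOD."""
    return pow(G, (a * b) % Q, P_MOD)

def hash_to_id(identity):
    """Hash an identity string to a nonzero 'point' (the ID on the slide).
    Lower-casing is an assumption so Bob@b.com and bob@b.com give one key."""
    h = int.from_bytes(hashlib.sha256(identity.lower().encode()).digest(), "big")
    return 1 + h % (Q - 1)

def keystream(k, n):
    """Derive n mask bytes from the shared pairing value k."""
    return hashlib.shake_256(str(k).encode()).digest(n)

def setup():
    """Key generator: secret s, random P; publishes (P, sP)."""
    s = 1 + secrets.randbelow(Q - 1)
    p = 1 + secrets.randbelow(Q - 1)
    return s, (p, s * p % Q)

def extract(s, identity):
    """Key generator gives back sID (Bob's authentication is not modelled)."""
    return s * hash_to_id(identity) % Q

def encrypt(public, identity, msg):
    p, sp = public
    r = 1 + secrets.randbelow(Q - 1)
    k = pair(r * hash_to_id(identity) % Q, sp)        # k = Pair(rID, sP)
    ct = bytes(m ^ x for m, x in zip(msg, keystream(k, len(msg))))
    return r * p % Q, ct                               # send rP and ciphertext

def decrypt(s_id, rp, ct):
    k = pair(s_id, rp)                                 # k = Pair(sID, rP)
    return bytes(c ^ x for c, x in zip(ct, keystream(k, len(ct))))

def demo():
    s, public = setup()
    rp, ct = encrypt(public, "Bob@b.com", b"meet at noon")
    bob = decrypt(extract(s, "bob@b.com"), rp, ct)     # right identity
    eve = decrypt(extract(s, "eve@e.com"), rp, ct)     # key for another identity
    return bob, eve
```

Both sides compute the same value because Pair(rID, sP) and Pair(sID, rP) each equal Pair(ID, P) raised to the power rs; a real deployment replaces the toy map with a pairing on an elliptic curve.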
