Special Topics in Cryptography Instructors Ran Canetti and Ron Rivest Lecture PairingBased - PDF document

540 views
Uploaded On 2014-12-24

Special Topics in Cryptography Instructors Ran Canetti and Ron Rivest Lecture PairingBased - PPT Presentation

897 Special Topics in Cryptography Instructors Ran Canetti and Ron Rivest Lecture 25 PairingBased Cryptography May 5 2004 Scribe Ben Adida 1 Introduction The 64257eld of PairingBased Cryptography has exploded ID: 28602

897 Special Topics Cryptography

Link:

Copy

Embed:

<iframe width="560" height="315" src="https://www.docslides.com/embed/28602" frameborder="0" allowfullscreen></iframe>

Download Presentation from below link

Download Pdf The PPT/PDF document "Special Topics in Cryptography Instructo..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

Non-DegeneracyIfeverythingmapstotheidentity,that'sobviouslynotinteresting:8P2G1;P6=0)he(P;P)i=G2(e(P;P)generatesG2)Inotherwords:P6=0)e(P;P)6=1Computabilityeisecientlycomputable.WecanndG1andG2wherethesepropertieshold:theWeilandTatepairingsprovetheexistenceofsuchconstructions.Typically,G1isanelliptic-curvegroupandG2isaniteeld.3ComplexityImplicationsTheconstructionofabilinearmapcomeswithanumberofcomplexityimplications.Theorem1TheDiscreteLogProbleminG1isnoharderthantheDiscreteLogProbleminG2.Proof1ConsiderQ=aP(stillusingadditivenotation),thoughaisunknown.SolvingtheDiscreteLogProbleminvolvesdiscoveringaforagivenPandarandomQ.Wenote:e(P;Q)=e(P;aP)=e(P;P)aThus,wecanreducetheDiscreteLogProbleminG1totheDiscreteLogProbleminG2.GivenP2G1andarandomQ2G1,andnotingthatthemappingeiseasilycomputable,wecancomputelogP(Q)asfollows:1.determineP0=e(P;P)2.determineQ0=e(P;Q)3.determinea=logP0(Q0)inG2.4.aisalsologP(Q).Theorem2TheDecisionalDie-Helman[Bon98]iseasyinG1.Proof2SolvingtheDDHprobleminvolvesdistinguishing:hP;aP;bP;cPiwitha;b;c2RZq,andhP;aP;bP;abPiwitha;b2RZqIfwedeneP;A;B;Casthefourvaluesgiventothedistinguisher,thedistinguisherfunctionsasfollows:17-2 thecorrespondingprivatekeyisdeliveredtotheproperownerofthisstring(e.g.therecipientoftheemailaddress)byatrustedprivatekeygenerator.Thiskeygeneratormustverifytheuser'sidentitybeforedeliveringaprivatekey,ofcourse,thoughthisvericationisessentiallythesameasthatrequiredforissuingacerticateinatypicalPublicKeyInfrastructure(PKI).Thus,anIdentity-BasedEncryptionSchemeenablesthedeploymentofapublic-keycryptosystemwithoutthepriorsetupofaPKI:auserproveshisidentityinalazyway,onlyonceheneedshisprivatekeytodecryptamessagesenttohim.In2001,BonehandFranklindevisedtherstpracticalimplementationofsuchanIdentity-BasedEncryptionscheme[BF01].TheirapproachusesbilinearmapsandreliesontheBDHAssumptionandtheRandomOraclemodel.SetuptheusualG1andG2withabilinearmappinge:G1G1�!G2andPageneratorasystem-widesecretkeys2RZq.acorrespondingsystem-widepublickeyPpub=sP.EncryptWewanttoencryptamessagemtopublickeyAusingthesystem-widesettingsfromabove.Theencryptionfunctionis:Enc(Ppub;A;m)=hrP;MH2(grA)i;r2RZqgA=e(QA;Ppub)QA=H1(A)H1:f0;1g�!G1,arandomoracleH2:G2�!f0;1g,arandomoracleDecryptWewanttodecryptaciphertextc=(u;v)encryptedwithpublic-keystringA.ThesecretkeyisdeliveredtotheownerofAasdA=sQA,withQAdenedasabove:QA=H1(A).Wedene:Dec(u;v;dA)=vH2(e(dA;u))=vH2(e(sH1(A);rP))=vH2(e(H1(A);P)rs)=vH2(e(QA;sP)r)=vH2(e(QA;Ppub)r)=vH2(grA)=(mH2(grA))H2(grA)=m17-4