IBE (Identity-Based Encryption) from the Weil Pairing

Sravan Babu Bodapati
Eswar Sai Putti
Identity Based Encryption
• An identity-based encryption scheme E is specified by four randomized algorithms: Setup, Extract, Encrypt and Decrypt.

• Setup (run by the PKG):
  – Takes a security parameter k and returns params (the system parameters) and master-key. The system parameters include a description of a finite message space M and a description of a finite ciphertext space C.
  – The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator” (PKG).
Protocol framework (contd.)
• Extract (run by the PKG):
  – Run when a user requests his private key.
  – Takes as input params, master-key and an arbitrary ID ∈ {0, 1}*, and returns a private key d. Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private decryption key.
  – The Extract algorithm extracts a private key from the given public key.
• Encrypt:
  – Takes as input params, ID and M ∈ M. It returns a ciphertext C ∈ C.
• Decrypt:
  – Takes as input params, C ∈ C and a private key d. It returns M ∈ M.
Identity-Based Encryption
[Figure: Alice encrypts M under the identity bob@iitm.ac.in using the global parameters and sends the ciphertext to Bob. The PKG runs setup (global parameters, master key); Bob authenticates to the PKG, which runs extract and returns his private key, and Bob decrypts.]
Applications
• Revocation of public keys:
  – Annual private-key expiration (virtual effect): the receiver cannot decrypt the message after the specific deadline set by the sender.
  – Example public key: “bob@company.com||current-year||clearance=secret”.
  – He also has to get the clearance by the end of the current year.

• Delegation of decryption keys:
  – Delegation to a laptop (when it is stolen).
  – Delegation of duties (persons of only a particular department can decrypt their own messages but cannot tamper with those belonging to other departments).
Applications (Contd.)
• Chosen ciphertext security:
  – Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.
  – Phase 1: The adversary issues queries q1, . . . , qm where query qi is one of:
      » Extraction query IDi: The challenger responds by running algorithm Extract to generate the private key di corresponding to the public key IDi. It sends di to the adversary.
      » Decryption query (IDi, Ci): The challenger responds by running algorithm Extract to generate the private key di corresponding to IDi. It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di. It sends the resulting plaintext to the adversary.
  – Challenge: Once the adversary decides that Phase 1 is over, it outputs two equal-length plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged.
  – Phase 2: The adversary issues more queries qm+1, . . . , qn where query qi is one of:
      » Extraction query
      » Decryption query

• Limitations:
  – These algorithms must satisfy the standard consistency constraint, namely: when d is the private key generated by algorithm Extract when it is given ID as the public key, then
    ∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M).
Types of IBE
• Semantically secure IBE:
  – Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited;
  – it cannot issue decryption queries while attacking the challenge public key.

• One-way identity-based encryption:
  – If given the encryption of a random plaintext, the adversary cannot produce the plaintext in its entirety (total decryption is not possible).
Bilinear maps and the Bilinear Diffie-Hellman Assumption:
• Our IBE system makes use of a bilinear map e : G1 × G1 → G2. The map must satisfy the following properties:
  – Bilinear: We say that a map e : G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and all a, b ∈ Z.
  – Non-degenerate: The map does not send all pairs in G1 × G1 to the identity in G2. Observe that since G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2.
  – Computable: There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.

• If all the above three properties are satisfied, then e is called an admissible bilinear map.
Basic Ident
• Setup: Given a security parameter k ∈ Z+, the algorithm works as follows:
  – Step 1: Run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map ê : G1 × G1 → G2. Choose a random generator P ∈ G1.
  – Step 2: Pick a random s ∈ Zq* and set Ppub = sP.
  – Step 3: Choose a cryptographic hash function H1 : {0, 1}* → G1*. Choose a cryptographic hash function H2 : G2 → {0, 1}^n for some n.
  The message space is M = {0, 1}^n. The ciphertext space is C = G1* × {0, 1}^n. The system parameters are params = (q, G1, G2, ê, n, P, Ppub, H1, H2). The master-key is s ∈ Zq*.
Steps of Basic Ident
• Extract: For a given string ID ∈ {0, 1}* the algorithm does:
  (1) computes QID = H1(ID) ∈ G1*, and
  (2) sets the private key dID to be dID = sQID where s is the master key.
• Encrypt: To encrypt M ∈ M under the public key ID do the following: (1) compute QID = H1(ID) ∈ G1*, (2) choose a random r ∈ Zq*, and (3) set the ciphertext to be

    C = (rP, M ⊕ H2(gID^r))   where gID = ê(QID, Ppub) ∈ G2*

• Decrypt: Let C = (U, V) ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key dID ∈ G1* compute:

    V ⊕ H2(ê(dID, U)) = M
Elliptic Curve
• Let p be a prime larger than 3. An elliptic curve over a finite field of size p, denoted GF(p), can be given by an equation of the form:
    E = { (x, y) | (x, y) satisfies the equation y^2 = x^3 + ax + b, where a, b ∈ GF(p) } ∪ { O }
• If a line intersects the curve at 2 points, it must intersect the curve at a third point also.
• The elliptic curve point addition P + Q = R:
  > Find the two points P and Q where the line intersects the curve.
  > Solve for the 3rd point by solving the polynomial curve equation with the line.
  > Now take the reflection of the 3rd point obtained to obtain R.
  > P + Q = R' (the reflection obtained).
Divisor: Zero and Pole
• A divisor D can be defined as a formal sum of points on the elliptic curve group E:
    D = Σ_P n_P (P)
  where n_P is a non-zero integer that specifies the zero/pole property of point P and its respective order.
• Inequality a) n_P > 0 indicates that point P is a zero, whereas
             b) n_P < 0 indicates that P is a pole.
• For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) − 3(R) indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3.
• The degree of the divisor of a rational function must be zero.
Definition
• The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, done in such a way as to constitute a pairing on the torsion subgroup of E.
Elliptic Curve Group over Real Numbers
• y^2 = x^3 + ax + b
  – x, y, a, b are real numbers
• If 4a^3 + 27b^2 ≠ 0, a group can be formed.
  – points on the curve and the point at infinity
  – additive group
A Deeper Understanding
• E is an elliptic curve over K and n is an integer not divisible by char(K).
• E[n] is the n-torsion subgroup of E(K), that is E[n] = { P ∈ E(K) | nP = ∞ } ⊆ E(K), where we make the assumption that the n-th roots of unity { x | x^n = 1 } lie in K.
• Let T ∈ E[n]; then there exists a function f such that div(f) = n[T] − n[∞].
• Note that f has a zero at T with order n and a pole at ∞ with order n (coefficient −n in the divisor).
Elliptic Curve Addition: A Geometric Approach
• Adding distinct points P and Q [figure]
  – The negative of a point P is its reflection in the x-axis.
• Adding the points P and −P [figure]
• Doubling the point P [figure]
Weil Pairing
• Definition:
  The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (a bilinear form, though with multiplicative notation) on the torsion subgroup of E.

• Bilinear map:
  – A map e : G1 × G1 → G2
  – ∀P, Q ∈ G1, ∀a, b ∈ Z: e(aP, bQ) = e(P, Q)^(ab)

• Weil pairing:
  – bilinear map
      » G1 is the group of points of an elliptic curve over Fp
      » G2 is a subgroup of F*_{p^2}
  – efficiently computable
      » Miller's algorithm
Properties of Weil Pairing
• The Weil pairing has the following properties for points in E[n]:

• Property 1:
  For all P ∈ E[n] we have e(P, P) = 1.

• Bilinear property:
  e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and
  e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).

• Property 3:
  When P, Q ∈ E[n] are collinear then e(P, Q) = 1.
  Similarly, e(P, Q) = e(Q, P)^(−1).

• n-th root property:
  For all P, Q ∈ E[n] we have e(P, Q)^n = 1, i.e. e(P, Q) ∈ G2.

• Non-degenerate property (in the following sense):
  If P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.
Computing The Weil Pairing
• Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F*_{p^2} using O(log p) arithmetic operations in Fp. We assume P ≠ Q. We proceed as follows:
  > Pick two random points R1, R2 ∈ E[n].
  > Consider the divisors A_P = (P + R1) − (R1) and A_Q = (Q + R2) − (R2).
  > These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.
• Hence, with f_P and f_Q the functions whose divisors are n·A_P and n·A_Q, we use them to compute the Weil pairing as
    e(P, Q) = f_P(A_Q) / f_Q(A_P) = ( f_P(Q + R2) · f_Q(R1) ) / ( f_P(R2) · f_Q(P + R1) )
Computations (Contd.):
• This expression is well defined with very high probability over the choice of R1, R2 (the probability of failure is at most O(log p / p)).
• In the rare event that a division by zero occurs during the computation of e(P, Q), we simply pick new random points R1, R2 and repeat the process.
Miller's algorithm
• As seen above, computing both the Weil pairing and the Tate pairing reduces to finding a function f with
    div(f) = n[P + R] − n[R]
  for points P ∈ E[n] and R ∈ E, and evaluating f(Q1)/f(Q2).
• Note that we omit the Tate pairing here because the Galois cohomology theorem is too hard.
Basic idea
• Define D_j = j[P + R] − j[R] − [jP] + [∞].
  – Note that we can't define D_j = j[P + R] − j[R] (for j < n its points do not sum to ∞, so it is not the divisor of a function).
• We can find a function f_j such that div(f_j) = D_j.
• Miller's algorithm can compute f_{j+k}(Q1)/f_{j+k}(Q2) from f_j(Q1)/f_j(Q2) and f_k(Q1)/f_k(Q2) as follows:
  – Let ax + by + c = 0 be the line through jP and kP.
  – Let x + d = 0 be the vertical line through (j+k)P.

1. div( (ax + by + c)/(x + d) ) = [jP] + [kP] − [(j+k)P] − [∞]
2. Therefore, div(f_{j+k}) = D_{j+k}
     = (j+k)[P + R] − (j+k)[R] − [(j+k)P] + [∞]
     = ( j[P + R] − j[R] − [jP] + [∞] ) + ( k[P + R] − k[R] − [kP] + [∞] ) + div( (ax + by + c)/(x + d) )
     = D_j + D_k + div( (ax + by + c)/(x + d) )
     = div(f_j) + div(f_k) + div( (ax + by + c)/(x + d) )
     = div( f_j · f_k · (ax + by + c)/(x + d) )
3. That is, f_{j+k} = t · f_j · f_k · (ax + by + c)/(x + d) for some constant t.
4. Therefore,
     f_{j+k}(Q1) / f_{j+k}(Q2) = [ t · f_j(Q1) · f_k(Q1) · ((ax + by + c)/(x + d))|_{(x,y)=Q1} ] / [ t · f_j(Q2) · f_k(Q2) · ((ax + by + c)/(x + d))|_{(x,y)=Q2} ],
   so the constant t cancels in the ratio.
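The following is an added example (not from this deck or from Boneh and Franklin) that ties the two halves of the slides together: it computes the Weil pairing with the Miller recurrence just derived (divisors D_j, the line l through jP and kP, the vertical v through (j+k)P, the ratio f(Q1)/f(Q2), and a retry on division by zero) and runs BasicIdent's Setup, Extract, Encrypt and Decrypt on top of it. It assumes a toy curve y^2 = x^3 + 1 over F_59 with q = 5, the distortion map φ(x, y) = (ζx, y) to build the modified pairing ê(P, Q) = e(P, φ(Q)), and SHA-256 as a stand-in for H1 and H2; all function names are my own.

```python
# Toy BasicIdent over E: y^2 = x^3 + 1 with the Weil pairing computed by Miller's algorithm
# as in the slides. Constructed illustration only: a 60-point curve offers no security.
import hashlib
import secrets
p = 59   # p = 2 mod 3 gives #E(F_p) = p + 1 = 60; p = 3 mod 4 makes -1 a non-square
q = 5    # prime order of the subgroup G1 = <P>; q divides p + 1
# ---- F_{p^2} = F_p[i] / (i^2 + 1); an element (a, b) stands for a + b*i ----
ZERO, ONE = (0, 0), (1, 0)
def fsub(x, y): return ((x[0] - y[0]) % p, (x[1] - y[1]) % p)
def fmul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % p, (x[0]*y[1] + x[1]*y[0]) % p)
def finv(x):
    norm = (x[0]*x[0] + x[1]*x[1]) % p          # x * conj(x) in F_p; zero only for x = 0
    if norm == 0: raise ZeroDivisionError       # tells weil() to pick new R1, R2
    n = pow(norm, p - 2, p); return ((x[0]*n) % p, (-x[1]*n) % p)
def fpow(x, e):
    r = ONE
    while e:
        if e & 1: r = fmul(r, x)
        x, e = fmul(x, x), e >> 1
    return r
# ---- E(F_{p^2}): a point is (x, y) with x, y in F_{p^2}, or None for O = infinity ----
def slope(A, B):   # slope of the line through A and B (tangent when A == B)
    if A == B: return fmul(fmul((3, 0), fmul(A[0], A[0])), finv(fmul((2, 0), A[1])))
    return fmul(fsub(B[1], A[1]), finv(fsub(B[0], A[0])))
def add(P, Q):
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P != Q or P[1] == ZERO): return None   # Q = -P
    lam = slope(P, Q)
    x3 = fsub(fsub(fmul(lam, lam), P[0]), Q[0])
    return (x3, fsub(fmul(lam, fsub(P[0], x3)), P[1]))
def mul(k, P):
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R
def fp_point(x):   # lift x in F_p to a point of E(F_p) or None; sqrt is a power as p = 3 mod 4
    rhs = (x**3 + 1) % p
    y = pow(rhs, (p + 1) // 4, p)
    return ((x, 0), (y, 0)) if (y * y) % p == rhs else None
def find_generator():   # first F_p point of full order 60 = 2^2 * 3 * 5 (E(F_59) is cyclic)
    for x in range(p):
        Pt = fp_point(x)
        if Pt and all(mul((p + 1) // f, Pt) is not None for f in (2, 3, 5)): return Pt
G = find_generator()
ZETA = next((a, b) for a in range(p) for b in range(1, p) if fpow((a, b), 3) == ONE)
def phi(P): return (fmul(ZETA, P[0]), P[1])   # distortion map: sends E(F_p) off itself
def rand_point():   # random point of E(F_{p^2}) of the form a*G + b*phi(G), never O
    while True:
        R = add(mul(secrets.randbelow(p + 1), G), mul(secrets.randbelow(p + 1), phi(G)))
        if R is not None: return R
# ---- Miller's algorithm with the slides' divisor D_j = j[P+R] - j[R] - [jP] + [O] ----
def line(A, B, T):   # value at T of the line through A and B (vertical when B = -A)
    if A[0] == B[0] and (A != B or A[1] == ZERO): return fsub(T[0], A[0])
    return fsub(fsub(T[1], A[1]), fmul(slope(A, B), fsub(T[0], A[0])))
def vert(C, T):      # value at T of the vertical line through C (constant 1 when C = O)
    return ONE if C is None else fsub(T[0], C[0])
def miller(P, R, n, T):
    """f_n(T) with div(f_n) = n[P+R] - n[R] for nP = O, n prime; t cancels in ratios."""
    f1 = fmul(vert(add(P, R), T), finv(line(P, R, T)))   # div(f_1) = D_1
    f, J = f1, P                                          # invariant: f = f_j(T), J = jP
    for bit in bin(n)[3:]:                                # f_{j+k} = f_j * f_k * l / v
        f, J = fmul(fmul(f, f), fmul(line(J, J, T), finv(vert(add(J, J), T)))), add(J, J)
        if bit == '1':
            f, J = fmul(fmul(f, f1), fmul(line(J, P, T), finv(vert(add(J, P), T)))), add(J, P)
    if f == ZERO: raise ZeroDivisionError                 # T hit a zero of a line: retry
    return f
def weil(P, Q, n):
    """e_n(P, Q) = f_P(A_Q) / f_Q(A_P) with A_P = (P+R1) - (R1), A_Q = (Q+R2) - (R2)."""
    while True:
        R1, R2 = rand_point(), rand_point()
        QR2, PR1 = add(Q, R2), add(P, R1)
        if QR2 is None or PR1 is None: continue
        try:
            fP = fmul(miller(P, R1, n, QR2), finv(miller(P, R1, n, R2)))
            fQ = fmul(miller(Q, R2, n, PR1), finv(miller(Q, R2, n, R1)))
            return fmul(fP, finv(fQ))
        except ZeroDivisionError:   # division by zero: new random R1, R2, as the slides say
            continue
def e_hat(A, B): return weil(A, phi(B), q)   # modified pairing; non-degenerate on G1 x G1
# ---- BasicIdent: Setup / Extract / Encrypt / Decrypt with message space {0,1}^128 ----
def setup():
    P = mul((p + 1) // q, G)               # generator of G1, the order-q subgroup of E(F_p)
    s = secrets.randbelow(q - 1) + 1       # master key s in Zq*
    return {'P': P, 'Ppub': mul(s, P)}, s
def H1(params, ID):   # toy MapToPoint: hash ID to a scalar in Zq* and multiply P
    h = int.from_bytes(hashlib.sha256(ID.encode()).digest(), 'big') % (q - 1) + 1
    return mul(h, params['P'])             # only q - 1 distinct identities on this toy curve
def H2(g): return hashlib.sha256(f"{g[0]},{g[1]}".encode()).digest()[:16]   # G2 -> {0,1}^128
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def extract(params, s, ID): return mul(s, H1(params, ID))             # d_ID = s * Q_ID
def encrypt(params, ID, M):   # M is a 16-byte message
    r = secrets.randbelow(q - 1) + 1
    g_id = e_hat(H1(params, ID), params['Ppub'])                      # g_ID = e(Q_ID, Ppub)
    return mul(r, params['P']), xor(M, H2(fpow(g_id, r)))             # C = (rP, M xor H2(g^r))
def decrypt(d_id, C):   # C = (U, V); e(d_ID, U) = e(Q_ID, Ppub)^r = g_ID^r
    return xor(C[1], H2(e_hat(d_id, C[0])))
```

The properties from the Weil pairing slide (bilinear, e(P, P) = 1, e(P, Q)^n = 1, e(Q, P) = e(P, Q)^(−1)) can be checked directly by calling weil(P, phi(P), q) and comparing with fpow and finv.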
Escrow ElGamal Encryption
• Setup
  – Use the same elliptic curve
  – Pick a random s ∈ Zq, Q = sP
  – Choose a hash function H : F_{p^2} → {0,1}^n
  – System parameters: < p, n, P, Q, H >
  – s is the escrow key
• Keygen
  – The user randomly chooses x ∈ Zq as private key
  – The public key is Ppub = xP
Big Picture
[Figure: encryption between Alice and Bob. Bob sends Alice his public key yBob with certificate cert(yBob, Bob); Alice computes the ciphertext (a, b) = (…) and sends (a, b) to Bob.]
Escrow ElGamal Encryption (Cont'd)
• Encrypt (ciphertext)
  – Pick random r ∈ Zq
  – C = < rP, M ⊕ H(g^r) > where g = ê(Ppub, Q) ∈ F_{p^2}
    (our encrypted message is C)
• Decrypt (C = <U, V>)
  – V ⊕ H(ê(U, xQ)) = M
• Escrow-decrypt
  – V ⊕ H(ê(U, sPpub)) = M

Más contenido relacionado

La actualidad más candente

The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithmKomal Singh
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key AlgorithmsBit Hacker
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2Deepak John
 
Public key cryptography
Public key cryptography Public key cryptography
Public key cryptography rinnocente
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysDharmalingam Ganesan
 
Information and Network Security
Information and Network SecurityInformation and Network Security
Information and Network SecurityMaulik Togadiya
 
Computer security module 1
Computer security module 1Computer security module 1
Computer security module 1Deepak John
 
Forward secure asynchronous messaging from puncturable encryption
Forward secure asynchronous messaging from puncturable encryptionForward secure asynchronous messaging from puncturable encryption
Forward secure asynchronous messaging from puncturable encryptionNational Chengchi University
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackAnkita Kapratwar
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionMd. Ariful Hoque
 

La actualidad más candente (20)

Public key algorithm
Public key algorithmPublic key algorithm
Public key algorithm
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
 
RSA
RSARSA
RSA
 
Computer security module 2
Computer security module 2Computer security module 2
Computer security module 2
 
Public key cryptography
Public key cryptography Public key cryptography
Public key cryptography
 
On the Secrecy of RSA Private Keys
On the Secrecy of RSA Private KeysOn the Secrecy of RSA Private Keys
On the Secrecy of RSA Private Keys
 
Information and Network Security
Information and Network SecurityInformation and Network Security
Information and Network Security
 
Computer security module 1
Computer security module 1Computer security module 1
Computer security module 1
 
Chapter 03 cyclic codes
Chapter 03   cyclic codesChapter 03   cyclic codes
Chapter 03 cyclic codes
 
F010243136
F010243136F010243136
F010243136
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Forward secure asynchronous messaging from puncturable encryption
Forward secure asynchronous messaging from puncturable encryptionForward secure asynchronous messaging from puncturable encryption
Forward secure asynchronous messaging from puncturable encryption
 
Broadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attackBroadcasting and low exponent rsa attack
Broadcasting and low exponent rsa attack
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and DecryptionImplementation of RSA Algorithm for Speech Data Encryption and Decryption
Implementation of RSA Algorithm for Speech Data Encryption and Decryption
 
The rsa algorithm JooSeok Song
The rsa algorithm JooSeok SongThe rsa algorithm JooSeok Song
The rsa algorithm JooSeok Song
 

Similar a Ibe weil pairing

implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptMuhammadAbdullah311866
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
Paillier Cryptosystem
Paillier CryptosystemPaillier Cryptosystem
Paillier CryptosystemDejan Radic
 
Image encryption using elliptical curve cryptosytem with hill cipher
Image encryption using elliptical curve cryptosytem with hill cipherImage encryption using elliptical curve cryptosytem with hill cipher
Image encryption using elliptical curve cryptosytem with hill cipherkarthik kedarisetti
 
Convolution presentation
Convolution presentationConvolution presentation
Convolution presentationSoham Mondal
 
Unit-III_3R-CRYPTO_2021-22_VSM.pptx
Unit-III_3R-CRYPTO_2021-22_VSM.pptxUnit-III_3R-CRYPTO_2021-22_VSM.pptx
Unit-III_3R-CRYPTO_2021-22_VSM.pptxVishwanathMahalle
 
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Madhumita Tamhane
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
Wireless Body Area Networking
Wireless Body Area NetworkingWireless Body Area Networking
Wireless Body Area Networkingsubhradeep mitra
 
815.07 machine learning using python.pdf
815.07 machine learning using python.pdf815.07 machine learning using python.pdf
815.07 machine learning using python.pdfSairaAtta5
 
Two fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmTwo fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmRifat Tasnim
 
2.13 Inroductory idea of elliptic curve cryptography.pptx
2.13 Inroductory idea of elliptic curve cryptography.pptx2.13 Inroductory idea of elliptic curve cryptography.pptx
2.13 Inroductory idea of elliptic curve cryptography.pptxgirilogu2
 

Similar a Ibe weil pairing (20)

implementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.pptimplementing the encryption in the JAVA.ppt
implementing the encryption in the JAVA.ppt
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Paillier Cryptosystem
Paillier CryptosystemPaillier Cryptosystem
Paillier Cryptosystem
 
Image encryption using elliptical curve cryptosytem with hill cipher
Image encryption using elliptical curve cryptosytem with hill cipherImage encryption using elliptical curve cryptosytem with hill cipher
Image encryption using elliptical curve cryptosytem with hill cipher
 
Convolution presentation
Convolution presentationConvolution presentation
Convolution presentation
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
 
Unit-III_3R-CRYPTO_2021-22_VSM.pptx
Unit-III_3R-CRYPTO_2021-22_VSM.pptxUnit-III_3R-CRYPTO_2021-22_VSM.pptx
Unit-III_3R-CRYPTO_2021-22_VSM.pptx
 
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
Convolution codes - Coding/Decoding Tree codes and Trellis codes for multiple...
 
Mmclass3
Mmclass3Mmclass3
Mmclass3
 
Bch codes
Bch codesBch codes
Bch codes
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Wireless Body Area Networking
Wireless Body Area NetworkingWireless Body Area Networking
Wireless Body Area Networking
 
Elliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
Elliptic curvecryptography Shane Almeida Saqib Awan Dan PalacioElliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
Elliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
 
New ppt.ppt
New ppt.pptNew ppt.ppt
New ppt.ppt
 
815.07 machine learning using python.pdf
815.07 machine learning using python.pdf815.07 machine learning using python.pdf
815.07 machine learning using python.pdf
 
Ecc2
Ecc2Ecc2
Ecc2
 
Primitives
PrimitivesPrimitives
Primitives
 
Class3
Class3Class3
Class3
 
Two fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption AlgorithmTwo fish & Rijndael (AES) Encryption Algorithm
Two fish & Rijndael (AES) Encryption Algorithm
 
2.13 Inroductory idea of elliptic curve cryptography.pptx
2.13 Inroductory idea of elliptic curve cryptography.pptx2.13 Inroductory idea of elliptic curve cryptography.pptx
2.13 Inroductory idea of elliptic curve cryptography.pptx
 

Último

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Último (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Ibe weil pairing

  • 1. IBE (Identitiy-Based Encryption) from the Weil Pairing  Sravan Babu Bodapati  Eswar Sai Putti
  • 3. Identity Based Encryption • An identity-based encryption scheme E is specified by four randomized algorithms: • Setup, • Extract, • Encrypt, • Decrypt: • Setup: ( Run by PKG ) • It takes a security parameter k and returns params (system parameters) and master-key. The system parameters include a description of a finite message space M, and a description of a finite ciphertext space C. • > The system parameters will be publicly known, while the master-key will be known only to the “Private Key Generator” (PKG).
  • 4. Protocol framework (contd.)
    • Extract (run by PKG): Run when a user requests their private key. It takes as input params, master-key, and an arbitrary ID ∈ {0, 1}*, and returns a private key d. Here ID is an arbitrary string that will be used as a public key, and d is the corresponding private decryption key.
    • The Extract algorithm extracts a private key from the given public key.
    • Encrypt: It takes as input params, ID, and M ∈ M. It returns a ciphertext C ∈ C.
    • Decrypt: It takes as input params, C ∈ C, and a private key d. It returns M ∈ M.
  • 5. Identity-Based Encryption (diagram; labels recovered from the figure): Alice, Bob, PKG; setup; global parameters; master key; M encrypted using bob@iitm.ac.in; Authentication; extract; Private key for alice@iitm.ac.in; encrypt; decrypt.
  • 6. Applications
    • Revocation of Public Keys: Annual private key expiration (virtual effect), as the receiver cannot decrypt the message after the specific deadline set by the sender, e.g. “bob@company.com||current-year||clearance=secret”. He also has to get the clearance by the end of the current year.
    • Delegation of Decryption Keys:
      – Delegation to a laptop (in case it is stolen)
      – Delegation of duties (persons of only a particular department can decrypt their own messages but cannot tamper with those belonging to other departments).
  • 7. Applications (Contd.)
    • Chosen ciphertext security:
    • Setup: The challenger takes a security parameter k and runs the Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the master-key to itself.
    • Phase 1: The adversary issues queries q1, . . . , qm where query qi is one of:
      – Extraction query IDi: The challenger responds by running algorithm Extract to generate the private key di corresponding to the public key IDi. It sends di to the adversary.
      – Decryption query IDi, Ci: The challenger responds by running algorithm Extract to generate the private key di corresponding to IDi. It then runs algorithm Decrypt to decrypt the ciphertext Ci using the private key di. It sends the resulting plaintext to the adversary.
    • Challenge: Once the adversary decides that Phase 1 is over, it outputs two equal length plaintexts M0, M1 ∈ M and an identity ID on which it wishes to be challenged.
  • 8. Phase 2:
    • The adversary issues more queries qm+1, . . . , qn where query qi is one of:
      – Extraction query
      – Decryption query
    • Limitations:
    • These algorithms must satisfy the standard consistency constraint, namely: when d is the private key generated by algorithm Extract when it is given ID as the public key, then ∀M ∈ M : Decrypt(params, C, d) = M where C = Encrypt(params, ID, M).
  • 9. Types of IBE
    • Semantically Secure IBE: Semantic security is similar to chosen ciphertext security (IND-ID-CCA) except that the adversary is more limited; it cannot issue decryption queries while attacking the challenge public key.
    • One-way identity-based encryption: If given the encryption of a random plaintext, the adversary cannot produce the plaintext in its entirety (total decryption is not possible).
  • 10. Bilinear maps and the Bilinear Diffie-Hellman Assumption:
    • Our IBE system makes use of a bilinear map e : G1 × G1 → G2. The map must satisfy the following properties:
    • Bilinear: We say that a map e : G1 × G1 → G2 is bilinear if e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G1 and all a, b ∈ Z.
    • Non-degenerate: The map does not send all pairs in G1 × G1 to the identity in G2. Observe that since G1, G2 are groups of prime order, this implies that if P is a generator of G1 then e(P, P) is a generator of G2.
    • Computable: There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ G1.
    • If all the above 3 properties are satisfied, then it is called an admissible bilinear map.
  • 11. Basic Ident
    • Setup: Given a security parameter k ∈ Z+, the algorithm works as follows:
    • Step 1: Run G on input k to generate a prime q, two groups G1, G2 of order q, and an admissible bilinear map ê : G1 × G1 → G2. Choose a random generator P ∈ G1.
    • Step 2: Pick a random s ∈ Zq* and set Ppub = sP.
    • Step 3: Choose a cryptographic hash function H1 : {0, 1}* → G1*. Choose a cryptographic hash function H2 : G2 → {0, 1}^n for some n. The message space is M = {0, 1}^n. The ciphertext space is C = G1* × {0, 1}^n. The system parameters are params = (q, G1, G2, ê, n, P, Ppub, H1, H2). The master-key is s ∈ Zq*.
  • 12. Steps of Basic Ident
    • Extract: For a given string ID ∈ {0, 1}* the algorithm does: (1) computes QID = H1(ID) ∈ G1*, and (2) sets the private key dID to be dID = sQID where s is the master key.
    • Encrypt: To encrypt M ∈ M under the public key ID do the following: (1) compute QID = H1(ID) ∈ G1*, (2) choose a random r ∈ Zq*, and (3) set the ciphertext to be C = (rP, M ⊕ H2(gID^r)) where gID = ê(QID, Ppub) ∈ G2*.
    • Decrypt: Let C = (U, V) ∈ C be a ciphertext encrypted using the public key ID. To decrypt C using the private key dID ∈ G1* compute: V ⊕ H2(ê(dID, U)) = M.
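Slides 11 and 12, together with the consistency constraint of slide 8, run end to end below as an added example that is not part of the original slides: BasicIdent instantiated with a toy admissible bilinear map. The assumptions are all constructed for this example: G1 is (Zq, +) with generator P = 1, G2 is the order-q subgroup of Zp* generated by g, the map is e(aP, bP) = g^(ab) mod p with q = 101, p = 607, g = 64, H1 and H2 are built from SHA-256, and messages are 16 bytes. The map does satisfy the three properties of slide 10, but discrete logarithms in this G1 are a single division (dID = s·QID hands out s), so the block demonstrates the mechanics of the four algorithms, not their security; the real scheme needs the Weil pairing on an elliptic curve group.

```python
# Added example (not from the slides): BasicIdent over a toy bilinear map.
# Assumed toy groups: G1 = (Z_q, +) with P = 1, G2 = <g> of order q in Z_p^*,
# e(aP, bP) = g^(ab) mod p. Bilinear, non-degenerate, computable, but the
# discrete log in G1 is trivial, so this is a teaching model only.
import hashlib
import secrets

q = 101          # prime order of G1 and G2 (toy size)
p = 607          # p = 6*q + 1, so Z_p^* has a subgroup of order q
g = 64           # 2^6 mod 607, a generator of that order-q subgroup
NBYTES = 16      # messages are n = 128-bit strings


def pairing(a, b):
    """e(aP, bP) = g^(ab): bilinear since (g^(ab))^(cd) = g^((ac)(bd))."""
    return pow(g, (a * b) % q, p)


def H1(identity: str) -> int:
    """{0,1}* -> G1^*: a nonzero element of Z_q (SHA-256, then reduce)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + h % (q - 1)


def H2(g2_element: int) -> bytes:
    """G2 -> {0,1}^n: SHA-256 of the group element, truncated to n bytes."""
    return hashlib.sha256(g2_element.to_bytes(2, "big")).digest()[:NBYTES]


def setup():
    """PKG side: params are public, the master key s stays with the PKG."""
    s = 1 + secrets.randbelow(q - 1)              # s in Z_q^*
    P = 1                                          # generator of G1
    return {"P": P, "Ppub": (s * P) % q}, s


def extract(master_key: int, identity: str) -> int:
    """PKG side: d_ID = s * Q_ID with Q_ID = H1(ID)."""
    return (master_key * H1(identity)) % q


def encrypt(params, identity: str, msg: bytes, r=None):
    """Sender: C = (rP, M xor H2(g_ID^r)) with g_ID = e(Q_ID, Ppub)."""
    if len(msg) != NBYTES:
        raise ValueError("message must be exactly n bytes")
    r = r or 1 + secrets.randbelow(q - 1)         # r in Z_q^*
    Q_ID = H1(identity)
    g_ID = pairing(Q_ID, params["Ppub"])          # e(Q_ID, Ppub) in G2^*
    U = (r * params["P"]) % q                     # rP
    V = bytes(m ^ k for m, k in zip(msg, H2(pow(g_ID, r, p))))
    return U, V


def decrypt(params, d_ID: int, ctxt) -> bytes:
    """Receiver: V xor H2(e(d_ID, U)); e(sQ_ID, rP) = e(Q_ID, sP)^r = g_ID^r."""
    U, V = ctxt
    return bytes(v ^ k for v, k in zip(V, H2(pairing(d_ID, U))))


def consistency_check(identity: str, msg: bytes) -> bool:
    """Slide 8: Decrypt(params, Encrypt(params, ID, M), Extract(s, ID)) == M."""
    params, s = setup()
    return decrypt(params, extract(s, identity), encrypt(params, identity, msg)) == msg


if __name__ == "__main__":
    print(consistency_check("bob@iitm.ac.in", b"sixteen byte msg"))
```

The decryption step is where bilinearity does the work: the sender never sees s, only Ppub = sP, and the receiver never sees r, only U = rP, yet both reach the same G2 element g_ID^r because e(sQ_ID, rP) and e(Q_ID, sP)^r move the scalars s and r across the two slots of the map.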
  • 13. Elliptic Curve
    • Let p be a prime larger than 3. An elliptic curve over a finite field of size p, denoted GF(p), can be given by an equation of the form: E = { (x, y) | (x, y) satisfies the equation y^2 = x^3 + ax + b, where a, b ∈ GF(p) } ∪ { O }.
    • If a line intersects the curve at 2 points, it must intersect the curve at a third point also.
    • The Elliptic Curve Point Addition: P + Q = R
      > Find the two points P and Q where the line intersects the curve.
      > Solve for the 3rd point by solving the polynomial curve equation with the line.
      > Now take the reflection of the 3rd point obtained to obtain R.
      > P + Q = R' (the reflection obtained).
  • 14. Divisor: Zero and Pole
    • A divisor D can be defined as a formal sum of points on the elliptic curve group E: D = ∑ nP (P), where nP is a non-zero integer that specifies the zero/pole property of point P and its respective order.
    • Inequality: a) nP > 0 indicates that point P is a zero, whereas b) nP < 0 indicates that P is a pole.
    • For example, for P, Q, R ∈ E, D1 = 2(P) + 3(Q) − 3(R) indicates that divisor D1 has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3.
    • The degree of the divisor of a rational function must be zero.
  • 15. Definition
    • The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E.
    • It is done in such a way as to constitute a pairing on the torsion subgroup of E.
  • 16. Elliptic Curve Group over Real Numbers
    • y^2 = x^3 + ax + b, where x, y, a, b are real numbers
    • If 4a^3 + 27b^2 ≠ 0, a group can be formed:
      – points on the curve and the infinity point
      – additive group
  • 17. A Deeper Understanding
    • E is an elliptic curve over K and n is an integer not divisible by char(K).
    • E[n] is the n-torsion subgroup of E(K̄), that is E[n] = {P ∈ E(K̄) | nP = ∞} ⊆ E(K̄), where we make the assumption that μn = {x ∈ K̄ | x^n = 1} ⊆ K.
    • Let T ∈ E[n]; then there exists a function f such that div(f) = n[T] − n[∞].
    • Note that f has a zero at T with order n and has a pole at ∞ with order n (coefficient −n in div(f)).
  • 18. Elliptic Curve Addition: A Geometric Approach
    • Adding distinct points P and Q
    • The negative of a point P is its reflection in the x-axis.
  • 19. Adding the points P and -P
  • 21. Weil Pairing
    • Definition: The Weil pairing is a construction of roots of unity by means of functions on an elliptic curve E, in such a way as to constitute a pairing (bilinear form, though with multiplicative notation) on the torsion subgroup of E.
    • Bilinear map:
      – A map e : G1 × G1 → G2
      – ∀P, Q ∈ G1, ∀a, b ∈ Z, e(aP, bQ) = e(P, Q)^(ab)
    • Weil pairing:
      – bilinear map: G1 is the group of points of an elliptic curve over Fp; G2 is a subgroup of Fp2*
      – efficiently computable: Miller’s algorithm
  • 22. Properties of Weil Pairing
    • The Weil pairing has the following properties for points in E[n]:
    • Property 1: For all P ∈ E[n] we have e(P, P) = 1.
    • Bilinear property: e(P1 + P2, Q) = e(P1, Q) · e(P2, Q) and e(P, Q1 + Q2) = e(P, Q1) · e(P, Q2).
    • Property 3: When P, Q ∈ E[n] are collinear then e(P, Q) = 1. Similarly, e(P, Q) = e(Q, P)^(−1).
    • n-th root property: For all P, Q ∈ E[n] we have e(P, Q)^n = 1, i.e. e(P, Q) ∈ G2.
    • Non-degenerate property (in the following sense): If P ∈ E[n] satisfies e(P, Q) = 1 for all Q ∈ E[n], then P = O.
  • 23. Computing the Weil Pairing
    • Given two points P, Q ∈ E[n] we show how to compute e(P, Q) ∈ F*(p^2) using O(log p) arithmetic operations in Fp. We assume P ≠ Q. We proceed as follows:
      > Pick two random points R1, R2 ∈ E[n].
      > Consider the divisors AP = (P + R1) − (R1) and AQ = (Q + R2) − (R2).
      > These divisors are equivalent to (P) − (O) and (Q) − (O) respectively.
    • Hence we use them to compute the Weil pairing as e(P, Q) = fP(AQ) / fQ(AP) = fP(Q + R2) · fQ(R1) / (fP(R2) · fQ(P + R1)), where fP and fQ are the functions with div(fP) = n·AP and div(fQ) = n·AQ.
  • 24. Computations (Contd.):
    • This expression is well defined with very high probability over the choice of R1, R2 (the probability of failure is at most O(log p / p)).
    • In the rare event that a division by zero occurs during the computation of e(P, Q), we simply pick new random points R1, R2 and repeat the process.
  • 25. Miller’s algorithm
    • As we have seen above, computing both the Weil pairing and the Tate pairing reduces to finding a function f with div(f) = n[P + R] − n[R] for points P ∈ E[n] and R ∈ E, and evaluating f(Q1)/f(Q2).
    • Note that we omit the Tate pairing here because the Galois cohomology theorem is too hard.
  • 26. Basic idea
    • Define Dj = j[P + R] − j[R] − [jP] + [∞].
      – Note that we can’t define Dj = j[P + R] − j[R]: for 0 < j < n its points sum to jP ≠ ∞, so it is not the divisor of any function.
    • We can find a function fj such that div(fj) = Dj.
    • Miller’s algorithm can compute fj+k(Q1)/fj+k(Q2) from fj(Q1)/fj(Q2) and fk(Q1)/fk(Q2) as follows:
      – Let ax + by + c = 0 be the line through jP and kP.
      – Let x + d = 0 be the vertical line through (j + k)P.
  • 27. Derivation
    1. div((ax + by + c)/(x + d)) = [jP] + [kP] − [(j + k)P] − [∞].
    2. Therefore, div(fj+k) = Dj+k = (j + k)[P + R] − (j + k)[R] − [(j + k)P] + [∞]
         = (j[P + R] − j[R] − [jP] + [∞]) + (k[P + R] − k[R] − [kP] + [∞]) + div((ax + by + c)/(x + d))
         = Dj + Dk + div((ax + by + c)/(x + d))
         = div(fj) + div(fk) + div((ax + by + c)/(x + d))
         = div(fj · fk · (ax + by + c)/(x + d)).
    3. That is, fj+k = t · fj · fk · (ax + by + c)/(x + d) for some constant t.
    4. Therefore, fj+k(Q1)/fj+k(Q2) = [t · fj(Q1) · fk(Q1) · ((ax + by + c)/(x + d))|(x,y)=Q1] / [t · fj(Q2) · fk(Q2) · ((ax + by + c)/(x + d))|(x,y)=Q2].
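Slides 13 to 27 assembled into running code, as an added example that is not part of the original slides: chord-and-tangent point addition over GF(p), Miller's algorithm built from the divisors Dj of slide 26 and the recurrence fj+k = fj · fk · (ax + by + c)/(x + d) of slide 27, and the Weil pairing evaluated as fP(AQ)/fQ(AP) on slide 23 with the retry rule of slide 24. The curve y^2 = x^3 + 30x + 34 over F_631, n = 5, and the points (36, 60) and (121, 387) are assumed test values, chosen so that E[5] lies inside E(F_631) and the pairing lands in F_631 itself rather than in F_(p^2); the "random" R1, R2 are drawn deterministically from a short list of curve points so that runs are reproducible. Nothing here is sized for real use.

```python
# Added example (not from the slides): Miller's algorithm and the Weil pairing
# on a small assumed test curve. p, A, B, n and the points below are assumed
# values chosen so that E[n] sits in E(F_p); they are far too small for any use.
from itertools import product

p, A, B = 631, 30, 34      # curve y^2 = x^3 + A x + B over F_p
n, O = 5, None             # torsion order we pair on; O = point at infinity


def inv(x):
    """Inverse in F_p. A zero here is the 'division by zero' event of slide 24."""
    if x % p == 0:
        raise ZeroDivisionError("pole hit: pick new R1, R2")
    return pow(x, p - 2, p)


def on_curve(P):
    return P is O or (P[1] ** 2 - (P[0] ** 3 + A * P[0] + B)) % p == 0


def add(P, Q):
    """Chord-and-tangent addition (slides 13, 18, 19)."""
    if P is O: return Q
    if Q is O: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return O                                            # P + (-P) = O
    if P == Q: lam = (3 * P[0] ** 2 + A) * inv(2 * P[1]) % p   # tangent slope
    else:      lam = (Q[1] - P[1]) * inv(Q[0] - P[0]) % p      # chord slope
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)                 # reflect 3rd point


def mul(k, P):
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == '1': R = add(R, P)
    return R


def vert(P, X):
    """Vertical line x + d = 0 through P, at X (the constant 1 when P = O)."""
    return 1 if P is O else (X[0] - P[0]) % p


def line(P, Q, X):
    """Line ax + by + c = 0 through P and Q (tangent if P = Q, vertical if
    Q = -P), evaluated at X. Its divisor is [P] + [Q] + [-(P+Q)] - 3[O]."""
    if P is O or Q is O:
        return vert(Q if P is O else P, X)
    if P[0] == Q[0] and (P != Q or P[1] == 0):
        return vert(P, X)
    if P == Q: lam = (3 * P[0] ** 2 + A) * inv(2 * P[1]) % p
    else:      lam = (Q[1] - P[1]) * inv(Q[0] - P[0]) % p
    return (X[1] - P[1] - lam * (X[0] - P[0])) % p


def fdiv(num, den):
    """num/den in F_p, refusing a zero on either side (X is a zero or a pole)."""
    if num % p == 0:
        raise ZeroDivisionError("zero hit: pick new R1, R2")
    return num * inv(den) % p


def miller(P, R, X):
    """f_n(X) with div(f_n) = n[P+R] - n[R]: double-and-add over j using
    f_{j+k} = f_j f_k (ax+by+c)/(x+d) (slide 27) and f_1 = v_{P+R}/h_{P,R},
    whose divisor is D_1 = [P+R] - [R] - [P] + [O] (slide 26)."""
    f1 = fdiv(vert(add(P, R), X), line(P, R, X))
    f, T = f1, P                                   # invariant: f = f_j(X), T = jP
    for bit in bin(n)[3:]:
        f = fdiv(f * f * line(T, T, X), vert(add(T, T), X)); T = add(T, T)
        if bit == '1':
            f = fdiv(f * f1 * line(T, P, X), vert(add(T, P), X)); T = add(T, P)
    return f


def curve_points(limit=40):
    """Deterministic stand-in for random R1, R2: affine points with small x
    (p = 3 mod 4, so a square root is a single exponentiation)."""
    pts = []
    for x in range(limit):
        rhs = (x ** 3 + A * x + B) % p
        y = pow(rhs, (p + 1) // 4, p)
        if rhs and y * y % p == rhs:
            pts += [(x, y), (x, p - y)]
    return pts


def weil(P, Q):
    """e(P,Q) = f_P(A_Q)/f_Q(A_P) = f_P(Q+R2) f_Q(R1) / (f_P(R2) f_Q(P+R1)),
    the product on slide 23; a zero or pole means retry with the next R1, R2."""
    for R1, R2 in product(curve_points(), repeat=2):
        if add(Q, R2) is O or add(P, R1) is O:
            continue
        try:
            fP = fdiv(miller(P, R1, add(Q, R2)), miller(P, R1, R2))
            fQ = fdiv(miller(Q, R2, add(P, R1)), miller(Q, R2, R1))
            return fdiv(fP, fQ)
        except ZeroDivisionError:
            continue
    raise RuntimeError("no usable (R1, R2) pair found")


P_EX, Q_EX = (36, 60), (121, 387)   # assumed points of order n on the test curve

if __name__ == "__main__":
    e = weil(P_EX, Q_EX)
    print("e(P,Q) =", e, " e^n =", pow(e, n, p), " e(P,P) =", weil(P_EX, P_EX))
```

The checks worth running against such an implementation are exactly the properties of slide 22: e(P, P) = 1, e(P, Q)^n = 1 with e(P, Q) ≠ 1 for independent P and Q, e(Q, P) = e(P, Q)^(−1), and e(2P, Q) = e(P, Q)^2. Because the first (R1, R2) candidate pair is R1 = R2, the code also exercises the retry path of slide 24 on every call: evaluating fP at its own pole R1 raises in fdiv and the next pair is tried.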
  • 28. Escrow ElGamal Encryption
    • Setup
      – Use the same elliptic curve
      – Pick a random s ∈ Zq, Q = sP
      – Choose a hash function H : Fp2 → {0, 1}^n
      – System parameters: ⟨p, n, P, Q, H⟩
      – s is the escrow key
    • Keygen
      – The user randomly chooses x ∈ Zq as private key
      – Public key is Ppub = xP
  • 29. Big Picture (diagram; labels recovered from the figure): encryption; Alice; Bob; yBob, cert(yBob, Bob); (a, b) = (…); (a, b).
  • 30. Escrow ElGamal Encryption (Cont’d)
    • Encrypt (ciphertext)
      – Pick random r ∈ Zq
      – C = ⟨rP, M ⊕ H(g^r)⟩ where g = ê(Ppub, Q) ∈ Fp2 (our encrypted message is C)
    • Decrypt (C = ⟨U, V⟩)
      – V ⊕ H(ê(U, xQ)) = M
    • Escrow-decrypt
      – V ⊕ H(ê(U, sPpub)) = M
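Slides 28 and 30 as an added example that is not part of the original slides, so the user's decryption and the escrow authority's decryption can be run side by side. It uses a toy admissible map constructed for this example, e(aP, bP) = g^(ab) mod p with G1 = (Zq, +), P = 1, q = 101, p = 607, g = 64, and H built from SHA-256 on 16-byte messages; discrete logarithms in this G1 are trivial, so it models only the mechanics. What the block makes concrete is the design consequence of the scheme's name: the escrow key s opens every user's ciphertext without touching any user's x, which is why s needs protection at least as strong as any private key it can stand in for.

```python
# Added example (not from the slides): Escrow ElGamal on a toy bilinear map.
# Assumed toy groups: G1 = (Z_q, +) with P = 1, G2 = <g> of order q in Z_p^*,
# e(aP, bP) = g^(ab) mod p. Teaching model only; the real scheme uses the
# Weil pairing on an elliptic curve group.
import hashlib
import secrets

q, p, g = 101, 607, 64     # p = 6*q + 1; g = 2^6 generates the order-q subgroup
NBYTES = 16                # messages are n = 128-bit strings


def pairing(a, b):
    """Toy e(aP, bP) = g^(ab): bilinear, non-degenerate, computable."""
    return pow(g, (a * b) % q, p)


def H(g2_element: int) -> bytes:
    """H : G2 -> {0,1}^n (SHA-256 of the element, truncated to n bytes)."""
    return hashlib.sha256(g2_element.to_bytes(2, "big")).digest()[:NBYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    """Escrow authority: publishes Q = sP and keeps the escrow key s."""
    s = 1 + secrets.randbelow(q - 1)
    return {"P": 1, "Q": s % q}, s


def keygen(params):
    """User: private key x, public key Ppub = xP."""
    x = 1 + secrets.randbelow(q - 1)
    return x, (x * params["P"]) % q


def encrypt(params, Ppub: int, msg: bytes, r=None):
    """Sender: C = <rP, M xor H(g^r)> with g = e(Ppub, Q) = e(P, P)^(xs)."""
    if len(msg) != NBYTES:
        raise ValueError("message must be exactly n bytes")
    r = r or 1 + secrets.randbelow(q - 1)
    g_xs = pairing(Ppub, params["Q"])
    return (r * params["P"]) % q, xor(msg, H(pow(g_xs, r, p)))


def decrypt(params, x: int, ctxt) -> bytes:
    """User: e(U, xQ) = e(rP, xsP) = e(P, P)^(rxs), the same G2 element."""
    U, V = ctxt
    return xor(V, H(pairing(U, (x * params["Q"]) % q)))


def escrow_decrypt(s: int, Ppub: int, ctxt) -> bytes:
    """Escrow authority: e(U, sPpub) = e(rP, sxP) = e(P, P)^(rsx), no x needed."""
    U, V = ctxt
    return xor(V, H(pairing(U, (s * Ppub) % q)))


if __name__ == "__main__":
    params, s = setup()
    x, Ppub = keygen(params)
    c = encrypt(params, Ppub, b"sixteen byte msg")
    print(decrypt(params, x, c), escrow_decrypt(s, Ppub, c))
```

Both decryption paths compute the same e(P, P)^(rsx); the user supplies x and the authority supplies s, and the pairing moves each scalar into the exponent regardless of which slot it enters through. Compare this with BasicIdent on slide 12, where the PKG's s is likewise enough to derive every user's key: in both designs the party holding the master scalar is a single point of compromise for all traffic.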