Introduction to Identity-Based Encryption
Luther Martin

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the U.S. Library of Congress.

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library.

ISBN-13: 978-1-59693-238-8

Cover design by Yekaterina Ratner

2008 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Contents

Preface  xiii

1 Introduction  1
1.1 What Is IBE?  1
1.2 Why Should I Care About IBE?  8
References  13

2 Basic Mathematical Concepts and Properties  15
2.1 Concepts from Number Theory  15
2.1.1 Computing the GCD  16
2.1.2 Computing Jacobi Symbols  24
2.2 Concepts from Abstract Algebra  25
References  39

3 Properties of Elliptic Curves  41
3.1 Elliptic Curves  41
3.2 Adding Points on Elliptic Curves  47
3.2.1 Algorithm for Elliptic Curve Point Addition  52
3.2.2 Projective Coordinates  53
3.2.3 Adding Points in Jacobian Projective Coordinates  54
3.2.4 Doubling a Point in Jacobian Projective Coordinates  55
3.3 Algebraic Structure of Elliptic Curves  55
3.3.1 Higher Degree Twists  61
3.3.2 Complex Multiplication  65
References  66

4 Divisors and the Tate Pairing  67
4.1 Divisors  67
4.1.1 An Intuitive Introduction to Divisors  68
4.2 The Tate Pairing  76
4.2.1 Properties of the Tate Pairing  81
4.3 Miller's Algorithm  84
References  87

5 Cryptography and Computational Complexity  89
5.1 Cryptography  91
5.1.1 Definitions  91
5.1.2 Protection Provided by Encryption  93
5.1.3 The Fujisaki-Okamoto Transform  95
5.2 Running Times of Useful Algorithms  95
5.2.1 Finding Collisions for a Hash Function  96
5.2.2 Pollard's Rho Algorithm  98
5.2.3 The General Number Field Sieve  99
5.2.4 The Index Calculus Algorithm  102
5.2.5 Relative Strength of Algorithms  102
5.3 Useful Computational Problems  104
5.3.1 The Computational Diffie-Hellman Problem  105
5.3.2 The Decision Diffie-Hellman Problem  106
5.3.3 The Bilinear Diffie-Hellman Problem  107
5.3.4 The Decision Bilinear Diffie-Hellman Problem  107
5.3.5 q-Bilinear Diffie-Hellman Inversion  108
5.3.6 q-Decision Bilinear Diffie-Hellman Inversion  109
5.3.7 Cobilinear Diffie-Hellman Problems  109
5.3.8 Integer Factorization  109
5.3.9 Quadratic Residuosity  109
5.4 Selecting Parameter Sizes  110
5.4.1 Security Based on Integer Factorization and Quadratic Residuosity  110
5.4.2 Security Based on Discrete Logarithms  110
5.5 Important Special Cases  111
5.5.1 Anomalous Curves  112
5.5.2 Supersingular Elliptic Curves  112
5.5.3 Singular Elliptic Curves  113
5.5.4 Weak Primes  113
5.6 Proving Security of Public-Key Algorithms  114
5.7 Quantum Computing  116
5.7.1 Grover's Algorithm  116
5.7.2 Shor's Algorithm  117
References  118

6 Related Cryptographic Algorithms  121
6.1 Goldwasser-Micali Encryption  121
6.2 The Diffie-Hellman Key Exchange  124
6.3 Elliptic Curve Diffie-Hellman  125
6.4 Joux's Three-Way Key Exchange  126
6.5 ElGamal Encryption  128
References  129

7 The Cocks IBE Scheme  131
7.1 Setup of Parameters  131
7.2 Extraction of the Private Key  133
7.3 Encrypting with Cocks IBE  133
7.4 Decrypting with Cocks IBE  135
7.5 Examples  136
7.6 Security of the Cocks IBE Scheme  139
7.6.1 Relationship to the Quadratic Residuosity Problem  139
7.6.2 Chosen Ciphertext Security  142
7.6.3 Proof of Security  142
7.6.4 Selecting Parameter Sizes  143
7.7 Summary  143
References  145

8 Boneh-Franklin IBE  147
8.1 Boneh-Franklin IBE (Basic Scheme)  149
8.1.1 Setup of Parameters (Basic Scheme)  149
8.1.2 Extraction of the Private Key (Basic Scheme)  150
8.1.3 Encrypting with Boneh-Franklin IBE (Basic Scheme)  150
8.1.4 Decrypting with Boneh-Franklin IBE (Basic Scheme)  151
8.1.5 Examples (Basic Scheme)  151
8.2 Boneh-Franklin IBE (Full Scheme)  156
8.2.1 Setup of Parameters (Full Scheme)  156
8.2.2 Extraction of the Private Key (Full Scheme)  157
8.2.3 Encrypting with Boneh-Franklin IBE (Full Scheme)  157
8.2.4 Decrypting with Boneh-Franklin IBE (Full Scheme)  158
8.3 Security of the Boneh-Franklin IBE Scheme  158
8.4 Summary  159
Reference  160

9 Boneh-Boyen IBE  161
9.1 Boneh-Boyen IBE (Basic Scheme—Additive Notation)  162
9.1.1 Setup of Parameters (Basic Scheme—Additive Notation)  162
9.1.2 Extraction of the Private Key (Basic Scheme—Additive Notation)  164
9.1.3 Encrypting with Boneh-Boyen IBE (Basic Scheme—Additive Notation)  164
9.1.4 Decrypting with Boneh-Boyen IBE (Basic Scheme—Additive Notation)  164
9.2 Boneh-Boyen IBE (Basic Scheme—Multiplicative Notation)  168
9.2.1 Setup of Parameters (Basic Scheme—Multiplicative Notation)  168
9.2.2 Extraction of the Private Key (Basic Scheme—Multiplicative Notation)  170
9.2.3 Encrypting with Boneh-Boyen IBE (Basic Scheme—Multiplicative Notation)  170
9.2.4 Decrypting with Boneh-Boyen IBE (Basic Scheme—Multiplicative Notation)  170
9.3 Boneh-Boyen IBE (Full Scheme)  171
9.3.1 Setup of Parameters (Full Scheme)  172
9.3.2 Extraction of the Private Key (Full Scheme)  173
9.3.3 Encrypting with Boneh-Boyen IBE (Full Scheme)  173
9.3.4 Decrypting with Boneh-Boyen IBE (Full Scheme)  173
9.4 Security of the Boneh-Boyen IBE Scheme  174
9.5 Summary  175
Reference  176

10 Sakai-Kasahara IBE  177
10.1 Sakai-Kasahara IBE (Basic Scheme—Additive Notation)  177
10.1.1 Setup of Parameters (Basic Scheme—Additive Notation)  178
10.1.2 Extraction of the Private Key (Basic Scheme—Additive Notation)  178
10.1.3 Encrypting with Sakai-Kasahara IBE (Basic Scheme—Additive Notation)  180
10.1.4 Decrypting with Sakai-Kasahara IBE (Basic Scheme—Additive Notation)  180
10.2 Sakai-Kasahara IBE (Basic Scheme—Multiplicative Notation)  182
10.2.1 Setup of Parameters (Basic Scheme—Multiplicative Notation)  182
10.2.2 Extraction of the Private Key (Basic Scheme—Multiplicative Notation)  183
10.2.3 Encrypting with Sakai-Kasahara IBE (Basic Scheme—Multiplicative Notation)  184
10.2.4 Decrypting with Sakai-Kasahara IBE (Basic Scheme—Multiplicative Notation)  184
10.3 Sakai-Kasahara IBE (Full Scheme)  185
10.3.1 Setup of Parameters (Full Scheme)  185
10.3.2 Extraction of the Private Key (Full Scheme)  185
10.3.3 Encrypting with Sakai-Kasahara IBE (Full Scheme)  185
10.3.4 Decrypting with Sakai-Kasahara IBE (Full Scheme)  187
10.4 Security of the Sakai-Kasahara IBE Scheme  187
10.5 Summary  188
Reference  189

11 Hierarchical IBE and Master Secret Sharing  191
11.1 HIBE Based on Boneh-Franklin IBE  193
11.1.1 GS HIBE (Basic) Root Setup  194
11.1.2 GS HIBE (Basic) Lower-Level Setup  194
11.1.3 GS HIBE (Basic) Extract  194
11.1.4 GS HIBE (Basic) Encrypt  194
11.1.5 GS HIBE (Basic) Decrypt  195
11.2 Example of a GS HIBE System  195
11.2.1 GS HIBE (Basic) Root Setup  196
11.2.2 GS HIBE (Basic) Lower-Level Setup  196
11.2.3 GS HIBE (Basic) Extraction of Private Key  196
11.2.4 GS HIBE (Basic) Encryption  197
11.2.5 GS HIBE (Basic) Decryption  197
11.3 HIBE Based on Boneh-Boyen IBE  197
11.3.1 BBG HIBE (Basic) Setup  198
11.3.2 BBG HIBE (Basic) Extract  199
11.3.3 BBG HIBE (Basic) Encryption  199
11.3.4 BBG HIBE (Basic) Decryption  199
11.4 Example of a BBG HIBE System  200
11.4.1 BBG HIBE (Basic) Setup  200
11.4.2 BBG HIBE (Basic) Extraction of Private Key  200
11.4.3 BBG HIBE (Basic) Encryption  201
11.4.4 BBG HIBE (Basic) Decryption  201
11.5 Master Secret Sharing  201
11.6 Master Secret Sharing Example  202
References  204

12 Calculating Pairings  207
12.1 Pairing-Friendly Curves  207
12.1.1 Relative Efficiency of Parameters of Pairing-Friendly Curves  209
12.2 Eliminating Irrelevant Factors  210
12.2.1 Eliminating Random Components  211
12.2.2 Eliminating Extension Field Divisions  214
12.2.3 Denominator Elimination  215
12.3 Calculating the Product of Pairings  216
12.4 The Shipsey-Stange Algorithm  217
12.5 Precomputation  221
References  222

Appendix: Useful Test Data  225
About the Author  229
Index  231

Preface

The content of this book roughly parallels the content of a series of talks that I gave at the Voltage Security "brown-bag" seminar, the randomly occurring series of talks that technologists at Voltage gave to others in the company, talks that attempted to explain what was going on in the east side of the building, the side where people often came to work late, routinely worked until the early morning, and always drank too much coffee. Thus the material is aimed at a typical Silicon Valley engineer—a person who probably has an undergraduate degree in computer science and has been working for a few years. And although they have usually been exposed to a fair amount of discrete math, abstract algebra, and cryptography in the past, they have forgotten the details of most of it, but can recall it again if reminded of the basic facts. This type of person also seems to like being shown concrete examples of how things work to clarify new concepts; and I've tried to follow this model with this book, trying to give readers a good idea of how identity-based encryption algorithms work. So by reading this book you can almost experience a bit of what it's like to be at a Silicon Valley start-up, but without free food or the stress of wondering how long your company will be able to survive.

The topic of the talks was identity-based encryption, or "IBE" as it is commonly known. The years since 2001, when Dan Boneh and Matt Franklin wrote the paper "Identity-Based Encryption from the Weil Pairing," have been interesting ones, at least to those in the field of cryptography. The techniques that they described in this paper started what could probably be called a revolution in the field, and their paper has been cited at a higher rate than experienced by either of the two other ground-breaking papers in public-key cryptography, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" by Ron Rivest, Adi Shamir, and Len Adleman, and "New Directions in Cryptography" by Whitfield Diffie and Martin Hellman. The paper by Boneh and Franklin might be considered the beginning of pairing-based cryptography in the same way that Christopher Columbus might be given credit for discovering the New World; they might not have been the first to actually accomplish something, but their accomplishments were almost certainly the most significant.

What makes the new field of pairing-based cryptography interesting depends on your point of view. It certainly allows for the construction of interesting cryptographic primitives that were unknown before the use of pairings, and identity-based encryption is one of the most important of these. Identity-based encryption is in turn interesting because it allows for the implementation of systems that are simpler and easier to use than the alternatives, and it is probably this rather than any other benefits that has led to the rapid acceptance of the technology. In the few years since its first commercial availability in 2003, the rapid rate of adoption of identity-based encryption has led to the situation in which there are currently almost as many users of the technology as there are users of traditional public-key infrastructure technologies, and at the current rate of adoption, the number of users of identity-based encryption will soon outnumber those of competing technologies. So if you are a user of information security technology, the technology should be interesting to you, for you may see it sooner than you might have expected, and this book is designed to give such people a way to understand the technology that is quicker and easier than reading the academic papers on the subject.

The number of users of encryption has increased dramatically in recent years, driven by the increasingly stringent regulatory environment in which businesses now operate, and using encryption is an easy way to convince your auditors that you are taking data security and privacy seriously enough for them to approve of your overall data security and data privacy program. This has increased interest in both encryption in general and in particular encryption technologies like identity-based encryption, which provide an easy way to comply with data privacy laws while staying within your budget and not causing support nightmares for your IT organization. Unfortunately, the only way to learn about identity-based encryption until now has been to read research papers on the topic, a requirement that makes the topic inaccessible to most people, even those with potential uses for the technology. With any luck, this book will bridge that gap a bit and make the technology more accessible.

1 Introduction

This book describes a public-key encryption technology called identity-based encryption (IBE), and tries to answer a few of the commonly asked questions about it. These include the following:

1. What is IBE and how does it differ from other public-key technologies?
2. Why should I care about IBE?
3. Why should I believe that IBE schemes are secure?
4. What are some of the techniques that have been used to create practical and secure IBE schemes?
5. How can I efficiently implement IBE schemes?

The answers to the first two of these questions are relatively simple, and are contained in this chapter. The other three require a significant level of background before they can be answered. Chapters 2, 3, and 4 of this book provide a framework for understanding the answers to the more complex questions. Chapters 5 and 6 provide an answer to the third question. Chapters 7 through 11 collectively provide an answer to the fourth question. Chapter 12 provides some answers to the fifth question.

1.1 What Is IBE?

IBE is a public-key encryption technology that allows a user to calculate a public key from an arbitrary string. We usually think of this string as representing an identity of some kind, but it is usually useful to use more than just an identity
to calculate such a public key. For example, to avoid a user having the same IBE key forever, it is useful to include some information in this string about the validity period of the key. Or, to ensure that a user will receive different keys from different IBE systems, it may be useful to include information in this string that is unique to a particular IBE implementation, perhaps a URL that identifies a server that is used in the implementation of each of the different IBE systems. Because the string used to calculate a key almost always contains more than just an identity, it may be more accurate to use the term identifier-based encryption instead, but this term is not widely used to describe the technology.

The ability to calculate keys as needed gives IBE systems different properties than those of traditional public-key systems, and these properties provide significant practical advantages in some situations. So although there are probably few situations in which it is impossible to solve any problem with traditional public-key technologies that can be solved with IBE, the solutions that use IBE may be much simpler to implement and much less expensive to support than alternatives.

In implementations of a traditional public-key system that uses digital certificates to manage public keys, a public-private key pair is generated randomly by either a user, or an agent working on behalf of a user, in which the public key contains all of the parameters needed for using it in cryptographic calculations. Random generation of keys is not strictly required by the public-key algorithms that are used in such systems, but is required by the existing standards that define the use of such algorithms. After it is created, the public key, along with the identity of the owner of the key, is digitally signed by a certificate authority (CA) to create a digital certificate that is then used to transport and manage the key. The owner of the private key then receives a copy of the certificate and a copy of the certificate is stored in a certificate repository that is accessible by others who might need to get a user's key. In applications where it may be necessary to recover private keys that are lost or unavailable in some way, the private keys are also securely archived by a key recovery agent. If an agent created the private key on behalf of a user, like often happens when keys are centrally generated so that copies can be archived to allow the recovery of lost or otherwise unavailable keys, the owner of the key also receives the private key from the CA. This is shown in Figure 1.1.

[Figure 1.1 Generation of keys in a traditional public-key system. Diagram elements: key recovery agent, key creation agent, certificate authority, certificate repository, user.]

In a traditional public-key system, the identity of a user is usually carefully verified before a digital certificate is issued to him, a process that is typically relatively expensive. The process of generating public-private key pairs can also be computationally expensive. Generating two 512-bit prime numbers that are suitable for use in creating a 1,024-bit RSA private key is certainly feasible, but generating larger primes gets progressively more expensive. Creating two 7,680-bit primes that are suitable for use in creating a 15,360-bit RSA private key is not an operation that widely used computers can easily perform, yet such keys are needed to securely transport the 256-bit AES keys that are used today.

Because generating keys and verifying users' identities can be expensive, digital certificates are often issued with fairly long validity periods, often between one and three years. Because of the relatively long validity period of the public keys managed by digital certificates, it is often necessary to check the key in a certificate for validity before using it. This is shown in Figure 1.2. There have been many solutions proposed for validating public keys, but the existing technologies to do this are still relatively unproven and have practical difficulties when used for a large number of users.

To use a public key that is contained in a digital certificate, a user queries the public repository where the certificate can be found and retrieves the certificate. Because a public key may be valid for quite a while, it is often necessary to check such a public key for validity before using it. This may be by checking a list of invalid certificates or by querying an online service that returns the
validity status of a certificate. After any necessary validity checking is done, the user then uses the public key to encrypt information to the owner of the public key. Because the recipient has the private key that corresponds to the public key, he is able to decrypt this information. This is shown in Figure 1.2.

[Figure 1.2 Validation and use of a public key in a traditional public-key system. Diagram elements: certificate repository, validation server, sender, recipient.]

IBE was first mentioned by Adi Shamir in 1984 [1], when he described a rough outline of the properties that such a system should have and how it could be used, although he was unable to find a secure and feasible technology that worked as he described. He seemed to see the advantages of IBE to be related to its ease of use relative to other technologies when he described IBE in this way:

    An identity-based scheme resembles an ideal mail system: If you know somebody's name and address you can send him messages that only he can read, and you can verify the signatures that only he could have produced. It makes the cryptographic aspects of the communication almost transparent to the user, and it can be used effectively even by laymen who know nothing about keys or protocols.

An IBE system has similarities to traditional public-key systems, but is also quite different in other ways. While traditional public keys contain all of the parameters needed to use the key, to use an IBE system, a user typically needs to get a set of public parameters from a trusted third party. With these parameters, a user can then calculate the IBE public key of any user and use it to encrypt information to that user. This process is shown in Figure 1.3. The recipient of IBE-encrypted information then authenticates in some way to a private key generator (PKG), a trusted third party that calculates the IBE private key that corresponds to a particular IBE public key. The PKG typically uses secret information called a master secret, plus the user's identity, to calculate such a private key. After this private key is calculated, it is securely distributed to the authorized user. This is shown in Figure 1.4. These differences are summarized in Table 1.1.

[Figure 1.3 Encrypting with an IBE system. Diagram elements: public parameter server, sender, recipient.]

In a traditional public-key scheme, we can summarize the algorithms involved in the creation and use of a public-private key pair as key generation, encryption, and decryption. Two additional algorithms, certification and key validation, are often used in many implementations of such schemes. To fully specify the operation of such a scheme we need to define the operation of each of these algorithms. In the key generation step, one key of the public-private key pair is generated randomly and the other key in the pair is calculated from it. After this, the public key and the identity of its owner are digitally signed by a CA to create a digital certificate. Encryption is performed using the public key contained in this certificate. Decryption is performed using the private key that corresponds to the public key.

In an IBE scheme there are also four algorithms that are used to create and use a public-private key pair. These are traditionally called setup, extraction,
encryption, and decryption. Setup is the algorithm with which the parameters needed for IBE calculations are initialized, including the master secret that a PKG uses to calculate IBE private keys. Extraction is the algorithm for calculating an IBE private key from the parameters established in the setup step, along with the identity of a user, and uses the master secret of the PKG to do this. Encryption is performed with an IBE public key that is calculated from the parameters from the setup step and the identity of a user. Decryption is performed with an IBE private key that is calculated from a user's identity and the private key of the PKG. These steps are summarized in Table 1.2. The discussions of IBE schemes in the subsequent chapters will describe the operation of IBE schemes in terms of these four parts: the algorithms that implement the setup, extraction, encryption, and decryption steps.

[Figure 1.4 Decrypting with an IBE system. Diagram elements: private key generator, recipient.]

Table 1.1 Comparison of Properties of IBE and Traditional Public-Key Systems

    IBE                                                  Traditional Public-Key Systems
    Public parameters are distributed by a TTP           All required parameters are part of a public key
    PKG master secret is used to calculate private keys  CA private key is used to create digital certificates
    Private keys generated by PKG                        Private keys are generated randomly
    Public keys can be calculated by any user            Public keys calculated from private keys and transported in a digital certificate
    Keys typically short-lived                           Keys typically valid for long periods
    Only encryption                                      Digital signatures plus encryption

Table 1.2 Four Algorithms Comprising an IBE Scheme

    Step        Summary
    Setup       Initialize all system parameters.
    Extraction  Calculate IBE private key from PKG master secret and an identity using system parameters.
    Encrypt     Encrypt information using an IBE public key calculated from system parameters and an identity.
    Decrypt     Decrypt information using an IBE private key calculated from PKG master secret and an identity.

There are five main objectives that an information security solution can meet: providing confidentiality, integrity, availability, authentication, and nonrepudiation. Confidentiality keeps information secret from those not authorized to see it. Integrity ensures that information has not been altered by unauthorized or unknown means. Availability ensures that information is in the place required by a user at the time that the information is required and in the form that a user needs it. Authentication is the ability to verify the identity of a user. Nonrepudiation prevents the denial of previous commitments or actions. The use of cryptography can support most of these objectives; the use of IBE can support only one of these objectives. This is summarized in Table 1.3.

Table 1.3 Applicability of Different Encryption Technologies in Attaining Information Security Goals

    Security Goal    IBE   Traditional Public-Key Technologies
    Confidentiality  Yes   Yes
    Integrity        No    Yes
    Availability     No    Yes
    Authentication   No    Yes
    Nonrepudiation   No    No

Encryption of data is an easy way to provide confidentiality. In a well-designed system, decrypting encrypted data is infeasible to anyone not possessing the correct decryption key. Digital signatures provide solutions for the other
objectives of information security. They provide a way to provide integrity, because modifying digitally signed data while keeping the signature valid is as computationally infeasible as defeating the underlying cryptography that is used to create the signature. They can also provide a technical basis for nonrepudiation, although defining exactly what nonrepudiation means is fairly difficult. Not all written signatures are legally binding, after all, and we should expect the same limitations to the nonrepudiation provided by digital signatures. For all practical purposes, nonrepudiation seems to be an unattainable goal for existing information security technologies. Digital signatures also provide a way to authenticate users; a user creating a valid digital signature needs to either have possession of the private key used to create the signature or to have defeated the cryptography used to create the signature. So using digital signatures to authenticate users can also help prevent denial-of-service attacks, which increases the availability of data.

IBE provides an easy solution that provides for the confidentiality of data. It does not provide integrity, availability, authentication, and nonrepudiation. These are more easily provided by digital signatures using keys that are created and managed by a traditional public-key system. As we will see, however, the advantages that IBE provides make it a very good solution for some problems, and a hybrid solution that used IBE for encryption and a traditional public-key system to provide digital signatures may be a solution that combines the best features of each technology.

1.2 Why Should I Care About IBE?

IBE is an interesting technology because other public-key algorithms have encountered practical difficulties in use. In particular, implementations of traditional public-key technologies have gained a reputation for being difficult and expensive, at least when they are used by people; the most successful application of public-key technology has been in the widespread use of SSL, which requires minimal interaction with a user when it is used to authenticate a server and to encrypt communications with the same server. Applications that require a user to manage or use public keys have not been as successful. A classic study in 1999 by Alma Whitten and J. D. Tygar that was popularized by the paper "Why Johnny Can't Encrypt" [2], found that 75% of users were unable to use a public-key-based system to send an encrypted e-mail. Usability of public-key technology seems to have increased since this study, but apparently not enough. The title alone of the 2006 paper "Why Johnny Still Can't Encrypt" [3] indicates that the technology is still too difficult for many users: none of the six test subjects in this second study were able to encrypt e-mail. Poor usability causes high support costs for users of the technology, and has probably been one of the major factors hindering the widespread adoption of public-key technology. Dan Geer even conjectured that high costs are unavoidable when using any type of cryptography [4]:

    Both symmetric cryptosystems, like Kerberos, and asymmetric cryptosystems, like RSA, do the same thing—that is to say they do key distribution—but the semantics are quite different. The fundamental security-enabling activity of a secret key system is to issue fresh keys at low latency and on demand. The fundamental security-enabling activity of an asymmetric key system is to verify the as-yet-unrevoked status of a key already in circulation, again with low latency and on demand. This is key management and it is a systems cost; a secret key system like Kerberos has incurred nearly all its costs by the moment of key issuance. By contrast, a public key system incurs nearly all its costs with respect to key revocation. Hence, a rule of thumb: The cost of key issuance plus the cost of key revocation is a constant, just yet another version of "You can pay me now or you can pay me later."

Geer's conjecture tells us that we should expect any use of cryptography to be expensive. Because there are many cases where the use of encryption is desirable, a new type of encryption technology that avoids some of the problems associated with traditional public-key technologies is inherently interesting, and this is one of the promises of IBE. IBE may not offer any new capabilities that traditional public-key technologies cannot provide, but it allows for the creation of solutions that would be very difficult and expensive to implement with earlier technologies. In particular, these solutions seem to violate Geer's principle that using encryption has to have a high cost.

Key validation, or checking to make sure that a particular key is valid at some point in its lifetime, can be an expensive and difficult process, particularly when validating uses of a key that took place in the past. Suppose that you are doing digitally signed and encrypted electronic transactions and you need to verify whether or not a particular transaction had a valid signature at some point in the past, like when the transaction took place two years ago. The validity of a digital certificate can change during its lifetime as it is temporarily suspended or revoked, so it is necessary to be able to reconstruct the validity of the key managed by any certificate at any point in the key's lifetime to be able to answer such questions. Doing so requires being able to reconstruct the state of the system that manages the validity of keys, which is a complex and difficult problem.

To avoid the practical difficulties of key validation, IBE systems typically use short-lived keys. So if an IBE key is valid for only one day, then we assume that it is valid for that entire day, and there is no provision for revoking or suspending a key during that period. This may not provide the same level of precision as the ability to immediately revoke or suspend a key, but it makes the validation of such keys trivial. This, in turn, lets us build simpler and less expensive systems. The ability to quickly and easily calculate keys makes short-lived keys in IBE practical, where they are often impractical, although not impossible, to use in a system based on traditional PKI technology.

Key recovery, the capability to restore a lost or otherwise-unavailable key, is an essential feature for commercially successful encryption technology. In practice, most key recovery is apparently performed when passwords protecting access to keys are lost or forgotten [5] instead of the scenario in which the owner of a key is not present, yet there is an immediate need for information encrypted with his key. In traditional public-key systems, key recovery is typically implemented through having a TTP generate keys on behalf of a user and securely archiving a copy of the user's private key that can be used for key recovery as needed. Such key recovery systems require securely storing archival copies of all private keys and carefully controlling access to the archive of these keys. IBE systems, on the other hand, calculate keys as needed, so there is no need for archiving keys at all. The only information that needs to be backed up is the master secret that is used by the PKG to calculate IBE private keys. This simpler process makes IBE systems simpler and easier in many applications than traditional public-key technologies, and can make the cost of supporting and maintaining an IBE system much less than the cost of supporting and maintaining a system with the same capabilities that is based on traditional public-key technology. It also provides IBE systems with some capabilities that can be fairly difficult to implement with traditional public-key technologies.

The ability to calculate public and private keys as needed is a subtle difference between IBE and traditional public-key technologies, but one that provides many useful properties. In particular, it is not necessary to enroll a user before encrypting information to them. Therefore, it is easy to IBE-encrypt information to a user that does not exist yet and rely on the future user to properly authenticate before he can decrypt the information. If a validity period is part of an identity, it is possible to encrypt information that can only be decrypted at some point in the future, for example. Or, in a response to a natural disaster, responders may want to securely communicate with other responders, but they may not know with whom they will need to communicate before a disaster happens. Because it is impractical to pre-enroll every potential responder to every type of disaster, a technology that allows encrypting information to users before they are enrolled can be useful in circumstances like this. IBE provides a useful way to accomplish this.

E-mail messaging has become fairly dangerous. The e-mail messages received by a typical user include annoying unsolicited commercial e-mail, but also include computer viruses as well as messages that are part of organized efforts to acquire sensitive personal information, bank account numbers or credit card numbers. To combat this growing threat, many organizations implement filtering on both incoming and outgoing e-mail messages to protect users from such malicious messages. Organizations may also want to search outgoing messages for sensitive information and process it in some way that ensures that no sensitive material is sent unencrypted over a public network. Some organizations return the original message to the sender with a warning to encrypt such sensitive content in the future. Others want to automatically encrypt such messages. Using IBE, it is not difficult to scan even encrypted messages for unsuitable content. Delegate the authority to retrieve IBE private keys to a scanning process, and the scanning process can then request IBE keys on behalf of the owner of the private key, scan the decrypted message for unsuitable content, and reencrypt the message after it is scanned by using the recipient's IBE public key that it can easily calculate. This is shown below in Figure 1.5. It is possible to implement a similar solution using traditional public-key technologies, but it is typically much more complex and difficult to implement.

[Figure 1.5 Scanning the content of IBE-encrypted e-mail. Diagram elements: private key generator, scanning appliance, encrypted message, decrypted message, reencrypted message.]
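The four algorithms of Table 1.2 (setup, extraction, encryption, decryption), the identifier layout of Section 1.1 (identity plus PKG URL plus validity period) and the short-lived-key point of Section 1.2, shown in a working toy instance. This is an added example, not code from the book: it implements the Cocks IBE scheme that the book covers in Chapter 7 (the master secret is the factorisation of n), with deliberately tiny fixed primes so it runs instantly; the identifier layout, the hash-to-Z_n mapping and the bit encoding are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed, insecure demo parameters: two Mersenne primes, both 3 (mod 4).
DEMO_P = 2**31 - 1
DEMO_Q = 2**61 - 1

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0: returns -1, 0 or +1."""
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:            # remove factors of two using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def identifier(user: str, pkg_url: str, valid_on: str) -> str:
    """Assumed identifier layout: identity, the PKG's URL, and a one-day validity period."""
    return f"{user}|{pkg_url}|{valid_on}"

def setup(p: int = DEMO_P, q: int = DEMO_Q):
    """Setup: public parameter n = p*q; the master secret is the pair (p, q)."""
    assert p % 4 == 3 and q % 4 == 3
    return p * q, (p, q)

def hash_identifier(ident: str, n: int) -> int:
    """The IBE public key: a in Z_n* with (a/n) = +1, derived from the identifier alone.
    Assumed method: SHA-256 of the identifier plus a counter, retried until (a/n) = +1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{ident}#{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if a != 0 and jacobi(a, n) == 1:
            return a
        counter += 1

def extract(ident: str, n: int, master_secret) -> int:
    """Extraction (PKG only): private key r with r^2 = a or r^2 = -a (mod n)."""
    p, q = master_secret
    a = hash_identifier(ident, n)
    r = pow(a, (n + 5 - p - q) // 8, n)
    assert r * r % n in (a, (-a) % n)
    return r

def _random_unit(n: int, sign: int) -> int:
    """Random t in Z_n* whose Jacobi symbol (t/n) equals sign."""
    while True:
        t = secrets.randbelow(n - 2) + 2
        if gcd(t, n) == 1 and jacobi(t, n) == sign:
            return t

def encrypt_bit(bit: int, a: int, n: int):
    """One bit (0 -> +1, 1 -> -1) as two elements, one per case r^2 = a and r^2 = -a."""
    sign = 1 if bit == 0 else -1
    t1, t2 = _random_unit(n, sign), _random_unit(n, sign)
    c1 = (t1 + a * pow(t1, -1, n)) % n
    c2 = (t2 - a * pow(t2, -1, n)) % n
    return c1, c2

def decrypt_bit(ct, r: int, a: int, n: int) -> int:
    """The key holder picks the component matching r^2 = +/-a and reads (c + 2r / n)."""
    c1, c2 = ct
    c = c1 if r * r % n == a else c2
    return 0 if jacobi((c + 2 * r) % n, n) == 1 else 1

def encrypt(message: bytes, ident: str, n: int):
    """Encryption needs only the public parameter n and the recipient's identifier."""
    a = hash_identifier(ident, n)
    return [encrypt_bit((byte >> i) & 1, a, n) for byte in message for i in range(7, -1, -1)]

def decrypt(ciphertext, ident: str, n: int, r: int) -> bytes:
    """Decryption with the private key r extracted for the same identifier."""
    a = hash_identifier(ident, n)
    bits = [decrypt_bit(ct, r, a, n) for ct in ciphertext]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def demo() -> bool:
    """Round trip, plus the short-lived-key point: a key for yesterday's identifier is useless today."""
    n, msk = setup()
    today = identifier("alice@example.com", "https://pkg.example.com", "2008-01-02")
    yesterday = identifier("alice@example.com", "https://pkg.example.com", "2008-01-01")
    ct = encrypt(b"IBE", today, n)                       # the sender never contacts the PKG
    ok = decrypt(ct, today, n, extract(today, n, msk)) == b"IBE"
    stale = decrypt(ct, today, n, extract(yesterday, n, msk)) == b"IBE"
    return ok and not stale

if __name__ == "__main__":
    print("demo passed:", demo())
```

Note that only n and the identifier are needed to encrypt, while decryption needs the PKG's extraction; backing up (p, q) alone is the whole key-recovery story of Section 1.2.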
Existing information security architectures focus on creating and maintaining a security perimeter. Inside the perimeter it is supposed to be relatively secure, and the perimeter is designed to keep threats away from the protected network. Trends in both the organization of businesses and the evolution of technology have made this model more and more difficult to implement. One trend in the organization of businesses is the continuing integration of business partners to help all of the participants gain from the lower costs of tightly integrated operations. In the case of credit card processing, for example, the networks of the merchants who accept credit cards, the banks that issue credit cards, and the credit card companies themselves are now tightly integrated to make the processing of credit card transactions more efficient. In situations like this, it can sometimes be difficult to determine exactly where the network perimeter is, which makes it very difficult to create and maintain a security architecture that relies on a strong security perimeter. Wireless devices also broadcast data without regard for a logical security perimeter, and thus make it difficult to implement security that is based on enforcing such a perimeter because an eavesdropper can easily intercept wireless transmissions without having to physically connect to a network. Situations like these are leading to an alternative to a highly secure perimeter: a security architecture in which we protect the data that resides in the network instead of the network itself.

One way to implement a security architecture in which we protect data instead of the network is by using encryption, where we encrypt data so that only the authorized users can decrypt it. IBE can use any arbitrary data for an identity, including strings encoding roles. So it is possible to use IBE to encrypt sensitive medical records using "doctor" as part of an identity, for example, and then to require users to prove that they are authorized to access such data when they request the IBE private key needed to decrypt it. Most organizations have some existing form of infrastructure in place to manage identities, even if it is as simple as the username/password combinations needed to log in to their network. More complex systems exist that manage more general forms of identity, and these systems provide a common way to manage many different forms of identity information. Such systems provide an interesting possibility for use with IBE, in which many different sources of identity information could be combined and used to calculate IBE keys that could then enforce access to sensitive information in ways that correspond to the permissions that different combinations of identities might give. Just like an e-mail message can be encrypted to multiple recipients, any of which can decrypt it, we can use IBE to encrypt sensitive information that could be decrypted by someone satisfying any one of several possible combinations of existing identity information. As trends in both business and technology make protecting data with encryption more and more interesting, the properties of IBE may make it particularly useful to solve the problems that this different model of security will present.

So it appears that the properties of IBE give systems that use the technology interesting properties and allow for the creation of solutions that may be easier to use and less expensive to support than solutions provided by traditional public-key technologies. On the other hand, IBE only provides the capability to encrypt and does not allow the creation of digital signatures. This means that a complete information security solution using IBE, one that provides confidentiality, integrity, availability, authentication, and nonrepudiation, may need to be a hybrid solution that uses both IBE and traditional public-key technologies to provide a solution that takes advantage of the strengths of each of the technologies. Such solutions may eventually reduce the cost of using encryption to the point where it will be used on a wide scale, violating Geer's principle that any use of encryption must be expensive. The promise of such solutions is what motivated the existing commercial applications of IBE and will probably also motivate future applications of the technology.

References

[1] Shamir, A., "Identity-Based Cryptosystems and Signature Schemes," Proceedings of CRYPTO '84, Santa Barbara, CA, August 19–22, 1984, pp. 47–53.
[2] Whitten, A., and J. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0," Proceedings of the 8th USENIX Security Symposium, Washington, D.C., A
ugust23–26,1999,pp.169–184.[3]Sheng,S.,etal.,‘‘WhyJohnnyStillCan’tEncrypt:EvaluatingtheUsabilityofEmailEncryptionSoftware,’’Proceedingsofthe2006SymposiumonUsablePrivacyandSecurity,Pittsburgh,PA,July12–14,2006.[4]Geer,D.,‘‘RiskManagementIsWheretheMoneyIs,’’RisksDigest,Vol.20,No.6,1998,pp.1–9.[5]Nielsen,R.,‘‘ObservationsfromtheDeploymentofaLargeScalePKI,’’Proceedingsofthe4thAnnualPKIR&DWorkshop,Gaithersburg,MD,August19–21,2005,pp.159–165. 2BasicMathematicalConceptsandPropertiesThischaptercontainsareviewofallofthenecessarydefinitionsneededinthefollowingchaptersinwhichwediscussIBEalgorithms.Italsoprovidesalistofthenotationthatwewilluseinthefollowingchaptersandstateswithoutanyproofsvariousfactsthatwillbecitedinfollowingchapters.Proofsofthefactslistedinthischaptermaybefoundin[1,2].2.1ConceptsfromNumberTheoryNumbertheoryconcernsthepropertiesoftheintegersandtheirgeneralizations,andprovidesafoundationfortheotherconceptsthatfollowinlatersections.Thesetofnaturalnumbers{1,2,3,...}isdenotedbythesymbol.Thesetofintegers{...,−3,−2,−1,0,1,2,3,...}isdenotedbythesymbol.Thesetofrealnumbersisdenotedbythesymbol.Thesetofcomplexnumbersisdenotedbythesymbol.Elementsof2canbewrittenasa+bi,whereaandbarerealnumbersandi=−1.DefinitionIfaandbareintegers,thenadividesboraisadivisorofbifthereexistsanintegercsuchthatb=ac.Inthiscasewewritea|bandwesaythataisafactorofb.Example2.1(i)Notethat1,001=71113,sothat7|1,001and7isafactorof1,001.15 
(iii) We can also write 1,001 = (−7)(−11)13, so −7 and −11 are also factors of 1,001.

Definition 2.1 An integer p ≥ 2 is a prime if its only positive divisors are 1 and p.

Definition 2.2 A prime p is a Solinas prime if we can write p = 2^a ± 2^b ± 1 for some positive integers a and b.

Such primes are useful in the efficient implementation of many IBE algorithms, in which we need to perform a double-and-add iteration on the binary expansion of a prime. If we use a Solinas prime in such algorithms, the low density of a Solinas prime of the form p = 2^a + 2^b + 1 will clearly minimize the number of operations needed to implement such an iteration. The cases where p = 2^a ± 2^b ± 1 can be similarly implemented very efficiently by representing p in nonadjacent form [3]. In the following we will always assume that a Solinas prime is of the form p = 2^a + 2^b + 1.

Example 2.2
(i) The prime 41 = 2^5 + 2^3 + 1 is a Solinas prime.
(ii) The prime 29 = 2^5 − 2^2 + 1 is a Solinas prime.

Definition 2.3 Let F = {p1, p2, ..., pn} be a set of primes. We say an integer n is F-smooth if all of the prime factors of n are elements of F.

Definition 2.4 A nonnegative integer d is the greatest common divisor of integers a and b if d is the largest positive integer that divides both a and b. This is denoted by d = gcd(a, b).

Example 2.3
(i) If a = 1,001 = 7 · 11 · 13 and b = −286 = −2 · 11 · 13, then gcd(a, b) = 11 · 13 = 143.
(ii) If a = 11 and b = 13, then gcd(a, b) = 1.

2.1.1 Computing the GCD

The greatest common divisor of integers a and b can be computed by the following Algorithm 2.1, known as the extended Euclidean algorithm. In addition
to gcd(a, b), this algorithm also returns integers x and y such that gcd(a, b) = ax + by.

Algorithm 2.1: extended_gcd
INPUT: integers a, b with a ≥ b
OUTPUT: gcd(a, b), integers x and y such that gcd(a, b) = ax + by
1. If b = 0
2.   d ← a, x ← 1, y ← 0, return (d, x, y)
3. x1 ← 0, x2 ← 1, y1 ← 1, y2 ← 0
4. While b > 0
5.   q ← ⌊a/b⌋, r ← a − qb, x ← x2 − qx1, y ← y2 − qy1
6.   a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, y1 ← y
7. d ← a, x ← x2, y ← y2, return (d, x, y)

Definition 2.5 For integers a and b, if gcd(a, b) = 1 then we say that a and b are relatively prime.

Example 2.4
(i) If a = 1,001 and b = 286, then gcd(a, b) = 77, so a and b are not relatively prime.
(ii) If a = 11 and b = 13, then gcd(a, b) = 1, so a and b are relatively prime.

Definition 2.6 If a, b, and n are integers, then we say that a is congruent to b modulo n if n divides (b − a), and we write a ≡ b (mod n).

Example 2.5
(i) 7 ≡ 3 (mod 4) because 4 | (7 − 3).
(ii) 11 ≡ 3 (mod 4) because 4 | (11 − 3).
(iii) −7 ≡ 2 (mod 3) because 3 | (−7 − 2).
(iv) 7 ≡ 11 (mod 4) because 4 | (7 − 11).

Property 2.1 (Chinese Remainder Theorem) Let n1, n2, ..., nk be integers that are pairwise relatively prime, that is, gcd(ni, nj) = 1 when i ≠ j. Then the following system of congruences has a unique solution modulo the product n = n1 n2 ... nk:

x ≡ a1 (mod n1)
x ≡ a2 (mod n2)
...
x ≡ ak (mod nk)

Property 2.2 (Gauss' Algorithm) The solution to the system of congruences given in Property 2.1 can be computed as

$$x = \sum_{i=1}^{k} a_i N_i M_i \bmod n \qquad (2.1)$$

where

$$N_i = \frac{n}{n_i} \quad \text{and} \quad M_i = N_i^{-1} \bmod n_i$$

Gauss' algorithm can be written in a slightly different way that makes it easier to understand. In particular, note that we can also write (2.1) as

$$x = \sum_{i=1}^{k} a_i e_i \bmod n$$

where each e_i has the property that

$$e_i \equiv \begin{cases} 1 \pmod{n_i} \\ 0 \pmod{n_j}, \quad j \ne i \end{cases}$$

So we can think of Gauss' algorithm as being essentially an integer version of Lagrange interpolation, where we fit a polynomial to k points by creating a similar set of coefficients that are either 0 or 1 and thus force the desired behavior at the given points.

Example 2.6 Consider the following system of congruences:

x ≡ 2 (mod 3) = a1 (mod n1)
x ≡ 3 (mod 4) = a2 (mod n2)
Applying Gauss' algorithm, we find that

n = n1 n2 = 3 · 4 = 12
N1 = n/n1 = 12/3 = 4
N2 = n/n2 = 12/4 = 3
M1 = N1^{−1} mod n1 = 4^{−1} mod 3 = 1
M2 = N2^{−1} mod n2 = 3^{−1} mod 4 = 3

so that

x = (a1 N1 M1 + a2 N2 M2) mod 12 = (2 · 4 · 1 + 3 · 3 · 3) mod 12 = (2 · 4 + 3 · 9) mod 12 = (8 + 27) mod 12 = 35 mod 12 = 11 mod 12

In this example we can also think of Gauss' algorithm as finding integers e1 and e2 such that we have

x = (2 e1 + 3 e2) mod 12

Gauss' algorithm then finds e1 = 4 and e2 = 9, where we have

$$e_1 = 4 \equiv \begin{cases} 1 \pmod 3 \\ 0 \pmod 4 \end{cases} \quad \text{and} \quad e_2 = 9 \equiv \begin{cases} 0 \pmod 3 \\ 1 \pmod 4 \end{cases}$$

Definition 2.7 For a positive integer n, φ(n) denotes the number of integers less than n that are relatively prime to n. This function is called Euler's phi function.

Property 2.3 If m and n are relatively prime then φ(mn) = φ(m)φ(n).

Example 2.7
(i) φ(7) = 6 because each of the integers 1, 2, 3, 4, 5, and 6 is relatively prime to 7.
(ii) φ(p) = p − 1 for any prime p because 1, 2, 3, ..., p − 1 are all relatively prime to p.
(iii) φ(77) = φ(7)φ(11) = 6 · 10 = 60.

Property 2.4 (Fermat's Little Theorem) Let p be a prime and a be any integer. Then we have that

a^p ≡ a (mod p)

If a is relatively prime to p, then we also have that

a^{p−1} ≡ 1 (mod p)

Example 2.8
(i) For p = 5 and a = 2, we have that a^p = 2^5 = 32 ≡ 2 (mod 5).
(ii) For p = 5 and a = 2, we have that a^{p−1} = 2^4 = 16 ≡ 1 (mod 5).
(iii) For p = 5 and a = 10, we have that a^p = 10^5 = 100,000 ≡ 0 (mod 5) ≡ 10 (mod 5).
(iv) For p = 5 and a = 10, we have that a^{p−1} = 10^4 = 10,000 ≡ 0 (mod 5) ≢ 1 (mod 5).

Property 2.5 (Euler's theorem) Let n be an integer and a be an integer relatively prime to n. Then we have that

a^{φ(n)} ≡ 1 (mod n)

Example 2.9
(i) With n = 3 · 5 = 15, we have φ(n) = 8 and that 2^8 = 256 ≡ 1 (mod 15).
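As an added example (not from the book), Algorithm 2.1 and Gauss' algorithm of Property 2.2 in Python, checked against Examples 2.3 and 2.6; the handling of negative and unordered inputs in extended_gcd is an addition to the algorithm as printed.

```python
"""Extended Euclidean algorithm (Algorithm 2.1) and Gauss' algorithm for the
Chinese Remainder Theorem (Property 2.2). Added example, not the book's code.
"""


def extended_gcd(a, b):
    """Algorithm 2.1: return (d, x, y) with d = gcd(a, b) = a*x + b*y.

    The book's listing assumes a >= b >= 0. Here signs are stripped first
    (gcd(a, b) = gcd(|a|, |b|)) and the inputs swapped if a < b, so that
    Example 2.3(i) with b = -286 works directly.
    """
    sign_a, sign_b = (-1 if a < 0 else 1), (-1 if b < 0 else 1)
    a, b = abs(a), abs(b)
    swapped = a < b
    if swapped:
        a, b = b, a
    if b == 0:                      # steps 1-2
        d, x, y = a, 1, 0
    else:
        x1, x2, y1, y2 = 0, 1, 1, 0     # step 3
        while b > 0:                    # steps 4-6
            q, r = a // b, a % b
            x, y = x2 - q * x1, y2 - q * y1
            a, b = b, r
            x2, x1 = x1, x
            y2, y1 = y1, y
        d, x, y = a, x2, y2             # step 7
    if swapped:
        x, y = y, x
    return d, sign_a * x, sign_b * y


def mod_inverse(a, n):
    """a^-1 mod n from the extended Euclidean algorithm (Definition 2.5 case)."""
    d, x, _ = extended_gcd(a, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd is {d}")
    return x % n


def gauss_crt(residues, moduli):
    """Property 2.2: solve x = a_i (mod n_i) for pairwise coprime n_i.

    Returns (x, [e_1, ..., e_k]) where x is the solution modulo n = prod n_i
    and e_i = N_i * M_i are the Lagrange-style coefficients of the text,
    with e_i = 1 (mod n_i) and e_i = 0 (mod n_j) for j != i.
    """
    n = 1
    for m in moduli:
        n *= m
    coeffs = []
    for m in moduli:
        N_i = n // m                        # N_i = n / n_i
        M_i = mod_inverse(N_i % m, m)       # M_i = N_i^-1 mod n_i
        coeffs.append(N_i * M_i)
    x = sum(a * e for a, e in zip(residues, coeffs)) % n
    return x, coeffs


if __name__ == "__main__":
    print(extended_gcd(1001, -286))   # (143, 1, 3): 1001*1 + (-286)*3 = 143
    print(gauss_crt([2, 3], [3, 4]))  # (11, [4, 9]), as in Example 2.6
```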
(ii) With n = 5 · 7, we have that φ(n) = 24 and that 5^{24} ≡ 1 (mod 35).
(iii) With n = 11 · 13 = 143, we have that φ(n) = 120 and that 11^{120} ≡ 1 (mod 143).

Definition 2.8 We use ℤ_n to denote the set of integers {0, 1, ..., n − 1}. We can perform arithmetic on elements of ℤ_n by reducing a sum or product to the remainder that is left after dividing by n, which we call reducing modulo n. In ℤ_n we have a + b = c when (a + b) ≡ c (mod n). Even though we define ℤ_n to only include the integers from 0 through n − 1, it is often convenient to think of n − 1 as being −1, even though −1 is not really an element of ℤ_n.

Example 2.10
(i) In ℤ_12 we have that 9 + 6 = 3, or 9 + 6 ≡ 3 (mod 12).
(ii) In ℤ_9 we have that 3 · 3 = 0, or 3 · 3 ≡ 0 (mod 9).

As Table 2.1 shows, not every element of ℤ_5 has a square root in ℤ_5. In particular, 0, 1, and 4 have square roots in ℤ_5 while 2 and 3 do not. This motivates the following definitions.

Definition 2.9 A nonzero element a ∈ ℤ_n is called a quadratic residue modulo n if there exists some x ∈ ℤ_n with x² ≡ a (mod n). If no such x exists, we say that a is a quadratic nonresidue modulo n.

Example 2.11
(i) From Table 2.1 we see that 0, 1, and 4 are quadratic residues modulo 5.
(ii) From Table 2.1 we see that 2 and 3 are quadratic nonresidues modulo 5.

Table 2.1 Multiplication in ℤ_5

 * | 0  1  2  3  4
---+--------------
 0 | 0  0  0  0  0
 1 | 0  1  2  3  4
 2 | 0  2  4  1  3
 3 | 0  3  1  4  2
 4 | 0  4  3  2  1

Legendre symbols are a notation that indicates whether or not an integer is a quadratic residue.

Definition 2.10 Let p be an odd prime and a an integer. Then the Legendre symbol (a/p) is defined to be
(i) 0 if p divides a.
(ii) +1 if a is a quadratic residue modulo p.
(iii) −1 if a is a quadratic nonresidue modulo p.

Property 2.6 Let a and b be integers and p and q be odd primes. Then Legendre symbols have the following properties:
(i) (a/p) ≡ a^{(p−1)/2} (mod p)
(ii) (ab/p) = (a/p)(b/p)
(iii) If a ≡ b (mod p) then (a/p) = (b/p)
(iv) (2/p) = (−1)^{(p²−1)/8}
(v) (p/q) = (q/p)(−1)^{(p−1)(q−1)/4}

Property 2.6(i) tells us that −1 is a quadratic residue modulo p if p ≡ 1 (mod 4) and that −1 is a quadratic nonresidue modulo p if p ≡ 3 (mod 4). If −1 is a quadratic nonresidue modulo p, then we have that

(−a/n) = (a/n)(−1/n) = −(a/n)

so that either a is a quadratic residue or −a is a quadratic residue. In particular, this is true when p ≡ 3 (mod 4). Property 2.6(v) tells us that (p/q) = (q/p) unless both p and q are congruent to 3 modulo 4, in which case we have that
(p/q) = −(q/p)

Example 2.12
(i) (6/3) = 0 because 3 divides 6.
(ii) (3/7) ≡ 3^{(7−1)/2} = 3^3 = 27 ≡ −1 (mod 7).
(iii) Because 3 and 7 are both congruent to 3 modulo 4, we have that (7/3) = −(3/7) = +1.

We can generalize the definition of Legendre symbols to get Jacobi symbols, which are defined for composite denominators as follows.

Definition 2.11 Let a be an integer and n be a positive odd integer with

$$n = \prod_{i=1}^{k} p_i^{a_i} = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$$

Then the Jacobi symbol (a/n) is defined to be

$$\left(\frac{a}{n}\right) = \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{a_i} = \left(\frac{a}{p_1}\right)^{a_1} \left(\frac{a}{p_2}\right)^{a_2} \cdots \left(\frac{a}{p_k}\right)^{a_k}$$

where each of the factors (a/p_i) is a Legendre symbol as defined in Definition 2.10.

Property 2.7 Let a, b be integers and n ≥ 3 and m ≥ 3 be odd integers. Then Jacobi symbols have the following properties.
(i) (a/n) can be either 0, +1 or −1
(ii) (a/n) = 0 if gcd(a, n) ≠ 1
(iii) (ab/n) = (a/n)(b/n)
(iv) (a/mn) = (a/m)(a/n)
(v) If a ≡ b (mod n), then (a/n) = (b/n)
(vi) (1/n) = +1
(vii) (−1/n) = (−1)^{(n−1)/2}
(viii) (2/n) = (−1)^{(n²−1)/8}
(ix) (m/n) = (n/m)(−1)^{(m−1)(n−1)/4}

Example 2.13
(i) (15/21) = 0 because gcd(15, 21) ≠ 1
(ii) (2/11) = (−1)^{(11²−1)/8} = (−1)^{15} = −1
(iii) (7/11) = (11/7)(−1)^{(11−1)(7−1)/4} = (11/7)(−1)^{15} = −(11/7)

Property 2.8 If p and q are distinct odd primes and n = pq, then a ∈ ℤ_n^* is a quadratic residue modulo n if and only if a is a quadratic residue modulo p and a is a quadratic residue modulo q.

2.1.2 Computing Jacobi Symbols

Suppose that n is an odd integer and we can write a = 2^k b where b is an odd integer. Then we have that
$$\left(\frac{a}{n}\right) = \left(\frac{2^k b}{n}\right) = \left(\frac{2^k}{n}\right)\left(\frac{b}{n}\right) = \left(\frac{2}{n}\right)^k \left(\frac{b}{n}\right) = \left(\frac{2}{n}\right)^k \left(\frac{n}{b}\right)(-1)^{(b-1)(n-1)/4} = \left(\frac{2}{n}\right)^k \left(\frac{n \bmod b}{b}\right)(-1)^{(b-1)(n-1)/4}$$

This gives us the following algorithm for computing Jacobi symbols. Note that it is not necessary to know the factorization of n to do this.

Algorithm 2.2: JacobiSymbol
INPUT: odd integer n ≥ 3, integer a with 0 ≤ a […]

[…] > 0 have one component, as shown in Figure 3.5, which corresponds to two of the roots of the cubic in (3.2) having nonzero imaginary part so that they do not appear on the x-axis of a graph of the curve.

Definition 3.3 An elliptic curve for which the discriminant Δ = 0 is called singular. An elliptic curve for which the discriminant Δ ≠ 0 is called nonsingular. Note that an elliptic curve may be nonsingular over one field and singular over another. Note that this definition of the discriminant is always even, so it is always zero in a field of characteristic 2. In this case, the Weierstrass normal form needs to be replaced with a different form for which the discriminant is not always zero.

Example 3.1
(i) The elliptic curve y² = x³ + x + 1 is nonsingular over the real numbers because it has discriminant Δ = −16(31) = −496.
(ii) The elliptic curve y² = x³ + x + 1 is singular over a field of characteristic 31 because it has discriminant Δ = −16(31), so that Δ ≡ 0 (mod 31).

Figure 3.5 Graph of the elliptic curve y² = x³ − 3x + 3 for which Δ > 0.

Graphs of singular elliptic curves over the real numbers are shown in Figures 3.6 and 3.7. Figure 3.6 shows an elliptic curve for which the cubic has two repeated roots. This type of elliptic curve is said to have a cusp at the repeated root. Figure 3.7 shows an elliptic curve for which the cubic has three repeated roots. This type of elliptic curve is said to have a node at the repeated root. Many discussions of elliptic curves restrict the meaning of the term to only nonsingular curves, a convention that we will also follow hereafter. We will see in Chapter 5 that cryptographic algorithms using arithmetic on singular elliptic curves are extremely weak compared to those using arithmetic on nonsingular curves.

3.2 Adding Points on Elliptic Curves

We can define a geometric way to add points on an elliptic curve that is based on (3.1). We do this in the following steps. To add points P1 and P2, construct
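The Jacobi symbol computation of Section 2.1.2, as an added example that is not the book's code: since Algorithm 2.2 is truncated in this copy, the function below applies the rules of Property 2.7 directly (pull out factors of 2 with rule (viii), then quadratic reciprocity, rule (ix)), never factoring n, and cross-checks it against Euler's criterion (Property 2.6(i)) and against Property 2.8.

```python
"""Jacobi symbols from the rules of Property 2.7, with checks against
Euler's criterion and Property 2.8. Added example, not the book's code.
"""


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n >= 3, computed without factoring n."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    a %= n                          # rule (v): only a mod n matters
    result = 1
    while a != 0:
        while a % 2 == 0:           # rule (viii): (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                 # rule (ix): (m/n) = (n/m)(-1)^((m-1)(n-1)/4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0  # rule (ii): gcd(a, n) != 1 gives 0


def legendre_euler(a, p):
    """Legendre symbol (a/p) for an odd prime p by Property 2.6(i)."""
    r = pow(a, (p - 1) // 2, p)     # r is 0, 1 or p - 1
    return -1 if r == p - 1 else r


def jacobi_matches_euler(p):
    """For prime p the Jacobi symbol is the Legendre symbol: check all a in Z_p."""
    return all(jacobi(a, p) == legendre_euler(a, p) for a in range(p))


def quadratic_residues(n):
    """Nonzero quadratic residues modulo n (Definition 2.9), by brute force."""
    return sorted({(x * x) % n for x in range(1, n)} - {0})


def is_qr_mod_pq(a, p, q):
    """Property 2.8: a in Z_pq^* is a QR mod pq iff it is a QR mod p and mod q."""
    return legendre_euler(a % p, p) == 1 and legendre_euler(a % q, q) == 1


if __name__ == "__main__":
    print(jacobi(15, 21), jacobi(2, 11), jacobi(7, 11))   # 0 -1 -1 (Example 2.13)
    # Caveat for composite n: (2/15) = (2/3)(2/5) = (-1)(-1) = +1, yet 2 is
    # not a square modulo 15, so a Jacobi symbol of +1 does not by itself
    # certify a quadratic residue (Property 2.8 is the actual test).
    print(jacobi(2, 15), 2 in quadratic_residues(15))     # 1 False
```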
the line through P1 and P2 and find the third point where it intersects the elliptic curve. To add a point to itself, use the line tangent to the curve through the point instead. Reflect this third point across the x-axis to get the sum of the points P1 + P2. These steps are shown in Figure 3.8 for the elliptic curve y² = x³ + 1. In Figure 3.5, the line u represents the line through P1, P2 and −(P1 + P2) and v represents the vertical line through −(P1 + P2) and P1 + P2, and the same lines u and v will be important in constructing the Tate pairing that we discuss in Chapter 4.

Figure 3.6 Graph of the singular elliptic curve y² = x³, an example of a cusp.

We also consider the point at infinity to be on an elliptic curve, and write this special point as O, and we have that P + O = P for any point on an elliptic curve, so that the point at infinity acts much like the number 0 does in the real numbers. If we have two points on an elliptic curve, P1 = (x1, y1) and P2 = (x2, y2), we can write the sum of the points P1 + P2 = P3 = (x3, y3). There are two ways to find P3: one if P1 ≠ P2 and another if P1 = P2. If P1 ≠ P2 then we can find the slope of the line through P1 and P2 as

$$m = \frac{y_2 - y_1}{x_2 - x_1} \qquad (3.3)$$

If P1 = P2 then we can find the slope of the line through P1 from

$$m = \frac{3x_1^2 + a}{2y_1} \qquad (3.4)$$

Figure 3.7 Graph of the singular elliptic curve y² = x³ − 3x + 2, an example of a node.

Note that (3.3) shows why we restricted an elliptic curve to being defined over fields with characteristic other than 2 or 3. In either of these two cases, a characteristic of either 2 or 3 makes the expression (3.3) inadequate, where multiplying by 2 or 3 is equivalent to multiplying by 0, so alternate forms for elliptic curves are needed other than the Weierstrass normal form.

If we write the line through P1 and P2 as y = mx + β, then this line intersects the elliptic curve when

(mx + β)² = x³ + ax + b

or that

x³ + ax + b − (mx + β)² = 0

or

x³ − m²x² + (a − 2mβ)x + (b − β²) = 0

Figure 3.8 Addition of points on an elliptic curve.

Recall that for a monic polynomial of degree n the sum of its roots is the negative of the coefficient of the x^{n−1} term. In this case, the sum of the roots must be m², so that

x1 + x2 + x3 = m²

or that

$$x_3 = m^2 - x_1 - x_2 \qquad (3.5)$$

Because the point (x3, −y3) is on the line y = mx + β we have

−y3 = mx3 + β = mx3 + (y1 − mx1) = m(x3 − x1) + y1
so that

$$y_3 = m(x_1 - x_3) - y_1 \qquad (3.6)$$

Example 3.2
(i) The points P1 = (−1, 0) = (x1, y1) and P2 = (0, 1) = (x2, y2) are on the elliptic curve y² = x³ + 1 over the real numbers. In this case we can find P3 = (x3, y3) = P1 + P2 by finding

m = (y2 − y1)/(x2 − x1) = (1 − 0)/(0 − (−1)) = 1

so that

x3 = m² − x1 − x2 = 1 − (−1) − 0 = 2

and

y3 = m(x1 − x3) − y1 = 1(−1 − 2) − 0 = −3

so that P3 = (2, −3).

(ii) The points P1 = (0, 1) = (x1, y1) and P2 = (2, 8) = (x2, y2) are on the elliptic curve y² = x³ + 1 over ℤ_11. In this case we can find P3 = (x3, y3) = P1 + P2 by finding

m = (y2 − y1)/(x2 − x1) = (8 − 1)/(2 − 0) = 7/2 = 7 · 2^{−1} = 7 · 6 = 56 ≡ 1 (mod 11)

so that

x3 = m² − x1 − x2 = 1 − 0 − 2 ≡ 10 (mod 11)

and

y3 = m(x1 − x3) − y1 = 1(0 − 10) − 1 ≡ 0 (mod 11)

so that P3 = (10, 0).

(iii) Let P1 = (x, y1) and P2 = (x, y2) be points on any elliptic curve. Because the x-coordinates of these two points are identical, their sum will always be O, the point at infinity, so that P1 + P2 = O.

3.2.1 Algorithm for Elliptic Curve Point Addition

The following algorithm describes the process for adding points on an elliptic curve.

Algorithm 3.1:
INPUT: P1 = (x1, y1), P2 = (x2, y2), points on an elliptic curve y² = x³ + ax + b
OUTPUT: P3 = P1 + P2
1. If x1 = x2 and P1 ≠ P2 return O
2. If P1 = P2 then
3.   If y1 = 0 return O
4.   Else m ← (3x1² + a)/(2y1)
5. Else m ← (y2 − y1)/(x2 − x1)
6. x3 ← m² − x1 − x2
7. y3 ← m(x1 − x3) − y1
8. Return P3 = (x3, y3)

Example 3.3 We find that we have the following six points on the curve E/ℤ_5: y² = x³ + 1 (see Table 3.1)

Table 3.1 Points on the Curve E/ℤ_5: y² = x³ + 1

Point  (x, y)
P̂1     (0, 1)
P̂2     (0, 4)
P̂3     (2, 2)
P̂4     (2, 3)
P̂5     (4, 0)
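Algorithm 3.1 over a prime field ℤ_p as an added Python example (not the book's code), used to enumerate E(ℤ_p) by brute force and to rebuild the addition table of Example 3.3 for y² = x³ + 1 over ℤ_5; the point at infinity O is represented by None.

```python
"""Affine point addition (Algorithm 3.1) over Z_p, point enumeration and the
Cayley table of E(Z_p). Added example, not the book's code.
"""

O = None   # the point at infinity


def ec_add(P1, P2, a, p):
    """Algorithm 3.1 for y^2 = x^3 + a x + b over Z_p (b is not needed)."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                # P2 = -P1, which includes doubling a point with y = 0
    if P1 == P2:
        m = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope, (3.4)
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope, (3.3)
    x3 = (m * m - x1 - x2) % p                           # (3.5)
    y3 = (m * (x1 - x3) - y1) % p                        # (3.6)
    return (x3, y3)


def curve_points(a, b, p):
    """All affine points of y^2 = x^3 + a x + b over Z_p, by brute force."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x ** 3 - a * x - b) % p == 0]


def order_of_group(a, b, p):
    """#E(Z_p): the affine points plus the point at infinity (Definition 3.8)."""
    return len(curve_points(a, b, p)) + 1


def addition_table(a, b, p):
    """Cayley table of E(Z_p) as a dict (P, Q) -> P + Q, O included."""
    pts = [O] + curve_points(a, b, p)
    return {(P, Q): ec_add(P, Q, a, p) for P in pts for Q in pts}


def is_group_closed(a, b, p):
    """Sanity check for Property 3.2: every sum lands on the curve again."""
    pts = set([O] + curve_points(a, b, p))
    return all(s in pts for s in addition_table(a, b, p).values())


if __name__ == "__main__":
    pts = [O] + curve_points(0, 1, 5)            # Table 3.1: O, (0,1), (0,4), (2,2), (2,3), (4,0)
    table = addition_table(0, 1, 5)
    name = {P: "O" if P is O else f"({P[0]},{P[1]})" for P in pts}
    for P in pts:                                # prints the rows of Table 3.2
        print(name[P].rjust(5), " ".join(name[table[(P, Q)]].rjust(5) for Q in pts))
```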
Table 3.2 Addition of Points on the Curve y² = x³ + 1 over ℤ_5

 +   | O    P̂1   P̂2   P̂3   P̂4   P̂5
-----+------------------------------
 O   | O    P̂1   P̂2   P̂3   P̂4   P̂5
 P̂1  | P̂1   P̂2   O    P̂4   P̂5   P̂3
 P̂2  | P̂2   O    P̂1   P̂5   P̂3   P̂4
 P̂3  | P̂3   P̂4   P̂5   P̂2   O    P̂1
 P̂4  | P̂4   P̂5   P̂3   O    P̂1   P̂2
 P̂5  | P̂5   P̂3   P̂4   P̂1   P̂2   O

and that adding points on the curve obeys the rules in Table 3.2.

3.2.2 Projective Coordinates

Dealing with O, the point at infinity on an elliptic curve, can be troublesome using affine coordinates, the usual (x, y) coordinates that we use to define the Weierstrass normal form of an elliptic curve. One easy way to handle this point is through the use of projective coordinates. Projective coordinates encode a point (x, y) with two coordinates in three coordinates (x, y, z), where (x, y, z) represents any point of the form (x/z, y/z). Such projective coordinates are called standard projective coordinates. In particular, we can represent a point on an elliptic curve P = (x, y) as (x, y, 1), and the point at infinity can be represented by (0, 1, 0). We can also easily convert from projective coordinates (x, y, z) where z ≠ 0 into affine coordinates (x/z, y/z).

In addition to being an easy way to handle the point at infinity, projective coordinates are often useful in performing computations on elliptic curves because it is possible to add two points on an elliptic curve using projective coordinates without performing any divisions, which are typically very expensive computationally in finite fields. Finally, because many different values of z can be used to represent the same affine point (x, y), it is possible to use random values of z to encode such points; this will provide an additional level of protection against side-channel attacks, attacks on an implementation of a cryptographic algorithm that seek to find information about the cryptographic key being used through physical measurements of an operating device and its environment.

In cryptographic applications where we may want to perform operations in 𝔽_q for fairly large values of q, determining the inverse of an element of 𝔽_q can be fairly expensive relative to multiplications in 𝔽_q, and using projective coordinates will often provide a performance advantage over using affine coordinates. Note that there are other forms of projective coordinates that may also be useful for elliptic curve arithmetic. These forms of projective coordinates
require different procedures for adding points than the technique presented below. In particular, Jacobian projective coordinates encode an affine point (x/z², y/z³) as the projective point (x, y, z), and Chudnovsky projective coordinates encode an affine point (x/z², y/z³) as the projective point (x, y, z, z², z³) [4]. Each type of projective coordinates requires a different number of field operations to add or double points, which is summarized in Table 3.3. The choice of the most efficient projective coordinate system will depend on the application. If only point additions need to be performed, it is more efficient to use standard projective coordinates. If only point doublings need to be performed, it is more efficient to use Chudnovsky projective coordinates. In most cases, it is more efficient to use Jacobian projective coordinates. Point doubling operations can be further optimized if the coefficient a = −3 in the Weierstrass normal form of an elliptic curve.

Table 3.3 Field Operations Needed to Implement Elliptic Curve Operations in Different Coordinate Systems, Where n Field Multiplications and m Field Squarings Is Indicated by the Notation nM + mS and I Indicates That an Inversion Is Also Required

Coordinate System | Point Addition | Point Doubling
------------------+----------------+---------------
Jacobian          | 12M + 4S       | 4M + 6S
Standard          | 12M + 2S       | 7M + 5S
Chudnovsky        | 11M + 3S       | 5M + 6S
Affine            | I + 2M + 2S    | I + 2M + 1S

3.2.3 Adding Points in Jacobian Projective Coordinates

If we have points in Jacobian coordinates P1 = (x1, y1, z1) and P2 = (x2, y2, z2) and want to find P3 = (x3, y3, z3) = P1 + P2, then we can convert the projective points to affine coordinates, where Q1 = (x1/z1², y1/z1³) and Q2 = (x2/z2², y2/z2³), find the sum Q3 = (x3/z3², y3/z3³) = Q1 + Q2 using (3.3), (3.5), and (3.6), and then convert Q3 to the projective P3. This is summarized in the following algorithm. Note that this algorithm is independent of the coefficients a and b in the elliptic curve y² = x³ + ax + b.

Algorithm 3.2: JacobianAdd
INPUT: P1 = (x1, y1, z1), P2 = (x2, y2, z2) on an elliptic curve y² = x³ + ax + b over a field F. All operations are performed in the field F and the point at infinity is represented as (0, 1, 0).
OUTPUT: P3 = (x3, y3, z3) = P1 + P2
1. u1 ← x1 z2²
2. u2 ← x2 z1²
3. s1 ← y1 z2³
4. s2 ← y2 z1³
5. If u1 = u2
6.   If s1 ≠ s2
7.     Return (0, 1, 0)
8.   Else
9.     Return JacobianDouble(x1, y1, z1)
10. h ← u2 − u1
11. r ← s2 − s1
12. x3 ← r² − h³ − 2u1h²
13. y3 ← r(u1h² − x3) − s1h³
14. z3 ← h z1 z2
15. Return (x3, y3, z3)

3.2.4 Doubling a Point in Jacobian Projective Coordinates

If we have a point in Jacobian coordinates P1 = (x1, y1, z1) and want to find P2 = (x2, y2, z2) = P1 + P1 = 2P1, then we can convert the projective point to affine coordinates, where Q1 = (x1/z1², y1/z1³), find the sum Q2 = (x2/z2², y2/z2³) = Q1 + Q1 = 2Q1 using (3.3), (3.5), and (3.6), and then convert Q2 to the projective P2. This is summarized in the following algorithm.

Algorithm 3.3: JacobianDouble
INPUT: P1 = (x1, y1, z1), on an elliptic curve y² = x³ + ax + b over a field F. All operations are performed in the field F.
OUTPUT: P2 = (x2, y2, z2) = P1 + P1
1. If y1 = 0
2.   Return (0, 1, 0)
3. s ← 4x1y1²
4. m ← 3x1² + a z1⁴
5. x2 ← m² − 2s
6. y2 ← m(s − x2) − 8y1⁴
7. z2 ← 2y1z1
8. Return (x2, y2, z2)

3.3 Algebraic Structure of Elliptic Curves

Points on an elliptic curve provide a structure that we can define in the terminology of abstract algebra.

Definition 3.4 If E is an elliptic curve over a field F then we write E(F) to indicate the set of points on E along with the operation of adding points described in Algorithm 3.1.

Property 3.2 If F is a field and E is an elliptic curve then E(F) is a group. The point at infinity acts as the identity element for this group.

Note that there is only one operation defined for E(F), which we are thinking of as addition, so it is impossible to multiply or divide elements of E(F). Thus, E(F) cannot be a field, which requires two operations that we think of as being addition and multiplication.

Definition 3.5 Multiplication of a point P on an elliptic curve by an integer n is the result of adding a point to itself n times, so that

$$nP = \underbrace{P + P + \cdots + P}_{n \text{ times}}$$

Definition 3.6 Let P ∈ E(F) for some elliptic curve E/F. We say that the order of a point is n if n is the smallest positive integer such that nP = O.

Definition 3.7 If E is an elliptic curve over a field F and n is a positive integer, we write E(F)[n] for the set of points of order n in E(F). If the field F is clear from the context, this can be abbreviated to E[n]. E(F)[n] is a subgroup of E(F). The points in E(F)[n] are also called the n-torsion points of the curve E.

Definition 3.8
We write #E(F) to indicate the order of the group E(F), which is the number of points on an elliptic curve E over a field F, including the point at infinity, O. Determining the value of #E(F) for an arbitrary elliptic curve is a nontrivial problem.

Example 3.4 From Table 3.2 we see that for the elliptic curve y² = x³ + 1 we have that #E(ℤ_5) = 6.

Definition 3.9 If E is an elliptic curve over 𝔽_q and we have #E(𝔽_q) = q + 1 − t, then t is called the trace of Frobenius, or simply the trace.

We should expect to have approximately q + 1 points on an elliptic curve E/𝔽_q. The equation y² = x³ + ax + b has a solution when x³ + ax + b is a quadratic residue modulo q, which should happen roughly half the time. In each of these cases, we get a pair of square roots, so we should expect a random elliptic curve to have approximately q finite points plus the point at infinity, for a total of q + 1 points. Hasse's theorem tells us that an elliptic curve E/𝔽_q has to have approximately q + 1 points on it, and that the trace tells us roughly how far from this expected behavior a particular curve is.

Property 3.3 (Hasse's theorem) For an elliptic curve E/𝔽_q, the trace of Frobenius satisfies the inequality |t| ≤ 2√q. Thus the number of points on an elliptic curve over 𝔽_q is approximately q + 1.

Definition 3.10 If E is an elliptic curve over 𝔽_q and we have #E(𝔽_q) = q, then we say that E is anomalous. We will see in Chapter 5 that anomalous curves should be avoided for some cryptographic applications.

Definition 3.11 Let p be the characteristic of 𝔽_q, E be an elliptic curve over 𝔽_q, and t be the trace of E. If p divides t then we say that the elliptic curve E is supersingular. A curve that is not supersingular is said to be ordinary. Note that the concepts of singular and supersingular are very different and should not be confused.

Property 3.4 If E: y² = f(x) is an elliptic curve over 𝔽_q then E is supersingular exactly when the coefficient of x^{p−1} in (f(x))^{(p−1)/2} is zero [2].

Example 3.5 A particular elliptic curve can be either supersingular or ordinary, depending on what field it is defined over.
(i) If p is a prime with p ≥ 5, then the elliptic curve y² = x³ + 1 over 𝔽_p is supersingular when the coefficient of x^{p−1} in (x³ + 1)^{(p−1)/2}
is zero. If p ≡ 2 (mod 3) then this coefficient is zero and the curve is supersingular. When p ≡ 1 (mod 3), then this coefficient is the binomial coefficient $\binom{(p-1)/2}{(p-1)/3}$, which is nonzero, so the curve is ordinary.
(ii) If p is a prime with p > 2, then the elliptic curve y² = x³ + x over 𝔽_p is supersingular when the coefficient of x^{p−1} in (x³ + x)^{(p−1)/2} is zero. If p ≡ 3 (mod 4) then this coefficient is zero and the curve is supersingular. When p ≡ 1 (mod 4), then this coefficient is the binomial coefficient $\binom{(p-1)/2}{(p-1)/4}$, which is nonzero, so the curve is ordinary.
(iii) If p is a prime with p ≡ 11 (mod 12), then both y² = x³ + 1 and y² = x³ + x are supersingular over 𝔽_p.
(iv) If p is a prime with p ≡ 1 (mod 12), then both y² = x³ + 1 and y² = x³ + x are ordinary over 𝔽_p.

Points on an elliptic curve form a group, but we need the structure of a field to perform the calculations that some IBE algorithms require. To do this, we want to embed an elliptic curve group in a finite field. In many cases, this will result in a finite field that is too large to be practical for computations.

Definition 3.12 Let E/𝔽_q be an elliptic curve and n be an integer such that n | #E(𝔽_q). If k is the smallest positive integer such that n | (q^k − 1) then k is called the embedding degree of E with respect to n. If n = #E(𝔽_q) then we can abbreviate this to saying that k is the embedding degree of E.

If k is the embedding degree of E/𝔽_q, we can think of 𝔽_{q^k} as being an extension of 𝔽_q in which E(𝔽_q) is a subgroup of 𝔽_{q^k}^*. This gives us the ability to multiply points, an operation that we cannot perform in an elliptic curve group, where only the operation of addition is defined.

Example 3.6 Let E/𝔽_11 be the elliptic curve y² = x³ + 1. Because #E(𝔽_11) = 12 divides 11² − 1 = 120, we have that the embedding degree of E is k = 2.

The embedding degree of most elliptic curve groups is very high. This means that it is impractical to do calculations in the extension field 𝔽_{q^k}, where we need to perform operations on k-tuples of coordinates, each of which is an element of 𝔽_q. The following property gives an estimate for the chances of the embedding degree being low enough to make calculating discrete logarithms in 𝔽_{q^k} possible in polynomial time, which happens with the index calculus algorithm [5] when k ≤ (log q)². Note that this may still be far from being practical to implement.
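Algorithms 3.2 and 3.3 over ℤ_p together with the quantities of Definitions 3.8 to 3.12, as an added Python example (not the book's code): Jacobian addition and doubling, double-and-add scalar multiplication built on them, point counting to get #E(ℤ_p) and the trace, the supersingularity test p | t, and the embedding degree; it is checked against Table 3.2 (y² = x³ + 1 over ℤ_5), Example 3.5(ii) and Example 3.6.

```python
"""Jacobian-coordinate arithmetic (Algorithms 3.2, 3.3), scalar multiplication,
#E(Z_p), trace, supersingularity and embedding degree. Added example, not the
book's code. The point at infinity is (0, 1, 0), as in the book.
"""

INF = (0, 1, 0)


def jacobian_double(P, a, p):
    """Algorithm 3.3: 2P for P = (x1, y1, z1) in Jacobian coordinates."""
    x1, y1, z1 = P
    if y1 == 0 or z1 == 0:           # 2P = O when y1 = 0; 2O = O
        return INF
    s = 4 * x1 * y1 * y1 % p
    m = (3 * x1 * x1 + a * pow(z1, 4, p)) % p
    x2 = (m * m - 2 * s) % p
    y2 = (m * (s - x2) - 8 * pow(y1, 4, p)) % p
    z2 = 2 * y1 * z1 % p
    return (x2, y2, z2)


def jacobian_add(P1, P2, a, p):
    """Algorithm 3.2: P1 + P2 in Jacobian coordinates; a is used only when doubling."""
    if P1[2] == 0:
        return P2
    if P2[2] == 0:
        return P1
    x1, y1, z1 = P1
    x2, y2, z2 = P2
    u1, u2 = x1 * z2 * z2 % p, x2 * z1 * z1 % p
    s1, s2 = y1 * pow(z2, 3, p) % p, y2 * pow(z1, 3, p) % p
    if u1 == u2:                      # same x-coordinate: P2 = -P1 or P2 = P1
        return INF if s1 != s2 else jacobian_double(P1, a, p)
    h, r = (u2 - u1) % p, (s2 - s1) % p
    x3 = (r * r - h ** 3 - 2 * u1 * h * h) % p
    y3 = (r * (u1 * h * h - x3) - s1 * h ** 3) % p
    z3 = h * z1 * z2 % p
    return (x3, y3, z3)


def to_affine(P, p):
    """(x, y, z) -> (x / z^2, y / z^3); None stands for the point at infinity."""
    x, y, z = P
    if z == 0:
        return None
    zi = pow(z, -1, p)
    return (x * zi * zi % p, y * pow(zi, 3, p) % p)


def scalar_mult(k, P, a, p):
    """k P (Definition 3.5) by left-to-right double-and-add on Jacobian points."""
    R = INF
    for bit in bin(k)[2:]:
        R = jacobian_double(R, a, p)
        if bit == "1":
            R = jacobian_add(R, P, a, p)
    return R


def point_order(P, a, p):
    """Definition 3.6: smallest n >= 1 with n P = O (brute force, small curves)."""
    n, R = 1, P
    while R[2] != 0:
        R = jacobian_add(R, P, a, p)
        n += 1
    return n


def count_points(a, b, p):
    """#E(Z_p) (Definition 3.8): solutions of y^2 = x^3 + a x + b, plus O."""
    return 1 + sum(1 for x in range(p) for y in range(p)
                   if (y * y - x ** 3 - a * x - b) % p == 0)


def trace(a, b, p):
    """Trace of Frobenius t = p + 1 - #E(Z_p) (Definition 3.9)."""
    return p + 1 - count_points(a, b, p)


def hasse_holds(a, b, p):
    """Property 3.3: |t| <= 2 sqrt(p), tested as t^2 <= 4p."""
    return trace(a, b, p) ** 2 <= 4 * p


def is_supersingular(a, b, p):
    """Definition 3.11: E/Z_p is supersingular exactly when p divides t."""
    return trace(a, b, p) % p == 0


def embedding_degree(n, q, limit=10_000):
    """Definition 3.12: smallest k with n | q^k - 1, or None if none up to limit."""
    for k in range(1, limit + 1):
        if (pow(q, k, n) - 1) % n == 0:
            return k
    return None


if __name__ == "__main__":
    P1 = (0, 1, 1)                                      # P^1 = (0, 1) of Table 3.1
    print(to_affine(jacobian_double(P1, 0, 5), 5))      # (0, 4): P^1 + P^1 = P^2
    print(point_order(P1, 0, 5))                        # 3
    n = count_points(0, 1, 11)
    print(n, trace(0, 1, 11), embedding_degree(n, 11))  # 12 0 2 (Example 3.6)
```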
Property 3.5 (Balasubramanian and Koblitz) [6] Let q be a randomly chosen prime with M/2 ≤ q ≤ M and E/𝔽_q a randomly chosen elliptic curve. If #E(𝔽_q) = p for some prime p, then the probability that p | (q^k − 1) for some k ≤ (log q)² is less than

$$\frac{c (\log M)^9 (\log \log M)^2}{M}$$

for some constant c.

Example 3.7
(i) Ignoring the constant c, and using a 256-bit q (so that M = 2^{257}) and a 256-bit p, which are reasonable parameters for an IBE system, we find that the probability of having p | (q^k − 1) for some k ≤ (log q)² is less than approximately 2 × 10^{−56}, or 2^{−185}.
(ii) An embedding degree k ≤ (log q)² can still be very impractical. For q = 2^{256} we have (log q)² = 31,487, and performing calculations in an extension field of degree 31,487 is almost certainly impractical.

The following property makes supersingular curves both useful as well as good to avoid in cryptographic applications, depending on the way in which the curve is being used. This will be discussed in detail in Chapter 5. A small embedding degree makes some elliptic curve cryptographic algorithms vulnerable to some cryptanalytic attacks, and it is necessary to select the parameters of algorithms that use such curves carefully to avoid such weaknesses.

Table 3.4 Classification of Supersingular Curves

Class | Trace t | Embedding Degree k | Comments
------+---------+--------------------+------------------------------------------
1     | 0       | 2                  | E(𝔽_q) ≅ ℤ_{q+1}
2     | 0       | 2                  | E(𝔽_q) ≅ ℤ_{(q+1)/2} ⊕ ℤ_2 and q ≡ 3 (mod 4)
3     | ±√q     | 3                  | n even
4     | ±√(2q)  | 4                  | p = 2, n odd
5     | ±√(3q)  | 6                  | p = 3, n odd
6     | ±2√q    | 1                  | n even

Property 3.6 If E/𝔽_q is a supersingular curve with q = p^n and trace t, then Table 3.4 lists the possible classes of supersingular curves [7]. In particular, any supersingular
curve has embedding degree k ≤ 6, and for E/𝔽_q with q > 3 we have that the only three possible cases are k = 1, k = 2, and k = 3.

Definition 3.13 If E/F is an elliptic curve in Weierstrass normal form y² = x³ + ax + b, we say that an elliptic curve E′/F in Weierstrass normal form y² = x³ + a′x + b′ is isomorphic over F if there exists u ∈ F* with a′ = u⁴a and b′ = u⁶b.

This definition is motivated by the isomorphism of the underlying lattice in the complex plane that is defined by the integer multiples of the two periods of the Weierstrass ℘ function {ω1, ω2}. Such a lattice with periods {ω1, ω2} is isomorphic to another lattice if both periods differ by the same constant, or the second lattice is defined by integer multiples of periods {cω1, cω2} for some c ∈ ℂ. Isomorphic elliptic curves come from the ℘ function defined on such isomorphic lattices. The discriminant as defined in Section 3.1.2 only tells us when the cubic part of an elliptic curve has no repeated roots, and there can be many nonisomorphic elliptic curves with the same discriminant. A different quantity is needed to distinguish between isomorphic curves.

Definition 3.14 The j-invariant of an elliptic curve E in Weierstrass normal form is given by

$$j(E) = \frac{2^8 \, 3^3 \, a^3}{4a^3 + 27b^2}$$

Note that the j-invariant and the discriminant are related by

$$j(E) = \frac{-1{,}728 \, (4a)^3}{\Delta} = \frac{-2^{12} \, 3^3 \, a^3}{\Delta}$$

Property 3.7 Two elliptic curves that are isomorphic over F have the same j-invariant, and elliptic curves over F with the same j-invariant are isomorphic over the algebraic closure F̄.

Example 3.8
(i) Any elliptic curve E of the form y² = x³ + b has j(E) = 0. Such curves are sometimes referred to as "j = 0" curves.
(ii) Any elliptic curve E of the form y² = x³ + ax has j(E) = 1,728. Such curves are sometimes referred to as "j = 1,728" curves.
(iii) For j ∈ 𝔽_q, j ≠ 0, j ≠ 1,728, let

$$k = \frac{j}{1{,}728 - j}$$

Then E/𝔽_q: y² = x³ + 3kc²x + 2kc³ has j-invariant j for c ∈ 𝔽_q.

The observation that the j-invariant does not change under the change of variables a → v²a and b → v³b leads to the following definition.

Definition 3.15 Let E/𝔽_q: y² = x³ + ax + b be an elliptic curve and v ∈ 𝔽_q^* be a quadratic nonresidue in 𝔽_q^*. Then E′/F: y² = x³ + v²ax + v³b is called the quadratic twist of E. In this case, E is isomorphic to E′ over an extension of degree 2 to 𝔽_q but not over 𝔽_q itself.

Example 3.9 Over 𝔽_5 we have that v = 2 is a quadratic nonresidue, so that E′: y² = x³ + 4x + 3 is the quadratic twist of E: y² = x³ + x + 1.

3.3.1 Higher Degree Twists

For some curves E/𝔽_q it is possible to create twists other than the quadratic twist. In these cases we have E′: y² = x³ + a′x + b′ where a′ = v^{4/d}a and b′ = v^{6/d}b, and v is a root of degree d but not a root of less than degree d over F (so a fourth root is a fourth root but not a square root, for example), which we can call a twist of degree d. Such twists are isomorphic to E over 𝔽_{q^d}, an extension of degree d to 𝔽_q. The possible twists, both quadratic and of higher degree, are summarized in Tables 3.5 and 3.6. In each of these cases, we must also have that q ≡ 1 (mod d) for such a twist to exist.

We will see in Chapter 4 that mappings ψ_d: E′ → E, where d is the degree of a twist, are useful in creating structures that are useful for implementing

Table 3.5 Elliptic Curves and Their Twists

Degree of Twist d | Form of E         | Form of E′
------------------+-------------------+-----------------------
2                 | y² = x³ + ax + b  | y² = x³ + v²ax + v³b
3                 | y² = x³ + b       | y² = x³ + vb
4                 | y² = x³ + ax      | y² = x³ + vax
6                 | y² = x³ + b       | y² = x³ + vb
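The j-invariant of Definition 3.14, the isomorphism test of Definition 3.13, the j ↦ curve construction of Example 3.8(iii) and the quadratic twist of Definition 3.15 over ℤ_p, as an added Python example (not the book's code), checked on Example 3.9; the point counts of E and its twist are compared as an extra check that the twist is a genuinely different curve over ℤ_p.

```python
"""j-invariants, isomorphism over Z_p and quadratic twists (Definitions 3.13
to 3.15, Examples 3.8 and 3.9). Added example, not the book's code.
"""


def is_quadratic_nonresidue(v, p):
    """Euler's criterion (Property 2.6(i)): v is a nonresidue iff v^((p-1)/2) = -1."""
    return pow(v % p, (p - 1) // 2, p) == p - 1


def j_invariant(a, b, p):
    """j(E) = 2^8 3^3 a^3 / (4a^3 + 27b^2) mod p for E: y^2 = x^3 + a x + b."""
    denom = (4 * a ** 3 + 27 * b * b) % p
    if denom == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (Definition 3.3)")
    return 2 ** 8 * 3 ** 3 * a ** 3 * pow(denom, -1, p) % p


def is_isomorphic_over_fp(a1, b1, a2, b2, p):
    """Definition 3.13: is there u in Z_p^* with a2 = u^4 a1 and b2 = u^6 b1?"""
    return any((pow(u, 4, p) * a1 - a2) % p == 0 and (pow(u, 6, p) * b1 - b2) % p == 0
               for u in range(1, p))


def curve_with_j_invariant(j, p, c=1):
    """Example 3.8(iii): for j != 0, 1728, y^2 = x^3 + 3kc^2 x + 2kc^3 with
    k = j / (1728 - j) has j-invariant j. Returns (a, b)."""
    k = j * pow((1728 - j) % p, -1, p) % p
    return (3 * k * c * c % p, 2 * k * c ** 3 % p)


def quadratic_twist(a, b, v, p):
    """Definition 3.15: E' = (v^2 a, v^3 b) for a quadratic nonresidue v."""
    if not is_quadratic_nonresidue(v, p):
        raise ValueError(f"{v} is a quadratic residue modulo {p}, not a twist parameter")
    return (v * v * a % p, v ** 3 * b % p)


def count_points(a, b, p):
    """#E(Z_p): affine solutions of y^2 = x^3 + a x + b, plus the point at infinity."""
    return 1 + sum(1 for x in range(p) for y in range(p)
                   if (y * y - x ** 3 - a * x - b) % p == 0)


if __name__ == "__main__":
    E, v, p = (1, 1), 2, 5                         # Example 3.9
    Et = quadratic_twist(*E, v, p)
    print(Et)                                      # (4, 3): y^2 = x^3 + 4x + 3
    print(j_invariant(*E, p), j_invariant(*Et, p)) # equal j, as the text observes
    print(is_isomorphic_over_fp(*E, *Et, p))       # False: not isomorphic over Z_5
    print(count_points(*E, p), count_points(*Et, p))   # 9 and 3; they differ
```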
pairing-based algorithms. Changing to this point of view is easy, and results in the mappings shown in Table 3.7. Note that these mappings increase the dimension of their output by a factor of d, so that if the inputs are elements of some 𝔽_q then the outputs are elements of some 𝔽_{q^d}.

Table 3.6 Points on Twists of Elliptic Curves

Degree of Twist d | Typical Point on E | Corresponding Point on E′
------------------+--------------------+--------------------------
2                 | (x, y)             | (vx, v^{3/2}y)
3                 | (x, y)             | (v^{1/3}x, v^{1/2}y)
4                 | (x, y)             | (v^{1/2}x, v^{3/4}y)
6                 | (x, y)             | (v^{1/3}x, v^{1/2}y)

Table 3.7 Mappings ψ_d: E′ → E

Degree of Twist d | ψ_d: E′ → E
------------------+---------------------------------------
2                 | ψ_2(x, y) = (v^{−1}x, v^{−3/2}y)
3                 | ψ_3(x, y) = (v^{−1/3}x, v^{−1/2}y)
4                 | ψ_4(x, y) = (v^{−1/2}x, v^{−3/4}y)
6                 | ψ_6(x, y) = (v^{−1/3}x, v^{−1/2}y)

Example 3.10
(i) We have that E′/𝔽_11: y² = x³ + 10 is the quadratic twist of E/𝔽_11: y² = x³ + 1 created using the quadratic nonresidue v = 10, so that i² = v. In this case we have that the point (2, 3) ∈ E(𝔽_11) while (v · 2, v^{3/2} · 3) = (10 · 2, 10i · 3) = (9, 8i) ∈ E′(𝔽_11).
(ii) For the quadratic twist E′/𝔽_11: y² = x³ + 10 created from E/𝔽_11: y² = x³ + 1 using the quadratic nonresidue v = 10, so that i² = v, we have that ψ_2(x, y) = (v^{−1}x, v^{−3/2}y) = (10x, iy). So for Q = (9, 8i) ∈ E′(𝔽_11) we have that ψ_2(Q) = (10 · 9, i · 8i) = (2, 3).

Definition 3.16 Let E/𝔽_q be an elliptic curve and n be an integer relatively prime to q, and P a point of order n in E(𝔽_q). A distortion map with respect to (or for) P is an endomorphism φ that maps the point P to a point φ(P) that is linearly independent from P. Another useful point of view is that such a distortion map is a nonrational endomorphism.

Useful distortion maps for curves over 𝔽_q, where q is either a prime p or a power of a prime p, are summarized in Table 3.8.

Table 3.8 Useful Distortion Maps

Field   | Curve                  | Distortion Map                                                                                  | #E
--------+------------------------+-------------------------------------------------------------------------------------------------+------------
𝔽_p     | y² = x³ + ax           | φ(x, y) = (−x, iy)                                                                              | p + 1
𝔽_p     | y² = x³ + a            | φ(x, y) = (ζx, y), ζ ≠ 1, ζ³ = 1                                                                | p + 1
𝔽_{p²}  | y² = x³ + a, a ∈ 𝔽_p   | φ(x, y) = (ω x^p / r^{(2p−1)/3}, y^p / r^{p−1}), r² = a, r ∈ 𝔽_{p²}, ω³ = r, ω ∈ 𝔽_{p⁶}         | p² − p + 1

Example 3.11
(i) For a curve of the form E/𝔽_p: y² = x³ + a where p is a prime with p ≡ 3 (mod 4), it is possible to write a distortion map for E as φ(x, y) = (ζx, y) where

$$\zeta = \frac{p-1}{2}\left(1 + 3^{(p+1)/4} \, i\right) \qquad (3.7)$$

For such a ζ we have that

$$\zeta^3 = \left(\frac{p-1}{2}\right)^3 \left(1 + 3 \cdot 3^{(p+1)/4} i + 3 \cdot \left(3^{(p+1)/4} i\right)^2 + \left(3^{(p+1)/4} i\right)^3\right) \qquad (3.8)$$

$$= \left(\frac{p-1}{2}\right)^3 \left(1 - 3^{(p+3)/2} + i\left(3^{(p+5)/4} - 3^{(3p+3)/4}\right)\right)$$

which we want to be equal to 1. From Euler's theorem we have that

3^{p−1} ≡ 1 (mod p)
so that

3^{p−1} ≡ 3^{3(p−1)} (mod p)

and thus

3^{(p−1)+6} ≡ 3^{3(p−1)+6} (mod p)

so that

3^{p+5} ≡ 3^{3p+3} (mod p)

and

3^{(p+5)/4} ≡ 3^{(3p+3)/4} (mod p)

and

3^{(p+5)/4} − 3^{(3p+3)/4} ≡ 0 (mod p)

so that the imaginary part of (3.8) is equal to zero. Similarly, we have that

$$\frac{p+3}{2} = \frac{p-1+4}{2} = \frac{p-1}{2} + 2$$

so that

$$\zeta^3 \equiv -\frac{1}{8}\left(1 - 3^2\right) \pmod p \equiv 1 \pmod p$$

by Euler's theorem. Thus the real part of (3.8) is equal to 1, and (3.7) is indeed a cube root of 1 as needed.

(ii) For the elliptic curve E/𝔽_11: y² = x³ + 1, let φ(x, y) = (ζx, y), where

$$\zeta = \frac{11-1}{2}\left(1 + 3^{(11+1)/4} \, i\right) \equiv 5(1 + 5i) \pmod{11} = (5 + 3i) \pmod{11}$$

which has the properties that ζ ≠ 1 and ζ³ = 1. Then for P = (2, 3) we have that φ(P) = ((5 + 3i) · 2, 3) = (10 + 6i, 3), which is linearly independent from P. This is a distortion map on E for the point P.

(iii) For the elliptic curve y² = x³ + x over 𝔽_11, let φ(x, y) = (−x, iy). Then for P = (0, 1) we have φ(P) = (−0, i · 1) = (0, i), which is linearly independent from P = (0, 1), making φ a distortion map with respect to P.

Distortion maps are useful in creating structures that are useful for implementing many IBE algorithms. This will be discussed in Chapter 4. Their application is essentially limited to supersingular curves, however, as the following two properties describe.

Property 3.8 (Verheul) [8] Let E/𝔽_q be a supersingular elliptic curve with P ∈ E(𝔽_q)[n]. If n is relatively prime to the characteristic of 𝔽_q, then there always exists a distortion map with respect to P.

Property 3.9 (Verheul) [8] Let E/𝔽_q be an ordinary elliptic curve and let P ∈ E(𝔽_q)[n]. If n is relatively prime to the characteristic of 𝔽_q and E[n] ⊄ E(𝔽_q), then there cannot exist a distortion map with respect to P.

3.3.2 Complex Multiplication

All elliptic curve groups have some endomorphisms: the multiplication-by-n maps of the form f_n(P) = nP. Some elliptic curve groups have additional endomorphisms that are not isomorphic to such multiplication-by-n maps. An elliptic curve with this property is said to have complex multiplication, which we can abbreviate as "CM." The term "complex multiplication" comes from the fact that in many cases, these endomorphisms act much like multiplication by a complex number. So we might have that f(f(P)) = −DP for some D > 0, so that f∘f = −D or f² = −D, suggesting that f acts like multiplying by the imaginary number √−D. We will see in later chapters that there are techniques that work on curves with complex multiplication that can be used to generate elliptic curves suitable for IBE calculations.

Example 3.12
(i) Any supersingular elliptic curve has a distortion map, so all supersingular curves have complex multiplication.
(ii) The elliptic curve y² = x³ + x has an endomorphism given by f: (x, y) → (−x, iy), so that (f∘f)(P) = (f∘f)(x, y) = (x, −y) = −P. Thus, f∘f = f² acts like multiplication by −1, so we can think of f as acting like multiplying by √−1.
(iii) The elliptic curve y² = x³ + 1 has an endomorphism given by f: (x, y) → (ζx, y) where ζ³ = 1, ζ ≠ 1. In this case, (f∘f∘f)(P) = (ζ³x, y) = (x, y) = P, or that f∘f∘f = f³ acts like multiplication by 1, but f ≠ 1, so we can think of f as acting like multiplying by the complex number ζ.

References

[1] Lang, S., Elliptic Functions, New York: Springer-Verlag, 1987.
[2] Silverman, J., The Arithmetic of Elliptic Curves, New York: Springer-Verlag, 1986.
[3] Blake, I., G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, Cambridge, U.K.: Cambridge University Press, 1999.
[4] Chudnovsky, D., and G. Chudnovsky, "Sequences of Numbers Generated by Addition in Formal Group and New Primality and Factorization Tests," Advances in Applied Mathematics, Vol. 7, No. 4, 1986, pp. 385–434.
[5] Stinson, D., Cryptography: Theory and Practice, New York: Chapman and Hall, 2005.
[6] Balasubramanian, R., and N. Koblitz, "The Improbability That an Elliptic Curve Has Subexponential Discrete Log Problem Under the Menezes-Okamoto-Vanstone Algorithm," Journal of Cryptology, Vol. 11, No. 2, 1998, pp. 141–145.
[7] Menezes, A., Elliptic Curve Public Key Cryptosystems, New York: Springer-Verlag, 1993.
[8] Verheul, E., "Evidence That XTR Is More Secure Than Supersingular Elliptic Curve Cryptosystems," Journal of Cryptology, Vol. 17, No. 4, 2004, pp. 277–296.
4 Divisors and the Tate Pairing

This chapter introduces divisors, which are then used to construct the Tate pairing. The Tate pairing in turn provides the basis for many IBE schemes, including the Boneh-Franklin, Boneh-Boyen, and Sakai-Kasahara schemes. The discussion of the Tate pairing here is designed to provide an overview of the pairing, its properties, and how to calculate it. Further detail of the properties of the Tate pairing can be found in [1, 2].

The Tate pairing by itself turns out to be unsuitable for cryptographic applications because it frequently returns the value 1, but by modifying one of the inputs to the Tate pairing using either a distortion map or a point on the twist of an elliptic curve, it is easy to overcome this limitation.

4.1 Divisors

The divisors discussed in this section are very different from those discussed in Chapter 2, but they unfortunately share the same name. In this context, a divisor is a way of characterizing a function $f$ based only on its zeroes, where $f(x) = 0$, and poles, where $f(x) = \pm\infty$, like when dividing by zero. We say that a function $f(x)$ has a pole at infinity if $f(1/x)$ has a pole at $x = 0$, so that a polynomial of degree $n$ has a pole of order $n$ at infinity. Similarly, we say that a function $f(x)$ has a zero at infinity if $f(1/x)$ has a zero at $x = 0$. For example, the function
$$f(x) = \frac{(x-1)^2}{(x+2)^3} = (x-1)^2 (x+2)^{-3}$$
has a zero of order 2 at $x = 1$, a zero of order 1 at infinity, and a pole of order 3 at $x = -2$. Because a divisor characterizes a function based on its zeroes and poles, two functions that differ by a constant factor will have the same divisor.

4.1.1 An Intuitive Introduction to Divisors

We keep track of the zeroes and poles of a rational function $f$ in what we call a divisor, which we write as $\mathrm{div}(f)$. We write such a divisor as the sum of the points where $f$ has a zero or pole, weighted by the multiplicities of the zeroes and poles, with the convention that zeroes get positive weights according to their multiplicities and poles get negative weights according to their multiplicities. In the example above, we write
$$\mathrm{div}(f) = 2(1) + (\infty) - 3(-2)$$
to indicate that $f$ has a zero of order 2 at $x = 1$, a zero of order 1 at infinity, and a pole of order 3 at $x = -2$. In general, if we can write
$$f(x) = \prod_i (x - x_i)^{a_i}$$
then we write
$$\mathrm{div}(f) = \sum_i a_i (x_i)$$
together with the zero or pole at infinity of order $\left|\sum_i a_i\right|$, which makes the weights of a divisor of a rational function sum to zero.

The notation for divisors can be a bit tricky, and we will need to be able to tell from the context that we are dealing with divisors instead of numbers, so that we are not tempted to treat divisors as numbers, trying to simplify expressions like $2(1) - 3(-2)$ to get a number instead of a divisor.

Note that multiplying rational functions corresponds to addition of their divisors and division of rational functions corresponds to subtraction of their divisors. So if we have $f(x)$ as defined above and
$$g(x) = \frac{(x+2)^3}{(x+1)^4}$$
then
$$f(x)\,g(x) = \frac{(x-1)^2 (x+2)^3}{(x+2)^3 (x+1)^4} = \frac{(x-1)^2}{(x+1)^4}$$
which corresponds to adding the divisors:
$$\mathrm{div}(fg) = \mathrm{div}(f) + \mathrm{div}(g) = 2(1) + (\infty) - 3(-2) + 3(-2) + (\infty) - 4(-1) = 2(1) + 2(\infty) - 4(-1)$$

We can formalize this informal description of divisors with the following definitions.

Definition 4.1 A formal sum of a set $S$ is a series $\{s_0, s_1, s_2, \ldots\}$ of elements of $S$. A formal sum is often written using a placeholder, with the understanding that the placeholder is not to be evaluated.

Example 4.1
(i) A power series is a formal sum which we usually write as $a_0 + a_1 x + a_2 x^2 + \ldots$, where each $a_i \in S$ for some set $S$. We write a power series with the understanding that the placeholder $x$ is not to be evaluated, and we could also write the same power series as $\{a_0, a_1, a_2, \ldots\}$.
(ii) If $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ is a set of points on an elliptic curve, then $D = a_1(P_1) + a_2(P_2) + \ldots + a_n(P_n)$ is a formal sum of the elements of $\mathcal{P}$. In this case, we understand that in $D$ the points in the set $\mathcal{P}$ are just placeholders like the variable $x$ in a power series, and are not to be evaluated.

Definition 4.2 Let $E$ be an elliptic curve. A divisor on $E$ is a formal sum of the form
$$D = \sum_{P \in E} n_P\,(P)$$
where each $n_P$ is an integer and all but finitely many $n_P$ are zero.

Example 4.2 For points $P_1$ and $P_2$ on an elliptic curve, $D = (P_1) + 2(P_2) - 3(O)$ is a divisor.

Definition 4.3 We say that a divisor $D$ is a principal divisor if there is a rational function $f$ such that $D = \mathrm{div}(f)$. An equivalent definition is that a divisor $D$ on an elliptic curve is principal if we can write
$$D = \sum_i a_i\,(P_i)$$
where $\sum_i a_i = 0$ and $\sum_i a_i P_i = O$, with the last sum using the addition of points on an elliptic curve. In particular, if $P$ is a point of order $n$, then the divisor $n(P) - n(O)$ is a principal divisor.

Example 4.3
(i) Let $P_1$, $P_2$ and $P_3$ be points on an elliptic curve with $P_3 = P_1 + P_2$. Then $D = (P_1) + (P_2) + (-P_3) - 3(O)$ is a principal divisor.
(ii) Let $P$ be a point on an elliptic curve of order $n$. Then $D = n(P) - n(O)$ is a principal divisor.

Definition 4.4 If $E$ is an elliptic curve and $D = \sum_{P \in E} n_P\,(P)$ is a divisor, then the support of $D$ is the set of all points $P$ such that $n_P \neq 0$.

Example 4.4 For the divisor $D = (P_1) + (P_2) + (-P_3) - 3(O)$, the support of $D$ is the set $\{P_1, P_2, -P_3, O\}$.

Definition 4.5 Let $D_1$ and $D_2$ be divisors. Then we say that $D_1$ and $D_2$ have disjoint support if the intersection of the support of $D_1$ and the support of $D_2$ is the empty set, or $\mathrm{supp}(D_1) \cap \mathrm{supp}(D_2) = \emptyset$.

Example 4.5
(i) The divisors $D_1 = (P_1) - (O)$ and $D_2 = (P_1 + R) - (R)$ have disjoint support as long as $\{P_1, O\} \cap \{P_1 + R, R\} = \emptyset$.
(ii) The divisors $D_1 = (P) - (O)$ and $D_2 = (Q) - (O)$ do not have disjoint support.

We can think of divisors as keeping track of where the graph of a function $f(x)$ meets the graph of an elliptic curve $E$: the divisor of $f$ on $E$ records a zero at each point where $f(x)$ crosses the elliptic curve $E$, and a pole wherever $f(x)$ has a pole.

The functions $u$ and $v$ that appear in Figure 4.1 are very important in implementing operations on divisors, and in the following, $u$ will always represent a line through two points $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ on an elliptic curve and $v$ will always represent a vertical line that goes through $P_3 = (x_3, y_3)$, where $P_3 = P_1 + P_2$. Suppose that we do not have the case where $P_1 + P_2 = O$ and neither $P_1 = O$ nor $P_2 = O$. Then we can write the point-slope form of a line through $(x_1, y_1)$ as
$$y - y_1 = m(x - x_1) \qquad\text{or}\qquad y - y_1 - mx + mx_1 = 0$$
which gives us an explicit way to find the line $u$. Similarly, the line $v$ is given by
$$x - x_3 = 0$$

Figure 4.1 Illustration of the lines $u$ and $v$ in the addition of points on an elliptic curve: the line $u$ passes through $P_1$, $P_2$ and $-P_3$, and the vertical line $v$ passes through $P_3$ and $-P_3$.
If one of the two points is $O$, then $u$ is the vertical line through the point that is not $O$, and if the point $(x_3, y_3) = O$ then $v$ is taken to be the constant function 1, which has no zeroes or poles and so contributes nothing to a divisor (this is the convention used in Algorithm 4.2 and in the worked example below). These forms of the lines $u$ and $v$ are shown in Figure 4.2. The cases where either $P_1 = O$, $P_2 = O$, or $P_1 = P_2$ are handled in Algorithms 4.2, 4.3, and 4.4.

The particular points that we use to define the lines $u$ and $v$ should be clear from the context, so we will usually omit the points to keep the notation simpler. If we need to clarify which points are being used, we will write $u_{P_1,P_2}$ or $v_{P_3}$ to indicate the line through $P_1$ and $P_2$ or the vertical line through $P_3$, respectively. With this notation, $u$ and $v$ have the following divisors:
$$\mathrm{div}(u) = (P_1) + (P_2) + (-P_3) - 3(O)$$
$$\mathrm{div}(v) = (P_3) + (-P_3) - 2(O)$$
where we have now accounted for the poles that the lines $u$ and $v$ have at $O$. Another useful fact is what we get when we subtract the divisor of $v$ from the divisor of $u$:
$$\mathrm{div}(u) - \mathrm{div}(v) = \mathrm{div}(u/v) = (P_1) + (P_2) - (P_3) - (O) \qquad (4.1)$$

Figure 4.2 Forms of the lines $u: y - y_1 - mx + mx_1 = 0$ (through $P_1$, $P_2$ and $-P_3$) and $v: x - x_3 = 0$ (through $P_3$ and $-P_3$) used to add divisors on an elliptic curve.

If we have two divisors of the form
$$D_1 = (P_1) - (O) + \mathrm{div}(f_1)$$
$$D_2 = (P_2) - (O) + \mathrm{div}(f_2)$$
we can add the two divisors to get
$$D_1 + D_2 = (P_1) + (P_2) - 2(O) + \mathrm{div}(f_1 f_2) \qquad (4.2)$$
Solving for $(P_1) + (P_2)$ in (4.1) and substituting the result into (4.2) we find that
$$D_1 + D_2 = (P_3) - (O) + \mathrm{div}\!\left(f_1 f_2\,\frac{u}{v}\right) \qquad (4.3)$$
So the divisors of the lines $u$ and $v$ provide a way to add two divisors and keep the result in the form $(P) - (O) + \mathrm{div}(f)$.

To clarify how this works, we will now step through a calculation of the sum of two divisors, where the arithmetic is done on the curve $y^2 = x^3 + 1$ over $\mathbb{F}_5$, as is defined in Table 3.2. In particular, we consider the divisor $D = (\hat{P}_2) - (O)$ and see what we get when we add it to itself. Using (4.3) and the fact that we can also write the divisor $D$ as $(\hat{P}_2) - (O) + \mathrm{div}(1)$, we find that
$$D + D = (\hat{P}_2) - (O) + \mathrm{div}(1) + (\hat{P}_2) - (O) + \mathrm{div}(1) = (\hat{P}_1) - (O) + \mathrm{div}(u/v)$$
Now $u$ is the line tangent to the elliptic curve at $\hat{P}_2$, and $v$ is the vertical line connecting $\hat{P}_2 + \hat{P}_2 = \hat{P}_1$ and $-(\hat{P}_2 + \hat{P}_2) = \hat{P}_2$. Solving for $u$ and $v$ we find that we have $y - 4 = 0$ for the line $u$, or $y + 1 = 0$ in $\mathbb{F}_5$. Similarly, we have $x = 0$ for the line $v$. Substituting these for $u$ and $v$ we get that
$$D + D = (\hat{P}_1) - (O) + \mathrm{div}\!\left(\frac{y+1}{x}\right)$$
If we add the divisor $D$ to this sum one more time we find that we are left with just the divisor of a rational function, because the terms of the divisor involving points on the curve cancel each other when we reach $3D = 3(\hat{P}_2) - 3(O)$, $\hat{P}_2$ being a point of order 3. At this step, the line $u$ through $\hat{P}_1$ and $\hat{P}_2$ is the vertical line $x = 0$, since $x = 0$ is the common $x$-coordinate that $\hat{P}_1$ and $\hat{P}_2$ share. We define the vertical line $v$ through the point $\hat{P}_1 + \hat{P}_2 = O$ to be 1. Thus, we have
$$3D = 3(\hat{P}_2) - 3(O) = (\hat{P}_2 + \hat{P}_1) - (O) + \mathrm{div}\!\left(\frac{y+1}{x}\cdot\frac{u}{v}\right) = (O) - (O) + \mathrm{div}\!\left(\frac{y+1}{x}\cdot\frac{x}{1}\right) = \mathrm{div}(y+1)$$

Definition 4.6 If $D$ is a divisor of the form $D = \sum_i a_i\,(P_i)$ then we define what it means to evaluate a rational function $f$ at $D$ by
$$f(D) = \prod_i f(P_i)^{a_i}$$

Example 4.6
(i) If $D = 2(P_1) - 3(P_2)$ then
$$f(D) = f(P_1)^2\, f(P_2)^{-3} = \frac{f(P_1)^2}{f(P_2)^3}$$
(ii) If $P = (2,3)$ and $Q = (0,1)$ are points on $E/\mathbb{F}_{11}$ (both lie on $y^2 = x^3 + 1$), $D$ is the divisor $D = (P) - (Q)$, and $f$ is the rational function $f(x,y) = y + 1$, then
$$f(D) = \frac{f(P)}{f(Q)} = \frac{3+1}{1+1} = 4 \cdot 2^{-1} = 4 \cdot 6 \equiv 2 \pmod{11}$$

In many cases, it is possible to exchange the roles of a function $f$ and a divisor $D$ in expressions like $f(D)$. This is formalized in the following.

Property 4.1 (Weil Reciprocity) Let $f$ and $g$ be rational functions defined on some field $F$. If $\mathrm{div}(f)$ and $\mathrm{div}(g)$ have disjoint support then we have that $f(\mathrm{div}(g)) = g(\mathrm{div}(f))$.

Example 4.7 Suppose that we have two rational functions $f$ and $g$ defined on $\mathbb{F}_{11}$ where
$$f(x) = \frac{x-2}{x-7} \qquad\text{and}\qquad g(x) = \frac{x-6}{x-5}$$
so that we have $\mathrm{div}(f) = (2) - (7)$ and $\mathrm{div}(g) = (6) - (5)$. Then
$$f(\mathrm{div}(g)) = \frac{f(6)}{f(5)} = \frac{7}{4} = 7 \cdot 3 = 10 \pmod{11}$$
and
$$g(\mathrm{div}(f)) = \frac{g(2)}{g(7)} = \frac{5}{6} = 5 \cdot 2 = 10 \pmod{11}$$

Definition 4.7 Divisors $D_1$ and $D_2$ are equivalent if they differ by a principal divisor, that is, $D = D_1 - D_2$ is a principal divisor.

Example 4.8
(i) If $f$ is a rational function, the divisors $(P) - (O)$ and $(P) - (O) + \mathrm{div}(f)$ are equivalent.
(ii) We can see that $(P + R) - (R)$ is equivalent to $(P) - (O)$ by using the line $u$ that goes through the points $P$, $R$ and $-(P+R)$ and the line $v$ that goes through the points $-(P+R)$ and $P+R$. Then we have that
$$\mathrm{div}(u) = (P) + (R) + (-(P+R)) - 3(O)$$
$$\mathrm{div}(v) = (-(P+R)) + (P+R) - 2(O)$$
so that
$$(P) - (O) = (P+R) - (R) + \mathrm{div}(u/v)$$
So the difference between $(P+R) - (R)$ and $(P) - (O)$ is a principal divisor, since it is the divisor of the rational function $u/v$, and $(P+R) - (R)$ is equivalent to $(P) - (O)$.

4.2 The Tate Pairing

Now that we have defined divisors and how to manipulate them, we can define the Tate pairing and describe how to calculate it. The Tate pairing operates on pairs of points $P \in E(\mathbb{F}_q)[n]$ and $Q \in E(\mathbb{F}_{q^k})$, and produces a result in $\mathbb{F}_{q^k}^*$. We write $e(P,Q)$ for the Tate pairing of the points $P$ and $Q$. For a point $P$ of order $n$, to get $e(P,Q)$ we first find a rational function $f_P$ so that $\mathrm{div}(f_P)$ is equivalent to $n(P) - n(O)$ and then evaluate $f_P$ at a divisor equivalent to $(Q) - (O)$. We can summarize this in the following.

Definition 4.8 Let $E/\mathbb{F}_q$ be an elliptic curve, $P \in E(\mathbb{F}_q)[n]$ and $Q \in E(\mathbb{F}_{q^k})$. Let $f_P$ be a rational function with $\mathrm{div}(f_P)$ equivalent to $n(P) - n(O)$ and $A_Q$ be a divisor equivalent to $(Q) - (O)$, with the support of $\mathrm{div}(f_P)$ and the support of $A_Q$ disjoint. Then the Tate pairing is defined to be $e(P,Q) = f_P(A_Q)$.

This definition does not produce a unique value, and will include a constant that is an $n$th power of some element of $\mathbb{F}_{q^k}$. It is not immediately obvious why the Tate pairing is well defined by this definition, so we should convince ourselves that this definition is actually independent of our choices for $f_P$ and $A_Q$. In doing so, we will see why the Tate pairing is only defined up to multiplication by an $n$th power of some constant. In the following we will see that it is easy to get rid of this unwanted constant, leaving a unique value.

Note that $f_P$ is defined up to a constant multiple. Applying the definition of evaluating a function at a divisor to such a constant multiple shows that this
has no influence on the value of $f_P(A_Q)$: a constant $c$ contributes the factor $c^{\sum_i a_i} = c^0 = 1$, because the coefficients of $A_Q$ sum to zero. So the value is independent of the choice of $f_P$. Now suppose that $D_1$ and $D_2$ are both divisors equivalent to $(Q) - (O)$, say $D_1 = D_2 + \mathrm{div}(g)$ for some rational function $g$. To be careful, we also need to assume that the support of $\mathrm{div}(f_P)$ is disjoint from the support of $\mathrm{div}(g)$. Then we have that
$$f_P(D_1) = f_P(D_2 + \mathrm{div}(g)) = f_P(D_2)\, f_P(\mathrm{div}(g)) = f_P(D_2)\, g(\mathrm{div}(f_P)) \quad\text{(by Weil reciprocity)}$$
$$= f_P(D_2)\, g(n(P) - n(O)) = f_P(D_2)\, g((P) - (O))^n$$
We can then abuse the notation of congruences slightly to write this as
$$f_P(D_1) \equiv f_P(D_2)$$
which we think of as meaning that $f_P(D_1) = f_P(D_2)$ up to a constant that is an $n$th power.

The examples of adding divisors above show how to find a divisor equivalent to $n(P) - n(O)$: we can add the divisor $(P) - (O)$ to itself $n$ times by using the divisors $\mathrm{div}(u)$ and $\mathrm{div}(v)$ that we get from the lines through various points on the elliptic curve, and after reaching $n(P) - n(O)$ we will be left with the divisor of a rational function, which we call $f_P$, once all of the terms involving the point $P$ have disappeared. To avoid the trouble of evaluating a function at the point at infinity that appears in $(Q) - (O)$, we can pick a random point $R$ on our elliptic curve and evaluate $f_P$ at $(Q + R) - (R)$ instead, which is equivalent to the divisor $(Q) - (O)$.

Because the point $P$ is of order $n$, if we repeatedly add the divisor $(P) - (O)$ to get $n(P) - n(O)$ using the technique that is summarized in (4.3), we find that we end up with the divisor of a rational function that is the product of terms of the form $u/v$, where $u$ is the line through two points (the points $P_1$ and $P_2$ in Figure 4.1, for example) on our elliptic curve and $v$ is the vertical line that passes through the point that is the sum of the same two points (the point $P_3$ in Figure 4.1, for example).

Suppose that $A_Q$ is a divisor of the form $(Q + R) - (R)$ that we get from a random $R \neq O$. Note that the requirement that the supports of the divisors $n(P) - n(O)$ and $A_Q$ are disjoint means that $Q + R \neq P$ and $R \neq P$ (and also $Q + R \neq O$, that is, $R \neq -Q$, since $O$ is in the support as well). We exclude these cases because they either reduce the value of the pairing to zero by introducing a factor of zero in a calculation, or cause a division by zero
error. An examination of Algorithms 4.2 through 4.4 should clarify the ways in which this can happen.

To give an example of how this works, we will use the same example that we used above to find $e(\hat{P}_2, \hat{P}_2)$. We found that $3(\hat{P}_2) - 3(O)$ is equivalent to the divisor $\mathrm{div}(y+1)$, so we have $f_{\hat{P}_2} = y + 1$. Next, we need a random point to add to $\hat{P}_2$, for which we pick $\hat{P}_4$, so we want to evaluate $f_{\hat{P}_2}$ at $(\hat{P}_2 + \hat{P}_4) - (\hat{P}_4) = (\hat{P}_3) - (\hat{P}_4)$, or we want to find $f_{\hat{P}_2}(\hat{P}_3)/f_{\hat{P}_2}(\hat{P}_4)$. Note that it is possible to pick a random point that causes division by zero, for example if we picked the point $\hat{P}_2$ in this example. If this happens, we can just pick another random point until we find one that works. Substituting the appropriate values from Table 3.2, we find that
$$e(\hat{P}_2, \hat{P}_2) = \frac{f_{\hat{P}_2}(\hat{P}_3)}{f_{\hat{P}_2}(\hat{P}_4)} = \frac{3}{4} = 3 \cdot 4^{-1} = 2 \in \mathbb{F}_5 \qquad (4.4)$$

As mentioned above, the Tate pairing has an additional multiplicative factor of $r^n$ for some $r \in \mathbb{F}_{q^k}$, so that we actually get $e(P,Q) = a\,r^n$ for some $a$ when we calculate it. From Property 2.13 we have that for any $\alpha \in \mathbb{F}_{q^k}^*$ we have $\alpha^{q^k-1} = 1$, so if we raise $a\,r^n$ to the power $(q^k-1)/n$ we get that
$$(a\,r^n)^{(q^k-1)/n} = a^{(q^k-1)/n}\, r^{q^k-1} = a^{(q^k-1)/n} \cdot 1 = a^{(q^k-1)/n}$$
so that such an exponentiation eliminates the extra multiplicative factor and leaves a unique result. Thus while $e(P,Q)$ is not unique, the additional exponentiation that gives us
$$e(P,Q)^{(q^k-1)/n}$$
determines a unique value, and is thus more suitable for many uses. The use of such an exponentiation to determine a unique value is called the final exponentiation and the unique value is called the reduced pairing. Note that this exponent is an integer only when $n$ divides $q^k - 1$; the smallest $k$ for which this holds is the embedding degree of $E$ with respect to $n$, and it is the $k$ used in the examples below.

Example 4.9
(i) Consider the case where we have $E/\mathbb{F}_{11}: y^2 = x^3 + x$ and $P = (5,3) \in E(\mathbb{F}_{11})[3]$. To find $f_P(x,y)$ we want to find the rational function so that $\mathrm{div}(f_P)$ is equivalent to the divisor $3(P) - 3(O)$. We get this through a repeated application of (4.3).
We want to find
$$3(P) - 3(O) = 3((P) - (O)) = ((P) - (O)) + ((P) - (O)) + ((P) - (O))$$
We can start calculating this by first finding
$$2(P) - 2(O) = 2((P) - (O)) = ((P) - (O)) + ((P) - (O))$$
by
$$(P) - (O) + (P) - (O) = (P) - (O) + \mathrm{div}(1) + (P) - (O) + \mathrm{div}(1) = (2P) - (O) + \mathrm{div}\!\left(\frac{y + 2x + 9}{x - 5}\right)$$
where $u$ is the tangent line $y + 2x + 9 = 0$ at $P$ and $v$ is the vertical line $x - 5 = 0$ through $2P = (5, 8)$. Then
$$3(P) - 3(O) = (2P) - (O) + \mathrm{div}\!\left(\frac{y+2x+9}{x-5}\right) + (P) - (O) + \mathrm{div}(1) = (3P) - (O) + \mathrm{div}\!\left(\frac{y+2x+9}{x-5}\cdot\frac{x-5}{1}\right) = (O) - (O) + \mathrm{div}(y+2x+9) = \mathrm{div}(y+2x+9)$$
since at this step $u$ is the line through $2P = (5,8)$ and $P = (5,3)$, which is the vertical line $x - 5 = 0$, and $v_{3P} = v_O = 1$. So
$$f_P(x,y) = y + 2x + 9$$
If we have $Q = (7,8)$ and $R = (10,3)$, then $Q + R = (9,10)$, and when we evaluate $f_P$ at $A_Q = (Q+R) - (R)$ we get
$$f_P((Q+R) - (R)) = \frac{f_P(Q+R)}{f_P(R)} = \frac{4}{10} = 4 \cdot 10^{-1} = 4 \cdot 10 \equiv 7 \pmod{11}$$
Thus $e(P,Q) = f_P(A_Q) = 7$.

(ii) Consider the case where we have $E/\mathbb{F}_{11}: y^2 = x^3 + 1$ and $P = (5,4) \in E(\mathbb{F}_{11})[4]$. Because $P$ is of order 4, to find $f_P(x,y)$ we want to find the rational function so that $\mathrm{div}(f_P)$ is equivalent to the divisor $4(P) - 4(O)$. We get this through a repeated application of (4.3). We want to find
$$4(P) - 4(O) = 4((P) - (O)) = ((P) - (O)) + ((P) - (O)) + ((P) - (O)) + ((P) - (O))$$
We can start calculating this by first finding
$$2(P) - 2(O) = 2((P) - (O)) = ((P) - (O)) + ((P) - (O))$$
by
$$(P) - (O) + (P) - (O) = (P) - (O) + \mathrm{div}(1) + (P) - (O) + \mathrm{div}(1) = (2P) - (O) + \mathrm{div}\!\left(\frac{y + 3x + 3}{x + 1}\right)$$
where $u$ is the tangent line $y + 3x + 3 = 0$ at $P$ and $v$ is the vertical line $x + 1 = 0$ through $2P = (10, 0)$. Then
$$3(P) - 3(O) = (2P) - (O) + \mathrm{div}\!\left(\frac{y+3x+3}{x+1}\right) + (P) - (O) + \mathrm{div}(1) = (3P) - (O) + \mathrm{div}\!\left(\frac{(y+3x+3)^2}{(x+1)(x+6)}\right)$$
since the line through $2P = (10,0)$ and $P$ is again $y + 3x + 3 = 0$ (the tangent at $P$ passes through $-2P = 2P$) and the vertical line through $3P = (5,7)$ is $x + 6 = 0$. And finally
$$4(P) - 4(O) = (3P) - (O) + \mathrm{div}\!\left(\frac{(y+3x+3)^2}{(x+1)(x+6)}\right) + (P) - (O) + \mathrm{div}(1) = (4P) - (O) + \mathrm{div}\!\left(\frac{(y+3x+3)^2}{x+1}\right) = (O) - (O) + \mathrm{div}\!\left(\frac{(y+3x+3)^2}{x+1}\right) = \mathrm{div}\!\left(\frac{(y+3x+3)^2}{x+1}\right)$$
since here $u$ is the vertical line $x + 6 = 0$ through $3P = (5,7)$ and $P = (5,4)$, and $v_{4P} = v_O = 1$, so that
$$f_P(x,y) = \frac{(y+3x+3)^2}{x+1}$$
If we have $Q = (5,7)$ and $R = (9,9)$, then $Q + R = (0,1)$, and when we evaluate $f_P$ at $A_Q = (Q+R) - (R)$ we get
$$f_P((Q+R) - (R)) = \frac{f_P(Q+R)}{f_P(R)} = \frac{5}{8} = 5 \cdot 8^{-1} = 5 \cdot 7 \equiv 2 \pmod{11}$$
Thus $e(P,Q) = f_P(A_Q) = 2$.

4.2.1 Properties of the Tate Pairing

As defined earlier, the Tate pairing has the following properties:
1. The Tate pairing is nondegenerate, that is, for each $P \in E(\mathbb{F}_q)[n] \setminus \{O\}$ there is some $Q \in E(\mathbb{F}_{q^k})$ with $e(P,Q) \neq 1$.
2. The Tate pairing is bilinear, that is, for each $P, P_1, P_2 \in E(\mathbb{F}_q)[n]$ and $Q, Q_1, Q_2 \in E(\mathbb{F}_{q^k})$ we have $e(P_1 + P_2, Q) = e(P_1, Q)\,e(P_2, Q)$ and $e(P, Q_1 + Q_2) = e(P, Q_1)\,e(P, Q_2)$.

To convince ourselves that the Tate pairing is bilinear, we need to consider two separate cases. To see that the Tate pairing is linear in its first parameter, let $f_{P_1}$, $f_{P_2}$, and $f_{P_1+P_2}$ be rational functions such that we have
$$\mathrm{div}(f_{P_1}) = n(P_1) - n(O), \qquad \mathrm{div}(f_{P_2}) = n(P_2) - n(O), \qquad \mathrm{div}(f_{P_1+P_2}) = n(P_1+P_2) - n(O)$$
Note that the divisor $D = (P_1 + P_2) - (P_1) - (P_2) + (O)$ is a principal divisor (its coefficients sum to 0 and its points sum to $O$), so it is the divisor of some rational function, say $\mathrm{div}(g) = D$. Then
$$\mathrm{div}(f_{P_1+P_2}) - \mathrm{div}(f_{P_1}) - \mathrm{div}(f_{P_2}) = n(P_1+P_2) - n(P_1) - n(P_2) + n(O) = nD = n\,\mathrm{div}(g) = \mathrm{div}(g^n)$$
so that
$$\mathrm{div}(f_{P_1+P_2}) = \mathrm{div}(f_{P_1}) + \mathrm{div}(f_{P_2}) + \mathrm{div}(g^n)$$
so we can write, up to a constant multiple,
$$f_{P_1+P_2} = f_{P_1}\, f_{P_2}\, g^n$$
Thus
$$e(P_1+P_2, Q) = f_{P_1+P_2}(A_Q) = f_{P_1}(A_Q)\, f_{P_2}(A_Q)\, g(A_Q)^n = e(P_1,Q)\, e(P_2,Q)\, g(A_Q)^n$$
So if we are ignoring $n$th powers, we find that $e(P_1+P_2, Q) = e(P_1,Q)\,e(P_2,Q)$ as desired.

To see that the Tate pairing is linear in the second parameter, let $A_{Q_1+Q_2}$ be a divisor equivalent to $(Q_1+Q_2) - (O)$, $A_{Q_1}$ be a divisor equivalent to $(Q_1) - (O)$ and $A_{Q_2}$ be a divisor equivalent to $(Q_2) - (O)$. Then $A_{Q_1+Q_2} - A_{Q_1} - A_{Q_2}$ is equivalent to $D = (Q_1+Q_2) - (Q_1) - (Q_2) + (O)$, which is a principal divisor. So $A_{Q_1+Q_2}$ is equivalent to $A_{Q_1} + A_{Q_2}$ because they differ by a principal divisor, and we saw above that $f_P$ takes the same value, up to $n$th powers, on equivalent divisors. Thus we can write
$$e(P, Q_1+Q_2) = f_P(A_{Q_1+Q_2}) \equiv f_P(A_{Q_1} + A_{Q_2}) = f_P(A_{Q_1})\, f_P(A_{Q_2}) = e(P,Q_1)\, e(P,Q_2)$$
A mapping that is nondegenerate and bilinear and is also efficiently computable is called a pairing, and such mappings are the fundamental primitives from which many cryptographic algorithms are constructed. On the other hand, the Tate pairing also has the following property that limits its usefulness because it returns the value 1 in many cases.

Property 4.2 (Galbraith) [3] Let $P \in E(\mathbb{F}_q)[n] \setminus \{O\}$ and $n$ relatively prime to $q$. Then to have $e(P,P) \neq 1$, we must have $k = 1$.

So for an embedding degree $k > 1$ we have $e(P,P) = 1$, which also means that $e(aP, bP) = e(P,P)^{ab} = 1$ for integers $a$ and $b$, so that the Tate pairing may not seem very useful at first. The following result provides insight into how to overcome this limitation.

Property 4.3 (Verheul) [4] Let $n$ be a prime, $P \in E(\mathbb{F}_q)[n] \setminus \{O\}$, $Q \in E(\mathbb{F}_{q^k})$ be linearly independent from $P$, and $k > 1$. Then we have that $e(P,Q)$ is nondegenerate.

So if we have $P \in E(\mathbb{F}_q)[n]$ and a nontrivial embedding degree, that is, we have $k > 1$, then one way to make sure that the Tate pairing $e(P,Q)$ is nondegenerate is to make sure that $Q$ is linearly independent of $P$. One way to do this is to use a distortion map, so that instead of computing $e(P,Q)$, we compute $e(P, \phi(Q))$ instead, where $\phi$ is an appropriate distortion map. Another way is to compute $e(P, \psi_d(Q))$ where $Q \in E'$ is on the twist of the elliptic curve $E$ and $\psi_d: E' \to E$ is the mapping defined in Section 3.3.1. In either case, we denote the resulting pairing by $\hat{e}(P,Q)$, where either $\hat{e}(P,Q) = e(P,\phi(Q))$ or $\hat{e}(P,Q) = e(P,\psi_d(Q))$ as appropriate, and call such an $\hat{e}$ the modified Tate pairing.

Example 4.10
(i) (Distortion Map). From Example 4.9(ii), where we have $E/\mathbb{F}_{11}: y^2 = x^3 + 1$ and $P = (5,4) \in E(\mathbb{F}_{11})[4]$, we get
$$f_P(x,y) = \frac{(y+3x+3)^2}{x+1}$$
If we have $Q = (5,7)$ and $R = (9,9)$, then $Q + R = (0,1)$, and when we evaluate $f_P$ at $A_Q = (Q+R) - (R)$ we get $e(P,Q) = f_P(A_Q) = 2 \in \mathbb{F}_{11}$, so that for the reduced Tate pairing we get
$$e(P,Q)^{(q^k-1)/n} = 2^{(11^2-1)/4} = 2^{30} \equiv 1 \pmod{11}$$
Here the embedding degree is $k = 2$, since 4 divides $11^2 - 1 = 120$ but not $11 - 1 = 10$, and $Q = (5,7) = -P$ lies in the cyclic group generated by $P$, so the degenerate value 1 is exactly what Property 4.2 predicts.
In this case, $\phi(x,y) = (\zeta x, y)$, where $\zeta = 5 + 3i$, is a distortion map for the point $Q$, and we find that $\phi(Q) = (3 + 4i, 7)$ and that $\phi(Q) + R = (3 + 10i, 10 + 2i)$ (both of these points satisfy $y^2 = x^3 + 1$ over $\mathbb{F}_{121} = \mathbb{F}_{11}(i)$, which is the check to make at each step). Thus, we have that
$$f_P((\phi(Q) + R) - (R)) = \frac{f_P(\phi(Q)+R)}{f_P(R)} = \frac{(10i)^2/(4+10i)}{8} = \frac{3 + 9i}{8} = (3 + 9i)\cdot 7 = 10 + 8i$$
so that for the reduced modified Tate pairing we get
$$e(P,\phi(Q))^{(q^k-1)/n} = (10 + 8i)^{(11^2-1)/4} = (10 + 8i)^{30} \equiv i \pmod{11}$$
which is an element of order 4 in $\mathbb{F}_{121}^*$: the modified pairing is nontrivial where the unmodified one returned 1.

(ii) (Twist). We have that $E': y^2 = x^3 + 10$ is the quadratic twist of $E/\mathbb{F}_{11}: y^2 = x^3 + 1$ that is created using the quadratic nonresidue $v = 10$. If $P = (5,4) \in E(\mathbb{F}_{11})[4]$, then from Example 4.9(ii) we get
$$f_P(x,y) = \frac{(y+3x+3)^2}{x+1}$$
In this case, we have
$$\psi_2(x,y) = (v^{-1}x,\; v^{-3/2}y) = (10x,\; iy)$$
If we have $Q = (3,2) \in E'$ and $R = (9,9)$, then $\psi_2(Q) = (8, 2i)$ and $\psi_2(Q) + R = (5 + 8i, 8i)$. Thus we have that
$$f_P((\psi_2(Q)+R) - (R)) = \frac{f_P(\psi_2(Q)+R)}{f_P(R)} = \frac{(4+8i)/(6+8i)}{8} = \frac{5i}{8} = 2i$$
so that for the reduced modified Tate pairing we get
$$e(P,\psi_2(Q))^{(q^k-1)/n} = (2i)^{(11^2-1)/4} = (2i)^{30} \equiv 10 \pmod{11}$$
(The factor $f_P(R) = 8 \in \mathbb{F}_{11}$ makes no difference to the reduced value, since $8^{30} = 1$ in $\mathbb{F}_{11}$; $(5i)^{30} \equiv 10$ as well.)

4.3 Miller's Algorithm

The technique that we used above to find a divisor equivalent to $n(P) - n(O)$, in which we iteratively find divisors equivalent to $(P) - (O)$, $2(P) - 2(O)$, ..., up to $n(P) - n(O)$ by a repeated application of (4.3), will certainly work, but it is extremely inefficient. In a typical cryptographic application, $n$ is typically at least $2^{160}$, so iterating in this way is impractical. Instead, the way we calculate $n(P) - n(O)$ is by the double-and-add technique, and finding a divisor equivalent to $n(P) - n(O)$ in this way is called Miller's algorithm [5].

Miller's algorithm is based on the observation that it is easy to generalize (4.3) to divisors $D_1 = (aP) - (O) + \mathrm{div}(f_1)$ and $D_2 = (bP) - (O) + \mathrm{div}(f_2)$ to find that
$$D_1 + D_2 = ((a+b)P) - (O) + \mathrm{div}\!\left(f_1 f_2\,\frac{u_{aP,bP}}{v_{(a+b)P}}\right)$$

We can formalize Miller's algorithm as follows. Pick an elliptic curve $E$ on which all of the following calculations will be performed. Let $P \in E(\mathbb{F}_q)[n]$ and $Q \in E(\mathbb{F}_{q^k})$ with
$$n = \sum_{i=0}^{t} b_i 2^i$$
so that $(b_t, \ldots, b_1, b_0)$ is the binary expansion of $n$, with $b_t = 1$ its leading bit. We start with $f = 1$, $S = P$, and $R$ a random point on $E$. We then do a double-and-add iteration through the binary expansion of $n$, performing the doubling step at each iteration and the adding step if the bit we are at is a 1. This will let us build the rational function equivalent to $n(P) - n(O)$ out of the repeatedly doubled terms, and we evaluate each of these terms at $(Q + R) - (R)$ as we calculate them. We do this by the following algorithms.

Algorithm 4.1: Tate Pairing (Miller's algorithm for computing the Tate pairing)
INPUT: Elliptic curve $E: y^2 = x^3 + ax + b$, $P \in E[n]$ with $n = \sum_{i=0}^{t} b_i 2^i$, $Q$
OUTPUT: $e(P,Q)$
1. $f \leftarrow 1$, $t \leftarrow \lfloor \log_2 n \rfloor$, $S \leftarrow P$, $R \leftarrow$ a random point of $E$ with $R \neq O$ and $Q + R \neq O$
2. For $i \leftarrow t - 1$ down to 0
3.   $f \leftarrow f^2 \cdot \dfrac{u_{S,S}(Q+R)\; v_{2S}(R)}{v_{2S}(Q+R)\; u_{S,S}(R)}$
4.   $S \leftarrow 2S$
5.   If $b_i = 1$
6.     $f \leftarrow f \cdot \dfrac{u_{S,P}(Q+R)\; v_{S+P}(R)}{v_{S+P}(Q+R)\; u_{S,P}(R)}$
7.     $S \leftarrow S + P$
8. Return $f$

Algorithm 4.2: v
INPUT: $P$, $Q$
OUTPUT: $v_P(Q)$
1. If $P = O$
2.   Return 1
3. Return $x_Q - x_P$

Algorithm 4.3: tangent_u
INPUT: $P$, $Q$ on an elliptic curve $E: y^2 = x^3 + ax + b$
OUTPUT: $u_{P,P}(Q)$
1. If $P = O$
2.   Return 1
3. If $y_P = 0$
4.   Return $v(P, Q)$
5. $m \leftarrow \dfrac{3x_P^2 + a}{2y_P}$
6. Return $y_Q - y_P - m\,x_Q + m\,x_P$

Algorithm 4.4: u
INPUT: $P_1$, $P_2$, $Q$
OUTPUT: $u_{P_1,P_2}(Q)$
1. If $P_1 = O$
2.   Return $v(P_2, Q)$
3. If $P_2 = O$ or $P_1 + P_2 = O$
4.   Return $v(P_1, Q)$
5. If $P_1 = P_2$
6.   Return tangent_u($P_1$, $Q$)
7. $m \leftarrow \dfrac{y_{P_2} - y_{P_1}}{x_{P_2} - x_{P_1}}$
8. Return $y_Q - y_{P_1} - m\,x_Q + m\,x_{P_1}$

Two cautions apply to Algorithm 4.1 in practice. Its output is the unreduced pairing, which still carries the arbitrary $n$th-power factor, so an implementation must apply the final exponentiation to the power $(q^k - 1)/n$ before comparing or using pairing values. And if any $u$ or $v$ evaluates to zero at $Q + R$ or $R$, which produces a zero factor or a division by zero, the random point $R$ must be discarded and a fresh one chosen, as discussed in Section 4.2.

References
[1] Lang, S., Elliptic Functions, New York: Springer-Verlag, 1987.
[2] Silverman, J., The Arithmetic of Elliptic Curves, New York: Springer-Verlag, 1986.
[3] Galbraith, S., "Supersingular Curves in Cryptography," Proceedings of Asiacrypt 2001, Gold Coast, Australia, December 9–13, 2001, pp. 495–513.
[4] Verheul, E., "Evidence That XTR Is More Secure Than Supersingular Elliptic Curve Cryptosystems," Journal of Cryptology, Vol. 17, No. 4, 2004, pp. 277–296.
[5] Miller, V., "The Weil Pairing and Its Efficient Calculation," Journal of Cryptology, Vol. 17, No. 4, 2004, pp. 235–261.
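The following Python program is an added worked example for this chapter, not code from the book: it implements Algorithm 4.1 together with the line functions of Algorithms 4.2–4.4 over $\mathbb{F}_{11}$ and $\mathbb{F}_{121} = \mathbb{F}_{11}(i)$, and reproduces Examples 4.9 and 4.10 on the curves $y^2 = x^3 + x$ and $y^2 = x^3 + 1$. The class and function names, the affine representation of points with $O$ written as None, and the embedding degree parameter k are this example's own choices. Run against the book's points it shows the checks a practitioner should make before trusting a pairing: the reduced pairing of $P$ with a point of $E(\mathbb{F}_{11})$ is 1 when $k = 2$ (Property 4.2), the modified pairings with the distortion map $\phi$ and the twist map $\psi_2$ are nontrivial (the former equal to $i$, an element of order 4), and the reduced pairing is bilinear.

```python
# Added example, not the book's code: Algorithm 4.1 with the line functions of
# Algorithms 4.2-4.4 over F_11 and F_121 = F_11(i), on the toy curves y^2 = x^3 + a x + b
# of Examples 4.9 and 4.10. All names are this example's own; nothing is of crypto size.
Q_PRIME = 11  # the field characteristic q of the examples

class F121:
    """a + b*i in F_11(i); since 11 = 3 (mod 4), -1 is a nonresidue and i^2 = -1."""
    def __init__(self, a, b=0):
        self.a, self.b = a % Q_PRIME, b % Q_PRIME
    def __add__(self, o):
        return F121(self.a + lift(o).a, self.b + lift(o).b)
    def __sub__(self, o):
        return F121(self.a - lift(o).a, self.b - lift(o).b)
    def __mul__(self, o):
        o = lift(o)
        return F121(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    __radd__, __rmul__ = __add__, __mul__
    def __truediv__(self, o):
        o = lift(o)
        inv_norm = pow(o.a * o.a + o.b * o.b, -1, Q_PRIME)  # ValueError when o == 0
        return self * F121(o.a * inv_norm, -o.b * inv_norm)  # multiply by conjugate/norm
    def __pow__(self, e):
        result = F121(1)
        for bit in bin(e)[2:]:  # left-to-right square-and-multiply
            result = result * result
            if bit == "1":
                result = result * self
        return result
    def __eq__(self, o):
        return (self.a, self.b) == (lift(o).a, lift(o).b)
    def __repr__(self):
        return f"{self.a}+{self.b}i" if self.b else str(self.a)

def lift(x):
    return x if isinstance(x, F121) else F121(x)

def pt(x, y):
    """Affine point with F_121 coordinates; the point at infinity O is None."""
    return (lift(x), lift(y))

def ec_add(a, P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b (b is never needed)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 + y2 == 0:  # Q = -P; this also covers doubling a point with y = 0
            return None
        m = (3 * x1 * x1 + a) / (2 * y1)
    else:
        m = (y2 - y1) / (x2 - x1)
    x3 = m * m - x1 - x2
    return (x3, m * (x1 - x3) - y1)

def v_line(P, Q):
    """Algorithm 4.2: vertical line through P evaluated at Q; v_O is the constant 1."""
    return F121(1) if P is None else Q[0] - P[0]

def u_line(a, P1, P2, Q):
    """Algorithms 4.3/4.4: line through P1, P2 (tangent if equal) evaluated at Q."""
    if P1 is None:
        return v_line(P2, Q)
    if P2 is None or ec_add(a, P1, P2) is None:  # P2 = O, or P1 + P2 = O (incl. y = 0)
        return v_line(P1, Q)
    if P1 == P2:
        m = (3 * P1[0] * P1[0] + a) / (2 * P1[1])
    else:
        m = (P2[1] - P1[1]) / (P2[0] - P1[0])
    return Q[1] - P1[1] - m * (Q[0] - P1[0])

def tate_pairing(a, P, n, Q, R):
    """Algorithm 4.1: unreduced e(P, Q) = f_P((Q+R) - (R)) for P of order n.
    R must keep the supports disjoint (R and Q+R avoid P and O); a bad R raises ValueError."""
    QR = ec_add(a, Q, R)
    f, S = F121(1), P
    for bit in bin(n)[3:]:  # bits of n below its leading 1, most significant first
        S2 = ec_add(a, S, S)  # doubling step: f <- f^2 * u_{S,S} / v_{2S}
        f = f * f * u_line(a, S, S, QR) * v_line(S2, R) / (v_line(S2, QR) * u_line(a, S, S, R))
        S = S2
        if bit == "1":  # addition step: f <- f * u_{S,P} / v_{S+P}
            SP = ec_add(a, S, P)
            f = f * u_line(a, S, P, QR) * v_line(SP, R) / (v_line(SP, QR) * u_line(a, S, P, R))
            S = SP
    assert S is None, "P does not have order n"
    return f

def reduced_pairing(a, P, n, Q, R, k=2):
    """Final exponentiation to the power (q^k - 1)/n removes the n-th-power ambiguity."""
    assert (Q_PRIME ** k - 1) % n == 0, "k must be the embedding degree: n | q^k - 1"
    return tate_pairing(a, P, n, Q, R) ** ((Q_PRIME ** k - 1) // n)

def distortion(Q):
    """Example 4.10(i): phi(x, y) = (zeta x, y) on y^2 = x^3 + 1, zeta = 5 + 3i."""
    return (F121(5, 3) * Q[0], Q[1])

def twist_map(Q):
    """Example 4.10(ii): psi_2(x, y) = (10 x, i y) from E': y^2 = x^3 + 10 onto E."""
    return (F121(10) * Q[0], F121(0, 1) * Q[1])
```

Calling `reduced_pairing(0, pt(5, 4), 4, distortion(pt(5, 7)), pt(9, 9))` returns `0+1i`, while the same call with `pt(5, 7)` in place of `distortion(pt(5, 7))` returns `1`. A mismatch with a hand calculation is usually a point-addition slip, and the curve equation is the cheap check: $(1 + 4i, 5)$ does not satisfy $y^2 = x^3 + 1$ over $\mathbb{F}_{121}$ (the left side is 3, the right side $9 + 3i$), so it cannot be $\phi(Q) + R$ in Example 4.10(i); the sum is $(3 + 10i, 10 + 2i)$ and the reduced value is $i$. In a real implementation $n$ has at least 160 bits and the final exponentiation is mandatory: comparing unreduced Miller outputs, or skipping the check that a reduced pairing is not 1, can leave a protocol deriving a "shared secret" that is either inconsistent between parties or a constant computable from public data.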
5 Cryptography and Computational Complexity

The goal of this chapter is to provide a framework for quantifying the security provided by IBE algorithms. As with any method of communicating securely, believing that the security provided by IBE is adequate requires making certain assumptions. On the other hand, any method of communicating securely requires some type of assumption, and the assumptions that we make in the case of IBE seem to be fairly reasonable compared to the assumptions required for other ways of communicating securely.

One way to communicate securely is to exchange messages in some secure fashion, perhaps by trusted couriers. This method cannot be defeated by computing power, but can be defeated through other means. If an adversary can intercept a courier carrying a message then they can certainly read it, for example. Or, the courier may decide to give the message to the adversary instead of to the intended recipient. So, an assumption that we need to make to trust such a system is that the couriers are trustworthy and will not be intercepted by an adversary.

A one-time pad offers another way to communicate securely. In this case, we generate a random key that is at least as big as the message that we want to encrypt and then securely distribute the random keys to the users with whom we want to communicate. This can be done in advance of the communication of the actual secure messages, so we can assume that users have their one-time pad handy when the need to communicate securely arises. They can then encrypt their messages using the one-time pad and send the encrypted message over an untrusted channel. In this case we have assumed that the one-time pad is truly
random, that it was distributed in a secure fashion, and that no part of it is ever used twice. If any of these assumptions fails, then such a system can easily be defeated.

With symmetric encryption algorithms like Triple-DES or AES, we reduce the amount of key material that needs to be securely distributed. In this case, we only need to distribute the key that is used in the symmetric algorithm instead of a key that is as long as the messages that we want to encrypt. So in addition to the same assumptions that we make in the case of a one-time pad system, we need to make an additional assumption if we use a symmetric encryption algorithm: that it is infeasible for an adversary to recover the original message from the encrypted message. This can be a significant assumption. There are typically no proofs that decrypting a message that has been encrypted with a symmetric algorithm is difficult, and we need to rely on the judgment of experts who have demonstrated an aptitude for finding weaknesses in symmetric algorithms in the past. If these experts cannot find any weaknesses, then we can assume that the symmetric algorithm is reasonably secure. This is an additional assumption that we need to accept if we are going to trust the security of using a symmetric algorithm. The tools available to an adversary will also determine how well we can trust a system that uses a symmetric algorithm. If an adversary can build a large-scale quantum computer, for example, then they will be able to perform computations that might be infeasible without such a device.

Public-key algorithms allow us to communicate securely with others with whom we have not previously exchanged cryptographic keys, so they reduce the difficulty and expense of managing keys. This increase in convenience and decrease in cost comes with an additional assumption. In the case of traditional public-key algorithms, where we use a digital certificate to manage a user's public key, we need to assume that the trusted third party (TTP) who created the certificate is trustworthy. If the TTP makes an error and associates an incorrect name of a user with a public key, we can easily be fooled into encrypting a message with the incorrect key. And since many deployments of traditional public-key technologies also archive copies of users' private keys, we also need to trust that the TTP that stores these keys does not provide them to unauthorized
users.

In the case of IBE, we have assumptions that are different from those that we make for traditional public-key technologies. Anyone can calculate a user's IBE public key from the user's identity and the correct IBE public parameters, but we need to assume that users receive the correct set of IBE public parameters. If we can trick a user into using public parameters of our own choosing, we can trick them into sending messages that we can easily decrypt. We also need to assume that the IBE private key generator (PKG) is authenticating users appropriately before granting IBE private keys to them. If we can trick the PKG into giving us an IBE private key that is meant for a different user, then we will be able to decrypt messages that are encrypted with that user's IBE public key.

In the case of both traditional public-key technologies and IBE, we also make an assumption about the intractability of certain number-theoretic calculations. If these calculations are sufficiently difficult for an adversary to perform, then we can reasonably assume that they cannot perform the calculations, and that our system is reasonably secure. On the other hand, this is also a significant assumption, because it is based on the best-known algorithm for performing certain calculations. If a new algorithm is discovered that can factor large integers efficiently, for example, then the assumptions behind some public-key technologies will need to be reexamined. Similarly, if large-scale quantum computers ever become available, then the assumptions behind many public-key technologies will need to be rethought, because the existence of quantum computers will make implementing efficient algorithms for factoring integers [1] and calculating discrete logarithms [1, 2] possible.

5.1 Cryptography

5.1.1 Definitions

The following interrelated definitions define the concepts from cryptography that we will refer to in later sections.

Definition 5.1 A negligible function is one that is asymptotically smaller than the reciprocal of any polynomial. More precisely, a function $\varepsilon: \mathbb{N} \to \mathbb{R}$ is negligible if for any $c \in \mathbb{N}$ there is an $n_0 \in \mathbb{N}$ such that we have $\varepsilon(n) < 1/n^c$ for all $n > n_0$.

Definition 5.2 A probabilistic algorithm whose running time is polynomial in $\log n$ is said to be efficient. The use of $\log n$ instead of $n$ is due to the fact that the parameters and keys that determine
the operation of cryptographic functions are traditionally measured in the number of bits comprising a parameter instead of in the size of the parameters themselves.

Definition 5.3 A calculation for which any efficient algorithm succeeds on random input with only negligible probability is said to be hard. A calculation that is not hard is easy. So a calculation for which there exists an efficient algorithm that succeeds on random input with a nonnegligible probability is easy. A useful encryption algorithm has the property that both encrypting and decrypting data is easy with the right key, but decrypting data without the right key is hard.

Definition 5.4 Plaintext is the information for which encryption provides privacy.

Definition 5.5 Ciphertext is the output of an encryption algorithm.

Definition 5.6 An encryption algorithm takes plaintext and a key as inputs and produces ciphertext as an output.

Definition 5.7 A decryption algorithm takes ciphertext and a key as inputs and produces plaintext as an output.

Definition 5.8 A cryptographic key is a value that defines the operation of an encryption or decryption algorithm. Values that are used for all users of a system are called parameters instead. While traditional public-key algorithms have only public and private keys, IBE algorithms typically also have a set of public parameters.

Definition 5.9 An asymmetric or public-key encryption algorithm is an encryption algorithm that uses two related keys: a public key and a private key, which have the property that given the public key it is hard to find the private key.

Definition 5.10 A randomized encryption algorithm is one that requires a random number as an input in addition to plaintext and a key.

Definition 5.11 Let $H$ be a hash function with inputs $x_1$ and $x_2$ and outputs $y_1$ and $y_2$. Then $H$ is a cryptographic hash function if it is efficient to compute and has the following three properties. Note that the word "difficult" is intentionally left ambiguous in this context because the security of most commonly used cryptographic hash functions is not based on computational problems for which it is easy to get accurate estimates of running times.
1. Collision resistance. It is difficult to find $x_1$ and $x_2$ with $x_1 \neq x_2$ and $H(x_1) = H(x_2)$.
2. Preimage resistance. Given any $y_1$ it is difficult to find an $x_1$ with $y_1 = H(x_1)$.
3. Second preimage resistance. Given an $x_1$ with $y_1 = H(x_1)$ it is difficult to find an $x_2$ with $x_1 \neq x_2$ and $y_1 = H(x_2)$.

5.1.2 Protection Provided by Encryption

There are six general categories of attacks that the use of encryption can protect against. In each of these cases, an attacker attempts to determine either a key needed to decrypt a message or the plaintext message that was encrypted.

1. Ciphertext-only attack. A ciphertext-only attack is carried out by an adversary who has access to only ciphertext. This is the most difficult attack for an adversary to carry out, and any cryptographic system needs to be resistant to such an attack to provide any level of security at all.

2. Known-plaintext attack. A known-plaintext attack is carried out by an adversary who has access to both plaintext and corresponding ciphertext. The matching plaintext and ciphertext need not comprise all of an encrypted message. This type of attack is very easy for an adversary to carry out, and protection against known-plaintext attacks is essential for any useful cryptographic system. Almost any type of information that is transmitted electronically has enough structure to guarantee some level of matching plaintext and ciphertext. The structure required by document or spreadsheet file formats can provide this, for example, as can the format of e-mail or other message formats. The structure of data can also provide the basis for a known-plaintext attack. Bytes representing ASCII text have some fixed bits while others can be guessed with a high probability, for example.

3. Chosen-plaintext attack. A chosen-plaintext attack is carried out by an adversary who can select the plaintext and then be given the corresponding ciphertext. Such an adversary could use this capability, for example, to create a list of all possible plaintext-ciphertext pairs and then decrypt any other encrypted messages that he observes by looking up the correct plaintext in this table. One way to counter such a capability in an adversary is to include random information with the plaintext that gets encrypted, so that a single plaintext message will typically get encrypted to a different ciphertext each time that it is encrypted.

4. Adaptive chosen-plaintext attack. In an adaptive chosen-plaintext attack, an adversary selects an initial plaintext message to encrypt and then selects the next plaintext messages that he encrypts based on the ciphertext that he receives from the previous encryption. He can repeat this process as often as needed to gather more information about the key being used. Otherwise, this attack has the same properties as a chosen-plaintext attack.

5. Chosen-ciphertext attack. In a chosen-ciphertext attack, an adversary selects a ciphertext and is able to obtain the corresponding plaintext. If an algorithm encrypts a particular plaintext to the same ciphertext every time it is encrypted then it is vulnerable to a chosen-ciphertext attack (indeed, for a public-key algorithm such deterministic encryption already fails against a chosen-plaintext attack, since the adversary can re-encrypt candidate plaintexts himself and compare), so many encryption algorithms add a random input to the plaintext to make such an attack infeasible. Portable devices like smart cards may be susceptible to chosen-ciphertext attacks, because they can often be obtained by an adversary. Being secure against adaptive chosen-ciphertext attacks is the standard level of security that is currently expected of public-key systems.

6. Adaptive chosen-ciphertext attack. In an adaptive chosen-ciphertext attack, an adversary selects an initial ciphertext message to decrypt and then selects the next ciphertext messages that he decrypts based on the plaintext that he receives from the previous decryption.

In the case of IBE, there are additional opportunities for attackers. In particular, when an attacker tries to recover the private key for a particular identity or recover a plaintext encrypted to a particular identity, he may also have the private keys that correspond to other identities. This leads to the following two additional cases that apply only to IBE schemes.

1. Chosen-identity attack. In a chosen-identity attack, also called a selective-identity attack, an adversary attempting to attack a particular private key or a ciphertext encrypted to a particular identity can choose any other identity and then use the private key for this identity to help him in his attack.

2. Adaptive chosen-identity attack. In an adaptive chosen-identity attack, an adversary can carry out a chosen-identity attack, and can then perform additional chosen-identity attacks based on the results of the first attack. He can then repeat this as often as he l
ikesinanattempttorecoveranIBEprivatekey,mastersecret,orplaintext.Notallencryptionschemesprotectagainstallcategoriesofattacks.Inparticular,theIBEalgorithmsdescribedinthisbookaresusceptibletochosen-ciphertextattacks,sothatanadditionalstepofprocessingneedstobeaddedpasttheapplicationoftheencryptionalgorithmtogetasystemthatwillresistsuchattacks.ThiscanbeaccomplishedthroughusingtheFujisaki-Okamototransform. CryptographyandComputationalComplexity955.1.3TheFujisaki-OkamotoTransformAtechniqueduetoFujisakiandOkamoto[3]transformsapublic-keyencryptionalgorithmwithfairlyweakpropertiesintoonewhichissecureagainstchosen-ciphertextattacks.Somepublic-keyalgorithmsarevulnerabletochosen-ciphertextattacks,andthistransformationcanbeusedtocreateamoresecureschemefromalesssecurealgorithm.Inparticular,letE(P,X,R)bearandomizedpublic-keyencryptionalgorithmthatencryptstheplaintextXusingtherandominputrandthepublickeyP;letDbethedecryptionfunctionthatcorrespondstoE;andletH1andH2becryptographichashfunctions.ThenforaplaintextmessageM,theencryptionalgorithmE′isresistanttochosen-ciphertextattacks,whereE′(P,M,r)=(C1,C2)=CwhereC1=E(P,r,H1(r,M))andC2=H2(r)⊕MTodecryptamessagethatisencryptedwiththishybridscheme,therecipientperformsthefollowingsteps:1.CalculateD(C1)=s.2.CalculateH2(s)⊕C2=M.3.Setr=H1(s,M)andcheckthatE(P,s,r)=C1.Ifthisisnottrue,raiseanerrorconditionandexit.4.OutputMasthedecryptionofC.5.2RunningTimesofUsefulAlgorithmsOnegoalofthetheoryofcomputationistoprovidetheframeworkneededtoclassifycomputationalproblemsaccordingtotheresourcesneededtosolvethem.Inparticular,theresourcesneededforanadversarytodefeattheprotectionprovidedbyencryptionisofinteresthere,andwewillusethisframeworktojustifywhycertainIBEalgorithmsarereasonablysecurewhentheirparametersarechosenappropriately.Themainfocushereistherunningtimerequiredto 
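As an added example that is not part of the book, the following Python code applies the transform above to a toy randomized scheme. The underlying $E(P, X, R)$ is ElGamal in $\mathbb{Z}_p^*$ for the Mersenne prime $p = 2^{127} - 1$ with base $g = 3$ (assumptions chosen only so that the hash-derived randomness has a large range; the group is not suitable for real use), $H_1$ and $H_2$ are built from SHA-256 with domain-separation prefixes (an assumption, since the book does not specify the hash functions), and all function names are mine.

```python
import hashlib
import secrets

# Toy group: Z_p^* for the Mersenne prime p = 2^127 - 1 with an arbitrary base g = 3.
# Both are assumptions for illustration; the group is not adequate for real use.
P_MOD = (1 << 127) - 1
G = 3


def keygen():
    sk = secrets.randbelow(P_MOD - 2) + 1            # sk in [1, p-2]
    return sk, pow(G, sk, P_MOD)


def H1(r, m):
    """H1(r, M): hash of r and the message, used as the encryption randomness R in [1, p-2]."""
    d = hashlib.sha256(b"FO-H1" + r.to_bytes(16, "big") + m).digest()
    return int.from_bytes(d, "big") % (P_MOD - 2) + 1


def H2(r, n):
    """H2(r): an n-byte mask derived from r (a counter-mode SHA-256 stream, an assumption)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"FO-H2" + r.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def E(pk, x, R):
    """The weak scheme E(P, X, R): ElGamal with the randomness R passed in explicitly."""
    return (pow(G, R, P_MOD), x * pow(pk, R, P_MOD) % P_MOD)


def D(sk, c1):
    """ElGamal decryption: v * u^(-sk); u^(p-1) = 1 lets us avoid a negative exponent."""
    u, v = c1
    return v * pow(u, P_MOD - 1 - sk, P_MOD) % P_MOD


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def fo_encrypt(pk, M):
    """E'(P, M, r) = (C1, C2) with C1 = E(P, r, H1(r, M)) and C2 = H2(r) xor M, r fresh."""
    r = secrets.randbelow(P_MOD - 3) + 2              # r in [2, p-2]
    return E(pk, r, H1(r, M)), xor(H2(r, len(M)), M)


def fo_decrypt(sk, pk, C):
    """Steps 1-4 of the decryption; returns None instead of a plaintext when the check fails."""
    C1, C2 = C
    s = D(sk, C1)                                     # 1. s = D(C1)
    M = xor(H2(s, len(C2)), C2)                       # 2. M = H2(s) xor C2
    R = H1(s, M)                                      # 3. R = H1(s, M) ...
    if E(pk, s, R) != C1:                             #    ... and E(P, s, R) must reproduce C1
        return None
    return M                                          # 4. output M


def tamper_results(sk, pk, C):
    """Decrypt three altered copies of C: C1's second component, C1's first component, and C2.
    Every alteration is a valid ElGamal ciphertext of something, so only the re-encryption
    check in step 3 rejects it (a false accept needs an H1 collision, probability about 2^-127)."""
    (u, v), C2 = C
    return (fo_decrypt(sk, pk, ((u, v * G % P_MOD), C2)),
            fo_decrypt(sk, pk, ((u * G % P_MOD, v), C2)),
            fo_decrypt(sk, pk, ((u, v), bytes([C2[0] ^ 0x01]) + C2[1:])))
```

The plain scheme `E` is malleable: multiplying the second component of a ciphertext by $g$ yields a ciphertext of $g$ times the original plaintext, which is exactly what a chosen-ciphertext adversary exploits. After the transform, every such alteration changes $s$ or $M$, hence $H_1(s, M)$, and step 3 rejects it.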
5.2 Running Times of Useful Algorithms

One goal of the theory of computation is to provide the framework needed to classify computational problems according to the resources needed to solve them. In particular, the resources needed for an adversary to defeat the protection provided by encryption are of interest here, and we will use this framework to justify why certain IBE algorithms are reasonably secure when their parameters are chosen appropriately. The main focus here is the running time required to solve certain computational problems, which is the way that the most widely accepted standard [4] defines cryptographic strength.

While many discussions of the running times of algorithms focus on the size of an input $n$, in the case of cryptography a more useful measure is the number of bits that it takes to represent an input. Thus we are more interested in running times that are expressed in terms of $\log n$ instead of in terms of $n$. So an algorithm that would often be thought of as having running time $O(\sqrt{n})$ is more usefully thought of as having the equivalent running time $O\!\left(e^{\frac{1}{2} \log n}\right)$, which makes it clearer that while an algorithm with such a running time might be considered relatively fast as a function of $n$, it is exponential, and so relatively slow, as a function of $\log n$.

5.2.1 Finding Collisions for a Hash Function

For most hash functions, finding a collision is easier than finding a preimage or a second preimage, so the strength of a cryptographic hash function is usually measured by the expected number of outputs that need to be computed to make the probability of finding a collision equal to 1/2. Finding the probability of a collision in a hash function is much like the so-called birthday problem, in which we want to find the probability that two people in a group of $k$ people share the same birthday. In this case, we can think of the birthday as being the output of a hash function that maps people to the day on which they were born.

To find this probability, it is easier to find the probability that all $k$ people have different birthdays. This is given by

$$p = \frac{364}{365} \cdot \frac{363}{365} \cdots \frac{365 - k + 1}{365} = \prod_{i=1}^{k-1} \frac{365 - i}{365}.$$

So we want the smallest $k$ for which $p < 1/2$, or

$$\prod_{i=1}^{k-1} \frac{365 - i}{365} < \frac{1}{2}.$$

Now we have

$$\prod_{i=1}^{k-1} \frac{365 - i}{365} \le \left( \frac{1}{k-1} \sum_{i=1}^{k-1} \frac{365 - i}{365} \right)^{k-1} \tag{5.1}$$

$$= \left( \frac{1}{(k-1)\,365} \left( (k-1)\,365 - \sum_{i=1}^{k-1} i \right) \right)^{k-1} = \left( 1 - \frac{k(k-1)}{2(k-1)\,365} \right)^{k-1} = \left( 1 - \frac{k}{2 \cdot 365} \right)^{k-1}$$

$$< e^{-\frac{k(k-1)}{2 \cdot 365}} \tag{5.2}$$

$$= e^{-\frac{k^2 - k}{2 \cdot 365}}, \tag{5.3}$$

where the inequality in (5.1) follows from the arithmetic-geometric mean inequality, and the inequality in (5.2) follows from the property that $1 - x < e^{-x}$ for $x > 0$.
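As an added example that is not part of the book, the following Python code carries the calculation above through for a general number of hash outputs $n$ ($n = 365$ recovers the birthday problem, $n = 2^{\text{bits}}$ a truncated hash) and then runs an actual birthday search against SHA-256 truncated to a chosen number of bits. The truncation width, the constructed message format and the function names are assumptions.

```python
import hashlib
import math


def p_no_collision(k, n=365):
    """Exact probability that k values drawn uniformly from n outputs are all distinct:
    prod_{i=1}^{k-1} (n - i)/n."""
    p = 1.0
    for i in range(1, k):
        p *= (n - i) / n
    return p


def p_no_collision_bound(k, n=365):
    """The bound exp(-(k^2 - k)/(2n)) from (5.3); never below the exact value."""
    return math.exp(-(k * k - k) / (2 * n))


def smallest_k_for_half(n=365):
    """Smallest k for which the exact probability of no collision drops below 1/2."""
    k = 1
    while p_no_collision(k, n) >= 0.5:
        k += 1
    return k


def trunc_hash(m, bits):
    """SHA-256 of m truncated to its low `bits` bits: an assumed toy hash with 2^bits outputs."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") & ((1 << bits) - 1)


def find_collision(bits):
    """Birthday search: hash distinct constructed messages until two share a truncated digest.
    Returns (m1, m2, hashes_computed); the pigeonhole principle bounds the loop at 2^bits + 1."""
    seen = {}
    for i in range(1, (1 << bits) + 2):
        m = b"message-%d" % i
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, i
        seen[h] = m
    raise AssertionError("unreachable: 2^bits + 1 distinct inputs must collide")
```

With `bits = 16` the search typically finishes after a few hundred hashes, close to $\sqrt{\pi \cdot 2^{16} / 2} \approx 321$, which is the square-root behaviour behind both this section and the collision-finding step of Pollard's rho algorithm.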
5.2.2 Pollard's Rho Algorithm

... we have

$$x_{i+1} = \begin{cases} y\,x_i & \text{if } x_i \in S_1 \\ x_i^2 & \text{if } x_i \in S_2 \\ g\,x_i & \text{if } x_i \in S_3 \end{cases}$$

where, as the recurrences for $a_i$ and $b_i$ below make explicit, $g$ is the generator of the group $G$ of order $n$, $y \in G$ is the element whose discrete logarithm $\log_g y$ is wanted, and $S_1$, $S_2$, $S_3$ are three sets that partition $G$.

We can think of the sequence $\{x_i\}$ as defining two sequences $\{a_i\}$ and $\{b_i\}$, where $x_i = g^{a_i} y^{b_i}$, with

$$a_{i+1} = \begin{cases} a_i & \text{if } x_i \in S_1 \\ 2a_i \bmod n & \text{if } x_i \in S_2 \\ a_i + 1 \bmod n & \text{if } x_i \in S_3 \end{cases} \qquad\qquad b_{i+1} = \begin{cases} b_i + 1 \bmod n & \text{if } x_i \in S_1 \\ 2b_i \bmod n & \text{if } x_i \in S_2 \\ b_i & \text{if } x_i \in S_3. \end{cases}$$

Then if we find $x_i$ and $x_{2i}$ with $x_i = x_{2i}$, we have found a case where $g^{a_i} y^{b_i} = g^{a_{2i}} y^{b_{2i}}$, or

$$y^{\,b_i - b_{2i}} = g^{\,a_{2i} - a_i}. \tag{5.7}$$

Taking the logarithm of (5.7) to the base $g$ we get $(b_i - b_{2i}) \log_g y \equiv a_{2i} - a_i \pmod n$, or

$$\log_g y \equiv \frac{a_{2i} - a_i}{b_i - b_{2i}} \pmod n.$$

There are a few cases where this algorithm will fail, such as when $b_i \equiv b_{2i} \pmod n$ and the division is impossible, which happens with a very small probability. If this happens, it is possible to repeat the algorithm with a different starting value until the failure is avoided, using an initial state of $x_0 = g^{a_0} y^{b_0}$ where $a_0$ and $b_0$ are random elements of $\mathbb{Z}_n$.

5.2.3 The General Number Field Sieve

The general number field sieve (GNFS) [7] is currently the best-known algorithm for factoring large integers. The GNFS is one of a family of factoring algorithms that are based on the "difference of squares" technique, which uses the observation that if we have $(x - y)(x + y) \equiv 0 \pmod n$, or

$$x^2 \equiv y^2 \pmod n,$$

then $\gcd(x - y, n)$ and $\gcd(x + y, n)$ are factors of $n$, although they may be either 1 or $n$. If $n$ is the product of two primes $p$ and $q$, then Table 5.1 lists the possible cases that may occur. Most, but not all, of these cases result in either $\gcd(x - y, n)$ or $\gcd(x + y, n)$ giving a nontrivial factor of $n$.

Table 5.1 Possible Cases for $x^2 \equiv y^2 \pmod n$, $n = pq$

p | (x+y)   p | (x-y)   q | (x+y)   q | (x-y)   gcd(x+y, n)   gcd(x-y, n)
Yes         Yes         Yes         Yes         n             n
Yes         Yes         Yes         No          n             p
Yes         Yes         No          Yes         p             n
Yes         No          Yes         Yes         n             q
Yes         No          Yes         No          n             1
Yes         No          No          Yes         p             q
No          Yes         Yes         Yes         q             n
No          Yes         Yes         No          q             p
No          Yes         No          Yes         1             n

The GNFS extends Dixon's algorithm [8] to number fields, extensions of the field of rational numbers, and picks parameters cleverly to get improved performance. The first step in Dixon's algorithm is to fix a set of factors $F = \{p_1, p_2, \ldots, p_m\}$ and to randomly generate integers $r_i$ such that $r_i^2 \bmod n$ is $F$-smooth. So we can think of such integers $r_i$ as vectors $(e_{i,1}, e_{i,2}, \ldots, e_{i,m})$, the components of which indicate the powers of the elements of $F$ in the factorization of $r_i^2 \bmod n$, so that

$$r_i^2 \equiv \prod_{j=1}^{m} p_j^{\,e_{i,j}} \pmod n.$$

Once we find a suitable $r_i$ we calculate a corresponding vector $v_i$ that represents the parity of each of the exponents of the primes in this factorization, so that $v_{i,j} = e_{i,j} \bmod 2$. If we can find $m + 1$ such vectors $v_i$ then we have $m + 1$ vectors, each of dimension $m$, so they must be linearly dependent over $\mathbb{Z}_2$. Thus there is a nonempty subset $U \subseteq \{1, 2, \ldots, m+1\}$ so that

$$\sum_{i \in U} v_i \equiv 0 \pmod 2.$$

Thus each of the exponents in $\prod_{i \in U} r_i^2$ is even, so that if we write

$$x = \prod_{i \in U} r_i \qquad \text{and} \qquad y = \prod_{j=1}^{m} p_j^{\,e_j}, \quad \text{where } 2 e_j = \sum_{i \in U} e_{i,j},$$

then we have that

$$x^2 = \prod_{i \in U} r_i^2 \equiv y^2 \pmod n.$$

Once we have found suitable $x$ and $y$ in this way, we then calculate $\gcd(x - y, n)$ or $\gcd(x + y, n)$, hoping to get a nontrivial factor of $n$. If we get either 1 or $n$ for both of these results, we start over and calculate new random values for $r_i$.

The GNFS increases the performance of this technique through a clever selection of parameters and by generalizing the set of factors, but the algorithm still has steps that are similar to the steps described earlier: pick a set of random values that are smooth relative to some set; after enough such values are generated, solve a system of equations to find a dependency that can be manipulated to get a difference of squares; and then calculate a greatest common divisor to get a nontrivial factor. The GNFS has an expected running time of

$$O\!\left( \exp\!\left( (64/9)^{1/3} (\log n)^{1/3} (\log \log n)^{2/3} \right) \right).$$

Thus a cryptanalytic attack based on using the GNFS is reasonably difficult for an attacker to carry out.
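As an added example that is not part of the book, the following Python code implements Dixon's algorithm as described above (random $r_i$, smoothness over a factor base, a dependency over $\mathbb{Z}_2$, and the gcd step), plus a helper that reports which row of Table 5.1 a given pair $(x, y)$ falls into. The modulus, factor base and random seed are assumptions chosen so that a run finishes instantly; the GNFS itself replaces the random $r_i$ by values found by sieving in a number field and is not shown.

```python
import random
from math import gcd


def factor_over_base(x, base):
    """Exponent vector (e_1, ..., e_m) of x over the factor base, or None if x is not base-smooth."""
    exps = []
    for p in base:
        e = 0
        while x % p == 0:
            x //= p
            e += 1
        exps.append(e)
    return exps if x == 1 else None


def gf2_dependency(vectors):
    """Gaussian elimination over GF(2). Returns a nonempty set U of row indices whose rows sum
    to 0 mod 2, or None if the rows are independent (impossible with more rows than columns)."""
    m = len(vectors[0])
    pivots = {}                                    # column -> (reduced row bits, history bits)
    for i, v in enumerate(vectors):
        vec = sum(bit << j for j, bit in enumerate(v))
        hist = 1 << i                              # which original rows were folded into `vec`
        for col in range(m):
            if vec >> col & 1:
                if col in pivots:
                    pvec, phist = pivots[col]
                    vec ^= pvec
                    hist ^= phist
                else:
                    pivots[col] = (vec, hist)
                    break
        if vec == 0:
            return {j for j in range(i + 1) if hist >> j & 1}
    return None


def dixon(n, base, seed=1, max_rounds=50):
    """Difference-of-squares factoring of n over `base`. Returns a nontrivial factor, or None."""
    rng = random.Random(seed)
    relations = []                                 # (r_i, e_i) with r_i^2 = prod p_j^e_ij (mod n)
    for _ in range(max_rounds):
        while len(relations) <= len(base):         # m + 1 relations force a dependency
            r = rng.randrange(2, n)
            if gcd(r, n) != 1:
                continue                           # a lucky factor; skipped to stay with the method
            exps = factor_over_base(r * r % n, base)
            if exps is not None:
                relations.append((r, exps))
        U = gf2_dependency([[e % 2 for e in exps] for _, exps in relations])
        x, total = 1, [0] * len(base)
        for i in U:
            r, exps = relations[i]
            x = x * r % n
            total = [t + e for t, e in zip(total, exps)]
        y = 1
        for p, e in zip(base, total):
            y = y * pow(p, e // 2, n) % n          # every e is even, so y^2 = prod r_i^2 (mod n)
        assert x * x % n == y * y % n
        for d in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < d < n:
                return d
        relations = [rel for i, rel in enumerate(relations) if i not in U]   # trivial: retry
    return None


def table_5_1_row(x, y, p, q):
    """For x^2 = y^2 (mod pq): which of p, q divide x+y and x-y, and the two gcds of Table 5.1."""
    n = p * q
    return ((x + y) % p == 0, (x - y) % p == 0, (x + y) % q == 0, (x - y) % q == 0,
            gcd(x + y, n), gcd(x - y, n))
```

`dixon(10403, [2, 3, 5, 7, 11, 13, 17, 19, 23, 29])` returns 101 or 103. The retry branch is the "start over" step of the text: a dependency with $x \equiv \pm y \pmod n$ gives only the trivial gcds, which for $n = pq$ happens in about half the cases of Table 5.1.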
5.2.4 The Index Calculus Algorithm

The index calculus algorithm is currently the best-known algorithm for calculating discrete logarithms in the multiplicative group of a finite field. It uses ideas that are very similar to those used in the GNFS, and can be traced back to the work of Kraitchik in 1922 [9]. In particular, let $g$ be a primitive element of $\mathbb{Z}_p^*$ and $F = \{p_1, p_2, \ldots, p_m\}$ be a set of primes. We then pick random exponents $z$ modulo $p - 1$ and calculate $g^z$. If $g^z$ is $F$-smooth then we can write

$$g^z = \prod_{i=1}^{m} p_i^{\,e_i}, \qquad \text{or} \qquad z \equiv \sum_{i=1}^{m} e_i \log_g p_i \pmod{p-1},$$

where we know the value of $z$ and all of the values of $e_i$. We continue this process until we find $m + 1$ such values of $z$ for which $g^z$ is $F$-smooth. Once we have $m + 1$ such values, we solve the resulting system of equations to find a unique solution for the $\log_g p_i$. This will then let us find the discrete logarithm of any $y \in \mathbb{Z}_p^*$. To do this we again generate random values of $z$ until we find a value of $z$ such that $y g^z$ is $F$-smooth. Using this value of $z$ we find that

$$\log_g y \equiv -z + \sum_{i=1}^{m} e_i \log_g p_i \pmod{p-1}. \tag{5.8}$$

We know all of the values appearing on the right-hand side of (5.8), so that we can thus calculate any such discrete logarithm. The index calculus algorithm has an expected running time of

$$O\!\left( \exp\!\left( (64/9)^{1/3} (\log n)^{1/3} (\log \log n)^{2/3} \right) \right),$$

where $n = p - 1$ is the order of the group $\mathbb{Z}_p^*$. Thus a cryptanalytic attack based on using the index calculus algorithm is reasonably difficult for an attacker to carry out. Although this discussion is specific to calculating discrete logarithms in $\mathbb{Z}_p^*$, it is also possible to extend this technique to $\mathbb{Z}_{p^n}^*$ [10].

5.2.5 Relative Strength of Algorithms

The traditional metric for comparing the relative strength of cryptographic algorithms is an ideal symmetric algorithm for which there is no way that an attacker can recover a secret key of $n$ bits that is easier than trying all $2^n$ possible $n$-bit keys to find the one that produces a known plaintext-ciphertext pair. Equating the running time of this computation to the time required by either Pollard's rho algorithm, the GNFS, or the index calculus algorithm, we can get an estimate for the bit strength or "computational entropy" of public-key algorithms. There have been many attempts [4, 11-13] at creating such estimates, all of which have produced slightly different results, but the estimates of [4] have been used in the most important cryptographic standards [14, 15]. These estimates seem to assume that an adversary will create a special-purpose machine to perform the calculations instead of using widely available computing resources like commodity desktop computers, so that practical difficulties, like the storage space required to solve the very large system of equations that the GNFS and index calculus algorithms require, are not considered. The estimates provided by this approach are summarized in Table 5.2. So, according to this approach, calculating a discrete logarithm in a group with a size of 256 bits by Pollard's rho algorithm takes roughly the same time as trying all possible 128-bit symmetric keys, which also takes roughly the same time as factoring a 3,072-bit integer or calculating a discrete logarithm in a finite field which has a size of 3,072 bits.

Table 5.2 Equivalent Cryptographic Strength Provided by Different Algorithms [4]

Bit Strength   Size of Group   Size of Integer or Finite Field
80             160             1,024
112            224             2,048
128            256             3,072
192            384             7,168
256            512             15,360

In 1998, the Electronic Frontier Foundation sponsored the construction of the DES Cracker [16], a special-purpose computer that used massively parallel computation on 36,864 custom processing units to test over 92 billion DES keys per second, which let it test all possible 56-bit DES keys in about 9 days. If we could build a machine that can test keys 1 million times faster than this, perhaps through a combination of more processing units and faster clock speeds, we would find that it would take over 117 trillion years to test all $2^{128}$ possible 128-bit keys. Table 5.3 lists various events in the future [17] and how many bits out of the 128 possible bits will have been tested as the events take place. This seems to indicate that 128 bits of strength is probably adequate for the foreseeable future.

Table 5.3 Progress Towards Testing All 128-Bit Keys on a Hypothetical Machine

Event                                          Years in the Future   Bits of Key Tested
Earth's continents collide                     250 million           110
Milky Way collides with the Andromeda galaxy   3 billion             114
Sun becomes a white dwarf                      8 billion             115

Fundamental limits on computation tell us that a 256-bit key is even more secure, because computation is not just logical, but also physical. Consider an AND gate: two bits go in but only one bit comes out. If we represent each bit by only a single electron, we can have two electrons entering the gate but only one leaving. The energy carried by this extra electron has to go somewhere, so we see that erasing a bit actually requires energy. This is summarized in Landauer's principle [18], a corollary of the second law of thermodynamics that tells us that erasing a bit costs at least $kT \log 2$ in energy, where $k = 1.38 \times 10^{-23}\ \mathrm{m^2\,kg\,s^{-2}\,K^{-1}}$ is Boltzmann's constant and $T$ is the temperature at which the operation takes place. Existing technologies are far from being limited by Landauer's principle, but it is a fundamental limit to computation that we cannot overcome if we need to erase bits to perform calculations, as all modern computers do. On the other hand, if we want to build a bigger and faster computer much like the DES Cracker, but one that tries all possible 256-bit AES keys, we find that Landauer's principle actually limits us, and that there is not enough energy in the visible universe to try all of these keys. So although 256 is a fairly small number, the number of possible 256-bit keys is a huge number, and this number is so large that we can never hope to try them all: fundamental limits on computation tell us that we can never do it, at least not with technology which requires bits to be erased when it operates.
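As an added example that is not part of the book, the following Python code reproduces the equivalences in Table 5.2 from the running times given earlier in this section: Pollard's rho costs about $\sqrt{n}$ group operations, so a group of $2s$ bits gives $s$ bits of strength, while the GNFS and index calculus running time is only asymptotic, so it is calibrated at one entry of the table (1,024 bits = 80 bits of strength, an assumption taken from the table itself) and then evaluated at the other sizes. The function names are mine.

```python
import math

LN2 = math.log(2)


def gnfs_log2_cost(bits):
    """log2 of L(n) = exp((64/9)^(1/3) (ln n)^(1/3) (ln ln n)^(2/3)) for an integer n
    of the given bit length; the o(1) term in the exponent is dropped."""
    ln_n = bits * LN2
    return (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / LN2


def gnfs_strength(bits, anchor_bits=1024, anchor_strength=80):
    """Bit strength of factoring / finite-field discrete logarithms at `bits`, calibrated so that
    the anchor size has exactly the anchor strength (the difference is exact, so no rounding drift)."""
    return anchor_strength + (gnfs_log2_cost(bits) - gnfs_log2_cost(anchor_bits))


def rho_strength(group_bits):
    """Pollard's rho: about 2^(b/2) steps in a group whose order has b bits."""
    return group_bits / 2


def gnfs_bits_for_strength(strength, anchor_bits=1024, anchor_strength=80):
    """Smallest integer or field size (in bits) whose calibrated GNFS strength reaches `strength`."""
    lo, hi = 256, 1 << 16
    while lo < hi:                       # binary search; gnfs_strength increases with bits
        mid = (lo + hi) // 2
        if gnfs_strength(mid, anchor_bits, anchor_strength) >= strength:
            hi = mid
        else:
            lo = mid + 1
    return lo


# Table 5.2 as (bit strength, group size, integer or field size).
TABLE_5_2 = [(80, 160, 1024), (112, 224, 2048), (128, 256, 3072), (192, 384, 7168), (256, 512, 15360)]


def compare_with_table():
    """Per table row: (strength, group bits implied by rho, table field bits, calibrated field bits)."""
    return [(s, 2 * s, field_bits, gnfs_bits_for_strength(s)) for s, _, field_bits in TABLE_5_2]
```

The calibrated curve lands within a few bits of the table (about 110 at 2,048 bits and 132 at 3,072 bits), which is as much agreement as a formula with its $o(1)$ term dropped can give; it also makes visible why the field sizes in the table grow so much faster than the group sizes.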
5.3 Useful Computational Problems

Some computational problems have the property that they are suitably hard, yet can be stated in terms of quantities that can be used to create public-key algorithms that get their cryptographic strength from the difficulty of the hard problem. In particular, computational problems whose best-known solution is calculated by Pollard's rho algorithm, the GNFS, or the index calculus algorithm are suitably difficult. The Diffie-Hellman key exchange [19], the first practical public-key algorithm, provides the motivation for many of the computational problems.

In the Diffie-Hellman key exchange, we have a cyclic group $G$ of prime order $p$ with generator $g$. The private key of a user is an element $a \in \mathbb{Z}_p^*$ and the corresponding public key is $g^a$. Suppose that we have two users, Alice and Bob, who want to agree upon a shared secret, and that Alice's private key is $a$ and Bob's private key is $b$, so that Alice's public key is $g^a$ and Bob's public key is $g^b$. Alice can obtain Bob's public key $g^b$ and then calculate $(g^b)^a = g^{ba} = g^{ab}$ from it, while Bob can obtain Alice's public key $g^a$ and then calculate $(g^a)^b = g^{ab}$ from it. By doing this, they both end up with the common value $g^{ab}$ which they can then use as a shared secret. The values $g$, $g^a$, and $g^b$ are public, but without the private values $a$ and $b$, it is believed to be hard for an adversary to calculate $g^{ab}$.

In the discussion below, this general framework is used to describe problems related to the Diffie-Hellman key exchange, so that $g$ will represent a generator of a multiplicative cyclic group, and $a$, $b$, and $c$ are elements of $\mathbb{Z}_p^*$. In cases where the group is an additive group, $P$ will represent a generator of the group. Where a pairing is needed, we will assume that we have $e : G_1 \times G_1 \to G_T$. Cases where $e : G_1 \times G_2 \to G_T$ can be similarly described.

In many cases there are two related problems: a computational problem and a decision problem. Solving a computational problem is roughly equivalent to calculating a correct answer, and if the relevant computational problem is hard then calculating a correct answer is hard. In some cases, this may not be good enough. In particular, we also want it to be difficult to guess a correct answer or to determine part of the correct answer. If the relevant decision problem is hard then guessing a correct answer or determining part of the correct answer is also hard.

5.3.1 The Computational Diffie-Hellman Problem

The computational Diffie-Hellman problem (CDHP) [20] models the situation in a Diffie-Hellman key exchange: given $g$, $g^a$, and $g^b$, calculate $g^{ab}$. Multiplicative notation is used because the multiplicative group of a finite field is the usual setting for implementing the Diffie-Hellman key exchange. The CDHP can also be written in additive notation as: given $P$, $aP$, $bP$, calculate $abP$.

One obvious way to solve this problem is to determine $b$ by calculating the discrete logarithm of $g^b$ and then to use that value of $b$ along with $g^a$ to calculate $(g^a)^b = g^{ab}$, so that solving the CDHP is no more difficult than calculating discrete logarithms. On the other hand, there is no guarantee that an adversary cannot determine some information about the shared secret from $g$, $g^a$ and $g^b$, perhaps being able to determine several of the bits of $g^{ab}$ but not all of them. To avoid such a possibility, another problem needs to be hard: the decision Diffie-Hellman problem.

5.3.2 The Decision Diffie-Hellman Problem

The decision Diffie-Hellman problem (DDHP) [21] is: given $g$, $g^a$, $g^b$, and $x$, determine whether or not $x = g^{ab}$. One obvious way to solve this problem is to determine $g^{ab}$ by solving the CDHP and then to compare this value of $g^{ab}$ to the given value of $x$. Thus solving the DDHP is no more difficult than the CDHP. If the DDHP is hard then it is hard to distinguish between $g^{ab}$ and any other element of $G$, so that $g^{ab}$ looks like a random element of $G$.

In some cases, the DDHP is much easier, particularly when a pairing is available. If we have a pairing, then we can calculate $e(g^a, g^b) = e(g, g)^{ab}$. If $x = g^{ab}$ then we will also have that $e(g, x) = e(g, g^{ab}) = e(g, g)^{ab}$, so that we can easily solve the DDHP by comparing $e(g^a, g^b)$ to $e(g, x)$.

Being able to calculate Legendre symbols in $\mathbb{Z}_p^*$ also makes solving the DDHP easy in $\mathbb{Z}_p^*$ when $g$ generates the whole group. The value $g^{ab}$ will be a square modulo $p$ exactly when the product $ab$ is even, which happens when either $a$ or $b$ is even, which will happen with probability 3/4 for random $a$ and $b$. On the other hand, a random $c$ is a square with probability 1/2. So the probability of $(g^{ab}/p)$ and $(c/p)$ being different is

$$\Pr\big((g^{ab}/p) = +1 \wedge (c/p) = -1\big) + \Pr\big((g^{ab}/p) = -1 \wedge (c/p) = +1\big) = (3/4)(1/2) + (1/4)(1/2) = 1/2.$$

A distinguisher that declares its input to be $g^{ab}$ whenever the Legendre symbol is $+1$ is therefore right with probability 3/4 when given $g^{ab}$ and with probability 1/2 when given a random $c$, an advantage of 1/4, which is a nonnegligible probability of success, and so the DDHP is easy in $\mathbb{Z}_p^*$ if $p$ is a prime, where we can calculate Legendre symbols. The leak comes from the even order of $\mathbb{Z}_p^*$: in a subgroup of large prime order every element is a square and the Legendre symbol reveals nothing, which is one reason the parameter choices of Section 5.4.2 use such subgroups. Although the DDHP is easy in $\mathbb{Z}_p^*$ itself, it is conjectured to be difficult in $\mathbb{Z}_{p^n}^*$ for $n > 1$. Groups in which the DDHP is easy and the CDHP is believed to be hard are sometimes called gap Diffie-Hellman groups.

Figure 5.1 shows the relationships between the various Diffie-Hellman problems, where the notation "Problem 1 → Problem 2" indicates that a solution to Problem 1 makes finding a solution to Problem 2 easy.

Figure 5.1 Relationship between the various Diffie-Hellman problems: discrete logarithm problem → computational Diffie-Hellman problem → decision Diffie-Hellman problem.

5.3.3 The Bilinear Diffie-Hellman Problem

The bilinear Diffie-Hellman problem (BDHP) [22] generalizes the CDHP to groups with a pairing. The BDHP is: given $P$, $aP$, $bP$, $cP$, calculate $e(P, P)^{abc}$. Additive notation is used because the setting for the BDHP is typically an elliptic curve group, where additive notation is traditional. The BDHP can also be written in multiplicative notation as: given $g$, $g^a$, $g^b$, $g^c$, calculate $e(g, g)^{abc}$.

Solving the BDHP is no more difficult than calculating discrete logarithms in either $G_1$ or $G_T$. If we can find the value of $c$ by calculating the discrete logarithm of $cP$ in $G_1$, then we can calculate $e(aP, bP)^c = (e(P, P)^{ab})^c = e(P, P)^{abc}$; or, if we can find the value of $c$ by calculating the discrete logarithm of $e(P, cP) = e(P, P)^c$ in $G_T$, then we can also calculate $e(P, P)^{abc}$ in a similar way.

Note that $f_P : G_1 \to G_T$ defined by $f_P(Q) = e(P, Q)$ is an isomorphism of $G_1$ onto the subgroup $\langle e(P, P) \rangle$ of $G_T$. If $f_P$ is easy to invert, that is, if we can easily calculate $f_P^{-1}(e(P, Q)) = Q$, then the BDHP is also easy. We can first calculate $g = e(aP, bP) = e(P, abP)$, then $f_P^{-1}(g) = abP$, and finally $e(abP, cP) = e(P, P)^{abc}$, solving the BDHP.

On the other hand, if $f_P$ is easy to invert, we can also easily solve the DDHP in $G_T$. Suppose that we have $g$, $g^a$, $g^b$, and $x$ in $G_T$. If $f_P^{-1}(g) = Q$ then we have $f_P^{-1}(g^a) = aQ$ and $f_P^{-1}(g^b) = bQ$. Suppose that $f_P^{-1}(x) = X$. If $x = g^{ab}$ then we will have $f_P^{-1}(x) = abQ$, so that $e(Q, X) = e(Q, abQ) = e(Q, Q)^{ab}$, while $e(aQ, bQ) = e(Q, Q)^{ab}$; so if $e(Q, X) = e(aQ, bQ)$ then $x = g^{ab}$.

Even if it is hard for an adversary to calculate $e(P, P)^{abc}$ from $P$, $aP$, $bP$, and $cP$, there is no guarantee that an adversary cannot determine some information about $e(P, P)^{abc}$ from $P$, $aP$, $bP$, and $cP$, perhaps being able to determine several of the bits of $e(P, P)^{abc}$ but not all of them. To avoid such a possibility, another problem needs to be hard: the decision bilinear Diffie-Hellman problem.

5.3.4 The Decision Bilinear Diffie-Hellman Problem

The decision bilinear Diffie-Hellman problem (DBDHP) [22] generalizes the DDHP. The DBDHP is: given $P$, $aP$, $bP$, $cP$, and $x$, determine whether or not $x = e(P, P)^{abc}$. Solving the DBDHP is no more difficult than calculating discrete logarithms in either $G_1$ or $G_T$. If we can find the value of $c$ by calculating the discrete logarithm of $cP$ in $G_1$, then we can calculate $e(aP, bP)^c = (e(P, P)^{ab})^c = e(P, P)^{abc}$ and compare it to $x$; or, if we can find the value of $c$ by calculating the discrete logarithm of $e(P, cP) = e(P, P)^c$ in $G_T$, then we can also calculate $e(P, P)^{abc}$ in a similar way. If the DBDHP is hard then it is hard to distinguish between $e(P, P)^{abc}$ and any other element of $G_T$, so that $e(P, P)^{abc}$ looks like a random element of $G_T$. Figure 5.2 shows the relationship between the various Diffie-Hellman problems and their bilinear variants, where the notation "Problem 1 → Problem 2" again indicates that a solution to Problem 1 makes finding a solution to Problem 2 easy.

5.3.5 q-Bilinear Diffie-Hellman Inversion

The $q$-bilinear Diffie-Hellman inversion problem ($q$-BDHIP) [23] is: given $P$, $aP$, $a^2P$, $\ldots$, $a^qP$, calculate $e(P, P)^{1/a}$. Solving the $q$-BDHIP is no more difficult than calculating discrete logarithms in either $G_1$ or $G_T$. If we can find the value of $a$ by calculating the discrete logarithm of $aP$ in $G_1$, then we can calculate $1/a$ and then calculate $e(P, P)^{1/a}$. Or, if we can find the value of $a$ by calculating the discrete logarithm of $e(P, aP) = e(P, P)^a$ in $G_T$, then we can also calculate $e(P, P)^{1/a}$ in a similar way.

Even if it is hard for an adversary to calculate $e(P, P)^{1/a}$ from $P$, $aP$, $a^2P$, $\ldots$, $a^qP$, there is no guarantee that an adversary cannot determine some information about $e(P, P)^{1/a}$ from $P$, $aP$, $a^2P$, $\ldots$, $a^qP$, perhaps being able to determine several of the bits of $e(P, P)^{1/a}$ but not all of them. To avoid such a possibility, another problem needs to be hard: the $q$-decision bilinear Diffie-Hellman inversion problem.

Figure 5.2 Relationship between the various Diffie-Hellman problems and their bilinear variants: the discrete logarithm, computational Diffie-Hellman and decision Diffie-Hellman problems in $G_1$ and in $G_T$, with the bilinear Diffie-Hellman problem and the decision bilinear Diffie-Hellman problem between them.
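As an added example that is not part of the book, the following Python code runs the Legendre-symbol distinguisher of Section 5.3.2 empirically: once in all of $\mathbb{Z}_p^*$, where it obtains the advantage of about 1/4 computed there, and once in the subgroup of quadratic residues, which has prime order and in which every element has Legendre symbol $+1$, so the same test learns nothing. The prime $p = 10007$ (for which $(p-1)/2 = 5003$ is prime), the generators and the number of trials are assumptions for illustration.

```python
import random

P_MOD = 10007          # assumption: p = 2q + 1 with q = 5003 prime
G_FULL = 5             # assumption: a quadratic non-residue, hence a generator of all of Z_p^*
G_SUB = 25             # 5^2 is a square, so it generates the order-q subgroup of squares


def legendre(x, p):
    """Legendre symbol (x/p) by Euler's criterion: x^((p-1)/2) is 1 for squares, p-1 otherwise."""
    r = pow(x, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def ddh_guess(candidate, p):
    """Guess 'this is g^{ab}' exactly when the candidate is a square: true for g^{ab} with
    probability 3/4 (ab even) but for a random group element only with probability 1/2."""
    return legendre(candidate, p) == 1


def advantage(g, order, p, trials, seed=0):
    """Estimate Pr[guess 'real' | real tuple] - Pr[guess 'real' | random tuple] over `trials`
    tuples drawn in the group <g> of the given order (a random c is a random power of g)."""
    rng = random.Random(seed)
    hits_real = hits_rand = 0
    for _ in range(trials):
        a, b = rng.randrange(1, order), rng.randrange(1, order)
        g_ab = pow(g, a * b, p)
        c = pow(g, rng.randrange(1, order), p)
        hits_real += ddh_guess(g_ab, p)
        hits_rand += ddh_guess(c, p)
    return (hits_real - hits_rand) / trials
```

`advantage(G_FULL, P_MOD - 1, P_MOD, 4000)` comes out near 0.25, while `advantage(G_SUB, (P_MOD - 1) // 2, P_MOD, 4000)` is exactly 0: moving to the prime-order subgroup removes the leak, which is the practical reason for the subgroup requirements in Section 5.4.2.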
5.3.6 q-Decision Bilinear Diffie-Hellman Inversion

The $q$-decision bilinear Diffie-Hellman inversion problem ($q$-DBDHIP) is: given $P$, $aP$, $a^2P$, $\ldots$, $a^qP$ and $x$, decide whether or not $x = e(P, P)^{1/a}$. Solving the $q$-DBDHIP is no more difficult than the $q$-BDHIP: if we can calculate $e(P, P)^{1/a}$ from $P$, $aP$, $a^2P$, $\ldots$, $a^qP$ we do so and compare it to $x$. If the $q$-DBDHIP is hard then it is hard to distinguish between $e(P, P)^{1/a}$ and any other element of $G_T$, so that $e(P, P)^{1/a}$ looks like a random element of $G_T$.

5.3.7 Cobilinear Diffie-Hellman Problems

In the case where we have a pairing $e : G_1 \times G_2 \to G_T$ with $G_1 \neq G_2$, it is necessary to modify the framework of all of the problems that use a pairing. This gives the cobilinear Diffie-Hellman problem (co-BDHP), which is: given $P$, $aP$, $bP \in G_1$ and $Q \in G_2$, calculate $e(P, Q)^{ab}$. The other problems involving a pairing $e : G_1 \times G_2 \to G_T$ can be generalized to related co-problems in a similar way. It is no more difficult to solve the co-BDHP than it is to calculate discrete logarithms in either $G_T$ or $G_1$, which is the same bound that occurs with the BDHP. The more general framework of the cobilinear Diffie-Hellman problems is more useful for describing general results, and some research publications use the term "BDHP" to describe what we call the "co-BDHP" to keep the familiar terminology in the more general setting. In the following we will often state simpler results in terms of the BDHP that can easily be generalized to the co-BDHP.

5.3.8 Integer Factorization

If $n$ is a composite integer with prime factorization $n = \prod_{i=1}^{k} p_i$, then the integer factorization problem is to determine one of the factors of $n$. If we can do this, we can divide $n$ by this factor and repeat the process until we find all of the factors of $n$. For a given integer $m$, determining whether or not $n$ has a factor less than $m$ is probably the most relevant related decision problem. Whether or not $n$ is composite can be determined efficiently by the AKS primality test [24].

5.3.9 Quadratic Residuosity

If $n$ is a composite integer, then the quadratic residuosity problem is: given $x$ modulo $n$, determine whether or not $x$ is a quadratic residue modulo $n$. The quadratic residuosity problem has been studied for many years, dating at least to 1801, when Gauss discussed the problem in his Disquisitiones Arithmeticae [25], and it is believed to be as difficult as integer factorization. Suppose that we can factor $n$ into the product of two distinct odd primes $p$ and $q$. In this case, $x$ is a quadratic residue modulo $n$ exactly when it is a square modulo $p$ and a square modulo $q$, each of which can be decided with a Legendre symbol. This can be generalized to integers with more general factorizations, so that solving the quadratic residuosity problem is no more difficult than integer factorization.

5.4 Selecting Parameter Sizes

5.4.1 Security Based on Integer Factorization and Quadratic Residuosity

If the difficulty of attacking a cryptographic algorithm is based on the difficulty of either the integer factorization problem or the quadratic residuosity problem, then we assume that an adversary attacking such systems will need to factor a large composite integer to defeat the protection provided by such algorithms. Table 5.2 gives the sizes of the composite integer that needs to be factored to attain standard levels of security against such an attack.

Example 5.1

(i) Suppose that we want a composite modulus for which solving the integer factorization problem is as difficult as attacking a 128-bit symmetric key. A 3,072-bit composite integer will accomplish this.

(ii) Suppose that we want a composite modulus for which solving the quadratic residuosity problem is as difficult as attacking an 80-bit symmetric key. A 1,024-bit composite integer will accomplish this.
5.4.2 Security Based on Discrete Logarithms

If the difficulty of attacking a cryptographic algorithm is based on the difficulty of any of the Diffie-Hellman problems, then we assume that an adversary attacking such systems will need to calculate a discrete logarithm to defeat the protection provided by such algorithms. There may be more than one way to calculate such discrete logarithms, and the parameters of a system using such algorithms need to reflect this.

Suppose that calculations are done in a group $G = \langle g \rangle$. An adversary can always use Pollard's rho algorithm to calculate the necessary discrete logarithms, so to be sufficiently secure, all calculations should be done in a group in which all subgroups are at least as big as the sizes shown in Table 5.2. Using a subgroup of prime order is an easy way to accomplish this. If calculations are done in a subgroup of the multiplicative group of a finite field, then the index calculus algorithm can also be used to calculate discrete logarithms, so if this is the case, then the size of the finite field also needs to be at least as big as the sizes shown in Table 5.2. Finally, if the adversary can calculate a pairing $e : G \times G \to \mathbb{F}_{q^k}^*$, he can also use the MOV reduction to map calculating discrete logarithms in $G$ to calculating discrete logarithms in the group generated by $e(g, g)$, so similar concerns about the subgroup size and the finite field size need to also be addressed in $\langle e(g, g) \rangle \subseteq \mathbb{F}_{q^k}^*$. Table 5.2 gives the sizes of the subgroups and finite fields that need to be used to attain standard levels of security against such attacks.

Example 5.2

(i) Suppose that we want an elliptic curve group in which solving the CDHP is as difficult as attacking an 80-bit symmetric key. In an elliptic curve group in which calculating a pairing is infeasible, requiring a group order of 160 bits makes calculating discrete logarithms as difficult as attacking an 80-bit symmetric key and will accomplish this.

(ii) Suppose that we want a subgroup $G$ of $\mathbb{Z}_p^*$ in which solving the CDHP is as difficult as attacking an 80-bit symmetric key. If $p$ is a prime and $G$ is of prime order, then requiring the order of $G$ to be at least 160 bits and $p$ to have at least 1,024 bits will make calculating discrete logarithms as difficult as attacking an 80-bit symmetric key and will accomplish this.

(iii) Suppose that we want groups $G_1 \subseteq E(\mathbb{F}_q)$ for some elliptic curve $E/\mathbb{F}_q$, $G_T \subseteq \mathbb{F}_{q^k}^*$ and a pairing $e : G_1 \times G_1 \to G_T$, and want solving the BDHP to be as difficult as attacking an 80-bit symmetric key. Requiring $G_1$ to be of prime order of at least 160 bits and $q^k$ to have at least 1,024 bits will make calculating discrete logarithms in both $G_1$ and $G_T$ as difficult as attacking an 80-bit symmetric key and will accomplish this.

5.5 Important Special Cases

The estimates of the difficulty in factoring an integer or in calculating a discrete logarithm assume that there is no additional structure that can be used to make the calculation even faster. This is not true in a few cases, and in these cases it is possible to either factor an integer or calculate a discrete logarithm much faster than in the average case. There are three particular cases that apply to calculating discrete logarithms in an elliptic curve group and additional cases that apply to factoring integers.

5.5.1 Anomalous Curves

Anomalous curves are elliptic curves for which $\#E(\mathbb{F}_p) = p$. The description of the algorithm used to efficiently calculate discrete logarithms on anomalous curves is beyond the scope of this book. Details are given in [26, 27]. This algorithm runs in linear time, making such curves unsuitable for use in most cryptographic applications.

5.5.2 Supersingular Elliptic Curves

Supersingular elliptic curves, as well as any other elliptic curves with a low embedding degree, are susceptible to the MOV reduction [28], in which it is possible to reduce the problem of calculating a discrete logarithm in an elliptic curve group to calculating a discrete logarithm in a finite field. This can be done as follows. Let $G_1$ be an elliptic curve group, $G_T$ be a multiplicative group of a finite field, and $e : G_1 \times G_1 \to G_T$ a pairing. Suppose that we have $P \in G_1$ and want to calculate the discrete logarithm of $aP$. If $e(P, P) = g$ then $e(P, aP) = e(P, P)^a = g^a$, so by calculating the discrete logarithm of $g^a \in G_T$ we find the value of $a$. If $G_1$ is an elliptic curve group of order $n$, for example, calculating a discrete logarithm in $G_1$ by Pollard's rho algorithm requires $O(\sqrt{n})$ time, while calculating a discrete logarithm in $G_T$ using the index calculus algorithm requires

$$O\!\left( \exp\!\left( (64/9)^{1/3} (\log n)^{1/3} (\log \log n)^{2/3} \right) \right)$$

time, which may be much less than the time to calculate a discrete logarithm in $G_1$.

To get 80 bits of strength with an ordinary elliptic curve, a subgroup $G$ of $E(\mathbb{F}_q)$ with an order of 160 bits is adequate. This is based on the running time of Pollard's rho algorithm for a 160-bit group order, which is roughly the same as the running time of the index calculus algorithm for a 1,024-bit finite field order. If we have that $E/\mathbb{F}_q$ is supersingular with an embedding degree of $k = 2$, for example, then we can also calculate a discrete logarithm in $G$ by calculating a discrete logarithm in $\mathbb{F}_{q^2}^*$ using the index calculus algorithm. In typical applications, the size of $q$ is roughly the same as the size of $\#E(\mathbb{F}_q)$, being no more than one or two bits larger, so we might have a 162-bit $q$ in this case. With such a $q$ we could use the MOV reduction to calculate discrete logarithms in $G$ by calculating discrete logarithms in a finite field with an order of only $2 \times 162 = 324$ bits, a calculation that is much easier than calculating a discrete logarithm in a finite field with an order of 1,024 bits.

It is, however, possible to attain the same levels of bit security with supersingular curves as with ordinary curves by using larger group orders. Increasing the size of this $q$ to 512 bits, for example, will increase $q^2$ to approximately 1,024 bits, making calculating discrete logarithms in $\mathbb{F}_{q^k}^*$ as difficult as attacking an 80-bit symmetric key. Note that there is nothing about supersingular curves aside from their low embedding degree that allows the MOV reduction to be carried out; even an ordinary curve with a low embedding degree is vulnerable to the MOV reduction. Because the calculation of pairings requires a curve with low embedding degree to make the pairing calculation feasible, all such curves need to have their parameters chosen so that they are secure even if an MOV reduction is possible.

5.5.3 Singular Elliptic Curves

Singular elliptic curves have discriminant $\Delta = 0$. Let $E/\mathbb{F}_q$ be a singular elliptic curve with singular point $P$. Then discrete logarithms in $E(\mathbb{F}_q) \setminus \{P\}$ can be calculated as discrete logarithms in a finite field as follows [29]:

1. If $P$ is a node, then discrete logarithms in $E(\mathbb{F}_q) \setminus \{P\}$ can be calculated as discrete logarithms in either $\mathbb{F}_q^*$ or $\mathbb{F}_{q^2}^*$, depending on the structure of the elliptic curve.

2. If $P$ is a cusp, then discrete logarithms in $E(\mathbb{F}_q) \setminus \{P\}$ can be reduced to discrete logarithms in $\mathbb{F}_q^+$, the additive group of the finite field $\mathbb{F}_q$.

Much like in the case of supersingular elliptic curves, it is possible to increase the size of the group to compensate for the reduced security that singular curves with a node have. On the other hand, the case of a singular curve with a cusp makes it easy to calculate discrete logarithms in $E(\mathbb{F}_q) \setminus \{P\}$, since discrete logarithms in an additive group are a matter of division, making them essentially useless for cryptographic applications. Because the structure of the group of points on a singular elliptic curve behaves more like a finite field than an elliptic curve group, the definition of an elliptic curve sometimes explicitly excludes singular curves.

5.5.4 Weak Primes

There are also cases where integer factorization is much easier than the general case due to either the structure of prime factors or the relationship between prime factors. One of these cases happens when one of the prime factors $p$ of an integer $n$ has the property that $p - 1$ is smooth relative to some set of prime powers $F = \{p_1, p_2, \ldots, p_l\}$. The algorithm that can use this information is Pollard's $p - 1$ algorithm [30]. This algorithm works in the following way. Let

$$m = \prod_{i=1}^{l} p_i$$

and suppose that $(p - 1) \mid m$, so that we can write $m = d(p - 1)$. Then for any value of $a$ with $\gcd(a, p) = 1$ we have

$$a^m = a^{(p-1)d} = (a^{p-1})^d \equiv 1 \pmod p,$$

so that we can write $a^m - 1 = pk$ for some $k$. And since $p$ is a factor of $n$ we can also write $n = pq$. Thus $\gcd(a^m - 1, n) = \gcd(pk, pq)$ is a divisor of $n$ that is strictly greater than 1, at least having $p$ as a factor, possibly being $n$ itself. So if we can find a value of $m$ such that $(p - 1) \mid m$ we find a factor of $n$ by calculating $\gcd(a^m - 1, n)$. Some values of $a$ will not provide any useful information, resulting in $\gcd(a^m - 1, n) = n$. In this case, we can pick another random $a$ with $\gcd(a, p) = 1$ and try again.

Other techniques can take advantage of other structures of prime factors or of the relationship between prime factors. Because of these techniques, some standards require the use of "strong primes" to create keys for algorithms that rely on integer factorization. In particular, [31] requires the following conditions to be met for such primes, where two primes $p$ and $q$ are needed to calculate a composite $n$ which must be difficult to factor:

1. All of $p \pm 1$ and $q \pm 1$ must contain a prime factor greater than $2^{100}$.
2. $\gcd(p - 1, q - 1)$ must be small.
3. If $pq$ has $1{,}024 + 256s$ bits, then $p/q$ must not be close to a small integer and $|p - q| > 2^{412 + 128s}$.
4. $p - q$ must contain a prime factor greater than $2^{100}$.

Requiring such strong primes is very conservative. Weak primes are fairly rare, so attempts to factor an integer that try to take advantage of the use of weak primes are very unlikely to succeed with most randomly generated primes. Despite this, some users of public-key cryptography feel that requiring the use of strong primes is necessary for their particular uses. When implementing cryptography, it is important to understand what assumptions the users of the resulting system are willing to make, because they are the ones who will trust the system to protect their data.

5.6 Proving Security of Public-Key Algorithms

In some cases it is easy to see the correspondence between being able to solve one of the computational problems and the ability of an adversary to attack a public-key system. The CDHP, for example, is modeled after what an adversary observes in a Diffie-Hellman key exchange and what the adversary wants to obtain in order to defeat the system. In other cases, however, the correspondence is not as clear. That the strength of some of the IBE algorithms that will be discussed in the following chapters is at least that of certain computational problems may be unclear due to the complexity of the algorithms, for example, and it is good to know that there are proofs that defeating them is at least as hard as computational problems that are believed to be hard.

To prove that a cryptographic algorithm is at least as strong as a certain computational problem, the typical technique is to assume that an adversary has an algorithm capable of defeating the cryptographic algorithm of interest, and to show that he can then use his attack algorithm to construct an algorithm that will solve the computational problem of interest. Thus if we believe that the computational problem is hard to solve, it is also hard to defeat the cryptographic algorithm. Note that this does not show that the cryptographic algorithm is actually secure; if we can solve the related computational problem then we can defeat the cryptographic algorithm. So to show that the Diffie-Hellman key exchange is at least as strong as the CDHP, we could show that an attacker capable of defeating the Diffie-Hellman key exchange can use his algorithm for doing this to solve the CDHP. This would not show that the Diffie-Hellman key exchange is secure, but instead shows that if an attacker can defeat the Diffie-Hellman key exchange then he could also accomplish something that is believed to be hard to do. If we believe that the CDHP is indeed hard to solve, then such a proof would also convince us that defeating the Diffie-Hellman key exchange is also hard.

There are two general classes of proofs that cryptographic algorithms are at least as difficult to defeat as the related computational problem is to solve. One type of proof models parts of the algorithm as oracles whose outputs are truly random. True random oracles are impossible to implement, so once a proof is obtained in this model, the random oracles are replaced by functions whose behavior is similar enough that the security of the system still seems plausible. Cryptographic hash functions are typically used for this. There are pathologi
calcases[32]wheresuchpracticalimplementationsarealwaysinsecuredespitetheproofofsecurityusingrandomoracles,butsuchbehaviorseemstoappearinonlythemostcontrivedofcases.Wesaythatsuchaproofisobtainedusingtherandomoraclemodel[33].Aproofthatdoesnotusesuchrandomoraclesissaidtousethestandardmodel.InthediscussionsofIBEschemes,theirproofsofsecuritywillbesummarizedbylistingacomputationalproblemandaprooftechnique.Anexampleofthisisthat,‘‘defeatingtheABCschemehasbeenprovenintherandomoraclemodeltobeatleastasdifficultassolvingtheXYZproblem.’’BythiswemeanthataproofhasshownthatanadversarycapableofconstructinganalgorithmthatletshimdefeattheABCschemecanusethisalgorithmtoefficientlysolvetheXYZproblem.SothatifwebelievethattheXYZproblemisappropriatelyhardthenitmustalsobehardtodefeattheABCscheme. 116IntroductiontoIdentity-BasedEncryption5.7QuantumComputingAlloftheruntimesmentionedearlierassumethatthealgorithmsareimple-mentedonacomputerthatcanbeimplementedusingexistingtechnology.Thistechnologyisimplementedusingdevicesthathavetheinternalstatesthatareeitheralogical‘‘0’’oralogical‘‘1’’thatarecommonlycalled‘‘bits.’’Theframeworkofquantummechanicsassumesthataquantumdeviceexistsinmultiplestatesatonce,withadevicehavingprobabilitiesofbeingineachofitsstates.Withsuchadeviceasinglestateisnotdecideduponuntilthestateismeasured,atwhichtimetheresultofthemeasurementisdeterminedbytheprobabilitiesofbeingineachofthepossiblestates.Thisallowsforthecreationofquantumbits,orqubits,thatarebothalogical‘‘0’’andalogical‘‘1’’atthensametime,andallowsforthecreationofcomputersthatcancalculateall2valuesofafunctiononnqubitsinasingleoperation.Acomputerbuiltofqubitsinsteadofclassicalbitsallowsfortheimplemen-tationofalgorithmsthatrunmuchmorequicklythanthebest-knownalgorithmsonclassicalcomputers.Inparticular,Grover’salgorithmcanbeusedtodefeatsymmetricalgorithmsandShor’salgorithmcanbeusedtodefeatmanysymmet-ricalgorithms.Eachofthesealgorithmsarerandom,reflectingtheprobabilisticnatureoftheunderlyingqubits,sothebestthattheycandoistore
5.7.1 Grover's Algorithm

Let $f: \{0, 1\}^n \to \{0, 1\}$ be an efficiently computable function. Then Grover's algorithm [34] finds a string $a \in \{0, 1\}^n$ such that $f(a) = 1$, if such a string exists, in $O(2^{n/2})$ time. So, if we have a symmetric encryption algorithm that uses $n$ bits of key and we have a matched plaintext-ciphertext pair, we can use the function

$$f(a) = \begin{cases} 1, & a \text{ produces the given plaintext-ciphertext pair} \\ 0, & \text{otherwise} \end{cases}$$

in Grover's algorithm so that finding $f(a) = 1$ corresponds to finding the desired symmetric key. So being able to implement such an attack reduces the level of security provided by this symmetric algorithm to no more than $n/2$ bits. Although this is a significant increase in performance over classical computers, being able to use Grover's algorithm does not make it easy to defeat symmetric algorithms; such a reduction is easy to deal with, and we can attain a goal of $n$ bits of strength by using a symmetric algorithm with $2n$ bits of strength against an adversary equipped with nonquantum computers.

5.7.2 Shor's Algorithm

Shor's algorithm [1] uses a fast implementation of a Fourier transform using qubits to factor an integer, and similar algorithms are known that can be used to calculate discrete logarithms in a finite field [1] or in an elliptic curve group [2]. Suppose that we want to factor the integer $n$. Shor's algorithm first uses the Fourier transform to find the period of an integer $a$ modulo $n$ where $\gcd(a, n) = 1$, that is, the smallest integer $r$ such that $a^r \equiv 1 \pmod n$, or equivalently such that $n \mid (a^r - 1)$. If $r$ is even then we can use it to write

$$a^r - 1 = \left(a^{r/2} - 1\right)\left(a^{r/2} + 1\right)$$

so that

$$n \mid \left(a^{r/2} - 1\right)\left(a^{r/2} + 1\right)$$

Because $r$ is the smallest integer such that $n \mid (a^r - 1)$, we cannot have either $n \mid (a^{r/2} - 1)$ or $n \mid (a^{r/2} + 1)$, so as long as $a^{r/2} \not\equiv -1 \pmod n$, $n$ must share a nontrivial factor with each of $a^{r/2} - 1$ and $a^{r/2} + 1$, and calculating $\gcd(n, a^{r/2} - 1)$ and $\gcd(n, a^{r/2} + 1)$ will find these factors.

Shor's algorithm has an expected running time of

$$O\left((\log n)^2 (\log \log n)(\log \log \log n)\right)$$

which makes an attack based on it easy for an attacker to carry out. Thus an algorithm which relies on integer factorization being hard is no longer reasonably secure if an adversary can use a quantum computer. And, unlike the case of using Grover's algorithm to attack a symmetric algorithm, it would not be possible to simply increase the size of a key to compensate for this attack: it would now be no more difficult to factor an integer than it is to multiply integers.

On the other hand, implementing Shor's algorithm requires a quantum computer with $2n$ qubits to factor an $n$-bit integer. Constructing quantum computers currently seems a daunting engineering task because of the extremely precise control that is required of the qubits during quantum calculations. If the qubits interact with each other or with the world outside the quantum computer, the effect is just like measuring the state of a qubit, causing some of the quantum information that it carries to be lost when the qubit collapses to a single state. Because of this, the difficulty of constructing quantum computers with large numbers of qubits seems to increase rapidly as the number of qubits increases. This will make it extremely difficult, if not impossible, to build a quantum computer that is capable of factoring integers of the sizes that are typically used in public-key cryptography. So even if it were possible to build a quantum computer capable of factoring a 1,024-bit integer, it might be the case that adding just a few additional bits to the size of the integer would be enough to make factoring the slightly larger integer impractical until quantum computing technology advances enough.

References

[1] Shor, P., "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer," SIAM Journal of Computing, Vol. 26, No. 5, 1997, pp. 1484–1509.
[2] Garcia, J., and R. Menchaca, "Quantum Cryptoanalysis of Elliptic Curve Systems," Computación y Sistemas, Vol. 4, No. 3, 2001, pp. 242–248.
[3] Fujisaki, E., and T. Okamoto, "Secure Integration of Asymmetric and Symmetric Encryption Schemes," Proceedings of CRYPTO '99, Santa Barbara, CA, August 20–24, 1999, pp. 537–554.
[4] Barker, E., et al., Recommendation for Key Management—Part 1: General (Revised), NIST Special Publication 800-57, Part 1, Washington, D.C.: U.S. Government Printing Office, 2007.
[5] Pollard, J., "Monte Carlo Methods for Index Computation (mod p)," Mathematics of Computation, Vol. 32, No. 143, 1978, pp. 918–924.
[6] Floyd, J., "Non-Deterministic Algorithms," Journal of the ACM, Vol. 14, No. 4, 1967, pp. 636–644.
[7] Buhler, J., H. Lenstra, and C. Pomerance, "Factoring Integers with the Number Field Sieve," in The Development of the Number Field Sieve, H. Lenstra (ed.), Heidelberg, Germany: Springer-Verlag, 1993, pp. 50–94.
[8] Dixon, J., "Asymptotically Fast Factorization of Integers," Mathematics of Computation, Vol. 36, No. 153, 1981, pp. 255–260.
[9] Kraitchick, M., Théorie des Nombres, Vol. 1, Paris: Gauthier-Villars, 1922.
[10] Hellman, M., and J. Reyneri, "Fast Computation of Discrete Logarithms in GF(q)," Proceedings of CRYPTO '82, Santa Barbara, CA, August 23–25, 1982, pp. 3–13.
[11] Lenstra, A., and E. Verheul, "Selecting Cryptographic Key Sizes," Journal of Cryptology, Vol. 14, No. 4, 2001, pp. 255–293.
[12] Gehrmann, C., and M. Näslund, ECRYPT Yearly Report on Algorithms and Keysizes (2006), European Network of Excellence for Cryptology Report D.SPA.21, 2007.
[13] Orman, H., and P. Hoffman, "Determining Strengths for Public Keys Used for Exchanging Symmetric Keys," RFC 3766, 2004.
[14] National Institute of Standards and Technology, Security Requirements for Cryptographic Modules, Federal Information Processing Standard 140-2, Washington, D.C.: U.S. Government Printing Office, 2001.
[15] American National Standards Institute, Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, American National Standard for Financial Services X9.42-2003, Annapolis, MD: American National Standards Institute, 2003.
[16] Electronic Frontier Foundation, Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design, Sebastopol, CA: O'Reilly, 1998.
[17] Barrow, J., and F. Tipler, The Anthropic Cosmological Principle, Oxford, U.K.: Oxford University Press, 1988.
[18] Landauer, R., "Irreversibility and Heat Generation in the Computing Process," IBM Journal of Research and Development, Vol. 5, No. 3, 1961, pp. 183–191.
[19] Diffie, W., and M. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644–654.
[20] Joux, A., and K. Nguyen, "Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups," Journal of Cryptology, Vol. 16, No. 4, 2003, pp. 239–247.
[21] Boneh, D., "The Decision Diffie-Hellman Problem," Algorithmic Number Theory Third International Symposium, Portland, OR, June 21–25, 1998, pp. 48–63.
[22] Boneh, D., and M. Franklin, "Identity Based Encryption from the Weil Pairing," SIAM Journal of Computing, Vol. 32, No. 3, pp. 586–615.
[23] Boneh, D., and X. Boyen, "Efficient Selective-ID Secure Identity-Based Encryption without Random Oracles," Proceedings of EUROCRYPT 2004, Interlaken, Switzerland, May 2–6, 2004, pp. 223–238.
[24] Agrawal, M., N. Kayal, and N. Saxena, "PRIMES Is in P," Annals of Mathematics, Vol. 160, No. 2, 2004, pp. 781–793.
[25] Gauss, K., Disquisitiones Arithmeticae, Leipzig: Fleischer, 1801.
[26] Blake, I., G. Seroussi, and N. Smart, Advances in Elliptic Curve Cryptography, Cambridge, U.K.: Cambridge University Press, 2005.
[27] Silverman, J., The Arithmetic of Elliptic Curves, New York: Springer-Verlag, 1985.
[28] Menezes, A., T. Okamoto, and S. Vanstone, "Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field," IEEE Transactions on Information Theory, Vol. 39, No. 5, 1993, pp. 1639–1646.
[29] Menezes, A., and S. Vanstone, "A Note on Cyclic Groups, Finite Fields, and the Discrete Logarithm Problem," Applicable Algebra in Engineering, Communication and Computing, Vol. 3, No. 1, 1992, pp. 67–74.
[30] Pollard, J., "Theorems on Factorization and Primality Testing," Proceedings of the Cambridge Philosophical Society, Vol. 76, 1974, pp. 521–528.
[31] American National Standards Institute, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), American National Standard for Financial Services X9.31-1998, Annapolis, MD: American National Standards Institute, 1998.
[32] Canetti, R., O. Goldreich, and S. Halevi, "The Random Oracle Methodology, Revisited," Proceedings of the ACM Symposium on Theory of Computing, Dallas, TX, May 23–26, 1998, pp. 209–218.
[33] Bellare, M., and P. Rogaway, "Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols," Proceedings of the ACM Conference on Computer and Communications Security, Fairfax, VA, November 3–5, 1993, pp. 62–73.
[34] Grover, L., "From Schrödinger's Equation to Quantum Search Algorithm," American Journal of Physics, Vol. 69, No. 7, 2001, pp. 769–777.

6 Related Cryptographic Algorithms

IBE algorithms are very similar to other public-key algorithms, and understanding these other algorithms may provide some insight into the nature of the IBE algorithms. In particular, Goldwasser-Micali encryption uses Jacobi symbols to encrypt information on a bit-by-bit basis, and provides the framework for understanding the Cocks IBE algorithm that is discussed in Chapter 7. The Diffie-Hellman key exchange and its elliptic curve variant provide the basic framework for using the difficulty of calculating discrete logarithms to create a public-key encryption scheme. Joux's generalization of these schemes uses a pairing to allow three users to securely agree upon a common shared secret. The combination of the Diffie-Hellman scheme and Joux's scheme provides some insight into the operation of the Boneh-Franklin IBE scheme that is discussed in Chapter 8, and provides some insight into the operation of the Sakai-Kasahara IBE scheme that is discussed in Chapter 10. ElGamal encryption provides some insight into the operation of the Boneh-Boyen IBE scheme that is discussed in Chapter 9.

All of the following descriptions of algorithms assume that two participants, traditionally called Alice and Bob, want to communicate securely, while an eavesdropper named Eve does her best to determine the content of the secret messages that Alice and Bob exchange. In the case where a third legitimate participant is needed, Charlie is assumed to have joined Alice and Bob.

6.1 Goldwasser-Micali Encryption

Goldwasser-Micali encryption [1] uses the quadratic residuosity problem to create a public-key scheme. It works in the following way. Bob starts by generating a pair of random primes $p$ and $q$ and calculating $n = pq$. He then picks a random $y \in \mathbb{Z}_n^*$ so that $y$ is a quadratic nonresidue modulo $n$, but the Jacobi symbol $(y/n) = +1$. To do this, Bob can first find one quadratic nonresidue $a$ modulo $p$ and another quadratic nonresidue $b$ modulo $q$ and then calculate $y$ by solving the system of congruences

$$y \equiv a \pmod p$$
$$y \equiv b \pmod q$$

by Gauss' algorithm to find $y$. This $y$ will then have the property that

$$\left(\frac{y}{n}\right) = \left(\frac{y}{p}\right)\left(\frac{y}{q}\right) = (-1)(-1) = +1$$

as desired. Once $y$ is computed, Bob's public key is the pair $(y, n)$ and his private key is the pair $(p, q)$.

Alice then encrypts her message a bit at a time to Bob, who then decrypts the received message a bit at a time. To encrypt a message bit $m$ to Bob, Alice performs the following steps:

1. Alice picks a random $x \in \mathbb{Z}_n^*$.
2. If $m = 1$, then Alice sets $c = yx^2 \pmod n$, otherwise she sets $c = x^2 \pmod n$.
3. Alice sends the ciphertext $c$ to Bob.

To decrypt the ciphertext $c$, Bob performs the following steps:

1. Bob calculates the Legendre symbol $e = (c/p)$.
2. If $e = 1$, then Bob decrypts $c$ to 0, otherwise he decrypts $c$ to 1.

If the message bit sent by Alice is $m = 0$, then $c = x^2 \pmod n$ is a quadratic residue modulo $n$. By Property 2.8 we have that $c$ is a quadratic residue modulo $p$ if and only if $c$ is a quadratic residue modulo $n$, so that Bob will calculate

$$e = \left(\frac{c}{p}\right) = \left(\frac{x^2}{p}\right) = \left(\frac{x^2}{n}\right) = +1$$

and decrypt $c$ to 0 correctly. If the message bit sent by Alice is $m = 1$, then $c = yx^2 \pmod n$ is a quadratic nonresidue modulo $n$, so that Bob will calculate

$$e = \left(\frac{c}{p}\right) = \left(\frac{yx^2}{p}\right) = \left(\frac{y}{p}\right)\left(\frac{x^2}{p}\right) = (-1)(+1) = -1$$

and decrypt $c$ to 1 correctly.
Related Cryptographic Algorithms 123

On the other hand, if Eve observes the ciphertext $c$, she needs to determine whether or not $c$ is a quadratic residue modulo $n$, which is exactly the quadratic residuosity problem.

Because it encrypts a single bit at a time, the Goldwasser-Micali encryption scheme is vulnerable to an adaptive chosen-ciphertext attack. Suppose that Eve has the plaintext $(m_1, m_2, \ldots, m_k)$ and corresponding ciphertext $(c_1, c_2, \ldots, c_k)$ that is encrypted to Bob, and that she wants to obtain the plaintext corresponding to the ciphertext $(c_1', c_2', \ldots, c_k')$. She can then send the message $(c_1', c_2, \ldots, c_k)$ to Bob and observe his reaction. If Bob uses the ciphertext as a shared secret that he uses to derive a session key, for example, Eve can check to see if Bob creates the same session key from $(c_1', c_2, \ldots, c_k)$ that he does from $(c_1, c_2, \ldots, c_k)$ to determine whether the decryptions of $c_1$ and $c_1'$ are the same or different. Eve can then repeat this process to recover the additional bits of the decryption of $(c_1', c_2', \ldots, c_k')$, recovering a single bit every time she repeats this process.

Example 6.1

Suppose that Bob wants to generate a Goldwasser-Micali public and private key. First Bob picks two primes $p$ and $q$. Suppose that he picks $p = 7$ and $q = 11$, so that $n = pq = 77$. He then picks a quadratic nonresidue modulo $p$ and another quadratic nonresidue modulo $q$ and uses the Chinese remainder theorem to find the value of $y$. Suppose that he picks the quadratic nonresidues 3 modulo 7 and 2 modulo 11. In this case he solves the congruences

$$y \equiv 3 \pmod 7$$
$$y \equiv 2 \pmod{11}$$

to get $y \equiv 24 \pmod{77}$. Thus Bob's public key is $(y, n) = (24, 77)$ and his private key is $(p, q) = (7, 11)$.

Suppose that Alice wants to encrypt the bit "1" to Bob. She obtains Bob's public key $(y, n) = (24, 77)$ and picks a random $x \in \mathbb{Z}_{77}^*$. In this case, suppose that she picks $x = 17$. Then to encrypt the bit "1" to Bob she calculates the ciphertext $c = yx^2 \pmod n = 24 \cdot 17^2 \pmod{77} \equiv 6 \pmod{77}$. She then sends the ciphertext 6 to Bob. Upon receiving the ciphertext 6, Bob calculates the Legendre symbol $e = (c/p) = (6/7) = -1$, which he then decrypts to "1."
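The Goldwasser-Micali scheme of Section 6.1, as an added example that is not the book's own code: key generation by the Chinese remainder theorem, bit-by-bit encryption and decryption, and a check of Example 6.1. The Legendre symbol is computed by Euler's criterion rather than by the book's Algorithm 2.2, and the `jacobi_from_factors` helper (named here, not in the book) shows why an observer who only computes $(c/n)$ learns nothing about the bit.

```python
import math
import secrets

def legendre(c, p):
    """Legendre symbol (c/p) for an odd prime p, computed by Euler's criterion."""
    c %= p
    if c == 0:
        return 0
    return 1 if pow(c, (p - 1) // 2, p) == 1 else -1

def crt2(a, p, b, q):
    """Solve y = a (mod p), y = b (mod q) for coprime p, q (Gauss' algorithm)."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)

def gm_keygen(p, q, a=None, b=None):
    """Bob's key generation. y is a nonresidue modulo p and modulo q, so
    (y/n) = (y/p)(y/q) = (-1)(-1) = +1 while y is a nonresidue modulo n."""
    if a is None:  # smallest quadratic nonresidue modulo p
        a = next(v for v in range(2, p) if legendre(v, p) == -1)
    if b is None:
        b = next(v for v in range(2, q) if legendre(v, q) == -1)
    if legendre(a, p) != -1 or legendre(b, q) != -1:
        raise ValueError("a and b must be quadratic nonresidues")
    y = crt2(a, p, b, q)
    return (y, p * q), (p, q)          # public key (y, n), private key (p, q)

def gm_encrypt_bit(m, pub, x=None):
    """Alice: c = y x^2 (mod n) for m = 1 and c = x^2 (mod n) for m = 0."""
    y, n = pub
    while x is None or math.gcd(x, n) != 1:   # random x in Z_n^*
        x = secrets.randbelow(n - 1) + 1
    return (y * x * x) % n if m == 1 else (x * x) % n

def gm_decrypt_bit(c, priv):
    """Bob: (c/p) is +1 exactly when c is a square modulo n (Property 2.8)."""
    p, _q = priv
    return 0 if legendre(c, p) == 1 else 1

def gm_encrypt(bits, pub):
    return [gm_encrypt_bit(b, pub) for b in bits]

def gm_decrypt(cts, priv):
    return [gm_decrypt_bit(c, priv) for c in cts]

def jacobi_from_factors(c, priv):
    """(c/n) = (c/p)(c/q). Eve can compute this from n alone (here the factors
    are used only for brevity); it is +1 for every ciphertext whatever m is."""
    p, q = priv
    return legendre(c, p) * legendre(c, q)

def example_6_1():
    """Reproduces Example 6.1: returns (y, n), (p, q), the ciphertext, the bit."""
    pub, priv = gm_keygen(7, 11, a=3, b=2)
    c = gm_encrypt_bit(1, pub, x=17)
    return pub, priv, c, gm_decrypt_bit(c, priv)
```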
6.2 The Diffie-Hellman Key Exchange

The Diffie-Hellman key exchange [2] was the first practical public-key algorithm. The Diffie-Hellman key exchange produces a secret that is shared between Alice and Bob and that is difficult for Eve to determine from what she observes by watching the communications between Alice and Bob. Its security is based on the difficulty of calculating discrete logarithms in a prime-order subgroup $G$ of the multiplicative group $\mathbb{F}_q^*$. Let $g$ be a generator of $G$ and $G$ be of order $p$. Then the Diffie-Hellman key exchange has the following four steps:

1. Alice chooses a random $a \in \mathbb{Z}_{p-1}^*$ and calculates $g^a$, which she sends to Bob.
2. Bob chooses a random $b \in \mathbb{Z}_{p-1}^*$ and calculates $g^b$, which he sends to Alice.
3. Alice receives $g^b$ and calculates the shared secret $K = (g^b)^a$.
4. Bob receives $g^a$ and calculates the shared secret $K = (g^a)^b$.

Note that the range allowed for the integers $a$ and $b$ is from 1 to $p - 2$. If $a$ were allowed to be $p - 1$, for example, then by Euler's theorem we would have that $g^a \equiv 1 \pmod p$, so that the shared secret $K$ ends up being 1, and an adversary observing the transmission of $g^a$ will then be able to easily recover $K$.

At the end of these steps, Alice and Bob both have the shared secret $K = g^{ab}$. Eve's task is to recover $K = g^{ab}$ given $g$, $g^a$ and $g^b$, which is exactly the CDHP, which is assumed to be as hard as calculating discrete logarithms in $G$.

On the other hand, because there is absolutely no authentication of either Alice or Bob in the steps listed above, it is easy for Eve to mount a man-in-the-middle attack against Alice and Bob. She does this by positioning herself between Alice and Bob and carrying out a legitimate Diffie-Hellman key exchange with each of Alice and Bob, after which she uses the shared secrets constructed in this way to securely communicate with each of the unsuspecting pair. Eve's man-in-the-middle attack is carried out in the following steps:

1. Alice chooses a random $a \in \mathbb{Z}_{p-1}^*$ and calculates $g^a \bmod p$, which she unknowingly sends to Eve.
2. Eve chooses a random $e \in \mathbb{Z}_{p-1}^*$ and calculates $g^e \bmod p$, which she sends to Alice.
3. Alice receives $g^e \bmod p$ from Eve and calculates the shared secret $K_1 = (g^e)^a \bmod p$.
4. Eve receives $g^a \bmod p$ from Alice and calculates the shared secret $K_1 = (g^a)^e \bmod p$.
5. Eve sends $g^e \bmod p$ to Bob.
6. Bob chooses a random $b \in \mathbb{Z}_{p-1}^*$ and calculates $g^b$, which he sends to Eve, believing her to be Alice.
7. Eve receives $g^b$ from Bob and calculates the shared secret $K_2 = (g^b)^e$.
8. Bob receives $g^e$ from Eve and calculates the shared secret $K_2 = (g^e)^b$.

At this point Eve has established two shared secrets: $K_1$, which is shared with Alice, and $K_2$, which is shared with Bob. Suppose that Alice sends a message to Bob that is encrypted using the shared secret $K_1$. Eve can then intercept this message, use the shared secret $K_1$ to decrypt messages from Alice that are encrypted using the shared secret $K_1$, and then reencrypt the message using the shared secret $K_2$ which she shares with Bob. Bob will then be able to decrypt the message using the shared secret $K_2$, which he believes is only in the possession of him and Alice.

Example 6.2

Suppose that Alice and Bob want to use the Diffie-Hellman key exchange to create a shared secret. Suppose that all calculations are done in the subgroup of $\mathbb{F}_{59}^*$ of order 29, which has generator $g = 2$. They can do this in the following steps.

1. Alice chooses a random $a \in \mathbb{Z}_{28}^*$, say $a = 7$, and calculates $g^a = 2^7 \equiv 10 \pmod{59}$, which she sends to Bob.
2. Bob chooses a random $b \in \mathbb{Z}_{28}^*$, say $b = 23$, and calculates $g^b = 2^{23} \equiv 47 \pmod{59}$, which he sends to Alice.
3. Alice receives the value 47 from Bob and calculates the shared secret $K = 47^a = 47^7 \equiv 13 \pmod{59}$.
4. Bob receives the value 10 from Alice and calculates the shared secret $K = 10^b = 10^{23} \equiv 13 \pmod{59}$.

6.3 Elliptic Curve Diffie-Hellman

There is nothing special about the group $\mathbb{F}_q^*$ that is used in the Diffie-Hellman key exchange, and any other group in which it is hard to calculate discrete logarithms can be used in its place. In particular, an elliptic curve group $E(\mathbb{F}_q)$ can be used in this way. The security of the resulting algorithm is then based on the difficulty of calculating discrete logarithms in the group $E(\mathbb{F}_q)$. Let $G$ be a subgroup of $E(\mathbb{F}_q)$ of prime order $p$ generated by $P$. Then the elliptic curve Diffie-Hellman key exchange [3] has the following five steps:
1. Alice chooses a random $a \in \mathbb{Z}_p^*$ and calculates $aP$, which she sends to Bob.
2. Bob chooses a random $b \in \mathbb{Z}_p^*$ and calculates $bP$, which he sends to Alice.
3. Alice receives $bP$ and calculates the shared secret $K = a(bP)$.
4. Bob receives $aP$ and calculates the shared secret $K = b(aP)$.
5. If $K = O$ then raise an error condition and restart at step 1.

At the end of these steps, Alice and Bob both have the shared secret $K = b(aP)$. Eve's task is to recover $K = a(bP)$ given $P$, $aP$, and $bP$, which is exactly the CDHP, which is assumed to be as hard as calculating discrete logarithms in $G$. The elliptic curve Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack just like the Diffie-Hellman key exchange is.

Example 6.3

Suppose that Alice and Bob want to use the elliptic curve Diffie-Hellman key exchange to create a shared secret. Suppose that $E$ is the elliptic curve $E: y^2 = x^3 + 1$, and let $G$ be the subgroup of order 11 of $E(\mathbb{F}_{131})$ generated by $P = (98, 58)$. They can do this in the following steps.

1. Alice chooses a random $a \in \mathbb{Z}_{11}^*$, say $a = 7$, and calculates $aP = 7(98, 58) = (33, 100)$, which she sends to Bob.
2. Bob chooses a random integer $b \in \mathbb{Z}_{11}^*$, say $b = 5$, and calculates $bP = 5(98, 58) = (34, 23)$, which he sends to Alice.
3. Alice receives $(34, 23)$ from Bob and calculates the shared secret $K = a(34, 23) = 7(34, 23) = (128, 57)$.
4. Bob receives $(33, 100)$ from Alice and calculates $K = b(33, 100) = 5(33, 100) = (128, 57)$.
5. $K \neq O$, so no error condition is raised.

6.4 Joux's Three-Way Key Exchange

Another generalization of the Diffie-Hellman key exchange is due to Joux [4], who noticed that a clever use of a pairing allows for the creation of a way to allow three participants to agree upon a shared secret in a secure way. To do this, let $G_1$ and $G_T$ be groups of prime order $p = |G_1| = |G_T|$, let $\hat{e}: G_1 \times G_1 \to G_T$ be a pairing, and let $P$ be a generator of $G_1$. Then Joux's three-way key exchange has the following seven steps:
1. Alice chooses a random $a \in \mathbb{Z}_p^*$ and calculates $aP$, which she sends to Bob and Charlie.
2. Bob chooses a random $b \in \mathbb{Z}_p^*$ and calculates $bP$, which he sends to Alice and Charlie.
3. Charlie chooses a random $c \in \mathbb{Z}_p^*$ and calculates $cP$, which he sends to Alice and Bob.
4. Alice receives $bP$ and $cP$ and calculates the shared secret $K = \hat{e}(bP, cP)^a = \hat{e}(P, P)^{abc}$.
5. Bob receives $aP$ and $cP$ and calculates the shared secret $K = \hat{e}(aP, cP)^b = \hat{e}(P, P)^{abc}$.
6. Charlie receives $aP$ and $bP$ and calculates the shared secret $K = \hat{e}(aP, bP)^c = \hat{e}(P, P)^{abc}$.
7. If $K = O$, raise an error condition and restart at step 1.

At the end of these steps, each of Alice, Bob, and Charlie has the shared secret $\hat{e}(P, P)^{abc}$. Eve's task is to recover $K = \hat{e}(P, P)^{abc}$ given $P$, $aP$, $bP$, and $cP$, which is exactly the BDHP, which is assumed to be as hard as calculating discrete logarithms in either $G_1$ or $G_T$. Joux's three-way key exchange is vulnerable to a man-in-the-middle attack just like the Diffie-Hellman key exchange is.

Example 6.4

Suppose that Alice, Bob, and Charlie want to use Joux's three-way key exchange to create a shared secret. Suppose that $E$ is the elliptic curve $E/\mathbb{F}_{131}: y^2 = x^3 + 1$. Let $G_1$ be the subgroup of order 11 of $E(\mathbb{F}_{131})$ with generator $P = (98, 58)$ and let $G_T$ be the subgroup of $(\mathbb{F}_{131^2})^*$ generated by $\hat{e}(P, P) = 28 + 93i$, where $\mathbb{F}_{131^2}$ is represented by $\mathbb{F}_{131}[x]/(x^2 + 1)$. Let $\hat{e}: G_1 \times G_1 \to G_T$ be the reduced modified Tate pairing, where $e: G_1 \times G_1 \to G_T$ is the Tate pairing and $\hat{e}(P, Q) = e(P, \phi(Q))^{1560}$, with $\phi$ the distortion map given by $\phi(x, y) = (\zeta x, y)$, where $\zeta = 65 + 112i$. Then Alice, Bob, and Charlie can carry out Joux's three-way key exchange as follows.

1. Alice picks a random $a \in \mathbb{Z}_{11}^*$, say $a = 3$, and calculates $aP = (113, 8)$, which she sends to Bob and Charlie.
2. Bob picks a random $b \in \mathbb{Z}_{11}^*$, say $b = 5$, and calculates $bP = (34, 23)$, which he sends to Alice and Charlie.
3. Charlie picks a random $c \in \mathbb{Z}_{11}^*$, say $c = 7$, and calculates $cP = (33, 100)$, which he sends to Alice and Bob.
4. Alice receives $bP = (34, 23)$ and $cP = (33, 100)$ and calculates $K = \hat{e}(bP, cP)^a = 39 + 107i$.
5. Bob receives $aP = (113, 8)$ and $cP = (33, 100)$ and calculates $K = \hat{e}(aP, cP)^b = 39 + 107i$.
6. Charlie receives $aP = (113, 8)$ and $bP = (34, 23)$ and calculates $K = \hat{e}(aP, bP)^c = 39 + 107i$.
7. $K \neq O$, so no error condition is raised.

6.5 ElGamal Encryption

ElGamal encryption [5] creates an encryption algorithm from the Diffie-Hellman key exchange, essentially using a Diffie-Hellman shared secret to encrypt a block of plaintext by multiplying the plaintext by the Diffie-Hellman shared secret. To decrypt the resulting ciphertext, the intended recipient then divides by the Diffie-Hellman shared secret to recover the plaintext. More precisely, ElGamal encryption works as follows. Let Bob have the public key $(p, g, g^b)$, where $p$ is a prime, $G$ is a prime-order subgroup of $\mathbb{Z}_p^*$, and $b \in \mathbb{Z}_{p-1}^*$. Bob's corresponding private key is $b$. To encrypt a message $M \in \mathbb{Z}_p^*$ to Bob, Alice performs the following steps:

1. Alice obtains Bob's public key $(p, g, g^b)$, picks a random $a \in \mathbb{Z}_{p-1}^*$ and then calculates $(g^b)^a = g^{ab}$.
2. Alice calculates $Mg^{ab}$ and then sends the ciphertext $C = (Mg^{ab}, g^a)$ to Bob. The value of $g^a$ that Alice sends in this ciphertext is sometimes called a "hint."

To decrypt the ciphertext $C = (Mg^{ab}, g^a)$ Bob performs the following steps:

1. Bob calculates $(g^a)^b = g^{ab}$.
2. Bob calculates

$$\frac{Mg^{ab}}{g^{ab}} = M$$

to recover the message $M$.

Note that ElGamal encryption is subject to a chosen-ciphertext attack. If an adversary knows that the ciphertext $C = (Mg^{ab}, g^a)$ corresponds to the plaintext $M$ encrypted with the random value $g^a$, then he can easily decrypt any other ciphertext $C' = ((kM)g^{ab}, g^a)$ by calculating
$$\frac{Mg^{ab}}{M} = g^{ab}$$

from the ciphertext $C$ and then

$$\frac{(kM)g^{ab}}{g^{ab}} = kM$$

from the ciphertext $C'$.

It is no more difficult to recover the plaintext $M$ from the ciphertext $C = (Mg^{ab}, g^a)$ than it is to calculate discrete logarithms in $G$: if an adversary can determine $b$ from Bob's public key $g^b$ he can then decrypt the ciphertext as easily as Bob can.

Example 6.5

Suppose that Bob's public key is $(p, g, g^b) = (59, 2, 47)$ and his private key is $b = 23$, and that Alice wants to encrypt the message $M = 17$ to Bob. She can do this in the following steps.

1. Alice obtains Bob's public key $(p, g, g^b) = (59, 2, 47)$. Alice then chooses a random $a$, say $a = 7$, and calculates $(g^b)^a = 47^7 \equiv 13 \pmod{59}$.
2. Alice calculates $Mg^{ab} = 17 \cdot 13 \equiv 44 \pmod{59}$ and $g^a = 2^7 \equiv 10 \pmod{59}$ and then sends the ciphertext $C = (Mg^{ab}, g^a) = (44, 10)$.

When Bob receives the ciphertext $C = (44, 10)$ he performs the following steps.

1. Bob calculates $(g^a)^b = 10^b = 10^{23} \equiv 13 \pmod{59}$.
2. Bob calculates

$$M = \frac{Mg^{ab}}{g^{ab}} = \frac{44}{13} = 44 \cdot 13^{-1} = 44 \cdot 50 \equiv 17 \pmod{59}$$

to recover the message $M$.

References

[1] Goldwasser, S., and S. Micali, "Probabilistic Encryption," Journal of Computer and System Sciences, Vol. 28, No. 2, 1984, pp. 270–299.
[2] Diffie, W., and M. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644–654.
[3] American National Standards Institute, Key Agreement and Key Transport Using Elliptic Curve Cryptography, American National Standard for Financial Services X9.63-2001, Annapolis, MD: American National Standards Institute, 2001.
[4] Joux, A., "A One-Round Protocol for Tripartite Diffie-Hellman," Proceedings of the 4th International Algorithmic Number Theory Symposium, Leiden, the Netherlands, July 2–7, 2000, pp. 385–394.
[5] ElGamal, T., "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, Vol. IT-31, No. 4, 1985, pp. 469–472.
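The Diffie-Hellman exchange of Section 6.2 and the ElGamal encryption of Section 6.5 built on top of it, as an added example that is not the book's own code. Both use the parameters of Examples 6.2 and 6.5 ($p = 59$, $g = 2$, $a = 7$, $b = 23$), and `dh_exchange(58, 23)` reproduces the note in 6.2 that an exponent of $p - 1$ collapses the shared secret to 1; the function names are this example's own.

```python
import secrets

P, G = 59, 2   # Examples 6.2 / 6.5: g = 2 generates the subgroup of F_59^* of order 29

def dh_public(secret, p=P, g=G):
    """g^secret mod p, the value sent over the channel."""
    return pow(g, secret, p)

def dh_shared(their_public, my_secret, p=P):
    """(g^their)^mine mod p."""
    return pow(their_public, my_secret, p)

def dh_exchange(a, b, p=P, g=G):
    """The four steps of Section 6.2; returns (g^a, g^b, K_alice, K_bob)."""
    ga, gb = dh_public(a, p, g), dh_public(b, p, g)
    return ga, gb, dh_shared(gb, a, p), dh_shared(ga, b, p)

def random_exponent(p=P):
    """Random exponent in 1..p-2, the range the text allows (never p-1, which
    would make g^a = 1 by Euler's theorem and hand K = 1 to any observer)."""
    return secrets.randbelow(p - 2) + 1

def elgamal_encrypt(M, pub, a=None):
    """Alice: C = (M * (g^b)^a, g^a); g^a is the 'hint' the recipient needs."""
    p, g, gb = pub
    if a is None:
        a = random_exponent(p)
    return ((M * pow(gb, a, p)) % p, pow(g, a, p))

def elgamal_decrypt(C, p, b):
    """Bob: recover M = (M g^ab) * (g^ab)^-1 using g^ab = (g^a)^b."""
    c1, hint = C
    shared = pow(hint, b, p)
    return (c1 * pow(shared, -1, p)) % p

def example_6_2():
    """Returns (10, 47, 13, 13): g^a, g^b and the two copies of K."""
    return dh_exchange(7, 23)

def example_6_5():
    """Returns the ciphertext (44, 10) and the recovered plaintext 17."""
    pub = (59, 2, 47)
    C = elgamal_encrypt(17, pub, a=7)
    return C, elgamal_decrypt(C, 59, 23)
```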
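The elliptic curve Diffie-Hellman exchange of Section 6.3, as an added example that is not the book's own code: affine point addition and double-and-add scalar multiplication on $y^2 = x^3 + 1$ over $\mathbb{F}_{131}$, with the point-at-infinity check of step 5. The values of Example 6.3 ($P = (98, 58)$ of order 11, $a = 7$, $b = 5$) are reproduced; the helper names are this example's own.

```python
import secrets

# Example 6.3: E: y^2 = x^3 + 1 over F_131; P = (98, 58) generates a subgroup of order 11
Q_FIELD, A_COEF, B_COEF = 131, 0, 1
INF = None   # the point at infinity O

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % Q_FIELD == 0

def ec_add(P1, P2, q=Q_FIELD):
    """Affine point addition (Section 3.2); handles O and P + (-P)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % q == 0:
        return INF                                          # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, q) % q   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q               # chord slope
    x3 = (lam * lam - x1 - x2) % q
    y3 = (lam * (x1 - x3) - y1) % q
    return (x3, y3)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication kP."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def ecdh(a, b, P, order):
    """Steps 1-5 of Section 6.3. Returns (aP, bP, K); raises when K = O."""
    if not on_curve(P):
        raise ValueError("P is not on the curve")
    aP, bP = ec_mul(a, P), ec_mul(b, P)
    K_alice, K_bob = ec_mul(a, bP), ec_mul(b, aP)
    if K_alice != K_bob:
        raise RuntimeError("shared secrets differ")
    if K_alice is INF:
        raise ValueError("K = O: restart at step 1")
    return aP, bP, K_alice

def random_scalar(order=11):
    """Random a in Z_order^*, i.e. 1..order-1."""
    return secrets.randbelow(order - 1) + 1

def example_6_3():
    """Returns ((33, 100), (34, 23), (128, 57))."""
    return ecdh(7, 5, (98, 58), 11)
```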
7 The Cocks IBE Scheme

The Cocks IBE scheme was invented by Clifford Cocks of the Communications-Electronics Security Group (CESG) of the United Kingdom government, the same gentleman who has a fairly strong claim to having invented the first public-key algorithm in 1973, when he published a classified (now declassified) CESG report [1] which described a scheme roughly comparable to the RSA scheme. The security of the Cocks IBE scheme is based on both the computational difficulty of integer factorization and on the quadratic residuosity problem. The Cocks IBE scheme was first described in [2].

The Cocks IBE scheme encrypts each bit of the plaintext as a pair of integers modulo a composite number, each as large as an integer which is suitably difficult to factor. For example, to encrypt a 128-bit symmetric key, per Table 5.2, each of these integers must be 3,072 bits in length to provide the same bit strength as a 128-bit symmetric key. The Cocks IBE scheme uses many of the same ideas as the Goldwasser-Micali scheme, and is notable for being an IBE scheme that does not use a pairing in its operation, as well as the IBE scheme most likely to get you fired for searching the Internet for it while at work.

7.1 Setup of Parameters

The Cocks scheme requires a public value $n$ which is the product of two primes $p$ and $q$, each of which is congruent to 3 modulo 4. While the value $n$ is public, its factors $p$ and $q$ are known only to the PKG. It also requires a well-known cryptographic hash function $H_1: \{0, 1\}^* \to \mathbb{Z}_n$. We also require that for an identity $ID$, if $H_1(ID) = a$, then we have the Jacobi symbol $(a/n) = +1$,
which will guarantee that either $a$ or $-a$ is a square modulo $n$. This can easily be done, for example, by using a cryptographic hash function $H$ to hash an identity to an integer $a$ modulo $n$ and then incrementing $a$ until $(a/n) = +1$. Because we have that

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right) \qquad (7.1)$$

we must have that either both Jacobi symbols have the value $+1$ or both have the value $-1$ in (7.1). When both have the value $+1$ we have

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right) = (+1)(+1) = +1$$

so that $a$ is a square modulo $n$ because it is a square modulo both $p$ and $q$. In the other case we have

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right) = (-1)(-1) = +1$$

If this happens, then it turns out that $-a$ must be a square modulo $n$. Because we have that $p$ and $q$ are congruent to 3 modulo 4, we have

$$\left(\frac{-1}{p}\right) = \left(\frac{-1}{q}\right) = -1$$

so that

$$\left(\frac{-a}{n}\right) = \left(\frac{-a}{p}\right)\left(\frac{-a}{q}\right) = \left(\frac{a}{p}\right)\left(\frac{-1}{p}\right)\left(\frac{a}{q}\right)\left(\frac{-1}{q}\right) = \left(\frac{a}{p}\right)(-1) \cdot \left(\frac{a}{q}\right)(-1) = (+1)(+1) = +1$$

So $-a$ is a square because it is the product of two numbers that are squares. The ambiguity introduced by not knowing whether $a$ or $-a$ is a square causes some inefficiency when Cocks IBE is used to encrypt, and results in doubling the size of the ciphertext to account for each of the two cases. In either case, the value $a$ is then the public key corresponding to the identity $ID$. Note that using Algorithm 2.2, it is possible to calculate the Jacobi symbol
$(a/n)$ without knowing the factors of $n$.

The Cocks IBE Scheme 133

7.2 Extraction of the Private Key

The PKG then calculates the private key corresponding to the public key $a$ by calculating the square root of either $a$ or $-a$ modulo $n$. Because $p$ and $q$ are both congruent to 3 modulo 4, $p - 1$ and $q - 1$ are both congruent to 2 modulo 4, so that we can write $p - 1 = 4k_1 + 2$ and $q - 1 = 4k_2 + 2$. Because we have $n = pq$, we have that $\phi(n) = (p - 1)(q - 1)$, so that

$$\phi(n) + 4 = (p - 1)(q - 1) + 4 = (4k_1 + 2)(4k_2 + 2) + 4 = (2k_1k_2 + k_1 + k_2 + 1) \cdot 8$$

so that 8 divides $\phi(n) + 4$. We can use this fact to calculate a square root modulo $n$ as

$$r = a^{(\phi(n) + 4)/8} \bmod n \qquad (7.2)$$

This gives a square root of $a$ modulo $n$ because

$$r^2 = \left(a^{(\phi(n) + 4)/8}\right)^2 = a^{(\phi(n) + 4)/4} = \left(a^{\phi(n)}\right)^{1/4} a \equiv \pm a \pmod n$$

by Euler's theorem. If $a$ is a square modulo $n$, then $r$ will satisfy $r^2 \equiv a \pmod n$, and if $-a$ is a square modulo $n$, then $r$ will satisfy $r^2 \equiv -a \pmod n$. In either case, the value $r$ acts as the private key corresponding to the public key $a$. The parameters of the Cocks IBE scheme are summarized in Table 7.1.

7.3 Encrypting with Cocks IBE

The Cocks IBE scheme encrypts a single bit at a time as a pair of integers. Both of the pair are needed because the sender does not know which of $a$ or $-a$ is a square modulo $n$. On the other hand, the recipient can easily check whether $r^2 \equiv a \pmod n$ or $r^2 \equiv -a \pmod n$, so he knows which of the two choices to decrypt. For a message bit $m$ we first encode the bit as $x = (-1)^m$, which encodes the bit "0" as $+1$ and the bit "1" as $-1$.

Table 7.1 Summary of Cocks IBE Parameters

Type of Parameter            Parameter   Properties
Private global parameters    p, q        primes ≡ 3 (mod 4)
Public global parameter      n           n = pq
Public hash function         H_1         H_1: {0,1}* → Z_n, (H_1(ID)/n) = +1
Per-user public key          a           (a/n) = +1
Per-user private key         r           r^2 ≡ ±a (mod n)

We then pick random $t_1$ and $t_2$ with both

$$\left(\frac{t_1}{n}\right) = x \quad \text{and} \quad \left(\frac{t_2}{n}\right) = x$$

and then send the ciphertext $(s_1, s_2)$ to the recipient, where

$$s_1 = t_1 + \frac{a}{t_1} \bmod n$$

and

$$s_2 = t_2 - \frac{a}{t_2} \bmod n$$

The recipient will then decrypt either $s_1$ or $s_2$, choosing $s_1$ if $a$ is a square modulo $n$ and $s_2$ if $-a$ is a square modulo $n$.

Note that two different random values $t_1$ and $t_2$ are needed. If the same value $t$ is used to calculate both

$$s_1 = t + \frac{a}{t} \bmod n$$

and
$$s_2 = t - \frac{a}{t} \bmod n$$

then an adversary could calculate

$$\frac{s_1 + s_2}{2} = \frac{1}{2}\left(t + \frac{a}{t} + t - \frac{a}{t}\right) \bmod n = t \bmod n$$

and then calculate $(t/n) = x$ to decrypt the ciphertext.

7.4 Decrypting with Cocks IBE

After receiving the pair $s_1$ and $s_2$, the recipient decides which of the two choices he needs to decrypt, letting $s = s_1$ if $r^2 \equiv a \pmod n$ and $s = s_2$ if $r^2 \equiv -a \pmod n$. He then calculates

$$x = \left(\frac{s + 2r}{n}\right) \qquad (7.3)$$

In the case that $r^2 \equiv a \pmod n$, we note that

$$s + 2r = t_1 + \frac{a}{t_1} + 2r = t_1 + \frac{r^2}{t_1} + 2r = t_1\left(1 + \frac{r^2}{t_1^2} + \frac{2r}{t_1}\right) \equiv t_1\left(1 + \frac{r}{t_1}\right)^2 \pmod n$$

so that $s + 2r$ is a square modulo $n$ exactly when $t_1$ is, so that we have

$$\left(\frac{s + 2r}{n}\right) = \left(\frac{t_1}{n}\right) = x$$

so that (7.3) recovers the plaintext bit $x$.

In the case that $r^2 \equiv -a \pmod n$, we note that

$$s + 2r = t_2 - \frac{a}{t_2} + 2r = t_2 + \frac{r^2}{t_2} + 2r = t_2\left(1 + \frac{r^2}{t_2^2} + \frac{2r}{t_2}\right) \equiv t_2\left(1 + \frac{r}{t_2}\right)^2 \pmod n$$

so that we still have that $s + 2r$ is a square modulo $n$ exactly when $t_2$ is, so that

$$\left(\frac{s + 2r}{n}\right) = \left(\frac{t_2}{n}\right) = x$$

so that (7.3) will correctly decrypt an encrypted bit in both possible cases.

7.5 Examples

(i) Let $p = 7$ and $q = 11$, so that $n = 77$. If we have $a = 9$ for the public key, we find that (7.2) gives us $r = 25$ for the corresponding private key, and that in this case $r^2 \equiv a \pmod n$. To encrypt the bit "0" with this public key the sender first encodes the bit "0" as $+1$ and picks a random $t$ that satisfies

$$\left(\frac{t}{n}\right) = +1$$

In this case, we randomly pick $t_1 = 4$ and $t_2 = 6$ and note that

$$\left(\frac{4}{77}\right) = \left(\frac{6}{77}\right) = +1$$

The sender then calculates the two values

$$s_1 = t_1 + \frac{a}{t_1} \bmod n = 4 + \frac{9}{4} \bmod 77 = 64$$
and

$$s_2 = t_2 - \frac{a}{t_2} \bmod n = 6 - \frac{9}{6} \bmod 77 = 43$$

and then sends the ciphertext pair $(s_1, s_2) = (64, 43)$ to the recipient. The recipient knows that his private key satisfies $r^2 \equiv a \pmod n$, so he picks $s_1$ to decrypt. He then calculates

$$\left(\frac{s_1 + 2r}{n}\right) = \left(\frac{64 + 50}{77}\right) = \left(\frac{114}{77}\right) = +1$$

which he then decodes to the bit "0" as his plaintext.

(ii) Let $p = 7$ and $q = 11$, so that $n = 77$. If we have $a = 10$ for the public key, we find that (7.2) gives us $r = 23$ for the corresponding private key, and that in this case $r^2 \equiv -a \pmod n$. To encrypt the bit "1" with this public key the sender first encodes the bit "1" as $-1$ and picks a random $t$ that satisfies

$$\left(\frac{t}{n}\right) = -1$$

In this case, we randomly pick $t_1 = 8$ and $t_2 = 2$ and note that

$$\left(\frac{8}{77}\right) = \left(\frac{2}{77}\right) = -1$$

The sender then calculates the two values

$$s_1 = t_1 + \frac{a}{t_1} \bmod n = 8 + \frac{10}{8} \bmod 77 = 67$$

and

$$s_2 = t_2 - \frac{a}{t_2} \bmod n = 2 - \frac{10}{2} \bmod 77 = 74$$

and then sends the ciphertext pair $(s_1, s_2) = (67, 74)$ to the recipient. The recipient knows that his private key satisfies $r^2 \equiv -a \pmod n$, so he picks $s_2$ to decrypt. He then calculates

$$\left(\frac{s_2 + 2r}{n}\right) = \left(\frac{74 + 46}{77}\right) = \left(\frac{120}{77}\right) = -1$$

which he then decodes to the bit "1" as his plaintext.

(iii) Let $p = 7$ and $q = 11$, so that $n = 77$. If we have $a = 10$ for the public key, we find that (7.2) gives us $r = 23$ for the corresponding private key, and that in this case $r^2 \equiv -a \pmod n$. To encrypt the bit "1" with this public key the sender first encodes the bit "1" as $-1$ and picks a random $t$ that satisfies

$$\left(\frac{t}{n}\right) = -1$$

In this case, we randomly pick $t_1 = 12$ and $t_2 = 5$ and note that

$$\left(\frac{12}{77}\right) = \left(\frac{5}{77}\right) = -1$$

The sender then calculates the two values

$$s_1 = t_1 + \frac{a}{t_1} \bmod n = 12 + \frac{10}{12} \bmod 77 = 0$$

and

$$s_2 = t_2 - \frac{a}{t_2} \bmod n = 5 - \frac{10}{5} \bmod 77 = 3$$

and then sends the ciphertext pair $(s_1, s_2) = (0, 3)$ to the recipient. The recipient knows that his private key satisfies $r^2 \equiv -a \pmod n$, so he picks $s_2$ to decrypt. He then calculates

$$\left(\frac{s_2 + 2r}{n}\right) = \left(\frac{3 + 46}{77}\right) = \left(\frac{49}{77}\right) = 0$$

In this case the decryption fails, because $\gcd(s_2 + 2r, n) \neq 1$. This will happen whenever either $p$ or $q$ divides $s_1 + 2r$ (or $s_2 + 2r$, if it is calculated instead). There are $q - 1$ multiples of $p$ for which this can happen and $p - 1$ multiples of $q$ for which this can happen. Note that this counts 0 twice, once
as a multiple of $p$ and again as a multiple of $q$, so there are a total of $(p - 1) + (q - 1) - 1$ ways for this to happen. If we assume that this value is uniformly distributed in $\{0, 1, \ldots, n - 1\}$, this gives a probability of

$$\Pr(\text{decryption failure}) = \frac{(p - 1) + (q - 1) - 1}{n}$$

of this happening. For a typical use, say with a 1,024-bit $n$ and 512-bit values for $p$ and $q$, this probability is extremely small. So, although this may happen, it happens so rarely that it is probably not worth handling as a special case in an implementation of the Cocks IBE scheme, although it may occur in examples with artificially small parameters.

7.6 Security of the Cocks IBE Scheme

7.6.1 Relationship to the Quadratic Residuosity Problem

An adversary can defeat the Cocks IBE system if he can factor the modulus $n$. If he can do this, he can calculate arbitrary private keys by (7.2) and then decrypt any messages that he intercepts. As discussed in Chapter 5, the best-known algorithm for factoring integers is sufficiently difficult to provide the security levels listed in Table 5.2.

The fact that the security of the Cocks IBE scheme relates to the quadratic residuosity problem, however, is not immediately obvious. The fact that it does relates to the fact that the ability to decrypt a message encrypted with Cocks IBE requires deciding whether or not the per-user public key $a$ is a square modulo $n$. Note that

$$\left(\frac{1}{n}\right) = \left(\frac{t}{n}\right)\left(\frac{1/t}{n}\right) = +1$$

so that $\left(\frac{t}{n}\right) = \left(\frac{1/t}{n}\right)$ and thus

$$\left(\frac{a/t}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{1/t}{n}\right) = \left(\frac{a}{n}\right)\left(\frac{t}{n}\right)$$

Now consider the following four systems of congruences:

$$t_1 \equiv t \pmod p, \quad t_1 \equiv t \pmod q \qquad (7.4)$$

$$t_2 \equiv t \pmod p, \quad t_2 \equiv a/t \pmod q \qquad (7.5)$$

$$t_3 \equiv a/t \pmod p, \quad t_3 \equiv t \pmod q \qquad (7.6)$$

$$t_4 \equiv a/t \pmod p, \quad t_4 \equiv a/t \pmod q \qquad (7.7)$$

By the Chinese remainder theorem, these have the following solutions:

$$t_1 = t e_1 + t e_2, \quad t_2 = t e_1 + (a/t) e_2, \quad t_3 = (a/t) e_1 + t e_2, \quad t_4 = (a/t) e_1 + (a/t) e_2$$

where $e_1$ and $e_2$ have the property that

$$e_1 \equiv \begin{cases} 1 \pmod p \\ 0 \pmod q \end{cases} \qquad \text{and} \qquad e_2 \equiv \begin{cases} 0 \pmod p \\ 1 \pmod q \end{cases}$$

The solutions to (7.4) through (7.7) also have the following properties:

$$\left(\frac{t_1}{n}\right) = \left(\frac{t}{p}\right)\left(\frac{t}{q}\right)$$

$$\left(\frac{t_2}{n}\right) = \left(\frac{t}{p}\right)\left(\frac{a/t}{q}\right) = \left(\frac{t}{p}\right)\left(\frac{a}{q}\right)\left(\frac{t}{q}\right)$$

$$\left(\frac{t_3}{n}\right) = \left(\frac{a/t}{p}\right)\left(\frac{t}{q}\right) = \left(\frac{a}{p}\right)\left(\frac{t}{p}\right)\left(\frac{t}{q}\right)$$

$$\left(\frac{t_4}{n}\right) = \left(\frac{a/t}{p}\right)\left(\frac{a/t}{q}\right) = \left(\frac{a}{p}\right)\left(\frac{t}{p}\right)\left(\frac{a}{q}\right)\left(\frac{t}{q}\right)$$

In the case where $a$ is a square, we have $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = +1$ so that

$$\left(\frac{t_1}{n}\right) = \left(\frac{t_2}{n}\right) = \left(\frac{t_3}{n}\right) = \left(\frac{t_4}{n}\right)$$

But in the case where $a$ is not a square, we have $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = -1$ so that

$$\left(\frac{t_1}{n}\right) = \left(\frac{t_4}{n}\right) \quad \text{and} \quad \left(\frac{t_2}{n}\right) = \left(\frac{t_3}{n}\right) \quad \text{but} \quad \left(\frac{t_1}{n}\right) = -\left(\frac{t_2}{n}\right)$$
Note that if any of $t_1$ through $t_4$ are used as the random input used in a Cocks IBE encryption, then the same ciphertext is created. For the random input $t_1$, for example, the sender will calculate

$$s = t_1 + \frac{a}{t_1} = t e_1 + t e_2 + \frac{a}{t e_1 + t e_2} = \left(t + \frac{a}{t}\right) e_1 + \left(t + \frac{a}{t}\right) e_2$$

while for the random input $t_2$ the sender will calculate

$$s = t_2 + \frac{a}{t_2} = t e_1 + \frac{a}{t} e_2 + \frac{a}{t e_1 + (a/t) e_2} = \left(t + \frac{a}{t}\right) e_1 + \left(\frac{a}{t} + t\right) e_2$$

Similarly, for the random inputs $t_3$ and $t_4$, the sender will calculate the same value for $s$. So in the case where $a$ is not a square, we have cases where the same ciphertext can come from different plaintext values, and the only way to distinguish between these cases is to be able to determine whether or not $a$ is a square modulo $n$, which is the quadratic residuosity problem.

7.6.2 Chosen Ciphertext Security

Because the Cocks IBE scheme encrypts a single bit at a time, it is vulnerable to an adaptive chosen ciphertext attack, for the same reason that the Goldwasser-Micali scheme is. Suppose that an attacker Eve has the plaintext $(m_1, m_2, \ldots, m_k)$ and corresponding ciphertext $(c_1, c_2, \ldots, c_k)$ that is encrypted to the user Bob, and that she wants to obtain the plaintext corresponding to the ciphertext $(c_1', c_2', \ldots, c_k')$. She can then send the message $(c_1', c_2, \ldots, c_k)$ to Bob and observe his reaction. If Bob uses the ciphertext as a shared secret that he uses to derive a session key, for example, Eve can check to see if Bob creates the same session key from $(c_1', c_2, \ldots, c_k)$ that he does from $(c_1, c_2, \ldots, c_k)$ to determine whether the decryption of $c_1$ and $c_1'$ are the same or different. Eve can then repeat this process to recover the additional bits of the decryption of $(c_1', c_2', \ldots, c_k')$, recovering a single bit every time she repeats this process.

7.6.3 Proof of Security

Using the random oracle model, it is possible to prove that defeating the security of the Cocks IBE scheme is no more difficult than solving the quadratic residuosity problem, so that an adversary who can decrypt a message that is
encrypted with the Cocks IBE scheme can use his decryption algorithm to solve the quadratic residuosity problem. So, if we believe that the quadratic residuosity problem is sufficiently intractable we should also believe that the Cocks IBE scheme is adequately secure.

7.6.4 Selecting Parameter Sizes

Suppose that we want to use the Cocks IBE scheme to transport a 128-bit symmetric key. Per Table 5.2, to get the same cryptographic strength as a 128-bit symmetric key, this modulus needs to be 3,072 bits. So for each of the 128 bits in the symmetric key we need to transmit $2 \times 3{,}072 = 6{,}144$ bits of ciphertext, for a total of 786,432 bits of ciphertext. To transport a 256-bit symmetric key, this modulus needs to be 15,360 bits. So for each of the 256 bits in the symmetric key we need to transmit $2 \times 15{,}360 = 30{,}720$ bits of ciphertext, for a total of 7,864,320 bits of ciphertext. This may make the use of the scheme impractical for many uses. The number of bits of ciphertext needed by the Cocks IBE scheme for transporting various lengths of symmetric keys is summarized in Table 7.2.

Table 7.2 Size of Cocks IBE Ciphertext for Selected Symmetric Key Lengths

Symmetric Key Length    Cocks IBE Ciphertext Size
80 bits                 166,710 bits
112 bits                458,752 bits
128 bits                768,432 bits
256 bits                7,864,320 bits

7.7 Summary

The following summarizes the algorithms comprising the Cocks IBE scheme.

Algorithm 7.1: Cocks IBE Setup (global parameters)
INPUT: A security parameter
OUTPUT: $p, q, n, H_1$
1. Randomly pick a prime $p$ with $p \equiv 3 \pmod 4$ large enough to satisfy the security parameter.
2. Randomly pick a prime $q$ with $q \equiv 3 \pmod 4$ large enough to satisfy the security parameter.
3. Let $n = pq$.
4. Select an appropriate hash function $H_1: \{0,1\}^* \to \mathbb{Z}_n$ such that $\left(\frac{H_1(ID)}{n}\right) = +1$ for any $ID \in \{0,1\}^*$.

Algorithm 7.2: Cocks Public Key Calculation
INPUT: $n$, a string $ID$ representing an identity, hash function $H_1$
1. Calculate $H_1(ID)$.

Algorithm 7.3: Cocks IBE Private Key Extraction
INPUT: $a, p, q$
OUTPUT: $r$
1. Calculate $r$ as:
$$r = a^{(\varphi(n) + 4)/8} \bmod n = a^{(pq - p - q + 5)/8} \bmod n$$

Algorithm 7.4: Cocks IBE Encryption
INPUT: $n$, plaintext bit $m$
OUTPUT: Ciphertext $(s_1, s_2)$, each component an integer modulo $n$
1. Encode $m$ as $x = (-1)^m$.
2. Pick a random $t_1$ and $t_2$ with $\left(\frac{t_1}{n}\right) = \left(\frac{t_2}{n}\right) = x$.
3. Calculate $s_1$ by $s_1 = t_1 + \frac{a}{t_1} \bmod n$.
4. Calculate $s_2$ by $s_2 = t_2 - \frac{a}{t_2} \bmod n$.
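The algorithms above, together with the decryption rule of Section 7.4, as an added worked implementation (not the book's code) run on the toy parameters of Section 7.5. $H_1$ is not modelled: the per-user public key $a$ is taken directly from the examples, and decoding follows those examples ($+1$ is the bit 0, $-1$ is the bit 1).

```python
# Added example, not code from the book: Cocks IBE on the parameters of Section 7.5
# (p = 7, q = 11, n = 77).  H1 is not modelled; the examples supply the public key a directly.
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: the sign flips when both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0        # 0 means gcd(a, n) > 1


def cocks_extract(a, p, q):
    """Algorithm 7.3: r = a^((pq - p - q + 5)/8) mod n, so that r^2 = +a or -a (mod n)."""
    n = p * q
    return pow(a, (n - p - q + 5) // 8, n)


def cocks_encrypt(m, a, n, t1, t2):
    """Algorithm 7.4 for one bit m.  t1, t2 are the sender's random values, both with
    Jacobi symbol x = (-1)^m.  Returns (s1, s2) = (t1 + a/t1, t2 - a/t2) mod n."""
    x = -1 if m else 1
    if jacobi(t1, n) != x or jacobi(t2, n) != x:
        raise ValueError("t1 and t2 must have Jacobi symbol equal to the encoded bit")
    s1 = (t1 + a * pow(t1, -1, n)) % n
    s2 = (t2 - a * pow(t2, -1, n)) % n
    return s1, s2


def cocks_decrypt(ct, r, a, n):
    """Decryption as in Section 7.4.  Returns 0 or 1, or None when gcd(s + 2r, n) > 1,
    the failure case shown in Example 7.5(iii)."""
    s1, s2 = ct
    s = s1 if pow(r, 2, n) == a % n else s2   # r^2 = a: use s1; otherwise r^2 = -a: use s2
    if gcd(s + 2 * r, n) != 1:
        return None
    return 0 if jacobi(s + 2 * r, n) == 1 else 1


def run_examples():
    """Reproduce Examples 7.5(i)-(iii); returns (r, ciphertext, decrypted bit) for each."""
    p, q = 7, 11
    n = p * q
    out = []
    # (public key a, bit m, sender's random t1, t2) as chosen in the three examples
    for a, m, t1, t2 in ((9, 0, 4, 6), (10, 1, 8, 2), (10, 1, 12, 5)):
        r = cocks_extract(a, p, q)
        ct = cocks_encrypt(m, a, n, t1, t2)
        out.append((r, ct, cocks_decrypt(ct, r, a, n)))
    return out
```

The third example returns None rather than a bit, which is the $\gcd(s_2 + 2r, n) \neq 1$ failure the text discusses; an implementation with artificially small parameters has to expect it.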
Algorithm 7.5: Cocks IBE Decryption
INPUT: Private key $r$, ciphertext $(s_1, s_2)$, $n$
OUTPUT: Plaintext bit $m$
1. If $r^2 \equiv a \pmod n$ then let $s = s_1$ else let $s = s_2$.
2. Calculate the encoded plaintext bit $x$ by $x = \left(\frac{s + 2r}{n}\right)$.
3. If $x = -1$ then let $m = 0$ else let $m = 1$.

References

[1] Cocks, C., "A Note on Non-Secret Encryption," CESG Report, 1973.
[2] Cocks, C., "An Identity Based Encryption Scheme Based on Quadratic Residues," Proceedings of the Eighth IMA International Conference on Cryptography and Coding, Cirencester, U.K., December 17–19, 2001, pp. 360–363.
[3] Goldwasser, S., and S. Micali, "Probabilistic Encryption," Journal of Computer and System Sciences, Vol. 28, No. 2, 1984, pp. 270–299.

8 Boneh-Franklin IBE

This chapter discusses Boneh-Franklin IBE [1], the first practical and secure IBE scheme that was invented. Boneh-Franklin IBE is an example of the full-domain hash family of IBE schemes, schemes in which an identity $ID$ is mapped to a point $Q_{ID}$ on an elliptic curve that is then used in the encryption and decryption algorithms of the scheme. Mapping an identity to a point on an elliptic curve typically requires a modular exponentiation that is fairly expensive to calculate, so full-domain hash schemes often have a disadvantage in performance relative to some other types of IBE schemes. Because of this, current research seems to have abandoned full-domain hash schemes in favor of other techniques where it is only necessary to map an identity to an integer. Boneh-Franklin IBE also requires the calculation of a pairing, an expensive calculation that accounts for almost all of the computation required for a Boneh-Franklin decryption and most of the computation required for a Boneh-Franklin encryption.

The Boneh-Franklin IBE scheme has features of both Joux's three-way key exchange and ElGamal encryption. Joux's three-way key exchange generalized the Diffie-Hellman key exchange to three participants, each with their own secret integer values. In Boneh-Franklin IBE, there are also three secret integer values: one of them is the master secret of the IBE system, one is randomly generated by the sender, and the third is never known, but is the discrete logarithm of the identity of the recipient. Both use a public parameter $P$, which is a point on an elliptic curve, and a pairing $\hat e$. This comparison is shown in Table 8.1 and Table 8.2. In the case of Joux's three-way key exchange, the shared secret $\hat e(P,P)^{abc}$ is calculated from three points $aP$, $bP$ and $cP$, while in the case of Boneh-Franklin IBE, the shared secret $\hat e(P,P)^{rst}$ is calculated from a similar set of three points $rP$, $sP$ and $tP$. In the case of Boneh-Franklin IBE, the value of $t$ is never known; it only appears in the value $tP = Q_{ID}$ which is calculated from the recipient's identity.

Table 8.1 Summary of Public and Private Values in Joux's Three-Way Key Exchange

Source      Private Value    Public Value
Alice       $a$              $aP$
Bob         $b$              $bP$
Charlie     $c$              $cP$

Table 8.2 Summary of Public and Private Values in Boneh-Franklin IBE

Source               Private Value              Public Value
Alice                $r$                        $rP$
System parameters    $s$                        $sP$
Bob                  $t$, $stP = sQ_{ID}$       $tP = Q_{ID}$

Much like ElGamal encryption uses the shared secret from a Diffie-Hellman key exchange to encrypt a plaintext message, Boneh-Franklin IBE uses the shared secret from this variant of Joux's three-way key exchange to encrypt a plaintext message. So, after calculating the shared secret $\hat e(P,P)^{rst}$, Alice hashes the shared secret into a format compatible with the plaintext. The value of $\hat e(P,P)^{rst}$ is an element of some finite field $\mathbb{F}_q$, for example, while a typical message is an element of $\{0,1\}^*$, so that $\hat e(P,P)^{rst}$ needs to be mapped into $\{0,1\}^*$ so that it can be combined with the plaintext to produce the ciphertext. So, Alice hashes the shared secret $\hat e(P,P)^{rst}$ to the message space and combines the resulting hash with the plaintext $M$ to get the ciphertext $C = M \oplus \mathrm{Hash}(\hat e(P,P)^{rst})$. Bob then calculates the shared secret $\hat e(P,P)^{rst}$, hashes it to the message space, and recovers $M = C \oplus \mathrm{Hash}(\hat e(P,P)^{rst})$. The rest of this chapter defines these steps more carefully and adds refinements to make the resulting scheme more secure.

The original Boneh-Franklin paper [1] used a slightly different notation than the convention followed here. In particular, the roles of $p$ and $q$ were reversed. In the original paper, the value of $p$ defined the order of the finite field $\mathbb{F}_p$ while $q$ was a prime that defined the order of the group $E(\mathbb{F}_p)[q]$. Later publications switched these roles, using $q$ to define the order of the finite field $\mathbb{F}_q$ and $p$ to define the order of the group $G_1$, the convention that most
pairing-based cryptography literature now follows. So when reading descriptions of the Boneh-Franklin IBE system, it may be necessary to carefully note the meaning of the system parameters.

8.1 Boneh-Franklin IBE (Basic Scheme)

The Boneh-Franklin basic scheme uses a shared secret that can be calculated by both the sender and receiver of a message to encrypt a plaintext message. While it is easier to understand than the full Boneh-Franklin IBE scheme, it also is not as secure. The fully secure and more complicated scheme is described in Section 8.2.

8.1.1 Setup of Parameters (Basic Scheme)

To implement Boneh-Franklin IBE we first need a security parameter that defines the level of bit strength that the encryption will provide. Then we need to define groups $G_1$ and $G_T$ and a pairing $\hat e: G_1 \times G_1 \to G_T$. To do this we pick an elliptic curve $E/\mathbb{F}_q$ with embedding degree $k$, and a prime $p$ such that $p \mid \#E(\mathbb{F}_q)$. We also require that $p^2 \nmid \#E(\mathbb{F}_q)$ to ensure that the subgroup of order $p$ that we will hash identities into is unique. The parameter $p$ is the order of the groups $G_1$ and $G_T$, and $G_T$ is a subgroup of $\mathbb{F}_{q^k}^*$. To attain a particular level of security, these parameters need to be chosen as described in Section 5.4. We then randomly pick a point $P \in E(\mathbb{F}_q)[p]$ and let $G_1 = \langle P \rangle$ and $G_T = \langle \hat e(P,P) \rangle$, which are cyclic groups of prime order $p$. Next, we pick a random integer $s \in \mathbb{Z}_p^*$ and use it to calculate $sP$.

To map an identity $ID$ to a point $Q_{ID}$ we also need a cryptographic hash function $H_1: \{0,1\}^* \to G_1$. To encrypt a message of $n$ bits using Boneh-Franklin IBE we also need another cryptographic hash function $H_2: G_T \to \{0,1\}^n$ that hashes elements of $G_T$ into a form that we can combine with the plaintext message, which is a bit string of length $n$.

These elements form the public parameters and master secret as shown in Table 8.3 and Table 8.4. The integer $s$ is the master secret; all other values comprise the public parameters. There are dependencies among the elements of Table 8.3. The values of $p$, $q$, and $E$, for example, are implicit in the definition of the group $G_1$. Because of this it is possible to reduce the number of required public parameters to a much shorter list, and we can define the public parameters of a Boneh-Franklin IBE system (basic scheme) to be BFBasicParams $= (G_1, G_T, \hat e, n, sP, H_1, H_2)$ without introducing any ambiguity.
Table 8.3 Public Parameters of Boneh-Franklin IBE System (Basic Scheme)

Element    Type                          Comments
$q$        Prime power                   Order of finite field $\mathbb{F}_q$
$E/\mathbb{F}_q$   Elliptic curve        $E(\mathbb{F}_q)$ has embedding degree $k$
$p$        Prime                         $p \mid \#E(\mathbb{F}_q)$, $p^2 \nmid \#E(\mathbb{F}_q)$
$G_1$      Cyclic group                  Subgroup of $E(\mathbb{F}_q)$, $G_1 = \langle P \rangle$
$G_T$      Cyclic group                  Subgroup of $\mathbb{F}_{q^k}^*$, $G_T = \langle \hat e(P,P) \rangle$
$\hat e$   Pairing                       $\hat e: G_1 \times G_1 \to G_T$
$n$        Integer                       Length of plaintext (in bits)
$P$        Point on elliptic curve       $P \in G_1$
$sP$       Point on elliptic curve       $sP \in G_1$
$H_1$      Cryptographic hash function   $H_1: \{0,1\}^* \to G_1$
$H_2$      Cryptographic hash function   $H_2: G_T \to \{0,1\}^n$

Table 8.4 Master Secret for Boneh-Franklin IBE System (Basic Scheme)

Element    Type       Comments
$s$        Integer    $s \in \mathbb{Z}_p^*$

8.1.2 Extraction of the Private Key (Basic Scheme)

Once the public parameters listed in Table 8.3 and the master secret listed in Table 8.4 are determined, the private key associated with the identity $ID$ is calculated by mapping the identity to a point on the curve $E$ by calculating $Q_{ID} = H_1(ID)$ and then by multiplying this point $Q_{ID}$ by the master secret $s$ to get the private key $sQ_{ID}$. This is summarized in Table 8.5.

8.1.3 Encrypting with Boneh-Franklin IBE (Basic Scheme)

To encrypt the message $M \in \{0,1\}^n$ to the recipient with identity $ID$, the sender follows the following steps.

Table 8.5 Private Key for Boneh-Franklin IBE System

Element      Type                       Comments
$sQ_{ID}$    Point on elliptic curve    Private key corresponding to identity $ID$, $Q_{ID} = H_1(ID)$
1. Generates a random integer $r \in \mathbb{Z}_p^*$ and calculates $rP$.
2. Calculates $Q_{ID} = H_1(ID)$ from the recipient's identity $ID$ and uses it to calculate
$$K = H_2(\hat e(rQ_{ID}, sP)) \qquad (8.1)$$
3. Sets the ciphertext corresponding to the pair $C = (C_1, C_2)$ where $C_1 = rP$ and $C_2 = M \oplus K$.

8.1.4 Decrypting with Boneh-Franklin IBE (Basic Scheme)

When the recipient receives the ciphertext $C = (rP, M \oplus H_2(\hat e(rQ_{ID}, sP))) = (C_1, C_2)$ he performs the following steps.

1. Calculates $K = H_2(\hat e(sQ_{ID}, C_1))$ from the ciphertext component $C_1$ and his private key $sQ_{ID}$.
2. Calculates $M = C_2 \oplus K$.

This recovers the plaintext $M$ because the sender calculates $K$ as

$$K = H_2(\hat e(rQ_{ID}, sP)) = H_2(\hat e(Q_{ID}, P)^{rs})$$

and the recipient calculates $K$ as

$$K = H_2(\hat e(sQ_{ID}, C_1)) = H_2(\hat e(Q_{ID}, P)^{sr})$$

8.1.5 Examples (Basic Scheme)

(i) Suppose that $E$ is the elliptic curve $E/\mathbb{F}_q: y^2 = x^3 + 1$, with $q$ a prime and $q \equiv 11 \pmod{12}$, and $G_1$ a subgroup of order $p$ of $E(\mathbb{F}_q)$. We can create a suitable hash function $H_1: \{0,1\}^* \to G_1$ from a cryptographic hash function $H$ as follows. First, use $H$ to map a string that represents an identity into the integers modulo $q$, perhaps by either iterating $H$ until we get a result in the correct range or by interpreting the output of $H$ as an integer and then reducing this integer modulo $q$. We can then use this result as the $y$-coordinate of a point $Q \in E(\mathbb{F}_q)$ and calculate the corresponding $x$-coordinate of a point on the curve from

$$x = (y^2 - 1)^{1/3}$$
From Euler's theorem, we have that $a^{q-1} \equiv 1 \pmod q$ so that $a^{2q-1} \equiv a \pmod q$ and thus

$$a^{(2q-1)/3} \equiv a^{1/3} \pmod q$$

whenever we have that $3 \mid (2q - 1)$. This is the case when $q \equiv 11 \pmod{12}$, so we can calculate the $x$-coordinate of the point $Q$ this way. One way to get $Q_{ID} \in E(\mathbb{F}_q)[p]$ from such a $Q$ is to multiply it by an appropriate constant to get

$$Q_{ID} = \frac{\#E(\mathbb{F}_q)}{p}\,Q$$

With the curve $E/\mathbb{F}_q: y^2 = x^3 + 1$, we have that $\#E(\mathbb{F}_q) = q + 1$ when $q \equiv 11 \pmod{12}$, so we calculate $Q_{ID} \in E(\mathbb{F}_q)[p]$ as

$$Q_{ID} = \frac{q + 1}{p}\,Q$$

Because we require that $p \mid \#E(\mathbb{F}_q)$ but $p^2 \nmid \#E(\mathbb{F}_q)$, we know that we have a unique subgroup of $E(\mathbb{F}_q)$ of order $p$, so this must result in $Q_{ID} \in G_1$ as needed.

(ii) Suppose that $E$ is the elliptic curve $E/\mathbb{F}_q: y^2 = x^3 + x$, with $q$ a prime and $q \equiv 11 \pmod{12}$, and $G_1$ a subgroup of order $p$ of $E(\mathbb{F}_q)$. We can create a suitable hash function $H_1: \{0,1\}^* \to G_1$ from a cryptographic hash function $H$ as follows. First, use $H$ to map a string that represents an identity into the integers modulo $q$. We can then use this result as the $x$-coordinate of a point $Q \in E(\mathbb{F}_q)[p]$ and calculate the corresponding $y$-coordinate of $Q$ from

$$y = (x^3 + x)^{1/2}$$

We can only do this if $x^3 + x$ is a quadratic residue modulo $q$, but because $q \equiv 3 \pmod 4$ we have that if $x^3 + x$ is a quadratic nonresidue modulo $q$ then we have that $-(x^3 + x)$ is a quadratic residue modulo $q$. From Euler's theorem, we have that $a^{q-1} \equiv 1 \pmod q$ so that

$$a^{q-1} a^2 = a^{q+1} \equiv a^2 \pmod q$$

and thus

$$a^{(q+1)/4} \equiv a^{1/2} \pmod q$$

whenever we have that $4 \mid (q + 1)$. This is the case when $q \equiv 11 \pmod{12}$, so we can calculate the $y$-coordinate of the point $Q$ this way. With the curve $E/\mathbb{F}_q: y^2 = x^3 + x$, we have that $\#E(\mathbb{F}_q) = q + 1$ when $q \equiv 11 \pmod{12}$, so we calculate $Q_{ID} \in E(\mathbb{F}_q)[p]$ as

$$Q_{ID} = \frac{q + 1}{p}\,Q$$

(iii) Suppose that we want to avoid hashing an identity to a point on an elliptic curve, and try to avoid this by hashing the identity $ID$ to an integer $t$ and then using the point $tP$ as the corresponding public key. This, however, will allow an adversary to calculate the shared secret $\hat e(P,P)^{rst}$ as $(\hat e(rP, sP))^t = \hat e(P,P)^{rst}$, which defeats the security provided by the Boneh-Franklin IBE scheme.

(iv) Elements of $G_T$ are elements of the finite field $\mathbb{F}_{q^k}$, so we can write a typical element of $G_T$ as $(x_1, x_2, \ldots, x_k)$ where each $x_i \in \mathbb{F}_q$. So for a plaintext message $M \in \{0,1\}^n$, one way to create a useful hash function $H_2: G_T \to \{0,1\}^n$ is to use the concatenation of the coordinates of the element as the input to a cryptographic hash function $H$ and then to reduce $H(x_1 | x_2 | \ldots | x_k)$ to the range 0 to $2^n - 1$, perhaps by truncating $H(x_1 | x_2 | \ldots | x_k)$ to $n$ bits.

(v) Suppose that Alice wants to use Boneh-Franklin IBE to encrypt a message to Bob. Suppose that $E$ is the elliptic curve $E/\mathbb{F}_{131}: y^2 = x^3 + 1$, and $P = (98, 58) \in E(\mathbb{F}_{131})[11]$, $G_1 = \langle P \rangle$, and $G_T = \langle \hat e(P,P) \rangle$, where $\hat e: G_1 \times G_1 \to G_T$ is the reduced modified Tate pairing: the distortion map is applied to the second argument, the Tate pairing $e$ is evaluated, and the result is raised to the power 1560, where the distortion map sends $(x, y)$ to $((65 + 112i)x, y)$. Let the master secret of this system be the integer $s = 7$, so that $sP = (33, 100)$, and suppose that Bob's identity gives us that $H_1(ID_{Bob}) = Q_{ID} = (128, 57)$, so that Bob's private key is $sQ_{ID} = (113, 8)$. The values used in this example are summarized in Table 8.6.

Alice can use these values to encrypt the message $M$ to Bob. Suppose that she generates the random $r = 5 \in \mathbb{Z}_{11}^*$ to do this. Alice then calculates $rQ_{ID} = 5(128, 57) = (98, 73)$ and uses it to calculate $rP = 5P = (34, 23)$ and

$$K = H_2(\hat e(rQ_{ID}, sP)) = H_2(\hat e((98, 73), (33, 100))) = H_2(49 + 58i)$$

which she then uses to create the ciphertext $(C_1, C_2)$ where $C_1 = rP$ and $C_2 = M \oplus K$. When Bob receives this ciphertext, he then calculates

$$K = H_2(\hat e(sQ_{ID}, C_1)) = H_2(\hat e((113, 8), (34, 23))) = H_2(49 + 58i)$$

which he then uses to recover the plaintext $M$ by calculating $M = C_2 \oplus K = (M \oplus K) \oplus K = M$.

Table 8.6 Summary of Values Used in Example 8.1.5(v)

Parameters   Type                       Value        Comments
$P$          Point on elliptic curve    $(98, 58)$   $P \in E(\mathbb{F}_{131})[11]$
$sP$         Point on elliptic curve    $(33, 100)$
$Q_{ID}$     Point on elliptic curve    $(128, 57)$  $Q_{ID} \in E(\mathbb{F}_{131})[11]$
$sQ_{ID}$    Point on elliptic curve    $(113, 8)$   Bob's private key
$r$          Integer                    5            Generated randomly by Alice
$s$          Integer                    7            Master secret
(vi) Suppose that $E$ is the elliptic curve $E/\mathbb{F}_{131}: y^2 = x^3 + 1$, and we want to use the pairing $\hat e: G_1 \times G_2 \to G_T$ to implement the Boneh-Franklin scheme where $G_1$ is a subgroup of $E(\mathbb{F}_{131})$ and $G_2$ is a subgroup of $E'(\mathbb{F}_{131})$ where $E'/\mathbb{F}_{131}: y^2 = x^3 + 130$ is the quadratic twist of $E/\mathbb{F}_{131}$ constructed using the quadratic nonresidue $v = 130$. This will require the public parameters $P$ and $sP$ to be elements of $E'(\mathbb{F}_{131})$. We can use $P = (4, 71) \in E'(\mathbb{F}_{131})$ to generate $G_2$ for this, giving $sP = (56, 72)$ for $s = 7$. So we can use $G_1 = \langle Q \rangle = \langle (98, 58) \rangle$ and $G_2 = \langle P \rangle = \langle (4, 71) \rangle$. Let $\hat e: G_1 \times G_2 \to G_T$ be the reduced modified Tate pairing, where the map from $E'$ to $E$ given by $(x, y) \mapsto (130x, iy)$ is applied to the second argument, the Tate pairing $e$ is evaluated, and the result is raised to the power 1560. Let the master secret of this system be the integer $s = 7$, so that $sP = (56, 72)$, and suppose that Bob's identity gives us that $H_1(ID_{Bob}) = Q_{ID} = (128, 57)$, so that Bob's private key is $sQ_{ID} = (113, 8)$. The values used in this example are summarized in Table 8.7.

Alice can use these values to encrypt the message $M$ to Bob. Suppose that she generates the random $r = 5 \in \mathbb{Z}_{11}^*$ to do this. Alice then calculates $rQ_{ID} = 5(128, 57) = (98, 73)$ and uses it to calculate $rP = 5P = (54, 1)$ and

$$K = H_2(\hat e(rQ_{ID}, sP)) = H_2(\hat e((98, 73), (56, 72))) = H_2(39 + 107i)$$

which she then uses to create the ciphertext $(C_1, C_2)$ where $C_1 = rP$ and $C_2 = M \oplus K$. When Bob receives this ciphertext, he then calculates

Table 8.7 Summary of Values Used in Example 8.1.5(vi)

Parameters   Type                       Value        Comments
$P$          Point on elliptic curve    $(4, 71)$    $P \in E'(\mathbb{F}_{131})[11]$
$sP$         Point on elliptic curve    $(56, 72)$
$Q_{ID}$     Point on elliptic curve    $(128, 57)$  $Q_{ID} \in E(\mathbb{F}_{131})[11]$
$sQ_{ID}$    Point on elliptic curve    $(113, 8)$   Bob's private key
$r$          Integer                    5            Generated randomly by Alice
$s$          Integer                    7            Master secret
$$K = H_2(\hat e(sQ_{ID}, C_1)) = H_2(\hat e((113, 8), (54, 1))) = H_2(39 + 107i)$$

which he then uses to recover the plaintext $M$ by calculating $M = C_2 \oplus K = (M \oplus K) \oplus K = M$.

8.2 Boneh-Franklin IBE (Full Scheme)

The basic scheme is also vulnerable to a chosen-ciphertext attack because the value of $K$ calculated in (8.1) is not a function of the plaintext message $M$. So if an adversary wants to decrypt the ciphertext $(C_1, C_2)$ which encrypts the message $M$, he can do this by having the ciphertext decrypted after XORing a value of his choice into $C_2$, which yields $M$ XORed with that same value, and then XORing the value out again to recover $M$. The Fujisaki-Okamoto transform can easily eliminate this vulnerability; adding the additional level of hashing that the Fujisaki-Okamoto transform requires creates the more complex "full scheme" that is described below, which is not vulnerable to such an attack.

Adding the Fujisaki-Okamoto transform to create a scheme that is resistant to chosen-ciphertext attacks makes a more complex system. Two additional cryptographic hash functions are required, and both the encryption and decryption processes get more complex.

8.2.1 Setup of Parameters (Full Scheme)

In addition to the parameters listed in Table 8.3, we also need two additional hash functions to implement the Fujisaki-Okamoto transform. In particular, we need two hash functions $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$ and $H_4: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$. Adding these hash functions brings the list of public parameters for the full scheme to the public parameters that are listed in Table 8.8. The master secret is unchanged from the basic scheme, and is shown in Table 8.9.

There are dependencies among the elements of Table 8.8. The values of $p$, $q$, and $E$, for example, are implicit in the definition of the group $G_1$. Because of this it is possible to reduce the number of required public parameters to a much shorter list, and we can define the public parameters of a Boneh-Franklin IBE system to be BFParams $= (G_1, G_T, \hat e, n, P, sP, H_1, H_2, H_3, H_4)$ without introducing any ambiguity.
Table 8.8 Public Parameters of Boneh-Franklin IBE System (Full Scheme)

Element    Type                          Comments
$q$        Prime power                   Order of finite field $\mathbb{F}_q$
$E/\mathbb{F}_q$   Elliptic curve        $E(\mathbb{F}_q)$ has embedding degree $k$
$p$        Prime                         $p \mid \#E(\mathbb{F}_q)$, $p^2 \nmid \#E(\mathbb{F}_q)$
$G_1$      Cyclic group                  Subgroup of $E(\mathbb{F}_q)$, $G_1 = \langle P \rangle$
$G_T$      Cyclic group                  Subgroup of $\mathbb{F}_{q^k}^*$, $G_T = \langle \hat e(P,P) \rangle$
$\hat e$   Pairing                       $\hat e: G_1 \times G_1 \to G_T$
$n$        Integer                       Length of plaintext
$P$        Point on elliptic curve       $P \in E(\mathbb{F}_q)[p]$
$sP$       Point on elliptic curve       $sP \in E(\mathbb{F}_q)[p]$
$H_1$      Cryptographic hash function   $H_1: \{0,1\}^* \to G_1$
$H_2$      Cryptographic hash function   $H_2: G_T \to \{0,1\}^n$
$H_3$      Cryptographic hash function   $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$
$H_4$      Cryptographic hash function   $H_4: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$

Table 8.9 Master Secret for Boneh-Franklin IBE System (Full Scheme)

Element    Type       Comments
$s$        Integer    $s \in \mathbb{Z}_p^*$

8.2.2 Extraction of the Private Key (Full Scheme)

The extraction of the private key for the full scheme is identical to the extraction of the private key in the basic scheme (Section 8.1.2). This is summarized in Table 8.10.

8.2.3 Encrypting with Boneh-Franklin IBE (Full Scheme)

To encrypt the message $M$ to the recipient with identity $ID$, the sender performs the following steps:

Table 8.10 Private Key for Boneh-Franklin IBE System

Element      Type                       Comments
$sQ_{ID}$    Point on elliptic curve    Private key corresponding to identity $ID$, $Q_{ID} = H_1(ID)$
1. Calculates $Q_{ID} = H_1(ID)$.
2. Picks a random $n$-bit string (the symbol the book uses for it is lost in this extraction).
3. Calculates $r = H_3(\text{the random string}, M)$.
4. Calculates $C_1 = rP$.
5. Calculates $C_2 = (\text{the random string}) \oplus H_2(\hat e(rQ_{ID}, sP))$.
6. Calculates $C_3 = M \oplus H_4(\text{the random string})$.
7. Sets the ciphertext to $C = (C_1, C_2, C_3)$.

8.2.4 Decrypting with Boneh-Franklin IBE (Full Scheme)

To decrypt the ciphertext $C = (C_1, C_2, C_3)$, the recipient performs the following steps:

1. Recovers the random string as $C_2 \oplus H_2(\hat e(sQ_{ID}, C_1))$.
2. Calculates $M = C_3 \oplus H_4(\text{the random string})$, which is the plaintext message.
3. Calculates $r = H_3(\text{the random string}, M)$.
4. Calculates $rP$. If $C_1 \neq rP$ then rejects the ciphertext as invalid.

8.3 Security of the Boneh-Franklin IBE Scheme

Note that we can write $Q_{ID} = tP$ for some (unknown) $t$, so we have $\hat e(rQ_{ID}, sP) = \hat e(rtP, sP) = \hat e(P,P)^{rst}$. So, we can also think of the ciphertext as being $C = (rP, M \oplus H_2(\hat e(P,P)^{rst}))$. An adversary can obtain $P$ and $sP$ from the public parameters, can calculate $Q_{ID} = tP$ from the recipient's identity, and observes $rP$ in the ciphertext. If he can calculate $\hat e(P,P)^{rst}$ from $P$, $rP$, $sP$, and $tP$ then he can recover the plaintext message $M$ by calculating $(M \oplus H_2(\hat e(P,P)^{rst})) \oplus H_2(\hat e(P,P)^{rst}) = M$, but calculating $\hat e(P,P)^{rst}$ in this way is exactly the BDHP. So, if the BDHP is sufficiently difficult then it will be difficult for an adversary to recover a plaintext message from a corresponding ciphertext. By choosing $G_1$ and $G_T$ carefully this can easily be accomplished.

The original Boneh-Franklin paper [1] used the random oracle model to prove that an adversary able to decrypt a message that has been encrypted with Boneh-Franklin IBE can use his decryption algorithm to solve the BDHP, so if we believe that the BDHP is sufficiently difficult to solve then Boneh-Franklin IBE must also be sufficiently difficult to decrypt. The basic Boneh-Franklin scheme is resistant to chosen-plaintext attacks and adaptive chosen-identity attacks; the full Boneh-Franklin scheme is resistant to chosen-ciphertext attacks and adaptive chosen-identity attacks.
8.4 Summary

The following summarizes the steps in the Boneh-Franklin IBE scheme (full scheme).

Algorithm 8.1: Boneh-Franklin IBE Setup
INPUT: a security parameter, an elliptic curve $E$, a plaintext bit length $n$
OUTPUT: BFParams $= (G_1, G_T, \hat e, n, P, sP, H_1, H_2, H_3, H_4)$ and master secret $s$
1. Select a prime $p$ and prime power $q$ with $p \mid \#E(\mathbb{F}_q)$ and $p^2 \nmid \#E(\mathbb{F}_q)$ and such that the bit security level provided by $p$ and $q$ meets the required security parameter. For best performance, $p$ should be a Solinas prime.
2. Select a random $P \in E(\mathbb{F}_q)[p]$ and let $G_1 = \langle P \rangle$.
3. Let $k$ be the embedding degree of $E/\mathbb{F}_q$; select a pairing $\hat e: G_1 \times G_1 \to \mathbb{F}_{q^k}^*$.
4. Let $G_T = \langle \hat e(P,P) \rangle$.
5. Select a random $s \in \mathbb{Z}_p^*$ and calculate $sP$.
6. Select appropriate cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: G_T \to \{0,1\}^n$, $H_3: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$ and $H_4: \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_p^*$.
7. The master secret is the value $s$.
8. The public parameters are BFParams $= (G_1, G_T, \hat e, n, P, sP, H_1, H_2, H_3, H_4)$.

Algorithm 8.2: Boneh-Franklin IBE Private Key Extraction
INPUT: A string $ID$ representing an identity and a set of public parameters BFParams $= (G_1, G_T, \hat e, n, P, sP, H_1, H_2, H_3, H_4)$.
OUTPUT: The private key $sQ_{ID}$
1. Calculate $sQ_{ID} = sH_1(ID)$.

Algorithm 8.3: Boneh-Franklin IBE Encryption
INPUT: A plaintext message $M$ of length $n$ bits, a string $ID$ representing the identity of the recipient of the ciphertext, a set of public parameters BFParams $= (G_1, G_T, \hat e, n, P, sP, H_1, H_2, H_3, H_4)$.
OUTPUT: A ciphertext $C = (C_1, C_2, C_3)$
1. Calculate $Q_{ID} = H_1(ID)$.
2. Select a random $n$-bit string (the symbol the book uses for it is lost in this extraction).
3. Calculate $r = H_3(\text{the random string}, M)$.
4. Calculate $C_1 = rP$.
5. Calculate $C_2 = (\text{the random string}) \oplus H_2(\hat e(rQ_{ID}, sP))$.
6. Calculate $C_3 = M \oplus H_4(\text{the random string})$.

Algorithm 8.4: Boneh-Franklin IBE Decryption
INPUT: A ciphertext $C = (C_1, C_2, C_3)$, a set of public parameters BFParams $= (G_1, G_T, \hat e, n, P, sP, H_1, H_2, H_3, H_4)$, a private key $sQ_{ID}$.
OUTPUT: A plaintext message $M$ or an error condition
1. Recover the random string as $C_2 \oplus H_2(\hat e(sQ_{ID}, C_1))$.
2. Calculate $M = C_3 \oplus H_4(\text{the random string})$.
3. Calculate $r = H_3(\text{the random string}, M)$ and then calculate $rP$. If $C_1 \neq rP$ then raise an error condition that indicates an invalid ciphertext. Otherwise, return the plaintext $M$.

Reference

[1] Boneh, D., and M. Franklin, "Identity Based Encryption from the Weil Pairing," SIAM Journal of Computing, Vol. 32, No. 3, pp. 586–615.
9 Boneh-Boyen IBE

This chapter discusses Boneh-Boyen IBE [1], an example of the family of "commutative blinding" schemes. The name is due to the commuting of coefficients that occurs when computing the ratio of two pairings that is roughly of the form

$$\frac{e(aP, bQ)}{e(bP, aQ)}$$

A value that is used to encrypt a plaintext message is calculated by the sender using public parameters of a Boneh-Boyen IBE scheme, and the recipient of the resulting ciphertext calculates the same value from the ciphertext and his private key by calculating such a ratio of pairings. Calculating the ratio of two pairings can be done more efficiently than calculating the two pairings separately and then calculating the ratio, an algorithm for which is discussed in Chapter 12.

In the Boneh-Boyen IBE scheme and other commutative blinding schemes, an identity $ID$ is hashed to an integer that is then used in the encryption and decryption operations. This avoids a modular exponentiation, which generally makes such schemes faster than full-domain hash schemes, like the Boneh-Franklin scheme of Chapter 8, which require hashing an identity to a point on an elliptic curve.

Note that two IBE schemes were described in the same paper by Boneh and Boyen [1], so the name "Boneh-Boyen IBE scheme" can be ambiguous. The IBE scheme described here is the first of the two schemes that were described in this paper, and is often abbreviated BB1 while the second scheme is often abbreviated BB2. This chapter only discusses the BB1 IBE scheme.
Two ways to describe the basic Boneh-Boyen scheme are given in the following sections. A simplified version of the scheme is described in Section 9.1 using the additive notation that is commonly used for operations in elliptic curve groups and is used in many cryptographic standards. In Section 9.2 the same scheme is described using the multiplicative notation that is commonly used in more recent literature on pairing-based cryptography. The basic scheme is vulnerable to a chosen-ciphertext attack and a fully secure version of the scheme is described in Section 9.3.

9.1 Boneh-Boyen IBE (Basic Scheme—Additive Notation)

The Boneh-Boyen basic scheme uses a shared secret that can be calculated by both the sender and receiver of a message to encrypt a plaintext message; the sender of the message calculates the shared secret from public parameters and the recipient's identity, while the recipient calculates the shared secret from their private key and the ciphertext. While it is easier to understand than the full Boneh-Boyen IBE scheme, it also is not as secure. The fully secure and more complicated scheme is described in Section 9.3.

The following description of the Boneh-Boyen scheme uses the additive notation that is commonly used for operations in elliptic curve groups. So if $P$ and $Q$ are elements of an elliptic curve group $E(\mathbb{F}_q)$ then we will write $P + Q$ to indicate the group operation of $E(\mathbb{F}_q)$ applied to the group's elements $P$ and $Q$, and $aP$ to indicate the multiplication of the point $P$ by the integer $a$. This notation is used by many cryptographic standards, but is rarely used in the literature of pairing-based cryptography, where the multiplicative notation that is used in Section 9.2 is more common.

9.1.1 Setup of Parameters (Basic Scheme—Additive Notation)

To implement Boneh-Boyen IBE we first need a security parameter that defines the level of bit strength that the encryption will provide. Then we need to define groups $G_1$ and $G_T$ and a pairing $\hat e: G_1 \times G_1 \to G_T$. To do this we pick an elliptic curve $E/\mathbb{F}_q$ with embedding degree $k$, and a prime $p$ such that $p \mid \#E(\mathbb{F}_q)$. The security parameter will define the size of the groups $G_1$ and $G_T$ as described in Section 9.5. We then randomly pick a point $P \in E(\mathbb{F}_q)[p]$ and let $G_1 = \langle P \rangle$ and $G_T = \langle \hat e(P,P) \rangle$, which are cyclic groups of order $p$. We need a cryptographic hash function $H_1: \{0,1\}^* \to \mathbb{Z}_p$
to map strings representing identities to integers. To encrypt a message of $n$ bits using Boneh-Boyen IBE we also need another cryptographic hash function $H_2: G_T \to \{0,1\}^n$ that hashes elements of $G_T$ into a form that we can combine with the plaintext message, which is a bit string of length $n$. Three integers in $\mathbb{Z}_p$ are the master secret and are used to calculate the three additional public parameters $P_1$, $P_2$, and $P_3$, each the multiple of $P$ by one of the three master-secret integers (the symbols the book uses for these integers are lost in this extraction). There is also a constant $v = \hat e(P_1, P_2)$, which is a power of $\hat e(P,P)$, needed by the Boneh-Boyen scheme. This constant can either be distributed to users as part of the public parameters or can be precomputed by users before they perform a Boneh-Boyen encryption. We will assume that this constant $v$ is part of the public parameters, in which case the parameter $P_2$ does not need to be listed in the public parameters because its only use outside a PKG is in calculating $v$.

These elements form the public parameters and master secret as shown in Table 9.1 and Table 9.2. There are dependencies among the elements of Table 9.1. The values of $p$, $q$, and $E$, for example, are implicit in the definition of the group $G_1$. Because of this it is possible to reduce the number of required public parameters to a

Table 9.1 Parameters of Boneh-Boyen IBE System (Basic Scheme—Additive Notation)

Element    Type                          Comments
$q$        Prime power                   Order of finite field $\mathbb{F}_q$
$E/\mathbb{F}_q$   Elliptic curve        $E(\mathbb{F}_q)$ has embedding degree $k$
$p$        Prime                         $p \mid \#E(\mathbb{F}_q)$
$G_1$      Cyclic group                  Subgroup of $E(\mathbb{F}_q)$, $G_1 = \langle P \rangle$
$G_T$      Cyclic group                  Subgroup of $\mathbb{F}_{q^k}^*$, $G_T = \langle \hat e(P,P) \rangle$
$\hat e$   Pairing                       $\hat e: G_1 \times G_1 \to G_T$
$n$        Positive integer              Length of plaintext (in bits)
$P$        Point on elliptic curve       $P \in G_1$
$P_1$      Point on elliptic curve       $P$ multiplied by the first master-secret integer
$P_2$      Point on elliptic curve       $P$ multiplied by the second master-secret integer
$P_3$      Point on elliptic curve       $P$ multiplied by the third master-secret integer
$H_1$      Cryptographic hash function   $H_1: \{0,1\}^* \to \mathbb{Z}_p$
$H_2$      Cryptographic hash function   $H_2: G_T \to \{0,1\}^n$
$v$        Element of $\mathbb{F}_{q^k}^*$   $v = \hat e(P_1, P_2)$, a power of $\hat e(P,P)$

Table 9.2 Master Secret for Boneh-Boyen IBE System (Basic Scheme—Additive Notation)

Element                 Type        Comments
Three master-secret values   Integers    Each in $\mathbb{Z}_p$
much shorter list, and we can define the public parameters of a Boneh-Boyen IBE system (basic scheme, additive notation) to be BB1BasicParamsAdditive $= (G_1, G_T, \hat e, n, P, P_1, P_3, H_1, H_2, v)$ without introducing any ambiguity.

9.1.2 Extraction of the Private Key (Basic Scheme—Additive Notation)

Once the public parameters listed in Table 9.1 and the master secret listed in Table 9.2 are determined, the private key associated with the identity $ID$ is calculated by mapping the identity to an integer $q_{ID} \in \mathbb{Z}_p$ by calculating $q_{ID} = H_1(ID)$. A random per-user value $r \in \mathbb{Z}_p$ is then generated, which is then used to calculate the two components of the private key $D_{ID} = (q_{ID} r P_1 + P_2 + r P_3, rP) = (D_0, D_1)$ (the master-secret coefficient on $P_2$ is lost in this extraction). This is summarized in Table 9.3.

9.1.3 Encrypting with Boneh-Boyen IBE (Basic Scheme—Additive Notation)

To encrypt the message $M \in \{0,1\}^n$ to the recipient with identity $ID$, the sender performs the following steps.

1. Calculate $q_{ID} = H_1(ID)$.
2. Pick random $s \in \mathbb{Z}_p$.
3. Calculate $k = v^s$.
4. Calculate $c = M \oplus H_2(k)$.
5. Calculate $C_0 = sP$.
6. Calculate $C_1 = q_{ID}(sP_1) + sP_3$.
7. Set ciphertext to $C = (c, C_0, C_1)$.

9.1.4 Decrypting with Boneh-Boyen IBE (Basic Scheme—Additive Notation)

When the recipient receives the ciphertext $C = (c, C_0, C_1)$ he performs the following steps.

Table 9.3 Private Key for Boneh-Boyen IBE System

Element                                                   Comments
$D_{ID} = (q_{ID} r P_1 + P_2 + r P_3, rP) = (D_0, D_1)$   Private key corresponding to identity $ID$, $q_{ID} = H_1(ID)$
1. Calculate $k = \dfrac{\hat e(C_0, D_0)}{\hat e(C_1, D_1)}$.
2. Calculate $M = c \oplus H_2(k)$.

Note that (the master-secret exponents that the book attaches to the $P_2$ terms are lost in this extraction)

$$\hat e(C_0, D_0) = \hat e(sP, q_{ID} r P_1 + P_2 + r P_3) = \hat e(sP, q_{ID} r P_1)\,\hat e(sP, P_2)\,\hat e(sP, r P_3) = \hat e(P,P)^{q_{ID} r s}\,\hat e(P,P)^{s}\,\hat e(P,P)^{rs}$$

and

$$\hat e(C_1, D_1) = \hat e(q_{ID} s P_1 + s P_3, rP) = \hat e(q_{ID} s P_1, rP)\,\hat e(s P_3, rP) = \hat e(P,P)^{q_{ID} r s}\,\hat e(P,P)^{rs}$$

so that we have

$$\frac{\hat e(C_0, D_0)}{\hat e(C_1, D_1)} = \frac{\hat e(P,P)^{q_{ID} r s}\,\hat e(P,P)^{s}\,\hat e(P,P)^{rs}}{\hat e(P,P)^{q_{ID} r s}\,\hat e(P,P)^{rs}} = \hat e(P,P)^{s} = v^s$$

so that step 3 of Section 9.1.3 and step 1 of Section 9.1.4 calculate the same value of $v^s$, which allows the recipient to decrypt the ciphertext correctly.

Example 9.1 (Boneh-Boyen Basic Scheme—Additive Notation)

(i) To create a suitable hash function $H_1: \{0,1\}^* \to \mathbb{Z}_p$, suppose that we have a cryptographic hash function $H$ that creates an output of at least $\log_2 p$ bits and want to calculate $H_1(ID)$. We can create a suitable $H_1$ from $H$ by either repeatedly applying $H$ to $H(ID)$ until we obtain a value in the correct range or by reducing $H(ID)$ modulo $p$.

(ii) To create a suitable hash function $H_2: G_T \to \{0,1\}^n$, suppose that we have a cryptographic hash function $H$ that creates an output of at least $n$ bits, and that $G_T$ is a subgroup of $\mathbb{F}_{q^k}^*$, so that we can write a typical element of $G_T$ as $(x_1, x_2, \ldots, x_k)$, where $x_i \in \mathbb{F}_q^*$. We can create a suitable $H_2$ from $H$ by calculating $H(x_1 | x_2 | \ldots | x_k)$ and then truncating the result to $n$ bits, for example.

(iii) Suppose that Alice wants to use Boneh-Boyen IBE to encrypt a message to Bob. Suppose that $E$ is the elliptic curve $E: y^2 = x^3 + 1$, and let $G_1$ be the subgroup of order 11 of $E(\mathbb{F}_{131})$ with generator $P = (98, 58)$. Let $G_T$ be a subgroup of $\mathbb{F}_{131^2}^*$ generated by $\hat e(P,P) = 28 + 93i$, where $\mathbb{F}_{131^2}$ is represented by $\mathbb{F}_{131}[i]$ where $i^2 = -1 \equiv 130 \pmod{131}$. Let $\hat e: G_1 \times G_1 \to G_T$ be the reduced modified Tate pairing, where $e: G_1 \times G_1 \to G_T$ is the Tate pairing and $\hat e(P, Q)$ is $e$ evaluated at $P$ and the image of $Q$ under the distortion map, raised to the power 1560, the distortion map being given by $(x, y) \mapsto ((65 + 112i)x, y)$. Let the master secret be the three integers 3, 4, and 5, giving the additional parameters $P_1 = 3P = (113, 8)$, $P_2 = 4P = (33, 31)$ and $P_3 = 5P = (34, 23)$, so that $v = \hat e(P_1, P_2) = 28 + 93i$. Suppose that $q_{ID} = H_1(ID_{Bob}) = 6$. For Bob's private key, suppose that the PKG picks the random $r = 8$ and then calculates

$$D_0 = q_{ID} r P_1 + P_2 + r P_3 = (98, 58) + (98, 58) + (33, 100) = (128, 74)$$

and

$$D_1 = rP = 8P = (113, 123)$$

Suppose that Alice wants to encrypt the short message $M$ to Bob using this IBE system. To do this she picks a random $s$, say $s = 7$. She then calculates

$$C_0 = sP = 7P = (33, 100)$$

and

$$C_1 = q_{ID} s P_1 + s P_3 = (34, 23) + (128, 57) = (33, 100)$$

She then calculates $k = v^s = v^7 = 49 + 73i$. Then Alice calculates $H_2(k) = H_2(49 + 73i)$ which she then XORs with the plaintext $M$ to get the ciphertext component $c = M \oplus H_2(k)$. Alice then sends ciphertext $C = (c, C_0, C_1) = (M \oplus H_2(k), (33, 100), (33, 100))$ to Bob.

Bob receives the ciphertext $C = (c, C_0, C_1) = (M \oplus H_2(k), (33, 100), (33, 100))$ and calculates $\hat e(C_0, D_0) = 85 + 51i$ and $\hat e(C_1, D_1) = 28 + 93i$ and then calculates the ratio of the two pairings

$$k = \frac{85 + 51i}{28 + 93i} = 49 + 73i$$

He then calculates $H_2(k) = H_2(49 + 73i)$ which he then uses to recover the plaintext by calculating

$$c \oplus H_2(k) = (M \oplus H_2(k)) \oplus H_2(k) = M$$

The values used in this example are summarized in Table 9.4.

(iv) Let $E/\mathbb{F}_q$ be an ordinary elliptic curve with $E'/\mathbb{F}_q$ a twist of order $d$ of $E/\mathbb{F}_q$. We can then use a pairing $\hat e: G_1 \times G_2 \to G_T$, where we have a map of order $d$ from $E'$ to $E$ and $\hat e(P, Q)$ is the Tate pairing of $P$ with the image of $Q$ under this map, raised to the power $(q^k - 1)/p$, to implement the Boneh-Boyen scheme. We can then make $G_1$ a subgroup of $E(\mathbb{F}_q)$, $G_2$ a subgroup of $E'(\mathbb{F}_{q^{k/d}})$, and $G_T$ a subgroup of $\mathbb{F}_{q^k}^*$. In this case, we will need four additional parameters, points $Q$, $Q_1$, $Q_2$,

Table 9.4 Summary of Parameters Used in Example 9.1(iii)

Parameters     Type                              Value                          Comments
$E/\mathbb{F}_{131}$   Elliptic curve            $y^2 = x^3 + 1$
$P$            Point on elliptic curve           $(98, 58)$                     Point of order 11
$P_1$          Point on elliptic curve           $(113, 8)$
$P_2$          Point on elliptic curve           $(33, 31)$
$P_3$          Point on elliptic curve           $(34, 23)$
$v$            Element of $\mathbb{F}_{131^2}^*$   $28 + 93i$                   $v = \hat e(P_1, P_2)$
$q_{ID}$       Integer                           6
$(D_0, D_1)$   Points on elliptic curve          $((128, 74), (113, 123))$      Bob's private key
and Q3, all elements of E′(F_(q^(k/d))), and we will need to calculate D0 as D0 = qID r Q1 + αQ2 + rQ3 and D1 as D1 = rQ. Note that we need to have elements defined over F_(q^(k/d)) in G2 because φd: E′ → E must map points on E′ to points suitable for use in the pairing, so that they must end up in a subgroup of E(F_(q^k)). The mapping φd: E′ → E increases the dimension of the coordinates of its output by a factor of d, so to end up in E(F_(q^k)) we need to start in E′(F_(q^(k/d))).

9.2 Boneh-Boyen IBE (Basic Scheme—Multiplicative Notation)

The Boneh-Boyen basic scheme uses a shared secret that can be calculated by both the sender and receiver of a message to encrypt a plaintext message; the sender of the message calculates the shared secret from public parameters and the recipient's identity, while the recipient calculates the shared secret from their private key and the ciphertext. While it is easier to understand than the full Boneh-Boyen IBE scheme, it also is not as secure. The fully secure and more complicated scheme is described in Section 9.4.

The following description of the Boneh-Boyen scheme uses the multiplicative notation that is commonly used in the literature of pairing-based cryptography, so that if g1 and g2 are elements of an elliptic curve group E(F_q) then we will write g1g2 to indicate the group operation of E(F_q) applied to the group's elements g1 and g2, and g^a to indicate multiplying the point g by the integer a.

9.2.1 Setup of Parameters (Basic Scheme—Multiplicative Notation)

To implement Boneh-Boyen IBE we first need a security parameter that defines the level of bit strength that the encryption will provide. Then we need to define groups G1 and GT and a pairing ê: G1 × G1 → GT. To do this we pick an elliptic curve E/F_q with embedding degree k, and a prime p such that p | #E(F_q). The security parameter will define the size of the groups G1 and GT as described in Section 9.5. We then randomly pick a point P ∈ E(F_q)[p] and let G1 = 〈P〉 and GT = 〈ê(P, P)〉, which are cyclic groups of order p. We need a cryptographic hash function H1: {0,1}* → Z_p to map strings representing identities to integers. To encrypt a message of n bits using Boneh-Boyen IBE we also need another cryptographic hash function H2: GT → {0,1}^n that hashes elements of GT into a form that we can combine with the plaintext message, which is a bit string of length n. Three integers α, β, γ ∈ Z_p are the master secret and are used to calculate the three additional public parameters g1 = g^α, g2 = g^β, and g3 = g^γ.

There is an additional constant v = ê(g1, g2) = ê(g, g)^(αβ) which is needed by the Boneh-Boyen scheme. This constant can either be distributed to users as part of the public parameters or can be precomputed by users before they perform a Boneh-Boyen encryption. We will assume that this constant v is part of the public parameters, in which case the parameter g2 does not need to be listed in the public parameters because its only use outside a PKG is in calculating v. These elements form the public parameters and master secret as shown in Table 9.5 and Table 9.6.

Table 9.5 Parameters of Boneh-Boyen IBE System (Basic Scheme—Multiplicative Notation)

  Element   Type                          Comments
  q         Prime power                   Order of finite field F_q
  E/F_q     Elliptic curve                E(F_q) has embedding degree k
  p         Prime                         p | #E(F_q)
  G1        Cyclic group                  Subgroup of E(F_q), G1 = 〈g〉
  GT        Cyclic group                  Subgroup of F*_(q^k), GT = 〈ê(g, g)〉
  ê         Pairing                       ê: G1 × G1 → GT
  n         Positive integer              Length of plaintext (in bits)
  g         Point on elliptic curve       g ∈ G1
  g1        Point on elliptic curve       g1 = g^α
  g2        Point on elliptic curve       g2 = g^β
  g3        Point on elliptic curve       g3 = g^γ
  H1        Cryptographic hash function   H1: {0,1}* → Z_p
  H2        Cryptographic hash function   H2: GT → {0,1}^n
  v         Element of F*_(q^k)           v = ê(g1, g2) = ê(g, g)^(αβ)

Table 9.6 Master Secret for Boneh-Boyen IBE System (Basic Scheme—Multiplicative Notation)

  Element   Type       Comments
  α, β, γ   Integers   α, β, γ ∈ Z_p

There are dependencies among the elements of Table 9.5. The values of p, q, and E, for example, are implicit in the definition of the group G1. Because of this it is possible to reduce the number of required public parameters to a much shorter list, and we can define the public parameters of a Boneh-Boyen
IBE system (basic scheme—multiplicative notation) to be

  BB1BasicParamsMultiplicative = (G1, GT, ê, n, g, g1, g3, H1, H2, v)

without introducing any ambiguity.

9.2.2 Extraction of the Private Key (Basic Scheme—Multiplicative Notation)

Once the public parameters listed in Table 9.5 and the master secret listed in Table 9.6 are determined, the private key associated with the identity ID is calculated by mapping the identity to an integer qID ∈ Z_p by calculating qID = H1(ID). A random per-user value r ∈ Z_p is then generated, which is then used to calculate the two components of the private key

  dID = (g1^(qID r) g2^α g3^r, g^r) = (d0, d1).

This is summarized in Table 9.7.

Table 9.7 Private Key for Boneh-Boyen IBE System (Basic Scheme—Multiplicative Notation)

  Element                                        Comments
  dID = (g1^(qID r) g2^α g3^r, g^r) = (d0, d1)   Private key corresponding to identity ID, qID = H1(ID)

9.2.3 Encrypting with Boneh-Boyen IBE (Basic Scheme—Multiplicative Notation)

To encrypt the message M ∈ {0,1}^n to the recipient with identity ID, the sender performs the following steps.

1. Calculate qID = H1(ID).
2. Pick random s ∈ Z_p.
3. Calculate k = v^s.
4. Calculate c = M ⊕ H2(k).
5. Calculate c0 = g^s.
6. Calculate c1 = g1^(qID s) g3^s.
7. Set ciphertext to C = (c, c0, c1).

9.2.4 Decrypting with Boneh-Boyen IBE (Basic Scheme—Multiplicative Notation)

When the recipient receives the ciphertext C = (c, c0, c1) he performs the following steps.
1. Calculate k = ê(c0, d0) / ê(c1, d1).
2. Calculate M = c ⊕ H2(k).

Note that

  ê(c0, d0) = ê(g^s, g1^(qID r) g2^α g3^r)
            = ê(g^s, g1^(qID r)) ê(g^s, g2^α) ê(g^s, g3^r)
            = ê(g^s, g^(qID r α)) ê(g^s, g^(αβ)) ê(g^s, g^(rγ))
            = ê(g, g)^(qID r α s) ê(g, g)^(αβs) ê(g, g)^(rγs)

and

  ê(c1, d1) = ê(g1^(qID s) g3^s, g^r)
            = ê(g^(qID α s) g^(γ s), g^r)
            = ê(g^(qID α s), g^r) ê(g^(γ s), g^r)
            = ê(g, g)^(qID α r s) ê(g, g)^(γ r s)

so that

  ê(c0, d0) / ê(c1, d1) = [ê(g, g)^(qID r α s) ê(g, g)^(αβs) ê(g, g)^(rγs)] / [ê(g, g)^(qID α r s) ê(g, g)^(γ r s)]
                        = ê(g, g)^(αβs)
                        = v^s

so that step 3 of Section 9.2.3 and step 1 of Section 9.2.4 calculate the same value of v^s, which allows the recipient to decrypt the ciphertext correctly.

9.3 Boneh-Boyen IBE (Full Scheme)

The basic Boneh-Boyen scheme is vulnerable to a chosen-ciphertext attack: if an adversary wants to decrypt the ciphertext (c, c0, c1) which corresponds to the plaintext message M, he can do this by decrypting the ciphertext (c ⊕ δ, c0, c1) to get the plaintext message M ⊕ δ and then recover M as M = (M ⊕ δ) ⊕ δ. The Fujisaki-Okamoto transform can easily eliminate this vulnerability.

The original specification of the Boneh-Boyen scheme defined a hashing scheme tailored to the scheme that accomplishes the same goal as the Fujisaki-Okamoto transform. This tailored scheme is used in the description of the full scheme that is described in Section 9.4. The full Boneh-Boyen scheme is typically described using the multiplicative notation that was used in Section 9.2, a convention that we follow here. The full scheme is resistant to chosen-ciphertext attacks and adaptive chosen-identity attacks.

9.3.1 Setup of Parameters (Full Scheme)

In addition to the parameters listed in Table 9.5, we also need an additional hash function to add chosen-ciphertext security. In particular, we need a hash function H3: GT × {0,1}^n × G1 × G1 → Z_p. Adding this hash function brings the list of public parameters for the full scheme to the public parameters that are listed in Table 9.8. The master secret is unchanged from the basic scheme, and is shown in Table 9.9.

There are dependencies among the elements of Table 9.8. The values of p, q, and E, for example, are implicit in the definition of the group G1. Because of this it is possible to reduce the number of required public parameters to a much shorter list, and we can define the public parameters of a Boneh-Boyen IBE system to be BB1params = (G1, GT, ê, n, g, g1, g3, H1, H2, H3, v
) without introducing any ambiguity.

Table 9.8 Parameters of Boneh-Boyen IBE System (Full Scheme)

  Element   Type                          Comments
  q         Prime power                   Order of finite field F_q
  E/F_q     Elliptic curve                E(F_q) has embedding degree k
  p         Prime                         p | #E(F_q)
  G1        Cyclic group                  Subgroup of E(F_q), G1 = 〈g〉
  GT        Cyclic group                  Subgroup of F*_(q^k), GT = 〈ê(g, g)〉
  ê         Pairing                       ê: G1 × G1 → GT
  n         Positive integer              Length of plaintext (in bits)
  g         Point on elliptic curve       g ∈ G1
  g1        Point on elliptic curve       g1 = g^α
  g2        Point on elliptic curve       g2 = g^β
  g3        Point on elliptic curve       g3 = g^γ
  H1        Cryptographic hash function   H1: {0,1}* → Z_p
  H2        Cryptographic hash function   H2: GT → {0,1}^n
  H3        Cryptographic hash function   H3: GT × {0,1}^n × G1 × G1 → Z_p
  v         Element of F*_(q^k)           v = ê(g1, g2) = ê(g, g)^(αβ)

Table 9.9 Master Secret for Boneh-Boyen IBE System (Full Scheme)

  Element   Type       Comments
  α, β, γ   Integers   α, β, γ ∈ Z_p

9.3.2 Extraction of the Private Key (Full Scheme)

The extraction of the private key for the full scheme is identical to the extraction of the private key in the basic scheme (Section 9.2.2). This is summarized in Table 9.10.

Table 9.10 Private Key for Boneh-Boyen IBE System

  Element                                        Comments
  dID = (g1^(qID r) g2^α g3^r, g^r) = (d0, d1)   Private key corresponding to identity ID, qID = H1(ID)

9.3.3 Encrypting with Boneh-Boyen IBE (Full Scheme)

To encrypt the message M to the recipient with identity ID, the sender performs the following steps:

1. Calculate qID = H1(ID).
2. Pick random s ∈ Z_p.
3. Calculate k = v^s.
4. Calculate c = M ⊕ H2(k).
5. Calculate c0 = g^s.
6. Calculate c1 = g1^(qID s) g3^s.
7. Calculate t = s + H3(k, c, c0, c1).
8. Set ciphertext to C = (c, c0, c1, t).

9.3.4 Decrypting with Boneh-Boyen IBE (Full Scheme)

To decrypt the ciphertext C = (c, c0, c1, t), the recipient performs the following steps:
1. Calculate k = ê(c0, d0) / ê(c1, d1).
2. Calculate s = t − H3(k, c, c0, c1).
3. Verify that k = v^s and c0 = g^s. If either condition fails, raise an error condition and exit.
4. Calculate M = c ⊕ H2(k).

9.4 Security of the Boneh-Boyen IBE Scheme

An adversary observing a message that is encrypted with the Boneh-Boyen scheme has access to g, g1 = g^α, g3 = g^γ, and v = ê(g, g)^(αβ) from the public parameters of the system. He also observes g^s and g1^(qID s) g3^s = g^(qID α s + γ s) = g^(s(qID α + γ)) from the ciphertext. From these values he wants to recover v^s = ê(g, g)^(αβs). He can accomplish this in at least two ways. First, he can calculate s from g^s by calculating a discrete logarithm in G1, and then calculating v^s with this result. He can also calculate αβ as the discrete logarithm of v = ê(g, g)^(αβ) in GT and then calculate v^s = (ê(g, g)^s)^(αβ) = ê(g, g)^(αβs) with this value. So, an adversary who can calculate discrete logarithms in either G1 or GT can decrypt messages that are encrypted with the Boneh-Boyen scheme.

This is very close to solving the BDHP, and Boneh and Boyen [1] have proven two separate cases of this, depending on whether the random oracle or the standard model is used in the proof. In particular, they showed using the standard model that an adversary able to efficiently decrypt a message that has been encrypted with Boneh-Boyen IBE can use their decryption algorithm to solve the DBDHP, so if we believe that the DBDHP is sufficiently difficult to solve then Boneh-Boyen IBE must also be sufficiently difficult to decrypt. They also showed using the random oracle model that an adversary able to efficiently decrypt a message that has been encrypted with Boneh-Boyen IBE can use their decryption algorithm to solve the BDHP. So if we are willing to accept the stronger assumption of the DBDHP then a proof is possible using the standard model, but if the weaker BDHP assumption is adequate then a proof is possible using the random oracle model. The basic Boneh-Boyen scheme is resistant to chosen-plaintext attacks and adaptive chosen-identity attacks; the full Boneh-Boyen scheme is resistant to chosen-ciphertext attacks and adaptive chosen-identity attacks.

Note that in the extraction of a Boneh-Boyen private key a random value is used. Due to the way in which the two components of such a private key are used in decryption, a private key generated with any other random value will also work in the same decryption operation. This allows key recovery to be performed in a Boneh-Boyen system even though a random component is used in each private key. The security provided by the system, however, requires that the same random value is not reused to create private keys for different users.

9.5 Summary

The following summarizes the steps in the Boneh-Boyen IBE scheme (full scheme).

Algorithm 9.1: Boneh-Boyen IBE Setup
INPUT: a security parameter, an elliptic curve E, a plaintext length n
OUTPUT: BB1params = (G1, GT, ê, n, g, g1, g3, H1, H2, H3, v) and master secret (α, β, γ)
1. Select a prime p and prime power q with p | #E(F_q) and such that the bit security level provided by p and q meets the required security parameter (using Table 9.10, for example). For best performance, p should be a Solinas prime.
2. Select a random g ∈ E(F_q)[p] and let G1 = 〈g〉.
3. Let k be the embedding degree of E/F_q; select a pairing ê: G1 × G1 → F*_(q^k).
4. Let GT = 〈ê(g, g)〉.
5. Select random α, β, γ ∈ Z_p and calculate g1 = g^α, g2 = g^β, and g3 = g^γ.
6. Select appropriate cryptographic hash functions H1: {0,1}* → Z_p, H2: GT → {0,1}^n, and H3: GT × {0,1}^n × G1 × G1 → Z_p.
7. The master secret is (α, β, γ).
8. The public parameters are BB1params = (G1, GT, ê, n, g, g1, g3, H1, H2, H3, v).

Algorithm 9.2: Boneh-Boyen IBE Private Key Extraction
INPUT: A string ID representing an identity and a set of public parameters BB1params = (G1, GT, ê, n, g, g1, g3, H1, H2, H3, v)
OUTPUT: The private key dID = (d0, d1)
1. Calculate qID = H1(ID).
2. Select a random r ∈ Z_p.
3. Calculate d0 = g1^(qID r) g2^α g3^r.
4. Calculate d1 = g^r.
5. Set the private key to dID = (d0, d1).
Algorithm 9.3: Boneh-Boyen IBE Encryption
INPUT: A plaintext message M of length n bits, a string ID representing the identity of the recipient of the ciphertext, a set of public parameters BB1params = (G1, GT, ê, n, g, g1, g3, H1, H2, H3, v)
OUTPUT: A ciphertext C = (c, c0, c1, t)
1. Calculate qID = H1(ID).
2. Pick random s ∈ Z_p.
3. Calculate k = v^s.
4. Calculate c = M ⊕ H2(k).
5. Calculate c0 = g^s.
6. Calculate c1 = g1^(qID s) g3^s.
7. Calculate t = s + H3(k, c, c0, c1).
8. Set ciphertext to C = (c, c0, c1, t).

Algorithm 9.4: Boneh-Boyen IBE Decryption
INPUT: A ciphertext C = (c, c0, c1, t), a set of public parameters BB1params = (G1, GT, ê, n, g, g1, g3, H1, H2, H3, v), a private key dID = (d0, d1)
OUTPUT: A plaintext message M or an error condition
1. Calculate k = ê(c0, d0) / ê(c1, d1).
2. Calculate s = t − H3(k, c, c0, c1).
3. Verify that k = v^s and c0 = g^s. If either condition fails, raise an error condition and exit.
4. Calculate M = c ⊕ H2(k).
5. Set plaintext to M.

Reference

[1] Boneh, D., and X. Boyen, "Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles," Proceedings of EUROCRYPT 2004, Interlaken, Switzerland, May 2–6, 2004, pp. 223–238.
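The following is an added example and not the book's own code: a Python implementation of the reduced modified Tate pairing on the toy curve of Example 9.1 (iii), used to check that the Boneh-Boyen decryption identity ê(C0, D0)/ê(C1, D1) = v^s holds with that example's parameters. It assumes the curve, subgroup, distortion map and master secret (α, β, γ) = (3, 4, 5) of the example; the literal pairing value it produces depends on the Miller-function normalization, so the identities, not the book's 28 + 93i, are what it verifies.

```python
# Added example (not the book's code): the reduced modified Tate pairing on the
# toy curve of Example 9.1(iii), used to check the Boneh-Boyen decryption identity
# e^(C0, D0) / e^(C1, D1) = v^s with that example's parameters.
Q = 131            # characteristic of the base field F_131
ORDER = 11         # prime order of the subgroup G1 = <P>
ZETA = (65, 112)   # cube root of unity zeta = 65 + 112i used by the distortion map
INF = None         # the point at infinity

# Elements of F_131^2 = F_131[i], i^2 = -1, are pairs (a, b) standing for a + b*i.
def f2_mul(x, y):
    (a, b), (c, d) = x, y
    return ((a * c - b * d) % Q, (a * d + b * c) % Q)

def f2_sub(x, y):
    return ((x[0] - y[0]) % Q, (x[1] - y[1]) % Q)

def f2_pow(x, e):
    r = (1, 0)
    while e:
        if e & 1:
            r = f2_mul(r, x)
        x, e = f2_mul(x, x), e >> 1
    return r

def f2_inv(x):
    return f2_pow(x, Q * Q - 2)   # Fermat: x^(q^2 - 2) = 1/x in F_(q^2)

def pt(x, y):
    # a point of E(F_131) lifted into E(F_131^2)
    return ((x % Q, 0), (y % Q, 0))

def slope(p1, p2):
    # slope of the chord through p1, p2 (tangent if p1 == p2) on y^2 = x^3 + 1
    (x1, y1), (x2, y2) = p1, p2
    if p1 == p2:
        return f2_mul(f2_mul((3, 0), f2_mul(x1, x1)), f2_inv(f2_mul((2, 0), y1)))
    return f2_mul(f2_sub(y2, y1), f2_inv(f2_sub(x2, x1)))

def ec_add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 != y2 or y1 == (0, 0)):
        return INF                 # p2 = -p1, so the sum is the point at infinity
    lam = slope(p1, p2)
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), x1), x2)
    return (x3, f2_sub(f2_mul(lam, f2_sub(x1, x3)), y1))

def ec_mul(k, p):
    r = INF
    while k:
        if k & 1:
            r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r

def miller_step(t, p, q):
    # g_{T,P}(Q) = l_{T,P}(Q) / v_{T+P}(Q): the line through T and P (the tangent
    # when T == P) divided by the vertical line through T + P, evaluated at Q
    (xt, yt), (xp, _), (xq, yq) = t, p, q
    if xt == xp and t != p:
        return f2_sub(xq, xt)      # T + P = O: the line is vertical and v_O = 1
    lam = slope(t, p)
    num = f2_sub(f2_sub(yq, yt), f2_mul(lam, f2_sub(xq, xt)))
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), xt), xp)
    return f2_mul(num, f2_inv(f2_sub(xq, x3)))

def miller(p, q):
    # Miller's algorithm (Section 4.3): the function f_{ORDER,P} evaluated at Q
    f, t = (1, 0), p
    for bit in bin(ORDER)[3:]:
        f, t = f2_mul(f2_mul(f, f), miller_step(t, t, q)), ec_add(t, t)
        if bit == "1":
            f, t = f2_mul(f, miller_step(t, p, q)), ec_add(t, p)
    return f

def pairing(p, q):
    # e^(P, Q) = f_{11,P}(phi(Q))^((131^2 - 1)/11) with phi(x, y) = (zeta*x, y)
    phi_q = (f2_mul(ZETA, q[0]), q[1])
    return f2_pow(miller(p, phi_q), (Q * Q - 1) // ORDER)

# Public parameters of Example 9.1(iii) and the master secret (alpha, beta, gamma).
P = pt(98, 58)
ALPHA, BETA, GAMMA = 3, 4, 5
P1, P2, P3 = ec_mul(ALPHA, P), ec_mul(BETA, P), ec_mul(GAMMA, P)

def bb1_shared_secret(q_id=6, r=8, s=7):
    """Return (sender's v^s, recipient's e^(C0,D0)/e^(C1,D1)); they must agree."""
    v = pairing(P1, P2)                                   # v = e^(P, P)^(alpha*beta)
    d0 = ec_add(ec_add(ec_mul(q_id * r, P1), ec_mul(ALPHA, P2)), ec_mul(r, P3))
    d1 = ec_mul(r, P)                                     # Bob's key (D0, D1)
    c0 = ec_mul(s, P)
    c1 = ec_add(ec_mul(q_id * s, P1), ec_mul(s, P3))      # Alice's (C0, C1)
    recovered = f2_mul(pairing(c0, d0), f2_inv(pairing(c1, d1)))
    return f2_pow(v, s), recovered
```

The point multiples it computes match Table 9.4 (P1 = (113, 8), P2 = (33, 31), P3 = (34, 23), 7P = (33, 100), 8P = (113, 123)), and the recipient's ratio of pairings equals v^s for any choice of qID, r and s.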
10 Sakai-Kasahara IBE

This chapter discusses Sakai-Kasahara IBE [1], an example of the family of "exponent inversion" schemes, in which a private key of the form g^(1/a) is used to decrypt a ciphertext. In these schemes, a string representing an identity is hashed to an integer that is then used in the encryption and decryption operations. This avoids a modular exponentiation, which generally makes such schemes faster than full-domain hash schemes, like the Boneh-Franklin algorithm of Chapter 8, which require hashing an identity to a point on an elliptic curve.

The name of the Sakai-Kasahara scheme is due to the way in which calculating keys is done, which is motivated by the work of Sakai and Kasahara, although the algorithms that comprise the Sakai-Kasahara IBE scheme are quite different from those originally described by Sakai and Kasahara.

Two ways to describe the basic Sakai-Kasahara scheme are given in the following sections. A simplified version of the algorithm is described in Section 10.1 using the additive notation that is commonly used for operations in elliptic curve groups and is used in many cryptographic standards, and in Section 10.2 it is described using the multiplicative notation that is commonly used in more recent literature on pairing-based cryptography. The basic scheme is vulnerable to a chosen-ciphertext attack. A fully secure version of the algorithm is described in Section 10.3.

10.1 Sakai-Kasahara IBE (Basic Scheme—Additive Notation)

The Sakai-Kasahara basic scheme uses a shared secret that can be calculated by both the sender and receiver of a message to encrypt a plaintext message; the
sender of the message calculates the shared secret from public parameters and the recipient's identity, while the recipient calculates the shared secret from their private key and the ciphertext. While it is easier to understand than the full Sakai-Kasahara IBE scheme, it also is not as secure. The fully secure and more complicated scheme is described in Section 10.3.

The following description of the Sakai-Kasahara scheme uses additive notation, so that if P1 and P2 are elements of an elliptic curve group E(F_q) then we will write P1 + P2 to indicate the group operation of E(F_q) applied to the group's elements P1 and P2, and aP to indicate multiplying the point P by the integer a.

10.1.1 Setup of Parameters (Basic Scheme—Additive Notation)

To implement Sakai-Kasahara IBE we first need a security parameter that defines the level of bit strength that the encryption will provide. Then we need to define groups G1 and GT and a pairing ê: G1 × G1 → GT. To do this we pick an elliptic curve E/F_q with embedding degree k, and a prime p such that p | #E(F_q). The security parameter will define the size of the groups G1 and GT as described in Section 5.4. We then randomly pick a point P ∈ E(F_q)[p] and let G1 = 〈P〉 and GT = 〈ê(P, P)〉, which are cyclic groups of order p. We need a cryptographic hash function H1: {0,1}* → Z_p to map strings representing identities to integers. To encrypt a message of n bits using Sakai-Kasahara IBE we also need another cryptographic hash function H2: GT → {0,1}^n that hashes elements of GT into a form that we can combine with the plaintext message, which is a bit string of length n. An integer s ∈ Z_p is the master secret. These elements form the public parameters and master secret as shown in Table 10.1 and Table 10.2.

Table 10.1 Parameters of Sakai-Kasahara IBE Scheme (Basic Scheme—Additive Notation)

  Element   Type                          Comments
  q         Prime power                   Order of finite field F_q
  E/F_q     Elliptic curve                E(F_q) has embedding degree k
  p         Prime                         p | #E(F_q)
  G1        Cyclic group                  Subgroup of E(F_q), G1 = 〈P〉
  GT        Cyclic group                  Subgroup of F*_(q^k), GT = 〈ê(P, P)〉
  ê         Pairing                       ê: G1 × G1 → GT
  n         Positive integer              Length of plaintext (in bits)
  P         Point on elliptic curve       P ∈ G1
  sP        Point on elliptic curve       sP ∈ G1
  H1        Cryptographic hash function   H1: {0,1}* → Z_p
  H2        Cryptographic hash function   H2: GT → {0,1}^n
  v         Element of F*_(q^k)           v = ê(P, P)

Table 10.2 Master Secret for Sakai-Kasahara IBE Scheme (Basic Scheme—Additive Notation)

  Element   Type      Comments
  s         Integer   s ∈ Z_p

There are dependencies among the elements of Table 10.1. The values of p, q, and E, for example, are implicit in the definition of the group G1. Because of this it is possible to reduce the number of required public parameters to a much shorter list, and we can define the public parameters of a Sakai-Kasahara IBE scheme (basic scheme) to be

  BB1BasicParamsAdditive = (G1, GT, ê, n, P, sP, H1, H2, v)

without introducing any ambiguity.

10.1.2 Extraction of the Private Key (Basic Scheme—Additive Notation)

Once the public parameters listed in Table 10.1 and the master secret listed in Table 10.2 are determined, the private key associated with the identity ID is calculated by mapping the identity to an integer qID ∈ Z_p by calculating qID = H1(ID). The master secret s is then used to calculate the private key

  DID = (1 / (s + qID)) P

where the value of 1 / (s + qID) is calculated in Z*_p. This is summarized in Table 10.3.

Table 10.3 Private Key for Sakai-Kasahara IBE Scheme (Basic Scheme—Additive Notation)

  Element                   Comments
  DID = (1 / (s + qID)) P   Private key corresponding to identity ID, qID = H1(ID)

10.1.3 Encrypting with Sakai-Kasahara IBE (Basic Scheme—Additive Notation)

To encrypt the message M ∈ {0,1}^n to the recipient with identity ID, the sender performs the following steps.

1. Calculate qID = H1(ID).
2. Select a random r ∈ Z_p.
3. Calculate U = r(sP + qID P) = r(s + qID)P.
4. Calculate k = H2(v^r).
5. Calculate V = M ⊕ k.
6. Set the ciphertext to C = (U, V).

10.1.4 Decrypting with Sakai-Kasahara IBE (Basic Scheme—Additive Notation)

When the recipient receives the ciphertext C = (U, V) he performs the following steps.

1. Calculate k = H2(ê(U, DID)).
2. Calculate M = V ⊕ k.

Note that

  ê(U, DID) = ê(r(s + qID)P, (1 / (s + qID))P) = ê(P, P)^r = v^r

so that step 5 of Section 10.1.3 and step 1 of Section 10.1.4 calculate the same value of k, which allows the recipient to decrypt the ciphertext correctly.

Example 10.1

(i) The hash functions H1 and H2 can be constructed similarly to those described in Examples 9.1 (i) and 9.1 (ii).

(ii) Suppose that Alice wants to use Sakai-Kasahara IBE to encrypt a message to Bob. Suppose that E is the elliptic curve E/F_131: y^2 = x^3 + 1, and let G1 be the subgroup of order 11 of E(F_131) with generator P = (98, 58). Let GT be a subgroup of F*_(131^2) generated by v = ê(P, P) = 28 + 93i, where F_(131^2)
is represented by F_131[i] with i^2 = −1 ≡ 130 (mod 131). (See Table 10.4.) Let ê: G1 × G1 → GT be the reduced modified Tate pairing, where e: G1 × G1 → GT is the Tate pairing and ê(P, Q) = e(P, φ(Q))^1560, φ being the distortion map given by φ(x, y) = (ζx, y) with ζ = 65 + 112i. Let s = 7 be the master secret, giving the additional parameter sP = (33, 100). Suppose that for Bob's identity we have that qID = 6.

Table 10.4 Summary of Parameters Used in Example 10.1 (ii)

  Parameter   Type                      Value           Comments
  E/F_131     Elliptic curve            y^2 = x^3 + 1
  P           Point on elliptic curve   (98, 58)        Point of order 11
  sP          Point on elliptic curve   (33, 100)       Point of order 11
  v           Element of F*_(131^2)     28 + 93i        v = ê(P, P)
  qID         Integer                   6
  s           Integer                   7
  DID         Point on elliptic curve   (34, 108)       Bob's private key

To calculate Bob's private key, the PKG calculates

  DID = (1 / (s + qID)) P = (1 / 13) P ≡ (1 / 2) P (mod 11) = 2^(−1) (mod 11) P = 6P = (34, 108).

Suppose that Alice wants to encrypt the short message M to Bob using this IBE scheme. To do this she picks a random r, say r = 5. She first calculates

  U = r(sP + qID P) = 5((33, 100) + 6(98, 58)) = 5((33, 100) + (34, 108)) = (98, 73)

and v^r = v^5 = (28 + 93i)^5 = 39 + 24i, so that Alice finds that k = H2(39 + 24i), which she then uses to calculate the ciphertext component

  V = M ⊕ k = M ⊕ H2(39 + 24i).

Alice then sends the ciphertext (U, V) to Bob.

Bob receives the ciphertext C = (U, V) and calculates

  ê(U, DID) = ê((98, 73), (34, 108)) = 39 + 24i
from which he calculates k = H2(39 + 24i), which he then XORs with the ciphertext component V to recover the plaintext message, finding that

  V ⊕ k = (M ⊕ k) ⊕ k = M.

(iii) If we want to use a pairing ê: G1 × G2 → GT then we will need to add an additional parameter Q where G2 = 〈Q〉 and then calculate DID as DID = (1 / (s + qID)) Q and v as v = ê(P, Q).

10.2 Sakai-Kasahara IBE (Basic Scheme—Multiplicative Notation)

The Sakai-Kasahara basic scheme uses a shared secret that can be calculated by both the sender and receiver of a message to encrypt a plaintext message; the sender of the message calculates the shared secret from public parameters and the recipient's identity, while the recipient calculates the shared secret from their private key and the ciphertext. While it is easier to understand than the full Sakai-Kasahara IBE scheme, it also is not as secure. The fully secure and more complicated scheme is described in Section 10.3.

The following description of the Sakai-Kasahara algorithm uses the multiplicative notation that is commonly used in the literature of pairing-based cryptography, so that if g1 and g2 are elements of an elliptic curve group E(F_q) then we will write g1g2 to indicate the group operation of E(F_q) applied to the group's elements g1 and g2, and g^a to indicate multiplying the point g by the integer a.

10.2.1 Setup of Parameters (Basic Scheme—Multiplicative Notation)

To implement Sakai-Kasahara IBE we first need a security parameter that defines the level of bit strength that the encryption will provide. Then we need to define groups G1 and GT and a pairing ê: G1 × G1 → GT. To do this we pick an elliptic curve E/F_q with embedding degree k, and a prime p such that p | #E(F_q). The security parameter will define the size of the groups G1 and GT as described in Section 5.4. We then randomly pick a point g ∈ E(F_q)[p] and let G1 = 〈g〉 and GT = 〈ê(g, g)〉, which are cyclic groups of order p. We need a cryptographic hash function H1: {0,1}* → Z_p to map strings representing identities to integers. To encrypt a message of n bits using Sakai-Kasahara IBE we also need
another cryptographic hash function H2: GT → {0,1}^n that hashes elements of GT into a form that we can combine with the plaintext message, which is a bit string of length n. An integer s ∈ Z_p is the master secret. These elements form the public parameters and master secret as shown in Table 10.5 and Table 10.6.

Table 10.5 Parameters of Sakai-Kasahara IBE Scheme (Basic Scheme—Multiplicative Notation)

  Element   Type                          Comments
  q         Prime power                   Order of finite field F_q
  E/F_q     Elliptic curve                E(F_q) has embedding degree k
  p         Prime                         p | #E(F_q)
  G1        Cyclic group                  Subgroup of E(F_q), G1 = 〈g〉
  GT        Cyclic group                  Subgroup of F*_(q^k), GT = 〈ê(g, g)〉
  ê         Pairing                       ê: G1 × G1 → GT
  n         Positive integer              Length of plaintext (in bits)
  g         Point on elliptic curve       g ∈ G1
  g^s       Point on elliptic curve       g^s ∈ G1
  H1        Cryptographic hash function   H1: {0,1}* → Z_p
  H2        Cryptographic hash function   H2: GT → {0,1}^n
  v         Element of F*_(q^k)           v = ê(g, g)

Table 10.6 Master Secret for Sakai-Kasahara IBE Scheme (Basic Scheme—Multiplicative Notation)

  Element   Type      Comments
  s         Integer   s ∈ Z_p

There are dependencies among the elements of Table 10.1. The values of p, q, and E, for example, are implicit in the definition of the group G1. Because of this it is possible to reduce the number of required public parameters to a much shorter list, and we can define the public parameters of a Sakai-Kasahara IBE scheme (basic scheme) to be

  SKBasicParamsMultiplicative = (G1, GT, ê, n, g, g^s, H1, H2, v)

without introducing any ambiguity.

10.2.2 Extraction of the Private Key (Basic Scheme—Multiplicative Notation)

Once the public parameters listed in Table 10.1 and the master secret listed in Table 10.2 are determined, the private key associated with the identity ID is
calculated by mapping the identity to an integer qID ∈ Z_p by calculating qID = H1(ID). The master secret s is then used to calculate the private key

  dID = g^(1 / (s + qID)).

This is summarized in Table 10.7.

Table 10.7 Private Key for Sakai-Kasahara IBE Scheme (Basic Scheme—Multiplicative Notation)

  Element                   Comments
  dID = g^(1 / (s + qID))   Private key corresponding to identity ID, qID = H1(ID)

10.2.3 Encrypting with Sakai-Kasahara IBE (Basic Scheme—Multiplicative Notation)

To encrypt the message M ∈ {0,1}^n to the recipient with identity ID, the sender performs the following steps.

1. Calculate qID = H1(ID).
2. Select a random r ∈ Z_p.
3. Calculate U = (g^s g^qID)^r = g^(r(s + qID)).
4. Calculate K = H2(v^r).
5. Calculate V = M ⊕ K.
6. Set the ciphertext to C = (U, V).

10.2.4 Decrypting with Sakai-Kasahara IBE (Basic Scheme—Multiplicative Notation)

When the recipient receives the ciphertext C = (U, V), he performs the following steps.

1. Calculate K = H2(ê(U, dID)).
2. Calculate M = V ⊕ K.

Note that

  ê(U, dID) = ê(g^(r(s + qID)), g^(1 / (s + qID))) = ê(g, g)^r

so that step 5 of Section 10.2.3 and step 1 of Section 10.2.4 calculate the same value of K, which allows the recipient to decrypt the ciphertext correctly.

10.3 Sakai-Kasahara IBE (Full Scheme)

The basic scheme is also vulnerable to a chosen-ciphertext attack: if an adversary wants to decrypt the ciphertext C = (U, V) which corresponds to the plaintext message M, he can do this by decrypting the ciphertext C = (U, V ⊕ δ) to get the plaintext message M ⊕ δ and then recover M as M = (M ⊕ δ) ⊕ δ. The Fujisaki-Okamoto transform can easily eliminate this vulnerability. Adding the Fujisaki-Okamoto transform to the basic scheme gives the full scheme that is described next. The full Sakai-Kasahara scheme is resistant to chosen-ciphertext attacks, and is typically described using the multiplicative notation that was used in Section 10.2, a convention that we follow here.

10.3.1 Setup of Parameters (Full Scheme)

In addition to the parameters listed in Table 10.1, we also need additional hash functions to add chosen-ciphertext security. In particular, we need two hash functions H3: {0,1}^n → Z_p and H4: {0,1}^n → {0,1}^n. Adding these hash functions brings the list of public parameters for the full scheme to the public parameters that are listed in Table 10.8. The master secret is unchanged from the
basic scheme, and is shown in Table 10.9.

There are dependencies among the elements of Table 10.8. The values of p, q, and E, for example, are implicit in the definition of the group G1. Because of this it is possible to reduce the number of required public parameters to a much shorter list, and we can define the public parameters of a Sakai-Kasahara IBE scheme to be

  SKParams = (G1, GT, ê, n, g, g^s, H1, H2, H3, H4, v)

without introducing any ambiguity.

10.3.2 Extraction of the Private Key (Full Scheme)

The extraction of a private key for the full scheme is identical to the extraction of a private key for the basic scheme. This is summarized in Table 10.10.

Table 10.8 Parameters of Sakai-Kasahara IBE Scheme (Full Scheme)

  Element   Type                          Comments
  q         Prime power                   Order of finite field F_q
  E/F_q     Elliptic curve                E(F_q) has embedding degree k
  p         Prime                         p | #E(F_q)
  G1        Cyclic group                  Subgroup of E(F_q), G1 = 〈g〉
  GT        Cyclic group                  Subgroup of F*_(q^k), GT = 〈ê(g, g)〉
  ê         Pairing                       ê: G1 × G1 → GT
  n         Positive integer              Length of plaintext (in bits)
  g         Point on elliptic curve       g ∈ G1
  g^s       Point on elliptic curve       g^s ∈ G1
  H1        Cryptographic hash function   H1: {0,1}* → Z_p
  H2        Cryptographic hash function   H2: GT → {0,1}^n
  H3        Cryptographic hash function   H3: {0,1}^n → Z*_p
  H4        Cryptographic hash function   H4: {0,1}^n → {0,1}^n
  v         Element of F*_(q^k)           v = ê(g, g)

Table 10.9 Master Secret for Sakai-Kasahara IBE Scheme (Full Scheme)

  Element   Type      Comments
  s         Integer   s ∈ Z_p

Table 10.10 Private Key for Sakai-Kasahara IBE Scheme (Full Scheme)

  Element                   Comments
  dID = g^(1 / (s + qID))   Private key corresponding to identity ID, qID = H1(ID)

10.3.3 Encrypting with Sakai-Kasahara IBE (Full Scheme)

To encrypt the message M to the recipient with identity ID, the sender performs the following steps:

1. Calculate qID = H1(ID).
2. Select a random σ ∈ {0,1}^n.
3. Calculate r = H3(σ, M).
4. Calculate U = (g^s g^qID)^r = g^(r(s + qID)).
5. Calculate V = σ ⊕ H2(v^r).
6. Calculate V = M ⊕ H4(σ).
7. Calculate W = H4(M).
8. Set ciphertext to C = (U, V, W).

10.3.4 Decrypting with Sakai-Kasahara IBE (Full Scheme)

To decrypt the ciphertext C = (U, V, W), the recipient performs the following steps:

1. Calculate qID = H1(ID).
2. Calculate ρ = ê(U, dID).
3. Calculate σ = V ⊕ H2(ρ).
4. Calculate M = W ⊕ H4(σ).
5. Calculate r = H3(σ, M).
6. If U ≠ (g^qID g^s)^r then raise an error condition and exit.
7. Otherwise set the plaintext to M.

10.4 Security of the Sakai-Kasahara IBE Scheme

Note that an adversary observing a message that is encrypted with the Sakai-Kasahara IBE has access to g, g1 = g^α, g3 = g^γ, and v = ê(g, g)^(αβ) from the public parameters of the scheme. He also observes g^s and g1^(qID s) g3^s = g^(qID α s + γ s) = g^(s(qID α + γ)) from the ciphertext. From these values he wants to recover v^s = ê(g, g)^(αβs). He can accomplish this in at least two ways. First, he can calculate s from g^s by calculating a discrete logarithm in G1, and then calculating v^s with this result. He can also calculate αβ as the discrete logarithm of v = ê(g, g)^(αβ) in GT and then calculate v^s = (ê(g, g)^s)^(αβ) = ê(g, g)^(αβs) with this value. So an adversary who can calculate discrete logarithms in either G1 or GT can decrypt messages that are encrypted with the Sakai-Kasahara algorithm.

The q powers that are assumed in the q-BDHIP are not directly available to an adversary who intercepts an encrypted message, but are required in the proof of selective identity security, with the value of q indicating how many other private keys an attacker has access to. The paper that describes the version of the Sakai-Kasahara IBE algorithm discussed in this chapter [1] proved that an adversary able to decrypt a message that has been encrypted with Sakai-Kasahara IBE can use their decryption algorithm to solve the q-BDHIP. So, if we believe that the q-BDHIP is sufficiently difficult to solve then Sakai-Kasahara IBE must also be sufficiently difficult to decrypt. The basic Sakai-Kasahara scheme is resistant to chosen-plaintext attacks and adaptive chosen-identity attacks; the full Sakai-Kasahara scheme is resistant to chosen-ciphertext attacks and adaptive chosen-identity attacks.

10.5 Summary

The following summarizes the steps in the Sakai-Kasahara IBE algorithm (full scheme).

Algorithm 10.1: Sakai-Kasahara IBE Setup
INPUT: a security parameter, an elliptic curve E, a plaintext length n
OUTPUT: SKParams = (G1, GT, ê, n, g, g^s, H1, H2, H3, H4, v) and master secret s
1. Select a prime p and prime power q with p | #E(F_q) and such that the bit security level provided by p and q meets the required security parameter (using Table 5.2, for example). For best performance, p should be a Solinas prime.
2. Select a random g ∈ E(F_q)[p] and let G1 = 〈g〉.
3. Let k be the embedding degree of E/F_q; select a pairing ê: G1 × G1 → F*_(q^k).
4. Let GT = 〈ê(g, g)〉.
5. Select a random s ∈ Z*_p.
6. Select appropriate cryptographic hash functions H1: {0,1}* → Z_p, H2: GT → {0,1}^n, H3: {0,1}^n → Z*_p, and H4: {0,1}^n → {0,1}^n.
7. The master secret is s.
8. The public parameters are SKParams = (G1, GT, ê, n, g, g^s, H1, H2, H3, H4, v).

Algorithm 10.2: Sakai-Kasahara IBE Private Key Extraction
INPUT: A string ID representing an identity, a set of public parameters SKParams = (G1, GT, ê, n, g, g^s, H1, H2, H3, H4, v) and a master secret s
OUTPUT: A private key dID
1. Calculate dID = g^(1 / (s + qID)).

Algorithm 10.3: Sakai-Kasahara IBE Encryption
INPUT: A plaintext message M ∈ {0,1}^n, a string ID representing the identity of the recipient of the ciphertext, a set of public parameters SKParams = (G1, GT, ê, n, g, g^s, H1, H2, H3, H4, v)
OUTPUT: A ciphertext C = (U, V, W)
1. Calculate qID = H1(ID).
2. Select a random σ ∈ {0,1}^n.
3. Calculate r = H3(σ, M).
4. Calculate U = (g^s g^qID)^r = g^(r(s + qID)).
5. Calculate V = σ ⊕ H2(v^r).
6. Calculate V = M ⊕ H4(σ).
7. Calculate W = H4(M).
8. Set ciphertext to C = (U, V, W).

Algorithm 10.4: Sakai-Kasahara IBE Decryption
INPUT: A ciphertext C = (U, V, W), a set of public parameters SKParams = (G1, GT, ê, n, g, g^s, H1, H2, H3, H4, v), a private key dID
OUTPUT: A plaintext message M or an error condition
1. Calculate qID = H1(ID).
2. Calculate ρ = ê(U, dID).
3. Calculate σ = V ⊕ H2(ρ).
4. Calculate M = W ⊕ H4(σ).
5. Calculate r = H3(σ, M).
6. If U ≠ (g^qID g^s)^r, then raise an error condition and exit.
7. Otherwise set the plaintext to M.

Reference

[1] Chen, L., et al., "An Efficient ID-KEM Based on the Sakai-Kasahara Key Construction," IEE Proceedings Information Theory, Vol. 153, No. 1, 2006, pp. 19–26.

11 Hierarchical IBE and Master Secret Sharing

The IBE schemes discussed in Chapters 7 through 10 share a common property: they use a single PKG to generate all private keys. This has some undesirable side effects. In particular, it is impossible to create hierarchies of PKGs, in which a higher-level PKG can control the keys granted to all PKGs subordinate to it. It also creates a single point where an attacker can subvert the security of an IBE system by compromising an IBE master secret. Hierarchical IBE (HIBE) can address the first of these concerns, while sharing an IBE master secret among several different PKGs can address the second. The two concepts are very similar: in both cases all private keys are calculated using the master secret of more than one PKG.

The concept of an HIBE system was first described by Horwitz and Lynn [1]. HIBE allows for the creation of hierarchies of PKGs like the one shown in Figure 11.1, in which the operation of a PKG at a particular level depends on the operation of the PKGs above it in the hierarchy. This allows organizations to implement different security policies, while allowing upper levels of the hierarchy to enforce their security policy on all subordinate organizations. It can also enhance the security of a system using IBE because a compromise that affects part of a hierarchy will not necessarily affect other parts. Recovering from a compromise is also easier, because it is only necessary to recreate the affected parts of the hierarchy instead of the entire system.

An HIBE scheme is formally defined by five algorithms: root setup, lower-level setup, extract, encrypt, and decrypt. Root setup creates the parameters necessary for operation of the top level of the hierarchy while lower-level setup creates the additional parameters necessary for operation of each of the other levels and may need to be executed once for each lower level. Extract, encrypt, and decrypt have the same functions that they do in a single-level IBE system, although their operation at a particular level in a hierarchy may require parameters that are created by levels above them. Not all HIBE systems will require different algorithms for root setup and lower-level setup, in which case a single setup algorithm will be sufficient.

Figure 11.1 Hierarchical IBE system (root PKG; level 1 PKG and level 1 user; level 2 PKG and level 2 user).

In an HIBE scheme, a single user can have different identities for each level of the HIBE, so that for an HIBE scheme with a maximum of l levels, an identity can have the form ID = (ID1, ID2, ..., IDl), where each of the IDi are potentially different.

The first HIBE scheme that was devised and proven to be secure was invented by Gentry and Silverberg [2], and extended the Boneh-Franklin IBE scheme to arbitrary hierarchies. The Boneh-Boyen IBE scheme was actually first described as an HIBE system, and the version of the Boneh-Boyen IBE scheme described in Chapter 9 is actually a case of limiting the HIBE construction to a single level. More recent work [3] has shown that extensions of exponent-inversion IBE algorithms to HIBE constructions are also possible.

In an IBE system that uses master secret sharing, a single master secret is distributed among n PKGs which each return a component of a user's private
HierarchicalIBEandMasterSecretSharing193keycalledashare.Ausercanthencalculatehisprivatekeyfrominformationthathereceivesfromanytofthenpossibleshares,yetitisinfeasibletocalculatethesameprivatekeywithanyt−1shares.Mastersecretsharingalsomakesitinfeasibleforanyt−1PKGsthatmightcolludetoreconstructthemastersecret.ThisisillustratedbelowinFigure11.2.UseofmastersecretsharingmakesthecompromiseofoneormoreofthenPKGsmuchlessdamagingthanthecompromiseofalonesingle-levelPKGwouldbe.Withasingle-levelPKG,ifanattackercompromisesthesinglePKGthenhegainstheabilitytocreatearbitraryprivatekeys.Ifmastersecretsharingisused,anattackerwillneedtocompromiseanytofthenpossiblePKGsinordertogainthisability.11.1HIBEBasedonBoneh-FranklinIBESupposethatwehaveasingle-levelBoneh-FranklinIBEschemewithparametersBFBasicParams=(G1,GT,ˆe,n,P,s0P,H1,H2)asdefinedinSection8.1,andwithamastersecrets0whereweassumethat|G1|=p.Thefollowingsectionsdescribehowsuchaschemecanbeextendedtoanl-levelHIBEschemeusingthetechniquedescribedbyGentryandSilverberg(GS)[2].BecausesuchanHIBEschemewillbebasedonthebasicBoneh-Franklinscheme,itwillbevulnerabletochosen-ciphertextattacks,buttheextensionofwhatfollowstoasystemwithchosen-ciphertextsecuritycaneasilybeaccomplishedbyusingtheFujisaki-Okamototransform.ThesecurityoftheresultingHIBEsystemdependsPKG1PKG2PKGnShare1nShare2ShareAnyofsharestnPrivatekeyUserFigure11.2UseofmastersecretsharinginanIBEsystem. 
on the difficulty of the BDHP. An adversary capable of decrypting such a system can also solve the BDHP; for a proof of this, see [2]. Assuming the BDHP is hard, the basic GS scheme is resistant to chosen-plaintext attacks and adaptive chosen-identity attacks; the full GS scheme is resistant to chosen-ciphertext attacks and adaptive chosen-identity attacks. Note that the length of the ciphertext of the GS HIBE scheme increases as the number of levels increases.

11.1.1 GS HIBE (Basic) Root Setup

The parameters needed for the root PKG are the same as those needed for the single-level IBE system: $GSHIBEBasicParams = (G_1, G_T, \hat e, n, P, s_0 P, H_1, H_2)$ with a corresponding master secret $s_0$. The setup procedure for the Boneh-Franklin IBE (basic scheme) is also the root setup procedure for a GS HIBE system.

11.1.2 GS HIBE (Basic) Lower-Level Setup

Each lower-level PKG also has the parameters for the root PKG. The only additional parameter needed for each lower-level PKG is the master secret for its level. For level $t$ this parameter is $s_t$, where $s_t$ is a randomly chosen element of $\mathbb{Z}_p$.

11.1.3 GS HIBE (Basic) Extract

Suppose that a user has identity $ID = (ID_1, ID_2, \ldots, ID_k)$ in an $l$-level HIBE where $k \le l$, and let $Q_{ID_i} = H_1(ID_1, ID_2, \ldots, ID_i)$. Then the private key $K = (K_0, K_1, \ldots, K_{k-1})$ corresponding to this sequence of identities has $k$ components. The first component of the private key is calculated as

$$K_0 = \sum_{i=1}^{l} s_{i-1} Q_{ID_i}$$

and the remaining $k-1$ components are calculated as $K_i = s_i P$ for $1 \le i \le k-1$.

11.1.4 GS HIBE (Basic) Encrypt

Suppose that we want to encrypt the message $M$ to the identity $ID = (ID_1, ID_2, \ldots, ID_k)$ in an $l$-level HIBE where $k \le l$. Let $g = \hat e(s_0 P, Q_{ID_1})$. The sender picks a random $r$ in $\mathbb{Z}_p$ and then calculates the $k+1$ components of the ciphertext $C = (V, U_0, U_2, \ldots, U_k)$, which are given by the following:
$$V = M \oplus H_2(g^r), \qquad U_0 = rP, \qquad U_i = r\,Q_{ID_i} \text{ for each } 2 \le i \le k$$

11.1.5 GS HIBE (Basic) Decrypt

When the recipient receives the ciphertext $C = (V, U_0, U_2, \ldots, U_k)$ he recovers the message $M$ by calculating

$$V \oplus H_2\!\left(\frac{\hat e(U_0, K_0)}{\prod_{i=2}^{l} \hat e(K_{i-1}, U_i)}\right) = V \oplus H_2\!\left(\frac{\hat e\!\left(rP, \sum_{i=1}^{l} s_{i-1} Q_{ID_i}\right)}{\prod_{i=2}^{l} \hat e(s_{i-1} P, r Q_{ID_i})}\right)$$

$$= V \oplus H_2\!\left(\frac{\prod_{i=1}^{l} \hat e(rP, s_{i-1} Q_{ID_i})}{\prod_{i=2}^{l} \hat e(s_{i-1} P, r Q_{ID_i})}\right) = V \oplus H_2\!\left(\frac{\prod_{i=1}^{l} \hat e(P, Q_{ID_i})^{r s_{i-1}}}{\prod_{i=2}^{l} \hat e(P, Q_{ID_i})^{r s_{i-1}}}\right)$$

$$= V \oplus H_2\!\left(\hat e(P, Q_{ID_1})^{r s_0}\right) = V \oplus H_2(g^r) = M \oplus H_2(g^r) \oplus H_2(g^r) = M$$

11.2 Example of a GS HIBE System

The following example illustrates the operation of Gentry and Silverberg's HIBE system based on the Boneh-Franklin IBE. Suppose that the sender Alice wants to encrypt a message $M$ to Bob using an HIBE with three subordinate levels in which Bob's identity has components $ID_1$, $ID_2$, and $ID_3$ for which we have

$$Q_{ID_1} = H_1(ID_1) = (128, 57), \qquad Q_{ID_2} = H_1(ID_2) = (34, 108), \qquad Q_{ID_3} = H_1(ID_3) = (33, 100)$$

11.2.1 GS HIBE (Basic) Root Setup

The setup for the root PKG is accomplished by generating the parameters $GSHIBEBasicParams = (G_1, G_T, \hat e, n, P, s_0 P, H_1, H_2)$ with a corresponding master secret $s_0$. The parameters used in this example are listed in Table 11.1.

11.2.2 GS HIBE (Basic) Lower-Level Setup

The setup for each of the subordinate PKG levels is accomplished by generating the master secrets for each level. The values used in this example are listed below in Table 11.1.

11.2.3 GS HIBE (Basic) Extraction of Private Key

Bob's private key has three components that are calculated as

$$K_0 = \sum_{i=1}^{3} s_{i-1} Q_{ID_i} = s_0 Q_{ID_1} + s_1 Q_{ID_2} + s_2 Q_{ID_3} = 7(128, 57) + 3(34, 108) + 4(33, 100) = (113, 8) + (33, 100) + (128, 57) = (98, 58)$$

$$K_1 = s_1 P = 3(98, 58) = (113, 8)$$

$$K_2 = s_2 P = 4(98, 58) = (34, 23)$$

Table 11.1 Parameters Used in Example of GS HIBE

| Parameter | Value | Comments |
|---|---|---|
| $l$ | 3 | Number of subordinate levels in HIBE |
| $s_0$ | 7 | Root master secret |
| $s_1$ | 3 | Master secret for subordinate level 1 |
| $s_2$ | 4 | Master secret for subordinate level 2 |
| $P$ | (98, 58) | $G_1 = \langle P \rangle$, $G_T = \langle \hat e(P, P) \rangle$ |
| $s_0 P$ | (33, 100) | |
11.2.4 GS HIBE (Basic) Encryption

Suppose that Alice picks the random value $r = 6$ to use to encrypt the message $M$ to Bob. She then calculates

$$g = \hat e(s_0 P, Q_{ID_1}) = \hat e((33, 100), (128, 57)) = 85 + 80i$$

so that

$$g^r = (85 + 80i)^6 = 49 + 73i$$

Alice then calculates the four components of the ciphertext as

$$V = M \oplus H_2(g^r) = M \oplus H_2(49 + 73i)$$
$$U_0 = rP = 6(98, 58) = (34, 108)$$
$$U_2 = r Q_{ID_2} = 6(34, 108) = (113, 8)$$
$$U_3 = r Q_{ID_3} = 6(33, 100) = (128, 74)$$

11.2.5 GS HIBE (Basic) Decryption

After receiving the ciphertext $(V, U_0, U_2, U_3)$, Bob recovers the plaintext message $M$ by calculating

$$V \oplus H_2\!\left(\frac{\hat e(U_0, K_0)}{\prod_{i=2}^{3} \hat e(K_{i-1}, U_i)}\right) = V \oplus H_2\!\left(\frac{\hat e(U_0, K_0)}{\hat e(K_1, U_2)\,\hat e(K_2, U_3)}\right) = V \oplus H_2\!\left(\frac{39 + 104i}{(126 + 32i)(28 + 93i)}\right)$$

$$= V \oplus H_2(49 + 73i) = M \oplus H_2(49 + 73i) \oplus H_2(49 + 73i) = M$$

11.3 HIBE Based on Boneh-Boyen IBE

Two different notations are often used for the Boneh-Boyen IBE algorithm. In most academic publications the multiplicative notation is used, while in standards that define the implementation of pairing-based algorithms the additive notation that is commonly used for elliptic curve operations is used. This section uses only the additive notation, but converting to the multiplicative notation should not be unduly difficult.

Suppose that we have a single-level Boneh-Boyen IBE scheme with parameters $BB1BasicParamsAdditive = (G_1, G_T, \hat e, n, P, P_1, P_3, H_1, H_2, v)$ as defined in Section 9.1 and with a master secret, where we assume that $|G_1| = p$. The following sections describe how such a scheme can be extended to an $l$-level HIBE scheme using the technique described by Boneh, Boyen, and Goh (BBG) [4]. Because such an HIBE scheme will be based on the basic Boneh-Boyen scheme, it will be vulnerable to chosen-ciphertext attacks, but the extension of what follows to a scheme with chosen-ciphertext security can easily be accomplished by using the Fujisaki-Okamoto transform. The security of the resulting HIBE scheme depends on the difficulty of the BDHP. An adversary capable of decrypting such a system can also solve the BDHP; for a proof of this, see [5]. Assuming the BDHP is hard, the basic BBG scheme is resistant to chosen-plaintext attacks and adaptive chosen-identity attacks; the full BBG scheme is resistant to chosen-ciphertext attacks and adaptive chosen-identity attacks.

The Boneh-Boyen IBE scheme that was described in Chapter 9 was created by limiting an HIBE construction to a single level of PKG. This HIBE construction also had the property that the length of the ciphertext increased as the number of levels in the HIBE increased. The HIBE construction that follows is also based on the Boneh-Boyen IBE scheme, but has the additional property that the length of the ciphertext is constant, neither increasing nor decreasing as the number of levels in the HIBE changes.

11.3.1 BBG HIBE (Basic) Setup

Suppose that we have a single-level Boneh-Boyen IBE scheme with parameters $BB1BasicParamsAdditive = (G_1, G_T, \hat e, n, P, P_1, P_3, H_1, H_2, v)$. To extend this system to an HIBE scheme we need additional randomly generated parameters $Q_1, Q_2, \ldots, Q_l$ that are each elements of $G_1$. This brings the parameters for the HIBE scheme to $BBGHIBEBasicParamsAdditive = (G_1, G_T, \hat e, n, P, P_1, P_3, Q_1, Q_2, \ldots, Q_l, H_1, H_2, v)$.

11.3.2 BBG HIBE (Basic) Extract

To calculate the private key $D_{ID} = (D_1, D_2)$ for the identity $ID = (ID_1, ID_2, \ldots, ID_l)$, the root PKG randomly generates $r \in \mathbb{Z}_p$, calculates $q_{ID_i} = H_1(ID_i)$ for $1 \le i \le k$ and uses these values to calculate $D_1 = rP$ and

$$D_2 = P_2 + r \sum_{i=1}^{k} q_{ID_i} Q_i$$

11.3.3 BBG HIBE (Basic) Encryption

To encrypt the message $M$ to Bob, where Bob has the identity $ID = (ID_1, ID_2, \ldots, ID_k)$ for any $k \le l$, Alice picks a random $s \in \mathbb{Z}_p$ and calculates the ciphertext $c = (c_0, C_1, C_2)$ where $c_0 = M \oplus H_2(v^s)$, $C_1 = sP$ and

$$C_2 = s \sum_{i=1}^{k} q_{ID_i} Q_i$$

11.3.4 BBG HIBE (Basic) Decryption

To decrypt the ciphertext $c = (c_0, C_1, C_2)$ Bob calculates

$$c_0 \oplus H_2\!\left(\frac{\hat e(C_1, D_2)}{\hat e(D_1, C_2)}\right) = c_0 \oplus H_2\!\left(\frac{\hat e\!\left(sP,\; P_2 + r\left(\sum_{i=1}^{k} q_{ID_i} Q_i + P_3\right)\right)}{\hat e\!\left(rP,\; s\left(\sum_{i=1}^{k} q_{ID_i} Q_i + P_3\right)\right)}\right)$$

$$= c_0 \oplus H_2(\hat e(sP, P_2)) = c_0 \oplus H_2(\hat e(P, P_2)^s) = c_0 \oplus H_2(v^s) = M \oplus H_2(v^s) \oplus H_2(v^s) = M$$
11.4 Example of a BBG HIBE System

The following example illustrates the operation of an HIBE system based on the Boneh-Boyen IBE using a technique developed by Boneh, Boyen, and Goh. Suppose that the sender Alice wants to encrypt a message $M$ to Bob using a three-level HIBE in which Bob's identity has components $ID_1$, $ID_2$, and $ID_3$ for which we have

$$q_{ID_1} = H_1(ID_1) = 2, \qquad q_{ID_2} = H_1(ID_2) = 6, \qquad q_{ID_3} = H_1(ID_3) = 8$$

11.4.1 BBG HIBE (Basic) Setup

Suppose that we have a single-level Boneh-Boyen IBE system with parameters $BB1BasicParamsAdditive = (G_1, G_T, \hat e, n, P, P_1, P_3, H_1, H_2, v)$ and that we pick additional points $Q_1$, $Q_2$, and $Q_3$ to create the parameters for the BBG HIBE system with the parameters shown in Table 11.2.

11.4.2 BBG HIBE (Basic) Extraction of Private Key

Suppose the PKG picks the random value $r = 5$, from which it then determines the two components of Bob's private key $(D_1, D_2)$ that correspond to the identity $ID = (ID_1, ID_2, ID_3)$ by calculating

Table 11.2 Parameters Used in Example of BBG HIBE

| Parameter | Value | Comments |
|---|---|---|
| $l$ | 3 | Number of subordinate levels in HIBE |
| $P$ | (98, 58) | $G_1 = \langle P \rangle$, $G_T = \langle \hat e(P, P) \rangle$ |
| $P_1 = 7P$ | (33, 100) | |
| $P_2$ | (113, 123) | |
| $P_3$ | (98, 73) | |
| $Q_1$ | (33, 100) | |
| $Q_2$ | (33, 31) | |
| $Q_3$ | (127, 74) | |
| $v = \hat e(P_1, P_2)$ | $28 + 93i$ | |
$$D_1 = rP = 5(98, 58) = (34, 23)$$

and

$$D_2 = P_2 + r\left(q_{ID_1} Q_1 + q_{ID_2} Q_2 + q_{ID_3} Q_3 + P_3\right) = 7(113, 123) + 5\left[2(128, 57) + 6(33, 31) + 8(127, 74) + (98, 73)\right] = (98, 58)$$

11.4.3 BBG HIBE (Basic) Encryption

Suppose that Alice picks the random value $r = 5$, which she then uses to encrypt the message $M$ to Bob by calculating the three components of the ciphertext $(c_0, C_1, C_2)$ as

$$c_0 = M \oplus H_2(v^s) = M \oplus H_2(126 + 32i)$$
$$C_1 = sP = 9(98, 58) = (128, 74)$$
$$C_2 = s\left(q_{ID_1} Q_1 + q_{ID_2} Q_2 + q_{ID_3} Q_3 + P_3\right) = 9\left[2(128, 57) + 6(33, 31) + 8(127, 74) + (98, 73)\right] = O$$

11.4.4 BBG HIBE (Basic) Decryption

To decrypt the ciphertext $(c_0, C_1, C_2)$ Bob calculates

$$c_0 \oplus H_2\!\left(\frac{\hat e(C_1, D_2)}{\hat e(D_1, C_2)}\right) = c_0 \oplus H_2\!\left(\frac{126 + 32i}{1}\right) = M \oplus H_2(126 + 32i) \oplus H_2(126 + 32i) = M$$

11.5 Master Secret Sharing

Shamir's secret sharing [2] provides the basis for sharing an IBE master secret among $n$ PKGs, from which a user will need to receive $t$ shares to calculate his private key. This technique encodes a master secret as a coefficient of a polynomial of degree $t-1$. Each PKG has a point $(x_i, y_i)$ that satisfies this polynomial, so that a user with $t$ of these points can uniquely determine the coefficients of the polynomial and thus his private key, while any $t-1$ PKGs that collude will be unable to determine the same private key.

Suppose that a master PKG wants to create $n$ shares of a Boneh-Franklin master secret $s$ so that any $t$ of these shares can be used to determine an IBE private key. To do this, he picks $t-1$ random coefficients to determine the polynomial

$$f(x) = s + a_1 x + \cdots + a_{t-1} x^{t-1}$$

in which the master secret is used as the constant coefficient of the polynomial, so that $f(0) = s$. The master PKG then randomly generates $n$ values $x_i$ for $1 \le i \le n$ and distributes the pair $(x_i, y_i) = (x_i, f(x_i))$ to the $i$th PKG.

When a user requests a share of a private key from PKG number $i$ for identity $Q_{ID}$, the PKG responds with the pair $(x_i, y_i Q_{ID})$. From a set of $t$ such pairs a user can uniquely calculate his private key $s Q_{ID}$. He does this by determining the value of $s Q_{ID} = f(0) Q_{ID}$ using Lagrange interpolation. Because we have that

$$f(x) = \sum_i e_i(x)\, y_i$$

we have that

$$f(x)\, Q_{ID} = \sum_i e_i(x)\, y_i Q_{ID}$$

so that

$$s Q_{ID} = f(0)\, Q_{ID} = \sum_i e_i(0)\, y_i Q_{ID}$$

and thus a user who receives $t$ pairs of the form $(x_i, y_i Q_{ID})$ can calculate the Lagrange coefficients $e_i(0)$ and then use these to calculate his private key $s Q_{ID}$. Similar constructions are possible for other IBE algorithms.

11.6 Master Secret Sharing Example

Suppose that we have an IBE system that uses the Boneh-Franklin scheme in which we want a user to need any three components out of a possible five to calculate his private key $s Q_{ID}$, and that the master PKG has the master secret $s = 5$, which is encoded as the constant coefficient in the polynomial $f(x) = x^2 + 2x + 5$. To implement Shamir secret sharing among five PKGs, the master PKG can create and distribute the elements shown in Table 11.3, where each of the values of $x_i$ is chosen randomly.
Table 11.3 Setup for Shamir Secret Sharing for Three Out of Five PKGs

| PKG Number ($i$) | $x_i$ | $y_i = f(x_i)$ |
|---|---|---|
| 1 | 2 | 2 |
| 2 | 3 | 9 |
| 3 | 4 | 7 |
| 4 | 8 | 8 |
| 5 | 9 | 5 |

Suppose that our IBE scheme uses operations on the elliptic curve $E/\mathbb{F}_{131}: y^2 = x^3 + 1$ and that a user with identity $Q_{ID} = (98, 58)$ gets components from PKGs numbered one through three and wants to calculate his private key from the shared secrets that he receives. He will receive from the three PKGs that he has selected the components shown in Table 11.4. To calculate his private key as

$$s Q_{ID} = \sum_{i=1,2,3} e_i(0)\, y_i Q_{ID}$$

the user then needs to calculate the values of $e_i(0)$, which he finds by first calculating the Lagrange polynomials $e_i(x)$. He then finds that

$$e_1(x) = \frac{(x - x_2)(x - x_3)}{(x_1 - x_2)(x_1 - x_3)} = \frac{(x-3)(x-4)}{(2-3)(2-4)} \equiv 6(x-3)(x-4) \pmod{11}$$

so that

$$e_1(0) = 6(-3)(-4) \equiv 6 \pmod{11}$$

Table 11.4 Shares of Private Key Received by User

| PKG Number | $x_i$ | $y_i Q_{ID}$ |
|---|---|---|
| 1 | 2 | $2 Q_{ID} = 2(98, 58) = (128, 57)$ |
| 2 | 3 | $9 Q_{ID} = 9(98, 58) = (128, 74)$ |
| 3 | 4 | $7 Q_{ID} = 7(98, 58) = (33, 100)$ |

Similarly,

$$e_2(x) = \frac{(x - x_1)(x - x_3)}{(x_2 - x_1)(x_2 - x_3)} = \frac{(x-2)(x-4)}{(3-2)(3-4)} \equiv 10(x-2)(x-4) \pmod{11}$$

so that

$$e_2(0) = 10(-2)(-4) \equiv 3 \pmod{11}$$

and

$$e_3(x) = \frac{(x - x_1)(x - x_2)}{(x_3 - x_1)(x_3 - x_2)} = \frac{(x-2)(x-3)}{(4-2)(4-3)} \equiv 6(x-2)(x-3) \pmod{11}$$

so that

$$e_3(0) = 6(-2)(-3) \equiv 3 \pmod{11}$$

The user then calculates his private key as

$$s Q_{ID} = \sum_{i=1,2,3} e_i(0)\, y_i Q_{ID} = 6(128, 57) + 3(128, 74) + 3(33, 100) = (98, 58) + (34, 23) + (98, 73) = (34, 23)$$

which is equal to $s Q_{ID} = 5 Q_{ID} = 5(98, 58) = (34, 23)$. Any three shares of the master secret will also reconstruct the same private key $s Q_{ID}$. So the user will also be able to reconstruct the same value of $s Q_{ID}$ by using any three of the five PKGs listed in Table 11.3.

References

[1] Horwitz, J., and B. Lynn, "Toward Hierarchical Identity-Based Encryption," Proceedings of EUROCRYPT 2002, Amsterdam, the Netherlands, April 28–May 2, 2002, pp. 466–481.
[2] Gentry, C., and A. Silverberg, "Hierarchical ID-Based Cryptography," Proceedings of ASIACRYPT 2002, Queenstown, New Zealand, December 1–5, 2002, pp. 548–566.

[3] Boyen, X., "General Ad Hoc Encryption from Exponent Inversion IBE," Proceedings of EUROCRYPT 2007, Barcelona, Spain, May 20–24, 2007, pp. 394–411.

[4] Boneh, D., X. Boyen, and E. Goh, "Hierarchical Identity-Based Encryption with Constant Size Ciphertext," Proceedings of EUROCRYPT 2005, Aarhus, Denmark, May 22–26, pp. 440–456.

[5] Shamir, A., "How to Share a Secret," Communications of the ACM, Vol. 22, No. 1, 1979, pp. 612–613.

12 Calculating Pairings

With the one exception of the Cocks IBE scheme that is described in Chapter 7, the operation of all IBE schemes relies on the properties of a pairing. Calculating the value of a pairing is typically the most computationally expensive part of implementing such algorithms, and it may be necessary to carefully optimize the calculation of pairings to make them practical. This chapter discusses several aspects of this.

Some elliptic curves are suitable for implementing pairings while others are not. The curves that are suitable for such use are called "pairing-friendly" curves, and finding pairing-friendly ordinary curves is an active area of research. The structure of finite fields also provides some shortcuts that may be used to speed pairing calculations, because some factors become irrelevant after the final exponentiation that is used to make the Tate pairing unique. By carefully reusing intermediate results, it is possible to calculate the product of more than one pairing more efficiently than calculating each of the pairings separately, a fact that is particularly useful in the implementation of both HIBE systems and the Boneh-Boyen IBE scheme. Finally, an alternative to Miller's algorithm for calculating the Tate pairing that is not based on manipulating divisors is also discussed.

12.1 Pairing-Friendly Curves

As discussed in Chapter 3, a typical elliptic curve $E/\mathbb{F}_q$ provides a structure unsuitable for calculating a pairing because the embedding degree of subgroups of $E(\mathbb{F}_q)$ of large prime order is typically too high to make calculating a pairing practical. To provide a structure suitable for implementing pairing-based algorithms, we want the following properties:

1. The existence of a subgroup of $E(\mathbb{F}_q)$ of large prime order $p$.
2. A low embedding degree of $E(\mathbb{F}_q)$.

The first of these conditions is easy to define carefully: the desired security parameters of a system will determine the necessary order of $G_1$. Defining a low embedding degree requires the creation of a somewhat arbitrary threshold, however. Although an embedding degree $k < (\log q)^2$ is low enough to make the calculation of discrete logarithms in $\mathbb{F}_{q^k}$ efficient in a theoretical sense, a subgroup with such an embedding degree can still provide an impractical structure for implementing a pairing. A more practical requirement is that the embedding degree of $G_1$ with respect to $p$ is less than $(\log_2 p)/8$, where the constant $(\log_2 p)/8$ is chosen somewhat arbitrarily, although it attempts to reflect a rough consensus amongst implementers of pairing-based algorithms. This provides the motivation for the following definition.

Definition 12.1 An elliptic curve $E/\mathbb{F}_q$ is pairing-friendly if we have that

1. There is a subgroup of $E(\mathbb{F}_q)$ of a suitably large prime order $p$.
2. The embedding degree of $E(\mathbb{F}_q)$ with respect to $p$ is less than $(\log_2 p)/8$.

Note that if $E/\mathbb{F}_q$ is supersingular and $E(\mathbb{F}_q)$ has a subgroup of the necessary order then $E/\mathbb{F}_q$ is automatically pairing-friendly, because we must have $k \le 6$ for the embedding degree of $E(\mathbb{F}_q)$. Finding pairing-friendly ordinary curves, on the other hand, is an active area of research, but enough progress has been made to provide enough curves to allow the relatively efficient implementation of pairing-based cryptography at the most commonly used levels of bit strength. Among these alternatives, some choices are more efficient than others, however.

Existing techniques for generating pairing-friendly ordinary curves use a variant of the technique for generating elliptic curve groups of a known order that is called the complex multiplication (CM) algorithm, the details of which are beyond the scope of this book. Generating suitable elliptic curves using the CM algorithm [1] is based on the following property, in which the integer $D$ is the CM discriminant of the resulting curve and the integer $t$ represents its trace.

Property 12.1 (Atkin and Morain [2]) Let $q$ be an odd prime such that $4q = t^2 + Ds^2$ for integers $s$, $t$, and $D$. Then there is an elliptic curve $E/\mathbb{F}_q$ with $\#E(\mathbb{F}_q) = q + 1 - t$.

An elliptic curve can be constructed with these properties if and only if the following conditions hold [3], none of which pose a problem for generating ordinary curves for use in pairing-based algorithms.

1. $q$ is a prime or prime power.
2. $p$ is a prime.
3. $p$ divides $q + 1 - t$.
4. $p \mid (q^k - 1)$ but $p \nmid (q^i - 1)$ for $i < k$.

If $k > 1$ is the embedding degree of some group $G_1$ of order $p$, then we must have $p \nmid (q^d - 1)$ (otherwise the embedding degree would be no more than $d$), so that

$$p \;\Big|\; \sum_{i=0}^{k/d - 1} q^{id}$$

and thus

$$(q^d - 1) \;\Big|\; \frac{q^k - 1}{p}$$

or that

$$\frac{q^k - 1}{p} = m\,(q^d - 1)$$

for some integer $m$. Then we can appeal to Fermat's little theorem to find that factors of the form

$$x^{(q^k - 1)/p} = x^{(q^d - 1)m} = 1$$

reduce to the value of 1 after a final exponentiation, so that they can be dropped from some calculations without changing the final value.

Now $f_P'$ is a rational function with neither a zero nor a pole at the point $O$, so if the point $P$ has coordinates in $\mathbb{F}_q$ then $f_P'(O)$ does also. Thus, $f_P'(O)$ is a factor that will reduce to the value of 1 after a final exponentiation by $(q^k - 1)/p$, so we can omit it from calculations without introducing any error and we can calculate the reduced Tate pairing as

$$e(P, Q) = \left(f_P'(A_Q)\right)^{(q^k-1)/p} = f_P'\big((Q) - (O)\big)^{(q^k-1)/p} = \left(\frac{f_P'(Q)}{f_P'(O)}\right)^{(q^k-1)/p} = f_P'(Q)^{(q^k-1)/p}$$

Suppose that $R \in E(\mathbb{F}_q)$ with $R \notin \{O, -P, Q, Q - P\}$. Then $(P + R) - (R)$ is equivalent to $(P) - (O)$ because they differ by the divisor of some rational function, say
$$(P + R) - (R) = (P) - (O) + \mathrm{div}(g)$$

so that

$$\mathrm{div}(f_P') = p\big((P + R) - (R)\big) = p\big((P) - (O) + \mathrm{div}(g)\big) = \mathrm{div}(f_P) + p\,\mathrm{div}(g)$$

or that $f_P' = f_P\, g^p$. Since $Q$ is not a pole or zero of either $f_P'$ or $f_P$, we have $g(Q) \in \mathbb{F}_{q^k}^*$, so we can write

$$f_P'(Q)^{(q^k-1)/p} = f_P(Q)^{(q^k-1)/p}\, g(Q)^{q^k - 1} = f_P(Q)^{(q^k-1)/p}$$

because Fermat's little theorem guarantees that $g(Q)^{q^k - 1} = 1$.

So after the final exponentiation there is essentially no difference between $f_P'$ and $f_P$, and we can ignore any of the terms involving the random point $R$ in Miller's algorithm, giving the more efficient version of it that is defined by Algorithm 12.1, which uses the same notation as Algorithm 4.1.

Algorithm 12.1: SimplifiedTatePairing (simplified Miller's algorithm for computing the Tate pairing)

INPUT: Elliptic curve $E/\mathbb{F}_q$, $P \in E(\mathbb{F}_q)[n]$ with $n = \sum_{i=0}^{t} b_i 2^i$, $Q \in E(\mathbb{F}_{q^k})$
OUTPUT: $e(P, Q)$

1. $f \leftarrow 1$, $t \leftarrow \lfloor \log_2 n \rfloor$, $S \leftarrow P$
2. For $i \leftarrow t - 1$ down to 0
3. $\quad f \leftarrow f^2 \cdot u_{S,S}(Q) / v_{2S}(Q)$
4. $\quad S \leftarrow 2S$
5. $\quad$ If $b_i = 1$
6. $\qquad f \leftarrow f \cdot u_{S,P}(Q) / v_{S+P}(Q)$
7. $\qquad S \leftarrow S + P$
8. Return $f$

Example 12.1 Suppose that we have the elliptic curve $E/\mathbb{F}_{11}: y^2 = x^3 + x$. Let $P = (5, 8) \in E(\mathbb{F}_{11})[3]$ and let $Q = (4, 3i) \in E(\mathbb{F}_{11^2})$. Using (4.3) we find that $f_P(x, y) = y + 9x + 2$ where $\mathrm{div}(f_P) = 3(P) - 3(O)$, so that $f_P(Q) = 5 + 3i$, which gives

$$f_P(Q)^{(q^k-1)/p} = (5 + 3i)^{40} = 5 + 3i$$

for the reduced pairing.

12.2.2 Eliminating Extension Field Divisions

In some cases it is possible to replace the extension field divisions that happen in steps 3 and 6 of Algorithm 12.1. In the case where the embedding degree $k$ is even, it is possible to replace these divisions with a complex conjugation in a way that gives the correct result after the final exponentiation [10]. This can be very beneficial because inversions are typically very expensive operations in a large finite field. The basis for this is to consider the field $\mathbb{F}_{q^k}$ as an extension of degree 2 of $\mathbb{F}_{q^d}$ where $d = k/2$, so that elements of $\mathbb{F}_{q^k}$ can be represented as $a + ib$ where $a$ and $b$ are elements of $\mathbb{F}_{q^d}$. Expanding $(a + ib)^{q^d}$ as

$$(a + ib)^{q^d} = \sum_{k=0}^{q^d} \binom{q^d}{k} a^{q^d - k} (ib)^k$$

we see that most of the terms are equal to zero modulo $q$, so that we have $(a + ib)^{q^d} = a - ib$, and therefore, since $(a + ib)(a - ib)$ lies in $\mathbb{F}_{q^d}$ and so is eliminated by the exponent $q^d - 1$,

$$\left(\frac{1}{a + ib}\right)^{q^d - 1} = \left(\frac{(a + ib)^{q^d}}{(a + ib)^{q^d}(a + ib)}\right)^{q^d - 1} = \left(\frac{a - ib}{(a - ib)(a + ib)}\right)^{q^d - 1} = (a - ib)^{q^d - 1}$$
And since we can write the final exponentiation after a Tate pairing as

$$x^{(q^k - 1)/p} = \left(x^{q^d - 1}\right)^{\frac{q^k - 1}{p\,(q^d - 1)}}$$

we see that we can replace the extension field divisions in steps 3 and 6 by complex conjugation, which is equivalent to division in the extension field after the final exponentiation is applied. This suggests the modification to Miller's algorithm that is shown in Algorithm 12.2.

Algorithm 12.2: SimplifiedTatePairingConjugation (simplified Miller's algorithm for computing the Tate pairing, replacing extension field divisions with complex conjugation)

INPUT: Elliptic curve $E/\mathbb{F}_q$, $P \in E(\mathbb{F}_q)[n]$ with $n = \sum_{i=0}^{t} b_i 2^i$, $Q \in E(\mathbb{F}_{q^k})$
OUTPUT: $e(P, Q)$

1. $f \leftarrow 1$, $t \leftarrow \lfloor \log_2 n \rfloor$, $S \leftarrow P$
2. For $i \leftarrow t - 1$ down to 0
3. $\quad f \leftarrow f^2 \cdot u_{S,S}(Q) \cdot \overline{v_{2S}(Q)}$
4. $\quad S \leftarrow 2S$
5. $\quad$ If $b_i = 1$
6. $\qquad f \leftarrow f \cdot u_{S,P}(Q) \cdot \overline{v_{S+P}(Q)}$
7. $\qquad S \leftarrow S + P$
8. Return $f$

12.2.3 Denominator Elimination

In either the basic algorithm for the Tate pairing (Algorithm 4.1) or the more efficient version shown above (Algorithm 12.1), the denominators that appear in Miller's algorithm are all terms of the form $v_P(Q)$ for some point $P$, where $v_P(Q) = x_Q - x_P$. If the $x$-coordinates of both $P$ and $Q$ are elements of $\mathbb{F}_q$, then their difference is also an element of $\mathbb{F}_q$ and will be eliminated by a final exponentiation. If this happens, then the calculation of the Tate pairing can be further simplified to the version shown in Algorithm 12.3, which further simplifies Algorithm 12.1.

Algorithm 12.3: SimplifiedTatePairingWithDenomElim (simplified Miller's algorithm for computing the Tate pairing using denominator elimination)

INPUT: Elliptic curve $E/\mathbb{F}_q$, $P \in E(\mathbb{F}_q)[n]$ with $n = \sum_{i=0}^{t} b_i 2^i$, $Q \in E(\mathbb{F}_{q^k})$
OUTPUT: $e(P, Q)$
1. $f \leftarrow 1$, $t \leftarrow \lfloor \log_2 n \rfloor$, $S \leftarrow P$
2. For $i \leftarrow t - 1$ down to 0
3. $\quad f \leftarrow f^2 \cdot u_{S,S}(Q)$
4. $\quad S \leftarrow 2S$
5. $\quad$ If $b_i = 1$
6. $\qquad f \leftarrow f \cdot u_{S,P}(Q)$
7. $\qquad S \leftarrow S + P$
8. Return $f$

Unlike the elimination of the random component that produces Algorithm 12.1, denominator elimination only works in special cases, those in which we can guarantee that the $x$-coordinate of the input $Q$ is an element of $\mathbb{F}_q$. This will happen, for example, in the case where the supersingular curve $E/\mathbb{F}_q: y^2 = x^3 + x$ is used, and we calculate $\hat e(P, Q)$ by applying $e(P, \cdot)$, followed by the exponentiation by $(q^k - 1)/p$, to the image of $Q$ under the distortion map $(x, y) \mapsto (-x, iy)$. In this case the $x$-coordinate of the output of the distortion map is an element of $\mathbb{F}_q$, so denominator elimination can be used. In the case of the supersingular curve $E/\mathbb{F}_q: y^2 = x^3 + 1$, on the other hand, where the distortion map multiplies the $x$-coordinate by a nontrivial cube root of unity and leaves the $y$-coordinate unchanged, the $x$-coordinate of the output of the distortion map is not an element of $\mathbb{F}_q$, so denominator elimination cannot be used.

12.3 Calculating the Product of Pairings

Calculating the product of pairings can be useful in two important cases. Products of pairings are required in the implementation of many HIBE schemes, and because we can write

$$\frac{e(P_1, Q_1)}{e(P_2, Q_2)} = e(P_1, Q_1)\, e(P_2, -Q_2)$$

the same technique that allows the efficient calculation of the product of pairings can also be used to calculate the ratio of pairings, which is required in the Boneh-Boyen IBE scheme. To efficiently calculate the product of pairings of the form

$$\prod_{i=1}^{n} e(P_i, Q_i)$$
we assume that all of the values $P_i$ are elements of the same order. This guarantees that the loop index variable $i$ in Algorithm 12.1 is shared by each of the calculations of $e(P_i, Q_i)$, so that we can combine some of the operations that are required in the calculation of each of the separate pairings [9–11]. In particular, the accumulation steps that take place in steps 3 and 6 of Algorithm 12.1 can be combined into a single accumulation that returns the product of the pairings. Once this value is calculated, a single final exponentiation is then required. In an important special case, the computational efficiency gained by combining these operations makes calculating the ratio of two pairings, as is required in the Boneh-Boyen IBE algorithm, approximately 20% slower than calculating a single pairing instead of twice as slow.

Algorithm 12.4: ProductOfPairings (simplified Miller's algorithm for computing the product of Tate pairings)

INPUT: Elliptic curve $E/\mathbb{F}_q$, $P_1, P_2, \ldots, P_m \in E(\mathbb{F}_q)[n]$ with $n = \sum_{i=0}^{t} b_i 2^i$, $Q_1, Q_2, \ldots, Q_m \in E(\mathbb{F}_{q^k})$
OUTPUT: $\prod_{j=1}^{m} e(P_j, Q_j)$

1. $f \leftarrow 1$, $t \leftarrow \lfloor \log_2 n \rfloor$, $S_1 \leftarrow P_1$, $S_2 \leftarrow P_2$, ..., $S_m \leftarrow P_m$
2. For $i \leftarrow t - 1$ down to 0
3. $\quad f \leftarrow f^2 \cdot \prod_{j=1}^{m} u_{S_j,S_j}(Q_j) / v_{2S_j}(Q_j)$
4. $\quad S_1 \leftarrow 2S_1$, $S_2 \leftarrow 2S_2$, ..., $S_m \leftarrow 2S_m$
5. $\quad$ If $b_i = 1$
6. $\qquad f \leftarrow f \cdot \prod_{j=1}^{m} u_{S_j,P_j}(Q_j) / v_{S_j+P_j}(Q_j)$
7. $\qquad S_1 \leftarrow S_1 + P_1$, $S_2 \leftarrow S_2 + P_2$, ..., $S_m \leftarrow S_m + P_m$
8. Return $f$

12.4 The Shipsey-Stange Algorithm

Although most research to date on efficient implementations of the Tate pairing has focused on optimizing Miller's algorithm, an alternative to Miller's algorithm has recently been discovered that provides a way to
calculate the Tate pairing without requiring any manipulation of divisors. This algorithm is due to Katherine Stange [12], and uses the properties of elliptic nets to create an algorithm for calculating the Tate pairing. An elliptic net is a function that satisfies the following recursion

$$W(p+q+s)\,W(p-q)\,W(r+s)\,W(r) + W(q+r+s)\,W(q-r)\,W(p+s)\,W(p) + W(r+p+s)\,W(r-p)\,W(q+s)\,W(q) = 0$$

Elliptic nets are closely related to elliptic curves, and can be defined in terms of the same $\wp$ function that underlies an elliptic curve. Stange's remarkable result was that it is possible to calculate the Tate pairing for $P \in E(\mathbb{F}_q)[n]$ and $Q \in E(\mathbb{F}_{q^k})$ as

$$e(P, Q) = \frac{W(s + np + q)\, W(s)}{W(s + np)\, W(s + q)}$$

where all of the initial conditions of the elliptic net can be calculated from either the coefficients $a$ and $b$ of the elliptic curve $E/\mathbb{F}_q: y^2 = x^3 + ax + b$ or from the points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$. This can be done as follows. First calculate three constants $A$, $B$, and $C$ as

$$A = \frac{1}{x_P - x_Q} \tag{12.1}$$

$$B = \frac{1}{(2x_P - x_Q)(x_P - x_Q)^2 - (y_P + y_Q)^2} \tag{12.2}$$

$$C = \frac{1}{2 y_P} \tag{12.3}$$

Then determine the initial conditions of two sequences $\{c_i\}$ and $\{d_i\}$ as

$$c_{-2} = -2 y_P \tag{12.4}$$
$$c_{-1} = -1 \tag{12.5}$$
$$c_0 = 0 \tag{12.6}$$
$$c_1 = 1 \tag{12.7}$$
$$c_2 = 2 y_P \tag{12.8}$$
$$c_3 = 3x_P^4 + 6a x_P^2 + 12b x_P - a^2 \tag{12.9}$$
$$c_4 = 4 y_P\left(x_P^6 + 5a x_P^4 + 20b x_P^3 - 5a^2 x_P^2 - 4ab x_P - 8b^2 - a^3\right) \tag{12.10}$$

and

$$d_0 = 1 \tag{12.11}$$
$$d_1 = 1 \tag{12.12}$$
$$d_2 = (2x_P + x_Q) - \left(\frac{y_Q - y_P}{x_Q - x_P}\right)^2 \tag{12.13}$$

Additional terms of the sequences $\{c_i\}$ and $\{d_i\}$ can then be calculated using the recursions

$$c_{2k-1} = c_{k+1} c_{k-1}^3 - c_{k-2} c_k^3 \tag{12.14}$$
$$c_{2k} = C\, c_k\left(c_{k+2} c_{k-1}^2 - c_{k-2} c_{k+1}^2\right) \tag{12.15}$$

and

$$d_{2k-1} = d_{k+1} d_{k-1} c_{k-1}^2 - d_k^2 c_{k-2} c_k \tag{12.16}$$
$$d_{2k} = d_{k+1} d_{k-1} c_k^2 - d_k^2 c_{k-1} c_{k+1} \tag{12.17}$$
$$d_{2k+1} = A\left(d_{k+1} d_{k-1} c_{k+1}^2 - d_k^2 c_k c_{k+2}\right) \tag{12.18}$$
$$d_{2k+2} = B\left(d_{k+1} d_{k-1} c_{k+2}^2 - d_k^2 c_{k+1} c_{k+3}\right) \tag{12.19}$$

Once the values $c_{n+1}$ and $d_{n+1}$ have been calculated, it is then possible to calculate the value of the Tate pairing as

$$e(P, Q) = \frac{d_{n+1}}{c_{n+1}}$$

Example 12.2 Suppose that we have the elliptic curve $E/\mathbb{F}_{11}: y^2 = x^3 + x$. Let $P = (5, 8) \in E(\mathbb{F}_{11})[3]$, so that $x_P = 5$ and $y_P = 8$, and let $Q = (4, 3i) \in E(\mathbb{F}_{11^2})$, so that $x_Q = 4$ and $y_Q = 3i$. This gives the following constants:

$$A = 1, \qquad B = 9 + 6i, \qquad C = 9$$

and the following initial conditions for the elliptic net:

$$c_{-2} = 6, \quad c_{-1} = -1, \quad c_0 = 0, \quad c_1 = 1, \quad c_2 = 5, \quad c_3 = 0, \quad c_4 = 10$$
$$d_0 = 1, \quad d_1 = 1, \quad d_2 = 3 + 4i, \quad d_3 = 9 + i, \quad d_4 = 5 + 3i$$

Because the order of the point $P$ is so low, we can immediately calculate the value of

$$e(P, Q) = \frac{d_4}{c_4} = \frac{5 + 3i}{10} = 6 + 8i$$
which gives the value of

$$\hat e(P, Q) = (6 + 8i)^{(11^2 - 1)/3} = 5 + 3i$$

for the reduced pairing, the same result as found in Example 12.1.

Rachel Shipsey [13] invented a double-and-add technique for calculating the values of recursions like (12.14), (12.15), and (12.16) through (12.19). This technique gives the Shipsey-Stange algorithm for calculating the Tate pairing using elliptic nets, which is defined in Algorithm 12.5. The Shipsey-Stange algorithm is less efficient at calculating the Tate pairing than optimized versions of Miller's algorithm are, but future research may close this gap and make the algorithm more useful.

Algorithm 12.5: TateShipseyStange (Shipsey-Stange algorithm for the Tate pairing using elliptic nets)

INPUT: Elliptic curve $E/\mathbb{F}_q: y^2 = x^3 + ax + b$, $P \in E(\mathbb{F}_q)[n]$ with $n = \sum_{i=0}^{t} b_i 2^i$, $Q \in E(\mathbb{F}_{q^k})$
OUTPUT: $e(P, Q)$

1. $k \leftarrow 1$, $t \leftarrow \lfloor \log_2 n \rfloor$
2. Calculate $A$, $B$, $C$ using (12.1) through (12.3)
3. Calculate $c_{-2}, c_{-1}, \ldots, c_4$ using (12.4) through (12.10)
4. Calculate $d_0, d_1, d_2$ using (12.11) through (12.13)
5. For $i \leftarrow t - 1$ down to 0
6. $\quad$ If $b_i = 0$ then
7. $\qquad$ Calculate $c_{2k-3}, \ldots, c_{2k+4}$ using (12.14) and (12.15)
8. $\qquad$ Calculate $d_{2k-1}, d_{2k}, d_{2k+1}$ using (12.16) through (12.19)
9. $\qquad k \leftarrow 2k$
10. $\quad$ else
11. $\qquad$ Calculate $c_{2k-2}, \ldots, c_{2k+5}$ using (12.14) and (12.15)
12. $\qquad$ Calculate $d_{2k}, d_{2k+1}, d_{2k+2}$ using (12.16) through (12.19)
13. $\qquad k \leftarrow 2k + 1$
14. Return $d_{n+1} / c_{n+1}$

12.5 Precomputation

In many calculations of pairings, the value of $P$ in $\hat e(P, Q)$ is relatively fixed. In the Boneh-Franklin IBE system, for example, we need to calculate
$\hat e(sP, r Q_{ID})$, where $sP$ is part of the public parameters of the system and will rarely change. Because we calculate the value of the pairing as $e(P, Q) = f_P(Q)$, if the value of the point $P$ is fixed then the functions $u$ and $v$ that are used in calculating the value of the pairing, as in step 3 of Algorithm 12.1, are also fixed, so we can calculate the values needed to evaluate $u$ and $v$ once, saving significant computational effort. With the value of the point $P$ fixed, the order $n$ of the point $P$ is also fixed, so that the iteration on the binary expansion of $n$ is also fixed, and so the functions of $P$ that are calculated in the double-and-add iteration of the Tate pairing, like the values of $S$ that are calculated in steps 4 and 7 of Algorithm 12.1, are also fixed. Calculating these values once and reusing them will also save significant computational effort in evaluating the Tate pairing.

References

[1] IEEE Standard Number 1363-2000, "Standard Specifications for Public-Key Cryptography," 2000.

[2] Atkin, A., and F. Morain, "Elliptic Curves and Primality Proving," Mathematics of Computation, Vol. 61, No. 203, 1993, pp. 29–68.

[3] Lay, G., and H. Zimmer, "Constructing Elliptic Curves with Given Group Order over Large Finite Fields," Proceedings of the First International Symposium on Algorithmic Number Theory, Ithaca, NY, May 6–9, 1994, pp. 250–263.

[4] Miyaji, A., M. Nakabayashi, and S. Takano, "New Explicit Constructions of Elliptic Curve Traces for FR-Reduction," IEICE Transactions on Fundamentals, Vol. E84-A, No. 5, 2001, pp. 1234–1243.

[5] Freeman, D., "Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10," Proceedings of the 4th Algorithmic Number Theory Symposium, Leiden, the Netherlands, July 2–7, 2000, pp. 452–465.

[6] Barreto, P., and M. Naehrig, "Pairing-Friendly Elliptic Curves of Prime Order," Proceedings of the 12th Annual Workshop on Selected Areas in Cryptography, Kingston, Canada, August 11–23, 2005, pp. 319–331.

[7] Brezing, F., and A. Weng, "Elliptic Curves Suitable for Pairing-Based Cryptography," Designs, Codes and Cryptography, Vol. 37, No. 1, 2005, pp. 133–141.

[8] Barreto, P., B. Lynn, and M. Scott, "Constructing Elliptic Curves with Prescribed Embedding Degrees," Proceedings of the 3rd Conference on Security in Networks, Amalfi, Italy, September 12–13, 2002, pp. 263–273.

[9] Barreto, P., H. Kim, B. Lynn, and M. Scott, "Efficient Algorithms for Pairing-Based Cryptosystems," Proceedings of CRYPTO 2002, Santa Barbara, CA, August 18–22, 2002, pp. 23–36.

[10] Kobayashi, T., K. Aoki, and H. Imai, "Efficient Algorithms for the Tate Pairing," IEICE Transactions on Fundamentals, Vol. E89-A, No. 1, 2006, pp. 134–143.

[11] Scott, M., "Computing the Tate Pairing," Proceedings of the Cryptographers' Track at the RSA Conference 2005, San Jose, CA, February 13–17, 2005, pp. 293–304.

[12] Stange, K., "The Tate Pairing Via Elliptic Nets," Proceedings of the 1st International Conference on Pairing-Based Cryptography, Tokyo, Japan, July 2–4, 2007, pp. 329–384.

[13] Shipsey, R., "Elliptic Divisibility Sequences," Ph.D. thesis, University of London, 2000.

Appendix: Useful Test Data

Values Useful for Testing Pairing Calculations

The following values are provided to help test software that implements the Tate pairing. They can also be used to help manually calculate the encryption and decryption algorithms described in Chapters 8, 9, 10, and 11.

A.1 Points on $E/\mathbb{F}_{131}: y^2 = x^3 + 1$

For the elliptic curve $E/\mathbb{F}_{131}: y^2 = x^3 + 1$ and $P = (98, 58) \in E(\mathbb{F}_{131})[11]$, the map $(x, y) \mapsto ((65 + 112i)\,x,\; y)$ is a distortion map for finite points in $\langle P \rangle$. The elements of $\langle P \rangle$, the value of the distortion map at the points of $\langle P \rangle$, and the values $\hat e(P, P)^n$ are listed here, where $\hat e(P, Q)$ is $e(P, \cdot)$ applied to the image of $Q$ under the distortion map, the final exponent being $(131^2 - 1)/11 = 1560$.

| $n$ | $nP$ | Distortion map of $nP$ | $\hat e(P, P)^n$ |
|---|---|---|---|
| 1 | (98, 58) | (82 + 103i, 58) | 28 + 93i |
| 2 | (128, 57) | (67 + 57i, 57) | 126 + 99i |
| 3 | (113, 8) | (9 + 80i, 8) | 85 + 80i |
| 4 | (33, 31) | (49 + 28i, 31) | 49 + 58i |
| 5 | (34, 23) | (114 + 9i, 23) | 39 + 24i |
| 6 | (34, 108) | (114 + 9i, 108) | 39 + 107i |
| 7 | (33, 100) | (49 + 28i, 100) | 49 + 73i |
| 8 | (113, 123) | (9 + 80i, 123) | 85 + 51i |
| 9 | (128, 74) | (67 + 57i, 74) | 126 + 32i |
| 10 | (98, 73) | (82 + 103i, 73) | 28 + 38i |
| 11 | $O$ | $O$ | 1 |
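The following is an added worked example, not code from the book: it implements the three-of-five master secret sharing of Section 11.6 on the curve of Table A.1 and the simplified Tate pairing of Algorithm 12.1 on the curve of Example 12.1, so both worked calculations can be checked by machine. The field $\mathbb{F}_{q^2}$ is modelled as $\mathbb{F}_q(i)$ with $i^2 = -1$ (valid here because 11 and 131 are congruent to 3 mod 4); the class and function names are this example's own.

```python
class Fq2:
    """a + b*i in F_{q^2} = F_q(i), i^2 = -1; a field because 11 and 131 are 3 mod 4."""

    def __init__(self, q, a, b=0):
        self.q, self.a, self.b = q, a % q, b % q

    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)
    def __add__(self, o): return Fq2(self.q, self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fq2(self.q, self.a - o.a, self.b - o.b)
    def __neg__(self): return Fq2(self.q, -self.a, -self.b)
    def __mul__(self, o): return Fq2(self.q, self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __truediv__(self, o): return self * o.inverse()
    def __repr__(self): return f"{self.a}+{self.b}i"

    def inverse(self):
        # (a+bi)^-1 = (a-bi)/(a^2+b^2); the norm lies in F_q, so Fermat inverts it
        n_inv = pow(self.a * self.a + self.b * self.b, self.q - 2, self.q)
        return Fq2(self.q, self.a * n_inv, -self.b * n_inv)

    def __pow__(self, e):
        result, base = Fq2(self.q, 1), self
        while e:
            if e & 1: result = result * base
            base, e = base * base, e >> 1
        return result


class Curve:
    """y^2 = x^3 + a*x + b over F_{q^2}; points are (x, y) pairs of Fq2, O is None."""

    def __init__(self, q, a, b): self.q, self.a, self.b = q, a, b
    def el(self, a, b=0): return Fq2(self.q, a, b)

    def slope(self, P, T):
        """Slope of the line through P and T (the tangent if P == T); None if vertical."""
        if P[0] != T[0]: return (T[1] - P[1]) / (T[0] - P[0])
        if P[1] == -T[1]: return None
        return (self.el(3) * P[0] * P[0] + self.el(self.a)) / (self.el(2) * P[1])

    def add(self, P, T):
        if P is None or T is None: return T if P is None else P
        lam = self.slope(P, T)
        if lam is None: return None                     # P + (-P) = O
        x3 = lam * lam - P[0] - T[0]
        return (x3, lam * (P[0] - x3) - P[1])

    def mul(self, k, P):
        """Double-and-add scalar multiplication k*P."""
        R = None
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1": R = self.add(R, P)
        return R

    def u(self, S, T, Q):
        """u_{S,T}(Q): the line through S and T evaluated at Q (vertical if T = -S)."""
        lam = self.slope(S, T)
        return Q[0] - S[0] if lam is None else Q[1] - S[1] - lam * (Q[0] - S[0])

    def v(self, R, Q):
        """v_R(Q): the vertical line through R evaluated at Q, with v_O = 1."""
        return self.el(1) if R is None else Q[0] - R[0]

    def tate(self, P, Q, n):
        """Algorithm 12.1: Miller's loop without the random point R, then the final
        exponentiation by (q^k - 1)/n for embedding degree k = 2."""
        f, S = self.el(1), P
        for bit in bin(n)[3:]:                          # bits t-1 down to 0
            f = f * f * self.u(S, S, Q) / self.v(self.add(S, S), Q)
            S = self.add(S, S)
            if bit == "1":
                f = f * self.u(S, P, Q) / self.v(self.add(S, P), Q)
                S = self.add(S, P)
        assert S is None, "P does not have order n"
        return f ** ((self.q ** 2 - 1) // n)


def lagrange_at_zero(xs, m):
    """e_i(0) = prod_{j != i} (0 - x_j)/(x_i - x_j) mod m, the order of <Q_ID>."""
    def e_i(xi):
        num, den = 1, 1
        for xj in xs:
            if xj != xi: num, den = num * -xj % m, den * (xi - xj) % m
        return num * pow(den, -1, m) % m
    return [e_i(xi) for xi in xs]

def make_shares(poly, xs, m):
    """Master PKG: (x_i, f(x_i)) for f given by coefficients [s, a_1, ..., a_{t-1}]."""
    return [(x, sum(c * pow(x, k, m) for k, c in enumerate(poly)) % m) for x in xs]

def reconstruct_key(curve, Q_ID, shares, m):
    """User: sum_i e_i(0) * (y_i Q_ID), where y_i Q_ID is the point PKG i returns."""
    key = None
    for e_i, (_, y_i) in zip(lagrange_at_zero([x for x, _ in shares], m), shares):
        key = curve.add(key, curve.mul(e_i, curve.mul(y_i, Q_ID)))
    return key

E131 = Curve(131, 0, 1)                                   # E/F_131: y^2 = x^3 + 1 (Table A.1)
Q_ID = (E131.el(98), E131.el(58))                         # Q_ID = P = (98, 58), order 11
SHARES = make_shares([5, 2, 1], [2, 3, 4, 8, 9], 11)      # f(x) = x^2 + 2x + 5, Table 11.3
E11 = Curve(11, 1, 0)                                     # E/F_11: y^2 = x^3 + x (Example 12.1)
P11, Q11 = (E11.el(5), E11.el(8)), (E11.el(4), E11.el(0, 3))   # P of order 3, Q = (4, 3i)
```

`reconstruct_key(E131, Q_ID, SHARES[:3], 11)` returns the private key $(34, 23)$ of Section 11.6, and `E11.tate(P11, Q11, 3)` returns the reduced pairing $5 + 3i$ of Example 12.1.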
A.2 Points on E/F_131: y² = x³ + x

For the elliptic curve E/F_131: y² = x³ + x and P = (55, 45) ∈ E(F_131)[11], we have that φ(x, y) = (130x, iy) is a distortion map for finite points in ⟨P⟩. The elements of ⟨P⟩, the value of the distortion map at the points of ⟨P⟩, as well as the values ê(P, nP), where ê(P, Q) = e(P, φ(Q))^1560, are listed here.

n     nP           φ(nP)          ê(P, nP)
1     (55, 45)     (76, 45i)      126+32i
2     (60, 33)     (71, 33i)      49+73i
3     (27, 45)     (104, 45i)     39+24i
4     (49, 86)     (82, 86i)      85+80i
5     (121, 13)    (10, 13i)      28+93i
6     (121, 118)   (10, 118i)     28+38i
7     (49, 45)     (82, 45i)      85+51i
8     (27, 86)     (104, 86i)     39+107i
9     (60, 98)     (71, 98i)      49+58i
10    (55, 86)     (76, 86i)      126+99i
11    O            O              1

A.3 Rational Functions of Divisors for E/F_11: y² = x³ + 1

For the elliptic curve E/F_11: y² = x³ + 1 we have that #E(F_11) = 12. Each of the finite elements of E(F_11) is listed next along with the rational function f_P(x, y) such that div(n(P) − n(O)) = div(f_P(x, y)) for a point P of order n.

Point      Order   f_P(x, y)
(9, 2)     12      (y+3x+3)²(y+4x+6)⁴(y+8x+3)⁴ / ((x+1)(x+6)⁴(x+9)⁴)
(2, 8)     6       (y+x+1)²(y+2x+10)² / (x²(x+1))
(5, 4)     4       (y+3x+3)² / (x+1)
(0, 10)    3       y+1
(7, 6)     12      (y+3x+3)²(y+6x+7)⁴(y+7x)⁴ / ((x+1)(x+6)⁴(x+9)⁴)
(10, 0)    2       x+1
(7, 5)     12      (y+4x)⁴(y+5x+4)⁴(y+8x+8)² / ((x+1)(x+6)⁴(x+9)⁴)
(0, 1)     3       y+10
(5, 7)     4       (y+8x+8)² / (x+1)
(2, 3)     6       (y+9x+1)²(y+10x+10)² / (x²(x+1))
(9, 9)     12      (y+8x+8)²(y+7x+5)⁴(y+3x+8)⁴ / ((x+1)(x+6)⁴(x+9)⁴)

A.4 Rational Functions of Divisors for Selected Points on E/F_11: y² = x³ + x

For the elliptic curve E/F_11: y² = x³ + x we have that #E(F_11) = 12. Each of the finite elements of E(F_11) is listed next along with the rational function f_P(x, y) such that div(n(P) − n(O)) = div(f_P(x, y)) for a point P of order n.

Point      Order   f_P(x, y)
(7, 8)     12      (y+8x)²(y+9x+6)⁴(y+10x+10)⁴ / (x(x+1)⁴(x+2)⁴)
(9, 1)     6       (y+6x)²(y+10x+8)² / (x(x+6)²)
(10, 8)    4       (y+8x)² / x
(5, 3)     3       y+2x+9
(8, 6)     12      (y+8x)²(y+7x+4)⁴(y+5x+9)⁴ / (x(x+1)⁴(x+2)⁴)
(0, 0)     2       x
(8, 5)     12      (y+3x)²(y+4x+7)⁴(y+6x+2)⁴ / (x(x+1)⁴(x+2)⁴)
(5, 8)     3       y+9x+2
(10, 3)    4       (y+3x)² / x
(9, 10)    6       (y+5x)²(y+x+3)² / (x(x+6)²)
(7, 3)     12      (y+3x)²(y+2x+5)⁴(y+x+1)⁴ / (x(x+1)⁴(x+2)⁴)

A.5 Rational Functions of Divisors for Selected Points on E/F_131: y² = x³ + 1

For the elliptic curve E/F_131: y² = x³ + 1 we have that #E(F_131) = 132. Each of the finite elements of E(F_131)[11] is listed next along with the rational function f_P(x, y) such that div(n(P) − n(O)) = div(f_P(x, y)) for a point of order n.

P = (98, 58) ∈ E(F_131)[11]

Point        f_P(x, y)
(98, 58)     (y+54x+21)²(y+67x+57)(y+113x+3)⁴(y+17x+125)² / ((x+3)⁴(x+97)²(x+98)²)
(128, 57)    (y+18x+128)(y+83x+61)²(y+110x+7)²(y+17x+125)⁴ / ((x+18)²(x+33)²(x+98)⁴)
(113, 8)     (y+110x+7)(y+47x+52)²(y+64x+74)²(y+103x+12)⁴ / ((x+33)²(x+97)⁴(x+98)²)
(33, 31)     (y+114x+6)(y+8x+98)²(y+28x+119)²(y+110x+7)⁴ / ((x+3)²(x+97)²(x+18)⁴)
(34, 23)     (y+103x+12)(y+12x+93)²(y+18x+128)²(y+67x+57)⁴ / ((x+3)²(x+18)²(x+33)⁴)
(34, 108)    (y+28x+119)(y+113x+3)²(y+119x+38)²(y+64x+74)⁴ / ((x+3)²(x+18)²(x+33)⁴)
(33, 100)    (y+17x+125)(y+123x+33)²(y+103x+12)²(y+21x+124)⁴ / ((x+3)²(x+97)²(x+18)⁴)
(113, 123)   (y+21x+124)(y+84x+79)²(y+67x+57)²(y+28x+119)⁴ / ((x+33)²(x+97)⁴(x+98)²)
(128, 74)    (y+113x+3)(y+48x+70)²(y+21x+124)²(y+114x+6)⁴ / ((x+18)²(x+33)²(x+98)⁴)
(98, 73)     (y+64x+74)(y+77x+110)²(y+114x+6)²(y+18x+128)⁴ / ((x+3)⁴(x+97)²(x+98)²)

About the Author

Luther Martin is a security architect at Voltage Security in Palo Alto, California. He has published numerous articles on the topics of information security and risk management, is the technical editor of the IEEE P1363.3 standard for identity-based encryption, and is the principal author of the IETF standards that define identity-based encryption algorithms and their use in encrypting e-mail. Mr. Martin holds an M.S. in mathematics from the University of Cincinnati and an M.S. in electrical engineering from The Johns Hopkins University.
Index

Adaptive chosen-ciphertext attack, 94
Adaptive chosen-identity attack, 94
Adaptive chosen-plaintext attack, 93
Bilinear, 81
Bilinear Diffie-Hellman problem, 107
BN curve, 209, 211
Boneh-Boyen IBE scheme, 147
Boneh-Boyen-Goh HIBE, 198
Boneh-Franklin IBE scheme, 147
BW curve, 209, 211
Characteristic (of a field), 31
Chinese remainder theorem, 17
Chosen-identity attack, 94
Chosen-plaintext attack, 93
Ciphertext, 92
Ciphertext-only attack, 93
Cobilinear Diffie-Hellman problems, 109
Cocks IBE scheme, 131
Complex multiplication, 79, 208
Computational Diffie-Hellman problem, 105
Decision bilinear Diffie-Hellman problem, 107
Decision Diffie-Hellman problem, 106
Decryption, 92
Degree (field extension), 33
Denominator elimination, 215
Diffie-Hellman key exchange, 124
Discrete logarithm, 29
Discriminant, 45
Disjoint support, 70
Distortion map, 62
Divisor, 15, 67, 69
Divisor, principal, 69
Easy calculation, 91
Efficient algorithm, 91
ElGamal encryption, 128
Elliptic curve, 41, 44
Elliptic curve, Diffie-Hellman, 125
Elliptic curve, ordinary, 57
Elliptic curve, singular, 113
Elliptic curve, supersingular, 57
Elliptic net, 218
Embedding degree, 58
Encryption, 92
Endomorphism, 29
Fermat's little theorem, 20
Field, 30
Final exponentiation, 78
Freeman curve, 209, 211
Fujisaki-Okamoto transform, 95
Gauss' algorithm, 18
General number field sieve, 99
Generator (of a group), 28
Gentry-Silverberg HIBE, 192, 193
Goldwasser-Micali encryption, 121
Group, 26
Group, Abelian, 26
Grover's algorithm, 116
Hard calculation, 91
Hash function, cryptographic, 92
Hasse's theorem, 57
Hierarchical IBE (HIBE), 191
Homomorphism (of fields), 31
Homomorphism (of groups), 29
Index calculus algorithm, 102
Integer factorization problem, 109
Isomorphism (of elliptic curves), 60
Isomorphism (of groups), 29
Isomorphism (of fields), 32
Jacobi symbol, 23
Jacobi symbol, computing, 24
J-invariant, 60
Joux's three-way key exchange, 126
Key, cryptographic, 92
Known-plaintext attack, 93
Lagrange interpolation, 18, 38, 202
Legendre symbol, 22
Linearly independent, 34
Logarithm, discrete, 29
Master secret sharing, 201
Miller's algorithm, 84
MNT curve, 209, 211
Negligible function, 91
Nondegenerate, 81
Order (field), 31
Order (group element), 26
Order (group), 28
Ordinary (elliptic curve), 57
Pairing, 83
Pairing-friendly curve, 207
Phi function, Euler's, 19
Plaintext, 92
Point addition, elliptic curve, 47
Pollard's rho algorithm, 98
Prime, Solinas, 16
Product of pairings, calculating, 216
Projective coordinates, 53
Proving security, 114
q-bilinear Diffie-Hellman inversion problem, 108
q-decision bilinear Diffie-Hellman inversion problem, 109
Quadratic nonresidue, 21
Quadratic residue, 21
Quadratic residuosity problem, 109
Quadratic twist, 61
Quantum computing, 116
Random oracle model, 115
Reduced pairing, 78
Sakai-Kasahara IBE scheme, 177
Shipsey-Stange algorithm, 217
Shor's algorithm, 117
Singular elliptic curve, 113
Solinas prime, 16
Standard model, 115
Subgroup, 27
Supersingular (elliptic curve), 57
Support (of a divisor), 70
Tate pairing, 76
Three-way key exchange, Joux's, 126
Trace (of an elliptic curve), 57
Trace of Frobenius, 57
Twist, 61
Weierstrass normal form, 44
Weil reciprocity, 75