Identity Based Encryption Debdeep Mukhopadhyay Associate Professor Dept of Computer Sc and Engg, IIT Kharagpur

Post on 26-Dec-2015



Public Key Setting

• Alice and Bob might not have a prior shared secret.
• Each participant has a pair of public and private keys for a certain pre-specified cryptosystem or signature scheme.
• It is always necessary to authenticate the public keys of other people in the network.
• This requires some kind of Public Key Infrastructure (PKI).
• We assume there is a Trusted Authority (TA) or Certification Authority (CA) who signs the public keys of all people in the network.
• The public verification key verTA of the TA is known to all.

Certificates

• A certificate for someone in the network will consist of:
  • some identifying information for a person (eg, name, email address, etc.),
  • their public keys, and
  • the signature of the TA on that information.
• The certificate allows network users to verify the authenticity of each other's keys.
• How does Alice obtain a certificate from the TA which contains a copy of Alice's public verification key for a signature scheme?

A Protocol to Issue a Certificate to Alice

• The TA establishes Alice's identity by means of conventional forms of identification like a birth certificate, passport etc. Then the TA forms a string ID(Alice), which contains Alice's identification.
• A private signing key for Alice, sigAlice, and a corresponding public verification key verAlice are determined.
• The TA computes its signature s = sigTA(ID(Alice) || verAlice) on Alice's identity string and verification key.
• The certificate Cert(Alice) = (ID(Alice) || verAlice || s) is given to Alice, along with Alice's private key, sigAlice.

Verification of the Public Key

• Anyone who has the TA's verification key verTA can verify anyone else's certificate.
• Suppose Bob wants to be sure that Alice's public key is authentic:
  • Alice gives her certificate to Bob.
  • Bob can then verify the signature of the TA by checking: verTA(ID(Alice) || verAlice || s) = true

Note:
• The purpose of verifying a certificate is to authenticate the public key.
• Verifying the signature allows someone to verify that the certificate was issued by the CA.
• Having verified the signature, a user would then believe the information, provided the CA can be trusted to have verified the information before signing.

X.509 v3

• Version number
• Serial number
• Signature algorithm ID
• Issuer name
• Validity period
• Subject name (ie. signature owner)
• Public key of owner
• Signature of CA on all the fields

Problems of PKI

• Many difficulties are associated with practical large-scale deployments of PKI.
• Who is responsible for its deployment, maintenance, and regulation? Government or industry?
• What standards should be used: certificate formats, cryptographic algorithms, revocation, etc.?
• Lack of PKI-compatible applications has slowed down its deployment.

Alternative to PKI

• Identity Based Encryption (IBE):
  • Refers to public key cryptography where the values of the public key are computed from the identity of the owners.
  • Renders certificates unnecessary, and hence the need for an infrastructure to verify public keys is avoided.

ID-based Encryption

• The public key for a user U is obtained by applying a public hash function h to the user's identity string, ID(U).
• The corresponding private key is generated by a central trusted authority (denoted by TA).
• The private key is then supplied to the user U after that user proves his or her identity to the TA.
• Issuance of the private key by the TA replaces the issuing of a certificate.
• The resulting private and public keys are used in an encryption scheme, signature scheme, or other scheme.
• The scheme uses some fixed public parameters, including a certain master key.

IBE and PKI

• IBE removes the need for certificates.
• However, we still need a convenient and reliable method for associating an identity string with a person.
• Nevertheless, IBE alleviates many of the problems of PKI.
• Note that unlike PKI, in IBE any user, say Bob, can encrypt a message for Alice (using the IDA and the public key of the TA) before Alice has received her private key from the TA.
• Also, Bob could include in the IDA any set of conditions that should be met before the TA issues the private key:
  • These could include credit ratings, employment status, minimum age requirement, etc.
  • A date in the IDA solves the key revocation problem (ie. the private key will be issued only if it has not been revoked).

Designing an IBE

• Can a public key cryptosystem be converted to an IBE?
• Let us try with RSA.
• The TA chooses the RSA modulus n = pq as the public master key.
• The factors p and q are known only to the TA, and work as the master private key.
• How does a user U obtain its key pair?

RSA converted to IBE?

• The public key of a user U is an encryption exponent and the private key is a decryption exponent.
• However, once U has a public key and private key pair, it can factor n.
• Once U knows the private master key, it can impersonate the TA.
• It can compute anyone else's private key.
• The IBE fails!
• Thus IBE necessitates that a user's public key and private key cannot be used to determine the private master key of the TA.
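The failure of the RSA-as-IBE idea can be checked directly. The following is an added example (not code from the lecture): given a shared modulus and one user's own (e, d) pair, it recovers p and q and then derives another user's private exponent exactly as the TA would; the key values are tiny constructed numbers for illustration.

```python
# Added example (not from the slides): why a shared RSA modulus cannot serve as
# an IBE master key.  Any user who holds a valid pair (e, d) for n = p*q can
# recover p and q, and therefore every other user's private exponent.
# The primes here are tiny, constructed values for illustration only.
import random
from math import gcd

def factor_from_exponents(n, e, d):
    """Recover (p, q) from n and one valid RSA pair (e, d).
    e*d - 1 is a multiple of phi(n) = (p-1)(q-1); for a random g the values
    g^((e*d-1)/2^i) mod n expose a nontrivial square root of 1 (probability
    >= 1/2 per g), and gcd(root - 1, n) is then a proper factor of n."""
    t, s = e * d - 1, 0
    while t % 2 == 0:                      # e*d - 1 = 2^s * t, t odd
        t, s = t // 2, s + 1
    while True:
        g = random.randrange(2, n - 1)
        if gcd(g, n) != 1:                 # lucky hit: g already shares a factor
            p = gcd(g, n)
            return tuple(sorted((p, n // p)))
        x = pow(g, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):   # x^2 = 1 but x != +-1
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            x = y

def derive_other_private_key(n, e_other, p, q):
    """Once p, q are known, any user's d follows from that user's public e
    exactly as the TA would compute it: the 'user' has become the TA."""
    phi = (p - 1) * (q - 1)
    return pow(e_other, -1, phi)

if __name__ == "__main__":
    n, e, d = 3233, 17, 2753            # constructed toy key: p = 61, q = 53
    p, q = factor_from_exponents(n, e, d)
    print("factors:", p, q)
    print("another user's private exponent for e=7:", derive_other_private_key(n, 7, p, q))
```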

Components of an IBE

• System Parameters:
  • Master key generation: The TA generates the master public key Mpub and a corresponding master private key Mpriv. The master key is M = (Mpub, Mpriv).
  • A hash function h is also public.

User Key Generation

• When a user U identifies himself to the TA, the TA uses a function extract to compute U's private key KUpriv:
  KUpriv = extract(M, KUpub),
  where U's public key is KUpub = h(ID(U)).
• User U's key is KU = (KUpub, KUpriv).

Encryption and Decryption

• Encryption: User U's public key KUpub defines a public encryption rule, eKU, that can be used by anyone to encrypt messages sent to U.
• Decryption: U's private key KUpriv defines a private decryption rule, dKU, that U will use to decrypt messages he receives.

The Cocks IBE

• Based on certain properties of the Jacobi symbols.

• It uses certain number theoretic properties of quadratic residues.

Quadratic Residues

• Suppose p is an odd prime and a is an integer.
• Quadratic Residue: a is defined to be a Quadratic Residue (QR) modulo p if and the congruence has a solution.
• a is defined as a quadratic non-residue modulo p if and a is not a quadratic residue modulo p.

Example

• Z11:
  1^2 = 1, 2^2 = 4, 3^2 = 9, 4^2 = 5, 5^2 = 3, 6^2 = 3, 7^2 = 5, 8^2 = 9, 9^2 = 4, 10^2 = 1 (mod 11)
• There are exactly (p-1)/2 QRs (Quadratic Residues).
• Note that the sequence of squares forms a palindrome.
• There are exactly (11-1)/2 = 5 QRs.

The QR Problem

• We have a polynomial time deterministic algorithm to solve this decision problem.

Euler comes to the rescue again

• The time complexity of this check is O((log p)^3), by applying the square-and-multiply method to raise an element to a power.
• Note that if a^((p-1)/2) ≡ -1 (mod p), then a is a quadratic non-residue.

Legendre Symbol

Jacobi Symbol: Generalization of Legendre Symbol

Example

• Compute (6278/9975).
• Note 9975 = 3 × 5^2 × 7 × 19 (prime power factorization).

  (6278/9975) = (6278/3) (6278/5)^2 (6278/7) (6278/19)
              = (2/3) (3/5)^2 (6/7) (8/19)
              = (-1)(1)(-1)(-1) = -1

Properties of Jacobi

Example

An Example

Computing Jacobi without factorization of n

• Input: m ≥ 0, n ≥ 1, n odd
• Output: JacobiSymbol(m, n)

  if (m == 0) {
      if (n == 1) return 1; else return 0;
  }
  else if (m >= n)
      return JacobiSymbol(m mod n, n);
  else {
      write m = 2^δ · m'  (where m' ≥ 1, m' odd);
      /* (2/n) = +1 if n ≡ ±1 (mod 8), -1 if n ≡ ±3 (mod 8); this closed form
         replaces a recursive call JacobiSymbol(2, n), which would never terminate */
      return ± [(2/n)]^δ · JacobiSymbol(n, m');
      /* Use -, if m' ≡ n ≡ 3 (mod 4), + otherwise */
  }

Complexity

• Roughly O((log n)^3).
• The only arithmetic operations are factoring out powers of two and modular reductions.
• The former depends on the number of trailing zeros if the number is encoded in binary.
• So the cost is dominated by modular reduction.
• Roughly O(log n) modular reductions are necessary, each of which can be done in O((log n)^2).

QR(n)

• QR(n) = {x^2 mod n : x ∈ Zn*}, where n = pq.

• Note that x is a quadratic residue modulo n iff :

Define: =1}.

Thus, }.

The latter are called pseudo-squares modulo n. Both sets have the same cardinality, namely (p-1)(q-1)/4.

Composite Quadratic Residues

• Given: a positive integer n that is the product of two unknown distinct odd primes p and q, and an integer x ∈ Zn* such that =1.
• Question: Is x ∈ QR(n)?
• This is no harder than factoring n: if you can factor n, then you can solve it!
• However, if the factorization of n is not known, there does not seem to be an efficient way.

An easy algorithm to compute the square root of y mod p, for

• Note (p+1)/4 is an integer.
• Also, note that
• Note, if y is a quadratic residue (from Euler's Criterion), we have .
• Hence, the two square roots are
• Note, for cases where , there is no polynomial time deterministic algorithm.

Cocks Identity Based Encryption

• Let p, q be two primes such that and define .
• System Parameters:
  • The master key M = (Mpub, Mpriv), where Mpub = n and Mpriv = (p, q).
  • Hash function h: {0,1}* → Zn is a public hash function with the property that for all .

User Key Generation

• For a user U, the key KU = (KUpub, KUpriv), where:
  KUpub = h(ID(U))
  and:

Encryption

• A plaintext is an element of the set {-1, 1}.
• To encrypt, perform the following steps:
  • Choose two random values t1, t2 ∈ Zn such that the Jacobi symbols
  • Compute
  • The ciphertext is y = (y1, y2).

Decryption

• Given the ciphertext y = (y1, y2), y is decrypted as follows:
  • If then define s = y1, else define s = y2.
  • Compute the Jacobi symbol: The decrypted plaintext is x.

Proof of Decryption Correctness

Suppose U receives a ciphertext (y1, y2), and that , then we show that:
• =
• =
Note that we use the fact that the second Jacobi symbol is 1, since its numerator is certainly a quadratic residue.
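The following added example (not the lecture's own code) ties together the Jacobi algorithm without factorization, the y^((p+1)/4) square root for p ≡ 3 (mod 4), Euler's criterion, and the Cocks key generation, encryption and decryption just described, as one runnable toy scheme. The hash h onto Zn with Jacobi symbol +1 is an assumed stand-in (SHA-256 of the identity plus a counter, rejection sampled), and the Mersenne primes used when running it are a constructed choice, not parameters from the slides.

```python
# Added example (not the lecture's own code): toy Cocks IBE with p, q = 3 (mod 4).
# jacobi() is the "Jacobi without factorization" recursion, sqrt_mod_p() the
# y^((p+1)/4) root, extract() picks the square among a and -a by Euler's criterion,
# and h() is an assumed stand-in hash onto Z_n with (a/n) = 1 (SHA-256 + counter).
import hashlib
import random

def jacobi(m, n):
    """Jacobi symbol (m/n) for odd n >= 1, computed without factoring n."""
    m, d = m % n, 0
    if m == 0:
        return 1 if n == 1 else 0
    while m % 2 == 0:                            # m = 2^d * m', m' odd
        m, d = m // 2, d + 1
    res = (1 if n % 8 in (1, 7) else -1) ** d    # (2/n)^d, second supplement
    if m % 4 == 3 and n % 4 == 3:                # reciprocity sign for (m'/n)
        res = -res
    return res * jacobi(n, m)                    # (m'/n) = +-(n/m')

def sqrt_mod_p(y, p):
    return pow(y, (p + 1) // 4, p)               # y a QR, p = 3 (mod 4)

def h(identity, n):                              # constructed stand-in hash
    for ctr in range(10**6):
        a = int.from_bytes(hashlib.sha256(f"{identity}|{ctr}".encode()).digest(), "big") % n
        if a > 1 and jacobi(a, n) == 1:
            return a

def extract(mpriv, a):
    """TA side: r with r^2 = a or r^2 = -a (mod n), assembled by CRT."""
    p, q = mpriv
    n = p * q
    base = a if pow(a, (p - 1) // 2, p) == 1 else (-a) % n   # Euler's criterion
    rp, rq = sqrt_mod_p(base % p, p), sqrt_mod_p(base % q, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n

def encrypt(n, a, x):
    """x in {-1, +1}: t1, t2 with (t/n) = x; y1 = t1 + a/t1, y2 = t2 - a/t2."""
    ys = []
    for sign in (1, -1):
        t = random.randrange(2, n)
        while jacobi(t, n) != x:                 # also rejects gcd(t, n) > 1
            t = random.randrange(2, n)
        ys.append((t + sign * a * pow(t, -1, n)) % n)
    return tuple(ys)

def decrypt(n, a, r, y):
    s = y[0] if pow(r, 2, n) == a else y[1]      # the half that r is a root for
    return jacobi((s + 2 * r) % n, n)            # plaintext x = ((s + 2r)/n)
```

With p = 2^31 - 1 and q = 2^61 - 1 (both prime and ≡ 3 mod 4) the whole round trip runs in well under a second, and jacobi(6278, 9975) reproduces the -1 of the worked example above.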

Cocks IBE is IND-CPA Secure

• Quadratic Residue Assumption:
  Jn* = {a ∈ Zn* | (a/n) = 1}. Note: |QRn*| = |Jn* \ QRn*| = 1/2 |Jn*|.

  <n ← S(1*), a ← QRn*> ≈ <n ← S(1*), a ← Jn* \ QRn*>

  It is hard to distinguish between a random quadratic residue and a random quadratic non-residue, given that both have Jacobi symbol 1.

Cocks IBE is IND-CPA Secure

• If a ∈ Jn* \ QRn*, then Enc(a, +1) ≈ Enc(a, -1), ie.
  Pr[Enc(a, 1) = c] = Pr[Enc(a, -1) = c]
• Note, ==-1.
• Let c = t + a/t, for some t = t0 ∈ Zn*. Note c is the ciphertext produced for a message m ∈ {-1, 1} using t, where =m.
• Each possible value of t thus relates to a message, and so let us look at the probability distribution of this Jacobi symbol.

Indistinguishability of the cipher

• There could be 4 possible solutions to the above equations. We write them using CRT in Zn* and have 4 solutions:
  • <
  • < has Jacobi symbol -1
  • <> has Jacobi symbol -1
• Let, in CRT form, t1 = , t1 =
• = = = - = -1
• Note, =
• Also note, = -1, = = =

Indistinguishability of the cipher

• < has Jacobi symbol
• Note, it means that there is an equal chance that is inferred, or -1 is inferred.
• Thus the indistinguishability of the probability distribution.
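The four-solution argument above can be verified exhaustively on a toy modulus. This added example (not from the slides) uses n = 7 × 11 and, for every ciphertext half c = t + a/t (mod n), lists the Jacobi symbols (t/n) of all t that produce it: for a pseudo-square a every c comes from two t with symbol +1 and two with symbol -1, whereas for a genuine square a every c fixes the symbol, which is exactly why Enc(a, +1) and Enc(a, -1) coincide only when a ∈ Jn* \ QRn*. Because p and q are known here, Jacobi symbols are computed via Euler's criterion rather than the factorization-free algorithm.

```python
# Added example (not from the slides): brute-force check of the CPA argument on
# a constructed toy modulus n = 7 * 11.  For each ciphertext half c = t + a/t
# (mod n) we collect (t/n) over all t that map to it.  With a in Jn* \ QRn*
# every c has preimages [-1, -1, 1, 1], so c reveals nothing about the bit.
from collections import defaultdict
from math import gcd

def legendre(x, p):
    """(x/p) via Euler's criterion, p an odd prime."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def jacobi_pq(x, p, q):
    """(x/n) = (x/p)(x/q) for n = p*q; only usable when p and q are known."""
    return legendre(x, p) * legendre(x, q)

def is_pseudo_square(a, p, q):
    """a in Jn* \\ QRn*: Jacobi symbol +1 but a non-residue modulo both p and q."""
    return legendre(a, p) == -1 and legendre(a, q) == -1

def symbol_profile(a, p, q):
    """Map each c = t + a/t (mod n) to the sorted list of (t/n) over all t in Zn*."""
    n = p * q
    profile = defaultdict(list)
    for t in range(1, n):
        if gcd(t, n) != 1:
            continue
        c = (t + a * pow(t, -1, n)) % n
        profile[c].append(jacobi_pq(t, p, q))
    return {c: sorted(v) for c, v in profile.items()}

def leaks_plaintext(a, p, q):
    """True if some c is produced only by t of a single Jacobi symbol,
    i.e. an eavesdropper seeing c could learn (t/n) = m."""
    return any(len(set(v)) == 1 for v in symbol_profile(a, p, q).values())
```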

IND-CPA-security

• Under the assumption of QRA, we can prove the IND-CPA security of the scheme:

  <n, a ← QRn*, Enc(a, +1)> ≈ <n, a ← Jn* \ QRn*, Enc(a, +1)>
                            ≡ <n, a ← Jn* \ QRn*, Enc(a, -1)>
                            ≡ <n, a ← QRn*, Enc(a, -1)>