资源描述:
《Introduction to Identity-Based Encryption》由会员上传分享,免费在线阅读,更多相关内容在学术论文-天天文库。
IntroductiontoIdentity-BasedEncryptionLutherMartin LibraryofCongressCataloging-in-PublicationDataAcatalogrecordforthisbookisavailablefromtheU.S.LibraryofCongress.BritishLibraryCataloguinginPublicationDataAcataloguerecordforthisbookisavailablefromtheBritishLibrary.ISBN-13:978-1-59693-238-8CoverdesignbyYekaterinaRatner2008ARTECHHOUSE,INC.685CantonStreetNorwood,MA02062Allrightsreserved.PrintedandboundintheUnitedStatesofAmerica.Nopartofthisbookmaybereproducedorutilizedinanyformorbyanymeans,electronicormechanical,includingphotocopying,recording,orbyanyinformationstorageandretrievalsystem,withoutpermissioninwritingfromthepublisher.Alltermsmentionedinthisbookthatareknowntobetrademarksorservicemarkshavebeenappropriatelycapitalized.ArtechHousecannotattesttotheaccuracyofthisinformation.Useofaterminthisbookshouldnotberegardedasaffectingthevalidityofanytrademarkorservicemark.10987654321 ContentsPrefacexiii1Introduction11.1WhatIsIBE?11.2WhyShouldICareAboutIBE?8References132BasicMathematicalConceptsandProperties152.1ConceptsfromNumberTheory152.1.1ComputingtheGCD162.1.2ComputingJacobiSymbols242.2ConceptsfromAbstractAlgebra25References393PropertiesofEllipticCurves413.1EllipticCurves413.2AddingPointsonEllipticCurves473.2.1AlgorithmforEllipticCurvePointAddition523.2.2ProjectiveCoordinates533.2.3AddingPointsinJacobianProjectiveCoordinates54v viIntroductiontoIdentity-BasedEncryption3.2.4DoublingaPointinJacobianProjectiveCoordinates553.3AlgebraicStructureofEllipticCurves553.3.1HigherDegreeTwists613.3.2ComplexMultiplication65References664DivisorsandtheTatePairing674.1Divisors674.1.1AnIntuitiveIntroductiontoDivisors684.2TheTatePairing764.2.1PropertiesoftheTatePairing814.3Miller’sAlgorithm84References875CryptographyandComputationalComplexity895.1Cryptography915.1.1Definitions915.1.2ProtectionProvidedbyEncryption935.1.3TheFujisaki-OkamotoTransform955.2RunningTimesofUsefulAlgorithms955.2.1FindingCollisionsforaHashFunction965.2.2Pollard’sRhoAlgorithm985.2.3TheGeneralNumberFieldSieve995.2.4TheIndexCalculusAlgorithm1025.2.5RelativeStrengthofAlgorithms1025.3UsefulComputationalProblems1045.3.1TheComputationalDiffie-HellmanProblem1055.3.2TheDecisionDiffie-HellmanProblem1065.3.3TheBilinearDiffie-HellmanProblem1075.3.4TheDecisionBilinearDiffie-HellmanProblem1075.3.5q-BilinearDiffie-HellmanInversion1085.3.6q-DecisionBilinearDiffie-HellmanInversion1095.3.7CobilinearDiffie-HellmanProblems109 Contentsvii5.3.8IntegerFactorization1095.3.9QuadraticResiduosity1095.4SelectingParameterSizes1105.4.1SecurityBasedonIntegerFactorizationandQuadraticResiduosity1105.4.2SecurityBasedonDiscreteLogarithms1105.5ImportantSpecialCases1115.5.1AnomalousCurves1125.5.2SupersingularEllipticCurves1125.5.3SingularEllipticCurves1135.5.4WeakPrimes1135.6ProvingSecurityofPublic-KeyAlgorithms1145.7QuantumComputing1165.7.1Grover’sAlgorithm1165.7.2Shor’sAlgorithm117References1186RelatedCryptographicAlgorithms1216.1Goldwasser-MichaliEncryption1216.2TheDiffie-HellmanKeyExchange1246.3EllipticCurveDiffie-Hellman1256.4Joux’sThree-WayKeyExchange1266.5ElGamalEncryption128References1297TheCocksIBEScheme1317.1SetupofParameters1317.2ExtractionofthePrivateKey1337.3EncryptingwithCocksIBE1337.4DecryptingwithCocksIBE1357.5Examples136 viiiIntroductiontoIdentity-BasedEncryption7.6SecurityoftheCocksIBEScheme1397.6.1RelationshiptotheQuadraticResiduosityProblem1397.6.2ChosenCiphertextSecurity1427.6.3ProofofSecurity1427.6.4SelectingParameterSizes1437.7Summary143References1458Boneh-FranklinIBE1478.1Boneh-FranklinIBE(BasicScheme)1498.1.1SetupofParameters(BasicScheme)1498.1.2ExtractionofthePrivateKey(BasicScheme)1508.1.3EncryptingwithBoneh-FranklinIBE(BasicScheme)1508.1.4DecryptingwithBoneh-FranklinIBE(BasicScheme)1518.1.5Examples(BasicScheme)1518.2Boneh-FranklinIBE(FullScheme)1568.2.1SetupofParameters(FullScheme)1568.2.2ExtractionofthePrivateKey(FullScheme)1578.2.3EncryptingwithBoneh-FranklinIBE(FullScheme)1578.2.4DecryptingwithBoneh-FranklinIBE(FullScheme)1588.3SecurityoftheBoneh-FranklinIBEScheme1588.4Summary159Reference1609Boneh-BoyenIBE1619.1Boneh-BoyenIBE(BasicScheme—AdditiveNotation)1629.1.1SetupofParameters(BasicScheme—AdditiveNotation)1629.1.2ExtractionofthePrivateKey(BasicScheme—AdditiveNotation)164 Contentsix9.1.3EncryptingwithBoneh-BoyenIBE(BasicScheme—AdditiveNotation)1649.1.4DecryptingwithBoneh-BoyenIBE(BasicScheme—AdditiveNotation)1649.2Boneh-BoyenIBE(BasicScheme—MultiplicativeNotation)1689.2.1SetupofParameters(BasicScheme—MultiplicativeNotation)1689.2.2ExtractionofthePrivateKey(BasicScheme—MultiplicativeNotation)1709.2.3EncryptingwithBoneh-BoyenIBE(BasicScheme—MultiplicativeNotation)1709.2.4DecryptingwithBoneh-BoyenIBE(BasicScheme—MultiplicativeNotation)1709.3Boneh-BoyenIBE(FullScheme)1719.3.1SetupofParameters(FullScheme)1729.3.2ExtractionofthePrivateKey(FullScheme)1739.3.3EncryptingwithBoneh-BoyenIBE(FullScheme)1739.3.4DecryptingwithBoneh-BoyenIBE(FullScheme)1739.4SecurityoftheBoneh-BoyenIBEScheme1749.5Summary175Reference17610Sakai-KasaharaIBE17710.1Sakai-KasaharaIBE(BasicScheme—AdditiveNotation)17710.1.1SetupofParameters(BasicScheme—AdditiveNotation)17810.1.2ExtractionofthePrivateKey(BasicScheme—AdditiveNotation)17810.1.3EncryptingwithSakai-KasaharaIBE(BasicScheme—AdditiveNotation)18010.1.4DecryptingwithSakai-KasaharaIBE(BasicScheme—AdditiveNotation)18010.2Sakai-KasaharaIBE(BasicScheme—MultiplicativeNotation)182 xIntroductiontoIdentity-BasedEncryption10.2.1SetupofParameters(BasicScheme—MultiplicativeNotation)18210.2.2ExtractionofthePrivateKey(BasicScheme—MultiplicativeNotation)18310.2.3EncryptingwithSakai-KasaharaIBE(BasicScheme—MultiplicativeNotation)18410.2.4DecryptingwithSakai-KasaharaIBE(BasicScheme—MultiplicativeNotation)18410.3Sakai-KasaharaIBE(FullScheme)18510.3.1SetupofParameters(FullScheme)18510.3.2ExtractionofthePrivateKey(FullScheme)18510.3.3EncryptingwithSakai-KasaharaIBE(FullScheme)18510.3.4DecryptingwithSakai-KasaharaIBE(FullScheme)18710.4SecurityoftheSakai-KasaharaIBEScheme18710.5Summary188Reference18911HierarchialIBEandMasterSecretSharing19111.1HIBEBasedonBoneh-FranklinIBE19311.1.1GSHIBE(Basic)RootSetup19411.1.2GSHIBE(Basic)Lower-LevelSetup19411.1.3GSHIBE(Basic)Extract19411.1.4GSHIBE(Basic)Encrypt19411.1.5GSHIBE(Basic)Decrypt19511.2ExampleofaGSHIBESystem19511.2.1GSHIBE(Basic)RootSetup19611.2.2GSHIBE(Basic)Lower-LevelSetup19611.2.3GSHIBE(Basic)ExtractionofPrivateKey19611.2.4GSHIBE(Basic)Encryption19711.2.5GSHIBE(Basic)Decryption19711.3HIBEBasedonBoneh-BoyenIBE19711.3.1BBGHIBE(Basic)Setup19811.3.2BBGHIBE(Basic)Extract199 Contentsxi11.3.3BBGHIBE(Basic)Encryption19911.3.4BBGHIBE(Basic)Decryption19911.4ExampleofaBBGHIBESystem20011.4.1BBGHIBE(Basic)Setup20011.4.2BBGHIBE(Basic)ExtractionofPrivateKey20011.4.3BBGHIBE(Basic)Encryption20111.4.4BBGHIBE(Basic)Decryption20111.5MasterSecretSharing20111.6MasterSecretSharingExample202References20412CalculatingPairings20712.1Pairing-FriendlyCurves20712.1.1RelativeEfficiencyofParametersofPairing-FriendlyCurves20912.2EliminatingIrrelevantFactors21012.2.1EliminatingRandomComponents21112.2.2EliminatingExtensionFieldDivisions21412.2.3DenominatorElimination21512.3CalculatingtheProductofPairings21612.4TheShipsey-StangeAlgorithm21712.5Precomputation221References222Appendix:UsefulTestData225AbouttheAuthor229Index231 PrefaceThecontentofthisbookroughlyparallelsthecontentofaseriesoftalksthatIgaveattheVoltageSecurity‘‘brown-bag’’seminar,therandomlyoccurringseriesoftalksthattechnologistsatVoltagegavetoothersinthecompany,talksthatattemptedtoexplainwhatwasgoingonintheeastsideofthebuilding,thesidewherepeopleoftencametoworklate,routinelyworkeduntiltheearlymorning,andalwaysdranktoomuchcoffee.ThusthematerialisaimedatatypicalSiliconValleyengineer—apersonwhoprobablyhasanundergraduatedegreeincomputerscienceandhasbeenworkingforafewyears.Andalthoughtheyhaveusuallybeenexposedtoafairamountofdiscretemath,abstractalgebra,andcryptographyinthepast,theyhaveforgottenthedetailsofmostofit,butcanrecallitagainifremindedofthebasicfacts.Thistypeofpersonalsoseemstolikebeingshownconcreteexamplesofhowthingsworktoclarifynewconcepts;andI’vetriedtofollowthismodelwiththisbook,tryingtogivereadersagoodideaofhowidentity-basedencryptionalgorithmswork.Sobyreadingthisbookyoucanalmostexperienceabitofwhatit’sliketobeataSiliconValleystart-up,butwithoutfreefoodorthestressofwonderinghowlongyourcompanywillbeabletosurvive.Thetopicofthetalkswasidentity-basedencryption,or‘‘IBE’’asitiscommonlyknown.Theyearssince2001,whenDanBonehandMattFranklinwrotethepaper‘‘Identity-BasedEncryptionfromtheWeilPairing,’’havebeeninterestingones,atleasttothoseinthefieldofcryptography.Thetechniquesthattheydescribedinthispaperstartedwhatcouldprobablybecalledarevolutioninthefield,andtheirpaperhasbeencitedatahigherratethanexperiencedbyeitherofthetwootherground-breakingpapersinpublic-keycryptography,‘‘AMethodforObtainingDigitalSignaturesandPublic-KeyCryptosystems’’byRonRivest,AdiShamir,andLenAdleman,and‘‘NewDirectionsinCryptogra-xiii xivIntroductiontoIdentity-BasedEncryptionphy’’byWhitfieldDiffieandMartinHellman.ThepaperbyBonehandFranklinmightbeconsideredthebeginningofpairing-basedcryptographyinthesamewaythatChristopherColumbusmightbegivencreditfordiscoveringtheNewWorld;theymightnothavebeenthefirsttoactuallyaccomplishsomething,buttheiraccomplishmentswerealmostcertainlythemostsignificant.Whatmakesthenewfieldofpairing-basedcryptographyinterestingdependsonyourpointofview.Itcertainlyallowsfortheconstructionofinterestingcryptographicprimitivesthatwereunknownbeforetheuseofpair-ings,andidentity-basedencryptionisoneofthemostimportantofthese.Identity-basedencryptionisinturninterestingbecauseitallowsfortheimple-mentationofsystemsthataresimplerandeasiertousethanthealternatives,anditisprobablythisratherthananyotherbenefitsthathasledtotherapidacceptanceofthetechnology.Inthefewyearssinceitsfirstcommercialavailabilityin2003,therapidrateofadoptionofidentity-basedencryptionhasledtothesituationinwhichtherearecurrentlyalmostasmanyusersofthetechnologyasthereareusersoftraditionalpublic-keyinfrastructuretechnologies,andatthecurrentrateofadoption,thenumberofusersofidentity-basedencryptionwillsoonoutnumberthoseofcompetingtechnologies.Soifyouareauserofinformationsecuritytechnology,thetechnologyshouldbeinterestingtoyou,foryoumayseeitsoonerthanyoumighthaveexpected,andthisbookisdesignedtogivesuchpeopleawaytounderstandthetechnologythatisquickerandeasierthanreadingtheacademicpapersonthesubject.Thenumberofusersofencryptionhasincreaseddramaticallyinrecentyears,drivenbytheincreasinglystringentregulatoryenvironmentinwhichbusinessesnowoperate,andusingencryptionisaneasywaytoconvinceyourauditorsthatyouaretakingdatasecurityandprivacyseriouslyenoughforthemtoapproveofyouroveralldatasecurityanddataprivacyprogram.Thishasincreasedinterestinbothencryptioningeneralandinparticularencryptiontechnologieslikeidentity-basedencryption,whichprovideaneasywaytocomplywithdataprivacylawswhilestayingwithinyourbudgetandnotcausingsupportnightmaresforyourITorganization.Unfortunately,theonlywaytolearnaboutidentity-basedencryptionuntilnowhasbeentoreadresearchpapersonthetopic,arequirementthatmakesthetopicinaccessibletomostpeople,eventhosewithpotentialusesforthetechnology.Withanyluck,thisbookwillbridgethatgapabitandmakethetechnologymoreaccessible. 1IntroductionThisbookdescribesapublic-keyencryptiontechnologycalledidentity-basedencryption(IBE),andtriestoanswerafewofthecommonlyaskedquestionsaboutit.Theseincludethefollowing:1.WhatisIBEandhowdoesitdifferfromotherpublic-keytechnologies?2.WhyshouldIcareaboutIBE?3.WhyshouldIbelievethatIBEschemesaresecure?4.WhataresomeofthetechniquesthathavebeenusedtocreatepracticalandsecureIBEschemes?5.HowcanIefficientlyimplementIBEschemes?Theanswerstothefirsttwoofthesequestionsarerelativelysimple,andarecontainedinthischapter.Theotherthreerequireasignificantlevelofbackgroundbeforetheycanbeanswered.Chapters2,3,and4ofthisbookprovideaframeworkforunderstandingtheanswerstothemorecomplexques-tions.Chapters5and6provideananswertothethirdquestion.Chapters7through11collectivelyprovideananswertothefourthquestion.Chapter12providessomeanswerstothefifthquestion.1.1WhatIsIBE?IBEisapublic-keyencryptiontechnologythatallowsausertocalculateapublickeyfromanarbitrarystring.Weusuallythinkofthisstringasrepresentinganidentityofsomekind,butitisusuallyusefultousemorethanjustanidentity1 2IntroductiontoIdentity-BasedEncryptiontocalculatesuchapublickey.Forexample,toavoidauserhavingthesameIBEkeyforever,itisusefultoincludesomeinformationinthisstringaboutthevalidityperiodofthekey.Or,toensurethatauserwillreceivedifferentkeysfromdifferentIBEsystems,itmaybeusefultoincludeinformationinthisstringthatisuniquetoaparticularIBEimplementation,perhapsaURLthatidentifiesaserverthatisusedintheimplementationofeachofthedifferentIBEsystems.Becausethestringusedtocalculateakeyalmostalwayscontainsmorethanjustanidentity,itmaybemoreaccuratetousethetermidentifier-basedencryptioninstead,butthistermisnotwidelyusedtodescribethetechnol-ogy.TheabilitytocalculatekeysasneededgivesIBEsystemsdifferentpropertiesthanthoseoftraditionalpublic-keysystems,andthesepropertiesprovidesignifi-cantpracticaladvantagesinsomesituations.Soalthoughthereareprobablyfewsituationsinwhichitisimpossibletosolveanyproblemwithtraditionalpublic-keytechnologiesthatcanbesolvedwithIBE,thesolutionsthatuseIBEmaybemuchsimplertoimplementandmuchlessexpensivetosupportthanalternatives.Inimplementationsofatraditionalpublic-keysystemthatusesdigitalcertificatestomanagepublickeys,apublic-privatekeypairisgeneratedrandomlybyeitherauser,oranagentworkingonbehalfofauser,inwhichthepublickeycontainsalloftheparametersneededforusingitincryptographiccalculations.Randomgenerationofkeysisnotstrictlyrequiredbythepublic-keyalgorithmsthatareusedinsuchsystems,butisrequiredbytheexistingstandardsthatdefinetheuseofsuchalgorithms.Afteritiscreated,thepublickey,alongwiththeidentityoftheownerofthekey,isdigitallysignedbyacertificateauthority(CA)tocreateadigitalcertificatethatisthenusedtotransportandmanagethekey.Theowneroftheprivatekeythenreceivesacopyofthecertificateandacopyofthecertificateisstoredinacertificaterepositorythatisaccessiblebyotherswhomightneedtogetauser’skey.Inapplicationswhereitmaybenecessarytorecoverprivatekeysthatarelostorunavailableinsomeway,theprivatekeysarealsosecurelyarchivedbyakeyrecoveryagent.Ifanagentcreatedtheprivatekeyonbehalfofauser,likeoftenhappenswhenkeysarecentrallygeneratedsothatcopiescanbearchivedtoallowtherecoveryoflostorotherwiseunavailablekeys,theownerofthekeyalsoreceivestheprivatekeyfromtheCA.ThisisshowninFigure1.1.Inatraditionalpublic-keysystem,theidentityofauserisusuallycarefullyverifiedbeforeadigitalcertificateisissuedtohim,aprocessthatistypicallyrelativelyexpensive.Theprocessofgeneratingpublic-privatekeypairscanalsobecomputationallyexpensive.Generatingtwo512-bitprimenumbersthataresuitableforuseincreatinga1,024-bitRSAprivatekeyiscertainlyfeasible,butgeneratinglargerprimesgetsprogressivelymoreexpensive.Creatingtwo7,680-bitprimesthataresuitableforuseincreatinga15,360-bitRSAprivatekeyisnotanoperationthatwidelyusedcomputerscaneasilyperform,yetsuch Introduction3KeyrecoveryagentKeycreationCertificateauthorityCertificateagentrepositoryUserFigure1.1Generationofkeysinatraditionalpublic-keysystem.keysareneededtosecurelytransportthe256-bitAESkeysthatareusedtoday.Becausegeneratingkeysandverifyingusers’identitiescanbeexpensive,digitalcertificatesareoftenissuedwithfairlylongvalidityperiods,oftenbetweenoneandthreeyears.Becauseoftherelativelylongvalidityperiodofthepublickeysmanagedbydigitalcertificates,itisoftennecessarytocheckthekeyinacertificateforvaliditybeforeusingit.ThisisshowninFigure1.2.Therehavebeenmanysolutionsproposedforvalidatingpublickeys,buttheexistingtechnologiestodothisarestillrelativelyunprovenandhavepracticaldifficultieswhenusedforalargenumberofusers.Touseapublickeythatiscontainedinadigitalcertificate,auserqueriesthepublicrepositorywherethecertificatecanbefoundandretrievesthecertificate.Becauseapublickeymaybevalidforquiteawhile,itisoftennecessarytochecksuchapublickeyforvaliditybeforeusingit.Thismaybebycheckingalistofinvalidcertificatesorbyqueryinganonlineservicethatreturnsthe 4IntroductiontoIdentity-BasedEncryptionCertificateValidationrepositoryserverSenderRecipientFigure1.2Validationanduseofapublickeyinatraditionalpublic-keysystem.validitystatusofacertificate.Afteranynecessaryvaliditycheckingisdone,theuserthenusesthepublickeytoencryptinformationtotheownerofthepublickey.Becausetherecipienthastheprivatekeythatcorrespondstothepublickey,heisabletodecryptthisinformation.ThisisshowninFigure1.2.IBEwasfirstmentionedbyAdiShamirin1984[1],whenhedescribedaroughoutlineofthepropertiesthatsuchasystemshouldhaveandhowitcouldbeused,althoughhewasunabletofindasecureandfeasibletechnologythatworkedashedescribed.HeseemedtoseetheadvantagesofIBEtoberelatedtoitseaseofuserelativetoothertechnologieswhenhedescribedIBEinthisway:Anidentity-basedschemeresemblesanidealmailsystem:Ifyouknowsomebody’snameandaddressyoucansendhimmessagesthatonlyhecanread,andyoucanverifythesignaturesthatonlyhecouldhaveproduced.Itmakesthecryptographicaspectsofthecommunicationalmosttransparenttotheuser,anditcanbeusedeffectivelyevenbylaymenwhoknownothingaboutkeysorprotocols.AnIBEsystemhassimilaritiestotraditionalpublic-keysystems,butisalsoquitedifferentinotherways.Whiletraditionalpublickeyscontainalloftheparametersneededtousethekey,touseanIBEsystem,ausertypically Introduction5needstogetasetofpublicparametersfromatrustedthirdparty.Withtheseparameters,ausercanthencalculatetheIBEpubickeyofanyuseranduseittoencryptinformationtothatuser.ThisprocessisshowninFigure1.3.TherecipientofIBE-encryptedinformationthenauthenticatesinsomewaytoaprivatekeygenerator(PKG),atrustedthirdpartythatcalculatestheIBEprivatekeythatcorrespondstoaparticularIBEpublickey.ThePKGtypicallyusessecretinformationcalledamastersecret,plustheuser’sidentity,tocalculatesuchaprivatekey.Afterthisprivatekeyiscalculated,itissecurelydistributedtotheauthorizeduser.ThisisshowninFigure1.4.ThesedifferencesaresummarizedinTable1.1.Inatraditionalpublic-keyscheme,wecansummarizethealgorithmsinvolvedinthecreationanduseofapublic-privatekeypairaskeygeneration,encryption,anddecryption.Twoadditionalalgorithms,certificationandkeyvalidation,areoftenusedinmanyimplementationsofsuchschemes.Tofullyspecifytheoperationofsuchaschemeweneedtodefinetheoperationofeachofthesealgorithms.Inthekeygenerationstep,onekeyofthepublic-privatekeypairisgeneratedrandomlyandtheotherkeyinthepairiscalculatedfromit.Afterthis,thepublickeyandtheidentityofitsownerisdigitallysignedbyaCAtocreateadigitalcertificate.Encryptionisperformedusingthepublickeycontainedinthiscertificate.Decryptionisperformedusingtheprivatekeythatcorrespondstothepublickey.InanIBEschemetherearealsofouralgorithmsthatareusedtocreateanduseapublic-privatekeypair.Thesearetraditionallycalledsetup,extraction,PublicparameterserverSenderRecipientFigure1.3EncryptingwithanIBEsystem. 6IntroductiontoIdentity-BasedEncryptionPrivatekeygeneratorRecipientFigure1.4DecryptingwithanIBEsystem.Table1.1ComparisonofPropertiesofIBEandTraditionalPublic-KeySystemsIBETraditionalPublic-KeySystemsPublicparametersaredistributedbyaAllrequiredparametersarepartofaTTPpublickeyPKGmastersecretisusedtocalculateCAprivatekeyisusedtocreatedigitalprivatekeyscertificatesPrivatekeysgeneratedbyPKGPrivatekeysaregeneratedrandomlyPublickeyscanbecalculatedbyanyPublickeyscalculatedfromprivatekeysuserandtransportedinadigitalcertificateKeystypicallyshort-livedKeystypicallyvalidforlongperiodsOnlyencryptionDigitalsignaturesplusencryptionencryption,anddecryption.SetupisthealgorithmwithwhichtheparametersneededforIBEcalculationsareinitialized,includingthemastersecretthataPKGusestocalculateIBEprivatekeys.ExtractionisthealgorithmforcalculatinganIBEprivatekeyfromtheparametersestablishedinthesetupstep,alongwiththeidentityofauser,andusesthemastersecretofthePKGtodothis.EncryptionisperformedwithanIBEpublickeythatiscalculatedfromtheparametersfromthesetupstepandtheidentityofauser.DecryptionisperformedwithanIBEprivatekeythatiscalculatedfromauser’sidentityandtheprivate Introduction7keyofthePKG.ThesestepsaresummarizedinTable1.2.ThediscussionsofIBEschemesinthesubsequentchapterswilldescribetheoperationofIBEschemesintermsofthesefourparts:thealgorithmsthatimplementthesetup,extraction,encryption,anddecryptionsteps.Therearefivemainobjectivesthataninformationsecuritysolutioncanmeet:providingconfidentiality,integrity,availability,authentication,andnonre-pudiation.Confidentialitykeepsinformationsecretfromthosenotauthorizedtoseeit.Integrityensuresthatinformationhasnotbeenalteredbyunauthorizedorunknownmeans.Availabilityensuresthatinformationisintheplacerequiredbyauseratthetimethattheinformationisrequiredandintheformthatauserneedsit.Authenticationistheabilitytoverifytheidentityofauser.Nonrepudiationpreventsthedenialofpreviouscommitmentsoractions.Theuseofcryptographycansupportmostoftheseobjectives;theuseofIBEcansupportonlyoneoftheseobjectives.ThisissummarizedinTable1.3.Encryptionofdataisaneasywaytoprovideconfidentiality.Inawell-designedsystem,decryptingencrypteddataisinfeasibletoanyonenotpossessingthecorrectdecryptionkey.DigitalsignaturesprovidesolutionsfortheotherTable1.2FourAlgorithmsComprisinganIBESchemeStepSummarySetupInitializeallsystemparameters.ExtractionCalculateIBEprivatekeyfromPKGmastersecretandanidentityusingsystemparameters.EncryptEncryptinformationusinganIBEpublickeycalculatedfromsystemparametersandanidentity.DecryptDecryptinformationusinganIBEprivatekeycalculatedfromPKGmastersecretandanidentity.Table1.3ApplicabilityofDifferentEncryptionTechnologiesinAttainingInformationSecurityGoalsSecurityGoalIBETraditionalPublic-KeyTechnologiesConfidentialityYesYesIntegrityNoYesAvailabilityNoYesAuthenticationNoYesNonrepudiuationNoNo 8IntroductiontoIdentity-BasedEncryptionobjectivesofinformationsecurity.Theyprovideawaytoprovideintegrity,becausemodifyingdigitallysigneddatawhilekeepingthesignaturevalidisascomputationallyinfeasibleasdefeatingtheunderlyingcryptographythatisusedtocreatethesignature.Theycanalsoprovideatechnicalbasisfornonrepudiation,althoughdefiningexactlywhatnonrepudiationmeansisfairlydifficult.Notallwrittensignaturesarelegallybinding,afterall,andweshouldexpectthesamelimitationstothenonrepudiationprovidedbydigitalsignatures.Forallpracticalpurposes,nonrepudiationseemstobeanunattainablegoalforexistinginforma-tionsecuritytechnologies.Digitalsignaturesalsoprovideawaytoauthenticateusers;ausercreatingavaliddigitalsignatureneedstoeitherhavepossessionoftheprivatekeyusedtocreatethesignatureortohavedefeatedthecryptographyusedtocreatethesignature.Sousingdigitalsignaturestoauthenticateuserscanalsohelppreventdenial-of-serviceattacks,whichincreasestheavailabilityofdata.IBEprovidesaneasysolutionthatprovidesfortheconfidentialityofdata.Itdoesnotprovideintegrity,availability,authentication,andnonrepudiation.Thesearemoreeasilyprovidedbydigitalsignaturesusingkeysthatarecreatedandmanagedbyatraditionalpublic-keysystem.Aswewillsee,however,theadvantagesthatIBEprovidesmakeitaverygoodsolutionforsomeproblems,andahybridsolutionthatusedIBEforencryptionandatraditionalpublic-keysystemtoprovidedigitalsignaturesmaybeasolutionthatcombinesthebestfeaturesofeachtechnology.1.2WhyShouldICareAboutIBE?IBEisaninterestingtechnologybecauseotherpublic-keyalgorithmshaveencounteredpracticaldifficultiesinuse.Inparticular,implementationsoftradi-tionalpublic-keytechnologieshavegainedareputationforbeingdifficultandexpensive,atleastwhentheyareusedbypeople;themostsuccessfulapplicationofpublic-keytechnologyhasbeeninthewidespreaduseofSSL,whichrequiresminimalinteractionwithauserwhenitisusedtoauthenticateaserverandtoencryptcommunicationswiththesameserver.Applicationsthatrequireausertomangeorusepublickeyshavenotbeenassuccessful.Aclassicstudyin1999byAlmaWhittenandJ.D.Tygarthatwaspopularizedbythepaper‘‘WhyJohnnyCan’tEncrypt’’[2],foundthat75%ofuserswereunabletouseapublic-key-basedsystemtosendanencryptede-mail.Usabilityofpublic-keytechnologyseemstohaveincreasedsincethisstudy,butapparentlynotenough.Thetitlealoneofthe2006paper‘‘WhyJohnnyStillCan’tEncrypt’’[3]indicatesthatthetechnologyisstilltoodifficultformanyusers:noneofthesixtestsubjectsinthissecondstudywereabletoencrypte-mail.Poorusabilitycauseshigh-supportcostsforusersofthetechnol- Introduction9ogy,andhasprobablybeenoneofthemajorfactorshinderingthewidespreadadoptionofpublic-keytechnology.DanGeerevenconjecturedthathighcostsareunavoidablewhenusinganytypeofcryptography[4]:Bothsymmetriccryptosystems,likeKerberos,andasymmetriccryptosys-tems,likeRSA,dothesamething—thatistosaytheydokeydistribution—butthesemanticsarequitedifferent.Thefundamentalsecurity-enablingactivityofasecretkeysystemistoissuefreshkeysatlowlatencyandondemand.Thefundamentalsecurity-enablingactivityofanasymmetrickeysystemistoverifytheas-yet-unrevokedstatusofakeyalreadyincirculation,againwithlowlatencyandondemand.Thisiskeymanagementanditisasystemscost;asecretkeysystemlikeKerberoshasincurrednearlyallitscostsbythemomentofkeyissuance.Bycontrast,apublickeysystemincursnearlyallitscostswithrespecttokeyrevocation.Hence,aruleofthumb:Thecostofkeyissuanceplusthecostofkeyrevocationisaconstant,justyetanotherversionof‘‘Youcanpaymenoworyoucanpaymelater.Geer’sconjecturetellsusthatweshouldexpectanyuseofcryptographytobeexpensive.Becausetherearemanycaseswheretheuseofencryptionisdesirable,anewtypeofencryptiontechnologythatavoidssomeoftheproblemsassociatedwithtraditionalpublic-keytechnologiesisinherentlyinteresting,andthisisoneofthepromisesofIBE.IBEmaynotofferanynewcapabilitiesthattraditionalpublic-keytechnologiescannotprovide,butitallowsforthecreationofsolutionsthatwouldbeverydifficultandexpensivetoimplementwithearliertechnologies.Inparticular,thesesolutionsseemtoviolateGeer’sprinciplethatusingencryptionhastohaveahighcost.Keyvalidation,orcheckingtomakesurethataparticularkeyisvalidatsomepointinitslifetime,canbeanexpensiveanddifficultprocess,particularlywhenvalidatingusesofakeythattookplaceinthepast.Supposethatyouaredoingdigitallysignedandencryptedelectronictransactionsandyouneedtoverifywhetherornotaparticulartransactionhadavalidsignatureatsomepointinthepast,likewhenthetransactiontookplacetwoyearsago.Thevalidityofadigitalcertificatecanchangeduringitslifetimeasitistemporarilysuspendedorrevoked,soitisnecessarytobeabletoreconstructthevalidityofthekeymanagedbyanycertificateatanypointinthekey’slifetimetobeabletoanswersuchquestions.Doingsorequiresbeingabletoreconstructthestateofthesystemthatmanagesthevalidityofkeys,whichisacomplexanddifficultproblem.Toavoidthepracticaldifficultiesofkeyvalidation,IBEsystemstypicallyuseshort-livedkeys.SoifanIBEkeyisvalidforonlyoneday,thenweassumethatitisvalidforthatentireday,andthereisnoprovisionforrevokingorsuspendingakeyduringthatperiod.Thismaynotprovidethesamelevelof 10IntroductiontoIdentity-BasedEncryptionprecisionastheabilitytoimmediatelyrevokeorsuspendakey,butitmakesthevalidationofsuchkeystrivial.This,inturn,letsusbuildsimplerandlessexpensivesystems.Theabilitytoquicklyandeasilycalculatekeysmakesshort-livedkeysinIBEpractical,wheretheyareoftenimpractical,althoughnotimpossible,touseinasystembasedontraditionalPKItechnology.Keyrecovery,thecapabilitytorestorealostorotherwise-unavailablekey,isanessentialfeatureforcommerciallysuccessfulencryptiontechnology.Inpractice,mostkeyrecoveryisapparentlyperformedwhenpasswordsprotectingaccesstokeysarelostorforgotten[5]insteadofthescenarioinwhichtheownerofakeyisnotpresent,yetthereisanimmediateneedforinformationencryptedwithhiskey.Intraditionalpublic-keysystems,keyrecoveryistypicallyimplementedthroughhavingaTTPgeneratekeysonbehalfofauserandsecurelyarchivingacopyoftheuser’sprivatekeythatcanbeusedforkeyrecoveryasneeded.Suchkeyrecoverysystemsrequiresecurelystoringarchivalcopiesofallprivatekeysandcarefullycontrollingaccesstothearchiveofthesekeys.IBEsystems,ontheotherhand,calculatekeysasneeded,sothereisnoneedforarchivingkeysatall.Theonlyinformationthatneedstobebacked-upisthemastersecretthatisusedbythePKGtocalculateIBEprivatekeys.ThissimplerprocessmakesIBEsystemssimplerandeasierinmanyapplicationsthantraditionalpublic-keytechnologies,andcanmakethecostofsupportingandmaintaininganIBEsystemmuchlessthanthecostofsupportingandmaintainingasystemwiththesamecapabilitiesthatisbasedontraditionalpublic-keytechnology.ItalsoprovidesIBEsystemswithsomecapabilitiesthatcanbefairlydifficulttoimplementwithtraditionalpublic-keytechnologies.TheabilitytocalculatepublicandprivatekeysasneededisasubtledifferencebetweenIBEandtraditionalpublic-keytechnologies,butonethatprovidesmanyusefulproperties.Inparticular,itisnotnecessarytoenrollauserbeforeencryptinginformationtothem.Therefore,itiseasytoIBE-encryptinformationtoauserthatdoesnotexistyetandrelyonthefutureusertoproperlyauthenticatebeforehecandecrypttheinformation.Ifavalidityperiodispartofanidentity,itispossibletoencryptinformationthatcanonlybedecryptedatsomepointinthefuture,forexample.Or,inaresponsetoanaturaldisaster,respondersmaywanttosecurelycommunicatewithotherresponders,buttheymaynotknowwithwhomtheywillneedtocommunicatebeforeadisasterhappens.Becauseitisimpracticaltopre-enrolleverypotentialrespondertoeverytypeofdisaster,atechnologythatallowsencryptinginforma-tiontousersbeforetheyareenrolledcanbeusefulincircumstanceslikethis.IBEprovidesausefulwaytoaccomplishthis.E-mailmessaginghasbecomefairlydangerous.Thee-mailmessagesreceivedbyatypicaluserincludeannoyingunsolicitedcommerciale-mail,butalsoincludecomputervirusesaswellasmessagesthatarepartoforganized Introduction11effortstoacquiresensitivepersonalinformation,bankaccountnumbersorcreditcardnumbers.Tocombatthisgrowingthreat,manyorganizationsimplementfilteringonbothincomingandoutgoinge-mailmessagestoprotectusersfromsuchmaliciousmessages.Organizationsmayalsowanttosearchoutgoingmes-sagesforsensitiveinformationandprocessitinsomewaythatensuresthatnosensitivematerialissentunencryptedoverapublicnetwork.Someorganizationsreturntheoriginalmessagetothesenderwithawarningtoencryptsuchsensitivecontentinthefuture.Otherswanttoautomaticallyencryptsuchmessages.UsingIBE,itisnotdifficulttoscanevenencryptedmessagesforunsuitablecontent.DelegatetheauthoritytoretrieveIBEprivatekeystoascanningprocess,andthescanningprocesscanthenrequestIBEkeysonbehalfoftheowneroftheprivatekey,scanthedecryptedmessageforunsuitablecontent,andreencryptthemessageafteritisscannedbyusingtherecipient’sIBEpublickeythatitcaneasilycalculate.ThisisshownbelowinFigure1.5.Itispossibletoimplementasimilarsolutionusingtraditionalpublic-keytechnologies,butitistypicallymuchmorecomplexanddifficulttoimplement.PrivatekeygeneratorScanningEncryptedapplianceReencryptedmessagemessageDecryptedmessageFigure1.5ScanningthecontentofIBE-encryptede-mail. 12IntroductiontoIdentity-BasedEncryptionExistinginformationsecurityarchitecturesfocusoncreatingandmain-tainingasecurityperimeter.Insidetheperimeteritissupposedtoberelativelysecure,andtheperimeterisdesignedtokeepthreatsawayfromtheprotectednetwork.Trendsinboththeorganizationofbusinessesandtheevolutionoftechnologyhavemadethismodelmoreandmoredifficulttoimplement.Onetrendintheorganizationofbusinessesisthecontinuingintegrationofbusinesspartnerstohelpalloftheparticipantsgainfromthelowercostsoftightlyintegratedoperations.Inthecaseofcreditcardprocessing,forexample,thenetworksofthemerchantswhoacceptcreditcards,thebanksthatissuecreditcards,andthecreditcardcompaniesthemselvesarenowtightlyintegratedtomaketheprocessingofcreditcardtransactionsmoreefficient.Insituationslikethis,itcansometimesbedifficulttodetermineexactlywherethenetworkperimeteris,whichmakesitverydifficulttocreateandmaintainasecurityarchitecturethatreliesonastrongsecurityperimeter.Wirelessdevicesalsobroadcastdatawithoutregardforalogicalsecurityperimeter,andthusmakeitdifficulttoimplementsecuritythatisbasedonenforcingsuchaperimeterbecauseaneavesdroppercaneasilyinterceptwirelesstransmissionswithouthavingtophysicallyconnecttoanetwork.Situationsliketheseareleadingtoanalternativetoahighlysecureperimeter:asecurityarchitectureinwhichweprotectthedatathatresidesinthenetworkinsteadofthenetworkitself.Onewaytoimplementasecurityarchitectureinwhichweprotectdatainsteadofthenetworkisbyusingencryption,whereweencryptdatasothatonlytheauthorizeduserscandecryptit.IBEcanuseanyarbitrarydataforanidentity,includingstringsencodingroles.SoitispossibletouseIBEtoencryptsensitivemedicalrecordsusing‘‘doctor’’aspartofanidentity,forexample,andthentorequireuserstoprovethattheyareauthorizedtoaccesssuchdatawhentheyrequesttheIBEprivatekeyneededtodecryptit.Mostorganizationshavesomeexistingformofinfrastructureinplacetomanageidentities,evenifitisassimpleastheusername/passwordcombinationsneededtologintotheirnetwork.Morecomplexsystemsexistthatmanagemoregeneralformsofidentity,andthesesystemsprovideacommonwaytomanagemanydifferentformsofidentityinformation.SuchsystemsprovideaninterestingpossibilityforusewithIBE,inwhichmanydifferentsourcesofidentityinformationcouldbecombinedandusedtocalculateIBEkeysthatcouldthenenforceaccesstosensitiveinformationinwaysthatcorrespondtothepermissionsthatdifferentcombinationsofidentitiesmightgive.Justlikeane-mailmessagecanbeencryptedtomultiplerecipients,anyofwhichcandecryptit,wecanuseIBEtoencryptsensitiveinformationthatcouldbedecryptedbysomeonesatisfyinganyoneofseveralpossiblecombinationsofexistingidentityinformation.Astrendsinbothbusinessandtechnologymakeprotectingdatawithencryptionmoreandmoreinteresting,thepropertiesof Introduction13IBEmaymakeitparticularlyusefultosolvetheproblemsthatthisdifferentmodelofsecuritywillpresent.SoitappearsthatthepropertiesofIBEgivesystemsthatusethetechnologyinterestingpropertiesandallowforthecreationofsolutionsthatmaybeeasiertouseandlessexpensivetosupportthansolutionsprovidedbytraditionalpublic-keytechnologies.Ontheotherhand,IBEonlyprovidesthecapabilitytoencryptanddoesnotallowthecreationofdigitalsignatures.ThismeansthatacompleteinformationsecuritysolutionusingIBE,onethatprovidesconfidentiality,integrity,availability,authentication,andnonrepudiation,mayneedtobeahybridsolutionthatusesbothIBEandtraditionalpublic-keytechnologiestoprovideasolutionthattakesadvantageofthestrengthsofeachofthetechnologies.Suchsolutionsmayeventuallyreducethecostofusingencryptiontothepointwhereitwillbeusedonawidescale,violatingGeer’sprinciplethatanyuseofencryptionmustbeexpensive.ThepromiseofsuchsolutionsiswhatmotivatedtheexistingcommercialapplicationsofIBEandwillprobablyalsomotivatefutureapplicationsofthetechnology.References[1]Shamir,A.,‘‘Identity-BasedCryptosystemsandSignatureSchemes,’’ProceedingsofCRYPTO’84,SantaBarbara,CA,August19–22,1984,pp.47–53.[2]Whitten,A.,andJ.Tygar,‘‘WhyJohnnyCan’tEncrypt:AUsabilityEvaluationofPGP5.0,’’Proceedingsofthe8thUSENIXSecuritySymposium,Washington,D.C.,August23–26,1999,pp.169–184.[3]Sheng,S.,etal.,‘‘WhyJohnnyStillCan’tEncrypt:EvaluatingtheUsabilityofEmailEncryptionSoftware,’’Proceedingsofthe2006SymposiumonUsablePrivacyandSecurity,Pittsburgh,PA,July12–14,2006.[4]Geer,D.,‘‘RiskManagementIsWheretheMoneyIs,’’RisksDigest,Vol.20,No.6,1998,pp.1–9.[5]Nielsen,R.,‘‘ObservationsfromtheDeploymentofaLargeScalePKI,’’Proceedingsofthe4thAnnualPKIR&DWorkshop,Gaithersburg,MD,August19–21,2005,pp.159–165. 2BasicMathematicalConceptsandPropertiesThischaptercontainsareviewofallofthenecessarydefinitionsneededinthefollowingchaptersinwhichwediscussIBEalgorithms.Italsoprovidesalistofthenotationthatwewilluseinthefollowingchaptersandstateswithoutanyproofsvariousfactsthatwillbecitedinfollowingchapters.Proofsofthefactslistedinthischaptermaybefoundin[1,2].2.1ConceptsfromNumberTheoryNumbertheoryconcernsthepropertiesoftheintegersandtheirgeneralizations,andprovidesafoundationfortheotherconceptsthatfollowinlatersections.Thesetofnaturalnumbers{1,2,3,...}isdenotedbythesymbol�.Thesetofintegers{...,−3,−2,−1,0,1,2,3,...}isdenotedbythesymbol�.Thesetofrealnumbersisdenotedbythesymbol�.Thesetofcomplexnumbersisdenotedbythesymbol�.Elementsof�2canbewrittenasa+bi,whereaandbarerealnumbersandi=−1.DefinitionIfaandbareintegers,thenadividesboraisadivisorofbifthereexistsanintegercsuchthatb=ac.Inthiscasewewritea|bandwesaythataisafactorofb.Example2.1(i)Notethat1,001=7�11�13,sothat7|1,001and7isafactorof1,001.15 16IntroductiontoIdentity-BasedEncryption(iii)Wecanalsowrite1,001=(−7)�(−11)�13,so−7and−11arealsofactorsof1,001.Definition2.1Anintegerp≥2isaprimeifitsonlypositivedivisorsare1andp.Definition2.2abAprimepisaSolinasprimeifwecanwritep=2±2±1forsomepositiveintegersaandb.SuchprimesareusefulintheefficientimplementationofmanyIBEalgorithms,inwhichweneedtoperformadouble-and-additerationonthebinaryexpansionofaprime.IfweuseaSolinasprimeinsuchalgorithms,abthelowdensityofaSolinasprimeoftheformp=2+2+1willclearlyminimizethenumberofoperationsneededtoimplementsuchaniteration.Thecaseswherep=2a±2b±1canbesimilarlyimplementedveryefficientlybyrepresentingpinnonadjacentform[3].InthefollowingwewillalwaysabassumethataSolinasprimeisoftheformp=2+2+1.Example2.253(i)Theprime41=2+2+1isaSolinasprime.52(ii)Theprime29=2−2+1isaSolinasprime.Definition2.3LetF={p1,p2,...,pn}beasetofprimes.WesayanintegernisF-smoothisalloftheprimefactorsofnareelementsofF.Definition2.4Anonnegativeintegerdisthegreatestcommondivisorofintegersaandbifdisthelargestpositiveintegerthatdividesbothaandb.Thisisdenotedbyd=gcd(a,b).Example2.3(i)Ifa=1,001=7�11�13andb=−286=−2�11�13,thengcd(a,b)=11�13=143.(ii)Ifa=11andb=13,thengcd(a,b)=1.2.1.1ComputingtheGCDThegreatestcommondivisorofintegersaandbcanbecomputedbythefollowingAlgorithm2.1,knownastheextendedEuclideanalgorithm.Inaddition BasicMathematicalConceptsandProperties17togcd(a,b),thisalgorithmalsoreturnsintegersxandysuchthatgcd(a,b)=ax+by.Algorithm2.1:extended_gcdINPUT:integersa,bwitha≥bOUTPUT:gcd(a,b),integersxandysuchthatgcd(a,b)=ax+by1.Ifb=02.d←a,x←1,y←0,return(d,x,y)3.x1←0,x2←1,y1←1,y2←04.Whileb>05.q←a/b,r←a−qb,x←x2−qx1,y←y2−qy16.a←b,b←r,x2←x1,x1←x,y2←y1,y1←y7.d←a,x←x2,y←y2,return(d,x,y)Definition2.5Forintegersaandb,ifgcd(a,b)thenwesaythataandbarerelativelyprime.Example2.4(i)Ifa=1,001andb=286,thengcd(a,b)=77,soaandbarenotrelativelyprime.(ii)Ifa=11andb=13,thengcd(a,b)=1,soaandbarerelativelyprime.Definition2.6Ifa,b,andnareintegers,thenwesaythataiscongruenttobmodulonifndivides(b−a)andwewritea≡b(modn).Example2.5(i)7≡3(mod4)because4|(7−3).(ii)11≡3(mod4)because4|(11−3).(iii)−7≡2(mod3)because3|(−7−2).(iv)7≡11(mod4)because4|(7−11).Property2.1(ChineseRemainderTheorem)Letn1n2...nkbeintegersthatarepairwiserelativelyprime,thatis,gcd(ni,nj)=1wheni≠j.Thenthefollowingsystemofcongruenceshasauniquesolutionmodulotheproductn=n1n2...nk: 18IntroductiontoIdentity-BasedEncryptionx≡a1(modn1)x≡a2(modn2)�x≡ak(modnk)Property2.2(Gauss’Algorithm)ThesolutiontothesystemofcongruencesgiveninProperty2.1canbecomputedaskx=∑aiNiMimodn(2.1)i=1wherenNi=niandM−1i=NimodniGauss’algorithmcanbewritteninaslightlydifferentwaythatmakesiteasiertounderstand.Inparticular,notethatwecanalsowrite(2.1)askx=∑ai�eimodni=1whereeacheihasthepropertythat1(modni)ei≡�0(modnj),j≠iSowecanthinkofGauss’algorithmasbeingessentiallyanintegerversionofLagrangeinterpolation,wherewefitapolynomialtokpointsbycreatingasimilarsetofcoefficientsthatareeither0or1andthusforcethedesiredbehavioratthegivenpoints.Example2.6Considerthefollowingsystemofcongruences:x≡2(mod3)=a1(modn1)x≡3(mod4)=a2(modn2) BasicMathematicalConceptsandProperties19ApplyingGauss’algorithm,wefindthatn=n1n2=3�4=12n12N1===4n13n12N2===3n24M−1−1mod3=11=N1modn1=4M−1−1mod4=32=N2modn2=3sothatx=(a1N1M1+a2N2M2)mod12=(2�4�1+3�3�3)mod12=(2�4+3�9)mod12=(8+27)mod12=35mod12=11mod12InthisexamplewecanalsothinkofGauss’algorithmasfindingintegerse1ande2suchthatwehavex=(2�e1+3�e2)mod12Gauss’algorithmthenfindse1=4ande2=9,wherewehave1(mod3)e1=4≡�0(mod4)and0(mod3)e2=9≡�1(mod4)Definition2.7Forapositiveintegern,�(n)denotesthenumberofintegerslessthannthatarerelativelyprimeton.ThisfunctioniscalledEuler’sphifunction. 20IntroductiontoIdentity-BasedEncryptionProperty2.3Ifmandnarerelativelyprimethen�(mn)=�(m)�(n).Example2.7(i)�(7)=6becauseeachoftheintegers1,2,3,4,5,and6arerelativelyprimeto7.(ii)�(p)=p−1foranyprimepbecause1,2,3,...,p−1areallrelativelyprimetop.(iii)�(77)=�(7)�(11)=6�10=60.Property2.4(Fermat’sLittleTheorem)Letpbeaprimeandabeanyinteger.Thenwehavethatpa≡a(modp)Ifaisrelativelyprimetop,thenwealsohavethatp−1a≡1(modp)Example2.8p5(i)Forp=5anda=2,wehavethata=2=32≡2(mod5).p−14(ii)Forp=5anda=2,wehavethata2=16≡1(mod5).p5(iii)Forp=5anda=10,wehavethata=10=100,000≡0(mod5)≡10(mod5).p−14(iv)Forp=5anda=10,wehavethata2=10,000≡0(mod5)≡/1(mod5).Property2.5(Euler’stheorem)Letnbeanintegerandabeanintegerrelativelyprimeton.Thenwehavethata�(n)≡1(modn)Example2.98(i)Withn=3�5=15,wehave�(n)=8andthat2=256≡1(mod15). BasicMathematicalConceptsandProperties2124(ii)Withn=5�7,wehavethat�(n)=24andthat5≡1(mod35).120(iii)Withn=11�13=143,wehavethat�(n)=120andthat11≡1(mod143).Definition2.8Weuse�ntodenotethesetofintegers{0,1,...,n−1}.Wecanperformarithmeticonelementsof�nbyreducingasumorproducttotheremainderthatisleftafterdividingbyn,whichwecallreducingmodulon.In�nwehavea+b=cwhen(a+b)≡c(modn).Eventhoughwedefine�ntoonlyincludetheintegersfrom0throughn−1,itisoftenconvenienttothinkofn−1asbeing−1,eventhough−1isnotreallyanelementof�n.Example2.10(i)In�12wehavethat9+6=3,or9+6≡3(mod12).(ii)In�9wehavethat3�3=0,or3�3≡0(mod9).AsTable2.1shows,noteveryelementof�5hasasquarerootin�5.Inparticular,0,1,and4havesquarerootsin�5while2and3donot.Thismotivatesthefollowingdefinitions.Definition2.9Anonzeroelementa∈�niscalledaquadraticresiduemodulonifthereexists2somex∈�nwithx≡a(modn).Ifnosuchxexists,wesaythataisaquadraticnonresiduemodulon.Example2.11(i)FromTable2.1weseethat0,1,and4arequadraticresiduesmodulo5.(ii)FromTable2.1weseethat2and3arequadraticnonresiduesmodulo5.Table2.1Multiplicationin�5*01234000000101234202413303142404321 22IntroductiontoIdentity-BasedEncryptionLegendresymbolsareanotationthatindicateswhetherornotanintegerisaquadraticresidue.Definition2.10aLetpbeanoddprimeandaaninteger.ThentheLegendresymbol�p�isdefinedtobe(i)0ifpdividesa.(ii)+1ifaisaquadraticresiduemodulop.(iii)−1ifaisaquadraticnonresiduemodulop.Property2.6Letaandbbeintegersandpandqbeoddprimes.ThenLegendresymbolshavethefollowingproperties:a(p−1)/2(i)�p�≡a(modp)abab(ii)�p�=�p��p�ab(iii)Ifa≡b(modp)then�p�=�p�2(p2−1)/8(iv)�p�=(−1)pq(p−1)(q−1)/4(v)�q�=�p�(−1)Property2.6(i)tellsusthat−1isaquadraticresiduemodulopifp≡1(mod4)andthat−1isaquadraticnonresiduemodulopifp≡3(mod4).If−1isaquadraticnonresiduemodulop,thenwehavethat−aa−1�a�n�=�n��n=−�n�sothateitheraisaquadraticresidueor−aisaquadraticresidue.Inparticular,thisistruewhenp≡3(mod4).Property2.6(v)tellsusthat�p�qq=�p�unlessbothpandqarecongruentto3modulo4,inwhichcasewehavethat BasicMathematicalConceptsandProperties23�p�qq=−�p�Example2.126(i)�3�=0because3divides63(7−1)/23(ii)�7�=3=3=27≡−1(mod7)(iii)Because3and7arebothcongruentto3modulo4,wehavethat�7�33=−�7�=+1WecangeneralizethedefinitionofLegendresymbolstogetJacobisymbols,whicharedefinedforcompositedenominatorsasfollows.Definition2.11Letabeanintegerandnbeapositiveoddintegerwithkn=�pai=pa1pa2...paki12ki=1ThentheJacobisymbol�a�nisdefinedtobekaia1a2akaaaaa�n�=��p�=�p��p�...�p�i=1i12kwhereeachofthefactorsai�a�piisaLegendresymbolasdefinedinDefinition2.10.Property2.7Leta,bbeintegersandn≥3andm≥3beoddintegers.ThenJacobisymbolshavethefollowingproperties. 24IntroductiontoIdentity-BasedEncryptiona(i)�n�canbeeither0,+1or−1a(ii)�n�=0ifgcd(a,n)≠1abab(iii)�n�=�n��n�aaa(iv)�mn�=�m��n�ab(v)Ifa≡b(modn),then�n�=�n�1(vi)�n�=+1−1(n−1)/2(vii)�n�=(−1)2(n2−1)/8(viii)�n�=(−1)mn(m−1)(n−1)/4(ix)�n�=�m�(−1)Example2.1315(i)�21�=0becausegcd(15,21)≠12(112−1)/815(ii)�11�=(−1)=(−1)=−1711(11−1)(7−1)/4111511(iii)�11�=�7�(−1)=�7�(−1)=−�7�Property2.8Ifpandqanddistinctoddprimesandn=pq,thena∈�n*isaquadraticresiduemodulonifandonlyifaisaquadraticresiduemodulopandaisaquadraticresiduemodulop.2.1.2ComputingJacobiSymbolskSupposethatnisanoddintegerandwecanwritea=2bwherebisanoddinteger.Thenwehavethat BasicMathematicalConceptsandProperties25kkk�a�2b2b2bn=�n�=�n��n�=�n��n�k2n(b−1)(n−1)/4=�n��b�(−1)k2nmodb(b−1)(n−1)/4=�n��b�(−1)ThisgivesusthefollowingalgorithmforcomputingJacobisymbols.Notethatitisnotnecessarytoknowthefactorizationofntodothis.Algorithm2.2:JacobiSymbolINPUT:oddintegern≥3,integerawith0≤a0haveonecomponent,asshowninFigure3.5,whichcorrespondstotwooftherootsofthecubicin(3.2)havingnonzeroimaginarypartsothattheydonotappearonthex-axisofagraphofthecurve.Definition3.3Anellipticcurveforwhichthediscriminant�=0iscalledsingular.Anellipticcurveforwhichthediscriminant�≠0iscallednonsingular.Notethatanellipticcurvemaybenonsingularoveronefieldandsingularoveranother.Notethatthisdefinitionofthediscriminantisalwaysevensoitisalwayszeroinafieldofcharacteristic2.Inthiscase,theWeierstrassnormalformneedstobereplacedwithadifferentformforwhichthediscriminantisnotalwayszero.Example3.1(i)Theellipticcurvey23=x+x+1isnonsingularovertherealnum-bersbecauseithasdiscriminant�=−16(31)=−496. PropertiesofEllipticCurves47Figure3.5Graphoftheellipticcurvey2=x3−3x+3forwhich�>0.(ii)Theellipticcurvey23=x+x+1issingularoverafieldofchar-acteristic31becauseithasdiscriminant�=−16(31)sothat�≡0(mod31).GraphsofsingularellipticcurvesovertherealnumbersareshowninFigures3.6and3.7.Figure3.6showsanellipticcurveforwhichthecubichastworepeatedroots.Thistypeofellipticcurveissaidtohaveacuspattherepeatedroot.Figure3.7showsanellipticcurveforwhichthecubichasthreerepeatedroots.Thistypeofellipticcurveissaidtohaveanodeattherepeatedroot.Manydiscussionsofellipticcurvesrestrictthemeaningofthetermtoonlynonsingularcurves,aconventionthatwewillalsofollowhereafter.WewillseeinaChapter5thatcryptographicalgorithmsusingarithmeticonsingularellipticcurvesareextremelyweakcomparedtothoseusingarithmeticonnonsingularcurves.3.2AddingPointsonEllipticCurvesWecandefineageometricwaytoaddpointsonanellipticcurvethatisbasedon(3.1).Wedothisinthefollowingsteps.ToaddpointsP1andP2,construct 48IntroductiontoIdentity-BasedEncryptionFigure3.6Graphofthesingularellipticcurvey2=x3,anexampleofacusp.thelinethroughP1andP2andfindthethirdpointwhereitintersectstheellipticcurve.Toaddapointtoitself,usethelinetangenttothecurvethroughthepointinstead.Reflectthisthirdpointacrossthex-axistogetthesumofthepointsP1+P2.ThesestepsareshowninFigure3.8fortheellipticcurve23y=x+1.InFigure3.5,thelineurepresentsthelinethroughP1,P2and−(P1+P2)andvrepresentstheverticallinethrough−(P1+P2)andP1+P2,andthesamelinesuandvwillbeimportantinconstructingtheTatepairingthatwediscussinChapter4.Wealsoconsiderthepointatinfinitytobeonanellipticcurve,andwritethisspecialpointasO,andwehavethatP+O=Pforanypointonanellipticcurve,sothatthepointatinfinityactsmuchlikethenumber0doesintherealnumbers.Ifwehavetwopointsonanellipticcurve,P1=(x1,y1)andP2=(x2,y2),wecanwritethesumofthepointsP1+P2=P3=(x3,y3).TherearetwowaystofindP3:oneifP1≠P2andanotherifP1=P2.IfP1≠P2thenwecanfindtheslopeofthelinethroughP1andP2asy2−y1m=(3.3)x2−x1 PropertiesofEllipticCurves49Figure3.7Graphofthesingularellipticcurvey2=x3−3x+2,anexampleofanode.IfP1=P2thenwecanfindtheslopeofthelinethroughP1from23x1+am=(3.4)2y1Notethat(3.3)showswhywerestrictedanellipticcurvetobeingdefinedoverfieldswithcharacteristicotherthan2or3.Ineitherofthesetwocases,acharacteristicofeither2or3makestheexpression(3.3)inadequatewheremultiplyingby2or3isequivalenttomultiplyingby0,soalternateformsforellipticcurvesareneededotherthantheWeierstrassnormalform.IfwewritethelinethroughP1andP2asy=mx+�,thenthislineintersectstheellipticcurvewhen23(mx+�)=x+ax+borthat32x+ax+b−(mx+�)=0 50IntroductiontoIdentity-BasedEncryption−()P+P12uP2vP1P+P12Figure3.8Additionofpointsonanellipticcurve.or222x3−mx+(a−2m�)x+(b−�)=0Recallthatforamonicpolynomialordegreenthesumofitsrootsofn−1thepolynomialisthenegativeofthecoefficientofthexterm.Inthiscase,2thesumoftherootsmustbem,sothat2x1+x2+x3=morthat2x3=m−x1−x2(3.5)Becausethepoint(x3,−y3)isontheliney=mx+�wehave−y3=mx3+�=mx3+(y1−mx1)=m(x3−x1)+y1 PropertiesofEllipticCurves51sothaty3=m(x1−x3)−y1(3.6)Example3.2(i)ThepointsP1=(−1,0)=(x1,y1)andP2=(0,1)=(x2,y2)areon23theellipticcurvey=x+1overtherealnumbers.InthiscasewecanfindP3=(x3,y3)=P1+P2byfindingy2−y11−0m===1x2−x11−(−1)sothat22x3=m−x1−x2=1−(−1)−0=2andy3=m(x1−x3)−y1=1(−1−2)=0=−3sothatP3=(2,−3).(ii)ThepointsP1=(0,1)=(x1,y1)andP2=(2,8)=(x2,y2)areon23theellipticcurvey+x+1over�11.InthiscasewecanfindP3=(x3,y3)=P1+P2byfindingy2−y18−17−1m====7�2=7�6=56≡1(mod11)x2−x12−02sothat22x3=m−x1−x2=1−0−2≡10(mod11)andy3=m(x1−x3)−y1=1(0−10)≡0(mod11)sothatP3=(10,0). 52IntroductiontoIdentity-BasedEncryption(iii)LetP1=(x,y1)andP2=(x,y2)bepointsonanyellipticcurve.Becausethex-coordinatesofthesetwopointsareidentical,theirsumwillalwaysbeO,thepointatinfinity,sothatP1+P2=O.3.2.1AlgorithmforEllipticCurvePointAdditionThefollowingalgorithmdescribestheprocessforaddingpointsonanellipticcurve.Algorithm3.1:INPUT:P1=(x1,y1),P2=(x2,y2),pointsonanellipticcurve23y=x+ax+bOUTPUT:P3=P1+P31.Ifx1=x2returnO2.IfP1=P2then3.Ify1=0returnO23x1+a4.Elsem←2y1y2−y15.Elsem←x2−x126.x3←m−x1−x27.y3←m(x1−x3)−y18.ReturnP3=(x3,y3)Example3.3Wefindthatwehavethefollowingsixpointsonthecurve23E/�5:y=x+1(seeTable3.1).Table3.1PointsontheCurveE/�:y2=x3+15Point(x,y)Pˆ1(0,1)Pˆ2(0,4)Pˆ3(2,2)Pˆ4(2,3)Pˆ5(4,0) PropertiesofEllipticCurves53Table3.2AdditionofPointsontheCurvey2=x3+1over�5+OPˆ1Pˆ2Pˆ3Pˆ4Pˆ5OOPˆ1Pˆ2Pˆ3Pˆ4Pˆ5Pˆ1Pˆ1Pˆ2OPˆ4Pˆ5Pˆ3Pˆ2Pˆ2OPˆ1Pˆ5Pˆ3Pˆ4Pˆ3Pˆ3Pˆ4Pˆ5Pˆ2OPˆ1Pˆ4Pˆ4Pˆ5Pˆ3OPˆ1Pˆ2Pˆ5Pˆ5Pˆ3Pˆ4Pˆ1Pˆ2OandthataddingpointsonthecurveobeystherulesinTable3.2.3.2.2ProjectiveCoordinatesDealingwithO,thepointatinfinityonanellipticcurvecanbetroublesomeusingaffinecoordinates,theusual(x,y)coordinatesthatweusetodefinetheWeierstrassnormalformofanellipticcurve.Oneeasywaytohandlethispointisthroughtheuseofprojectivecoordinates.Projectivecoordinatesencodeapoint(x,y)withtwocoordinatesinthreecoordinates(x,y,z)where(x,y,z)representsanypointoftheform(x/z,y/z).Suchprojectivecoordinatesarecalledstandardprojectivecoordinates.Inparticular,wecanrepresentapointonanellipticcurveP=(x,y)as(x,y,1)andthepointatinfinitycanberepresentedby(0,1,0).Wecanalsoeasilyconvertfromprojectivecoordinates(x,y,z)wherez≠0intoaffinecoordinates(x/z,y/z).Inadditiontobeinganeasywaytohandlethepointatinfinity,projectivecoordinatesareoftenusefulinperformingcomputationsonellipticcurvesbecauseitispossibletoaddtwopointsonanellipticcurveusingprojectivecoordinateswithoutperforminganydivisions,whicharetypicallyveryexpensivecomputationallyinfinitefields.Finally,becausemanydifferentvaluesofzcanbeusedtorepresentthesameaffinepoint(x,y),soitispossibletouserandomvaluesofztoencodesuchpoints,thiswillprovideanadditionallevelofprotectionagainstside-channelattacks,attacksonanimplementationofacryptographicalgorithmthatseektofindinformationaboutthecryptographickeybeingusedthroughphysicalmeasurementsofanoperatingdeviceanditsenvironment.Incryptographicapplicationswherewemaywanttoperformoperationsin�qforfairlylargevaluesofq,determiningtheinverseofanelementof�qcanbefairlyexpensiverelativetomultiplicationsin�q,andusingprojectivecoordinateswilloftenprovideaperformanceadvantageoverusingaffinecoordi-nates.Notethatthereareotherformsofprojectivecoordinatesthatmayalsobeusefulforellipticcurvearithmetic.Theseformsofprojectivecoordinates 54IntroductiontoIdentity-BasedEncryptionrequiredifferentproceduresforaddingpointsthanthetechniquepresented2below.Inparticular,Jacobianprojectivecoordinatesencodeanaffinepoint(x/z,3y/z)astheprojectivepoint(x,y,z),andChudnovskyprojectivecoordinates2323encodeanaffinepoint(x/z,y/z)astheprojectivepoint(x,y,z,z,z)[4].Eachtypeofprojectivecoordinatesrequiresadifferentnumberoffieldoperationstoaddordoublepoints,whichissummarizedinTable3.3.Thechoiceofthemostefficientprojectivecoordinatesystemwilldependontheapplication.Ifonlypointadditionsneedtobeperformed,itismoreefficienttousestandardprojectivecoordinates.Ifonlypointdoublingsneedtobeperformed,itismoreefficienttouseChudnovskyprojectivecoordinates.Inmostcases,itismoreefficienttouseJacobianprojectivecoordinates.Pointdoublingoperationscanbefurtheroptimizedifthecoefficienta=−3intheWeierstrassnormalformofanellipticcurve.3.2.3AddingPointsinJacobianProjectiveCoordinatesIfwehavepointsinJacobiancoordinatesP1=(x1,y1,z1)andP2=(x2,y2,z2)andwanttofindP3=(x3,y3,z3)=P1+P2,thenwecanconverttotheprojectivepointtoaffinecoordinateswhere�x23�andQ�x23�,findthesumQQ1=1/z1,y1/z12=2/z2,y2/z23=�x23�=Q3/z3,y3/z31+Q2using(3.3),(3.5),and(3.6),andthenconvertQ3totheprojectiveP3.Thisissummarizedinthefollowingalgorithm.Notethatthisalgorithmisindependentofthecoefficientsaandbintheellipticcurvey2=x3+ax+b.Algorithm3.2:JacobianAddINPUT:P1=(x1,y1,z1),P2=(x2,y2,z2)onanellipticcurve23y=x+ax+boverafieldF.AlloperationsareperformedinthefieldFandthepointatinfinityisrepresentedas(0,1,0).OUTPUT:P3=(x3,y3,z3)=P1+P2Table3.3FieldOperationsNeededtoImplementEllipticCurveOperationsinDifferentCoordinateSystemsWherenFieldMultiplicationsandmFieldSquaringsIsIndicatedbytheNotationnX+mSandIIndicatesThatanInversionIsAlsoRequiredCoordinateSystemPointAdditionPointDoublingJacobian12M+4S4M+6SStandard12M+2S7M+5SChudnovsky11M+3S5M+6SAffineI+2M+2SI+2M+1S PropertiesofEllipticCurves5521.u1←x1�z222.u2←x2�z133.s1←y1�z234.s2←y2�z15.Ifu1=u26.Ifs1≠s27.Return(0,1,0)8.Else9.ReturnJacobianDouble(x1,y1,z1)10.h←u2−u111.r←s2−s123212.x3←r−h−2�u1�h2313.y3←r�(u1�h−x3)−s1�h14.z3←h�z1�z215.Return(x3,y3,z3)3.2.4DoublingaPointinJacobianProjectiveCoordinatesIfwehaveapointinJacobiancoordinatesP1=(x1,y1,z1)andwanttofindP2=(x2,y2,z2)=P1+P1=2P1,thenwecanconverttotheprojectivepoint�x23�findthesumtoaffinecoordinateswhereQ1=1/z1,y1/z1�x23�=QQ2=2/z2,y2/z21+Q1=2Q1using(3.3),(3.5),and(3.6),andthenconvertQ2totheprojectiveP2.Thisissummarizedinthefollowingalgorithm.Algorithm3.3:JacobianDouble23INPUT:P1=(x1,y1,z1),onanellipticcurvey=x+ax+boverafieldF.AlloperationsareperformedinthefieldF.OUTPUT:P2=(x2,y2,z2)=P1+P11.Ify1=02.Return(0,1,0)23.s←4�x1�y1244.m←3�x1+a�z125.x2←m−2�s46.y2←m�(s−x2)−8�y17.z2←2�y1�z18.Return(x2,y2,z2)3.3AlgebraicStructureofEllipticCurvesPointsonanellipticcurveprovideastructurethatwecandefineintheterminol-ogyofabstractalgebra. 56IntroductiontoIdentity-BasedEncryptionDefinition3.4IfEisanellipticcurveoverafieldFthenwewriteE(F)toindicatethesetofpointsonEalongwiththeoperationofaddingpointsdescribedinAlgorithm3.1.Property3.2IfFisafieldandEisanellipticcurvethenE(F)isagroup.Thepointatinfinityactsastheidentityelementforthisgroup.NotethatthereisonlyoneoperationdefinedforE(F),whichwearethinkingofasaddition,soitisimpossibletomultiplyordivideelementsofE(F).Thus,E(F)cannotbeafield,whichrequirestwooperationsthatwethinkofasbeingadditionandmultiplication.Definition3.5MultiplicationofapointPonanellipticcurvebyanintegernistheresultofaddingapointtoitselfntimes,sothatnP=P+P+...+P1442443ntimesDefinition3.6LetP∈E(F)forsomeellipticcurveE/F.WesaythattheorderofapointisnifnisthesmallestpositiveintegersuchthatnP=O.Definition3.7IfEisanellipticcurveoverafieldFandnisapositiveinteger,wewriteE(F)[n]forthesetofpointsoforderninE(F).IfthefieldFisclearfromthecontext,thiscanbeabbreviatedtoE[n].E(F)[n]isasubgroupofE(F).ThepointsinE(F)[n]arealsocalledthen-torsionpointsofthecurveE.Definition3.8Wewrite#E(F)toindicatetheorderofthegroupE(F),whichisthenumberofpointsonanellipticcurveEoverafieldF,includingthepointatinfinity,O.Determiningthevalueof#E(F)foranarbitraryellipticcurveisanontrivialproblem.Example3.423FromTable3.2weseethatfortheellipticcurvey=x+1wehavethat#E(�5)=6. PropertiesofEllipticCurves57Definition3.9IfEisanellipticcurveover�qandwehave#E(�q)=q+1−t,thentiscalledthetraceofFrobenius,orsimplythetrace.Weshouldexpecttohaveapproximatelyq+1pointsonanellipticcurve233E/�q.Theequationy=x+ax+bhasasolutionwhenx+ax+bisaquadraticresiduemoduloq,whichshouldhappenroughlyhalfthetime.Ineachofthesecases,wegetapairofsquareroots,soweshouldexpectarandomellipticcurvetohaveapproximatelyqfinitepointsplusthepointatinfinity,foratotalofq+1points.Hasse’stheoremtellsusthatanellipticcurveE/�qhastohaveapproximatelyq+1pointsonit,andthatthetracetellsusroughlyhowfarfromthisexpectedbehavioraparticularcurveis.Property3.3(Hasse’stheorem)ForanellipticcurveE/�q,thetraceofFrobeniussatisfiestheinequality|t|≤2√q.Thusthenumberofpointsonanellipticcurveover�qisapproxi-matelyq+1.Definition3.10IfEisanellipticcurveover�qandwehave#E(�q)=q,thenwesaythatEisanomalous.WewillseeinChapter5thatanomalouscurvesshouldbeavoidedforsomecryptographicapplications.Definition3.11Letpbethecharacteristicof�qandEbeanellipticcurveover�qandtbethetraceofE.IfpdividestthenwesaythattheellipticcurveEissupersingular.Acurvethatisnotsupersingularissaidtobeordinary.Notethattheconceptsofsingularandsupersingularareverydifferentandshouldnotbeconfused.Property3.42IfE:y=f(x)isanellipticcurveover�qthenEissupersingularexactlywhenp−1thecoefficientofxinp−12(f(x))iszero[2].Example3.5Aparticularellipticcurvecanbeeithersupersingularorordinary,dependingonwhatfielditisdefinedover.23(i)Ifpisaprimewithp≥5,thentheellipticcurvey=x+1overp−13(p−1)/2�pissupersingularwhenthecoefficientofxin(x+1) 58IntroductiontoIdentity-BasedEncryptioniszero.Ifp≡2(mod3)thenthiscoefficientiszeroandthecurveissupersingular.Whenp≡1(mod3),thenthiscoefficientisthebinomial(p−1)/2coefficient��whichisnonzero,sothecurveisordinary.(p−1)/323(ii)Ifpisaprimewithp>2,thentheellipticcurvey=x+xover�pp−13(p−1)/2issupersingularwhenthecoefficientofxin(x+x)iszero.Ifp≡3(mod4)thenthiscoefficientiszeroandthecurveissupersingular.Whenp≡1(mod4),thenthiscoefficientisthebinomial(p−1)/2coefficient��whichisnonzero,sothecurveisordinary.(p−1)/423(iii)Ifpisaprimewithp≡11(mod12),thenbothy=x+1and23y=x+xaresupersingularover�p.23(iv)Ifpisaprimewithp≡1(mod12),thenbothy=x+1and23y=x+xareordinaryover�p.Pointsonanellipticcurveformagroup,butweneedthestructureofafieldtoperformthecalculationsthatsomeIBEalgorithmsrequire.Todothis,wewanttoembedanellipticcurvegroupinafinitefield.Inmanycases,thiswillresultinafinitefieldthatistoolargetobepracticalforcomputations.Definition3.12LetE/�qbeanellipticcurveandnbeanintegersuchthatn|#E(�q).Ifkiskthesmallestpositiveintegersuchthatn|(q−1)thenkiscalledtheembeddingdegreeofEwithrespectton.Ifn=#E(�q)thenwecanabbreviatethistosayingthatkistheembeddingdegreeofE.IfkistheembeddingdegreeofE/�q,wecanthinkof�qkasbeinganextensionof�qinwhichE(�q)isasubgroupof�q*k.Thisgivesustheabilitytomultiplypoints,anoperationthatwecannotperforminanellipticcurvegroup,whereonlytheoperationofadditionisdefined.Example3.623LetE/�11betheellipticcurvey=x+1.Because#E(�11)=12divides211−1=120,wehavethattheembeddingdegreeofEisk=2.Theembeddingdegreeofmostellipticcurvegroupsisveryhigh.Thismeansthatitisimpracticaltodocalculationsintheextensionfield�qk,whereweneedtoperformoperationsonk-tuplesofcoordinates,eachofwhichisanelementof�q.Thefollowingpropertygivesanestimateforthechancesoftheembeddingdegreebeinglowenoughtomakecalculatingdiscretelogarithmsin�qkpossibleinpolynomialtime,whichhappenswiththeindexcalculus2algorithm[5]whenk≤(logq).Notethatthismaystillbefarfrombeingpracticaltoimplement. PropertiesofEllipticCurves59Property3.5(BalasubramanianandKoblitz)[6]LetqbearandomlychosenprimewithM/2≤q≤MandE/�qarandomlychosenellipticcurve.If#E(�q)=pforsomeprimep,thentheprobabilitythatp|(qk−1)forsomek≤(logq)2islessthan92c(logM)(loglogM)Mforsomeconstantc.Example3.7257(i)Ignoringtheconstantc,andusinga256-bitq(sothatM=2)anda256-bitp,whicharereasonableparametersforanIBEsystem,kwefindthattheprobabilityofhavingp|(q−1)forsomek≤2−56−185(logq)islessthanapproximately2×10,or2.2(ii)Anembeddingdegreek≤(logq)canstillbeveryimpractical.For2562q=2wehave(logq)=31,487,andperformingcalculationsinanextensionfieldofdegree31,487isalmostcertainlyimpractical.Thefollowingpropertymakessupersingularcurvesbothusefulaswellasgoodtoavoidincryptographicapplications,dependingonthewayinwhichthecurveisbeingused.ThiswillbediscussedindetailinChapter5.Asmallembeddingdegreemakessomeellipticcurvecryptographicalgorithmvulnerabletosomecryptanalyticattacks,anditisnecessarytoselectparametersofalgorithmsthatusesuchcurvescarefullytoavoidsuchweaknesses.Property3.6nIfE/�qisasupersingularcurvewithq=pandtracet,thenTable3.4liststhepossibleclassesofsupersingularcurves[7].Inparticular,anysupersingularTable3.4ClassificationofSupersingularCurvesClassTracetEmbeddingDegreekComments102E(Fq)≅�q+1202E(Fq)≅�(q+1)/2⊕�2andq≡3(mod4)3q3neven42q4p=2,nodd53q6p=3,nodd64q1neven 60IntroductiontoIdentity-BasedEncryptioncurvehasembeddingdegreek≤6,andforE/�qwithq>3wehavethattheonlythreepossiblecasesarek=1,k=2,andk=3.Definition3.1323IfE/FisanellipticcurveinWeierstrassnormalformy=x+ax+b,wesay23thatanellipticcurveE′/FinWeierstrassnormalformy=x+a′x+b′is46isomorphicoverFifthereexistsu∈F*witha′=uaandb′=ub.ThisdefinitionismotivatedbytheisomorphismoftheunderlyinglatticeinthecomplexplanethatisdefinedbytheintegermultipleofthetwoperiodsoftheWeierstrass℘function{�1,�2}.Suchalatticewithperiods{�1,�2}isisomorphictoanotherlatticeifbothperiodsdifferbythesameconstant,orthesecondlatticeisdefinedbyintegermultiplesofperiods{c��1,c��2}forsomec∈�.Isomorphicellipticcurvescomefromthe℘functiondefinedonsuchisomorphiclattices.ThediscriminantasdefinedinSection3.1.2onlytellsuswhenthecubicpartofanellipticcurvehasnorepeatedroots,andtherecanbemanynonisomorphicellipticcurveswiththesamediscriminant.Adifferentquantityisneededtodistinguishbetweenisomorphiccurves.Definition3.14Thej-invariantofanellipticcurveEinWeierstrassnormalformisgivenby83323aj(E)=324a+27bNotethatthej-invariantandthediscriminantarerelatedby12333−23a−1,728(4a)j(E)==��Property3.7TwoellipticcurvesthatareisomorphicoverFhavethesamej-invariantandellipticcurvesoverFwiththesamej-invariantareisomorphicoverthealgebraicclosureF.Example3.823(i)AnyellipticcurveEoftheformy=x+bhasj(E)=0.Suchcurvesaresometimesreferredtoas‘‘j=0’’curves.23(ii)AnyellipticcurveEoftheformy=x+axhasj(E)=1,728.Suchcurvesaresometimesreferredtoas‘‘j=1,728’’curves. PropertiesofEllipticCurves61(iii)Forj∈�q,j≠0,j≠1,728,letjk=1,728−j223ThenE/�q:y=x+3kcx+2kchasj-invariantjforc∈�q.Theobservationthatj-invariantdoesnotchangeunderthechangeof23variablesa→vaandb→vbleadstothefollowingdefinition.Definition3.1523LetE/�q:y=x+ax+bbeanellipticcurveandv∈�q*beaquadratic2323nonresiduein�q*.ThenE′/F:y=x+vax+vbiscalledthequadratictwistofE.Inthiscase,EisisomorphictoE′overanextensionofdegree2to�qbutnotover�qitself.Example3.92Over�5wehavethatv=2isaquadraticnonresiduesothatE′:y=323x+4x+3isthequadratictwistofE:y=x+x+1.3.3.1HigherDegreeTwistsForsomecurvesE/�qitispossibletocreatetwistsotherthanthequadratic234/dtwist.InthesecaseswehaveE′:y=x+a′x+b′wherea′=vaand6/db′=vb,andvisarootofdegreedbutnotarootoflessthandegreedoverF(soafourthrootisafourthrootbutnotasquareroot,forexample),whichwecancallatwistofdegreed.SuchtwistsareisomorphictoEover�qd,anextensionofdegreedto�q.Thepossibletwists,bothquadraticandofhigherdegree,aresummarizedinTables3.5and3.6.Ineachofthesecases,wemustalsohavethatq≡1(modd)forsuchatwisttoexist.WewillseeinChapter4thatmappings�d:E′→E,wheredisthedegreeofatwist,areusefulincreatingstructuresthatareusefulforimplementingTable3.5EllipticCurvesandTheirTwistsDegreeofTwistdFormofEFormofE′2y2=x3+ax+by2=x3+v2ax+v3b3y2=x3+by2=x3+vb4y2=x3+axy2=x3+vax6y2=x3+by2=x3+vb 62IntroductiontoIdentity-BasedEncryptionTable3.6PointsonTwistsofEllipticCurvesDegreeofTwistdTypicalPointonECorrespondingPointonE′2(x,y)(vx,v3/2y)3(x,y)(v1/3x,v1/2y)4(x,y)(v1/2x,v3/4y)6(x,y)(v1/3x,v1/2y)pairing-basedalgorithms.Changingtothispointofviewiseasy,andresultsinthemappingsshowninTable3.7.Notethatthesemappingsincreasethedimensionoftheiroutputbyafactorofd,sothatiftheinputsareelementsofsome�dthentheoutputsareelementsofsome�qd.Example3.1023(i)WehavethatE′/�11:y=x+10isthequadratictwistof23E/�11:y=x+1createdusingthequadraticnonresiduev=102sothati=v.Inthiscasewehavethatthepoint(2,3)∈E(�11)3/2while(v�2,v�3)=(10�2,10i�3)=(9,8i)∈E′(�11).23(ii)ForthequadratictwistE′/�11:y=x+10createdfrom23E/�11:y=x+1usingthequadraticnonresiduev=10sothat2−1−3/2i=v,wehavethat�2(x,y)=(vx,vy)=(10�x,i�y).SoforQ=(9,8i)∈E′(�11)wehavethat�2(Q)=(10�9,i�8i)=(2,3).Definition3.16LetE/�qbeanellipticcurveandnbeanintegerrelativelyprimetoq,andPapointoforderninE(�q).Adistortionmapwithrespectto(orfor)PisanTable3.7Mappings�d:E′→EDegreeofTwistd�d:E′→E2�(x,y)=(v−1x,v−3/2y)23�(x,y)=(v−1/3x,v−1/2y)34�(x,y)=(v−1/2x,v−3/4y)46�(x,y)=(v−1/3x,v−1/2y)6 PropertiesofEllipticCurves63endomorphism�thatmapsthepointPtoapoint�(P)thatislinearlyindependentfromP.Anotherusefulpointofviewisthatsuchadistortionmapisanonrationalendomorphism.Usefuldistortionmapsforcurvesover�qwhereqiseitheraprimepor2apowerofaprimeparesummarizedinTable3.8.Example3.1123(i)ForacurveoftheformE/�p:y=x+awherepisaprimewithp≡3(mod4),itispossibletowriteadistortionmapforEas�(x,y)=(�x,y)wherep−1(p+1)/4�=(1+3i)(3.7)2Forsucha�wehavethat33p−1�1+3(3(p+1)/4(p+1)/42(p+1)/43�(3.8)�=�2�i)+3(3i)+(3i)3p−1�1−3(p+3)/2(p+5)/4(3p+3)/4=�2�+i(3−3)�whichwewanttobeequalto1.FromEuler’stheoremwehavethatp−13≡1(modp)Table3.8UsefulDistortionMapsFieldCurveDistortionMap#E�py2=x3+ax�(x,y)=(−x,iy)p+1�py2=x3+ax�(x,y)=(�x,y)p+1�≠1,�3=12�p2y2=x3+axxpypp−p+1a∈�p�(x,y)=��(2p−1)/3,p−1�rr2r=a,r∈�p23�=r,�∈�p6 64IntroductiontoIdentity-BasedEncryptionsothatp−13(p−1)3≡3(modp)andthus(p−1)+63(p−1)+63≡3(modp)sothatp+53p+33≡3(modp)and(p+5)/4(3p+3)/43≡3(modp)and(p+5)/4(3p+3)/43−3≡0(modp)sothattheimaginarypartof(3.8)isequaltozero.Similarly,wehavethatp+3p−1+4p−1==+2222sothat12s≡(1−3)(modp)=1(modp)8byEuler’stheorem.Thustherealpartof(3.8)isequalto1,and(3.7)isindeedacuberootof1asneeded.23(ii)FortheellipticcurveE/�11:y=x+1,let�(x,y)=(�x,y),11−1(11+1)/2where�=�2�(1+3i)≡5(1+5i)(mod11)=3(5+3i)(mod11)whichhasthepropertiesthat�≠1and�=1.ThenforP=(2,3)wehavethat�(P)=((5+3�i)�2,3)=(10+6�i,3),whichislinearlyindependentfromP.This�isadistortionmaponEforthepointP. PropertiesofEllipticCurves6523(iii)Fortheellipticcurvey=x+xover�11,let�(x,y)=(−x,iy).ThenforP=(0,1)wehave�(P)=�(0,1)=(0,i)whichislinearlyindependentfromP=(0,1),making�adistortionmapwithrespecttoP.Distortionmapsareusefulincreatingstructuresthatareusefulforimple-mentingmanyIBEalgorithms.ThiswillbediscussedinChapter4.Theirapplicationisessentiallylimitedtosupersingularcurves,however,asthefollow-ingtwopropertiesdescribe.Property3.8(Verheul)[8]LetE/�qbeasupersingularellipticcurvewithP∈E(�q)[n].Ifnisrelativelyprimetothecharacteristicof�q,thentherealwaysexistsadistortionmapwithrespecttoP.Property3.9(Verheul)[8]LetE/�qbeanordinaryellipticcurveandletP∈E(�q)[n].Ifnisrelativelyprimetothecharacteristicof�qandE[n]⊄E(�q),thentherecannotexistadistortionmapwithrespecttoP.3.3.2ComplexMultiplicationAllellipticcurvegroupshavesomeendomorphisms:themultiplication-by-nmapsoftheformfn(P)=nP.Someellipticcurvegroupshaveadditionalendomorphismsthatarenotisomorphictosuchmultiplication-by-nmaps.Anellipticcurvewiththispropertyissaidtohavecomplexmultiplication,whichwecanabbreviateas‘‘CM.’’Theterm‘‘complexmultiplication’’comesfromthefactthatinmanycases,theseendomorphismsactmuchlikemultiplicationbyacomplexnumber.Sowemighthavethatf(f(P))=−D�Pforsome2D>0,sothatf�f=−Dorf=−Dsuggestingthatfactslikemultiplyingbytheimaginarynumber√−D.WewillseeinlaterchaptersthattherearetechniquesthatworkoncurveswithcomplexmultiplicationthatcanbeusedtogenerateellipticcurvessuitableforIBEcalculations.Example3.12(i)Anysupersingularellipticcurvehasadistortionmap,soallsuper-singularcurveshavecomplexmultiplication.23(ii)Theellipticcurvey=x+xhasanendomorphismgivenbyf:(x,y)→(−x,iy)sothat(f�f)(P)=(f�f)(x,y)=(x,−y)=−P.2Thus,f�f=factslikemultiplicationby−1,sowecanthinkoffasactinglikemultiplyingby√−1. 66IntroductiontoIdentity-BasedEncryption23(iii)Theellipticcurvey=x+1hasanendomorphismgivenby3f:(x,y)→(�x,y)where�=1,�≠1.Inthiscase,23(f�f�f)(P)=(�x,y)=(x,y)=P,orthatf�f�f=factslikemultiplicationby1,butf≠1,sowecanthinkoffasactinglikemultiplyingbythecomplexnumber�.References[1]Lang,S.,EllipticFunctions,NewYork:Springer-Verlag,1987.[2]Silverman,J.,TheArithmeticofEllipticCurves,NewYork:Springer-Verlag,1986.[3]Blake,I.,G.Seroussi,andN.Smart,EllipticCurvesinCryptography,Cambridge,U.K.:CambridgeUniversityPress,1999.[4]Chudnovsky,D.,andG.Chudnovsky,‘‘SequencesofNumbersGeneratedbyAdditioninFormalGroupandNewPrimalityandFactorizationTests,’’AdvancesinAppliedMathe-matics,Vol.7,No.4,1986,pp.385–434.[5]Stinson,D.,Cryptography:TheoryandPractice,NewYork:ChapmanandHall,2005.[6]Balasubramanian,R.,andN.Koblitz,‘‘TheImprobabilityThatanEllipticCurveHasSubexponentialDiscreteLogProblemUndertheMenezes-Okamoto-VanstoneAlgo-rithm,’’JournalofCryptology,Vol.11,No.2,1998,pp.141–145.[6]Stinson,D.,Cryptography:TheoryandPractice,NewYork:ChapmanandHall,2005.[7]Menezes,A.,EllipticCurvePublicKeyCryptosystems,NewYork:Springer-Verlag,1993.[8]Verheul,E.,‘‘EvidenceThatXTRIsMoreSecureThanSupersingularEllipticCurveCryptosystems,’’JournalofCryptology,Vol.17,No.4,2004,pp.277–296. 4DivisorsandtheTatePairingThischapterintroducesdivisors,whicharethenusedtoconstructtheTatepairing.TheTatepairinginturnprovidesthebasisformanyIBEschemes,includingtheBoneh-Franklin,Bohen-Boyen,andSakai-Kasaharaschemes.ThediscussionoftheTatepairinghereisdesignedtoprovideanoverviewofthepairing,itsproperties,andhowtocalculateit.FurtherdetailofthepropertiesoftheTatepairingcanbefoundin[1,2].TheTatepairingbyitselfturnsouttobeunsuitableforcryptographicapplicationsbecauseitfrequentlyreturnsthevalue1,butbymodifyingoneoftheinputstotheTatepairingusingeitheradistortionmaporapointonthetwistofanellipticcurve,itiseasytoovercomethislimitation.4.1DivisorsThedivisorsdiscussedinthissectionareverydifferentfromthosediscussedinChapter2,buttheyunfortunatelysharethesamename.Inthiscontext,adivisorisawayofcharacterizingafunctionfbasedonlyonitszeroes,wheref(x)=0,andpoles,wheref(x)=±∞,likewhendividingbyzero.Wesaythatafunctionf(x)hasapoleatinfinityiff(1/x)hasapoleatx=0,sothatapolynomialofdegreenhasapoleofdegreenatinfinity.Similarly,wesaythatafunctionf(x)hasazeroatinfinityiff(1/x)hasazeroatx=0.Forexample,thefunction2(x−1)2−3f(x)==(x−1)(x+2)3(x+2)67 68IntroductiontoIdentity-BasedEncryptionhasazerooforder2atx=1,azerooforder1atinfinity,andapoleoforder3atx=−2.Becauseadivisorcharacterizesafunctionbasedonitszeroesandpoles,twofunctionsthatdifferbyaconstantwillhavethesamedivisor.4.1.1AnIntuitiveIntroductiontoDivisorsWekeeptrackofthezeroesandpolesofarationalfunctionfinwhatwecalladivisor,whichwewriteasdiv(f).Wewritesuchadivisorasthesumofthepointswherefhasazeroorpoleweightedbythemultiplicitiesofthezeroesandpoles,withtheconventionthatzeroesgetpositiveweightsaccordingtotheirmultiplicitiesandpolesgetnegativeweightsaccordingtotheirmultiplicities.Intheexampleabove,wewritediv(f)=2(1)+(∞)−3(−2),toindicatethatfhasazerooforder2atx=1,azeroororder1atinfinity,andapoleoforder3atx=−2.Ingeneral,ifwecanwritef(x)=�(x−xaii)ithenwewritediv(f)=∑ai(xi)iThenotationfordivisorscanbeabittricky,andwewillneedtobeabletellfromthecontextthatwedealingwithdivisorsinsteadofnumbers,sothatwearenottemptedtotreatdivisorsasnumbers,tryingtosimplifyexpressionslike2(1)−3(−2)togetanumberinsteadofadivisor.Notethatmultiplyingrationalfunctionscorrespondstoadditionoftheirdivisorsanddivisionofrationalfunctionscorrespondstosubtractionoftheirdivisors.Soifwehavef(x)asdefinedaboveand3(x+2)g(x)=4(x+1)then23(x−1)(x+2)f(x)g(x)=34(x+2)(x+1)2(x−1)=4(x+1) DivisorsandtheTatePairing69whichcorrespondstoaddingthedivisors:div(fg)=div(f)+div(g)=2(1)+(∞)−3(−2)+3(−2)+(∞)−4(−1)=2(1)+2(∞)−4(−1)Wecanformalizethisinformaldescriptionofdivisorswiththefollowingdefinitions.Definition4.1AformalsumofasetSisseries{s0,s1,s2,...}ofelementsofS.Aformalsumisoftenwrittenusingaplaceholder,withtheunderstandingthattheplaceholderisnottobeevaluated.Example4.1(i)Apowerseriesisaformalsumwhichweusuallywriteas2a0+a1x+a2x+...,whereeachai∈SforsomesetS.Wewriteapowerserieswiththeunderstandingthattheplaceholderxisnottobeevaluated,andwecouldalsowritethesamepowerseriesas{a0,a1,a2,...}.(ii)IfP={P1,P2,...Pn}isasetofpointsonanellipticcurve,thenD=a1(P1)+a2(P2)+...+an(Pn)isaformalsumoftheele-mentsofP.Inthiscase,weunderstandthatinDthepointsinthesetParejustplaceholderslikethevariablexinapowerseries,andarenottobeevaluated.Definition4.2LetEbeanellipticcurve.AdivisoronEisaformalsumoftheformD=∑nP(P)P∈EwhereeachnPisanintegerandallbutfinitelymanynParezero.Example4.2ForpointsP1andP2onanellipticcurve,D=(P1)+2(P2)−3(O)isadivisor.Definition4.3WesaythatadivisorDisaprincipaldivisorifthereisarationalfunctionfsuchthatD=div(f).AnequivalentdefinitionisthatadivisorDonanellipticcurveisprincipalifwecanwrite 70IntroductiontoIdentity-BasedEncryptionD=∑ai(Pi)iwhere�ai=0and�aiPi=O,withthelastsumusingtheadditionofpointsonanellipticcurve.Inparticular,ifPisapointofordern,thenthedivisorn(P)−n(O)isaprincipaldivisor.Example4.3(i)LetP1,P2andP3bepointsonanellipticcurvewithP3=P1+P2.ThenD=(P1)+(P2)+(−P3)−3(O)isaprincipaldivisor.(ii)LetPbeapointonanellipticcurveofordern.ThenD=n(P)−n(O)isaprincipaldivisor.Definition4.4IfEisanellipticcurveandD=∑nP(P)P∈EisadivisorthenthesupportofDisthesetofallpointsPsuchthatnP≠0.Example4.4ForthedivisorD=(P1)+(P2)+(−P3)−3(O),thesupportofDistheset{P1,P2,−P3,O}.Definition4.5LetD1andD2bedivisors.ThenwesaythatD1andD2havedisjointsupportiftheintersectionofthesupportofD1andthesupportofD2istheemptyset,orD1∩D2=∅.Example4.5(i)ThedivisorsD1=(P1)−(O)andD2=(P1+R)−(R)havedis-jointsupportaslongas{P1,O}∩{P1+R,R}=∅.(ii)ThedivisorsD1=(P)−(O)andD2=(Q)−(O)donothavedis-jointsupport.WecanthinkofthedivisorsaskeepingtrackofwherethegraphofanellipticcurveEintersectsthegraphofafunctionf(x),orwhereE=f(x),sotheykeeptrackofzeroesandpolesofE=f(x).Inparticular,wegetazerowhenE=f(x),orwhenthefunctionf(x)crossestheellipticcurveEandwegetapolewhenf(x)hasapole. DivisorsandtheTatePairing71ThefunctionsuandvthatappearinFigure4.1areveryimportantinimplementingoperationsondivisors,andinthefollowing,uwillalwaysrepresentalinethroughtwopointsP1=(x1,y1)andP2=(x2,y2)onanellipticcurveandvwillalwaysrepresentaverticallinethatgoesthroughP3=(x3,y3),whereP3=P1+P2.SupposethatwedonothavethecasewhereP1+P2=OandneitherP1=OnorP2=O.Thenwecanwritethepoint-slopeformofalinethrough(x1,y1)asy−y1=m(x−x1)ory−y1=−mx+mx1=0whichgivesusanexplicitwaytofindthelineu.Similarly,thelinevisgivenbyx−x3=0−P3uP2vP1P3Figure4.1Illustrationofthelinesuandvintheadditionofpointsonanellipticcurve. 72IntroductiontoIdentity-BasedEncryptionIfoneofthetwopointsisO,thenuistheverticallinethroughthepointthatisnotO,andifthepoint(x3,y3)=Othenvistheverticallinex=0.Theseformsofthelines(x1,y1)and(x1,y1)areshowninFigure4.2.ThecaseswhereeitherP1=O,P2=O,orP1=P2areshowninAlgorithm4.2,4.3,and4.4.Theparticularpointsthatweusetodefinethelinesuandvshouldbeclearfromthecontext,sowewillusuallyomitthepointstokeepthenotationsimpler.Ifweneedtoclarifywhichpointsarebeingused,wewillwriteuP1,P2orvP3toindicatethelinethroughP1andP2ortheverticallinethroughP3,respectively.Withthisnotation,uandvhavethefollowingdivisors:div(u)=(P1)+(P2)+(−P3)−3(O)div(v)=(P3)+(−P3)−2(O)wherewehavenowaccountedforthepolesthatthelinesuandvhaveatO.Anotherusefulfactiswhatwegetwhenwesubtractthedivisorofufromthedivisorofv:u:y−−+=ymxmx0−P113P2vxx:0−=3P1P3Figure4.2Formsofthelinesuandvusedtoadddivisorsonanellipticcurve. DivisorsandtheTatePairing73div(u)−div(v)=div(u/v)(4.1)=(P1)+(P2)+(P3)−(O)Ifwehavetwodivisorsoftheform:D1=(P1)−(O)+div(f1)D2=(P2)−(O)+div(f2)wecanaddthetwodivisorstogetD1+D2=(P1)+(P2)−2(O)+div(f1f2)(4.2)Solvingfor(P1)+(P2)in(4.1)andsubstitutingtheresultinto(4.2)wefindthatD1+D2=(P3)−(O)+div(f1f2u/v)(4.3)Sothedivisorsofthelinesuandvprovideawaytoaddtwodivisorsandkeeptheresultintheform(P)−(O)+div(f).Toclarifyhowthisworks,wewillnowstepthroughacalculationofthe23sumoftwodivisors,wherethearithmeticisdoneonthecurvey=x+1over�5,asisdefinedinTable3.2.Inparticular,weconsiderthedivisorD=(Pˆ2)−(O)andseewhatwegetwhenweaddittoitself.Using(4.3)andthefactthatwecanalsowritethedivisorDasdiv(1)wefindthatD+D=(Pˆ2)−(O)+div(1)+(Pˆ2)−(O)+div(1)=(Pˆ1)−(O)+div(u/v)NowuisthelinetangenttotheellipticcurveatPˆ2,andvisthelineconnectingPˆ2+Pˆ2=Pˆ1and−(Pˆ2+Pˆ2)=Pˆ2.Solvingforuandvwefindthatwehavey−4=0forthelineu,ory+1=0in�5.Similarly,wehavex=0forthelinev.Substitutingtheseforuandvwegetthaty+1D+D=(Pˆ1)−(O)+div�x�IfweaddthedivisorDtothissumonemoretimewefindthatwearejustleftwiththedivisorofarationalfunctionwhenthetermsofthedivisorinvolvingpointsonthecurvecanceleachotherwhenwereach 74IntroductiontoIdentity-BasedEncryption3D=3(Pˆ2)−3(O)becausePˆ2isapointoforder3.Atthenextstep,thelineuthroughPˆ1andPˆ2istheverticallinex=0,sincex=0isthecommonxcoordinatethatPˆ1andPˆ2share.WedefinetheverticallinevthroughthepointPˆ1+Pˆ2=Otobe1.Thus,wehave3D=3(Pˆ2)−3(O)y+1u=(Pˆ2+Pˆ1)−(O)+div��xvy+1x=(O)−(O)+div�x1�=div(y+1)Definition4.6IfDisadivisoroftheformD=∑ai(Pi)ithenwedefinewhatitmeanstoevaluatearationalfunctionfatDbyf(D)=�f(Paii)iExample4.6(i)IfD=2(P1)−3(P2)then2−3f(D)=f(P1)f(P2)2f(P1)=3f(P2)(ii)IfP=(2,3)andQ=(0,1)arepointsonE/�11andDisthedivisorD=(P)−(Q)andfistherationalfunctionf(x,y)=y+1,then3+1−1f(D)==4�2=4�6≡2(mod11)1+1Inmanycases,itispossibletoexchangetherolesofafunctionfandadivisorDinexpressionslikef(D).Thisisformalizedinthefollowing. DivisorsandtheTatePairing75Property4.1(WeilReciprocity)LetfandgberationalfunctionsdefinedonsomefieldF.Ifdiv(f)anddiv(g)havedisjointsupportthenwehavethatf(div(g))=g(div(f)).Example4.7Supposethatwehavetworationalfunctionsfandgdefinedon�11wherex−2f(x)=x−7andx−6g(x)=x−5sothatwehavediv(f)=(2)−(7)anddiv(g)=(6)−(5)thenf(6)7f(div(g))===7�3=10(mod11)f(5)4andg(2)5g(div(f))===5�2=10(mod11)g(7)6Definition4.7DivisorsD1andD2areequivalentiftheydifferbyaprincipaldivisor,thatis,D=D1−D2isaprincipaldivisor.Example4.8(i)Iffisarationalfunction,thedivisors(P)−(O)and(P)−(O)+div(f)areequivalent. 76IntroductiontoIdentity-BasedEncryption(ii)Wecanseethat(P+R)−(R)isequivalentto(P)−(O)byusingthelineuthatgoesthroughthepointsP,Rand−(P+R)andthelinevthatgoesthroughthepoints−(P+R)andP+R.Thenwehavethatdiv(u)=(P)+(R)+(−(P+R))−3(O)div(v)=(−(P+R))+(P+R)−2(O)sothat(P)−(O)=(P+R)−(R)+div(u/v)Sothedifferencebetween(P+R)−(R)and(P)−(O)isaprincipaldivisor,sinceitisthedivisoroftherationalfunctionu/v,and(P+R)−(R)isequivalentto(P)−(O).4.2TheTatePairingNowthatwehavedefineddivisorsandhowtomanipulatethem,wecandefinetheTatepairinganddescribehowtocalculateit.TheTatepairingoperatesonpairsofpointsP∈E(�q)[n]andQ∈E(�qk),andproducesaresultin�q*k.Wewritee(P,Q)fortheTatepairingofthepointsPandQ.ForapointPofordern,togete(P,Q)wefirstfindarationalfunctionfPsothatdiv(fP)isequivalentton(P)−n(O)andthenevaluatefPatadivisorequivalentto(Q)−(O).Wecansummarizethisinthefollowing.Definition4.8LetE/�qbeanellipticcurve,P∈E(�q)[n]andQ∈E(�qk).LetfPbearationalfunctionwithdiv(fP)equivalentton(P)−n(O)andAQbeadivisorequivalentto(Q)−(O)withthesupportofdiv(fP)andAQdisjoint.ThentheTatepairingisdefinedtobee(P,Q)=fP(AQ).Thisdefinitiondoesnotproduceauniquevalue,andwillincludeaconstantthatisannthpowerofsomeelementof�qk.ItisnotimmediatelyobviouswhytheTatepairingiswelldefinedbythisdefinition.SoweshouldconvinceourselvesthatthisdefinitionisactuallyindependentofourchoicesforfPandAQ.Indoingso,wewillseewhytheTatepairingisonlydefineduptomultiplicationbyannthpowerofsomeconstant.Inthefollowingwewillseethatitiseasytogetridofthisunwantedconstant,leavingauniquevalue.NotethatfPisdefineduptoaconstantmultiple.Applyingthedefinitionofevaluatingadivisoratafunctiontosuchaconstantmultipleshowsthatthis DivisorsandtheTatePairing77hasnoinfluenceonthevalueoffP(AQ),soitisindependentofthechoiceoffP.NowsupposethatD1andD2arebothdivisorsequivalentto(Q)−(O),sayD1=D2+div(g)forsomerationalfunctiong.Tobecareful,wealsoneedtoassumethatthesupportofdiv(fP)isdisjointfromthesupportofdiv(g).ThenwehavethatfP(D1)=fP(D2+div(g))=fP(D2)fP(div(g))=fP(D2)g(div(fP))(byWeilreciprocity)=fP(D2)g(n(P)−n(O))n=fP(D2)g((P)−(O))WecanthenabusethenotationofcongruencesslightlytowritethisasfP(D1)≡fP(D2)whichwethinkofasmeaningthatfP(D1)=fP(D2)uptoaconstantthatisannthpower.Theexamplesofaddingdivisorsaboveshowhowtofindadivisorequiva-lentton(P)−n(O):wecanaddthedivisor(P)−(O)toitselfntimesbyusingthedivisorsdiv(u)anddiv(v)thatwegetfromthelinesthroughvariouspointsontheellipticcurve,andafterreachingn(P)−n(O)wewillbeleftwithadivisorofarationalfunctionthatwecallfPwhenallofthetermsinvolvingthepointPdisappear.Toavoidthetroubleswithevaluatingafunctionatthepointatinfinitythatappearsin(Q)−(O),wecanpickarandompointRonourellipticcurveandevaluatefPat(Q+R)−(R)instead,whichisequivalenttothedivisor(Q)−(O).BecausethepointPisofordern,ifwerepeatedlyaddthedivisor(P)−(O)togetn(P)−n(O)usingthetechniquethatissummarizedin(4.3),wefindthatweendupwithadivisorofarationalfunctionthatistheproductoftermsoftheformu/v,whereuisthelinethroughtwopoints(thepointsP1andP2inFigure4.1,forexample)onourellipticcurveandvistheverticallinethatpassesthoughthepointthatisthesumofthesametwopoints(thepointP3inFigure4.1,forexample).SupposethatAQisadivisoroftheform(Q+R)−(R)thatwegetfromarandomR≠O.Notethattherequirementthatthesupportofthedivisorsn(P)−n(O)andAQaredisjointmeansthatQ+R≠P,andR≠P.Weexcludethesecasesbecausetheyeitherreducethevalueofthepairingtozerobyintroducingafactorofzeroinacalculation,orcauseadivisionbyzero 78IntroductiontoIdentity-BasedEncryptionerror.AnexaminationofAlgorithms4.2through4.4shouldclarifythewaysinwhichthiscanhappen.Togiveanexampleofhowthisworks,wewillusethesameexamplethatweusedabovetofinde(Pˆ2,Pˆ2).Wefoundthat3(Pˆ2)−3(O)isequivalenttothedivisordiv(y+1),sowehavefPˆ=y+1.Next,weneedarandom2pointtoaddtoPˆ2,forwhichwepickPˆ4,sowewanttoevaluatefPˆat2(Pˆ2+Pˆ4)−(Pˆ4)=(Pˆ3)−(Pˆ4),orwewanttofindfPˆ(Pˆ3)/fPˆ(Pˆ4).Note22thatitispossibletopickarandompointthatcausesdivisionbyzero,forexampleifwepickedthepointPˆ2inthisexample.Ifthishappens,wecanjustpickanotherrandompointuntilwefindonethatworks.SubstitutingtheappropriatevaluesfromTable3.2,wefindthatˆfPˆ2(Pˆ3)3e(Pˆ2,P2)==(4.4)fPˆ2(Pˆ4)4=3�4−1=2∈�5Asmentionedabove,theTatepairinghasanadditionalmultiplicativennfactorofrforsomer∈�qk,sothatweactuallygete(P,Q)=a�rforwhenwecalculateit.FromProperty2.13wehavethatforany�∈�qkwehavethatqk−1nk�=1,soifweraisea�rtothepower(q−1)/nwegetthatn(qk−1)/n(qk−1)/n(qk−1)/n(a�r)=a�1=asothatsuchanexponentiationeliminatestheextramultiplicativefactorandleavesauniqueresult.Thuswhilee(P,Q)isnotunique,theadditionalexponen-tiationthatgivesus(qk−1)/ne(P,Q)determinesauniquevalue,andthusmoresuitableformanyuses.Theuseofsuchanexponentiationtodetermineauniquevalueiscalledthefinalexponentia-tionandtheuniquevalueiscalledthereducedpairing.Example4.923(i)ConsiderthecasewherewehaveE/�11:y=x+xandP=(5,3)∈E(�11)[3].TofindfP(x,y)wewanttofindtherationalfunctionsothatdiv(fP)isequivalenttothedivisor3(P)−3(O).Wegetthisthrougharepeatedapplicationof(4.3). DivisorsandtheTatePairing79Wewanttofind3(P)−3(O)=3((P)−(O))=((P)−(O))+((P)−(O))+((P)−(O))Wecanstartcalculatingthisbyfirstfinding2(P)−2(O)=2((P)−(O))=((P)−(O))+((P)−(O))by(P)−(O)+(P)−(O)=(P)−(O)+div(1)+(P)−(O)+div(1)=(2P)−(O)+div(y+2x+9)Then3(P)−3(O)=(2P)−(O)+div(y+2x+9)+(P)−(O)+div(1)=(3P)−(O)+div(y+2x+9)=(O)−(O)+div(y+2x+9)=div(y+2x+9)sothatfP(x,y)=y+2x+9IfwehaveQ=(7,8)andR=(10,3),thenQ+R=(9,10)andweevaluatefPatAQ=(Q+R)−(R)wegetfP(Q+R)4fP((Q+R)−(R)==fP(R)10=4�10−1=4�10≡7(mod11)Thuse(P,Q)=fP(AQ)=7.23(ii)ConsiderthecasewherewehaveE/�11:y=x+1andP=(5,4)∈E(�11)[4].BecausePisoforder4,tofindfP(x,y)wewanttofindtherationalfunctionsothatdiv(fP)isequivalenttothedivisor4(P)−4(O).Wegetthisthrougharepeatedapplicationof(4.3). 80IntroductiontoIdentity-BasedEncryptionWewanttofind4(P)−4(O)=4((P)−(O))=((P)−(O))+((P)−(O))+((P)−(O))+((P)−(O))Wecanstartcalculatingthisbyfirstfinding2(P)−2(O)=2((P)−(O))=((P)−(O))+((P)−(O))by(P)−(O)+(P)−(O)=(P)−(O)+div(1)+(P)−(O)+div(1)y+3x+3=(2P)−(O)+div�x+1�Theny+3x+33(P)−3(O)=(2P)−(O)+div�x+1�+(P)−(O)+div(1)2(y+3x+3)=(3P)−(O)+div�(x+1)(x+6)�Andfinally2(y+3x+3)4(P)−4(O)=(3P)−(O)+div�(x+1)(x+6)�+(P)−(O)+div(1)2(y+3x+3)=(4P)−(O)+div�x+1�2(y+3x+3)=(O)−(O)+div�x+1�2(y+3x+3)=div�x+1�sothat DivisorsandtheTatePairing812(y+3x+3)fP(x,y)=x+1IfwehaveQ=(5,7)andR=(9,9),thenQ+R=(0,1)andweevaluatefPatAQ=(Q+R)−(R)wegetfP(Q+R)5fP((Q+R)−(R))==fP(R)8=5�8−1=5�7≡2(mod11)Thuse(P,Q)=fP(AQ)=2.4.2.1PropertiesoftheTatePairingAsdefinedearlier,theTatepairinghasthefollowingproperties:1.TheTatepairingisnondegenerate,thatis,foreachP∈E(�q)[n]/{O}thereissomeQ∈E(�qk)withe(P,Q)≠1.2.TheTatepairingisbilinear,thatis,foreachP,P1,P2∈E(�q)[n]andQ,Q1,Q2∈E(�qk)wehavee(P1+P2,Q)=e(P1,Q)e(P2,Q)ande(P,Q1+Q2)=e(P,Q1)e(P,Q2).ToconvinceourselvesthattheTatepairingisbilinear,weneedtoconsidertwoseparatecases.ToseethattheTatepairingislinearinitsfirstparameter,letfP,fP,12andfP+Pberationalfunctionssuchthatwehave12div�fP1�=n(P1)−n(O)div�fP2�=n(P2)−n(O)anddiv�fP1+P2�=n(P1+P2)−n(O)NotethatthedivisorD=(P1+P2)−(P1)−(P2)+(O)isaprincipaldivisorsoitisthedivisorofsomerationalfunction,say 82IntroductiontoIdentity-BasedEncryptiondiv(g)=Dthendiv�fP1+P2�−div(f1)−div(f2)=n(P1+P2)−n(P1)−n(P2)−n(O)n=nD=ndiv(g)=div(g)sothat�ndiv�fP1+P2=div(f1)+div(f2)+div(g)sowecanwritenfP1+P2=f1f2gThusne(P1+P2,Q)=fP1+P2(AQ)=fP1(AQ)fP2(AQ)g(AQ)n=e(P1,Q)e(P2,Q)g(AQ)Soifweareignoringnthpowers,wefindthate(P1+P2,Q)=e(P1,Q)e(P2,Q)asdesired.ToseethattheTatepairingisbilinearinthesecondparameter,letAQ1+Q2beadivisorequivalentto(Q1+Q2)−(O),AQ1beadivisorequivalentto(Q1)−(O)andAQ2beadivisorequivalentto(Q1)−(O).ThenAQ1+Q2−AQ1−AQ2isequivalenttoD=(Q1+Q2)−(Q1)−(Q2)+(O)whichisaprincipaldivisor.SoAQ1+Q2isequivalenttoAQ1+AQ2becausetheydifferbyaprincipaldivisor.Thuswecanwritee(P,Q1+Q2)=fP�AQ1+Q2�=fP�AQ1+AQ2�=fP�AQ1�fP�AQ2�=e(P,Q1)e(P,Q2) DivisorsandtheTatePairing83Amappingthatisnondegenerateandbilinearandisalsoefficientlycom-putableiscalledapairing,andsuchmappingsarethefundamentalprimitivesfromwhichmanycryptographicalgorithmsareconstructed.Ontheotherhand,theTatepairingalsohasthefollowingpropertythatlimitsitsusefulnessbecauseitreturnsthevalue1inmanycases.Property4.2(Galbraith)[3]LetP∈E(�q)[n]{O}andnrelativelyprimetoq.Thentohavee(P,P)≠1,wemusthavek=1.Soforanembeddingdegreek>1wehavee(P,P)=1,whichalsomeansabthate(aP,bP)=e(P,P)=1forintegersaandb,sothattheTatepairingmaynotseemveryusefulatfirst.Thefollowingresultprovidesinsightintohowtoovercomethislimitation.Property4.3(Verheul)[4]Letnbeaprime,P∈E(�q)[n]{O},Q∈E(�qk)belinearlyindependentfromP,andk>1.Thenwehavethate(P,Q)isnondegenerate.SoifwehaveP∈E(�q)[n]andanontrivialembeddingdegree,thatis,wehavek>1,thenonewaytomakesurethattheTatepairinge(P,Q)isnondegenerateistomakesurethatQislinearlyindependentofP.Onewaytodothisistouseadistortionmap,sothatinsteadofcomputinge(P,Q),wecomputee(P,�(Q))instead,where�isanappropriatedistortionmap.Anotherwayistocomputee(P,�d(Q))whereQ∈E′isonthetwistoftheellipticcurveEand�d:E′→EisthemappingdefinedinSection3.3.1.Ineithercase,wedenotetheresultingpairingbyˆe(P,Q),whereeitherˆe(P,Q)=e(P,�(Q))orˆe(P,Q)=e(P,�d(Q))asappropriateandcallsuchanˆethemodifiedTatepairing.Example4.10(i)(DistortionMap).FromExample4.1(ii),wehavewhere23E/�11:y=x+1andP=(5,4)∈E(�11)[4],weget2(y+3x+3)fP(x,y)=x+1IfwehaveQ=(5,7)andR=(9,9),thenQ+R=(0,1)andweevaluatefPatAQ=(Q+R)−(R)wegete(P,Q)=fP(AQ)=2∈�11,sothatforthereducedTatepairingweget(qk−1)/n(112−1)/430e(P,Q)=2=2≡1(mod11) 84IntroductiontoIdentity-BasedEncryptionInthiscase,�(x,y)=(�x,y),where�=5+3�i,isadistortionmapforthepointQ,andwefindthat�(Q)=(3+4�i,7)andthat�(Q)+R=(1+4�i,5).Thus,wehavethatfP(�(Q)+R)fP((�(Q)+R)−(R))=fP(R)1+9i==7+8i8sothatforthereducedmodifiedTatepairingweget(qk−1)/n(112−1)/430e(P,�(Q))=(7+8i)=(7+8i)≡10(mod11)23(ii)(Twist).WehavethatE′:y=x+10isthequadratictwistof23E/�11:y=x+1thatiscreatedusingthequadraticnonresiduev=10.IfP=(5,4)∈E(�11)[4],thenfromExample4.1(ii)weget2(y+3x+3)fP(x,y)=x+1Inthiscase,wehave�−1x,v−3/2y)=(10�x,i�y)2(x,y)=(vIfwehaveQ=(3,2)∈E′andR=(9,9),then�2(Q)=(8,2i)then�2(Q)+R=(5+8i,8i).ThuswehavethatfP(�2(Q)+R)fP((�2(Q)+R)−(R)=fP(R)4+8i==5i6+8IsothatforthereducedmodifiedTatepairingweget(qk−1)/n(112−1)/430e((P,�2(Q))=(5i)=(5i)≡10(mod11)4.3Miller’sAlgorithmThetechniquethatweusedabovetofindadivisorequivalentton(P)−n(O),inwhichweiterativelyfinddivisorsequivalentto(P)−(O),2(P)−2(O), DivisorsandtheTatePairing85...,upton(P)−n(O)byarepeatedapplicationof(4.3)willcertainlywork,butitisextremelyinefficient.Inatypicalcryptographicapplication,nistypically160atleast2,soiteratinginthiswayisimpractical.Instead,thewaywecalculaten(P)−n(O)isbythedouble-and-addtechnique,andfindingadivisorequiva-lentton(P)−n(O)inthiswayiscalledMiller’salgorithm[5].Miller’salgorithmisbasedontheobservationthatitiseasytogeneralize(4.3)todivisorsD1=(aP)−(O)+div(f1)andD2=(bP)−(O)+div(f2)tofindthatuaP,bPD1+D2=(a+b)P−(O)+div�f1f2v�(a+b)PWecanformalizeMiller’salgorithmasfollows.PickanellipticcurveEonwhichallofthefollowingcalculationswillbeperformed.LetP∈E(�q)[n]andQ∈E(�qk)withtin=∑bi2si=0sothat(bi,...,b1,b0)isthebinaryexpansionofn.Westartwithf=1,S=P,andRarandompointonE.Wethendoadouble-and-additerationthroughthebinaryexpansionofn,performingthedoublingstepateachiterationandtheaddingstepifthebitweareatisa1.Thiswillletusbuildtherationalfunctionequivalentton(P)−n(O)outoftherepeatedlydoubledterms,andweevaluateeachofthesetermsat(Q+R)−(R)aswecalculatethem.Wedothisbythefollowingalgorithms.Algorithm4.1:TatePairing(Miller’salgorithmforcomputingtheTatepairing)23INPUT:EllipticcurveE:y=x+ax+b,P∈E[n]withtin=�i=0bi2,QOUTPUT:e(P,Q)1.f←1,t←log2n,S←P,R←arandompointofE,R≠O,Q+R≠O 86IntroductiontoIdentity-BasedEncryption2.Fori←t−1downto02uS,S(Q+R)v2S(R)3.f←fv2S(Q+R)uS,S(R)4.S←2S5.Ifbi=1uS,P(Q+R)vS+P(R)6.f←fvS+P(Q+R)uS,P(R)7.S←S+P8.ReturnfAlgorithm4.2:vINPUT:P,QOUTPUT:vP(Q)1.IfP=O2.Return13.ReturnxQ−xPAlgorithm4.3:tangent_u23INPUT:P,QonanellipticcurveE:y=x+ax+bOUTPUT:uP,P(Q)1.IfP=O2.Return13.IfyP=04.Returnv(P,Q)23xP+a5.m←2yP6.ReturnyQ−yP−mxQ+mxPAlgorithm4.4:uINPUT:P1,P2,QOUTPUT:uP,P(Q)121.IfP1=O2.Returnv(P2,Q)3.IfP2=OorP1+P2=O4.Returnv(P1,Q) DivisorsandtheTatePairing875.IfP1=P26.Returntangent_u(P1,Q)yP−yP217.m←xP−xP218.ReturnyQ−yP1−mxQ+mxP1References[1]Lang,S.,EllipticFunctions,NewYork:Springer-Verlag,1987.[2]Silverman,J.,TheArithmeticofEllipticCurves,NewYork:Springer-Verlag,1986.[3]Galbraith,S.,‘‘SupersingularCurvesinCryptography,’’ProceedingsofAsiacrypt2001,GoldCoast,Australia,December9–13,2001,pp.495–513.[4]Verheul,E.,‘‘EvidenceThatXTRIsMoreSecureThanSupersingularEllipticCurveCryptosystems,’’JournalofCryptology,Vol.17,No.4,2004,pp.277–296.[5]Miller,V.,‘‘TheWeilPairingandItsEfficientCalculation,’’JournalofCryptology,Vol.17,No.4,2004,pp.235–261. 5CryptographyandComputationalComplexityThegoalofthischapteristoprovideaframeworkforquantifyingthesecurityprovidedbyIBEalgorithms.Aswithanymethodofcommunicatingsecurely,believingthatthesecurityprovidedbyIBEisadequaterequiresmakingcertainassumptions.Ontheotherhand,anymethodofcommunicatingsecurelyrequiressometypeofassumption,andtheassumptionsthatwemakeinthecaseofIBEseemtobefairlyreasonablecomparedtotheassumptionsrequiredforotherwaysofcommunicatingsecurely.Onewaytocommunicatesecurelyistoexchangemessagesinsomesecurefashion,perhapsbytrustedcouriers.Thismethodcannotbedefeatedbycomput-ingpower,butcanbedefeatedthroughothermeans.Ifanadversarycaninterceptacouriercarryingamessagethentheycancertainlyreadit,forexample.Or,thecouriermaydecidetogivethemessagetotheadversaryinsteadoftotheintendedrecipient.So,anassumptionthatweneedtomaketotrustsuchasystemisthatthecouriersaretrustworthyandwillnotbeinterceptedbyanadversary.Aone-timepadoffersanotherwaytocommunicatesecurely.Inthiscase,wegeneratearandomkeythatisatleastasbigasthemessagethatwewanttoencryptandthensecurelydistributetherandomkeystotheuserswithwhomwewanttocommunicate.Thiscanbedoneinadvanceofthecommunicationoftheactualsecuremessages,sowecanassumethatusershavetheirone-timepadhandywhentheneedtocommunicatesecurelyarises.Theycanthenencrypttheirmessagesusingtheone-timepadandsendtheencryptedmessageoveranuntrustedchannel.Inthiscasewehaveassumedthattheone-timepadistruly89 90IntroductiontoIdentity-BasedEncryptionrandomandthatitwasdistributedinasecurefashion.Ifeitherofthesetwoassumptionsfails,thensuchasystemcaneasilybedefeated.WithsymmetricencryptionalgorithmslikeTriple-DESorAES,wereducethenumberofkeysthatneedtobesecurelydistributed.Inthiscase,weonlyneedtodistributethekeythatisusedinthesymmetricalgorithminsteadofakeythatisaslongasthemessagesthatwewanttoencrypt.Soinadditiontothesameassumptionsthatwemakeinthecaseofaone-timepadsystem,weneedtomakeanadditionalassumptionifweuseasymmetricencryptionalgorithm:thatitisinfeasibleforanadversarytorecovertheoriginalmessagefromtheencryptedmessage.Thiscanbeasignificantassumption.Therearetypicallynoproofsthatdecryptingamessagethathasbeenencryptedwithasymmetricalgorithmisdifficult,andweneedtorelyonthejudgmentofexpertswhohavedemonstratedanaptitudeforfindingweaknessesinsymmetricalgorithmsinthepast.Iftheseexpertscannotfindanyweaknesses,thenwecanassumethatthesymmetricalgorithmisreasonablysecure.Thisisanadditionalassumptionthatweneedtoacceptifwearegoingtotrustthesecurityofusingasymmetricalgorithm.Thetoolsavailabletoanadversarywillalsodeterminehowwellwecantrustasystemthatusesasymmetricalgorithm.Ifanadversarycanbuildalarge-scalequantumcomputer,forexample,thentheywillbeabletoperformcomputationsthatmightbeinfeasiblewithoutsuchadevice.Public-keyalgorithmsallowustocommunicatesecurelywithotherswithwhomwehavenotpreviouslyexchangedcryptographickeys,soitreducesthedifficultyandexpenseofmanagingkeys.Thisincreaseinconvenienceanddecreaseincostcomeswithanadditionalassumption.Inthecaseoftraditionalpublic-keyalgorithms,whereweuseadigitalcertificatetomanageauser’spublickey,weneedtoassumethattheTTPwhocreatedthecertificateistrustworthy.IftheTTPmakesanerrorandassociatesanincorrectnameofauserwithapublickey,wecaneasilybefooledintoencryptingamessagewiththeincorrectkey.Andsincemostusesoftraditionalpublic-keytechnologiesalsoarchivecopiesofusers’privatekeys,wealsoneedtotrustthattheTTPthatstoresthesekeysdoesnotprovidethemtounauthorizedusers.InthecaseofIBE,wehaveassumptionsthataredifferentthanthosethatwemakefortraditionalpublic-keytechnologies.AnyonecancalculateanIBEprivatekeyfromauser’sidentitywiththecorrectIBEpublicparameters,butweneedtoassumethatusersreceivethecorrectsetofIBEpublicparameters.Ifwecantrickauserintousingtheincorrectpublicparameters,wecantrickthemintosendingmessagesthatcaneasilybedecrypted.WealsoneedtoassumethattheIBEPKGisauthenticatingusersappropriatelybeforegrantingIBEprivatekeystothem.IfwecantrickthePKGintogivingusanIBEprivatekeythatismeantforadifferentuserthenwewillbeabletodecryptmessagesthenareencryptedwiththatuser’sIBEpublickey. CryptographyandComputationalComplexity91Inthecaseofbothtraditionalpublic-keytechnologiesandIBE,wealsomakeanassumptionabouttheintractabilityofcertainnumber-theoreticalcalcu-lations.Ifthesecalculationsaresufficientlydifficultforanadversarytoperform,thenwecanreasonablyassumethattheycannotperformthecalculations,andthatoursystemisreasonablysecure.Ontheotherhand,thisisalsoasignificantassumption,becauseitisbasedonthebest-knownalgorithmforperformingcertaincalculations.Ifanewalgorithmisdiscoveredthatcanfactorlargeintegersefficiently,forexample,thentheassumptionsbehindsomepublic-keytechnologieswillneedtobereexamined.Similarly,iflarge-scalequantumcomputerseverbecomeavailable,thentheassumptionsbehindmanypublic-keytechnologieswillneedtoberethoughtbecausetheexistenceofquantumcomputerswillmakeimplementingefficientalgorithmsforfactoringintegers[1]andcalculatingdiscretelogarithms[1,2]possible.5.1Cryptography5.1.1DefinitionsThefollowinginterrelateddefinitionsdefinetheconceptsfromcryptographythatwewillrefertoinlatersections.Definition5.1Anegligiblefunctionisonethatisasymptoticallysmallerthatthereciprocalofanypolynomial.Moreprecisely,afunction�:�→�isnegligibleifforanycc∈�thereisann0∈�suchthatwehave�(n)<1/nforalln>n0.Definition5.2Aprobabilisticalgorithmwhoserunningtimeispolynomialinlognissaidtobeefficient.Theuseoflogninsteadofnisduetothefactthattheparametersandkeysthatdeterminetheoperationofcryptographicfunctionsaretraditionallymeasuredinthenumberofbitscomprisingaparameterinsteadofinthesizeoftheparametersthemselves.Definition5.3Acalculationforwhichanyefficientalgorithmsucceedsonrandominputwithonlynegligibleprobabilityissaidtobehard.Acalculationthatisnothardiseasy.Soacalculationforwhichthereexistsanefficientalgorithmthatsucceedsonrandominputwithanonnegligibleprobabilityiseasy.Ausefulencryptionalgorithmhasthepropertythatbothencryptinganddecryptingdataiseasywiththerightkey,butdecryptingdatawithouttherightkeyishard. 92IntroductiontoIdentity-BasedEncryptionDefinition5.4Plaintextistheinformationforwhichencryptionprovidesprivacy.Anencryptionalgorithmtakesplaintextandakeyasinputsandproducesciphertextasanoutput.Definition5.5Ciphertextistheoutputofanencryptionalgorithm.Definition5.6Anencryptionalgorithmtakesplaintextandakeyasinputsandproducesciphertextasanoutput.Definition5.7Adecryptionalgorithmtakesciphertextandakeyasinputsandproducesplaintextasanoutput.Definition5.8Acryptographickeyisavaluethatdefinestheoperationofanencryptionordecryptionalgorithm.Valuesthatareusedforallusersofasystemarecalledparametersinstead.Whiletraditionalpublic-keyalgorithmshaveonlypublicandprivatekeys,IBEalgorithmstypicallyhaveasetofpublicparameters.Definition5.9Anasymmetricorpublic-keyencryptionalgorithmisanencryptionalgorithmthatusestworelatedkeys:apublickeyandaprivatekey,whichhavethepropertythatgiventhepublickeyitishardtofindtheprivatekey.Definition5.10Arandomizedencryptionalgorithmisonethatrequiresarandomnumberasaninputinadditiontoplaintextandakey.Definition5.11LetHbeahashfunctionwithinputsx1andx2andoutputsy1andy2.ThenHisacryptographichashfunctionifitisefficienttocomputeandhasthefollowingthreeproperties.Notethattheword‘‘difficult’’isintentionallyleftambiguousinthiscontextbecausethesecurityofmostcommonlyusedcrypto-graphichashfunctionsisnotbasedoncomputationalproblemsforwhichitiseasytogetaccurateestimatesofrunningtimes.1.Collisionresistance.Itisdifficulttofindx1andx2withx1≠x2andH(x1)=H(x2).2.Preimageresistance.Givenanyy1itisdifficulttofindanx1withy1=H(x1). CryptographyandComputationalComplexity933.Secondpreimageresistance.Givenanx1withy1=H(x1)itisdifficulttofindanx2withx1≠x2andy1=H(x2).5.1.2ProtectionProvidedbyEncryptionTherearesixgeneralcategoriesofattacksthattheuseofencryptioncanprotectagainst.Ineachofthesecases,anattackerattemptstoeitherdetermineakeyneededtodecryptamessageortheplaintextmessagethatwasencrypted.1.Ciphertext-onlyattack.Aciphertext-onlyattackiscarriedoutbyanadversarywhohasaccesstoonlyciphertext.Thisisthemostdifficultattackforanadversarytocarryout,andanycryptographicsystemneedstoberesistanttosuchanattacktoprovideanylevelofsecurityatall.2.Known-plaintextattack.Aknown-plaintextattackiscarriedoutbyanadversarywhohasaccesstobothplaintextandcorrespondingciphertext.Thematchingplaintextandciphertextneednotcompriseallofanencryptedmessage.Thistypeofattackisveryeasyforanadversarytocarryout,andprotectionagainstknown-plaintextattacksisessentialforanyusefulcryptographicsystem.Almostanytypeofinformationthatistransmittedelectronicallyhasenoughstructuretoguaranteesomelevelofmatchingplaintextandciphertext.Thestructurerequiredbydocumentorspreadsheetfileformatscanprovidethis,forexample,ascantheformatofe-mailorothermessageformats.Thestructureofdatacanalsoprovidethebasisforaknown-plaintextattack.BytesrepresentingASCIItexthavesomefixedbitswhileotherscanbeguessedwithahighprobability,forexample.3.Chosen-plaintextattack.Achosen-plaintextattackiscarriedoutbyanadversarywhocanselecttheplaintextandthenbegiventhecorrespond-ingciphertext.Suchanadversarycouldusethiscapability,forexample,tocreatealistofallpossibleplaintext-ciphertextpairsandthendecryptanyotherencryptedmessagesthatheobservesbylookingupthecorrectplaintextinthistable.Onewaytocountersuchacapabilityinanadversaryistoincluderandominformationwiththeplaintextthatgetsencrypted,sothatasingleplaintextmessagewilltypicallygetencryptedtoadifferentciphertexteachtimethatitisencrypted.4.Adaptivechosen-plaintextattack.Inanadaptivechosen-plaintextattack,anadversaryselectsaninitialplaintextmessagetoencryptandthenselectsthenextplaintextmessagesthatheencryptsbasedontheciphertextthathereceivesfromthepreviousencryption.Hecanrepeatthisprocessasoftenasneededtogathermoreinformationaboutthe 94IntroductiontoIdentity-BasedEncryptionkeybeingused.Otherwise,thisattackhasthesamepropertiesasachosen-plaintextattack.5.Chosen-ciphertextattack.Inachosen-ciphertextattack,anadversaryselectsaciphertextandisabletoobtainthecorrespondingplaintext.Ifanalgorithmencryptsaparticularplaintexttothesameciphertexteverytimeitisencryptedthenitisvulnerabletoachosen-ciphertextattack,somanyencryptionalgorithmsaddarandominputtotheplaintexttomakesuchanattackinfeasible.Portabledeviceslikesmartcardsmaybesusceptibletochosen-ciphertextattacks,becausetheycanoftenbeobtainedbyanadversary.Beingsecureagainstchosen-ciphertextattacksisthestandardlevelofsecuritythatiscurrentlyexpectedofpublic-keysystems.6.Adaptivechosen-ciphertextattack.Inanadaptivechosen-ciphertextattack,anadversaryselectsaninitialciphertextmessagetodecryptandthenselectsthenextciphertextmessagesthathedecryptsbasedontheplaintextthathereceivesfromthepreviousdecryption.InthecaseofIBE,thereareadditionalopportunitiesforattackers.Inparticular,whenanattackertriestorecovertheprivatekeyforaparticularidentityorrecoveraplaintextencryptedtoaparticularidentity,hemayalsohavetheprivatekeysthatcorrespondtootheridentities.ThisleadstothefollowingtwoadditionalcasesthatapplyonlytoIBEschemes.1.Chosen-identityattack.Inachosen-identityattack,alsocalledaselective-identityattack,anadversaryattemptingtoattackaparticularprivatekeyoraciphertextencryptedtoaparticularidentitycanchooseanyotheridentityandthenusetheprivatekeyforthisidentitytohelphiminhisattack.2.Adaptivechosen-identityattack.Inanadaptivechosen-identityattack,anadversarycancarryoutachosen-identityattack,andcanthenperformadditionalchosen-identityattacksbasedontheresultsofthefirstattack.HecanthenrepeatthisasoftenashelikesinanattempttorecoveranIBEprivatekey,mastersecret,orplaintext.Notallencryptionschemesprotectagainstallcategoriesofattacks.Inparticular,theIBEalgorithmsdescribedinthisbookaresusceptibletochosen-ciphertextattacks,sothatanadditionalstepofprocessingneedstobeaddedpasttheapplicationoftheencryptionalgorithmtogetasystemthatwillresistsuchattacks.ThiscanbeaccomplishedthroughusingtheFujisaki-Okamototransform. CryptographyandComputationalComplexity955.1.3TheFujisaki-OkamotoTransformAtechniqueduetoFujisakiandOkamoto[3]transformsapublic-keyencryptionalgorithmwithfairlyweakpropertiesintoonewhichissecureagainstchosen-ciphertextattacks.Somepublic-keyalgorithmsarevulnerabletochosen-ciphertextattacks,andthistransformationcanbeusedtocreateamoresecureschemefromalesssecurealgorithm.Inparticular,letE(P,X,R)bearandomizedpublic-keyencryptionalgorithmthatencryptstheplaintextXusingtherandominputrandthepublickeyP;letDbethedecryptionfunctionthatcorrespondstoE;andletH1andH2becryptographichashfunctions.ThenforaplaintextmessageM,theencryptionalgorithmE′isresistanttochosen-ciphertextattacks,whereE′(P,M,r)=(C1,C2)=CwhereC1=E(P,r,H1(r,M))andC2=H2(r)⊕MTodecryptamessagethatisencryptedwiththishybridscheme,therecipientperformsthefollowingsteps:1.CalculateD(C1)=s.2.CalculateH2(s)⊕C2=M.3.Setr=H1(s,M)andcheckthatE(P,s,r)=C1.Ifthisisnottrue,raiseanerrorconditionandexit.4.OutputMasthedecryptionofC.5.2RunningTimesofUsefulAlgorithmsOnegoalofthetheoryofcomputationistoprovidetheframeworkneededtoclassifycomputationalproblemsaccordingtotheresourcesneededtosolvethem.Inparticular,theresourcesneededforanadversarytodefeattheprotectionprovidedbyencryptionisofinteresthere,andwewillusethisframeworktojustifywhycertainIBEalgorithmsarereasonablysecurewhentheirparametersarechosenappropriately.Themainfocushereistherunningtimerequiredto 96IntroductiontoIdentity-BasedEncryptionsolvecertaincomputationalproblems,whichisthewaythatthemostwidelyacceptedstandard[4]definescryptographicstrength.Whilemanydiscussionsoftherunningtimesofalgorithmsfocusonthesizeofaninputn,inthecaseofcryptography,amoreusefulmeasureisintermsofthenumberofbitsthatittakestorepresentaninput.Thuswearemoreinterestedinrunningtimesthatareexpressedintermsoflogninsteadofintermsofn.So,analgorithmthatwouldoftenbethroughofashavingrunningtimeO�√n�ismoreusefullythoughtofashavingtheequivalentrunningtime1Ologn�e2�whichmakesitclearerthatwhileanalgorithmwithsucharunningtimemightbeconsideredrelativelyfastasafunctionofn,itmightbeconsideredrelativelyslowasafunctionoflogn.5.2.1FindingCollisionsforaHashFunctionFormosthashfunctions,findingacollisioniseasierthanfindingapreimageorasecondpreimage,sothestrengthofacryptographichashfunctionisusuallymeasuredbytheexpectednumberofoutputsthatneedtobecomputedtomaketheprobabilityoffindingacollisionequalto1/2.Findingtheprobabilityofacollisioninahashfunctionismuchliketheso-calledbirthdayproblem,inwhichwewanttofindtheprobabilitythattwopeopleinagroupofkpeoplesharethesamebirthday.Inthiscase,wecanthinkofthebirthdayasbeingtheoutputofahashfunctionthatmapspeopletothedayonwhichtheywereborn.Tofindthisprobability,itiseasiertofindtheprobabilitythatallkpeoplehavedifferentbirthdays.Thisisgivenby364363365−k+1p=...365365365k−1365−i=��365�i=1Sowewantthelargestkforwhichp<1/2,ork−1��365−i�1365<2i=1Nowwehave CryptographyandComputationalComplexity97k−1k−1k−1365−i1365−i��365�<�k−1∑�365��(5.1)i=1i=1k−1k−11=�(k−1)365)∑i�k−1i=11k(k−1)k−1=�k−1(k−1)365)�2��k−1k−1kk=�1−�<�e−2�365�(5.2)2�365k2−k−=e2�365(5.3)wheretheinequalityin(5.1)followsfromthepropertiesofthearithmetic-geometricmean,andtheinequalityin(5.2)followsfromthepropertythat1−x0wehave��xi,ifxi∈S12xi+1=�xi,ifxi∈S2��xi,ifxi∈S3 CryptographyandComputationalComplexity99Wecanthinkofthesequence{xi}asdefiningtwosequences{ai}and{bai�biwherei}wherexi=�ai,ifxi∈S1ai+1=�2aimodn,ifxi∈S2ai+1modn,ifxi∈S3andbi+1modn,ifxi∈S1bi+1=�2bimodn,ifxi∈S2bi,ifxi∈S3Thenifwefindxiandx2iwithxi=x2ithenwehavefoundacasewhere�ai�bi=�a2i�b2iorthat�bi−b2i=�a2i−ai(5.7)Takingthelogarithmof(5.7)tothebase�wegetthat(bi−b2i)log��≡(a2i−ai)(modn)ora2i−ailog��=(modn)bi−b2iThereareafewcaseswherethisalgorithmwillfail,likewhenbi≡b2i(modn),whichhappenwithaverysmallprobability.Ifthishappens,itispossibletorepeatthealgorithmwithadifferentstartingvalueuntilthefailureisavoided,usinganinitialstateofxa0�b0wherea0=�0andb0arerandomelementsofG.5.2.3TheGeneralNumberFieldSieveThegeneralnumberfieldsieve(GNFS)[7]iscurrentlythebest-knownalgorithmforfactoringlargeintegers.TheGNFSisoneafamilyoffactoringalgorithms 100IntroductiontoIdentity-BasedEncryptionthatarebasedonthe‘‘differenceofsquares’’technique,whichusestheobserva-tionthatifwehave(x−y)(x+y)≡0(modn)or22x≡y(modn)thengcd(x−y,n)andgcd(x+y,n)arefactorsofn,althoughtheymaybeeither1orn.Ifnistheproductoftwoprimespandq,thenTable5.1liststhepossiblecasesthatmayoccur.Most,butnotall,ofthesecasesresultineithergcd(x−y,n)orgcd(x+y,n)givinganontrivialfactorofn.TheGNFSextendsDixon’salgorithm[8]tonumberfields,extensionsofthefieldofrationalnumbers,andpicksparameterscleverlytogetimprovedperformance.ThefirststepinDixon’salgorithmistofixasetoffactors2F={p1,p2,...,pm}andtorandomlygenerateintegersrisuchthatriisF-smooth.Sowecanthinkofsuchintegersriasvectors(ei,1,ei,2,...,ei,m),thecomponentsofwhichindicatethepowersoftheelementsofFinthefactorizationofri,sothatmrpei,ji=�jj=1Oncewefindasuitableriwecalculateacorrespondingvectorvithatrepresentstheparityofeachoftheexponentsoftheprimesinthefactorizationofri,sothatvi,j=ei,jmod2.Ifwecanfindm+1suchvectorsvithenweTable5.1PossibleCasesforx2≡y2(modn)p|(x+y)p|(x−y)q|(x+y)q|(x−y)gcd(x+y,n)gcd(x−y,n)YesYesYesYesnnYesYesYesNonpYesYesNoYespnYesNoYesYesnqYesNoYesYesn1YesNoNoYespqNoYesYesYesqnNoYesYesNoqpNoYesNoYes1n CryptographyandComputationalComplexity101havem+1vectors,eachofdimensionm,sotheymustbelinearlydependent.ThusthereisanonemptysubsetU⊆{1,2,...,t+1}sothat∑vi≡0(mod2)i∈UThustheparityofeachoftheexponentsin2�rii∈Uiseven,sothatifwewritex=�rii∈Uandmeiy=�pii=1thenwehavethat222x=�ri≡y(modn)i∈UOncewehavefoundsuitablexandyinthisway,wethencalculategcd(x−y,n)orgcd(x+y,n),hopingtogetanontrivialfactorofn.Ifwegeteither1ornforbothoftheseresults,westartoverandcalculatenewrandomvaluesforri.TheGNFSincreasestheperformanceofthistechniquethroughacleverselectionofparametersandbygeneralizingthesetoffactors,butthealgorithmstillhasstepsthataresimilartothestepsdescribedearlier:pickasetofrandomvaluesthataresmoothrelativetosomeset,afterenoughsuchvaluesaregenerated,solveasystemofequationstofindadependencythatcanbemanipulatedtogetadifferenceofsquares,andthencalculateagreatestcommondivisortogetanontrivialfactor.TheGNFShasanexpectedrunningtimeof1/31/32/3O(exp((64/9)(logn)(loglogn)))ThusacryptanalyticattackbasedonusingtheGNFSisreasonablydifficultforanattackertocarryout. 102IntroductiontoIdentity-BasedEncryption5.2.4TheIndexCalculusAlgorithmTheindexcalculusalgorithmiscurrentlythebest-knownalgorithmforcalculat-ingdiscretelogarithmsinthemultiplicativegroupofafinitefield.ItusesideasthatareverysimilartothoseusedintheGNFS,andcanbetracedbacktotheworkofKraitchikin1922[9].Inparticular,letgbeaprimitiveelementof�p*andF={p1,p2,...,pm}beasetofprimes.Wethenpickrandomzzz∈�p*andcalculateg.IfgisF-smooththenwecanwecanwritemgz=�p�iii=1orthatmz=∑�i�loggpii=1whereweknowthevalueofzandallofthevaluesof�i.Wecontinuethiszprocessuntilwefindm+1suchvaluesofzforwhichgisF-smooth.Oncewehavem+1suchvalues,wesolvetheresultingsystemofequationstofindauniquesolutionforloggpi.Thiswillthenletusfindthediscretelogarithmofanyy∈�p*.Todothisweagaingeneraterandomvaluesofzuntilwefindzavalueofzsuchthaty�gisF-smooth.Usingthisvalueofzwefindthatmloggy≡−z+∑�i�loggpi(5.8)i=1Weknowallofthevaluesappearingontheright-handsideof(5.8),sothatwecanthuscalculateanysuchdiscretelogarithm.Theindexcalculusalgorithmhasanexpectedrunningtimeof1/31/32/3O(exp((64/9)(logn)(loglogn)))wheren=p−1istheorderofthegroup�p*.Thusacryptanalyticattackbasedonusingtheindexcalculusalgorithmisreasonablydifficultforanattackertocarryout.Althoughthisdiscussionisspecifictocalculatingdiscretelogarithmsin�p*,itisalsopossibletoextendthistechniqueto�p*n[10].5.2.5RelativeStrengthofAlgorithmsThetraditionalmetricforcomparingtherelativestrengthofcryptographicalgorithmsisanidealsymmetricalgorithmforwhichthereisnowaythatan CryptographyandComputationalComplexity103nattackercanrecoverasecretkeyofnbitsthatiseasierthantryingall2possiblen-bitkeystofindtheonethatproducesaknownplaintext-ciphertextpair.EquatingtherunningtimeofthiscomputationtothetimerequiredbyeitherPollard’srhoalgorithm,theGNFS,ortheindexcalculusalgorithm,wecangetanestimateforthebitstrengthor‘‘computationalentropy’’ofpublic-keyalgorithms.Therehavebeenmanyattempts[4,11–13]atcreatingsuchestimates,allofwhichhaveproducedslightlydifferentresults,buttheestimatesof[4]havebeenusedinthemostimportantcryptographicstandards[14,15].Theseestimatesseemtoassumethatanadversarywillcreateaspecial-purposemachinetoperformthecalculationsinsteadofusingwidelyavailablecomputingresourceslikecommoditydesktopcomputers,sothatpracticaldifficulties,likethestoragespacerequiredtosolvetheverylargesystemofequationsthattheGNFSandindexcalculusalgorithmsrequire,arenotconsidered.TheestimatesprovidedbythisapproacharesummarizedinTable5.2.So,accordingtothisapproach,calculatingadiscretelogarithminagroupwithasizeof256bitsbyPollard’srhoalgorithmtakesroughlythesametimeastryingallpossible128-bitsymmetrickeys,whichalsotakesroughlythesametimeasfactoringa3,072-bitintegerorcalculatingadiscretelogarithminafinitefieldwhichhasasizeof3,072bits.In1998,theElectronicFrontierFoundationsponsoredtheconstructionoftheDESCracker[16],aspecial-purposecomputerthatusedmassivelyparallelcomputationon36,864customprocessingunitstotestover92billionDESkeyspersecond,whichletittestallpossible56-bitDESkeysinabout9days.Ifwecouldbuildamachinethatcantestkeys1milliontimesfasterthanthis,perhapsthroughacombinationofmoreprocessingunitsandfasterclockspeeds,128wewouldfindthatitwilltakeover117trillionyearstotestall2possible128-bitkeys.Table5.3listsvariouseventsinthefuture[17]andhowmanybitsoutofthe128possiblebitswillhavebeentestedastheeventstakeplace.Thisseemstoindicatethat128bitsofstrengthisprobablyadequatefortheforeseeablefuture.Table5.2EquivalentCryptographicStrengthProvidedbyDifferentAlgorithms[4]SizeofIntegerBitStrengthSizeofGrouporFiniteField801601,0241122242,0481282563,0721923847,16825651215,360 104IntroductiontoIdentity-BasedEncryptionTable5.3ProgressTowardsTestingAll128-BitKeysonHypotheticalMachineBitsofKeyEventYearsintheFutureTestedEarth’scontinentscollide250million110MilkyWaycollideswiththeAndromedagalaxy3billion114Sunbecomesawhitedwarf8billion115Fundamentallimitsoncomputationtellusthata256-bitkeyisevenmoresecure,becausecomputationisnotjustlogical,butalsophysical.ConsideranANDgate:twobitsgoinbutonlyonebitcomesout.Ifwerepresenteachbitbyonlyasingleelectron,wecanhavetwoelectronsenteringthegatebutonlyoneleaving.Theenergycarriedbythisextraelectronhastogosomewhere,soweseethaterasingabitactuallyrequiresenergy.ThisissummarizedinLandauer’sprinciple[18],acorollaryofthesecondlawofthermodynamicsthattellsusthaterasingabitcostsatleastkTlog2inenergy,where−2322k=1.38×10mkg/sKisBoltzmann’sconstantandTisthetemperatureatwhichtheoperationtakesplace.ExistingtechnologiesarefarfrombeinglimitedbyLandauer’sprinciple,butitisafundamentallimittocomputationthatwecannotovercomeifweneedtoerasebitstoperformcalculations,likeallmoderncomputersdo.Ontheotherhand,ifwewanttobuildabiggerandfastercomputermuchliketheDESCracker,butonethattriesallpossible256-bitAESkeys,wefindthatLandauer’sprincipleactuallylimitsus,andthatthereisactuallynotenoughenergyinthevisibleuniversetotryallofthesekeys.Soalthough256isafairlysmallnumber,thenumberofpossible256-bitkeysisahugenumber,andthisnumberissolargethatwecanneverhopetotrythemall—fundamentallimitsoncomputationtellusthatwecanneverdoit,atleastnotwithtechnologywhichrequiresbitstobeerasedwhenitoperates.5.3UsefulComputationalProblemsSomecomputationalproblemshavethepropertythattheyaresuitablyhard,yetcanbestatedintermsofquantitiesthatcanbeusedtocreatepublic-keyalgorithmsthatgettheircryptographicstrengthfromthedifficultyofthehardproblem.Inparticular,computationalproblemswhosebest-knownsolutioniscalculatedbyPollard’srhoalgorithm,theGNFS,ortheindexcalculusalgorithmaresuitablydifficult.TheDiffie-Hellmankeyexchange[19],thefirstpractical CryptographyandComputationalComplexity105public-keyalgorithm,providesthemotivationformanyofthecomputationalproblems.IntheDiffie-Hellmankeyexchange,wehaveacyclicgroupGofprimeorderpwithgeneratorg.Theprivatekeyofauserisanelement�∈�p*andthecorrespondingpublickeyisg�.Supposethatwehavetwousers,AliceandBob,whowanttoagreeuponasharedsecret,andthatAlice’sprivatekeyisaaandBob’sprivatekeyisb,sothatAlice’spublickeyisgandBob’spublickeybbisg.AlicecanobtainBob’spublickeygandthencalculatebabaaba(g)=g=gfromit,whileBobcanobtainAlice’spublickeygandthenababcalculate(g)=gfromit.Bydoingthis,theybothendupwiththecommonababvaluegwhichtheycanthenuseasasharedsecret.Thevaluesg,g,andgarepublic,butwithouttheprivatevaluesaandb,itisbelievedtobehardforanadversarytocalculategab.Inthediscussionbelow,thisgeneralframeworkisusedtodescribeproblemsrelatedtotheDiffie-Hellmankeyexchange.Sothatgwillrepresentageneratorofamultiplicativecyclicgroup,anda,b,andcareelementsof�p*.Incaseswherethegroupisanadditivegroup,Pwillrepresentageneratorofthegroup.Whereapairingisneeded,wewillassumethatwehavee:G1×G1→GT.Caseswheree:G1×G2→GTcanbesimilarlydescribed.Inmanycasestherearetworelatedproblems:acomputationalproblemandadecisionproblem.Solvingacomputationalproblemisroughlyequivalenttocalculatingacorrectanswer,andiftherelevantcomputationalproblemishardthencalculatingacorrectanswerishard.Insomecases,thismaynotbegoodenough.Inparticular,wealsowantittobedifficulttoguessacorrectanswerortodeterminepartofthecorrectanswer.Iftherelevantdecisionproblemishardthenguessingacorrectanswerordeterminingpartofthecorrectanswerisalsohard.5.3.1TheComputationalDiffie-HellmanProblemThecomputationalDiffie-Hellmanproblem(CDHP)[20]modelsthesituationababinaDiffie-Hellmankeyexchange:giveng,.gandg,calculateg.Multiplica-tivenotationisusedbecausethemultiplicativegroupofafinitefieldistheusualsettingforimplementingtheDiffie-Hellmankeyexchange.TheCDHPcanalsobewritteninadditivenotationas:givenP,aP,bP,calculateabP.Oneobviouswaytosolvethisproblemistodeterminebbycalculatingbathediscretelogarithmofgandthentousethatvalueofbalongwithgababtocalculate(g)=g,sothatsolvingtheCDHPisnomoredifficultthancalculatingdiscretelogarithms.Ontheotherhand,thereisnoguaranteethatanadversarycannotdeterminesomeinformationaboutthesharedsecretfromg,gaandgb,perhapsbeingabletodetermineseveralofthebitsofgabbutnot 106IntroductiontoIdentity-BasedEncryptionallofthem.Toavoidsuchapossibility,anotherproblemneedstobehard:thedecisionDiffie-Hellmanproblem.5.3.2TheDecisionDiffie-HellmanProblemabThedecisionDiffie-Hellmanproblem(DDHP)[21]is:giveng,g,g,andx,abdeterminewhetherornotx=g.OneobviouswaytosolvethisproblemisababtodeterminebsolvingtheCDHPandthentocalculate(g)=g,andtoabthencomparethisvalueofgtothegivenvalueofx.ThussolvingtheDDHPisnomoredifficultthantheCDHP.IftheDDHPishardthenitishardtoababdistinguishbetweengandanyotherelementofG,sothatglookslikearandomelementofG.Insomecases,theDDHPismucheasier,particularlywhenapairingisababavailable.Ifwehaveapairing,thenwecanthencalculatee(g,g)=e(g,g).abababIfx=gthenwewillalsohavethate(g,x)=e(g,g)=e(g,g),sothatwecaneasilysolvetheDDHPproblembycomparinge(ga,gb)toe(g,x).BeingabletocalculateLegendresymbolsin�p*alsomakessolvingtheDDHPeasyin�p*.Thevaluegabwillbeasquaremodulopexactlywhentheproducta�biseven,whichhappenswheneitheraorbiseven,whichwillhappenwithprobability3/4forrandomaandb.Ontheotherhand,foraabrandomc,cisasquarewithprobability1/2.Sotheprobabilityof(g/p)and(c/p)beingdifferentisababPr((g/p)=+1∧(c/p)=−1)+Pr((g/p)=−1∧(c/p)=+1)=(3/4)(1/2)+(1/4)(1/2)=1/2abSocomparingtheLegendresymbols(g/p)and(c/p)hasa1/4probabilityabofdistinguishingbetweengandarandomc,whichisanonnegligibleprobabil-ityofsuccess,andsotheDDHPiseasyin�p*ifpisaprime,wherewecancalculateLegendresymbols.AlthoughtheDDHPiseasyin�p*,itisconjecturedtobedifficultin�p*n.forn>1.GroupsinwhichtheDDHPiseasyandtheCDHPisbelievedtobehardaresometimescalledgapDiffie-Hellmangroups.Figure5.1showstherelationshipsbetweenthevariousDiffie-Hellmanproblems,wherethenotation‘‘Problem1→Problem2’’indicatesthatasolutiontoProblem1makesfindingasolutiontoProblem2easy.DiscreteComputationalDecisionlogarithmDiffie-HellmanDiffie-HellmanproblemproblemproblemFigure5.1RelationshipbetweenthevariousDiffie-Hellmanproblems. CryptographyandComputationalComplexity1075.3.3TheBilinearDiffie-HellmanProblemThebilinearDiffie-Hellmanproblem(BDHP)[22]generalizestheCDHPtoabcgroupswithapairing.TheBDHPis:givenP,aP,bP,cP,calculatee(P,P).AdditivenotationisusedbecausethesettingfortheBDHPistypicallyanellipticcurvegroup,whereadditivenotationistraditional.TheBDHPcanalsoabcabcbewritteninmultiplicativenotationas:giveng,g,g,g,calculatee(g,g).SolvingtheBDHPisnomoredifficultthancalculatingdiscretelogarithmsineitherG1orGT.IfwecanfindthevalueofcbycalculatingthediscretecabclogarithmofcPinG1,thenwecancalculatee(aP,bP)=(e(P,P))=abce(P,P)or,ifwecanfindthevalueofcbycalculatingthediscretelogarithmcabcofe(P,cP)=e(P,P)inG2thenwealsocalculatee(P,P)inasimilarway.NotethatfP:G1→GTdefinedbyfP(Q)=e(P,Q)isanisomorphismofgroups.IffPiseasytoinvert,thatiswecaneasilycalculate−1fP(e(P,Q))=QthentheBDHPisalsoeasy.Wecanfirstcalculate−1g=e(aP,bP)=e(P,abP),andthenfP(g)=abP,andfinallye(abP,cP)=abce(P,P),solvingtheBDHP.Ontheotherhand,iffPiseasytoinvert,wecanalsoeasilysolvetheabDDHPinGT.Supposethatwehaveg,g,g,andx,inGT.If−1−1a−1bfP(g)=QthenwehavefP(g)=aQandfP(g)=bQ.Supposethat−1ab−1fP(x)=X.Ifx=gthenwewillhavefP(x)=abQ,sothate(Q,X)=ababe(Q,abQ)=e(Q,Q)whilee(aQ,bQ)=e(Q,Q),sothatife(Q,X)=abe(aQ,bQ)thenx=g.abcEvenifitishardforanadversarytocalculatee(P,P)fromP,aP,bP,andcP,hereisnoguaranteethatanadversarycannotdeterminesomeinformationabcaboute(P,P)fromP,aP,bP,andcP,perhapsbeingabletodetermineseveralabcofthebitsofe(P,P)butnotallofthem.Toavoidsuchapossibility,anotherproblemneedstobehard:thedecisionbilinearDiffie-Hellmanproblem.5.3.4TheDecisionBilinearDiffie-HellmanProblemThedecisionbilinearDiffie-Hellmanproblem(DBDHP)[22]generalizestheDDHP.TheDBDHPis:givenP,aP,bP,cP,andx,determinewhetherorabcnotx=e(P,P).SolvingtheDBDHPisnomoredifficultthatcalculatingdiscretelogarithmsineitherG1orGT.IfwecanfindthevalueofcbycalculatingthediscretelogarithmofcPinG1,thenwecancalculatecabcabce(aP,bP)=(e(P,P))=e(P,P)or,ifwecanfindthevalueofcbycalculatingthediscretelogarithmofcabce(P,cP)=e(P,P)inGTthenwealsocalculatee(P,P)inasimilarway.abcIftheDBDHPishardthenitishardtodistinguishbetweene(P,P)and 108IntroductiontoIdentity-BasedEncryptionabcanyotherelementofGT,sothate(P,P)lookslikearandomelementofGT.Figure5.2showstherelationshipbetweenthevariousDiffie-Hellmanproblemsandtheirbilinearvariants,wherethenotation‘‘Problem1→Problem2’’indicatesthatasolutiontoProblem1makesfindingasolutiontoProblem2easy.5.3.5q-BilinearDiffie-HellmanInversionTheq-bilinearDiffie-Hellmaninversionproblem(q-BDHIP)[23]is:givenP,2q1/aaP,aP,...,aP,calculatee(P,P).Solvingtheq-BDHIPisnomoredifficultthancalculatingdiscretelogarithmsineitherG1orG2.IfwecanfindthevalueofabycalculatingthediscretelogarithmofaPinG1,thenwecan1/acalculate1/aandthencalculatee(P,P).Orifwecanfindthevalueofabyacalculatingthediscretelogarithmofe(P,aP)=e(P,P)inGTthenwealso1/acalculatee(P,P)inasimilarway.1/a2Evenifitishardforanadversarytocalculatee(P,P)fromP,aP,aP,q...,aPcP,hereisnoguaranteethatanadversarycannotdeterminesome1/a2qinformationaboute(P,P)fromP,aP,aP,...,aPcP,perhapsbeingable1/atodetermineseveralofthebitsofe(P,P)butnotallofthem.Toavoidsuchapossibility,anotherproblemneedstobehard:theq-decisionbilinearDiffie-Hellmaninversionproblem.DiscreteComputationalDecisionlogarithmDiffie-HellmanDiffie-HellmanprobleminprobleminG1probleminG1G1BilinearDecisionbilinearDiffie-HellmanDiffie-HellmanproblemproblemDiscreteComputationalDecisionlogarithmDiffie-HellmanDiffie-HellmanprobleminprobleminGTprobleminGTGTFigure5.2RelationshipbetweenthevariousDiffie-Hellmanproblemsandtheirbilinearvariants. CryptographyandComputationalComplexity1095.3.6q-DecisionBilinearDiffie-HellmanInversionTheq-decisionbilinearDiffie-Hellmaninversionproblem(q-DBDHIP)is:2q1/agivenP,aP,aP,...,aPandx,decidewhetherornotx=e(P,P).Solvingtheq-DBDHIPisnomoredifficultthantheq-BDHP.Ifwecancalculate1/a2qe(P,P)fromP,aP,aP,...,aPwedosoandcompareittox.Ifthe1/aq-DBDHPishardthenitishardtodistinguishbetweene(P,P)andany1/aotherelementofGT,sothate(P,P)lookslikearandomelementofGT.5.3.7CobilinearDiffie-HellmanProblemsInthecasewherewehaveapairinge:G1×G2→GTwithG1≠G2,itisnecessarytomodifytheframeworkofalloftheproblemsthatuseapairing.ThisgivesthecobilinearDiffie-Hellmanproblem(co-BDHP),whichis:givenabP,aP,bP∈G1andQ∈G2,calculatee(P,Q).Theotherproblemsinvolvingapairinge:G1×G2→GTcanbegeneralizedtorelatedcoproblemsinasimilarway.Itisnomoredifficulttosolvetheco-BDHPthanitistocalculatediscretelogarithmsineitherGTorinG1,whichisthesameboundthatoccurswiththeBDHP.ThemoregeneralframeworkofthecobilinearDiffie-Hellmanproblemsismoreusefulfordescribinggeneralresults,andsomeresearchpublica-tionsusetheterm‘‘BDHP’’todescribewhatwecallthe‘‘co-BDHP’’tokeepthefamiliarterminologyinthemoregeneralsetting.InthefollowingwewilloftenstatesimplerresultsintermsoftheBDHPthatcaneasilybegeneralizedtotheco-BDHP.5.3.8IntegerFactorizationk�iIfnisacompositeintegerwithprimefactorizationn=�pithentheintegeri=1factorizationproblemistodetermineoneofthefactorsofn.Ifwecandothis,wecandividenbythisfactorandrepeattheprocessuntilwefindallofthefactorsofn.Foragivenintegerm,determiningwhetherornotnhasafactorlessthanmforsomeintegermisprobablythemostrelevantrelateddecisionproblem.TheproblemofdeterminingwhetherornotniscompositecanbeefficientlydeterminedbytheAKSprimalitytest[24].5.3.9QuadraticResiduosityIfnisacompositeinteger,thenthequadraticresiduosityproblemis:givenxmodulon,determinewhetherornotxisaquadraticresiduemodulon.Thequadraticresiduosityproblemhasbeenstudiedformanyyears,datingatleastto1801,whenGaussdiscussedtheprobleminhisDisquisitionesArithmeticae 110IntroductiontoIdentity-BasedEncryption[25],anditisbelievedtobeasdifficultasintegerfactorization.Supposethatwecanfactornintotheproductoftwodistinctoddprimespandq.Inthiscase,xisaquadraticresiduemodulonexactlywhenitisasquaremodulopandasquaremoduloq.Thiscanbegeneralizedtointegerswithmoregeneralfactorizations,sothatsolvingthequadraticresiduosityproblemisnomoredifficultthatintegerfactorization.5.4SelectingParameterSizes5.4.1SecurityBasedonIntegerFactorizationandQuadraticResiduosityIfthedifficultyofattackingacryptographicalgorithmisbasedonthedifficultyofeithertheintegerfactorizationproblemorthequadraticresiduosityproblem,thenweassumethatanadversaryattackingsuchsystemswillneedtofactoralargecompositeintegertodefeattheprotectionprovidedbysuchalgorithms.Table5.2givesthesizesofthecompositeintegerthatneedstobefactoredtoattainstandardlevelsofsecurityagainstsuchanattack.Example5.1(i)Supposethatwewantacompositemodulusforwhichsolvingtheintegerfactorizationproblemisasdifficultasattackinga128-bitsymmetrickey.A3,072-bitcompositeintegerwillaccomplishthis.(ii)Supposethatwewantacompositemodulusforwhichsolvingthequadraticresiduosityproblemisasdifficultasattackingan80-bitsymmetrickey.A1,024-bitcompositeintegerwillaccomplishthis.5.4.2SecurityBasedonDiscreteLogarithmsIfthedifficultyofattackingacryptographicalgorithmisbasedonthedifficultyofanyoftheDiffie-Hellmanproblems,thenweassumethatanadversaryattackingsuchsystemswillneedtocalculateadiscretelogarithmtodefeattheprotectionprovidedbysuchalgorithms.Theremaybemorethanonewaytocalculatesuchdiscretelogarithms,andtheparametersofasystemusingsuchalgorithmsneedtoreflectthis.SupposethatcalculationsaredoneinagroupG=〈g〉.AnadversarycanalwaysusePollard’srhoalgorithmtocalculatetheneces-sarydiscretelogarithms,sotobesufficientlysecure,allcalculationsshouldbedoneinagroupinwhichallsubgroupsareatleastasbigasthesizesshowninTable5.2.Usingasubgroupofprimeorderisaneasywaytoaccomplishthis.Ifcalculationsaredoneinasubgroupofthemultiplicativegroupofa CryptographyandComputationalComplexity111finitefield,thentheindexcalculusalgorithmcanalsobeusedtocalculatediscretelogarithms,soifthisisthecase,thenthesizeofthefinitefieldalsoneedstobeatleastasbigasthesizesshowninTable5.2.Finally,iftheadversarycancalculateapairinge:G×G→�q*k,hecanalsousetheMOVreductiontomapcalculatingdiscretelogarithmsinGtocalculatingdiscretelogarithmsinthegroupgeneratedbye(g,g),sosimilarconcernsaboutthesubgroupsizeandfinitefieldsizeneedtoalsobeaddressedin〈e(g,g)〉⊆�q*k.Table5.2givesthesizesofthesubgroupsandfinitefieldsthatneedtobeusedtoattainstandardlevelsofsecurityagainstsuchattacks.Example5.2(i)SupposethatwewantanellipticcurvegroupinwhichsolvingtheCDHPisasdifficultasattackingan80-bitsymmetrickey.Inanellipticcurvegroupinwhichcalculatingapairingisinfeasible,requiringa160-bitorderofagroupmakescalculatingdiscretelogarithmsasdifficultasattackingan80-bitsymmetrickeyandwillaccomplishthis.(ii)SupposethatwewantasubgroupGof�p*inwhichsolvingtheCDHPisasdifficultasattackingan80-bitsymmetrickey.IfpisaprimeandGisofprimeorder,thenrequiringtheorderofGbeatleast160bitsandthatphasatleast1,024bitswillmakescalculatingdiscretelogarithmsasdifficultasattackingan80-bitsymmetrickeyandwillaccomplishthis.(iii)SupposethatwewantgroupsG1⊆E(�q)forsomeellipticcurveE/�q,GT⊆�q*kandapairinge:G1×G1→GT,andwantsolvingtheBDHPtobeasdifficultasattackingan80-bitsymmetrickey.RequiringG1tobeofprimeorderofatleast160bitsandhavingkthatqhasatleast1,024bitswillmakecalculatingdiscretelogarithmsinbothG1andGTasdifficultasattackingan80-bitsymmetrickeyandwillaccomplishthis.5.5ImportantSpecialCasesTheestimatesofthedifficultyinfactoringanintegerorincalculatingadiscretelogarithmassumethatthereisnoadditionalstructurethatcanbeusedtomakethecalculationevenfaster.Thisisnottrueinafewcases,andinthesecasesitispossibletoeitherfactoranintegerorcalculateadiscretelogarithmmuchfasterthanintheaveragecase.Therearethreeparticularcasesthatapplytocalculatingdiscretelogarithmsinanellipticcurvegroupandadditionalcasesthatapplytofactoringintegers. 112IntroductiontoIdentity-BasedEncryption5.5.1AnomalousCurvesAnomalouscurvesareellipticcurvesforwhich#E(�p)=p.Thedescriptionofthealgorithmusedtoefficientlycalculatediscretelogarithmsonanomalouscurvesisbeyondthescopeofthisbook.Detailsaregivenin[26,27].Thisalgorithmrunsinlineartime,makingsuchcurvesunsuitableforuseinmostcryptographicapplications.5.5.2SupersingularEllipticCurvesSupersingularellipticcurves,aswellasanyotherellipticcurveswithalowembeddingdegree,aresusceptibletoanMOVreduction[28],inwhichitispossibletoreducetheproblemofcalculatingadiscretelogarithminanellipticcurvegrouptocalculatingthediscretelogarithminafinitefield.Thiscanbedoneasfollows.LetG1beanellipticcurvegroup,GTbeamultiplicativegroupofafinitefield,ande:G1×G1→GTapairing.SupposethatwehaveP∈G1andwanttocalculatethediscretelogarithmofaP.Ife(P,P)=gthenaaae(P,aP)=e(P,P)=g,sobycalculatingthediscretelogarithmofg∈GTwefindthevalueofa.IfG1isanellipticcurvegroupwithanorderofnbits,forexample,calculatingadiscretelogarithminG1byPollard’srhoalgorithmrequiresO�√n�time,whilecalculatingadiscretelogarithminGTusingtheindexcalculusalgorithmrequires1/31/32/3O(exp((64/9)(logn)(loglogn)))time,whichmaybemuchlessthanthetimetocalculateadiscretelogarithminG1.Toget80bitsofstrengthwithordinaryellipticcurve,asubgroupGofE(�q)withanorderof160bitsisadequate.ThisisbasedontherunningtimeofPollard’srhoalgorithm,whichisroughlythesamefora160-bitgrouporder,whichisalsoroughlythesameastherunningtimefortheindexcalculusalgorithmfora1,024-bitfinitefieldorder.IfwehavethatE/�qissupersingularwithanembeddingdegreeofk=2,forexample,thenwecanalsocalculateadiscretelogarithminGbycalculatingadiscretelogarithmin�q*2byusingtheindexcalculusalgorithm.Intypicalapplications,thesizeofqisroughlythesamesizeas#E(�q),beingnomorethanoneortwobitslarger,sowemighthavea162-bitqinthiscase.WithsuchaqwecouldusetheMOVreductiontocalculatediscretelogarithmsinGbycalculatingdiscretelogarithmsinafinitefieldwithanorderofonly2×162=324bits,acalculationthatismucheasierthancalculatingadiscretelogarithminafinitefieldwithanorderof1,024bits.Itis,however,possibletoattainthesamelevelsofbitsecuritywithsupersingularcurvesaswithordinarycurvesbyusinglargergrouporders.Increas-2ingthesizeofthisqtobe512bits,forexample,willincreaseqtoapproximately CryptographyandComputationalComplexity1131,024bits,makingcalculatingdiscretelogarithmsin�q*kasdifficultasattackingan80-bitsymmetrickey.NotethatthereisnothingaboutsupersingularcurvesasidefromtheirlowembeddingdegreethatallowstheMOVreductiontobecarriedout;evenanordinarycurvewithalowembeddingdegreeisvulnerabletotheMOVreduction.Becausethecalculationofparingsrequiresacurvewithlowembed-dingdegreetomakethepairingcalculationfeasible,allsuchcurvesneedtohavetheirparameterschosensothattheyaresecureevenifanMOVreductionispossible.5.5.3SingularEllipticCurvesSingularellipticcurveshavediscriminant�=0.LetE/�qbeasingularellipticcurvewithsingularpointP.ThendiscretelogarithmsinE(�q){P}canbecalculatedasdiscretelogarithmsinafinitefieldasfollows[29]:1.IfPisanode,thendiscretelogarithmsinE(�q){P}canbecalculatedasdiscretelogarithmsineither�q*or�q*2,dependingonthestructureoftheellipticcurve.2.IfPisacusp,thendiscretelogarithmsinE(�q){P}canbereduced+todiscretelogarithmsin�q,theadditivegroupofthefinitefield�q.Muchlikeinthecaseofsupersingularellipticcurves,itispossibletoincreasethesizeofthegrouptocompensateforthereducedsecuritythatsingularcurveswithanodehave.Ontheotherhand,thecasewithasingularcurvewithacuspmakesiteasytocalculatediscretelogarithmsinE(�q){P},makingthemessentiallyuselessforcryptographicapplications.Becausethestructureofthegroupofpointsonasingularellipticcurvebehavesmorelikeafinitefieldthananellipticcurvegroup,thedefinitionofanellipticcurvesometimesexplicitlyexcludessingularcurves.5.5.4WeakPrimesTherearealsocaseswhereintegerfactorizationismucheasierthanthegeneralcaseduetoeitherthestructureofprimefactorsortherelationshipbetweenprimefactors.Oneofthesecaseshappenswhenoneoftheprimefactorspofanintegernhasthepropertythatp−1issmoothrelativetosomesetofprimepowersF=p�1�2�l.Thealgorithmthatcanusethisinformation1,p2,...,plisPollard’sp−1algorithm[30].Thisalgorithmworksinthefollowingway.Letl�im=�pii=1 114IntroductiontoIdentity-BasedEncryptionandsupposethat(p−1)|m,sothatwecanwritem=d(p−1).Thenforanyvalueofawithgcd(a,p)=1wehaveM(p−1)dp−1da=a=(a)≡1(modp)Msothatwecanwritea−1=pkforsomek.AndsincepisafactorofnweMcanalsowriten=pq.Thusgcd(a−1,n)=gcd(pk,pq)isadivisorofnthatisstrictlygreaterthan1,atleasthavingpasafactor,possiblybeingnitself.Soifwecanfindavalueofmsuchthat(p−1)|mwefindafactorofMnbycalculatinggcd(a−1,n).SomevaluesofawillnotprovideanyusefulMinformationonthis,resultingingcd(a−1,n)=n.Inthiscase,wecanpickanotherrandomawithgcd(a,p)=1andtryagain.Othertechniquescantakeadvantageofotherstructuresofprimefactorsortherelationshipbetweenprimefactors.Becauseofthesetechniques,somestandardsrequiretheuseof‘‘strongprimes’’tocreatekeysforalgorithmsthatrelyonintegerfactorization.Inparticular,[31]requiresthefollowingconditionstobemetforsuchprimeswheretwoprimespandqareneededtocalculateacompositenwhichmustbedifficulttofactor:1001.Allofp±1andq±1mustcontainaprimefactorgreaterthan2.2.gcd(p−1,q−1)mustbesmall.3.Ifp�qhas1,024+256sbits,thenp/qmustnotbeclosetoasmall412+128sintegerand|p−q|>2.1004.p−qmustcontainaprimefactorgreaterthan2.Requiringsuchstrongprimesisveryconservative.Weakprimesarefairlyrare,soattemptstofactoranintegerthattrytotakeadvantageoftheuseofweakprimesareveryunlikelytosucceedwithmostrandomlygeneratedprimes.Despitethis,someusersofpublic-keycryptographyfeelthatrequiringtheuseofstrongprimesisnecessaryfortheirparticularuses.Whenimplementingcryptography,itisimportanttounderstandwhatassumptionstheusersoftheresultingsystemarewillingtomakebecausetheyaretheoneswhowilltrustthesystemtoprotecttheirdata.5.6ProvingSecurityofPublic-KeyAlgorithmsInsomecasesitiseasytoseethecorrespondencebetweenbeingabletooneofthecomputationalproblemsandtheabilityofanadversarytoattackapublic-keysystem.TheCDHP,forexample,ismodeledafterwhatanadversaryobservesinaDiffie-Hellmankeyexchangeandwhattheadversarywantstoobtaininordertodefeatthesystem.Inothercases,however,thecorrespondenceisnot CryptographyandComputationalComplexity115asclear.ThefactthatthestrengthofsomeoftheIBEalgorithmsthatwillbediscussedinthefollowingchaptersisatleastasstrongascertaincomputationalproblemsmaybeunclearduetothecomplexityofthealgorithms,forexample,anditisgoodtoknowthatthereareproofsthatdefeatingthemisatleastashardascomputationalproblemsthatarebelievedtobehard.Toprovethatacryptographicalgorithmisatleastasstrongasacertaincomputationalproblem,thetypicaltechniqueistoassumethatanadversarywhohasanalgorithmcapableofdefeatingthecryptographicalgorithmofinterestandtoshowthathecanthenusehisattackalgorithmtoconstructanalgorithmthatwillsolvethecomputationalproblemofinterest.Thusifwebelievethatthecomputationalproblemishardtosolve,itisalsohardtodefeatthecryptographicalgorithm.Notethatthisdoesnotshowthatthecryptographicalgorithmisactuallysecure;ifwecansolvetherelatedcomputationalproblemthenwecandefeatthecryptographicalgorithms.SotoshowthattheDiffie-HellmankeyexchangeisatleastasstrongastheCDHP,wecouldshowthatanattackercapableofdefeatingtheDiffie-HellmankeyexchangecanusehisalgorithmfordoingthistosolvetheCDHP.ThiswouldnotshowthattheDiffie-Hellmankeyexchangeissecure,butinsteadshowsthatifanattackercandefeattheDiffie-Hellmankeyexchangethenhecouldalsoaccomplishsomethingthatisbelievedtobehardtodo.IfwebelievethattheCDHPisindeedhardtosolve,thensuchaproofwouldalsoconvinceusthatdefeatingtheDiffie-Hellmankeyexchangeisalsohard.Therearetwogeneralclassesofproofsthatcryptographicalgorithmsareatleastasdifficulttodefeatastheyaretosolvetherelatedcomputationalproblem.Onetypeofproofmodelspartsofthealgorithmasoracleswhoseoutputsaretrulyrandom.Truerandomoraclesareimpossibletoimplement,soonceaproofisobtainedinthismodel,therandomoraclesarereplacedbyfunctionswhosebehaviorissimilarenoughthatthesecurityofthesystemstillseemsplausible.Cryptographichashfunctionsaretypicallyusedforthis.Therearepathologicalcases[32]wheresuchpracticalimplementationsarealwaysinsecuredespitetheproofofsecurityusingrandomoracles,butsuchbehaviorseemstoappearinonlythemostcontrivedofcases.Wesaythatsuchaproofisobtainedusingtherandomoraclemodel[33].Aproofthatdoesnotusesuchrandomoraclesissaidtousethestandardmodel.InthediscussionsofIBEschemes,theirproofsofsecuritywillbesummarizedbylistingacomputationalproblemandaprooftechnique.Anexampleofthisisthat,‘‘defeatingtheABCschemehasbeenprovenintherandomoraclemodeltobeatleastasdifficultassolvingtheXYZproblem.’’BythiswemeanthataproofhasshownthatanadversarycapableofconstructinganalgorithmthatletshimdefeattheABCschemecanusethisalgorithmtoefficientlysolvetheXYZproblem.SothatifwebelievethattheXYZproblemisappropriatelyhardthenitmustalsobehardtodefeattheABCscheme. 116IntroductiontoIdentity-BasedEncryption5.7QuantumComputingAlloftheruntimesmentionedearlierassumethatthealgorithmsareimple-mentedonacomputerthatcanbeimplementedusingexistingtechnology.Thistechnologyisimplementedusingdevicesthathavetheinternalstatesthatareeitheralogical‘‘0’’oralogical‘‘1’’thatarecommonlycalled‘‘bits.’’Theframeworkofquantummechanicsassumesthataquantumdeviceexistsinmultiplestatesatonce,withadevicehavingprobabilitiesofbeingineachofitsstates.Withsuchadeviceasinglestateisnotdecideduponuntilthestateismeasured,atwhichtimetheresultofthemeasurementisdeterminedbytheprobabilitiesofbeingineachofthepossiblestates.Thisallowsforthecreationofquantumbits,orqubits,thatarebothalogical‘‘0’’andalogical‘‘1’’atthensametime,andallowsforthecreationofcomputersthatcancalculateall2valuesofafunctiononnqubitsinasingleoperation.Acomputerbuiltofqubitsinsteadofclassicalbitsallowsfortheimplemen-tationofalgorithmsthatrunmuchmorequicklythanthebest-knownalgorithmsonclassicalcomputers.Inparticular,Grover’salgorithmcanbeusedtodefeatsymmetricalgorithmsandShor’salgorithmcanbeusedtodefeatmanysymmet-ricalgorithms.Eachofthesealgorithmsarerandom,reflectingtheprobabilisticnatureoftheunderlyingqubits,sothebestthattheycandoistoreturnthecorrectresultwithahighprobability,afterwhichtheresultcaneasilybeverifiedbyadditionaltesting.5.7.1Grover’sAlgorithmnLetf:{0,1}→{0,1}beanefficientlycomputablefunction.ThenGrover’snalgorithm[34]findsastringa∈{0,1}suchthatf(a)=1,ifsuchastringn/2exists,inO(2)time.So,ifwehaveasymmetricencryptionalgorithmthatusesnbitsofkeyandwehaveamatchedplaintext-ciphertextpair,wecanusethefunction1,aproducesthegivenplaintext-ciphertextpairf(a)=0,otherwiseinGrover’salgorithmsothatfindingf(a)=1correspondstofindingthedesiredsymmetrickey.Sobeingabletoimplementsuchanattackreducesthelevelofsecurityprovidedthissymmetricalgorithmtonomorethann/2bits.Althoughthisisasignificantincreaseinperformanceoverclassicalcomputers,beingabletouseGrover’salgorithmdoesnotmakeiteasytodefeatsymmetricalgorithms;suchareductioniseasytodealwith,andwecanattainagoalofnbitsofstrengthbyusingasymmetricalgorithmwith2nbitsofstrengthagainstanadversaryequippedwithnonquantumcomputers. CryptographyandComputationalComplexity1175.7.2Shor’sAlgorithmShor’salgorithm[1]usesafastimplementationofaFouriertransformusingqubitstofactoraninteger,andsimilaralgorithmsareknownthatcanbeusedtocalculatediscretelogarithmsinafinitefield[1]orinanellipticcurvegroup[2].Supposethatwewanttofactortheintegern.Shor’salgorithmfirstusestheFouriertransformtofindtheperiodofanintegeramodulonwherergcd(a,n)=1,orthesmallestintegerrsuchthata≡1(modn),orthatrn|(a−1).Ifriseventhenwecanuseittowriterr/2r/2a−1=(a−1)(a+1)sothatr/2r/2n|(a−1)(a+1)rBecauseristhesmallestintegersuchthatn|(a−1),wecannothaver/2r/2r/2eithern|(a−1)orn|(a+1),soaslongasa≠−1,nmustsharear/2r/2nontrivialfactorwitheachofa−1anda+1,andcalculatingr/2r/2gcd(n,a−1)andgcd(n,a+1)willfindthesefactors.Shor’salgorithmhasanexpectedrunningtimeof2O((logn)(loglogn)(logloglogn))whichmakesanattackbasedoniteasyforanattackertocarryout.Thusthesecurityofanalgorithmwhichreliesonintegerfactorizationbeinghardisnolongerreasonablysecureifanadversarycanuseaquantumcomputer.And,unlikethecaseofusingGrover’salgorithmtoattackasymmetricalgorithm,itwouldnotbepossibletosimplyincreasethesizeofakeytocompensateforthisattack:itwouldnowbenomoredifficulttofactoranintegerthanitistomultiplyintegers.Ontheotherhand,implementingShor’srequiresaquantumcomputerwith2nqubitstofactorann-bitinteger.Constructingquantumcomputerscurrentlyseemsadauntingengineeringtaskbecauseoftheextremelyprecisecontrolthatisrequiredofthequbitsduringquantumcalculations.Ifthequbitsinteractwitheachotherorwiththeworldoutsidethequantumcomputer,theeffectisjustlikemeasuringthestateofaqubit,causingsomethequantuminformationthatitcarriestobelostwhenthequbitcollapsestoasinglestate.Becauseofthis,thedifficultyofconstructingquantumcomputerswithlargenumbersofqubitsseemstoincreaserapidlyasthenumberofqubitsincreases.Thiswillmakeitextremelydifficult,ifnotimpossible,tobuildaquantumcomputerthatiscapableoffactoringintegersofthesizesthataretypicallyused 118IntroductiontoIdentity-BasedEncryptioninpublic-keycryptography.Soevenifitwaspossibletobuildaquantumcomputercapableoffactoringa1,024-bitinteger,itmightbethecasethataddingjustafewadditionalbitstothesizeoftheintegerwouldbeenoughtomakefactoringtheslightlylargerintegerimpracticaluntilquantumcomputingtechnologyadvancesenough.References[1]Shor,P.,‘‘Polynomial-TimeAlgorithmsforPrimeFactorizationandDiscreteLogarithmsonaQuantumComputer,’’SIAMJournalofComputing,Vol.26,No.5,1997,pp.1484–1509.[2]Garcia,J.,andR.Menchaca,‘‘QuantumCryptoanalysisofEllipticCurveSystems,’’Computacio´nySistemas,Vol.4,No.3,2001,pp.242–248.[3]Fujisaki,E.,andT.Okamoto,‘‘SecureIntegrationofAsymmetricandSymmetricEncryptionSchemes,’’ProceedingsofCRYPTO’99,SantaBarbara,CA,August20–24,1999,pp.537–554.[4]Barker,E.,etal.,RecommendationforKeyManagement—Part1:General(Revised),Washing-ton,NISTSpecialPublication800-57,Part1,Washington,D.C.:U.S.GovernmentPrintingOffice,2007.[5]Pollard,J.,‘‘MonteCarloMethodsforIndexComputation(modp),’’MathematicsofComputation,Vol.32,No.143,1978,pp.918–924.[6]Floyd,J.,‘‘Non-DeterministicAlgorithms,’’JournaloftheACM,Vol.14,No.4,1967,pp.636–644.[7]Buhler,J.,H.Lenstra,andC.Pomerance,‘‘FactoringIntegerswiththeNumberFieldSieve,’’inTheDevelopmentoftheNumberFieldSieve,H.Lenstra,(ed.),Heidelberg,Germany:Springer-Verlag,1993,pp.50–94.[8]Dixon,J.,‘‘AsymptoticallyFastFactorizationofIntegers,’’MathmaticsofComputing,Vol.36,No.153,1981,pp.255–260.[9]Kraitchick,M.,The´oriedesNombres,Vol.1,Paris:Gauthier-Villars,1922.[10]Hellman,M.,andJ.Reyneri,‘‘FastComputationofDiscreteLogarithmsinGF(q),’’ProceedingsofCRYPTO’82,SantaBarbara,CA,August23–25,1982,pp.3–13.[11]Lenstra,A.,andE.Verheul,‘‘SelectingCryptographicKeySizes,’’JournalofCryptology,Vol.14,No.4,2001,pp.255–293.[12]Gehrmann,C.,andM.Na¨slund,ECRYPTYearlyReportonAlgorithmsandKeysizes(2006),EuropeanNetworkofExcellenceforCryptologyReportD.SPA.21,2007.[13]Orman,H.,andP.Hoffman,‘‘DeterminingStrengthsforPublicKeysUsedforExchangingSymmetricKeys,’’RFC3766,2004.[14]NationalInstituteofStandardsandTechnology,SecurityRequirementsforCryptographicModules,FederalInformationProcessingStandard140–2,Washington,D.C.:U.S.Govern-mentPrintingOffice,2001. CryptographyandComputationalComplexity119[15]AmericanNationalStandardsInstitute,PublicKeyCryptographyfortheFinancialServicesIndustry:AgreementofSymmetricKeysUsingDiscreteLogarithmCryptography,AmericanNationalStandardforFinancialServicesX9.42-2003,Annapolis,MD:AmericanNationalStandardsInstitute,2003.[16]ElectronicFreedomFoundation,CrackingDES:SecretsofEncryptionResearch,WiretapPolitics&ChipDesign,Sebastapol,CA:O’Reilly,1998.[17]Barrow,J.,andF.Tipler,TheAnthropicCosmologicalPrinciple,Oxford,U.K.:OxfordUniversityPress,1988.[18]Landauer,R.,’’IrreversibilityandHeatGenerationintheComputingProcess,’’IBMJournalofResearchandDevelopment,Vol.5,No.3,1961,pp.183–191.[19]Diffie,W.,andM.Hellman,‘‘NewDirectionsinCryptography,’’IEEETransactionsonInformationTheory,IT-22,No.6,1976,pp.644–654.[20]Joux,A.,andK.Nguyen,‘‘SeparatingDecisionDiffie-HellmanfromDiffie-HellmaninCryptographicGroups,’’JournalofCryptology,Vol.16,No.4,2003,pp.239–247.[21]Boneh,D.,‘‘TheDecisionDiffie-HellmanProblem,’’AlgorithmicNumberTheoryThirdInternationalSymposium,Portland,OR,June21–25,1998,pp.48–63.[22]Boneh,D.,andM.Franklin,‘‘IdentityBasedEncryptionfromtheWeilPairing,’’SIAMJournalofComputing,Vol.32,No.3,pp.586–615.[23]Boneh,D.,andX.Boyen,‘‘EfficientSelective-IDSecureIdentity-BasedEncryptionwithoutRandomOracles,’’ProceedingsofEUROCRYPT2004,Interlaken,Switzerland,May2–6,2004,pp.223–238.[24]Agrawal,M.,N.Kayal,andN.Saxena,‘‘PRIMESIsinP,’’AnnalsofMathematics,Vol.160,No.2,2004,pp.781–793.[25]Gauss,K.,DisquisitionesArithmeticae,Fleisher:Leipzig,1801.[26]Blake,I.,G.Seroussi,andN.Smart,AdvancesinEllipticCurveCryptography,Cambridge,U.K.:CambridgeUniversityPress,2005.[27]Silverman,J.,TheArithmeticofEllipticCurves,NewYork:Springer-Verlag,1985.[28]Menezes,A.,T.Okamoto,andS.Vanstone,‘‘ReducingEllipticCurveLogarithmstoLogarithmsinaFiniteField,’’IEEETransactionsonInformationTheory,Vol.39,No.5,1993,pp.1639–1646.[29]Menezes,A.,andS.Vanstone,‘‘ANoteonCyclicGroups,FiniteFields,andtheDiscreteLogarithmProblem,’’ApplicableAlgebrainEngineering,CommunicationandComputing,Vol.3,No.1,1992,pp.67–74.[30]Pollard,J.,‘‘TheoremsonFactorizationandPrimalityTesting,’’ProceedingsoftheCam-bridgePhilosophical.Society,Vol.76,1974,pp521–528.[31]AmericanNationalStandardsInstitute,DigitalSignaturesUsingReversiblePublicKeyCryptographyfortheFinancialServicesIndustry(rDSA),AmericanNationalStandardforFinancialServicesX9.31-1998,Annapolis,MD:AmericanNationalStandardsInstitute,1998.[32]Canetti,R.,O.Goldreich,andS.Halevi,‘‘TheRandomOracleMethodology,Revisited,’’ProceedingsoftheACMSymposiumonTheoryofComputing,Dallas,TX,May23–26,1998,pp.209–218. 120IntroductiontoIdentity-BasedEncryption[33]Bellare,M.,andP.Rogaway,‘‘RandomOraclesArePractical:AParadigmforDesigningEfficientProtocols,’’ProceedingsoftheACMConferenceonComputerandCommunicationsSecurity,Fairfax,VA,November3–5,1993,pp.62–73.[34]Grover,L.,‘‘FromSchro¨dinger’sEquationtoQuantumSearchAlgorithm,’’AmericanJournalofPhysics,Vol.69,No.7,2001,pp.769–777. 6RelatedCryptographicAlgorithmsIBEalgorithmsareverysimilartootherpublic-keyalgorithms,andunderstand-ingtheseotheralgorithmsmayprovidesomeinsightintothenatureoftheIBEalgorithms.Inparticular,Goldwasser-MichaliencryptionusesJacobisymbolstoencryptinformationonabit-by-bitbasis,andprovidestheframeworkforunderstandingtheCocksIBEalgorithmthatisdiscussedinChapter7.TheDiffie-Hellmankeyexchangeanditsellipticcurvevariantprovidethebasicframeworkforusingthedifficultyofcalculatingdiscretelogarithmstocreateapublic-keyencryptionscheme.Joux’sgeneralizationoftheseschemesusesapairingtoallowthreeuserstosecurelyagreeuponacommonsharedsecret.ThecombinationoftheDiffie-HellmanschemeandJoux’sschemeprovidessomeinsightintooperationoftheBoneh-FrankinIBEschemethatisdiscussedinChapter8,andprovidessomeinsightintotheoperationofSakai-KasaharaIBEschemethatisdiscussedinChapter10.ElGamalencryptionprovidessomeinsightintotheoperationoftheBoneh-BoyenIBEschemethatisdiscussedinChapter9.Allofthefollowingdescriptionsofalgorithmsassumethattwoparticipants,traditionallycalledAliceandBob,wanttocommunicatesecurely,whileaneavesdroppernamedEvedoesherbesttodeterminethecontentofthesecretmessagesthatAliceandBobexchange.Inthecasewhereathirdlegitimateparticipantisneeded,CharlieisassumedtohavejoinedAliceandBob.6.1Goldwasser-MichaliEncryptionGoldwasser-Michaliencryption[1]usesthequadraticresiduosityproblemtocreateapublic-keyscheme.Itworksinthefollowingway.Bobstartsbygenerat-121 122IntroductiontoIdentity-BasedEncryptioningapairofrandomprimespandqandcalculatingn=p�q.Hethenpicksarandomy∈�*nandsothatyisaquadraticnonresiduemodulon,buttheJacobisymbol(y/n)=+1.Todothis,Bobcanfirstfindonequadraticnonresidueamodulopandanotherquadraticnonresiduebmoduloqandthencalculateybysolvingthesystemofcongruencesy≡a(modp)y≡b(modq)byGauss’algorithmtofindy.Thisywillthenhavethepropertythat(y/n)=(y/p)(y/q)=(−1)(−1)=+1asdesired.Onceyiscomputed,Bob’spublickeyisthepair(y,n)andhisprivatekeyisthepair(p,q).AlicethenencryptshermessageabitatatimetoBob,whothendecryptsthereceivedmessageabitatatime.ToencryptamessagebitmtoBob,Aliceperformsthefollowingsteps:1.Alicepicksarandomx∈�*n.222.Ifm=1,thenAlicesetsc=y�x,otherwiseshesetsc=x(modn).3.AlicesendstheciphertextctoBob.Todecrypttheciphertextc,Bobperformsthefollowingsteps:1.BobcalculatestheLegendresymbole=(c/p).2.Ife=1,thenBobdecryptscto0,otherwisehedecryptscto1.2IfthemessagebitsentbyAliceism=0,thenc=x(modn)isaquadraticresiduemodulon.ByProperty2.8wehavethatcisaquadraticresiduemodulopifandonlyifcisaquadraticresiduemodulon,sothatBobwillcalculate22e=(c/p)=(x/p)=(x/n)=+1anddecryptcto0correctly.2IfthemessagebitsentbyAliceism=1,thenc=y�x(modn)isaquadraticnonresiduemodulon,sothatBobwillcalculate222e=(c/p)=(y�x/p)=(y�x/n)=(y/n)(x/n)=(−1)(+1)=−1anddecryptcto1correctly. RelatedCryptographicAlgorithms123Ontheotherhand,ifEveobservestheciphertextc,sheneedstodeterminewhetherornotcisaquadraticresiduemodulonornot,whichisexactlythequadraticresiduosityproblem.Becauseitencryptsasinglebitatatime,theGoldwasser-Micaliencryptionschemeisvulnerabletoanadaptivechosen-ciphertextattack.SupposethatEvehastheplaintext(m1,m2,...,mk)andcorrespondingciphertext(c1,c2,...,ck)thatisencryptedtoBob,andthatshewantstoobtaintheplaintextcorrespondingtotheciphertext(c1′,c2′,...,ck′).Shecanthensendthemes-sage(c1′,c2,...,ck)toBobandobservehisreaction.IfBobusestheciphertextasasharedsecretthatheusestoderiveasessionkey,forexample,EvecanchecktoseeifBobcreatesthesamesessionkeyfrom(c1′,c2,...,ck)thathedoesfrom(c1,c2,...,ck)todeterminewhetherthedecryptionofc1andc1′arethesameordifferent.Evecanthenrepeatthisprocesstorecovertheadditionalbitsofthedecryptionof(c1′,c2′,...,ck′),recoveringasinglebiteverytimesherepeatsthisprocess.Example6.1SupposethatBobwantstogenerateaGoldwasser-Micalipublicandprivatekey.FirstBobpickstwoprimespandq.Supposethathepicksp=7andq=11,sothatn=p�q=77.HethenpicksaquadraticnonresiduemodulopandanotherquadraticnonresiduemoduloqandusestheChineseremaindertheoremtofindthevalueofy.Supposethathepicksthequadraticnonresidues3modulo7and2modulo11.Inthiscasehesolvesthecongruencesy≡3(mod7)y≡2(mod11)togety≡24(mod77).ThusBob’spublickeyis(y,n)=(24,77)andhisprivatekeyis(p,q)=(7,11).SupposethatAlicewantstoencryptthebit‘‘1’’toBob.SheobtainsBob’spublickey(y,n)=(24,77)andpicksarandomy∈�*77.Inthiscase,supposethatshepicksx=17.Thentoencryptthebit‘‘1’’toBobshecalculatesthe22ciphertextc=y�x(modn)=24�17(mod77)≡6(mod77).Shethensendstheciphertext6toBob.Uponreceivingtheciphertext6,BobcalculatestheJacobisymbole=(c/p)=(6/7)=−1whichhethendecryptsto‘‘1.’’ 124IntroductiontoIdentity-BasedEncryption6.2TheDiffie-HellmanKeyExchangeTheDiffie-Hellmankeyexchange[2]wasthefirstpracticalpublic-keyalgorithm.TheDiffie-HellmankeyexchangeproducesasecretthatissharedbetweenAliceandBobthatisdifficultforEvetodeterminefromwhatsheobservesbywatchingthecommunicationsbetweenAliceandBob.Itssecurityisbasedonthedifficultyofcalculatingdiscretelogarithmsinaprime-ordersubgroupGofthemultiplicativegroup�q*.LetgbeageneratorofGandGbeoforderp.ThentheDiffie-Hellmankeyexchangehasthefollowingfoursteps:a1.Alicechoosesarandoma∈�*p−1,calculatesg,whichshesendstoBob.b2.Bobchoosesarandomb∈�*p−1,calculatesg,whichhesendstoAlice.bba3.AlicereceivesgandcalculatesthesharedsecretK=(g).aab4.BobreceivesgandcalculatesthesharedsecretK=(g).Notethattherangeallowedfortheintegersaandbisfrom1top−2.Ifawasallowedtobep−1,forexample,thenbyEuler’stheoremwewouldahavethatg≡1(modp),sothatthesharedsecretKendsupbeing1,andanaadversaryobservingthetransmissionofgwillthenbeabletoeasilyrecoverK.Attheendofthesesteps,AliceandBobbothhavethesharedsecretabababK=g.Eve’staskistorecoverK=ggiveng,gandg,whichisexactlytheCDHP,whichisassumedtobeashardascalculatingdiscretelogarithmsineitherG.Ontheotherhand,becausethereisabsolutelynoauthenticationforeitherAliceorBobinthestepslistedabove,itiseasyforEvetomountaman-in-the-middleattackagainstAliceandBob.ShedoesthisbypositioningherselfbetweenAliceandBobandcarryingoutalegitimateDiffie-HellmankeyexchangewitheachofAliceandBob,afterwhichsheusesthesharedsecretsconstructedinthiswaytosecurelycommunicatewitheachtheunsuspectingpair.Eve’sman-in-the-middleattackiscarriedoutinthefollowingsteps:a1.Alicechoosesarandoma∈�*p−1,calculatesgmodp,whichsheunknowinglysendstoEve.e2.Evechoosesarandome∈�*p−1,calculatesgmodp,whichshesendstoAlice.e3.AlicereceivesgmodpfromEveandcalculatesthesharedsecreteaK1=(g)modp.a4.EvereceivesgmodpfromAliceandcalculatesthesharedsecretaeK1=(g)modp. RelatedCryptographicAlgorithms125e5.EvesendsgmodptoBob.b6.Bobchoosesarandomb∈�*p−1,calculatesg,whichhesendstoEve,believinghertobeAlice.bbe7.EvereceivesgfromBobandcalculatesthesharedsecretK2=(g).eeb8.BobreceivesgfromEveandcalculatesthesharedsecretK2=(g).AtthispointEvehasestablishedtwosharedsecrets:K1,whichissharedwithAliceandK2,whichissharedwithBob.SupposethatAlicesendsamessagetoBobthatisencryptedusingthesharedsecretK1.EvecantheninterceptthismessageandthenusethesharedsecretK1todecryptmessagesfromAlicethatareencryptedusingthesharedsecretK1,thenreencryptthemessageusingthesharedsecretK2whichsheshareswithBob.BobwillthenbeabletodecryptthemessageusingthesharedsecretK2,whichhebelievesisonlyinthepossessionofhimandAlice.Example6.2SupposethatAliceandBobwanttousetheDiffie-Hellmankeyexchangetocreateasharedsecret.Supposethatallcalculationsaredoneinthesubgroupof�59*oforder29,whichhasgeneratorg=2.Theycandothisinthefollowingsteps.a71.Alicechoosesarandoma∈�*28,saya=7,andcalculatesg=2≡10(mod59),whichshesendstoBob.b232.Bobchoosesarandomb∈�*28,sayb=23,andcalculatesg=2≡47(mod59),whichhesendstoAlice.3.Alicereceivesthevalue47fromBobandcalculatesthesharedsecretb7K=47=47≡13(mod59).4.Bobreceivesthevalue10fromAliceandcalculatesthesharedsecretb23K=10=10≡13(mod59).6.3EllipticCurveDiffie-HellmanThereisnothingspecialaboutthegroup�q*thatisusedintheDiffie-Hellmankeyexchange,andanyothergroupinwhichitishardtocalculatediscretelogarithmscanbeusedinitsplace.Inparticular,anellipticcurvegroupE(�q)canbeusedinthisway.ThesecurityoftheresultingalgorithmisthenbasedonthedifficultyofcalculatingdiscretelogarithmsinthegroupE(�q).LetGbeasubgroupofE(�q)ofprimeorderpgeneratedbyP.ThentheellipticcurveDiffie-Hellmankeyexchange[3]hasthefollowingfivesteps: 126IntroductiontoIdentity-BasedEncryption1.Alicechoosesarandoma∈�*pandcalculatesaP,whichshesendstoBob.2.Bobchoosesarandomb∈�*pandcalculatesbP,whichhesendstoAlice.3.AlicereceivesbPandcalculatesthesharedsecretK=a(bP).4.BobreceivesaPandcalculatesthesharedsecretK=b(aP).5.IfK=Othenraiseanerrorconditionandrestartatstep1.Attheendofthesesteps,AliceandBobbothhavethesharedsecretK=b(aP).Eve’staskistorecoverK=a(bP)givenP,aP,andbP,whichisexactlytheCDHP,whichisassumedtobeashardascalculatingdiscretelogarithmsinG.TheellipticcurveDiffie-Hellmankeyexchangeisvulnerabletoaman-in-the-middleattackjustliketheDiffie-Hellmankeyexchangeis.Example6.3SupposethatAliceandBobwanttousetheellipticcurveDiffie-Hellmankeyexchangetocreateasharedsecret.SupposethatEistheellipticcurveE:y2=x3+1,andGbethesubgroupoforder11ofE(�131)generatedbyP=(98,58).Theycandothisinthefollowingsteps.1.Alicechoosesarandoma∈�*11,saya=7,andcalculatesaP=7�(98,58)=(33,100),whichshesendstoBob.2.Bobchoosesarandomintegerbwithb∈�*11,sayb=5,andcalculatesbP=5�(98,58)=(34,23),whichhesendstoAlice.3.Alicereceives(34,23)fromBobandcalculatesthesharedsecretK=a�(34,23)=7�(34,23)=(128,57).4.Bobreceives(33,100)fromAliceandcalculatesK=b�(33,100)=5�(33,100)=(128,57).5.K≠Osothatnoerrorconditionisraised.6.4Joux’sThree-WayKeyExchangeAnothergeneralizationoftheDiffie-HellmankeyexchangeisduetoJoux[4],whonoticedthatacleveruseofapairingallowsforthecreationofawaytoallowthreeparticipantstoagreeuponasharedsecretinasecureway.Todothis,letG1andGTbegroupsofprimeorderp=|G1|=|GT|andˆe:G1×G1→GTbeapairing,andletPbeageneratorofG1.ThenJoux’sthree-waykeyexchangehasthefollowingsevensteps: RelatedCryptographicAlgorithms1271.Alicechoosesarandoma∈�*p,calculatesaP,whichshesendstoBobandCharlie.2.Bobchoosesarandomb∈�*p,calculatesbP,whichhesendstoAliceandCharlie.3.Charliechoosesarandomc∈�*p,calculatesbP,whichhesendstoAliceandCharlie.4.AlicereceivesbPandcPandcalculatesthesharedsecretK=aabcˆe(bP,cP)=ˆe(P,P).b5.BobreceivesaPandcPandcalculatesthesharedsecretK=ˆe(aP,cP)abc=ˆe(P,P).6.CharliereceivesaPandbPandcalculatesthesharedsecretK=cabcˆe(aP,bP)=ˆe(P,P).7.IfK=O,raiseanerrorconditionandrestartatstep1.Attheendofthesesteps,eachofAlice,Bob,andCharliehavethesharedabcabcsecretˆe(P,P).Eve’staskistorecoverK=ˆe(P,P)givenP,aP,bP,andcPwhichisexactlytheBDHP,whichisassumedtobeashardascalculatingdiscretelogarithmsineitherG1orGT.Joux’sthree-waykeyexchangeisvulnera-bletoaman-in-the-middleattackjustliketheDiffie-Hellmankeyexchangeis.Example6.4SupposethatAlice,Bob,andCharliewanttouseJoux’sthree-waykeyexchange2tocreateasharedsecret.SupposethatEistheellipticcurveE/�131:y=3x+1.LetG1bethesubgroupoforder11ofE(�131)withgeneratorP=(98,58)andletGTbethesubgroupof(�112)*generatedbyˆe(P,P)=28+93i,where�112isrepresentedby�11[x]/(x2+1).Letˆe:G1×G1→GTbethereducedmodifiedTatepairing,whereˆe:G1×G1→GTistheTate1560pairing,andˆe(P,Q)=e(P,�(Q))where�isthedistortionmapgivenby�(x,y)=(�x,y),where�=65+112i.ThenAlice,Bob,andCharliecancarryoutJoux’sthree-waykeyexchangeasfollows.1.Alicepickstherandoma∈�*11,saya=3,andcalculatesaP=(113,8),whichshesendstoBobandCharlie.2.Bobpickstherandomb∈�*11,sayb=5,andcalculatesbP=(34,23),whichhesendstoAliceandCharlie.3.Charliepickstherandomc∈�*11,sayc=7,andcalculatescP=(33,100),whichhesendstoAliceandBob.4.AlicereceivesbP=(34,23)andcP=(33,100)andcalculatesK=aˆe(bP,cP)=39+107i. 128IntroductiontoIdentity-BasedEncryption5.BobreceivesaP=(113,8)andcP=(33,100)andcalculatesK=bˆe(aP,cP)=39+107i.6.CharliereceivesaP=(113,8)andbP=(34,23)andcalculatesK=cˆe(aP,bP)=39+107i.7.K≠Osonoerrorconditionisraised.6.5ElGamalEncryptionElGamalencryption[5]createsanencryptionalgorithmfromtheDiffie-Hell-mankeyexchange,essentiallyusingaDiffie-HellmansharedsecrettoencryptablockofplaintextbymultiplyingtheplaintextbytheDiffie-Hellmansharedsecret.Todecrypttheresultingciphertext,theintendedrecipientthendividesbytheDiffie-Hellmansharedsecrettorecovertheplaintext.Moreprecisely,theElGamalencryptionworksasfollows.LetBobhavethepublickeyb(p,g,g),wherepisaprime,Gaprime-ordersubgroupof�*p,andb∈�*p−1.Bob’scorrespondingprivatekeyisb.ToencryptamessageM∈�*ptoBob,Aliceperformsthefollowingsteps:b1.AliceobtainsBob’spublickey(p,g,g),picksaa∈�*p−1andthenbaabcalculates(g)=g.ababa2.AlicecalculatesMgandthensendsciphertextC=(Mg,g)toaBob.ThevalueofgthatAlicesendsinthisciphertextissometimescalleda‘‘hint.’’abaTodecrypttheciphertextC=(Mg,g)Bobperformsthefollowingsteps:abab1.Bobcalculates(g)=g.2.BobcalculatesabMg=MabgtorecoverthemessageM.NotethatElGamalencryptionissubjecttoachosen-ciphertextattack.IfabaanadversaryknowsthattheciphertextC=(Mg,g)correspondstotheaplaintextMencryptedwiththerandomvalueg,thenhecaneasilydecryptabaanyotherciphertextC′=((kM)g,g)bycalculating RelatedCryptographicAlgorithms129abMgab=gMfromtheciphertextCandthenab(kM)g=kMabgfromtheciphertextC′.ItisnomoredifficulttorecovertheplaintextMfromtheciphertextabaC=(Mg,g)thanitistocalculatediscretelogarithmsinG:ifanadversarybcandeterminebfromBob’spublickeyghecanthendecrypttheciphertextaseasilyasBobcan.Example6.5bSupposethatBob’spublickeyis(p,g,g)=(59,2,47),andhisprivatekeyisb=23,andthatAlicewantstoencryptthemessageM=17toBob.Shecandothisinthefollowingsteps.b1.AliceobtainsBob’spublickey(p,g,g)=(59,2,47).Alicethenba7choosesarandoma,saya=7,andcalculates(g)=47≡13(mod37).aba72.AlicecalculatesMg=17�13≡44(mod59)andg=2≡aba10(mod59)andthensendstheciphertextC=(Mg,g)=(44,10).WhenBobreceivestheciphertextC=(44,10)heperformsthefollowingsteps.abb231.Bobcalculates(g)=10=10≡13(mod59).2.BobcalculatesabMg44−1M===44�9=44�50≡17(mod59)gab13torecoverthemessageM.References[1]Goldwasser,S.,andS.Micali,‘‘ProbabilisticEncryption,’’JournalofComputerandSystemSciences,Vol.28,No.2,1984,pp.270–299. 130IntroductiontoIdentity-BasedEncryption[2]Diffie,W.,andM.Hellman,‘‘NewDirectionsinCryptography,’’IEEETransactionsonInformationTheory,Vol.IT-22,No.6,1976,pp.644–654.[3]AmericanNationalStandardsInstitute,KeyAgreementandKeyTransportusingEllipticCurveCryptography,AmericanNationalStandardforFinancialServicesX9.63-2001,Annapolis,MD:AmericanNationalStandardsInstitute,2001.[4]Joux,A.,‘‘AOne-RoundProtocolforTripartiteDiffie-Hellman,’’Proceedingsofthe4thInternationalAlgorihtmicNumberTheorySymposium,Leider,theNetherlands,July2–7,2000,pp.385–394.[5]ElGamal,T.,‘‘APublic-KeyCryptosystemandaSignatureSchemeBasedonDiscreteLogarithms,’’IEEETransactionsonInformationTheory,Vol.IT-31,No.4,1985,pp.469–472. 7TheCocksIBESchemeTheCocksIBEschemewasinventedbyCliffordCocksoftheCommunications-ElectronicsSecurityGroup(CESG)oftheUnitedKingdomgovernment,thesamegentlemanwhohasafairlystrongclaimtohavinginventedthefirstpublic-keyalgorithmin1973,whenhepublishedaclassified(nowdeclassified)CESGreport[1],whichdescribedaschemeroughlycomparabletotheRSAscheme.ThesecurityoftheCocksIBEschemeisbasedonboththecomputationaldifficultyofintegerfactorizationandonthequadraticresiduosityproblem.TheCocksIBEschemewasfirstdescribedin[2].TheCocksIBEschemeencryptseachbitoftheplaintextasapairofintegersmoduloacompositenumber,eachaslargeasanintegerwhichissuitablydifficulttofactor.Forexample,toencrypta128-bitsymmetrickey,perTable5.2,eachoftheseintegersmustbe3,072bitsinlengthtoprovidethesamebitstrengthasa128-bitsymmetrickey.TheCocksIBEschemeusesmanyofthesameideasastheGoldwasser-Micalischeme,andisnotableforbeinganIBEschemethatdoesnotuseapairinginitsoperation,aswellastheIBEschememostlikelytogetyoufiredforsearchingtheInternetforitwhileatwork.7.1SetupofParametersTheCocksschemerequiresapublicvaluenwhichistheproductoftwoprimespandq,eachofwhicharecongruentto3modulo4.Whilethevaluenispublic,itsfactorspandqareknownonlytothePKG.Italsorequiresawell-knowncryptographichashfunctionH1:{0,1}*→�n.WealsorequirethatforanidentityID,ifH1(ID)=a,thenwehavetheJacobisymbol(a/n)=+1,131 132IntroductiontoIdentity-BasedEncryptionwhichwillguaranteethateitheraor−aisasquaremodulon.Thiscaneasilybedone,forexample,byusingacryptographichashfunctionHhashanidentitytoanintegeramodulonandthenincrementingauntil(a/n)=+1.Becausewehavethat�a�aan=�p��q�(7.1)wemusthavethateitherbothJacobisymbolshavethevalue+1orbothhavethevalue−1in(7.1).Whenbothhavethevalue+1wehave�a�aan=�p��q�=(+1)(+1)=+1sothataisasquaremodulonbecauseitisasquaremodulobothpandq.Intheothercasewehave�a�aan=�p��q�=(−1)(−1)=+1Ifthishappens,thenitturnsoutthat−amustbeasquaremodulon.Becausewehavethatpandqarecongruentto3modulo4,wehave�−1�−1p=�q�=−1sothat�−a�−a−aa−1a−1�n=�p��q�=�p��p��q��qaaaa=�p�(−1)�q�(−1)=�p��q�=(+1)(+1)=+1Sothat−aisasquarebecauseitistheproductoftwonumbersthataresquares.Theambiguityintroducedbynotknowingwhetheraor−aisasquarecausessomeinefficiencywhenCocksIBEisusedtoencrypt,andresultsindoublingthesizeoftheciphertexttoaccountforeachofthetwocases.Ineithercase,thevalueathenisthepublickeycorrespondingtotheidentityID.NotethatusingAlgorithm2.2,itispossibletocalculatetheJacobisymbol TheCocksIBEScheme133�a�nwithoutknowingthefactorsofn.7.2ExtractionofthePrivateKeyThePKGthencalculatestheprivatekeycorrespondingtothepublickeyabycalculatingthesquarerootofeitheraor−amodulon.Becausepandqarebothcongruentto3modulo4,p−1andq−1arebothcongruentto2modulo4sothatwecanwritep=4k1+2andq=4k2+2.Becausewehaven=p�q,wehavethat�(n)=(p−1)(q−1),sothat�(n)+4=(p−1)(q−1)+4=(4k1+2)(4k2+2)+4=(2k1k2+k1+k2+1)8sothat8divides�(n).Wecanusethisfacttocalculateasquarerootmodulonas(�(N)+4)/8r=amodn(7.2)Thisgivesasquarerootofamodulonbecause22(�(N)+4)/8�(N)+4)/4�(n)1/4r=a=a=(a)a≡±a(modn)byEuler’stheorem.Ifaisasquarerootmodulon,thenrwillsatisfy22r≡a(modn)andif−aisasquarerootmodulon,thenrwillsatisfyr≡−a(modn).Ineithercase,thevalueractsastheprivatekeycorrespondingtothepublickeya.TheparametersoftheCocksIBEschemearesummarizedinTable7.1.7.3EncryptingwithCocksIBETheCocksIBEschemeencryptsasinglebitatatimeasapairofintegers.Bothofthepairareneededbecausewedonotknowwhichofaor−aisasquarerootmodulon.Ontheotherhand,therecipientcaneasilycheckwhetherr2≡a(modn)orr2≡−a(modn),soheknowswhichofthetwochoicestomdecrypt.Foramessagebitmwefirstencodethebitasx=(−1),whichencodes 134IntroductiontoIdentity-BasedEncryptionTable7.1SummaryofCocksIBEParametersTypeofParameterParameterPropertiesPrivateglobalparametersp,qprimes≡3(mod4)Publicglobalparameternn=p�qPublichashfunctionH1H1:{0,1}*→�n,(H1(ID)/n)=+1Per-userpublickeya(a/n)=+1Per-userprivatekeyrr2≡+a(modn)thebit‘‘0’’as+1andthebit‘‘1’’as−1.Wethenpickrandomt1andt2withboth�t1�n=xand�t2�n=xandthensendtheciphertext(s1,s2)totherecipient,whereas1=�t1+t�modn1andas2=�t2−t�modN2Therecipientwilltheneitherdecrypts1ors2,choosings1ifaisasquarerootmodulonands2if−aisasquarerootmodulon.Notethattwodifferentrandomvaluest1andt2areneeded.Ifthesamevaluetisusedtocalculatebothas1=�t+t�modnand TheCocksIBEScheme135as2=�t−t�modnthenanadversarycouldcalculates1+s21aa2=2�t+t�+�t−t�modn=tmodnandthencalculate�t�n=xtodecrypttheciphertext.7.4DecryptingwithCocksIBEAfterreceivingthepairs1ands2,therecipientdecideswhichofthetwochoices22heneedstodecrypt,lettings=s1ifr≡a(modn)ands=s2ifr≡2−a(modn).Ifr≡a(modn)hecalculatess+2rx=�n�(7.3)2Inthecasethatr≡a(modn),wenotethataas+2r=�t1−t�+2r=t1+2r−t1122ra2rr=t1�1+t−2�≡t1�1+t+2�(modn)1t11t12r≡t1�1+t�(modn)1sothats+2risasquaremodulonexactlywhent1is,sothatwehave�s+2r�t1n=�n�=xsothat(7.3)recoverstheplaintextbitx. 136IntroductiontoIdentity-BasedEncryption2Inthecasethatr≡−a(modn),wenotethataas+2r=�t2+t�+2r=t2+2r+t2222ra2rr=t2�1+t+2�=t2�1+t+2�(modn)2t22t22r=t1�1+t�(modn)1sothatwestillhavethats+2risasquaremodulonexactlywhent2is,sothat�s+2r�t2n=�n�=xsothat(7.3)willcorrectlydecryptanencryptedbitinbothpossiblecases.7.5Examples(i)Letp=7andq=11,sothatn=77.Ifwehavea=9forthepublickey,wefindthat(7.2)givesusr=25forthecorrespondingprivate2key,andthatinthiscaser≡a(modn).Toencryptthebit‘‘0’’withthispublickeythesenderfirstencodesthebit‘‘0’’as+1andpicksarandomtthatsatisfies�t�n=+1Inthiscase,werandomlypickt1=4andt2=6notethat�4�677=�77�=+1Thesenderthencalculatesthetwovaluesa9s1=�t1+t�modn=�4+4�mod77=641 TheCocksIBEScheme137anda9s2=�t2−t�modn=�6−6�mod77=432andthensendstheciphertextpair(s1,s2)=(64,43)totherecipient.2Therecipientknowsthathisprivatekeysatisfiesr≡a(modn),sohepickss1todecrypt.Hethencalculates�s1+2r�64+50114N=�77�=�77�=+1whichhethendecodestothebit‘‘0’’ashisplaintext.(ii)Letp=7andq=11,sothatn=77.Ifwehavea=10forthepublickey,wefindthat(7.2)givesusr=23forthecorresponding2privatekey,andthatinthiscaser≡−a(modn).Toencryptthebit‘‘1’’withthispublickeythesenderfirstencodesthebit‘‘1’’as−1andpicksarandomtthatsatisfies�t�n=−1Inthiscase,werandomlypickt1=8andt2=2andnotethat82��77�=�77=−1Thesenderthencalculatesthetwovaluesa10s1=�t1+t�modn=�8+8�mod77=671anda10s2=�t2−t�modn=�2−2�mod77=742andthensendstheciphertextpair(s1,s2)=(67,74)totherecipient.2Therecipientknowsthathisprivatekeysatisfiesr≡−a(modn),sohepickss2todecrypt.Hethencalculates 138IntroductiontoIdentity-BasedEncryption�s2+2r�74+46120n=�77�=�77�=−1whichhethendecodestothebit‘‘1’’ashisplaintext.(iii)Letp=7andq=11,sothatn=77.Ifwehavea=10forthepublickey,wefindthat(7.2)givesusr=23forthecorresponding2privatekey,andthatinthiscaser≡−a(modn).Toencryptthebit‘‘1’’withthispublickeythesenderfirstencodesthebit‘‘1’’as−1andpicksarandomtthatsatisfies�t�n=−1Inthiscase,werandomlypickt1=12andt2=5andnotethat�12�577=�77�=−1Thesenderthencalculatesthetwovaluesa10s1=�t1+t�modn=�12+12�mod77=01anda10s2=�t−t�modn=�5−5�mod77=3andthensendstheciphertextpair(s1,s2)=(0,3)totherecipient.2Therecipientknowsthathisprivatekeysatisfiesr≡−a(modn),sohepickss2todecrypt.Hethencalculates�s2+2r�3+4649n=�77�=�77�=0Inthiscasethedecryptionfails,becausegcd(s2+2r,n)≠1.Thiswillhappenwhenevereitherporqdividess1+2r(ors2+2r,ifitiscalculatedinstead).Thereareq−1multiplesofpforwhichthiscanhappenandp−1multiplesofqforwhichthiscanhappen.Notethatthiscounts0twice,once TheCocksIBEScheme139asamultipleofpandagainasamultipleofq,sothereareatotalof(p−1)+(q−1)−1waysforthistohappen.Ifweassumethatisuniformlydistributedin{0,1,...,n−1},thisgivesaprobabilityof(p−1)+(q−1)−1Pr(decryptionfailure)=nofthishappening.Foratypicaluse,saywitha1,024-bitnand512-bitvaluesforpandq,thisprobabilityisextremelysmall.So,althoughthismayhappen,ithappenssorarelythatitisprobablynotworthhandlingasaspecialcaseinanimplementationoftheCocksIBEscheme,althoughitmayoccurinexampleswithartificiallysmallparameters.7.6SecurityoftheCocksIBEScheme7.6.1RelationshiptotheQuadraticResiduosityProblemAnadversarycandefeattheCocksIBEsystemifhecanfactorthemodulusn.Ifhecandothis,hecancalculatearbitraryprivatekeysby(7.2)andthendecryptanymessagesthatheintercepts.AsdiscussedinChapter5,thebest-knownalgorithmforfactoringintegersissufficientlydifficulttoprovidethesecuritylevelslistedinTable5.2.ThefactthatthesecurityoftheCocksIBEschemerelatestothequadraticresiduosityproblem,however,isnotimmediatelyobvious.ThefactthatitdoesrelatestothefactthattheabilitytodecryptamessageencryptedwithCocksIBErequiresdecidingwhetherornottheper-userpublickeyaisasquaremodulon.Notethat�1�t1/tn=�n��n�=+1sothat�t�1/tn=�n�andthus�a/t�a1/tatn=�n��n�=�n��n� 140IntroductiontoIdentity-BasedEncryptionNowconsiderthefollowingfoursystemsofcongruences:t1=tmodp�(7.4)t1=tmodqt2=tmodp�(7.5)t2=(a/t)modqt3=(a/t)modp�(7.6)t3=tmodqt4=(a/t)modp�(7.7)t4=(a/t)modqBytheChineseremaindertheorem,thesehavethefollowingsolutions:t1=t�e1+t�e2t2=t�e1+(a/t)�e2t3=(a/t)�e1+t�e2t4=(a/t)�e1+(a/t)�e2wheree1ande2havethepropertythat1(modp)e1≡�0(modq)and0(modp)e2≡�1(modq)Thesolutionsto(7.4)through(7.7)alsohavethefollowingproperties: TheCocksIBEScheme141�t1�ttn=�p��q�t2�ta/ttat�n=�p��q�=�p��q��q�t3�a/ttatt�n=�p��q�=�p��p��q�t4�a/ta/tatat�n=�p��q�=�p��p��q��q�Inthecasewhereaisasquare,wehave�a�ap=�q�=+1sothat�t1�t2t3t4n=�n�=�n�=�n�Butinthecasewhereaisnotasquare,wehave�a�ap=�q�=−1sothatt1�t4�n=�n�and�t2�t3n=�n�but�t1�t2n=−�n� 142IntroductiontoIdentity-BasedEncryptionNotethatifanyoft1throught4areusedastherandominputusedinaCocksIBEencryption,thenthesameciphertextiscreated.Fortherandominputt1,forexample,thesenderwillcalculateaaas=�t1+t�=�t�e1+t�e2+t�e�=t+t11+t�e2whilefortherandominputt2thesenderwillcalculateaaaas=�t2+t�=�t�e1+t�e2+a=t+t2�t�e1+�e2tSimilarly,therandominputst3andt4,thesenderwillcalculatethesamevaluefors.Sointhecasewhereaisnotasquare,wehavecaseswherethesameciphertextcancomefromdifferentplaintextvalues,andtheonlywaytodistin-guishbetweenthesecasesistobeabletodeterminewhetherornotaisasquaremodulon,whichisthequadraticresiduosityproblem.7.6.2ChosenCiphertextSecurityBecausetheCocksIBEschemeencryptsasinglebitatatime,itisvulnerabletoanadaptivechosenciphertextattack,forthesamereasonthattheGoldwasser-Micalischemeis.SupposethatanattackerEvehastheplaintext(m1,m2,...,mk)andcorrespondingciphertext(c1,c2,...,ck)thatisencryptedtotheuserBob,andthatshewantstoobtaintheplaintextcorrespond-ingtotheciphertext(c1′,c2′,...,ck′).Shecanthensendthemessage(c1′,c2,...,ck)toBobandobservehisreaction.IfBobusestheciphertextasasharedsecretthatheusestoderiveasessionkey,forexample,EvecanchecktoseeifBobcreatesthesamesessionkeyfrom(c1′,c2,...,ck)thathedoesfrom(c1,c2,...,ck)todeterminewhetherthedecryptionofc1andc1′arethesameordifferent.Evecanthenrepeatthisprocesstorecovertheadditionalbitsofthedecryptionof(c1′,c2′,...,ck′),recoveringasinglebiteverytimesherepeatsthisprocess.7.6.3ProofofSecurityUsingtherandomoraclemodel,itispossibletoprovethatdefeatingthesecurityoftheCocksIBEschemeisnomoredifficultthatsolvingthequadraticresiduosityproblem,sothatanadversarywhocandecryptamessagethatis TheCocksIBEScheme143encryptedwiththeCocksIBEschemecanusehisdecryptionalgorithmtosolvethequadraticresiduosityproblem.So,ifwebelievethatthequadraticresiduosityproblemissufficientlyintractableweshouldalsobelievethattheCocksIBEschemeisadequatelysecure.7.6.4SelectingParameterSizesSupposethatwewanttousetheCocksIBEschemetotransporta128-bitsymmetrickey.PerTable5.2,togetthesamecryptographicstrengthasa128-bitsymmetrickey,thismodulusneedstobe3,072bits.Soforeachofthe128bitsinthesymmetrickeyweneedtotransmit2×3,072=6,144bitsofciphertext,foratotalof786,432bitsofciphertext.Totransporta256-bitsymmetrickey,thismodulusneedstobe15,360bits.Soforeachofthe256bitsinthesymmetrickeyweneedtotransmit2×15,360=30,720bitsofciphertext,foratotalof7,864,320bitsofciphertext.Thismaymaketheuseoftheschemeimpracticalformanyuses.ThenumberofbitsofciphertextneededbytheCocksIBEschemefortransportingvariouslengthsofsymmetrickeysissummarizedinTable7.2.7.7SummaryThefollowingsummarizesthealgorithmscomprisingintheCocksIBEscheme.Algorithm7.1:CocksIBESetup(globalparameters)INPUT:Asecurityparameter�OUTPUT:p,q,n,H11.Randomlypickaprimepwithp≡3(mod4)largeenoughtosatisfythesecurityparameter.Table7.2SizeofCocksIBECiphertextforSelectedSymmetricKeyLengthsSymmetricKeyLengthCocksIBECiphertextSize80bits166,710bits112bits458,752bits128bits768,432bits256bits7,864,320bits 144IntroductiontoIdentity-BasedEncryption2.Randomlypickaprimeqwithq≡3(mod4)largeenoughtosatisfythesecurityparameter.3.Letn=p�q.4.SelectanappropriatehashfunctionH1:{0,1}*→�nsuchthat(H1(ID)/n)=+1foranyID∈{0,1}*.Algorithm7.2:CocksPublicKeyCalculationINPUT:n,astringIDrepresentinganidentity,hashfunctionH11.CalculateH1(ID)Algorithm7.3:CocksIBEPrivateKeyExtractionINPUT:a,p,qOUTPUT:r1.Calculateras:(�(n)+4)/8(pq−p−q+5)/8r=amodn=amodnAlgorithm7.4:CocksIBEEncryptionINPUT:n,plaintextbitmOUTPUT:Ciphertext(s1,s2),eachcomponentanintegermodulonm1.Encodemasx=(−1).2.Pickarandomt1andt2with�t1�t2n=�n�=x3.Calculates1byas1=�t1+t�modn14.Calculates2byas2=�t2−t�modn2 TheCocksIBEScheme145Algorithm7.5:CocksIBEDecryptionINPUT:Privatekeyr,ciphertext(s1,s2),nOUTPUT:Plaintextbitm21.Ifr≡a(modn)thenlets=s1elselets=s2.2.Calculatetheencodedplaintextbitxbys+2rx=�n�3.Ifx=−1thenletm=0elseletm=1.References[1]Cocks,C.,‘‘ANoteonNon-SecretEncryption,’’CESGReport,1973.[2]Cocks,C.,‘‘AnIdentityBasedEncryptionSchemeBasedonQuadraticResidues,’’Proceed-ingsoftheEighthIMAInternationalConferenceonCryptographyandCoding,Cirencester,U.K.,December17–19,2001,pp.360–363.[3]Goldwasser,S.,andS.Micali,‘‘ProbabilisticEncryption,’’JournalofComputerandSystemSciences,Vol.28,No.2,1984,pp.270–299. 8Boneh-FranklinIBEThischapterdiscussesBoneh-FranklinIBE[1],thefirstpracticalandsecureIBEschemethatwasinvented.Boneh-FranklinIBEisanexampleofthefull-domainhashfamilyofIBEschemes,schemesinwhichanidentityIDismappedtoapointQIDonanellipticcurvethatisthenusedintheencryptionanddecryptionalgorithmsofthescheme.Mappinganidentitytoapointonanellipticcurvetypicallyrequiresamodularexponentiationthatisfairlyexpensivetocalculate,sofull-domainhashschemesoftenhaveadisadvantageinperfor-mancerelativetosomeothertypesofIBEschemes.Becauseofthis,currentresearchseemstohaveabandonedfull-domainhashschemesinfavorofothertechniqueswhereitisonlynecessarytomapanidentitytoaninteger.Boneh-FranklinIBEalsorequiresthecalculationofapairing,anexpensivecalculationthataccountsforalmostallofthecomputationrequiredforaBoneh-FranklindecryptionandmostofthecomputationrequiredforaBoneh-Franklinencryption.TheBoneh-FranklinIBEschemehasfeaturesofbothJoux’sthree-waykeyexchangeandElGamalencryption.Joux’sthree-waykeyexchangegeneralizedtheDiffie-Hellmankeyexchangetothreeparticipants,eachwiththeirownsecretintegervalues.InBoneh-FranklinIBE,therearealsothreesecretintegervalues:oneofthemisthemastersecretoftheIBEsystem,oneisrandomlygeneratedbythesender,andthethirdisneverknown,butisthediscretelogarithmoftheidentityoftherecipient.BothuseapublicparameterP,whichisapointonanellipticcurve,andapairingˆe.ThiscomparisonisshowninTable8.1andTable8.2.InthecaseofJoux’sthree-waykeyexchange,thesharedsecretabcˆe(P,P)iscalculatedfromthreepointsaP,bPandcP,whileinthecaseofrstBoneh-FranklinIBE,thesharedsecretˆe(P,P)iscalculatedfromasimilarsetofthreepointsrP,sPandtP.InthecaseofBoneh-FranklinIBE,thevalueof147 148IntroductiontoIdentity-BasedEncryptionTable8.1SummaryofPublicandPrivateValuesinJoux’sThree-WayKeyExchangeSourcePrivateValuePublicValueAliceaaPBobbbPCharlieccPTable8.2SummaryofPublicandPrivateValuesinBoneh-FranklinIBESourcePrivateValuePublicValueAlicerrPSystemparametersssPBobs�tP=sQIDtP=QIDtisneverknown;itonlyappearsinthevaluetP=QIDwhichiscalculatedfromtherecipient’sidentity.MuchlikeElGamalencryptionusesthesharedsecretfromaDiffie-Hellmankeyexchangetoencryptaplaintextmessage,Boneh-FranklinIBEusesthesharedsecretfromthisvariantofJoux’sthree-waykeyexchangetoencryptrstaplaintextmessage.So,aftercalculatingthesharedsecretˆe(P,P),Alicehashesthesharedsecretintoaformatcompatiblewiththeplaintext.Thevalueofrstˆe(P,P)isanelementofsome�q,forexample,whileatypicalmessageisanrstelementof{0,1}*,sothatˆe(P,P)needstobemappedinto{0,1}*sothatitcanbecombinedwiththeplaintexttoproducetheciphertext.So,rstAlicehashesthesharedsecretˆe(P,P)tothemessagespaceandcombinestheresultinghashwiththeplaintextMtogettheciphertextC=M⊕rstrstHash(ˆe(P,P)).Bobthencalculatesthesharedsecretˆe(P,P),hashesittorstthemessagespace,andrecoversM=C⊕Hash(ˆe(P,P)).Therestofthischapterdefinesthesestepsmorecarefullyandaddsrefinementstomaketheresultingschememoresecure.TheoriginalBoneh-Franklinpaper[1]usedaslightlydifferentnotationthantheconventionfollowedhere.Inparticular,therolesofpandqwerereversed.Intheoriginalpaper,thevalueofpdefinedtheorderofthefinitefield�pwhileqwasaprimethatdefinedtheorderofthegroupE(�p)[q].Laterpublicationsswitchedtheseroles,usingqtodefinetheorderofthefinitefield�qandptodefinetheorderofthegroupG1,theconventionthatmost Boneh-FranklinIBE149pairing-basedcryptographyliteraturenowfollows.SowhenreadingdescriptionsoftheBohen-FranklinIBEsystem,itmaybenecessarytocarefullynotethemeaningofthesystemparameters.8.1Boneh-FranklinIBE(BasicScheme)TheBoneh-Franklinbasicschemeusesasharedsecretthatcanbecalculatedbyboththesenderandreceiverofamessagetoencryptaplaintextmessage.WhileitiseasiertounderstandthanthefullBoneh-FranklinIBEscheme,italsoisnotassecure.ThefullysecureandmorecomplicatedschemeisdescribedinSection8.2.8.1.1SetupofParameters(BasicScheme)ToimplementBoneh-FranklinIBEwefirstneedasecurityparameterthatdefinesthelevelofbitstrengththattheencryptionwillprovide.ThenweneedtodefinegroupsG1andGTandapairingˆe:G1×G1→GT.TodothiswepickanellipticcurveE/�qwithembeddingdegreek,andaprimepsuchthat2p|#E(�q).Wealsorequirethatp|#E(�q)toensurethatthesubgroupoforderpthatwewillhashidentitiesintoisunique.TheparameterpistheorderofthegroupsG1andGT,andGTisasubgroupof�q*k.Toattainaparticularlevelofsecurity,theseparametersneedtobechosenasdescribedinSection5.4.WethenrandomlypickapointP∈E(�q)[p]andletG1=〈P〉andGT=〈ˆe(P,P)〉,whicharecyclicgroupsofprimeorderp.Next,wepickarandomintegers∈�p*anduseittocalculatesP.TomapanidentityIDtoapointQIDwealsoneedacryptographichashfunctionH1:{0,1}*→G1.ToencryptamessageofnbitsusingBoneh-FranklinIBEwealsoneedanotherncryptographichashfunctionH2:GT→{0,1}thathasheselementsofGTintoaformthatwecancombinewiththeplaintextmessage,whichisabitstringoflengthn.TheseelementsformthepublicparametersandmastersecretasshowninTable8.3andTable8.4.Theintegersisthemastersecret;allothervaluescomprisethepublicparameters.TherearedependenciesamongtheelementsofTable8.3.Thevaluesofp,q,andE,forexample,areimplicitinthedefinitionofthegroupG1.Becauseofthisitispossibletoreducethenumberofrequiredpublicparam-eterstoamuchshorterlist,andwecandefinethepublicparametersofaBoneh-FranklinIBEsystem(basicscheme)tobeBFBasicParams=(G1,GT,ˆe,n,sP,H1,H2)withoutintroducinganyambiguity. 150IntroductiontoIdentity-BasedEncryptionTable8.3PublicParametersofBoneh-FranklinIBESystem(BasicScheme)ElementTypeCommentsqPrimepowerOrderoffinitefield�qE/�qEllipticcurveE(�q)hasembeddingdegreekpPrimep|#E(�),p2q|#E(�q)G1CyclicgroupSubgroupofE(�q),G1=〈P〉GTCyclicgroupSubgroupof�q*k,GT=〈eˆ(P,P)〉eˆPairingeˆ:G1×G1→GTnIntegerLengthofplaintext(inbits)PPointonellipticcurveP∈G1sPPointonellipticcurvesP∈G1H1CryptographichashfunctionH1:{0,1}*→G1H2CryptographichashfunctionH:G→{0,1}n2TTable8.4MasterSecretforBoneh-FranklinIBESystem(BasicScheme)ElementTypeCommentssIntegers∈�*p8.1.2ExtractionofthePrivateKey(BasicScheme)OncethepublicparameterslistedinTable8.3andthemastersecretlistedinTable8.4aredetermined,theprivatekeyassociatedwiththeidentityIDiscalculatedbymappingtheidentitytoapointonthecurveEbycalculatingQID=H1(ID)andthenbymultiplyingthispointQIDbythemastersecretstogettheprivatekeysQID.ThisissummarizedinTable8.5.8.1.3EncryptingwithBoneh-FranklinIBE(BasicScheme)nToencryptthemessageM∈{0,1}totherecipientwithidentityID,thesenderfollowsthefollowingsteps.Table8.5PrivateKeyforBoneh-FranklinIBESystemElementTypeCommentssQIDPointonellipticcurvePrivatekeycorrespondingtoidentityID,QID=H1(ID) Boneh-FranklinIBE1511.Generatesarandomintegerr∈�p*andcalculatesrP.2.CalculatesQID=H1(ID)fromtherecipient’sidentityIDandusesittocalculateK=H2(ˆe(rQID,sP))(8.1)3.SetstheciphertextcorrespondingtothepairC=(C1,C2)whereC1=rPandC2=M⊕K.8.1.4DecryptingwithBoneh-FranklinIBE(BasicScheme)WhentherecipientreceivestheciphertextC=(rP,M⊕H2(ˆe(rQID,sP))=(C1,C2)heperformsthefollowingsteps.1.CalculatesK=H2(ˆe(sQID,C1))fromtheciphertextcomponentC1andhisprivatekeysQID.2.CalculatesM=C2⊕K.ThisrecoverstheplaintextMbecausethesendercalculatesKasrsK=H2(ˆe(rQID,sP))=H2(ˆe(QID,sP))andtherecipientcalculatesKassrK=H2(ˆe(sQID,C1))=H2(ˆe(QID,P))8.1.5Examples(BasicScheme)23(i)SupposethatEistheellipticcurveE/�q:y=x+1,withqaprimeandq≡11(mod12),andG1asubgroupoforderpofE(�q).WecancreateasuitablehashfunctionH1:{0,1}*→G1fromacryptographichashfunctionHasfollows.First,useHtomapastringthatrepresentsanidentityintotheintegersmoduloq,perhapsbyeitheriteratingHuntilwegetaresultinthecorrectrangeorbyinterpretingtheoutputofHasanintegerandthenreducingthisintegermoduloq.Wecanthenusethisresultasthey-coordinateofapointQ∈E(�q)andcalculatethecorrespondingx-coordinateofapointonthecurvefrom21/3x=(y−1) 152IntroductiontoIdentity-BasedEncryptionFromEuler’stheorem,wehavethatq−1a≡1(modq)sothat2q−1a≡a(modq)andthus(2q−1)/31/3a≡a(modq)wheneverwehavethat3|(2q−1).Thisisthecasewhenq≡11(mod12),sowecancalculatethex-coordinateofthepointQthisway.OnewaytogetQID∈E(�q)[p]fromsuchaQistomultiplyitbyanappropriateconstanttoget#E(�q)QID=Qp23WiththecurveE/�q:y=x+1,wehavethat#E(�q)=q+1whenq≡11(mod12),sowecalculateQID∈E(�q)[p]asq+1QID=Qp2Becausewerequirethatp|#E(�q)butp|#E(�q),weknowthatwehaveauniquesubgroupofE(�q)ororderp,sothismustresultinQID∈G1asneeded.23(ii)SupposethatEistheellipticcurveE/�q:y=x+x,withqaprimeandq≡11(mod12),andG1asubgroupoforderpofE(�q).WecancreateasuitablehashfunctionH1:{0,1}*→G1fromacryptographichashfunctionHasfollows.First,useHtomapastringthatrepresentsanidentityintotheintegersmoduloq.Wecanthenusethisresultasthex-coordinateofapointQ∈E(�q)[p]andcalculatethecorrespondingy-coordinateofQfromandthencalculat-ingthecorrespondingx-coordinateofapointonthecurvefrom31/2y=(x+x) Boneh-FranklinIBE1533Wecanonlydothisifx+xisaquadraticresiduemoduloq,3butbecauseq≡3(mod4)wehavethatifx+xisaquadratic3nonresiduemoduloqthenwehavethat−(x+x)isaquadraticresiduemoduloq.FromEuler’stheorem,wehavethatq−1a≡1(modq)sothatq−12q+12aa=a≡a(modq)andthus(q+1)/41/2a≡a(modq)wheneverwehavethat4|(q+1).Thisisthecasewhenq≡11(mod12),sowecancalculatethey-coordinateofthepointQthisway.23WiththecurveE/�q:y=x+x,wehavethat#E(�q)=q+1whenq≡11(mod12),sowecalculateQID∈E(�q)[p]asq+1QID=Qp(iii)Supposethatwewanttoavoidhashinganidentitytoapointonanellipticcurve,andtrytoavoidthisbyhashingtheidentityIDtoanintegertandthenusingthepointtPasthecorrespondingpublickey.This,however,willallowanadversarytocalculatethesharedrsttrstsecretˆe(P,P)as(ˆe(rP,sP))=ˆe(P,P),whichdefeatsthesecurityprovidedbytheBoneh-FranklinIBEscheme.(iv)ElementsofGTareelementsofthefinitefield�qk,sowecanwriteatypicalelementofGTas�=(�1,�2,...,�k)whereeachn�i∈�q.SoforaplaintextmessageM∈{0,1},onewaytocreatenausefulhashfunctionH2:{0,1}→GTistousetheconcatenationofthecoordinatesof�astheinputtoacryptographichashfunctionHandthentoreduceH(�1|�2|...|�k)totherange0ton2−1,perhapsbytruncatingH(�1|�2|...|�k)tonbits.(v)SupposethatAlicewantstouseBohen-FranklinIBEtoencryptamessagetoBob.SupposethatEistheellipticcurve23E/�131:y=x+1,andP=(98,58)∈E(�131)[11],G1=〈P〉,andGT=〈ˆe(P,P)〉,whereˆe:G1×G1→GTisthereducedmodi-1560fiedTatepairingwhereˆe(P,Q)=e(P,�(Q)),where�isthe 154IntroductiontoIdentity-BasedEncryptiondistortionmapgivenby�(x,y)=(�x,y)for�=65+112i.Letthemastersecretofthissystembetheintegers=7,sothatsP=(33,100),andsupposethatBob’sidentitygivesusthatH2(IDBob)=QID=(128,57),sothatBob’sprivatekeyissQID=(113,8).ThevaluesusedinthisexamplearesummarizedinTable8.6.Alicecanusethesevaluestoencryptthemessages=7toBob.Supposethatshegeneratestherandomr=5∈�11*todothis.AlicethencalculatesrQID=(5)(128,57)=(98,73)andusesittocalculaterP=5P=(34,23)andK=H2(ˆe(rQID,sP))=H2(ˆe(98,73),(33,100)))=H2(49+58i)whichshethenusestocreatetheciphertext(C1,C2)whereC1=rPandC2=M⊕K.WhenBobreceivesthisciphertext,hethencalculatesK=H2(ˆe(sQID,C1))=H2(ˆe(113,8),(34,23)))=H2(49+58i)whichhethenusestorecovertheplaintextMbycalculatingM=C2⊕K=(M⊕K)⊕K=MTable8.6SummaryofValuesUsedinExample8.1.5(v)ParametersTypeValueCommentsPPointonellipticcurve(98,58)P∈E(�131)[11]sPPointonellipticcurve(33,100)QIDPointonellipticcurve(128,57)QID∈E(�131)[11]sQIDPointonellipticcurve(113,8)Bob’sprivatekeyrInteger5GeneratedrandomlybyAlicesInteger7Mastersecret Boneh-FranklinIBE15523(vi)SupposethatEistheellipticcurveE/�131:y=x+1,andwewanttousethepairingˆe:G1×G2→GTtoimplementtheBoneh-FranklinschemewhereG1isasubgroupofE(�131)andG2isa23subgroupofE′(�131)whereE′/�131:y=x+130isthequadratictwistofE/�131constructedusingthequadraticnonresiduev=130.ThiswillrequirethepublicparametersPandsPtobeelementsofE′(�131).WecanuseP=(4,71)∈E′(�131)togenerateG2forthis,givingsP=(56,72)fors=7.SowecanuseG1=〈Q〉=〈(98,58)〉andG2=〈P〉=〈(4,71)〉.Letˆe:G1×G2→GTbethe1560reducedmodifiedTatepairingwhereˆe(P,Q)=e(P,�2(Q)),where�2:E′→Eisthemappinggivenby�(x,y)=(130�x,i�y).Letthemastersecretofthissystembetheintegers=7,sothatsP=(56,72),andsupposethatBob’sidentitygivesusthatH2(IDBob)=QID=(128,57),sothatBob’sprivatekeyissQID=(113,8).ThevaluesusedinthisexamplearesummarizedinTable8.7.AlicecanusethesevaluestoencryptthemessageMtoBob.Supposethatshegeneratestherandomr=5∈�11*todothis.AlicethencalculatesrQID=(5)(128,57)=(98,73)andusesittocalculaterP=5P=(54,1)andK=H2(ˆe(rQID,sP))=H2(ˆe((98,73),(56,72)))=H2(39+107i)whichshethenusestocreatetheciphertext(C1,C2)whereC1=rPandC2=M⊕K.WhenBobreceivesthisciphertext,hethencalculatesTable8.7SummaryofValuesUsedinExample8.1.5(vi)ParametersTypeValueCommentsPPointonellipticcurve(4,71)P∈E′(�131)[11]sPPointonellipticcurve(56,72)QIDPointonellipticcurve(128,57)QID∈E(�131)[11]sQIDPointonellipticcurve(113,8)Bob’sprivatekeyrInteger5GeneratedrandomlybyAlicesInteger7Mastersecret 156IntroductiontoIdentity-BasedEncryptionK=H2(ˆe(sQID,C1))=H2(ˆe((113,8),(54,1)))=H2(39+107i)whichhethenusestorecovertheplaintextMbycalculatingM=C2⊕K=(M⊕K)⊕K=M8.2Boneh-FranklinIBE(FullScheme)Thebasicschemeisalsovulnerabletoachosen-ciphertextattackbecausethevalueofKcalculatedin(8.1)isnotafunctionoftheplaintextmessageM.Soifanadversarywantstodecrypttheciphertext(C1,C2)whichencryptsthemessageMhecandothisbydecryptingtheciphertext(C1,C2⊕�)togettheplaintextmessageM⊕�andthenrecoverMasM=(M⊕�)⊕�.TheFujisaki-Okamototransformcaneasilyeliminatethisvulnerability;addingtheadditionallevelofhashingthattheFujisaki-Okamototransformrequirescreatesthemorecomplex‘‘fullscheme’’thatisdescribedbelowthatisnotvulnerabletosuchanattack.AddingtheFujisaki-Okamototransformtocreateaschemethatisresistanttochosen-ciphertextattacksmakesamorecomplexsystem.Twoadditionalcryptographichashfunctionsarerequired,andboththeencryptionanddecryptionprocessesgetmorecomplex.8.2.1SetupofParameters(FullScheme)InadditiontotheparameterslistedinTable8.3,wealsoneedtwoadditionalhashfunctionstoimplementtheFujisaki-Okamototransform.Inparticular,nnweneedtohashfunctionsH3:{0,1}×{0,1}→�*pandnnH4:{0,1}×{0,1}→�*p.AddingthesehashfunctionsbringsthelistofpublicparametersforthefullschemetothepublicparametersthatarelistedinTable8.8.Themastersecretisunchangedfromthebasicscheme,andisshowninTable8.9.TherearedependenciesamongtheelementsofTable8.8.Thevaluesofp,q,andE,forexample,areimplicitinthedefinitionofthegroupG1.Becauseofthisitispossibletoreducethenumberofrequiredpublicparameterstoamuchshorterlist,andwecandefinethepublicparametersofaBoneh-FranklinIBEsystemtobeBFParams=(G1,GT,ˆe,n,P,sP,H1,H2,H3,H4)withoutintroducinganyambiguity. Boneh-FranklinIBE157Table8.8PublicParametersofBoneh-FranklinIBESystem(FullScheme)ElementTypeCommentsqPrimepowerOrderoffinitefield�qE/�qEllipticcurveE(�q)hasembeddingdegreekpPrimep|#E(�),p2q|#E(�q)G1CyclicgroupSubgroupofE(�q),G1=〈P〉GTCyclicgroupSubgroupof�q*k,GT=〈eˆ(P,P)〉eˆPairingeˆ:G1×G1→GTnIntegerLengthofplaintextPPointonellipticcurveP∈E(�q)[p]sPPointonellipticcurvesP∈E(�q)[p]H1CryptographichashfunctionH1:{0,1}*→G1HCryptographichashfunctionH:G→{0,1}n22THCryptographichashfunctionH:{0,1}n×{0,1}n→�*33pHCryptographichashfunctionH:{0,1}n×{0,1}n→�*44pTable8.9MasterSecretforBoneh-FranklinIBESystem(FullScheme)ElementTypeCommentssIntegers∈�*p8.2.2ExtractionofthePrivateKey(FullScheme)Theextractionoftheprivatekeyforthefullschemeisidenticaltotheextractionoftheprivatekeyinthebasicscheme(Section8.1.2).ThisissummarizedinTable8.10.8.2.3EncryptingwithBoneh-FranklinIBE(FullScheme)ToencryptthemessageMtotherecipientwithidentityID,thesenderperformsthefollowingsteps:Table8.10PrivateKeyforBoneh-FranklinIBESystemElementTypeCommentssQIDPointonellipticcurvePrivatekeycorrespondingtoidentityID,QID=H1(ID) 158IntroductiontoIdentity-BasedEncryption1.CalculatesQID=H1(ID).n2.Picksarandom�∈{0,1}.3.Calculatesr=H3(�,M).4.CalculatesC1=rP.5.CalculatesC1=�⊕H2(ˆe(rQID,sP)).6.CalculatesC3=M⊕H4(�).7.SetstheciphertexttoC=(C1,C2,C3).8.2.4DecryptingwithBoneh-FranklinIBE(FullScheme)TodecrypttheciphertextC=(C1,C2,C3),therecipientperformsthefollowingsteps:1.Calculates�=C2⊕H2(ˆe(sQID,C1)).2.CalculatesM=C3⊕H4(�),whichistheplaintextmessage.3.Calculatesr=H3(�,M).4.CalculatesrP.IfC1≠rPthenrejectstheciphertextasinvalid.8.3SecurityoftheBoneh-FranklinIBESchemeNotethatwecanwriteQID=tPforsome(unknown)t,sowehaveˆe(rQID,rstsP)=ˆe(rtP,sP)=ˆe(P,P).So,wecanalsothinkoftheciphertextasbeingrstC=(rP,M⊕H2(ˆe(P,P)).AnadversarycanobtainPandsPfromthepublicparameters,cancalculateQID=tPfromtherecipient’sidentity,andobservesrstrPintheciphertext.Ifhecancalculateˆe(P,P)fromP,rP,sP,andtPthenrsthecanrecovertheplaintextmessageMbycalculating(M⊕H2(ˆe(P,P))⊕rstrstH2(ˆe(P,P)=M,butcalculatingˆe(P,P)inthiswayisexactlytheBDHP.So,iftheBDHPissufficientlydifficultthenitwillbedifficultforanadversarytorecoveraplaintextmessagefromacorrespondingciphertext.BychoosingG1andGTcarefullythiscaneasilybeaccomplished.TheoriginalBoneh-Franklinpaper[1]usedtherandomoraclemodeltoprovethatanadversaryabletodecryptamessagethathasbeenencryptedwithBoneh-FranklinIBEcanusehisdecryptionalgorithmtosolvetheBDHP,soifwebelievethattheBDHPissufficientlydifficulttosolvethenBoneh-FranklinIBEmustalsobesufficientlydifficulttodecrypt.ThebasicBoneh-Franklinschemeisresistanttochosen-plaintextattacksandadaptivechosen-identityattacks;thefullBoneh-Franklinschemeisresistanttochosen-ciphertextattacksandadaptivechosen-identityattacks. Boneh-FranklinIBE1598.4SummaryThefollowingsummarizesthestepsintheBoneh-FranklinIBEscheme(fullscheme).Algorithm8.1:Boneh-FranklinIBESetupINPUT:asecurityparameter�,anellipticcurveE,aplaintextbitlengthnOUTPUT:BFParams=(G1,GT,ˆe,n,P,sP,H1,H2,H3,H4)andmastersecrets1.Selectaprimepandprimepowerqwithp|#E(�q)and2p|#E(�q)andsuchthatthebitsecuritylevelprovidedbypandqmeetstherequiredsecurityparameter�.Forbestperformance,pshouldbeaSolinasprime.2.SelectarandomP∈E(�q)[p]andletG1=〈P〉.3.LetkbetheembeddingdegreeofE/�q;selectapairingˆe:G1×G1→�q*k.4.LetGT=〈ˆe(P,P)〉.5.Selectarandoms∈�p*andcalculatesP.6.SelectappropriatecryptographichashfunctionsH1:{0,1}*→G1,nnnH2:GT→{0,1},H3:{0,1}×{0,1}→�*pandnnH4:{0,1}×{0,1}→�*p.7.Themastersecretisthevalues.8.ThepublicparametersareBFParams=(G1,GT,ˆe,n,P,sP,H1,H2,H3,H4).Algorithm8.2:Boneh-FranklinIBEPrivateKeyExtractionINPUT:AstringIDrepresentinganidentityandasetofpublicparametersBFParams=(G1,GT,ˆe,n,P,sP,H1,H2,H3,H4).OUTPUT:TheprivatekeysQID1.CalculatesQID=sH1(ID).Algorithm8.3:Boneh-FranklinIBEEncryptionINPUT:AplaintextmessageMoflengthnbits,astringIDrepresentingtheidentityoftherecipientoftheciphertext,asetofpublicparametersBFParams=(G1,GT,ˆe,n,P,sP,H1,H2,H3,H4).OUTPUT:AciphertextC=(C1,C2,C3) 160IntroductiontoIdentity-BasedEncryption1.CalculateQID=H1(ID).n2.Selectarandom�∈{0,1}.3.Calculater=H3(�,M).4.CalculateC1=rP.5.CalculateC2=�⊕H2(ˆe(rQID,sP)).6.CalculateC3=M⊕H4(�).Algorithm8.4:Boneh-FranklinIBEDecryptionINPUT:AciphertextC=(C1,C2,C3),asetofpublicparametersBFParams=(G1,GT,ˆe,n,P,sP,H1,H2,H3,H4),aprivatekeysQID.OUTPUT:AplaintextmessageMoranerrorcondition1.Calculate�=C2⊕H2(ˆe(sQID,C1)).2.CalculateM=C3⊕H4(�).3.Calculater=H3(�,M)andthencalculaterP.IfC1≠rPthenraiseanerrorconditionthatindicatesaninvalidciphertext.Otherwise,returntheplaintextM.Reference[1]Boneh,D.,andM.Franklin,‘‘IdentityBasedEncryptionfromtheWeilPairing,’’SIAMJournalofComputing,Vol.32,No.3,pp.586–615. 9Boneh-BoyenIBEThischapterdiscussesBoneh-BoyenIBE[1],anexampleofthefamilyof‘‘commutativeblinding’’schemes.Thenameisduetothecommutingofcoeffi-cientsthatoccurswhencomputingtheratiooftwopairingsthatisroughlyoftheforme(aP,bQ)e(bP,aQ)AvaluethatusedtoencryptaplaintextmessageiscalculatedbythesenderusingpublicparametersofaBoneh-BoyenIBEscheme,andtherecipientoftheresultingciphertextcalculatesthesamevaluefromtheciphertextandhisprivatekeybycalculatingsucharatioofpairings.Calculatingtheratiooftwopairingscanbedonemoreefficientlythancalculatingthetwopairingsseparatelyandthencalculatingtheratio,analgorithmforwhichisdiscussedinChapter12.IntheBoneh-BoyenIBEschemeandothercommutativeblindingschemes,anidentityIDishashedtoanintegerthatisthenusedintheencryptionanddecryptionoperations.Thisavoidsamodularexponentiation,whichgenerallymakessuchschemesfasterthenfull-domainhashschemes,liketheBoneh-FranklinschemeofChapter8,whichrequirehashinganidentitytoapointonanellipticcurve.NotethattwoIBEschemesweredescribedinthesamepaperbyBonehandBoyen[1],sothename‘‘Boneh-BoyenIBEscheme’’canbeambiguous.TheIBEschemedescribedhereisthefirstofthetwoschemesthatweredescribedinthispaper,andisoftenabbreviatedBB1whilethesecondschemeisoftenabbreviatedBB2.ThischapteronlydiscussestheBB1IBEscheme.161 162IntroductiontoIdentity-BasedEncryptionTwowaystodescribethebasicBoneh-Boyenschemearegiveninthefollowingsections.AsimplifiedversionoftheschemeisdescribedinSection9.1usingtheadditivenotationthatiscommonlyusedforoperationsinellipticcurvegroupsandisusedinthemanycryptographicstandards.InSection9.2thesameschemeisdescribedusingthemultiplicativenotationthatiscommonlyusedinmorerecentliteratureonpairing-basedcryptography.Thebasicschemeisvulnerabletoachosen-ciphertextattackandafullysecureversionoftheschemeisdescribedinSection9.3.9.1Boneh-BoyenIBE(BasicScheme—AdditiveNotation)TheBoneh-Boyenbasicschemeusesasharedsecretthatcanbecalculatedbyboththesenderandreceiverofamessagetoencryptaplaintextmessage;thesenderofthemessagecalculatesthesharedsecretfrompublicparametersandtherecipient’sidentity,whiletherecipientcalculatesthesharedsecretfromtheirprivatekeyandtheciphertext.WhileitiseasiertounderstandthanthefullBoneh-BoyenIBEscheme,italsoisnotassecure.ThefullysecureandmorecomplicatedschemeisdescribedinSection9.3.ThefollowingdescriptionoftheBoneh-Boyenschemeusestheadditivenotationthatiscommonlyusedforoperationsinellipticcurvegroups.SothatifPandQareelementsofanellipticcurvegroupE(�q)thenwewillwriteP+QtoindicatethegroupoperationofE(�q)appliedtothegroupselementsPandQandaPtoindicatethemultiplicationofthepointPbytheintegera.Thisnotationisusedbymanycryptographicstandards,butisrarelyusedintheliteratureofpairing-basedcryptography,wherethemultiplicativenotationthatisusedinSection9.2ismorecommon.9.1.1SetupofParameters(BasicScheme—AdditiveNotation)ToimplementBoneh-BoyenIBEwefirstneedasecurityparameterthatdefinesthelevelofbitstrengththattheencryptionwillprovide.ThenweneedtodefinegroupsG1andGTandapairingˆe:G1×G1→GT.TodothiswepickanellipticcurveE/�qwithembeddingdegreek,andaprimepsuchthatp|#E(�q).ThesecurityparameterwilldefinethesizeofthegroupsG1andGTasdescribedinSection9.5.WethenrandomlypickapointP∈E(�q)[p]andletG1=〈P〉andGT=〈ˆe(P,P)〉,whicharecyclicgroupsoforderp.WeneedacryptographichashfunctionH1:{0,1}*→�ptomapstringsrepresentingidentitiestointe-gers.ToencryptamessageofnbitsusingBoneh-BoyenIBEwealsoneednanothercryptographichashfunctionH2:GT→{0,1}thathasheselementsofGTintoaformthatwecancombinewiththeplaintextmessage,whichis Boneh-BoyenIBE163abitstringoflengthn.Threeintegers�,�,�∈�parethemastersecretandareusedtocalculatethethreeadditionalpublicparameters�P,�P,and�P.Thereisalsoaconstantv=ˆe(P��whichis1,P2)=ˆe(�P,�P)=ˆe(P,P)neededbytheBoneh-Boyenscheme.ThisconstantcaneitherbedistributedtousersaspartofthepublicparametersorcanbeprecomputedbyusersbeforetheyperformaBoneh-Boyenencryption.Wewillassumethatthisconstantvispartofthepublicparameters,inwhichcasetheparameter�PdoesnotneedtobelistedinthepublicparametersbecauseitsonlyuseoutsideaPKGisincalculatingv.TheseelementsformthepublicparametersandmastersecretasshowninTable9.1andTable9.2.TherearedependenciesamongtheelementsofTable9.1.Thevaluesofp,q,andE,forexample,areimplicitinthedefinitionofthegroupG1.BecauseofthisitispossibletoreducethenumberofrequiredpublicparameterstoaTable9.1ParametersofBoneh-BoyenIBESystem(BasicScheme—AdditiveNotation)ElementTypeCommentsqPrimepowerOrderoffinitefield�qE/�qEllipticcurveE(�q)hasembeddingdegreekpPrimep|#E(�q)G1CyclicgroupSubgroupofE(�q),G1=〈P〉GTCyclicgroupSubgroupof�q*k,GT=〈eˆ(P,P)〉eˆPairingeˆ:G1×G1→GTnPositiveintegerLengthofplaintext(inbits)PPointonellipticcurveP∈G1P1PointonellipticcurveP1=�PP2PointonellipticcurveP2=�PP3PointonellipticcurveP3=�PH1CryptographichashfunctionH1:{0,1}*→�pH2CryptographichashfunctionH:G→{0,1}n2T��vElementof�q*kv=eˆ(P1,P2)=eˆ(�P,�P)=eˆ(P,P)Table9.2MasterSecretforBoneh-BoyenIBESystem(BasicScheme—AdditiveNotation)ElementTypeComments�,�,�Integers�,�,�∈�p 164IntroductiontoIdentity-BasedEncryptionmuchshorterlist,andwecandefinethepublicparametersofaBoneh-BoyenIBEsystem(basicscheme—additivenotation)tobeBB1BasicParamsAdditive=(G1,GT,ˆe,n,P,P1,P3,H1,H2,v)withoutintroducinganyambiguity.9.1.2ExtractionofthePrivateKey(BasicScheme—AdditiveNotation)OncethepublicparameterslistedinTable9.1andthemastersecretlistedinTable9.2aredetermined,theprivatekeyassociatedwiththeidentityIDiscalculatedbymappingtheidentitytoanintegerqID∈�pbycalculatingqID=H1(ID).Arandomper-uservaluer∈�pisthengenerated,whichisthenusedtocalculatethetwocomponentsoftheprivatekeyDID=(qID�rP1+�P2+rP3,rP)=(D0,D1).ThisissummarizedinTable9.3.9.1.3EncryptingwithBoneh-BoyenIBE(BasicScheme—AdditiveNotation)nToencryptthemessageM∈{0,1}totherecipientwithidentityID,thesenderperformsthefollowingsteps.1.CalculateqID=H1(ID).2.Pickrandoms∈�p.s3.Calculatek=v.4.Calculatec=M⊕H2(k).5.CalculateC0=sP.6.CalculateC1=qID(sP1)+sP3.7.SetciphertexttoC=(c,C0,C1).9.1.4DecryptingwithBoneh-BoyenIBE(BasicScheme—AdditiveNotation)WhentherecipientreceivestheciphertextC=(c,C0,C1)heperformsthefollowingsteps.Table9.3PrivateKeyforBoneh-BoyenIBESystemElementCommentsDID=(qID�rP1+�P2+rP3,rP)=(D0,D1)PrivatekeycorrespondingtoidentityID,qID=H1(ID) Boneh-BoyenIBE165ˆe(C0,D0)1.Calculatek=.ˆe(C1,D1)2.CalculateM=c⊕H2(k).Notethatˆe(C0,D0)=ˆe(sP,qID�rP1+�P2+rP3)=ˆe(sP,qID�rP1)ˆe(sP,�P2)ˆe(sP,rP3)=ˆe(sP,�qID�rP)ˆe(sP,��P)ˆe(sP,�rP)=ˆe(P,P)�qID�rsˆe(P,P)��sˆe(P,P)�rsandˆe(C1,D1)=ˆe(qID�sP1+sP3,rP)=ˆe(�qID�sP+�sP,rP)=ˆe(�qID�sP,rP)ˆe(�sP,rP)=ˆe(P,P)�qID�rsˆe(P,P)�rssothatwehaveˆe(Cˆe(P,P)�qID�rsˆe(P,P)��sˆe(P,P)�rs0,D0)=ˆe(C1,D1)ˆe(P,P)�qID�rsˆe(P,P)�rs��ss=ˆe(P,P)=vsothatstep3ofSection9.1.3andstep1ofSection9.1.4calculatethesamesvalueofv,whichallowstherecipienttodecrypttheciphertextcorrectly.Example9.1(Boneh-BoyenBasicScheme—AdditiveNotation)(i)TocreateasuitablehashfunctionH1:{0,1}*→�p,supposethatwehaveacryptographichashfunctionHthatcreatesanoutputofatleastlog2pbitsandwanttocalculateH1(ID).WecancreateasuitableH1fromHbyeitherrepeatedlyapplyingHtoH(ID)untilweobtainavalueinthecorrectrangeorbyreducingH(ID)modulop.n(ii)TocreateasuitablehashfunctionH2:GT→{0,1},supposethatwehaveacryptographichashfunctionHthatcreatesanoutputof 166IntroductiontoIdentity-BasedEncryptionatleastnbits,andthatGTisasubgroupof�q*k,sothatwecanwriteatypicalelementofGTas�=(x1,x2,...,xk),wherexi∈�q*.WecancreateasuitableH2fromHbycalculatingH(x1|x2|...xk)andthentruncatingtheresulttonbits,forexample.(iii)SupposethatAlicewantstouseBohen-BoyenIBEtoencryptamessage23toBob.SupposethatEistheellipticcurveE:y=x+1,andG1bethesubgroupoforder11ofE(�131)withgeneratorP=(98,58).LetGTbeasubgroupof�131*2generatedbyˆe(P,P)=28+93i,2where�1312isrepresentedby�131[i]wherei=−1≡130(mod131).Letˆe:G1×G1→GTbethereducedmodifiedTatepairing,wheree:G1×G1→GTistheTatepairing,and1560ˆe(P,Q)≡e(P,�(Q))where�isthedistortionmapgivenby�(x,y)=(�x,y)where�=65+112i.Let�=3,�=4,and�=5bethemastersecret,givingtheadditionalparametersP1=�P=(113,8),P2=�P=(33,31)andP3=�P=(34,23),sothatv=ˆe(P1,P2)=ˆe(�P,�P)=28+93i.SupposethatqID=H1(IDBob)=6.ForBob’sprivatekey,supposethatthePKGpickstherandomr=8andthencalculatesD0=qID�rP1+�P2+rP3=(98,58)+(98,58)+(33,100)=(128,74)andD1=rP=8P=(113,123)SupposethatAlicewantstoencrypttheshortmessageMtoBobusingthisIBEsystem.Todothisshepicksarandoms,says=7.ShethencalculatesC0=sP=7P=(33,100)andC1=qID�sP1+sP3=(34,23)+(128,57)=(33,100)s7Shethencalculatesk=v=v=49+73i.ThenAlicecalculatesk=H2(49+73i)whichshethenXORswiththeplaintextMtogettheciphertextcomponentc=M⊕H2(k). Boneh-BoyenIBE167AlicethensendsciphertextC=(c,C0,C1)=(M⊕H2(k),(33,100),(33,100))toBob.BobreceivestheciphertextC=(c,C0,C1)=(M⊕H2(k),(33,100),(33,100))andcalculatesˆe(C0,D0)=85+51iandˆe(C1,D1)=28+93iandthencalculatestheratioofthetwopairings85+51ik==49+73i28+93iHethencalculatesk=H2(49+73i)whichhethenusestorecovertheplaintextbycalculatingc⊕k=(M⊕H2(k))⊕H2(k)=MThevaluesusedinthisexamplearesummarizedinTable9.4.(iv)LetE/�qbeanordinaryellipticcurvewithE′/�qatwistoforderdofE/�q.Wecanthenuseapairingˆe:G1×G2→GTwherewe(qk−1)/phave�d:E′→Eandˆe(P,Q)=ˆe(P,�d(Q))toimplementtheBoneh-Boyenscheme.WecanthenmakeG1asubgroupofE(�q),G2asubgroupofE′(�qk/d),andGTasubgroupof�q*k.Inthiscase,wewillneedfouradditionalparameters,pointsQ,Q1,Q2,Table9.4SummaryofParametersUsedinExample9.1(iii)ParametersTypeValueCommentsE/�Ellipticcurvey2=x3+1131PPointonellipticcurve(98,58)Pointoforder11P1Pointonellipticcurve(113,8)P2Pointonellipticcurve(33,31)P3Pointonellipticcurve(34,23)vElementof�*131228+93iv=eˆ(P1,P2)qIDInteger6(D0,D1)Pointsonellipticcurve((128,74),(113,123))Bob’sprivatekey 168IntroductiontoIdentity-BasedEncryptionandQ3,allelementsofE′(�qk/d),andwewillneedtocalculateD0asD0=qID�rQ1+�Q2+rQ3andD1asD1=rQ.Notethatweneedtohaveelementsof�qk/dG2because�d:E′→EmustmappointsonE′topointssuitableforuseinthepairing,sothattheymustendinasubgroupofE(�qk).Themapping�d:E′→Eincreasesthedimensionofthecoordinatesofitsoutputbyafactorofd,sotoendupinE(�qk)weneedtostartinE(�qk/d).9.2Boneh-BoyenIBE(BasicScheme—MultiplicativeNotation)TheBoneh-Boyenbasicschemeusesasharedsecretthatcanbecalculatedbyboththesenderandreceiverofamessagetoencryptaplaintextmessage;thesenderofthemessagecalculatesthesharedsecretfrompublicparametersandtherecipient’sidentity,whiletherecipientcalculatesthesharedsecretfromtheirprivatekeyandtheciphertext.WhileitiseasiertounderstandthanthefullBoneh-BoyenIBEscheme,italsoisnotassecure.ThefullysecureandmorecomplicatedschemeisdescribedinSection9.4.ThefollowingdescriptionoftheBoneh-Boyenschemeusesthemultiplica-tivenotationthatiscommonlyusedintheliteratureofpairing-basedcryptogra-phy.Sothatifg1andg2areelementsofanellipticcurvegroupE(�q)thenwewillwriteg1g2toindicatethegroupoperationofE(�q)appliedtotheagroup’selementsg1andg2andg,toindicatemultiplyingthepointg1bytheintegera.9.2.1SetupofParameters(BasicScheme—MultiplicativeNotation)ToimplementBoneh-BoyenIBEwefirstneedasecurityparameterthatdefinesthelevelofbitstrengththattheencryptionwillprovide.ThenweneedtodefinegroupsG1andGTandapairingˆe:G1×G1→GTTodothiswepickanellipticcurveE/�qwithembeddingdegreek,andaprimepsuchthatp|#E(�q).ThesecurityparameterwilldefinethesizeofthegroupsG1andGTasdescribedinSection9.5.WethenrandomlypickapointP∈E(�q)[p]andletG1=〈P〉andGT=〈ˆe(P,P)〉,whicharecyclicgroupsoforderp.WeneedacryptographichashfunctionH1:{0,1}*→�ptomapstringsrepresentingidentitiestointe-gers.ToencryptamessageofnbitsusingBoneh-BoyenIBEwealsoneednanothercryptographichashfunctionH2:GT→{0,1}thathasheselementsofGTintoaformthatwecancombinewiththeplaintextmessage,whichisabitstringoflengthn.Threeintegers�,�,�∈�parethemastersecretandareusedtocalculatethethreeadditionalpublicparameters�P,�P,and�P. Boneh-BoyenIBE169Thereisanadditionalconstantv=ˆe(g�,g�)=ˆe(g,g)��which1,g2)=ˆe(gisneededbytheBoneh-Boyenscheme.ThisconstantcaneitherbedistributedtousersaspartofthepublicparametersorcanbeprecomputedbyusersbeforetheyperformaBoneh-Boyenencryption.Wewillassumethatthisconstantvispartofthepublicparameters.Wewillassumethatthisconstantvispartofthepublicparameters,inwhichtheparameterg2doesnotneedtobelistedinthepublicparametersbecauseitsonlyuseoutsideaPKGisincalculatingv.TheseelementsformthepublicparametersandmastersecretasshowninTable9.5andTable9.6.TherearedependenciesamongtheelementsofTable9.5.Thevaluesofp,q,andE,forexample,areimplicitinthedefinitionofthegroupG1.Becauseofthisitispossibletoreducethenumberofrequiredpublicparameterstoamuchshorterlist,andwecandefinethepublicparametersofaBoneh-BoyenTable9.5ParametersofBoneh-BoyenIBESystem(BasicScheme—AdditiveNotation)ElementTypeCommentsqPrimepowerOrderoffinitefield�qE/�qEllipticcurveE(�q)hasembeddingdegreekpPrimep|#E(�q)G1CyclicgroupSubgroupofE(�q),G1=〈g〉GTCyclicgroupSubgroupof�q*k,GT=〈eˆ(g,g)〉eˆPairingeˆ:G1×G1→GTnPositiveintegerLengthofplaintext(inbits)gPointonellipticcurveg∈G1gPointonellipticcurveg=g�11gPointonellipticcurveg=g�22gPointonellipticcurveg=g�33H1CryptographichashfunctionH1:{0,1}*→�pH2CryptographichashfunctionH:G→{0,1}n2T��vElementof�q*kv=eˆ(P1,P2)=eˆ(�P,�P)=eˆ(P,P)Table9.6MasterSecretforBoneh-BoyenIBESystem(BasicScheme—MultiplicativeNotation)ElementTypeComments�,�,�Integers�,�,�∈�p 170IntroductiontoIdentity-BasedEncryptionIBEsystem(basicscheme—multiplicativenotation)tobeBB1BasicParamsMultiplicative=(G1,GT,ˆe,n,g,g1,g3,H1,H2,v)withoutintroducinganyambiguity.9.2.2ExtractionofthePrivateKey(BasicScheme—MultiplicativeNotation)OncethepublicparameterslistedinTable9.5andthemastersecretlistedinTable9.6aredetermined,theprivatekeyassociatedwiththeidentityIDiscalculatedbymappingtheidentitytoanintegerqID∈�pbycalculatingqID=H1(ID).Arandomper-uservaluer∈�pisthengenerated,whichisthenusedtocalculatethetwocomponentsoftheprivatekey�gqID�r�rr�=(ddID=1g2g3,g0,d1).ThisissummarizedinTable9.7.9.2.3EncryptingwithBoneh-BoyenIBE(BasicScheme—MultiplicativeNotation)nToencryptthemessageM∈{0,1}totherecipientwithidentityID,thesenderperformsthefollowingsteps.1.CalculateqID=H1(ID).2.Pickrandoms∈�p.s3.Calculatek=v.4.Calculatec=M⊕H2(k).s5.Calculatec0=g.qID�ss6.Calculatec1=g1g3.7.SetciphertexttoC=(c,c0,c1).9.2.4DecryptingwithBoneh-BoyenIBE(BasicScheme—MultiplicativeNotation)WhentherecipientreceivestheciphertextC=(c,c0,c1)heperformsthefollowingsteps.Table9.7PrivateKeyforBoneh-BoyenIBESystem(BasicScheme—MultiplicativeNotation)ElementCommentsq�r�rrPrivatekeycorrespondingtoidentityID,dID=(g1IDg2g3,g)=(d0,d1)qID=H1(ID) Boneh-BoyenIBE171ˆe(c0,d0)1.Calculatek=.ˆe(c1,d1)2.CalculateM=c⊕H2(k).NotethatsqID�r�rˆe(c0,d0)=ˆe(g,g1g2g3)sqID�rs�sr=ˆe(g,g1)ˆe(g,g2)ˆe(g,g3)sqID�rs��s�r=ˆe(g,g1)ˆe(g,g)ˆe(g,g)=ˆe(g,g)�qID�rsˆe(g,g)��sˆe(g,g)�rsandqID�rsrˆe(c1,d1)=ˆe(g1g3,g)=ˆe(g�qID�sg�s,gr)=ˆe(g�qID�s,gr)ˆe(g�s,gr)=ˆe(g,g)�qID�rsˆe(g,g)�rssothatˆe(cˆe(g,g)�qID�rsˆe(g,g)��sˆe(g,g)�rs0,d0)=ˆe(c1,d1)ˆe(g,g)�qID�rsˆe(g,g)�rs��ss=ˆe(g,g)=vsothatstep3ofSection9.2.3andstep1ofSection9.2.4calculatethesamesvalueofv,whichallowstherecipienttodecrypttheciphertextcorrectly.9.3Boneh-BoyenIBE(FullScheme)ThebasicBoneh-Boyenschemeisvulnerabletoachosen-ciphertextattack:ifanadversarywantstodecrypttheciphertext(c,c0,c1)whichcorrespondstotheplaintextmessageMhecandothisbydecryptingtheciphertext(c+�,c0,c1)togettheplaintextmessageM⊕�andthenrecoverMasM=(M⊕�)⊕�.TheFujisaki-Okamototransformcaneasilyeliminatethisvulnerability. 172IntroductiontoIdentity-BasedEncryptionTheoriginalspecificationoftheBoneh-BoyenschemedefinedahashingschemetailoredtotheschemethataccomplishesthesamegoalastheFujisaki-Okamototransform.ThistailoredschemeisusedinthedescriptionofthefullschemethatisdescribedinSection9.4.ThefullBoneh-BoyenschemeistypicallydescribedusingthemultiplicativenotationthatwasusedinSection9.2,aconventionthatwefollowhere.Thefullschemeisresistanttochosen-ciphertextattacksandadaptivechosenidentityattacks.9.3.1SetupofParameters(FullScheme)InadditiontotheparameterslistedinTable9.5,wealsoneedanadditionalhashfunctiontoaddchosen-ciphertextsecurity.Inparticular,weneedahashnfunctionH3:GT×{0,1}×G1×G1→�p.AddingthishashfunctionbringsthelistofpublicparametersforthefullschemetothepublicparametersthatarelistedinTable9.8.Themastersecretisunchangedfromthebasicscheme,andisshowninTable9.9.TherearedependenciesamongtheelementsofTable9.8.Thevaluesofp,q,andE,forexample,areimplicitinthedefinitionofthegroupG1.Becauseofthisitispossibletoreducethenumberofrequiredpublicparameterstoamuchshorterlist,andwecandefinethepublicparametersofaBoneh-BoyenIBEsystemtobeBB1params=(G1,GT,ˆe,n,g,g1,g3,H1,H2,H3,v)withoutintroducinganyambiguity.Table9.8ParametersofBoneh-BoyenIBESystem(FullScheme)ElementTypeCommentsqPrimepowerOrderoffinitefield�qE/�qEllipticcurveE(�q)hasembeddingdegreekpPrimep|#E(�q)G1CyclicgroupSubgroupofE(�q),G1=〈P〉GTCyclicgroupSubgroupof�q*k,GT=〈eˆ(P,P)〉eˆPairingeˆ:G1×G1→GTnPositiveintegerLengthofplaintext(inbits)gPointonellipticcurveg∈G1gPointonellipticcurveg=g�11gPointonellipticcurveg=g�22gPointonellipticcurveg=g�33H1CryptographichashfunctionH1:{0,1}*→�pH2CryptographichashfunctionH:G→{0,1}n2TH3CryptographichashfunctionH:G×{0,1}n×G×G→�3T11p��vElementof�q*kv=eˆ(P1,P2)=eˆ(�P,�P)=eˆ(P,P) Boneh-BoyenIBE173Table9.9MasterSecretforBoneh-BoyenIBESystem(FullScheme)ElementTypeComments�,�,�Integers�,�,�∈�p9.3.2ExtractionofthePrivateKey(FullScheme)Theextractionoftheprivatekeyforthefullschemeisidenticaltotheextractionoftheprivatekeyinthebasicscheme(Section9.2.2).ThisissummarizedinTable9.10.9.3.3EncryptingwithBoneh-BoyenIBE(FullScheme)ToencryptthemessageMtotherecipientwithidentityID,thesenderperformsthefollowingsteps:1.CalculateqID=H1(ID).2.Pickrandoms∈�p.s3.Calculatek=v.4.Calculatec=M⊕H2(k).s5.Calculatec0=g.qID�ss6.Calculatec1=g1g3.7.Calculatet=s+H3(k,c,c0,c1)8.SetciphertexttoC=(c,c0,c1,t).9.3.4DecryptingwithBoneh-BoyenIBE(FullScheme)TodecrypttheciphertextC=(c,c0,c1,t),therecipientperformsthefollowingsteps:Table9.10PrivateKeyforBoneh-BoyenIBESystemElementCommentsq�r�rrPrivatekeycorrespondingtoidentityID,dID=(g1IDg2g3,g)=(d0,d1)qID=H1(ID) 174IntroductiontoIdentity-BasedEncryptionˆe(c0,d)1.Calculatek=.ˆe(c1,d1)2.Calculates=t−H3(k,c,c0,c1)ss3.Verifythatk=vandc0=g.Ifeitherconditionfails,raiseanerrorconditionandexit.4.CalculateM=c⊕H2(k).9.4SecurityoftheBoneh-BoyenIBESchemeAnadversaryobservingamessagethatisencryptedwiththeBoneh-Boyenschemehasaccesstog,g�,g�,andv=ˆe(g,g)��fromthepublic1=g3=gparametersofthesystem.HealsoobservesgsandgqID�ss�qID�rs+�s=1g3=ggs(�qID+�)fromtheciphertext.Fromthesevalueshewantstorecovers��sv=ˆe(g,g).Hecanaccomplishthisinatleasttwoways.First,hecansscalculatesfromgbycalculatingadiscretelogarithmginG1,andthenscalculatingvwiththisresult.Hecanalsocalculate�asthediscretelogarithm��s�s���sofv=(ˆe(g,g))inGTandthencalculatev=(ˆe(g,g))=ˆe(g,g)withthisvalue.So,anadversarywhocancalculatediscretelogarithmsineitherG1orGTcandecryptmessagesthatareencryptedwiththeBoneh-Boyenscheme.ThisisveryclosetosolvingtheBDHP,andBonehandBoyenhave[1]proventwoseparatecasesofthis,dependingonwhethertherandomoracleorthestandardmodelisusedintheproof.Inparticular,theyshowedusingthestandardmodelthatanadversaryabletoefficientlydecryptamessagethathasbeenencryptedwithBoneh-BoyenIBEcanusetheirdecryptionalgorithmtosolvetheDBDHP,soifwebelievethattheDBDHPissufficientlydifficulttosolvethenBoneh-BoyenIBEmustalsobesufficientlydifficulttodecrypt.TheyalsoshowedusingtherandomoraclemodelthatanadversaryabletoefficientlydecryptamessagethathasbeenencryptedwithBoneh-BoyenIBEcanusetheirdecryptionalgorithmtosolvetheBDHP.SoifwearewillingtoacceptthestrongerassumptionoftheDBDHPthenaproofispossibleusingthestandardmodel,butiftheweakerBDHPassumptionisadequatethenaproofispossibleusingtherandomoraclemodel.ThebasicBoneh-Boyenschemeisresistanttochosen-plaintextattacksandadaptivechosen-identityattacks;thefullBoneh-Boyenisresistanttochosen-ciphertextattacksandadaptivechosenidentityattacks.NotethatintheextractionofaBoneh-Boyenprivatekeyarandomvalueisused.Duetothewayinwhichthetwocomponentsofsuchaprivatekeyareusedindecryption,aprivatekeygeneratedwithanyotherrandomvaluewillalsoworkinthesamedecryptionoperation.ThisallowskeyrecoverytobeperformedinaBoneh-Boyensystemeventhougharandomcomponentis Boneh-BoyenIBE175usedineachprivatekey.Thesecurityprovidedbythesystem,however,requiresthatthesamerandomvalueisnotreusedtocreateprivatekeysfordifferentusers.9.5SummaryThefollowingsummarizesthestepsintheBoneh-BoyenIBEscheme(fullscheme).Algorithm9.1:Boneh-BoyenIBESetupINPUT:asecurityparameter,anellipticcurveE,aplaintextlengthnOUTPUT:BB1params=(G1,GT,ˆe,n,g,g1,g3,H1,H2,H3,v)andmastersecret(�,�,�)1.Selectaprimepandprimepowerqwithp|#E(�q)andsuchthatthebitsecuritylevelprovidedbypandqmeetstherequiredsecurityparameter(usingTable9.10,forexample).Forbestperformance,pshouldbeaSolinasprime.2.Selectarandomg∈E(�q)[p]andletG1=〈g〉.3.LetkbetheembeddingdegreeofE/�q;selectapairingˆe:G1×G1→�q*k.4.LetGT=〈ˆe(g,g)〉.5.Selectrandom�,�,�∈��,g�,g�.pandcalculateg6.SelectappropriatecryptographichashfunctionsH1:{0,1}*→G1,nnH2:GT→{0,1},andH3:GT×{0,1}×G1×G1→�p.7.Themastersecretis(�,�,�).8.ThepublicparametersareBB1params=(G1,GT,ˆe,n,g,g1,g3,H1,H2,H3,v).Algorithm9.2:Boneh-BoyenIBEPrivateKeyExtractionINPUT:AstringIDrepresentinganidentityandasetofpublicparametersBB1params=(G1,GT,ˆe,n,g,g1,g3,H1,H2,H3,v)OUTPUT:TheprivatekeydID=(d0,d1)1.CalculateqID=sH1(ID).2.Selectarandomr∈�p.qID�r�r3.Calculated0=g1g2g3.r4.Calculated1=g.5.SettheprivatekeytodID=(d0,d1). 176IntroductiontoIdentity-BasedEncryptionAlgorithm9.3:Boneh-BoyenIBEEncryptionINPUT:AplaintextmessageMoflengthnbits,astringIDrepresentingtheidentityoftherecipientoftheciphertext,asetofpublicparametersBB1params=(G1,GT,ˆe,n,g,g1,g3,H1,H2,H3,v)OUTPUT:AciphertextC=(c,c0,c1)1.CalculateqID=H1(ID).2.Pickrandoms∈�p.3.Calculatek=H2(k).4.Calculatec=M⊕H2(k).s5.Calculatec0=g.qID�ss6.Calculatec1=g1g3.7.Calculatet=s+H3(k,c,c0,c1).8.SetciphertexttoC=(c,c0,c1,t).Algorithm9.4:Boneh-BoyenIBEDecryptionINPUT:AciphertextC=(c,c0,c1,t),asetofpublicparametersBB1params=(G1,GT,ˆe,n,g,g1,g3,H1,H2,H3,v),aprivatekeydID=(d0,d1)OUTPUT:AplaintextmessageMoranerrorconditionˆe(c0,d0)1.Calculatek=.ˆe(c1,d1)2.Calculates=t−H3(k,c,c0,c1).ss3.Verifythatk=vandc0=g.Ifeitherconditionfails,raiseanerrorconditionandexit.4.CalculateM=c⊕H2(k).5.SetplaintexttoM.Reference[1]Boneh,D.,andX.Boyen,‘‘EfficientSelective-IDSecureIdentityBasedEncryptionWith-outRandomOracles,’’ProceedingsofEUROCRYPT2004,Interlaken,Switzerland,May2–6,2004,pp.223–238. 10Sakai-KasaharaIBEThischapterdiscussesSakai-KasaharaIBE[1],anexampleofthefamilyof1/a‘‘exponentinversion’’schemes,inwhichaprivatekeyoftheformgisusedtodecryptaciphertext.Intheseschemes,astringrepresentinganidentityishashedtoanintegerthatisthenusedintheencryptionanddecryptionopera-tions.Thisavoidsamodularexponentiation,whichgenerallymakessuchschemesfasterthenfull-domainhashschemes,liketheBoneh-FranklinalgorithmofChapter8,whichrequirehashinganidentitytoapointonanellipticcurve.ThenameoftheSakai-Kasaharaschemeisduetothewayinwhichcalculatingkeysisdone,whichismotivatedbytheworkofSakaiandKasahara,althoughthealgorithmsthatcompriseSakai-KasaharaIBEschemearequitedifferentfromthoseoriginallydescribedbySakaiandKasahara.TwowaystodescribethebasicSakai-Kasaharaschemearegiveninthefollowingsections.AsimplifiedversionofthealgorithmisdescribedinSection10.1usingtheadditivenotationthatiscommonlyusedforoperationsinellipticcurvegroupsandisusedinmanycryptographicstandards,andinSection10.2itisdescribedusingthemultiplicativenotationthatiscommonlyusedinmorerecentliteratureonpairing-basedcryptography.Thebasicschemeisvulnerabletoachosen-ciphertextattack.AfullysecureversionofthealgorithmisdescribedinSection10.3.10.1Sakai-KasaharaIBE(BasicScheme—AdditiveNotation)TheSakai-Kasaharabasicschemeusesasharedsecretthatcanbecalculatedbyboththesenderandreceiverofamessagetoencryptaplaintextmessage;the177 178IntroductiontoIdentity-BasedEncryptionsenderofthemessagecalculatesthesharedsecretfrompublicparametersandtherecipient’sidentity,whiletherecipientcalculatesthesharedsecretfromtheirprivatekeyandtheciphertext.WhileitiseasiertounderstandthanthefullSakai-KasaharaIBEscheme,italsoisnotassecure.ThefullysecureandmorecomplicatedschemeisdescribedinSection10.3.ThefollowingdescriptionoftheSakai-Kasaharaschemeusesadditivenotation,sothatifP1andP2areelementsofanellipticcurvegroupE(�q)thenwewillwriteP1+P2toindicatethegroupoperationofE(�q)appliedtothegroup’selementsP1andP2,andaPtoindicatemultiplyingthepointPbytheintegera.10.1.1SetupofParameters(BasicScheme—AdditiveNotation)ToimplementSakai-KasaharaIBEwefirstneedasecurityparameterthatdefinesthelevelofbitstrengththattheencryptionwillprovide.ThenweneedtodefinegroupsG1andGTandapairingˆe:G1×G1→GT.TodothiswepickanellipticcurveE/�qwithembeddingdegreek,andaprimepsuchthatp|#E(�q).ThesecurityparameterwilldefinethesizeofthegroupsG1andGTasdescribedinSection5.4.WethenrandomlypickapointP∈E(�q)[p]andletG1=〈P〉andGT=〈ˆe(P,P)〉,whicharecyclicgroupsoforderp.WeneedacryptographichashfunctionH1:{0,1}*→�ptomapstringsrepresentingidentitiestointe-gers.ToencryptamessageofnbitsusingSakai-KasaharaIBEwealsoneednanothercryptographichashfunctionH2:GT→{0,1}thathasheselementsofGTintoaformthatwecancombinewiththeplaintextmessage,whichisabitstringoflengthn.Anintegers∈�pisthemastersecret.TheseelementsformthepublicparametersandmastersecretasshowninTable10.1andTable10.2.TherearedependenciesamongtheelementsofTable10.1.Thevaluesofp,q,andE,forexample,areimplicitinthedefinitionofthegroupG1.Becauseofthisitispossibletoreducethenumberofrequiredpublicparameterstoamuchshorterlist,andwecandefinethepublicparametersofaSakai-KasaharaIBEscheme(basicscheme)tobeBB1BasicParamsAdditive=(G1,GT,ˆe,n,P,sP,H1,H2,v)withoutintroducinganyambiguity.10.1.2ExtractionofthePrivateKey(BasicScheme—AdditiveNotation)OncethepublicparameterslistedinTable10.1andthemastersecretlistedinTable10.2aredetermined,theprivatekeyassociatedwiththeidentityIDiscalculatedbymappingtheidentitytoanintegerqID∈�pbycalculatingqID=H1(ID).Themastersecretsisthenusedtocalculatetheprivatekey Sakai-KasaharaIBE179Table10.1ParametersofSakai-KasaharaIBEScheme(BasicScheme—AdditiveNotation)ElementTypeCommentsqPrimepowerOrderoffinitefield�qE/�qEllipticcurveE(�q)hasembeddingdegreekpPrimep|#E(�q)G1CyclicgroupSubgroupofE(�q),G1=〈P〉GTCyclicgroupSubgroupof�q*k,GT=〈eˆ(P,P)〉eˆPairingeˆ:G1×G1→GTnPositiveintegerLengthofplaintext(inbits)PPointonellipticcurveP∈G1sPPointonellipticcurvesP∈G1H1CryptographichashfunctionH1:{0,1}*→�pH2CryptographichashfunctionH:G→{0,1}n2TvElementof�*kv=eˆ(P,P)qTable10.2MasterSecretforSakai-KasaharaIBEScheme(BasicScheme—AdditiveNotation)ElementTypeCommentssIntegers∈�p1DID=Ps+qID1wherethevalueofiscalculatedin�*p.ThisissummarizedinTables+qID10.3.Table10.3PrivateKeyforSakai-KasaharaIBEScheme(BasicScheme—AdditiveNotation)ElementComments1PrivatekeycorrespondingtoidentityID,qID=H1(ID)DID=Ps+qID 180IntroductiontoIdentity-BasedEncryption10.1.3EncryptingwithSakai-KasaharaIBE(BasicScheme—AdditiveNotation)nToencryptthemessageM∈{0,1}totherecipientwithidentityID,thesenderperformsthefollowingsteps.1.CalculateqID=H1(ID).2.Selectarandomr∈�p.3.CalculateU=r(sP+qIDP)=r(s+qID)P.r4.Calculatek=H2(v).5.CalculateV=M⊕k.6.SettheciphertexttoC=(U,V).10.1.4DecryptingwithSakai-KasaharaIBE(BasicScheme—AdditiveNotation)WhentherecipientreceivestheciphertextC=(U,V)heperformsthefollowingsteps.1.CalculateK=H2(ˆe(U,DID))2.CalculateM=V⊕kNotethat1rˆe(U,DID)=ˆe�r(s+qID)P,s+qP�=ˆe(g,g)IDsothatstep5ofSection10.1.3andstep1ofSection10.1.4calculatethesamevalueofk,whichallowstherecipienttodecrypttheciphertextcorrectly.Example10.1(i)ThehashfunctionsH1andH2canbeconstructedsimilarlytothosedescribedinExamples9.1(i)and9.1(ii).(ii)SupposethatAlicewantstouseSakai-KasaharaIBEtoencrypta2messagetoBob.SupposethatEistheellipticcurveE/�131:y=3x+1,andG1bethesubgroupoforder11ofE(�131)withgeneratorP=(98,58).LetGTbeasubgroupof�131*2generatedbyv=ˆe(P,P)=28+93i,where�1312isrepresentedby�131[i]where2i=−1≡130(mod131).(SeeTable10.4).Letˆe:G1×G1→GTbethereducedmodifiedTatepairing,wheree:G1×G1→GTistheTatepairing,and Sakai-KasaharaIBE181Table10.4SummaryofParametersUsedinExample10.1(ii)ParametersTypeValueCommentsE/�Ellipticcurvey2=x3+1131PPointonellipticcurve(98,58)Pointoforder11sPPointonellipticcurve(33,100)Pointoforder11vElementof�*131228+93iv=eˆ(P,P)qIDInteger6sInteger7DIDPointonellipticcurve(34,108)Bob’sprivatekey1560ˆe(P,Q)=e(P,�(Q))where�isthedistortionmapgivenby�(x,y)=(�x,y)where�=65+112i.Lets=7bethemastersecret,givingtheadditionalparameterssP=(33,100).SupposethatforBob’sidentitywehavethatqID=6.TocalculateBob’sprivatekey,thePKGcalculates111DID=P=P≡P(mod11)s+qID132=2−1(mod11)P=6P=(34,108)SupposethatAlicewantstoencrypttheshortmessageMtoBobusingthisIBEscheme.Todothisshepicksarandomr,sayr=5.ShefirstcalculatesU=r(sP+qIDP)=5((33,100)+6(34,108))=(98,73)55andv=(28+93i)=39+24i,sothatAlicefindsthatk=H2(39+24i)whichshethenusestocalculatetheciphertextcompo-nentV=M⊕k=M⊕H2(39+24i)Alicethensendstheciphertext(U,V)toBob.BobreceivestheciphertextC=(U,V)andcalculatesˆe(U,DID)=ˆe((98,73),(34,108))=39+24i 182IntroductiontoIdentity-BasedEncryptionfromwhichhecalculatesk=H2(39+24i)whichhethenXORswiththeciphertextcomponentVtorecovertheplaintextmessage,findingthatV⊕k=(M⊕k)⊕k=M(iii)Ifwewanttouseapairingˆe:G1×G2→GTthenwewillneedtoaddanadditionalparameterQwhereG2=〈Q〉andthencalculate1DIDasDID=Qandvasv=ˆe(P,Q).s+qID10.2Sakai-KasaharaIBE(BasicScheme—MultiplicativeNotation)TheSakai-Kasaharabasicschemeusesasharedsecretthatcanbecalculatedbyboththesenderandreceiverofamessagetoencryptaplaintextmessage;thesenderofthemessagecalculatesthesharedsecretfrompublicparametersandtherecipient’sidentity,whiletherecipientcalculatesthesharedsecretfromtheirprivatekeyandtheciphertext.WhileitiseasiertounderstandthanthefullSakai-KasaharaIBEscheme,italsoisnotassecure.ThefullysecureandmorecomplicatedschemeisdescribedinSection10.3.ThefollowingdescriptionoftheSakai-Kasaharaalgorithmusesthemulti-plicativenotationthatiscommonlyusedintheliteratureofpairing-basedcryptography.Sothatifg1andg2areelementsofanellipticcurvegroupE(�q)thenwewillwriteg1g2toindicatethegroupoperationofE(�q)appliedtoathegroup’selementsg1andg2,andgtoindicatemultiplyingthepointgbytheintegera.10.2.1SetupofParameters(BasicScheme—MultiplicativeNotation)ToimplementSakai-KasaharaIBEwefirstneedasecurityparameterthatdefinesthelevelofbitstrengththattheencryptionwillprovide.ThenweneedtodefinegroupsG1andGTandapairingˆe:G1×G1→GT.TodothiswepickanellipticcurveE/�qwithembeddingdegreek,andaprimepsuchthatp|#E(�q).ThesecurityparameterwilldefinethesizeofthegroupsG1andGTasdescribedinSection5.4.Wethenrandomlypickapointg∈E(�q)[p]andletG1=〈g〉andGT=〈ˆe(g,g)〉,whicharecyclicgroupsoforderp.WeneedacryptographichashfunctionH1:{0,1}*→�ptomapstringsrepresentingidentitiestointe-gers.ToencryptamessageofnbitsusingSakai-KasaharaIBEwealsoneed Sakai-KasaharaIBE183nanothercryptographichashfunctionH2:GT→{0,1}thathasheselementsofGTintoaformthatwecancombinewiththeplaintextmessage,whichisabitstringoflengthn.Anintegers∈�pisthemastersecret.TheseelementsformthepublicparametersandmastersecretasshowninTable10.5andTable10.6.TherearedependenciesamongtheelementsofTable10.1.Thevaluesofp,q,andE,forexample,areimplicitinthedefinitionofthegroupG1.Becauseofthisitispossibletoreducethenumberofrequiredpublicparameterstoamuchshorterlist,andwecandefinethepublicparametersofaSakai-KasaharaIBEscheme(basicscheme)tobeSKBasicParamsMultiplicative=s(G1,GT,ˆe,n,g,g,H1,H2,v)withoutintroducinganyambiguity.10.2.2ExtractionofthePrivateKey(BasicScheme—MultiplicativeNotation)OncethepublicparameterslistedinTable10.1andthemastersecretlistedinTable10.2aredetermined,theprivatekeyassociatedwiththeidentityIDisTable10.5ParametersofSakai-KasaharaIBEScheme(BasicScheme—MultiplicativeNotation)ElementTypeCommentsqPrimepowerOrderoffinitefield�qE/�qEllipticcurveE(�q)hasembeddingdegreekpPrimep|#E(�q)G1CyclicgroupSubgroupofE(�q),G1=〈g〉GTCyclicgroupSubgroupof�q*k,GT=〈eˆ(g,g)〉eˆPairingeˆ:G1×G1→GTnPositiveintegerLengthofplaintext(inbits)gPointonellipticcurveg∈G1gsPointonellipticcurvegs∈G1H1CryptographichashfunctionH1:{0,1}*→�pH2CryptographichashfunctionH:G→{0,1}n2TvElementof�*kv=eˆ(g,g)qTable10.6MasterSecretforSakai-KasaharaIBEScheme(BasicScheme—MultiplicativeNotation)ElementTypeCommentssIntegers∈�p 184IntroductiontoIdentity-BasedEncryptioncalculatedbymappingtheidentitytoanintegerqID∈�pbycalculatingqID=H1(ID).Themastersecretsisthenusedtocalculatetheprivatekeyd1/(s+qID)ID=gThisissummarizedinTable10.7.10.2.3EncryptingwithSakai-KasaharaIBE(BasicScheme—MultiplicativeNotation)nToencryptthemessageM∈{0,1}totherecipientwithidentityID,thesenderperformsthefollowingsteps.1.CalculateqID=H1(ID).2.Selectarandomr∈�p.3.CalculateU=(gsgqID)r=gr(s+qID).r4.CalculateK=H2(v).5.CalculateV=M⊕K.6.SettheciphertexttoC=(U,V).10.2.4DecryptingwithSakai-KasaharaIBE(BasicScheme—MultiplicativeNotation)WhentherecipientreceivestheciphertextC=(U,V),heperformsthefollowingstep.1.CalculateK=H(ˆe(U,dID)).2.CalculateM=V⊕K.Notethatˆe(U,dr(s+qID),g1/(s+qID)=ˆe(g,g)rID)=ˆe(gTable10.7PrivateKeyforSakai-KasaharaIBEScheme(BasicScheme—MultiplicativeNotation)ElementCommentsd=g1/(s+qID)PrivatekeycorrespondingtoidentityID,qID=H1(ID)ID Sakai-KasaharaIBE185sothatstep5ofSection10.2.3andstep1ofSection10.2.4calculatethesamevalueofK,whichallowstherecipienttodecrypttheciphertextcorrectly.10.3Sakai-KasaharaIBE(FullScheme)Thebasicschemeisalsovulnerabletoachosen-ciphertextattack:ifanadversarywantstodecrypttheciphertextC=(U,V)whichcorrespondstotheplaintextmessageMhecandothisbydecryptingtheciphertextC=(U,V⊕�)togettheplaintextmessageM⊕�andthenrecoverMasM=(M⊕�).TheFujisaki-Okamototransformcaneasilyeliminatethisvulnerability.AddingtheFujisaki-Okamototransformtothebasicschemegivesthefullschemethatisdescribednext.ThefullSakai-Kasaharaschemeisresistanttochosen-ciphertextattacks,andistypicallydescribedusingthemultiplicativenotationthatwasusedinSection10.2,aconventionthatwefollowhere.10.3.1SetupofParameters(FullScheme)InadditiontotheparameterslistedinTable10.1,wealsoneedadditionalhashfunctionstoaddchosen-ciphertextsecurity.Inparticular,weneedtwonnnhashfunctionsH3:{0,1}→�pandH4:{0,1}→{0,1}.AddingthesehashfunctionsbringsthelistofpublicparametersforthefullschemetothepublicparametersthatarelistedinTable10.8.Themastersecretisunchangedfromthebasicscheme,andisshowninTable10.9.TherearedependenciesamongtheelementsofTable10.8.Thevaluesofp,q,andE,forexample,areimplicitinthedefinitionofthegroupG1.Becauseofthisitispossibletoreducethenumberofrequiredpublicparameterstoamuchshorterlist,andwecandefinethepublicparametersofaSakai-sKasaharaIBEschemetobeSKParams=(G1,GT,ˆe,n,g,g,H1,H2,H3,H4,v)withoutintroducinganyambiguity.10.3.2ExtractionofthePrivateKey(FullScheme)Theextractionofaprivatekeyforthefullschemeisidenticaltotheextractionofaprivatekeyforthebasicscheme.ThisissummarizedinTable10.10.10.3.3EncryptingwithSakai-KasaharaIBE(FullScheme)ToencryptthemessageMtotherecipientwithidentityID,thesenderperformsthefollowingsteps: 186IntroductiontoIdentity-BasedEncryptionTable10.8ParametersofSakai-KasaharaIBEScheme(FullScheme)ElementTypeCommentsqPrimepowerOrderoffinitefield�qE/�qEllipticcurveE(�q)hasembeddingdegreekpPrimep|#E(�q)G1CyclicgroupSubgroupofE(�q),G1=〈g〉GTCyclicgroupSubgroupof�q*k,GT=〈eˆ(g,g)〉eˆPairingeˆ:G1×G1→GTnPositiveintegerLengthofplaintext(inbits)gPointonellipticcurveg∈G1gsPointonellipticcurvegs∈G1H1CryptographichashfunctionH1:{0,1}*→�pH2CryptographichashfunctionH:G→{0,1}n2TH3CryptographichashfunctionH:{0,1}n→�*3pH4CryptographichashfunctionH:{0,1}n→{0,1}n4vElementof�*kv=eˆ(g,g)qTable10.9MasterSecretforSakai-KasaharaIBEScheme(FullScheme)ElementTypeCommentssIntegers∈�pTable10.10PrivateKeyforSakai-KasaharaIBEScheme(FullScheme)ElementCommentsd=g1/(s+qID)PrivatekeycorrespondingtoidentityID,qID=H1(ID)ID1.CalculateqID=H1(ID).n2.Selectarandom�∈{0,1}.3.Calculater=H3(�,M).4.CalculateU=(gsgqID)r=gr(s+qID).r5.CalculateV=�⊕H2(v). Sakai-KasaharaIBE1876.CalculateV=M⊕H4(�).7.CalculateW=H4(M).8.SetciphertexttoC=(U,V,W).10.3.4DecryptingwithSakai-KasaharaIBE(FullScheme)TodecrypttheciphertextC=(U,V,W),therecipientperformsthefollowingsteps:1.CalculateqID=H1(ID).2.Calculate�=ˆe(U,dID).3.Calculate�=V⊕H2(�).4.CalculateM=W⊕H4(�).5.Calculater=H3(�,M).6.IfU≠(gqIDgs)rthenraiseanerrorconditionandexit.7.OtherwisesettheplaintexttoM.10.4SecurityoftheSakai-KasaharaIBESchemeNotethatanadversaryobservingamessagethatisencryptedwiththeSakai-KasaharaIBEhasaccesstog,g�,g�,andv=ˆe(g,g)��fromthe1=g3=gsqID�sspublicparametersofthescheme.Healsoobservesgandg1g3=g�qID�s+�s=gs(�qID+�)fromtheciphertext.Fromthesevalueshewantstos��srecoverv=ˆe(g,g).Hecanaccomplishthisinatleasttwoways.First,hesscancalculatesfromgbycalculatingadiscretelogarithmginG1,andthenscalculatingvwiththisresult.Hecanalsocalculate�asthediscretelogarithm��s�s���sofv=(ˆe(g,g))inGTandthencalculatev=(ˆe(g,g))=ˆe(g,g)withthisvalue.SoanadversarywhocancalculatediscretelogarithmsineitherG1orGTcandecryptmessagesthatareencryptedwiththeSakai-Kasaharaalgo-rithm.Theqpowersthatareassumedintheq-BDHIParenotdirectlyavailabletoanadversarywhointerceptsanencryptedmessage,butarerequiredintheproofofselectiveidentitysecurity,withthevalueofqindicatinghowmanyotherprivatekeysanattackerhasaccessto.ThepaperthatdescribestheversionoftheSakai-KasaharaIBEalgorithmdiscussedinthischapter[1]provedthatanadversaryabletodecryptamessagethathasbeenencryptedwithSakai-KasaharaIBEcanusetheirdecryptionalgorithmtosolvetheq-BDHIP.So,ifwebelievethattheq-BDHIPissuffi-cientlydifficulttosolvethenSakai-KasaharaIBEmustalsobesufficientlydifficulttodecrypt.ThebasicSakai-Kasaharaschemeisresistanttochosen- 188IntroductiontoIdentity-BasedEncryptionplaintextattacksandadaptivechosen-identityattacks;thefullSakai-Kasaharaisresistanttochosen-ciphertextattacksandadaptivechosen-identityattacks.10.5SummaryThefollowingsummarizesthestepsintheSakai-KasaharaIBEalgorithm(fullscheme).Algorithm10.1:Sakai-KasaharaIBESetupINPUT:asecurityparameter,anellipticcurveE,aplaintextlengthnsOUTPUT:SKParams=(G1,GT,ˆe,n,g,g,H1,H2,H3,H4,v)andmastersecrets1.Selectaprimepandprimepowerqwithp|#E(�q)andsuchthatthebitsecuritylevelprovidedbypandqmeetstherequiredsecurityparameter(usingTable5.2,forexample).Forbestperformance,pshouldbeaSolinasprime.2.Selectarandomg∈E(�q)[p]andletG1=〈g〉.3.LetkbetheembeddingdegreeofE/�q;selectapairingˆe:G1×G1→�q*k.4.LetGT=〈ˆe(g,g)〉.5.Selectarandoms∈�*p.6.SelectappropriatecryptographichashfunctionsH1:{0,1}*→G1,nnnnGT→{0,1},H3:{0,1}→�*pandH4:{0,1}→{0,1}.7.Themastersecretiss.s8.ThepublicparametersareSKParams=(G1,GT,ˆe,n,g,g,H1,H2,H3,H4,v).Algorithm10.2:Sakai-KasaharaIBEPrivateKeyExtractionINPUT:AstringIDrepresentinganidentity,asetofpublicparameterssSKParams=(G1,GT,ˆe,n,g,g,H1,H2,H3,H4,v)andamastersecretsOUTPUT:AprivatekeydID1.Calculated1/(s+qID).ID=gAlgorithm10.3:Sakai-KasaharaIBEEncryptionnINPUT:AplaintextmessageM∈{0,1},astringIDrepresentingtheidentityoftherecipientoftheciphertext,asetofpublicparametersSKParams=s(G1,GT,ˆe,n,g,g,H1,H2,H3,H4,v) Sakai-KasaharaIBE189OUTPUT:AciphertextC=(U,V,W)1.CalculateqID=H1(ID).n2.Selectarandom�∈{0,1}.3.Calculater=H3(�,M).4.CalculateU=(gsgqID)r=gr(s+qID).r5.CalculateV=�⊕H2(v).6.CalculateV=M⊕H4(�).7.CalculateW=H4(M).8.SetciphertexttoC=(U,V,W).Algorithm10.4:Sakai-KasaharaIBEDecryptionINPUT:AciphertextC=(U,V,W),asetofpublicparametersSKParams=s(G1,GT,ˆe,n,g,g,H1,H2,H3,H4,v),aprivatekeydIDOUTPUT:AplaintextmessageMoranerrorcondition1.CalculateqID=H1(ID).2.Calculate�=ˆe(U,dID).3.Calculate�=V⊕H2(�).4.CalculateM=W⊕H4(�).5.Calculater=H3(�,M).6.IfU≠(gqIDgs)r,thenraiseanerrorconditionandexit.7.OtherwisesettheplaintexttoM.Reference[1]Chen,L.,etal.,‘‘AnEfficientID-KEMBasedontheSakai-KasaharaKeyConstruction,’’IEEProceedingsInformationTheory,Vol.153,No.1,2006,pp.19–26. 11HierarchicalIBEandMasterSecretSharingTheIBEschemesdiscussedinChapters7through10shareacommonproperty:theyuseasinglePKGtogenerateallprivatekeys.Thishassomeundesirablesideeffects.Inparticular,itisimpossibletocreatehierarchiesofPKGs,inwhichahigher-levelPKGcancontrolthekeysgrantedtoallPKGssubordinatetoit.ItalsocreatesasinglepointwhereanattackercansubvertthesecurityofanIBEsystembycompromisinganIBEmastersecret.HierarchicalIBE(HIBE)canaddressthefirstoftheseconcernswhilesharinganIBEmastersecretamongseveraldifferentPKGscanaddressthesecond.Thetwoconceptsareverysimilar:inbothcasesallprivatekeysarecalculatedusingthemastersecretofmorethanonePKG.TheconceptofanHIBEsystemwasfirstdescribedbyHorwitzandLynn[1].HIBEallowsforthecreationofhierarchiesofPKGsliketheoneshowninFigure11.1,inwhichtheoperationofaPKGataparticularleveldependsontheoperationofthePKGsaboveitinthehierarchy.Thisallowsorganizationstoimplementdifferentsecuritypolicies,whileallowingupperlevelsofthehierarchytoenforcetheirsecuritypolicyonallsubordinateorganizations.ItcanalsoenhancethesecurityofasystemusingIBEbecauseacompromisethataffectspartofahierarchywillnotnecessarilyaffectotherparts.Recoveringfromacompromiseisalsoeasier,becauseitisonlynecessarytorecreatetheaffectedpartsofthehierarchyinsteadoftheentiresystem.AnHIBEschemeisformallydefinedbyfivealgorithms:rootsetup,lower-levelsetup,extract,encrypt,anddecrypt.Rootsetupcreatestheparametersnecessaryforoperationofthetoplevelofthehierarchywhilelower-levelsetupcreatestheadditionalparametersnecessaryforoperationofeachoftheother191 192IntroductiontoIdentity-BasedEncryptionRootPKGLevel1PKGLevel1userLevel2PKGLevel2userFigure11.1HierarchicalIBEsystem.levelsandmaybeneededtobeexecutedonceforeachlowerlevel.Extract,encrypt,anddecrypthavethesamefunctionsthattheydoinasingle-levelIBEsystem,althoughtheiroperationataparticularlevelinahierarchymayrequireparametersthatarecreatedbylevelsabovethem.NotallHIBEsystemswillrequiredifferentalgorithmsforrootsetupandlower-levelsetup,inwhichcaseasinglesetupalgorithmwillbesufficient.InanHIBEscheme,asingleusercanhavedifferentidentitiesforeachleveloftheHIBE,sothatforanHIBEschemewithamaximumofllevels,anidentitycanhavetheformID=(ID1,ID2,...,IDl).whereeachoftheIDiarepotentiallydifferent.ThefirstHIBEschemethatwasdevisedandproventobesecurewasinventedbyGentryandSilverberg[2],andextendedtheBoneh-FranklinIBEschemetoarbitraryhierarchies.TheBoneh-BoyenIBEschemewasactuallyfirstdescribedasanHIBEsystem,andtheversionoftheBoneh-BoyenIBEschemedescribedinChapter9isactuallyacaseoflimitingtheHIBEconstructiontoasinglelevel.Morerecentwork[3]hasshownthatextensionsofexponent-inversionIBEalgorithmstoHIBEconstructionsarealsopossible.InanIBEsystemthatusesmastersecretsharing,asinglemastersecretisdistributedamongnPKGswhicheachreturnacomponentofauser’sprivate HierarchicalIBEandMasterSecretSharing193keycalledashare.Ausercanthencalculatehisprivatekeyfrominformationthathereceivesfromanytofthenpossibleshares,yetitisinfeasibletocalculatethesameprivatekeywithanyt−1shares.Mastersecretsharingalsomakesitinfeasibleforanyt−1PKGsthatmightcolludetoreconstructthemastersecret.ThisisillustratedbelowinFigure11.2.UseofmastersecretsharingmakesthecompromiseofoneormoreofthenPKGsmuchlessdamagingthanthecompromiseofalonesingle-levelPKGwouldbe.Withasingle-levelPKG,ifanattackercompromisesthesinglePKGthenhegainstheabilitytocreatearbitraryprivatekeys.Ifmastersecretsharingisused,anattackerwillneedtocompromiseanytofthenpossiblePKGsinordertogainthisability.11.1HIBEBasedonBoneh-FranklinIBESupposethatwehaveasingle-levelBoneh-FranklinIBEschemewithparametersBFBasicParams=(G1,GT,ˆe,n,P,s0P,H1,H2)asdefinedinSection8.1,andwithamastersecrets0whereweassumethat|G1|=p.Thefollowingsectionsdescribehowsuchaschemecanbeextendedtoanl-levelHIBEschemeusingthetechniquedescribedbyGentryandSilverberg(GS)[2].BecausesuchanHIBEschemewillbebasedonthebasicBoneh-Franklinscheme,itwillbevulnerabletochosen-ciphertextattacks,buttheextensionofwhatfollowstoasystemwithchosen-ciphertextsecuritycaneasilybeaccomplishedbyusingtheFujisaki-Okamototransform.ThesecurityoftheresultingHIBEsystemdependsPKG1PKG2PKGnShare1nShare2ShareAnyofsharestnPrivatekeyUserFigure11.2UseofmastersecretsharinginanIBEsystem. 194IntroductiontoIdentity-BasedEncryptiononthedifficultyoftheBDHP.AnadversarycapableofdecryptingsuchasystemcanalsosolvetheBDHP;foraproofofthis,see[2].AssumingtheBDHPishard,thebasicGSschemeisresistanttochosen-plaintextattacksandadaptivechosen-identityattacks;thefullGSisresistanttochosen-ciphertextattacksandadaptivechosen-identityattacks.NotethatthelengthoftheciphertextoftheGSHIBEschemeincreasesasthenumberoflevelsincreases.11.1.1GSHIBE(Basic)RootSetupTheparametersneededfortherootPKGarethesameasthoseneededforthesingle-levelIBEsystem:GSHIBEBasicParams=(G1,GT,ˆe,n,P,s0P,H1,H2)withacorrespondingmastersecrets0.ThesetupprocedurefortheBoneh-FranklinIBE(basicscheme)isalsotherootsetupprocedureforaGSHIBEsystem.11.1.2GSHIBE(Basic)Lower-LevelSetupEachlower-levelPKGalsohastheparametersfortherootPKG.TheonlyadditionalparameterneededforeachlowerlevelPKGisthemastersecretforitslevel.Forleveltthisparameterisstwherestisarandomlychosenelementof�p.11.1.3GSHIBE(Basic)ExtractSupposethatauserhasidentityID=(ID1,ID2,...,IDk)inanl-levelHIBEwherek≤l,andletQIDi=H1(ID1,ID2,...,IDi).ThentheprivatekeyK=(K0,K1,...Kk−1)correspondingtothissequenceofidentitieshaskcomponents.ThefirstcomponentoftheprivatekeyiscalculatedaslK0=∑si−1QIDii=1andtheremainingk−1componentsarecalculatedasKi=siPfor1≤i≤k−1.11.1.4GSHIBE(Basic)EncryptSupposethatwewanttoencryptthemessageMtotheidentityID=(ID1,ID2,...,IDk)inanl-levelHIBEwherek≤l.Letg=ˆe�s0P,QID1�.Thesenderpicksarandomrin�pandthencalculatesk+1componentsoftheciphertextC=(V,U0,U2,...Uk)whicharegivenbythefollowing: HierarchicalIBEandMasterSecretSharing195rV=M⊕H2(g)U0=rPUi=rQIDiforeach2≤i≤k11.1.5GSHIBE(Basic)DecryptWhentherecipientreceivestheciphertextC=(V,U0,U2,...Uk)herecoversthemessageMbycalculatinglˆe�rP,∑si−1QIDi�i=1ˆe(U0,K0)V⊕H2=V⊕H2l�l���ˆe(Ki−1,Ui)��ˆe�si−1P,rQIDi�i=2i=2l�ˆe�rP,si−1QIDi�i=1=V⊕H2l��ˆe�si−1P,rQIDi��i=2l�rsi−1�ˆe�P,QIDii=1=V⊕H2l��rsi−1��ˆe�P,QIDii=2�rs0r=V⊕H2ˆe�P,QIDi��=V⊕H2(g)rr=M⊕H2(g)⊕H2(g)=M11.2ExampleofaGSHIBESystemThefollowingexampleillustratestheoperationofGentryandSilverman’sHIBEsystembasedontheBoneh-FranklinIBE.SupposethatthesenderAlicewantstoencryptamessageMtoBobusinganHIBEwiththreesubordinatelevelsinwhichBob’sidentityhascomponentsID1,ID2,andID3forwhichwehave 196IntroductiontoIdentity-BasedEncryptionQID1=H1(ID1)=(128,57)QID2=H1(ID2)=(34,108)QID3=H1(ID3)=(33,100)11.2.1GSHIBE(Basic)RootSetupThesetupfortherootPKGisaccomplishedbygeneratingtheparametersGSHIBEBasicParams=(G1,GT,ˆe,n,P,s0P,H1,H2)withacorrespondingmastersecrets0.TheparametersusedinthisexamplearelistedinTable11.1.11.2.2GSHIBE(Basic)Lower-LevelSetupThesetupforeachofthesubordinatePKGlevelsisaccomplishedbygeneratingthemastersecretsforeachlevel.ThevaluesusedinthisexamplearelistedbelowinTable11.1.11.2.3GSHIBE(Basic)ExtractionofPrivateKeyBob’sprivatekeyhasthreecomponentsthatarecalculatedas3K0=∑si−1QIDii=1=s0QID1+s1QID2+s2QID3=7(128,57)+3(34,108)+4(33,100)=(113,8)+(33,100)+(128,57)=(98,58)K1=s1P=3(98,58)=(113,8)K2=s2P=4(98,58)=(34,23)Table11.1ParametersUsedinExampleofGSHIBEParameterValueCommentsl3NumberofsubordinatelevelsinHIBEs07Rootmastersecrets13Mastersecretforsubordinatelevel1s24Mastersecretforsubordinatelevel2P(98,58)G1=〈P〉,GT=〈eˆ(P,P)〉s0P(33,100) HierarchicalIBEandMasterSecretSharing19711.2.4GSHIBE(Basic)EncryptionSupposethatAlicepickstherandomvaluer=6tousetoencryptthemessageMtoBob.Shethencalculatesg=ˆe�s0P,QIDi�=ˆe((33,100),(128,57))=85+80isothatr6g=(85+80i)=49+73iAlicethancalculatesthefourcomponentsoftheciphertextasrV=M⊕H2(g)=M⊕H2(49+73i)U0=rP=6(98,58)=(34,108)U2=rQID2=6(34,108)=(113,8)U3=rQID3=6(33,100)=(128,74)11.2.5GSHIBE(Basic)DecryptionAfterreceivingtheciphertext(V,U0,U2,U3),BobrecoverstheplaintextmessageMbycalculatingˆe(U0,K0)V⊕H23��ˆe(Ki−1,Ui)�i=2ˆe(U0,K0)V⊕H2�ˆe(K�1,U2)ˆe(K2,U3)39+104iV⊕H2�(126+32i)(28+93i)�V⊕H2(49+73i)=M⊕H2(49+73i)⊕H2(49+73i)=M11.3HIBEBasedonBoneh-BoyenIBETwodifferentnotationsareoftenusedfortheBoneh-BoyenIBEalgorithm.Inmostacademicpublications,themultiplicativenotationisusuallyused,while 198IntroductiontoIdentity-BasedEncryptioninstandardsthatdefinetheimplementationofpairing-basedalgorithms,theadditivenotationthatiscommonlyusedforellipticcurveoperationsisusuallyused.Thissectionusesonlytheadditivenotation,butconvertingtothemultipli-cativenotationshouldnotbeundulydifficult.Supposethatwehaveasingle-levelBoneh-BoyenIBEschemewithparame-tersBB1BasicParamsAdditive=(G1,GT,ˆe,n,P,P1,P3,H1,H2,v)asdefinedinSection9.1andwithamastersecret�whereweassumethat|G1|=p.Thefollowingsectionsdescribehowsuchaschemecanbeextendedtoanl-levelHIBEschemeusingthetechniquedescribedbyBoneh,Boyen,andGoh(BBG)[4].BecausesuchanHIBEschemewillbebasedonthebasicBoneh-Boyenscheme,itwillbevulnerabletochosen-ciphertextattacks,buttheextensionofwhatfollowstoaschemewithchosen-ciphertextsecuritycaneasilybeaccom-plishedbyusingtheFujisaki-Okamototransform.ThesecurityoftheresultingHIBEschemedependsonthedifficultyoftheBDHP.AnadversarycapableofdecryptingsuchasystemcanalsosolvetheBDHP;foraproofofthis,see[5].AssumingtheBDHPishard,thebasicBBGschemeisresistanttochosen-plaintextattacksandadaptivechosen-identityattacks;thefullBBGisresistanttochosen-ciphertextattacksandadaptivechosen-identityattacks.TheBoneh-BoyenIBEschemethatwasdescribedinChapter9wascreatedbylimitingaHIBEconstructiontoasinglelevelofPKG.ThisHIBEconstructionalsohadthepropertythatthelengthoftheciphertextincreasedasthenumberoflevelsintheHIBEincreased.TheHIBEconstructionthatfollowsisalsobasedontheBoneh-BoyenIBEscheme,buthastheadditionalpropertythatthelengthoftheciphertextisconstant,neitherincreasingnordecreasingasthenumberoflevelsintheHIBEchanges.11.3.1BBGHIBE(Basic)SetupSupposethatwehaveasingle-levelBoneh-BoyenIBEschemewithparametersBB1BasicParamsAdditive=(G1,GT,ˆe,n,P,P1,P3,H1,H2,v)ToextendthissystemtoanHIBEschemeweneedadditionalrandomlygeneratedparametersQ1,Q2,...,QlthatareeachelementsofG1.ThisbringstheparametersfortheHIBEschemetoBBGHIBEBasicParamsAdditive=(G1,GT,ˆe,n,P,P1,P3,Q1,Q2,...,Ql,H1,H2,v) HierarchicalIBEandMasterSecretSharing19911.3.2BBGHIBE(Basic)ExtractTocalculatetheprivatekeyDID=(D1,D2)fortheidentityID=(ID1,ID2,...,IDl),therootPKGrandomlygeneratesr∈�p,calcu-latesqIDi=H1(ID1)for1≤i≤kandusesthesevaluestocalculateD1=rPandkD2=�P2+r∑qIDiQki=111.3.3BBGHIBE(Basic)EncryptionToencryptthemessageMtoBobwhereBobhastheidentityID=(ID1,ID2,...,IDk)foranyk≤l,Alicepicksarandoms∈�pandcalculatestheciphertextc=(c0,C1,C2)wheresc0=M⊕H2(v)C1=sPandkC2=s∑qIDkQki=111.3.4BBGHIBE(Basic)DecryptionTodecrypttheciphertextc=(c0,C1,C2)Bobcalculatesˆe(C1,D2)c0⊕H2�ˆe(D�1,C2)kˆe�sP,�P2+r�∑qIDiQi+P3��i=1=c0⊕H2�k�ˆe�rP,s�∑qIDiQi+P3��i=1=c�s)0⊕H2(ˆe(sP,�P2))=c0⊕H2(ˆe(P,P2)ss=c0⊕H2(ˆe(�P,P2))=c0⊕H2(v)ss=M⊕H2(v)⊕H2(v)=M 200IntroductiontoIdentity-BasedEncryption11.4ExampleofaBBGHIBESystemThefollowingexampleillustratestheoperationofanHIBEsystembasedontheBoneh-BoyenIBEusingatechniquedevelopedbyBoneh,Boyen,andGoh.SupposethatthesenderAlicewantstoencryptamessageMtoBobusingathree-levelHIBEinwhichBob’sidentityhascomponentsID1,ID2,andID3forwhichwehaveqID1=H1(ID1)=2qID2=H1(ID2)=6qID3=H1(ID3)=811.4.1BBGHIBE(Basic)SetupSupposethatwehaveasingle-levelBoneh-BoyenIBEsystemwithparametersBB1BasicParamsAdditive=(G1,GT,ˆe,n,P,P1,P3,H1,H2,v)andthatwepickadditionalpointsQ1,Q2,andQ3tocreatetheparametersfortheBBGHIBEsystemwiththeparametersshowninTable11.2.11.4.2BBGHIBE(Basic)ExtractionofPrivateKeySupposethePKGpickstherandomvaluer=5,whichitthendeterminesthetwocomponentsofBob’sprivatekey(D1,D2)thatcorrespondtotheidentityID=(ID1,ID2,D3)bycalculatingTable11.2ParametersUsedinExampleofBBGHIBEParameterValueCommentsl3NumberofsubordinatelevelsinHIBEP(98,58)G1=〈P〉,GT=〈eˆ(P,P)〉�7P1=�P(33,100)P2(113,123)P3(98,73)Q1(33,100)Q2(33,31)Q3(127,74)v=eˆ(P1,P2)28+93i HierarchicalIBEandMasterSecretSharing201D1=rP=5(98,58)=(34,23)andD2=�P2+r�qID1Q1+qID2Q2+qID3Q3+P3�=7(113,123)+5[2(128,57)+6(33,31)+8(127,74)+(98,73)]=(98,58)11.4.3BBGHIBE(Basic)EncryptionSupposethatAlicepickstherandomvaluer=5whichshethenusestoencryptthemessageMtoBobbycalculatingthethreecomponentsoftheciphertext(c0,C1,C2)assc0=M⊕H2(v)=M⊕H2(126+32i)C1=sP=9(98,58)=(128,74)C2=s�qID1Q1+qID2Q2+qID3Q3+P3�=9[2(128,57)+6(33,31)+8(127,74)+(98,73)]=O11.4.4BBGHIBE(Basic)DecryptionTodecrypttheciphertext(c0,C1,C2)Bobcalculatesˆe(C1,D2)126+32ic0⊕H2�ˆe(D�=c0⊕H2�1�1,C2)=M⊕H2(126+32i)⊕H2(126+32i)=M11.5MasterSecretSharingShamir’ssecretsharing[2]providesthebasisforsharinganIBEmastersecretamongnPKGsfromwhichauserwillneedtoreceivetsharestocalculatehisprivatekey.Thistechniqueencodesamastersecretasacoefficientofapolynomialofdegreet−1.EachPKGhasapoint(xi,yi)thatsatisfiesthispolynomial,sothatauserwithtofthesepointscanuniquelydeterminethecoefficientsofthepolynomialandthushisprivatekeywhileanyt−1PKGsthatcolludewillbeunabletodeterminethesameprivatekey.SupposethatamasterPKGwantstocreatensharesofaBoneh-FranklinmastersecretssothatanytofthesesharescanbeusedtodetermineanIBE 202IntroductiontoIdentity-BasedEncryptionprivatekey.Todothis,hepickst−1randomcoefficentstodeterminethepolynomialt−1f(x)=s+a1x+...+at−1xinwhichthemastersecretisusedastheconstantcoefficientofthepolynomialandwehavethatf(0)=s.ThemasterPKGthenrandomlygeneratesnvaluesxifor1≤i≤nanddistributesthepair(xi,yi)=(xi,f(xi))totheithPKG.WhenauserrequestsashareofaprivatekeyfromPKGnumberiforidentityQID,thePKGrespondswiththepair(xi,yiQID).FromasetoftsuchpairsausercanuniquelycalculatehisprivatekeysQID.HedoesthisbydeterminingthevalueofsQID=f(0)QIDusingLagrangeinterpolation.Becausewehavethatf(x)=∑ei(x)yiiwehavethatf(x)QID=∑ei(x)yiQIDisothatsQID=f(0)QID=∑ei(0)yiQIDiandthusauserwhoreceivestpairsoftheform(xi,yiQID)cancalculatetheLagrangecoefficientsei(0)andthenusethesetocalculatehisprivatekeysQID.SimilarconstructionsarepossibleforotherIBEalgorithms.11.6MasterSecretSharingExampleSupposethatwehaveanIBEsystemthatusestheBoneh-FranklinschemeinwhichwewantausertohavetogetanythreecomponentsoutofapossiblefivethatwillallowhimtocalculatehisprivatekeysQID,andthatthemasterPKGhasthemastersecrets=5whichisencodedastheconstantcoefficient2inthepolynomialf(x)=x+2x+5.ToimplementShamirsecretsharingamongfivePKGs,themasterPKGcancreateanddistributetheelementsshowninTable11.3,whereeachofthevaluesofxiarechosenrandomly. HierarchicalIBEandMasterSecretSharing203Table11.3SetupforShamirSecretSharingforThreeOutofFivePKGsPKGNumber(i)xiyi=f(xi)122239347488595SupposethatourIBEschemeusesoperationsoftheellipticcurveE/�131:23y=x+1andthatauserwithidentityQID=(98,58)getscomponentsfromPKGsnumberedonethroughthreeandwantstocalculatehisprivatekeyfromthesharedsecretsthathereceives.HewillreceivethecomponentsfromthethreePKGsthathehasselectedthatareshowninTable11.4.TocalculatehisprivatekeyassQID=∑ei(0)yiQIDi=1,2,3theuserthenneedstocalculatethevaluesofei(0)whichhefindsbyfirstcalculatingtheLagrangepolynomialsei(x).Hethenfindsthat(x−x2)(x−x3)(x−3)(x−4)e1(x)==(x1−x2)(x1−x3)(2−3)(2−4)≡6(x−3)(x−4)(mod11)sothate1(0)=6(−3)(−4)≡6(mod11)Table11.4SharesofPrivateKeyReceivedbyUserPKGNumberxiyiQID122QID=2(98,58)=(128,57)239QID=9(98,58)=(128,74)347QID=7(98,58)=(33,100) 204IntroductiontoIdentity-BasedEncryptionSimilarly,(x−x1)(x−x3)(x−2)(x−4)e2(x)==(x2−x1)(x2−x3)(3−2)(3−4)≡10(x−2)(x−4)(mod11)sothate2(0)=10(−2)(−4)≡3(mod11)and(x−x1)(x−x2)(x−2)(x−3)e3(x)==(x3−x1)(x3−x2)(4−2)(4−3)≡6(x−2)(x−3)(mod11)sothate3(0)=6(−2)(−3)≡3(mod11)TheuserthencalculateshisprivatekeyassQID=∑ei(0)yiQIDi=1,2,3=6�(128,57)+3�(128,74)+3�(33,100)=(98,58)+(34,23)+(98,73)=(34,23)whichisequaltosQID=5QID=5(98,58)=(34,23)AnythreesharesofthemastersecretwillalsoreconstructthesameprivatekeysQID.SotheuserwillalsobeabletoreconstructthesamevalueofsQIDbyusinganythreeofthefivePKGslistedinTable11.3.References[1]Horwitz,J.,andB.Lynn,‘‘TowardHierarchicalIdentity-BasedEncryption,’’ProceedingsofEUROCRYPT2002,Amsterdam,theNetherlands,April28–May2,2002,pp.466–481. HierarchicalIBEandMasterSecretSharing205[2]Gentry,C.,andA.Silverberg,‘‘HierarchicalID-BasedCryptography,’’ProceedingsofASIACRYPT2002,Queenstown,NewZealand,December1–5,2002,pp.548–566.[3]Boyen,X.,‘‘GeneralAdHocEncryptionfromExponentInversionIBE,’’ProceedingsofEUROCRYPT2007,Barcelona,Spain,May20–24,2007,pp.394–411.[4]Boneh,D.,X.Boyen,andE.Goh,‘‘HierarchicalIdentity-BasedEncryptionwithConstantSizeCiphertext,’’ProceedingsofEUROCRYPT2005,Aarhus,Denmark,May22–26,pp.440–456.[5]Shamir,A.,‘‘HowtoShareaSecret,’’CommunicationsoftheACM,Vol.22,No.1,1979,pp.612–613. 12CalculatingPairingsWiththeoneexceptionoftheCocksIBEschemethatisdescribedinChapter7,theoperationofallIBEschemesrelyonthepropertiesofapairing.Calculatingthevalueofapairingistypicallythemostcomputationallyexpensivepartofimplementingsuchalgorithmsanditmaybenecessarytocarefullyoptimizethecalculationofpairingstomakethempractical.Thischapterdiscussesseveralaspectsofthis.Someellipticcurvesaresuitableforimplementingpairingswhileothersarenot.Thecurvesthataresuitableforsuchusearecalled‘‘pairing-friendly’’curves,andfindingpairing-friendlyordinarycurvesisanactiveareaofresearch.ThestructureoffinitefieldsalsoprovidessomeshortcutsthatmaybeusedtospeedpairingcalculationswhensomefactorsbecomeirrelevantafterthefinalexponentiationthatisusedtomaketheTatepairingunique.Bycarefullyreusingintermediateresults,itispossibletocalculatetheproductofmorethanonepairingsmoreefficientlythancalculatingeachofthepairingsseparately,afactthatisparticularlyusefulintheimplementationofbothHIBEsystemsandtheBoneh-BoyenIBEscheme.Finally,analternativetoMiller’salgorithmforcalculatingtheTatepairingthatisnotbasedonmanipulatingdivisorsisalsodiscussed.12.1Pairing-FriendlyCurvesAsdiscussedinChapter3,atypicalellipticcurveE/�qprovidesastructureunsuitableforcalculatingapairingbecausetheembeddingdegreeofsubgroupsofE(�q)oflargeprimeorderistypicallytoohightomakecalculatingapairingpractical.Toprovideastructuresuitableforimplementingpairing-basedalgorithms,wewantthefollowingproperties:207 208IntroductiontoIdentity-BasedEncryption1.TheexistenceofasubgroupofE(�q)oflargeprimeorderp.2.AlowembeddingdegreeofE(�q).Thefirstoftheseconditionsiseasytodefinecarefully:thedesiredsecurityparametersofasystemwilldeterminethenecessaryorderofG1.Definingalowembeddingdegreerequiresthecreationofasomewhatarbitrarythreshold,2however.Althoughanembeddingdegreek<(logq)islowenoughtomakethecalculationofdiscretelogarithmsin�qkefficientinatheoreticalsense,asubgroupwithsuchanembeddingdegreecanstillprovideanimpracticalstruc-tureforimplementingapairing.AmorepracticalrequirementisthattheembeddingdegreeofG1withrespecttopislessthan(log2p)/8,wheretheconstant(log2p)/8ischosensomewhatarbitrarily,althoughitattemptstoreflectaroughconsensusamongstimplementersofpairing-basedalgorithms.Thisprovidesthemotivationforthefollowingdefinition.Definition12.1AnellipticcurveE/�qispairing-friendlyifwehavethat1.ThereisasubgroupofE(�q)ofasuitablylargeprimeorderp.2.TheembeddingdegreeofE(�q)withrespecttopislessthan(log2p)/8.NotethatifE/�qissupersingularandE(�q)hasasubgroupofthenecessaryorderthenE/�qisautomaticallypairing-friendlybecausewemusthavek≤6fortheembeddingdegreeofE(�q).Findingpairing-friendlyordinarycurves,ontheotherhand,isanactiveareaofresearch,butenoughprogresshasbeenmadetoprovideenoughcurvestoallowtherelativelyefficientimple-mentationofpairing-basedcryptographyatthemostcommonlyusedlevelsofbitstrength.Amongthesealternatives,somechoicesaremoreefficientthatothers,however.Existingtechniquesforgeneratingpairing-friendlyordinarycurvesuseavariantofthetechniqueforgeneratingellipticcurvegroupsofaknownorderthatarecalledthecomplexmultiplication(CM)algorithm,thedetailsofwhicharebeyondthescopeofthisbook.GeneratingsuitableellipticcurvesusingtheCMalgorithm[1]isbasedonthefollowingproperty,inwhichtheintegerDistheCMdiscriminantoftheresultingcurveandtheintegertrepresentsitstrace.Property12.1(AtkinandMorain[2])22Letqbeanoddprimesuchthat4q=t+Dsforintegerss,t,andD.ThenthereisanellipticcurveE/�qwith#E(�q)=q+1−t.Anellipticcurvecanbeconstructedwiththesepropertiesifandonlyifthefollowingconditionshold[3],noneofwhichposeaproblemforgeneratingordinarycurvesforuseinpairing-basedalgorithms. CalculatingPairings2091.qisaprimeorprimepower.2.pisaprime.3.pdividesq+1−t.ki4.p|(q−1)butp|(q−1)fori≤i1istheembeddingdegreeofsomegroupG1oforderpthenwedmusthavep|(q−1)(otherwisetheembeddingdegreewouldbenomorethand)sothatk/d−1i�dp|q∑i=0andthuskdq−1(q−1)|porthatkq−1d=m(q−1)pforsomeintegerm.ThenwecanappealtoFermat’slittletheoremtofindthatfactorsoftheform(qk−1)/p(qd−1)mx=x=1reducetothevalueof1afterafinalexponentiation,sothattheycanbedroppedfromsomecalculationswithoutchangingthefinalvalue.NowfP′isarationalfunctionwithneitherazeronorpoleatthepointO,soifthepointPhascoordinatesin�qthenfP′(O)doesalso.Thus,fP′(O)isafactorwhatwillreducetothevalueof1afterafinalexponentiationkby(q−1)/psowecanomititfromcalculationswithoutintroducinganyerrorandwecancalculatethereducedTatepairingas(qk−1)/p(qk−1)/pe(P,Q)=(fP′(AQ))=fP′((Q)−(O))(qk−1)/pfP′(Q)(qk−1)/p=��=fP′(Q)fP′(O)SupposethatR∈E(�q)withR∉{O,−P,Q,Q−P}.Then(P+R)−(R)isequivalentto(P)−(O)becausetheydifferbythedivisorofsomerationalfunction,say CalculatingPairings213(P+R)−(R)=(P)−(O)+div(g)sothatdiv(fP′)=p((P+R)−(R))=p((P)−(O)+div(g))=div(fP)+p�div(g)PorthatfP′=fPg.SinceQnotapoleorzeroofeitherfP′orfP,theng(Q)∈�q*k,sowecanwrite(qk−1)/p(qk−1)/pqk−1(qk−1)/pfP′(Q)=fP(Q)g(Q)=fP(Q)becauseFermat’slittletheoremguaranteesthatqk−1g(Q)=1SoafterthefinalexponentiationthereisessentiallynodifferencebetweenfP′andfP,andwecanignoreanyofthetermsinvolvingtherandompointRinMiller’salgorithm,givingthemoreefficientversionofitthatisdefinedbyAlgorithm12.1,whichusesthesamenotationinAlgorithm4.1.Algorithm12.1:SimplifiedTatePairing(simplifiedMiller’salgorithmforcomput-ingtheTatepairing)tiINPUT:EllipticcurveE/�q,P∈E(�q)[n]withn=∑bi2,Q∈E(�qk)i=0OUTPUT:e(P,Q)1.f←1,t←log2n,S←P2.Fori←t−1downto02uS,S(Q)3.f←fv2,S(Q)4.S←2S5.Ifbi=1uS,P(Q)6.f←fvS+P(Q)7.S←S+P8.ReturnfExample12.123SupposethatwehavetheellipticcurveE/�11:y=x+x.LetP=(5,8)∈E(�11)[3]andletQ=(4,3i)∈E��112�.Using(4.3)wefindthat 214IntroductiontoIdentity-BasedEncryptionfP(x,y)=y+9x+2wherediv(fP)=3(P)−3(O)sothatfP(Q)=5+3iwhichgives(qk−1)/p40fP(Q)=(5+3i)=5+3iforthereducedpairing.12.2.2EliminatingExtensionFieldDivisionsInsomecases,itispossibletoreplacetheextensionfielddivisionthathappeninsteps3and6ofAlgorithm12.1.Inthecasewheretheembeddingdegreekiseven,itispossibletoreplacethesedivisionswithacomplexconjugationinawaythatwillresultinthecorrectresultafterthefinalexponentiation[10].Thiscanbeverybeneficialbecauseinversionsaretypicallyveryexpensiveoperationsinalargefinitefield.Thebasisforthisistoconsiderthefield�qkasanextensionofdegree2of�qdwhered=k/2,sothatelementsof�qkcanberepresentedasa+ibwhereaandbareelementsof�qd.qdExpanding(a+ib)asqdqdqdqd−kk(a+ib)=∑��a(ib)k=0kweseethatmostofthetermsareequaltozeromoduloqsothatwehaveqd(a+ib)=a−ibsothatwehavethatqd−11a+ib=�a+ib�qd−1(a+ib)qda+ib(a−ib)qd−1===(a−ib)a−iba−ib CalculatingPairings215AndsincewecanwritethefinalexponentiationafteraTatepairingas(qk−1)/pqd−1�(qk−1)/px=�xweseethatwecanreplacetheextensionfielddivisionsinsteps3and6bycomplexconjugation,whichisequivalenttodivisionintheextensionfieldafterthefinalexponentiationisapplied.ThissuggeststhemodificationtoMiller’salgorithmthatisshowninAlgorithm12.2.Algorithm12.2:SimplifiedTatePairingConjugation(simplifiedMiller’salgo-rithmforcomputingtheTatepairingreplacingextensionfielddivisionswithcomplexconjugation)tiINPUT:EllipticcurveE/�q,P∈E(�q)[n]withn=∑bi2,Q∈E(�qk)i=0OUTPUT:e(P,Q)1.f←1,t←log2n,S←P2.Fori←t−1downto023.f←f�uS,S(Q)�v2,S(Q)4.S←2S5.Ifbi=16.f←f�uS,P(Q)�vS+P(Q)7.S←S+P8.Returnf12.2.3DenominatorEliminationIneitherthebasicalgorithmfortheTatepairing(Algorithm4.1)orthemoreefficientversionshownabove(Algorithm12.1),thedenominatorsthatappearinMiller’salgorithmarealltermsoftheformvP(Q)forsomepointP,wherevP(Q)=xQ−xP.Ifwehavethatthex-coordinatesofbothPandQareelementsof�q,thentheirdifferenceisalsoanelementof�qandwillbeeliminatedbyafinalexponentiation.Ifthishappens,thenthecalculationoftheTatepairingcanbefurthersimplifiedtotheversionshowninAlgorithm12.3,whichfurthersimplifiesAlgorithm12.1.Algorithm12.3:SimplifiedTatePairingWithDenomElim(simplifiedMiller’salgorithmforcomputingtheTatepairingusingdenominatorelimination)tiINPUT:EllipticcurveE/�q,P∈E(�q)[n]withn=∑bi2,Q∈E(�qk)i=0OUTPUT:e(P,Q) 216IntroductiontoIdentity-BasedEncryption1.f←1,t←log2n,S←P2.Fori←t−1downto023.f←f�uS,S(Q)4.S←2S5.Ifbi=16.f←f�uS,P(Q)7.S←S+P8.Returnf.UnliketheeliminationoftherandomcomponentthatproducesAlgorithm12.1,denominatoreliminationonlyworksinspecialcases,thoseinwhichwecanguaranteethatthex-coordinateoftheinputQtobeanelementof�q.Thiswillhappen,forexample,inthecasewherethesupersingularcurveE/�q:y2=x3+xisused,andwecalculateˆe(P,Q)=e(P,�(Q))(qk−1)/pwhere�isthedistortionmapgivenby�(x,y)=(−x,iy).Inthiscase,thex-coordinateoftheoutputofthedistortionmapisanelementof�q,sodenominator2eliminationcanbeused.InthecaseofthesupersingularcurveE/�q:y=3x+1,ontheotherhand,wherewehaveadistortionmapoftheform3�(x,y)=(�x,y)where�=1,�≠1,wedonothavethex-coordinateoftheoutputofthedistortionmapbeinganelementof�q,sodenominatoreliminationcannotbeused.12.3CalculatingtheProductofPairingsCalculatingtheproductofpairingscanbeusefulintwoimportantcases.ProductsofpairingsarerequiredintheimplementationofmanyHIBEschemes,andbecausewecanwritee(P1,Q1)=e(P1,Q1)e(P2,−Q2)e(P2,Q2)thesametechniquethatwillallowtheefficientcalculationoftheproductofpairingscanalsobeusedtocalculatetheratioofpairings,whichisrequiredintheBoneh-BoyenIBEscheme.Toefficientlycalculatetheproductofpairingsoftheformn�e(Pi,Qi)i=1 CalculatingPairings217weassumethatallofthevaluesPiareelementsofthesameorder.ThisguaranteesthattheloopindexvariableiinAlgorithm12.1issharedbyeachofthecalculationsofe(Pi,Qi)sothatwecancombinesomeoftheoperationsthatarerequiredinthecalculationofeachoftheseparatepairings[9–11].Inparticular,theaccumulationstepsthattakeplaceinsteps3and6ofAlgorithm12.1canbecombinedintoasingleaccumulationthatreturnstheproductofthepairings.Oncethisvalueiscalculated,asinglefinalexponentiationisthenrequired.Inanimportantspecialcase,thecomputationalefficiencygainedbycom-biningtheseoperationsmakescalculatingtheratiooftwopairings,likeisrequiredintheBoneh-BoyenIBEalgorithm,approximately20%slowerthancalculatingasinglepairinginsteadoftwiceasslow.Algorithm12.4:ProductOfPairings(simplifiedMiller’salgorithmforcomputingtheproductofTatepairings)INPUT:EllipticcurveE/�q,P1,P2,...Pm∈E(�q)[n]withtin=∑bi2,Q1,Q2,...Qm∈E(�qk)i=0nOUTPUT:�e(Pi,Qi)i=11.f←1,t←log2n,S1←P1,S2←P2,...Sm←Pm2.Fori←t−1downto0m2uSi,Si(Qi)3.f←f�i=1v2,Si(Qi)4.S1←2S1,S2←2S2,...,Sm←2Sm5.Ifbi=1muSi,Pi(Qi)6.f←f�i=1vSi+Pi(Qi)7.S1←2S1+P1,S2←2S2+P2,...,Sm←Sm+Pm8.Returnf12.4TheShipsey-StangeAlgorithmAlthoughmostresearchtodateonefficientimplementationsoftheTatepairinghavefocusedonoptimizingMiller’salgorithm,therehasbeenanalternativetoMiller’salgorithmthathasbeenrecentlydiscoveredthatprovidesawayto 218IntroductiontoIdentity-BasedEncryptioncalculatetheTatepairingwithoutrequiringanymanipulationofdivisors.ThisalgorithmisduetoKatherineStange[12],andusesthepropertiesofellipticnetstocreateanalgorithmforcalculatingtheTatepairing.AnellipticnetisafunctionthatsatisfiesthefollowingrecursionW(p+q+s)W(p−q)W(r+s)W(r)+W(q+r+s)W(q−r)W(p+s)W(p)+W(r+p+s)W(r−p)W(q+s)W(q)=0Ellipticnetsarecloselyrelatedtoellipticcurves,andcanbedefinedintermsofthesame℘functionthatunderliesanellipticcurve.Stange’sremarkableresultwasthatitispossibletocalculatetheTatepairingforP∈E(�q)[n]withandQ∈E(�qk)asW(s+np+q)W(s)e(P,Q)=W(s+np)W(s+q)wherealloftheinitialconditionsoftheellipticnetcanbecalculatedfrom23eitherthecoefficientsaandboftheellipticcurveE/�q:y=x+ax+borfromthepointsP=(xP,yP)andQ=(xQ,yQ).Thiscanbedoneasfollows.FirstcalculatethreeconstantsA,B,andCas1A=(12.1)xP−xQ1B=(12.2)22(2xP−xQ)(xP−xQ)−(yP+yQ)1C=(12.3)2yPThendeterminetheinitialconditionsoftwosequences{ci}and{di}asc−2=−2yP(12.4)c−1=−1(12.5)c0=0(12.6)c1=1(12.7) CalculatingPairings219c2=2yP(12.8)422c3=3xP+6axP+12bxP−a(12.9)�x6432223�c4=4yPP+5axP+20bxP−5axP−4abxP−8b−a(12.10)andd0=1(12.11)d1=1(12.12)2yQ−yPd2=(2xP−xQ)−�x�(12.13)Q−xPAdditionaltermsofthesequences{ci}and{di}canthenbecalculatedusingtherecursions33c2k−1=c2k+1ck−1−ck−2ck(12.14)�c22�(12.15)c2k=Ckck+2ck−1−ckck−2ck+1and22d2k−1=dk+1dk−1ck−1−dkck−2ck(12.16)22d2k=dk+1dk−1ck=dkck−1ck+1(12.17)�d22d2k+1=Ak+1dk−1ck+1−dkckck+2(12.18)�d22d2k+2=Bk+1dk−1ck+2−dkck+1ck+3(12.19)Oncethevaluescn+1anddn+1havebeencalculated,itisthenpossibletocalculatethevalueoftheTatepairingasdn+1e(P,Q)=cn+1 220IntroductiontoIdentity-BasedEncryptionExample12.223SupposethatwehavetheellipticcurveE/�11:y=x+x.LetP=(5,8)∈E(�11)[3]sothatxP=5andyP=8,andletQ=(4,3i)∈E(�112)sothatxQ=4andyQ=3i.Thisgivesthefollowingconstants:A=1B=9+6iC=9andthefollowinginitialconditionsfortheellipticnet:c−2=6c−1=−1c0=0c1=1c2=5c3=0c4=10d0=1d1=1d2=3+4id3=9+id4=5+3iBecausetheorderofthepointPissolow,wecanimmediatelycalculatethevalueofd45+3ie(P,Q)===6+8ic410 CalculatingPairings221whichgivesthevalueof(112−1)/3ˆe(P,Q)=(6+8i)=5+3iforthereducedpairing,thesameresultasfoundinExample12.1.RachelShipsey[13]inventedadouble-and-addtechniqueforcalculatingthevaluesofrecursionslike(12.14),(12.15),and(12.16)through(12.19).ThistechniquegivestheShipsey-StangealgorithmforcalculatingtheTatepairingusingellipticnetswhichisdefinedinAlgorithm12.5.TheShipsey-StangealgorithmislessefficientatcalculatingtheTatepairingthanoptimizedversionsofMiller’salgorithmare,butfutureresearchmayclosethisgapandmakethealgorithmmoreuseful.Algorithm12.5:TateShipseyStange(Shipsey-StangealgorithmfortheTatepair-ingusingellipticnets)23INPUT:EllipticcurveE/�q:y=x+ax+b,P∈E(�q)[n]withtin=∑bi2,Q∈E(�qk)i=0OUTPUT:e(P,Q)1.k←1,t←log2n2.CalculateA,B,Cusing(12.1)through(12.2)3.Calculatec−2,c−1,...c4using(12.4)through(12.10)4.Calculated0,d1,d2using(12.11)through(12.13)5.Fori←t−1downto06.Ifbi=0then7.Calculatec2k−3,...,c2k+4using(12.14)and(12.15)8.Calculated2k−1,d2k,d2k+1using(12.16)through(12.19)9.k←2k10.else11.Calculatec2k−2,...,c2k+5using(12.14)and(12.15)12.Calculated2k,d2k+1,d2k+2using(12.16)through(12.19)13.k←2k+114.Returndr+1/cr+112.5PrecomputationInmanycalculationsofpairings,thevalueofPinˆe(P,Q)isrelativelyfixed.IntheBoneh-FranklinIBEsystem,forexample,ifweneedtocalculate 222IntroductiontoIdentity-BasedEncryptionˆe(sP,rQID),wheresPispartofthepublicparametersofthesystem,whichwillrarelychange.Becausewecalculatethevalueofthepairingase(P,Q)=fP(Q),ifthevalueofthepointPisfixedthenthefunctionsuandvthatareusedincalculatingthevalueofthepairing,likeinstep3ofAlgorithm12.1,arealsofixed,sowecancalculatethevaluesneededtoevaluateuandvonce,savingsignificantcomputationaleffort.WiththevalueofthepointPisfixed,theordernofthepointPisalsofixed,sothattheiterationonthebinaryexpansionofnisalsofixed,sothatthefunctionsofPthatarecalculatedinthedouble-and-additerationoftheTatepairing,likethevaluesofSthatarecalculatedinsteps4and7ofAlgorithm12.1arealsofixed.CalculatingthesevaluesonceandreusingthemwillalsosavesignificantcomputationaleffortinevaluatingtheTatepairing.References[1]IEEEStandardNumber1363-2000,‘‘StandardSpecificationsforPublic-KeyCryptogra-phy,’’2000.[2]Atkin,A.,andF.Morain,‘‘EllipticCurvesandPrimalityProving,’’MathematicsofCompu-tation,Vol.61,No.203,1993,pp.29–68.[3]Lay,G.,andH.Zimmer,‘‘ConstructingEllipticCurveswithGivenGroupOrderoverLargeFiniteFields,’’ProceedingsoftheFirstInternationalSymposiumonAlgorithmicNumberTheory,Ithaca,NY,May6–9,1994,pp.250–263.[4]Miyaji,A.,M.Nakabayashi,andS.Tanako,‘‘NewExplicitConstructionsofEllipticCurveTracesforFR-Reduction,’’IEICETransactionsonFundamentals,Vol.E84-A,No.5,2001,pp.1234–1243.[5]Freeman,D.,‘‘ConstructingPairing-FriendlyEllipticCurveswithEmbeddingDegree10,’’Proceedingsofthe4thAlgorithmicNumberTheorySymposium,Leiden,theNetherlands,July2–7,2000,pp.452–465.[6]Baretto,P.,andM.Naehrig,‘‘Pairing-FriendlyEllipticCurvesofPrimeOrder,’’Proceedingsofthe12thAnnualWorkshoponSelectedAreasinCryptography,Kingston,Canada,August11–23,2005,pp.319–331.[7]Brezing,F.,andA.Weng,‘‘EllipticCurvesSuitableforPairing-BasedCryptography,’’Designs,CodesandCryptography,Vol.37,No.1,2005,pp.133–141.[8]Baretto,P.,B.Lynn,andM.Scott,‘‘ConstructingEllipticCurveswithPrescribedEmbed-dingDegrees,’’Proceedingsofthe3rdConferenceonSecurityinNetworks,Amalfi,Italy,September12–13,2002,pp.263–273.[9]Baretto,P.,H.Kim,B.Lynn,andM.Scott,‘‘EfficientAlgorithmsforPairing-BasedCryptosystems,’’ProceedingsofCRYPTO2002,SantaBarbara,CA,August18–22,2002,pp.23–36.[10]Kobayashi,T.,K.Aoki,andH.Imai,‘‘EfficientAlgorithmsfortheTatePairing,’’IEICETransactionsonFundamentals,Vol.E89-A,No.1,2006,pp.134–143. CalculatingPairings223[11]Scott,M.,‘‘ComputingtheTatePairing,’’ProceedingsoftheCryptographers’TrackattheRSAConference2005,SanJose,CA,February13–17,2005,pp.293–304.[12]Stange,K.,‘‘TheTatePairingViaEllipticNets,’’Proceedingsofthe1stInternationalConferenceonPairing-BasedCryptography,Tokyo,Japan,July2–4,2007,pp.329–384.[13]Shipsey,R.,‘‘EllipticDivisibilitySequences,’’Ph.D.thesis,UniversityofLondon,2000. Appendix:UsefulTestDataValuesUsefulforTestingPairingCalculationsThefollowingvaluesareprovidedtohelptestsoftwarethatimplementstheTatepairing.TheycanalsobeusedtohelpmanuallycalculatetheencryptionanddecryptionalgorithmsdescribedinChapters8,9,10,and11.23A.1PointsonE/�131:y=x+123FortheellipticcurveE/�131:y=x+1andP=(98,58)∈E(�131)[11],wehavethat�(x,y)=(�x,y),where�=65+112i,isadistortionmapforfinitepointsin〈P〉.Theelementsof〈P〉,thevalueofthedistortionmapatn1560thepointsof〈P〉,aswellasthevaluesˆe(P,P),whereˆe(P,Q)=e(P,�(Q))arelistedhere.nnnP�(nP)ˆe(P,P)1(98,58)(82+103i,58)28+93i2(128,57)(67+57i,57)126+99i3(113,8)(9+80i,8)85+80i4(33,31)(49+28i,31)49+58i5(34,23)(114+9i,23)39+24i6(34,108)(114+9i,108)39+107i7(33,100)(49+28i,100)49+73i8(113,123)(9+80i,123)85+51i9(128,74)(67+57i,74)126+32i10(98,73)(82+103i,73)28+38i11OO1225 226IntroductiontoIdentity-BasedEncryption23A.2PointsonE/�131:y=x+x23FortheellipticcurveE/�131:y=x+1andP=(55,45)∈E(�131)[11],wehavethat�(x,y)=(130�x,i�y),where�=65+112i,isadistortionmapforfinitepointsin〈P〉.Theelementsof〈P〉,thevalueofthedistortionnmapatthepointsof〈P〉,aswellasthevaluesˆe(P,P),whereˆe(P,Q)=1560e(P,�(Q))arelistedhere.nnnP�(nP)ˆe(P,P)1(55,45)(76,45i)126+32i2(60,33)(71,33i)49+73i3(27,45)(104,45i)39+24i4(49,86)(82,86i)85+80i5(121,13)(10,13i)28+93i6(121,118)(10,118i)28+38i7(49,45)(82,45i)85+51i8(27,86)(104,86i)39+107i9(60,98)(71,98i)49+58i10(55,86)(76,86i)126+99i11OO123A.3RationalFunctionsofDivisorsforE/�11:y=x+123FortheellipticcurveE/�11:y=x+1wehavethat#E(�11)=12.EachofthefiniteelementsofE(�11)arelistednextalongwiththerationalfunctionfP(x,y)suchthatdiv(n(P)−n(O))=div(fP(x,y))forapointPofordern.PointOrderfP(x,y)244(y+3x+3)(y+4x+6)(y+8x+3)(9,12)1244(x+1)(x+6)(x+9)22(y+x+1)(y+2x+10)(2,8)62x(x+1)2(y+3x+3)(5,4)4x+1(0,10)3y+1244(y+3x+3)(y+6x+7)(y+7x)(7,6)1244(x+1)(x+6)(x+9) Appendix227(10,0)2x+1244(y+4x)(y+5x+4)(y+8x+8)(7,5)1244(x+1)(x+6)(x+9)(0,1)3y+102(y+8x+8)(5,7)4x+122(y+9x+1)(y+10x+10)(2,3)62x(x+1)244(y+8x+8)(y+7x+5)(y+3x+8)(9,9)1244(x+1)(x+6)(x+9)A.4RationalFunctionsofDivisorsforSelectedPoints23onE/�11:y=x+x23FortheellipticcurveE/�11:y=x+xwehavethat#E(�131)=132.EachofthefiniteelementsofE(�131)[11]arelistednextalongwiththerationalfunctionfP(x,y)suchthatdiv(11(P)−11(O))=div(fP(x,y))forapointP.PointOrderfP(x,y)244(y+8x)(y+9x+6)(y+10x+10)(7,8)1244x(x+1)(x+2)22(y+6x)(y+10x+8)(9,1)62x(x+6)2(y+8x)(10,8)4x(5,3)3y+2x+9244(y+8x)(y+7x+4)(y+5x+9)(8,6)1244x(x+1)(x+2)(0,0)2x244(y+3x)(y+4x+7)(y+6x+2)(8,5)1244x(x+1)(x+2)(5,8)3y+9x+22(y+3x)(10,3)4x 228IntroductiontoIdentity-BasedEncryption22(y+5x)(y+x+3)(9,10)62x(x+6)244(y+3x)(y+2x+5)(y+x+1)(7,3)1244x(x+1)(x+2)A.5RationalFunctionsofDivisorsforSelectedPointson23E/�131:y=x+123FortheellipticcurveE/�131:y=x+1wehavethat#E(�131)=132.EachofthefiniteelementsofE(�131)[11]arelistednextalongwiththerationalfunctionfP(x,y)suchthatdiv(n(P)−n(O))=div(fP(x,y))forapointofordern.P=(98,58)∈E(�131)[11]244(y+54x+21)(y+67x+57)(y+113x+3)(y+17x+125)(98,58)244(x+3)(x+97)(x+98)224(y+18x+128)(y+83x+61)(y+110x+17)(y+17x+125)(128,57)224(x+18)(x+33)(x+98)224(y+110x+7)(y+47x+52)(y+64x+74)(y+103x+12)(113,8)244(x+33)(x+97)(x+98)224(y+114x+6)(y+8x+98)(y+28x+119)(y+110x+7)(33,31)224(x+3)(x+97)(x+18)224(y+103x+112)(y+12x+93)(y+18x+128)(y+67x+57)(34,23)224(x+3)(x+18)(x+33)224(y+28x+119)(y+113x+3)(y+119x+38)(y+64x+74)(34,108)224(x+3)(x+18)(x+33)224(y+17x+125)(y+123x+33)(y+103x+12)(y+21x+124)(33,100)224(x+3)(x+97)(x+18)224(y+21x+124)(y+84x+79)(y+57x+67)(y+28x+119)(113,123)242(x+33)(x+97)(x+98)224(y+113x+3)(y+48x+70)(y+21x+124)(y+114x+6)(128,74)224(x+18)(x+33)(x+98)244(y+64x+74)(y+77x+110)(y+114x+6)(y+18x+128)(98,73)244(x+3)(x+97)(x+98) AbouttheAuthorLutherMartinisasecurityarchitectatVoltageSecurityinPaloAlto,California.Hehaspublishednumerousarticlesonthetopicsofinformationsecurityandriskmanagement,isthetechnicaleditoroftheIEEEP1363.3standardforidentity-basedencryption,andistheprincipalauthoroftheIETFstandardsthatdefineidentity-basedencryptionalgorithmsandtheiruseinencryptinge-mail.Mr.MartinholdsanM.S.inmathematicsfromtheUniversityofCincinnatiandanM.S.inelectricalengineeringfromTheJohnsHopkinsUniversity.229 IndexAdaptivechosen-ciphertextattack,94Disjointsupport,70Adaptivechosen-identityattack,94Distortionmap,62Adaptivechosen-plaintextattack,93Divisor,15,67,69Divisor,principal,69Bilinear,81BilinearDiffie-Hellmanproblem,107Easycalculation,91BNcurve,209,211Efficientalgorithm,91Boneh-BoyenIBEscheme,147ElGamalencryption,128Boneh-Boyen-GohHIBE,198Ellipticcurve,41,44Boneh-FranklinIBEscheme,147Ellipticcurve,Diffie-Hellman,125BWcurve,209,211Ellipticcurve,ordinary,57Ellipticcurve,singular,113Characteristic(ofafield),31Ellipticcurve,supersingular,57Chineseremaindertheorem,17Ellipticnet,218Chosen-identityattack,94Embeddingdegree,58Chosen-plaintextattack,93Encryption,92Ciphertext,92Endomorphism,29Ciphertext-onlyattack,93CobilinearDiffie-Hellmanproblems,109Fermat’slittletheorem,20CocksIBEscheme,131Field,30Complexmultiplication,79,208Finalexponentiation,78ComputationalDiffie-Hellmanproblem,105Freemancurve,209,211Fujisaki-Okamototransform,95DecisionbilinearDiffie-Hellmanproblem,107Gauss’algorithm,18DecisionDiffie-Hellmanproblem,106Generalnumberfieldsieve,99Decryption,92Generator(ofagroup),28Degree(fieldextension),33Gentry-SilverbergHIBE,192,193Denominatorelimination,215Goldwasser-Michaliencryption,121Diffie-Hellmankeyexchange,124Group,26Discretelogarithm,29Group,Abelian,26Discriminant,45Grover’salgorithm,116231 232IntroductiontoIdentity-BasedEncryptionHardcalculation,91Plaintext,92Hashfunction,cryptographic,92Pointaddition,ellipticcurve,47Hasse’stheorem,57Pollard’srhoalgorithm,98HierarchialIBE(HIBE),191Prime,Solinas,16Homomorphism(offields),31Productofpairings,calculating,216Homomorphism(ofgroups),29Projectivecoordinates,53Provingsecurity,114Indexcalculusalgorithm,102Integerfactorizationproblem,109q-bilinearDiffie-HellmaninversionIsomorphism(ofellipticcurves),60problem,108Isomorphism(ofgroups),29q-decisionbilinearDiffie-HellmaninversionIsomosphism(offields),32problem,109Quadraticnonresidue,21Jacobisymbol,23Quadraticresidue,21Jacobisymbol,computing,24Quadraticresiduosityproblem,109J-invariant,60Quadratictwist,61Joux’sthree-waykeyexchange,126Quantumcomputing,116Key,cryptographic,92Known-plaintexattack,93Randomoraclemodel,115Reducedpairing,78Lagrangeinterpolation,18,38,202Legendresymbol,22Sakai-KasaharaIBEscheme,177Linearlyindependent,34Shipsey-Stangealgorithm,217Logarithm,discrete,29Shor’salgorithm,117Singularellipticcurve,113Mastersecretsharing,201Solinasprime,16Miller’salgorithm,84Standardmodel,115MNTcurve,209,211Subgroup,27Negligiblefunction,91Supersingular(ellipticcurve),57Nondegenerate,81Support(ofadivisor),70Order(field),31Tatepairing,76Order(groupelement),26Three-waykeyexchange,Joux’s,126Order(group),28Trace(ofanellipticcurve),57Ordinary(ellipticcurve),57TraceofFrobenius,57Twist,61Pairing,83Pairing-friendlycurve,207Weierstrassnormalform,44Phifunction,Euler’s,19Weilreciprocity,75
