IBC public key cryptography

1.  IBC Overview

 

Identity-based cryptography (IBC) is a form of public key cryptography that differs from RSA and ECC in one distinctive way: its public key is the user's identity, which can be any meaningful string, such as an e-mail address, a telephone number or an ID number, rather than a random-looking string.

The concept of IBC first appeared in Shamir's 1984 paper "Identity-based cryptosystems and signature schemes". The public and private keys of IBC are generated by a method unlike that of RSA and ECC: the public key is the user's identity, and the private key is generated by binding that identity to the system master key. IBC comprises an identity-based encryption algorithm (IBE, Identity-Based Encryption), an identity-based signature algorithm (IBS, Identity-Based Signature) and an identity-based key agreement algorithm (IBKA, Identity-Based Key Agreement). After Shamir proposed the IBC design idea in 1984, many satisfactory IBS and IBKA algorithms were devised. Among them, the Hess IBS and Cha-Cheon IBS signature algorithms, which use bilinear pairings, have been adopted by ISO/IEC (ISO/IEC 1488-3) as the first and second IBS signature algorithms, respectively, and the Smart-Chen-Kudla IBKA key agreement algorithm has been submitted to IEEE P1363.3.

Seventeen years after Shamir proposed IBC in 1984, three IBE algorithms appeared in 2001, proposed by Boneh and Franklin, by Cocks, and by Sakai et al. Cocks' IBE uses quadratic residues, and its security rests on the difficulty of factoring large integers. The IBE designed by Boneh and Franklin and the one designed by Sakai et al. both use bilinear pairings on elliptic curves, and their security rests on the difficulty of the BDH (Bilinear Diffie-Hellman) problem. Boneh-Franklin's IBE (BF-IBE) was the first to be proven secure in the random oracle model and has been recognized by the international cryptographic community. As its application spread, the corresponding standardization work followed: RFC 5091 adopts BF-IBE, built on a supersingular curve, as the IBC standard. BF-IBE combines identity-based cryptography with pairing-based cryptography. In what follows, unless otherwise stated, IBC refers to identity-based cryptography with the BF-IBE encryption algorithm at its core (note: this differs from the IBC standard being formulated in China).

As a development of and supplement to the PKI (Public Key Infrastructure) system, IBC, and especially the integration of IBC with PKI, not only preserves the security property of strong signatures but also meets the more flexible security requirements of various applications. Using RSA and ECC in a PKI requires the creation of a large number of digital certificates; in some application systems the number of certificates exceeds 10 million, and managing the certificates and the corresponding databases has become a heavy task. IBC is certificateless: because the identity itself is the entity's public key, such systems no longer rely on certificates, which greatly simplifies the application of PKI.

Applying IBC is simpler than applying traditional public key cryptography. The cost is that the design and computation of IBC are much more complicated than those of other public key systems: in addition to the operations found in RSA and ECC, the IBC algorithm adds the computation of bilinear pairings. The arithmetic theory of bilinear pairings is therefore an important part of the IBC algorithm.

Early on, bilinear pairings on elliptic curves were used to attack the discrete logarithm problem (DLP) in ECC, in the so-called MOV attack of Menezes, Okamoto and Vanstone and the FR attack of Frey and Rück.

In 2000, Sakai, Ohgishi and Kasahara, in their paper "Cryptosystems based on pairing", and Joux, in his paper "A one round protocol for tripartite Diffie-Hellman", independently proposed cryptographic protocols based on bilinear pairings, opening a new chapter in elliptic curve cryptography. Since then, bilinear pairings have shifted from being applied to cryptanalysis to being applied to cryptographic design, and have attracted the interest and attention of many cryptographers. Bilinear pairings are treated as black boxes in cryptosystems, and their application in cryptography has developed at an unusually rapid pace; in particular, the pioneering paper "Identity-Based Encryption from the Weil Pairing" by Boneh and Franklin successfully created identity-based encryption, IBE.

Because bilinear pairings are so widely used in cryptographic protocol design, their efficient computation has become a research focus in this area.

Shortly after Miller created elliptic curve cryptography (ECC) in 1985, he gave the first polynomial-time algorithm for computing bilinear pairings in an unpublished manuscript, "Short programs for functions on curves". Because bilinear pairings had not yet found an effective use in public key cryptography, the work did not attract researchers' attention at the time. Once bilinear pairings were used in public key cryptography, the importance of their computation became more and more significant. After a lapse of 19 years, Miller reworked the old manuscript in 2004 and described the computation of bilinear pairings and its applications in detail (see "The Weil pairing, and its efficient calculation", Journal of Cryptology, September 2004).

Most current research on bilinear pairing algorithms focuses on optimizing and improving Miller's algorithm; the work of Barreto, Scott and others is the most prominent. The most effective improvements have two aspects. First, in the pairing computation the value of the rational function at a divisor can be replaced by its value at a point on the elliptic curve without affecting the result, that is, substituting points for divisors, which I call "replacing divisors by points"; second, in some cases the denominator part of the steps of Miller's algorithm can be removed without affecting the final result, that is, denominator elimination, which I call "dedenominator".

There are many articles on the arithmetic theory and computation of bilinear pairings. I recommend two to readers: the doctoral dissertation "Efficient Computation of Bilinear Pairings" by Dr. Zhao Changan of the Department of Computer Science, Sun Yat-sen University, and the doctoral thesis "On the Implementation of Pairing-based Cryptosystems" by Dr. Ben Lynn of the Department of Computer Science, Stanford University. Both theses contain in-depth research in many areas, but more importantly, and of more interest to general readers, they cover the basic theory of bilinear pairings and give a comprehensive introduction to and discussion of their computation.

 

2. The main algorithm modules of IBC

 

IBC consists of algorithm modules for system setup, private key extraction, encryption, decryption, signing, signature verification and bilinear pairing computation. In what follows the encryption algorithm is BF-IBE, the signature algorithm is Hess-IBS, and the bilinear pairing is the Tate pairing.

 

2.1. Setup (creation of the cryptosystem)

 

This module creates the IBC cryptosystem. Its main task is to generate the system parameters and the master key. The system parameters include:

A prime p with p ≡ 11 (mod 24), over which the elliptic curve y^2 = x^3 + 1 is defined;

A prime q with q | (p + 1), so that the group E(F_p) of points on the curve over F_p has a cyclic subgroup of order q;

A point P of order q on E(F_p), called the base point;

A point Pub of order q on E(F_p), called the system root public key;

The master key (also called the root private key) is a random number less than q. The master key s, the base point P and the root public key Pub are related by scalar multiplication on the elliptic curve: Pub = [s]P.

The following table gives the corresponding bit sizes of p and q.

p (bits)    512   1024   1536   3840   7680
q (bits)    160    224    256    384    512

 

The prime q (with q | p + 1) is a Solinas prime [RFC5091], that is, a prime of the form 2^a + 2^b + 1, where a depends on the bit size of q: if q has Qbit bits, then a = Qbit - 1.

When the system parameters are created, the prime q is actually constructed first, and p is then constructed from q.
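As an added example (not code from the post), here is the parameter construction just described, in Python with toy sizes: the Solinas prime q = 2^a + 2^b + 1 with a = Qbit - 1 is found first, and p is then searched in the form p = 12rq - 1 with r odd, which forces both p ≡ 11 (mod 24) and q | p + 1 (the same form RFC 5091 uses; the trial-division primality test is only adequate for the toy sizes here).

```python
# Constructing the section 2.1 primes in the order the text gives: first the Solinas prime q, then p from q.
# Toy bit sizes; trial division suffices here, but a real setup would use a probabilistic primality test.
def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
def solinas_prime(qbits):
    # q = 2^a + 2^b + 1 with a = Qbit - 1, trying b upward, so q has exactly qbits bits
    a = qbits - 1
    for b in range(1, a):
        q = (1 << a) + (1 << b) + 1
        if is_prime(q): return q
    raise ValueError("no Solinas prime with %d bits" % qbits)
def find_p(q, pbits):
    # p = 12*r*q - 1 with r odd: 12*r*q = 12 (mod 24), so p = 11 (mod 24), and q | p + 1 by construction
    r = ((1 << (pbits - 1)) // (12 * q)) | 1              # start from an odd r giving p of about pbits bits
    while not is_prime(12 * r * q - 1): r += 2
    return 12 * r * q - 1
def setup_primes(qbits, pbits):
    q = solinas_prime(qbits); p = find_p(q, pbits)
    return p, q, (p + 1) // q                              # p, q and the cofactor (p + 1)/q = 12*r
```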

 

2.2. Private Key Extraction

 

This module generates the user's private key from the system parameters, the master key and the user's identity.

In BF-IBC, the user's identity id is first mapped to a point Q_id on the elliptic curve.

This mapping uses a hash function (call it H1) to convert id to a number y = H1(id) in F_p; y then determines x through the curve equation y^2 = x^3 + 1, giving the point Q_id = (x, y).

The private key D_id is then obtained by scalar-multiplying Q_id by the master key s: D_id = [s]Q_id.

Note: the data types of the user's public and private keys are exactly the opposite of those of the IBC root public key and root private key. The user's public key is its identity (a string), and its private key is a point on the curve; the IBC root public key is a point on the curve, and the root private key (master key) is a number.

 

2.3. Encryption

 

This algorithm encrypts the given data m using the system parameters and the user's identity. The encryption process is:

1. Map the user identity id to the point Q_id on E(F_p) (as explained above);

2. Hash the message m to be encrypted to obtain t. Call this hash function H2, so t = H2(m);

3. Choose a random string rho whose byte length equals the output size of the hash algorithm H2;

4. Hash rho and t together and reduce modulo q to get r = H2(rho || t) % q;

5. Compute U = [r]P by scalar multiplication on the elliptic curve, where P is the base point from the system parameters;

6. Bilinear pairing computation: g = e(Pub, Q_id), where g is a number in F_{p^2} (a "complex number");

7. Compute z = g^r, a number in F_{p^2} (a "complex number");

8. Hash z to get w = H2(z);

9. Compute V = w ⊕ rho; the bit size of V equals the output bit size of H2;

10. Compute W = HashBytes(|m|, rho, hashfcn) ⊕ m. HashBytes is a pseudorandom byte generator that produces a byte string of the requested length from a seed string: HashBytes(|m|, rho, hashfcn) generates, from the seed rho, a string with the same byte length (|m|) as the data m to be encrypted; the hash function hashfcn may be called several times inside HashBytes.

11. Output (U, V, W) as the encryption of the data m.

 

2.4. Decryption

 

This algorithm recovers the plaintext m from the user's private key D_id, the system parameters and the ciphertext (U, V, W).

1. Pairing computation: z = e(U, D_id);

2. Compute w = H2(z); // note that this is lowercase w

3. Compute rho = w ⊕ V;

4. Compute m = HashBytes(|W|, rho, hashfcn) ⊕ W;

5. Compute t = H2(m);

6.Compute r = H2(rho || t) % q;

7. Verify that U = [r]P; if so, output the plaintext m, otherwise decryption fails and no plaintext is output.

 

2.5.  Signature

 

This algorithm signs the data m with the user's private key D_id and the system parameters.

1. Pairing computation: g = e(P, D_id); // P is the system base point

2. Choose a random number k less than q;

3. Compute w = g^k, a number in F_{p^2} (a "complex number");

4. Convert w to a string pad;

5. Hash pad and the plaintext m together and reduce modulo q to get h = H2(pad || m) % q;

6. Compute S = [(k - h) % q] D_id;

7. Output (h, S) as the signature.

 

2.6.  Verification

 

This algorithm verifies the signature (h, S) on the data m using the user identity id and the system parameters.

1. Map id to the point Q_id on the elliptic curve;

2. Bilinear pairing computation: g = e(Pub, Q_id); // Pub is the root public key from the system parameters

3. Bilinear pairing computation: w1 = e(P, S); // P is the base point from the system parameters

4. Compute w = w1 * g^h; // w1, g and w are all numbers in F_{p^2} ("complex numbers")

5. Convert w to a string pad;

6. Compute h' = H2(pad || m) % q;

7. Verify that h = h'; if so, verification succeeds, otherwise it fails.

 

2.7. Bilinear pairing computation

 

Bilinear pairing. Let G1 and G2 be two additive groups and GT a multiplicative group, and let P ∈ G1, Q ∈ G2 and g ∈ GT. If there is a map e from G1 × G2 to GT with e(P, Q) = g such that, for any P1, P2 ∈ G1 and Q1, Q2 ∈ G2, e(P1 + P2, Q1) = e(P1, Q1) * e(P2, Q1) and e(P1, Q1 + Q2) = e(P1, Q1) * e(P1, Q2), then e is called a bilinear pairing from G1 × G2 to GT. There are many kinds of bilinear pairings; only the Tate pairing is described below.

Tate pairing. Let q = p^m, where p is a prime and m a positive integer, and let F_q be the finite field with q elements; p is then the characteristic of F_q and m its extension degree. Let E be an elliptic curve defined over F_q, let P ∈ E(F_{q^k})[r], where k is the embedding degree of E, let Q ∈ E(F_{q^k}), and let f_{r,P} be a rational function on E whose divisor satisfies (f_{r,P}) ~ r(P) - r(O); let the divisor D_Q ~ (Q) - (O) be chosen so that the supports of (f_{r,P}) and D_Q are disjoint. The bilinear Tate pairing is the non-degenerate bilinear map defined as follows:

t_r: E(F_{q^k})[r] × E(F_{q^k}) / rE(F_{q^k}) -> F*_{q^k} / (F*_{q^k})^r

t_r(P, Q) = f_{r,P}(D_Q).

It can be seen from this definition that the value of the classical Tate pairing is a coset: computing t_r(P, Q) for the same P and Q may give different values, all of which lie in the same coset. Practical applications, however, require the pairing to produce a unique value, so the following form of the Tate pairing is defined:

t_r': E(F_{q^k})[r] × E(F_{q^k}) / rE(F_{q^k}) -> the group of r-th roots of unity in F*_{q^k}

t_r'(P, Q) = f_{r,P}(D_Q)^{(q^k - 1)/r}, whose value lies in the group of r-th roots of unity in F*_{q^k}.

If we further require P ∈ E(F_q), we can define the reduced Tate pairing as follows:

t̂_r: E(F_q)[r] × E(F_{q^k}) / rE(F_{q^k}) -> the group of r-th roots of unity in F*_{q^k}

t̂_r(P, Q) = f_{r,P}(Q)^{(q^k - 1)/r}.

The function f_{r,P} is computed with Miller's algorithm, which is not repeated here; readers may consult the relevant literature.

From the definition, the two inputs of the Tate pairing come from different additive groups. The elliptic curve used in BF-IBC is supersingular, so it has a distortion map, and to optimize the algorithm the Tate pairing can be further wrapped in the following map:

 

e: G × G -> F_{q^k} (G is the additive group of the elliptic curve, k is the embedding degree, k = 2)

e(P, Q) = t̂_r(P, φ(Q)), where the distortion map φ is:

 

Here the bar denotes the conjugate, z = ζx, and ζ is a non-trivial solution of x^3 = 1.

1) Both inputs of e are points over the base field, which greatly simplifies the structure of the cryptosystem (its parameters).

2) Because P and φ(Q) are always linearly independent, the wrapper e guarantees that the pairing value does not degenerate to 1 as long as P and Q are finite points on the curve.

3) The Tate pairing computation can be "dedenominated", that is, the denominator part of Miller's algorithm can be removed.

4) The final exponentiation of the Tate pairing can be greatly reduced. In fact, the final exponent of the Tate pairing is z = (p^2 - 1)/r = ((p + 1)/r)(p - 1). To compute e = w^z mod p, first compute t = w^{(p+1)/r} = u + iv; then, because

 

       

When p ≡ 3 (mod 4), i^p = -i, so

      

 

Postscript: from the standpoint of both efficiency and security, the elliptic curve chosen for IBC is more often an MNT curve or a BN curve. The supersingular curve is chosen here to simplify the implementation of the algorithm and keep the exposition uncomplicated.
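As an added example that is not code from the post (nor from any IBC library), the following Python runs the whole pipeline of sections 2.1 to 2.7 on deliberately tiny constructed parameters (q = 137 = 2^7 + 2^3 + 1, p = 12·3·q - 1 = 4931), so that every step is visible: the Tate pairing e(A, B) = t_q(A, φ(B)) through Miller's algorithm, H1 hashing to the curve, BF-IBE encryption and decryption, and Hess-IBS signing and verification. Assumptions not fixed by the text: SHA-256 serves as H1 and H2, SHAKE-256 as HashBytes, the distortion map is taken as φ(x, y) = (ζx, y), the hash-to-point step multiplies by the cofactor (p + 1)/q as RFC 5091 does (with a retry if that yields O), and the Miller loop keeps its denominators (no dedenominator optimization).

```python
# Toy BF-IBE and Hess-IBS over y^2 = x^3 + 1 with e(A, B) = t_q(A, phi(B)), phi(x, y) = (zeta*x, y), as in the text.
# Constructed toy parameters: q = 137 = 2^7 + 2^3 + 1 and p = 12*3*q - 1 = 4931 (p = 11 mod 24, q | p + 1).
import functools, hashlib, secrets
P_, Q_ = 4931, 137
COF, INV2 = (P_ + 1) // Q_, (P_ + 1) // 2                   # cofactor (p + 1)/q, and 1/2 mod p
# F_{p^2} = F_p[i] with i^2 = -1 (p = 3 mod 4); (a, b) means a + b*i; zeta = (-1 + i*sqrt(3))/2 has zeta^3 = 1.
def f2mul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % P_, (x[0]*y[1] + x[1]*y[0]) % P_)
def f2pow(x, e): return functools.reduce(lambda r, b: f2mul(f2mul(r, r), x if b == "1" else (1, 0)), bin(e)[2:], (1, 0))
ZETA = ((P_ - 1) * INV2 % P_, pow(3, (P_ + 1) // 4, P_) * INV2 % P_)   # sqrt(3) = 3^((p+1)/4): 3 is a square mod p
def slope(A, B): return (3*A[0]*A[0] * pow(2*A[1], -1, P_) if A == B else (B[1]-A[1]) * pow(B[0]-A[0], -1, P_)) % P_
def ec_add(A, B):                                            # affine points of E(F_p); None is the point at infinity O
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P_ == 0: return None
    lam = slope(A, B); x = (lam*lam - A[0] - B[0]) % P_
    return (x, (lam*(A[0] - x) - A[1]) % P_)
def ec_mul(k, A): return functools.reduce(lambda R, b: ec_add(ec_add(R, R), A if b == "1" else None), bin(k)[2:], None)
def vert(A, X): return (1, 0) if A is None else ((X[0][0] - A[0]) % P_, X[0][1])   # vertical line at A, evaluated at X
def line(A, B, X):                                           # chord through A and B (tangent if A == B) at X = ((xr, xi), (yr, yi))
    if A[0] == B[0] and (A[1] + B[1]) % P_ == 0: return vert(A, X)   # B = -A: the chord is vertical
    lam = slope(A, B)
    return ((X[1][0] - A[1] - lam*(X[0][0] - A[0])) % P_, (X[1][1] - lam*X[0][1]) % P_)
def pairing(A, B):                                           # reduced Tate pairing t_q(A, phi(B)) by Miller's algorithm
    if A is None or B is None: return (1, 0)
    X = (f2mul(ZETA, (B[0], 0)), (B[1], 0)); num = den = (1, 0); T = A   # X = phi(B) lies outside E(F_p)
    for bit in bin(Q_)[3:]:                                  # f <- f^2 * l_{T,T}/v_{2T}, then f <- f * l_{T,A}/v_{T+A}
        num, den = f2mul(f2mul(num, num), line(T, T, X)), f2mul(f2mul(den, den), vert(ec_add(T, T), X))
        T = ec_add(T, T)
        if bit == "1":
            num, den, T = f2mul(num, line(T, A, X)), f2mul(den, vert(ec_add(T, A), X)), ec_add(T, A)
    # 1/den = conj(den)/norm(den); norm(den) is in F_p and the (p - 1) factor of the final exponent kills it
    return f2pow(f2mul(num, (den[0], -den[1] % P_)), (P_*P_ - 1) // Q_)
def H2(*parts): return hashlib.sha256(b"".join(parts)).digest()
def f2bytes(z): return z[0].to_bytes(2, "big") + z[1].to_bytes(2, "big")
def hash_to_point(ident, ctr=0):                             # H1: y = H(id) mod p, x = cbrt(y^2 - 1) since p = 2 mod 3
    y = int.from_bytes(H2(ident, bytes([ctr])), "big") % P_
    Q = ec_mul(COF, (pow((y*y - 1) % P_, (2*P_ - 1) // 3, P_), y))    # cofactor step as in RFC 5091's HashToPoint
    return Q or hash_to_point(ident, ctr + 1)                # retry the rare point the cofactor sends to O
def hash_bytes(n, seed): return hashlib.shake_256(seed).digest(n)      # HashBytes(n, rho, hashfcn) as a SHAKE stream
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
BASE = hash_to_point(b"base point"); MASTER = 1 + secrets.randbelow(Q_ - 1); PUB = ec_mul(MASTER, BASE)   # Setup
def extract(ident): return ec_mul(MASTER, hash_to_point(ident))        # D_id = [s] Q_id
def encrypt(ident, m):
    rho = secrets.token_bytes(32); r = int.from_bytes(H2(rho, H2(m)), "big") % Q_   # r = H2(rho || t) mod q
    w = H2(f2bytes(f2pow(pairing(PUB, hash_to_point(ident)), r)))      # w = H2(g^r) with g = e(Pub, Q_id)
    return ec_mul(r, BASE), xor(w, rho), xor(hash_bytes(len(m), rho), m)   # (U, V, W)
def decrypt(D, ct):
    U, V, W = ct; rho = xor(H2(f2bytes(pairing(U, D))), V); m = xor(hash_bytes(len(W), rho), W)
    return m if ec_mul(int.from_bytes(H2(rho, H2(m)), "big") % Q_, BASE) == U else None   # reject unless U = [r]P
def sign(D, m):
    k = 1 + secrets.randbelow(Q_ - 1); g = pairing(BASE, D)            # g = e(P, D_id)
    h = int.from_bytes(H2(f2bytes(f2pow(g, k)), m), "big") % Q_        # h = H2(pad || m) mod q with pad = g^k
    return h, ec_mul((k - h) % Q_, D)                                   # S = [(k - h) mod q] D_id
def verify(ident, m, sig):
    h, S = sig; w = f2mul(pairing(BASE, S), f2pow(pairing(PUB, hash_to_point(ident)), h))   # w = e(P, S) * g^h
    return h == int.from_bytes(H2(f2bytes(w), m), "big") % Q_
```

With a 137-element group the toy offers no security at all; its purpose is to let the identities behind the scheme, e(Pub, Q_id)^r = e(U, D_id) for decryption and e(P, S) * g^h = g^k for verification, be checked step by step.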

                                

References

1. V. S. Miller, "Short Programs for Functions on Curves", 1986.

2. Boneh et al., "Identity-Based Encryption from the Weil Pairing", 2001.

3. Barreto et al., "Efficient Algorithms for Pairing-based Cryptosystems", 2002.

4. RFC 5091, "Identity-Based Cryptography Standard (IBCS) #1", 2007.

5. Scott, "Faster Pairings using an Elliptic Curve with an Efficient Endomorphism", 2005.

6. Freeman, Scott et al., "A Taxonomy of Pairing-Friendly Elliptic Curves", 2006.

7. Zhao Changan, "Efficient Computation of Bilinear Pairings", Ph.D. thesis, Department of Computer Science, Sun Yat-sen University, 2008.

8. Lynn, "On the Implementation of Pairing-Based Cryptosystems", 2007.

9. RFC 5409, "Using the BF/BB-IBE with the Cryptographic Message Syntax (CMS)", 2009.

10. Scott et al., "Implementing cryptographic pairings: a Magma tutorial", 2009.

11. Scott, "On the Efficient Implementation of Pairing-Based Protocols", 2011.
