By Jyh-haw Yeh Boise State University ICIKM 2013.

Security Vulnerability in Identity-based Public Key Cryptosystems from Pairings
By Jyh-haw Yeh
Boise State University
ICIKM 2013

Identity-based Public Key Cryptosystems (IDPKC)
How do you know the other party’s public key is a valid one?
Traditional PKC requires a certificate authority (CA) to issue a public key certificate. With the certificate, the key can be verified.
IDPKC: all public keys are generated based on the owner’s identity. Thus, no CA required.

IDPKC from Pairings
Setup: A PKG (public key generator)
Additive group $(G_1, +)$, order $q$, a generator $P$
Multiplicative group $(G_2, \cdot)$, order $q$
A bilinear map $e: G_1 \times G_1 \to G_2$
System private key $s$, system public key $P_{pub} = sP \in G_1$
Hash functions $H_1: \{0,1\}^* \to G_1$; $H_2: \{0,1\}^* \to F_q^*$
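
Bilinear Pairings Background
Bilinearity: $\forall Q, R, S \in G_1,\ a, b \in F_q^*$:
$e(Q, R + S) = e(Q, R)\, e(Q, S)$
$e(aQ, bR) = e(Q, R)^{ab} = e(bQ, aR)$
$e(Q, R) = e(R, Q)$
Non-degeneracy: $\forall Q \in G_1:\ e(Q, R) = 1\ \forall R \in G_1 \Rightarrow Q = O$
Computability: it’s efficient to compute $e(Q, R),\ \forall Q, R \in G_1$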

IDPKC from Pairings
Key Generation: for each user $U_i$
Public key $Q_i = H_1(ID_i)$, private key $D_i = sQ_i$
Both keys are points in $G_1$

IDPKC from Pairings
Signature Generation: to sign a message $m$
Pick a random number $r_i \in F_q^*$
Compute $V_i = r_i P$
$S_i = H_2(m, [V_i]_x)\, D_i + r_i P_{pub}$, where $[V_i]_x$ is the x-coordinate of the point $V_i$
The signature is $(V_i, S_i)$

IDPKC from Pairings
Signature Verification:
Verify $U_i$'s signature on a message
Use the following equation
$e(P, S_i) \stackrel{?}{=} e(P_{pub}, Q_i)^{H_2(m, [V_i]_x)}\, e(P_{pub}, V_i)$

Potential Security Vulnerability
Traditionally, a cryptographic hash function is defined by:
Easy forward computation
Pre-image resistance: given $H(m)$, it’s hard to compute the pre-image $m$
Second pre-image resistance: given $m_1$, it’s hard to find another $m_2$ such that $H(m_1) = H(m_2)$
Collision resistance: it’s hard to find any pair of $m_1$ and $m_2$ such that $H(m_1) = H(m_2)$

Potential Security Vulnerability
The hash function used to generate the public key in IDPKC, $H_1(ID_i) = Q_i$, might be implemented incorrectly if only based on the traditional definition.

Potential Security Vulnerability
For example, the implementer can construct $H_1$ as follows:
Use a traditional hash function $H_3: \{0,1\}^* \to F_q^*$
Let $H_1(ID_i) = H_3(ID_i)\, P = Q_i$
It can be proven that since $H_3$ satisfies the four hash function properties, $H_1$ also satisfies the four hash properties.
Using such $H_1$ in IDPKC to generate public keys is not secure.

Potential Security Vulnerability
Adversary $U_j$ can derive $U_i$'s private key by first computing
$c = \frac{H_3(ID_i)}{H_3(ID_j)} \bmod q$
Since
$cQ_j = \frac{H_3(ID_i)}{H_3(ID_j)}\, Q_j = \frac{H_3(ID_i)}{H_3(ID_j)}\, H_3(ID_j)\, P = H_3(ID_i)\, P = H_1(ID_i) = Q_i$
$U_j$ can derive $U_i$'s private key by computing
$cD_j = csQ_j = sQ_i = D_i$

Contribution of the Paper
Points out the potential security vulnerability of common IDPKC using pairings.
To avoid the vulnerability, the paper defines another property for the hash function used in IDPKC to generate the public key.
Ratio resistance: Given any two public keys $(Q_i, Q_j)$, it’s hard to find the ratio $c$ such that $cQ_j = Q_i$
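
The key derivation $cD_j = D_i$ from the vulnerability slide and the ratio-resistance property above, as an added example that is not from the slides or the paper. It assumes a constructed toy group (the order-$q$ subgroup of $Z_p^*$ standing in for $G_1$, since the derivation never evaluates the pairing), SHA-256 as $H_3$, and a hypothetical `H1_direct` that hashes straight into the group for comparison.

```python
import hashlib

# Constructed toy group (far too small for real use): p = 2q + 1, and P = 4
# generates the order-q subgroup of Z_p^*, standing in for G_1.
q, p, P = 1019, 2039, 4
ATTACKER = "mallory@example.com"                      # constructed identities
VICTIMS = ["alice@example.com", "bob@example.com", "carol@example.com",
           "dave@example.com", "erin@example.com"]

def smul(k, X):
    """The slides' scalar multiple kX, written multiplicatively as X^k mod p."""
    return pow(X, k, p)

def digest(ident):
    return int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big")

def H3(ident):
    """Traditional hash into F_q^* (values 1..q-1)."""
    return 1 + digest(ident) % (q - 1)

def H1_weak(ident):
    """Flawed construction from the slides: Q_i = H3(ID_i) P."""
    return smul(H3(ident), P)

def H1_direct(ident):
    """Assumed alternative (not from the slides): hash to 2..p-2 and square,
    landing in the subgroup without ever computing a scalar relative to P."""
    return pow(2 + digest(ident) % (p - 3), 2, p)

def extract(s, ident, H1):
    """PKG key extraction: D_i = s Q_i."""
    return smul(s, H1(ident))

def forge_key(D_j, id_j, id_i):
    """U_j's computation: c = H3(ID_i)/H3(ID_j) mod q, then c D_j."""
    c = H3(id_i) * pow(H3(id_j), -1, q) % q
    return smul(c, D_j)

def forged_count(H1, s=777):
    """How many victims' private keys U_j reproduces from its own key D_j."""
    D_j = extract(s, ATTACKER, H1)
    return sum(forge_key(D_j, ATTACKER, v) == extract(s, v, H1) for v in VICTIMS)

if __name__ == "__main__":
    print("H1_weak  :", forged_count(H1_weak), "of", len(VICTIMS))
    print("H1_direct:", forged_count(H1_direct), "of", len(VICTIMS))
```

With `H1_weak` every key is reproduced at the cost of one modular inverse and one scalar multiplication, whatever the group size, because the ratio $c$ is computable from public identities alone.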