Cryptography Reference
In-Depth Information
• Bilinearity. Let (
x
1
,
x
2
, and
y
)
G
1
. Then
e
(
x
1
+
x
2
,
y
) =
e
(
x
1
, y).e(
x
2
,
y
).
• Nondegeneracy. There exist
x
G
1
and y
G
1
such that e(
x
, y) ≠ 1.
In fact,
G
1
is a point subgroup on an elliptic curve over a finite field and
G
2
is a sub-
group of a cyclic group of a larger finite field. The pairings are derived from the Weil-
Tate or
T
pairing. The PKG chooses a private key
Î
*
s
Z
and computes the master
0
q
public key:
P
0
=
P
where
Î
1
PG
(4.41)
The security of the master public key is dependent on the elliptic curve discrete log
problem. The PKG publishes the description of the groups
G
1
and
G
2
, public key
P
0
,
hash functions (
H
1
,
H
2
, and
H
3
), the bilinear map
e
, and the group element
P
. Alice
and Bob choose their secrets to compute their blinding factors. Alice, with identity
IDA, chooses a random secret
Î
q
xZ
and computes a blinding factor
X
=
xP
. An
eavesdropper will not be able to generate the private key, since he has no knowledge of
the secret
x
. She then requests the PKG to issue a partial private key by sending
X
and
IDA. The PKG will use some preshared credentials to verify the authenticity of an end
user's identity.
The PKG validates Alice's identity (
ID
A
) and computes the public key of Alice as
QHID
=
1
(
)
(4.42)
ID
A
A
It computes a blinded partial private key as
QHe s XP
=
3
[(
,
)]
s Q
(4.43)
bl
0
0
0
ID
A
A
It then generates a signature
Sig Q
(
)
for integrity protection:
bl
A
Sig Q
(
)
=
0
s Q
(4.44)
bl
bl
A
A
It sends
( )
A
bl
Q
to Alice.
Alice verifies the signature using the formula
Sig Q
and
bl
A
?
eSigQ
(( ,
P
) ( ,
=
eQ
P
)
(4.45)
bl
bl
0
A
A
and finally retrieves her private key
D
by unblinding
Q
as follows:
ID
bl
A
A
Q
bl
D
=
(4.46)
A
ID
x
HePP
[( ,
)]
A
3
0
0
Hence, there is a secure key exchange between the PKG and the end users.
Search WWH ::
Custom Search