diff --git a/report.tex b/report.tex index 4241387..5683aa5 100644 --- a/report.tex +++ b/report.tex @@ -44,7 +44,7 @@ % Use dash instead of bullets for itemize \renewcommand\labelitemi{--} -\author{Alexander Munch-Hansen \\ 201505956} +\author{\large{Alexander Munch-Hansen} \\ 201505956 \\[1cm]{\small Supervised by:} \\Claudio Orlandi \\ Sophia Yakoubov} \title{ \normalfont \normalsize 
@@ -59,12 +59,13 @@ \date{\today} \begin{document} \maketitle +\newpage \tableofcontents \newpage \section{Introduction} -By definition, \emph{Encryption} is the process of converting information into a \emph{ciphertext} with the purpose of preventing unauthorized access \cite{oxford}. Traditionally, the way this was accomplished was via some a priori established secret key $k$, which could then be used both for \emph{encryption} to turn some \emph{plaintext} into the ciphertext, but also for \emph{decryption}, to turn the ciphertext back into the plaintext. This concept was then challenged by the concept of \emph{Public Key Encryption}, \texttt{PKE}, which allows two parties to communicate with each other in a secure and private fashion, without having already shared the aforementioned secret key. This allowed each party to have a \emph{Public Key} and a \emph{Secret Key}, which could then be used to encrypt and decrypt, respectively. This works well and is used in many applications, such as \emph{SSH} and \emph{SSL}. It does however have one caveat. \emph{Public Key Encryption} is notoriusly slow, compared to the \emph{Symmetric}-scheme with only a single key. Thus, we introduce the concept of \emph{Key Encapsulation Mechanisms}, or \texttt{KEM}, in which a decryption key is now what is sent, rather than a message. This naturally solves one of the underlying issues of \texttt{PKE}, as we can now encrypt a symmetric key and change our way of communication after the first message. +By definition, \emph{Encryption} is the process of converting information into a \emph{ciphertext} with the purpose of preventing unauthorised access \cite{oxford}. Traditionally, the way this was accomplished was via some a priori established secret key $k$, which could then be used both for \emph{encryption} to turn some \emph{plaintext} into the ciphertext, but also for \emph{decryption}, to turn the ciphertext back into the plaintext. 
This concept was however eventually challenged by the new idea of \emph{Public Key Encryption}, \texttt{PKE}, which allows two parties to communicate with each other in a secure and private fashion, without having already shared the aforementioned secret key. This allowed each party to have a \emph{Public Key} and a \emph{Secret Key}, which could then be used to encrypt and decrypt, respectively. This works well and is used in many applications, such as \emph{SSH} and \emph{SSL}. It does however have one caveat. \emph{Public Key Encryption} is notoriusly slow, compared to the \emph{Symmetric}-scheme with only a single key. Thus, we introduce the concept of \emph{Key Encapsulation Mechanisms}, or \texttt{KEM}, in which a decryption key is now what is sent, rather than a message. This naturally solves one of the underlying issues of \texttt{PKE}, as we can now encrypt a symmetric key and change our way of communication after the first message. -Now, imagine a scenario where a user has an entire network of people in which he only wishes to send to a subset of these at a time. In the world of \texttt{PKE}, this user will have to fetch each users public key and encrypt the same symmetrical key for each user, resulting in a ciphertext for the same key for each user. This is highly inefficient, and becomes even worse if the \emph{authorised set} of receivers changes, at which point a new symmetrical key must be created and sent to each user. To this end, \emph{Broadcast Encryption}, \texttt{BE}, can be adopted as a solution. In such a scheme, a user will pick his set of recievers, $S$, fetch their public keys, but only encrypt the key once and broadcast this. Thus, the resulting ciphertext of the key, does not depend in any way on the number of users. Hence, there is only a single message and this can be broadcasted to all users of the system, but only those users within the set $S$ can decrypt it. 
+Now, imagine a scenario where a user has an entire network of people in which he only wishes to send to a subset of these at a time. In the world of \texttt{PKE}, this user will have to fetch each users public key and encrypt the same symmetric key for each user, resulting in a ciphertext for the same key for each user. This is highly inefficient, and becomes even worse if the \emph{authorised set} of receivers change, at which point a new symmetric key must be created and sent to each user. To this end, \emph{Broadcast Encryption}, \texttt{BE}, can be adopted as a solution. In such a scheme, a user will pick his set of recievers $S$, fetch their public keys, but only encrypt the key once and broadcast this. Thus, the resulting ciphertext of the key does not depend in any way on the number of users, and there is only a single message which can easily be broadcasted to all users of the system, but only those users within the set $S$ can decrypt it. In this paper we first cover the concept of \emph{Identity Based Encryption}, \texttt{IBE}, as an introduction to some of the mathmatical concepts used within the paper, such as that of \emph{bilinear maps} and the mathmatical assumption that is the \emph{Bilinear Diffie Hellman}-problem. These two concepts can be extended and applied to many branches of encryption, such as \texttt{BE} or \emph{Threshold Public Key Encryption}, \texttt{TPKE}, both of which will also be introduced in this paper. Thus, we wish to introduce three different types of encryption schemes, \texttt{IBE, BE} and \texttt{TE}, give a notion of what security is defined to be for these as well as an actual construction. 
@@ -72,7 +73,7 @@ In this paper we first cover the concept of \emph{Identity Based Encryption}, \t \section{Syntax and Preliminaries} \subsection{Bilinear Maps} -Let $p$ be a large prime number. Let $\mathbb{G}_1, \mathbb{G}_2$ be two groups of order $p$ and let $\mathbb{G}_T$ also be a group of order $p$. Let $g_1$ be a generator of $\mathbb{G}_1$ and let $g_2$ be a generator of $\mathbb{G}_2$. $e : \mathbb{G}_1 \times \mathbb{G}_2 \ra \mathbb{G}_T$ is then a bilinear map satisfying the following properties \cite{BMDef}: +Let $p$ be a large prime number. Let $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ be three groups of order $p$. Let $g_1$ be a generator of $\mathbb{G}_1$ and let $g_2$ be a generator of $\mathbb{G}_2$. $e : \mathbb{G}_1 \times \mathbb{G}_2 \ra \mathbb{G}_T$ is then a bilinear map satisfying the following properties \cite{BMDef}: \begin{itemize} \item \emph{Bilinearity}: For all $u \in \mathbb{G}_1$, $v \in \mathbb{G}_2$ and $a,b \in \mathbb{Z}$; $e(u^a, v^b) = e(u,v)^{ab}$ \item \emph{Non-degeneracy}: $e(g_1,g_2) \neq $The identity of $\mathbb{G}_T$ 
@@ -83,7 +84,7 @@ A bilinear map satisfying all the above three properties is said to be \emph{adm Intuitively, a bilinear map is simply a linear map, or function, taking two arguments, such that if either is lifted to an exponent within the transformation, the transformation can be applied first and the result lifted to the same exponent instead. \subsection{Mathmatical Assumptions} -All of the following mathmatical assumptions will be derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this. We note that the \emph{Decisional Diffie-Hellman} problem is easy within the setting of bilinear maps, as, given some generator $g$ and $g^a$, $g^b$ and $g^c$ where the question is if $c = ab$, it is straightforward to check if $e(g,g^c) = e(g^a,g^b)$, which holds for the case where $c = ab$. As such, new assumptions which are difficult within this setting, are required. +All of the following mathmatical assumptions are derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this. We note that the \emph{Decisional Diffie-Hellman} problem is easy within the setting of bilinear maps, as, given some generator $g$ and $g^a$, $g^b$ and $g^c$ where the question is if $c = ab$, it is straightforward to check if $e(g,g^c) = e(g^a,g^b)$, which holds for the case where $c = ab$, as $e(g^a,g^b) = e(g,g)^{ab} = e(g,g)^c$, if and only if $c = ab$. As such, new assumptions which are difficult within this setting, are required. \subsubsection{The BDH Problem} \label{sec:BDHProb} 
@@ -116,7 +117,7 @@ and finally a $Z \in \Gm_T$. The deciding part is then to decide whether $Z$ is We want to note that the paper does not define either $\alpha$ or $\gamma$, which essentially means this problem is not well defined. We assume however, that both $\alpha$ and $\gamma$ have to come from $\mathbb{Z}^*_p$, whenever this problem is referenced. \subsubsection{Notation} -We would like to note that whenever something is prefixed with a capital B, it is in the context of \emph{Broadcast Encryption}. Furthermore we would like to note that for all setup algorithms mentioned, the security parameter will be implicit, but naturally all schemes relies on one in some shape or form, to either denote a bit length, graph size of whatever makes sense within the context. +We would like to note that whenever something is prefixed with a capital B, it is in the context of \emph{Broadcast Encryption}. Furthermore we would like to note that for all setup algorithms mentioned, the security parameter will be implicit, but naturally all schemes relies on one in some shape or form, to either denote a bit length, graph size or whatever makes sense within the context. % TODO: Write up all of the mathematical assumptions 
@@ -129,7 +130,7 @@ We will cover an identity based encryption scheme which illustrates a basic usag \label{sec:IBEStruct} \textbf{Identity-Based Encryption.} \quad An Identity-Based encryption scheme is specified by four different algorithms, all containing some sort of randomness: \texttt{Setup, Extract, Encrypt, Decrypt}: \begin{description} -\item[Setup$()$] Uses some security parameter $k$ and returns the system parameters, $\text{params}$, and a master-key, $MK$. These system parameters include a description of a finite message space $\mathcal{M}$ as well as a description of a finite ciphertext space $\mathcal{C}$. These parameters are known publicly, wherre the master-key is known only to the trusted authority, the so called Private Key Generator (\texttt{PKF}). +\item[Setup$()$] Uses some security parameter $k$ and returns the system parameters, \textbf{params}, and a master-key, $MK$. These system parameters include a description of some finite message space $\mathcal{M}$ as well as a description of some finite ciphertext space $\mathcal{C}$. These parameters are known publicly, where as the master-key is known only to the trusted authority, the so called Private Key Generator (\texttt{PKG}). \item[Extract$(\text{params}, MK, \mathtt{ID})$] Takes the system parameters, the master-key and an arbitrary \texttt{ID} $\in \{0,1\}^*$ and returns a private key $d$. \texttt{ID} is essentially any arbitrary string which will be used a public key and $d$ is the corresponding decryption key, which can be used by the owner of the \texttt{ID}. Thus, the \texttt{extract} algorithm extracts a private key from the given public key. \item[Encrypt$(\text{params}, \mathtt{ID}, M)$] Takes the system parameters, \texttt{ID}, and $M \in \mathcal{M}$. Returns some ciphertext $C \in \mathcal{C}$. \item[Decrypt$(\text{params}, C, d)$] Takes the system parameters, some private key $d$ and $C \in \mathcal{C}$. Returns the plaintext $M \in \mathcal{M}$.
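Review bot: In the `\author` hunk (`@@ -44,7 +44,7 @@`), `\large{Alexander Munch-Hansen}` does not scope the size change to the name: `\large` is a declaration, so the braces after it are just a group and the size stays in effect for the rest of the `\author` argument. Write `{\large Alexander Munch-Hansen}` so the switch is confined to the name, and likewise keep `{\small Supervised by:}` as it is, which already uses the correct form.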
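Review bot: The rewritten Introduction (`@@ -59,12 +59,13 @@`) introduces a grammar regression and leaves the original spelling mistakes in place. "if the \emph{authorised set} of receivers change" should stay "changes" (the subject is "set"), "each users public key" needs the possessive "each user's", and "notoriusly", "recievers" and "mathmatical" (twice) are still misspelled in the new `+` lines; while touching these sentences, fix them to "notoriously", "receivers" and "mathematical". The closing sentence also lists the schemes as `\texttt{IBE, BE}` and `\texttt{TE}` although the same paragraph names the third scheme `\texttt{TPKE}`; use one abbreviation consistently.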
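Review bot: The added justification in the Mathematical Assumptions hunk (`@@ -83,7 +84,7 @@`) is stated for a symmetric pairing, but the Bilinear Maps hunk just above defines `e : \mathbb{G}_1 \times \mathbb{G}_2 \ra \mathbb{G}_T` with distinct generators `g_1`, `g_2`, so `e(g,g)` is not defined in that setting; either state that the DDH observation assumes `\mathbb{G}_1 = \mathbb{G}_2`, or write it with `g_1`, `g_2`. The equality `e(g,g)^{ab} = e(g,g)^c` holds if and only if `c \equiv ab \pmod p` (the group has order `p`), not `c = ab` over the integers, and the sentence now says "which holds for the case where `c = ab`, as ... if and only if `c = ab`", which is circular; restructure as "since `e(g^a,g^b) = e(g,g)^{ab}` and `e(g,g^c) = e(g,g)^c`, the two are equal exactly when `c \equiv ab \pmod p`". The section heading and the first sentence also still spell "mathmatical".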
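Review bot: The Notation hunk (`@@ -116,7 +117,7 @@`) fixes "of whatever" to "or whatever" but leaves "all schemes relies on one" in the `+` line; the subject is plural, so it should read "all schemes rely on one". The `% TODO: Write up all of the mathematical assumptions` comment immediately after this hunk should be resolved or removed before the report is submitted.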
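Review bot: The Setup item in the IBE hunk (`@@ -129,7 +130,7 @@`) switches `params` from `$\text{params}$` to `\textbf{params}`, while the unchanged `Extract`, `Encrypt` and `Decrypt` items in the same `description` environment still use `$\text{params}$` in their signatures; pick one typesetting for the symbol across all four algorithms. In the same `+` line, "where as the master-key" should be "whereas the master-key". The correction of `\texttt{PKF}` to `\texttt{PKG}` is right, since the text expands it as "Private Key Generator".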