news
Sliding windows in group_times(): 8 seconds. [ibe-0.1.tgz]
Fixed an off-by-one bug: I had i<windowsizepower in the for loop. Why didn't this stop group_times() working correctly?
Sliding windows in miller(): 7.5 seconds. I believe it's faster to have a few divisions rather than introduce gdenom.
Specialized group_times(): 7 seconds. (Can get better times by closing xmms, X windows, etc.: by doing this I have achieved 6 seconds.)
Disturbing: can't view page with IE any more. Complains about no shared cipher. (Problem goes away if SSLv2 is used.)

Sun Mar 4 19:11:48 PST 2001
Fixed "bug" in miller. m = numbits was off by one (because the bits are numbered starting from 0, not 1). For some reason it doesn't matter! Also handles odd numbers properly.

Fri Mar 2 19:09:57 PST 2001
Finally figured out how to work with small subgroup: must make sure R1 and R2 are order q. But it still takes 41 seconds. Can shave a little more off by random points shortcut. And maybe by speeding up group_times.

Wed Feb 28 14:31:56 PST 2001
Recap: without any optimization: 228 seconds; removing some divisions: 158 seconds; dedicated class: 118 seconds.
Shaved another 4 seconds off by simplifying make_order_q().
Changed curve:
Old: E = y^2 = x^3 + x. Phi: (x,y) --> (-x, iy). -1 = non q.r. p = 3 mod 4, q = (p+1) / 4, prime gen: p = 3 mod 8. To find random (x,y): random x, then solve y^2 = x^3 + x. If that doesn't work, negate x and repeat.
New: E = y^2 = x^3 + 1. Phi: (x,y) --> (zeta * x, y). -3 = non q.r. p = 2 mod 3, q = (p+1) / 6, prime gen: p = 5 mod 12. To find random (x,y): random y, solve x^3 = y^2 - 1, via x^(1/3) = x^((2p-1)/3).
(Lost some generality; replaced weil_init_irred with weil_init_nqr.) Have to change: init(), apply_Phi, calls to force_F_p().
Fixed bug in Horner's rule in weil.cc (wasn't negating a6). Didn't matter before because a6 was 0.
After changing curves: takes 97 seconds.
Improved IBE_setup.
No noticeable change after changing 2 *, 3 * to adds, and precalculating 2 * *a2 in weil.cc.
Perhaps slight speedup after removing most if's from miller; I'm gambling that we're lucky most of the time.
About a second saved from combining get_line/get_vertical & eval.

Tue Feb 27 14:44:39 PST 2001
Found bug with dedicated class; was testing for 0 incorrectly, causing miller() to be run 10x more. Have to fix y_from_x and operator<< before it's fully functional. And sqrtminus1 (why doesn't compiler warn about it?)

Mon Feb 26 19:30:17 PST 2001
Tried to optimize by replacing ZZ_pE's with a dedicated Fp2 class but it's really slow now!

Sun Feb 25 17:33:02 PST 2001
Finally finished homeworks/projects.
Added MIME header.
Changed a few divisions to mults in miller() in weil.cc. Removed divisions in get_line, get_vertical.
Got rid of PEM_write, PEM_read to avoid Windows problems. [ibe-0.09.tgz]

Sun Feb 11 20:13:34 PST 2001
Found out about delete[] from Bob. Fixed some memory leaks and changed delete's to delete[]. There were a couple of places I didn't change the dynamic array declarations.
Found problem with request.cc; forgot to shutdown sockfd. But SSL_connect should return some error message instead of quitting. [ibe-0.08.tgz]

Sat Feb 10 15:07:57 PST 2001
Got rid of one y_from_x (in force_F_p).
Removed power2 code and replaced with bit testing. (Back then I didn't know about it.)
Changed library interface to share files. Loading sharefiles is now separate. Shares now pass the index in the robustx array rather than its value. index is unencrypted since the server gives the same index to everyone. [ibe-0.07.tgz]
Added password reading to request and combine.
Having trouble doing a GET before a POST in request.cc. SSL_connect exits for no reason.

Fri Feb 9 14:00:51 PST 2001
To compile under Solaris: socklen_t has to be changed to size_t, must have -lxnet for network stuff. Doesn't have /dev/urandom, which causes OpenSSL problems: have to modify hack.c, pkghtml.cc (need to use RAND_seed or similar to seed the PRNG). mail command acts differently.

Thu Feb 8 14:34:56 PST 2001
Started putting together user interface to system:
encrypt - encrypts input file and mails to address
request - sends requests for key pieces
combine - combines saved pieces into a private key
decrypt - decrypts input file given key
Added IBE_version(), IBE_system(), IBE_threshold(). [ibe-0.065.tgz]
Combined the four programs into one multipurpose tool. (Similar to openssl.)
Made minor changes for porting to VC++. (Got rid of for(int i... and dynamic arrays.)

Wed Feb 7 13:37:00 PST 2001
How do we encrypt blocks in this system? Is it ok to use ECB-style since we pick random numbers for each block?

Tue Feb 6 13:48:16 PST 2001
Passwords are now ASCIIZ strings. (and char *)
Now have to provide system name to IBE_setup.
Changed version to version.h, will be used in version field code later. [ibe-0.06.tgz]

Mon Feb 5 22:40:38 PST 2001
Got PKCS#12 to work.
Can't defeat email eavesdroppers in its current state. Recommend first encrypted mail to be something unimportant. Receiver then answers ASAP that their key has been compromised. Before key expires, should send server new password, encrypted with current key?

Fri Feb 2 15:21:20 PST 2001
Having trouble getting Dan's pkcs12 code to compile.
Added %XX, '+' translation to POST query code.
ID string should be of the form mail=blynn@cs.stanford.edu&date=02/01&foo=bar
Put it in alphabetical order? (to avoid searching for all permutations)
Or how about mail field always first, then alphabetical order?
Make mail= optional?
What if reserved word fields are missing? Just recommend that all reserved words are included; if they aren't, system still works but you don't know which version/system etc. you're encrypting under.
pkg appends system and version automatically.

Thu Feb 1 16:50:21 PST 2001
pkghtml accepts POST queries now.
Added a few comments to weil.cc, now supports negative scalars in group_times.
For robustness, I'll publish a list of x_i, f(x_i)P_pub.
TODO: number the master secrets?
TODO: make a key struct. If I do this, I should have key share struct, master share struct, params struct, robust struct (?)
Decided to combine robustness info with params. For default setup, t = n = 1, x_0 = 1.
TODO: add button to mail administrator
Can't seem to delete arrays of ZZ. As a result I have a few memory leaks.
Added robustness check.
Finished mailer.cc, mailshare.cc. pkg, pkghtml don't use it yet. [ibe-0.05.tgz]

Wed Jan 31 14:55:30 PST 2001
Dan found cgi++. A bit old, but probably usable, I'll give it a shot. Had to "cd mini-g++; make ../libmini-g++.a" to compile it.
Changed my mind again, found lots of libraries at: http://cgi.resourceindex.com/Programs_and_Scripts/C_and_C++/Libraries_and_Classes/
cgicc looks good because it's "official" FSF.
Actually none of them are what I'm looking for because I need code that handles the POST query itself, not after it's been partly translated.
TODO: pipe thing is still a hack
TODO: use pkcs#12. This takes care of iv, encryption, MAC.
TODO: pkg POST query processing is a really bad hack.

Tue Jan 30 20:15:46 PST 2001
Uses select now. There's a pipe that children send a 4-byte string to the parent, and then the parent waits for a child to exit.
Found cgic library on the web, looks promising.
TODO: add robustness
PEM needs docs. Should I be freeing name, header and data after I've finished with them? What do the return codes mean? [ibe-0.04.tgz]
TODO: encrypt private key when saved to file!
Finally added length checks in *_from_string routines.
Changed mind about cgic. Not quite what I want.
Added mailshare program.

Mon Jan 29 18:01:53 PST 2001
Changed blowfish to 3DES (for share files) on request.
TODO: add config files, fix iv hole, fix crashes caused by bad data (i.e. add string length argument to *_from_string functions), add http support, clean up shutdown, generate temp filename, get rid of zombies (probably have to use select).
Added config files for pkg, gen.
Using tempnam for temp files even though it says not to. Can't avoid because I need to change file pointer into file descriptor.
Changed encryption of third part from XOR to 3DES. This means hash H1 is from {0,1}^n x {0,1}^* now.
TODO: add SetSeed somewhere.

Sat Jan 27 16:30:33 PST 2001
Added master splitting, key share file I/O routines, email.
Can't get rid of zombie processes?
I didn't realize I had to have an iv for blowfish - it was throwing off the first two characters.
Need to make *_from_string more robust so it can handle bad input. This means more function arguments.
New problem: y_from_x does not return the same y from x every time, will now choose the one whose (+ve) representative is closest to 0.
My test case didn't work because I miscounted the letters in my own email address! (blynn@cs.stanford.edu has 21 letters, not 20!) Now seems to be working fine. [ibe-0.03.tgz]

Fri Jan 26 19:17:27 PST 2001
Got help from Dan today, I wasn't able to complete the handshake because I didn't have a certificate or private key. You make one via:
openssl req -new -x509 -keyout keyfile -out certfile
Basic OpenSSL server/client works. Now have to fool around with PEM. [ibe-0.02.tgz]
It's going to be hard to stick to SSL-style libraries for IBE because NTL has a state. It might be easier to stick with a global params object.
Problems: can't shutdown SSL connection gracefully. BIO_free doesn't seem to close the file even though BIO_CLOSE is set.
Implemented simple PEM save/load for params.
Librarised IBE routines. Convert everything to char * before passing around.
Current policy:
Global p = current prime. Must call init(p) as soon as p is changed.
params = current parameters
Common format: [2 bytes = length of x in bigendian] [x]
Fixed a bad bug in the hash functions that I made while cleaning up code.

Thu Jan 25 20:33:23 PST 2001
Wrote a simple server, just to refresh my memory. Now adding SSL to it.

Wed Jan 24 17:47:35 PST 2001
Finished full system, more code cleanup. [ibe-0.01.tgz]

Sun Jan 21 17:27:45 PST 2001
Added comments, made some parts of code neater, e.g. found out about NumBytes function.
Added master secret splitter.
Fixed bug in hash function H.
Improved makefile.

Fri Jan 19 14:53:48 PST 2001
Moved Phi from weil.c to basic.c.
Now generates random points by trying random x until it has a corresponding y.
All curve-dependent code removed from weil.c. There are 3 initialization functions that need to be called in order. (Init prime, irreducible and then the curve.)

Thu Jan 18 17:41:46 PST 2001
Talked with Dan again, we are now using a different curve. I'll take this opportunity to make my code more general. (But I'll still only handle curves with a1 = a3 = 0.)
Realized I made another mistake before; random point only takes one of the square roots for y.
Another bad bug in old version; zeta wasn't done properly as roots is a local variable.
setup just about done. Need to clarify some details.
...
Basic system finished, but with n=160 and hash functions that need improvement.

Thu Jan 18 14:45:21 PST 2001
According to my number theory book (J. Hunter), -3 is always a quadratic nonresidue if p = 5 mod 6 (which it is if it's > 2 and = 2 mod 3), so there's no need to put in quadratic reciprocity stuff. This also means (p-1)/2(1 + sqrt(-3)) is always a cube root of unity.
Made header files, made weil.c more library-like.
Started setup. p = 2 mod 3 and p = 2q - 1 for prime q seems rare. I have only found one so far (5).
BTW, p = 5 mod 12 because p = 11 mod 12 ==> q is odd hence not prime. So in fact 3 is also always a quadratic nonresidue for our p, but I'll stick with -3 all the same to make it easier to test weil.c.
IDIOT! I just realized why: p = 2 mod 3 ==> (p+1)/2 = 0 mod 3! So it's never prime (after 5)!!!

Wed Jan 17 17:03:32 PST 2001
Finished (now called weildebug.c).
random_point can't pick certain points; should choose irreducible polynomial to be x^2 - a for some nonresidue a.

Tue Jan 16 16:12:39 PST 2001
Started (see bak?.c)
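The curve arithmetic the Feb 28 and Jan 18 entries describe, worked through in plain Python as an added example (this is not code from the IBE project or its NTL-based weil.cc, and the function names are constructed): prime generation with p = 5 mod 12 and q = (p+1)/6, the -3 non-residue check, the unique cube root x^((2p-1)/3) for p = 2 mod 3, random points on y^2 = x^3 + 1 by choosing y first, and the cofactor step from the Mar 2 entry that forces a point to have order q. It goes slightly beyond the log by checking that the group order is p+1, which is what makes the cofactor 6:

```python
# Added example (not code from the IBE project): E: y^2 = x^3 + 1 over F_p with
# p = 2 mod 3, as described in the Feb 28 / Jan 18 entries.  Toy parameter sizes.
import random

def is_probable_prime(n, rounds=25):
    """Miller-Rabin, adequate for the toy parameter sizes used in this example."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits):
    """Prime generation as the log states it: p = 5 mod 12 with q = (p+1)/6 prime.
    Writing p = 6q - 1 with q odd gives p = 5 mod 12 automatically, hence
    p = 2 mod 3 (cube roots exist and are unique) and -3 is a non-residue."""
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 6 * q - 1
        if p % 12 == 5 and is_probable_prime(q) and is_probable_prime(p):
            return p, q

def is_nonresidue(a, p):
    """Euler's criterion: a^((p-1)/2) = -1 exactly when a is a non-residue."""
    return pow(a % p, (p - 1) // 2, p) == p - 1

def cube_root(a, p):
    """x^(1/3) = x^((2p-1)/3) from the Feb 28 entry.  For p = 2 mod 3, 3 divides
    2p-1 and (a^((2p-1)/3))^3 = a^(2p-1) = a^(2(p-1)) * a = a by Fermat."""
    if p % 3 != 2:
        raise ValueError("cube roots are only unique for p = 2 mod 3")
    return pow(a % p, (2 * p - 1) // 3, p)

def on_curve(P, p):
    """True for the point at infinity (None) or an affine point on y^2 = x^3 + 1."""
    if P is None:
        return True
    x, y = P
    return (y * y - x * x * x - 1) % p == 0

def random_point(p):
    """Pick y at random, then x = cube_root(y^2 - 1): every y yields exactly one x,
    so the curve has p affine points plus infinity, i.e. #E(F_p) = p + 1 = 6q."""
    y = random.randrange(p)
    return (cube_root(y * y - 1, p), y)

def ec_add(P, Q, p):
    """Affine chord-and-tangent addition on y^2 = x^3 + 1 (a2 = a4 = 0)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:      # P == -Q, including doubling a 2-torsion point
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, p):
    """Double-and-add scalar multiplication for a non-negative scalar k."""
    R = None
    while k > 0:
        if k & 1:
            R = ec_add(R, P, p)
        P = ec_add(P, P, p)
        k >>= 1
    return R

def order_q_point(p, q):
    """The 'must make sure R1 and R2 are order q' step (Mar 2 entry): since
    #E(F_p) = 6q, multiplying a random point by the cofactor 6 leaves a point of
    order q (or the identity, in which case we draw again)."""
    while True:
        R = ec_mul(6, random_point(p), p)
        if R is not None:
            return R

if __name__ == "__main__":
    p, q = gen_params(20)
    R = order_q_point(p, q)
    print("p =", p, "q =", q, "order-q point:", R, "q*R is O:", ec_mul(q, R, p) is None)
```

The same code shows the "IDIOT!" remark from the Jan 18 entry directly: with p = 6q - 1, (p+1)/2 = 3q is always divisible by 3, so p = 2q' - 1 with q' prime can only happen for p = 5.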
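The common wire format recorded in the Jan 26 entry, [2 bytes = length of x in bigendian] [x], together with the bound checks the Jan 27, 29 and 30 entries describe adding to the *_from_string routines, as an added example in Python (not the project's own code; the function names and the sample buffers are constructed). The parser takes an explicit buffer length, checks every length field and element against it before reading, and raises instead of reading past the end on truncated or overstated input:

```python
# Added example (not the IBE project's *_from_string code): [2-byte BE length][x]
# elements with bound checks, so bad data raises FormatError instead of crashing.
import struct

class FormatError(ValueError):
    """Raised for any input the parser cannot trust: truncated, oversize, wrong count."""

def int_to_bytes(n):
    """Minimal big-endian encoding of a non-negative integer (what a ZZ would carry)."""
    if n < 0:
        raise FormatError("negative integers are not encoded")
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def bytes_to_int(b):
    return int.from_bytes(b, "big")

def to_string(items):
    """Serialize a list of byte strings; each must fit in a 16-bit length prefix."""
    out = bytearray()
    for x in items:
        if len(x) > 0xFFFF:
            raise FormatError("element of %d bytes exceeds the 2-byte length field" % len(x))
        out += struct.pack(">H", len(x))
        out += x
    return bytes(out)

def from_string(buf, buflen=None, expected=None):
    """Parse with an explicit buffer length (the argument the Jan 29 TODO asks for).
    Each length field and each element is checked against buflen before it is read,
    so neither a truncated buffer nor a length that overstates the data is followed."""
    if buflen is None:
        buflen = len(buf)
    if buflen > len(buf):
        raise FormatError("buflen exceeds the buffer actually supplied")
    items, pos = [], 0
    while pos < buflen:
        if buflen - pos < 2:
            raise FormatError("truncated length field at offset %d" % pos)
        (n,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        if buflen - pos < n:
            raise FormatError("element at offset %d claims %d bytes but only %d remain"
                              % (pos - 2, n, buflen - pos))
        items.append(bytes(buf[pos:pos + n]))
        pos += n
    if expected is not None and len(items) != expected:
        raise FormatError("expected %d elements, found %d" % (expected, len(items)))
    return items

def point_to_string(P):
    """An affine point (x, y) as two length-prefixed big-endian integers."""
    return to_string([int_to_bytes(P[0]), int_to_bytes(P[1])])

def point_from_string(buf, buflen=None):
    x, y = from_string(buf, buflen, expected=2)
    return (bytes_to_int(x), bytes_to_int(y))

def parse_error(buf):
    """Return the FormatError message for buf, or None if it parses cleanly."""
    try:
        from_string(buf)
    except FormatError as e:
        return str(e)
    return None

# Constructed sample inputs: one well-formed encoding and two malformed ones.
GOOD = to_string([b"hello", b"", int_to_bytes(2**70 + 3)])
TRUNCATED = GOOD[:-1]                         # last element is one byte short
OVERSTATED = struct.pack(">H", 500) + b"abc"  # length says 500, only 3 bytes follow

if __name__ == "__main__":
    print(from_string(GOOD))
    for name, buf in (("TRUNCATED", TRUNCATED), ("OVERSTATED", OVERSTATED)):
        print(name, "->", parse_error(buf))
```

Passing the length separately from the pointer is exactly what the C++ version needed: a char * alone carries no bound, so a length field forged to exceed the buffer is only caught if the caller's length is compared against it before the copy.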
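One canonical form for the ID string the Feb 2 entry sketches, written as an added Python example that is not code from pkg or pkghtml. It takes the options that entry floats: mail always first, the remaining fields in alphabetical order, the reserved fields required, and system/version appended by the server regardless of what the client sent. The %XX and '+' translation is the one the same entry added to the POST query code; the names below are constructed. The point of fixing an order is that every party must hash byte-identical strings for the same identity, otherwise the private key extracted for an ID does not match the key the sender encrypted under:

```python
# Added example (not code from the IBE project): a canonical ID string builder for
# "mail=...&date=...&foo=bar" style identities, plus POST body decoding.
from urllib.parse import quote, unquote_plus

RESERVED = ("mail", "date", "system", "version")
SERVER_SET = ("system", "version")   # pkg appends these; client values are ignored

def parse_query(body):
    """Decode an x-www-form-urlencoded body: '+' becomes space, %XX is decoded."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        if name in fields:
            raise ValueError("duplicate field %r" % name)
        fields[name] = value
    return fields

def canonical_id(fields, system, version):
    """Build the string every party hashes.  The order is fixed (mail first, then
    alphabetical) so two encoders given the fields in a different order produce
    the same bytes; '&', '=' and '%' inside values are percent-encoded so that
    a value can never be mistaken for a field boundary."""
    f = {k: v for k, v in fields.items() if k not in SERVER_SET}
    f["system"], f["version"] = system, version
    missing = [r for r in RESERVED if r not in f]
    if missing:
        raise ValueError("missing reserved field(s): " + ", ".join(missing))
    order = ["mail"] + sorted(k for k in f if k != "mail")
    return "&".join("%s=%s" % (quote(k, safe="@/"), quote(f[k], safe="@/"))
                    for k in order)

def id_from_request(body, system, version):
    """What a key server would hash for a request: decode, then canonicalize."""
    return canonical_id(parse_query(body), system, version)

if __name__ == "__main__":
    # Constructed request body: fields deliberately out of order and URL-encoded.
    print(id_from_request("foo=bar&mail=blynn%40cs.stanford.edu&date=02%2F01", "test", "1"))
```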