Cryptographic Building Blocks

A short overview of the cryptographic primitives used by CrowdNotifier.

Basic Primitives

  • SHA-256 - the usual hash function.

  • HKDF - the HMAC-based Key Derivation Function (RFC 5869), instantiated with HMAC-SHA-256.

Symmetric-key Encryption

CrowdNotifier uses symmetric encryption to send data that only visitors of (notified) locations can read. For this, we use an authenticated encryption scheme given by the algorithms \(\aeenc\) and \(\aedec\). We construct it from XSalsa20 (as the stream cipher) and Poly1305 (as the MAC).

As implementation, we use the following algorithms from libsodium:

Public-key Encryption

CrowdNotifier relies on a regular CCA2-secure public-key encryption scheme given by the algorithms \(\keygen\), \(\enc\), and \(\dec\) with the usual semantics:

  • \((\pk, \sk) \gets \keygen()\). Generates a public-private key-pair.

  • \(\ctxt \gets \enc(\pk, m)\). Given a public key \(\pk\) and a message \(m\), outputs a ciphertext \(\ctxt\).

  • \(m \gets \dec(\sk, \ctxt)\). Given a private key \(\sk\) and a ciphertext \(\ctxt\), outputs a message \(m\) or the failure symbol \(\bot\).

We construct these using X25519 for the key exchange and XSalsa20-Poly1305 for the subsequent symmetric encryption of the message.

As implementation, we use the following algorithms from libsodium:

Identity-Based Encryption

CrowdNotifier relies on an identity-based encryption scheme to provide its most important properties. In an identity-based encryption scheme, messages can be encrypted against identities without requiring a specific key-pair to be generated for each identity. Instead, a trusted authority – in our case usually a location owner or organization – generates a master public key \(\masterpk\) and a corresponding master private key \(\mastersk\) by running the \(\ibekeygen\) algorithm. We emphasize that each location has its own corresponding public key \(\masterpk\).

To encrypt a message \(m\) against an identity \(\id\) under the public key \(\masterpk\), a party (in our case a visitor) runs \(\ctxt \gets \ibeenc(\masterpk, \id, m)\). To enable decryption of this ciphertext, the trusted authority (e.g., the location or organization) first computes the corresponding identity-based decryption key \(\skid \gets \ibekeyder(\masterpk, \mastersk, \id)\). Given the identity-based decryption key \(\skid\), a visitor (user) can then decrypt a ciphertext \(\ctxt\) encrypted under the identity \(\id\) by running \(m \gets \ibedec(\id,\allowbreak \skid,\allowbreak \ctxt)\).

We refer to the Identity-based Encryption section for the full details. For completeness, we introduce the full syntax that we use:

  • \(\pp \gets \ibecommonsetup(1^\secpar)\). Generates the common parameters \(\pp\). Typically these parameters are part of the implementation.

  • \((\masterpk, \mastersk) \gets \ibekeygen(\pp)\). Generates a master public-private key pair.

  • \(\skid \gets \ibekeyder(\masterpk, \mastersk, \id)\). On input of a master public key \(\masterpk\), a master private key \(\mastersk\), and an identity \(\id\), outputs the private decryption key \(\skid\) corresponding to this identity.

  • \(\ctxt \gets \ibeenc(\masterpk, \id, m)\). On input of a master public key \(\masterpk\), an identity \(\id\), and a message \(m\), outputs a ciphertext \(\ctxt\).

  • \(m \gets \ibedec(\id, \skid, \ctxt)\). On input of an identity \(\id\), a private key \(\skid\), and a ciphertext \(\ctxt\), either outputs the decryption \(m\) of \(\ctxt\), or \(\bot\) if decryption fails.

We implement the concrete identity-based encryption scheme over the BLS12-381 pairing-friendly curve. As instantiation, we use the mcl library. We refer to later sections for more information on the implementation.