Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups
Essam Ghadafi, University of the West of England; Jens Groth, University College London

Prime order cyclic group
Group generator $(G, g) \leftarrow \mathrm{Gen}(1^\lambda)$:
- Group $G$ of known prime order $p$
- Uniformly random generator $g$ such that $G = \langle g \rangle$
- Efficiently computable group operations
Generic group model: the adversary is restricted to group operations and equality testing.

Computational problems in cyclic groups
For now, just a single cyclic group $(G, g)$ of prime order $p$. Later, bilinear groups with pairings $(G_1, G_2, G_T, g_1, g_2, e)$.
- Discrete Logarithm: given $g, g^x$, compute $x$
- Computational Diffie-Hellman: given $g, g^a, g^b$, compute $g^{ab}$
- Generalized Diffie-Hellman Exponent: given $g, g^x, \ldots, g^{x^{q-1}}, g^{x^{q+1}}, \ldots, g^{x^{2q}}$, compute $g^{x^q}$
- Strong Diffie-Hellman: given $g, g^x, \ldots, g^{x^q}$, output $\left(c, g^{\frac{1}{x+c}}\right)$

Non-interactive computational assumptions
[Diagram: the assumptions that hold in the generic group model, drawn as a region with Computational Diffie-Hellman (CDH) and Discrete logarithm (DL) at the bottom and question marks for the unknown structure above them.]

Non-interactive computational assumptions
[Diagram: the same region, now structured. At the top sit $q$-GDHE & $q$-SFrac; $q$-GDHE covers the polynomial assumptions and $q$-SFrac covers the fractional assumptions; Computational Diffie-Hellman (CDH) and the discrete logarithm problem (DL) remain at the bottom.]

Non-interactive computational assumption
- PPT instance generator $(pub, priv) \leftarrow I(1^\lambda)$
- DPT solution verifier $b \leftarrow V(pub, priv, sol)$; accept: $b = 1$, reject: $b = 0$
Definition: the non-interactive computational assumption $(I, V)$ holds if for all PPT adversaries $A$
$\Pr\left[(pub, priv) \leftarrow I(1^\lambda);\ sol \leftarrow A(pub) : V(pub, priv, sol) = 1\right] \approx 0$

$(d, m, n)$-target assumption

Instance generator $(pub, priv) \leftarrow I(1^\lambda)$:
- $(G, g) \leftarrow \mathrm{Gen}(1^\lambda)$
- $\left(\frac{a_1(\vec X)}{b_1(\vec X)}, \ldots, \frac{a_n(\vec X)}{b_n(\vec X)}, pub', priv'\right) \leftarrow I_{core}(G)$, where the $a_i, b_i$ are $m$-variate polynomials of total degree $d$ or less
- $\vec x \leftarrow \mathbb{Z}_p^m$ (such that all $b_i(\vec x) \neq 0$)
- $pub = \left(G,\ g^{a_1(\vec x)/b_1(\vec x)}, \ldots, g^{a_n(\vec x)/b_n(\vec x)},\ \frac{a_1(\vec X)}{b_1(\vec X)}, \ldots, \frac{a_n(\vec X)}{b_n(\vec X)},\ pub'\right)$; $priv = (g, \vec x, priv')$

Solution verifier $b \leftarrow V(pub, priv, sol)$ with $sol = \left(\frac{r(\vec X)}{s(\vec X)}, y, sol'\right)$, where $\frac{r(\vec X)}{s(\vec X)}$ is the adversary's target:
- Check $\frac{r(\vec X)}{s(\vec X)} \notin \mathrm{span}\left(\frac{a_1(\vec X)}{b_1(\vec X)}, \ldots, \frac{a_n(\vec X)}{b_n(\vec X)}\right)$ as formal polynomials. This ensures a generic adversary cannot break the assumption.
- Check $y = g^{r(\vec x)/s(\vec x)}$ and check $V_{core}(pub, priv, sol) = 1$

Terminology:
- Say the assumption is simple if every $b_i(\vec X)$ is the constant $1$ (so the instance elements are $g^{a_i(\vec x)}$)
- Say the assumption is univariate if $m = 1$
- Say the assumption is polynomial if $s(\vec X) = 1$
- Say the assumption is fractional if $s(\vec X) \nmid r(\vec X)$

Examples:
- CDH assumption: $\left(\frac{1}{1}, \frac{X_1}{1}, \frac{X_2}{1}\right) \leftarrow I_{core}(G)$; $V_{core}\left(\left(\frac{1}{1}, \frac{X_1}{1}, \frac{X_2}{1}\right), \frac{r(\vec X)}{s(\vec X)}, y\right)$ checks $\frac{r(\vec X)}{s(\vec X)} = X_1 X_2$
- $q$-SDH assumption: $\left(\frac{1}{1}, \frac{X}{1}, \ldots, \frac{X^q}{1}\right) \leftarrow I_{core}(G)$; $V_{core}\left(\left(\frac{1}{1}, \frac{X}{1}, \ldots, \frac{X^q}{1}\right), \frac{r(X)}{s(X)}, y\right)$ checks $\frac{r(X)}{s(X)} = \frac{1}{X + c}$

Hierarchy of target assumptions
[Diagram of nested classes, innermost to outermost: GDHE & SFrac; polynomial & fractional assumptions; univariate simple target assumptions; simple target assumptions; target assumptions.]

Uber assumptions
- Generalized Diffie-Hellman Exponent ($q$-GDHE): given $g, g^x, \ldots, g^{x^{q-1}}, g^{x^{q+1}}, \ldots, g^{x^{2q}}$ it is hard to compute $g^{x^q}$
- Simple Fractional ($q$-SFrac): given $g, g^x, \ldots, g^{x^q}$ it is hard to output $\left(\frac{r(X)}{s(X)}, g^{\frac{r(x)}{s(x)}}\right)$ with $\deg s > \deg r$
The $q$-SDH problem (given $(g, g^x, \ldots, g^{x^q})$ output $\left(c, g^{\frac{1}{x+c}}\right)$) is a special case of the $q$-SFrac problem with $r(X) = 1$ and $s(X) = X + c$.
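
As an added worked example, not taken from the slides or the paper, the following Python implements the instance generator $I$ and verifier $V$ of a univariate simple target assumption ($b_i(X) = 1$) in a toy group and exercises them with the $q$-SDH target $1/(X+c)$ treated as a $q$-SFrac special case, and with a 2-GDHE target $X^2$. Everything in it is an assumption of the example: the order-$p$ subgroup of $\mathbb{Z}_q^*$ with $p = 1019$, $q = 2039$ (far too small for anything but illustration), the coefficient-list representation of polynomials, the function names, and the stand-in solver that uses the private $x$ to manufacture group elements, which a real adversary cannot do.

```python
"""Toy instance generator I and verifier V for a univariate simple target assumption
(all b_i(X) = 1), with q-SDH as a q-SFrac special case. Added illustration, not the
paper's code; the constructed order-p subgroup of Z_q^* (q = 2p + 1) is tiny and insecure."""
import random

P = 1019        # group order p (prime); exponents live in Z_P
Q = 2 * P + 1   # 2039, also prime, so Z_Q^* has a subgroup of order P

def trim(poly):  # polynomials over Z_P are coefficient lists, index = degree
    poly = [c % P for c in poly]
    while poly and poly[-1] == 0:
        poly.pop()
    return poly

def poly_eval(poly, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(poly)) % P

def poly_divmod(num, den):  # long division over Z_P -> (quotient, remainder)
    num, den = trim(num), trim(den)
    inv_lead = pow(den[-1], -1, P)
    quot, rem = [0] * max(len(num) - len(den) + 1, 1), num
    while len(rem) >= len(den):
        coef, shift = rem[-1] * inv_lead % P, len(rem) - len(den)
        quot[shift] = coef
        for i, d in enumerate(den):
            rem[shift + i] = (rem[shift + i] - coef * d) % P
        rem = trim(rem)
    return trim(quot), rem

def rank(vectors):  # rank over Z_P by Gaussian elimination
    rows, rk = [[v % P for v in vec] for vec in vectors], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rk, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        inv = pow(rows[rk][col], -1, P)
        for i in range(rk + 1, len(rows)):
            f = rows[i][col] * inv % P
            rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def in_span(poly, basis):  # is poly a Z_P-linear combination of the basis polynomials?
    width = max(len(p) for p in basis + [poly])
    vecs = [p + [0] * (width - len(p)) for p in basis + [poly]]
    return rank(vecs[:-1]) == rank(vecs)

def gen_instance(inst_polys, rng):
    """I(1^λ): pub = (G, g^{a_1(x)},...,g^{a_n(x)}, a_1(X),...,a_n(X)); priv = (g, x)."""
    g = 1
    while g == 1:  # random generator of the order-P subgroup
        g = pow(rng.randrange(2, Q), (Q - 1) // P, Q)
    x = rng.randrange(1, P)
    polys = [trim(a) for a in inst_polys]
    return {"polys": polys, "elements": [pow(g, poly_eval(a, x), Q) for a in polys]}, {"g": g, "x": x}

def verify(pub, priv, sol, v_core=lambda pub, priv, sol: True):
    """V(pub, priv, sol) with sol = (r(X), s(X), y): two generic checks, then V_core."""
    r, s, y = trim(sol[0]), trim(sol[1]), sol[2]
    # Check 1: r/s must NOT lie in span(a_1,...,a_n) as formal polynomials. With all
    # b_i = 1 that span holds only polynomials, so r/s is inside it exactly when
    # s divides r and the quotient is a linear combination of the a_i.
    quot, rem = poly_divmod(r, s)
    if not rem and in_span(quot, pub["polys"]):
        return False  # a generic adversary could compute it: reject
    # Check 2: y = g^{r(x)/s(x)}, decided with the private x (needs s(x) != 0).
    sx = poly_eval(s, priv["x"])
    if sx == 0 or y != pow(priv["g"], poly_eval(r, priv["x"]) * pow(sx, -1, P) % P, Q):
        return False
    return v_core(pub, priv, sol)  # Check 3: assumption-specific target shape

def sdh_core(pub, priv, sol):  # q-SDH inside q-SFrac: r = 1 and s = X + c
    r, s = trim(sol[0]), trim(sol[1])
    return r == [1] and len(s) == 2 and s[1] == 1

def gdhe_core(q):  # q-GDHE: the target is the missing monomial X^q, with s = 1
    return lambda pub, priv, sol: trim(sol[1]) == [1] and trim(sol[0]) == [0] * q + [1]

def solve_with_x(priv, r, s):  # stand-in solver that cheats with priv; adversaries see only pub
    expo = poly_eval(r, priv["x"]) * pow(poly_eval(s, priv["x"]), -1, P) % P
    return (r, s, pow(priv["g"], expo, Q))

def demo(seed=1):
    rng, X = random.Random(seed), [0, 1]
    pub, priv = gen_instance([[1], X, [0, 0, 1], [0, 0, 0, 1]], rng)  # 3-SDH instance
    c = 5
    while (priv["x"] + c) % P == 0:  # skip the 1/p fluke s(x) = 0 in this toy group
        c += 1
    sdh = solve_with_x(priv, [1], [c, 1])  # the q-SDH answer (c, g^{1/(x+c)})
    # 2-GDHE instance g, g^x, g^{x^3}, g^{x^4}; its target X^2 is outside the span
    pub2, priv2 = gen_instance([[1], X, [0, 0, 0, 1], [0, 0, 0, 0, 1]], rng)
    r2, s2, y2 = solve_with_x(priv2, [0, 0, 1], [1])
    return {
        "sdh_ok": verify(pub, priv, sdh, sdh_core),
        # copying g^{x^2} out of pub: correct y, but the target X^2 is in the span
        "copied_from_pub": verify(pub, priv, ([0, 0, 1], [1], pub["elements"][2])),
        # (X^3 + (c+1)X^2 + cX)/(X + c) = X^2 + X: in the span once reduced
        "disguised_span": verify(pub, priv, solve_with_x(priv, [0, c, c + 1, 1], [c, 1])),
        # y computed for c but claimed for c + 1: fails y = g^{r(x)/s(x)}
        "sdh_wrong_c": verify(pub, priv, (sdh[0], [c + 1, 1], sdh[2]), sdh_core),
        "gdhe_ok": verify(pub2, priv2, (r2, s2, y2), gdhe_core(2)),
        "gdhe_wrong_y": verify(pub2, priv2, (r2, s2, y2 * priv2["g"] % Q), gdhe_core(2)),
    }
```

The span check is the part the slide credits with keeping a generic adversary out: handing back $g^{x^2}$ straight from the instance, or disguising $X^2 + X$ as $(X^3 + (c+1)X^2 + cX)/(X+c)$, fails Check 1 even though the group element is correct, while the $q$-SDH and 2-GDHE targets lie outside the span and are accepted only when $y$ is right. Note that Check 2 needs the private $x$; this is why the definition gives $V$ access to $priv$ even though the adversary never sees it.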

Target assumption hierarchy
[Diagram: the single-group target assumptions stacked from the bottom up: CDH; 1-GDHE & 1-SFrac; 2-GDHE & 2-SFrac; 3-GDHE & 3-SFrac; and so on.]

Structural analysis
[Diagram, one column per family, with ⇓ meaning "implies the assumption below":
      ⋮                 ⋮
   3-GDHE            3-SFrac
      ⇓                 ⇓
   2-GDHE    ⟸       2-SFrac
      ⇓                 ⇓
   1-GDHE            1-SFrac   ⇔
      ⇓
     CDH
]

Asymmetric bilinear groups
Bilinear group generator $(G_1, G_2, G_T, g_1, g_2) \leftarrow \mathrm{BGen}(1^\lambda)$:
- Groups $G_1, G_2, G_T$ of known prime order $p$
- Efficiently computable group operations in $G_1, G_2, G_T$
- Efficiently computable bilinear map $e: G_1 \times G_2 \to G_T$ with $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$
- Random generators $g_1, g_2$ such that $G_1 = \langle g_1 \rangle$, $G_2 = \langle g_2 \rangle$
- Defining $g_T = e(g_1, g_2)$ we have $G_T = \langle g_T \rangle$
- Asymmetric (type III) setting where $G_1 \neq G_2$

Bilinear target assumption stratification
[Diagram with two ladders, each stacked from CDH at the bottom upward. For target group $\alpha \in \{1, 2\}$: CDH; 1-BGDHE & 1-BSFrac; 2-BGDHE & 2-BSFrac; and so on. For $\alpha = T$: CDH; 1-BGap & 1-BSFrac; 2-BGap & 2-BSFrac; and so on.]

Open problems
- Prove or disprove the conjecture $q$-GDHE $\Rightarrow$ 1-SDH
- Find structure in the SFrac assumptions
- Simplify the $q$-BGap assumptions
- Tightness
- Analyze assumptions where the goal is to output a set of group elements $y_1, \ldots, y_\ell$ with some relationship to each other
- Analyze interactive assumptions

Conclusions
Cryptographers:
- Most non-interactive computational assumptions in use are implied by the GDHE & SFrac assumptions
- All non-fractional assumptions are implied by GDHE, giving us a "canary in the coal mine" barrier
Cryptanalysts:
- The GDHE and SFrac assumptions are the easiest targets to attack
- Do not try to break discrete log; attack the "canary in the coal mine" assumptions first