Download presentation
Presentation is loading. Please wait.
Published byNeil Preston Modified over 5 years ago
1
The power of Pairings towards standard model security
Pairings, IBE, IND-CCA-secure encryption, authentication
2
From previous lecture Public-key Crypto PKE Signature Schemes
Alternative to symmetric key primitives Do not require sharing keys, but they require a PKI PKE Comes in 2 flavours: IND-CPA and IND-CCA Saw 1 constrution based on DDH that is IND-CPA Malleability implies no IND-CCA Signature Schemes Security: EUF-CMA RSA signatures are not EUF-CMA But we could use FDH in the random oracle model
3
Part I Pairings
4
Pairings in General Setting :
2 additive groups πΊ 1 , πΊ 2 , multiplicative group πΊ π All three groups of prime order π We can write πΊ 1 =<π, β¦qπ> and πΊ 2 =<π, β¦, qπ> Imagine a mapping π: πΊ 1 Γ πΊ 2 β πΊ π such that: Bilinear: for all a,bβ{1, β¦, πβ1} it holds that: π aπ, bπ = π(π,π) ππ Non-degenerate: π(π,π)β 1 Efficiently computable
5
Pairings in Cryptography
Usually computed on elliptic curves There are different types, depending on how the pairing is constructed Security depends on type and on something called βembedding degreeβ Mostly defined with elements from additive subgroups (rather than multiplicative ones), but we will keep the multiplicative notation We will not cover specifics in this course If youβre interested, you could read: Lawrence C. Washington: βElliptic curves: Number theory and cryptographyβ
6
DDH and Pairings Consider multiplicative group πΎ= <π> of prime order π, and a pairing π:πΎΓπΎβ πΎ π on this group Given π, π π , π π , π π DDH problem requires to decide whether π π = π ππ or π π just random element Bilinearity: π π π , π π = π(π,π) ππ =π(π, π ππ ) DDH adversary tests whether π π π , π π =π(π, π π ) If so, then guess that π π = π ππ Else, output that π c is random Conclusion: DDH is easy to solve in groups that admit pairings
7
Hard Problems with Pairings
Setup: multiplicative group πΎ=<π> of prime order π, given a bilinear mapping π:πΎΓπΎβ πΎ π Computational Bilinear DH problem: Given (π, π π , π π , π π ), compute π πππ Decisional Bilinear DH problem Given (π, π π , π π , π π , π π§ ), decide whether π π§ = π πππ CDH and DLog: We think these are still hard despite pairings
8
Why we use pairings Alice Bob Alice Charlie Bob Choose Choose Compute
π΄ 1 =ππ; π΄ 2 =ππ Alice Bob Alice Choose a β π
{0, β¦, πβ1} Choose b β π
{0, β¦, πβ1} π΄=aπ π¨ π , π¨ π πͺ π , πͺ π π© π , π© π π΅=bπ Charlie Bob Compute πΎ=bπ΄ Compute πΎ=aπ΅ c β π
{0, β¦, πβ1} πΆ 1 =ππ; πΆ 2 =ππ b β π
{0, β¦, πβ1} πΆ 1 =ππ; πΆ 2 =ππ Same πΎ: bπ΄=baπ=abπ=aπ΅
9
Three-partite Key Exchange
πΎ= π( π΅ 1 , πΆ 2 ) π = π(ππ,ππ) π = π(π,π) πππ Alice Bob Alice Choose a β π
{0, β¦, πβ1} Choose b β π
{0, β¦, πβ1} π¨ π , π¨ π π΄=aπ πͺ π , πͺ π π© π , π© π π΅=bπ Charlie Bob Compute πΎ=bπ΄ Compute πΎ=aπ΅ πΎ= π( π΄ 1 , π΅ 2 ) π = π(ππ,ππ) π = π(π,π) πππ πΎ= π( πΆ 1 , π΄ 2 ) π = π(π,π) πππ Same πΎ: bπ΄=baπ=abπ=aπ΅
10
Part II Identity-Based Encryption
11
PKE and IBE PKE: IBE: Alice has a private key for decryption
Bob (and everyone else) has a public key for encryption to Alice Problem of certification: whose key is that? IBE: Bob has (a function of) Aliceβs identity (name, address, social security number) as a PK Alice can derive a secret key from that Bob encrypts with Aliceβs identity, so only she can decrypt
12
IBE Syntax Tuple of algorithms (Setup, KGen, Enc, Dec) with:
Setup( 1 π ): on input the security parameter, this algorithm outputs (πππΎ, ππππ), a master secret key and some global parameters KGen(πππΎ, πΌπ·) : on input the master secret key and the identity, this algorithm outputs an identity-specific secret key π π πΌπ· Enc(πΌπ·;π): on input an identity and a message, output a ciphertext π π·ππ(π π πΌπ· , π): on input the identity-specific π π πΌπ· and a cipher- text, output plaintext π or symbol β₯
13
IBE Setup Why do we need a setup algorithm for IBE and not for regular PKE?
14
IBE Setup Why do we need a setup algorithm for IBE and not for regular PKE? Not because we need πππΎ to generate our secret keys with After all, each user could just generate π π πΌπ· as we do in regular PKE, right?
15
IBE Setup Why do we need a setup algorithm for IBE and not for regular PKE? Not because we need πππΎ to generate our secret keys with After all, each user could just generate π π πΌπ· as we do in regular PKE, right? Wrong! We need to ensure that the parameters are chosen well, so that thereβs no clash for π π πΌπ· !
16
Pairing Based IBE Designed by Boneh and Franklin in 2001 Ingredients:
Identity space ππ» A hash function (will see it later) A bilinear mapping Setup outputs: A couple of groups πΎ, πΎ π of prime order π A secret value π¦β{1, 2, β¦, πβ1} A generator π for πΎ, and the value π π¦ A hash function π»: ππ»βπΎ Set πππΎ=π¦ ; ππππ=(πΎ, πΎ π , π, π π¦ , π»)
17
Boneh-Franklin IBE πππΎ=π¦ ; ππππ=(πΎ, πΎ π , π, π π¦ ,π»)
πππΎ=π¦ ; ππππ=(πΎ, πΎ π , π, π π¦ ,π») ID-specific secret key generation: Takes input π¦, πΌπ· Output π π πΌπ· = π» πΌπ· π¦ βπΎ Encryption: Takes input π, πΌπ· Choose random πβ{1, β¦,πβ1}, compute π π Output: π=( π π , πβ
π π» πΌπ· , π π¦ π ) Decryption: Takes input π=( π 1 , π 2 ), π π πΌπ· Compute: π 2 π(π» πΌπ· π¦ , π π ) = π
18
Security of Boneh-Franklin
Theorem: BF is IND-CPA in the random oracle model if the Decisional Bilinear DH problem is hard in πΎ Translation: In the random oracle model If there exists an adversary that wins the IND-CPA game against the BF scheme with probability π π΄ Then there exists an adversary B that can solve the DBDH problem in πΎ with probability π π» π π΄ ,
19
IND-CPA for IBE πππΎ, ππππ βSetup ( 1 π )
IND-CPA: eavesdropper canβt tell even 1 bit of p-text πππΎ, ππππ βSetup ( 1 π ) π β $ 0,1 π 0 , π 1 , πΌπ· β A πΎπΊππ β
, π»(β
) (ππππ, 1 π ) πβEnc(πΌπ·; π π ) πβ A πΎπΊππ(β
) (π, ππππ, 1 π ) A wins iff. π=π and KGen(πΌπ·) never queried Parameter: π π» RO queries Intuition: we will need the ROM in order to make sure that the small entropy from identifiers translates to a LOT of entropy for the secret keys
20
Proof of IND-CPA of BF Proof:
Bβs goal is to distinguish between (π, π π , π π , π π , π πππ ) and (π, π π , π π , π π , π π§ ) Bβs strategy will be to inject the challenge into a single identity πΌπ·; then B will hope that A will output THAT identity for the challenge Constructing B: Receives (π, π π , π π , π π , π π§ ) with π§ random or π§=πππ Begin by running Setup, need to output ππππ to A Insert π π¦ = π π , output πΎ, πΎ π ,π, π π ,π» to A A can now make πΎπΊππ and π» queries The former outputs secret keys, but not for the challenge ID The latter allows to just hash identities (in the ROM)
21
Proof of IND-CPA of BF Proof (continued): Constructing B:
Receives (π, π π , π π , π π , π π§ ) with π§ random or π§=πππ Begin by running Setup, need to output ππππ to A Insert π π¦ = π π , output πΎ, πΎ π ,π, π π ,π» to A A can now make πΎπΊππ and π» queries B: guesses a random index: πβ{1, β¦, π π» } Answer to H queries (programming RO): On π-th query, πβ π, pick random π π , output π» π₯ = π π£ On π-th query, insert π» π₯ = π π Answer to KGen queries: B knows DLog of of all π»(π₯), except for the π-th query But A canβt query the ππΎ for that if itβs his challenge
22
Proof of IND-CPA of BF Proof (continued): Constructing B:
Receives (π, π π , π π , π π , π π§ ) with π§ random or π§=πππ Running Setup, output πΎ, πΎ π ,π, π π ,π» to A Answer to queries: B: guesses a random index: πβ{1, β¦, π π» } Answer to H queries (programming RO): On π-th query, πβ π, pick random π π , output π» π₯ = π π π On π-th query, insert π» π₯ = π π Answer to KGen queries: On π-th query, output π πΎ πΌπ· = (π π ) π π =π» π₯ π On π-th query, abort Aβs challenge: A outputs ( π 0 , π 1 , πΌπ·) If πΌπ· was not π-th query, abort Else: choose random π β , output ( π π , π π β β
π π§ )
23
Proof of IND-CPA of BF Proof (continued):
Receives (π, π π , π π , π π , π π§ ) with π§ random or π§=πππ Running Setup, output πΎ, πΎ π ,π, π π ,π» to A Answer to queries: B: guesses a random index: πβ{1, β¦, π π» } Answer to H queries (programming RO): On π-th query, πβ π, pick random π π , output π» π₯ = π π π On π-th query, insert π» π₯ = π π Answer to KGen queries: On π-th query: π πΎ πΌπ· = (π π ) π π =π» π₯ π ; if π=π, abort Aβs challenge: A outputs ( π 0 , π 1 , πΌπ·) If πΌπ· was not π-th query, abort and guess if π§=πππ or not Else: choose random π β , output ( π π , π π β β
π π§ ) Aβs response: guess π β of π β B guesses π§=πππ iff. π β = π β
24
Proof of IND-CPA of BF Proof (cont): Analysis:
B chooses the wrong π implies B had to guess (B wins w.p ) Happens w.p. 1β 1 π π» B chooses the right π implies: If π§=πππ simulation of game is perfect; A wins w.p π π΄ If π§ is random, π is statistically independent from π 0 , π 1 A wins w.p. 1 2 B wins w.p.: 1 π π» β π΅ wins π΅ guesses right] + 1β 1 π π» β
1 2 = 1 π π» π π΄ β
β 1 π π» β
1 2 = π π» π π΄
25
Part II The Uses of IBE
26
Fujisaki-Okamoto Designed a βcompilerβ:
Input: a PKE scheme thatβs IND-CPA secure Output: a PKE scheme thatβs IND-CCA secure Boneh and Franklin used it on their IND-CPA scheme, and obtained an IND-CCA one We wonβt look at the generic compiler, but letβs see the IND-CCA version of BF! For interested readers, see: Fujisaki, Okamoto βSecure integration of asymmetric and symmetric encryption schemesβ, Crypto 99
27
CCA-secure IBE Setup outputs: ID-specific secret key generation:
A couple of groups πΎ, πΎ π of prime order π A secret value π¦β{1, 2, β¦, πβ1} A generator π for πΎ, and the value π π¦ Hash functions: π»: ππ»βπΎ, πΉ: 0,1 π Γ 0,1 π β β€ π β , πΊ: 0,1 π β 0,1 π Set πππΎ=π¦ ; ππππ=(πΎ, πΎ π , π, π π¦ , πΉ,πΊ,π») ID-specific secret key generation: Takes input π¦, πΌπ· Output π π πΌπ· = π» πΌπ· π¦ βπΎ
28
IND-CCA version of BF Setup: πππΎ=π¦ ; ππππ=(πΎ, πΎ π , π, π π¦ , πΉ,πΊ,π»)
Key generation: π π πΌπ· = π» πΌπ· π¦ βπΎ Encryption: Takes input π, πΌπ· Choose random π β 0,1 π , compute π=πΉ(π ,π) Output: π=( π π , π β
π π» πΌπ· , π π¦ π , πβ
πΊ(π ) ) Decryption: Takes input π= π 1 , π 2 , π 3 , π π πΌπ· =π» πΌπ· π¦ Compute: π 2 π(π» πΌπ· π¦ , π π ) = π Finally get π = π 3 πΊ( π )
29
Security Statement Theorem: In the Random Oracle Model (πΉ,πΊ,π» all ROs)
If the DBDH assumption holds in group πΎ, then the modified Boneh-Franklin scheme is IND-CCA secure We will not prove this here Intuition: π 2 hides π like it hid π before, and we use π to hide π in π 3 . We use πΉ to cryptographically bind π to π , but since πΉ is a random oracle any change in π creates a random πΉ output.
30
Signatures in the Standard Model
So far weβve seen: IND-CPA-secure encryption in the standard model (no ROs required) β ElGamal IND-CPA-secure IBE in the ROM β Boneh-Franklin IND-CCA-secure IBE in the ROM β BF + FO EUF-CMA signatures in the ROM using Full-domain hashing (FDH) Letβs see now: (strongly) EUF-CMA signatures without random oracles, using pairings
31
Strong unforgeability
EUF-CMA: adversary canβt forge fresh signature π π, ππ βKGen ( 1 π ) π , π β A Sign(β) (ππ, 1 π ) Store list β={ π 1 , π 1 , β¦( π π , π π )} of queries to Sign A wins iff. π, β ββ and Vf ππ;π, π =1 sEUF-CMA: adversary canβt forge fresh signature A wins iff. π, π ββ and Vf ππ;π, π =1
32
Strong Unforgeability: BSW
Boneh, Shen, Waters Ingredients: Group πΎ of prime order π such that π:πΎΓπΎβ πΎ π , with πΎ= <π> Hash function π»: 0,1 β β 0,1 π such that π> 2 π Key generation πΎπΊππ: Choose secret π¦β{1, β¦, πβ1}, compute π π¦ Choose public π β , ββπΎ, and random π’ β , π’ 1 ,β¦, π’ π βπΎ Set π={ π’ 1 ,β¦, π’ π } and pick π» Output: ππΎ=(π, π π , π β ,β, π’ β ,π,π») and ππΎ= (π β ) π¦
33
Strong Unforgeability: BSW
πΎπΊππ outputs ππΎ=(π, π π¦ , π β ,β, π’ β ,π,π») and ππΎ= (π β ) π¦ Signing message π: Pick random π.π β β€ π ; Set π 2 = π π βπΎ Set π‘βπ» π π 2 β 0,1 π ; interpret π‘ as element of β€ π Do π£βπ» π π‘ β π β 0,1 π ; write π£= π£ 1 β¦ π£ π , with π£ π β{0,1} Compute: π 1 = (π β ) π¦ ( π’ β π=1 π π’ π π£ π ) π , output ( π 1 , π 2 ,π ) Verification of signature ( π 1 , π 2 ,π ) for message π: Compute π‘ =π» π π 2 , encode it as element of β€ π Do π£ βπ» π π‘ β π β 0,1 π ; write π£= π£ 1 β¦ π£ π , with π£ π β{0,1} Verify: π π 1 ,π =π π 2 , π’ β π=1 π π’ π π£ π β
π( π π¦ , π β )
34
Strong Unforgeability of BSW
Theorem: Given the hash function π» is collision resistant Given the CDH is hard to solve in group πΎ Then the BSW scheme is strongly EUF-CMA Proof: Goal of sEUF-CMA attacker: output tuple ( π β ,( π 1 , π 2 ,π )) such that π β , π 1 , π 2 ,π βπ Divide forgeries in 3 types: Type I: π£ β =π£ and π‘ β =π‘ (reduce to CR of H) Type II: π£ β =π£ and π‘ β β π‘ (reduce to DLog) Type III: π£ β β π£ (reduce to CDH)
35
Proof β type i forgeries
sEUF-CMA adversary A outputs ( π β ,( π 1 β , π 2 β , π β )) such that π£ β =π£ and π‘ β =π‘ Build adversary B that breaks collision resistance of π» Setup: B simply runs setup honestly, and picks π». Output ππΎ=(π, π π¦ , π β ,β, π’ β ,π,π») and ππΎ= (π β ) π¦ Signatures: B signs messages honestly Challenge: B receives Aβs forgery ( π β ,( π 1 β , π 2 β , π β )) such that π£ β =π£ corresponding to π, π 1 , π 2 ,π βπ Analysis: Since π‘ β =π‘, t β =H M β π 2 β , t=H M | π 2 ), what we want to prove is M π 2 β π β π 2 β . Say π= π β and π π =π 2 = π 2 β . We know π£ β =π£=π» π π‘ β π . The fact that π£ β =π£ implies π 1 = π 1 β . If π β =π , then A lost. Else, A wins, but produces collision in π» π π‘ β π .
36
Proof β Type II Forgeries
sEUF-CMA adversary A outputs ( π β ,( π 1 β , π 2 β , π β )) such that π£ β =π£ and π‘ β β π‘ Build adversary B that breaks Dlog B receives (π, β) from challenger, must find log π β Setup: inject g, h into ππΎ=(π, π π¦ , π β ,β, π’ β ,π,π»), get ππΎ= (π β ) π¦ honestly, output ππΎ to A Signature queries: signatures done honestly Forgery: B receives Aβs forgery ( π β ,( π 1 β , π 2 β , π β )) such that π£ β =π£ corresponding to π, π 1 , π 2 ,π βπ Analysis: As π£ β =π£=π» π π‘ β π , we know π» π π‘ β π =π» π π‘ β β π β , in which π ,π β ,π‘, π‘ β are known. Output π= π‘β π‘ β π β βπ as DLog
37
Proof β TYPE III Forgeries
We will not cover them here. Proof is more complicated, and relies on a transformation of EUF-CMA to sEUF-CMA
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.