
1 Bilinear Mappings in Formal Cryptography 08.10.11

2 Bilinear Mapping Define: Let n be a prime number. G1 = ⟨P⟩ is an additive group of order n with identity element 0 (P is the generator of G1). GT is a multiplicative group of order n with identity element 1.

3 Bilinear Mapping Define a mapping e : G1 × G1 → GT which satisfies the following properties:
–Bilinearity: for all R,S ∈ G1 and a,b ∈ Zn: e(aR, bS) = e(R,S)^(ab).
–Non-degeneracy: e(P, P) ≠ 1.
–Computability: e can be computed efficiently.

4 Discrete Logarithm Problem Let G = ⟨P⟩. We say that the discrete logarithm problem is hard in G if, given some Q ∈ G, it is infeasible to find in polynomial time an integer x such that
–Q = xP (additive group)
–Q = P^x (multiplicative group)
If the discrete logarithm problem is hard in G1, then, according to bilinearity, it should also be hard in GT.

5 Bilinear Diffie-Hellman Problem Bilinear Diffie-Hellman Problem (BDHP): given P, aP, bP, cP ∈ G1, compute e(P,P)^(abc). This problem cannot be solved in polynomial time if the discrete logarithm problem is hard in the group G1.

6 Example: Tripartite Key Exchange The new key is:
–e(bP,cP)^a = e(P,P)^(abc) (Alice)
–e(aP,cP)^b = e(P,P)^(abc) (Bob)
–e(aP,bP)^c = e(P,P)^(abc) (Chris)
If the intruder eavesdrops on the network and obtains the values aP, bP and cP, he cannot derive the new key.

7 Formal and Computational Views
Formal view
–Messages are elements of a term algebra.
–The possible operations on terms are enumerated.
–The protocol is represented through a process calculus or a theory.
Computational view
–Messages are bit strings.
–The possible operations on bit strings: everything computable in probabilistic polynomial time.
–The protocol is a set of probabilistic Turing machines.

8 Derivation Rules Define a predicate I: I(x) is true iff the intruder knows the value of x. Horn clauses are boolean formulas of the form
F1 & F2 & ... & Fn → G
Using the predicate I in the formulas:
I(A1) & I(A2) & ... & I(An) → I(B)
If the intruder knows A1 ... An, he will also know B.

9 Describing the Intruder Rules Let a message m encrypted with a key k be represented by the term enc(k,m). The intruder may encrypt any message m with any key k and obtain enc(k,m). The intruder may decrypt any enc(k,m) with the corresponding key k and obtain the message m.
–I(k) & I(m) → I(enc(k,m))
–I(k) & I(enc(k,m)) → I(m)

10 Describing the Protocol Rules
–I(enc(Kb, (Ka,Na,Kab))) → I(enc(Ka, (Na,Nb,Kb)))
–I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) → I(enc(Kb, (Na,Nb)))
–I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) & I(enc(Kb, (Na,Nb))) → I(enc(Kab,M))

11 Protocol Analysis
–I(k1)
–I(k2)
–I(k1) & I(k2) → I(key)
–I(enc(key,secret))
–I(X) & I(enc(X,Y)) → I(Y)
query I(secret)
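The derivation of slides 8 to 11 carried out mechanically, as an added example that is not part of the slides: ground Horn clauses are applied as set-to-set functions until a fixpoint, and the query I(secret) is answered by membership. The term size bound MAX_SIZE is our assumption, needed only so that the encryption rule cannot generate terms forever.

```python
# Added example, not from the slides: forward-chaining over ground Horn clauses
# for the intruder model of slides 9 and 11. Terms are strings (atoms) or tuples
# ('enc', key, msg). Names k1, k2, key, secret are the slide's; MAX_SIZE is ours.
MAX_SIZE = 3  # bound on term size so the encryption rule cannot generate forever

def size(t):
    return 1 if isinstance(t, str) else 1 + size(t[1]) + size(t[2])

def step(known):
    """Apply every rule once to the current knowledge set; return new facts only."""
    new = set()
    # Protocol rule from slide 11: I(k1) & I(k2) -> I(key)
    if "k1" in known and "k2" in known:
        new.add("key")
    # Intruder rules from slide 9:
    for t in known:
        # I(k) & I(enc(k,m)) -> I(m)
        if isinstance(t, tuple) and t[1] in known:
            new.add(t[2])
        # I(k) & I(m) -> I(enc(k,m)), bounded by MAX_SIZE
        for m in known:
            c = ("enc", t, m)
            if size(c) <= MAX_SIZE:
                new.add(c)
    return new - known

def saturate(facts):
    """Compute the least fixpoint: everything the intruder can derive."""
    known = set(facts)
    while True:
        new = step(known)
        if not new:
            return known
        known |= new

def query(facts, goal):
    """The ProVerif-style query I(goal): is goal derivable from the facts?"""
    return goal in saturate(facts)

# Constructed scenario of slide 11: both key shares and the encrypted secret leak.
LEAKED = {"k1", "k2", ("enc", "key", "secret")}

if __name__ == "__main__":
    print(query(LEAKED, "secret"))           # True: k1,k2 -> key, then decrypt
    print(query(LEAKED - {"k2"}, "secret"))  # False: key cannot be derived
```

Removing k2 from the leaked facts shows the other side of the analysis: the fixpoint stays finite and never contains secret, which is the "query not derivable" outcome.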

12 Challenges If the protocol is described as an equational theory, the analyzer needs support for equivalence relations. The algebraic properties of the operations have to be described separately, and protocol analysis has to take these properties (congruence relations) into account.

13 Properties of a Bilinear Mapping
Non-degeneracy: e(P, P) ≠ 1.
–This is the default setting as long as we do not state that e(P,P) = 1.
–The identity element of G1 is actually not defined anywhere.
Computability: e can be computed efficiently.
–The attacker should be able to use the mapping e. We need to add corresponding rules.
Bilinearity: for all R,S ∈ G1 and a,b ∈ Zn: e(aR, bS) = e(R,S)^(ab).
–This property is more difficult to implement.

14 Related Work Ralf Küsters and Tomasz Truderung: Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation. CSF, 2009, 157-171, http://doi.ieeecomputersociety.org/10.1109/CSF.2009.17, http://dblp.unitrier.de. This work provides an extension for ProVerif that allows the analysis of protocols with a finite number of exponents.

15 Our Contribution
–An equational theory of bilinear pairings for exponent-ground terms that allows only products in exponents (based on the Related Work).
–The protocol transformer that was used for DH exponentiation has been upgraded so that it supports bilinear mappings (with and without types).
–Some pairing-based protocols have been tested in ProVerif.

16 The Protocol Transformer
1. Translates all the terms in the description of the protocol to the normal form.
2. Encodes them.
3. Generates a set of intruder rules according to the set of grounded exponents C that it has discovered.
4. Writes the new set of rules to an output file that is ready to be tested with ProVerif.

17 Normal Form
–All the multipliers are transferred from the group G1 to the group GT: e(aP, bP) ≈ e(P,P)^(ab)
–The exponents and the multipliers are grouped: G^(a b a^-1 c b) ≈ G^(b^2 c)
–The exponents and the multipliers are ordered: G^(b^3 a^4) ≈ G^(a^4 b^3)

18 Encoding There is a finite, fixed set of possible exponents that are used in the protocol (we can use a finite set according to the Related Work): C = {a,b,c}
The integers in the exponents are encoded: 1 ≈ s(0), 2 ≈ s(s(0)), ...; -1 ≈ p(0), -2 ≈ p(p(0)), ...
The algebraic terms are encoded:
–G^(a^-1 c^2) ≈ exp(G,p(0),0,s(s(0)))
–P*(b^-1 c) ≈ mult(P,0,p(0),s(0))

19 Joux's Protocol for Authenticated Channels
The intruder knows the public point: I(P)
The intruder knows the values that the honest users have sent to the network: I(aP), I(bP), I(cP)
The intruder gets the secret if he gets the key:
–I(e(aP,bP)^c) → I(secret)
–I(e(bP,cP)^a) → I(secret)
–I(e(aP,cP)^b) → I(secret)

20 Normalizing Joux's Protocol Three parties: C = {a,b,c}
The intruder knows the point: I(P) - no normalization needed
The intruder knows the values that the honest users have sent to the network:
–I(aP) ≈ I(mult(P, s(0), 0, 0))
–I(bP) ≈ I(mult(P, 0, s(0), 0))
–I(cP) ≈ I(mult(P, 0, 0, s(0)))
The intruder gets the secret if he gets the key:
–I(e(aP,bP)^c) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
–I(e(bP,cP)^a) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
–I(e(aP,cP)^b) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
The intruder has three ways to derive the secret, and in each case he actually needs the same key.
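The normal form and encoding of slides 17 and 18, applied to the Joux keys of slide 20, as an added example that is not part of the slides or of the authors' transformer. Exponent monomials over C = {a,b,c} are kept as exponent vectors, so grouping and ordering happen automatically, and the Peano encoding s/p is the slide's; the term representation (base, vector) is our assumption.

```python
# Added example, not from the slides: normal form and Peano encoding of
# exponent terms over the grounded exponent set C = {a, b, c} (slides 17, 18, 20).
C = ("a", "b", "c")

def normalize(factors):
    """Group and order a product of exponents into an exponent vector over C.
    [('a',1),('b',1),('a',-1),('c',1),('b',1)] is a*b*a^-1*c*b and gives (0, 2, 1), i.e. b^2 c."""
    vec = [0] * len(C)
    for var, power in factors:
        vec[C.index(var)] += power
    return tuple(vec)

def peano(n):
    """Encode an integer: 1 -> s(0), 2 -> s(s(0)), -1 -> p(0), -2 -> p(p(0)), 0 -> 0."""
    if n == 0:
        return "0"
    return f"s({peano(n - 1)})" if n > 0 else f"p({peano(n + 1)})"

def mult(point, var):
    """Scalar multiplication in G1: (base, vec) * var adds one to var's exponent."""
    base, vec = point
    return (base, normalize(list(zip(C, vec)) + [(var, 1)]))

def exp_(elem, var):
    """Exponentiation in GT: same exponent bookkeeping as mult, different encoding tag."""
    return mult(elem, var)

def pairing(p1, p2):
    """e(aP, bP) ~ e(P,P)^(ab): all multipliers move from G1 into the GT exponent."""
    (b1, v1), (b2, v2) = p1, p2
    return (f"e({b1},{b2})", tuple(x + y for x, y in zip(v1, v2)))

def encode(term, tag):
    """Render exp(G,e_a,e_b,e_c) or mult(P,e_a,e_b,e_c) as on slide 18."""
    base, vec = term
    return f"{tag}({base},{','.join(peano(v) for v in vec)})"

P = ("P", (0, 0, 0))  # the public point, exponent vector all zero

def joux_keys():
    """The three party keys of slide 20, each normalized and encoded."""
    aP, bP, cP = (mult(P, v) for v in C)
    return [encode(exp_(pairing(bP, cP), "a"), "exp"),
            encode(exp_(pairing(aP, cP), "b"), "exp"),
            encode(exp_(pairing(aP, bP), "c"), "exp")]

if __name__ == "__main__":
    print(encode(("G", normalize([("a", -1), ("c", 2)])), "exp"))  # exp(G,p(0),0,s(s(0)))
    print(joux_keys())  # three identical keys: exp(e(P,P),s(0),s(0),s(0))
```

The three keys come out syntactically identical, which is exactly what lets ProVerif treat the three derivation paths of slide 20 as one.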

21 Intruder Rules A set of rules is generated for the particular set of grounded exponents. Examples of intruder rules for C = {a,b,c}:
–I(exp(X, X1, X2, X3)), I(a) → I(exp(X, s(X1), X2, X3));
–I(X), I(Y) → I(e(X,Y));
–I(X), I(mult(Y, Y1, Y2, Y3)) → I(exp(e(X,Y), Y1, Y2, Y3));
–I(exp(X, 0, 0, 0)) → I(X);
–...

22 Normalization Rules We introduce new predicates that define normalization:
–E(X,Y,Z) is true iff X^Y = Z
–M(X,Y,Z) is true iff XY = Z
–P(X,Y,Z) is true iff e(X,Y) = Z
Examples of normalization rules for C = {a,b,c}:
–E(exp(X, 0, p(0), 0), b, X);
–M(mult(X, X1, X2, X3), a, mult(X, s(X1), X2, X3));
–P(mult(X, X1, X2, X3), Y, exp(e(X,Y), X1, X2, X3));

23 Using Normalization Rules Suppose that we are trying to implement Joux's protocol for unauthenticated channels. The values aP, bP and cP coming from the network can be substituted by the attacker, so they become variables A, B, C:
–I(e(A,B)^c) → I(secret)
–I(e(B,C)^a) → I(secret)
–I(e(A,C)^b) → I(secret)
We cannot apply normalization directly to these variables. Use auxiliary variables X and Y:
–P(A,B,X) & E(X,c,Y) & I(Y) → I(secret)
–P(B,C,X) & E(X,a,Y) & I(Y) → I(secret)
–P(A,C,X) & E(X,b,Y) & I(Y) → I(secret)
ProVerif then detects that the protocol is insecure.

24 Solving the Previous Problem All the keys are normalized and encoded, so the keys generated by different parties are syntactically equivalent. The intruder is also capable of using bilinear pairings, multiplication and exponentiation, so he can compose similar structures himself.

25 Open Questions The protocol analyzer does not support addition, and neither does the Related Work. In this work, addition has been tried only for two elements; one protocol turned out to be insecure even in this constrained setting. The analysis process is too slow. Some protocols have not been tested because the set of rules produced by ProVerif did not converge.

26 Efficiency of the Analyzer
Protocol Name | Nr. of Tests | Average Time (sec) | Vulnerability
A simple ID-based pairing protocol | 1000 | 0.0149 | Not found
A More Efficient Identity Based Authenticated Key Agreement Protocol | 1000 | 0.0310 | Occurs with a negligible probability
Smart's ID-based AK Protocol | 1000 | 0.0508 | Not found
Joux's Protocol | 100 | 0.273 | If the channels are not authenticated
TAK 1 | 10 | 254 | Not found
Shim's protocol variation | 10 | 836 | If no comparison is used
A Six Pass Pairing Based AKC Protocol | 10 | 1330 | Not found
TAK 2 | 1 | > 43200 | A vulnerability found

