Slide1
The power of Pairings towards standard model security
Pairings, IBE, IND-CCA-secure encryption, authentication
Slide2
From previous lecture
Public-key Crypto
Alternative to symmetric key primitives
Do not require sharing keys, but they require a PKI
PKE
Comes in 2 flavours: IND-CPA and IND-CCA
Saw one construction based on DDH that is IND-CPA
Malleability implies no IND-CCA
Signature Schemes
Security: EUF-CMA
RSA signatures are not EUF-CMA
But we could use FDH in the random oracle model
Slide3
Part I
Pairings
Slide4
Pairings in General
Setting:
Two additive groups, and a multiplicative group
All three groups of prime order
We can write and
Imagine a mapping such that:
Bilinear: for all, it holds that:
Non-degenerate:
Efficiently computable
Slide5
Pairings in Cryptography
Usually computed on elliptic curves
There are different types, depending on how the pairing is constructed
Security depends on type and on something called “embedding degree”
Mostly defined with elements from additive subgroups (rather than multiplicative ones), but we will keep the multiplicative notation
We will not cover specifics in this course
If you’re interested, you could read: Lawrence C. Washington, ‘Elliptic curves: Number theory and cryptography’
Slide6
DDH and Pairings
Consider a multiplicative group of prime order, and a pairing on this group
Given
The DDH problem requires to decide whether or just a random element
Bilinearity:
DDH adversary tests whether
If so, then guess that
Else, output that is random
Conclusion: DDH is easy to solve in groups that admit pairings
Slide7
Hard Problems with Pairings
Setup: multiplicative group of prime order, given a bilinear mapping
Computational Bilinear DH problem:
Given, compute
Decisional Bilinear DH problem:
Given, decide whether
CDH and DLog:
We think these are still hard despite pairings
Slide8
Why we use pairings
Alice: Choose, Compute
Bob: Choose, Compute
Same:
Alice:
Bob:
Charlie:
Slide9
Three-partite Key Exchange
Alice: Choose, Compute
Bob: Choose, Compute
Same:
Alice, Bob, Charlie:
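The pairing interface from the slides above (bilinearity, the DDH distinguisher, and the one-round three-party key exchange), as an added example written for this page and not taken from the lecture. It uses a toy symmetric bilinear group in which every element is stored as its discrete logarithm with respect to the generator, so DLog is free by construction and nothing here is secure; what the code shows is how the bilinearity identity alone lets anyone recognise a DH tuple, and how three parties derive e(g,g)^(abc) from one broadcast each. The prime q, the class names G and GT, and the function names are my own choices.

```python
import secrets

q = 2**61 - 1   # prime order shared by G and G_T (assumption: toy parameter)

class G:
    """Element g^x of the source group, stored as the exponent x mod q (so DLog is free here)."""
    def __init__(self, x): self.x = x % q
    def __mul__(self, other): return G(self.x + other.x)      # g^x * g^y = g^(x+y)
    def __pow__(self, k): return G(self.x * k)                # (g^x)^k = g^(xk)
    def __eq__(self, other): return isinstance(other, G) and self.x == other.x
    def __hash__(self): return hash(("G", self.x))
    def __repr__(self): return f"g^{self.x}"

class GT:
    """Element e(g,g)^z of the target group, stored as z mod q."""
    def __init__(self, z): self.z = z % q
    def __mul__(self, other): return GT(self.z + other.z)
    def __pow__(self, k): return GT(self.z * k)
    def __eq__(self, other): return isinstance(other, GT) and self.z == other.z
    def __hash__(self): return hash(("GT", self.z))
    def __repr__(self): return f"e(g,g)^{self.z}"

g = G(1)   # generator of G

def e(a, b):
    """Symmetric pairing e(g^x, g^y) = e(g,g)^(xy)."""
    return GT(a.x * b.x)

def rand_exp():
    return secrets.randbelow(q - 1) + 1

def check_bilinearity(x, y, z):
    """e(g^x * g^y, g^z) = e(g^x, g^z) * e(g^y, g^z), e(g^x, g^y) = e(g,g)^(xy), and e(g,g) is not the identity."""
    left = e(g ** x * g ** y, g ** z) == e(g ** x, g ** z) * e(g ** y, g ** z)
    right = e(g ** x, g ** y) == e(g, g) ** (x * y)
    return left and right and e(g, g) != GT(0)

def ddh_distinguisher(ga, gb, gc):
    """Decide whether (g^a, g^b, g^c) satisfies c = ab, using only group elements and the pairing."""
    return e(ga, gb) == e(g, gc)

def joux_three_party(a, b, c):
    """Each party broadcasts g^secret; each computes e(g,g)^(abc) from the other two broadcasts."""
    A, B, C = g ** a, g ** b, g ** c
    k_alice = e(B, C) ** a
    k_bob = e(A, C) ** b
    k_charlie = e(A, B) ** c
    assert k_alice == k_bob == k_charlie
    return k_alice

if __name__ == "__main__":
    a, b = rand_exp(), rand_exp()
    print("DH tuple recognised:", ddh_distinguisher(g ** a, g ** b, g ** (a * b)))
    print("random tuple recognised:", ddh_distinguisher(g ** a, g ** b, g ** rand_exp()))
    print("shared three-party key:", joux_three_party(a, b, rand_exp()))
```

The distinguisher never needs a, b or c: it compares e(g^a, g^b) = e(g,g)^(ab) with e(g, g^c) = e(g,g)^c, which is exactly why DDH is easy wherever a pairing exists, while CDH (computing g^(ab)) is untouched by this trick.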
Slide10
Part II
Identity-Based Encryption
Slide11
PKE and IBE
PKE:
Alice has a private key for decryption
Bob (and everyone else) has a public key for encryption to Alice
Problem of certification: whose key is that?
IBE:
Bob has (a function of) Alice’s identity (name, email address, social security number) as a PK
Alice can derive a secret key from that
Bob encrypts with Alice’s identity, so only she can decrypt
Slide12
IBE Syntax
Tuple of algorithms with:
Setup: on input the security parameter, this algorithm outputs a master secret key and some global parameters
Key generation: on input the master secret key and the identity, this algorithm outputs an identity-specific secret key
Encryption: on input an identity and a message, output a ciphertext
Decryption: on input the identity-specific secret key and a ciphertext, output the plaintext or a failure symbol
Slide13
IBE Setup
Why do we need a setup algorithm for IBE and not for regular PKE?
Slide14
IBE Setup
Why do we need a setup algorithm for IBE and not for regular PKE?
Not because we need to generate our secret keys with
After all, each user could just generate as we do in regular PKE, right?
Slide15
IBE Setup
Why do we need a setup algorithm for IBE and not for regular PKE?
Not because we need to generate our secret keys with
After all, each user could just generate as we do in regular PKE, right?
Wrong! We need to ensure that the parameters are chosen well, so that there’s no clash!
Slide16
Pairing Based IBE
Designed by Boneh and Franklin in 2001
Ingredients:
Identity space
A hash function (will see it later)
A bilinear mapping
Setup outputs:
A couple of groups of prime order
A secret value
A generator for, and the value
A hash function
Set
Slide17
Boneh-Franklin IBE
ID-specific secret key generation:
Takes input
Output
Encryption:
Takes input
Choose random, compute
Output:
Decryption:
Takes input
Compute:
Slide18
Security of Boneh-Franklin
Theorem:
BF is IND-CPA in the random oracle model if the Decisional Bilinear DH problem is hard in the group
Translation:
In the random oracle model
If there exists an adversary that wins the IND-CPA game against the BF scheme with probability
Then there exists an adversary B that can solve the DBDH problem in the group with probability
Slide19
IND-CPA for IBE
IND-CPA: an eavesdropper can’t tell even 1 bit of the plaintext
A wins iff. its guess is correct and it never queried the secret key of the challenge identity
Parameter: RO queries
Intuition: we will need the ROM in order to make sure that the small entropy from identifiers translates to a LOT of entropy for the secret keys
Slide20
Proof of IND-CPA of BF
Proof:
B’s goal is to distinguish between and
B’s strategy will be to inject the challenge into a single identity; then B will hope that A will output THAT identity for the challenge
Constructing B:
Receives with random or
Begin by running, need to output to A
Insert, output to A
A can now make and queries
The former outputs secret keys, but not for the challenge ID
The latter allows to just hash identities (in the ROM)
Slide21
Proof of IND-CPA of BF
Proof (continued):
Constructing B:
Receives with random or
Begin by running, need to output to A
Insert, output to A
A can now make and queries
B: guesses a random index:
Answer to H queries (programming RO):
On the -th query, pick random, output
On the -th query, insert
Answer to queries: B knows the DLog of all, except for the -th query
But A can’t query the secret key for that identity if it’s his challenge
Slide22
Proof of IND-CPA of BF
Proof (continued):
Constructing B:
Receives with random or
Running, output to A
Answer to queries:
B: guesses a random index:
Answer to H queries (programming RO):
On the -th query, pick random, output
On the -th query, insert
Answer to queries:
On the -th query, output
On the -th query, abort
A’s challenge: A outputs
If was not the -th query, abort
Else: choose random, output
Slide23
Proof of IND-CPA of BF
Proof (continued):
Receives with random or
Running, output to A
Answer to queries:
B: guesses a random index:
Answer to H queries (programming RO):
On the -th query, pick random, output
On the -th query, insert
Answer to queries:
On the -th query: ; if, abort
A’s challenge: A outputs
If was not the -th query, abort and guess if or not
Else: choose random, output
A’s response: guess of
B guesses iff.
Slide24
Proof of IND-CPA of BF
Proof (cont):
Analysis:
B chooses the wrong index implies B had to guess (B wins w.p.)
Happens w.p.
B chooses the right index implies:
If the DBDH challenge value is real, the simulation of the game is perfect; A wins w.p.
If is random, is statistically independent from; A wins w.p.
B wins w.p.: +
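The simulator B from the proof above, as an added example written for this page (not the lecture's code): it programs H1 so that the guessed identity hashes to g^b and every other identity to g^t with t known, answers key queries for the others as P_pub^t, aborts in the two cases the proof aborts, and embeds g^c and T into the challenge ciphertext. The group is the toy one where elements are stored as discrete logs with respect to g and e(g^x, g^y) is stored as xy mod q, so a, b and c are visible to the test harness and DBDH is not hard; the point is to verify the proof's claims that non-target keys are exactly H1(ID)^a and that the challenge is a genuine ciphertext exactly when T = e(g,g)^(abc). The prime q, the message length N, SHA-256 as the stand-in for the random oracle H2, and all names are assumptions.

```python
import hashlib
import secrets

q = 2**61 - 1   # toy prime group order (assumption)
N = 16          # message length in bytes (assumption)

def pair(x, y): return x * y % q                       # e(g^x, g^y) = e(g,g)^(xy), stored as xy mod q
def rnd(): return secrets.randbelow(q - 1) + 1
def H2(k): return hashlib.sha256(b"H2" + k.to_bytes(8, "big")).digest()[:N]   # RO G_T -> {0,1}^N (stand-in)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

class Simulator:
    """B receives (g^a, g^b, g^c, T) and guesses that the j-th distinct identity sent to H1 is the challenge one."""
    def __init__(self, ga, gb, gc, T, j):
        self.ga, self.gb, self.gc, self.T, self.j = ga, gb, gc, T, j
        self.table = {}          # identity -> (H1 value, its discrete log if B knows it, else None)
        self.mpk = ga            # P_pub = g^a: the unknown a plays the role of the master secret s

    def H1(self, ident):
        if ident not in self.table:
            if len(self.table) + 1 == self.j:
                self.table[ident] = (self.gb, None)     # programmed: H1(ID_j) = g^b, DLog unknown to B
            else:
                t = rnd()
                self.table[ident] = (t, t)               # H1(ID) = g^t with t chosen (and known) by B
        return self.table[ident][0]

    def extract(self, ident):
        self.H1(ident)
        h, t = self.table[ident]
        if t is None:
            raise RuntimeError("abort: key query for the guessed challenge identity")
        return self.ga * t % q                          # P_pub^t = g^(at) = H1(ID)^a, computed without a

    def challenge(self, ident, m0, m1, bit):
        if self.H1(ident) != self.gb:
            raise RuntimeError("abort: wrong guess, the challenge identity is not ID_j")
        U = self.gc                                     # g^c plays the role of g^r
        V = xor((m0, m1)[bit], H2(self.T))              # real ciphertext iff T = e(g,g)^(abc)
        return U, V

def consistency_check():
    """Only possible in the toy model (a, b, c visible): confirm the claims made in the analysis."""
    a, b, c = rnd(), rnd(), rnd()
    real_T, random_T = a * b * c % q, rnd()
    m0, m1 = b"message number 0", b"message number 1"
    ids = ["carol@example.com", "alice@example.com", "dave@example.com"]   # constructed sample identities
    out = {}
    sim = Simulator(a, b, c, real_T, j=2)
    for i in ids:
        sim.H1(i)
    # keys handed out for non-target identities equal H1(ID)^a, so A sees a perfectly simulated KeyGen
    out["keys_consistent"] = all(sim.extract(i) == sim.table[i][0] * a % q
                                 for i in ids if i != "alice@example.com")
    try:
        sim.extract("alice@example.com"); out["abort_on_target"] = False
    except RuntimeError:
        out["abort_on_target"] = True
    try:
        sim.challenge("carol@example.com", m0, m1, 1); out["abort_on_wrong_guess"] = False
    except RuntimeError:
        out["abort_on_wrong_guess"] = True
    d_alice = sim.table["alice@example.com"][0] * a % q   # the genuine key g^(ab), which B cannot compute
    U, V = sim.challenge("alice@example.com", m0, m1, 1)
    out["real_T_decrypts"] = xor(V, H2(pair(d_alice, U))) == m1      # e(g^(ab), g^c) = e(g,g)^(abc) = T
    sim2 = Simulator(a, b, c, random_T, j=2)
    for i in ids:
        sim2.H1(i)
    U, V = sim2.challenge("alice@example.com", m0, m1, 1)
    out["random_T_decrypts"] = xor(V, H2(pair(d_alice, U))) == m1    # mask independent of the bit
    return out

if __name__ == "__main__":
    print(consistency_check())
```

When T is random, V is a one-time pad of m_bit under an unrelated mask, which is the "statistically independent" case in the analysis; when T is real, A is playing the genuine IND-CPA game, so its advantage carries over to B's DBDH decision once the index guess is right.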
Slide25
Part II
The Uses of IBE
Slide26
Fujisaki-Okamoto
Designed a “compiler”:
Input: a PKE scheme that’s IND-CPA secure
Output: a PKE scheme that’s IND-CCA secure
Boneh and Franklin used it on their IND-CPA scheme, and obtained an IND-CCA one
We won’t look at the generic compiler, but let’s see the IND-CCA version of BF!
For interested readers, see: Fujisaki, Okamoto, “Secure integration of asymmetric and symmetric encryption schemes”, Crypto 99
Slide27
CCA-secure IBE
Setup outputs:
A couple of groups of prime order
A secret value
A generator for, and the value
Hash functions:
Set
ID-specific secret key generation:
Takes input
Output
Slide28
IND-CCA version of BF
Setup:
Key generation:
Encryption:
Takes input
Choose random, compute
Output:
Decryption:
Takes input
Compute:
Finally get
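The IND-CPA Boneh-Franklin scheme from the earlier slide (BasicIdent) next to its Fujisaki-Okamoto-hardened IND-CCA version from this slide (FullIdent), as an added example written for this page and not taken from the lecture or from Boneh and Franklin. The toy bilinear group stores elements as discrete logs with respect to g (so P_pub literally reveals s, and nothing is secure); SHA-256 with domain tags stands in for the random oracles H1 to H4; q, N and all names are assumptions. The demo shows the malleability the earlier slides warn about: flipping a bit of a BasicIdent ciphertext flips the same bit of the recovered plaintext, while FullIdent's re-encryption check (U must equal g^(H3(sigma, M))) rejects the tampered ciphertext, and also rejects decryption under another identity's key.

```python
import hashlib
import secrets

q = 2**61 - 1   # prime order of the toy groups (assumption)
N = 16          # message and mask length in bytes (assumption)

def pair(x, y): return x * y % q             # e(g^x, g^y) = e(g,g)^(xy), stored as xy mod q
def rnd(): return secrets.randbelow(q - 1) + 1
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _h(tag, *parts):
    """Domain-separated SHA-256, standing in for the random oracles H1..H4."""
    m = hashlib.sha256(tag)
    for p in parts:
        m.update(p if isinstance(p, bytes) else p.to_bytes(8, "big"))
    return m.digest()

def H1(ident): return int.from_bytes(_h(b"H1", ident.encode()), "big") % q   # {0,1}* -> G (as exponent)
def H2(k): return _h(b"H2", k)[:N]                                          # G_T -> {0,1}^N
def H3(sigma, m): return int.from_bytes(_h(b"H3", sigma, m), "big") % q      # {0,1}^N x {0,1}^N -> Z_q
def H4(sigma): return _h(b"H4", sigma)[:N]                                  # {0,1}^N -> {0,1}^N

def setup():
    """msk = s, mpk = P_pub = g^s (stored as s: the toy model hides nothing)."""
    s = rnd()
    return s, s

def extract(s, ident):
    return H1(ident) * s % q                  # d_ID = H1(ID)^s

# BasicIdent (IND-CPA only): U = g^r, V = M xor H2(e(H1(ID), P_pub)^r)
def enc_basic(ppub, ident, m):
    r = rnd()
    return r, xor(m, H2(pair(H1(ident), ppub) * r % q))

def dec_basic(d, U, V):
    return xor(V, H2(pair(d, U)))             # e(d_ID, U) = e(H1(ID), g)^(sr), the same mask

# FullIdent (Fujisaki-Okamoto hardened): r is derived from (sigma, M) and decryption re-checks U
def enc_full(ppub, ident, m):
    sigma = secrets.token_bytes(N)
    r = H3(sigma, m)
    U = r                                     # g^r
    V = xor(sigma, H2(pair(H1(ident), ppub) * r % q))
    W = xor(m, H4(sigma))
    return U, V, W

def dec_full(d, U, V, W):
    sigma = xor(V, H2(pair(d, U)))
    m = xor(W, H4(sigma))
    if H3(sigma, m) != U:                     # any change to U, V or W breaks this binding: reject
        return None
    return m

def demo():
    """BasicIdent silently decrypts a tampered ciphertext to a changed message; FullIdent rejects it."""
    s, ppub = setup()
    ident = "alice@example.com"               # constructed sample identity
    d = extract(s, ident)
    m = b"PAY 0010 TO BOB!"                   # constructed 16-byte sample message
    mask = bytes(0x08 if i == 6 else 0 for i in range(N))   # flips '1' (0x31) to '9' (0x39) at index 6
    U, V = enc_basic(ppub, ident, m)
    basic_ok = dec_basic(d, U, V)
    basic_tampered = dec_basic(d, U, xor(V, mask))
    U, V, W = enc_full(ppub, ident, m)
    full_ok = dec_full(d, U, V, W)
    full_tampered = dec_full(d, U, V, xor(W, mask))
    other_key = dec_full(extract(s, "bob@example.com"), U, V, W)
    return basic_ok, basic_tampered, full_ok, full_tampered, other_key

if __name__ == "__main__":
    print(demo())
```

The only change from BasicIdent is that the randomness r is no longer free: it is a hash of the one-time value sigma and the message, so a decryptor can recompute it and confirm the ciphertext was honestly formed, which is what denies a CCA adversary any useful decryption oracle.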
Slide29
Security Statement
Theorem:
In the Random Oracle Model (all ROs)
If the DBDH assumption holds in the group, then the modified Boneh-Franklin scheme is IND-CCA secure
We will not prove this here
Intuition: hides like it hid before, and we use to hide in. We use to cryptographically bind to, but since is a random oracle, any change in creates a random output.
Slide30
Signatures in the Standard Model
So far we’ve seen:
IND-CPA-secure encryption in the standard model (no ROs required) – ElGamal
IND-CPA-secure IBE in the ROM – Boneh-Franklin
IND-CCA-secure IBE in the ROM – BF + FO
EUF-CMA signatures in the ROM using Full-domain hashing (FDH)
Let’s see now: (strongly) EUF-CMA signatures without random oracles, using pairings
Slide31
Strong unforgeability
EUF-CMA: adversary can’t forge a signature on a fresh message (one never queried to Sign)
Store list of queries to Sign
A wins iff. and
sEUF-CMA: adversary can’t forge a fresh signature (a new message-signature pair, even for a message already queried to Sign)
Store list of queries to Sign
A wins iff. and
Slide32
Strong Unforgeability: BSW
Boneh, Shen, Waters
Ingredients:
Group of prime order such that, with
Hash function such that
Key generation:
Choose secret, compute
Choose public, and random
Set and pick
Output: and
Slide33
Strong Unforgeability: BSW
Key generation outputs and
Signing message:
Pick random; set
Set; interpret as an element of
Do; write, with
Compute:, output
Verification of signature for message:
Compute, encode it as an element of
Do; write, with
Verify:
Slide34
Strong Unforgeability of BSW
Theorem:
Given that the hash function is collision resistant
Given that CDH is hard to solve in the group
Then the BSW scheme is strongly EUF-CMA
Proof: Goal of sEUF-CMA attacker: output tuple such that
Divide forgeries into 3 types:
Type I: and (reduce to CR of H)
Type II: and (reduce to DLog)
Type III: (reduce to CDH)
Slide35
Proof – Type I Forgeries
sEUF-CMA adversary A outputs such that and
Build adversary B that breaks collision resistance of
Setup: B simply runs setup honestly, and picks. Output and
Signatures: B signs messages honestly
Challenge: B receives A’s forgery such that, corresponding to
Analysis: Since, what we want to prove is. Say and. We know. The fact that implies. If, then A lost. Else, A wins, but produces a collision in.
Slide36
Proof – Type II Forgeries
sEUF-CMA adversary A outputs such that and
Build adversary B that breaks DLog
B receives from the challenger, must find
Setup: inject into, get honestly, output to A
Signature queries: signatures done honestly
Forgery: B receives A’s forgery such that, corresponding to
Analysis: As, we know =, in which are known. Output as the DLog
Slide37
Proof – Type III Forgeries
We will not cover them here.
The proof is more complicated, and relies on a transformation of EUF-CMA to sEUF-CMA