Presentation is loading. Please wait.

Presentation is loading. Please wait.

The power of Pairings towards standard model security

Published byNeil Preston Modified over 5 years ago

Similar presentations

Presentation on theme: "The power of Pairings towards standard model security"β€” Presentation transcript:

1 The power of Pairings towards standard model security
Pairings, IBE, IND-CCA-secure encryption, authentication

2 From previous lecture Public-key Crypto PKE Signature Schemes
Alternative to symmetric key primitives Do not require sharing keys, but they require a PKI PKE Comes in 2 flavours: IND-CPA and IND-CCA Saw 1 constrution based on DDH that is IND-CPA Malleability implies no IND-CCA Signature Schemes Security: EUF-CMA RSA signatures are not EUF-CMA But we could use FDH in the random oracle model

3 Part I Pairings

4 Pairings in General Setting :
2 additive groups 𝐺 1 , 𝐺 2 , multiplicative group 𝐺 𝑇 All three groups of prime order π‘ž We can write 𝐺 1 =<𝑃, …q𝑃> and 𝐺 2 =<𝑄, …, q𝑄> Imagine a mapping 𝑒: 𝐺 1 Γ— 𝐺 2 β†’ 𝐺 𝑇 such that: Bilinear: for all a,b∈{1, …, π‘žβˆ’1} it holds that: 𝑒 a𝑃, b𝑄 = 𝑒(𝑃,𝑄) π‘Žπ‘ Non-degenerate: 𝑒(𝑃,𝑄)β‰ 1 Efficiently computable

5 Pairings in Cryptography
Usually computed on elliptic curves There are different types, depending on how the pairing is constructed Security depends on type and on something called β€œembedding degree” Mostly defined with elements from additive subgroups (rather than multiplicative ones), but we will keep the multiplicative notation We will not cover specifics in this course If you’re interested, you could read: Lawrence C. Washington: β€˜Elliptic curves: Number theory and cryptography’

6 DDH and Pairings Consider multiplicative group 𝔾= <𝑔> of prime order π‘ž, and a pairing 𝑒:𝔾×𝔾→ 𝔾 𝑇 on this group Given 𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 DDH problem requires to decide whether 𝑔 𝑐 = 𝑔 π‘Žπ‘ or 𝑔 𝑐 just random element Bilinearity: 𝑒 𝑔 π‘Ž , 𝑔 𝑏 = 𝑒(𝑔,𝑔) π‘Žπ‘ =𝑒(𝑔, 𝑔 π‘Žπ‘ ) DDH adversary tests whether 𝑒 𝑔 π‘Ž , 𝑔 𝑏 =𝑒(𝑔, 𝑔 𝑐 ) If so, then guess that 𝑔 𝑐 = 𝑔 π‘Žπ‘ Else, output that 𝑔 c is random Conclusion: DDH is easy to solve in groups that admit pairings

7 Hard Problems with Pairings
Setup: multiplicative group 𝔾=<𝑔> of prime order π‘ž, given a bilinear mapping 𝑒:𝔾×𝔾→ 𝔾 𝑇 Computational Bilinear DH problem: Given (𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 ), compute 𝑔 π‘Žπ‘π‘ Decisional Bilinear DH problem Given (𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 , 𝑔 𝑧 ), decide whether 𝑔 𝑧 = 𝑔 π‘Žπ‘π‘ CDH and DLog: We think these are still hard despite pairings

8 Why we use pairings Alice Bob Alice Charlie Bob Choose Choose Compute
𝐴 1 =π‘Žπ‘ƒ; 𝐴 2 =π‘Žπ‘„ Alice Bob Alice Choose a ∈ 𝑅 {0, …, π‘žβˆ’1} Choose b ∈ 𝑅 {0, …, π‘žβˆ’1} 𝐴=a𝑃 𝑨 𝟏 , 𝑨 𝟐 π‘ͺ 𝟏 , π‘ͺ 𝟐 𝑩 𝟏 , 𝑩 𝟐 𝐡=b𝑃 Charlie Bob Compute 𝐾=b𝐴 Compute 𝐾=a𝐡 c ∈ 𝑅 {0, …, π‘žβˆ’1} 𝐢 1 =𝑐𝑃; 𝐢 2 =𝑐𝑄 b ∈ 𝑅 {0, …, π‘žβˆ’1} 𝐢 1 =𝑏𝑃; 𝐢 2 =𝑏𝑄 Same 𝐾: b𝐴=ba𝑃=ab𝑃=a𝐡

9 Three-partite Key Exchange
𝐾= 𝑒( 𝐡 1 , 𝐢 2 ) π‘Ž = 𝑒(𝑏𝑃,𝑐𝑄) π‘Ž = 𝑒(𝑃,𝑄) π‘Žπ‘π‘ Alice Bob Alice Choose a ∈ 𝑅 {0, …, π‘žβˆ’1} Choose b ∈ 𝑅 {0, …, π‘žβˆ’1} 𝑨 𝟏 , 𝑨 𝟐 𝐴=a𝑃 π‘ͺ 𝟏 , π‘ͺ 𝟐 𝑩 𝟏 , 𝑩 𝟐 𝐡=b𝑃 Charlie Bob Compute 𝐾=b𝐴 Compute 𝐾=a𝐡 𝐾= 𝑒( 𝐴 1 , 𝐡 2 ) 𝑐 = 𝑒(π‘Žπ‘ƒ,𝑏𝑄) 𝑐 = 𝑒(𝑃,𝑄) π‘Žπ‘π‘ 𝐾= 𝑒( 𝐢 1 , 𝐴 2 ) 𝑏 = 𝑒(𝑃,𝑄) π‘Žπ‘π‘ Same 𝐾: b𝐴=ba𝑃=ab𝑃=a𝐡

10 Part II Identity-Based Encryption

11 PKE and IBE PKE: IBE: Alice has a private key for decryption
Bob (and everyone else) has a public key for encryption to Alice Problem of certification: whose key is that? IBE: Bob has (a function of) Alice’s identity (name, address, social security number) as a PK Alice can derive a secret key from that Bob encrypts with Alice’s identity, so only she can decrypt

12 IBE Syntax Tuple of algorithms (Setup, KGen, Enc, Dec) with:
Setup( 1 πœ† ): on input the security parameter, this algorithm outputs (𝑀𝑆𝐾, π‘ƒπ‘ƒπ‘Žπ‘Ÿ), a master secret key and some global parameters KGen(𝑀𝑆𝐾, 𝐼𝐷) : on input the master secret key and the identity, this algorithm outputs an identity-specific secret key 𝑠 π‘˜ 𝐼𝐷 Enc(𝐼𝐷;𝑀): on input an identity and a message, output a ciphertext 𝑐 𝐷𝑒𝑐(𝑠 π‘˜ 𝐼𝐷 , 𝑐): on input the identity-specific 𝑠 π‘˜ 𝐼𝐷 and a cipher- text, output plaintext π‘š or symbol βŠ₯

13 IBE Setup Why do we need a setup algorithm for IBE and not for regular PKE?

14 IBE Setup Why do we need a setup algorithm for IBE and not for regular PKE? Not because we need 𝑀𝑆𝐾 to generate our secret keys with After all, each user could just generate 𝑠 π‘˜ 𝐼𝐷 as we do in regular PKE, right?

15 IBE Setup Why do we need a setup algorithm for IBE and not for regular PKE? Not because we need 𝑀𝑆𝐾 to generate our secret keys with After all, each user could just generate 𝑠 π‘˜ 𝐼𝐷 as we do in regular PKE, right? Wrong! We need to ensure that the parameters are chosen well, so that there’s no clash for 𝑠 π‘˜ 𝐼𝐷 !

16 Pairing Based IBE Designed by Boneh and Franklin in 2001 Ingredients:
Identity space 𝕀𝔻 A hash function (will see it later) A bilinear mapping Setup outputs: A couple of groups 𝔾, 𝔾 𝑇 of prime order π‘ž A secret value π‘¦βˆˆ{1, 2, …, π‘žβˆ’1} A generator 𝑔 for 𝔾, and the value 𝑔 𝑦 A hash function 𝐻: 𝕀𝔻→𝔾 Set 𝑀𝑆𝐾=𝑦 ; π‘ƒπ‘ƒπ‘Žπ‘Ÿ=(𝔾, 𝔾 𝑇 , 𝑔, 𝑔 𝑦 , 𝐻)

17 Boneh-Franklin IBE 𝑀𝑆𝐾=𝑦 ; π‘ƒπ‘ƒπ‘Žπ‘Ÿ=(𝔾, 𝔾 𝑇 , 𝑔, 𝑔 𝑦 ,𝐻)
𝑀𝑆𝐾=𝑦 ; π‘ƒπ‘ƒπ‘Žπ‘Ÿ=(𝔾, 𝔾 𝑇 , 𝑔, 𝑔 𝑦 ,𝐻) ID-specific secret key generation: Takes input 𝑦, 𝐼𝐷 Output 𝑠 π‘˜ 𝐼𝐷 = 𝐻 𝐼𝐷 𝑦 βˆˆπ”Ύ Encryption: Takes input π‘š, 𝐼𝐷 Choose random π‘Ÿβˆˆ{1, …,π‘žβˆ’1}, compute 𝑔 π‘Ÿ Output: 𝑐=( 𝑔 π‘Ÿ , π‘šβ‹… 𝑒 𝐻 𝐼𝐷 , 𝑔 𝑦 π‘Ÿ ) Decryption: Takes input 𝑐=( 𝑐 1 , 𝑐 2 ), 𝑠 π‘˜ 𝐼𝐷 Compute: 𝑐 2 𝑒(𝐻 𝐼𝐷 𝑦 , 𝑔 π‘Ÿ ) = π‘š

18 Security of Boneh-Franklin
Theorem: BF is IND-CPA in the random oracle model if the Decisional Bilinear DH problem is hard in 𝔾 Translation: In the random oracle model If there exists an adversary that wins the IND-CPA game against the BF scheme with probability 𝑝 𝐴 Then there exists an adversary B that can solve the DBDH problem in 𝔾 with probability π‘ž 𝐻 𝑝 𝐴 ,

19 IND-CPA for IBE 𝑀𝑆𝐾, π‘ƒπ‘ƒπ‘Žπ‘Ÿ ←Setup ( 1 πœ† )
IND-CPA: eavesdropper can’t tell even 1 bit of p-text 𝑀𝑆𝐾, π‘ƒπ‘ƒπ‘Žπ‘Ÿ ←Setup ( 1 πœ† ) 𝑏 ← $ 0,1 π‘š 0 , π‘š 1 , 𝐼𝐷 ← A 𝐾𝐺𝑒𝑛 β‹… , 𝐻(β‹…) (π‘ƒπ‘ƒπ‘Žπ‘Ÿ, 1 πœ† ) 𝑐←Enc(𝐼𝐷; π‘š 𝑏 ) 𝑑← A 𝐾𝐺𝑒𝑛(β‹…) (𝑐, π‘ƒπ‘ƒπ‘Žπ‘Ÿ, 1 πœ† ) A wins iff. 𝑑=𝑏 and KGen(𝐼𝐷) never queried Parameter: π‘ž 𝐻 RO queries Intuition: we will need the ROM in order to make sure that the small entropy from identifiers translates to a LOT of entropy for the secret keys

20 Proof of IND-CPA of BF Proof:
B’s goal is to distinguish between (𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 , 𝑔 π‘Žπ‘π‘ ) and (𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 , 𝑔 𝑧 ) B’s strategy will be to inject the challenge into a single identity 𝐼𝐷; then B will hope that A will output THAT identity for the challenge Constructing B: Receives (𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 , 𝑔 𝑧 ) with 𝑧 random or 𝑧=π‘Žπ‘π‘ Begin by running Setup, need to output π‘ƒπ‘π‘Žπ‘Ÿ to A Insert 𝑔 𝑦 = 𝑔 π‘Ž , output 𝔾, 𝔾 𝑇 ,𝑔, 𝑔 π‘Ž ,𝐻 to A A can now make 𝐾𝐺𝑒𝑛 and 𝐻 queries The former outputs secret keys, but not for the challenge ID The latter allows to just hash identities (in the ROM)

21 Proof of IND-CPA of BF Proof (continued): Constructing B:
Receives (𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 , 𝑔 𝑧 ) with 𝑧 random or 𝑧=π‘Žπ‘π‘ Begin by running Setup, need to output π‘ƒπ‘π‘Žπ‘Ÿ to A Insert 𝑔 𝑦 = 𝑔 π‘Ž , output 𝔾, 𝔾 𝑇 ,𝑔, 𝑔 π‘Ž ,𝐻 to A A can now make 𝐾𝐺𝑒𝑛 and 𝐻 queries B: guesses a random index: π‘–βˆˆ{1, …, π‘ž 𝐻 } Answer to H queries (programming RO): On 𝑗-th query, 𝑗≠𝑖, pick random π‘Ÿ 𝑗 , output 𝐻 π‘₯ = 𝑔 𝑣 On 𝑖-th query, insert 𝐻 π‘₯ = 𝑔 𝑏 Answer to KGen queries: B knows DLog of of all 𝐻(π‘₯), except for the 𝑖-th query But A can’t query the 𝑆𝐾 for that if it’s his challenge

22 Proof of IND-CPA of BF Proof (continued): Constructing B:
Receives (𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 , 𝑔 𝑧 ) with 𝑧 random or 𝑧=π‘Žπ‘π‘ Running Setup, output 𝔾, 𝔾 𝑇 ,𝑔, 𝑔 π‘Ž ,𝐻 to A Answer to queries: B: guesses a random index: π‘–βˆˆ{1, …, π‘ž 𝐻 } Answer to H queries (programming RO): On 𝑗-th query, 𝑗≠𝑖, pick random π‘Ÿ 𝑗 , output 𝐻 π‘₯ = 𝑔 π‘Ÿ 𝑗 On 𝑖-th query, insert 𝐻 π‘₯ = 𝑔 𝑏 Answer to KGen queries: On 𝑗-th query, output 𝑆 𝐾 𝐼𝐷 = (𝑔 π‘Ž ) π‘Ÿ 𝑗 =𝐻 π‘₯ π‘Ž On 𝑖-th query, abort A’s challenge: A outputs ( π‘š 0 , π‘š 1 , 𝐼𝐷) If 𝐼𝐷 was not 𝑖-th query, abort Else: choose random 𝑏 βˆ— , output ( 𝑔 𝑐 , 𝑀 𝑏 βˆ— β‹… 𝑔 𝑧 )

23 Proof of IND-CPA of BF Proof (continued):
Receives (𝑔, 𝑔 π‘Ž , 𝑔 𝑏 , 𝑔 𝑐 , 𝑔 𝑧 ) with 𝑧 random or 𝑧=π‘Žπ‘π‘ Running Setup, output 𝔾, 𝔾 𝑇 ,𝑔, 𝑔 π‘Ž ,𝐻 to A Answer to queries: B: guesses a random index: π‘–βˆˆ{1, …, π‘ž 𝐻 } Answer to H queries (programming RO): On 𝑗-th query, 𝑗≠𝑖, pick random π‘Ÿ 𝑗 , output 𝐻 π‘₯ = 𝑔 π‘Ÿ 𝑗 On 𝑖-th query, insert 𝐻 π‘₯ = 𝑔 𝑏 Answer to KGen queries: On 𝑗-th query: 𝑆 𝐾 𝐼𝐷 = (𝑔 π‘Ž ) π‘Ÿ 𝑗 =𝐻 π‘₯ π‘Ž ; if 𝑗=𝑖, abort A’s challenge: A outputs ( π‘š 0 , π‘š 1 , 𝐼𝐷) If 𝐼𝐷 was not 𝑖-th query, abort and guess if 𝑧=π‘Žπ‘π‘ or not Else: choose random 𝑏 βˆ— , output ( 𝑔 𝑐 , 𝑀 𝑏 βˆ— β‹… 𝑔 𝑧 ) A’s response: guess 𝑑 βˆ— of 𝑏 βˆ— B guesses 𝑧=π‘Žπ‘π‘ iff. 𝑑 βˆ— = 𝑏 βˆ—

24 Proof of IND-CPA of BF Proof (cont): Analysis:
B chooses the wrong 𝑖 implies B had to guess (B wins w.p ) Happens w.p. 1βˆ’ 1 π‘ž 𝐻 B chooses the right 𝑖 implies: If 𝑧=π‘Žπ‘π‘ simulation of game is perfect; A wins w.p 𝑝 𝐴 If 𝑧 is random, 𝑐 is statistically independent from π‘š 0 , π‘š 1 A wins w.p. 1 2 B wins w.p.: 1 π‘ž 𝐻 β„™ 𝐡 wins 𝐡 guesses right] + 1βˆ’ 1 π‘ž 𝐻 β‹… 1 2 = 1 π‘ž 𝐻 𝑝 𝐴 β‹… βˆ’ 1 π‘ž 𝐻 β‹… 1 2 = π‘ž 𝐻 𝑝 𝐴

25 Part II The Uses of IBE

26 Fujisaki-Okamoto Designed a β€œcompiler”:
Input: a PKE scheme that’s IND-CPA secure Output: a PKE scheme that’s IND-CCA secure Boneh and Franklin used it on their IND-CPA scheme, and obtained an IND-CCA one We won’t look at the generic compiler, but let’s see the IND-CCA version of BF! For interested readers, see: Fujisaki, Okamoto β€œSecure integration of asymmetric and symmetric encryption schemes”, Crypto 99

27 CCA-secure IBE Setup outputs: ID-specific secret key generation:
A couple of groups 𝔾, 𝔾 𝑇 of prime order π‘ž A secret value π‘¦βˆˆ{1, 2, …, π‘žβˆ’1} A generator 𝑔 for 𝔾, and the value 𝑔 𝑦 Hash functions: 𝐻: 𝕀𝔻→𝔾, 𝐹: 0,1 π‘ž Γ— 0,1 π‘ž β†’ β„€ π‘ž βˆ— , 𝐺: 0,1 πœ† β†’ 0,1 πœ† Set 𝑀𝑆𝐾=𝑦 ; π‘ƒπ‘ƒπ‘Žπ‘Ÿ=(𝔾, 𝔾 𝑇 , 𝑔, 𝑔 𝑦 , 𝐹,𝐺,𝐻) ID-specific secret key generation: Takes input 𝑦, 𝐼𝐷 Output 𝑠 π‘˜ 𝐼𝐷 = 𝐻 𝐼𝐷 𝑦 βˆˆπ”Ύ

28 IND-CCA version of BF Setup: 𝑀𝑆𝐾=𝑦 ; π‘ƒπ‘ƒπ‘Žπ‘Ÿ=(𝔾, 𝔾 𝑇 , 𝑔, 𝑔 𝑦 , 𝐹,𝐺,𝐻)
Key generation: 𝑠 π‘˜ 𝐼𝐷 = 𝐻 𝐼𝐷 𝑦 βˆˆπ”Ύ Encryption: Takes input π‘š, 𝐼𝐷 Choose random π‘ βˆˆ 0,1 π‘ž , compute π‘Ÿ=𝐹(𝑠,π‘š) Output: 𝑐=( 𝑔 π‘Ÿ , 𝑠⋅𝑒 𝐻 𝐼𝐷 , 𝑔 𝑦 π‘Ÿ , π‘šβ‹…πΊ(𝑠) ) Decryption: Takes input 𝑐= 𝑐 1 , 𝑐 2 , 𝑐 3 , 𝑠 π‘˜ 𝐼𝐷 =𝐻 𝐼𝐷 𝑦 Compute: 𝑐 2 𝑒(𝐻 𝐼𝐷 𝑦 , 𝑔 𝑠 ) = 𝑠 Finally get π‘š = 𝑐 3 𝐺( 𝑠 )

29 Security Statement Theorem: In the Random Oracle Model (𝐹,𝐺,𝐻 all ROs)
If the DBDH assumption holds in group 𝔾, then the modified Boneh-Franklin scheme is IND-CCA secure We will not prove this here Intuition: 𝑐 2 hides 𝑠 like it hid π‘š before, and we use 𝑠 to hide π‘š in 𝑐 3 . We use 𝐹 to cryptographically bind π‘Ÿ to 𝑠, but since 𝐹 is a random oracle any change in 𝑠 creates a random 𝐹 output.

30 Signatures in the Standard Model
So far we’ve seen: IND-CPA-secure encryption in the standard model (no ROs required) – ElGamal IND-CPA-secure IBE in the ROM – Boneh-Franklin IND-CCA-secure IBE in the ROM – BF + FO EUF-CMA signatures in the ROM using Full-domain hashing (FDH) Let’s see now: (strongly) EUF-CMA signatures without random oracles, using pairings

31 Strong unforgeability
EUF-CMA: adversary can’t forge fresh signature π‘ π‘˜, π‘π‘˜ ←KGen ( 1 πœ† ) π‘š , 𝜎 ← A Sign(βˆ—) (π‘π‘˜, 1 πœ† ) Store list β„š={ π‘š 1 , 𝜎 1 , …( π‘š π‘˜ , 𝜎 π‘˜ )} of queries to Sign A wins iff. π‘š, βˆ— βˆ‰β„š and Vf π‘π‘˜;π‘š, 𝜎 =1 sEUF-CMA: adversary can’t forge fresh signature A wins iff. π‘š, 𝜎 βˆ‰β„š and Vf π‘π‘˜;π‘š, 𝜎 =1

32 Strong Unforgeability: BSW
Boneh, Shen, Waters Ingredients: Group 𝔾 of prime order π‘ž such that 𝑒:𝔾×𝔾→ 𝔾 𝑇 , with 𝔾= <𝑔> Hash function 𝐻: 0,1 βˆ— β†’ 0,1 𝑛 such that π‘ž> 2 𝑛 Key generation 𝐾𝐺𝑒𝑛: Choose secret π‘¦βˆˆ{1, …, π‘žβˆ’1}, compute 𝑔 𝑦 Choose public 𝑔 βˆ— , β„Žβˆˆπ”Ύ, and random 𝑒 βˆ— , 𝑒 1 ,…, 𝑒 𝑛 βˆˆπ”Ύ Set π‘ˆ={ 𝑒 1 ,…, 𝑒 𝑛 } and pick 𝐻 Output: 𝑃𝐾=(𝑔, 𝑔 π‘Ž , 𝑔 βˆ— ,β„Ž, 𝑒 βˆ— ,π‘ˆ,𝐻) and 𝑆𝐾= (𝑔 βˆ— ) 𝑦

33 Strong Unforgeability: BSW
𝐾𝐺𝑒𝑛 outputs 𝑃𝐾=(𝑔, 𝑔 𝑦 , 𝑔 βˆ— ,β„Ž, 𝑒 βˆ— ,π‘ˆ,𝐻) and 𝑆𝐾= (𝑔 βˆ— ) 𝑦 Signing message π‘š: Pick random π‘Ÿ.π‘ βˆˆ β„€ π‘ž ; Set 𝜎 2 = 𝑔 π‘Ÿ βˆˆπ”Ύ Set 𝑑←𝐻 π‘š 𝜎 2 ∈ 0,1 𝑛 ; interpret 𝑑 as element of β„€ π‘ž Do 𝑣←𝐻 𝑔 𝑑 β„Ž 𝑠 ∈ 0,1 𝑛 ; write 𝑣= 𝑣 1 … 𝑣 𝑛 , with 𝑣 𝑖 ∈{0,1} Compute: 𝜎 1 = (𝑔 βˆ— ) 𝑦 ( 𝑒 βˆ— 𝑖=1 𝑛 𝑒 𝑖 𝑣 𝑖 ) π‘Ÿ , output ( 𝜎 1 , 𝜎 2 ,𝑠) Verification of signature ( 𝜎 1 , 𝜎 2 ,𝑠) for message π‘š: Compute 𝑑 =𝐻 π‘š 𝜎 2 , encode it as element of β„€ π‘ž Do 𝑣 ←𝐻 𝑔 𝑑 β„Ž 𝑠 ∈ 0,1 𝑛 ; write 𝑣= 𝑣 1 … 𝑣 𝑛 , with 𝑣 𝑖 ∈{0,1} Verify: 𝑒 𝜎 1 ,𝑔 =𝑒 𝜎 2 , 𝑒 βˆ— 𝑖=1 𝑛 𝑒 𝑖 𝑣 𝑖 ⋅𝑒( 𝑔 𝑦 , 𝑔 βˆ— )

34 Strong Unforgeability of BSW
Theorem: Given the hash function 𝐻 is collision resistant Given the CDH is hard to solve in group 𝔾 Then the BSW scheme is strongly EUF-CMA Proof: Goal of sEUF-CMA attacker: output tuple ( π‘š βˆ— ,( 𝜎 1 , 𝜎 2 ,𝑠)) such that π‘š βˆ— , 𝜎 1 , 𝜎 2 ,𝑠 βˆ‰π‘„ Divide forgeries in 3 types: Type I: 𝑣 βˆ— =𝑣 and 𝑑 βˆ— =𝑑 (reduce to CR of H) Type II: 𝑣 βˆ— =𝑣 and 𝑑 βˆ— ≠𝑑 (reduce to DLog) Type III: 𝑣 βˆ— ≠𝑣 (reduce to CDH)

35 Proof – type i forgeries
sEUF-CMA adversary A outputs ( π‘š βˆ— ,( 𝜎 1 βˆ— , 𝜎 2 βˆ— , 𝑠 βˆ— )) such that 𝑣 βˆ— =𝑣 and 𝑑 βˆ— =𝑑 Build adversary B that breaks collision resistance of 𝐻 Setup: B simply runs setup honestly, and picks 𝐻. Output 𝑃𝐾=(𝑔, 𝑔 𝑦 , 𝑔 βˆ— ,β„Ž, 𝑒 βˆ— ,π‘ˆ,𝐻) and 𝑆𝐾= (𝑔 βˆ— ) 𝑦 Signatures: B signs messages honestly Challenge: B receives A’s forgery ( π‘š βˆ— ,( 𝜎 1 βˆ— , 𝜎 2 βˆ— , 𝑠 βˆ— )) such that 𝑣 βˆ— =𝑣 corresponding to π‘š, 𝜎 1 , 𝜎 2 ,𝑠 βˆˆπ‘„ Analysis: Since 𝑑 βˆ— =𝑑, t βˆ— =H M βˆ— 𝜎 2 βˆ— , t=H M | 𝜎 2 ), what we want to prove is M 𝜎 2 β‰  𝑀 βˆ— 𝜎 2 βˆ— . Say 𝑀= 𝑀 βˆ— and 𝑔 π‘Ÿ =𝜎 2 = 𝜎 2 βˆ— . We know 𝑣 βˆ— =𝑣=𝐻 𝑔 𝑑 β„Ž 𝑠 . The fact that 𝑣 βˆ— =𝑣 implies 𝜎 1 = 𝜎 1 βˆ— . If 𝑠 βˆ— =𝑠, then A lost. Else, A wins, but produces collision in 𝐻 𝑔 𝑑 β„Ž 𝑠 .

36 Proof – Type II Forgeries
sEUF-CMA adversary A outputs ( π‘š βˆ— ,( 𝜎 1 βˆ— , 𝜎 2 βˆ— , 𝑠 βˆ— )) such that 𝑣 βˆ— =𝑣 and 𝑑 βˆ— ≠𝑑 Build adversary B that breaks Dlog B receives (𝑔, β„Ž) from challenger, must find log 𝑔 β„Ž Setup: inject g, h into 𝑃𝐾=(𝑔, 𝑔 𝑦 , 𝑔 βˆ— ,β„Ž, 𝑒 βˆ— ,π‘ˆ,𝐻), get 𝑆𝐾= (𝑔 βˆ— ) 𝑦 honestly, output 𝑃𝐾 to A Signature queries: signatures done honestly Forgery: B receives A’s forgery ( π‘š βˆ— ,( 𝜎 1 βˆ— , 𝜎 2 βˆ— , 𝑠 βˆ— )) such that 𝑣 βˆ— =𝑣 corresponding to π‘š, 𝜎 1 , 𝜎 2 ,𝑠 βˆˆπ‘„ Analysis: As 𝑣 βˆ— =𝑣=𝐻 𝑔 𝑑 β„Ž 𝑠 , we know 𝐻 𝑔 𝑑 β„Ž 𝑠 =𝐻 𝑔 𝑑 βˆ— β„Ž 𝑠 βˆ— , in which 𝑠,𝑠 βˆ— ,𝑑, 𝑑 βˆ— are known. Output π‘Ž= π‘‘βˆ’ 𝑑 βˆ— 𝑠 βˆ— βˆ’π‘  as DLog

37 Proof – TYPE III Forgeries
We will not cover them here. Proof is more complicated, and relies on a transformation of EUF-CMA to sEUF-CMA

Download ppt "The power of Pairings towards standard model security"

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = Γ‘gΓ±, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = Γ‘gΓ±, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.

Dan Boneh Public key encryption from Diffie-Hellman ElGamal Variants With Better Security Online Cryptography Course Dan Boneh.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
7. Asymmetric encryption-

7. Asymmetric encryption-
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT Β© 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT Β© 2002 MICHAEL I. SHAMOS Cryptographic Security.
Identity Based Encryption

Identity Based Encryption
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT Β© 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT Β© 2003 MICHAEL I. SHAMOS Cryptography.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Similar presentations

Ads by Google