Pairings and Gap Groups


Presentation Transcript


  1. Pairings and Gap Groups
     Caroline Kudla, Royal Holloway University of London, c.j.kudla@rhul.ac.uk
     C. Kudla. PIC05, June '05

  2. Uses of Pairings
     Pairings have found many applications in cryptography:
     • ID-based cryptography
     • Tripartite key agreement
     • Certificateless cryptography
     • …
     However, they can also have more obscure applications in provable security. It is possible to find schemes that do not use pairings, but where a pairing is used for the security proof!

  3. Provable Security
     [Diagram: Adversary E and Challenger C exchange Query / Response messages; the game ends with an Output.]

  4. Secure Encryption
     [Diagram: Adversary E and Challenger C. Decryption query (Ciphertext) is answered with the Plaintext; Test query (M_0, M_1) is answered with the Encryption of M_i; E outputs a guess for i.]

  5. Secure Key Agreement
     [Diagram: Adversary E and the Challenger, which controls participants P_1, P_2, ..., P_n.
     • Send msg to P_i: Response from P_i
     • Corrupt P_i: Private key of P_i
     • Reveal P_i: Session key of P_i
     • Test oracle P*: SK, where if b=0, SK=SK*, else SK=Random
     E outputs a guess for b.]

  6. Key agreement protocol 1
     Alice and Bob wish to share a key:
     [Diagram labels: g^a, g^y, g^x, g^b]
     Alice and Bob compute their shared secret K as follows:

  7. Security Proof for Protocol 1
     C wishes to solve CDH on inputs (g^u, g^v), and sets up a game with E where participant i has public key g^u.
     [Diagram: Test session and Non-test session; labels g^v, g^a, P_i(g^x), P_j(g^u), E, P_i(g^u), g^b, g^b]
     Problem: C can extract the solution for the CDH problem instance from E's guess for the Test session key, but C cannot answer all Reveal queries! Many proofs assume E cannot make Reveal queries.

  8. Gap Problems (OP01)
     Given a relation f(x,y)→{0,1} we can define:
     • The Computational Problem: Given x, find y such that f(x,y)=1.
     • The Decisional Problem: Given x and y, determine whether f(x,y)=1 or not.
     • The Gap Problem: To solve the computational problem with the help of an oracle which solves the decisional problem.
     E.g. the Gap Diffie-Hellman Problem: Given g^x and g^y, compute g^{xy} given a DDH oracle which on input <g^x, g^y, g^c> determines whether c=xy.

  9. Gap Assumptions
     The security of many cryptographic schemes relies on a Gap assumption:
     Undeniable signatures:
     • Okamoto, Pointcheval 2001: The Gap problems: A new class of problems for the security of cryptographic schemes.
     Encryption schemes (plaintext-checking):
     • Coron, Handschuh, Joye, Paillier, Pointcheval, Tymen 2002: Optimal chosen-ciphertext secure encryption of arbitrary length messages.
     • Galindo, Martin, Morillo, Villar 2003: Fujisaki-Okamoto IND-CCA hybrid encryption revisited.
     Signcryption schemes:
     • Baek, Steinfeld, Zheng 2002: Formal proofs for the security of signcryption.
     • Malone-Lee 2004: Signcryption with non-interactive non-repudiation.
     Key agreement protocols:
     • Abdalla, Chevassut, Pointcheval 2005: One-time verifier-based encrypted key exchange.
     • Kudla & Paterson, 2005.

  10. Key agreement protocol 1
     Alice and Bob wish to share a key:
     [Diagram labels: g^a, g^y, g^x, g^b]
     Alice and Bob compute their shared secret K as follows:

  11. Security Proof for Protocol 1
     C wishes to solve CDH on inputs (g^u, g^v), and sets up a game with E where participant i has public key g^u.
     [Diagram: Test session and Non-test session; labels g^v, g^a, P_i(g^x), P_j(g^u), E, P_i(g^u), g^b, g^b]
     C can extract the solution for the CDH problem instance and, given access to a DDH oracle, C can co-ordinate responses from the random oracle and Reveal queries so that E's view of the game is consistent.

  12. The problem with Gap assumptions
     A Gap assumption is the assumption that some computational problem is hard even if one has access to a decisional oracle. However, this decisional oracle may not exist in reality!
     E.g. for protocol 1, we assume GDH in a group for which DDH is assumed to be hard; therefore our proof makes use of a non-existent oracle!

  13. How do Pairings help?
     For a group of points on an elliptic curve equipped with an efficient bilinear pairing ê, the decisional Diffie-Hellman problem is easy. In this case the Gap DH problem is in fact equivalent to the computational DH problem.
     So we find that certain schemes can be proven secure under the CDH assumption where a pairing is required to exist for the security proof but is not used in the scheme!

  14. Key agreement protocol 2
     Alice and Bob wish to share a key:
     [Diagram labels: aP, yP, xP, bP]
     Alice and Bob compute their shared secret K as follows:
     The security of this protocol relies on the hardness of the EC CDH problem if an efficient bilinear map ê exists for the elliptic curve.

  15. Conclusions
     Pairings have many applications in ID-based cryptography, tripartite key agreement, certificateless cryptography, etc.
     But they have some surprising applications in provable security for certain schemes (which may not even require pairings) due to their ability to solve the DDH problem on elliptic curves.
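
Why a pairing makes DDH easy (slide 13), written out as an added derivation that is not part of the original slides. Assumptions: the elliptic-curve group G is written additively with generator P of prime order q, and ê: G × G → G_T is a symmetric, non-degenerate bilinear map, so ê(P,P) has order q in G_T.

Given a DDH instance (aP, bP, cP), bilinearity gives

$$\hat{e}(aP,\, bP) = \hat{e}(P,P)^{ab}, \qquad \hat{e}(P,\, cP) = \hat{e}(P,P)^{c}.$$

Because $\hat{e}(P,P)$ has order $q$,

$$\hat{e}(aP,\, bP) = \hat{e}(P,\, cP) \iff ab \equiv c \pmod{q} \iff cP = abP.$$

Two pairing evaluations and one comparison in $G_T$ therefore decide DDH, so the DDH oracle of the Gap DH problem can be computed by anyone rather than assumed. A GDH solver $\mathcal{A}^{\mathrm{DDH}}$ becomes a CDH solver by answering each oracle query $\langle X, Y, Z\rangle$ with the test $\hat{e}(X,Y) \stackrel{?}{=} \hat{e}(P,Z)$, and a CDH solver solves GDH by ignoring the oracle:

$$\mathrm{GDH}(G) \equiv \mathrm{CDH}(G) \quad \text{whenever an efficient } \hat{e} \text{ exists on } G.$$

The pairing is used only by the challenger C inside the reduction; nothing in this derivation requires the protocol participants to compute ê.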
