Pairings and Gap Groups - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

Pairings and Gap Groups

Description:

It is possible to find schemes that do not use pairings, but ... Galindo, Martin, Morillo, Villar 2003: Fujisaki-Okamoto IND-CCA hybrid encryption revisited. ... – PowerPoint PPT presentation

Number of Views:56
Avg rating:3.0/5.0
Slides: 16
Provided by: carolin90
Category:
Tags: gap | groups | pairings | villar

less

Transcript and Presenter's Notes

Title: Pairings and Gap Groups


1
Pairings and Gap Groups
  • Caroline Kudla
  • Royal Holloway
  • University of London
  • c.j.kudla_at_rhul.ac.uk

2
Uses of Pairings
  • Pairings have found many applications in
    cryptography
  • ID-based cryptography
  • Tripartite key agreement
  • Certificateless cryptography
  • .
  • However they can also have more obscure
    applications in provable security.
  • It is possible to find schemes that do not use
    pairings, but where a pairing is used for the
    security proof!

3
Provable Security
Query
Response
Adversary E
Challenger C
. . . .
Output
4
Secure Encryption
Decryption query (Ciphertext)
Plaintext
. . .
Adversary E
Challenger C
Test query (M0,M1)
Encryption of Mi
. . . .
Output guess for i
5
Secure Key Agreement
Send msg to Pi
Challenger
Response from Pi
Corrupt Pi
Private key of Pi
Participants P1 P2 . . . Pn
Reveal Pi
Adversary E
Session key of Pi
. . .
Test oracle P
SK
. . .
If b0, SKSK Else SKRandom
Output guess for b
6
Key agreement protocol 1
  • Alice and Bob wish to share a key

ga
gy
gx
gb
Alice and Bob compute their shared secret K as
follows
7
Security Proof for Protocol 1
  • C wishes to solve CDH on inputs (gu,gv), and sets
    up a game with E where participant i has public
    key gu.

Test session
Non-test session
gv
ga
Pi(gx)
Pj(gu)
E
Pi(gu)
gb
gb
Problem C can extract the solution for the CDH
problem instance from Es guess for the Test
session key, but C cannot answer all Reveal
queries! Many proofs assume E cannot make Reveal
queries.
8
Gap Problems (OP01)
  • Given a relation f(x,y)?0,1 we can define
  • The Computational Problem
  • Given x, find y such that f(x,y)1
  • The Decisional Problem
  • Given x and y, determine whether f(x,y)1 or
    not
  • The Gap Problem To solve the computational
    problem with the help of an oracle which solves
    the decisional problem.
  • Eg the Gap Diffie-Hellman Problem
  • Given gx and gy, compute gxy given a DDH oracle
    which on input lt gx,gy,gcgt determines whether
    cxy.

9
Gap Assumptions
  • The security of many cryptographic schemes rely
    on a Gap assumption
  • Undeniable signatures
  • Okomoto, Pointcheval 2001 The Gap problems A
    new class of problems for the security of
    cryptographic schemes.
  • Encryption schemes (Plaintext-checking)
  • Coron, Handschuh, Joye, Paillier, Pointcheval,
    Tymen 2002 Optimal chosen-ciphertext secure
    encryption of arbitrary length messages
  • Galindo, Martin, Morillo, Villar 2003
    Fujisaki-Okamoto IND-CCA hybrid encryption
    revisited.
  • Signcryption schemes
  • Baek, Steinfeld, Zheng 2002 Formal proofs for
    the security of signcryption.
  • Malone-Lee 2004 Signcryption with
    non-interactive non-repudiation.
  • Key agreement protocols
  • Abdalla, Chevassut, Pointcheval 2005 One-time
    verifier-based encrypted key exchange.
  • Kudla Paterson, 2005.

10
Key agreement protocol 1
  • Alice and Bob wish to share a key

ga
gy
gx
gb
Alice and Bob compute their shared secret K as
follows
11
Security Proof for Protocol 1
  • C wishes to solve CDH on inputs (gu,gv), and sets
    up a game with E where participant i has public
    key gu.

Test session
Non-test session
gv
ga
Pi(gx)
Pj(gu)
E
Pi(gu)
gb
gb
C can extract the solution for the CDH problem
instance and, given access to a DDH oracle, C can
co-ordinate responses from the random oracle and
Reveal queries so that Es view of the game is
consistent.
12
The problem with Gap assumptions
  • A Gap assumption is the assumption that some
    computational problem is hard even if one has
    access to a decisional oracle.
  • However this decisional oracle may not exist in
    reality!
  • Eg For protocol 1, we assume GDH in a group for
    which DDH is assumed to be hard, therefore our
    proof makes use of a non-existent oracle!

13
How do Pairings help?
  • For a group of points on an elliptic curve
    equipped with an efficient bilinear pairing ê,
    the decisional Diffie-Hellman problem is easy.
  • In this case the Gap DH problem is in fact
    equivalent to the computational DH problem.
  • So we find that certain schemes can be proven
    secure under the CDH assumption where a pairing
    is required to exist for the security proof but
    is not used in the scheme!

14
Key agreement protocol 2
  • Alice and Bob wish to share a key

aP
yP
xP
bP
Alice and Bob compute their shared secret K as
follows The security of this protocol relies on
the hardness of the EC CDH problem if an
efficient bilinear map ê exists for the elliptic
curve.
15
Conclusions
  • Pairings have many applications in ID-based
    cryptography, tripartite key agreement,
    certificateless crytography, etc
  • But they have some surprising applications in
    provable security for certain schemes (which may
    not even require pairings) due to their ability
    to solve the DDH problem on elliptic curves.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Pairings and Gap Groups" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!