Notes for Lecture 14

Similar documents
Notes for Lecture 5. 2 Non-interactive vs. Interactive Key Exchange

An IBE Scheme to Exchange Authenticated Secret Keys

CS 161 Computer Security

1 Identification protocols

Key Escrow free Identity-based Cryptosystem

Cryptography: More Primitives

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Introduction to Cryptography Lecture 7

CS 161 Computer Security

Lecture 10, Zero Knowledge Proofs, Secure Computation

CS 395T. Formal Model for Secure Key Exchange

CSE 127: Computer Security Cryptography. Kirill Levchenko

Introduction to Cryptography Lecture 7

Applied Cryptography and Computer Security CSE 664 Spring 2018

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Foundations of Cryptography CS Shweta Agrawal

Lecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Cryptography. Andreas Hülsing. 6 September 2016

More crypto and security

Homework 3: Solution

Key Establishment and Authentication Protocols EECE 412

CS Computer Networks 1: Authentication

Applied Cryptography and Computer Security CSE 664 Spring 2017

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Introduction to Public-Key Cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Chapter 9 Public Key Cryptography. WANG YANG

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

1 Achieving IND-CPA security

Remove Key Escrow from The Identity-Based Encryption System

Lecture 7 - Applied Cryptography

Secure Multiparty Computation

Diffie-Hellman. Part 1 Cryptography 136

Notes for Lecture 10

Brief Introduction to Provable Security

Auth. Key Exchange. Dan Boneh

Crypto Background & Concepts SGX Software Attestation

Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

CPSC 467: Cryptography and Computer Security

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

CPSC 467b: Cryptography and Computer Security

ISA 562: Information Security, Theory and Practice. Lecture 1

Certificateless Public Key Cryptography

CS 161 Computer Security

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

CS61A Lecture #39: Cryptography

Lecture 1: Perfect Security

Attribute-Based Encryption. Allison Lewko, Microsoft Research

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Part VI. Public-key cryptography

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Lectures 6+7: Zero-Leakage Solutions

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

RSA. Public Key CryptoSystem

CIS 4360 Secure Computer Systems Applied Cryptography

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Tools for Computing on Encrypted Data

Encryption 2. Tom Chothia Computer Security: Lecture 3

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Chapter 10 : Private-Key Management and the Public-Key Revolution

Encryption from the Diffie-Hellman assumption. Eike Kiltz

Key-Policy Attribute-Based Encryption

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

CSC/ECE 774 Advanced Network Security

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

1. Diffie-Hellman Key Exchange

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

CS 161 Computer Security

Cryptographic Hash Functions

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

2.1 Basic Cryptography Concepts

Cryptographic Systems

Lecture 6 - Cryptography

Lecture 2 Applied Cryptography (Part 2)

Application of Number Theory to Cryptology

MITOCW watch?v=zlohv4xq_ti

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Cryptography. Lecture 12. Arpita Patra

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Advanced Topics in Cryptography

Privacy, Discovery, and Authentication for the Internet of Things

Spring 2010: CS419 Computer Security

Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018

CS408 Cryptography & Internet Security

Somewhat Homomorphic Encryption

CIS 3362 Final Exam 12/4/2013. Name:

Introduction to Secure Multi-Party Computation

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Transcription:

COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e : G G G 2. We have e(ap, bq) = e(p, Q) ab. We call this an asymmetric pairing when G G. In a symmetric pairing, G = G, you can pair an element by itself, which you can t do in asymmetric pairings. We ll be looking at symmetric pairings today. Recall our example of 3 party key exchange, with three users Alice, Bob and Charlie. There was no obvious way to incorporate Charlie into the basic two party key agreement protocol. But with pairings, Alice can send ap, Bob can send bp, and Charlie can send cp. The key is e(p, P ) abc, which all the users can compute by pairing the other two users messages and then raising the result to their own secret exponent. This launched a whole subfield of cryptography called pairing-based crypto. Today we ll sample some of the results in this area. 1.2 Short Signatures Lots of signatures we ve seen require megabyte-sized signatures to get security against 2 128 time adversaries. It turns out that pairings give the shortest signatures that we know of. Before we see the scheme, we recall the Decision Diffie Hellman Assumption (DDH). The assumption is that (P, ap, bp, abp ) and (P, ap, bp, cp ) are computationally indistinguishable for random a, b, c. We claim that DDH is easy in groups G with a symmetric pairing. We can simply pair e(ap, bp ) and check if it s equal to e(p, cp ). Equality holds if c = ab, but holds with very small probability if c is randomly chosen. Computational Diffie Hellman Assumption (CDH): Given P, ap, bp, computing abp is hard. It s unclear what pairing helps you do with respect to this task, and people believe that it s still hard to compute abp even if a pairing is available (in elliptic curve groups). 1

An elliptic curve group with a pairing gives us a potential gap-dh group, which is a group where DDH is easy and CDH is hard. Consider the following signature scheme based on a gap-dh group G: Gen() : Pick a random a Z p, and let Q = ap, where P is a fixed generator of the group. a is the secret key and Q is the public key. Sign(sk, m) : Assume a hash function H : M G. The signature is σ = a H(m). Ver(pk, m, σ) : The inputs include P, ap, m, a H(m). Instead of m, we look at H(m), which we can think of as some bp. Then ah(m) = abp. Then this looks like a Diffie Hellman instance, so if I m in a gap-dh group, I can check if I ve determined the right solution. Security intuitively follows from the CDH hardness assumption. But what hash function should we use? We can t use H(m) = mp, since if you know m you can compute amp = m (ap ). Remember the points on the elliptic curve satisfy y 2 = x 3 + ax + b. Let s take our message and treat it as the x value. H(m) = (m, y) where y = m 3 + Am + B. The relationship between operations in the x coordinate and group operations is complicated and there s no way to run this attack. There s a security proof for this that we won t go over. Signatures are just 1 group element, so if you want security against 2 128 time adversaries, you can set your group size to be 2 256, so you can get signatures of 256 bits. 1.3 Identity-Based Encryption For everything we ve seen so far, public keys have been long strings of bits corresponding to various algebraic values. In Identity-Based Encryption, we want public keys to be your email address. There is going to be a set-up algorithm run by some trusted third party. Setup() (msk, mpk). The master public key mpk is public, but only the trusted third party knows msk. Enc(mpk, id, m) c. Think of id as the person s email address. Extract(msk, id) sk id. This algorithm is run by the trusted third party and outputs a secret key for user with identity id. Dec(sk id, c) m. 2

Once you know the master public key, you can send messages to anyone else without having to interact with the trusted third party. Note that this protocol relies on users being able to authenticate their identities to the trusted third party. Intuitively, for security we want that if your identity is not id, you cannot distinguish messages intended for id. Consider the following basic scheme. Setup() (msk, mpk). Generate a 2 by n grid, and for each cell in the grid generate a public key, secret key pair. The master public key is the set of all public keys generated. The master secret key is the set of all secret keys generated. Enc(mpk, id, m) c. Do an n out of n secret sharing of m. Basically just use random shares that XOR to m. Then you encode c i Enc(pk i,idi, sh i ). c = {c i } i [n]. Extract(msk, id) sk id. Select the secret keys {sk i,idi } i [n] (select the grid boxes corresponding to the identity, meaning that for each column, read off a bit of the identity to choose between the top cell and the bottom cell). Dec(sk id, c) m. To decrypt, you decrypt each c i and recombine the secret shares to recover m. If you have id id and you have sk id, you can t learn anything about m encrypted for user id. Essentially, at least one share must be hidden. However, this scheme has no protection against collusion between two or more users. Suppose one user is the all 0 s and the other user is the all 1 s. Then they have all the secret keys, and can break everyone else s secret keys. This motivates defining collusion-resistant IBE. We can have some bounded collusionresistant system where I can handle up to 1000 users colluding. However, what we really is that if everyone in the world gets together to collude, they still can t decrypt messages for you. This is called Fully Collusion-Resistant IBE. Here is such a scheme built from pairings: Setup(). This algorithm chooses a random a Z p, and sets msk = a. Then Q = ap is set to be mpk. Enc(mpk, id, m). To encrypt, choose a random integer d Z p. Then output (dp, e(q, H(id)) d m). We assume messages are already group elements in G 2 (we don t care how this is done). Extract(msk, id). The secret key is just ah(id). 3

Dec(aH(id), (dp, e(q, H(id)) d m)). To decrypt, you compute e(q,h(id))d m e(dp,ah(id)). Using Q = ap and multilinearity, we see this gives m. Security intuition is that H(id) acts as a public key, and learning secret keys for other public keys doesn t let you learn the secret key of that specific user. 1.4 Broadcast Encryption The setup is we have some content distributor A. Think of A as XM radio or a TV channel. We have a bunch of users, B, C, D, E, F. At any given time, a subset of them have subscribed to A s content. She has some message that she wants to broadcast (think of this as a song) over public airwaves, but she only wants the set of users (say B, D, E) to be able to decrypt and listen to the song. The naive solution is to have each user own a public key/secret key pair, and have the public message be a concatenation of the ciphertexts encrypting the message to each user in the broadcast set. The public key is the concatenation of all the users public keys. This is obviously infeasible for services like Netflix. Ideally we want the ciphertext to be O(1), and the public key to be O(1). The simplest solution we just saw has both of these at O(N). It turns out that with pairings we have an O(1) ciphertext size and O(N) public key size. You can actually run instances of this pairing-based scheme in parallel to get O( N) for both public key size and ciphertext size. 1.5 Multi-Party Key Exchange To build this, we can hope to construct something like a tri-linear map. This would have the property that e : G G G G 3, where e(ap, bp, cp ) = e(p, P, P ) abc. It turns out that if we have a multilinear map, where e : G k G k, we can build a number of things. For example (not a comprehensive list at all): Broadcast encryption with O(1) ciphertext and public key size. Multiparty non-interactive key agreement for k 1 users. Obfuscation. This is a tool that hides everything about a program but still allows for evaluation. Note obfuscation is different from garbled circuits, since with garbled circuits you need input labels and it s only one-time. Fully Homomorphic Encryption. This is an encryption allows you to compute on ciphertexts directly without leaking knowledge of the messages. 4

The remarkable thing is that for all these things a 3-linear map suffices. Can we get a 3-linear map from elliptic curves? Recall the torsion group can be written as E[p] Z p Z p. So say P, Q spans E[p]. Any point R = ap + bq. I a b det( ) c d can think of the Weil pairing as e(r, S) = µ p where µ p is the primitive pth root of unity and S = cp + dq. We see that a 3-linear map presents issues, a b because this matrix becomes c d. It s unclear how to think of the determinant e f of this non-square matrix. It turns out you can use structures in algebraic geometry where the torsion group can be a three dimensional space. Now everything has three coordinates, and you can define a pairing like this with a determinant of a 3 by 3 matrix, but we have no idea how to compute this efficiently. And there are actually some reasons to believe this is not possible. With lattices you can actually build something that looks like a multilinear map (called a graded encoding scheme), though the security for these constructions is still poorly understood. Next time we ll be talking about lattice-based crypto, but only schemes with well-understood security guarantees. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback