
Page 1: Controlled Algebras and GII’s Ronald L. Rivest MIT CSAIL IPAM Workshop October 9, 2006

Controlled Algebras and GII’s

Ronald L. Rivest, MIT CSAIL

IPAM Workshop, October 9, 2006

Page 2:

Outline

– Controlled algebras
– Trapdoor discrete log groups
– Black box & pseudo-free groups
– Groups with infeasible inverses
– Transitive signatures
– Trapdoor pairings

Page 3:

Algebra ( S1 , S2 , op1 , op2, …, opn )

An algebra is a set (or sets) with operation(s). The abstract algebra is a mathematical object. An instantiation is a computational object:

– Each element of a set has one or more representations.
– Each operation has an associated computational procedure.

Page 4:

Controlled Algebra ( S , op1 , op2, op3, op4, …, opn ), with one control label per operation (on the slide: F, F, I, T, T)

Control the computation of each operation:

– F (feasible or public: public poly-time algorithm)
– I (infeasible: no poly-time algorithm exists)
– T (trapdoor: poly-time only with trapdoor information)

Which controlled algebras can we make?

Page 5:

Controlled Groups

Group operations:

– Identity: produces identity element e
– Generator(s): produces generator(s)
– Sample: produces random element
– Multiply: group operation
– Invert: given x, compute x^-1
– Equal: test equality of elements
– Canonical: give canonical representation of element
– Discrete log, root, DDH, CDH, hash, …

Each separately controlled…

Page 6:

Analogy: gene expression

One of the marvelous features of the way DNA works is that the semantics of the gene (i.e., what protein is made) is decoupled from the control of its expression. Semantics and control may evolve separately.

(Figure; labels: control, protein)

Page 7:

Example: Trapdoor DL groups

(See Dent and Galbraith 2006)

– Generator g: public, generates G = <g>
– Multiplication (group operation): public
– Discrete logarithm: trapdoor

Applications: key agreement, encryption. (Publish group description as public key…)

Page 8:

Trapdoor DL groups

Open problem to construct practical trapdoor DL groups.

Paillier cryptosystem comes close. Dent & Galbraith also propose a pairing-based approach; large tables required.

Page 9:

Black box group

A controlled group is related to the notion of a black box group (group operation efficient; others, such as discrete log, may not be), which is “essentially the same” as (“just”) the mathematical object.

Some attempts to have a “computational black box group” (Frey; Galbraith) via “disguised elliptic curves” or other techniques, for specific groups.

Page 10:

“Pseudo-free” Group

Notion introduced by Hohenberger (2003), refined by Rivest (2004).

A group is (strongly) “pseudo-free” if an adversary can’t find a solution to any “non-trivial” equation (i.e., one that has no solution in the free group).

Micciancio (2005) showed that Z_n^* where n=pq is pseudo-free (given the “strong RSA assumption”).

Page 11:

Groups with Infeasible Inverses (GII’s)

Want group operation to be easy, but computing inverses to be hard (for everyone).

GII’s introduced by Susan Hohenberger in her MS thesis; also studied by David Molnar, Vinod Vaikuntanathan.

Open problem to make GII’s under reasonable assumptions.

Page 12:

GII’s imply Key Agreement

(Hohenberger; Rabi/Sherman)

– Alice draws random elements x, y
– Alice sends Bob: xy, y
– Bob draws random element z
– Bob sends Alice: yz
– Both compute K = (xy)z = x(yz)

Page 13:

Security Argument [H]

An Eve who can guess K = xyz from (xy, y, yz) can invert random elements.

Choose a at random. Give Eve xy = a^i, y = a^j, yz = a^k where i-j+k = -1. Then K = a^(i-j+k) = a^-1.
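Added illustration (not from the slides) of the key-agreement protocol on slide 12 and the reduction on slide 13, simulated in Z_n^* with a constructed n = p*q. Z_n^* is not a GII, since inverses are easy there, and that is precisely what lets the "breaker" oracle below be written; the reduction then turns any such breaker into an inverter for a random element using only positive powers of it.

```python
import secrets
from math import gcd

# Constructed toy modulus n = p*q (two small primes); real parameters would be far larger.
P, Q = 1000003, 1000033
N = P * Q

def mul(x, y):
    """The public group operation: multiplication in Z_n^*."""
    return (x * y) % N

def random_elt():
    """Sample a random element of Z_n^* (the 'Sample' operation of slide 5)."""
    while True:
        x = secrets.randbelow(N)
        if x > 1 and gcd(x, N) == 1:
            return x

def key_agreement():
    """Slide 12: Alice sends (xy, y), Bob replies yz, both form K = (xy)z = x(yz).
    Returns (K_alice, K_bob, transcript seen by Eve)."""
    x, y = random_elt(), random_elt()
    xy = mul(x, y)                       # Alice -> Bob: xy, y
    z = random_elt()
    yz = mul(y, z)                       # Bob -> Alice: yz
    k_alice = mul(x, yz)                 # x(yz)
    k_bob = mul(xy, z)                   # (xy)z
    return k_alice, k_bob, (xy, y, yz)

def ka_breaker(xy, y, yz):
    """Eve's oracle: recover K = xyz from the transcript. Writable only because
    inverses are easy in Z_n^* (pow(y, -1, N)); in a true GII no such algorithm exists."""
    return mul(mul(xy, pow(y, -1, N)), yz)

def invert_via_breaker(a, breaker=ka_breaker):
    """Slide 13 reduction: hand the breaker xy = a^i, y = a^j, yz = a^k with i-j+k = -1.
    Only positive powers of a are formed, so no inversion is used by the reduction;
    the breaker's answer is K = a^(i-j+k) = a^-1."""
    i, j, k = 5, 10, 4                   # 5 - 10 + 4 = -1; any exponents with i-j+k = -1 work
    return breaker(pow(a, i, N), pow(a, j, N), pow(a, k, N))

if __name__ == "__main__":
    k_a, k_b, seen = key_agreement()
    print("shared key agrees:", k_a == k_b, "; breaker recovers it:", ka_breaker(*seen) == k_a)
    a = random_elt()
    print("reduction yields a^-1:", mul(a, invert_via_breaker(a)) == 1)
```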

Page 14:

Strongly Associative OWF’s

(Introduced by Rabi/Sherman)

– Associative function f(.,.) on set S
– Easy to compute f(x,y) given x, y
– Given f(x,y) and y, hard to compute any x’ such that f(x’,y) = f(x,y).

Hemaspaandra and Rothe show that SAOWF and OWF are black-box equivalent on non-structured domains.

But on a group, SAOWF = GII’s.

Page 15:

Trapdoor GII’s (TGII’s)

A GII, except that some trapdoor information allows computation of inverses.

Any finite GII is really a TGII, since knowing the group order allows computation of inverses. However, it may be possible to generate a GII without anyone knowing the group order…

Page 16:

Applications of TGII’s

Vaikuntanathan (2003) has shown how to implement IBE using any TGII that has an efficient algorithm for sampling a random element together with its inverse.

Is this only known sufficient condition for IBE outside of bilinear maps?

Page 17:

Vaikuntanathan’s IBE construction

Let G be a TGII, h1, h2 hash functions.

Given ID, define g_ID = h1(ID)

Define sk_ID = g_ID^-1 (using trapdoor)

To encrypt m, pick r randomly, then: C = (r g_ID, m ⊕ h2(r))

To decrypt (s,t), compute m = t ⊕ h2(s sk_ID)

(Sampling of pairs (a, a^-1) needed, but only in reduction proof, for ID-CPA security.)
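Added illustration (not from the slides or from Vaikuntanathan's paper) of the scheme above, simulated in Z_n^* with a constructed n = p*q and constructed hash functions h1, h2. Since anyone can invert in Z_n^*, the "trapdoor" here is ordinary modular inversion and the simulation shows only the algebra of extract/encrypt/decrypt, not security.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy modulus n = p*q; far too small for real use.
P, Q = 1000003, 1000033
N = P * Q

def mul(x, y):
    """Public group operation in Z_n^*."""
    return (x * y) % N

def random_elt():
    """Sample a random element of Z_n^* (used for the sender's r)."""
    while True:
        x = secrets.randbelow(N)
        if x > 1 and gcd(x, N) == 1:
            return x

def h1(identity: str) -> int:
    """Constructed H1: hash an identity string to a group element g_ID (retry until coprime to n)."""
    ctr = 0
    while True:
        d = hashlib.sha256(b"h1|%d|" % ctr + identity.encode()).digest()
        g = int.from_bytes(d, "big") % (N - 2) + 2
        if gcd(g, N) == 1:
            return g
        ctr += 1

def h2(elt: int, length: int) -> bytes:
    """Constructed H2: hash a group element to a mask of the requested length."""
    return hashlib.shake_256(b"h2|" + elt.to_bytes(8, "big")).digest(length)

def extract(identity: str) -> int:
    """Key authority: sk_ID = g_ID^-1. In Z_n^* this needs no trapdoor, which is
    exactly why Z_n^* is not a TGII (slide 18)."""
    return pow(h1(identity), -1, N)

def encrypt(identity: str, m: bytes, r=None) -> tuple:
    """C = (r g_ID, m XOR h2(r)); r is the sender's random element (fixable for tests)."""
    if r is None:
        r = random_elt()
    mask = h2(r, len(m))
    return mul(r, h1(identity)), bytes(a ^ b for a, b in zip(m, mask))

def decrypt(sk_id: int, c: tuple) -> bytes:
    """s sk_ID = (r g_ID) g_ID^-1 = r, so h2(s sk_ID) is the mask the sender used."""
    s, t = c
    mask = h2(mul(s, sk_id), len(t))
    return bytes(a ^ b for a, b in zip(t, mask))
```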

Page 18:

How to construct GII or TGII??

Order of group must be hidden. RSA group (Z_n^*) has hidden order, but inverses are unfortunately easy.

Maybe use a “trusted oracle” to provide an interface for composition / sampling / comparing elements, but not inversion. All representations are encrypted. (Saxena and Soh)

Open problem!

Page 19:

Transitive Signatures (due to Micali/Rivest)

Signature scheme on pairs of elements (think of σ(a,b) as the signature on edge (a,b))

DTS (Directed Transitive Signatures): Given σ(a,b) and σ(b,c), anyone can compute σ(a,c)

UTS (Undirected TS): Given σ(a,b), easy to compute σ(b,a)

Page 20:

Transitive signatures

(Figure: vertices a, b, c with signed edges σ(a,b) and σ(b,c), from which σ(a,c) is derived)

Potential applications to cert chains…

Page 21:

Some relationships (see [H])

(Diagram of relationships among KA, GII, TGII, TDP, PKE, OWF, OT, DTS, UTS, SDS, TDL, and BM)

Page 22:

Constructing a DTS from TGII

Simple way to build a directed transitive signature scheme from a TGII:

– Signature on (a,b) is just a/b

But is this secure???

Page 23:

Trapdoor pairings

A group with a bilinear map, except that one needs trapdoor information to compute the pairing function. (Rivest (2004), Dent & Galbraith (2006))

Page 24:

Applications of trapdoor pairings

– ID scheme (Dent & Galbraith): Alice is the only one who can correctly compute DDH results on challenges (g^a, g^b, g^ab) or (g^a, g^b, g^c)
– Making various flavors of signature schemes (ID-based, aggregate, ring, …) into “designated verifier” schemes

Page 25:

Construction of trapdoor pairings

– Use elliptic curve over Z_n where n=pq (Dent & Galbraith 2006)
– “Disguised elliptic curves” (Dent & Galbraith, Galbraith 2006)

Parameters may have to be extremely large…

Page 26:

Summary – Open problems

1. Construct practical trapdoor DL groups.
2. Make groups with infeasible inversion (GII’s), under reasonable assumptions.
3. Make better trapdoor pairings.
4. Prove that the simple TGII → DTS construction is secure (or fix it).

Page 27:

Acknowledgments

Thanks to Susan Hohenberger, David Molnar, and Vinod Vaikuntanathan for helpful suggestions and comments….

Page 28:

(The End)