Controlled Algebras and GII’s

Ronald L. Rivest, MIT CSAIL

IPAM Workshop, October 9, 2006


Outline

– Controlled algebras
– Trapdoor discrete log groups
– Black box & pseudo-free groups
– Groups with infeasible inverses
– Transitive signatures
– Trapdoor pairings

Algebra

( S1, S2, op1, op2, …, opn )

An algebra is a set (or sets) with operation(s). An abstract algebra is a mathematical object. An instantiation is a computational object:

– Each element of a set has one or more representations.
– Each operation has an associated computational procedure.

Controlled Algebra

( S, op1, op2, op3, op4, …, opn ), with each operation labelled by its control, e.g. F, F, I, T, …, T.

Control the computation of each operation:

– F (feasible or public: public poly-time algorithm)
– I (infeasible: no poly-time algorithm exists)
– T (trapdoor: poly-time only with trapdoor information)

Which controlled algebras can we make?

Controlled Groups

Group operations:

– Identity: produces identity element e
– Generator(s): produces generator(s)
– Sample: produces a random element
– Multiply: group operation
– Invert: given x, compute x^-1
– Equal: test equality of elements
– Canonical: give canonical representation of an element
– Discrete log, root, DDH, CDH, hash, …

Each separately controlled…

Analogy: gene expression

One of the marvelous features of the way DNA works is that the semantics of the gene (i.e., what protein is made) is decoupled from the control of its expression. Semantics and control may evolve separately.

[figure: control region, protein product]

Example: Trapdoor DL groups

(See Dent and Galbraith 2006)

– Generator g: public, generates G = <g>
– Multiplication (group operation): public
– Discrete logarithm: trapdoor

Applications: key agreement, encryption. (Publish group description as public key…)

Trapdoor DL groups

Open problem to construct practical trapdoor DL groups. The Paillier cryptosystem comes close. Dent & Galbraith also propose a pairing-based approach; large tables required.

Black box group

A controlled group is related to the notion of a black box group (group operation efficient; others, such as discrete log, may not be), which is “essentially the same” as (“just”) the mathematical object.

Some attempts to have a “computational black box group” (Frey; Galbraith) via “disguised elliptic curves” or other techniques, for specific groups.

“Pseudo-free” Group

Notion introduced by Hohenberger (2003), refined by Rivest (2004).

A group is (strongly) “pseudo-free” if an adversary can’t find a solution to any “non-trivial” equation (i.e. one that has no solution in the free group).

Micciancio (2005) showed that Z_n^* where n = pq is pseudo-free (given the “strong RSA assumption”).

Groups with Infeasible Inverses (GII’s)

Want group operation to be easy, but computing inverses to be hard (for everyone).

GII’s introduced by Susan Hohenberger in her MS thesis; also studied by David Molnar, Vinod Vaikuntanathan.

Open problem to make GII’s under reasonable assumptions.

GII’s imply Key Agreement

(Hohenberger; Rabi/Sherman)

– Alice draws random elements x, y
– Alice sends Bob: xy, y
– Bob draws random element z
– Bob sends Alice: yz
– Both compute K = (xy)z = x(yz)

Security Argument [H]

An Eve who can guess K = xyz from (xy, y, yz) can invert random elements:

– Choose a at random
– Give Eve xy = a^i, y = a^j, yz = a^k where i - j + k = -1
– Then K = a^(i-j+k) = a^-1
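The key agreement and the security reduction above, worked through in a toy group as an added example (not code from the talk): the symmetric group S_8 is non-abelian, so the exchange relies on associativity alone, but its inverses are easy, so `eve_cheating` is a stand-in that simply inverts y; in a real GII that step would be infeasible. All names here are the example's own.

```python
import random

N = 8  # toy group: symmetric group S_N; non-abelian, but inversion is easy here

def mul(p, q):
    # group operation: apply permutation p first, then q
    return tuple(q[p[i]] for i in range(len(p)))

def inv(p):
    # inverse; feasible in S_N, infeasible by definition in a GII
    r = [0] * len(p)
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)

def power(p, k):
    # p^k for k >= 0 by square-and-multiply, using only the group operation
    result, base = tuple(range(len(p))), p
    while k:
        if k & 1:
            result = mul(result, base)
        base, k = mul(base, base), k >> 1
    return result

def sample(rng, n=N):
    # Sample: a random group element
    lst = list(range(n))
    rng.shuffle(lst)
    return tuple(lst)

def key_agreement(seed):
    # Hohenberger / Rabi-Sherman key agreement; only associativity is used
    rng = random.Random(seed)
    x, y = sample(rng), sample(rng)    # Alice's random elements
    xy = mul(x, y)                     # Alice -> Bob: xy, y
    z = sample(rng)                    # Bob's random element
    yz = mul(y, z)                     # Bob -> Alice: yz
    k_alice, k_bob = mul(x, yz), mul(xy, z)   # x(yz) and (xy)z
    return k_alice, k_bob, (xy, y, yz)

def eve_cheating(xy, y, yz):
    # stand-in for an Eve who recovers K = xyz from the transcript;
    # she inverts y, which works in S_N precisely because it is not a GII
    return mul(mul(xy, inv(y)), yz)

def reduction(a, eve=eve_cheating, i=5, j=9, k=3):
    # security argument [H]: hand Eve (a^i, a^j, a^k) with i - j + k = -1;
    # whatever "key" she returns equals a^(i-j+k) = a^-1
    assert i - j + k == -1
    return eve(power(a, i), power(a, j), power(a, k))
```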

Strongly Associative OWF’s

(Introduced by Rabi/Sherman)

– Associative function f(·,·) on set S
– Easy to compute f(x,y) given x, y
– Given f(x,y) and y, hard to compute any x’ such that f(x’,y) = f(x,y)

Hemaspaandra and Rothe show that SAOWF and OWF are black-box equivalent on non-structured domains.

But on a group, SAOWF = GII’s.

Trapdoor GII’s (TGII’s)

A GII, except that some trapdoor information allows computation of inverses. Any finite GII is really a TGII, since knowing the group order allows computation of inverses. However, it may be possible to generate a GII without anyone knowing the group order…

Applications of TGII’s

Vaikuntanathan (2003) has shown how to implement IBE using any TGII that has an efficient algorithm for sampling a random element together with its inverse.

Is this the only known sufficient condition for IBE outside of bilinear maps?

Vaikuntanathan’s IBE construction

Let G be a TGII, h1, h2 hash functions.

– Given ID, define g_ID = h1(ID)
– Define sk_ID = g_ID^-1 (using trapdoor)
– To encrypt m, pick r randomly, then: C = (r g_ID, m ⊕ h2(r))
– To decrypt (s,t), compute m = t ⊕ h2(s sk_ID)

(Sampling of pairs (a, a^-1) needed, but only in the reduction proof, for ID-CPA security.)
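The construction above, as an added example that is not Vaikuntanathan's or the talk's code: the group is the symmetric group S_16 (an assumption for illustration; it is not a TGII, so `inv` stands in for the trapdoor), `h1` maps an identity to a group element with a seeded shuffle, and `h2` is used as a keystream mask. Decryption works because s sk_ID = r g_ID g_ID^-1 = r, which needs associativity but not commutativity.

```python
import hashlib, random

N = 16  # toy group S_N; in a real TGII only the trapdoor holder could invert

def mul(p, q):
    # group operation: apply p first, then q
    return tuple(q[p[i]] for i in range(len(p)))

def inv(p):
    # the trapdoor operation of the TGII (free in this toy group)
    r = [0] * len(p)
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)

def random_element(rng):
    lst = list(range(N))
    rng.shuffle(lst)
    return tuple(lst)

def h1(identity):
    # hash an identity string to a group element (seeded shuffle)
    seed = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return random_element(random.Random(seed))

def h2(p, length):
    # hash a group element to a keystream of the requested length
    return hashlib.shake_256(bytes(p)).digest(length)

def extract(identity):
    # private key generator, holding the trapdoor: sk_ID = g_ID^-1
    return inv(h1(identity))

def encrypt(identity, m, seed):
    # C = (r g_ID, m XOR h2(r)) for a fresh random group element r
    r = random_element(random.Random(seed))
    s = mul(r, h1(identity))
    t = bytes(a ^ b for a, b in zip(m, h2(r, len(m))))
    return s, t

def decrypt(sk_id, c):
    # s sk_ID = r g_ID g_ID^-1 = r, so m = t XOR h2(s sk_ID)
    s, t = c
    return bytes(a ^ b for a, b in zip(t, h2(mul(s, sk_id), len(t))))
```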

How to construct a GII or TGII??

The order of the group must be hidden. The RSA group (Z_n^*) has hidden order, but inverses are unfortunately easy.

Maybe use a “trusted oracle” to provide an interface for composing / sampling / comparing elements, but not inversion. All representations are encrypted. (Saxena and Soh)

Open problem!

Transitive Signatures (due to Micali/Rivest)

Signature scheme on pairs of elements (think of σ(a,b) as a signature on edge (a,b)).

– DTS (Directed Transitive Signatures): given σ(a,b) and σ(b,c), anyone can compute σ(a,c)
– UTS (Undirected TS): given σ(a,b), easy to compute σ(b,a)

Transitive signatures

[figure: edges a → b labelled σ(a,b) and b → c labelled σ(b,c), composed into edge a → c labelled σ(a,c)]

Potential applications to cert chains…

Some relationships (see [H])

[figure: implication diagram relating KA, GII, TGII, TDP, PKE, OWF, OT, DTS, UTS, SDS, TDL, BM]

Constructing a DTS from TGII

Simple way to build a directed transitive signature scheme from a TGII:

– Signature on (a,b) is just a/b

But is this secure???
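The a/b construction worked through in a toy group, as an added example that is not the talk's own code: the symmetric group S_5 is assumed so that multiplication is non-commutative, `inv` stands in for the TGII trapdoor, and `compose` is the public step σ(a,b)·σ(b,c) = a b^-1 b c^-1 = a c^-1.

```python
N = 5  # toy group S_N; a real TGII would make inv() require the trapdoor

def mul(p, q):
    # group operation: apply p first, then q
    return tuple(q[p[i]] for i in range(len(p)))

def inv(p):
    # trapdoor operation: compute the inverse
    r = [0] * len(p)
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)

def sign(a, b):
    # signer (trapdoor holder): sigma(a, b) = a / b = a * b^-1
    return mul(a, inv(b))

def compose(sig_ab, sig_bc):
    # anyone: sigma(a,b) * sigma(b,c) = a b^-1 b c^-1 = a c^-1 = sigma(a,c)
    return mul(sig_ab, sig_bc)

def verify(a, b, sig):
    # verifier needs no trapdoor: sig * b must equal a (order matters)
    return mul(sig, b) == a

def reverse_edge(sig_ab):
    # sigma(b,a) = b a^-1 = sigma(a,b)^-1; computable by anyone only if
    # inversion is feasible, which is what a (T)GII is meant to rule out
    return inv(sig_ab)
```

In this toy group the last function shows that feasible inversion turns the directed scheme into an undirected one, which is the property the TGII assumption has to block.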

Trapdoor pairings

A group with a bilinear map, except that one needs trapdoor information to compute the pairing function. (Rivest (2004), Dent & Galbraith (2006))

Applications of trapdoor pairings

– ID scheme (Dent & Galbraith): Alice is the only one who can correctly compute DDH results on challenges (g^a, g^b, g^ab) or (g^a, g^b, g^c)
– Making various flavors of signature schemes (ID-based, aggregate, ring, …) into “designated verifier” schemes

Construction of trapdoor pairings

– Use an elliptic curve over Z_n where n = pq (Dent & Galbraith 2006)
– “Disguised elliptic curves” (Dent & Galbraith, Galbraith 2006)

Parameters may have to be extremely large…

Summary – Open problems

1. Construct practical trapdoor DL groups.
2. Make groups with infeasible inversion (GII’s), under reasonable assumptions.
3. Make better trapdoor pairings.
4. Prove that the simple TGII → DTS construction is secure (or fix it).

Acknowledgments

Thanks to Susan Hohenberger, David Molnar, and Vinod Vaikuntanathan for helpful suggestions and comments….

(The End)