Weaknesses in the Generic Group Model


Weaknesses in the Generic Group Model
Dr. Alex Dent
http://www.isg.rhul.ac.uk/~alex
Groups in Cryptography
• We often use a “group” in cryptography.
• However a group is an abstract concept.
• Cryptography tends to use some kind of
binary encoding of a group:
: G → {0,1}*
• The different encodings have different
computational properties.
The group Cp
• The cyclic group of p elements can be
realised as:
– An additive group of integers.
– A multiplicative group of integers.
– A subgroup of an elliptic curve group.
• All of these groups are isomorphic but have
vastly different computational properties.
The Generic Group Model
• The generic group aims to capture the idea
that a scheme is secure on some arbitrary,
unspecified group.
• Applicable only to schemes that are useable
in arbitrary groups, like Diffie-Hellman
based schemes.
• Not applicable to RSA based schemes.
• Two main formalisations.
Nechaev’s Model
• Attacker has access to an oracle that can:
– Check equality of group elements.
– Perform group operations.
• The encoding of the group is never
considered in this model.
Shoup’s Model
• Instead of using abstract group elements, use
a randomly selected encoding
: Zp → {0,1}n
• Attacker has access to an oracle that
computes group operations but can test for
equality itself.
Shoup’s Model
• The idea is that, because the encoding is a
random function, we cannot take advantage of
any structure provided by the encoding.
• This model has proven easier to use.
• More realistic?
Shoup’s Model
• “The Exact Security of ECIES in the
Generic Group model” (N. Smart.)
• “Generic Groups, Collision Resistance and
ECDSA” (D. Brown)
• “Flaws in Applying Proof Methodologies to
Signature Schemes” (J. Stern, D.
Pointcheval, J. Malone-Lee, N. Smart)
Schnorr and Jakobsson’s Model
• Combines the random oracle model and the
Nechaev generic group model.
• A scheme that is secure in the Schnorr and
Jakobsson model is certainly secure in the
Shoup model.
• Converse is not true? Impossible to simulate
a full domain random oracle with a random
encoding function.
The Random Oracle Model
• Introduced by Bellare and Rogaway in
1993.
• Aims to show that a scheme is secure up to
weaknesses that might be introduced by the
hash function.
• Replaces the hash function by a randomly
chosen function.
The Random Oracle Model
• Famous paper by Canetti, Goldreich and
Halevi has shown that the ROM is weak…
• …in the sense that there exist schemes that
are provably secure in the random oracle
model but insecure when the hash function
is replaced with any concrete function.
• Uses “CS Proofs” (Micali).
My Results
• The same techniques that are used in the
Canetti et al. paper can be used in the
Shoup model.
• There exist problems that are provably hard
in the generic group model but easy to solve
when the random encoding function is
replaced with any polynomial time
encoding function.
My Results
• There also exist cryptographic schemes that
are provably secure in the generic group
model but insecure when used with any
specific group.
• Uses “Cryptographic CS Proofs” (Micali)
which is a stronger assumption.
Other models
• Obviously since the Schnorr and Jakobsson
model assumes the random oracle model,
the above result is trivial in that model.
• It has not been shown that security proofs
in Nechaev’s model are weak.
A quick digression
• How applicable is the generic group model
for security proofs?
• Generic groups have no automorphisms, but
we mostly restrict ourselves to groups that
have predictable automorphisms (such as
elliptic curve groups).
• Or we build automorphisms into groups to
improve performance.
A quick digression
• Consider the ECIES encryption scheme.
• The scheme uses EC-DH and only uses the
x-coordinates of points to improve
performance.
• Provably secure in the Shoup version of the
generic group model (N. Smart).
• However, it is very obviously weak because,
on an elliptic curve, if P=(x,y) then
-P=(x,-y).
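To make the point on this slide concrete, the following is an added example, not code from the talk: on a constructed toy curve (p = 23, y^2 = x^3 + x + 1, not a standard curve) the x-only key derivation gives the receiver the same key for an ephemeral point R and for -R, a relation between two distinct group elements that a random injective encoding, as in Shoup's model, does not have. The point names, scalars and function names are illustrative choices.

```python
# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over F_p with constructed (non-standard)
# parameters p = 23, A = B = 1; points are (x, y) tuples, None is the point at infinity.
P_MOD, A, B = 23, 1, 1
INF = None

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def neg(pt):
    """-P = (x, -y): shares P's x-coordinate, the structure the slide points at."""
    return INF if pt is INF else (pt[0], -pt[1] % P_MOD)

def add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P + (-P), incl. doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def x_only_key(sk, pub):
    """ECIES-style agreement: only the x-coordinate of sk*pub feeds key derivation."""
    return mul(sk, pub)[0]

def demo(gen=(3, 10), r=5, d=9):
    """Ephemeral R = r*gen; receiver with secret d derives a key from R.  If R is
    replaced by -R, d*(-R) = -(d*R) has the same x-coordinate, so the same key comes
    out.  A random injective encoding (Shoup's model) has no such relation."""
    R = mul(r, gen)
    return {
        "same_key": x_only_key(d, R) == x_only_key(d, neg(R)),
        "same_encoding": R == neg(R),   # a full-point encoding still tells them apart
    }
```

Running `demo()` shows the two ciphertexts decrypt to the same key while their group elements differ, which is exactly the encoding-specific structure a generic group proof cannot see.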
Conclusion
• Schemes that have proofs of security in the
generic group model are not necessarily
weak…
• …but the proof of security is only a
heuristic guide to the security of the
algorithm.
• Furthermore they should be implemented
with care to avoid nullifying that proof.