
Controlled Algebras and GII’s
Ronald L. Rivest
MIT CSAIL
IPAM Workshop October 9, 2006
Outline
• Controlled algebras
• Trapdoor discrete log groups
• Black box & pseudo-free groups
• Groups with infeasible inverses
• Transitive signatures
• Trapdoor pairings
Algebra
(S1, S2, op1, op2, …, opn)
• An algebra is set(s) with operation(s).
• An abstract algebra is a mathematical object.
• An instantiation is a computational object:
– Each element of a set has one or more representations.
– Each operation has an associated computational procedure.
Controlled Algebra
(S, op1, op2, op3, op4, …, opn)
Controls: F, F, I, T, T, … (one label per operation)
• Control computation of each operation:
– F (feasible or public: public poly-time algorithm)
– I (infeasible: no poly-time algorithm exists)
– T (trapdoor: poly-time only with trapdoor information)
• Which controlled algebras can we make?
Controlled Groups
• Group operations:
– Identity: produces identity element e
– Generator(s): produces generator(s)
– Sample: produces random element
– Multiply: group operation
– Invert: given x, compute x^-1
– Equal: test equality of elements
– Canonical: give canonical representation of element
– Discrete log, root, DDH, CDH, hash, …
• Each separately controlled…
Analogy: gene expression
• One of the marvelous features of the way DNA works is that the semantics of the gene (i.e., what protein is made) is decoupled from the control of its expression. Semantics and control may evolve separately.
[Figure: control → protein]
Example: Trapdoor DL groups
• (See Dent and Galbraith 2006)
• Generator g: public, generates G = <g>
• Multiplication (group operation): public
• Discrete logarithm: trapdoor
• Applications: key agreement, encryption. (Publish group description as public key…)
Trapdoor DL groups
• Open problem to construct practical trapdoor DL groups.
• Paillier cryptosystem comes close.
• Dent & Galbraith also propose a pairing-based approach; large tables required.
Black box group
• A controlled group is related to the notion of a black box group (group operation efficient; others, such as discrete log, may not be), which is “essentially the same” as (“just”) the mathematical object.
• Some attempts to have a “computational black box group” (Frey; Galbraith) via “disguised elliptic curves” or other techniques, for specific groups.
“Pseudo-free” Group
• Notion introduced by Hohenberger (2003), refined by Rivest (2004).
• A group is (strongly) “pseudo-free” if an adversary can’t find a solution to any “non-trivial” equation (i.e., one that has no solution in the free group).
• Micciancio (2005) showed that Z_n^* where n = pq is pseudo-free (given the “strong RSA assumption”).
Groups with Infeasible Inverses (GII’s)
• Want the group operation to be easy, but computing inverses to be hard (for everyone).
• GII’s introduced by Susan Hohenberger in her MS thesis; also studied by David Molnar, Vinod Vaikuntanathan.
• Open problem to make GII’s under reasonable assumptions.
GII’s imply Key Agreement
• (Hohenberger; Rabi/Sherman)
• Alice draws random elements: x, y
• Alice sends Bob: xy, y
• Bob draws random element: z
• Bob sends Alice: yz
• Both compute K = (xy)z = x(yz)
Security Argument [H]
• An Eve who can guess K = xyz from (xy, y, yz) can invert random elements.
• Choose a at random.
• Give Eve xy = a^i, y = a^j, yz = a^k where i - j + k = -1.
• Then K = a^(i-j+k) = a^-1.
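The key-agreement protocol and the security argument above, as an added worked example (not code from the talk). No GII is known, so it stands in a constructed toy group: 2x2 invertible matrices over Z_p, which is non-abelian (so associativity, not commutativity, is what makes the keys agree) but in which inverses are easy. That weakness is used deliberately: `eve_with_inverses` is the attacker the reduction assumes away, and `reduction_instance` builds the (a^i, a^j, a^k) instance with i - j + k = -1 from the security argument, so that any K-recovering Eve hands back a^-1. All names and the modulus are this example's assumptions.

```python
import random

# Constructed stand-in group: 2x2 invertible matrices over Z_p (GL(2, p)).
# Non-abelian, so (xy)z = x(yz) holds but xy != yx in general.
# NOT a GII: inverses are feasible here, which is exactly what the
# eavesdropper below uses, showing why the protocol needs inversion to be hard.
P = 1_000_003  # assumed prime modulus (toy size)
IDENT = ((1, 0), (0, 1))

def mat_mul(A, B):
    (a, b), (c, d) = A
    (e, f), (g, h) = B
    return (((a*e + b*g) % P, (a*f + b*h) % P),
            ((c*e + d*g) % P, (c*f + d*h) % P))

def mat_inv(A):
    # Adjugate over determinant; feasible only because p is public.
    (a, b), (c, d) = A
    det_inv = pow((a*d - b*c) % P, -1, P)
    return ((d*det_inv % P, -b*det_inv % P),
            (-c*det_inv % P, a*det_inv % P))

def mat_pow(A, e):
    # Square-and-multiply; negative exponents go through mat_inv.
    if e < 0:
        A, e = mat_inv(A), -e
    R = IDENT
    while e:
        if e & 1:
            R = mat_mul(R, A)
        A = mat_mul(A, A)
        e >>= 1
    return R

def sample(rng):
    # Random invertible matrix: the group's "Sample" operation.
    while True:
        A = ((rng.randrange(P), rng.randrange(P)),
             (rng.randrange(P), rng.randrange(P)))
        if (A[0][0]*A[1][1] - A[0][1]*A[1][0]) % P:
            return A

def key_agreement(rng):
    # Alice: x, y; sends (xy, y).  Bob: z; sends yz.  K = (xy)z = x(yz).
    x, y = sample(rng), sample(rng)
    xy = mat_mul(x, y)
    z = sample(rng)
    yz = mat_mul(y, z)
    k_alice = mat_mul(x, yz)
    k_bob = mat_mul(xy, z)
    return k_alice, k_bob, (xy, y, yz)

def eve_with_inverses(xy, y, yz):
    # Eve sees (xy, y, yz).  With a feasible inverse: (xy) y^-1 (yz) = xyz = K.
    # In a GII this step is unavailable; that is the whole point of the notion.
    return mat_mul(mat_mul(xy, mat_inv(y)), yz)

def reduction_instance(a, i, j):
    # Security argument [H]: choose k with i - j + k = -1.  An Eve who recovers
    # K from (a^i, a^j, a^k) has computed a^(i-j+k) = a^-1.
    k = -1 - i + j
    return mat_pow(a, i), mat_pow(a, j), mat_pow(a, k)

def invert_via_eve(a, i, j, eve):
    # Use any K-recovering Eve as an inversion oracle for a.
    xy, y, yz = reduction_instance(a, i, j)
    return eve(xy, y, yz)

def run_demo(seed=7):
    rng = random.Random(seed)
    k_alice, k_bob, transcript = key_agreement(rng)
    k_eve = eve_with_inverses(*transcript)
    a = sample(rng)
    a_inv = invert_via_eve(a, 5, 3, eve_with_inverses)
    return k_alice, k_bob, k_eve, a, a_inv

if __name__ == "__main__":
    k_alice, k_bob, k_eve, a, a_inv = run_demo()
    print("keys agree:", k_alice == k_bob, "| Eve recovers K:", k_eve == k_alice)
    print("reduction yields a^-1:", mat_mul(a, a_inv) == IDENT)
```

The instance (a^i, a^j, a^k) is a genuine protocol transcript, with x = a^(i-j) and z = a^(k-j), so Eve cannot tell it from a normal run; that is what lets the reduction turn a key-recovery attacker into an inverter.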
Strongly Associative OWF’s
(Introduced by Rabi/Sherman)
• Associative function f(·,·) on set S
• Easy to compute f(x,y) given x, y
• Given f(x,y) and y, hard to compute any x’ such that f(x’,y) = f(x,y).
• Hemaspaandra and Rothe show that SAOWF and OWF are black-box equivalent on non-structured domains.
• But on a group, SAOWF = GII’s.

Trapdoor GII’s (TGII’s)
• GII except some trapdoor information allows computation of inverses.
• Any finite GII is really a TGII, since knowing the group order allows computation of inverses. However, it may be possible to generate a GII without anyone knowing the group order…
Applications of TGII’s
• Vaikuntanathan (2003) has shown how to implement IBE using any TGII that has an efficient algorithm for sampling a random element together with its inverse.
• Is this the only known sufficient condition for IBE outside of bilinear maps?
Vaikuntanathan’s IBE construction
• Let G be a TGII, h1, h2 hash functions.
• Given ID, define g_ID = h1(ID)
• Define sk_ID = g_ID^-1 (using trapdoor)
• To encrypt m, pick r randomly, then: C = (r·g_ID, m ⊕ h2(r))
• To decrypt (s, t) compute m = t ⊕ h2(s·sk_ID)
• (Sampling of pairs (a, a^-1) needed, but only in reduction proof, for ID-CPA security.)
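The two preceding points, as one added example (not the talk's or Vaikuntanathan's code): the observation that a known group order gives inverses (x^-1 = x^(|G|-1), so every finite GII is a TGII), and the IBE construction driven by that trapdoor. Since no real GII exists, the stand-in is Z_n^* with n = pq and the trapdoor φ(n), which the later slide notes is not a GII (inverses are easy anyway); it is used only to exercise the algebra. The toy primes, the SHA-256-based h1/h2, and the function names are this example's assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (NOT secure, NOT a GII): Z_n^* with n = p*q.
# The trapdoor is phi(n) = |Z_n^*|, the group order.
P_, Q_ = 1000003, 1000033          # assumed primes, toy size
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)

def invert_with_order(x):
    # Any finite GII is a TGII: with |G| known, x^-1 = x^(|G|-1) (Lagrange).
    return pow(x, PHI - 1, N)

def h1(identity: bytes) -> int:
    # Hash an identity to an element g_ID of Z_n^* (assumed construction).
    ctr = 0
    while True:
        d = hashlib.sha256(identity + ctr.to_bytes(4, "big")).digest()
        g = int.from_bytes(d, "big") % N
        if g > 1 and math.gcd(g, N) == 1:
            return g
        ctr += 1

def h2(x: int, length: int) -> bytes:
    # Hash a group element to `length` keystream bytes (assumed construction).
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(x.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def sample_element():
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            return r

def extract(identity: bytes) -> int:
    # Key generation centre: sk_ID = g_ID^-1, computed with the trapdoor.
    return invert_with_order(h1(identity))

def encrypt(identity: bytes, m: bytes, r=None):
    # C = (r * g_ID, m XOR h2(r)); needs only multiplication and hashing.
    if r is None:
        r = sample_element()
    s = (r * h1(identity)) % N
    t = bytes(a ^ b for a, b in zip(m, h2(r, len(m))))
    return s, t

def decrypt(sk: int, s: int, t: bytes) -> bytes:
    # s * sk_ID = r * g_ID * g_ID^-1 = r, so h2(r) is recovered.
    r = (s * sk) % N
    return bytes(a ^ b for a, b in zip(t, h2(r, len(t))))

if __name__ == "__main__":
    sk = extract(b"alice@example.com")
    s, t = encrypt(b"alice@example.com", b"hello GII")
    print(decrypt(sk, s, t))
```

Decryption by a key for a different identity yields garbage rather than an error, because the construction as stated on the slide has no integrity check; that is consistent with the ID-CPA (not CCA) security claim.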
How to construct GII or TGII??
• Order of group must be hidden.
• RSA group (Z_n^*) has hidden order, but inverses are unfortunately easy.
• Maybe use a “trusted oracle” to provide an interface for composition / sampling / comparing elements, but not inversion. All representations are encrypted. (Saxena and Soh)
• Open problem!
Transitive Signatures
• (due to Micali/Rivest)
• Signature scheme on pairs of elements (think of σ(a,b) as a signature on edge (a,b))
• DTS (Directed Transitive Signatures): given σ(a,b) and σ(b,c), anyone can compute σ(a,c)
• UTS (Undirected TS): given σ(a,b), easy to compute σ(b,a)
Transitive signatures
[Figure: nodes a, b, c; signed edges σ(a,b) and σ(b,c); derived edge σ(a,c)]
Potential applications to cert chains…
Some relationships (see [H])
[Figure: diagram of relationships among TDP, OT, PKE, TDL, BM, TGII, DTS, GII, KA, OWF, SDS, UTS]
Constructing a DTS from TGII
• Simple way to build a directed transitive signature scheme from a TGII:
– Signature on (a,b) is just a/b
• But is this secure???
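The simple TGII → DTS construction, as an added example (not the talk's code), again over the Z_n^* stand-in with trapdoor φ(n). It shows the algebra that makes composition work, σ(a,b)·σ(b,c) = a·b^-1·b·c^-1 = σ(a,c), and why the scheme is directed: going from σ(a,b) to σ(b,a) means inverting the signature, which a TGII withholds from everyone but the trapdoor holder. The verification rule (σ·b = a, using multiplication only) and all names are assumptions of this example; the slides do not state one, and the question of the scheme's security is left open exactly as on the slide.

```python
import math
import secrets

# Constructed toy parameters (NOT a real TGII): Z_n^*, n = p*q; signer's trapdoor = phi(n).
P_, Q_ = 1000003, 1000033          # assumed primes, toy size
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)

def trapdoor_inv(x: int) -> int:
    # Signer only: x^-1 = x^(|G|-1) from the group order.
    return pow(x, PHI - 1, N)

def sign(a: int, b: int) -> int:
    # sigma(a,b) = a / b = a * b^-1 (the slide's construction).
    return (a * trapdoor_inv(b)) % N

def compose(sig_ab: int, sig_bc: int) -> int:
    # Anyone: sigma(a,b) * sigma(b,c) = a b^-1 b c^-1 = sigma(a,c).
    return (sig_ab * sig_bc) % N

def verify(sig: int, a: int, b: int) -> bool:
    # Assumed check using only the public operation: sigma * b == a.
    return (sig * b) % N == a % N

def reverse_edge(sig_ab: int) -> int:
    # sigma(b,a) = b * a^-1 = sigma(a,b)^-1.  Needs an inverse, so without
    # the trapdoor a verifier cannot turn a directed edge around.
    return trapdoor_inv(sig_ab)

def random_node() -> int:
    while True:
        v = secrets.randbelow(N)
        if v > 1 and math.gcd(v, N) == 1:
            return v

if __name__ == "__main__":
    a, b, c = random_node(), random_node(), random_node()
    sig_ac = compose(sign(a, b), sign(b, c))
    print("composed edge verifies:", verify(sig_ac, a, c))
```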
Trapdoor pairings
A group with a bilinear map, except that one needs trapdoor information to compute the pairing function. (Rivest (2004), Dent & Galbraith (2006))
Applications of trapdoor pairings
• ID scheme (Dent & Galbraith): Alice is the only one who can correctly compute DDH results on challenges (g^a, g^b, g^ab) or (g^a, g^b, g^c)
• Making various flavors of signature schemes (ID-based, aggregate, ring, …) into “designated verifier” schemes
Construction of trapdoor pairings
• Use elliptic curve over Z_n where n = pq (Dent & Galbraith 2006)
• “Disguised elliptic curves” (Dent & Galbraith, Galbraith 2006)
Parameters may have to be extremely large…
Summary – Open problems
1. Construct practical trapdoor DL groups.
2. Make groups with infeasible inversion (GII’s), under reasonable assumptions.
3. Make better trapdoor pairings.
4. Prove that the simple TGII → DTS construction is secure (or fix it).
Acknowledgments
• Thanks to Susan Hohenberger, David Molnar, and Vinod Vaikuntanathan for helpful suggestions and comments….
(The End)