Black-box Groups with Infeasible Inversion (GIIs) - PowerPoint PPT Presentation

1
Black-box Groups with Infeasible Inversion (GIIs)
  • by
  • Amitabh Saxena
  • La Trobe University, VIC 3086, Australia

2
Layout of Talk
  • Intuition of GIIs
  • Applications of GIIs
  • Possible Approaches for a construction
  • Notion of Black-box-GIIs (O-GIIs)
  • Security requirements of black-boxes
  • Formal definition of O-GIIs
  • A concrete O-GII construction
  • Summary of Talk

3
1. Intuition of GIIs
  • We want a 2-ary one-way function f such that for
    all strings a, b, c:
  • f is associative: f(f(a, b), c) = f(a, f(b, c))
  • f(a, b) is efficiently computable
  • f is strongly non-invertible:
    • Given f(a, b) and a, computing b must be hard
    • Given f(a, b) and b, computing a must be hard
  • We say that f is a Strong Associative One-Way
    Function (SAOWF).
  • First formalized by Rivest, Rabi and Sherman
    [Rabi93]
  • No useful constructions of SAOWFs are known as yet.

4
1. Intuition of GIIs (contd.)
  • We extend SAOWFs to have the structure of an
    abelian group
  • A (mathematical) group (G, ∘) is a GII if:
    • (G, ∘) is abelian (i.e. commutative)
    • Sampling elements from G is easy
    • Composition of elements in (G, ∘) is easy
    • Computing inverses of randomly sampled elements
      is hard in the average case
  • First formalized in [Hoh03]

5
2. Applications of GIIs
  • One-round multiparty Key Agreement [Rabi93]
  • Directed Transitive Signatures (DTS) [Hoh03]
  • Broadcast Encryption [Saxena06a]
  • Strong Chain Signatures (SCS) [Saxena06b]
  • Possibly many others:
    • Applications to Re-Trust (?)
    • Untraceable, online digital cash (?): current
      research
    • Secure Multiparty Communication (SMC)

6
2. Applications (contd.): Chain Signatures
[Saxena05]
  • Chain Signatures are a type of multisignature
    that can be used for transitive trust transfer
    in ad-hoc networks.
  • Users 1, 2 compute signatures s1, s2 using
    private keys SK1, SK2 respectively.
  • Given signatures s1, s2 (only) it is easy to
    compute a combined signature s(1, 2) that can be
    verified using public keys PK1, PK2
  • Weak Chain Signatures [Bon03]:
    • Given s(1, 2), PK1, PK2, it must be
      infeasible to compute s1 or s2
  • Strong Chain Signatures (SCS) [Saxena06b]:
    • Given s(1, 2), PK1, PK2, SK2, it must be
      infeasible to compute s1
    • Given s(1, 2), PK1, PK2, SK1, it must be
      infeasible to compute s2

7
2. Formal Definition: GIIs
  • Consists of five algorithms:
    • Setup
    • Sample
    • Compose
    • Verify-In-Group
    • Verify-Not-In-Group
  • SECURITY: Computing inverses must take
    super-polynomial time for randomly sampled
    elements

8
3. Possible Approaches
  • GIIs can be constructed from a structure known as
    a GapCDH group of composite order n [Saxena06b].
  • Let G1 be a cyclic multiplicative group and let
    g be a generator. Define the following problems:
    • Discrete Log (DL) problem: Given g^x, compute x.
    • Computational Diffie-Hellman (CDH) problem: Given
      g^x, g^y, compute g^{xy}.
  • We say that G1 is a GapCDH group if the DL
    problem is HARD but the CDH problem is EASY
  • Define the group operation in (G1, ∘) to be
    equivalent to solving the CDH problem in G1
    (i.e. g^x ∘ g^y = g^{xy}).
  • If the order of g is some composite number n with
    unknown factorization then (G1, ∘) forms a GII
    [Saxena06b]

9
4. Notion of a Black-box GII (O-GII)
  • We extend a GII to have black-box algorithms.
  • A (mathematical) group (G, ∘) is an O-GII if:
    • (G, ∘) is abelian (i.e. commutative)
    • Sampling elements from G is easy
    • Composition of elements in (G, ∘) is easy
      using a black-box with public access (called the
      Oracle)
    • Computing inverses of randomly sampled elements
      is hard even after unlimited access to the
      oracle

10
5. Security in Black-boxes
  • Since access to the black-box is limited, new notions
    of privacy/security are needed, based on the following:
    • The black-box may not be authentic
    • Black-box inputs cannot generally be kept private
      (at least from the black-box)
  • Thus, any practical black-box must support:
    • VERIFIABLE COMPUTATION
    • PRIVATE COMPUTATION

11
5. Security in Black-boxes (contd.): Verifiable
Computation
  • Verifiable Computation: We can test if black-box
    outputs are indeed correct. (For example an RSA
    decryption oracle)
  • Similar to verification of a digital signature
  • Trivial to formalize: For all strings a, b, c, it
    is easy to verify whether c = f(a, b)
  • We call such a black-box a V-Oracle.

12
5. Security in Black-boxes (contd.): Private
Computation
  • Private Computation: We can compute privately
    using the public oracle (e.g. an RSA decryption
    oracle using Chaum's blinding technique)
  • Assume a V-Oracle: thus protection from active
    adversaries.
  • The black-box is remote and need not be tamperproof
  • Similar to Encrypted Functions
  • Must provide perfect privacy (in the sense of
    Information Theory). Called a PV-Oracle.

[Diagram: encrypted functions, relating E(x1, x2, ..., xm), F(E(x1, x2, ..., xm)), E(F(x1, x2, ..., xm)) and F(x1, x2, ..., xm)]
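As an added illustration of the V-Oracle and PV-Oracle notions on the two slides above (example code written for this transcript, not from the talk or from [Saxena06a]): a toy RSA decryption oracle whose every answer the client verifies by re-encryption, and which the client queries through Chaum's blinding so that the oracle learns nothing about the real ciphertext. The primes, exponent and the dishonest-oracle behaviour are constructed toy values.

```python
"""Toy RSA decryption oracle used as a V-Oracle (outputs verified) and a PV-Oracle
(queries blinded). Constructed toy key, insecure and for illustration only."""
import secrets
from math import gcd

P, Q = 61, 53                        # constructed toy primes
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the oracle


def decryption_oracle(c, honest=True):
    """Remote black-box holding D. A dishonest box returns a wrong answer,
    which is why the client never trusts an output it has not verified."""
    m = pow(c, D, N)
    return m if honest else (m + 1) % N


def verify(c, m):
    """V-Oracle check: m is the decryption of c iff m^e == c (RSA is a bijection)."""
    return pow(m, E, N) == c


def private_decrypt(c, honest=True):
    """PV-Oracle use via Chaum blinding. The oracle only sees c' = c * r^e mod N,
    a uniformly random ciphertext independent of c (perfect privacy of the query),
    and D(c') = D(c) * r, so the client divides by r to unblind. Both the blinded
    answer and the unblinded result are verified before being accepted."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (c * pow(r, E, N)) % N
    m_blinded = decryption_oracle(blinded, honest)
    if not verify(blinded, m_blinded):
        raise ValueError("oracle output failed verification")
    m = (m_blinded * pow(r, -1, N)) % N
    if not verify(c, m):
        raise ValueError("unblinded output failed verification")
    return m


if __name__ == "__main__":
    c = pow(1234, E, N)
    print(private_decrypt(c))        # 1234
```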
13
6. Formal Definition: O-GIIs
  • Consists of seven algorithms [Saxena06a]:
    • Setup
    • Sample
    • Compose (by querying the oracle)
    • Verification (of oracle outputs)
    • Verify-In-Group
    • Verify-Not-In-Group
    • Private-Compose
  • SECURITY: Computing inverses must take
    super-polynomial time for randomly sampled
    elements (assuming that each oracle query takes
    unit time)

14
7. A concrete O-GII [Saxena06a]
  • Underlying primitives are:
  • 1. Admissible Cryptosystem (AC): an asymmetric
    scheme (E, D) such that
    • Given E(m1), m2 OR m1, E(m2), it is easy to
      compute E(m1·m2 mod n) without knowing D.
      (Needed for private computation)
    • Examples of ACs: the RSA, Rabin and Paillier [Pai99]
      cryptosystems.
  • 2. Bilinear Maps of composite order n (needed
    for verifying the oracle)
    • First used in [Bon05].
  • Security based on the Group Inversion Problem
    (GIP).
    • GIP is believed to be hard if the AC is the
      Paillier cryptosystem.
    • GIP is easy if computing Discrete Logs OR
      factoring is easy. However, the converse is not true.
      For instance GIP is easy if the AC is RSA or
      Rabin [Saxena06b].

15
7. A concrete O-GII (contd.)
  • Brief idea of the construction of [Saxena06a]:
  • Let G1, G2 be groups (of order n = pq) that support
    a bilinear map e: G1 × G1 → G2, and let g be a
    generator of G1
  • Elements of (G, ∘) are made of two parts:
    • first part is of the form g^x
    • second part is of the form E(x) using the AC.
  • Composition of A = (g^x, E(x)) and B = (g^y, E(y)) is
    simply the result A∘B = (g^{xy}, E(xy mod n)).
  • Observe that the first part of A∘B is the
    solution of the Computational Diffie-Hellman
    (CDH) Problem. Thus, we essentially convert G1
    into a GapCDH group via the oracle.
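A toy Python version of the element format and oracle composition just described, added here as an illustration (it is not the code of [Saxena06a]). It uses Paillier as the AC with constructed toy parameters (n = 35, G1 = the order-35 subgroup of Z_71^*), assumes the oracle holds the Paillier decryption key in order to compute g^{xy} from g^x and E(y), and omits the bilinear-map check of the real scheme; the owner-side consistency check at the end is a stand-in for it.

```python
"""Toy O-GII elements (g^x, E(x)) composed by an oracle holding the AC decryption
key. Constructed toy parameters, insecure and for illustration only."""
from math import gcd, lcm

# Paillier (the AC): n = 5*7 = 35, generator 1+n, lambda = lcm(p-1, q-1).
p, q = 5, 7
n = p * q
n2 = n * n
lam = lcm(p - 1, q - 1)
gp = n + 1
mu = pow((pow(gp, lam, n2) - 1) // n, -1, n)
# G1: the order-n subgroup of Z_P^* with P = 2n + 1 = 71 prime; g1 = 4 has order n.
P, g1 = 71, 4
assert pow(g1, n, P) == 1 and pow(g1, p, P) != 1 and pow(g1, q, P) != 1


def enc(m, r):
    """Paillier encryption E(m) = (1+n)^m * r^n mod n^2 with r coprime to n."""
    assert gcd(r, n) == 1
    return (pow(gp, m % n, n2) * pow(r, n, n2)) % n2


def dec(c):
    """Paillier decryption (only the oracle owner knows lam and mu)."""
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def ac_scale(c, k):
    """AC property: from E(m) and a known k, get E(m*k mod n) without D."""
    return pow(c, k, n2)


def sample(x, r):
    """Group element (g^x, E(x)) for an exponent x in Z_n."""
    return (pow(g1, x, P), enc(x, r))


def oracle_compose(a, b):
    """Public black-box: recovers y with D and returns A∘B = (g^{xy}, E(xy mod n))."""
    gx, ex = a
    _gy, ey = b
    y = dec(ey)
    return (pow(gx, y, P), ac_scale(ex, y))


def is_well_formed(elem):
    """Owner-side check (needs D) that first part == g^{D(second part)}; the real
    scheme lets anyone check the oracle's answer with a bilinear map instead."""
    gx, ex = elem
    return pow(g1, dec(ex), P) == gx
```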

16
8. Summary / Conclusion
  • SAOWFs/GIIs
  • Applications: Strong Chain Signatures
  • The notion of GapCDH groups
  • Black-box constructions of GIIs:
    • Verifiable computation (V-Oracle): active
      attacks
    • Private computation (P-Oracle): passive attacks
    • Private and Verifiable computation (PV-Oracle)
  • Notion of Remote Black-boxes
  • Applications of GIIs, O-GIIs in Re-Trust project
    (?)

17
References
  • [Bon03] Dan Boneh, Craig Gentry and Ben Lynn. Aggregate and
    verifiably encrypted signatures from bilinear maps. Eurocrypt 2003.
  • [Bon05] Dan Boneh, Eu-Jin Goh and Kobbi Nissim. Evaluating 2-DNF
    formulas on ciphertexts. TCC 2005.
  • [Hoh03] Susan Hohenberger. The cryptographic impact of groups with
    infeasible inversion. Masters Thesis, MIT, 2003.
  • [Pai99] Pascal Paillier. Public-key cryptosystems based on
    composite degree residuosity classes. EUROCRYPT 1999.
  • [Rabi93] M. Rabi and A. Sherman. Associative one-way functions: A new
    paradigm for secret-key agreement and digital signatures. Tech report
    CS-TR-3183/UMIACS-TR-93-124, 1993.
  • [Riv04] Ronald Rivest. On the notion of pseudo-free groups. TCC 2004.
  • [Saxena05] One-Way Signature Chaining: A new paradigm for group
    cryptosystems and ecommerce. Cryptology ePrint Archive 2005/335.
  • [Saxena06a] Amitabh Saxena and Ben Soh. A new cryptosystem based on
    hidden-order groups. Cryptology ePrint Archive 2006/172.
  • [Saxena06b] Amitabh Saxena. On groups with infeasible inversion.
    Unpublished. http://homepage.cs.latrobe.edu.au/asaxena/gii06.pdf