Weaknesses in the Generic Group Model - PowerPoint PPT Presentation

Slides: 18
Provided by: Alexa106

1
Weaknesses in the Generic Group Model
  • Dr. Alex Dent
  • alex_at_fermat.ma.rhul.ac.uk
  • http://www.isg.rhul.ac.uk/alex

2
Groups in Cryptography
  • We often use a group in cryptography.
  • However a group is an abstract concept.
  • Cryptography tends to use some kind of binary
    encoding of a group.
  • σ: G → {0,1}^n
  • The different encodings have different
    computational properties.

3
The group Cp
  • The cyclic group of p elements can be realised
    as:
      • An additive group of integers.
      • A multiplicative group of integers.
      • A subgroup of an elliptic curve group.
  • All of these groups are isomorphic but have
    vastly different computational properties.

4
The Generic Group Model
  • The generic group aims to capture the idea that a
    scheme is secure on some arbitrary, unspecified
    group.
  • Applicable only to schemes that are useable in
    arbitrary groups, like Diffie-Hellman based
    schemes.
  • Not applicable to RSA based schemes.
  • Two main formalisations.

5
Nechaev's Model
  • Attacker has access to an oracle that can:
      • Check equality of group elements.
      • Perform group operations.
  • The encoding of the group is never considered in
    this model.

6
Shoup's Model
  • Instead of using abstract group elements, use a
    randomly selected encoding
  • σ: Z_p → {0,1}^n
  • Attacker has access to an oracle that computes
    group operations but can test for equality
    itself.

7
Shoup's Model
  • The idea is that, because σ is a random
    function, we cannot take advantage of any
    structure provided by the encoding.
  • This model has proven easier to use.
  • More realistic?
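
The contrast between slide 3 (isomorphic groups with different computational properties) and Shoup's random encoding, as an added example that is not part of the original slides. The class and function names, the 64-bit encoding length and the sample modulus are assumptions of this sketch: a generic algorithm that only sees encodings needs on the order of sqrt(p) oracle queries, while the additive encoding σ(x) = x gives the discrete logarithm away with one modular inverse.

```python
import math
import secrets

class GenericGroup:
    """Oracle for the additive group Z_p behind a lazily sampled random encoding."""
    def __init__(self, p):
        self.p = p
        self.enc, self.dec = {}, {}      # sigma and its inverse, private to the oracle
        self.queries = 0

    def sigma(self, x):
        x %= self.p
        if x not in self.enc:
            s = secrets.randbits(64)
            while s in self.dec:         # keep sigma injective
                s = secrets.randbits(64)
            self.enc[x], self.dec[s] = s, x
        return self.enc[x]

    def add(self, s1, s2):
        """Group-operation query: encodings in, encoding of the sum out."""
        self.queries += 1
        return self.sigma(self.dec[s1] + self.dec[s2])

def generic_dlog(G, g, h):
    """Baby-step giant-step: sees only encodings, compares them for equality."""
    m = math.isqrt(G.p) + 1
    baby, cur = {g: 1}, g
    for i in range(2, m + 1):            # baby steps: i*g for i = 1..m
        cur = G.add(cur, g)
        baby[cur] = i
    step, cur = cur, h                   # step = m*g
    for j in range(m + 1):               # giant steps: h + j*(m*g)
        if cur in baby:
            return (baby[cur] - j * m) % G.p
        cur = G.add(cur, step)

def additive_dlog(p, g, h):
    """Identity encoding sigma(x) = x: one modular inverse, no oracle queries."""
    return h * pow(g, -1, p) % p

def demo(p=1000003, x=123456):           # constructed sample values
    G = GenericGroup(p)
    g, h = G.sigma(1), G.sigma(x)        # challenger hands out encodings only
    return generic_dlog(G, g, h), G.queries, additive_dlog(p, 5, 5 * x % p)
```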

8
Shoup's Model
  • The Exact Security of ECIES in the Generic Group
    model (N. Smart.)
  • Generic Groups, Collision Resistance and ECDSA
    (D. Brown)
  • Flaws in Applying Proof Methodologies to
    Signature Schemes (J. Stern, D. Pointcheval, J.
    Malone-Lee, N. Smart)

9
Schnorr and Jakobsson's Model
  • Combines the random oracle model and the Nechaev
    generic group model.
  • A scheme that is secure in the Schnorr and
    Jakobsson model is certainly secure in the Shoup
    model.
  • Converse is not true? Impossible to simulate a
    full domain random oracle with a random encoding
    function.

10
The Random Oracle Model
  • Introduced by Bellare and Rogaway in 1993.
  • Aims to show that a scheme is secure up to
    weaknesses that might be introduced by the hash
    function.
  • Replaces the hash function by a randomly chosen
    function.

11
The Random Oracle Model
  • A famous paper by Canetti, Goldreich and Halevi has
    shown that the ROM is weak
  • in the sense that there exist schemes that are
    provably secure in the random oracle model but
    insecure when the hash function is replaced with
    any function.
  • Uses CS Proofs (Micali).

12
My Results
  • The same techniques that are used in the Canetti
    et al. paper can be used in the Shoup model.
  • There exist problems that are provably hard in
    the generic group model but easy to solve when
    the random encoding function is replaced with any
    polynomial time encoding function.

13
My Results
  • There also exist cryptographic schemes that are
    provably secure in the generic group model but
    insecure when used with any specific group.
  • Uses Cryptographic CS Proofs (Micali) which is
    a stronger assumption.

14
Other models
  • Obviously since the Schnorr and Jakobsson model
    assumes the random oracle model, the above result
    is trivial in that model.
  • It has not been shown that security proofs in
    Nechaev's model are weak.

15
A quick digression
  • How applicable is the generic group model for
    security proofs?
  • Generic groups have no automorphisms but we
    mostly restrict ourselves to groups that have
    predictable automorphisms (such as Elliptic Curve
    groups)
  • Or we build automorphisms into groups to improve
    performance.

16
A quick digression
  • Consider the ECIES encryption scheme.
  • The scheme uses EC-DH and only uses the
    x-coordinates of points to improve performance.
  • Provably secure in the Shoup version of the
    generic group model (N. Smart).
  • However very obviously weak due to the fact that,
    on an elliptic curve, if P = (x, y) then -P = (x, -y).

17
Conclusion
  • Schemes that have proofs of security in the
    generic group model are not necessarily weak
  • but the proof of security is only a heuristic
    guide to the security of the algorithm.
  • Furthermore they should be implemented with care
    to avoid nullifying that proof.