arxiv: v1 [cs.cr] 16 Dec 2015

Similar documents
Secure Delegation of Elliptic-Curve Pairing

A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System

On the Big Gap Between p and q in DSA

Fully Verifiable Secure Delegation of Pairing Computation: Cryptanalysis and An Efficient Construction

Lecture 1: Introduction to Public key cryptography

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

A Strong Identity Based Key-Insulated Cryptosystem

Efficient and Secure Delegation of Linear Algebra

Entity Authentication

Identity-Based Online/Offline Encryption

Cryptology. Vilius Stakėnas autumn

A FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

On Two Round Rerunnable MPC Protocols

Introduction to Cryptography Lecture 13

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Public Key Authentication with One (Online) Single Addition

Week 7 An Application to Cryptography

Cryptographical Security in the Quantum Random Oracle Model

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Experimental Study of DIGIPASS GO3 and the Security of Authentication

arxiv: v3 [cs.cr] 15 Jun 2017

CPSC 467b: Cryptography and Computer Security

Public-Key Encryption: ElGamal, RSA, Rabin

Type-based Proxy Re-encryption and its Construction

Lecture 38: Secure Multi-party Computation MPC

Efficient Identity-based Encryption Without Random Oracles

Unbalancing Pairing-Based Key Exchange Protocols

ExpSOS: Secure and Verifiable Outsourcing of Exponentiation Operations for Mobile Cloud Computing

Security Implications of Quantum Technologies

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Eavesdropping or Disrupting a Communication On the Weakness of Quantum Communications

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Secure Vickrey Auctions without Threshold Trust

Security Protocols and Application Final Exam

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Katz, Lindell Introduction to Modern Cryptrography

Introduction to Modern Cryptography. Benny Chor

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Verifiable Delegation of Polynomials

FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes

Security Analysis of Some Batch Verifying Signatures from Pairings

Quantum Wireless Sensor Networks

An Anonymous Authentication Scheme for Trusted Computing Platform

Optimal Use of Montgomery Multiplication on Smart Cards

Physically Unclonable Functions

CRYPTOGRAPHY AND NUMBER THEORY

Blind Collective Signature Protocol

Improved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider

Applied cryptography

A Small Subgroup Attack on Arazi s Key Agreement Protocol

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Uncloneable Quantum Money

Introduction to Modern Cryptography. Benny Chor

Policy-based Signature

Optimal Verification of Operations on Dynamic Sets

An Introduction to Pairings in Cryptography

[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex

A DPA attack on RSA in CRT mode

Notes on Zero Knowledge

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

One can use elliptic curves to factor integers, although probably not RSA moduli.

Evaluating 2-DNF Formulas on Ciphertexts

Constructing Verifiable Random Number in Finite Field

ID-Based Blind Signature and Ring Signature from Pairings

A Note on the Cramer-Damgård Identification Scheme

CPSC 467: Cryptography and Computer Security

Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5

Introduction to Modern Cryptography Lecture 11

Cryptography and Security Final Exam

Public-Key Cryptosystems CHAPTER 4

1 Number Theory Basics

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Divisible E-cash Made Practical

Introduction to Cryptography. Lecture 8

NTRU Cryptosystem and Its Analysis

Anonymous Single-Round Server-Aided Verification

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

10 Public Key Cryptography : RSA

CSC 774 Advanced Network Security

Provable Security Proofs and their Interpretation in the Real World

CSC 774 Advanced Network Security

RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer

CPSC 467: Cryptography and Computer Security

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

A new security notion for asymmetric encryption Draft #12

Notes for Lecture 17

Cryptography IV: Asymmetric Ciphers

Efficient Password-based Authenticated Key Exchange without Public Information

A Pairing-Based DAA Scheme Further Reducing TPM Resources

Fixed Argument Pairings

Research Article On the Security of a Novel Probabilistic Signature Based on Bilinear Square Diffie-Hellman Problem and Its Extension

arxiv: v1 [quant-ph] 23 Nov 2017

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Proposal: RFID Security by Client and Server Delegation

Transcription:

A Note on Efficient Algorithms for Secure Outsourcing of Bilinear Pairings arxiv:1512.05413v1 [cs.cr] 16 Dec 2015 Lihua Liu 1 Zhengjun Cao 2 Abstract. We show that the verifying equations in the scheme [Theoretical Computer Science, 562 (2015), 112-121] cannot filter out some malformed values returned by the malicious servers. We also remark that the two untrusted programs model adopted in the scheme is somewhat artificial, and discuss some reasonable scenarios for outsourcing computations. Keywords. bilinear pairing, outsourcing computation, semi-honest server. 1 Introduction Very recently, Chen et al. [1] have put forth a scheme for outsourcing computations of bilinear pairings in two untrusted programs model which was introduced by Hohenberger and Lysyanskaya [4]. In the scheme, a user T can indirectly compute the pairing e(a,b) by outsourcing some expensive work to two untrusted servers U 1 and U 2 such that A, B and e(a,b) are kept secret. Using the returned values from U 1, U 2 and some previously stored values, the user T can recover e(a, B). The Chen et al. s scheme is derived from the Chevallier-Mames et al. s scheme [2] by storing some values in a table in order to save some expensive operations such as point multiplications and exponentiations. Besides, the new scheme introduces two servers U 1 and U 2 rather than the unique server U in the Chevallier-Mames et al. s scheme. The authors [1] claim that the scheme achieves the security as long as one of the two servers is honest. In other word, a malicious server cannot obtain either A or B. Unfortunately, the assumption cannot ensure that the scheme works well, because a malicious server can return some random values while the user T cannot detect the malicious behavior. As a result, T outputs a false value. In this note, we show that the verifying equations in the scheme [1] cannot filter out some 1 Department of Mathematics, Shanghai Maritime University, China. liulh@shmtu.edu.cn 2 Department of Mathematics, Shanghai University, Shanghai, China. 1

malformed values returned by the malicious servers. To fix this drawback, we should specify that the servers are semi-honest. We also point out that the two untrusted programs model adopted in the scheme is somewhat artificial and discuss some reasonable scenarios for outsourcing computations. 2 Review of the scheme Let G 1 and G 2 be two cyclic additive groups with a large prime order q. Let G 3 be a cyclic multiplicative group of the same order q. A bilinear pairing is a map e : G 1 G 2 G 3 with the following properties. (1) Bilinear: e(ar,bq) = e(r,q) ab for all R G 1, Q G 2, and a,b Z q. (2) Non-degenerate: There exist R G 1 and Q G 2 such that e(r,q) 1. (3) Computable: There is an efficient algorithm to compute e(r,q) for all R G 1,Q G 2. The Chen et al. s scheme [1] uses two untrusted servers U 1,U 2. The outsourcer T queries some pairings to the two servers. The scheme can be described as follows. Setup. A trusted server computes a table Rand which consists of the elements of random and independent six-tuple (W 1,W 2,w 1 W 1,w 2 W 1,w 2 W 2,e(w 1 W 1,w 2 W 2 )), where w 1,w 2 R Z q,w 1 R G 1, and W 2 R G 2. The table is then loaded into the memory of T. Look-up table. Given A G 1,B G 2, where A and B may be secret or protected and e(a,b) is always secret or protected. T looks up Rand to create (V 1,V 2,v 1 V 1,v 2 V 1,v 2 V 2,e(v 1 V 1,v 2 V 2 )), (X 1,X 2,x 1 X 1,x 2 X 1,x 2 X 2,e(x 1 X 1,x 2 X 2 )), (Y 1,Y 2,y 1 Y 1,y 2 Y 1,y 2 Y 2,e(y 1 Y 1,y 2 Y 2 )). Interaction with U 1. T sends{(a+v 1 V 1,B+v 2 V 2 ),(v 1 V 1 +v 2 V 1,V 2 ),(x 1 X 1,x 2 X 2 ),(y 1 Y 1,y 2 Y 2 )} to U 1. U 1 returns α 1 = e(a+v 1 V 1,B +v 2 V 2 ), δ = e(v 1,V 2 ) v 1+v 2, β 1 = e(x 1 X 1,x 2 X 2 ), β 2 = e(y 1 Y 1,y 2 Y 2 ). Interaction with U 2. T sends {(A+V 1,v 2 V 2 ),(v 1 V 1,B+V 2 ),(x 1 X 1,x 2 X 2 ),(y 1 Y 1,y 2 Y 2 )} to U 2. U 2 returns α 2 = e(a+v 1,v 2 V 2 ), α 3 = e(v 1 V 1,B +V 2 ), β1 = e(x 1 X 1,x 2 X 2 ), β2 = e(y 1 Y 1,y 2 Y 2 ). Verification. T checks that both U 1 and U 2 produce the correct outputs by verifying that If not, T outputs error. β 1 = β 1 and β 2 = β 2. 2

Computation. T computes e(a,b) = α 1 α 1 2 α 1 3 δ e(v 1V 1,v 2 V 2 ) 1. Remark 1. In the original description of the scheme, the step 2 (see section 4.2 in Ref.[1]) has not specified any actions. It only explains that the pairing e(a,b) can be composed by the related values. The authors have confused the explanation with steps of the scheme (it is common that a step of a scheme should specify some actions performed by a participator), which makes the original description somewhat obscure. 3 The checking mechanism in the scheme fails In the scheme, to check whether the returned values α 1, δ, β 1, β 2 and α 2, α 3, β 1, β2 are properly formed, the user T has to check the verifying equations β 1 = β 1 and β 2 = β 2. We now want to stress that the checking mechanism cannot filter out some malformed values. The drawback is due to that the protected values A,B are not involved in the equations at all. Forexample, uponreceiving{(a+v 1 V 1,B+v 2 V 2 ), (v 1 V 1 +v 2 V 1,V 2 ), (x 1 X 1,x 2 X 2 ), (y 1 Y 1,y 2 Y 2 )}, U 1 picks a random ρ Z q and returns α 1 = e(a+v 1 V 1,B +v 2 V 2 ), ρ, β 1 = e(x 1 X 1,x 2 X 2 ), β 2 = e(y 1 Y 1,y 2 Y 2 ) to T. In such case, we have α 1 α 1 2 α 1 3 e(v 1V 1,v 2 V 2 )) 1 ρ = e(a,b)e(v 1,V 2 ) v 1 v 2 ρ. That means T obtains e(a,b)e(v 1,V 2 ) v 1 v 2 ρ instead of e(a,b). To fix the above drawback, we have to specify that both two servers are semi-honest. The term of semi-honest heremeansthat aserver can copy theinvolved values and always returnsthe correct outputs, but cannot conspire with the other server. Under the reasonable assumption, the original scheme can be greatly simplified. We now present a revised version of it as follows. Look-up table. Given A G 1,B G 2, where A and B may be secret or protected and e(a,b) is always secret or protected. T looks up Rand to create (V 1,V 2,v 1 V 1,v 2 V 1,v 2 V 2,e(v 1 V 1,v 2 V 2 )). Interaction with U 1. T sends {(A+v 1 V 1,B +v 2 V 2 ), (v 1 V 1 +v 2 V 1,V 2 )} to U 1. U 1 returns α 1 = e(a+v 1 V 1,B +v 2 V 2 ), δ = e(v 1,V 2 ) v 1+v 2. Interaction with U 2. T sends {(A+V 1,v 2 V 2 ), (v 1 V 1,B +V 2 )} to U 2. U 2 returns α 2 = e(a+v 1,v 2 V 2 ), α 3 = e(v 1 V 1,B +V 2 ). Computation. T computes e(a,b) = α 1 α 1 2 α 1 3 e(v 1V 1,v 2 V 2 ) 1 δ. 3

4 The checking mechanism in the Chevallier-Mames et al. s scheme works well As we mentioned before, the Chen et al. s scheme [1] is derived from the Chevallier-Mames et al. s scheme [2]. But the new scheme misses the feature of the checking mechanism in the Chevallier-Mames et al. s scheme. We think it is helpful for the later practitioners to explain the feature. In the Chevallier-Mames et al. s scheme, the outsourcer T wants to compute the pairing e(a,b) with the help of the untrusted server U such that A,B and e(a,b) are kept secret. The scheme can be described as follows (See Table 1). Table 1: The Chevallier-Mames et al. s scheme The outsourcer T The server U {P 1 G 1,P 2 G 2, e(p 1,P 2 )} Input: A G 1,B G 2 Pick g 1,g 2,a 1,r 1,a 2,r 2 Z q, compute A+g 1 P 1,B +g 2 P 2 Compute a 1 A+r 1 P 1,a 2 B +r 2 P 2 (A+g 1 P 1,P 2 ) α 1 = e(a+g 1 P 1,P 2 ) and query them. Compute (P 1,B+g 2 P 2 ) α 2 = e(p 1,B +g 2 P 2 ) (A+g 1 P 1,B+g 2 P 2 ) α 3 = e(a+g 1 P 1,B +g 2 P 2 ) (a 1 A+r 1 P 1,a 2 B+r 2 P 2 ) α 4 = e(a 1 A+r 1 P 1,a 2 B +r 2 P 2 ) e(a,b) = α g 2 1 α g 1 2 α 3 e(p 1,P 2 ) g 1g 2 α 1,α 2,α 3,α 4 and return them. Check that α 4? = e(a,b) a 1 a 2 α a 1r 2 1 α a 2r 1 2 e(p 1,P 2 ) r 1r 2 a 1 g 1 r 2 a 2 g 2 r 1 If true, output e(a,b). Notice that the true verifying equation is ( ) α 4 = α g 2 1 α g 1 2 α 3 e(p 1,P 2 ) g a1 a 2 1g 2 α a 1 r 2 1 α a 2r 1 2 e(p 1,P 2 ) r 1r 2 a 1 g 1 r 2 a 2 g 2 r 1 = α g 2a 1 a 2 +a 1 r 2 1 α g 1a 1 a 2 +a 2 r 1 2 α a 1a 2 3 e(p 1,P 2 ) g 1g 2 a 1 a 2 +r 1 r 2 a 1 g 1 r 2 a 2 g 2 r 1 where α 1,α 2,α 3,α 4 are generated by the server U, and the session keys g 1,g 2,a 1,r 1,a 2,r 2 are randomly picked by the outsourcer T. 4

Clearly, the server U cannot generate the four-tuple (α 1,α 2,α 3,α 4 ) satisfying the above verifying equation because the exponents a 1 r 2 g 2 a 1 a 2, a 2 r 1 g 1 a 1 a 2, a 1 a 2, g 1 g 2 a 1 a 2 +r 1 r 2 a 1 g 1 r 2 a 2 g 2 r 1 are not known to the server. The intractability of the above equation can be reduced to the following general challenge: Without knowing a secret exponentθ,findx,y Zq, X 1,Y 1,such thatxθ = Y. 5 The remote and shared servers The authors stress that the two servers U 1 and U 2, in the real-world applications, can be viewed as two copies of one advertised software from two different vendors. We would like to remark that the two copies are neither nearby nor private. They must be remote and shared by many outsourcers. Otherwise, the user T equipped with two private copies of one software can be wholly viewed as an augmented user. But the situation is rarely considered in practice. WenowconsiderthesituationthattheoutsourcerT hastocommunicatewithtworemoteand shared servers. If the data transmitted over channels are not encrypted, then an adversary can obtain A+v 1 V 1,B+v 2 V 2 by tapping the communication between T and U 1, and get v 1 V 1,v 2 V 2 by tapping the communication between T and U 2. Hence, he can recover A and B. Thus, it is reasonable to assume that all data transmitted over channels are encrypted. From the practical point of view, the communication costs (including that of authentication of the exchanged data, the underlying encryption/decryption, etc.) could be far more than the computational gain in the scheme. The authors have neglected the comparisons between the computational gain and the incurred communication costs. Taking into account this drawback, we think the scheme is somewhat artificial. 5.1 A nearby and trusted server Girault and Lefranc [3] have described some situations in which a chip has only a small computation capability is connected to a powerful device. In a GSM mobile telephone, the more sensitive cryptographic operations are performed in the so-called SIM (Subscriber Identification Module), which is already aided by the handset chip, mainly to decipher the over-the-air enciphered conversation. In a payment transaction, a so-called SAM (Secure Access Module) is embedded in a terminal already containing a more powerful chip. 5

A smart card is plugged into a personal computer, seeing that many PCs will be equipped with smart card readers in a near future. We findthat in all thesesituations (asim vs. ahandset, a SAM vs. apowerfulterminal, asmart card vs. a personal computer) the servers are nearby and trusted, not remote and untrusted. 6 Conclusion The true goal of outsourcing computation in the Chen et al. s scheme is to compute bilinear pairings. In view of that pairings spread everywhere in pairing-based cryptograph, we do not think that the trick of equipping a low capability chip with two untrusted softwares is useful. In practice, we think, it is better to consider the scenario where a portable chip has access to a nearby and trusted server. Otherwise, the communication costs could overtake the computational gain of the outsourced computations. References [1] X. Chen, et al., Efficient algorithms for secure outsourcing of bilinear pairings, Theoretical Computer Science, 562 (2015) 112-121. [2] B. Chevallier-Mames, et al., Secure delegation of elliptic-curve pairing, in: CARDIS 2010, in: LNCS, vol. 6035, 2010, pp.24-35. [3] M. Girault, D. Lefranc, Server-aided verification: theory and practice, in: ASIACRYPT 2005, in: LNCS, vol. 3788, 2005, pp.605-623. [4] S. Hohenberger, A. Lysyanskaya, How to securely outsource cryptographic computations, in: TCC 2005, in: LNCS, vol. 3378, pp.264-282. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback