Lecture 25: Pairing Based Cryptography

Similar documents
Fixed Argument Pairing Inversion on Elliptic Curves

Key Establishment Protocols. Cryptography CS 507 Erkay Savas Sabanci University

10/04/18. P [P(x)] 1 negl(n).

Secret Exponent Attacks on RSA-type Schemes with Moduli N = p r q

New problems in universal algebraic geometry illustrated by boolean equations

arxiv: v1 [math.co] 1 Apr 2011

Construction and Analysis of Boolean Functions of 2t + 1 Variables with Maximum Algebraic Immunity

Using Laplace Transform to Evaluate Improper Integrals Chii-Huei Yu

CALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL

Computer Security Laboratory Concordia Institute for Information Systems Engineering Concordia University, Montreal (QC), Canada

Concurrent Blind Signatures without Random Oracles

E E E. Aggelos Kiayias. Cryptography. Primitives and Protocols. Notes by S. Pehlivanoglu, J. Todd, and H.S. Zhou

Cryptography. Primitives and Protocols. Aggelos Kiayias

Provable Security in Cryptography

E E E. Aggelos Kiayias. Cryptography. Primitives and Protocols. Based on notes by S. Pehlivanoglu, J. Todd, K. Samari, T. Zacharias and H.S.

New Finding on Factoring Prime Power RSA Modulus N = p r q

6 PROBABILITY GENERATING FUNCTIONS

Non-Transferable Proxy Re-Encryption Scheme

Inverting the nal exponentiation of Tate pairings on ordinary elliptic curves using faults

Some RSA-based Encryption Schemes with Tight Security Reduction

Lecture 18: Graph Isomorphisms

Probablistically Checkable Proofs

A more efficient secure event signature protocol for massively multiplayer online games based on P2P Dapeng Li1, a, Liang Hu1,b, and JianFeng Chu1,c

9.1 The multiplicative group of a finite field. Theorem 9.1. The multiplicative group F of a finite field is cyclic.

Introduction Common Divisors. Discrete Mathematics Andrei Bulatov

Application of Parseval s Theorem on Evaluating Some Definite Integrals

Solving Some Definite Integrals Using Parseval s Theorem

On the ratio of maximum and minimum degree in maximal intersecting families

Chapter 3: Theory of Modular Arithmetic 38

Pairing Inversion via Non-degenerate Auxiliary Pairings

ON INDEPENDENT SETS IN PURELY ATOMIC PROBABILITY SPACES WITH GEOMETRIC DISTRIBUTION. 1. Introduction. 1 r r. r k for every set E A, E \ {0},

On the ratio of maximum and minimum degree in maximal intersecting families

Divisibility. c = bf = (ae)f = a(ef) EXAMPLE: Since 7 56 and , the Theorem above tells us that

A STUDY OF HAMMING CODES AS ERROR CORRECTING CODES

Enumerating permutation polynomials

Multiple Criteria Secretary Problem: A New Approach

RELIABILITY is an important concept in the design

AQI: Advanced Quantum Information Lecture 2 (Module 4): Order finding and factoring algorithms February 20, 2013

On a Hyperplane Arrangement Problem and Tighter Analysis of an Error-Tolerant Pooling Design

Efficient Multiplication in for Elliptic Curve Cryptography

Design and Analysis of Password-Based Key Derivation Functions

CALCULUS II Vectors. Paul Dawkins

Perturbation to Symmetries and Adiabatic Invariants of Nonholonomic Dynamical System of Relative Motion

Stanford University CS259Q: Quantum Computing Handout 8 Luca Trevisan October 18, 2012

NOTE. Some New Bounds for Cover-Free Families

Localization of Eigenvalues in Small Specified Regions of Complex Plane by State Feedback Matrix

Lifting Private Information Retrieval from Two to any Number of Messages

Auchmuty High School Mathematics Department Advanced Higher Notes Teacher Version

Anonymity-enhanced Pseudonym System

Anonymous return route information for onion based mix-nets

Measure Estimates of Nodal Sets of Polyharmonic Functions

Lecture 16 Root Systems and Root Lattices

Pushdown Automata (PDAs)

On decompositions of complete multipartite graphs into the union of two even cycles

Design and Analysis of Password-Based Key Derivation Functions

HOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS?

The Archimedean Circles of Schoch and Woo

Journal of Inequalities in Pure and Applied Mathematics

A Comparison and Contrast of Some Methods for Sample Quartiles

Central Coverage Bayes Prediction Intervals for the Generalized Pareto Distribution

Goodness-of-fit for composite hypotheses.

Quasi-Randomness and the Distribution of Copies of a Fixed Graph

A Bijective Approach to the Permutational Power of a Priority Queue

Overcoming Weak Expectations

THE MAXIMUM SIZE OF A PARTIAL SPREAD II: UPPER BOUNDS

On a quantity that is analogous to potential and a theorem that relates to it

Surveillance Points in High Dimensional Spaces

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

Duality between Statical and Kinematical Engineering Systems

Research Article On Alzer and Qiu s Conjecture for Complete Elliptic Integral and Inverse Hyperbolic Tangent Function

FUSE Fusion Utility Sequence Estimator

MAGNETIC FIELD AROUND TWO SEPARATED MAGNETIZING COILS

On the Computation of the Optimal Ate Pairing at the 192-bit Security Level

Analytical Solutions for Confined Aquifers with non constant Pumping using Computer Algebra

ONE-POINT CODES USING PLACES OF HIGHER DEGREE

COLLAPSING WALLS THEOREM

Chaos and bifurcation of discontinuous dynamical systems with piecewise constant arguments

15.081J/6.251J Introduction to Mathematical Programming. Lecture 6: The Simplex Method II

Turán Numbers of Vertex-disjoint Cliques in r- Partite Graphs

1. INTRODUCTION FAST ELLIPTIC CURVE CRYPTOGRAPHY USING OPTIMAL DOUBLE-BASE CHAINS

Encapsulation theory: radial encapsulation. Edmund Kirwan *

QUANTUM ALGORITHMS IN ALGEBRAIC NUMBER THEORY

CHARIOT: Cloud-Assisted Access Control for the Internet of Things

Computers and Mathematics with Applications

ANA BERRIZBEITIA, LUIS A. MEDINA, ALEXANDER C. MOLL, VICTOR H. MOLL, AND LAINE NOBLE

TANTON S TAKE ON CONTINUOUS COMPOUND INTEREST

arxiv: v1 [math.co] 4 May 2017

The Substring Search Problem

Australian Intermediate Mathematics Olympiad 2017

A pathway to matrix-variate gamma and normal densities

Lecture 7. Public Key Cryptography (Diffie-Hellman and RSA)

Channel matrix, measurement matrix and collapsed matrix. in teleportation

A Simple Model of Communication APIs Application to Dynamic Partial-order Reduction

Consensus Determining with Dependencies of Attributes with Interval Values

THE NUMBER OF TWO CONSECUTIVE SUCCESSES IN A HOPPE-PÓLYA URN

Fall 2014 Randomized Algorithms Oct 8, Lecture 3

H.W.GOULD West Virginia University, Morgan town, West Virginia 26506

Asymptotically Lacunary Statistical Equivalent Sequence Spaces Defined by Ideal Convergence and an Orlicz Function

An upper bound on the number of high-dimensional permutations

Functions Defined on Fuzzy Real Numbers According to Zadeh s Extension

Transcription:

6.897 Special Topics in Cyptogaphy Instucto: Ran Canetti May 5, 2004 Lectue 25: Paiing Based Cyptogaphy Scibe: Ben Adida 1 Intoduction The field of Paiing Based Cyptogaphy has exploded ove the past 3 yeas [cy, DBS04]. The cental idea is the constuction of a mapping between two useful cyptogaphic goups which allows fo new cyptogaphic schemes based on the eduction of one poblem in one goup to a diffeent, usually easie poblem in the othe goup. In many eseach papes, the fist of these two goups is efeed to as a Gap Goup, whee the Decisional Diffie Helman poblem [Bon98] is easy (because it educes to an easy poblem in the second goup), but the Computational Diffie Helman poblem emains had. The known implementations of these paiings the Weil and Tate paiings involve faily complex mathematics. Fotunately, they can be dealt with abstactly, using only the goup stuctue and mapping popeties. Many inteesting schemes have been built based puely on abstact bilinea maps. 2 Bilinea Maps The majo paiing based constuct is the bilinea map. Conside two goups G 1 and G 2 of pime ode. Fo claity, we denote G 1 using additive notation and G 2 using multiplicative notation, even though the goup opeations in G 1 and G 2 may well be vey diffeent fom the well known aithmetic addition and multiplication. (Sometimes G 1 is also witten multiplicatively in the liteatue.) We conside P and Q two geneatos of G 1, and we wite a times {}}{ ap = P + P +... + P We now conside the mapping e as follows: e : G 1 G 1 G 2 (Note that we do not know how to build a self bilinea map, G 1 G 1 G 1. This would be uite poweful.) Useful bilinea maps have thee popeties: Bilineaity P, Q G 1, a, b Z, e(ap, bq) = e(p, Q) ab 17 1

Non Degeneacy If eveything maps to the identity, that s obviously not inteesting: P G 1, P = 0 e(p, P ) = G 2 (e(p, P ) geneates G 2 ) In othe wods: P = 0 e(p, P ) = 1 Computability e is efficiently computable. We can find G 1 and G 2 whee these popeties hold: the Weil and Tate paiings pove the existence of such constuctions. Typically, G 1 is an elliptic cuve goup and G 2 is a finite field. 3 Complexity Implications The constuction of a bilinea map comes with a numbe of complexity implications. Theoem 1 The Discete Log Poblem in G 1 is no hade than the Discete Log Poblem in G 2. Poof 1 Conside Q = ap (still using additive notation), though a is unknown. Solving the Discete Log Poblem involves discoveing a fo a given P and a andom Q. We note: e(p, Q) = e(p, ap ) = e(p, P ) a Thus, we can educe the Discete Log Poblem in G 1 to the Discete Log Poblem in G 2. Given P G 1 and a andom Q G 1, and noting that the mapping e is easily computable, we can compute log P (Q) as follows: 1. detemine P = e(p, P ) 2. detemine Q = e(p, Q) 3. detemine a = log P (Q ) in G 2. 4. a is also log P (Q). Theoem 2 The Decisional Diffie Helman [Bon98] is easy in G 1. Poof 2 Solving the DDH poblem involves distinguishing: P, ap, bp, cp with a, b, c R Z, and P, ap, bp, abp with a, b R Z If we define P, A, B, C as the fou values given to the distinguishe, the distinguishe functions as follows: 17 2

1. Detemine v 1 = e(a, B) and v 2 = e(p, C) 2. If v 1 = v 2, then the tuple is of the type P, ap, bp, abp. Indeed, assume C = abp, then: e(a, B) = e(ap, bp ) = e(p, P ) ab = e(p, abp ) = e(p, C) Since we know the mapping e is non degeneate, the euality e(a, B) = e(p, C) is euivalent to c = ab. The distinguishe can gain a significant advantage in deciding DDH given the mapping e. 4 Cyptogaphic Schemes The application of bilinea maps leads to numeous inteesting cyptogaphic schemes. 4.1 One Round, 3 paty Key Ageement Scheme In 2000, Joux intoduced a scheme fo one ound, 3 paty key ageement based on bilinea maps [Jou00]. Key ageement schemes based on Diffie Helman [DH76] ae well known, but all euie moe than one ound of exchanged data. In the Joux scheme, assume the above notation and existence of a bilinea map between goups G 1 and G 2 with P a geneato of G 1. Thee paties A, B, C espectively have secets a, b, c Z. The potocol functions as follows: 1. A B, C: ap 2. B A, C: bp 3. C A, B: cp 4. Note that steps 1, 2, 3 ae done in one ound of paallel message exchanges. 5. A computes e(bp, cp ) a = e(p, P ) abc. 6. B computes e(ap, cp ) b = e(p, P ) abc. 7. C computes e(ap, bp ) c = e(p, P ) abc. 8. Note that steps 5, 6, 7 ae done in paallel. 9. All paties have the same shaed key K = e(p, P ) abc G 2. This potocol is contingent on the BDH assumption. Definition The Bilinea Diffie Helman (BDH) Assumption consides the computation of e(p, P ) abc given P, ap, bp, cp to be had. 4.2 Identity Based Encyption In 1984, Shami imagined a public key encyption scheme whee any publicy known sting (e.g. someone s email addess) could be used as a public key [Sha85]. In this scheme, 17 3

the coesponding pivate key is deliveed to the pope owne of this sting (e.g. the ecipient of the email addess) by a tusted pivate key geneato. This key geneato must veify the use s identity befoe deliveing a pivate key, of couse, though this veification is essentially the same as that euied fo issuing a cetificate in a typical Public Key Infastuctue (PKI). Thus, an Identity Based Encyption Scheme enables the deployment of a public key cyptosystem without the pio setup of a PKI: a use poves his identity in a lazy way, only once he needs his pivate key to decypt a message sent to him. In 2001, Boneh and Fanklin devised the fist pactical implementation of such an Identity Based Encyption scheme [BF01]. Thei appoach uses bilinea maps and elies on the BDH Assumption and the Random Oacle model. Setup the usual G 1 and G 2 with a bilinea mapping e : G 1 G 1 G 2 and P a geneato a system wide secet key s R Z. a coesponding system wide public key P pub = sp. Encypt We want to encypt a message m to public key A using the system wide settings fom above. The encyption function is: Enc(P pub, A, m) = P, M H 2 (g A ), R Z g A = e(q A, P pub ) Q A = H 1 (A) H 1 : { 0, 1} G 1, a andom oacle H 2 : G 2 { 0, 1}, a andom oacle Decypt We want to decypt a ciphetext c = (u, v) encypted with public key sting A. The secet key is deliveed to the owne of A as d A = sq A, with Q A defined as above: Q A = H 1 (A). We define: Dec(u, v, d A ) = v H 2 (e(d A, u)) = v H 2 (e(sh 1 (A), P )) = v H 2 (e(h 1 (A), P ) s ) = v H 2 (e(q A, sp ) ) = v H 2 (e(q A, P pub ) ) = v H 2 (g A ) = (m H 2 (g A )) H 2 (g A ) = m 17 4

This scheme is not CCA2 secue, but can be made so with the Fujisaki Okamoto constuction [FO99], which assumes the Random Oacle model nothing futhe than what we aleady assume. Refeences [BF01] Dan Boneh and Matt Fanklin. Identity based encyption fom the Weil paiing. Lectue Notes in Compute Science, 2139:213??, 2001. [Bon98] Dan Boneh. The decisional diffie hellman poblem. In Thid Algoithmic Numbe Theoy Symposium, pages 48 63. Spinge Velag, 1998. [cy] Paiing based cypto lounge. available at http://planeta.tea.com.b/ infomatica/paulobaeto/pblounge.html. [DBS04] Ratna Dutta, Rana Baua, and Palash Saka. Paiing based cyptogaphy : A suvey. Cyptology epint Achive, Repot 2004/064, 2004. http://epint. iac.og/. [DH76] [FO99] Whitfield Diffie and Matin E. Hellman. New diections in cyptogaphy. IEEE Tansactions on Infomation Theoy, IT 22(6):644 654, 1976. Eiichio Fujisaki and Tatsuaki Okamoto. Secue integation of asymmetic and symmetic encyption schemes. Lectue Notes in Compute Science, 1666:537 554, 1999. [Jou00] Antoine Joux. A one ound potocol fo tipatite diffie hellman. In Poceedings of the 4th Intenational Symposium on Algoithmic Numbe Theoy, pages 385 394. Spinge Velag, 2000. [Sha85] Adi Shami. Identity based cyptosystems and signatue schemes. In Cypto 84, LNCS Vol. 196, pages 47 53. Spinge, 1985. 17 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback