Bilinear Mappings in Formal Cryptography 08.10.11
Author: norman-amos-poole

Bilinear Mapping

Define:

• Let n be a prime number.

• G1 = ⟨P⟩ is an additive group of order n with identity element 0 (P is the generator of G1).

• GT is a multiplicative group of order n with identity element 1.

Bilinear Mapping

Define a mapping

e : G1 x G1 → GT,

which satisfies the following properties:

• Bilinearity: for each R, S ∈ G1 and a, b ∈ Zn: e(aR, bS) = e(R,S)^(ab).

• Non-degeneracy: e(P, P) ≠ 1.

• Computability: e can be easily computed.

Discrete Logarithm Problem

• Let G = ⟨P⟩. We say that the discrete logarithm problem is hard in G if, given some Q ∈ G, it is impossible to find in polynomial time an integer x such that:

Q = xP (additive group), Q = P^x (multiplicative group)

• If the discrete logarithm problem is hard in G1, then, by bilinearity, it should also be hard in GT.

Bilinear Diffie-Hellman Problem

• Bilinear Diffie-Hellman Problem (BDHP): Given P, aP, bP, cP ∈ G1, compute e(P,P)^(abc).

• This problem cannot be solved in polynomial time if the discrete logarithm problem is hard in the group G1.

Example: Tripartite Key Exchange

The new key is:

e(bP,cP)^a = e(P,P)^(abc) (Alice)
e(aP,cP)^b = e(P,P)^(abc) (Bob)
e(aP,bP)^c = e(P,P)^(abc) (Chris)

If the intruder eavesdrops on the network and obtains the values aP, bP and cP, he cannot derive the new key.

Formal and Computational Views

• Formal view
– Messages are elements of a term algebra.
– Possible operations on terms are enumerated.
– Protocol is represented through a process calculus or a theory.

• Computational view
– Messages are bit strings.
– Possible operations on bit strings: everything in probabilistic polynomial time.
– Protocol is a set of probabilistic Turing machines.

Derivation Rules

• Define a predicate I: I(x) is true iff the intruder knows the value of x.
• Horn clauses are boolean formulas of the form:
  F1 & F2 & ... & Fn → G
• Use the predicate I in the formulas:
  I(A1) & I(A2) & ... & I(An) → I(B)
• If the intruder knows A1 ... An, he will also know B.

Describing the Intruder Rules

• Let a message m encrypted by a key k be represented by the term enc(k,m).
• The intruder may encrypt any message m with any key k and get enc(k,m).
• The intruder may decrypt any enc(k,m) with the corresponding key k and obtain the message m.

I(k) & I(m) → I(enc(k,m))
I(k) & I(enc(k,m)) → I(m)

Describing the Protocol Rules

• I(enc(Kb, (Ka,Na,Kab))) → I(enc(Ka, (Na,Nb,Kb)))
• I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) → I(enc(Kb, (Na,Nb)))
• I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) & I(enc(Kb, (Na,Nb))) → I(enc(Kab,M))

Protocol Analysis

• I(k1)

• I(k2)

• I(k1) & I(k2) → I(key)

• I(enc(key,secret))

• I(X) & I(enc(X,Y)) → I(Y)

• query I(secret)
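The derivation on this slide can be replayed mechanically. The following Python block is an added example, not code from the slides or from ProVerif: a minimal forward-chaining engine for Horn clauses I(A1) & ... & I(An) → I(B) over ground facts, fed the facts and rules above (I(x) is written as the bare term x; the function names and the `limit` guard are my own assumptions).

```python
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def match(pat, fact, s):
    """One-sided matching of pattern pat against a ground fact; extends s or returns None."""
    if is_var(pat):
        return ({**s, pat: fact} if pat not in s else s if s[pat] == fact else None)
    if isinstance(pat, tuple):
        if not isinstance(fact, tuple) or len(pat) != len(fact):
            return None
        for p, f in zip(pat, fact):
            s = match(p, f, s)
            if s is None:
                return None
        return s
    return s if pat == fact else None

def instantiate(t, s):
    """Apply substitution s to a conclusion (every variable must be bound by a premise)."""
    if is_var(t):
        return s[t]
    return tuple(instantiate(x, s) for x in t) if isinstance(t, tuple) else t

def saturate(facts, rules, limit=10_000):
    """Fixpoint of the Horn rules over the facts; `limit` stops unbounded term growth."""
    known = set(facts)
    changed = True
    while changed and len(known) < limit:
        changed = False
        for premises, conclusion in rules:
            substs = [{}]
            for prem in premises:  # join each premise I(Ai) against the known facts
                substs = [s2 for s in substs for f in known
                          for s2 in [match(prem, f, s)] if s2 is not None]
            for s in substs:
                derived = instantiate(conclusion, s)
                if derived not in known:
                    known.add(derived)
                    changed = True
    return known

# The "Protocol Analysis" slide, with I(x) written as the bare term x.
FACTS = ['k1', 'k2', ('enc', 'key', 'secret')]
RULES = [
    (['k1', 'k2'], 'key'),            # I(k1) & I(k2) -> I(key)
    (['X', ('enc', 'X', 'Y')], 'Y'),  # I(X) & I(enc(X,Y)) -> I(Y)
]

def query(goal, facts=FACTS, rules=RULES):
    """query I(goal): True iff the intruder can derive goal from facts under rules."""
    return goal in saturate(facts, rules)
```

Dropping I(k2) from the facts makes the query fail, which is the check a practitioner wants before trusting a "secure" verdict.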

Challenges

• If the protocol is described as an equational theory, it needs the support of equivalence relations.
• The algebraic properties of operations have to be described separately.
• Protocol analysis has to take these properties (congruence relations) into account.

Properties of a Bilinear Mapping

• Non-degeneracy: e(P, P) ≠ 1.
– It will be a default setting if we do not state that e(P,P) = 1.
– The identity P is actually not defined anywhere.
• Computability: e can be easily computed.
– The attacker should be able to use the mapping e. We need to add corresponding rules.
• Bilinearity: for each R, S ∈ G1 and a, b ∈ Zn: e(aR, bS) = e(R,S)^(ab).
– This property is more difficult to implement.

Related Work

• Ralf Küsters and Tomasz Truderung: Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation. CSF, 2009, 157-171, http://doi.ieeecomputersociety.org/10.1109/CSF.2009.17, http://dblp.unitrier.de.

• This work provides an extension for ProVerif that allows the analysis of protocols with a finite number of exponents.

Our Contribution:

• An equational theory of bilinear pairings for exponent-ground terms that allows only products in exponents (based on the Related Work).

• A protocol transformer that was used for DH exponentiation has been upgraded so that it supports bilinear mappings (with and without types).

• Some pairing-based protocols have been tested in ProVerif.

The Protocol Transformer

1. Translates all the terms in the description of the protocol to the normal form.
2. Encodes them.
3. Generates a set of intruder rules according to the set of grounded exponents C that it has discovered.
4. Writes the new set of rules to an output file that is ready to be tested with ProVerif.

Normal Form

• All the multipliers are transferred from the group G1 to the group GT.
  e(aP, bP) ≈ e(P,P)^(ab)
• The exponents and the multipliers are grouped.
  G^(aba^(-1)cb) ≈ G^(b^2 c)
• The exponents and the multipliers are ordered.
  G^(b^3 a^4) ≈ G^(a^4 b^3)

Encoding

• There is a finite fixed set of possible exponents that are used in the protocol (we can use a finite set according to the Related Work):
  C = {a,b,c}
• The integers in the exponents are encoded:
  1 ≈ s(0), 2 ≈ s(s(0)), ...
  -1 ≈ p(0), -2 ≈ p(p(0)), ...
• The algebraic terms are encoded:
  G^(a^(-1) c^2) ≈ exp(G, p(0), 0, s(s(0)))
  P*(b^(-1) c) ≈ mult(P, 0, p(0), s(0))

Joux’s Protocol for Authenticated Channels

The intruder knows the public Point.

I(P)

The intruder knows the values that the honest users have sent to the network.

I(aP), I(bP), I(cP)

The intruder gets the secret if he gets the key.

I(e(aP,bP)^c) → I(secret)

I(e(bP,cP)^a) → I(secret)

I(e(aP,cP)^b) → I(secret)

Normalizing Joux Protocol

• Three parties: C = {a,b,c}
• The intruder knows the Point.
  I(P) - no normalization needed
• The intruder knows the values that the honest users have sent to the network.
  I(aP) ≈ I(mult(P, s(0), 0, 0))
  I(bP) ≈ I(mult(P, 0, s(0), 0))
  I(cP) ≈ I(mult(P, 0, 0, s(0)))
• The intruder gets the secret if he gets the key.
  – I(e(aP,bP)^c) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
  – I(e(bP,cP)^a) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
  – I(e(aP,cP)^b) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)

• The intruder has three ways to derive the secret, and in each case he actually needs the same key.
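As an added illustration (not the authors' transformer), the following Python block implements the normal form and the encoding of the two preceding slides over C = {a,b,c}: exponent products are grouped and ordered by counting each generator, integers become s/p terms, and e(xP, yP)^z collapses to exp(e(P,P), ...), so the three Joux keys above encode to a single syntactic term. The function names and the string syntax for exponent products (e.g. 'aba-1cb' for a·b·a^(-1)·c·b) are my own assumptions.

```python
import re

C = ('a', 'b', 'c')  # the finite set of grounded exponents used by the protocol

def normalize(expr):
    """Group and order an exponent product: 'aba-1cb' -> {'a': 0, 'b': 2, 'c': 1}.
    Counting per generator, keyed in the fixed order of C, does both steps at once."""
    if re.sub(r'[a-c](-?\d+)?', '', expr):
        raise ValueError(f'unknown generator in {expr!r}')
    counts = dict.fromkeys(C, 0)
    for gen, power in re.findall(r'([a-c])(-?\d+)?', expr):
        counts[gen] += int(power) if power else 1
    return counts

def peano(k):
    """Integer -> s/p term: 2 -> s(s(0)), -1 -> p(0), 0 -> 0."""
    wrap = 's(' if k >= 0 else 'p('
    return wrap * abs(k) + '0' + ')' * abs(k)

def encode_exp(base, expr):
    """G^(expr) in GT -> exp(G, <a>, <b>, <c>)."""
    return f"exp({base},{','.join(peano(v) for v in normalize(expr).values())})"

def encode_mult(point, expr):
    """(expr)*P in G1 -> mult(P, <a>, <b>, <c>)."""
    return f"mult({point},{','.join(peano(v) for v in normalize(expr).values())})"

def pairing_key(x, y, z):
    """Normal form of e(xP, yP)^z: by bilinearity the multipliers x and y move into
    the exponent of e(P,P), so the exponent is the product x*y*z."""
    return encode_exp('e(P,P)', x + y + z)
```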

Intruder Rules

• A set of rules is generated for the particular set of grounded exponents.
• Examples of intruder rules for C = {a,b,c}:
  – I(exp(X,X1,X2,X3)), I(a) → I(exp(X,s(X1),X2,X3));
  – I(X), I(Y) → I(e(X,Y));
  – I(X), I(mult(Y,Y1,Y2,Y3)) → I(exp(e(X,Y),Y1,Y2,Y3));
  – I(exp(X, 0, 0, 0)) → I(X);
  – ...

Normalization Rules

• We introduce new predicates that define normalization:
  – E(X,Y,Z) is true iff X^Y = Z
  – M(X,Y,Z) is true iff XY = Z
  – P(X,Y,Z) is true iff e(X,Y) = Z
• Examples of normalization rules for C = {a,b,c}:
  – E(exp(X, 0, p(0), 0), b, X);
  – M(mult(X, X1, X2, X3), a, mult(X, s(X1), X2, X3));
  – P(mult(X, X1, X2, X3), Y, exp(e(X,Y), X1, X2, X3));

Using Normalization Rules

• Suppose that we are trying to implement the Joux protocol for unauthenticated channels.
• The variables aP, bP, and cP coming from the network can be substituted by the attacker.
  – I(e(A,B)^c) → I(secret)
  – I(e(B,C)^a) → I(secret)
  – I(e(A,C)^b) → I(secret)
• Here A, B, C are variables.
• We cannot apply normalization directly.
• Use auxiliary variables X and Y.
  – P(A,B,X) & E(X,c,Y) & I(Y) → I(secret)
  – P(B,C,X) & E(X,a,Y) & I(Y) → I(secret)
  – P(A,C,X) & E(X,b,Y) & I(Y) → I(secret)
• ProVerif understands that it is insecure.

Solving the Previous Problem

• All the keys are normalized and encoded.
• The keys generated by different parties are syntactically equivalent.
• The intruder is also capable of using bilinear pairings, multiplication, and exponentiation. He can compose similar structures himself.

Open Questions

• The protocol analyzer does not support addition, and this has not been done in the Related Work either. In the given work, addition has been tried only for two elements. One protocol turned out to be insecure even in this constrained setting.

• The analysis process is too slow. Some protocols have not been tested because the set of rules produced by ProVerif did not converge.

Efficiency of the Analyzer

Protocol Name                                                         Nr. of Tests   Average Time (sec)   Vulnerability
A simple ID-based pairing protocol
A More Efficient Identity Based Authenticated Key Agreement Protocol  1000           0.0310               Occurs with a negligible probability
Smart's ID-based AK Protocol
Joux's Protocol                                                       100            0.273                If the channels are not authenticated