Bilinear Mappings in Formal Cryptography 08.10.11.

Bilinear Mapping
Define:
• Let n be a prime number.
• G1 = ⟨P⟩ is an additive group of order n with identity element 0 (P is the generator of G1).
• GT is a multiplicative group of order n with identity element 1.
Bilinear Mapping
Define a mapping
e : G1 × G1 → GT,
which satisfies the following properties:
• Bilinearity: for all R, S ∈ G1 and a, b ∈ Zn: e(aR, bS) = e(R,S)^(ab).
• Nondegeneracy: e(P, P) ≠ 1.
• Computability: e can be easily computed.
Discrete Logarithm Problem
• Let G = ⟨P⟩. We say that the discrete logarithm problem is hard in G if, given some Q ∈ G, it is impossible to find in polynomial time an integer x such that:
Q = xP (additive group)
Q = P^x (multiplicative group)
• If the discrete logarithm problem is hard in G1, then, by bilinearity, it should also be hard in GT.
Bilinear Diffie-Hellman Problem
• Bilinear Diffie-Hellman Problem (BDHP): Given P, aP, bP, cP ∈ G1, compute e(P,P)^(abc).
• This problem cannot be solved in polynomial time if the discrete logarithm problem is hard in the group G1.
Example: Tripartite Key Exchange
Alice, Bob and Chris hold the secrets a, b and c and send aP, bP and cP to the network. The new key is:
e(bP,cP)^a = e(P,P)^(abc) (Alice)
e(aP,cP)^b = e(P,P)^(abc) (Bob)
e(aP,bP)^c = e(P,P)^(abc) (Chris)
If the intruder eavesdrops on the network and obtains the values aP, bP and cP, he cannot derive the new key.
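A toy instantiation of the groups defined above, added here and not part of the slides, to exercise the algebra behind the three computations: G1 = (Zn, +) with P = 1, GT = the order-n subgroup of Zp* generated by g, and e(R,S) = g^(RS mod n). The parameters are constructed and the discrete logarithm in this G1 is trivial, so the toy has no cryptographic strength; it only shows why all three parties end up with e(P,P)^(abc).

```python
# Added toy instantiation of the slide's groups, not from the slides. Constructed parameters:
# G1 = (Z_n, +) with generator P = 1, GT = the order-n subgroup of Z_p^* generated by g,
# e(R, S) = g^(R*S mod n) mod p. The discrete logarithm in this G1 is trivial (division
# mod n), so this has no cryptographic strength; it only exercises the algebra.
N = 11        # prime group order n
P_MOD = 23    # prime p = 2n + 1, so Z_23^* has a subgroup of order 11
G = 2         # generator of that order-11 subgroup (2^11 mod 23 == 1)
P = 1         # generator of the additive group G1 = Z_11

def scalar_mul(a, R):           # aR in G1
    return (a * R) % N

def pairing(R, S):              # e : G1 x G1 -> GT
    return pow(G, (R * S) % N, P_MOD)

def gt_pow(z, k):               # z^k in GT
    return pow(z, k, P_MOD)

def is_bilinear(R, S, a, b):    # e(aR, bS) == e(R,S)^(ab)
    return pairing(scalar_mul(a, R), scalar_mul(b, S)) == gt_pow(pairing(R, S), a * b)

def is_nondegenerate():         # e(P, P) != 1
    return pairing(P, P) != 1

def tripartite_keys(a, b, c):
    """Alice, Bob and Chris hold a, b, c and publish aP, bP, cP on the network.
    Each combines the two public values of the others with their own secret, as on the slide."""
    aP, bP, cP = scalar_mul(a, P), scalar_mul(b, P), scalar_mul(c, P)
    alice = gt_pow(pairing(bP, cP), a)   # e(bP,cP)^a
    bob = gt_pow(pairing(aP, cP), b)     # e(aP,cP)^b
    chris = gt_pow(pairing(aP, bP), c)   # e(aP,bP)^c
    return alice, bob, chris

def expected_key(a, b, c):      # e(P,P)^(abc), the value all three should agree on
    return gt_pow(pairing(P, P), a * b * c)
```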
Formal and Computational Views
• Formal view
– Messages are elements of a term algebra.
– The possible operations on terms are enumerated.
– The protocol is represented through a process calculus or a theory.
• Computational view
– Messages are bit strings.
– Possible operations on bit strings: everything in probabilistic polynomial time.
– The protocol is a set of probabilistic Turing machines.
Derivation Rules
• Define a predicate I:
I(x) is true iff the intruder knows the value of x.
• Horn clauses are boolean formulas of the form:
F1 & F2 & ... & Fn → G
• Use the predicate I in the formulas:
I(A1) & I(A2) & ... & I(An) → I(B)
• If the intruder knows A1 ... An, he will also know B.
Describing the Intruder Rules
• Let a message m encrypted by a key k be represented by the term enc(k,m).
• The intruder may encrypt any message m with any key k and get enc(k,m).
• The intruder may decrypt any enc(k,m) with the corresponding key k and obtain the message m.
I(k) & I(m) → I(enc(k,m))
I(k) & I(enc(k,m)) → I(m)
Describing the Protocol Rules
• I(enc(Kb, (Ka,Na,Kab))) → I(enc(Ka, (Na,Nb,Kb)))
• I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) → I(enc(Kb, (Na,Nb)))
• I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) & I(enc(Kb, (Na,Nb))) → I(enc(Kab,M))
Protocol Analysis
• I(k1)
• I(k2)
• I(k1) & I(k2) → I(key)
• I(enc(key,secret))
• I(X) & I(enc(X,Y)) → I(Y)
• query I(secret)
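The derivation on this slide, carried out by a minimal Horn-clause saturation engine. This is an added example, not the slides' or ProVerif's code: it forward-chains the clauses over first-order terms with unification until nothing new is derivable, then answers the query I(secret).

```python
# Added example, not from the slides: a minimal forward-chaining (saturation) engine for
# Horn clauses over terms, run on the clauses of the "Protocol Analysis" slide. A fact is the
# argument of I(...): lowercase strings are constants, uppercase strings are variables,
# tuples ('f', arg, ...) are function applications such as enc(k, m).

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def subst(t, s):  # apply substitution s (variable -> term) to t
    if is_var(t):
        return subst(s[t], s) if t in s else t
    return (t[0],) + tuple(subst(x, s) for x in t[1:]) if isinstance(t, tuple) else t

def unify(a, b, s):  # extend s so that a == b, or return None (facts are ground: no occurs check)
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        return {**s, a: b} if is_var(a) else {**s, b: a}
    if not (isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b)):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def match_premises(premises, facts, s):  # every s under which each premise equals a known fact
    if not premises:
        yield s
        return
    for f in facts:
        s2 = unify(premises[0], f, s)
        if s2 is not None:
            yield from match_premises(premises[1:], facts, s2)

def saturate(facts, rules, max_rounds=20):
    """Apply all rules until nothing new appears (bounded: constructor rules such as
    I(X) & I(Y) -> I(e(X,Y)) would otherwise never terminate)."""
    known = set(facts)
    for _ in range(max_rounds):
        new = {subst(c, s) for prem, c in rules for s in match_premises(prem, known, {})} - known
        if not new:
            break
        known |= new
    return known

# The clauses from the "Protocol Analysis" slide.
FACTS = ['k1', 'k2', ('enc', 'key', 'secret')]      # I(k1), I(k2), I(enc(key,secret))
RULES = [(['k1', 'k2'], 'key'),                     # I(k1) & I(k2) -> I(key)
         (['X', ('enc', 'X', 'Y')], 'Y')]           # I(X) & I(enc(X,Y)) -> I(Y)

def query(term, facts=FACTS, rules=RULES):  # answers "query I(term)"
    return term in saturate(facts, rules)
```

Dropping the rule that combines k1 and k2 makes the query fail, which is the kind of check that tells you which clause a derivation actually depends on.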
Challenges
• If the protocol is described as an equational theory, it needs the support of equivalence relations.
• The algebraic properties of operations have to be described separately.
• Protocol analysis has to take these properties (congruence relations) into account.
Properties of a Bilinear Mapping
• Nondegeneracy: e(P, P) ≠ 1.
– This is the default setting as long as we do not state that e(P,P) = 1.
– The identity P is actually not defined anywhere.
• Computability: e can be easily computed.
– The attacker should be able to use the mapping e. We need to add corresponding rules.
• Bilinearity: for all R, S ∈ G1 and a, b ∈ Zn: e(aR, bS) = e(R,S)^(ab).
– This property is more difficult to implement.
Related Work
• Ralf Küsters and Tomasz Truderung: Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation. CSF, 2009, 157-171, http://doi.ieeecomputersociety.org/10.1109/CSF.2009.17, http://dblp.uni-trier.de.
• This work provides an extension for ProVerif that allows protocols with a finite number of exponents to be analyzed.
Our Contribution:
• An equational theory of bilinear pairings for exponent-ground terms that allows only products in exponents (based on the Related Work).
• The protocol transformer that was used for DH exponentiation has been upgraded to support bilinear mappings (with and without types).
• Some pairing-based protocols have been tested in ProVerif.
The Protocol Transformer
1. Translates all the terms in the description of the protocol to the normal form.
2. Encodes them.
3. Generates a set of intruder rules according to the set of grounded exponents C that has been discovered.
4. Writes the new set of rules to an output file that is ready to be tested with ProVerif.
Normal Form
• All the multipliers are transferred from the group G1 to the group GT.
e(aP, bP) ≈ e(P,P)^(ab)
• The exponents and the multipliers are grouped.
G^(a·b·a^-1·c·b) ≈ G^(b^2·c)
• The exponents and the multipliers are ordered.
G^(b^3·a^4) ≈ G^(a^4·b^3)
Encoding
• There is a finite fixed set of possible exponents that are used in the protocol (we can use a finite set according to the Related Work):
C = {a,b,c}
• The integers in the exponents are encoded:
1 ≈ s(0), 2 ≈ s(s(0)), ...
-1 ≈ p(0), -2 ≈ p(p(0)), ...
• The algebraic terms are encoded (exponent positions in the order a, b, c):
G^(a^-1·c^2) ≈ exp(G,p(0),0,s(s(0)))
P·(b^-1·c) ≈ mult(P,0,p(0),s(0))
Joux's Protocol for Authenticated Channels
The intruder knows the public point P.
I(P)
The intruder knows the values that the honest users have sent to the network.
I(aP), I(bP), I(cP)
The intruder gets the secret if he gets the key.
I(e(aP,bP)^c) → I(secret)
I(e(bP,cP)^a) → I(secret)
I(e(aP,cP)^b) → I(secret)
Normalizing Joux's Protocol
• Three parties: C = {a,b,c}
• The intruder knows the point.
I(P)  (no normalization needed)
• The intruder knows the values that the honest users have sent to the network.
I(aP) ≈ I(mult(P, s(0), 0, 0))
I(bP) ≈ I(mult(P, 0, s(0), 0))
I(cP) ≈ I(mult(P, 0, 0, s(0)))
• The intruder gets the secret if he gets the key.
– I(e(aP,bP)^c) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
– I(e(bP,cP)^a) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
– I(e(aP,cP)^b) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
• The intruder has three ways to derive the secret, and in each case he actually needs the same key.
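The normal form and encoding of the previous slides, applied to Joux's protocol. This is an added example, not the transformer's own code: it groups and orders the exponent products over C = {a,b,c}, encodes the integers with s/p, moves the multipliers from G1 to GT, and shows that the three party-specific keys collapse to the same exp(e(P,P), ...) term. Writing a product as a list of (name, power) factors is an assumption of this example.

```python
# Added example, not from the slides: the normal form and encoding applied to Joux's protocol.
# Exponents are products over the fixed set C = {a, b, c}; a product is written as a list of
# (name, power) factors, e.g. a*b*a^-1*c*b = [('a',1),('b',1),('a',-1),('c',1),('b',1)].
C = ('a', 'b', 'c')

def peano(k):
    """Encode an integer as on the Encoding slide: 2 -> s(s(0)), -1 -> p(0), 0 -> 0."""
    t = '0'
    for _ in range(abs(k)):
        t = ('s' if k > 0 else 'p') + '(' + t + ')'
    return t

def group_and_order(factors):
    """Group equal exponents and order them as in C, giving the exponent vector (a, b, c)."""
    counts = dict.fromkeys(C, 0)
    for name, power in factors:
        counts[name] += power
    return tuple(counts[x] for x in C)

def encode_exp(base, factors):    # G^(product)  ->  exp(G, <a>, <b>, <c>)
    return 'exp(%s,%s)' % (base, ','.join(peano(k) for k in group_and_order(factors)))

def encode_mult(point, factors):  # product*P    ->  mult(P, <a>, <b>, <c>)
    return 'mult(%s,%s)' % (point, ','.join(peano(k) for k in group_and_order(factors)))

def normalize_pairing(point, left, right, outer=()):
    """e(left*P, right*P)^outer: every multiplier moves from G1 to GT, so the result is
    exp(e(P,P), ...) with the three exponent products merged into one vector."""
    return encode_exp('e(%s,%s)' % (point, point), list(left) + list(right) + list(outer))

# The three ways the key is computed in Joux's protocol (Alice, Bob, Chris).
FA, FB, FC = [('a', 1)], [('b', 1)], [('c', 1)]

def joux_keys(point='P'):
    return (normalize_pairing(point, FB, FC, FA),   # e(bP,cP)^a
            normalize_pairing(point, FA, FC, FB),   # e(aP,cP)^b
            normalize_pairing(point, FA, FB, FC))   # e(aP,bP)^c
```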
Intruder Rules
• A set of rules is generated for the particular set of grounded exponents.
• Examples of intruder rules for C = {a,b,c}:
– I(exp(X,X1,X2,X3)), I(a) → I(exp(X,s(X1),X2,X3));
– I(X), I(Y) → I(e(X,Y));
– I(X), I(mult(Y,Y1,Y2,Y3)) → I(exp(e(X,Y),Y1,Y2,Y3));
– I(exp(X, 0, 0, 0)) → I(X);
– ...
Normalization Rules
• We introduce new predicates that define normalization:
– E(X,Y,Z) is true iff X^Y = Z
– M(X,Y,Z) is true iff Y·X = Z (the point X multiplied by the scalar Y)
– P(X,Y,Z) is true iff e(X,Y) = Z
• Examples of normalization rules for C = {a,b,c}:
– E(exp(X, 0, p(0), 0), b, X);
– M(mult(X, X1, X2, X3), a, mult(X, s(X1), X2, X3));
– P(mult(X, X1, X2, X3), Y, exp(e(X,Y), X1, X2, X3));
Using Normalization Rules
• Suppose that we are trying to implement Joux's protocol for unauthenticated channels.
• The values aP, bP, and cP coming from the network can be substituted by the attacker, so they become variables A, B, C:
– I(e(A,B)^c) → I(secret)
– I(e(B,C)^a) → I(secret)
– I(e(A,C)^b) → I(secret)
• We cannot apply normalization directly to these terms.
• Use auxiliary variables X and Y:
– P(A,B,X) & E(X,c,Y) & I(Y) → I(secret)
– P(B,C,X) & E(X,a,Y) & I(Y) → I(secret)
– P(A,C,X) & E(X,b,Y) & I(Y) → I(secret)
• ProVerif finds that this version is insecure.
Solving the Previous Problem
• All the keys are normalized and encoded.
• The keys generated by different parties are syntactically equivalent.
• The intruder is also capable of using bilinear pairings, multiplication, and exponentiation. He can compose similar structures himself.
Open Questions
• The protocol analyzer does not support addition, and addition was not handled in the Related Work either. In the present work, addition has been tried only for two elements. One protocol turned out to be insecure even in this constrained setting.
• The analysis process is too slow. Some protocols have not been tested, since the set of rules produced by ProVerif did not converge.
Efficiency of the Analyzer
Protocol name | Nr. of tests | Average time (sec) | Vulnerability
A simple ID-based pairing protocol | 1000 | 0.0149 | Not found
A More Efficient Identity Based Authenticated Key Agreement Protocol | 1000 | 0.0310 | Occurs with a negligible probability
Smart's ID-based AK Protocol | 1000 | 0.0508 | Not found
Joux's Protocol | 100 | 0.273 | If the channels are not authenticated
TAK 1 | 10 | 254 | Not found
Shim's protocol variation | 10 | 836 | If no comparison is used
A Six Pass Pairing Based AKC Protocol | 10 | 1330 | Not found
TAK 2 | 1 | > 43200 | A vulnerability found