Bilinear Mappings in Formal Cryptography


Page 1: Bilinear Mappings in Formal Cryptography

Bilinear Mappings in Formal Cryptography

08.10.11

Page 2: Bilinear Mappings in Formal Cryptography

Bilinear Mapping

Define:

• Let n be a prime number.

• G1 = ⟨P⟩ is an additive group of order n with identity element 0 (P is a generator of G1).

• GT is a multiplicative group of order n with identity element 1.

Page 3: Bilinear Mappings in Formal Cryptography

Bilinear Mapping

Define a mapping

e : G1 x G1 → GT,

which satisfies the following properties:

• Bilinearity: for all R, S ∈ G1 and a, b ∈ Zn: e(aR, bS) = e(R, S)^(ab).

• Non-degeneracy: e(P, P) ≠ 1.

• Computability: e can be computed efficiently.

Page 4: Bilinear Mappings in Formal Cryptography

Discrete Logarithm Problem

• Let G = ⟨P⟩. We say that the discrete logarithm problem (DLP) is hard in G if, given some Q ∈ G, no polynomial-time algorithm finds an integer x such that:

Q = xP (additive group) or Q = P^x (multiplicative group)

• If the DLP is hard in G1, then by bilinearity it must also be hard in GT: for Q = xP we have e(P, Q) = e(P, P)^x, so a discrete logarithm of e(P, Q) to the base e(P, P) in GT is exactly the discrete logarithm x of Q in G1. An efficient DLP solver for GT would therefore break the DLP in G1.

Page 5: Bilinear Mappings in Formal Cryptography

Bilinear Diffie-Hellman Problem

• Bilinear Diffie-Hellman Problem (BDHP): Given P, aP, bP, cP ∈ G1, compute e(P, P)^(abc).

• The BDHP is at most as hard as the DLP in G1: an attacker who recovers a from aP computes e(bP, cP)^a = e(P, P)^(abc) directly. So the BDHP can only be hard if the DLP is hard in G1; the converse is not known to follow, and the hardness of the BDHP is a separate assumption on which pairing-based protocols rely.

Page 6: Bilinear Mappings in Formal Cryptography

Example: Tripartite Key Exchange

Alice, Bob and Chris choose secrets a, b, c and broadcast aP, bP, cP. The new key is:

e(bP, cP)^a = e(P, P)^(abc) (Alice)
e(aP, cP)^b = e(P, P)^(abc) (Bob)
e(aP, bP)^c = e(P, P)^(abc) (Chris)

An intruder who eavesdrops on the network and obtains aP, bP and cP cannot derive the key without solving the BDHP.
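As an added worked example (not part of the slides), the definitions of Pages 2 to 6 instantiated with a toy bilinear map in Python. The parameters N, Q, G, P and all function names are my own choices: G1 is (Z_N, +), GT is the subgroup of order N in Z_Q^*, and e(xP, yP) = G^(xy). The map is bilinear and non-degenerate, so the three-party key agreement works exactly as on the slide, but it offers no security, because a discrete logarithm in (Z_N, +) is a modular division; the last two functions use that to solve the BDHP from the eavesdropped values, which is the point made on Page 5.

```python
# Toy bilinear map (assumption: these parameters are for illustration only, NOT a secure pairing).
# G1 = (Z_N, +) with generator P = 1; GT = <G> = the subgroup of order N inside Z_Q^*.
N = 11   # prime group order
Q = 23   # prime with N | Q-1, so Z_Q^* contains a subgroup of order N
G = 2    # generator of that subgroup: pow(2, 11, 23) == 1 and 2 != 1
P = 1    # generator of G1

def g1_mul(k, R):
    """Scalar multiplication kR in the additive group G1."""
    return (k * R) % N

def gt_pow(z, k):
    """Exponentiation z^k in the multiplicative group GT (exponents live in Z_N)."""
    return pow(z, k % N, Q)

def pairing(R, S):
    """e(R, S) = G^(R*S). For R = xP and S = yP this equals e(P, P)^(xy)."""
    return pow(G, (R * S) % N, Q)

def bilinear_holds(R, S, a, b):
    """Check the slide's bilinearity law e(aR, bS) == e(R, S)^(ab) for one input."""
    return pairing(g1_mul(a, R), g1_mul(b, S)) == gt_pow(pairing(R, S), a * b)

def non_degenerate():
    """Non-degeneracy: e(P, P) must not be the identity of GT."""
    return pairing(P, P) != 1

def joux_keys(a, b, c):
    """Tripartite key exchange: each party pairs the two public values it received
    and raises the result to its own secret. Returns (Alice, Bob, Chris) keys."""
    A, B, C = g1_mul(a, P), g1_mul(b, P), g1_mul(c, P)   # the values sent on the wire
    alice = gt_pow(pairing(B, C), a)
    bob   = gt_pow(pairing(A, C), b)
    chris = gt_pow(pairing(A, B), c)
    return alice, bob, chris

def break_dlp(Qpt):
    """DLP in the toy G1: the x with xP = Qpt is Qpt * P^-1 mod N. Trivial here,
    which is exactly why this toy must never be used for anything real."""
    return (Qpt * pow(P, -1, N)) % N

def break_bdh(A, B, C):
    """BDHP from eavesdropped aP, bP, cP: recover a by DLP, then replay Alice's step.
    This is the reduction 'BDHP is no harder than DLP in G1' from Page 5."""
    return gt_pow(pairing(B, C), break_dlp(A))
```

With a real pairing, `break_dlp` is the step that is infeasible; everything else in the block is the same algebra that Alice, Bob and Chris perform.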

Page 7: Bilinear Mappings in Formal Cryptography

Formal and Computational Views

• Formal view

– Messages are elements of a term algebra.
– The possible operations on terms are enumerated.
– The protocol is represented through a process calculus or a theory.

• Computational view

– Messages are bit strings.
– Possible operations on bit strings: everything computable in probabilistic polynomial time.
– The protocol is a set of probabilistic Turing machines.

Page 8: Bilinear Mappings in Formal Cryptography

Derivation Rules

• Define a predicate I: I(x) is true iff the intruder knows the value of x.

• Horn clauses are boolean formulas of the form:

F1 & F2 & ... & Fn → G

• Use the predicate I in the formulas:

I(A1) & I(A2) & ... & I(An) → I(B)

• If the intruder knows A1 ... An, he will also know B.

Page 9: Bilinear Mappings in Formal Cryptography

Describing the Intruder Rules

• Let a message m encrypted with a key k be represented by the term enc(k,m).

• The intruder may encrypt any message m with any key k and obtain enc(k,m).

• The intruder may decrypt any enc(k,m) with the corresponding key k and obtain the message m.

I(k) & I(m) → I(enc(k,m))
I(k) & I(enc(k,m)) → I(m)

Page 10: Bilinear Mappings in Formal Cryptography

Describing the Protocol Rules

Each protocol step becomes a clause: once the intruder has seen the messages on the left-hand side (so he can deliver them to the honest role that expects them), that role emits the message on the right-hand side, which the intruder then also knows.

• I(enc(Kb, (Ka,Na,Kab))) → I(enc(Ka, (Na,Nb,Kb)))

• I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) → I(enc(Kb, (Na,Nb)))

• I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) & I(enc(Kb, (Na,Nb))) → I(enc(Kab,M))

Page 11: Bilinear Mappings in Formal Cryptography

Protocol Analysis

• I(k1)

• I(k2)

• I(k1) & I(k2) → I(key)

• I(enc(key,secret))

• I(X) & I(enc(X,Y)) → I(Y)

• query I(secret)

The analyzer is asked whether I(secret) is derivable from the facts and clauses above; a derivation is an attack, and its absence (for a sound tool like ProVerif) is a proof of secrecy.
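An added example, not from the slides or from ProVerif itself: a small ground forward-chaining derivation engine in Python for clauses of the form I(A1) & ... & I(An) → I(B), run on the intruder rules of Page 9 and the protocol of Page 11. Terms are Python tuples (enc(k,m) is `("enc", k, m)`), variables are capitalised atoms as on the slides, and the `max_size` bound is my own addition: naive saturation with the encryption rule never terminates because the intruder can nest enc(.,.) forever, which is one reason ProVerif works by resolution on clauses with variables rather than by enumerating ground facts.

```python
import itertools

# Added example: a ground saturation "intruder" for I(.)-Horn clauses (assumption: the
# term encoding and the size bound are choices made here, not ProVerif's algorithm).

def is_var(t):
    """Variables are capitalised atoms (X, Y); everything else is a constant or constructor."""
    return isinstance(t, str) and t[:1].isupper()

def match(pat, term, env):
    """Match a rule pattern against a ground term; return the extended bindings or None."""
    if is_var(pat):
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple):
        if not isinstance(term, tuple) or len(pat) != len(term):
            return None
        for p, t in zip(pat, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None

def subst(t, env):
    """Instantiate a conclusion pattern with the bindings found for the premises."""
    if is_var(t):
        return env[t]
    if isinstance(t, tuple):
        return tuple(subst(x, env) for x in t)
    return t

def size(t):
    """Number of symbols in a term; used to keep the generative encryption rule finite."""
    return 1 + sum(size(x) for x in t[1:]) if isinstance(t, tuple) else 1

def saturate(facts, rules, max_size=3):
    """Apply the rules until no new I(.) fact appears.
    Returns the set of known terms and, for each derived term, the premises that
    produced it, so that a successful query comes with its derivation (the attack)."""
    known, why = set(facts), {}
    changed = True
    while changed:
        changed = False
        for premises, concl in rules:
            for combo in itertools.product(sorted(known, key=repr), repeat=len(premises)):
                env = {}
                for p, f in zip(premises, combo):
                    env = match(p, f, env)
                    if env is None:
                        break
                if env is None:
                    continue
                new = subst(concl, env)
                if new not in known and size(new) <= max_size:
                    known.add(new)
                    why[new] = combo
                    changed = True
    return known, why

def explain(term, why, depth=0):
    """Render the derivation tree of a term as indented lines (leaves are initial facts)."""
    lines = ["  " * depth + repr(term)]
    for premise in why.get(term, ()):
        lines += explain(premise, why, depth + 1)
    return lines

# Page 9 intruder rules: I(k) & I(m) -> I(enc(k,m)) and I(k) & I(enc(k,m)) -> I(m).
INTRUDER_RULES = [
    (["X", "Y"], ("enc", "X", "Y")),
    (["X", ("enc", "X", "Y")], "Y"),
]
# Page 11: the protocol clause I(k1) & I(k2) -> I(key) plus the initial intruder knowledge.
PAGE11_RULES = INTRUDER_RULES + [(["k1", "k2"], "key")]
PAGE11_FACTS = {"k1", "k2", ("enc", "key", "secret")}

def query(facts, rules, goal):
    """Answer 'query I(goal)': (True, derivation lines) if the intruder can learn goal."""
    known, why = saturate(facts, rules)
    return (goal in known), (explain(goal, why) if goal in known else [])
```

Running `query(PAGE11_FACTS, PAGE11_RULES, "secret")` reports the derivation secret ← key, enc(key, secret) with key ← k1, k2; dropping k2 from the facts makes the query fail, because nothing else produces `key`.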

Page 12: Bilinear Mappings in Formal Cryptography

Challenges

• If the protocol is described as an equational theory, the analysis needs support for equivalence relations.

• The algebraic properties of the operations have to be described separately.

• The protocol analysis has to take these properties (congruence relations) into account.

Page 13: Bilinear Mappings in Formal Cryptography

Properties of a Bilinear Mapping

• Non-degeneracy: e(P, P) ≠ 1.
– This holds by default in the symbolic model as long as we do not state e(P,P) = 1: the identity element is not defined anywhere in the term algebra, so e(P,P) is just a term distinct from every other term.

• Computability: e can be easily computed.
– The attacker should be able to use the mapping e, so corresponding intruder rules have to be added.

• Bilinearity: for all R, S ∈ G1 and a, b ∈ Zn: e(aR, bS) = e(R, S)^(ab).
– This property is more difficult to implement.

Page 14: Bilinear Mappings in Formal Cryptography

Related Work

• Ralf Küsters and Tomasz Truderung: Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation. CSF 2009, pp. 157-171. http://doi.ieeecomputersociety.org/10.1109/CSF.2009.17, http://dblp.unitrier.de.

• This work provides an extension for ProVerif that allows the analysis of protocols with a finite number of exponents.

Page 15: Bilinear Mappings in Formal Cryptography

Our Contribution:

• An equational theory of bilinear pairings for exponent-ground terms that allows only products in exponents (based on the Related Work).

• The protocol transformer that was used for DH exponentiation has been extended to support bilinear mappings (with and without types).

• Some pairing-based protocols have been tested in ProVerif.

Page 16: Bilinear Mappings in Formal Cryptography

The Protocol Transformer

1. Translates all the terms in the protocol description to the normal form.

2. Encodes them.

3. Generates a set of intruder rules according to the set of grounded exponents C that it has discovered.

4. Writes the new set of rules to an output file that is ready to be tested with ProVerif.

Page 17: Bilinear Mappings in Formal Cryptography

Normal Form

• All multipliers are transferred from the group G1 to the group GT:

e(aP, bP) ≈ e(P,P)^(ab)

• The exponents and the multipliers are grouped (inverses cancel, repeated factors are collected):

G^(a·b·a^(-1)·c·b) ≈ G^(b^2·c)

• The exponents and the multipliers are ordered:

G^(b^3·a^4) ≈ G^(a^4·b^3)

Page 18: Bilinear Mappings in Formal Cryptography

Encoding

• There is a finite, fixed set of possible exponents used in the protocol (a finite set suffices according to the Related Work):

C = {a,b,c}

• The integers in the exponents are encoded in unary:

1 ≈ s(0), 2 ≈ s(s(0)), ...
-1 ≈ p(0), -2 ≈ p(p(0)), ...

• The algebraic terms are encoded with one argument position per element of C (here in the order a, b, c):

G^(a^(-1)·c^2) ≈ exp(G, p(0), 0, s(s(0)))
P·(b^(-1)·c) ≈ mult(P, 0, p(0), s(0))

Page 19: Bilinear Mappings in Formal Cryptography

Joux's Protocol over Authenticated Channels

The intruder knows the public point P.

I(P)

The intruder knows the values that the honest users have sent to the network.

I(aP), I(bP), I(cP)

The intruder gets the secret if he gets the key.

I(e(aP,bP)^c) → I(secret)

I(e(bP,cP)^a) → I(secret)

I(e(aP,cP)^b) → I(secret)

Page 20: Bilinear Mappings in Formal Cryptography

Normalizing Joux's Protocol

• Three parties: C = {a,b,c}

• The intruder knows the point P.

I(P) - no normalization needed

• The intruder knows the values that the honest users have sent to the network.

I(aP) ≈ I(mult(P, s(0), 0, 0))
I(bP) ≈ I(mult(P, 0, s(0), 0))
I(cP) ≈ I(mult(P, 0, 0, s(0)))

• The intruder gets the secret if he gets the key.

– I(e(aP,bP)^c) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
– I(e(bP,cP)^a) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)
– I(e(aP,cP)^b) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret)

• The intruder has three ways to derive the secret, and in each case he actually needs the same key: after normalization the three keys are syntactically identical.

Page 21: Bilinear Mappings in Formal Cryptography

Intruder Rules

• A set of rules is generated for the particular set of grounded exponents.

• Examples of intruder rules for C = {a,b,c}:

– I(exp(X,X1,X2,X3)), I(a) → I(exp(X,s(X1),X2,X3));   (the intruder who knows a can raise a known GT element to the power a)

– I(X), I(Y) → I(e(X,Y));

– I(X), I(mult(Y,Y1,Y2,Y3)) → I(exp(e(X,Y),Y1,Y2,Y3));

– I(exp(X, 0, 0, 0)) → I(X);

– ……

Page 22: Bilinear Mappings in Formal Cryptography

Normalization Rules

• We introduce new predicates that define normalization:

– E(X,Y,Z) is true iff X^Y = Z (exponentiation in GT)
– M(X,Y,Z) is true iff Y·X = Z (scalar multiplication in G1)
– P(X,Y,Z) is true iff e(X,Y) = Z (pairing)

• Examples of normalization rules for C = {a,b,c}:

– E(exp(X, 0, p(0), 0), b, X);   (raising X^(b^(-1)) to b gives X back)

– M(mult(X, X1, X2, X3), a, mult(X, s(X1), X2, X3));

– P(mult(X, X1, X2, X3), Y, exp(e(X,Y), X1, X2, X3));
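An added example, not the slides' transformer: the normal form and encoding of Pages 17 and 18, the normalization of Joux's protocol from Page 20, and the E/M/P operations of Page 22, written in Python. The representation is my own: a G1 or GT term is `(kind, base, vector)` where the vector holds one integer per element of C, so grouping and ordering of exponents is just vector addition, and `encode` renders the vector with the s(.)/p(.) unary encoding in the argument order a, b, c. The parsing syntax `"a b a^-1 c b"` for products is likewise an assumption made here.

```python
# Added example: exponent-ground normal form and Peano encoding over a fixed exponent set.
C = ("a", "b", "c")          # assumption: the grounded exponents, in encoding argument order
ZERO = (0,) * len(C)

def parse_factors(s):
    """'a b a^-1 c b' -> [('a',1), ('b',1), ('a',-1), ('c',1), ('b',1)] (syntax chosen here)."""
    out = []
    for tok in s.split():
        name, _, power = tok.partition("^")
        if name not in C:
            raise ValueError(f"unknown exponent {name!r}; C = {C}")
        out.append((name, int(power) if power else 1))
    return out

def exponent_vector(factors):
    """Group and order a product of exponents: a*b*a^-1*c*b becomes (0, 2, 1)."""
    v = [0] * len(C)
    for name, power in factors:
        v[C.index(name)] += power
    return tuple(v)

def peano(k):
    """Unary encoding of integers: 2 -> s(s(0)), -1 -> p(0)."""
    if k == 0:
        return "0"
    return f"s({peano(k - 1)})" if k > 0 else f"p({peano(k + 1)})"

def encode(term):
    """Render ('exp'|'mult', base, vector) as the constructor term handed to ProVerif."""
    kind, base, vec = term
    return f"{kind}({base},{','.join(peano(k) for k in vec)})"

def vadd(u, v):
    return tuple(x + y for x, y in zip(u, v))

def g1_mult(point, factors):
    """M(X, Y, Z): scalar multiplication k*X in G1 adds k's vector to the multiplier vector."""
    kind, base, vec = point
    assert kind == "mult", "scalar multiplication is defined on G1 terms only"
    return ("mult", base, vadd(vec, exponent_vector(factors)))

def gt_exp(z, factors):
    """E(X, Y, Z): exponentiation Z^k in GT adds k's vector to the exponent vector."""
    kind, base, vec = z
    assert kind == "exp", "exponentiation is defined on GT terms only"
    return ("exp", base, vadd(vec, exponent_vector(factors)))

def pairing(x, y):
    """P(X, Y, Z): e(aP, bP) ~ e(P,P)^(ab); both multiplier vectors move into the exponent."""
    (kx, bx, vx), (ky, by, vy) = x, y
    assert kx == ky == "mult", "the pairing takes two G1 terms"
    return ("exp", f"e({bx},{by})", vadd(vx, vy))

P = ("mult", "P", ZERO)        # the public point, multiplier vector all zero

def joux_keys():
    """Page 20: the three parties' keys, which normalize to one and the same term."""
    A, B, Cp = (g1_mult(P, parse_factors(x)) for x in ("a", "b", "c"))
    return (gt_exp(pairing(B, Cp), parse_factors("a")),   # Alice
            gt_exp(pairing(A, Cp), parse_factors("b")),   # Bob
            gt_exp(pairing(A, B), parse_factors("c")))    # Chris
```

All three keys returned by `joux_keys()` encode to `exp(e(P,P),s(0),s(0),s(0))`, which is why the analyzer can treat the three clauses of Page 20 as needing one key; the Page 22 rule E(exp(X,0,p(0),0), b, X) is `gt_exp` applied to a vector (0,-1,0), which yields the all-zero vector that the intruder rule I(exp(X,0,0,0)) → I(X) strips off again.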

Page 23: Bilinear Mappings in Formal Cryptography

Using Normalization Rules

• Suppose that we are trying to model Joux's protocol over unauthenticated channels.

• The values aP, bP and cP coming from the network can be substituted by the attacker, so they become variables A, B, C:

– I(e(A,B)^c) → I(secret)
– I(e(B,C)^a) → I(secret)
– I(e(A,C)^b) → I(secret)

• Because A, B and C are variables, normalization cannot be applied directly.

• Use auxiliary variables X and Y:

– P(A,B,X) & E(X,c,Y) & I(Y) → I(secret)
– P(B,C,X) & E(X,a,Y) & I(Y) → I(secret)
– P(A,C,X) & E(X,b,Y) & I(Y) → I(secret)

• ProVerif then finds that the protocol is insecure in this setting.

Page 24: Bilinear Mappings in Formal Cryptography

Solving the Previous Problem

• All the keys are normalized and encoded.

• The keys generated by different parties are syntactically equivalent.

• The intruder is also capable of using bilinear pairings, multiplication and exponentiation, so he can compose similar structures himself.

Page 25: Bilinear Mappings in Formal Cryptography

Open Questions

• The protocol analyzer does not support addition, and neither did the Related Work. In this work, addition has been tried only for two elements; one protocol turned out to be insecure even in this constrained setting.

• The analysis is too slow. Some protocols have not been tested because the set of rules produced by ProVerif did not converge.

Page 26: Bilinear Mappings in Formal Cryptography

Efficiency of the Analyzer

Protocol Name                                                          Nr. of Tests   Average Time (sec)   Vulnerability
A simple ID-based pairing protocol                                     1000           0.0149               Not found
A More Efficient Identity Based Authenticated Key Agreement Protocol   1000           0.0310               Occurs with a negligible probability
Smart's ID-based AK Protocol                                           1000           0.0508               Not found
Joux's Protocol                                                        100            0.273                If the channels are not authenticated
TAK 1                                                                  10             254                  Not found
Shim's protocol variation                                              10             836                  If no comparison is used
A Six Pass Pairing Based AKC Protocol                                  10             1330                 Not found
TAK 2                                                                  1              > 43200              A vulnerability found