DH Problems - MathNet
DH Problems (2006.6.24)
Seoul National University
Jung Hee Cheon
Foundations
P ≠ NP → one-way function → signature schemes
Trapdoor one-way function → PKC, IBS, IBE
NP problems: IF, DL, Knapsack … Does the hardness of these problems imply the security of the cryptosystems built on them?
Relations of Problems
Relations between Hard Problems
Hard Problems
DL Problem: find x in Z from (g, g^x)
DH Problem: find g^{ab} from (g, g^a, g^b)
DDH Problem: determine whether g^c = g^{ab} from (g, g^a, g^b, g^c)
Usage
DL: the mathematical base problem
DH: the security of a protocol relies on this (for one instance)
DDH: more rigorous security proofs are based on this (for a class of instances)
DLP ≥ DHP ≥ DDHP in hardness: a DL solver gives a DH solver, and a DH solver gives a DDH solver. Are they equivalent?
RSA Cases
Integer factorization problem (IFP): find the factorization (p, q) of a given composite n = pq
RSA problem: let n = pq and e be odd. Given m, find m^{1/e} mod n
It is believed that the RSA problem is not equivalent to the IFP.
Ref: Boneh and Venkatesan, “Breaking RSA may not be equivalent to factoring”, Eurocrypt ’98.
Abstract: “We provide evidence that breaking low-exponent RSA cannot be equivalent to factoring integers. We show that an algebraic reduction from factoring to breaking low-exponent RSA can be converted into an efficient factoring algorithm. Thus, in effect an oracle for breaking RSA does not help in factoring integers. Our result suggests an explanation for the lack of progress in proving that breaking RSA is equivalent to factoring. We emphasize that our results do not expose any weakness in the RSA system.”
DL = DH?
Consider the DLP on a group of prime order p [Maurer, Crypto ’94]. The DLP is equivalent to the DHP if one can find an elliptic curve over F_p whose number of points is smooth. For example, if p + 1 is smooth, the DLP is equivalent to the DHP on a group of order p (take a supersingular curve with #E(F_p) = p + 1). This extends to hyperelliptic curves…
The complexity: O(log^3 p) group operations and O(log^3 p) calls to the DH oracle.
Proof Sketch (DL = DH)
Problem conversion: given g and h = g^m in G of prime order p, find m. Assume we have a DH oracle DH_g(g^a, g^b) = g^{ab}. Let P = (u, v) be a generator of E(F_p) and let Q = (m, n) ∈ E(F_p) (shift m by a known constant if m is not an x-coordinate of E).
Find s with Q = sP using pseudo-operations: we know g^u, g^v, g^m and g^n (g^n comes from g^m by taking the square root of m^3 + Am + B in the exponent with the oracle). We can solve this ECDLP if #E(F_p) is smooth (e.g. Pohlig-Hellman). The algorithm (elliptic curve addition) consists of additions, multiplications and inversions in F_p, all of which can be carried out on the implicit representations: g^{a+b} = g^a g^b, g^{ab} = DH(g^a, g^b) and g^{a^{-1}} = g^{a^{p-2}} by repeated oracle calls.
So we can compute s from g^m rather than from the real m.
Compute m from Q = sP: we know P and s, so compute Q = sP explicitly and read off m = x[Q].
Weil Pairing
e(P, Q): E[n] × E[n] → GF(q^r)^*
where e(P, Q) = f_P(A_Q) / f_Q(A_P) with div(f_P) = n·A_P and A_P ~ (P) − (O)
Properties
e(P, P) = 1 for all P in E[n]
[Bilinear] e(P_1 + P_2, Q) = e(P_1, Q) e(P_2, Q) and e(P, Q_1 + Q_2) = e(P, Q_1) e(P, Q_2)
[Alternating] e(P, Q) = e(Q, P)^{-1}
[Non-degenerate] e(P, Q) = 1 for all Q in E[n] implies P = O
[n-th root] e(P, Q)^n = 1
Modified Weil Pairing
Let E[n] = Z/n × Z/n = <R_1> × <R_2> and φ: <R_1> → <R_2> with φ(R_1) = R_2.
Define the modified Weil pairing e'(P, Q) = e(P, φ(Q)). Then e'(P, P) ≠ 1. Use e' instead of e (why? see TPKA).
Usually φ sends a point in E(F_q) to a point in E(F_{q^2}) or on its twist.
DDH = Poly?
DDH: given (P, aP, bP, cP), if e(P, cP) = e(aP, bP) then c = ab mod p. The pairing e is efficiently computable when the embedding degree r is small.
Exponent r: r ≤ 6 if E is supersingular. Expected value of r for a random E:
Find the smallest r s.t. n = #E(F_q) | q^r − 1, i.e. q^r ≡ 1 mod n; r is the multiplicative order of q in (Z/nZ)^*, so typically r ~ φ(n).
No known efficient algorithm for DDH in a prime-order subgroup of F_q^* (no pairing available there).
DH_G = DH_g?
Granularity
DH_g: the DH problem with a fixed generator g
DH_G: DH_g for all g in G
We have
DL_G = DL_g
DH_G = DH_g: let h = g^a. Then DH_g(h^x, h^y) = DH_g(g^{ax}, g^{ay}) = g^{a^2 xy}
g^{a^{-1}} = g^{a^{p-2}} can be computed by repeated DH and multiplication, and DH_g(g^{a^2 xy}, g^{a^{-1}}) = g^{axy} = h^{xy}
DDH_G ≠ DDH_g (the reduction above needs a DH oracle, which a DDH oracle does not provide)
Square Exponent (SE) and Inversion Exponent (IE)
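The two arguments above (the proof sketch of DL = DH, and the DH_G = DH_g granularity reduction) both work by doing field arithmetic "in the exponent" with a DH oracle. The following is an added toy implementation, not code from the slides: it carries an element x of F_p as g^x, implements addition, multiplication (one oracle call) and inversion (x^{p-2} by repeated oracle calls) on that representation, runs the elliptic-curve group law and Pohlig-Hellman over it, and recovers a discrete log using only the oracle. The group (the order-131 subgroup of Z_263^*), the curve y^2 = x^3 + 7 over F_131 (supersingular, #E = 132 = 4·3·11, cyclic) and the oracle simulation by table lookup are all choices made for this example.

```python
# Toy instance of Maurer's DL -> DH reduction (added example; not from the slides).
# G = <g> is the order-p subgroup of Z_N^*; an exponent x in F_p is carried
# "implicitly" as g^x.  The DH oracle DH(g^a, g^b) = g^(ab) is simulated by a
# brute-force DL table on this toy group, but the reduction only uses it as a
# black box.  Auxiliary curve: y^2 = x^3 + B over F_p with p = 131 = 11 (mod 12),
# so #E(F_p) = p + 1 = 132 = 4 * 3 * 11 is smooth and E(F_p) is cyclic.
P_ORD = 131             # prime order of G, and the field of the auxiliary curve
N_MOD = 2 * P_ORD + 1   # 263 is prime, so Z_263^* has a subgroup of order 131
G_GEN = 4               # 4 = 2^2 generates that subgroup
B_COEF = 7              # curve y^2 = x^3 + B (any B != 0 works for this p)
E_ORD = P_ORD + 1       # #E(F_p) = p + 1 because p = 2 (mod 3)
E_FACTORS = [4, 3, 11]  # prime-power factorisation of #E(F_p)

_DLOG = {pow(G_GEN, x, N_MOD): x for x in range(P_ORD)}
oracle_calls = 0

def dh_oracle(ga, gb):
    """The DH oracle g^a, g^b -> g^(ab), simulated by table lookup (toy only)."""
    global oracle_calls
    oracle_calls += 1
    return pow(G_GEN, _DLOG[ga] * _DLOG[gb] % P_ORD, N_MOD)

# Implicit F_p arithmetic: x is held as g^x.  Addition is a group multiplication,
# multiplication is one oracle call, inversion is x^(p-2) by repeated oracle calls.
def i_const(c):    return pow(G_GEN, c % P_ORD, N_MOD)
def i_add(gx, gy): return gx * gy % N_MOD
def i_sub(gx, gy): return gx * pow(gy, -1, N_MOD) % N_MOD
def i_mul(gx, gy): return dh_oracle(gx, gy)
def i_pow(gx, e):
    acc = i_const(1)
    for bit in bin(e)[2:]:                 # square-and-multiply in the exponent
        acc = i_mul(acc, acc)
        if bit == '1':
            acc = i_mul(acc, gx)
    return acc
def i_inv(gx):     return i_pow(gx, P_ORD - 2)
IMPLICIT = (i_add, i_sub, i_mul, i_inv, i_const(0))
EXPLICIT = (lambda a, b: (a + b) % P_ORD, lambda a, b: (a - b) % P_ORD,
            lambda a, b: a * b % P_ORD, lambda a: pow(a, -1, P_ORD), 0)

# Group law of y^2 = x^3 + B over either field interface, so the same code runs on
# explicit coordinates and on implicit ones (g^x, g^y).  None is the point at infinity.
def ec_add(F, Pt, Qt):
    add, sub, mul, inv, zero = F
    if Pt is None: return Qt
    if Qt is None: return Pt
    (x1, y1), (x2, y2) = Pt, Qt
    if x1 == x2:
        if y1 != y2 or y1 == zero:
            return None                    # Pt = -Qt
        xx = mul(x1, x1)
        lam = mul(add(add(xx, xx), xx), inv(add(y1, y1)))   # 3x^2 / 2y
    else:
        lam = mul(sub(y2, y1), inv(sub(x2, x1)))
    x3 = sub(sub(mul(lam, lam), x1), x2)
    return (x3, sub(mul(lam, sub(x1, x3)), y1))

def ec_mul(F, k, Pt):
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(F, acc, acc)
        if bit == '1':
            acc = ec_add(F, acc, Pt)
    return acc

def lift(Pt):                              # explicit point -> implicit point
    return None if Pt is None else (i_const(Pt[0]), i_const(Pt[1]))

def curve_generator():
    """An explicit point of order #E = 132 (E(F_p) is cyclic, so one exists)."""
    for x in range(P_ORD):
        z = (x ** 3 + B_COEF) % P_ORD
        if z and pow(z, (P_ORD - 1) // 2, P_ORD) == 1:
            Pt = (x, pow(z, (P_ORD + 1) // 4, P_ORD))        # sqrt, as p = 3 (mod 4)
            if all(ec_mul(EXPLICIT, E_ORD // q, Pt) is not None for q in (2, 3, 11)):
                return Pt

def pohlig_hellman(Q_impl, P_expl):
    """s with Q = sP: compare implicit multiples of Q with explicit multiples of P."""
    s, mod = 0, 1
    for q in E_FACTORS:
        Qq = ec_mul(IMPLICIT, E_ORD // q, Q_impl)
        Pq = ec_mul(EXPLICIT, E_ORD // q, P_expl)
        j = next(j for j in range(q) if lift(ec_mul(EXPLICIT, j, Pq)) == Qq)
        s, mod = s + mod * ((j - s) * pow(mod, -1, q) % q), mod * q   # CRT step
    return s

def solve_dlog(h):
    """Recover m with g^m = h using only the DH oracle; returns (m, oracle calls used)."""
    start, P = oracle_calls, curve_generator()
    for r in range(P_ORD):                 # shift m until m + r is an x-coordinate
        gx = i_add(h, i_const(r))                                 # g^(m+r)
        gz = i_add(i_pow(gx, 3), i_const(B_COEF))                 # g^((m+r)^3 + B)
        if i_pow(gz, (P_ORD - 1) // 2) != i_const(1):             # Euler criterion
            continue
        gy = i_pow(gz, (P_ORD + 1) // 4)                          # g^(sqrt(z))
        s = pohlig_hellman((gx, gy), P)    # ECDLP on the implicit point Q = (g^x, g^y)
        return (ec_mul(EXPLICIT, s, P)[0] - r) % P_ORD, oracle_calls - start

def dh_with_base_h(gh, hx, hy):
    """DH_h(h^x, h^y) = h^(xy) from the DH_g oracle, where h = g^a is passed as gh."""
    g_a2xy = dh_oracle(hx, hy)             # g^(a^2 xy)
    return dh_oracle(g_a2xy, i_inv(gh))    # multiply the exponent by 1/a: g^(axy)
```

`solve_dlog(pow(G_GEN, m, N_MOD))` returns `m` together with the number of oracle calls spent, which makes the cost of the implicit inversions visible: every field inversion inside a curve addition costs about log p oracle calls, which is where the log^3 p bound on the previous slide comes from. `dh_with_base_h` is the granularity argument in two oracle calls plus one implicit inversion.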
With Bilinear Maps
New Assumptions related to bilinear maps
Let e: G × G → H be a bilinear map between two groups of prime order p, with e(g, g) = h.
New Assumptions
BDL Problem: find t in Z s.t. e(g^a, g^b) = e(g, g)^t from (g, g^a, g^b)
BDH Problem: find e(g, g)^{abc} from (g, g^a, g^b, g^c)
DBDH Problem: determine whether e(g, g)^{abc} = h^d from (g, g^a, g^b, g^c, h^d)
(that is, whether abc = d mod p)
Relations of DH problems with a Bilinear Map
Diagram of reductions (the arrows did not survive the transcript) among:
DL_h, DL_g, BDL_g
DH_h, DH_g, BDH_g
DDH_h, DDH_g and DBDH_g
DDH_g, DBDH_g
Q: BDH = DH?
If e is weak-invertible, …
A bilinear map e: G × G → H is said to be weak-invertible if for any h ∈ H an inverse image (g_1, g_2) with e(g_1, g_2) = h is efficiently computable.
Diagram of reductions (arrows not preserved in the transcript):
DL_g, DL_h
BDH_g = DL_g, DH_h
DH_g, DH_h
If e is strong-invertible, …
A bilinear map e: G × G → H is said to be strong-invertible if there is an element g in G such that for any h ∈ H an inverse image g' with e(g', g) = h is efficiently computable.
Assume e: G × G → H and f: H → G are both efficiently computable. Then we can solve the DH_G problem with O(log p) evaluations of e.
Assume we have a self-bilinear map e: G × G → G.
Q: e is invertible?
Strong Diffie-Hellman
Classical Problems
RSA: N = pq for two primes p and q, e > 3 relatively prime to φ(N). Given m ∈ Z_N, find m^{1/e} ∈ Z_N.
DLP: given g and g^a in G, find a
CDHP: given (g, g^a, g^b), compute g^{ab}
DDHP: given (g, g^a, g^b, g^c), decide whether g^c = g^{ab}
Relax the assumptions…
How to relax the problems?
To design a new system with additional properties
To prove security without random oracles
Analogy: how do you get a good grade in an exam? Either flexible grading, or more hints before the test.
Relax the Problems: Flexible Grading
Flexible RSA Problem (BP97, CS99, GHR99): given a composite n and a message m in Z/n, find (e, m^{1/e}) for some e > 2
LRSW Problem (LRSW99): given g, g^x, g^y ∈ G and m ∈ Z, output (a, a^y, a^{x+mxy}) for some a ∈ G
Relax the Problems: More Hints (1/2)
l-Weak DHP: given g, g^a, …, g^{a^l}, compute g^{1/a}
Traitor tracing [Mitsunari-Sakai-Kasahara ’02]
l-Strong DHP: given g, g^a, …, g^{a^l}, compute g^{a^{l+1}} (in [BB04s] the l-SDH problem is stated as producing a pair (c, g^{1/(a+c)}))
Short signatures without random oracles [BB04s]
Short group signatures [BBS04]
Relax the Problems: More Hints (2/2)
e: G × G → G': a bilinear map
l-Bilinear DH Inversion Problem: given g, g^a, …, g^{a^l}, compute e(g, g)^{1/a}
Identity-based encryption [BB04e]
Verifiable random functions [DY05]
l-Bilinear DH Exponent Problem: given h, g, g^a, …, g^{a^{l-1}}, g^{a^{l+1}}, …, g^{a^{2l}}, compute e(g, h)^{a^l}
HIBE with constant-size ciphertext [BBG05]
Public-key broadcast encryption [BGW05]
More…
The same security?
Time-Memory-Data Trade-off [HS05]: more data reduces both the online and the offline computation time.
Strong Diffie-Hellman: the adversary knows l additional pieces of information, g^{x^2}, g^{x^3}, …, g^{x^l}. Does that extra data help in the same way?
Main Results
Given g and g^a, the exponent a can be computed in O(log p · (p/d)^{1/2}) group operations using O((p/d)^{1/2}) memory if either
P−: p − 1 has a positive divisor d < p^{1/2} and g^{a^d} is provided, or
P+: p + 1 has a positive divisor d < p^{1/3} and g^{a^2}, …, g^{a^d} are provided.
Compared with the generic O(p^{1/2}) algorithms (Pollard rho, BSGS), the new algorithm reduces the complexity by a factor of O(√d / log p).
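The P− case above, as an added worked example (not code from the slides): writing the unknown a = ζ^k for a generator ζ of Z_p^*, the element g^{a^d} = g^{(ζ^d)^k} depends only on k mod (p−1)/d, so a baby-step/giant-step search in the exponent over a group of order (p−1)/d recovers that part of k, and a second search of size d over g^a recovers the rest. The toy group (the order-1009 subgroup of the smallest prime N = c·1009 + 1), the simulated l-SDH instance and the assumption a ≠ 0 are choices made for this example.

```python
# Toy instance of the P- attack (added example; not code from the slides).
# G = <g> is the order-p subgroup of Z_N^*.  The attacker holds an l-SDH instance
# g, g^a, ..., g^(a^l), picks a divisor d | p-1 with d <= l and a generator zeta
# of Z_p^*, writes a = zeta^k and recovers k in two baby-step/giant-step searches
# of size sqrt((p-1)/d) and sqrt(d) instead of one of size sqrt(p).  a != 0 assumed.
from math import isqrt

P_ORD = 1009                               # prime order of G; p - 1 = 2^4 * 3^2 * 7

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))

def prime_factors(n):                      # distinct prime factors, trial division
    out, q = [], 2
    while q * q <= n:
        if n % q == 0:
            out.append(q)
            while n % q == 0:
                n //= q
        q += 1
    return out + ([n] if n > 1 else [])

# Toy group: smallest prime N = c*p + 1; g = x^c is then an element of order p.
_C = next(c for c in range(2, 10 ** 6) if is_prime(c * P_ORD + 1))
N_MOD = _C * P_ORD + 1
G_GEN = next(y for y in (pow(x, _C, N_MOD) for x in range(2, N_MOD)) if y != 1)
ZETA = next(z for z in range(2, P_ORD)     # a generator of Z_p^*
            if all(pow(z, (P_ORD - 1) // q, P_ORD) != 1 for q in prime_factors(P_ORD - 1)))
exps = 0                                   # group exponentiations spent (cost metric)

def bsgs_in_exponent(target, w, order):
    """Return k in [0, order) with target = g^(w^k), where w has that order in Z_p^*.
    Baby steps: target^(w^-i) = g^(w^(k-i)).  Giant steps: g^(w^(m*j))."""
    global exps
    m = isqrt(order) + 1
    w_inv, w_m = pow(w, -1, P_ORD), pow(w, m, P_ORD)
    baby, cur = {}, target
    for i in range(m):
        baby[cur] = i
        cur = pow(cur, w_inv, N_MOD); exps += 1
    cur = G_GEN                            # g^(w^0)
    for j in range(m + 1):
        if cur in baby:
            return (baby[cur] + m * j) % order
        cur = pow(cur, w_m, N_MOD); exps += 1
    raise ValueError("no collision: w does not have the claimed order")

def cheon_attack(instance, d):
    """instance = [g, g^a, g^(a^2), ..., g^(a^l)]; requires d | p-1 and d <= l."""
    assert (P_ORD - 1) % d == 0 and d < len(instance)
    e = (P_ORD - 1) // d
    # Step 1: g^(a^d) = g^((zeta^d)^k) and zeta^d has order e, so we learn k1 = k mod e.
    k1 = bsgs_in_exponent(instance[d], pow(ZETA, d, P_ORD), e)
    # Step 2: a * zeta^(-k1) = eta^k2 with eta = zeta^e of order d; learn k2 = (k - k1)/e.
    eta = pow(ZETA, e, P_ORD)
    target = pow(instance[1], pow(ZETA, -k1, P_ORD), N_MOD)   # g^(eta^k2)
    k2 = bsgs_in_exponent(target, eta, d)
    return pow(ZETA, k1 + e * k2, P_ORD)

def sdh_instance(a, l):
    """What the attacker is given: g^(a^i) for i = 0..l (constructed for the demo)."""
    return [pow(G_GEN, pow(a, i, P_ORD), N_MOD) for i in range(l + 1)]
```

With d = 24 the two searches have sizes about √42 and √24, versus √1009 for a generic attack on the same group; `exps` counts the exponentiations actually spent. The P+ case (a divisor of p + 1) needs the consecutive powers g^{a^2}, …, g^{a^d} and arithmetic in F_{p^2}, and is not implemented here.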
Orders of Elliptic Curves
NIST Curves
B-163: p − 1 = 2 · 53 · 383 · 21179 · (a 132-bit prime)
K-163: p − 1 = 2^4 · 43 · 73 · (a 16-bit prime) · (an 18-bit prime) · (a 112-bit prime)
P-192: p − 1 = 2^4 · 5 · 2389 · (an 83-bit prime) · (a 92-bit prime)
EC with embedding degree 6
E+(F_{3^97}): p − 1 = 2 · 349 · 24127552321 · 21523361 · 76801
E+(F_{3^121}): p − 1 = 2 · 3 · 11^2 · 683 · 6029 · (a 123-bit prime)
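An added check (not from the slides) that turns a factorisation like the ones above into an attack-cost estimate: it picks the divisor d < √p of p − 1 that minimises the P− cost √(p/d) + √d and compares it with the generic √p. Factors known only by bit length are entered as that length; exact factors as log2 of their value; the log p factor is ignored. The optional cap models the fact that the attacker must actually hold g^{a^d}, so d cannot exceed the l of the available l-SDH instance; the lists for B-163, K-163 and P-192 are transcribed from the slide.

```python
# Added parameter check: best P- divisor of p-1 and the resulting attack cost in bits.
from itertools import combinations
from math import log2

def best_divisor(factor_bits, p_bits, max_d_bits=None):
    """factor_bits: log2 of each prime-power factor of p-1; p_bits: log2 p.
    max_d_bits: cap on log2 d (the attacker needs g^(a^d), so d <= l of the l-SDH
    instance).  Returns (log2 d, log2 attack cost, log2 generic cost)."""
    limit = p_bits / 2 if max_d_bits is None else min(p_bits / 2, max_d_bits)
    best = (0.0, p_bits / 2)                         # d = 1: plain sqrt(p)
    for r in range(1, len(factor_bits) + 1):
        for subset in combinations(factor_bits, r):
            d_bits = sum(subset)
            if d_bits > limit:                        # P- needs d < sqrt(p)
                continue
            cost = max((p_bits - d_bits) / 2, d_bits / 2)   # sqrt(p/d) + sqrt(d)
            if cost < best[1]:
                best = (d_bits, cost)
    return best + (p_bits / 2,)

# Group orders from the slide (large primes given by bit length only).
B163 = [1, log2(53), log2(383), log2(21179), 132]
K163 = [4, log2(43), log2(73), 16, 18, 112]
P192 = [4, log2(5), log2(2389), 83, 92]
```

For B-163 the best divisor is 2 · 53 · 383 · 21179 (about 2^29.7), which brings the cost from about 2^81.5 down to about 2^66.6 group operations, but only if the scheme hands out g^{a^d} for a d of that size.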
Applications
Schemes based on q-Strong DH and its variants
CCA or CMA attacks against schemes based on plain DH assumptions:
Boldyreva’s blind signature: (sk, pk) = (x, xP), Sign(M) = xM. Querying the signing oracle yields xP, x^2 P, x^3 P, …
Original ElGamal encryption scheme: the same powers are obtained by querying the decryption oracle.
An Example
BGW broadcast encryption for n users is based on the (2n)-BDHE assumption. E+(F_{3^97}) has a subgroup G of 151-bit prime order.
Attack: Pollard rho needs O(2^76) elliptic curve operations; the proposed attack needs O(2^59) exponentiations for n = 2^32
and O(2^42) exponentiations for n = 2^64 users (as in file sharing). A 220-bit prime is needed for 2^80 security with 2^64 users.
Embedding to (Hyper-) Elliptic Curves?
Find an embedding of Z/p into an elliptic curve over Z/p. Let E: y^2 = x^3 + Ax + B for A, B ∈ Z/p. Given a ∈ Z/p, find b ∈ Z/p s.t. (a, b) ∈ E(Z/p).
b = (a^3 + Aa + B)^{1/2} is expressed through high powers of a, so g^b is not easy to compute from g^a, …, g^{a^d}.
Can we implement BSGS without computing b?
Strong Prime?
Find a prime p such that neither p − 1 nor p + 1 has a divisor d with log^2 p < d < √p.
How to construct one? Use the CRT with p ≡ 1 mod p_1 and p ≡ −1 mod p_2 for large primes p_1, p_2.
Usually p then becomes as large as p_1 p_2.
Flexible RSA or LRSW instead?
Composite Order Bilinear Map
Composite Order Bilinear Maps
Decision 3-party Diffie-Hellman Assumption: given a group G_p of prime order p and random elements g_p
Subgroup Decision Problem: G is a group of order n = pq. Given a generator g_q ∈ G_q and g ∈ G, determine whether a random element T of G is of order p.
Bilinear Subgroup Decision Problem (traitor tracing, algebraic homomorphisms): G is a group of order n = pq with a bilinear map e: G × G → G_T.
Given g_p ∈ G_p of order p and g_q ∈ G_q of order q, determine whether a random element T in G_T is of order p.
A Sequence of Bilinear Maps
Multilinear Map
Definition: let G and H be two groups of prime order p. A map e_n: G^n → H is n-multilinear if e_n is linear in each variable.
Applications: non-interactive n-party key agreement, broadcast encryption, unique signatures.
A family of bilinear maps
Assumption: G_n is a cyclic group of order p and e_n: G_n × G_n → G_{n+1} is a bilinear map.
Multilinear map: f_n: G_1^n → G_n
f_2 = e_1
f_n(x_1, …, x_n) = e_{n-1}( f_{n-1}(x_1, …, x_{n-1}), f_{n-1}(x_n, g, …, g) )
Non-interactive Multiparty Key Agreement
System parameters: G: a cyclic group of prime order p; g ∈ G: a generator; e_n: G^n → H: an n-multilinear map
Key setup: secret key of user i: a_i ∈ Z/p; public key of user i: g^{a_i}
Key agreement: shared key of n + 1 users = e_n(g^{a_1}, g^{a_2}, …, g^{a_n})^{a_{n+1}} = e_n(g, g, …, g)^{a_1 a_2 ⋯ a_{n+1}}
Applications: video conferencing, secure group communication, broadcast encryption, secure storage networks
Forward-Secure Diffie-Hellman
System parameters: G_n: a cyclic group of composite order N; g_n ∈ G_n: a generator; e_n: G_n × G_n → G_{n+1}: a bilinear map, with g_{n+1} = e_n(g_n, g_n)
Initial key setup: sk_1 = a ∈ Z/N, pk_1 = g_1^a
Key evolution: sk_{n+1} = sk_n^2 = a^{2^n} mod N; pk_{n+1} = e_n(pk_n, pk_n) = g_{n+1}^{a^{2^n}}
Key agreement: shared key = (Alice’s pk_n)^{Bob’s sk_n}
Applications: forward-secure encryption/signature, email shredding