On Efficient and Secure Implementation of Pairing-Based ... · PDF fileOn Efficient and...

Click here to load reader

  • date post

    19-Mar-2018
  • Category

    Documents

  • view

    217
  • download

    3

Embed Size (px)

Transcript of On Efficient and Secure Implementation of Pairing-Based ... · PDF fileOn Efficient and...

  • On Efficient and Secure Implementation ofPairing-Based Protocols in the Type 4 Setting

    Sanjit ChatterjeeUniversity of Waterloo

    Joint work with Darrel Hankerson and Alfred Menezes

    April 14, 2010

    Sanjit Chatterjee (UW) 1 / 28

  • Pairing

    I Let G1, G2 and GT be three groups.I A pairing on (G1,G2, GT ) is a function e : G1 G2 GT that is

    bilinear and non-degenerate.I e(aU,bV ) = e(U,V )ab = e(bU,aV ) U G1,V G2,a,b Z.I The pairing should be efficiently computable.I Concrete examples are Weil pairing, Tate pairing over elliptic

    curve groups.

    Sanjit Chatterjee (UW) 2 / 28

  • Types of Pairing

    e : G1 G2 GT

    I G1, G2 and GT are cyclic groups of prime order n.I e is a symmetric pairing if G1 = G2 (aka, Type 1 pairing).I If an efficiently-computable isomorphism : G2 G1

    ((P2) = P1), is known, then e is called a Type 2 pairing.I If no such mapping is known, then e is called a Type 3 pairing.

    Sanjit Chatterjee (UW) 3 / 28

  • Type 4 Pairing

    e : G1 G2 GT

    I G1 and GT are cyclic groups of prime order n.I But G2 is a non-cyclic group of order n2.I There is a small probability for the pairing to be degenerate.I One can efficiently compute the homomorphism : G2 G1.I One can hash onto G2.

    Sanjit Chatterjee (UW) 4 / 28

  • Why Type 4?

    Consider the following ID-based Key Agreement Protocol [Scott]:

    I Public hash function H : {0,1} G2.I KGC has a master secret s R [1,n 1].I User As pub. key is QA = H(IDA) and KGC provides pvt. key

    dA = sQA.I Similarly, Bs pub. key is QB = H(IDB) and pvt. key dB = sQB.I A and B exchange some messages and compute a shared secret

    K = e((QA),QB)sxy .

    Sanjit Chatterjee (UW) 5 / 28

  • On Efficient Implementation

    Sanjit Chatterjee (UW) 6 / 28

  • A Concrete Situation: BN Curves

    I Introduced by Barreto-Naehrig (2005).I Ideal (nearly) for the 128-bit security level.

    I Let E/Fp : Y 2 = X 3 + b.I #E(Fp) = n.I p and n are 256-bit primes.I The embedding degree is k = 12.

    I E [n] : Set of all order-n points on E .I E [n] E(Fp12).

    Sanjit Chatterjee (UW) 7 / 28

  • Type 4 Pairing from BN Curves

    I Let G1 = E(Fp) and GT be the order-n subgroup of Fp12 .I e4 : G1 E [n] GT is a Type 4 pairing.I Bitlength of (compressed) elements of G1: 257 and of E [n]: 3073.I Tr(P) =

    11i=0

    i(P) is an efficiently computable homomorphismfrom E [n] to G1.

    I is the p-th power Frobenius.

    I Hashing onto E [n] is possible but costly.I Roughly 540 times the cost of a point multiplication in G1

    [Chen-Cheng-Smart:2007].I (Hashing onto G1 is very cheap.)

    Sanjit Chatterjee (UW) 8 / 28

  • The Trace-0 Subgroup

    I E [n] contains n + 1 subgroups of order n.I One of them is G1.I Another is the Trace-O subgroup, T0.

    I All points P E [n] satisfying Tr(P) =11

    i=0 i(P) = .

    I T0 can be viewed as having coordinates in Fp2 (instead of Fp12).I A Type 3 pairing is defined as e3 : G1 T0 GT .

    I Examples are the ate and R-ate pairings.

    Sanjit Chatterjee (UW) 9 / 28

  • Efficient Representation of E [n]

    I Define : E [n] G1 by (Q) = 112Tr(Q).I Q (Q) T0 for all Q E [n].I : Q 7 Q (Q) is a homomorphism from E [n] onto T0.

    I Define : E [n] G1 T0 by (Q) = ((Q), (Q)).I is an efficiently-computable isomorphism,I The inverse mapping, given by (Q1,Q2) 7 Q1 + Q2, is also

    efficiently computable.I Wlg, elements of E [n] can be represented as pairs of points

    (Q1,Q2) G1 T0.

    Sanjit Chatterjee (UW) 10 / 28

  • Hashing onto E [n]

    I Define H : {0,1} E [n] as H(m) = (H1(m),H2(m)).I H1 : {0,1} G1.I H2 : {0,1} T0.

    I Significantly faster hashing onto E [n].I Hashing onto G1 and T0 requires arithmetic in Fp and Fp2 .I Less than 3 times as costly as a point multiplication in G1.

    I Hashing into E [n] is 180 times less costly than previouslyestimated.

    I If H1 and H2 are modeled as random oracles, then H is also arandom oracle.

    Sanjit Chatterjee (UW) 11 / 28

  • Type 4 Pairing from Type 3

    I Let e3(P,Q), P G1, Q T0 be a Type 3 pairing.I Define e4 : G1 E [n] GT by e4(P,Q) = e3(P, Q), where

    Q = Q 6(Q).I If Q = (Q1,Q2), then Q = (,2Q2).

    I e4 is bilinear and can be computed in essentially the same time ase3.

    I e4 is non-degenerate.

    Sanjit Chatterjee (UW) 12 / 28

  • Comparison

    E/Fp : Y 2 = X 2 + 3 with BN parameters z = 6000000000001F2D.

    Type 3 Type 4Bitlength of elements in G1 257 257

    Bitlength of elements in T0/E [n] 513 770Bitlength of elements in GT 1,024 1,024

    Exponentiation in G1 1,533m 1,533mExponentiation in T0/E [n] 3,052m 4,585m

    Hashing into G1 315m 315mHashing into T0/E [n] 3,726m 4,041m

    Pairing 15,175m 15,175m

    (Estimated costs are in terms of Fp multiplications.)

    Sanjit Chatterjee (UW) 13 / 28

  • On Secure Implementation

    Sanjit Chatterjee (UW) 14 / 28

  • Group Signature

    I Every member has a secret key but there is a single public key forthe whole group.

    I Group signatures provide signer-anonymity.I Revocation of a user may be critical for some applications.

    Sanjit Chatterjee (UW) 15 / 28

  • Boneh-Shacham Group Signature

    I BS group signature allows a verifier to locally check whether thegiven signature is generated by a revoked user.

    I Verifier-local revocation (VLR) group signature.I The signature length is short.I Application: privacy preserving attestation.

    I Can be implemented in Type 1 but not in Type 2 or Type 3.I The first protocol for which Type 4 setting was introduced

    [Shacham:2005].

    Sanjit Chatterjee (UW) 16 / 28

  • The BS-VLR Protocol

    Some essentials:

    I Employs a Type 4 pairing e : G1 E [n] GT .I Two hash functions (treated as random oracle):

    I H0 : {0,1} E [n] E [n].I H : {0,1} [1,n 1].

    I Group public key, gpk = (P1,P2,W ) where P2 R E [n],P1 = (P2) and W = P2, R [1,n 1].

    I Pvt. key of user i , gsk [i] = (Ai , xi), where xi R [1,n 1] andAi = ( + xi)1P1.

    I The corresponding revocation token is Ai .

    Sanjit Chatterjee (UW) 17 / 28

  • Signing and Verification

    I To sign i computes:I (U, V ) = H0(gpk ,M, r) where M is the message and r R [1,n 1].I U = (U) and V = (V ).I T1 = U and T2 = Ai + V , where R [1,n 1].I Compute helper values R1,R2,R3.I Challenge value, c = H(gpk ,M, r ,T1,T2,R1,R2,R3).I contains r ,T1,T2, c and three randomizers (to rederive

    R1,R2,R3).I is accepted as valid if c is a correct challenge and the signer is

    not revoked.

    Sanjit Chatterjee (UW) 18 / 28

  • Revocation Check in BS-VLR Group Signature

    I A list of revocation tokens (RL) corresponding to the revokedusers is publicly available.

    I Suppose the signature () is generated by a user i whoserevocation token Ai is in RL.

    I The correctness of the protocol mandates that must be rejected.

    Sanjit Chatterjee (UW) 19 / 28

  • Revocation Check

    I The protocol stipulates that will be rejected since:

    e(T2 Ai , U) = e(T1, V ) (1)

    I (U, V ) = H0(gpk ,M, r) E [n] E [n].I T1 = U and T2 = Ai + V , where U = (U) and V = (V ).

    I So Eqn. 1 can be rewritten as:

    e(V , U) = e(U, V ) (2)

    I Trivially holds if both U, V are from same order-n subgroup ofE [n].

    I Write U = xV (and U = xV ).

    Sanjit Chatterjee (UW) 20 / 28

  • Another Look at the Revocation Check

    I But E [n] is a group of order n2!I U, V are obtained through hashing into random elements of E [n].

    I The probability that they belong to the same order-n subgroup ofE [n] is negligibly small.

    I With overwhelming probability Eqn. 2 will not hold.I A signature generated by a revoked user will be accepted as valid.

    I The protocol is not secure!I So also the protocols that extend the idea of BS-VLR group

    signature.I Nakanishi and Funabiki [2006].I Bringer et al. [2008].

    Sanjit Chatterjee (UW) 21 / 28

  • Another Look at the Revocation Check

    I But E [n] is a group of order n2!I U, V are obtained through hashing into random elements of E [n].

    I The probability that they belong to the same order-n subgroup ofE [n] is negligibly small.

    I With overwhelming probability Eqn. 2 will not hold.I A signature generated by a revoked user will be accepted as valid.

    I The protocol is not secure!I So also the protocols that extend the idea of BS-VLR group

    signature.I Nakanishi and Funabiki [2006].I Bringer et al. [2008].

    Sanjit Chatterjee (UW) 21 / 28

  • Whats Wrong with the Security Argument?

    I Security mandates that the protocol satisfies correctness,traceability and selfless-anonymity properties.

    I Fails to satisfy the correctness property when we work in E [n].I By implication the traceability property is violated.

    I The arguments hold if we restrict to a order-n subgroup of E [n].I Not instantiable in Type 2 or Type 3 settings.I Can be instantiated in Type 1, but the signature is no longer short.

    Sanjit Chatterjee (UW) 22 / 28

  • Rescuing BS-VLR Scheme

    Essential idea:

    I For random U, V E [n] in general one cannot expect

    e((V ), U

    )= e

    ((U), V

    ).

    I But bilinearity of e ensures

    e((V ), U

    )= e

    ((V ), U

    ).

    I Revocation check works properly if we send T1 = U E [n]instead of T1 as part of .

    I For each A RL check whether the following holds:

    e(T2 A, U) = e(V , T1) (3)

    Sanjit Chatterjee (UW) 23 / 28

  • Modified BS-VLR

    I Key generation algorithm remains unchanged.I Define H0 : {0,1} E [n]G1.I To sign, compute (U,V ) = H0(g