Weaknesses in the Generic Group Model Dr. Alex Dent alex@fermat.ma.rhul.ac.uk http://www.isg.rhul.ac.uk/~alex
Groups in Cryptography • We often use a “group” in cryptography. • However a group is an abstract concept. • Cryptography tends to use some kind of binary encoding of a group, i.e. an encoding function G → {0,1}*. • The different encodings have different computational properties.
The group C_p • The cyclic group of p elements can be realised as: • An additive group of integers. • A multiplicative group of integers. • A subgroup of an elliptic curve group. • All of these groups are isomorphic but have vastly different computational properties.
The Generic Group Model • The generic group aims to capture the idea that a scheme is secure on some arbitrary, unspecified group. • Applicable only to schemes that are useable in arbitrary groups, like Diffie-Hellman based schemes. • Not applicable to RSA based schemes. • Two main formalisations.
Nechaev’s Model • Attacker has access to an oracle that can: • Check equality of group elements. • Perform group operations. • The encoding of the group is never considered in this model.
Shoup’s Model • Instead of using abstract group elements, use a randomly selected encoding function Z_p → {0,1}^n. • Attacker has access to an oracle that computes group operations but can test for equality itself.
Shoup’s Model • The idea is that, because the encoding is a random function, we cannot take advantage of any structure provided by the encoding. • This model has proven easier to use. • More realistic?
Shoup’s Model • “The Exact Security of ECIES in the Generic Group model” (N. Smart.) • “Generic Groups, Collision Resistance and ECDSA” (D. Brown) • “Flaws in Applying Proof Methodologies to Signature Schemes” (J. Stern, D. Pointcheval, J. Malone-Lee, N. Smart)
Schnorr and Jakobsson’s Model • Combines the random oracle model and the Nechaev generic group model. • A scheme that is secure in the Schnorr and Jakobsson model is certainly secure in the Shoup model. • Converse is not true? Impossible to simulate a full domain random oracle with a random encoding function.
The Random Oracle Model • Introduced by Bellare and Rogaway in 1993. • Aims to show that a scheme is secure up to weaknesses that might be introduced by the hash function. • Replaces the hash function by a randomly chosen function.
The Random Oracle Model • Famous paper by Canetti, Goldreich and Halevi has shown that the ROM is weak… • …in the sense that there exist schemes that are provably secure in the random oracle model but insecure when the hash function is replaced with any function. • Uses “CS Proofs” (Micali).
My Results • The same techniques that are used in the Canetti et al. paper can be used in the Shoup model. • There exist problems that are provably hard in the generic group model but easy to solve when the random encoding function is replaced with any polynomial time encoding function.
My Results • There also exist cryptographic schemes that are provably secure in the generic group model but insecure when used with any specific group. • Uses “Cryptographic CS Proofs” (Micali) which is a stronger assumption.
Other models • Obviously since the Schnorr and Jakobsson model assumes the random oracle model, the above result is trivial in that model. • It has not been shown that security proofs in Nechaev’s model are weak.
A quick digression • How applicable is the generic group model for security proofs? • Generic groups have no automorphisms, but we mostly restrict ourselves to groups that have predictable automorphisms (such as Elliptic Curve groups). • Or we build automorphisms into groups to improve performance.
A quick digression • Consider the ECIES encryption scheme. • The scheme uses EC-DH and only uses the x-coordinates of points to improve performance. • Provably secure in the Shoup version of the generic group model (N. Smart). • However, very obviously weak due to the fact that, on an elliptic curve, if P=(x,y) then -P=(x,-y).
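A toy illustration of the automorphism the slide points to, added here and not part of the talk: affine arithmetic on a small Weierstrass curve over GF(97) (constructed parameters, not a real ECIES curve) shows that an x-only derivation cannot tell kP from -kP = (n-k)P, a structure that a random encoding in Shoup's model never exhibits.

```python
# Toy curve y^2 = x^3 + A*x + B over GF(P_MOD); constructed for illustration only.
P_MOD, A, B = 97, 2, 3
O = None  # point at infinity (group identity)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    """The automorphism P -> -P: same x-coordinate, negated y."""
    if pt is O:
        return O
    x, y = pt
    return (x, (-y) % P_MOD)

def add(p1, p2):
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O  # P + (-P), including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def order(pt):
    """Smallest n with n*pt = O (brute force; fine for a toy curve)."""
    n, q = 1, pt
    while q is not O:
        q, n = add(q, pt), n + 1
    return n

def x_only_shared_secret(k, pt):
    """ECIES-style KDF input: only the x-coordinate of k*pt is kept."""
    return mul(k, pt)[0]

def negation_collisions(gen=(3, 6)):
    """For every k, the x-only secret for k and for n-k (i.e. -k) coincide."""
    n = order(gen)
    return [x_only_shared_secret(k, gen) == x_only_shared_secret(n - k, gen)
            for k in range(1, n)]
```

Run `negation_collisions()` to see that every scalar k collides with n-k under the x-only derivation; a generic-group proof, which sees only random bit strings, has no way to express this relation.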
Conclusion • Schemes that have proofs of security in the generic group model are not necessarily weak… • …but the proof of security is only a heuristic guide to the security of the algorithm. • Furthermore they should be implemented with care to avoid nullifying that proof.