Bilinear Mappings in Formal Cryptography. 08.10.11.
Bilinear Mapping Define: • Let n be a prime number. • G1 = ⟨P⟩ is an additive group of order n with identity element 0 (P is the generator of G1). • GT is a multiplicative group of order n with identity element 1.
Bilinear Mapping Define a mapping e : G1 x G1 → GT, which satisfies the following properties: • Bilinearity: for each R,S ∈ G1, a,b ∈ Zn: e(aR, bS) = e(R,S)^(ab). • Non-degeneracy: e(P, P) ≠ 1. • Computability: e can be easily computed.
Discrete Logarithm Problem • Let G = ⟨P⟩. We say that the discrete logarithm problem is hard in G if, given some Q ∈ G, it is impossible to find in polynomial time an integer x such that: • Q = xP (additive group) • Q = P^x (multiplicative group) • If the discrete logarithm problem is hard in G1, then, according to bilinearity, it should also be hard in GT.
Bilinear Diffie-Hellman Problem • Bilinear Diffie-Hellman Problem (BDHP): Given P, aP, bP, cP ∈ G1, compute e(P,P)^(abc). • This problem cannot be solved in polynomial time if the discrete logarithm problem is hard in the group G1.
Example: Tripartite Key Exchange The new key is: e(bP,cP)^a = e(P,P)^(abc) (Alice) e(aP,cP)^b = e(P,P)^(abc) (Bob) e(aP,bP)^c = e(P,P)^(abc) (Chris) If the intruder eavesdrops on the network and gets the values of aP, bP and cP, he cannot derive the new key.
Formal and Computational Views • Formal view • Messages are elements of a term algebra. • Possible operations on terms are enumerated. • The protocol is represented through a process calculus or a theory. • Computational view • Messages are bit strings. • Possible operations on bit strings: everything in probabilistic polynomial time. • The protocol is a set of probabilistic Turing machines.
Derivation Rules • Define a predicate I: I(x) is true iff the intruder knows the value of x. • Horn clauses are boolean formulas of the form: F1 & F2 & ... & Fn → G • Use the predicate I in the formulas: I(A1) & I(A2) & ... & I(An) → I(B) • If the intruder knows A1 ... An, he will also know B.
Describing the Intruder Rules • Let a message m encrypted by a key k be represented by the term enc(k,m). • The intruder may encrypt any message m with any key k and get enc(k,m). • The intruder may decrypt any enc(k,m) with the corresponding key k and obtain the message m. I(k) & I(m) → I(enc(k,m)) I(k) & I(enc(k,m)) → I(m)
Describing the Protocol Rules • I(enc(Kb, (Ka,Na,Kab))) → I(enc(Ka, (Na,Nb,Kb))) • I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) → I(enc(Kb, (Na,Nb))) • I(enc(Kb, (Ka,Na,Kab))) & I(enc(Ka, (Na,Nb,Kb))) & I(enc(Kb, (Na,Nb))) → I(enc(Kab,M))
Protocol Analysis • I(k1) • I(k2) • I(k1) & I(k2) → I(key) • I(enc(key,secret)) • I(X)& I(enc(X,Y)) → I(Y) • query I(secret)
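The derivation the "Protocol Analysis" slide asks ProVerif for, as an added Python model that is not part of the slides or of ProVerif: a forward-chaining saturation over the slide's Horn clauses, with the term representation (strings and tuples) and the round bound being my own assumptions.

```python
# Forward-chaining over the Horn clauses of the "Protocol Analysis" slide. Terms are
# strings (capitalised = variable, else constant) or tuples ("enc", k, m) for enc(k, m).
from itertools import product
def is_var(t):
    return isinstance(t, str) and t[0].isupper()
def match(pat, term, subst):
    # Extend subst so that pat instantiates to term; return None on mismatch.
    if is_var(pat):
        if pat in subst:
            return subst if subst[pat] == term else None
        return {**subst, pat: term}
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        for p, t in zip(pat, term):
            subst = match(p, t, subst)
            if subst is None:
                return None
        return subst
    return subst if pat == term else None
def apply(term, subst):
    if is_var(term):
        return subst.get(term, term)
    return tuple(apply(t, subst) for t in term) if isinstance(term, tuple) else term
def saturate(rules, max_rounds=20):
    # rules: (premises, conclusion) pairs; a fact has no premises. Returns the
    # set of terms t with I(t) derivable (bounded fixpoint, so it always stops).
    known = {c for prem, c in rules if not prem}
    for _ in range(max_rounds):
        new = set()
        for prem, concl in rules:
            for facts in product(known, repeat=len(prem)):
                subst = {}
                for p, f in zip(prem, facts):
                    subst = match(p, f, subst)
                    if subst is None:
                        break
                if subst is not None:
                    new.add(apply(concl, subst))
        if new <= known:
            break
        known |= new
    return known
# The slide's clauses: k1, k2 known; k1 & k2 give key; enc(key, secret) was
# seen on the network; plus the intruder decryption rule I(X) & I(enc(X,Y)) -> I(Y).
SLIDE_RULES = [([], "k1"), ([], "k2"), (["k1", "k2"], "key"),
               ([], ("enc", "key", "secret")), (["X", ("enc", "X", "Y")], "Y")]
def query(rules, goal):
    # True iff I(goal) is derivable: the slide's "query I(secret)".
    return goal in saturate(rules)
```

Note that the encryption rule I(k) & I(m) → I(enc(k,m)) is deliberately left out, since with it the set of derivable terms is infinite and a naive saturation would only stop at the round bound.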
Challenges • If the protocol is described as an equational theory, it needs the support of equivalence relations. • The algebraic properties of operations have to be described separately. • Protocol analysis has to take these properties (congruence relations) into account.
Properties of a Bilinear Mapping • Non-degeneracy: e(P, P) ≠ 1. • It will be the default setting if we do not state that e(P,P) = 1. • The identity P is actually not defined anywhere. • Computability: e can be easily computed. • The attacker should be able to use the mapping e. We need to add corresponding rules. • Bilinearity: for each R,S ∈ G1, a,b ∈ Zn: e(aR, bS) = e(R,S)^(ab). • This property is more difficult to implement.
Related Work • Ralf Küsters and Tomasz Truderung: Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation. CSF, 2009, 157-171, http://doi.ieeecomputersociety.org/10.1109/CSF.2009.17, http://dblp.unitrier.de. • This work provides an extension for ProVerif that allows one to analyze protocols with a finite number of exponents.
Our Contribution: • An equational theory of bilinear pairings for exponent-ground terms that allows only products in exponents (based on the Related Work). • The protocol transformer that was used for DH exponentiation has been upgraded so that it supports bilinear mappings (with and without types). • Some pairing-based protocols have been tested in ProVerif.
The Protocol Transformer • Translates all the terms in the description of the protocol to the normal form. • Encodes them. • Generates a set of intruder rules according to the set of grounded exponents C that it has discovered. • Writes the new set of rules to the output file, which is ready to be tested with ProVerif.
Normal Form • All the multipliers are transferred from the group G1 to the group GT: e(aP, bP) ≈ e(P,P)^(ab) • The exponents and the multipliers are grouped: G^(a b a^-1 c b) ≈ G^(b^2 c) • The exponents and the multipliers are ordered: G^(b^3 a^4) ≈ G^(a^4 b^3)
Encoding • There is a finite fixed set of possible exponents that are used in the protocol (we can use a finite set according to Related Work): C = {a,b,c} • The integers in the exponents are encoded: 1 ≈ s(0), 2 ≈ s(s(0)), ... -1 ≈ p(0), -2 ≈ p(p(0)), ... • The algebraic terms are encoded: G^(a^-1 c^2) ≈ exp(G,p(0),0,s(s(0))) P*(b^-1 c) ≈ mult(P,0,p(0),s(0))
Joux's Protocol for Authenticated Channels The intruder knows the public point P. I(P) The intruder knows the values that the honest users have sent to the network. I(aP), I(bP), I(cP) The intruder gets the secret if he gets the key. I(e(aP,bP)^c) → I(secret) I(e(bP,cP)^a) → I(secret) I(e(aP,cP)^b) → I(secret)
Normalizing Joux's Protocol • Three parties: C = {a,b,c} • The intruder knows the point. I(P) - no normalization needed • The intruder knows the values that the honest users have sent to the network. I(aP) ≈ I(mult(P, s(0), 0, 0)) I(bP) ≈ I(mult(P, 0, s(0), 0)) I(cP) ≈ I(mult(P, 0, 0, s(0))) • The intruder gets the secret if he gets the key. • I(e(aP,bP)^c) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret) • I(e(bP,cP)^a) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret) • I(e(aP,cP)^b) → I(secret) ≈ I(exp(e(P,P), s(0), s(0), s(0))) → I(secret) • The intruder has three ways to derive the secret, and in each case he actually needs the same key.
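The normal form, the s/p encoding and the normalization of Joux's protocol from the three slides above, as an added Python model; this is my own re-implementation, not the authors' protocol transformer, and it assumes the exponent set C = {a, b, c} and the exp/mult term syntax shown on the slides.

```python
# Normal form + encoding from the slides, for the grounded exponent set C = {a,b,c}.
# A product in an exponent is given as a list of (name, power) pairs, e.g.
# a b a^-1 c b  ->  [("a",1),("b",1),("a",-1),("c",1),("b",1)].
C = ("a", "b", "c")

def encode_int(k):
    # Unary encoding of the slides: 1 -> s(0), 2 -> s(s(0)), -1 -> p(0), 0 -> 0.
    if k == 0:
        return "0"
    step = 1 if k > 0 else -1
    return ("s(" if k > 0 else "p(") + encode_int(k - step) + ")"

def normalize(factors):
    # Group: sum the powers of equal names. Order: emit them in the order of C.
    # The result is the exponent vector (power of a, power of b, power of c).
    total = {name: 0 for name in C}
    for name, power in factors:
        if name not in total:
            raise ValueError(f"exponent {name!r} is not in the grounded set C")
        total[name] += power
    return tuple(total[name] for name in C)

def encode_vec(vec):
    return ",".join(encode_int(k) for k in vec)

def exp_term(base, factors):
    # G^x in GT  ->  exp(G, <vector>), e.g. G^(a^-1 c^2) -> exp(G,p(0),0,s(s(0)))
    return f"exp({base},{encode_vec(normalize(factors))})"

def mult_term(factors):
    # x*P in G1  ->  mult(P, <vector>), e.g. (b^-1 c)P -> mult(P,0,p(0),s(0))
    return f"mult(P,{encode_vec(normalize(factors))})"

def pairing_term(left, right, power):
    # e(xP, yP)^z = e(P,P)^(x y z) by bilinearity: the multipliers of both points
    # move into the exponent, so the product is just the concatenated factor list.
    return exp_term("e(P,P)", left + right + power)

def joux_keys():
    # The three keys of the Joux slide; after normalization they are one term.
    a, b, c = [(x, 1)] if False else [("a", 1)], [("b", 1)], [("c", 1)]
    return {pairing_term(a, b, c), pairing_term(b, c, a), pairing_term(a, c, b)}
```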
Intruder Rules • A set of rules is generated for the particular set of grounded exponents. • Examples of intruder rules for C = {a,b,c}: • I(exp(X,X1,X2,X3)), I(a) → I(exp(X,s(X1),X2,X3)); • I(X), I(Y) → I(e(X,Y)); • I(X), I(mult(Y,Y1,Y2,Y3)) → I(exp(e(X,Y),Y1,Y2,Y3)); • I(exp(X, 0, 0, 0)) → I(X); • ...
Normalization Rules • We introduce new predicates that define normalization: • E(X,Y,Z) is true iff X^Y = Z • M(X,Y,Z) is true iff Y·X = Z • P(X,Y,Z) is true iff e(X,Y) = Z • Examples of normalization rules for C = {a,b,c}: • E(exp(X, 0, p(0), 0), b, X); • M(mult(X, X1, X2, X3), a, mult(X, s(X1), X2, X3)); • P(mult(X, X1, X2, X3), Y, exp(e(X,Y), X1, X2, X3));
Using Normalization Rules • Suppose that we are trying to implement Joux's protocol for unauthenticated channels. • The variables aP, bP, and cP coming from the network can be substituted by the attacker. • I(e(A,B)^c) → I(secret) • I(e(B,C)^a) → I(secret) • I(e(A,C)^b) → I(secret) • where A, B, C are variables. • We cannot apply normalization directly. • Use auxiliary variables X and Y. • P(A,B,X) & E(X,c,Y) & I(Y) → I(secret) • P(B,C,X) & E(X,a,Y) & I(Y) → I(secret) • P(A,C,X) & E(X,b,Y) & I(Y) → I(secret) • ProVerif understands that it is insecure.
Solving the Previous Problem • All the keys are normalized and encoded. • The keys generated by different parties are syntactically equivalent. • The intruder is also capable of using bilinear pairings, multiplication, and exponentiation. He can compose similar structures himself.
Open Questions • The protocol analyzer does not support addition, and this has not been done in the Related Work either. In the given work, addition has been tried only for two elements. One protocol turned out to be insecure even with this constrained setting. • The analysis process is too slow. There are some protocols that have not been tested, since the number of rules produced by ProVerif did not converge.