Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Strong Cryptography from Weak Secrets Building Efficient PKE and IBE from Distributed Passwords Xavier Boyen 1 Céline Chevalier 2 Georg Fuchsbauer 3 David Pointcheval 3 5 May 2010 1 Université de Liège, Belgium 2 Telecom ParisTech, Paris, France 3 École normale supérieure, Paris, France 1/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Our Contribution Abdalla, Boyen, Chevalier, Pointcheval: Distributed Public-Key Cryptography from Weak Secrets PKC 2009 2/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Our Contribution Abdalla, Boyen, Chevalier, Pointcheval: Distributed Public-Key Cryptography from Weak Secrets PKC 2009 Extend their results DDH → DLIN ABCP09 ElGamal encryption Ours Linear encryption, identity-based encryption Practical simulation-sound NIZKs ABCP09 Impractical generic construction or random oracles Ours Practical standard-model construction 2/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Outline Distributed Cryptography 1 Distributed Password Public-Key Cryptography 2 Introduction Outline of Security Model Construction of Public Key Decryption The Decision-Linear Case 3 3/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Outline Distributed Cryptography 1 Distributed Password Public-Key Cryptography 2 Introduction Outline of Security Model Construction of Public Key Decryption The Decision-Linear Case 3 4/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Introduction Goal of distributed cryptography Base security not on a single person → Distribute the secret key among several persons − 5/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Introduction Goal of distributed cryptography Base security not on a single person → Distribute the secret key among several persons − Example: safe with several locks 5/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Introduction Goal of distributed cryptography Base security not on a single person → Distribute the secret key among several persons − Example: safe with several locks Every responsable possesses one key A B C D 5/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case Introduction Goal of distributed cryptography Base security not on a single person → Distribute the secret key among several persons − Example: safe with several locks Every responsable possesses one key → Presence of all responsables necessary − A B C D 5/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case ElGamal Encryption Key distribution Every player P i chooses sk i (big size and thus high entropy) P i publishes pk i = g sk i n Π Global public key: pk = i = 1 pk i n ∑ Secret key: sk = sk i i = 1 6/24
Distributed Cryptography Distributed Password Public-Key Cryptography The Decision-Linear Case ElGamal Encryption Decryption Every player publishes pk i = g sk i n Π Global public key: pk = i = 1 pk i n ∑ Secret key: sk = sk i i = 1 Parameters: G cyclic, g generator and h = g sk Cyphertext: c = E ( m ; r ) = ( mh r , g r ) Every player publishes ( g r ) sk i Multiplying all shares gives ( g r ) sk = h r thus mh r / h r = m 6/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Outline Distributed Cryptography 1 Distributed Password Public-Key Cryptography 2 Introduction Outline of Security Model Construction of Public Key Decryption The Decision-Linear Case 3 7/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Outline Distributed Cryptography 1 Distributed Password Public-Key Cryptography 2 Introduction Outline of Security Model Construction of Public Key Decryption The Decision-Linear Case 3 8/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Introduction Disadvantage Every user must memorize a key of high entropy → Use passwords − 9/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Introduction Disadvantage Every user must memorize a key of high entropy → Use passwords − Passwords in public-key cryptography? If pk i = g pw i → Attack by testing every password pw: g pw ? = pk i − Offline dictionary attack 9/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Introduction Disadvantage Every user must memorize a key of high entropy → Use passwords − Passwords in public-key cryptography? If pk i = g pw i → Attack by testing every password pw: g pw ? = pk i − Offline dictionary attack Best of both worlds Use many passwords to construct distributed key of high entropy 9/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Distributed Password Public-Key Cryptography Model by [ABCP09] n players P 1 , ..., P n One particular player: group leader , P 1 n − 1 “mercenaries”, controlled by P 1 Every P i chooses a password pw i No assumption of secure channels, Communication controlled by the adversary who can corrupt players 10/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Outline Distributed Cryptography 1 Distributed Password Public-Key Cryptography 2 Introduction Outline of Security Model Construction of Public Key Decryption The Decision-Linear Case 3 11/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Universal Composability Principle Real world Ideal world Protocol Ideal Functionality properties of the protocol adversary’s goals adversary’s means 12/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Universal Composability Principle Real world Ideal world Protocol Ideal Functionality properties of the protocol adversary’s goals adversary’s means Players Virtual players 12/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Universal Composability Principle Real world Ideal world Protocol Ideal Functionality properties of the protocol adversary’s goals adversary’s means Players Virtual players Adversary Simulator (to construct) Indistinguishability of the two worlds 12/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Proof principle Summary There exists an adversary A passive or active static or adaptive A impersonating players with passwords of his choice We have to construct a simulator plays the role of the virtual players that are not corrupted by the adversary Simulator does not know passwords chosen by adversary The two worlds must be indistinguishable → Need means to extract the passwords from the adversary − 13/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Proof principle Summary There exists an adversary S A passive or active static or adaptive A S impersonating players with passwords of his choice S S We have to construct a simulator plays the role of the virtual players that are not corrupted by the adversary Simulator does not know passwords chosen by adversary The two worlds must be indistinguishable → Need means to extract the passwords from the adversary − 13/24
Introduction Distributed Cryptography Outline of Security Model Distributed Password Public-Key Cryptography Construction of Public Key The Decision-Linear Case Decryption Outline Distributed Cryptography 1 Distributed Password Public-Key Cryptography 2 Introduction Outline of Security Model Construction of Public Key Decryption The Decision-Linear Case 3 14/24
Recommend
More recommend