Weaknesses in the Generic Group Model - PowerPoint PPT Presentation

About This Presentation

Title:

Weaknesses in the Generic Group Model

Description:

Number of Views:36

Avg rating:3.0/5.0

Slides: 18

Provided by: Alexa106

Category:

more less

Transcript and Presenter's Notes

Title: Weaknesses in the Generic Group Model

1
Weaknesses in the Generic Group Model

2
Groups in Cryptography

3
The group Cp

The cyclic group of p elements can be realised
as
An additive group of integers.
A multiplicative group of integers.
A subgroup of an elliptic curve group.
All of these groups are isomorphic but have
vastly different computational properties.

4
The Generic Group Model

The generic group aims to capture the idea that a
scheme is secure on some arbitrary, unspecified
group.
Applicable only to schemes that are useable in
arbitrary groups, like Diffie-Hellman based
schemes.
Not applicable to RSA based schemes.
Two main formalisations.

5
Nechaevs Model

6
Shoups Model

Instead of using abstract group elements use a
randomly selected encoding
? Z 0,1
Attacker has access to an oracle that computes
group operations but can test for equality
itself.

n
p
7
Shoups Model

The idea is that, because ? is a random
function, we cannot take advantage of any
structure provided by the encoding.
This model has proven easier to use.
More realistic?

8
Shoups Model

The Exact Security of ECIES in the Generic Group
model (N. Smart.)
Generic Groups, Collision Resistance and ECDSA
(D. Brown)
Flaws in Applying Proof Methodologies to
Signature Schemes (J. Stern, D. Pointcheval, J.
Malone-Lee, N. Smart)

9
Schnorr and Jakobssons Model

Combines the random oracle model and the Nechaev
generic group model.
A scheme that is secure in the Schnorr and
Jakobsson model is certainly secure in the Shoup
model.
Converse is not true? Impossible to simulate a
full domain random oracle with a random encoding
function.

10
The Random Oracle Model

Introduced by Bellare and Rogaway in 1993.
Aims to show that a scheme is secure up to
weaknesses that might be introduced by the hash
function.
Replaces the hash function by a randomly chosen
function.

11
The Random Oracle Model

Famous paper by Canetti, Goldreich and Halevi has
shown that the ROM is weak
in the sense that there exists schemes that are
provably secure in the random oracle model but
insecure when the hash function is replaced with
any function.
Uses CS Proofs (Micali).

12
My Results

The same techniques that are used in the Canetti
et al. paper can be used in the Shoup model.
There exist problems that are provably hard in
the generic group model but easy to solve when
the random encoding function is replaced with any
polynomial time encoding function.

13
My Results

There also exist cryptographic schemes that are
provably secure in the generic group model but
insecure when used with any specific group.
Uses Cryptographic CS Proofs (Micali) which is
a stronger assumption.

14
Other models

Obviously since the Schnorr and Jakobsson model
assumes the random oracle model, the above result
is trivial in that model.
It has not been shown that security proofs in
Nechaevs model are weak.

15
A quick digression

How applicable is the generic group model for
security proofs?
Generic groups have no automorphisms but we
mostly restrict ourselves to groups that have
predictable automorphisms (such as Elliptic Curve
groups)
Or we build automorphisms into groups to improve
performance.

16
A quick digression

Consider the ECIES encryption scheme.
The scheme uses EC-DH and only uses the
x-coordinates of points to improve performance.
Provably secure in the Shoup version of the
generic group model (N. Smart).
However very obviously weak due to the fact that,
on an elliptic curve, if P(x,y) then -P(x,-y).

17
Conclusion

Schemes that have proofs of security in the
generic group model are not necessarily weak
but the proof of security is only a heuristic
guide to the security of the algorithm.
Furthermore they should be implemented with care
to avoid nullifying that proof.

Write a Comment

User Comments (0)