Automated Analysis of Cryptographic Assumptions in Generic Group Models

  • Gilles Barthe
  • Edvard Fagerholm (corresponding author)
  • Dario Fiore
  • John Mitchell
  • Andre Scedrov
  • Benedikt Schmidt

Abstract

We initiate the study of principled, automated methods for analyzing hardness assumptions in generic group models, following the approach of symbolic cryptography. We start by defining a broad class of generic and symbolic group models for different settings—symmetric or asymmetric (leveled) k-linear groups—and by proving “computational soundness” theorems for the symbolic models. Based on this result, we formulate a very general master theorem that formally relates the hardness of a (possibly interactive) assumption in these models to solving problems in polynomial algebra. Then, we systematically analyze these problems. We identify different classes of assumptions and obtain decidability and undecidability results. Next, we develop and implement automated procedures for verifying the conditions of master theorems, and thus the validity of hardness assumptions in generic group models. The concrete outcome of this work is an automated tool which takes as input the statement of an assumption and outputs either a proof of its generic hardness or shows an algebraic attack against the assumption.
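As an added illustration (not the paper's tool or code), the polynomial-algebra check to which uber-assumption-style master theorems reduce a non-interactive computational assumption, specialised to a symmetric bilinear group with polynomial inputs: the challenge is generically hard exactly when it is not a linear combination of what the adversary can compute. Assumed simplifications: a degree-2 symmetric pairing, polynomial (not rational) inputs in three secret exponents, no interactive oracles; the paper's symbolic models and the master theorem are far more general.

```python
from fractions import Fraction
from itertools import combinations_with_replacement

# Constructed example: a group element g^p is represented by the polynomial p
# in the secret exponents (x, y, z).  A polynomial is a dict monomial -> coefficient,
# where a monomial is a tuple of exponents, so x*z is (1, 0, 1).
def mono(*exps):
    return {tuple(exps): Fraction(1)}

def mul(p, q):
    """Polynomial product; models the pairing e(g^p, g^q) = gT^(p*q)."""
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            out[m] = out.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in out.items() if c != 0}

def in_span(basis, target):
    """Is target a Q-linear combination of basis?  Incremental Gaussian elimination."""
    monos = sorted({m for p in basis + [target] for m in p})
    vec = lambda p: [p.get(m, Fraction(0)) for m in monos]
    pivots = {}  # leading column -> row normalised to 1 in that column

    def reduce(v):
        for col in sorted(pivots):
            if v[col] != 0:
                f = v[col]
                v = [a - f * b for a, b in zip(v, pivots[col])]
        return v

    for p in basis:
        v = reduce(vec(p))
        lead = next((i for i, a in enumerate(v) if a != 0), None)
        if lead is not None:
            pivots[lead] = [a / v[lead] for a in v]
    return not any(reduce(vec(target)))

def computable(g1_inputs, group):
    """Polynomials a generic adversary can reach: linear combinations of the G1
    inputs in G1, and of all pairwise pairings of G1 inputs in GT."""
    if group == "G1":
        return list(g1_inputs)
    return [mul(p, q) for p, q in combinations_with_replacement(g1_inputs, 2)]

def generically_hard(g1_inputs, target, group):
    """True: the target lies outside the computable span (no generic algorithm).
    False: the target is reachable, i.e. an algebraic attack exists."""
    return not in_span(computable(g1_inputs, group), target)

ONE, X, Y, Z = mono(0, 0, 0), mono(1, 0, 0), mono(0, 1, 0), mono(0, 0, 1)
INPUTS = [ONE, X, Y, Z]  # the adversary sees g, g^x, g^y, g^z
```

With these inputs the check reports the bilinear Diffie-Hellman target gT^(xyz) as generically hard, the target gT^(xy) as reachable (it is the pairing e(g^x, g^y)), and the G1 target g^(xy) as hard, since G1 elements can only be combined linearly.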

Keywords

Generic group model, cryptographic assumptions, automated methods

Acknowledgements

This work is supported in part by ONR Grants N00014-12-1-0914 and N00014-15-1-2750, Madrid regional Projects S2009TIC-1465 PROMETIDOS and S2013/ICE-2731 N-Greens, and Spanish Projects TIN2009-14599 DESAFIOS 10, TIN2012-39391-C04-01 Strongsoft, TIN2015-70713-R DEDETIS, and RTC-2016-4930-7 (DataMantium). Additional support for Mitchell, Scedrov, and Fagerholm is from the AFOSR MURI “Science of Cyber Security: Modeling, Composition, and Measurement” and from NSF Grants CNS-0831199 (Mitchell) and CNS-0830949 (Scedrov and Fagerholm). The research of Fiore and Schmidt has received funds from the European Commission’s Seventh Framework Programme Marie Curie Cofund Action AMAROUT II (Grant No. 291803). The research of Dario Fiore is also partially supported by a Juan de la Cierva fellowship by the Spanish Ministry of Economy.

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Gilles Barthe (1)
  • Edvard Fagerholm (1, 2, 5), corresponding author
  • Dario Fiore (1)
  • John Mitchell (3)
  • Andre Scedrov (2, 4)
  • Benedikt Schmidt (1, 6)
  1. IMDEA Software Institute, Madrid, Spain
  2. University of Pennsylvania, Philadelphia, USA
  3. Stanford University, Stanford, USA
  4. National Research University Higher School of Economics, Moscow, Russian Federation
  5. NVIDIA, Santa Clara, USA
  6. Google, Mountain View, USA