ebook img

Non-Abelian Groups as Candidate Platform for Cryptographic PDF

24 Pages·2006·0.54 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Non-Abelian Groups as Candidate Platform for Cryptographic

Non-Abelian Groups as Candidate Platform for Cryptographic Schemes: Strengths and Weaknesses Rainer Steinwandt Florida Atlantic University Non-abelian groups in cryptography: Why? … besides being academic fun: • desire for new hardness assumptions (not amenable to known quantum algorithms) • desire for performance improvements (e.g., smaller signatures, faster encryption) Other promising candidates exist, incl. • Lattices (→ NTRU) • Multivariate Cryptography (→ SFLASH) … current state – a pragmatic view • many proposals for encryption, signing, key establishment, … using non-abelian groups have been made • most suggestions that were specified in detail have been attacked successfully hardly any non-abelian proposal available that is accepted as practical and secure What is a cryptographic scheme? Common problems in “non-abelian proposals”: • lack of clearly specified assumptions & goals security model unclear • available cryptographic tools & attack models not taken into account • lack of formal rigor “attacks w/o mathematical value” Example: public key encryption Established minimum requirement: indistinguishable encryptions under chosen plaintext attacks (with proof!) … or be more efficient than the others ☺ • encrypt one bit at a time • “sufficiently complicated” instances • hard to find plaintext from ciphertext MST revisited 1 • introduced as public key encryption scheme • no security proof • no secure key generation known … could yield trapdoor one-way perm. from a group-theoretical problem combination with known cryptographic constructions could yield a “real scheme” Logarithmic signatures of finite groups G a finite group, A , ..., A ⊆ G with G =A ·...·A . 1 s 1 s Then [A , ..., A ] is a logarithmic signature 1 s for G :⇔ each g ∈ G has a unique factorization g = a ·...·a with a ∈ A . 1 s i i Ex.: For a subgroup chain G = G > G >... > G ={id} 0 1 s choose A as left transversal of G mod G i i−1 i The trouble with the instances… MST needs log. signatures Λ so that factoring 1 w.r.t. Λ needs knowledge of trapdoor Z/|G|Z [A ,..., A ] G [B , ..., B ] Z/|G|Z 1 s 1 t mixed basis mixed basis multiply factor represent. represent. n (a , ..., a ) g (b , ..., b ) f (n) 1 s 1 t ... unclear how to generate these reliably (cf. key generation trouble w/ conjugacy & root problem in braid groups) Symmetric cryptography & group theory • For PGM, “a symmetric MST ”, things look 1 better: successful cryptanalysis lacking • Tillich-Zémor hash function from CRYPTO 94 “structurally unbroken” for n prime: 1.) Fix GF(2n)=GF(2)[X]/(f(X)) 2.) For α a root of f(X), set α 1 α α+1 B := , B := ∈ SL (GF(2n)) 0 1 2 1  1 1 0 3.) Hash value of m∈{0,1}* : H(m):=∏ B i i Getting constructive… • Alternative to constructing complete group- based cryptographic scheme from scratch: Provable reduction of, e.g., IND-CCA2 security to group-theoretical assumption ( Cramer-Shoup-like construction). - possibly no efficient instance known + you know what you need & get

Description:
Strengths and Weaknesses. Rainer Steinwandt. Florida Atlantic University Tillich-Zémor hash function from CRYPTO 94. “structurally unbroken” for n prime: 1.
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.