A CCA-2 SECURE CRYPTOSYSTEM USING MATRICES OVER GROUP RINGS

Second Exam of Severin Ngnosse, CUNY Graduate Center, CS

Committee members: D. Kahrobaei (Mentor), B. Khan, V. Shpilrain, X. Zhang

D. Kahrobaei, C. Koupparis, and V. Shpilrain, A CCA secure cryptosystem using matrices over group rings, Contemporary Mathematics, American Mathematical Society, 9 pages, to appear in 2015, http://arxiv.org/abs/1403.3660.

D. Kahrobaei, C. Koupparis, and V. Shpilrain, Public key exchange using matrices over group rings, Groups, Complexity, and Cryptology 5 (2013), 97–115.

V. Shoup, Why chosen ciphertext security matters, IBM Research Report RZ 3076, November 1998.

R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in Proc. Crypto '98.

September 5th, 2014


1 Introduction

2 Platform Group: Group Rings; Benefits

3 DH using semigroups: Computational Diffie-Hellman & Decision Diffie-Hellman; Experimental results

4 Cramer-Shoup cryptosystem: Cramer-Shoup Cryptosystem (Classical)

5 Using matrices over group rings: Security; Experimental Results; Other Parameters


MOTIVATION

Current cryptographic protocols rely heavily on commutative groups, usually the integers mod n.

Many existing attacks (or proposed new ones) use commutativity of the platform as a point of weakness for the encryption scheme.

Therefore, proposed new protocols need to be ever more sophisticated/lengthy/clever to survive known attacks.


Group Ring

Definition

Let $G$ be a multiplicative group and let $R$ be a commutative ring with nonzero unity. The set $R[G]$ of all formal sums $\sum_{g_i \in G} r_i g_i$ (where $r_i \in R$ and almost all $r_i$ are equal to zero) is called the group ring.


Operations on a Group Ring

We define the sum of two elements in $R[G]$ by

$$\sum_{g_i \in G} a_i g_i + \sum_{g_i \in G} b_i g_i = \sum_{g_i \in G} (a_i + b_i)\, g_i .$$

Note that $a_i$ and $b_i$ are almost all equal to zero, hence the above sum is in $R[G]$. Thus $(R[G], +)$ is an abelian group. Multiplication of two elements of $R[G]$ is defined as follows:

$$\Bigl(\sum_{g_i \in G} a_i g_i\Bigr)\Bigl(\sum_{g_i \in G} b_i g_i\Bigr) = \sum_{g_i \in G} \Bigl(\sum_{g_j g_k = g_i} a_j b_k\Bigr) g_i .$$


Choice of Platform

The platforms chosen here are sets of matrices (of a small size) over a group ring, with the usual matrix multiplication operation.

Specifically, focus will be given to matrices over the group ring $\mathbb{Z}_n[S_m]$, where $\mathbb{Z}_n$ is the ring of integers modulo $n$ and $S_m$ is the symmetric group of degree $m$.


Choice of $\{k, n, m\}$ for $M_k(\mathbb{Z}_n[S_m])$

$2 \times 2$ or $3 \times 3$ matrices over $\mathbb{Z}_n[S_5]$ (where $n = 3, 5$ or $7$). $\mathbb{Z}_7[S_5]$ is preferred, as this provides for a large key space ($7^{480}$ for $2 \times 2$ matrices and $7^{1080}$ for $3 \times 3$ matrices over $\mathbb{Z}_7[S_5]$).

Storing a single $2 \times 2$ matrix over $\mathbb{Z}_7[S_5]$ requires about 1350 bits, and a single $3 \times 3$ matrix about 3030 bits. Keys are roughly the same size as in the classical schemes.


Benefits I

The groups are simple to compute with and store, while their size increases the security of any scheme.

Multiplication of matrices over $\mathbb{Z}_7[S_5]$ is simpler and possibly faster than multiplication in $\mathbb{Z}_p$ for large $p$. We can store the small multiplication table for $S_5$. Hence, there is no actual multiplication involved, just re-arranging a bit string of length 120.


Benefits II

$S_5$ only admits one non-trivial automorphism, so group theoretic attacks don't reveal much (we can replace $S_5$ with $A_5$).

Our platform proves too large or complicated for standard attacks (baby-step giant-step, Pohlig-Hellman, Pollard's rho algorithm).


Diffie-Hellman

Diffie-Hellman using matrices over a group ring

Alice and Bob want to share a secret key. They both agree on a platform set (here it will be a set of matrices over a group ring).

Alice chooses a public matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and a private large positive integer $a$.

Alice computes $M^a$ and publishes $(M, M^a)$.

Bob chooses another large integer $b$, computes $M^b$ and publishes it.

Both Alice and Bob can now compute the same shared secret key $K = (M^a)^b = (M^b)^a$.

As noted, computations in $M_3(\mathbb{Z}_7[S_5])$ are efficient, and, of course, we can use the "square and multiply" algorithm for exponentiation.
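An added example, not code from the slides or the paper, covering the group-ring operations defined above (sum and convolution product in $\mathbb{Z}_n[S_m]$, with $S_m$ products done as table lookups as in Benefits I), matrices over that ring with square-and-multiply, and the Diffie-Hellman exchange just described. The default parameters $(k, n, m) = (2, 7, 4)$ and the exponent size are this example's choices; the slides use $M_3(\mathbb{Z}_7[S_5])$, which the code accepts but runs slowly in pure Python. All names below are this example's own.

```python
"""Added example (not the slides' own code): arithmetic in the group ring
Z_n[S_m], matrices over it, square-and-multiply, and the Diffie-Hellman exchange.
Default (k, n, m) = (2, 7, 4) keeps it fast; the slides use M_3(Z_7[S_5])."""
import itertools
import secrets


def perm_table(m):
    """S_m as a list of permutations plus table[i][j] = index of p_i * p_j.
    Group products become table lookups (the 'no actual multiplication' remark)."""
    elems = list(itertools.permutations(range(m)))          # identity is index 0
    idx = {p: i for i, p in enumerate(elems)}
    # (p*q)(x) = p(q(x)); any fixed convention works as long as it is used consistently
    return elems, [[idx[tuple(p[q[x]] for x in range(m))] for q in elems] for p in elems]


class GroupRing:
    """Z_n[S_m]: an element is the list of its coefficients mod n, one per permutation."""

    def __init__(self, n, m):
        self.n = n
        self.elems, self.table = perm_table(m)
        self.size = len(self.elems)

    def one(self):
        e = [0] * self.size
        e[0] = 1
        return e

    def add(self, a, b):
        """sum a_i g_i + sum b_i g_i = sum (a_i + b_i) g_i"""
        return [(x + y) % self.n for x, y in zip(a, b)]

    def mul(self, a, b):
        """(sum a_i g_i)(sum b_j g_j) = sum_g (sum_{g_i g_j = g} a_i b_j) g"""
        out = [0] * self.size
        for i, ai in enumerate(a):
            if ai:
                for j, bj in enumerate(b):
                    if bj:
                        t = self.table[i][j]
                        out[t] = (out[t] + ai * bj) % self.n
        return out

    def rand(self):
        return [secrets.randbelow(self.n) for _ in range(self.size)]


class MatRing:
    """M_k(R) for a GroupRing R, with the usual matrix product."""

    def __init__(self, R, k):
        self.R, self.k = R, k

    def identity(self):
        return [[self.R.one() if i == j else [0] * self.R.size for j in range(self.k)]
                for i in range(self.k)]

    def mul(self, A, B):
        out = [[[0] * self.R.size for _ in range(self.k)] for _ in range(self.k)]
        for i in range(self.k):
            for j in range(self.k):
                for l in range(self.k):
                    out[i][j] = self.R.add(out[i][j], self.R.mul(A[i][l], B[l][j]))
        return out

    def pow(self, A, e):
        """Square-and-multiply: O(log e) matrix products."""
        result, base = self.identity(), A
        while e:
            if e & 1:
                result = self.mul(result, base)
            base = self.mul(base, base)
            e >>= 1
        return result

    def rand(self):
        return [[self.R.rand() for _ in range(self.k)] for _ in range(self.k)]


def diffie_hellman(k=2, n=7, m=4, bits=32):
    """Alice publishes (M, M^a), Bob publishes M^b; both derive (M^a)^b = (M^b)^a.
    Returns (alice_key, bob_key, a, b); the keys agree because powers of M commute."""
    ring = MatRing(GroupRing(n, m), k)
    M = ring.rand()
    a, b = secrets.randbits(bits) | 1, secrets.randbits(bits) | 1   # demo-sized exponents
    Ma, Mb = ring.pow(M, a), ring.pow(M, b)
    return ring.pow(Ma, b), ring.pow(Mb, a), a, b


if __name__ == "__main__":
    ka, kb, a, b = diffie_hellman()
    print("shared keys agree:", ka == kb)
```

The exchange needs no inverses and no commutativity of the platform, only that $M^a$ and $M^b$ commute with each other, which holds for powers of the same matrix.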


Computational Diffie-Hellman

The security of the Diffie-Hellman key exchange relies on the assumption that it is computationally hard to recover $M^{ab}$ from the public information $(M, M^a, M^b)$.

For a given group $G$, one can define a Diffie-Hellman algorithm $F$ which, upon input of $(g, g^a, g^b)$, outputs $g^{ab}$, i.e. $F(g, g^a, g^b) = g^{ab}$. We say that a group $G$ satisfies the CDH assumption if no such efficient algorithm $F$ exists for $G$.


Definition (Boneh)

A CDH algorithm $F$ for a group $G$ is a probabilistic polynomial time algorithm satisfying, for some fixed $\alpha > 0$ and sufficiently large $n \in \mathbb{N}$,

$$P[F(g, g^a, g^b) = g^{ab}] > \frac{1}{n^{\alpha}} .$$

The probability is over a uniformly random choice of $a$ and $b$.

We say that the group $G$ satisfies the CDH assumption if there is no CDH function for $G$.


CDH by itself is not sufficient to prove that the Diffie-Hellman protocol is useful for practical cryptographic purposes.

For example, even if CDH is true, one may be able to predict 80% of the bits of $g^{ab}$ with reasonable confidence.

One must be able to bound the information one can extract about secret keys from $g$, $g^a$ and $g^b$. This is formally expressed by the much stronger Decision Diffie-Hellman (DDH) assumption.


Decision Diffie-Hellman

Definition (Boneh)

A DDH algorithm $F$ for a group $G$ is a probabilistic polynomial time algorithm satisfying, for some fixed $\alpha > 0$ and sufficiently large $n$,

$$\Bigl| P[F(g, g^a, g^b, g^{ab}) = \text{“True”}] - P[F(g, g^a, g^b, g^c) = \text{“True”}] \Bigr| > \frac{1}{n^{\alpha}} .$$

The probability is over a uniformly random choice of $a$, $b$ and $c$.

We say the group $G$ satisfies the DDH assumption if there is no DDH algorithm for $G$. Essentially, the DDH assumption implies that there is no efficient algorithm which can distinguish between the two probability distributions $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c)$, where $a, b, c$ are chosen at random.


Experimental Results

Some experimental results have been obtained using sets of matrices over group rings as platform. Specifically, these results

show the time it takes to compute powers of a given random matrix in $M_2(\mathbb{Z}_2[S_5])$, $M_2(\mathbb{Z}_3[S_5])$, $M_3(\mathbb{Z}_2[S_5])$ and $M_3(\mathbb{Z}_3[S_5])$;

show that given an invertible matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and random integers $a, b, c \in \mathbb{N}$, it is not possible to distinguish between the distribution generated by $(M^a, M^b, M^{ab})$ and $(M^a, M^b, M^c)$;

show that given an invertible matrix $M \in M_3(\mathbb{Z}_7[S_5])$ and a random integer $a$, it is not possible to extract information about $a$ from $M$ and $M^a$. In other words, the distributions generated by $M^a$ and by a random matrix $N$ are indistinguishable.


Computational Time

Group Ring        Exponent    Time (s)
M_2(Z_2[S_5])     10^10       0.17
M_2(Z_2[S_5])     10^100      1.90
M_2(Z_2[S_5])     10^1000     16.83
M_2(Z_3[S_5])     10^10       0.15
M_2(Z_3[S_5])     10^100      1.63
M_2(Z_3[S_5])     10^1000     16.60
M_3(Z_2[S_5])     10^10       0.53
M_3(Z_2[S_5])     10^100      5.34
M_3(Z_3[S_5])     10^10       0.55
M_3(Z_3[S_5])     10^100      5.49


Experimental DDH Verification

In order to test the DDH assumption two distributions are considered: one generated by the tuple $M^{ab}$ and the other generated by $M^c$. $a$ and $b$ are chosen randomly from the interval $[10^{25}, 10^{26}]$, and $c$ is randomly chosen from $[10^{50}, 10^{52}]$.

To get a clear picture of how elements are distributed in the matrices, we created a table with the distribution of elements of $S_5$ for each entry of the matrices.

We produced Q-Q plots of entries of $M^{ab}$ versus entries of $M^c$. (Q-Q plots, or quantile-quantile plots, are a graphical method for comparing two probability distributions by plotting their quantiles against each other.)

If these distributions are indistinguishable, then the final Q-Q plots should be straight lines.


Experimental Results

Figure: DDH results


Experimental Results

Figure: DDH results


Experimental Results

Figure: Randomness of $M^a$


Cramer-Shoup Cryptosystem

The Cramer-Shoup cryptosystem is a generalization of ElGamal key exchange problems.

It is provably secure against adaptive chosen ciphertext attack.

The proof of security relies on a standard intractability assumption, namely the hardness of the Diffie-Hellman decision problem in the underlying group.


Provable security against adaptive chosen ciphertext attack

A formal definition of security against active attacks evolved in a sequence of papers by Naor and Yung, Rackoff and Simon, and Dolev, Dwork and Naor. The notion is called chosen ciphertext security or, equivalently, non-malleability.

The intuitive idea behind this definition is that even if an adversary can get arbitrary ciphertexts of his choice decrypted, he still gets no partial information about other encrypted messages.


We define the following game, which is played by the adversary.

First, we run the encryption scheme's key generation algorithm, with the necessary input parameters. In particular, one can input a binary string in $\{0, 1\}^n$, which describes the group $G$ on which the algorithm is based.

The adversary is then allowed to make arbitrary queries to the decryption oracle, decrypting ciphertexts of his choice, except the target one.


Provable security against adaptive chosen ciphertext attack

The adversary then chooses two messages, m0 and

m1,submits them to the encryption oracle. The oracle chooses

a random bit b ∈ {0, 1}, encrypts mb and submit the

encrypted message to the adversary.

Upon receipt of the ciphertext, the adversary is allowed to

continue querying the decryption oracle.

At the end of the game, the adversary must output

b′ ∈ {0, 1}, which is the adversary’s best guess as to the value

of b.


The probability of success for the adversary is defined by

$$P(b' = b) = \tfrac{1}{2} + \varepsilon(n) .$$

$\varepsilon(n)$ is called the adversary's advantage, and $n \sim |G|$.

We say the cryptosystem is CCA-2 secure if the advantage of the adversary is negligible.

Note that a negligible function is a function that grows slower than any inverse polynomial $n^{-c}$, for any particular constant $c$ and large enough $n$.


Cramer-Shoup Basic Scheme

Secret Key: random $x_1, x_2, y_1, y_2, z \in \mathbb{Z}_q$

Public Key:

$g_1, g_2 \in G$ (but not 1),

$c = g_1^{x_1} g_2^{x_2}$,

$d = g_1^{y_1} g_2^{y_2}$,

$h = g_1^{z}$,

$H$ = hash function chosen from a universal one-way family.


Encryption of $m \in G$: $(u_1, u_2, e, v)$, where

$u_1 = g_1^{r}$, $u_2 = g_2^{r}$, $e = h^{r} m$, $v = c^{r} d^{r\alpha}$,

$r \in \mathbb{Z}_q$ is random and $\alpha = H(u_1, u_2, e)$.


Decryption of $(u_1, u_2, e, v)$:

If $v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}$, where $\alpha = H(u_1, u_2, e)$, then $m = e / u_1^{z}$, else "reject".
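An added example, not from the slides: the basic scheme above implemented over the order-$q$ subgroup of $\mathbb{Z}_p^*$, together with the chosen-ciphertext game defined earlier (key generation, a decryption oracle that refuses only the target ciphertext, a challenge on $(m_0, m_1)$, further queries, a guess). The toy safe prime $p = 2039 = 2q + 1$, SHA-256 reduced mod $q$ standing in for the universal one-way hash family, and every function and class name are this example's own.

```python
"""Added example, not the slides' code: classical Cramer-Shoup on the order-q subgroup
of Z_p^* plus the adaptive chosen-ciphertext game.  Toy parameters and SHA-256 in place
of a universal one-way hash family are this example's simplifications."""
import hashlib
import secrets

P, Q = 2039, 1019      # constructed toy safe prime p = 2q + 1; the squares mod p form the group of order q


def hash_alpha(u1, u2, e):
    """H(u1, u2, e) as an exponent in Z_q."""
    return int.from_bytes(hashlib.sha256(f"{u1},{u2},{e}".encode()).digest(), "big") % Q


def keygen():
    """Secret key x1, x2, y1, y2, z in Z_q; public key (g1, g2, c, d, h)."""
    g1 = 1
    while g1 == 1:                                      # random square other than 1
        g1 = pow(secrets.randbelow(P - 2) + 2, 2, P)
    g2 = pow(g1, secrets.randbelow(Q - 1) + 1, P)       # another non-trivial group element
    x1, x2, y1, y2, z = (secrets.randbelow(Q) for _ in range(5))
    c = pow(g1, x1, P) * pow(g2, x2, P) % P
    d = pow(g1, y1, P) * pow(g2, y2, P) % P
    return (g1, g2, c, d, pow(g1, z, P)), (x1, x2, y1, y2, z)


def encrypt(pk, m):
    """m must be a group element (a square mod p); returns (u1, u2, e, v)."""
    g1, g2, c, d, h = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * m % P
    alpha = hash_alpha(u1, u2, e)
    return u1, u2, e, pow(c, r, P) * pow(d, r * alpha % Q, P) % P


def decrypt(sk, ct):
    """Returns m, or None ('reject') when v fails the consistency check."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    alpha = hash_alpha(u1, u2, e)
    if v != pow(u1, (x1 + alpha * y1) % Q, P) * pow(u2, (x2 + alpha * y2) % Q, P) % P:
        return None
    return e * pow(pow(u1, z, P), -1, P) % P           # m = e / u1^z


def cca2_game(adversary):
    """One run of the game.  adversary.choose(pk, dec) returns (m0, m1) and
    adversary.guess(challenge, dec) returns b'; the oracle dec answers every query
    except the challenge ciphertext itself.  Returns True when b' == b."""
    pk, sk = keygen()
    target = []

    def dec(ct):
        return None if ct in target else decrypt(sk, ct)

    m0, m1 = adversary.choose(pk, dec)
    b = secrets.randbelow(2)
    target.append(encrypt(pk, (m0, m1)[b]))
    return adversary.guess(target[0], dec) == b


class ProbingAdversary:
    """Asks the oracle about the challenge itself and about a copy with v altered (the
    kind of related-ciphertext query that malleable schemes answer); both come back as
    'reject', so it is left guessing.  The oracle's answers are kept for inspection."""

    def choose(self, pk, dec):
        self.g1, self.answers = pk[0], []
        return pow(pk[0], 3, P), pow(pk[0], 5, P)

    def guess(self, challenge, dec):
        u1, u2, e, v = challenge
        self.answers = [dec(challenge), dec((u1, u2, e, v * self.g1 % P))]
        return secrets.randbelow(2)


def estimate_advantage(adversary, runs=200):
    """|P(b' = b) - 1/2| estimated over `runs` independent games."""
    wins = sum(cca2_game(adversary) for _ in range(runs))
    return abs(wins / runs - 0.5)
```

The consistency check on $v$ is what separates this scheme from textbook ElGamal: any ciphertext whose $v$ does not match the one fixed by $(u_1, u_2, e)$ and the secret key is rejected, so the decryption oracle gives the adversary nothing on modified copies of the challenge. With $q = 1019$ an altered $e$ survives the check only when $H$ collides mod $q$, roughly once in $q$ attempts; with real parameters that probability is negligible.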


Theorem

The Cramer-Shoup cryptosystem is secure against adaptive chosen ciphertext attack assuming that

1. The hash function $H$ is chosen from a universal one-way family.

2. The Diffie-Hellman decision problem is hard in the group $G$.


A CCA-2 secure cryptosystem using matrices over group rings

In a paper by Kahrobaei, Koupparis and Shpilrain, the authors proposed a public key exchange using matrices over group rings. They offer a public key exchange protocol in the spirit of Diffie-Hellman, but they use matrices over a group ring of a (rather small) symmetric group as the platform and discuss security of this scheme by addressing the Decision Diffie-Hellman (DDH) and Computational Diffie-Hellman (CDH) problems for that platform.


Under the proposed platform, they show that an encryption scheme similar to the Cramer-Shoup scheme is CCA-2 secure. The protocol is as follows:

Secret Key: random $x_1, x_2, y_1, y_2, z \in \mathbb{Z}_n$

Public Key:

$3 \times 3$ non-identity matrices $M_1, M_2 \in M_{3 \times 3}(\mathbb{Z}_7[S_5])$ such that $M_1$ is invertible and $M_1 M_2 = M_2 M_1$,

$c = M_1^{x_1} M_2^{x_2}$, $d = M_1^{y_1} M_2^{y_2}$,

$h = M_1^{z}$.


Encryption of a message $N \in M_{3 \times 3}(\mathbb{Z}_7[S_5])$: $E(N) = (u_1, u_2, e, v)$, where

$u_1 = M_1^{r}$, $u_2 = M_2^{r}$, $e = h^{r} N$, $v = c^{r} d^{r\alpha}$, $r \in \mathbb{Z}_n$ is random, and $\alpha = H(u_1, u_2, e)$.


Decryption of $(u_1, u_2, e, v)$:

If $v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}$, where $\alpha = H(u_1, u_2, e)$, then $N = (u_1^{z})^{-1} e$ (note that $u_1$ is invertible since $M_1$ is chosen to be invertible), else "reject".
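An added example, not the paper's or the slides' code, of the matrix scheme just described. Elements of $M_k(\mathbb{Z}_n[S_m])$ are stored through the regular representation as $k \cdot m! \times k \cdot m!$ matrices over $\mathbb{Z}_n$, which turns the product into a plain matrix product mod $n$ and lets the inverse $(u_1^{z})^{-1}$ needed in decryption be computed by Gauss-Jordan elimination mod $n$ (the slides do not say how that inverse is obtained; this is one way that works for prime $n$). The parameters $(k, n, m) = (2, 7, 3)$, taking $M_2 = M_1^{t}$ so that $M_1 M_2 = M_2 M_1$ holds by construction, the exponent range, and SHA-256 as $H$ are this example's assumptions, as are all names.

```python
"""Added example, not the slides' or the paper's code: the Cramer-Shoup variant over
M_k(Z_n[S_m]).  Elements are stored as their image under the regular representation,
a (k*m!) x (k*m!) matrix over Z_n, so products are matrix products mod n and the inverse
used in decryption comes from Gauss-Jordan elimination mod n (n prime).  (k, n, m) =
(2, 7, 3) keeps the demo fast; the slides use M_3(Z_7[S_5])."""
import hashlib
import itertools
import secrets


class Platform:
    """M_k(Z_n[S_m]) inside M_{k*|S_m|}(Z_n): entry (i, j) becomes the block of left multiplication."""

    def __init__(self, k=2, n=7, m=3):
        perms = list(itertools.permutations(range(m)))          # identity is index 0
        idx = {p: i for i, p in enumerate(perms)}
        # table[a][g] = index of p_a * p_g, with (p*q)(x) = p(q(x))
        self.table = [[idx[tuple(p[q[x]] for x in range(m))] for q in perms] for p in perms]
        self.k, self.n, self.s = k, n, len(perms)
        self.N = k * self.s

    def rand(self):
        """Random element: random Z_n coefficient for every permutation in every entry, embedded."""
        big = [[0] * self.N for _ in range(self.N)]
        for i in range(self.k):
            for j in range(self.k):
                for a in range(self.s):
                    coef = secrets.randbelow(self.n)
                    for g in range(self.s):          # x * p_g carries x_a to position p_a * p_g
                        big[i * self.s + self.table[a][g]][j * self.s + g] = coef
        return big

    def mul(self, A, B):
        N = self.N
        return [[sum(A[i][l] * B[l][j] for l in range(N)) % self.n for j in range(N)] for i in range(N)]

    def pow(self, A, e):                             # square-and-multiply
        result = [[int(i == j) for j in range(self.N)] for i in range(self.N)]
        while e:
            if e & 1:
                result = self.mul(result, A)
            A = self.mul(A, A)
            e >>= 1
        return result

    def inv(self, A):
        """Gauss-Jordan elimination mod n on [A | I]; None when A is not invertible."""
        n, N = self.n, self.N
        rows = [A[i][:] + [int(i == j) for j in range(N)] for i in range(N)]
        for c in range(N):
            p = next((r for r in range(c, N) if rows[r][c]), None)
            if p is None:
                return None
            rows[c], rows[p] = rows[p], rows[c]
            f = pow(rows[c][c], -1, n)
            rows[c] = [v * f % n for v in rows[c]]
            for r in range(N):
                if r != c and rows[r][c]:
                    g = rows[r][c]
                    rows[r] = [(x - g * y) % n for x, y in zip(rows[r], rows[c])]
        return [row[N:] for row in rows]


def hash_alpha(u1, u2, e):
    """H(u1, u2, e) as a 64-bit exponent (SHA-256 stands in for the universal one-way family)."""
    return int.from_bytes(hashlib.sha256(repr((u1, u2, e)).encode()).digest()[:8], "big")


def keygen(P, exp_bound=2**20):
    """M1 invertible; M2 = M1^t commutes with M1; secret exponents drawn from [1, exp_bound]."""
    M1 = P.rand()
    while P.inv(M1) is None:
        M1 = P.rand()
    M2 = P.pow(M1, secrets.randbelow(exp_bound) + 2)
    x1, x2, y1, y2, z = (secrets.randbelow(exp_bound) + 1 for _ in range(5))
    c = P.mul(P.pow(M1, x1), P.pow(M2, x2))
    d = P.mul(P.pow(M1, y1), P.pow(M2, y2))
    return (M1, M2, c, d, P.pow(M1, z)), (x1, x2, y1, y2, z)


def encrypt(P, pk, N, exp_bound=2**20):
    M1, M2, c, d, h = pk
    r = secrets.randbelow(exp_bound) + 1
    u1, u2 = P.pow(M1, r), P.pow(M2, r)
    e = P.mul(P.pow(h, r), N)                    # h^r on the left: the platform is noncommutative
    alpha = hash_alpha(u1, u2, e)
    return u1, u2, e, P.mul(P.pow(c, r), P.pow(d, r * alpha))


def decrypt(P, sk, ct):
    """Returns N, or None ('reject') when v fails the consistency check."""
    x1, x2, y1, y2, z = sk
    u1, u2, e, v = ct
    alpha = hash_alpha(u1, u2, e)
    if v != P.mul(P.pow(u1, x1 + alpha * y1), P.pow(u2, x2 + alpha * y2)):
        return None
    return P.mul(P.inv(P.pow(u1, z)), e)         # N = (u1^z)^-1 e; u1 is invertible since M1 is


def roundtrip(k=2, n=7, m=3):
    P = Platform(k, n, m)
    pk, sk = keygen(P)
    N = P.rand()
    return decrypt(P, sk, encrypt(P, pk, N)) == N
```

Because the embedding is a ring homomorphism and the image is a finite-dimensional subalgebra, the inverse found in the big matrix ring is itself the image of an element of $M_k(\mathbb{Z}_n[S_m])$, so working in the representation loses nothing; for $k = 3$, $m = 5$ the matrices are $360 \times 360$, which this pure-Python code handles only slowly.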


Remarks:

$M_1$ must always be chosen to be an invertible matrix, whereas $M_2$ is just any matrix such that $M_1 M_2 = M_2 M_1$.

One must also decide what group $\mathbb{Z}_n$ to use, i.e., $n$ must be specified.


As in the theorem proved by Cramer-Shoup mentioned above, the goal is to show that for random invertible matrices over $M_{3 \times 3}(\mathbb{Z}_7[S_5])$, if the DDH problem is hard, then the previously mentioned cryptosystem is secure against adaptive chosen ciphertext attack. More formally, the following result is obtained:


Theorem

The Cramer-Shoup cryptosystem using the semigroup $G = M_{3 \times 3}(\mathbb{Z}_7[S_5])$ is secure against adaptive chosen ciphertext attack assuming that

1. the hash function $H$ is chosen from a universal one-way family, and

2. the Diffie-Hellman decision problem is hard in the group $G$.


Adaptive Chosen Ciphertext Attacks (CCA-2)

CCA-2 Security

Run the encryption scheme's key generation algorithm.

Make any number of random queries to the decryption oracle.

At some point, submit two messages to the encryption oracle. The oracle will choose one message and will return its ciphertext.

Eventually, continue with random queries.

Finally, decide which of the two messages has been encrypted.

We say a cryptosystem is CCA-2 secure if the adversary's advantage is negligible.


As a reminder, the original Cramer-Shoup scheme is CCA-2 secure provided

the hash function is suitably chosen, and

the Decision Diffie-Hellman problem is hard in the platform group.


Proof of CCA-2 Security

The proof that the DDH problem is hard in this scheme under the chosen platform employed the same analysis as in the Diffie-Hellman scheme. The results are similar, i.e. it appears that this group satisfies the DDH assumption.

The subsequent proof will be similar to the original one: by constructing a Decision Diffie-Hellman algorithm for our platform, which is in direct contradiction with our initial assumption that DDH is computationally hard in our semigroup!


Description of a DDH Algorithm

1. Assume that there is an adversary $A$ that can break the cryptosystem and that our hash function is still chosen from a universal family of one-way hash functions.

2. Consider an algorithm $D$, which is made of

the adversary's view of the cryptosystem, and

a random bit generator $b \in \{0, 1\}$ unknown to the adversary $A$.


Our algorithm $D$ receives as input a tuple $(M_1, M_2, M_3, M_4)$.

$D$ will have to determine whether this tuple comes from DH or it is just a random tuple R.


Pick random $x_1, x_2, y_1, y_2, z$ in $\mathbb{Z}_n$ and a universal one-way hash function $H$ as mentioned above.

The adversary $A$ receives the public key PK, which is

$(M_1, M_2, c = M_1^{x_1} M_2^{x_2}, d = M_1^{y_1} M_2^{y_2}, h = M_1^{z})$.


$A$ chooses 2 messages $m_0$ and $m_1$ and passes them to $D$.

$D$ picks $b \in \{0, 1\}$ and passes to $A$ the tuple

$$(M_3,\; M_4,\; M_3^{z} m_b,\; M_3^{x_1 + \alpha y_1} M_4^{x_2 + \alpha y_2})$$

where $\alpha = H(M_3, M_4, M_3^{z} m_b)$.

With this information, the adversary tries to determine $b$ and returns its guess $b'$.


If the adversary's guess $b' = b$ then $D$ returns "DH", otherwise $D$ returns "R".

As a reminder, inputs that $D$ receives come either from "DH" or from "R".


Claims

We will argue around two main points:

1. If the input for D comes from Diffie-Hellman (DH), then the simulation is nearly perfect, i.e. the adversary will have a non-negligible advantage in guessing the hidden bit b generated by the oracle.

2. If the input for D comes from a random distribution (R), then the adversary's view is independent of b, and therefore the adversary's advantage is negligible.


Claim

By doing so, we have mounted a DDH algorithm capable of distinguishing a DH distribution from R. We need to verify three claims.


General Outline-Claim

$|P(D = DH \mid DH) - P(D = DH \mid R)| < \varepsilon$. This claim is trivial since D is a PPT algorithm and the DDH assumption holds, as verified previously.

$P(D = DH \mid DH) = P_A(\mathrm{Success})$. If we are given a DDH tuple, then all decryption queries succeed for A. Hence the output of A will match the choice of b with probability $P_A(\mathrm{Success})$.


General Outline - Claims

$|P(D = DH \mid R) - \tfrac{1}{2}| < \varepsilon$. Since $P(D = DH) = P(A = b)$, the proof of this claim relies on two pieces.

First, we need to show that for all decryption queries where $u_1 = M_1^{r_1}$ and $u_2 = M_2^{r_2}$ with $r_1 \neq r_2$, the decryption verification fails with non-negligible probability.

Secondly, we must also show that, assuming all invalid decryptions fail, the adversary A does not learn any additional information about z.


General Outline - Claims

1. The first part of the claim is proved by walking through all possible cases of invalid decryption queries and showing that each fails.

2. The second part is proved by appealing to the fact that the distribution of a random matrix N and the distribution of the matrices of the form $M^a$ that A receives are indistinguishable.


Experimental Results

Figure: DDH results


Experimental Results

Figure: Randomness of $M^a$


Parameters for the Cramer-Shoup-like scheme using matrices over group rings

Two problems relevant to key generation in the scheme are addressed:

1. How to sample invertible matrices.

2. How to sample commuting matrices.


Invertible matrices

Sampling invertible matrices can be done using various techniques. The first method is to construct a matrix which is a product of elementary matrices,

$$M = \prod_{i=1}^{n} E_i,$$

where $E_i$ is any elementary matrix from $M_{3 \times 3}(\mathbb{Z}_7[S_5])$. Elementary matrices can be of one of the three types below. In the matrix $T_i(u)$, the element u should be invertible in $\mathbb{Z}_7[S_5]$.


Invertible matrices

$$T_{i,j} = \begin{pmatrix}
1 & & & & & & \\
& \ddots & & & & & \\
& & 0 & \cdots & 1 & & \\
& & \vdots & \ddots & \vdots & & \\
& & 1 & \cdots & 0 & & \\
& & & & & \ddots & \\
& & & & & & 1
\end{pmatrix}$$

(the identity matrix with rows i and j interchanged; blank entries are 0)


Invertible matrices

$$T_i(u) = \begin{pmatrix}
1 & & & & \\
& \ddots & & & \\
& & u & & \\
& & & \ddots & \\
& & & & 1
\end{pmatrix}$$

(the identity matrix with the (i, i) entry replaced by u; blank entries are 0)


Invertible matrices

$$T_{i,j}(v) = \begin{pmatrix}
1 & & & & & & \\
& \ddots & & & & & \\
& & 1 & & & & \\
& & & \ddots & & & \\
& & v & & 1 & & \\
& & & & & \ddots & \\
& & & & & & 1
\end{pmatrix}$$

(the identity matrix with v placed in the off-diagonal (j, i) entry; blank entries are 0)


Invertible matrices

With such a choice, it is easy to compute $M^{-1}$ as

$$M^{-1} = \prod_{i=1}^{n} E_{n-i+1}^{-1}.$$

The drawback of generating an invertible matrix this way is that we do not have a good grasp of the randomness embedded in this process. In particular, how large must n be to generate a truly random matrix?


Invertible matrices

Instead of the previously mentioned method of sampling random matrices, an alternative solution has been proposed. Start with an already "somewhat random" matrix, for which it is easy to compute the inverse. An example of such a matrix is a lower/upper triangular matrix with invertible elements on the diagonal:

$$M = \begin{pmatrix} u_1 & g_1 & g_2 \\ 0 & u_2 & g_3 \\ 0 & 0 & u_3 \end{pmatrix}.$$


Invertible matrices

Constructing the inverse of this matrix involves solving the matrix equation $M \cdot M^{-1} = I$:

$$\begin{pmatrix} u_1 & g_1 & g_2 \\ 0 & u_2 & g_3 \\ 0 & 0 & u_3 \end{pmatrix} \cdot \begin{pmatrix} u_1^{-1} & g_4 & g_5 \\ 0 & u_2^{-1} & g_6 \\ 0 & 0 & u_3^{-1} \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$

$$\Rightarrow \quad g_4 = -u_1^{-1} g_1 u_2^{-1}, \qquad g_5 = u_1^{-1} g_1 u_2^{-1} g_3 u_3^{-1} - u_1^{-1} g_2 u_3^{-1}, \qquad g_6 = -u_2^{-1} g_3 u_3^{-1}.$$


Invertible matrices

One can therefore consider random products of such invertible upper and lower triangular matrices.

Since these matrices are more complex than elementary matrices, it seems reasonable to assume that we arrive at a more uniform distribution sooner than by simply using elementary matrices.

In experiments, a product of 20 random matrices was used, and each term of the product was chosen randomly as either a random invertible upper or lower triangular matrix.


Invertible matrices

As mentioned previously, the benefits of this method are that inverses are easy to compute and that the chosen matrix already has a large degree of randomness built in.

In particular, any element of $\mathbb{Z}_7[S_5]$ can be used off the diagonal, and any invertible element of the group ring can be used on the diagonal. These of course include elements such as $\lambda u \in \mathbb{Z}_7[S_5]$, where $u \in S_5$ and $\lambda \in \mathbb{Z}_7$.


Invertible matrices

Finally, it is important to notice that the order of the group $GL_3(\mathbb{Z}_7[S_5])$ of invertible $3 \times 3$ matrices over $\mathbb{Z}_7[S_5]$ is at least $10^{313}$.

Indeed, if we only count the invertible upper and lower triangular matrices described above, then we already have $(7 \cdot 120)^3 (7^{120})^3 \sim 10^{313}$ matrices.


Commuting matrices

Now that samples of invertible matrices are obtained ($M_1$ in our notation), to sample an arbitrary (i.e., not necessarily invertible) matrix $M_2$ that commutes with $M_1$ it suffices to proceed as follows:

Given a matrix $M_1 \in G$, define $M_2 = \sum_{i=1}^{k} a_i M_1^{i}$, where the $a_i \in \mathbb{Z}_7$ are selected randomly.

Clearly $M_1 M_2 = M_2 M_1$.


Commuting matrices

A reasonable choice for k is about 100, as this would yield $7^{100} \sim 10^{85}$ choices for $M_2$, which is a sufficiently large key space.
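The key-generation steps of the last few slides, worked through as an added Python example (this is not the authors' code): arithmetic in $\mathbb{Z}_7[S_5]$, a random invertible upper triangular $3 \times 3$ matrix whose inverse is filled in from the formulas for $g_4, g_5, g_6$ above, a product of such factors whose inverse is the reversed product of the factor inverses, and a commuting matrix $M_2 = \sum a_i M_1^i$. The representation (coefficient lists indexed through a precomputed $S_5$ multiplication table), the trick of producing a lower triangular factor by reversing the rows and columns of an upper triangular one, and the small sizes used in `demo()` are my choices; the slides use 20 factors and $k \approx 100$.

```python
"""Added example (not the authors' code): Z_7[S_5] arithmetic, invertible
triangular 3x3 matrices with the slide's closed-form inverse, products of
them with the reversed-product inverse, and a commuting M2 = sum a_i M1^i.
demo() uses small sizes for speed; the slides use 20 factors and k ~ 100."""
import itertools
import random

N, M, K = 7, 5, 3                                # Z_7[S_5], 3x3 matrices
PERMS = list(itertools.permutations(range(M)))   # the 120 elements of S_5
IDX = {p: i for i, p in enumerate(PERMS)}
ORDER = len(PERMS)
# Lookup tables so group ring products need no permutation arithmetic.
MUL = [[IDX[tuple(p[q[x]] for x in range(M))] for q in PERMS] for p in PERMS]
INV = [IDX[tuple(sorted(range(M), key=p.__getitem__))] for p in PERMS]
ONE = IDX[tuple(range(M))]

# A group ring element is a list of 120 coefficients in Z_7, indexed like PERMS.
def gr_zero(): return [0] * ORDER
def gr_one(): return [int(i == ONE) for i in range(ORDER)]
def gr_add(a, b): return [(x + y) % N for x, y in zip(a, b)]
def gr_scale(a, lam): return [(lam * x) % N for x in a]
def gr_random(rng): return [rng.randrange(N) for _ in range(ORDER)]

def gr_mul(a, b):
    """Convolution over S_5; the ring is non-commutative, so order matters."""
    out = gr_zero()
    for i, ca in enumerate(a):
        if ca:
            row = MUL[i]
            for j, cb in enumerate(b):
                if cb:
                    out[row[j]] = (out[row[j]] + ca * cb) % N
    return out

def gr_unit(rng):
    """lambda*u with lambda in Z_7^*, u in S_5; returns (element, inverse)."""
    lam, i = rng.randrange(1, N), rng.randrange(ORDER)
    e, e_inv = gr_zero(), gr_zero()
    e[i], e_inv[INV[i]] = lam, pow(lam, -1, N)
    return e, e_inv

# 3x3 matrices over the group ring, as nested lists.
def mat_zero(): return [[gr_zero() for _ in range(K)] for _ in range(K)]
def mat_identity(): return [[gr_one() if i == j else gr_zero() for j in range(K)] for i in range(K)]
def mat_add(A, B): return [[gr_add(A[i][j], B[i][j]) for j in range(K)] for i in range(K)]
def mat_scale(A, lam): return [[gr_scale(A[i][j], lam) for j in range(K)] for i in range(K)]

def mat_mul(A, B):
    C = mat_zero()
    for i in range(K):
        for j in range(K):
            for t in range(K):
                C[i][j] = gr_add(C[i][j], gr_mul(A[i][t], B[t][j]))
    return C

def random_upper_triangular(rng):
    """Upper triangular M with units u_i on the diagonal and arbitrary g_i above
    it, together with M^-1 from the slide's formulas for g4, g5, g6."""
    (u1, u1i), (u2, u2i), (u3, u3i) = (gr_unit(rng) for _ in range(3))
    g1, g2, g3 = (gr_random(rng) for _ in range(3))
    z, neg = gr_zero(), N - 1
    g4 = gr_scale(gr_mul(gr_mul(u1i, g1), u2i), neg)          # -u1^-1 g1 u2^-1
    g6 = gr_scale(gr_mul(gr_mul(u2i, g3), u3i), neg)          # -u2^-1 g3 u3^-1
    g5 = gr_add(gr_mul(gr_mul(gr_mul(gr_mul(u1i, g1), u2i), g3), u3i),   # u1^-1 g1 u2^-1 g3 u3^-1
                gr_scale(gr_mul(gr_mul(u1i, g2), u3i), neg))             # - u1^-1 g2 u3^-1
    return ([[u1, g1, g2], [z, u2, g3], [z, z, u3]],
            [[u1i, g4, g5], [z, u2i, g6], [z, z, u3i]])

def flip(A):
    """Reverse rows and columns: upper triangular becomes lower triangular, and
    flip(M)^-1 == flip(M^-1) because the reversal matrix has 0/1 entries."""
    return [[A[K - 1 - i][K - 1 - j] for j in range(K)] for i in range(K)]

def random_invertible(rng, factors=20):
    """M1 = E_1 ... E_n with random upper/lower triangular factors;
    M1^-1 = E_n^-1 ... E_1^-1, i.e. the inverses multiplied in reverse order."""
    M1, M1inv = mat_identity(), mat_identity()
    for _ in range(factors):
        E, Einv = random_upper_triangular(rng)
        if rng.random() < 0.5:
            E, Einv = flip(E), flip(Einv)
        M1, M1inv = mat_mul(M1, E), mat_mul(Einv, M1inv)
    return M1, M1inv

def commuting_matrix(M1, rng, k=100):
    """M2 = sum_{i=1}^k a_i M1^i with random a_i in Z_7: a polynomial in M1, so
    M1 M2 == M2 M1 whether or not M2 is invertible."""
    M2, power = mat_zero(), mat_identity()
    for _ in range(k):
        power = mat_mul(power, M1)
        M2 = mat_add(M2, mat_scale(power, rng.randrange(N)))
    return M2

def demo(seed=1, factors=4, k=5):
    """Return (M1*M1^-1 == I, M1^-1*M1 == I, M1*M2 == M2*M1)."""
    rng = random.Random(seed)
    M1, M1inv = random_invertible(rng, factors)
    M2 = commuting_matrix(M1, rng, k)
    I = mat_identity()
    return (mat_mul(M1, M1inv) == I, mat_mul(M1inv, M1) == I,
            mat_mul(M1, M2) == mat_mul(M2, M1))

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two points worth noticing when running it: the inverse formulas only hold with the factors in exactly the order written, because $\mathbb{Z}_7[S_5]$ is not commutative, and the diagonal units are the $\lambda u$ elements from the slide, whose inverse $\lambda^{-1} u^{-1}$ is immediate. Nothing here checks how uniform the resulting $M_1$ is; that is the open question the slides raise about the number of factors.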


Other parameters

As mentioned in the introduction of the Cramer-Shoup algorithm adapted to the chosen platform (i.e. group rings), it is important to specify the value of n for $\mathbb{Z}_n$.

Based on experiments it has been suggested that $n \sim 10^{100}$.


Other parameters

This seemed a reasonable choice of exponent since it both allowed quick computations and ensured that the power a matrix was raised to could not be figured out by brute-force methods alone.


The End! Thank you!