Digital Signatures
Dennis Hofheinz (slides based on slides by Björn Kaidel and Gunnar Hartung)
Digital Signatures 2020-04-21 1
Outline
Recap from last lectures
sEUF-CMA from chameleon hashing
Pairing-based signatures
Recap from last lectures
• Chameleon hash functions (CHFs) as a technical tool
  – CHFs are randomized and have special trapdoor
  – Trapdoor not known → collision-resistance
  – Trapdoor known → collisions can be found
• CHFs + EUF-naCMA → EUF-CMA (chameleon) sigs
• CHFs are (i.e., can be interpreted as) one-time sigs
Stronger forms of EUF-CMA
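Experiment between challenger $C_{\text{EUF-CMA}}$ and adversary $A$:
• $C_{\text{EUF-CMA}}$ runs $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$ and sends $pk$ to $A$
• $A$ makes $q$ queries: it sends $m_i$ and receives $\sigma_i$
• $A$ outputs $(m^*, \sigma^*)$
• $C_{\text{EUF-CMA}}$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1 \wedge m^* \notin \{m_1, \dots, m_q\}$?
$A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$ and $m^* \notin \{m_1, \dots, m_q\}$
Question: what stronger form of security is conceivable?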
Strong EUF-CMA (sEUF-CMA) experiment
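Experiment between challenger $C_{\text{sEUF-CMA}}$ and adversary $A$:
• $C_{\text{sEUF-CMA}}$ runs $(pk, sk) \leftarrow \mathsf{Gen}(1^k)$ and sends $pk$ to $A$
• $A$ makes $q$ queries: it sends $m_i$ and receives $\sigma_i$
• $A$ outputs $(m^*, \sigma^*)$
• $C_{\text{sEUF-CMA}}$ checks: $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1 \wedge (m^*, \sigma^*) \notin \{(m_1, \sigma_1), \dots, (m_q, \sigma_q)\}$?
$A$ wins iff $\mathsf{Vfy}(pk, m^*, \sigma^*) = 1$ and $(m^*, \sigma^*) \notin \{(m_1, \sigma_1), \dots, (m_q, \sigma_q)\}$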
Definition: sEUF-CMA
Def. 51 (sEUF-CMA): A signature scheme $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$ is sEUF-CMA secure iff for all PPT $A$,
$$\Pr\left[ A^{C_{\text{sEUF-CMA}}}(pk) = (m^*, \sigma^*) \;:\; \mathsf{Vfy}(pk, m^*, \sigma^*) = 1 \wedge (m^*, \sigma^*) \notin \{(m_1, \sigma_1), \dots, (m_q, \sigma_q)\} \right]$$
is negligible.
sEUF-CMA: applications
• $A$ can win even if $m^*$ has been signed before …
• … as long as $\sigma^*$ is fresh
• Mainly useful as component of more complex building blocks …
• … such as adaptively secure public-key encryption
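CH + EUF-CMA → sEUF-CMA (not in notes)
• Given: EUF-CMA secure $\Sigma' = (\mathsf{Gen}', \mathsf{Sign}', \mathsf{Vfy}')$
• Given: CHF $\mathsf{CH} = (\mathsf{Gen}_{\mathsf{CH}}, \mathsf{TrapColl}_{\mathsf{CH}})$
Construct sEUF-CMA secure $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vfy})$.
$\mathsf{Gen}(1^k)$:
• $(pk', sk') \leftarrow \mathsf{Gen}'(1^k)$
• $(ch_F, \tau_F) \leftarrow \mathsf{Gen}_{\mathsf{CH}}(1^k)$
• $(ch_H, \tau_H) \leftarrow \mathsf{Gen}_{\mathsf{CH}}(1^k)$
• $pk = (pk', ch_F, ch_H)$
• $sk = (sk', \tau_H)$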
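CH + EUF-CMA → sEUF-CMA (not in notes)
Let $m', \sigma'$ be arbitrary
$\mathsf{Sign}(sk, m)$: $sk = (sk', \tau_H)$
• $r_F \leftarrow R$, $r'_H \leftarrow R$
• $h := ch_H(m' \| \sigma', r'_H)$
• $\tilde{m} := ch_F(h, r_F)$
• $\tilde{\sigma} \leftarrow \mathsf{Sign}'(sk', \tilde{m})$
• $r_H \leftarrow \mathsf{TrapColl}_{\mathsf{CH}}(\tau_H, m' \| \sigma', r'_H, m \| \tilde{\sigma})$
• $\sigma := (\tilde{\sigma}, r_F, r_H)$
$\mathsf{Vfy}(pk, m, \sigma)$: $pk = (pk', ch_F, ch_H)$, $\sigma = (\tilde{\sigma}, r_F, r_H)$
• $h := ch_H(m \| \tilde{\sigma}, r_H)$
• $\tilde{m} := ch_F(h, r_F)$
• $\mathsf{Vfy}'(pk', \tilde{m}, \tilde{\sigma}) \stackrel{?}{=} 1$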
CH + EUF-CMA → sEUF-CMA (not in notes)
Theorem: Assume CH is collision-resistant, and $\Sigma'$ is EUF-CMA secure. Then $\Sigma$ is sEUF-CMA secure.
Proof idea: next slides.
(Slightly different from construction in lecture notes!)
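The construction above as runnable code, added here as an illustration and not part of the original slides. Assumptions: the chameleon hash is a discrete-log one, ch(m, r) = g^H(m) · key^r; Σ′ is a toy Schnorr scheme with an unchecked padding byte, so Σ′ on its own is malleable; `sign` also takes `pk` because it needs ch_F and ch_H; all function names and the group parameters are toy choices.

```python
import hashlib
import secrets

Q = 2**127 - 1  # Mersenne prime; P = k*Q + 1 found by a Fermat test (toy parameters, demo only)
P = next(n for n in range(2 * Q + 1, 10**6 * Q, 2 * Q)
         if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7)))
G = pow(2, (P - 1) // Q, P)  # G**Q = 2**(P-1) = 1 mod P, so G has order Q unless G == 1
assert G != 1

def hq(*parts):  # hash any tuple of values into Z_Q
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def rand():
    return secrets.randbelow(Q - 1) + 1

def gen_ch():  # GenCH: returns (evaluation key g^tau, trapdoor tau)
    tau = rand()
    return pow(G, tau, P), tau

def ch(key, msg, r):  # ch(msg, r) = g^hq(msg) * key^r
    return pow(G, hq(msg), P) * pow(key, r, P) % P

def trap_coll(tau, msg, r, msg2):  # r2 such that ch(msg, r) == ch(msg2, r2)
    return (r + (hq(msg) - hq(msg2)) * pow(tau, -1, Q)) % Q

def gen1():  # Gen' of Sigma': Schnorr key pair (g^x, x)
    x = rand()
    return pow(G, x, P), x

def sign1(sk1, m):
    k = rand()
    c = hq(pow(G, k, P), m)
    return (c, (k + c * sk1) % Q, secrets.randbits(8))

def vfy1(pk1, m, sig):
    c, s, _pad = sig  # pad is never checked: Sigma' signatures can be re-padded
    return c == hq(pow(G, s, P) * pow(pk1, -c, P) % P, m)

def gen():
    (pk1, sk1), (ch_f, _tau_f), (ch_h, tau_h) = gen1(), gen_ch(), gen_ch()
    return (pk1, ch_f, ch_h), (sk1, tau_h)

def sign(pk, sk, m, dummy=("m'", "sigma'")):
    (_pk1, ch_f, ch_h), (sk1, tau_h) = pk, sk
    r_f, r_h0 = rand(), rand()
    m_t = ch(ch_f, ch(ch_h, dummy, r_h0), r_f)     # h from the arbitrary dummy, then m~
    s_t = sign1(sk1, m_t)                          # sigma~ on m~
    r_h = trap_coll(tau_h, dummy, r_h0, (m, s_t))  # remap preimage of h to m || sigma~
    return (s_t, r_f, r_h)

def vfy(pk, m, sig):
    (pk1, ch_f, ch_h), (s_t, r_f, r_h) = pk, sig
    h = ch(ch_h, (m, s_t), r_h)
    return vfy1(pk1, ch(ch_f, h, r_f), s_t)
```

Flipping the padding byte gives a second valid Σ′ signature on the same m̃, but inside Σ it changes m‖σ̃, hence h and m̃, so `vfy` rejects the modified signature.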
CH + EUF-CMA → sEUF-CMA (not in notes)
• Signatures (different order in tuple): $\sigma = (\tilde{\sigma}, r_H, r_F)$
[Figure: $m$ and $\sigma$ feed into $h$, $h$ into $\tilde{m}$, and $\tilde{m}$ into $\mathsf{Vfy}'$, which outputs 0/1]
• Note: two ways to break circularity
  – start with $h$, then remap preimage of $h$ to $m \| \mathsf{Sign}'(sk', \tilde{m})$ using $\tau_H$ (this is what Sign does)
  – start with $\tilde{m}$, then remap preimage of $\tilde{m}$ to $h$ using $\tau_F$
CH + EUF-CMA → sEUF-CMA (not in notes)
• If we could rely on both CHFs being collision-resistant: “same $\tilde{m}$” ⇒ “same $h, r_F$” ⇒ “same $m, \tilde{\sigma}, r_H$”
• … so “same $\tilde{m}$” ⇒ “same $(m, \sigma)$”
CH + EUF-CMA → sEUF-CMA (not in notes)
• So if both CHFs are CR, we have “same $\tilde{m}$” ⇒ “same $(m, \sigma)$”
• We can assume that forgery contains fresh $(m^*, \sigma^*)$
• Case $E_0$: “forgery contains reused $\tilde{m}^* = \tilde{m}_i$” → reduce to CHF-CR
• Case $E_1$: “forgery contains fresh $\tilde{m}^*$” → reduce to EUF-CMA
• Problem: how can we rely on collision-resistance of both CHFs when $\tau_H$ (or $\tau_F$) necessary to sign?
• Solution: during reduction to CR, guess which CHF is broken first, use trapdoor of other CHF to sign
Transformations: overview (not in notes)
[Figure: diagram relating the security notions EUF-1-naCMA, EUF-naCMA, EUF-CMA, sEUF-CMA and SUF-naCMA (selective UF-naCMA); labels in the figure: “CH”, “not discussed”]
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• … and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about sEUF-CMA starts now!
Pairings
Definition 78 (Pairings): Let $G_1, G_2, G_T$ be groups of prime order $p$. A pairing is a map
$$e : G_1 \times G_2 \to G_T$$
with the following properties:
1) Bilinearity: $\forall g_1, g'_1 \in G_1,\ g_2, g'_2 \in G_2$:
$$e(g_1 \cdot g'_1, g_2) = e(g_1, g_2) \cdot e(g'_1, g_2)$$
$$e(g_1, g_2 \cdot g'_2) = e(g_1, g_2) \cdot e(g_1, g'_2)$$
$\Rightarrow e(g_1^a, g_2) = e(g_1, g_2)^a = e(g_1, g_2^a)$ enables one multiplication in the exponent.
Pairings
2) Non-degeneracy: for all generators $g_1 \in G_1$, $g_2 \in G_2$:
$$e(g_1, g_2) \text{ generates } G_T \quad \left( \overset{|G_T|\ \text{prime}}{\Longleftrightarrow}\ e(g_1, g_2) \neq 1 \right)$$
3) $e$ efficiently computable
Note: there are also pairings over groups of non-prime order.
Pairing: remarks
• $G_1, G_2$ often elliptic curves (“source groups”)
• $G_T \subseteq \mathbb{F}_Q$ (“target group”)
Original (cryptographic) application:
• Cryptanalysis
• Example: assuming DLog easier in $G_T$ than in $G_i$, then $e$ helps to “lift/push” DLog problem from $G_i$ to $G_T$
  – given $g_1^x \in G_1$, find $x$
  – compute $e(g_1^x, g_2) = e(g_1, g_2)^x$, and then DLog of $e(g_1, g_2)^x$ in $G_T$
• Some assumptions (like DDH) do not hold in $G_1$ if $G_1 = G_2$
Types of Pairings
Type 1: $G_1 = G_2$, “symmetric pairing” $e : G \times G \to G_T$
Type 2: $G_1 \neq G_2$, “asymmetric pairing”. There is an efficient nontrivial homomorphism $\psi : G_2 \to G_1$
Type 3: $G_1 \neq G_2$, “asymmetric pairing”. There is no efficient nontrivial homomorphism $\psi : G_2 \to G_1$
Note: here, we mainly consider type-1 pairings
Pairings: research
• Pairings already very powerful (we will see examples)
• Multilinear maps (for more source groups) would be even more powerful
• 2012: Garg, Gentry, Halevi “Candidate Multilinear Maps from Ideal Lattices and Applications”
• Since then many MLM candidates, attacks, improvements, applications …
Joux’s 3-party key exchange
• Like Diffie-Hellman key exchange, but for 3 parties A, B, C
• That means A, B, C end up with common shared key
• $e : G \times G \to G_T$, $g$ generates $G$, $|G| = |G_T| = p$ prime
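Joux’s 3-party key exchange
[Figure: message flow between the three parties A, B and C]
• A: $a \leftarrow \mathbb{Z}_p$, sends $g^a$ to B and C
• B: $b \leftarrow \mathbb{Z}_p$, sends $g^b$ to A and C
• C: $c \leftarrow \mathbb{Z}_p$, sends $g^c$ to A and B
• A holds $g^b, g^c$ and computes $k = e(g^b, g^c)^a = e(g, g)^{abc}$
• B holds $g^a, g^c$ and computes $k = e(g^a, g^c)^b = e(g, g)^{abc}$
• C holds $g^a, g^b$ and computes $k = e(g^a, g^b)^c = e(g, g)^{abc}$
• Shared key is $k = e(g, g)^{abc}$
• Order of exchanged messages does not matter
• (Multilinear map → more parties)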
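Joux's exchange and the earlier remark that DDH does not hold when G1 = G2, as an added example that is not part of the original slides. The type-1 pairing is only simulated: source-group elements store their own exponent, so this mock is insecure by construction and serves to show the message flow and the algebra; all names and the toy parameters are assumptions.

```python
import secrets

p = 1019        # toy group order |G| = |GT| = p (prime), as on the slide
MOD = 2039      # GT is the order-p subgroup of Z_MOD^* (MOD = 2p + 1 is prime)
GT_GEN = 4      # plays the role of e(g, g)

class G:
    """Source-group element g^x, simulated by storing x itself (insecure mock)."""
    def __init__(self, x):
        self.x = x % p
    def __pow__(self, a):
        return G(self.x * a)
    def __eq__(self, other):
        return self.x == other.x

g = G(1)

def e(u, v):
    """Mock symmetric pairing: e(g^x, g^y) = e(g, g)^(x*y) in GT."""
    return pow(GT_GEN, u.x * v.x % p, MOD)

def joux():
    """One protocol run: returns the three broadcasts and each party's key."""
    a, b, c = (secrets.randbelow(p - 1) + 1 for _ in range(3))
    msg_a, msg_b, msg_c = g**a, g**b, g**c    # one broadcast per party, any order
    k_a = pow(e(msg_b, msg_c), a, MOD)        # A: e(g^b, g^c)^a
    k_b = pow(e(msg_a, msg_c), b, MOD)        # B: e(g^a, g^c)^b
    k_c = pow(e(msg_a, msg_b), c, MOD)        # C: e(g^a, g^b)^c
    return (msg_a, msg_b, msg_c), (k_a, k_b, k_c)

def is_ddh_tuple(x_el, y_el, z_el):
    """True iff z = g^(xy) for x_el = g^x, y_el = g^y: one pairing equation decides DDH."""
    return e(x_el, y_el) == e(g, z_el)
```

An observer of the three broadcasts can compute e(g^a, g^b) = e(g, g)^{ab} with the public pairing, but raising it to c needs one of the secret exponents; with a real pairing that gap is what the key's secrecy rests on.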
Socrative
Self-checking with quizzes
• Use following URL: https://b.socrative.com/login/student
• … and enter room “HOFHEINZ8872”
• Will also be in chat (so you can click on link)
• No registration necessary
• Quiz about pairings starts now!