
Signature scheme based on the root extraction problem over braid groups

Signature scheme based on the root extraction problem over braid groups. B.C. Wang, Y.P. Hu, IET Information Security 2009, Vol 3, Iss 2, pp. 53-59. Outline: Introduction, Preliminaries, The proposed signature scheme, Performance and parameter specification, Security analysis, Conclusion.







  1. Signature scheme based on the root extraction problem over braid groups B.C. Wang, Y.P. Hu IET Information security 2009, Vol 3, Iss 2, pp. 53-59

  2. Outline • Introduction • Preliminaries • The proposed signature scheme • Performance and parameter specification • Security analysis • Conclusion

  3. Introduction • Artin's braid group • Infinite non-commutative group • Word problem is solvable • RP and CSP are intractable over braid groups • CSP has at least exponential computational complexity in the worst case • Braid-based cryptography has been a hot topic

  4. Introduction • Anshel et al. 1999 - 2003 • The commutator key agreement protocol • Generalised and axiomatised • Ko et al. 2000 • The key exchange protocol • PKC based on the computational DHCP

  5. Introduction • Cha et al. 2001 • The cryptosystem can be modified to be based on the DP • Ko et al. 2002 • The signature scheme based on the k-simultaneous CSP • Dehornoy • The authentication protocol based on the shifted CP • Others • The authentication protocol based on the RP

  6. Introduction • Hughes and Myasnikov et al. • The k-simultaneous CSP always gives the attacker sufficient information about the common conjugator braid • The Burau representation • Sufficiently many equations derived from the k-simultaneous CSP allow the attacker to lift the Burau matrix representation back to the Artin form

  7. Introduction • Linear algebraic problem • Diffie-Hellman type problem • DP • Shifted CSP • Some authors even announced the death of the subject • It is hoped that a cryptographic algorithm constructed on the RP would be more secure

  8. Introduction • Two reasons explain the insecurity of previous braid PKC algorithms • The security of these schemes is not tightly related to the underlying intractable problem • The public keys of some schemes reveal too much information about the construction of the cryptographic algorithm • The attacker can obtain many equations relating the public and secret keys

  9. Outline • Introduction • Preliminaries • The proposed signature scheme • Performance and parameter specification • Security analysis • Conclusion

  10. Preliminaries • Let len(u) = p, len(v) = q • Computing the LCF of uv costs O(pq n log n) • Computing the inverse u^{-1} of u costs O(pn) • 0 ≦ len(uv) ≦ p + q • len(u) ≈ len(u^{-1})

  11. Preliminaries • Conjugacy search problem, CSP • Given conjugate braids x ~ y, find a conjugator z s.t. y = z x z^{-1} • Root problem, RP • Given y ∈ Bn and an integer e ≧ 2 with y = x^e for some unknown braid x, find x

  12. Outline • Introduction • Preliminaries • The proposed signature scheme • Performance and parameter specification • Security analysis • Conclusion

  13. The proposed signature scheme • n : braid index • e : integer, e ≧ 2 • H : a collision-free one-way hash function • H : {0, 1}^* → {0, 1}^k

  14. The proposed signature scheme • Key generation • Randomly choose k + 1 non-trivial braids b1, …, bk, r ∈ Bn such that bi and bj commute for all i, j = 1, …, k. • Compute ai = r bi^e r^{-1}, i = 1, …, k • The public key is (a1, …, ak) • The secret key is (b1, …, bk, r)

  15. The proposed signature scheme • Signing a message • To sign a given message m, Alice randomly chooses a braid s ∈ Bn. • She calculates • The signature for the message m is (u, t)

  16. The proposed signature scheme • Verification • Bob computes • Verifies the equation • If the equation holds, he accepts (u, t) as a valid signature for m. Otherwise, he rejects it.

  17. The proposed signature scheme • Verification

  18. Outline • Introduction • Preliminaries • The proposed signature scheme • Performance and parameter specification • Security analysis • Conclusion

  19. Performance and parameter specification • Parameter specifications • How to find commuting braids bi and bj, i, j = 1, …, k. • Randomly choose commuting braids c1, …, cs, where s << k, e.g. s ≈ k / 10. • Randomly choose k s-dimensional vectors v1, …, vk, where vi = (vi1, …, vis), i = 1, …, k, and the vij are small integers. • Computing the bi from these, we have k commuting braids b1, …, bk.

  20. Performance and parameter specification • Parameter specifications • The ci lie in the subgroup <σj1, …, σjl> ⊂ Bn, whose generator indices satisfy |ju - jv| ≧ 2 for all ju ≠ jv. • The subgroup <σj1, …, σjl> is then a commutative group.

  21. Performance and parameter specification • Suggested parameters • n = 90, e = 2, k = 80, s = k / 10 = 8, len(ci) = 2 • vi = <vi1, …, vis> ∈ {0, 1}^8, and 1 ≦ vi1 + … + vis ≦ 3 • bi has 8 + 28 + 56 = 92 > 80 choices • len(bi) ≦ 3 len(ci) = 6 • len(r) = 8, len(s) = 8 • len(ai) = len(r) + e × len(bi) + len(r^{-1}) = 28 • The public key size = 80 × 28 = 2240 bits • The secret key size = k × len(bi) + len(r) = 488 bits
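The key-generation construction of slides 14, 19, 20 and 21 (commuting braids drawn from a subgroup of pairwise distant generators, bi built as products of the cj, ai = r bi^e r^{-1}, and the count of admissible exponent vectors) can be exercised on a toy instance. The Python below is an added example, not code from the paper or the slides. Braids are represented as automorphisms of the free group (Artin's representation, which is faithful), so braid equality and therefore commutation can be decided exactly; the parameters (B_6, e = 2, three cj in <σ1, σ3, σ5>, r = σ2σ4) are constructed here and are far smaller than the suggested n = 90, k = 80.

```python
from math import comb
from typing import Dict, List, Tuple

# Free-group word: +k stands for x_k, -k for x_k^{-1}.  A braid word uses the same
# convention for the Artin generators: +i is sigma_i, -i is sigma_i^{-1}.
Word = List[int]
Auto = Tuple[Tuple[int, ...], ...]   # images of x_1..x_n under an automorphism


def reduce_word(w: Word) -> Word:
    """Freely reduce a word by cancelling adjacent inverse pairs."""
    out: Word = []
    for g in w:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out


def inverse_word(w: Word) -> Word:
    """Inverse of a free-group word or of a braid word (same rule)."""
    return [-g for g in reversed(w)]


def generator_action(i: int, n: int) -> Dict[int, Word]:
    """Artin action of sigma_i^{+-1} on the free generators x_1..x_n."""
    k = abs(i)
    img = {j: [j] for j in range(1, n + 1)}
    if i > 0:
        img[k] = [k, k + 1, -k]            # x_k     -> x_k x_{k+1} x_k^{-1}
        img[k + 1] = [k]                   # x_{k+1} -> x_k
    else:
        img[k] = [k + 1]                   # x_k     -> x_{k+1}
        img[k + 1] = [-(k + 1), k, k + 1]  # x_{k+1} -> x_{k+1}^{-1} x_k x_{k+1}
    return img


def substitute(img: Dict[int, Word], w: Word) -> Word:
    """Apply an automorphism (given by its generator images) to a word."""
    out: Word = []
    for g in w:
        out.extend(img[g] if g > 0 else inverse_word(img[-g]))
    return reduce_word(out)


def braid_auto(word: Word, n: int) -> Auto:
    """Image of a braid word in Aut(F_n).  The rightmost letter acts first, so the
    map is a group homomorphism; by Artin's theorem it is injective."""
    images = {j: [j] for j in range(1, n + 1)}
    for g in reversed(word):
        rho = generator_action(g, n)
        images = {j: substitute(rho, images[j]) for j in images}
    return tuple(tuple(images[j]) for j in range(1, n + 1))


def braids_equal(a: Word, b: Word, n: int) -> bool:
    """Word problem in B_n: two words are the same braid iff their automorphisms agree."""
    return braid_auto(a, n) == braid_auto(b, n)


def commute(a: Word, b: Word, n: int) -> bool:
    return braids_equal(a + b, b + a, n)


def keygen(c: List[Word], vectors: List[List[int]], r: Word, e: int):
    """Slides 14 and 19: b_i = prod_j c_j^{v_ij} (commuting because the c_j do),
    public key a_i = r b_i^e r^{-1}, secret key (b_1..b_k, r)."""
    b = [sum((c[j] * v[j] for j in range(len(c))), []) for v in vectors]
    a = [r + bi * e + inverse_word(r) for bi in b]
    return b, a


def count_exponent_vectors(s: int, max_weight: int) -> int:
    """Slide 21: 0/1 vectors of length s with weight between 1 and max_weight."""
    return sum(comb(s, w) for w in range(1, max_weight + 1))


# Constructed toy parameters (assumed here, not from the paper): B_6, e = 2,
# c_j in the abelian subgroup <sigma_1, sigma_3, sigma_5> (indices |j_u - j_v| >= 2).
N, E = 6, 2
C = [[1, 3], [3, 5], [5, -1]]
VECTORS = [[1, 0, 0], [0, 1, 1], [1, 1, 1]]
R = [2, 4]
B, A = keygen(C, VECTORS, R, E)


def sanity_checks() -> Dict[str, bool]:
    k = len(B)
    return {
        "braid relation": braids_equal([1, 2, 1], [2, 1, 2], N),
        "sigma_1 sigma_3 commute": commute([1], [3], N),
        "sigma_1 sigma_2 commute": commute([1], [2], N),
        "all b_i commute": all(commute(B[i], B[j], N) for i in range(k) for j in range(k)),
        "all a_i commute": all(commute(A[i], A[j], N) for i in range(k) for j in range(k)),
        "r^-1 a_1 r = b_1^e": braids_equal(inverse_word(R) + A[0] + R, B[0] * E, N),
        "a_1 = b_1^e": braids_equal(A[0], B[0] * E, N),
    }


if __name__ == "__main__":
    for name, ok in sanity_checks().items():
        print(f"{name:28s} {ok}")
    print("admissible v_i for s = 8, weight 1..3:", count_exponent_vectors(8, 3))
```

The free-group action is used only because it decides the word problem exactly for a small n; it is not the paper's method, and the Burau representation named on slides 6 and 24 is the attacker's lifting tool rather than a decision procedure. The signing and verification formulas are absent from the transcript, so they are not implemented; the checks show the structural facts the construction relies on: the bi commute, hence the public ai commute pairwise as well, the key holder can recover bi^e from ai with r, and the count of admissible vi for s = 8 is 8 + 28 + 56 = 92.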

  22. Performance and parameter specification • Computational complexity and comparison • One 1024-bit RSA modular multiplication = 2.1 × 10^6 bit operations • Total computational cost to sign a message = 6.2 × 10^6 ≈ 3 1024-bit RSA modular multiplications • The verifier needs 3.7 × 10^7 ≈ 17 1024-bit RSA modular multiplications

  23. Outline • Introduction • Preliminaries • The proposed signature scheme • Performance and parameter specification • Security analysis • Conclusion

  24. Security analysis • Key recovery attack • The attacker cannot lift the Burau matrix representation back to Artin braids. • The attacker cannot learn the secret key from the public key.

  25. Security analysis • On forging a signature • For a given message m, an attacker can forge a valid signature (u, t) iff he can extract the e-th root of the braid v ∈ Bn • On extracting the e-th root • The attacker cannot use knowledge of the signature to solve the RP.

  26. Security analysis • Security comparison and remarks

  27. Outline • Introduction • Preliminaries • The proposed signature scheme • Performance and parameter specification • Security analysis • Conclusion

  28. Conclusions • A detailed account of the rise and fall of braid groups • The shortcomings of previous work are pointed out • Loosely dependent on the hard problem • Public key leaks too much information • A simple proof approach is presented
