Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Similar documents
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Hidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith

ON THE IMPLEMENTATION OF COMPOSITE-ORDER BILINEAR GROUPS IN CRYPTOGRAPHIC PROTOCOLS SEVERIANO K. SISNEROS THESIS

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Keywords Homomorphic encryption, pairing-based cryptography, elliptic curves, low depth circuits.

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

A Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University

Public Key Cryptography

Introduction to Cryptography. Lecture 8

On the (Im)possibility of Projecting Property in Prime-Order Setting

Notes for Lecture 17

FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD

Instantiating the Dual System Encryption Methodology in Bilinear Groups

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Discrete logarithm and related schemes

8 Elliptic Curve Cryptography

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lossy Trapdoor Functions and Their Applications

Post-quantum security models for authenticated encryption

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

A Profitable Sub-Prime Loan: Obtaining the Advantages of Composite Order in Prime-Order Bilinear Groups

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Advanced Cryptography 03/06/2007. Lecture 8

El Gamal A DDH based encryption scheme. Table of contents

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

How to Shuffle in Public

Efficient Identity-based Encryption Without Random Oracles

Introduction to Elliptic Curve Cryptography

CPSC 467: Cryptography and Computer Security

Fully Homomorphic Encryption and Bootstrapping

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Gentry s SWHE Scheme

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CPSC 467b: Cryptography and Computer Security

Public-Key Encryption: ElGamal, RSA, Rabin

Constructing Families of Pairing-Friendly Elliptic Curves

5.4 ElGamal - definition

4-3 A Survey on Oblivious Transfer Protocols

Essam Ghadafi CT-RSA 2016

Lecture Notes, Week 6

Lattice-Based Non-Interactive Arugment Systems

Decentralized Evaluation of Quadratic Polynomials on Encrypted Data

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

The Elliptic Curve in https

CS 395T. Probabilistic Polynomial-Time Calculus

ASYMMETRIC ENCRYPTION

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Advanced Topics in Cryptography

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

On the complexity of computing discrete logarithms in the field F

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Introduction to Cybersecurity Cryptography (Part 4)

Elliptic Curve Cryptography

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Isogenies in a quantum world

CPSC 467b: Cryptography and Computer Security

Introduction to Cybersecurity Cryptography (Part 4)

Open problems in lattice-based cryptography

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

An Introduction to Pairings in Cryptography

Mathematics of Cryptography

Short Exponent Diffie-Hellman Problems

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

1 Number Theory Basics

Efficient and Secure Delegation of Linear Algebra

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Non-interactive Zaps and New Techniques for NIZK

Lecture 7: ElGamal and Discrete Logarithms

Cryptography IV: Asymmetric Ciphers

Optimised versions of the Ate and Twisted Ate Pairings

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Identity Based Encryption

Multikey Homomorphic Encryption from NTRU

G Advanced Cryptography April 10th, Lecture 11

Leakage Resilient ElGamal Encryption

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

Public Key Cryptography

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Transcription:

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 1 / 14

Composite-order bilinear groups Background Composite-order bilinear groups: What are they? Cyclic groups G, G t of order N = p 1 p r ; Nondegenerate, bilinear pairing e : G G G t ; Useful for crypto if (some version of) the subgroup decision assumption holds in G: {x R G : ord(x) < N} and {x R G} computationally indistinguishable. In particular, factoring N must be infeasible. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 2 / 14

Composite-order bilinear groups Background Composite-order bilinear groups: What are they good for? Used in recent years to solve many cryptographic problems: Somewhat homomorphic encryption [BGN05] Traitor tracing [BSW06] Ring and group signatures [BW07, SW07] NIZK proof systems [GOS06, GS08] Attribute-based encryption [KSW08, LOSTW10] Fully secure HIBE [W09, LW10] David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 3 / 14

Composite-order bilinear groups Background Composite-order bilinear groups: Some drawbacks Groups are instantiated using supersingular elliptic curves E over finite fields F q, q 1 (mod N) prime. Groups are very large: N 2 1024 to prevent factoring attack. Pairings are very slow [Scott]. usual pairing-based crypto: (prime-order MNT curve) composite-order groups: (supersingular curve) G E(F q ) 160 bits G t F q 1024 bits 6 3 ms pairing G E(F q ) 1024 bits G t F q 2048 bits 2 150 ms pairing Conclusion: using composite-order elliptic curves negates many advantages of elliptic curve crypto. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 4 / 14

Composite-order bilinear groups Our contribution Our goal: Obtain functionality of composite-order group cryptosystems using infrastructure of prime-order bilinear groups: small group sizes fast pairing well studied assumptions Want a general conversion method. Previous solutions [IP08, W09, LW10] ad-hoc (or at least opaque). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 5 / 14

Composite-order bilinear groups Our contribution Our contribution Abstract framework that captures the cryptographic properties of composite-order bilinear groups. Instantiations of groups with these properties using prime-order bilinear groups. Method for converting cryptosystems from composite-order groups to prime-order groups. Not a black-box compiler; proofs need to be checked (fails for [LW10]). Conversion of 1 Somewhat homomorphic encryption [BGN05]; 2 Traitor tracing [BSW06]; 3 Attribute-based encryption [KSW08]. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 6 / 14

A generalized framework Subgroup decision problems Generalizing the subgroup decision assumption Generalized subgroup decision problem: 5 groups G 1 G, H 1 H, G t nondegenerate bilinear map e : G H G t (asymmetric) distinguish {x R G 1 } from {x R G} or distinguish {y R H 1 } from {y R H}. If both problems computationally infeasible, then generalized subgroup decision assumption holds for (G, G 1, H, H 1, G t, e). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 7 / 14

A generalized framework Subgroup decision problems A key observation [CS03, G04] DDH is a subgroup decision problem! Given group G 1 of order p, define G := G 1 G 1. G 1 := random linear subgroup (g, g x ). Then (g y, g z ) G 1 z = xy (mod p). Extend to the (asymmetric) pairing setting: If ê : G 1 G 2 G t is a pairing, define H := G 2 G 2. H 1 := random linear subgroup (h, h x ). Define e : G H G t = G t by e((g, g ), (h, h )) := ê(g, h) a ê(g, h ) b ê(g, h) c ê(g, h ) d. Can define pairing into G t = G m t componentwise. Theorem If DDH assumption holds in G 1 and G 2, then generalized subgroup decision assumption holds for (G, G 1, H, H 1, G t, e). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 8 / 14

A generalized framework Subgroup decision problems A key observation [CS03, G04] DDH is a subgroup decision problem! Given group G 1 of order p, define G := G 1 G 1. G 1 := random linear subgroup (g, g x ). Then (g y, g z ) G 1 z = xy (mod p). Extend to the (asymmetric) pairing setting: If ê : G 1 G 2 G t is a pairing, define H := G 2 G 2. H 1 := random linear subgroup (h, h x ). Define e : G H G t = G t by e((g, g ), (h, h )) := ê(g, h) a ê(g, h ) b ê(g, h) c ê(g, h ) d. Can define pairing into G t = G m t componentwise. Theorem If DDH assumption holds in G 1 and G 2, then generalized subgroup decision assumption holds for (G, G 1, H, H 1, G t, e). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 8 / 14

A generalized framework Subgroup decision problems A key observation [CS03, G04] DDH is a subgroup decision problem! Given group G 1 of order p, define G := G 1 G 1. G 1 := random linear subgroup (g, g x ). Then (g y, g z ) G 1 z = xy (mod p). Extend to the (asymmetric) pairing setting: If ê : G 1 G 2 G t is a pairing, define H := G 2 G 2. H 1 := random linear subgroup (h, h x ). Define e : G H G t = G t by e((g, g ), (h, h )) := ê(g, h) a ê(g, h ) b ê(g, h) c ê(g, h ) d. Can define pairing into G t = G m t componentwise. Theorem If DDH assumption holds in G 1 and G 2, then generalized subgroup decision assumption holds for (G, G 1, H, H 1, G t, e). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 8 / 14

A generalized framework Subgroup decision problems But wait... Isn t DDH easy in groups with a pairing? 1 Not necessarily: DDH believed to be hard on ordinary pairing-friendly elliptic curves when G 1 is the base field subgroup, G 2 is the trace-zero subgroup. Pairing is asymmetric (no efficient maps G 1 G 2 ). Also called SXDH assumption. 2 Yes, if G 1 = G 2... But the k-linear assumption may still hold! (with k 2) k-linear assumption [HK07, S07] generalizes DDH (is DDH when k = 1), may hold in groups with k-linear map. Generalize DDH construction: G = H = G k+1 1, G 1 = H 1 = random k-dimensional subgroup. k-linear assumption subgroup decision assumption. Solution (2) is less efficient: G is larger (more copies of G 1 ) and not suited to high security levels (bounded embedding degree for symmetric pairings). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 9 / 14

A generalized framework Subgroup decision problems But wait... Isn t DDH easy in groups with a pairing? 1 Not necessarily: DDH believed to be hard on ordinary pairing-friendly elliptic curves when G 1 is the base field subgroup, G 2 is the trace-zero subgroup. Pairing is asymmetric (no efficient maps G 1 G 2 ). Also called SXDH assumption. 2 Yes, if G 1 = G 2... But the k-linear assumption may still hold! (with k 2) k-linear assumption [HK07, S07] generalizes DDH (is DDH when k = 1), may hold in groups with k-linear map. Generalize DDH construction: G = H = G k+1 1, G 1 = H 1 = random k-dimensional subgroup. k-linear assumption subgroup decision assumption. Solution (2) is less efficient: G is larger (more copies of G 1 ) and not suited to high security levels (bounded embedding degree for symmetric pairings). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 9 / 14

A generalized framework Subgroup decision problems But wait... Isn t DDH easy in groups with a pairing? 1 Not necessarily: DDH believed to be hard on ordinary pairing-friendly elliptic curves when G 1 is the base field subgroup, G 2 is the trace-zero subgroup. Pairing is asymmetric (no efficient maps G 1 G 2 ). Also called SXDH assumption. 2 Yes, if G 1 = G 2... But the k-linear assumption may still hold! (with k 2) k-linear assumption [HK07, S07] generalizes DDH (is DDH when k = 1), may hold in groups with k-linear map. Generalize DDH construction: G = H = G k+1 1, G 1 = H 1 = random k-dimensional subgroup. k-linear assumption subgroup decision assumption. Solution (2) is less efficient: G is larger (more copies of G 1 ) and not suited to high security levels (bounded embedding degree for symmetric pairings). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 9 / 14

A generalized framework Subgroup decision problems But wait... Isn t DDH easy in groups with a pairing? 1 Not necessarily: DDH believed to be hard on ordinary pairing-friendly elliptic curves when G 1 is the base field subgroup, G 2 is the trace-zero subgroup. Pairing is asymmetric (no efficient maps G 1 G 2 ). Also called SXDH assumption. 2 Yes, if G 1 = G 2... But the k-linear assumption may still hold! (with k 2) k-linear assumption [HK07, S07] generalizes DDH (is DDH when k = 1), may hold in groups with k-linear map. Generalize DDH construction: G = H = G k+1 1, G 1 = H 1 = random k-dimensional subgroup. k-linear assumption subgroup decision assumption. Solution (2) is less efficient: G is larger (more copies of G 1 ) and not suited to high security levels (bounded embedding degree for symmetric pairings). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 9 / 14

A generalized framework Types of pairings What about the pairing? Can t use just any pairing e on product groups G and H cryptosystems require certain properties for correctness. 1 Projecting pairing: maps: π 1 : G G, π 2 : H H, π t : G t G t kernels: G 1 ker π 1, H 1 ker π 2, G t ker π t pairing: e(π 1 (g), π 2 (h)) = π t (e(g, h)) 2 Cancelling pairing: groups: G = G 1 G r, H = H 1 H r pairing: e(g i, H j ) = 1 for i j. In systems: use G 1 to blind elements of G; remove blinding by applying π 1 (projecting) or pairing with elements of H 2 (cancelling). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 10 / 14

A generalized framework Types of pairings What about the pairing? Can t use just any pairing e on product groups G and H cryptosystems require certain properties for correctness. 1 Projecting pairing: maps: π 1 : G G, π 2 : H H, π t : G t G t kernels: G 1 ker π 1, H 1 ker π 2, G t ker π t pairing: e(π 1 (g), π 2 (h)) = π t (e(g, h)) 2 Cancelling pairing: groups: G = G 1 G r, H = H 1 H r pairing: e(g i, H j ) = 1 for i j. In systems: use G 1 to blind elements of G; remove blinding by applying π 1 (projecting) or pairing with elements of H 2 (cancelling). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 10 / 14

A generalized framework Types of pairings What about the pairing? Can t use just any pairing e on product groups G and H cryptosystems require certain properties for correctness. 1 Projecting pairing: maps: π 1 : G G, π 2 : H H, π t : G t G t kernels: G 1 ker π 1, H 1 ker π 2, G t ker π t pairing: e(π 1 (g), π 2 (h)) = π t (e(g, h)) 2 Cancelling pairing: groups: G = G 1 G r, H = H 1 H r pairing: e(g i, H j ) = 1 for i j. In systems: use G 1 to blind elements of G; remove blinding by applying π 1 (projecting) or pairing with elements of H 2 (cancelling). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 10 / 14

A generalized framework Types of pairings What about the pairing? Can t use just any pairing e on product groups G and H cryptosystems require certain properties for correctness. 1 Projecting pairing: maps: π 1 : G G, π 2 : H H, π t : G t G t kernels: G 1 ker π 1, H 1 ker π 2, G t ker π t pairing: e(π 1 (g), π 2 (h)) = π t (e(g, h)) 2 Cancelling pairing: groups: G = G 1 G r, H = H 1 H r pairing: e(g i, H j ) = 1 for i j. In systems: use G 1 to blind elements of G; remove blinding by applying π 1 (projecting) or pairing with elements of H 2 (cancelling). David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 10 / 14

A generalized framework Types of pairings Projecting and cancelling pairings on product groups View group elements as vectors g v = (g v 1, g v 2 ). Do linear algebra in the exponent. 1 Projecting pairing takes tensor product of vectors: Define e : G H G t := G 4 t to be vector of all 4 componentwise pairings ê on G 1 G 2. π 1, π 2, π t do linear projection in the exponent (details in paper). 2 Cancelling pairing takes dot product of vectors: Define e so that e(g v, h w ) = ê(g, h) v w. Define subgroups using orthogonal vectors: G 1 = g v, G 2 = g w, H 1 = h v, H 2 = h w with v w = w v = 0. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 11 / 14

A generalized framework Types of pairings Projecting and cancelling pairings on product groups View group elements as vectors g v = (g v 1, g v 2 ). Do linear algebra in the exponent. 1 Projecting pairing takes tensor product of vectors: Define e : G H G t := G 4 t to be vector of all 4 componentwise pairings ê on G 1 G 2. π 1, π 2, π t do linear projection in the exponent (details in paper). 2 Cancelling pairing takes dot product of vectors: Define e so that e(g v, h w ) = ê(g, h) v w. Define subgroups using orthogonal vectors: G 1 = g v, G 2 = g w, H 1 = h v, H 2 = h w with v w = w v = 0. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 11 / 14

A generalized framework Types of pairings Projecting and cancelling pairings on product groups View group elements as vectors g v = (g v 1, g v 2 ). Do linear algebra in the exponent. 1 Projecting pairing takes tensor product of vectors: Define e : G H G t := G 4 t to be vector of all 4 componentwise pairings ê on G 1 G 2. π 1, π 2, π t do linear projection in the exponent (details in paper). 2 Cancelling pairing takes dot product of vectors: Define e so that e(g v, h w ) = ê(g, h) v w. Define subgroups using orthogonal vectors: G 1 = g v, G 2 = g w, H 1 = h v, H 2 = h w with v w = w v = 0. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 11 / 14

The conversion process Our framework How to convert a composite-order cryptosystem to prime-order groups 1 Write the system using our abstract group framework, with appropriate type of pairing. Transfer to asymmetric groups for greatest generality. 2 Translate security assumption to general framework. Check the security proof! 3 Instantiate system and assumption using groups G, H constructed from G 1, G 2. e.g. generalized subgroup decision assumption instantiated as DDH. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 12 / 14

The conversion process An example Instantiating BGN Encryption in DDH groups G 1, G 2 : PK: G = G 2 1, G 1 = (g, g x ), ĝ = (g y, g z ), + similar in H = G 2 2. SK: x, y, z + analogues for H. Encryption in G: encode msg using ĝ, blind with random elt of G 1. Enc(m): r R F p ; C = (g y, g z ) m (g, g x ) r = (g ym+r, g zm+xr ) Encryption in H similar. Add by multiplying ciphertexts; multiply once by pairing ciphertexts. Use projecting pairing e (vector of 4 pairings). Decryption in G: 1 Compute π 1 (C) = (g ym+r ) x (g zm+xr ) 1 = (g xy z ) m. 2 Take discrete log base π 1 (ĝ) = g xy z (requires small message space). Decryption in H similar; decryption in G t = G 4 t more complicated. DDH in G 1, G 2 subgp decision in (G, G 1, H, H 1, e) semantic security. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 13 / 14

The conversion process An example Instantiating BGN Encryption in DDH groups G 1, G 2 : PK: G = G 2 1, G 1 = (g, g x ), ĝ = (g y, g z ), + similar in H = G 2 2. SK: x, y, z + analogues for H. Encryption in G: encode msg using ĝ, blind with random elt of G 1. Enc(m): r R F p ; C = (g y, g z ) m (g, g x ) r = (g ym+r, g zm+xr ) Encryption in H similar. Add by multiplying ciphertexts; multiply once by pairing ciphertexts. Use projecting pairing e (vector of 4 pairings). Decryption in G: 1 Compute π 1 (C) = (g ym+r ) x (g zm+xr ) 1 = (g xy z ) m. 2 Take discrete log base π 1 (ĝ) = g xy z (requires small message space). Decryption in H similar; decryption in G t = G 4 t more complicated. DDH in G 1, G 2 subgp decision in (G, G 1, H, H 1, e) semantic security. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 13 / 14

The conversion process An example Instantiating BGN Encryption in DDH groups G 1, G 2 : PK: G = G 2 1, G 1 = (g, g x ), ĝ = (g y, g z ), + similar in H = G 2 2. SK: x, y, z + analogues for H. Encryption in G: encode msg using ĝ, blind with random elt of G 1. Enc(m): r R F p ; C = (g y, g z ) m (g, g x ) r = (g ym+r, g zm+xr ) Encryption in H similar. Add by multiplying ciphertexts; multiply once by pairing ciphertexts. Use projecting pairing e (vector of 4 pairings). Decryption in G: 1 Compute π 1 (C) = (g ym+r ) x (g zm+xr ) 1 = (g xy z ) m. 2 Take discrete log base π 1 (ĝ) = g xy z (requires small message space). Decryption in H similar; decryption in G t = G 4 t more complicated. DDH in G 1, G 2 subgp decision in (G, G 1, H, H 1, e) semantic security. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 13 / 14

The conversion process An example Instantiating BGN Encryption in DDH groups G 1, G 2 : PK: G = G 2 1, G 1 = (g, g x ), ĝ = (g y, g z ), + similar in H = G 2 2. SK: x, y, z + analogues for H. Encryption in G: encode msg using ĝ, blind with random elt of G 1. Enc(m): r R F p ; C = (g y, g z ) m (g, g x ) r = (g ym+r, g zm+xr ) Encryption in H similar. Add by multiplying ciphertexts; multiply once by pairing ciphertexts. Use projecting pairing e (vector of 4 pairings). Decryption in G: 1 Compute π 1 (C) = (g ym+r ) x (g zm+xr ) 1 = (g xy z ) m. 2 Take discrete log base π 1 (ĝ) = g xy z (requires small message space). Decryption in H similar; decryption in G t = G 4 t more complicated. DDH in G 1, G 2 subgp decision in (G, G 1, H, H 1, e) semantic security. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 13 / 14

The conversion process An example Instantiating BGN Encryption in DDH groups G 1, G 2 : PK: G = G 2 1, G 1 = (g, g x ), ĝ = (g y, g z ), + similar in H = G 2 2. SK: x, y, z + analogues for H. Encryption in G: encode msg using ĝ, blind with random elt of G 1. Enc(m): r R F p ; C = (g y, g z ) m (g, g x ) r = (g ym+r, g zm+xr ) Encryption in H similar. Add by multiplying ciphertexts; multiply once by pairing ciphertexts. Use projecting pairing e (vector of 4 pairings). Decryption in G: 1 Compute π 1 (C) = (g ym+r ) x (g zm+xr ) 1 = (g xy z ) m. 2 Take discrete log base π 1 (ĝ) = g xy z (requires small message space). Decryption in H similar; decryption in G t = G 4 t more complicated. DDH in G 1, G 2 subgp decision in (G, G 1, H, H 1, e) semantic security. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 13 / 14

The conversion process Conclusion Other systems We also applied our conversion process to BSW traitor tracing and KSW attribute-based encryption. Groups become smaller and pairing computations become much faster. Security assumptions remain of comparable complexity. Efficiency improvement is greater at higher security levels: Bit size of BGN ciphertexts Security level composite-order prime-order 80-bit 1024 1020 128-bit 3072 1536 256-bit 15360 6400 Conclusion: Most things that can be done using composite-order bilinear groups can be done more efficiently using prime-order bilinear groups. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 14 / 14

The conversion process Conclusion Other systems We also applied our conversion process to BSW traitor tracing and KSW attribute-based encryption. Groups become smaller and pairing computations become much faster. Security assumptions remain of comparable complexity. Efficiency improvement is greater at higher security levels: Bit size of BGN ciphertexts Security level composite-order prime-order 80-bit 1024 1020 128-bit 3072 1536 256-bit 15360 6400 Conclusion: Most things that can be done using composite-order bilinear groups can be done more efficiently using prime-order bilinear groups. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 14 / 14

The conversion process Conclusion Other systems We also applied our conversion process to BSW traitor tracing and KSW attribute-based encryption. Groups become smaller and pairing computations become much faster. Security assumptions remain of comparable complexity. Efficiency improvement is greater at higher security levels: Bit size of BGN ciphertexts Security level composite-order prime-order 80-bit 1024 1020 128-bit 3072 1536 256-bit 15360 6400 Conclusion: Most things that can be done using composite-order bilinear groups can be done more efficiently using prime-order bilinear groups. David Mandell Freeman (Stanford) Converting Pairing-Based Cryptosystems Eurocrypt 2010 14 / 14

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback