Royal Holloway, February 2017 1/43 Bilinear Groups and Assumptions Reductions Symmetric Schemes Conclusions Déjà Q All Over Again Melissa Chase 1 Mary Maller 2 1 MSR Redmond Sarah Meiklejohn 2 2 University College London
2/43
3/43 Subgroup Hiding certain q-type Assumptions
/43 Example: Broadcast Encryption Methods of delivering encrypted content over a broadcast channel where only qualified users can decrypt the content. Example Boneh Gentry and Waters broadcast encryption scheme [BGW-Crypto05]. Pairing based solution Short ciphertexts and private keys Collusion resistant
5/43 The q-bdhe Assumption The BGW broadcast encryption scheme bases its security on the q-bdhe assumption [BGW-Crypto05]. Given g,g c,g α,...,g αq,g αq+2,...,g α2q it is hard to distinguish e(g,g c ) q+1 from random.
5/43 The q-bdhe Assumption The BGW broadcast encryption scheme bases its security on the q-bdhe assumption [BGW-Crypto05]. Given g,g c,g α,...,g αq,?,g αq+2,...,g α2q it is hard to distinguish e(g,g c ) q+1 from random.
Déjà Q: Using Dual Systems to Revisit q-type Assumptions [CM-Eurocrypt14] Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 1 2. Pr[break q-type assumption] O(q) Pr[break subgroup hiding] 6/43 1 Asymmetric composite order bilinear groups do exist - see [BRS-JNT11].
/43 [CM-Eurocrypt14]: Contributions Decides Computes Source Group given info in one group given info in both groups Target Group given info in one group given info in both groups q-bdhe
8/43 Our Contributions: Broader Decides Computes Source Group given info in one group given info in both groups Target Group given info in one group given info in both groups q-bdhe
9/43 Our Contributions: Tighter Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 2 p 3. Pr[break q-type assumption] O(log q) Pr[break subgroup hiding]
0/43 Outline of Presentation
1/43 Bilinear Groups Standard Bilinear Groups: G = (N,G,H,G T,e,g,h). N = group order; prime or composite G = H = kn, G T = λn G =< g >, H =< h > e : G H G T Properties Bilinearity: e(g a,h b ) = e(g,h) ab Non-degeneracy: e(x,y) = 1 y H x = 1.
2/43 Subgroup Hiding [BGN - TCC05]
2/43 Subgroup Hiding [BGN - TCC05]
2/43 Subgroup Hiding [BGN - TCC05]
3/43 Parameter Hiding [Lewko-Eurocrypt12]
3/43 Parameter Hiding [Lewko-Eurocrypt12]
3/43 Parameter Hiding [Lewko-Eurocrypt12]
3/43 Parameter Hiding [Lewko-Eurocrypt12]
4/43 Outline of Presentation
5/43 Reductions we can Cover
6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]
6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]
6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]
6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]
6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]
6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]
7/43 Déjà Q: Reduction Techniques
7/43 Déjà Q: Reduction Techniques
7/43 Déjà Q: Reduction Techniques
7/43 Déjà Q: Reduction Techniques
7/43 Déjà Q: Reduction Techniques
8/43 Our Tight Reduction Techniques Double the randomness.
8/43 Our Tight Reduction Techniques Double the randomness.
8/43 Our Tight Reduction Techniques Double the randomness.
8/43 Our Tight Reduction Techniques Double the randomness.
8/43 Our Tight Reduction Techniques Double the randomness.
8/43 Our Tight Reduction Techniques Double the randomness.
9/43 Result Given g ρ 1(x),...,g ρ q(x),h σ 1(x),...,h σ q(x) ĥ Then Adv[Deciding e(g,ĥ) f(x) from random] (3 + log(q + 2)) Pr[Breaks Subgroup Hiding]
20/43 Result Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 2 p 3. Pr[break q-type assumption] O(log q) Pr[break subgroup hiding]
21/43 Outline of Presentation
22/43 Example: Broadcast Encryption Methods of delivering encrypted content over a broadcast channel where only qualified users can decrypt the content. Example Boneh Gentry and Waters broadcast encryption scheme [BGW-Crypto05]. Pairing based solution Short ciphertexts and private keys Collusion resistant
23/43 Broadcast Encryption The asymmetric q-bdhe assumption: given ĥ,g α,h α,...,g αq,h αq,g αq+2,h αq+2,...,g α2q,h α2q it is hard to distinguish e(g,ĥ) q+1 from random is tightly implied by subgroup hiding and parameter hiding. The BGW broadcast encryption scheme is implied by the symmetric q-bdhe assumption.
24/43 Symmetric Reductions The previous asymmetric reduction fails in the symmetric case. Adversary given components that would allow it to trivially break subgroup hiding in the symmetric case (e(g 1,H 2 ) = 1). Show how to push through the same reduction in the symmetric case by adding randomness from a fourth subgroup. Symmetric schemes can also be translated into asymmetric groups.
25/43 The Asymmetric BGW Variant Techniques from [AGOT-Crypto14]. g p0[1] di gi p0[0] gc p1[0] vi C0 = G = G&H = H p2[0] Ci p2[1] p1[1]
26/43 Identity Based KEM [ACF-Eurocrypt09] g Bi g1 gc p1[0] gij hi p0[0] C p2[0] p3[0] skid p0[1] p1[1] p2[1] p3[1] p4[0] p4[1]
27/43 ABE Scheme [Waters08] The less efficient construction. g ga gi msk gc p0[1] p1[0] p5[1] p5[0] K hi L p0[0] p1[1] C' p2[1] Ci Kx p3[1] p2[0] p4[0] p3[0] p4[1]
28/43 HIBE Scheme [BBG-Eurocrypt05] g yi gc g1 a1 g2 g3 hi B p0[0] p1[0] p0[1] msk bi C p2[0] a0 p1[1] p2[1]
29/43 Outline of Presentation
30/43 Open Problems How can we analyse are q-type assumptions in prime order groups? How can we analyse are q-power knowledge of exponent assumptions ("non-falsifiable" assumptions)? How can we analyse are q-type when the adversary has inputs from both source groups and the challenge component is also in the source group?
31/43 Thank-you for Listening.