A Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University

Similar documents
Instantiating the Dual System Encryption Methodology in Bilinear Groups

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption

14 Diffie-Hellman Key Agreement

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Fully Homomorphic Encryption and Bootstrapping

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Function-Hiding Inner Product Encryption

On Kilian s Randomization of Multilinear Map Encodings

Obfuscation and Weak Multilinear Maps

CPSC 467b: Cryptography and Computer Security

Unbounded HIBE and Attribute-Based Encryption

Open problems in lattice-based cryptography

Advanced Cryptography 03/06/2007. Lecture 8

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Lecture 17: Constructions of Public-Key Encryption

5.4 ElGamal - definition

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture Notes, Week 6

Background: Lattices and the Learning-with-Errors problem

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

RSA. Ramki Thurimella

Discrete Logarithm Problem

Efficient Selective Identity-Based Encryption Without Random Oracles

5199/IOC5063 Theory of Cryptology, 2014 Fall

Identity-based Hierarchical Key-insulated Encryption without Random Oracles

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Obfuscation without Multilinear Maps

A Profitable Sub-Prime Loan: Obtaining the Advantages of Composite Order in Prime-Order Bilinear Groups

Identity Based Encryption

Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Single-Database Private Information Retrieval

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

F O R SOCI AL WORK RESE ARCH

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

1 Number Theory Basics

Identity-based encryption

Lecture 7: ElGamal and Discrete Logarithms

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

Cryptography and Security Final Exam

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Property Preserving Symmetric Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lattice-Based Non-Interactive Arugment Systems

Introduction to Cryptography. Lecture 8

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Introduction to Elliptic Curve Cryptography

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

Public-Key Encryption: ElGamal, RSA, Rabin

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Introduction to Modern Cryptography. Benny Chor

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

CS 355: Topics in Cryptography Spring Problem Set 5.

Public Key Cryptography

6.080/6.089 GITCS Apr 15, Lecture 17

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

On the (Im)possibility of Projecting Property in Prime-Order Setting

Lattice Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

10 Concrete candidates for public key crypto

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

8 Elliptic Curve Cryptography

Déjà Q: Using Dual Systems to Revisit q-type Assumptions

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

DATA PRIVACY AND SECURITY

Number theory (Chapter 4)

G Advanced Cryptography April 10th, Lecture 11

Shorter IBE and Signatures via Asymmetric Pairings

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits

Lattice Cryptography

1 Secure two-party computation

Pairing-Based Cryptography An Introduction

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 7: CPA Security, MACs, OWFs

Introduction to Cybersecurity Cryptography (Part 4)

ASYMMETRIC ENCRYPTION

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

CRYPTANALYSIS OF COMPACT-LWE

Shorter Identity-Based Encryption via Asymmetric Pairings

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Public Key Cryptography

Practical Bootstrapping in Quasilinear Time

CIS 551 / TCOM 401 Computer and Network Security

Question: Total Points: Score:

Transcription:

A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University

Group Basics There are two kinds of people in this world. Those who like additive group notation, and those who like multiplicative group notation. inefficient: discrete log?? efficient: group operation identity test

Bilinear Groups efficient:

When Faced with a New Group Assumption: Is it secret? Is it safe? Is it useful? Is it needed?

Kinds of Assumptions Generic group models q-type assumptions static assumptions Variants: Symmetric/Asymetric Composite Order/ Prime Order Linear/ Bilinear/ MultiLinear

Kinds of Proof Techniques Brute Force Cancelation Encoding Dual System Deja Q basic generic group arguments BB IBE G06, W 05 W09, LW10, LOSTW10, CM14, W16

Billinear Diffie-Hellman Assumption Symmetric group: Given: Distinguish:

SXDH Assumption Asymmetric group: Given: Distinguish:

A Basic q-type Assumption Symmetric group: Given: Distinguish:

A Driving Example: IBE Decryption:

Arguing Generic Security Look at exponents you are given in G: Look at the blinding factor: All you can do is take linear combinations of degree at most 2

Proof Challenges Beyond Generic Security Hard Problem Simulator Attacker Simulator must balance two competing goals: answer attacker queries leverage attacker success

Arguing Selective Security - Embed the challenge as a function of known ID* Given: Distinguish: Choose then Simulator can produce key for any ID not equal to ID*!

How to Leverage a q-type Assumption [example from W05] What if we don t want to fix ID* ahead of time? Can t make Keys the simulator can make To partition small PP with parameter q: Use a q-size assumption!

Simulation Techniques Deja Q [CM13,W16] q-type Dual pairing vector spaces [OT08,OT09,] Composite Order Subgroup Decision SXDH/DLIN *These arrows are partial and not transitive!

Composite Order Bilinear Groups How the pairing operates: a c d E b f ab df

Subgroup Decision Assumptions in Composite Order Bilinear Groups Example: Given Distinguish from

Subgroup Decision in a Multilinear Group? Here s what it might look like in a 3-linear group: Given Distinguish from

Deja Q Basic Example r 1 a r 1 a r 1 a r 1 a 2 r 1 a 3 Subgroup decision r 1 a 2 r 1 a 2 r 1 a 3 r 1 a 3 r 1 a q r 1 a q r 1 a q

Deja Q Basic Example Mod p Mod q r 1 a r 1 a r 1 a 2 r 1 a 2 r 1 a 3 r 1 a 3 Chinese Remainder Theorem Mod p Mod q r 1 a t 1 b r 1 a 2 t 1 b 2 r 1 a 3 t 1 b 3 r 1 a q r 1 a q r 1 a q t 1 b q

Deja Q Basic Example Mod p Mod q Mod p Mod q r 1 a t 1 b 1 r 1 a 2 t 1 b 1 2 r 1 a 3 t 1 b 1 3 Subgroup Decision + Chinese Remainder Theorem r 1 a t 1 b 1 + t 2 b 2 r 1 a 2 t 1 b 12 + t 2 b 2 2 r 1 a 3 t 1 b 1 3 + t 2 b 2 3 r 1 a q t 1 b 1 q r 1 a q t 1 b 1 q + t 2 b 2 q

Deja Q Basic Example r 1 a Mod p Mod q t 1 b 1 + t 2 b 2 + + t q b q Subgroup Decision + Chinese Remainder Theorem Subgroup Decision + Chinese Remainder Theorem r 1 a 2 t 1 b 12 + t 2 b 2 2 + + t q b q 2 r 1 a 3 t 1 b 1 3 + t 2 b 2 3 + + t q b q 3 r 1 a q t 1 b 1 q + t 2 b 2 q + + t q b q q

Deja Q Basic Example b 1 b q b 1 q b q q t 1 t q = Uniformly random Mod q Full rank

Deja Q Basic Example r 1 a Mod p Mod q t 1 b 1 + t 2 b 2 + + t q b q z 1 r 1 a 2 t 1 b 12 + t 2 b 2 2 + + t q b q 2 r 1 a 3 t 1 b 1 3 + t 2 b 2 3 + + t q b q 3 Identically Distributed to z 2 z 3 z 3 r 1 a q t 1 b 1 q + t 2 b 2 q + + t q b q q z q

Dual Pairing Vector Spaces b 2 b 1 Emulates some features of composite order, asymmetric group: E r s t z rs tz

Emulating Subgroup Decision using SXDH Asymmetric group: Given: Distinguish:

Dual System Using Subgroup Assumptions for Functional Encryption [W09 + too many to cite*] Most Basic Template: PP: CT: SK: Unconstrained by PP! SF CT: SF SK:

Using Subgroup Assumptions for Obfuscation [GBSW 15] Reduction will isolate each input. Main idea: Have poly many parallel obfuscations, C 0 C 0 C 1 each responsible for a bucket of inputs Hybrid Type 1: Allocate/Transfer inputs among different buckets, but programs do not change at all. Assumption used here. Hybrid Type 2: When one bucket only has a single isolated input, then apply Kilian and change the program. Information-theoretic / No Assumption needed.

Ok, So what are these buckets really like? Matrix Branching Programs Simple example: [Barrington, Want implement: GGHRSW] F(x Oblivious 1 x 2 ) = XOR( Matrix x 1, xbranching 2 ) Program for F: n-bit input x=x 1 x 2 x n (e.g. n=3 here) 2k invertible matrices over Z N æ 1 0 ö æ M Evaluation 1,0 = ç on x: M 1,1 = ç è 0 1 ø è ì ï Õ = í M i,x(i mod n) 0 1 1 0 I if F(x) = 0 æ i=1...k 1 0 ö B if æ îï F(x) 0 =1 1 ö M Where 2,0 = ç B is fixed matrix M 2,1 = I ç over Z è 0 1 ø è 1 0 N ø ö ø M 1, 0 M 1, 1 M 2, 0 M 2, 1 M 3, 0 M 3, 1 M 4, 0 M 4, 1 æ 0 1 ö B = ç è 1 0 ø [Barrington]: All log-depth (NC 1 ) circuits have poly-size Matrix Branching Programs M k, 0 M k, 1

Kilian Simulation Towards Obfuscation Oblivious Matrix Branching Program for F: n-bit input x=x 1 x 2 x n 2k invertible matrices over Z N Evaluation on x: ì ï Õ M i,x(i mod n) = í îï i=1...k (e.g. n=3 here) I if F(x) = 0 B if F(x) =1 Where B is fixed matrix I over Z N Kilian Randomization: Chose R 1,, R k-1 random over Z N Kilian shows that for each x, can statistically simulate M x matrices knowing only product. ~ ~ ~ M 1, 0 M 1, 1 ~ ~ M 2, 0 M 2, 1 ~ ~ M 3, 0 M 3, 1 ~ ~ M 4, 0 M 4, 1 ~ ~ M k, 0 M k, 1

Hybrids Intuition C 0 C 0 C 0 ~ M 1, 1 ~ M 1, 0 ~ M 1, 1 ~ ~ M 2, 0 M 2, 1 ~ ~ M 2, 0 M 2, 1 ~ M 2, 0 ~ ~ M 3, 0 M 3, 1 ~ ~ M 3, 0 M 3, 1 ~ M 3, 0 ~ ~ M 4, 0 M 4, 1 ~ ~ M 4, 0 M 4, 1 ~ M 4, 1 ~ ~ M k, 0 M k, 1 ~ ~ M k, 0 M k, 1 ~ M k, 0

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback