déjà q: using dual systems to revisit q-type assumptions
TRANSCRIPT
Déjà Q: Using Dual Systems to Revisit q-Type Assumptions
Melissa Chase (MSR Redmond)Sarah Meiklejohn (UC San Diego → University College London)
1
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
With great functionality, comes great (ir)responsibility!
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
With great functionality, comes great (ir)responsibility!
• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
With great functionality, comes great (ir)responsibility!
• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)
• Later assumptions: Subgroup Hiding [BGN05], Decision Linear, SXDH
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
With great functionality, comes great (ir)responsibility!
• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)
• Later assumptions: Subgroup Hiding [BGN05], Decision Linear, SXDH
• Even later assumptions: q-SDH, q-ADHSDH, q-EDBDH, q-SDH-III, q-SFP, “source group q-parallel BDHE,” etc.
Why are q-type assumptions worrisome?
3
Why are q-type assumptions worrisome?
3
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
IBE universe
Why are q-type assumptions worrisome?
3
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
IBE universe
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
IBE universe
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒ AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
(g,gx,…,gxq)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒ AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
(g,gx,…,gxq)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒/ AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
(g,gx,…,gxq)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒/
q+5-SDH ⇒
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
(g,gx,…,gxq)
(g,gx,…,gxq,…,gxq+5)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒/
q+5-SDH ⇒
>
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
(g,gx,…,gxq)
(g,gx,…,gxq,…,gxq+5)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒/
q+5-SDH ⇒
>
t/√q steps [Cheon06]
t/√q+5 steps
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Apply dual systems directly to variants of the uber-assumption [BBG05,B08]
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Apply dual systems directly to variants of the uber-assumption [BBG05,B08]
• Reduce* to an assumption that holds by a statistical argument
*currently only in composite-order groups
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Apply dual systems directly to variants of the uber-assumption [BBG05,B08]
• Reduce* to an assumption that holds by a statistical argument
• Adapt dual systems to work for deterministic primitives
*currently only in composite-order groups
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Apply dual systems directly to variants of the uber-assumption [BBG05,B08]
• Reduce* to an assumption that holds by a statistical argument
• Adapt dual systems to work for deterministic primitives
Extension to Dodis-Yampolskiy PRF [DY05]*currently only in composite-order groups
Outline
5
Outline
5
Bilinear groups
Outline
5
Bilinear groups q-Type assumptions
Outline
5
Bilinear groups q-Type assumptions
Extensions
Outline
5
Bilinear groups q-Type assumptions
Extensions Conclusions
Outline
5
Bilinear groups q-Type assumptions
Extensions Conclusions
Bilinear groupsSubgroup hiding Parameter hiding
Dual systems
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
}
G = <g>; H = <h>
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
}
G = <g>; H = <h>
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
}
G = <g>; H = <h>
subgroup hiding
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
}
G = <g>; H = <h>
subgroup hidingparameter hiding
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding
7
subgroup hidingparameter hiding
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
≈
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
≈
random element of Gp × Gq
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
≈(indistinguishable from)
random element of Gp × Gq
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
≈(indistinguishable from)
random element of Gp
random element of Gp × Gq
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
8
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
8
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
g1f(x1,...,xc)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
≈g1f(x1,...,xc)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
≈g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
is independent from
≈g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
is independent from
xi mod p reveals nothing about xi mod q (CRT)
≈g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)
Typical dual-system proof for IBE [W09,LW10,...]
9
Typical dual-system proof for IBE [W09,LW10,...]
9
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
9
ID queries
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
normal:
normal:
9
ID queries
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
normal:
(subgroup hiding)
normal:
9
ID queries
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
normal:
(subgroup hiding)
(parameter hiding)
normal:
9
ID queries
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
normal:
9
ID queries
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
(subgroup hiding)
normal:
9
ID queries
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
(subgroup hiding)
(parameter hiding)
normal:
9
ID queries
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
(subgroup hiding)
(parameter hiding)
normal:
semi-functional (SF):
9
ID queries
Challenge ciphertext
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
(subgroup hiding)
(parameter hiding)
normal:
semi-functional (SF):
9
SF keys don’t decrypt SF ciphertexts!
ID queries
Challenge ciphertext
Dual systems in three easy steps
10
Dual systems in three easy steps
10
1. start with base scheme
Dual systems in three easy steps
normal:
10
1. start with base scheme
Dual systems in three easy steps
normal:
10
1. start with base scheme2. transition to SF version
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version
(subgroup hiding)
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version
(subgroup hiding)
(subgroup hiding)
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version
(subgroup hiding)
(subgroup hiding)
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version3. argue information is hidden
(subgroup hiding)
(subgroup hiding)
Outline
11
Cryptographic background Pseudorandom functions
Extensions Conclusions
Bilinear groupsq-Type assumptions
The uber-assumption Relating uber-assumptions
A bijection trick
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
12
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
12
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
12
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
12
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}
12
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}
• f(x1,...,xc): A needs to compute e(g,h)f(x1,...,xc) (or distinguish it from random)
12
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}
• f(x1,...,xc): A needs to compute e(g,h)f(x1,...,xc) (or distinguish it from random)
uber(c,R,S,T,f) assumption: given (R,S,T) values, hard to compute/distinguish f
12
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
13
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
13
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
13
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>
13
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>
• f(x1,…,xc): f(x) = xq+1
13
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>
• f(x1,…,xc): f(x) = xq+1
exponent q-SDH is uber(1,<1,{xi}>,<1>,<1>,xq+1)
13
Applying dual systems to exponent q-SDH
14
1. start with base scheme2. transition to SF version 3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
g1r1x1,…,g1r1x1q
14
1. start with base scheme2. transition to SF version 3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
g1r1x1,…,g1r1x1q
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q g1r1x1i ⋅
g2r1′x1i
vs.
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q g1r1x1i ⋅
g2r1′x1i
parameter hiding
g1r1x1i ⋅
g2r1′x2i
vs.
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q g1r1x1i ⋅
g2r1′x1i
parameter hiding
g1r1x1i ⋅
g2r1′x2ig1r1x1i + r2x2i
⋅ g2r1′x2i
subgroup hiding
vs.
vs.
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q g1r1x1i ⋅
g2r1′x1i
parameter hiding
g1r1x1i ⋅
g2r1′x2ig1r1x1i + r2x2i
⋅ g2r1′x2i
subgroup hidingsubgroup hiding
g1r1x1+r2x2,…,g1r1x1q+r2x2q
vs.
vs.vs.
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q
parameter hiding
subgroup hidingsubgroup hiding
g1r1x1+r2x2,…,g1r1x1q+r2x2q
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q
parameter hiding
subgroup hidingsubgroup hiding
g1r1x1+r2x2,…,g1r1x1q+r2x2q
g1∑rkxk,…,g1∑rkxkq
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q
parameter hiding
subgroup hidingsubgroup hiding
g1r1x1+r2x2,…,g1r1x1q+r2x2q
g1∑rkxk,…,g1∑rkxkq
14
1. start with base scheme 2. transition to SF version 3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
Applying dual systems to exponent q-SDH
15
1. start with base scheme 2. transition to SF version 3. argue information is hidden
uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)
Applying dual systems to exponent q-SDH
15
1. start with base scheme 2. transition to SF version 3. argue information is hidden
uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)
Applying dual systems to exponent q-SDH
15
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)
Applying dual systems to exponent q-SDH
15
=
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
So A is really given 1. start with base scheme 2. transition to SF version 3. argue information is hidden
Applying dual systems to exponent q-SDH
16
=
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Applying dual systems to exponent q-SDH
16
=
Vandermonde matrix, so if l=q+2 this is invertible
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Applying dual systems to exponent q-SDH
16
=
Vandermonde matrix, so if l=q+2 this is invertible
Consider set S of l-sized sets; then r,y∈S
Matrix multiplication is map M: S → Spermutation
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Applying dual systems to exponent q-SDH
16
=
Vandermonde matrix, so if l=q+2 this is invertible
This is chosen uniformly at random from S
Consider set S of l-sized sets; then r,y∈S
Matrix multiplication is map M: S → Spermutation
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Applying dual systems to exponent q-SDH
16
=
Vandermonde matrix, so if l=q+2 this is invertible
This is chosen uniformly at random from S
Consider set S of l-sized sets; then r,y∈S
Matrix multiplication is map M: S → Spermutation
This is distributed uniformly random as well!
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
More generally, this is true if
!
!
!
has linearly independent columns (or rows)
Applying dual systems to the uber-assumption
17
1 ρ . ρ f(x1 ρ . ρ f(x. . . .. . . .1 ρ . ρ f(x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
More generally, this is true if
!
!
!
has linearly independent columns (or rows)
Applying dual systems to the uber-assumption
17
1 ρ . ρ f(x1 ρ . ρ f(x. . . .. . . .1 ρ . ρ f(x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Decisional uber(c,R,S,T,f) holds if: 1. subgroup hiding and parameter hiding hold
2. S = T = <1> 3. f is not a linear combination of ρi
More generally, this is true if
!
!
!
has linearly independent columns (or rows)
Applying dual systems to the uber-assumption
17
1 ρ . ρ f(x1 ρ . ρ f(x. . . .. . . .1 ρ . ρ f(x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Decisional uber(c,R,S,T,f) holds if: 1. subgroup hiding and parameter hiding hold
2. S = T = <1> 3. f is not a linear combination of ρi
only computational requirement
More generally, this is true if
!
!
!
has linearly independent columns (or rows)
Applying dual systems to the uber-assumption
17
1 ρ . ρ f(x1 ρ . ρ f(x. . . .. . . .1 ρ . ρ f(x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Decisional uber(c,R,S,T,f) holds if: 1. subgroup hiding and parameter hiding hold
2. S = T = <1> 3. f is not a linear combination of ρi
only computational requirement
limitation
Outline
18
Cryptographic background q-Type assumptions
Data Conclusions
Bilinear groups
ExtensionsBroader classes of assumptions
Dodis-Yampolskiy PRF
Strengthening our results
sh ph sh sh
19
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
19
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
vs.
19
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
vs. vs.
19
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
This restricts us to “one-sided” assumptions
vs. vs.
19
2. S = T = <1>
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
This restricts us to “one-sided” assumptions
vs. vs.
19
(g,gx,…,gxq) → gxq+1 or random[eq-SDH]
2. S = T = <1>
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
This restricts us to “one-sided” assumptions
vs. vs.
19
(g,gx,…,gxq) → gxq+1 or random
(g,gx,…,gxq,hx) → compute (c,g1/x+c)
[eq-SDH]
[q-SDH]
2. S = T = <1>
Strengthening our results
sh ph sh sh
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
Computational uber(c,R,S,T,f) holds if: 1. subgroup hiding and parameter hiding hold
2. f is not a linear combination of ρi
limitation
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
This implies (for example) that q-SDH [BB04] follows from subgroup hiding....
…and so does everything based on q-SDH (like Boneh-Boyen signatures)*
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
*when instantiated in asymmetric composite-order groups [BRS11]
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
verifiable random function
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
require u=e(g,h)verifiable random function
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
require u=e(g,h)verifiable random function q-type assumption
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
pseudorandom function
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
require composite orderpseudorandom function
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
require composite orderpseudorandom function static assumption
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
require composite order a(λ) of arbitrary sizepseudorandom function static assumption
Outline
22
Cryptographic background q-Type assumptions
Extensions Conclusions
Bilinear groups
Conclusions
Conclusions and open problems
23
We applied the dual-system technique directly to a broad class of assumptions
Conclusions and open problems
23
We applied the dual-system technique directly to a broad class of assumptions
Limitation: Restricted to (asymmetric) composite-order (bilinear) groups
Conclusions and open problems
23
We applied the dual-system technique directly to a broad class of assumptions
Limitation: Restricted to (asymmetric) composite-order (bilinear) groups
Limitation: Can’t get rid of every q-type assumption
Conclusions and open problems
23
We applied the dual-system technique directly to a broad class of assumptions
Limitation: Restricted to (asymmetric) composite-order (bilinear) groups
Limitation: Can’t get rid of every q-type assumption
Full version!: cs.ucsd.edu/~smeiklejohn/files/eurocrypt14a.pdf
Conclusions and open problems
23
We applied the dual-system technique directly to a broad class of assumptions
Limitation: Restricted to (asymmetric) composite-order (bilinear) groups
Limitation: Can’t get rid of every q-type assumption
Full version!: cs.ucsd.edu/~smeiklejohn/files/eurocrypt14a.pdf
Conclusions and open problems
23
Thanks! Any questions?