Pairing-Based Cryptography
Dan Boneh
Stanford University
[Tutorial: FOCS 2007]
A new tool: pairings (>1200 papers)
• Encryption schemes with new properties:
Identity-based, Broadcast, Forward secure,
Homomorphic, Searchable, Proxiable, CCA, …
• Signature systems with new properties:
Short, Aggregate, Append-only,
VRF, Short group sigs, e-cash, …
• Efficient non-interactive zero-knowledge (NIZK)
Conferences: PiC 2005, Pairings 2007
Commercial Interest
Gemalto (formerly Gemplus)
Part 1: What is a pairing?
Recall: Diffie-Hellman protocol
G: group of prime order q ; g ∈ G generator
Alice: a ← Zq, sends A := g^a
Bob: b ← Zq, sends B := g^b
Both sides derive the shared value g^ab
Security: Decision Diffie-Hellman assumption in G:
(g, A, B, g^ab) indist. from (g, A, B, g^rand)
Standard complexity assumptions
G: group of order q ; 1 ≠ g ∈ G ; x,y,z ← Zq
Discrete-log problem: given g, g^x, find x
Computational Diffie-Hellman problem (CDH): given g, g^x, g^y, find g^xy
Decision Diffie-Hellman problem (DDH): given g, g^x, g^y, g^z, output 0 if z=xy, 1 otherwise
Groups used in cryptography
Groups where Dlog, CDH, DDH believed hard:
(Z/pZ)* for prime p
Elliptic Curves: E(Fp): y^2 = x^3 + ax + b
Dlog problem believed to be harder in E(Fp):
  Group      Dlog Alg      Time
  (Z/pZ)*    GNFS          e^(∛(ln p))
  E(Fp)      Pollard Rho   √p
Pairings
Additional structure on elliptic curves: pairings
Defined by A. Weil (1946)
Miller ’84: Algorithm for computing
MOV ’93: Used to attack certain EC systems
Recently (2000-7): lots of crypto applications: Joux [ANTS’00], Sakai-Ohgishi-Kasahara [SCIS ’00]
Pairings
G, GT: finite cyclic groups of prime order q.
Def: A pairing e: G × G → GT is a map:
  Bilinear: e(g^a, g^b) = e(g,g)^ab  ∀ a,b ∈ Z, g ∈ G
  Poly-time computable and non-degenerate: g generates G ⇒ e(g,g) generates GT
Current examples: G ⊆ E(Fp), GT ⊆ (F_{p^k})* for embedding degree k = 1, 2, 3, 4, 6, 10, 12
(picture: g^a, g^b ∈ G map to e(g,g)^ab ∈ GT)
Note: e(g^x, h^y) = e(g^y, h^x)
Consequences of pairing
Decision Diffie-Hellman (DDH) in G is easy: [J’00, JN’01]
  input: g, g^x, g^y, g^z ∈ G
  to test if z=xy do: check e(g, g^z) =? e(g^x, g^y)
Dlog reduction from G to GT: [MOV ’93]
  DLog in G: given g, g^a ∈ G  ⇒  DLog in GT: given e(g,g), e(g,g^a) = e(g,g)^a ∈ GT
Complexity assumptions in bilinear groups
e: G × G → GT ; 1 ≠ g ∈ G ; x,y,z ← Zq
Discrete-log problem: given g, g^x, find x
Computational Diffie-Hellman problem (CDH): given g, g^x, g^y, find g^xy
Bilinear Decision Diffie-Hellman problem (BDDH): given g, g^x, g^y, h, e(h, g)^z, output 0 if z=xy, 1 otherwise
Where pairings come from …
G = E(Fp)[q] ⊆ E(Fp): the subgroup of points of order q ; P, Q ∈ G
Tate pairing: e(P, Q) := f_P(Q)^((p-1)/q), where (f_P) = q(P) - q(O)
V. Miller (84): f_P has a short straight line program
… but: ∀ P,Q ∈ E(Fp): e(P,Q) = 1
Supersingular bilinear groups
Supersingular curves: (e.g. y^2 = x^3 + x, p = 3 (mod 4))
G = E(Fp)[q] ⊆ E(Fp) ; φ: a distortion map on the curve
Def: ê(P, Q) = e(P, φ(Q)) ;  ê: G × G → GT
Possible embedding degrees: 2, 3, 4, 6 or “7.5” [RS ’02]
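As an added, runnable illustration (not code from the tutorial) of three slides at once: the pairing definition with its bilinearity property, the "DDH in G is easy" consequence, and the Tate pairing / Miller algorithm / distortion map construction of this supersingular slide. It builds a toy symmetric pairing on y^2 = x^3 + x over F_p with the distortion map φ(x, y) = (-x, i·y). The parameters p = 10007 and q = 139 (q divides #E(F_p) = p + 1 = 72·139, embedding degree 2) and every function name are my own constructed choices; the group is far too small to be secure and exists only to show the mechanics.

```python
# Toy symmetric pairing on E: y^2 = x^3 + x over F_p, p = 3 (mod 4) (constructed example).
P = 10007                 # prime, P = 3 (mod 4): -1 is a non-residue, so F_{p^2} = F_p(i)
Q = 139                   # prime order of G; Q | #E(F_p) = P + 1 = 72 * 139
COFACTOR = (P + 1) // Q   # embedding degree 2: Q | P + 1 but Q does not divide P - 1

# ---- F_{p^2} = F_p[i]/(i^2 + 1); an element (a, b) means a + b*i ----
def f2_add(x, y): return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
def f2_sub(x, y): return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)
def f2_mul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % P, (x[0]*y[1] + x[1]*y[0]) % P)
def f2_inv(x):
    n = pow((x[0]*x[0] + x[1]*x[1]) % P, P - 2, P)   # 1/norm, norm = a^2 + b^2 in F_p
    return (x[0]*n % P, -x[1]*n % P)
def f2_pow(x, e):
    r = (1, 0)
    while e:
        if e & 1: r = f2_mul(r, x)
        x, e = f2_mul(x, x), e >> 1
    return r

# ---- curve arithmetic over F_{p^2}; None is the point at infinity O ----
def slope(A, B):
    """Slope of the line through A and B (tangent slope (3x^2 + 1)/2y if A == B)."""
    if A == B:
        return f2_mul(f2_add(f2_mul((3, 0), f2_mul(A[0], A[0])), (1, 0)),
                      f2_inv(f2_mul((2, 0), A[1])))
    return f2_mul(f2_sub(B[1], A[1]), f2_inv(f2_sub(B[0], A[0])))

def ec_add(A, B):
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and f2_add(A[1], B[1]) == (0, 0):   # B = -A
        return None
    lam = slope(A, B)
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), A[0]), B[0])
    return (x3, f2_sub(f2_mul(lam, f2_sub(A[0], x3)), A[1]))

def ec_mul(k, A):
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def find_generator():
    """A point of exact order Q in E(F_p): take a curve point, clear the cofactor."""
    for x in range(1, P):
        rhs = (x*x*x + x) % P
        y = pow(rhs, (P + 1) // 4, P)          # square root when rhs is a residue (P = 3 mod 4)
        if y*y % P == rhs:
            G = ec_mul(COFACTOR, ((x, 0), (y, 0)))
            if G is not None:
                return G

def distort(A):
    """Distortion map phi(x, y) = (-x, i*y): sends G to an independent order-Q subgroup."""
    return (f2_sub((0, 0), A[0]), f2_mul((0, 1), A[1]))

def line_at(T, U, R):
    """Value at R of the line through T and U (tangent if T == U), the building block
    of Miller's straight line program.  Vertical lines are skipped (value 1): their
    values lie in F_p and vanish under the final exponentiation (denominator elimination)."""
    if T[0] == U[0] and f2_add(T[1], U[1]) == (0, 0):
        return (1, 0)
    return f2_sub(f2_sub(R[1], T[1]), f2_mul(slope(T, U), f2_sub(R[0], T[0])))

def tate(A, R):
    """Reduced Tate pairing f_{Q,A}(R)^((p^2 - 1)/Q) via Miller's double-and-add loop."""
    f, T = (1, 0), A
    for bit in bin(Q)[3:]:                      # bits of Q after the leading 1
        f, T = f2_mul(f2_mul(f, f), line_at(T, T, R)), ec_add(T, T)
        if bit == "1":
            f, T = f2_mul(f, line_at(T, A, R)), ec_add(T, A)
    return f2_pow(f, (P*P - 1) // Q)

def pairing(A, B):
    """The symmetric pairing e(A, B) = t(A, phi(B)) of the slide, for A, B in G."""
    return tate(A, distort(B))

def check_bilinear(g, a, b):
    """e(g^a, g^b) == e(g, g)^(ab): the defining property of a pairing."""
    return pairing(ec_mul(a, g), ec_mul(b, g)) == f2_pow(pairing(g, g), a * b % Q)

def ddh_is_solved(g, gx, gy, gz):
    """DDH test from the 'Consequences' slide: decides whether z == x*y from
    (g, g^x, g^y, g^z) alone, via e(g, g^z) == e(g^x, g^y)."""
    return pairing(g, gz) == pairing(gx, gy)

if __name__ == "__main__":
    g = find_generator()
    print("non-degenerate:", pairing(g, g) != (1, 0))
    print("bilinear:", check_bilinear(g, 5, 17))
    print("DDH tuple detected:", ddh_is_solved(g, ec_mul(6, g), ec_mul(7, g), ec_mul(42, g)))
```

Two design points worth noticing: the vertical lines are dropped only because both the Miller point T ∈ E(F_p) and φ(Q) have x-coordinates in F_p, so their contribution is killed by the exponent (p^2 - 1)/q, which is a multiple of p - 1; and the DDH test never learns x, y or z, which is exactly why plain ElGamal-style DDH-based schemes must not be instantiated in G.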
MNT and BN groups
G0 = E(Fp)[q] ⊆ E(Fp) ; G1: a second subgroup of order q ; e: G0 × G1 → GT
• MNT ’01 Curves: embedding degree 2, 3, 4, 6
• BN ’05, F ’05 Curves: embedding degree 10, 12 (not supersingular curves)
Open problem: larger embedding degree (with prime order E(Fp)), e.g. 16, 20, 24, …
Part 2: Crypto Applications
Recall: Pub-Key Encryption (PKE)
Three algorithms: (G, E, D)
  G() → (PK,SK): outputs pub-key and secret-key
  E(PK, m) → c: encrypt m using pub-key PK
  D(SK, c) → m: decrypt c using SK
(picture: sender obtains PK_alice and sends E(PK_alice, msg))
Example: ElGamal encryption
G(): (G, g, q) ← GenGroup()
  SK := α ← Zq ; PK := h ← g^α
E(PK, m ∈ G): s ← Zq and do c ← (g^s, m · h^s)
D(SK=α, c=(c1,c2)): observe c1^α = (g^s)^α = h^s, so m = c2 / c1^α
Security (IND-CPA) based on the DDH assumption:
(g, h, g^s, h^s) indist. from (g, h, g^s, g^rand)
Note: ElGamal is insecure in bilinear groups
Identity Based Encryption [Sha ’84]
IBE: PKE system where PK is an arbitrary string
• e.g. e-mail address, phone number, IP addr…
(picture: e-mail encrypted using the public key “[email protected]”; the recipient proves “I am [email protected]” to the CA/PKG, which holds the master-key and issues the private key)
Identity Based Encryption [Sha ’84]
Four algorithms: (S,K,E,D)
  S() → (PP,MK): output params, PP, and master-key, MK
  K(MK, ID) → dID: outputs private key, dID, for ID
  E(PP, ID, m) → c: encrypt m using pub-key ID (and PP)
  D(dID, c) → m: decrypt c using dID
IBE “compresses” exponentially many PKs into a short PP
Using IBE as a primitive
IBE ⇒ CCA-secure public key encryption [CHK’04, BK’04, BMW’05]
    Non-interactive CCA-secure threshold encryption [BBH’05]
    Searchable public key enc [BDOP’04, AB…’05]
    Automatic trust negotiations [LDB’03]
    Forward secure encryption [CHK ’03] (from H-IBE)
Can we build an IBE ??
ElGamal is not an IBE:
  SK := α ← Zq ; PK := h ← g^α
  PK can be any string: h = “[email protected]” ∈ G
  … but cannot compute secret key
RSA is not an IBE:
  Cannot map an ID to an RSA public key (N, e)
Pairings to the rescue: BF-IBE [BF’01]
S(): (G, GT, g, q) ← GenBilGroup(), α ← Zq
  PP := [g, y ← g^α] ∈ G^2 ; MK := α
  H: ID → G (hash function)
K(MK, ID): d ← H(ID)^α
E(PP, ID, m): s ← Zq and do C ← (g^s, m · e(y, H(ID))^s)
D(d, (c1,c2)): observe e(c1, d) = e(g^s, H(ID)^α) = e(g, H(ID))^(αs) = e(y, H(ID))^s
Another IBE: BB-IBE [BB’04]
S(): (G, GT, g, q) ← GenBilGroup(), α ← Zq
  PP := [g, y ← g^α, g1, h] ∈ G^4 ; MK := g1^α
K(MK, ID): r ← Zq, dID ← (MK · (y^ID · h)^r, g^r)
E(PP, ID, m): s ← Zq and do C ← (g^s, (y^ID · h)^s, m · e(y, g1)^s)
D((d1,d2), (c1,c2,c3)): observe e(c1, d1) / e(c2, d2) = e(y, g1)^s
IBE Security (IND-IDCPA) [BF’01]
Security when attacker can request several private keys
Challenger: (PP, MK) ← S()                       Attacker A
  -> PP
  <- ID (private-key query, repeated)
  -> dID ← K(MK, ID)
  <- (ID*, m0, m1)
  b ← {0,1} ; C* ← E(PP, ID*, mb)
  -> C*
  <- b’ ∈ {0,1}
(S,K,E,D) is IND-IDCPA secure if ∀ PPT A (never querying the key for ID*): |Pr[b=b’] – ½| < neg()
IBE Security (IND-sIDCPA) [CHK’04]
Security when attacker can request several private keys, but must name the target identity ID* up front
Challenger: (PP, MK) ← S()                       Attacker A
  <- ID* (chosen before seeing PP)
  -> PP
  <- ID (private-key query, ID ≠ ID*, repeated)
  -> dID ← K(MK, ID)
  <- (m0, m1)
  b ← {0,1} ; C* ← E(PP, ID*, mb)
  -> C*
  <- b’ ∈ {0,1}
(S,K,E,D) is IND-sIDCPA secure if ∀ PPT A: |Pr[b=b’] – ½| < neg()
IBE Security
BB-IBE security theorem: [BB’04]
  BDDH ⇒ BB-IBE is IND-sIDCPA secure
Waters-IBE: [W’05] generalizes BB-IBE
  BDDH ⇒ Waters-IBE is IND-IDCPA secure
Gentry-IBE: [G’06] short PP
  q-BDHE ⇒ Gentry-IBE is IND-IDCPA secure
New Signature Systems
CDH ⇒ short and efficient sigs (!!)
IBE ⇒ Simple digital Signatures [N’01]
  Sign(MK, m): sig ← K(MK, m)
  Verify(PP, m, sig): Test that sig decrypts messages encrypted using m
Conversely: which sig systems give an IBE?
  Rabin signatures: [Cocks’01, BGH’07]
  Open problem: IBE from GMR, GHR, CS, …
  Blackbox Impossibility: IBE from trapdoor perms [BPRVW’07]
Simple bilinear signatures [BLS ’01]
H: {0,1}* → G hash function. 1 ≠ g ∈ G, |G|=q
G(): α ← Zq, PK: y ← g^α ∈ G, SK: α
Sign(SK, m): S ← H(m)^α ∈ G
Verify(PK,m,S): test: e(S, g) =? e(H(m), y)
  correctness: e(S, g) = e(H(m)^α, g) = e(H(m), g^α) = e(H(m), y)
Thm: When H is modeled as a Random Oracle: CDH holds in G ⇒ sig is existentially unforgeable
Short signature: single group element
Properties
Short:
  BLS: 160 (bits)   RSA: 1024 (bits)   DSS: 320 (bits)
Aggregatable: [BGLS’02, Bol’02]
  User 1: PK1, m1 → S1
  User 2: PK2, m2 → S2
  …
  User n: PKn, mn → Sn
  S1, …, Sn aggregate into a single signature S
Signatures w/o Random Oracles
Signature system from BB-IBE:
G(): α ← Zq, g1, h ← G
  PK := (g, g1, y ← g^α, h) ∈ G^4, SK := g1^α
Sign(SK, m): r ← Zq, S ← (SK · (y^m · h)^r, g^r) ∈ G^2
Verify(PK, m, S=(s1,s2)): e(s1, g) / e(y^m · h, s2) =? e(g1, y)
Selectively unforgeable sigs [GMR’88]
Challenger: (PK,SK) ← K()                        Attacker
  <- m*: msg to attack
  -> PK
  <- m (with m ≠ m*), repeated ; -> S ← Sign(SK, m)
  <- S* ∈ G
Sig is selectively unforgeable if ∀ PPT A: Pr[Verify(PK,m*,S*) = “yes”] < neg()
Security Theorem
Thm: CDH ⇒ (sigs from BB-IBE) are selec. unforgeable
Proof Intuition: algorithm for CDH (us) runs the sig forger
  CDH instance: (g, g1, y = g^α), α ← Zq unknown ; goal: g1^α
  Forger: m* ∈ Zq (the message to attack)
  Us: PK = (g, g1, y, h = y^(−m*) · g)
  Forger: sig queries m ≠ m* ; Us: S
  Forger: S* = (s1, s2) on m*
  Us: g1^α = s1 / s2 (= SK)
Waters Sigs: existentially unforgeable [Wat ’05]
G(): α ← Zq, g1, h, y1,…,yn ← G
  PK: (g, g1, y ← g^α, h, y1, …, yn), all in G, SK: g1^α
Sign(SK, M): r ← Zq, M = m1 m2 … mn ∈ {0,1}^n
  S ← (SK · (y1^m1 ⋯ yn^mn · h)^r, g^r) ∈ G^2
Verify(PK, M, S=(s1, s2)): e(s1, g) / e(y1^m1 ⋯ yn^mn · h, s2) =? e(g1, y)
(BB-sigs use y^M · h where Waters-sigs use y1^m1 ⋯ yn^mn · h)
Existentially unforgeable
Thm: CDH ⇒ Waters-sigs are unforgeable (!!)
Proof sketch (partial): BB: 1/q ; W: 1/(2n) ; m=m* ⇔ a1·m1 + … + an·mn = v
Summary thus far
IBE from pairings:
  BDDH ⇒ efficient secure IBE
  … and extensions: H-IBE, anon-IBE, …
Short signatures from pairings:
  CDH ⇒ existential unforgeability
  with RO: sig ∈ G, without RO: sig ∈ G^2
Part 3: Computing on Ciphertexts
An old open problem [RAD’78]
Doubly homomorphic encryption: (IND-CPA)
(G,E,D) where messages live in Fp, with PPT algorithms A+ and A× s.t.
  A+( E(PK, m1), E(PK, m2) ) → E(PK, m1+m2)
  A×( E(PK, m1), E(PK, m2) ) → E(PK, m1·m2)
Note: ElGamal is multiplicative-homomorphic but not additive …
(computing on ciphertexts)
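An added example (not the tutorial's code) of the A× half of the problem above: textbook ElGamal in the order-q subgroup of Z_p^*, exactly the scheme of the earlier ElGamal slide, with the multiplicative homomorphism implemented as a ciphertext product plus re-randomisation. The parameters p = 2039, q = 1019 (p = 2q + 1, both prime), the generator g = 4 and all function names are my own constructed toy choices; no analogue of A+ exists for this scheme, which is the point of the slide.

```python
# ElGamal over the order-q subgroup of Z_p^* with the multiplicative homomorphism (constructed example).
import secrets

P_MOD, Q_ORD, GEN = 2039, 1019, 4     # p = 2q + 1; g = 4 generates the subgroup of order q

def rand_exp():
    """Uniform exponent in Z_q \ {0} (secrets, so the toy is at least not predictable)."""
    return secrets.randbelow(Q_ORD - 1) + 1

def keygen():
    """G(): SK := alpha <- Z_q ; PK := h <- g^alpha.  Returns (h, alpha)."""
    alpha = rand_exp()
    return pow(GEN, alpha, P_MOD), alpha

def encrypt(h, m):
    """E(PK, m): s <- Z_q, c <- (g^s, m * h^s).  m must be an element of the subgroup."""
    s = rand_exp()
    return pow(GEN, s, P_MOD), m * pow(h, s, P_MOD) % P_MOD

def decrypt(alpha, c):
    """D(SK, (c1, c2)): c1^alpha = (g^s)^alpha = h^s, so m = c2 / c1^alpha."""
    c1, c2 = c
    return c2 * pow(pow(c1, alpha, P_MOD), P_MOD - 2, P_MOD) % P_MOD

def mult_hom(h, ca, cb):
    """A×(E(m1), E(m2)) -> E(m1 * m2): multiply component-wise (exponents add, plaintexts
    multiply), then re-randomise with a fresh (g^t, h^t) so the output is distributed
    like a fresh encryption rather than revealing which ciphertexts it came from."""
    t = rand_exp()
    c1 = ca[0] * cb[0] * pow(GEN, t, P_MOD) % P_MOD
    c2 = ca[1] * cb[1] * pow(h, t, P_MOD) % P_MOD
    return c1, c2

def subgroup_element(k):
    """Encode a small integer k as the subgroup element g^k (plaintexts must lie in the group)."""
    return pow(GEN, k, P_MOD)

def demo_product(k1=7, k2=11):
    """Encrypt g^k1 and g^k2 separately, combine the ciphertexts, decrypt.
    Returns (decrypted value, m1 * m2 mod p); the two must agree."""
    h, alpha = keygen()
    m1, m2 = subgroup_element(k1), subgroup_element(k2)
    c_prod = mult_hom(h, encrypt(h, m1), encrypt(h, m2))
    return decrypt(alpha, c_prod), m1 * m2 % P_MOD

if __name__ == "__main__":
    got, want = demo_product()
    print("E(m1) x E(m2) decrypts to m1*m2:", got == want)
```

Note that the product ciphertext decrypts correctly no matter which random s values the two encryptions used, because (g^s1 · g^s2 · g^t)^α = h^(s1+s2+t) cancels the same factor that was multiplied into the second component.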
Bilinear groups of order N=pq [BGN’05]
G: group of order N=pq. (p, q) secret
bilinear map: e: G × G → GT
G = Gp × Gq. gp = g^q ∈ Gp ; gq = g^p ∈ Gq
Facts: e(gp, gq) = e(gq, gp) = e(g,g)^N = 1
       e(gp, ·) ∈ (GT)q
BGN encryption: (1+)-homomorphic
G(): generate bilinear group G of order N=pq
  PK ← (G, N, g, gp) ; SK ← p
E(PK,m): r ← ZN, C ← g^m · (gp)^r ∈ G
D(SK, C): C^p = [g^m]^p · [(gp)^r]^p = (gq)^m ∈ Gq
  Output: Dlog_gq(C^p)
Note: decryption time is O(√m) ⇒ require small message space (e.g. {0,1})
Homomorphic Properties
C1 ← g^m1 · (gp)^r1, C2 ← g^m2 · (gp)^r2 ∈ G
Additive hom: E(m1+m2) = C1 · C2 · (gp)^s
One mult hom: E(m1·m2) = e(C1, C2) · e(gp, gp)^s
More generally: E(m1), …, E(mn) → E(F(m1,…,mn))
  for any F ∈ ZN[X1,…,Xn] of total degree 2
Example: dot product on encrypted vectors [AW’07]
Security: the subgroup assumption
Subgroup assumption: G ≈ Gp (random elements of G indist. from random elements of Gp)
Distribution PG():
  (G,g,p,q) ← GroupGen() ; N ← pq ; s ← ZN
  Output: (G, N, g, gp, g^s)
Distribution Pp():
  (G,g,p,q) ← GroupGen() ; N ← pq ; s ← ZN
  Output: (G, N, g, gp, (gp)^s)
For any poly-time A:
  | Pr[A(X)=1 : X ← PG()] − Pr[A(X)=1 : X ← Pp()] | < neg()
Thm: BGN is semantically secure under the subgroup assumption
Non-Interactive Zero Knowledge [GOS’06]
NIZK proof size: O(|# gates| )
CRS size: O()
Goal: NIZK for circuit SAT [BFM’88]
(picture: boolean circuit of AND, OR and NOT gates on inputs b1 … b8 ∈ {0,1} with output z)
Goal: prover wants to convince verifier that circuit is satisfiable, in zero knowledge and without interaction
Plan of attack
(picture: the same circuit rebuilt from NAND gates only; inputs b1 … b8 ∈ {0,1}, internal wires b9 … b16, output b17)
NAND(x1,…,xn) = 1 − ∏ xi
Proof = com(b1), com(b2), …, com(bm) and
for all gates (i,j,k) proof that:
  bi, bj, bk ∈ {0,1} and bk = bi NAND bj
Composite order commitments
Common Reference String: (G, g, gp), |G|=N=pq
com(m): r ← ZN, output C ← g^m · (gp)^r
note: com(m1) · com(m2) is a commitment for (m1+m2)
Fact: z = x NAND y ⇔ x, y, z, x+y+2(z−1) ∈ {0,1}
For a C ∈ G we need a (W.I.) proof for the statement: “C=com(0) or C=com(1)”
Then for each gate (i,j,k) generate proof of “0 or 1” for: com(bi), com(bj), com(bk), and
  com(bi) · com(bj) · [com(bk) / com(1)]^2
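An added example (not the GOS construction itself, and not code from the tutorial) of the arithmetisation step that the "Plan of attack" and "Composite order commitments" slides compress into one Fact: it checks the Fact exhaustively, evaluates a NAND-only circuit, and derives for each gate (i,j,k) the four values b_i, b_j, b_k and b_i + b_j + 2(b_k − 1) that the prover must show lie in {0,1}. With commitments, com(b_i)·com(b_j)·[com(b_k)/com(1)]^2 opens to that last value, so the per-gate "0 or 1" proofs are all the verifier needs. The sample circuit, wire numbering and function names are my own constructed choices; there are no commitments or pairings here, only the integers they would commit to.

```python
# Circuit SAT -> per-gate {0,1} checks, on plain integers (constructed example).

def nand_fact_holds():
    """Exhaustive check of the slide's Fact over a range wider than {0,1}:
    z = x NAND y  <=>  x, y, z and x + y + 2*(z - 1) are all in {0,1}."""
    for x in range(-1, 3):
        for y in range(-1, 3):
            for z in range(-1, 3):
                lhs = x in (0, 1) and y in (0, 1) and z == 1 - x * y
                rhs = all(v in (0, 1) for v in (x, y, z, x + y + 2 * (z - 1)))
                if lhs != rhs:
                    return False
    return True

def evaluate(inputs, gates):
    """Evaluate a NAND circuit given as gates (i, j, k) meaning b_k = b_i NAND b_j.
    Wires are numbered from 1: inputs first, then the gate outputs in gate order."""
    wires = {n + 1: bit for n, bit in enumerate(inputs)}
    for i, j, k in gates:
        wires[k] = 1 - wires[i] * wires[j]
    return wires

def gate_values(wires, gates):
    """Per gate (i, j, k): the four quantities the prover must show are 0 or 1.
    The fourth is what com(b_i) * com(b_j) * [com(b_k) / com(1)]^2 commits to."""
    return [(wires[i], wires[j], wires[k], wires[i] + wires[j] + 2 * (wires[k] - 1))
            for i, j, k in gates]

def verifier_accepts(wires, gates, output_wire):
    """Verifier-side view: the output wire is 1 and every per-gate value is in {0,1}.
    By the Fact, this holds iff every wire really is the NAND of its inputs."""
    return wires[output_wire] == 1 and all(
        v in (0, 1) for quad in gate_values(wires, gates) for v in quad)

# Constructed sample circuit in the shape of the slide: inputs b1..b8,
# internal wires b9..b16, output b17.  NAND(x, x) serves as NOT.
GATES = [(1, 2, 9), (3, 4, 10), (5, 6, 11), (7, 8, 12),
         (9, 10, 13), (11, 12, 14), (13, 14, 15), (15, 15, 16), (16, 16, 17)]
OUTPUT = 17

def cheating_prover_caught():
    """A prover who evaluates on a non-satisfying input and then overwrites the
    output wire produces a per-gate value outside {0,1} at the last gate."""
    wires = evaluate([1] * 8, GATES)      # honest evaluation gives b17 = 0
    wires[OUTPUT] = 1                     # lie about the output
    return not verifier_accepts(wires, GATES, OUTPUT)

if __name__ == "__main__":
    print("Fact holds:", nand_fact_holds())
    print("all-zero input satisfies:", verifier_accepts(evaluate([0] * 8, GATES), GATES, OUTPUT))
    print("tampered output caught:", cheating_prover_caught())
```

The reduction to a linear condition is what makes the composite-order commitment scheme sufficient: additions of committed values are free (com(m1)·com(m2)), so the only proof the verifier ever sees is the "0 or 1" proof, applied four times per gate.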
GOS (W.I.) Proof
Common Reference String: (G, g, gp), |G|=N=pq
Let C = g^m · (gp)^r
IF: C = g · (gp)^r (= com(1)) or C = (gp)^r (= com(0))
THEN: L = e(C, C·g^(−1)) = e(gp, ·) ∈ (GT)q (order p)    (*)
  since ∀ m ∈ {0,1}, r: e(C, C·g^(−1)) = e( gp, g^(2m−1) · (gp)^r )^r
Proof that (*) is true: π = ( g^(2m−1) · (gp)^r )^r ∈ G
To verify proof test if: e(C, C·g^(−1)) =? e(gp, π)
Why is the proof Zero Knowledge?
Common Reference String: (G, g, gp), |G|=N=pq
Basic idea: Simulator uses (G, g, g_rand) as CRS
  Indistinguishable by subgroup assumption
  Commitment C = g^m · (g_rand)^r contains no info on m
Summary: multi-theorem NIZK
NIZK proof size: O(|# gates| )
CRS size: O()
Part 4: open problems
Open problems
1. n-linear maps?
   e: G^n → GT where Dlog in G is intractable
   Motivation: Homomorphic encryption, broadcast enc, … [BS’02]
2. Verifiable Random Functions [MRV’99]
   Verifiable Random Function (VRF): Setup() → (PK,SK) ; PRF F(SK, x) → y and proof π ; verify(PK, x, y, π) → yes/no
   Pairing-based constructions: [L’02, DY05]
     PK = (g, g^α), SK = α
     F(α, x) = e(g,g)^(1/(α+x)) ; π = g^(1/(α+x))
   but, security reduction takes exponential time in |x|
   Question: “simple” construction with poly-time reduction
THE END
Pairings: A powerful tool for building cryptosystems