1 / 55

Pairing-Based Cryptography

Pairing-Based Cryptography. Dan Boneh Stanford University. [Tutorial: FOCS 2007]. A new tool: pairings (>1200 papers). Encryption schemes with new properties: Identity-based, Broadcast, Forward secure, Homomorphic, Searchable, Proxiable, CCA, …

moesha
Download Presentation

Pairing-Based Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Pairing-Based Cryptography Dan Boneh Stanford University [Tutorial: FOCS 2007]

  2. A new tool: pairings(>1200 papers) • Encryption schemes with new properties: Identity-based, Broadcast, Forward secure, Homomorphic, Searchable, Proxiable, CCA, … • Signature systems with new properties: Short, Aggregate, Append-only,VRF, Short group sigs, e-cash, … • Efficient non-interactive zero-knowledge (NIZK)

  3. Conferences: PiC 2005

  4. Conferences: Pairings 2007

  5. Commercial Interest

  6. Gemalto (formerly Gemplus)

  7. Part 1: What is a pairing?

  8. A := ga B := gb Recall: Diffie-Hellman protocol • G: group of prime order q ; g  G generator • Security: Decision Diffie-Hellman assumption in G: (g, A, B, gab ) indist. from (g, A, B, grand ) Alice a  Zq Bob b  Zq gab gab

  9. 0 if z=xy 1 otherwise Standard complexity assumptions • G: group of order q ; 1 g  G ; x,y,z  Zq • Discrete-log problem: g, gx x • Computational Diffie-Hellman problem (CDH): g, gx , gy  gxy • Decision Diffie-Hellman problem (DDH): g, gx , gy , gz

  10. Dlog Alg Time E(Fp) : Pollard Rho p Dlog problem believed to be harder in E(Fp) : (Z/pZ)* : GNFS eln p 3  Groups used in cryptography • Groups where Dlog, CDH, DDH believed hard: • (Z/pZ)* for prime p • Elliptic Curves: E(Fp):y2 = x3 + ax + b

  11. Pairings • Additional structure on elliptic curves : pairings • Defined by A. Weil (1946) • Miller ’84: Algorithm for computing • MOV ’93: Used to attack certain EC systems • Recently (2000-7): lots of crypto applications • Joux[ANTS’00] , Sakai-Ohgishi-Kasahara[SCIS ’00]

  12. GT G Pairings ga e(g,g)ab • G , GT :finite cyclic groups of prime order q. • Def: A pairinge: GG GT is a map: • Bilinear: e(ga, gb) = e(g,g)aba,bZ, gG • Poly-time computable and non-degenerate: g generates G  e(g,g) generates GT • Current examples: G  E(Fp) , GT (Fp)* (  = 1, 2, 3, 4, 6, 10, 12 ) gb e( gx , hy ) = e( gy , hx )

  13. ? e(g, gz) = e(gx, gy) DLog in GT e(g,g), e(g,ga) GT Consequences of pairing • Decision Diffie-Hellman (DDH) in G is easy: [J’00, JN’01] • input: g, gx, gy , gz G • to test if z=xy do: • Dlog reduction from G to GT : [MOV ’93] DLog in G  g, ga  G

  14. 0 if z=xy 1 otherwise Complexity assumptions in bilinear groups  • e: G  G  GT ; 1 g  G ; x,y,z  Zq • Discrete-log problem: g, gx x • Computational Diffie-Hellman problem (CDH): g, gx , gy  gxy • Bilinear Decision Diffie-Hellman problem (BDDH): g, gx , gy , g z   h, e(h, )

  15. P Q E(Fp)[q] q q Where pairings come from … E(Fp) = G Tate pairing: e(P, Q) := fP(Q) (p-1)/q , (fP) = q(P) - q(O) V. Miller (84): fP has a short straight line program … but:  P,Q  E(Fp) : e(P,Q) = 1

  16. E(Fp)[q]  Q P Def: e( P, Q) = e( P, (Q) ) e: G  G  GT Supersingular bilinear groups • Supersingular curves: ( e.g. y2 = x3 + x ,p=3 (mod 4) ) E(Fp) = G Possible : =2,3,4,6 or “”=7.5 [RS ’02]

  17. E(Fp)[q] MNT and BN groups G1 Open problem: larger (prime order E(Fp) ) e.g.  = 16,20,24, … E(Fp) = G0 e: G0 G1  GT • MNT ’01 Curves:=2,3,4,6 • BN ’05, F’05 Curves: =10, 12 not supersingular curves

  18. Part 2: Crypto Applications

  19. E( PKalice , msg ) Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G() (PK,SK) outputs pub-key and secret-key E(PK, m)  c encrypt m using pub-key PK D(SK, c)  m decrypt c using SK obtain PKalice

  20. Example: ElGamal encryption • G(): (G, g, q)  GenGroup() SK := (   Zq ) ; PK := ( h  g ) • E(PK, mG): sZq and do c (gs , m  hs) • D(SK=, c=(c1,c2) ): observe c1 = (gs) = hs • Security (IND-CPA) based on the DDH assumption: (g, h, gs, hs) indist. from (g, h, gs, grand) Note:ElGamal is insecure in bilinear groups

  21. I am“alice@gmail.com” email encrypted using public key: “alice@gmail.com” Private key Identity Based Encryption [Sha ’84] • IBE: PKE system where PK is an arbitrary string • e.g. e-mail address, phone number, IP addr… CA/PKG master-key

  22. Identity Based Encryption [Sha ’84] Four algorithms : (S,K,E,D) S() (PP,MK) output params, PP, and master-key, MK K(MK, ID)  dID outputs private key, dID , for ID E(PP, ID, m)  c encrypt m using pub-key ID (and PP) D(dID, c)  m decrypt c using dID IBE “compresses” exponentially many PKs into a short PP

  23. Using IBE as a primitive IBE • CCA-secure public key encryption [CHK’04, BK’04, BMW’05] • Non-interactive CCA-secure threshold encryption [BBH’05] • Searchable public key enc [BDOP’04, AB…’05] • Automatic trust negotiations [LDB’03] • Forward secure encryption [CHK ’03] (from H-IBE)

  24. Can we build an IBE ?? • ElGamal is not an IBE: SK := (   Zq ) ; PK := ( h  g ) • PK can be any string: h = “alice@gmail.com”  G • … but cannot compute secret key  • RSA is not an IBE: • Cannot map to an RSA public key (N, e)

  25. = e(g, H(ID)s ) Pairings to the rescue: BF-IBE[BF’01] • S(): (G, GT, g, q)  GenBilGroup() ,   Zq PP := [g, yg ] G ; MK :=  • K(MK, ID): dH(ID) • E(PP, ID, m): sZq and do C (gs , m  e(y, H(ID))s) • D( d, (c1,c2) ): observe: e( c1 , d ) = e( gs, H(ID)) H: ID G

  26. Another IBE: BB-IBE[BB’04] • S(): (G, GT, g, q)  GenBilGroup() ,   Zq PP := [g, yg, g1 , h] G ; MK := g1 • K(MK, ID):dID(MK (yIDh)r , gr) • E(PP, ID, m):sZq and do C (gs , (yIDh)s , me(y,g1)s) • D( (d1,d2), (c1,c2,c3) ): observe: e(c1, d1) / e(c2, d2) = e(y, g1)s r Zq

  27. ID dID K(MK, ID) PP (ID, m0, m1) * C*  E( PP, ID , mb) b{0,1} * b’  {0,1} IBE Security (IND-IDCPA)[BF’01] • Security when attacker can request several private keys Challenger Attacker A PP, MK  S() (S,K,E,D) is IND-IDCPA secure if PPT A: |Pr[b=b’] – ½| < neg()

  28. ID* ID dID K(MK, ID) PP ( m0, m1) C*  E( PP, ID , mb) b{0,1} * b’  {0,1} IBE Security (IND-sIDCPA)[CHK’04] • Security when attacker can request several private keys Challenger Attacker A PP, MK  S() ID* (S,K,E,D) is IND-sIDCPA secure if PPT A: |Pr[b=b’] – ½| < neg()

  29. IBE Security • BB-IBE security theorem: [BB’04] BDDH  BB-IBE is IND-sIDCPA secure • Waters-IBE: [W’05] generalizes BB-IBE BDDH  Waters-IBE is IND-IDCPA secure • Gentry-IBE: [G’06] short PP q-BDHE  Gentry-IBE is IND-IDCPA secure

  30. New Signature Systems CDH  short and efficient sigs (!!)

  31. IBE  Simple digital Signatures [N’01] • Sign(MK, m): sig  K(MK, m) • Verify(PP, m, sig): Test that sig decrypts messages encrypted using m • Conversely: which sig systems give an IBE? • Rabin signatures: [Cocks’01, BGH’07] • Open problem: IBE from GMR, GHR, CS, … • Blackbox Impossibility: IBE from trapdoor perms [BPRVW’07]

  32. = = e(H(m), g) = e(H(m), g) Simple bilinear signatures [BLS ’01] • H: {0,1}*  G hash function. 1 g  G, |G|=q • G():  Zq, PK: y  g  G, SK:  • Sign(SK, m): S  H(m)  G • Verify(PK,m,S): test: e(S, g) = e(H(m), y) • Thm: When H is modeled as a Random Oracle: CDH holds in G  sig is existentially unforgeable ? Short signature: single group element

  33. S User 1: PK1 , m1 S1 User 2: PK2 , m2 S2 User n: PKn , mn Sn Properties • Short: • Aggregatable: [BGLS’02, Bol’02]

  34. Signatures w/o Random Oracles Signature system from BB-IBE: • G():   Zq, g1, h  G PK := ( g, g1, y  g , h)  G,SK := g1 • Sign(SK, m): r  Zq , S  (SK  (ymh)r , gr)  G2 • Verify(PK, m, S=(s1,s2) ): e(s1, g) / e(ymh, s2) = e(g1, y) ?

  35. m* : msg to attack m  m* S  Sign(SK, m) PK S*  G Selectively unforgeable sigs [GMR’88] Sig is selectively unforgrable if  PPT A: Pr[Verify(PK,m*,S*) = “yes”] < neg() Challenger Attacker (PK,SK) K()

  36. m* Zq S* = (s1 , s2 ) (g, g1, y=g) PK = (g, g1, y, h=y-m*g ) m m* S m* Zq g1= s1/s2 Security Theorem Thm: CDH  (sigs from BB-IBE) are selec. unforgeable Proof Intuition: Algorithm for CDH (us) Sig Forger SK = g1

  37. Waters Sigs: existentially unforgeable [Wat ’05] • G():   Zq , g1, h, y1,…,yn  G PK: (g, g1, y  g , h, y1 , …, yn)  G,SK: g1 • Sign(SK, M): r  Zq , M=m1m2 … mn  {0,1}n S  (SK  ( )r , gr)  G2 • Verify(PK, M, S=(s1, s2) ): e(s1 ,g) / e(y1m1 … ynmnh, s2 ) = e(g1, y) y1m1 … ynmnh yMh

  38. Existentially unforgeable • Thm: CDH  Waters-sigs are unforgeable (!!) m* W BB 1/(2n) 1/q a1m1+ … + anmn = v m=m*

  39. Summary thus far IBE from pairings: • BDDH  efficient secure IBE • … and extensions: H-IBE, anon-IBE , … Short signatures from pairings: • CDH  existential unforgeablility • with RO: sig  G , without RO: sig  G2

  40. Part 3: Computing on Ciphertexts

  41. An old open problem [RAD’78] • Doubly homomorphic encryption: (IND-CPA) • (G,E,D) where messages live in Fp •  PPT algorithms A+ and As.t. A+( E(PK, m1) , E(PK, m2) ) E(PK, m1+m2 ) A( E(PK, m1) , E(PK, m2) ) E(PK, m1m2) • Note: ElGamal is multiplicative-homomorphic but not additive …  computing on ciphertexts

  42. Bilinear groups of order N=pq [BGN’05] • G: group of order N=pq. (p, q) – secret bilinear map: e: G  G  GT G = Gp  Gq . gp = gq  Gp ; gq = gp  Gq • Facts: e( gp , gq ) = e(gq , gp) = e(g,g)N = 1 e( gp ,  )  (GT)q

  43. BGN encryption: (1+)-homomorphic • G(): generate bilinear group G of order N=pq PK  (G, N, g, gp) ; SK  p • E(PK,m) : r  ZN , C  gm (gp)r G • D(SK, C) : Cp = [gm]p  [gpr]p = (gq)m  Gq Output: Dloggq( Cp ) • Note: decryption time is O(m )  require small message space ( e.g. {0,1} )

  44. Homomorphic Properties • C1  gm1 (gp)r1 , C2  gm2 (gp)r2  G • Additive hom: E(m1+m2) = C1  C2  (gp)s • One mult hom: E(m1m2) = e(C1,C2)  e(gp,gp)s • More generally: E(m1), …, E(mn)  E(F(m1,…,mn)) For any FZN[X1,…,Xn] of total degree 2 • Example: dot product on encrypted vectors [AW’07] ^ ^

  45. Security: the subgroup assumption • Subgroup assumption: G  Gp DistributionPp (): (G,g,p,q)  GroupGen() N  pq s  ZN Output: (G, N, g, gp, (gp)s) DistributionPG (): (G,g,p,q)  GroupGen() N  pq s  ZN Output: (G, N, g, gp, gs) For any poly-time A: | Pr[A(X) : XPG()] Pr[A(X) : XPp()]| < neg() Thm: BGN is semantically secure under the subgroup assumption

  46. Non-Interactive Zero Knowledge [GOS’06] NIZK proof size: O(|# gates|  ) CRS size: O()

  47. Goal: NIZK for circuit SAT [BFM’88] z AND boolean circuit OR NOT OR NOT AND AND NOT AND  {0,1} b1 b2 b3 b4 b5 b6 b7 b8 Goal: prover wants to convince verifier that circuit is satisfiable in zero knowledge and without interaction

  48. Plan of attack NAND(x1,…,xn) = 1-xi b17 NAND boolean circuit b15 b14 b16 NAND NAND NAND b9 b10 b11 b12 b13 NAND NAND NAND NAND NAND  {0,1} b1 b2 b3 b4 b5 b6 b7 b8 com(b1) , com(b2) , …, com(bm) and for all gates (i,j,k) proof that: bi , bj , bk {0,1} and bk = biNAND bj Proof =

  49. Composite order commitments • Common Reference String: (G, g, gp) , |G|=N=pq • com(m): r  ZN , output Cgm(gp)r note: com(m1)  com(m2) is commitment for (m1+m2) • Fact: z = x NAND y x, y, z, x+y+2(z-1)  {0,1} • For a CG we need a (W.I.) proof for the statement: “C=com(0) or C=com(1) ” • Then for each gate (i,j,k) generate proof of “0 or 1” for: com(bi) , com(bj) , com(bk), and com(bi)  com(bj)  [com(bk) / com(1)]2

  50. com(1) com(0) GOS (W.I.) Proof • Common Reference String: (G, g, gp) , |G|=N=pq • Let C =gm  (gp)r IF: C = g  (gp)r or C = (gp)r THEN: L = e(C , Cg-1) = e(gp ,  )  (GT)q m{0,1}, r : e(C , Cg-1) = e(gp , g2m-1 (gp)r ) • Proof that (*) is true:  = g2m-1 (gp)r G • To verify proof test if: e(C, Cg-1) = e( gp , ) (*) (order p) ?

More Related