Pairing-Based Cryptography

Pairing-Based Cryptography Dan Boneh Stanford University [Tutorial: FOCS 2007]

A new tool: pairings(>1200 papers) • Encryption schemes with new properties: Identity-based, Broadcast, Forward secure, Homomorphic, Searchable, Proxiable, CCA, … • Signature systems with new properties: Short, Aggregate, Append-only,VRF, Short group sigs, e-cash, … • Efficient non-interactive zero-knowledge (NIZK)

Conferences: PiC 2005

Conferences: Pairings 2007

Commercial Interest

Gemalto (formerly Gemplus)

Part 1: What is a pairing?

A := ga B := gb Recall: Diffie-Hellman protocol • G: group of prime order q ; g  G generator • Security: Decision Diffie-Hellman assumption in G: (g, A, B, gab ) indist. from (g, A, B, grand ) Alice a  Zq Bob b  Zq gab gab

0 if z=xy 1 otherwise Standard complexity assumptions • G: group of order q ; 1 g  G ; x,y,z  Zq • Discrete-log problem: g, gx x • Computational Diffie-Hellman problem (CDH): g, gx , gy  gxy • Decision Diffie-Hellman problem (DDH): g, gx , gy , gz

Dlog Alg Time E(Fp) : Pollard Rho p Dlog problem believed to be harder in E(Fp) : (Z/pZ)* : GNFS eln p 3  Groups used in cryptography • Groups where Dlog, CDH, DDH believed hard: • (Z/pZ)* for prime p • Elliptic Curves: E(Fp):y2 = x3 + ax + b

Pairings • Additional structure on elliptic curves : pairings • Defined by A. Weil (1946) • Miller ’84: Algorithm for computing • MOV ’93: Used to attack certain EC systems • Recently (2000-7): lots of crypto applications • Joux[ANTS’00] , Sakai-Ohgishi-Kasahara[SCIS ’00]

GT G Pairings ga e(g,g)ab • G , GT :finite cyclic groups of prime order q. • Def: A pairinge: GG GT is a map: • Bilinear: e(ga, gb) = e(g,g)aba,bZ, gG • Poly-time computable and non-degenerate: g generates G  e(g,g) generates GT • Current examples: G  E(Fp) , GT (Fp)* (  = 1, 2, 3, 4, 6, 10, 12 ) gb e( gx , hy ) = e( gy , hx )

? e(g, gz) = e(gx, gy) DLog in GT e(g,g), e(g,ga) GT Consequences of pairing • Decision Diffie-Hellman (DDH) in G is easy: [J’00, JN’01] • input: g, gx, gy , gz G • to test if z=xy do: • Dlog reduction from G to GT : [MOV ’93] DLog in G  g, ga  G

0 if z=xy 1 otherwise Complexity assumptions in bilinear groups  • e: G  G  GT ; 1 g  G ; x,y,z  Zq • Discrete-log problem: g, gx x • Computational Diffie-Hellman problem (CDH): g, gx , gy  gxy • Bilinear Decision Diffie-Hellman problem (BDDH): g, gx , gy , g z   h, e(h, )

P Q E(Fp)[q] q q Where pairings come from … E(Fp) = G Tate pairing: e(P, Q) := fP(Q) (p-1)/q , (fP) = q(P) - q(O) V. Miller (84): fP has a short straight line program … but:  P,Q  E(Fp) : e(P,Q) = 1

E(Fp)[q]  Q P Def: e( P, Q) = e( P, (Q) ) e: G  G  GT Supersingular bilinear groups • Supersingular curves: ( e.g. y2 = x3 + x ,p=3 (mod 4) ) E(Fp) = G Possible : =2,3,4,6 or “”=7.5 [RS ’02]

E(Fp)[q] MNT and BN groups G1 Open problem: larger (prime order E(Fp) ) e.g.  = 16,20,24, … E(Fp) = G0 e: G0 G1  GT • MNT ’01 Curves:=2,3,4,6 • BN ’05, F’05 Curves: =10, 12 not supersingular curves

Part 2: Crypto Applications

E( PKalice , msg ) Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G() (PK,SK) outputs pub-key and secret-key E(PK, m)  c encrypt m using pub-key PK D(SK, c)  m decrypt c using SK obtain PKalice

Example: ElGamal encryption • G(): (G, g, q)  GenGroup() SK := (   Zq ) ; PK := ( h  g ) • E(PK, mG): sZq and do c (gs , m  hs) • D(SK=, c=(c1,c2) ): observe c1 = (gs) = hs • Security (IND-CPA) based on the DDH assumption: (g, h, gs, hs) indist. from (g, h, gs, grand) Note:ElGamal is insecure in bilinear groups

I am“alice@gmail.com” email encrypted using public key: “alice@gmail.com” Private key Identity Based Encryption [Sha ’84] • IBE: PKE system where PK is an arbitrary string • e.g. e-mail address, phone number, IP addr… CA/PKG master-key

Identity Based Encryption [Sha ’84] Four algorithms : (S,K,E,D) S() (PP,MK) output params, PP, and master-key, MK K(MK, ID)  dID outputs private key, dID , for ID E(PP, ID, m)  c encrypt m using pub-key ID (and PP) D(dID, c)  m decrypt c using dID IBE “compresses” exponentially many PKs into a short PP

Using IBE as a primitive IBE • CCA-secure public key encryption [CHK’04, BK’04, BMW’05] • Non-interactive CCA-secure threshold encryption [BBH’05] • Searchable public key enc [BDOP’04, AB…’05] • Automatic trust negotiations [LDB’03] • Forward secure encryption [CHK ’03] (from H-IBE)

Can we build an IBE ?? • ElGamal is not an IBE: SK := (   Zq ) ; PK := ( h  g ) • PK can be any string: h = “alice@gmail.com”  G • … but cannot compute secret key  • RSA is not an IBE: • Cannot map to an RSA public key (N, e)

= e(g, H(ID)s ) Pairings to the rescue: BF-IBE[BF’01] • S(): (G, GT, g, q)  GenBilGroup() ,   Zq PP := [g, yg ] G ; MK :=  • K(MK, ID): dH(ID) • E(PP, ID, m): sZq and do C (gs , m  e(y, H(ID))s) • D( d, (c1,c2) ): observe: e( c1 , d ) = e( gs, H(ID)) H: ID G

Another IBE: BB-IBE[BB’04] • S(): (G, GT, g, q)  GenBilGroup() ,   Zq PP := [g, yg, g1 , h] G ; MK := g1 • K(MK, ID):dID(MK (yIDh)r , gr) • E(PP, ID, m):sZq and do C (gs , (yIDh)s , me(y,g1)s) • D( (d1,d2), (c1,c2,c3) ): observe: e(c1, d1) / e(c2, d2) = e(y, g1)s r Zq

ID dID K(MK, ID) PP (ID, m0, m1) * C*  E( PP, ID , mb) b{0,1} * b’  {0,1} IBE Security (IND-IDCPA)[BF’01] • Security when attacker can request several private keys Challenger Attacker A PP, MK  S() (S,K,E,D) is IND-IDCPA secure if PPT A: |Pr[b=b’] – ½| < neg()

ID* ID dID K(MK, ID) PP ( m0, m1) C*  E( PP, ID , mb) b{0,1} * b’  {0,1} IBE Security (IND-sIDCPA)[CHK’04] • Security when attacker can request several private keys Challenger Attacker A PP, MK  S() ID* (S,K,E,D) is IND-sIDCPA secure if PPT A: |Pr[b=b’] – ½| < neg()

IBE Security • BB-IBE security theorem: [BB’04] BDDH  BB-IBE is IND-sIDCPA secure • Waters-IBE: [W’05] generalizes BB-IBE BDDH  Waters-IBE is IND-IDCPA secure • Gentry-IBE: [G’06] short PP q-BDHE  Gentry-IBE is IND-IDCPA secure

New Signature Systems CDH  short and efficient sigs (!!)

IBE  Simple digital Signatures [N’01] • Sign(MK, m): sig  K(MK, m) • Verify(PP, m, sig): Test that sig decrypts messages encrypted using m • Conversely: which sig systems give an IBE? • Rabin signatures: [Cocks’01, BGH’07] • Open problem: IBE from GMR, GHR, CS, … • Blackbox Impossibility: IBE from trapdoor perms [BPRVW’07]

= = e(H(m), g) = e(H(m), g) Simple bilinear signatures [BLS ’01] • H: {0,1}*  G hash function. 1 g  G, |G|=q • G():  Zq, PK: y  g  G, SK:  • Sign(SK, m): S  H(m)  G • Verify(PK,m,S): test: e(S, g) = e(H(m), y) • Thm: When H is modeled as a Random Oracle: CDH holds in G  sig is existentially unforgeable ? Short signature: single group element

S User 1: PK1 , m1 S1 User 2: PK2 , m2 S2 User n: PKn , mn Sn Properties • Short: • Aggregatable: [BGLS’02, Bol’02]

Signatures w/o Random Oracles Signature system from BB-IBE: • G():   Zq, g1, h  G PK := ( g, g1, y  g , h)  G,SK := g1 • Sign(SK, m): r  Zq , S  (SK  (ymh)r , gr)  G2 • Verify(PK, m, S=(s1,s2) ): e(s1, g) / e(ymh, s2) = e(g1, y) ?

m* : msg to attack m  m* S  Sign(SK, m) PK S*  G Selectively unforgeable sigs [GMR’88] Sig is selectively unforgrable if  PPT A: Pr[Verify(PK,m*,S*) = “yes”] < neg() Challenger Attacker (PK,SK) K()

m* Zq S* = (s1 , s2 ) (g, g1, y=g) PK = (g, g1, y, h=y-m*g ) m m* S m* Zq g1= s1/s2 Security Theorem Thm: CDH  (sigs from BB-IBE) are selec. unforgeable Proof Intuition: Algorithm for CDH (us) Sig Forger SK = g1

Waters Sigs: existentially unforgeable [Wat ’05] • G():   Zq , g1, h, y1,…,yn  G PK: (g, g1, y  g , h, y1 , …, yn)  G,SK: g1 • Sign(SK, M): r  Zq , M=m1m2 … mn  {0,1}n S  (SK  ( )r , gr)  G2 • Verify(PK, M, S=(s1, s2) ): e(s1 ,g) / e(y1m1 … ynmnh, s2 ) = e(g1, y) y1m1 … ynmnh yMh

Existentially unforgeable • Thm: CDH  Waters-sigs are unforgeable (!!) m* W BB 1/(2n) 1/q a1m1+ … + anmn = v m=m*

Summary thus far IBE from pairings: • BDDH  efficient secure IBE • … and extensions: H-IBE, anon-IBE , … Short signatures from pairings: • CDH  existential unforgeablility • with RO: sig  G , without RO: sig  G2

Part 3: Computing on Ciphertexts

An old open problem [RAD’78] • Doubly homomorphic encryption: (IND-CPA) • (G,E,D) where messages live in Fp •  PPT algorithms A+ and As.t. A+( E(PK, m1) , E(PK, m2) ) E(PK, m1+m2 ) A( E(PK, m1) , E(PK, m2) ) E(PK, m1m2) • Note: ElGamal is multiplicative-homomorphic but not additive …  computing on ciphertexts

Bilinear groups of order N=pq [BGN’05] • G: group of order N=pq. (p, q) – secret bilinear map: e: G  G  GT G = Gp  Gq . gp = gq  Gp ; gq = gp  Gq • Facts: e( gp , gq ) = e(gq , gp) = e(g,g)N = 1 e( gp ,  )  (GT)q

BGN encryption: (1+)-homomorphic • G(): generate bilinear group G of order N=pq PK  (G, N, g, gp) ; SK  p • E(PK,m) : r  ZN , C  gm (gp)r G • D(SK, C) : Cp = [gm]p  [gpr]p = (gq)m  Gq Output: Dloggq( Cp ) • Note: decryption time is O(m )  require small message space ( e.g. {0,1} )

Homomorphic Properties • C1  gm1 (gp)r1 , C2  gm2 (gp)r2  G • Additive hom: E(m1+m2) = C1  C2  (gp)s • One mult hom: E(m1m2) = e(C1,C2)  e(gp,gp)s • More generally: E(m1), …, E(mn)  E(F(m1,…,mn)) For any FZN[X1,…,Xn] of total degree 2 • Example: dot product on encrypted vectors [AW’07] ^ ^

Security: the subgroup assumption • Subgroup assumption: G  Gp DistributionPp (): (G,g,p,q)  GroupGen() N  pq s  ZN Output: (G, N, g, gp, (gp)s) DistributionPG (): (G,g,p,q)  GroupGen() N  pq s  ZN Output: (G, N, g, gp, gs) For any poly-time A: | Pr[A(X) : XPG()] Pr[A(X) : XPp()]| < neg() Thm: BGN is semantically secure under the subgroup assumption

Non-Interactive Zero Knowledge [GOS’06] NIZK proof size: O(|# gates|  ) CRS size: O()

Goal: NIZK for circuit SAT [BFM’88] z AND boolean circuit OR NOT OR NOT AND AND NOT AND  {0,1} b1 b2 b3 b4 b5 b6 b7 b8 Goal: prover wants to convince verifier that circuit is satisfiable in zero knowledge and without interaction

Plan of attack NAND(x1,…,xn) = 1-xi b17 NAND boolean circuit b15 b14 b16 NAND NAND NAND b9 b10 b11 b12 b13 NAND NAND NAND NAND NAND  {0,1} b1 b2 b3 b4 b5 b6 b7 b8 com(b1) , com(b2) , …, com(bm) and for all gates (i,j,k) proof that: bi , bj , bk {0,1} and bk = biNAND bj Proof =

Composite order commitments • Common Reference String: (G, g, gp) , |G|=N=pq • com(m): r  ZN , output Cgm(gp)r note: com(m1)  com(m2) is commitment for (m1+m2) • Fact: z = x NAND y x, y, z, x+y+2(z-1)  {0,1} • For a CG we need a (W.I.) proof for the statement: “C=com(0) or C=com(1) ” • Then for each gate (i,j,k) generate proof of “0 or 1” for: com(bi) , com(bj) , com(bk), and com(bi)  com(bj)  [com(bk) / com(1)]2

com(1) com(0) GOS (W.I.) Proof • Common Reference String: (G, g, gp) , |G|=N=pq • Let C =gm  (gp)r IF: C = g  (gp)r or C = (gp)r THEN: L = e(C , Cg-1) = e(gp ,  )  (GT)q m{0,1}, r : e(C , Cg-1) = e(gp , g2m-1 (gp)r ) • Proof that (*) is true:  = g2m-1 (gp)r G • To verify proof test if: e(C, Cg-1) = e( gp , ) (*) (order p) ?

Pairing-Based Cryptography

Pairing-Based Cryptography

Presentation Transcript

Position Based Cryptography

Identity-Based Encryption from the Weil Pairing

Position Based Cryptography*

Position- Based Quantum Cryptography

A Pairing-Based Blind Signature E-Voting Scheme

Lattice-based Cryptography

Pairing-Based Non-interactive Proofs

An Introduction to Pairing Based Cryptography

Identity Based Cryptography

Identity-based authenticated key agreement protocol based on Weil pairing

Lattice-Based Cryptography

Identity-Based Encryption form the Weil Pairing

Identity-based authenticated key agreement protocol based on Weil pairing

Pairing-Based Non-interactive Zero-Knowledge Proofs

Lattice-Based Cryptography

Pairing-Based Cryptography

Pairing

Lattice-based Cryptography

Pairing-Based Non-interactive Zero-Knowledge Proofs

Lattice-Based Cryptography