670 likes | 1.28k Vues
Pairing-Based Cryptography. Dan Boneh Stanford University. [Tutorial: FOCS 2007]. A new tool: pairings (>1200 papers). Encryption schemes with new properties: Identity-based, Broadcast, Forward secure, Homomorphic, Searchable, Proxiable, CCA, …
E N D
Pairing-Based Cryptography Dan Boneh Stanford University [Tutorial: FOCS 2007]
A new tool: pairings(>1200 papers) • Encryption schemes with new properties: Identity-based, Broadcast, Forward secure, Homomorphic, Searchable, Proxiable, CCA, … • Signature systems with new properties: Short, Aggregate, Append-only,VRF, Short group sigs, e-cash, … • Efficient non-interactive zero-knowledge (NIZK)
A := ga B := gb Recall: Diffie-Hellman protocol • G: group of prime order q ; g G generator • Security: Decision Diffie-Hellman assumption in G: (g, A, B, gab ) indist. from (g, A, B, grand ) Alice a Zq Bob b Zq gab gab
0 if z=xy 1 otherwise Standard complexity assumptions • G: group of order q ; 1 g G ; x,y,z Zq • Discrete-log problem: g, gx x • Computational Diffie-Hellman problem (CDH): g, gx , gy gxy • Decision Diffie-Hellman problem (DDH): g, gx , gy , gz
Dlog Alg Time E(Fp) : Pollard Rho p Dlog problem believed to be harder in E(Fp) : (Z/pZ)* : GNFS eln p 3 Groups used in cryptography • Groups where Dlog, CDH, DDH believed hard: • (Z/pZ)* for prime p • Elliptic Curves: E(Fp):y2 = x3 + ax + b
Pairings • Additional structure on elliptic curves : pairings • Defined by A. Weil (1946) • Miller ’84: Algorithm for computing • MOV ’93: Used to attack certain EC systems • Recently (2000-7): lots of crypto applications • Joux[ANTS’00] , Sakai-Ohgishi-Kasahara[SCIS ’00]
GT G Pairings ga e(g,g)ab • G , GT :finite cyclic groups of prime order q. • Def: A pairinge: GG GT is a map: • Bilinear: e(ga, gb) = e(g,g)aba,bZ, gG • Poly-time computable and non-degenerate: g generates G e(g,g) generates GT • Current examples: G E(Fp) , GT (Fp)* ( = 1, 2, 3, 4, 6, 10, 12 ) gb e( gx , hy ) = e( gy , hx )
? e(g, gz) = e(gx, gy) DLog in GT e(g,g), e(g,ga) GT Consequences of pairing • Decision Diffie-Hellman (DDH) in G is easy: [J’00, JN’01] • input: g, gx, gy , gz G • to test if z=xy do: • Dlog reduction from G to GT : [MOV ’93] DLog in G g, ga G
0 if z=xy 1 otherwise Complexity assumptions in bilinear groups • e: G G GT ; 1 g G ; x,y,z Zq • Discrete-log problem: g, gx x • Computational Diffie-Hellman problem (CDH): g, gx , gy gxy • Bilinear Decision Diffie-Hellman problem (BDDH): g, gx , gy , g z h, e(h, )
P Q E(Fp)[q] q q Where pairings come from … E(Fp) = G Tate pairing: e(P, Q) := fP(Q) (p-1)/q , (fP) = q(P) - q(O) V. Miller (84): fP has a short straight line program … but: P,Q E(Fp) : e(P,Q) = 1
E(Fp)[q] Q P Def: e( P, Q) = e( P, (Q) ) e: G G GT Supersingular bilinear groups • Supersingular curves: ( e.g. y2 = x3 + x ,p=3 (mod 4) ) E(Fp) = G Possible : =2,3,4,6 or “”=7.5 [RS ’02]
E(Fp)[q] MNT and BN groups G1 Open problem: larger (prime order E(Fp) ) e.g. = 16,20,24, … E(Fp) = G0 e: G0 G1 GT • MNT ’01 Curves:=2,3,4,6 • BN ’05, F’05 Curves: =10, 12 not supersingular curves
E( PKalice , msg ) Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G() (PK,SK) outputs pub-key and secret-key E(PK, m) c encrypt m using pub-key PK D(SK, c) m decrypt c using SK obtain PKalice
Example: ElGamal encryption • G(): (G, g, q) GenGroup() SK := ( Zq ) ; PK := ( h g ) • E(PK, mG): sZq and do c (gs , m hs) • D(SK=, c=(c1,c2) ): observe c1 = (gs) = hs • Security (IND-CPA) based on the DDH assumption: (g, h, gs, hs) indist. from (g, h, gs, grand) Note:ElGamal is insecure in bilinear groups
I am“alice@gmail.com” email encrypted using public key: “alice@gmail.com” Private key Identity Based Encryption [Sha ’84] • IBE: PKE system where PK is an arbitrary string • e.g. e-mail address, phone number, IP addr… CA/PKG master-key
Identity Based Encryption [Sha ’84] Four algorithms : (S,K,E,D) S() (PP,MK) output params, PP, and master-key, MK K(MK, ID) dID outputs private key, dID , for ID E(PP, ID, m) c encrypt m using pub-key ID (and PP) D(dID, c) m decrypt c using dID IBE “compresses” exponentially many PKs into a short PP
Using IBE as a primitive IBE • CCA-secure public key encryption [CHK’04, BK’04, BMW’05] • Non-interactive CCA-secure threshold encryption [BBH’05] • Searchable public key enc [BDOP’04, AB…’05] • Automatic trust negotiations [LDB’03] • Forward secure encryption [CHK ’03] (from H-IBE)
Can we build an IBE ?? • ElGamal is not an IBE: SK := ( Zq ) ; PK := ( h g ) • PK can be any string: h = “alice@gmail.com” G • … but cannot compute secret key • RSA is not an IBE: • Cannot map to an RSA public key (N, e)
= e(g, H(ID)s ) Pairings to the rescue: BF-IBE[BF’01] • S(): (G, GT, g, q) GenBilGroup() , Zq PP := [g, yg ] G ; MK := • K(MK, ID): dH(ID) • E(PP, ID, m): sZq and do C (gs , m e(y, H(ID))s) • D( d, (c1,c2) ): observe: e( c1 , d ) = e( gs, H(ID)) H: ID G
Another IBE: BB-IBE[BB’04] • S(): (G, GT, g, q) GenBilGroup() , Zq PP := [g, yg, g1 , h] G ; MK := g1 • K(MK, ID):dID(MK (yIDh)r , gr) • E(PP, ID, m):sZq and do C (gs , (yIDh)s , me(y,g1)s) • D( (d1,d2), (c1,c2,c3) ): observe: e(c1, d1) / e(c2, d2) = e(y, g1)s r Zq
ID dID K(MK, ID) PP (ID, m0, m1) * C* E( PP, ID , mb) b{0,1} * b’ {0,1} IBE Security (IND-IDCPA)[BF’01] • Security when attacker can request several private keys Challenger Attacker A PP, MK S() (S,K,E,D) is IND-IDCPA secure if PPT A: |Pr[b=b’] – ½| < neg()
ID* ID dID K(MK, ID) PP ( m0, m1) C* E( PP, ID , mb) b{0,1} * b’ {0,1} IBE Security (IND-sIDCPA)[CHK’04] • Security when attacker can request several private keys Challenger Attacker A PP, MK S() ID* (S,K,E,D) is IND-sIDCPA secure if PPT A: |Pr[b=b’] – ½| < neg()
IBE Security • BB-IBE security theorem: [BB’04] BDDH BB-IBE is IND-sIDCPA secure • Waters-IBE: [W’05] generalizes BB-IBE BDDH Waters-IBE is IND-IDCPA secure • Gentry-IBE: [G’06] short PP q-BDHE Gentry-IBE is IND-IDCPA secure
New Signature Systems CDH short and efficient sigs (!!)
IBE Simple digital Signatures [N’01] • Sign(MK, m): sig K(MK, m) • Verify(PP, m, sig): Test that sig decrypts messages encrypted using m • Conversely: which sig systems give an IBE? • Rabin signatures: [Cocks’01, BGH’07] • Open problem: IBE from GMR, GHR, CS, … • Blackbox Impossibility: IBE from trapdoor perms [BPRVW’07]
= = e(H(m), g) = e(H(m), g) Simple bilinear signatures [BLS ’01] • H: {0,1}* G hash function. 1 g G, |G|=q • G(): Zq, PK: y g G, SK: • Sign(SK, m): S H(m) G • Verify(PK,m,S): test: e(S, g) = e(H(m), y) • Thm: When H is modeled as a Random Oracle: CDH holds in G sig is existentially unforgeable ? Short signature: single group element
S User 1: PK1 , m1 S1 User 2: PK2 , m2 S2 User n: PKn , mn Sn Properties • Short: • Aggregatable: [BGLS’02, Bol’02]
Signatures w/o Random Oracles Signature system from BB-IBE: • G(): Zq, g1, h G PK := ( g, g1, y g , h) G,SK := g1 • Sign(SK, m): r Zq , S (SK (ymh)r , gr) G2 • Verify(PK, m, S=(s1,s2) ): e(s1, g) / e(ymh, s2) = e(g1, y) ?
m* : msg to attack m m* S Sign(SK, m) PK S* G Selectively unforgeable sigs [GMR’88] Sig is selectively unforgrable if PPT A: Pr[Verify(PK,m*,S*) = “yes”] < neg() Challenger Attacker (PK,SK) K()
m* Zq S* = (s1 , s2 ) (g, g1, y=g) PK = (g, g1, y, h=y-m*g ) m m* S m* Zq g1= s1/s2 Security Theorem Thm: CDH (sigs from BB-IBE) are selec. unforgeable Proof Intuition: Algorithm for CDH (us) Sig Forger SK = g1
Waters Sigs: existentially unforgeable [Wat ’05] • G(): Zq , g1, h, y1,…,yn G PK: (g, g1, y g , h, y1 , …, yn) G,SK: g1 • Sign(SK, M): r Zq , M=m1m2 … mn {0,1}n S (SK ( )r , gr) G2 • Verify(PK, M, S=(s1, s2) ): e(s1 ,g) / e(y1m1 … ynmnh, s2 ) = e(g1, y) y1m1 … ynmnh yMh
Existentially unforgeable • Thm: CDH Waters-sigs are unforgeable (!!) m* W BB 1/(2n) 1/q a1m1+ … + anmn = v m=m*
Summary thus far IBE from pairings: • BDDH efficient secure IBE • … and extensions: H-IBE, anon-IBE , … Short signatures from pairings: • CDH existential unforgeablility • with RO: sig G , without RO: sig G2
An old open problem [RAD’78] • Doubly homomorphic encryption: (IND-CPA) • (G,E,D) where messages live in Fp • PPT algorithms A+ and As.t. A+( E(PK, m1) , E(PK, m2) ) E(PK, m1+m2 ) A( E(PK, m1) , E(PK, m2) ) E(PK, m1m2) • Note: ElGamal is multiplicative-homomorphic but not additive … computing on ciphertexts
Bilinear groups of order N=pq [BGN’05] • G: group of order N=pq. (p, q) – secret bilinear map: e: G G GT G = Gp Gq . gp = gq Gp ; gq = gp Gq • Facts: e( gp , gq ) = e(gq , gp) = e(g,g)N = 1 e( gp , ) (GT)q
BGN encryption: (1+)-homomorphic • G(): generate bilinear group G of order N=pq PK (G, N, g, gp) ; SK p • E(PK,m) : r ZN , C gm (gp)r G • D(SK, C) : Cp = [gm]p [gpr]p = (gq)m Gq Output: Dloggq( Cp ) • Note: decryption time is O(m ) require small message space ( e.g. {0,1} )
Homomorphic Properties • C1 gm1 (gp)r1 , C2 gm2 (gp)r2 G • Additive hom: E(m1+m2) = C1 C2 (gp)s • One mult hom: E(m1m2) = e(C1,C2) e(gp,gp)s • More generally: E(m1), …, E(mn) E(F(m1,…,mn)) For any FZN[X1,…,Xn] of total degree 2 • Example: dot product on encrypted vectors [AW’07] ^ ^
Security: the subgroup assumption • Subgroup assumption: G Gp DistributionPp (): (G,g,p,q) GroupGen() N pq s ZN Output: (G, N, g, gp, (gp)s) DistributionPG (): (G,g,p,q) GroupGen() N pq s ZN Output: (G, N, g, gp, gs) For any poly-time A: | Pr[A(X) : XPG()] Pr[A(X) : XPp()]| < neg() Thm: BGN is semantically secure under the subgroup assumption
Non-Interactive Zero Knowledge [GOS’06] NIZK proof size: O(|# gates| ) CRS size: O()
Goal: NIZK for circuit SAT [BFM’88] z AND boolean circuit OR NOT OR NOT AND AND NOT AND {0,1} b1 b2 b3 b4 b5 b6 b7 b8 Goal: prover wants to convince verifier that circuit is satisfiable in zero knowledge and without interaction
Plan of attack NAND(x1,…,xn) = 1-xi b17 NAND boolean circuit b15 b14 b16 NAND NAND NAND b9 b10 b11 b12 b13 NAND NAND NAND NAND NAND {0,1} b1 b2 b3 b4 b5 b6 b7 b8 com(b1) , com(b2) , …, com(bm) and for all gates (i,j,k) proof that: bi , bj , bk {0,1} and bk = biNAND bj Proof =
Composite order commitments • Common Reference String: (G, g, gp) , |G|=N=pq • com(m): r ZN , output Cgm(gp)r note: com(m1) com(m2) is commitment for (m1+m2) • Fact: z = x NAND y x, y, z, x+y+2(z-1) {0,1} • For a CG we need a (W.I.) proof for the statement: “C=com(0) or C=com(1) ” • Then for each gate (i,j,k) generate proof of “0 or 1” for: com(bi) , com(bj) , com(bk), and com(bi) com(bj) [com(bk) / com(1)]2
com(1) com(0) GOS (W.I.) Proof • Common Reference String: (G, g, gp) , |G|=N=pq • Let C =gm (gp)r IF: C = g (gp)r or C = (gp)r THEN: L = e(C , Cg-1) = e(gp , ) (GT)q m{0,1}, r : e(C , Cg-1) = e(gp , g2m-1 (gp)r ) • Proof that (*) is true: = g2m-1 (gp)r G • To verify proof test if: e(C, Cg-1) = e( gp , ) (*) (order p) ?