Déjà Q: Using Dual Systems to Revisit q-Type Assumptions
Transcript of Déjà Q: Using Dual Systems to Revisit q-Type Assumptions
![Page 1: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/1.jpg)
Déjà Q: Using Dual Systems to Revisit q-Type Assumptions
Melissa Chase (MSR Redmond)Sarah Meiklejohn (UC San Diego → University College London)
1
![Page 2: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/2.jpg)
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
![Page 3: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/3.jpg)
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
![Page 4: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/4.jpg)
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
![Page 5: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/5.jpg)
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
With great functionality, comes great (ir)responsibility!
![Page 6: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/6.jpg)
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
With great functionality, comes great (ir)responsibility!
• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)
![Page 7: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/7.jpg)
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
With great functionality, comes great (ir)responsibility!
• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)
• Later assumptions: Subgroup Hiding [BGN05], Decision Linear, SXDH
![Page 8: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/8.jpg)
Pairing-based cryptography: a brief history
2
Historically, pairings have provided great functionality
• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]
With great functionality, comes great (ir)responsibility!
• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)
• Later assumptions: Subgroup Hiding [BGN05], Decision Linear, SXDH
• Even later assumptions: q-SDH, q-ADHSDH, q-EDBDH, q-SDH-III, q-SFP, “source group q-parallel BDHE,” etc.
![Page 9: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/9.jpg)
Why are q-type assumptions worrisome?
3
![Page 10: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/10.jpg)
Why are q-type assumptions worrisome?
3
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
IBE universe
![Page 11: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/11.jpg)
Why are q-type assumptions worrisome?
3
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
IBE universe
![Page 12: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/12.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
IBE universe
![Page 13: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/13.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
![Page 14: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/14.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
![Page 15: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/15.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒ AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
(g,gx,…,gxq)
![Page 16: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/16.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒ AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
(g,gx,…,gxq)
![Page 17: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/17.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒/ AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
(g,gx,…,gxq)
![Page 18: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/18.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒/
q+5-SDH ⇒
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
(g,gx,…,gxq)
(g,gx,…,gxq,…,gxq+5)
![Page 19: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/19.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒/
q+5-SDH ⇒
>
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
(g,gx,…,gxq)
(g,gx,…,gxq,…,gxq+5)
![Page 20: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/20.jpg)
Why are q-type assumptions worrisome?
3
BDH ⇒AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
IBE universe
q-SDH ⇒/
q+5-SDH ⇒
>
t/√q steps [Cheon06]
t/√q+5 steps
AliceBob
CharlesDoraErnie
FredGeorgeHannahIsabelleJulian
KateLouiseMelissaNicholas
Otis
PhilQuentinRachelSarahTristan
UrsulaVanessaWilliamXavier
Yevgeniy
![Page 21: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/21.jpg)
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
![Page 22: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/22.jpg)
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
![Page 23: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/23.jpg)
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
![Page 24: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/24.jpg)
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Apply dual systems directly to variants of the uber-assumption [BBG05,B08]
![Page 25: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/25.jpg)
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Apply dual systems directly to variants of the uber-assumption [BBG05,B08]
• Reduce* to an assumption that holds by a statistical argument
*currently only in composite-order groups
![Page 26: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/26.jpg)
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Apply dual systems directly to variants of the uber-assumption [BBG05,B08]
• Reduce* to an assumption that holds by a statistical argument
• Adapt dual systems to work for deterministic primitives
*currently only in composite-order groups
![Page 27: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/27.jpg)
Moving away from q-type assumptions
4
Dual systems [W09,…] have proved effective at removing q-type assumptions
• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps
Apply dual systems directly to variants of the uber-assumption [BBG05,B08]
• Reduce* to an assumption that holds by a statistical argument
• Adapt dual systems to work for deterministic primitives
Extension to Dodis-Yampolskiy PRF [DY05]*currently only in composite-order groups
![Page 28: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/28.jpg)
Outline
5
![Page 29: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/29.jpg)
Outline
5
Bilinear groups
![Page 30: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/30.jpg)
Outline
5
Bilinear groups q-Type assumptions
![Page 31: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/31.jpg)
Outline
5
Bilinear groups q-Type assumptions
Extensions
![Page 32: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/32.jpg)
Outline
5
Bilinear groups q-Type assumptions
Extensions Conclusions
![Page 33: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/33.jpg)
Outline
5
Bilinear groups q-Type assumptions
Extensions Conclusions
Bilinear groupsSubgroup hiding Parameter hiding
Dual systems
![Page 34: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/34.jpg)
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
![Page 35: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/35.jpg)
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
![Page 36: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/36.jpg)
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
![Page 37: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/37.jpg)
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
![Page 38: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/38.jpg)
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
}
G = <g>; H = <h>
![Page 39: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/39.jpg)
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
}
G = <g>; H = <h>
![Page 40: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/40.jpg)
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
}
G = <g>; H = <h>
subgroup hiding
![Page 41: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/41.jpg)
Standard bilinear group: (N, G, H, GT, e, g, h)
Properties of (bilinear) groups
6
Group order; prime or composite
}
|G| = |H| = κN; |GT| = λN
e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ
non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1
}
G = <g>; H = <h>
subgroup hidingparameter hiding
![Page 42: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/42.jpg)
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding
7
subgroup hidingparameter hiding
![Page 43: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/43.jpg)
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
![Page 44: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/44.jpg)
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
![Page 45: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/45.jpg)
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
≈
![Page 46: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/46.jpg)
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
≈
random element of Gp × Gq
![Page 47: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/47.jpg)
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
≈(indistinguishable from)
random element of Gp × Gq
![Page 48: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/48.jpg)
Composite-order bilinear group: (N, G, GT, e, g) where N = pq
Subgroup hiding [BGN05]:
Subgroup hiding
7
subgroup hidingparameter hiding
Gp Gq
≈(indistinguishable from)
random element of Gp
random element of Gp × Gq
![Page 49: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/49.jpg)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
8
![Page 50: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/50.jpg)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
8
![Page 51: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/51.jpg)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
g1f(x1,...,xc)
![Page 52: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/52.jpg)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
≈g1f(x1,...,xc)
![Page 53: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/53.jpg)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
≈g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)
![Page 54: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/54.jpg)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
is independent from
≈g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)
![Page 55: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/55.jpg)
Parameter hiding [L12]
Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements
subgroup hidingparameter hiding
g2f(x1,...,xc)
8
is independent from
xi mod p reveals nothing about xi mod q (CRT)
≈g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)
![Page 56: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/56.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
9
![Page 57: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/57.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
9
Challenge ciphertext
![Page 58: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/58.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
9
ID queries
Challenge ciphertext
![Page 59: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/59.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
normal:
normal:
9
ID queries
Challenge ciphertext
![Page 60: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/60.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
normal:
(subgroup hiding)
normal:
9
ID queries
Challenge ciphertext
![Page 61: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/61.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
normal:
(subgroup hiding)
(parameter hiding)
normal:
9
ID queries
Challenge ciphertext
![Page 62: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/62.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
normal:
9
ID queries
Challenge ciphertext
![Page 63: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/63.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
(subgroup hiding)
normal:
9
ID queries
Challenge ciphertext
![Page 64: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/64.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
(subgroup hiding)
(parameter hiding)
normal:
9
ID queries
Challenge ciphertext
![Page 65: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/65.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
(subgroup hiding)
(parameter hiding)
normal:
semi-functional (SF):
9
ID queries
Challenge ciphertext
![Page 66: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/66.jpg)
Typical dual-system proof for IBE [W09,LW10,...]
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
(subgroup hiding)
(parameter hiding)
normal:
semi-functional (SF):
9
SF keys don’t decrypt SF ciphertexts!
ID queries
Challenge ciphertext
![Page 67: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/67.jpg)
Dual systems in three easy steps
10
![Page 68: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/68.jpg)
Dual systems in three easy steps
10
1. start with base scheme
![Page 69: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/69.jpg)
Dual systems in three easy steps
normal:
10
1. start with base scheme
![Page 70: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/70.jpg)
Dual systems in three easy steps
normal:
10
1. start with base scheme2. transition to SF version
![Page 71: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/71.jpg)
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version
![Page 72: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/72.jpg)
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version
(subgroup hiding)
![Page 73: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/73.jpg)
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version
(subgroup hiding)
(subgroup hiding)
![Page 74: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/74.jpg)
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version
(subgroup hiding)
(subgroup hiding)
![Page 75: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/75.jpg)
Dual systems in three easy steps
normal:
semi-functional (SF):
(subgroup hiding)
(parameter hiding)
10
1. start with base scheme2. transition to SF version3. argue information is hidden
(subgroup hiding)
(subgroup hiding)
![Page 76: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/76.jpg)
Outline
11
Cryptographic background Pseudorandom functions
Extensions Conclusions
Bilinear groupsq-Type assumptions
The uber-assumption Relating uber-assumptions
A bijection trick
![Page 77: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/77.jpg)
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
12
![Page 78: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/78.jpg)
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
12
![Page 79: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/79.jpg)
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
12
![Page 80: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/80.jpg)
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
12
![Page 81: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/81.jpg)
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}
12
![Page 82: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/82.jpg)
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}
• f(x1,...,xc): A needs to compute e(g,h)f(x1,...,xc) (or distinguish it from random)
12
![Page 83: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/83.jpg)
The “uber-assumption” [BBG05,B08]
Uber-assumption is parameterized by (c,R,S,T,f)
• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}
• f(x1,...,xc): A needs to compute e(g,h)f(x1,...,xc) (or distinguish it from random)
uber(c,R,S,T,f) assumption: given (R,S,T) values, hard to compute/distinguish f
12
![Page 84: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/84.jpg)
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
13
![Page 85: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/85.jpg)
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
13
![Page 86: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/86.jpg)
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
13
![Page 87: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/87.jpg)
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>
13
![Page 88: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/88.jpg)
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>
• f(x1,…,xc): f(x) = xq+1
13
![Page 89: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/89.jpg)
Example uber-assumption: exponent q-SDH
exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random
• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>
• f(x1,…,xc): f(x) = xq+1
exponent q-SDH is uber(1,<1,{xi}>,<1>,<1>,xq+1)
13
![Page 90: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/90.jpg)
Applying dual systems to exponent q-SDH
14
1. start with base scheme2. transition to SF version 3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 91: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/91.jpg)
Applying dual systems to exponent q-SDH
g1r1x1,…,g1r1x1q
14
1. start with base scheme2. transition to SF version 3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 92: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/92.jpg)
Applying dual systems to exponent q-SDH
g1r1x1,…,g1r1x1q
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 93: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/93.jpg)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q g1r1x1i ⋅
g2r1′x1i
vs.
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 94: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/94.jpg)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q g1r1x1i ⋅
g2r1′x1i
parameter hiding
g1r1x1i ⋅
g2r1′x2i
vs.
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 95: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/95.jpg)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q g1r1x1i ⋅
g2r1′x1i
parameter hiding
g1r1x1i ⋅
g2r1′x2ig1r1x1i + r2x2i
⋅ g2r1′x2i
subgroup hiding
vs.
vs.
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 96: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/96.jpg)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q g1r1x1i ⋅
g2r1′x1i
parameter hiding
g1r1x1i ⋅
g2r1′x2ig1r1x1i + r2x2i
⋅ g2r1′x2i
subgroup hidingsubgroup hiding
g1r1x1+r2x2,…,g1r1x1q+r2x2q
vs.
vs.vs.
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 97: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/97.jpg)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q
parameter hiding
subgroup hidingsubgroup hiding
g1r1x1+r2x2,…,g1r1x1q+r2x2q
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 98: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/98.jpg)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q
parameter hiding
subgroup hidingsubgroup hiding
g1r1x1+r2x2,…,g1r1x1q+r2x2q
g1∑rkxk,…,g1∑rkxkq
14
1. start with base scheme 2. transition to SF version3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 99: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/99.jpg)
Applying dual systems to exponent q-SDH
subgroup hiding
g1r1x1,…,g1r1x1q
parameter hiding
subgroup hidingsubgroup hiding
g1r1x1+r2x2,…,g1r1x1q+r2x2q
g1∑rkxk,…,g1∑rkxkq
14
1. start with base scheme 2. transition to SF version 3. argue information is hidden
uber(c,<1,{xi}>,<1>,<1>,xq+1)
![Page 100: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/100.jpg)
Applying dual systems to exponent q-SDH
15
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 101: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/101.jpg)
uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)
Applying dual systems to exponent q-SDH
15
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 102: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/102.jpg)
uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)
Applying dual systems to exponent q-SDH
15
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 103: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/103.jpg)
uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)
Applying dual systems to exponent q-SDH
15
=
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
So A is really given 1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 104: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/104.jpg)
Applying dual systems to exponent q-SDH
16
=
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 105: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/105.jpg)
Applying dual systems to exponent q-SDH
16
=
Vandermonde matrix, so if l=q+2 this is invertible
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 106: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/106.jpg)
Applying dual systems to exponent q-SDH
16
=
Vandermonde matrix, so if l=q+2 this is invertible
Consider set S of l-sized sets; then r,y∈S
Matrix multiplication is map M: S → Spermutation
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 107: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/107.jpg)
Applying dual systems to exponent q-SDH
16
=
Vandermonde matrix, so if l=q+2 this is invertible
This is chosen uniformly at random from S
Consider set S of l-sized sets; then r,y∈S
Matrix multiplication is map M: S → Spermutation
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 108: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/108.jpg)
Applying dual systems to exponent q-SDH
16
=
Vandermonde matrix, so if l=q+2 this is invertible
This is chosen uniformly at random from S
Consider set S of l-sized sets; then r,y∈S
Matrix multiplication is map M: S → Spermutation
This is distributed uniformly random as well!
r r ... r 1 x . x x1 x . x x. . .. . .1 x . x x
yy..y
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 109: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/109.jpg)
More generally, this is true if
!
!
!
has linearly independent columns (or rows)
Applying dual systems to the uber-assumption
17
1 ρ . ρ f(x1 ρ . ρ f(x. . . .. . . .1 ρ . ρ f(x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
![Page 110: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/110.jpg)
More generally, this is true if
!
!
!
has linearly independent columns (or rows)
Applying dual systems to the uber-assumption
17
1 ρ . ρ f(x1 ρ . ρ f(x. . . .. . . .1 ρ . ρ f(x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Decisional uber(c,R,S,T,f) holds if: 1. subgroup hiding and parameter hiding hold
2. S = T = <1> 3. f is not a linear combination of ρi
![Page 111: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/111.jpg)
More generally, this is true if
!
!
!
has linearly independent columns (or rows)
Applying dual systems to the uber-assumption
17
1 ρ . ρ f(x1 ρ . ρ f(x. . . .. . . .1 ρ . ρ f(x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Decisional uber(c,R,S,T,f) holds if: 1. subgroup hiding and parameter hiding hold
2. S = T = <1> 3. f is not a linear combination of ρi
only computational requirement
![Page 112: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/112.jpg)
More generally, this is true if
!
!
!
has linearly independent columns (or rows)
Applying dual systems to the uber-assumption
17
1 ρ . ρ f(x1 ρ . ρ f(x. . . .. . . .1 ρ . ρ f(x
1. start with base scheme 2. transition to SF version 3. argue information is hidden
Decisional uber(c,R,S,T,f) holds if: 1. subgroup hiding and parameter hiding hold
2. S = T = <1> 3. f is not a linear combination of ρi
only computational requirement
limitation
![Page 113: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/113.jpg)
Outline
18
Cryptographic background q-Type assumptions
Data Conclusions
Bilinear groups
ExtensionsBroader classes of assumptions
Dodis-Yampolskiy PRF
![Page 114: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/114.jpg)
Strengthening our results
sh ph sh sh
19
![Page 115: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/115.jpg)
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
19
![Page 116: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/116.jpg)
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
vs.
19
![Page 117: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/117.jpg)
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
vs. vs.
19
![Page 118: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/118.jpg)
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
This restricts us to “one-sided” assumptions
vs. vs.
19
2. S = T = <1>
![Page 119: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/119.jpg)
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
This restricts us to “one-sided” assumptions
vs. vs.
19
(g,gx,…,gxq) → gxq+1 or random[eq-SDH]
2. S = T = <1>
![Page 120: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/120.jpg)
Strengthening our results
sh ph sh sh
Remember that we needed two types of subgroup hiding …
…even when given a generator for
This restricts us to “one-sided” assumptions
vs. vs.
19
(g,gx,…,gxq) → gxq+1 or random
(g,gx,…,gxq,hx) → compute (c,g1/x+c)
[eq-SDH]
[q-SDH]
2. S = T = <1>
![Page 121: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/121.jpg)
Strengthening our results
sh ph sh sh
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
![Page 122: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/122.jpg)
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
![Page 123: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/123.jpg)
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
![Page 124: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/124.jpg)
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
![Page 125: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/125.jpg)
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
Computational uber(c,R,S,T,f) holds if: 1. subgroup hiding and parameter hiding hold
2. f is not a linear combination of ρi
limitation
![Page 126: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/126.jpg)
Strengthening our results
sh ph sh sh
To address this, switch back to regular dual systems
This implies (for example) that q-SDH [BB04] follows from subgroup hiding....
…and so does everything based on q-SDH (like Boneh-Boyen signatures)*
vs. vs.
20
sh ph
Remember that we needed two types of subgroup hiding…
*when instantiated in asymmetric composite-order groups [BRS11]
![Page 127: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/127.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
![Page 128: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/128.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
![Page 129: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/129.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
verifiable random function
![Page 130: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/130.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
require u=e(g,h)verifiable random function
![Page 131: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/131.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
require u=e(g,h)verifiable random function q-type assumption
![Page 132: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/132.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
![Page 133: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/133.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
![Page 134: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/134.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
pseudorandom function
![Page 135: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/135.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
require composite orderpseudorandom function
![Page 136: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/136.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
require composite orderpseudorandom function static assumption
![Page 137: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/137.jpg)
Reexamining the Dodis-Yampolskiy PRF
21
f(x) = u1/sk+x for fixed sk←R; x∈a(λ)
Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI
Theorem: Advprf ≤ q·Advsgh
require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ)verifiable random function q-type assumption
require composite order a(λ) of arbitrary sizepseudorandom function static assumption
![Page 138: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/138.jpg)
Outline
22
Cryptographic background q-Type assumptions
Extensions Conclusions
Bilinear groups
Conclusions
![Page 139: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/139.jpg)
Conclusions and open problems
23
![Page 140: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/140.jpg)
We applied the dual-system technique directly to a broad class of assumptions
Conclusions and open problems
23
![Page 141: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/141.jpg)
We applied the dual-system technique directly to a broad class of assumptions
Limitation: Restricted to (asymmetric) composite-order (bilinear) groups
Conclusions and open problems
23
![Page 142: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/142.jpg)
We applied the dual-system technique directly to a broad class of assumptions
Limitation: Restricted to (asymmetric) composite-order (bilinear) groups
Limitation: Can’t get rid of every q-type assumption
Conclusions and open problems
23
![Page 143: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/143.jpg)
We applied the dual-system technique directly to a broad class of assumptions
Limitation: Restricted to (asymmetric) composite-order (bilinear) groups
Limitation: Can’t get rid of every q-type assumption
Full version!: cs.ucsd.edu/~smeiklejohn/files/eurocrypt14a.pdf
Conclusions and open problems
23
![Page 144: Déjà Q: Using Dual Systems to Revisit q-Type Assumptions](https://reader033.fdocuments.us/reader033/viewer/2022050403/62702172cee79c136c035047/html5/thumbnails/144.jpg)
We applied the dual-system technique directly to a broad class of assumptions
Limitation: Restricted to (asymmetric) composite-order (bilinear) groups
Limitation: Can’t get rid of every q-type assumption
Full version!: cs.ucsd.edu/~smeiklejohn/files/eurocrypt14a.pdf
Conclusions and open problems
23
Thanks! Any questions?