Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting
description
Transcript of Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting
![Page 1: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/1.jpg)
Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting
Allison Lewko
![Page 2: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/2.jpg)
Types of Bilinear Groups
G - a ¯nitecyclic group of order pe: G £ G ! GT - a bilinear map:
e(ga;gb) = e(g;g)ab
Prime Order:
Composite Order:
G - a ¯nitecyclic group of order N = p1p2p3e: G £ G ! GT - a bilinear map
Gp1
Gp2 Gp3
Primeorder subgroupsorthogonal under e:
![Page 3: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/3.jpg)
Pros and Cons
Prime Order Groups:Composite Order Groups:
Orthogonal Subgroups
Coprime Orders
Large group order
Slow pairings
Simple assumptions
Smaller group order
Faster pairings
Lack of extra structure
![Page 4: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/4.jpg)
Composite OrderGroups
Prime OrderGroups
Goal
![Page 5: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/5.jpg)
Prior State of Affairs
Ad Hoc Results
[LOST
W10
]
[OT10]
[W09]
[BGN05]
[BSW06][KSW08]
General translation [F10]
![Page 6: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/6.jpg)
Challenge
Proofconstruction
Composite OrderGroups
Prime OrderGroups
![Page 7: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/7.jpg)
What Features Do Proofs Need?Orthogonal Subgroups:
Hidden Parameters:
Simulator
Public Parameters
Internal ViewV
Attacker
V|PP - random variable- has some entropy
Expand/Contract With ComputationalAssumptions
![Page 8: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/8.jpg)
Building Orthogonality in Prime Order
Usevectors in theexponent:g2 G; ~v 2 Zd
p
g~v := (gv1 ;gv2 ; : : : ;gvd )
e(g~v;g~w) := Q di=1e(gvi ;gwi ) = e(g;g)~v¢~w
orthogonality:~v¢~w ´ 0modulo p e(g~v;g~w) = 1=)
![Page 9: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/9.jpg)
Progress So Far
orthogonal subspacesorthogonal subgroups
Gp1
Gp2 Gp3
g~v
g~w
coprimeorders ?
g~z
![Page 10: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/10.jpg)
Exploiting Coprimality
a - randomexponent in ZN
g1 2 Gp1N = p1p2p3
ga1 - reveals a modulo p1a modulo p2a modulo p3gremain hidden
attacker
ga1a mod N
simulator
a modulo p2a modulo p3
ChineseRemainderTheorem
![Page 11: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/11.jpg)
Goal
Replacecoprimality, CRT
Alternate mechanismfor hiding parameters
![Page 12: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/12.jpg)
Tool: Dual Pairing Vector Spaces [OT08,09]
d - constant dimension
B := ~b1; ~b2; : : : ~bd
B¤ := ~b¤1; ~b¤2; : : : ~b¤d
~bi ¢~b¤j =0 for i 6= jDual orthonormal:
bases of Zdpg
~bi ¢~b¤i =1 for all i
sampleB at random,B¤ determined
![Page 13: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/13.jpg)
Orthogonal Subspaces with DPVS
~b1; ~b2; ~b3; ~b4
~b¤1; ~b¤2; ~b¤3; ~b¤4orthogonal
Orthogonality across bases, not within!
![Page 14: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/14.jpg)
~b3 ¡ ~b4; 2~b4
~b¤3; 12~b¤3+ 1
2~b¤4
Hidden Parameters with DPVS
~b1; ~b2;
~b¤1; ~b¤2;
What can be determined about hidden vectors?
Not Everything!
~b3; ~b4
~b¤3; ~b¤4Can’t detect change!
![Page 15: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/15.jpg)
Expanding/Contracting with DPVS
\ TheSubspaceAssumption"
~b1 ~b2 ~b3
~b¤1; ~b¤2; ~b¤3
g~v ?
g~b3Not Given:
Implied by DLIN Assumption
![Page 16: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/16.jpg)
Demonstration: Boneh-Boyen IBEOriginal Scheme:
Ciphertext:Key: g®(uI Dh)r ; gr
gs; (uI Dh)s
Our Scheme:Ciphertext:
Key:
g~v
g~w~v= s1~b1+s1I D~b2+s2~b3+s2I D~b4
~w= (®+r1I D)~b¤1 ¡ r1~b¤2+r2I D~b¤3 ¡ r2~b¤4
blinding factorcancelation
![Page 17: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/17.jpg)
Sketch of Proof
s1~b1+s1I D0~b2+s2~b3+s2I D0~b4
(®+r1I D)~b¤1 ¡ r1~b¤2+r2I D~b¤3 ¡ r2~b¤4
Ciphertext:
Key:+s3~b5+s3I D0~b6
+r3I D~b¤5 ¡ r3~b¤6
+ Random
+ Random
Decryption Failure!
Dual System Encryption
SubspaceAssumption
![Page 18: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/18.jpg)
Further Applications
Lewko-Waters Unbounded HIBE
- Natural prime order construction
- Security from DLIN
- Simpler proof
![Page 19: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/19.jpg)
Summary
Dual pairing vector spaces 1. orthogonality
2. parameter hiding
Subspace assumption1. simulated subgroup decision2. implied by DLIN
General tools for translating dual system encryption proofs
![Page 20: Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting](https://reader035.fdocuments.us/reader035/viewer/2022062501/568162c8550346895dd353dd/html5/thumbnails/20.jpg)
Thanks for your attention.
Questions?