tools for simulating features of composite order bilinear groups in the prime order setting
DESCRIPTION
Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting . Allison Lewko. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A. Types of Bilinear Groups. Prime Order:. Composite Order:. Pros and Cons. - PowerPoint PPT PresentationTRANSCRIPT
Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting
Allison Lewko
Types of Bilinear Groups
G - a ¯nitecyclic group of order pe: G £ G ! GT - a bilinear map:
e(ga;gb) = e(g;g)ab
Prime Order:
Composite Order:
G - a ¯nitecyclic group of order N = p1p2p3e: G £ G ! GT - a bilinear map
Gp1
Gp2 Gp3
Primeorder subgroupsorthogonal under e:
Pros and Cons
Prime Order Groups:Composite Order Groups:
Orthogonal Subgroups
Coprime Orders
Large group order
Slow pairings
Simple assumptions
Smaller group order
Faster pairings
Lack of extra structure
Composite OrderGroups
Prime OrderGroups
Goal
Prior State of Affairs
Ad Hoc Results
[LOST
W10
]
[OT10]
[W09]
[BGN05]
[BSW06][KSW08]
General translation [F10]
Challenge
Proofconstruction
Composite OrderGroups
Prime OrderGroups
What Features Do Proofs Need?Orthogonal Subgroups:
Hidden Parameters:
Simulator
Public Parameters
Internal ViewV
Attacker
V|PP - random variable- has some entropy
Expand/Contract With ComputationalAssumptions
Building Orthogonality in Prime Order
Usevectors in theexponent:g2 G; ~v 2 Zd
p
g~v := (gv1 ;gv2 ; : : : ;gvd )
e(g~v;g~w) := Q di=1e(gvi ;gwi ) = e(g;g)~v¢~w
orthogonality:~v¢~w ´ 0modulo p e(g~v;g~w) = 1=)
Progress So Far
orthogonal subspacesorthogonal subgroups
Gp1
Gp2 Gp3
g~v
g~w
coprimeorders ?
g~z
Exploiting Coprimality
a - randomexponent in ZN
g1 2 Gp1N = p1p2p3
ga1 - reveals a modulo p1a modulo p2a modulo p3gremain hidden
attacker
ga1a mod N
simulator
a modulo p2a modulo p3
ChineseRemainderTheorem
Goal
Replacecoprimality, CRT
Alternate mechanismfor hiding parameters
Tool: Dual Pairing Vector Spaces [OT08,09]
d - constant dimension
B := ~b1; ~b2; : : : ~bd
B¤ := ~b¤1; ~b¤2; : : : ~b¤d
~bi ¢~b¤j =0 for i 6= jDual orthonormal:
bases of Zdpg
~bi ¢~b¤i =1 for all i
sampleB at random,B¤ determined
Orthogonal Subspaces with DPVS
~b1; ~b2; ~b3; ~b4
~b¤1; ~b¤2; ~b¤3; ~b¤4orthogonal
Orthogonality across bases, not within!
~b3 ¡ ~b4; 2~b4
~b¤3; 12~b¤3+ 1
2~b¤4
Hidden Parameters with DPVS
~b1; ~b2;
~b¤1; ~b¤2;
What can be determined about hidden vectors?
Not Everything!
~b3; ~b4
~b¤3; ~b¤4Can’t detect change!
Expanding/Contracting with DPVS
\ TheSubspaceAssumption"
~b1 ~b2 ~b3
~b¤1; ~b¤2; ~b¤3
g~v ?
g~b3Not Given:
Implied by DLIN Assumption
Demonstration: Boneh-Boyen IBEOriginal Scheme:
Ciphertext:Key: g®(uI Dh)r ; gr
gs; (uI Dh)s
Our Scheme:Ciphertext:
Key:
g~v
g~w~v= s1~b1+s1I D~b2+s2~b3+s2I D~b4
~w= (®+r1I D)~b¤1 ¡ r1~b¤2+r2I D~b¤3 ¡ r2~b¤4
blinding factorcancelation
Sketch of Proof
s1~b1+s1I D0~b2+s2~b3+s2I D0~b4
(®+r1I D)~b¤1 ¡ r1~b¤2+r2I D~b¤3 ¡ r2~b¤4
Ciphertext:
Key:+s3~b5+s3I D0~b6
+r3I D~b¤5 ¡ r3~b¤6
+ Random
+ Random
Decryption Failure!
Dual System Encryption
SubspaceAssumption
Further Applications
Lewko-Waters Unbounded HIBE
- Natural prime order construction
- Security from DLIN
- Simpler proof
Summary
Dual pairing vector spaces 1. orthogonality
2. parameter hiding
Subspace assumption1. simulated subgroup decision2. implied by DLIN
General tools for translating dual system encryption proofs
Thanks for your attention.
Questions?