Pairing-Based Cryptography - PowerPoint PPT Presentation

Slides: 56
Provided by: danb179
Learn more at: http://focs2007.org
Transcript and Presenter's Notes


1
Pairing-Based Cryptography
  • Dan Boneh
  • Stanford University

Tutorial FOCS 2007
2
A new tool: pairings (>1200 papers)
  • Encryption schemes with new properties
  • Identity-based, Broadcast, Forward secure,
    Homomorphic, Searchable, Proxiable, CCA, ...
  • Signature systems with new properties
  • Short, Aggregate, Append-only, VRF,
    Short group sigs, e-cash, ...
  • Efficient non-interactive zero-knowledge (NIZK)

3
Conferences: PiC 2005
4
Conferences: Pairings 2007
5
Commercial Interest
6
Gemalto (formerly Gemplus)
7
Part 1: What is a pairing?
8
Recall Diffie-Hellman protocol
  • $G$: group of prime order $q$; $g \in G$ a generator
  • Alice: $a \leftarrow \mathbb{Z}_q$, $A = g^a$; Bob: $b \leftarrow \mathbb{Z}_q$, $B = g^b$;
    both compute the shared key $g^{ab}$
  • Security: Decision Diffie-Hellman assumption in $G$:
  • $(g, A, B, g^{ab})$ indist. from $(g, A, B, g^{\mathrm{rand}})$

[figure: Alice sends $A = g^a$, Bob sends $B = g^b$, both end with $g^{ab}$]
9
Standard complexity assumptions
  • $G$ group of order $q$; $1 \neq g \in G$; $x, y, z \leftarrow \mathbb{Z}_q$
  • Discrete-log problem: given $g, g^x$, find $x$
  • Computational Diffie-Hellman problem (CDH):
  • given $g, g^x, g^y$, compute $g^{xy}$
  • Decision Diffie-Hellman problem (DDH):
  • given $g, g^x, g^y, g^z$, decide whether $z = xy$

10
Groups used in cryptography
  • Groups where Dlog, CDH, DDH are believed hard:
  • $(\mathbb{Z}/p\mathbb{Z})^*$ for prime $p$
  • Elliptic curves $E(\mathbb{F}_p)$: $y^2 = x^3 + ax + b$

11
Pairings
  • Additional structure on elliptic curves:
    pairings
  • Defined by A. Weil (1946)
  • Miller 84: algorithm for computing them
  • MOV 93: used to attack certain EC systems
  • Recently (2000-7): lots of crypto applications
  • Joux ANTS 00, Sakai-Ohgishi-Kasahara SCIS 00

12
Pairings
[figure: $g^a, g^b \in G$ are mapped by $e$ to $e(g,g)^{ab} \in G_T$]
  • $G$, $G_T$ finite cyclic groups of prime order $q$.
  • Def: A pairing $e: G \times G \to G_T$ is a map that is
  • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ for all $a, b \in \mathbb{Z}$, $g \in G$
    (in particular $e(g^x, h^y) = e(g^y, h^x)$)
  • Poly-time computable and non-degenerate: $g$ generates $G$
    $\Rightarrow$ $e(g,g)$ generates $G_T$
  • Current examples: $G \subseteq E(\mathbb{F}_p)$, $G_T \subseteq (\mathbb{F}_{p^\alpha})^*$
  • ($\alpha \in \{1, 2, 3, 4, 6, 10, 12\}$)
13
Consequences of pairing
  • Decision Diffie-Hellman (DDH) in $G$ is easy [J00, JN01]:
  • input: $g, g^x, g^y, g^z \in G$
  • to test if $z = xy$ do: check whether $e(g^x, g^y) = e(g, g^z)$
  • Dlog reduction from $G$ to $G_T$ [MOV 93]:
    a Dlog instance $g, g^a \in G$ maps under $e$ to the instance
    $e(g,g), e(g,g)^a \in G_T$, so Dlog in $G$ is no harder than Dlog in $G_T$
14
Complexity assumptions in bilinear groups
  • $e: G \times G \to G_T$; $1 \neq g \in G$; $x, y, z \leftarrow \mathbb{Z}_q$
  • Discrete-log problem: given $g, g^x$, find $x$
  • Computational Diffie-Hellman problem (CDH):
  • given $g, g^x, g^y$, compute $g^{xy}$
  • Bilinear Decision Diffie-Hellman problem (BDDH):
  • given $g, g^x, g^y, g^z$ and $T \in G_T$, decide whether $T = e(g,g)^{xyz}$
15
Where pairings come from
[figure: $G \subseteq E(\mathbb{F}_p)$]
Tate pairing: $e(P, Q) = f_P(Q)^{(p^\alpha - 1)/q}$,
where $(f_P) = q(P) - q(O)$ [V. Miller 84].
$f_P$ has a short straight-line program, but
for all $P, Q \in E(\mathbb{F}_p)$: $e(P, Q) = 1$
(so $Q$ has to be taken in $E(\mathbb{F}_{p^\alpha})$ with $\alpha > 1$)
16
Supersingular bilinear groups
  • Supersingular curves (e.g. $y^2 = x^3 + x$, $p \equiv 3 \pmod 4$)

[figure: $G \subseteq E(\mathbb{F}_p)$]
Possible $\alpha$: $\alpha \in \{2, 3, 4, 6\}$, or $\alpha \leq 7.5$ [RS 02]
17
MNT and BN groups
  • Non-supersingular curves: $G_0 \subseteq E(\mathbb{F}_p)$, a second group $G_1$,
    and an asymmetric pairing $e: G_0 \times G_1 \to G_T$
  • MNT 01 curves: $\alpha \in \{2, 3, 4, 6\}$
  • BN 05, F05 curves: $\alpha = 10, 12$
  • Open problem: larger $\alpha$ (prime order $E(\mathbb{F}_p)$),
    e.g. $\alpha = 16, 20, 24, \ldots$
18
Part 2: Crypto Applications
19
Recall Pub-Key Encryption (PKE)
  • PKE: three algorithms $(G, E, D)$
  • $G(\lambda) \to (PK, SK)$: outputs pub-key and secret-key
  • $E(PK, m) \to c$: encrypt $m$ using pub-key $PK$
  • $D(SK, c) \to m$: decrypt $c$ using $SK$

[figure: the sender first obtains $PK_{\mathrm{alice}}$, then encrypts to Alice]
20
Example: ElGamal encryption
  • $G(\lambda)$: $(G, g, q) \leftarrow \mathrm{GenGroup}(\lambda)$
  • $SK = (\alpha \leftarrow \mathbb{Z}_q)$, $PK = (h \leftarrow g^\alpha)$
  • $E(PK, m \in G)$: $s \leftarrow \mathbb{Z}_q$ and do $c \leftarrow (g^s, m \cdot h^s)$
  • $D(SK = \alpha, c = (c_1, c_2))$: observe $c_1^\alpha = (g^s)^\alpha = h^s$,
    so $m = c_2 / c_1^\alpha$
  • Security (IND-CPA) based on the DDH assumption:
  • $(g, h, g^s, h^s)$ indist. from $(g, h, g^s, g^{\mathrm{rand}})$

Note: ElGamal is insecure in bilinear groups (DDH is easy there)
21
Identity Based Encryption [Sha 84]
  • IBE: PKE system where $PK$ is an arbitrary string
  • e.g. e-mail address, phone number, IP addr

[figure: a CA/PKG holding a master-key issues the private key for an identity]
22
Identity Based Encryption [Sha 84]
  • Four algorithms $(S, K, E, D)$
  • $S(\lambda) \to (PP, MK)$: output params $PP$ and master-key $MK$
  • $K(MK, ID) \to d_{ID}$: outputs private key $d_{ID}$ for $ID$
  • $E(PP, ID, m) \to c$: encrypt $m$ using pub-key $ID$ (and $PP$)
  • $D(d_{ID}, c) \to m$: decrypt $c$ using $d_{ID}$
  • IBE compresses exponentially many $PK$s into a short $PP$

23
Using IBE as a primitive
  • IBE $\Rightarrow$
  • CCA-secure public key encryption [CHK04, BK04, BMW05]
  • Non-interactive CCA-secure threshold encryption [BBH05]
  • Searchable public key enc [BDOP04, AB05]
  • Automatic trust negotiations [LDB03]
  • Forward secure encryption [CHK 03] (from H-IBE)

24
Can we build an IBE??
  • ElGamal is not an IBE:
  • $SK = (\alpha \leftarrow \mathbb{Z}_q)$, $PK = (h \leftarrow g^\alpha)$
  • $PK$ can be any string: $h = $ alice@gmail.com $\in G$ (hash the string into $G$)
  • but then no one can compute the secret key $\alpha$
  • RSA is not an IBE:
  • cannot map a string to an RSA public key $(N, e)$

25
Pairings to the rescue: BF-IBE [BF01]
  • $S(\lambda)$: $(G, G_T, g, q) \leftarrow \mathrm{GenBilGroup}(\lambda)$, $\alpha \leftarrow \mathbb{Z}_q$;
    $H: ID \to G$ a hash function
  • $PP = (g, y \leftarrow g^\alpha) \in G$; $MK = \alpha$
  • $K(MK, ID)$: $d \leftarrow H(ID)^\alpha$
  • $E(PP, ID, m)$: $s \leftarrow \mathbb{Z}_q$ and do
  • $C \leftarrow (g^s, m \cdot e(y, H(ID))^s)$
  • $D(d, (c_1, c_2))$:
  • observe $e(c_1, d) = e(g^s, H(ID)^\alpha) = e(g^\alpha, H(ID))^s = e(y, H(ID))^s$,
    so $m = c_2 / e(c_1, d)$
26
Another IBE: BB-IBE [BB04]
  • $S(\lambda)$: $(G, G_T, g, q) \leftarrow \mathrm{GenBilGroup}(\lambda)$, $\alpha \leftarrow \mathbb{Z}_q$
  • $PP = (g, y \leftarrow g^\alpha, g_1, h) \in G$; $MK = g_1^\alpha$
  • $K(MK, ID)$: $r \leftarrow \mathbb{Z}_q$, $d_{ID} \leftarrow (MK \cdot (y^{ID} \cdot h)^r, g^r)$
  • $E(PP, ID, m)$: $s \leftarrow \mathbb{Z}_q$ and do
  • $C \leftarrow (g^s, (y^{ID} \cdot h)^s, m \cdot e(y, g_1)^s)$
  • $D((d_1, d_2), (c_1, c_2, c_3))$:
  • observe $e(c_1, d_1) / e(c_2, d_2) = e(y, g_1)^s$, so $m = c_3 \cdot e(c_2, d_2) / e(c_1, d_1)$
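Carrying the BB-IBE decryption check through with bilinearity (an added derivation in the slide's own symbols, not part of the original deck):

$$
\begin{aligned}
e(c_1, d_1) &= e\big(g^s,\; g_1^{\alpha}\,(y^{ID} h)^r\big) = e(g, g_1)^{\alpha s}\; e(g, y^{ID} h)^{rs},\\
e(c_2, d_2) &= e\big((y^{ID} h)^s,\; g^r\big) = e(y^{ID} h, g)^{rs},\\
\frac{e(c_1, d_1)}{e(c_2, d_2)} &= e(g, g_1)^{\alpha s} = e(g^{\alpha}, g_1)^s = e(y, g_1)^s,
\end{aligned}
$$

so $c_3 \cdot e(c_2, d_2) / e(c_1, d_1) = m$. The same identity with $ID$ replaced by a message $m$ is the verification equation of the BB-derived signatures on slide 34, and with $y^{ID}$ replaced by $y_1^{m_1} \cdots y_n^{m_n}$ it is the Waters verification on slide 37.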
27
IBE Security (IND-IDCPA) [BF01]
  • Security when attacker can request several private keys

[figure: game between Challenger and Attacker A. The challenger runs
 $(PP, MK) \leftarrow S(\lambda)$ and sends $PP$; A asks for private keys $d_{ID}$
 of identities of its choice; A picks a target $ID^*$ it did not query and two
 messages $m_0, m_1$; the challenger returns $E(PP, ID^*, m_b)$ for a random bit $b$;
 A outputs a guess $b'$]
$(S, K, E, D)$ is IND-IDCPA secure if for all PPT $A$:
$|\Pr[b = b'] - \tfrac{1}{2}| < \mathrm{neg}(\lambda)$
28
IBE Security (IND-sIDCPA) [CHK04]
  • Security when attacker can request several private keys

[figure: the same game, except that A must announce the target $ID^*$ to the
 challenger before receiving $PP$ (selective-ID)]
$(S, K, E, D)$ is IND-sIDCPA secure if for all PPT $A$:
$|\Pr[b = b'] - \tfrac{1}{2}| < \mathrm{neg}(\lambda)$
29
IBE Security
  • BB-IBE security theorem [BB04]:
  • BDDH $\Rightarrow$ BB-IBE is IND-sIDCPA secure
  • Waters-IBE [W05] generalizes BB-IBE:
  • BDDH $\Rightarrow$ Waters-IBE is IND-IDCPA secure
  • Gentry-IBE [G06]: short $PP$:
  • q-BDHE $\Rightarrow$ Gentry-IBE is IND-IDCPA secure

30
New Signature Systems
  • CDH $\Rightarrow$ short and efficient sigs (!!)

31
IBE $\Rightarrow$ Simple digital signatures [N01]
  • $\mathrm{Sign}(MK, m)$: $sig \leftarrow K(MK, m)$
  • $\mathrm{Verify}(PP, m, sig)$: test that $sig$ decrypts messages encrypted using identity $m$
  • Conversely: which sig systems give an IBE?
  • Rabin signatures [Cocks01, BGH07]
  • Open problem: IBE from GMR, GHR, CS, ...
  • Blackbox impossibility: IBE from trapdoor perms [BPRVW07]

32
Simple bilinear signatures [BLS 01]
  • $H: \{0,1\}^* \to G$ hash function; $1 \neq g \in G$, $|G| = q$
  • $G(\lambda)$: $\alpha \leftarrow \mathbb{Z}_q$; $PK = y \leftarrow g^\alpha \in G$, $SK = \alpha$
  • $\mathrm{Sign}(SK, m)$: $S \leftarrow H(m)^\alpha \in G$
  • $\mathrm{Verify}(PK, m, S)$: test $e(S, g) = e(H(m), y)$
  • Thm: when $H$ is modeled as a Random Oracle, CDH holds in $G$
    $\Rightarrow$ sig is existentially unforgeable

Short signature: a single group element
33
Properties
  • Short
  • Aggregatable [BGLS02, Bol02]

Signature size:
  BLS          RSA           DSS
  160 (bits)   1024 (bits)   320 (bits)
34
Signatures w/o Random Oracles
  • Signature system from BB-IBE:
  • $G(\lambda)$: $\alpha \leftarrow \mathbb{Z}_q$, $g_1, h \leftarrow G$
  • $PK = (g, g_1, y \leftarrow g^\alpha, h) \in G$; $SK = g_1^\alpha$
  • $\mathrm{Sign}(SK, m)$: $r \leftarrow \mathbb{Z}_q$,
  • $S \leftarrow (SK \cdot (y^m h)^r, g^r) \in G^2$
  • $\mathrm{Verify}(PK, m, S = (s_1, s_2))$: $e(s_1, g) / e(y^m h, s_2) = e(g_1, y)$
35
Selectively unforgeable sigs [GMR88]
  • Sig is selectively unforgeable if
  • for all PPT $A$: $\Pr[\mathrm{Verify}(PK, m, S) = \text{yes}] < \mathrm{neg}(\lambda)$

[figure: game between Challenger and Attacker. The attacker first announces the
 target message $m$; the challenger runs $(PK, SK) \leftarrow K(\lambda)$ and sends $PK$;
 the attacker may ask for signatures on messages other than $m$ and finally outputs $S$]
36
Security Theorem
  • Thm: CDH $\Rightarrow$ (sigs from BB-IBE) are selectively unforgeable
  • Proof intuition:

[figure: an algorithm for CDH (us) plays the challenger for the sig forger;
 the forger's view has $SK = g_1^\alpha$]
37
Waters sigs: existentially unforgeable [Wat 05]
  • $G(\lambda)$: $\alpha \leftarrow \mathbb{Z}_q$, $g_1, h, y_1, \ldots, y_n \leftarrow G$
  • $PK = (g, g_1, y \leftarrow g^\alpha, h, y_1, \ldots, y_n) \in G$; $SK = g_1^\alpha$
  • $\mathrm{Sign}(SK, M)$: $r \leftarrow \mathbb{Z}_q$, $M = m_1 m_2 \cdots m_n \in \{0,1\}^n$,
  • $S \leftarrow (SK \cdot (y_1^{m_1} \cdots y_n^{m_n} \cdot h)^r, g^r) \in G^2$
  • $\mathrm{Verify}(PK, M, S = (s_1, s_2))$:
  • $e(s_1, g) / e(y_1^{m_1} \cdots y_n^{m_n} \cdot h, s_2) = e(g_1, y)$

(the BB term $y^M \cdot h$ is replaced by $y_1^{m_1} \cdots y_n^{m_n} \cdot h$)
38
Existentially unforgeable
  • Thm: CDH $\Rightarrow$ Waters-sigs are unforgeable (!!)

[figure: proof intuition comparing the BB and Waters reductions; labels:
 $m$, W, BB, $1/(2n)$, $1/q$, $a_1 m_1 + \cdots + a_n m_n + v$]
39
Summary thus far
  • IBE from pairings:
  • BDDH $\Rightarrow$ efficient secure IBE
  • and extensions: H-IBE, anon-IBE, ...
  • Short signatures from pairings:
  • CDH $\Rightarrow$ existential unforgeability
  • with RO: $sig \in G$; without RO: $sig \in G^2$

40
Part 3: Computing on Ciphertexts
41
An old open problem [RAD78]
  • Doubly homomorphic encryption (IND-CPA):
  • $(G, E, D)$ where messages live in $\mathbb{F}_p$
  • $\exists$ PPT algorithms $A$ and $A'$ s.t.
  • $A(E(PK, m_1), E(PK, m_2)) \to E(PK, m_1 + m_2)$
  • $A'(E(PK, m_1), E(PK, m_2)) \to E(PK, m_1 \cdot m_2)$
  • Note: ElGamal is multiplicative-homomorphic
  • but not additive

$\Rightarrow$ computing on ciphertexts
42
Bilinear groups of order $N = pq$ [BGN05]
  • $G$ group of order $N = pq$; $(p, q)$ secret
  • bilinear map $e: G \times G \to G_T$
  • $G = G_p \times G_q$; $g_p = g^q \in G_p$, $g_q = g^p \in G_q$
  • Facts: $e(g_p, g_q) = e(g_q, g_p) = e(g,g)^N = 1$
  • $e(g_p, \cdot) \in (G_T)_q$

43
BGN encryption: additively homomorphic plus one multiplication
  • $G(\lambda)$: generate bilinear group $G$ of order $N = p \cdot q$
  • $PK \leftarrow (G, N, g, g_p)$; $SK \leftarrow p$
  • $E(PK, m)$: $r \leftarrow \mathbb{Z}_N$, $C \leftarrow g^m (g_p)^r \in G$
  • $D(SK, C)$: $C^p = g^{mp} \cdot g_p^{rp} = (g_q)^m \in G_q$ (since $g_p^p = 1$)
  • Output $\mathrm{Dlog}_{g_q}(C^p)$
  • Note: decryption time is $O(\sqrt{m})$
  • $\Rightarrow$ require small message space (e.g. $\{0,1\}$)

44
Homomorphic Properties
  • $C_1 \leftarrow g^{m_1} (g_p)^{r_1}$, $C_2 \leftarrow g^{m_2} (g_p)^{r_2} \in G$
  • Additive hom: $E(m_1 + m_2) = C_1 \cdot C_2 \cdot (g_p)^s$
  • One mult hom: $E(m_1 \cdot m_2) = e(C_1, C_2) \cdot e(g_p, g_p)^s$ (a ciphertext in $G_T$)
  • More generally: $E(m_1), \ldots, E(m_n) \to E(F(m_1, \ldots, m_n))$
  • for any $F \in \mathbb{Z}_N[X_1, \ldots, X_n]$ of total degree 2
  • Example: dot product on encrypted vectors [AW07]
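Added example (not from the tutorial or the BGN paper): the BGN encrypt/decrypt and homomorphic operations of the last two slides, run on a toy composite-order group constructed for illustration, $G = G_T = \mathbb{Z}_N$ with the group operation being addition mod $N$, generator $g = 1$ and pairing $e(a,b) = ab \bmod N$. Dlog is trivial in this group, so it has no security whatsoever; what it checks exactly is the bilinear algebra, including the [AW07] dot product and the small-range Dlog that decryption needs.

```python
# Toy composite-order bilinear group constructed for this example (no security:
# Dlog is trivial in Z_N, and this is not BGN's elliptic-curve instantiation).
# G = G_T = Z_N, the slides' product is addition mod N, g = 1 is a generator and
# e(a, b) = a*b mod N is bilinear, so the BGN equations can be checked exactly.
import secrets
from functools import reduce
from math import isqrt

P, Q = 1000003, 999983                 # the secret factors of N (constructed primes)
N = P * Q
g = 1                                  # generator of G, order N
mul = lambda a, b: (a + b) % N         # group operation in G and in G_T
exp = lambda a, k: a * k % N           # a^k in G and in G_T
pair = lambda a, b: a * b % N          # e(a, b): G x G -> G_T
gp, gq = exp(g, Q), exp(g, P)          # g_p = g^q generates G_p, g_q = g^p generates G_q
PK, SK = (N, g, gp), P

def encrypt(m):                        # E(PK, m) = g^m * (g_p)^r, r random in Z_N
    return mul(exp(g, m), exp(gp, secrets.randbelow(N)))

def dlog(base, target, bound):
    # Baby-step giant-step: the k < bound with base^k == target, O(sqrt(bound)) work.
    # This is the O(sqrt m) decryption cost that forces a small message space.
    s = isqrt(bound) + 1
    baby = {exp(base, j): j for j in range(s)}
    giant, cur = exp(base, -s), target
    for i in range(s):
        if cur in baby:
            return i * s + baby[cur]
        cur = mul(cur, giant)
    return None

def decrypt(C, bound, in_target=False):
    # D(SK, C): raising to p kills the G_p part, leaving (g_q)^m in G, or
    # e(g_q, g)^m in G_T after one multiplication; then a small-range Dlog.
    base = pair(gq, g) if in_target else gq
    return dlog(base, exp(C, SK), bound)

def add(C1, C2):                       # E(m1 + m2) = C1 * C2 * (g_p)^s
    return mul(mul(C1, C2), exp(gp, secrets.randbelow(N)))

def mult(C1, C2):                      # E(m1 * m2) = e(C1, C2) * e(g_p, g_p)^s, in G_T
    return mul(pair(C1, C2), exp(pair(gp, gp), secrets.randbelow(N)))

def encrypted_dot(a, b):
    # [AW07]-style dot product: one pairing per coordinate, then products in G_T
    return reduce(mul, (mult(encrypt(x), encrypt(y)) for x, y in zip(a, b)))
```

The `bound` passed to `decrypt` is the message-space size the decryptor is willing to search; the dot-product ciphertext lives in $G_T$, hence `in_target=True`.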



45
Security: the subgroup assumption
  • Subgroup assumption: a random element of $G$ is indistinguishable
    from a random element of $G_p$

Distribution $P_G(\lambda)$: $(G, g, p, q) \leftarrow \mathrm{GroupGen}(\lambda)$, $N \leftarrow p \cdot q$,
$s \leftarrow \mathbb{Z}_N$; output $(G, N, g, g_p, g^s)$
Distribution $P_p(\lambda)$: $(G, g, p, q) \leftarrow \mathrm{GroupGen}(\lambda)$, $N \leftarrow p \cdot q$,
$s \leftarrow \mathbb{Z}_N$; output $(G, N, g, g_p, (g_p)^s)$
For any poly-time $A$:
$|\Pr[A(X) = 1 : X \leftarrow P_G(\lambda)] - \Pr[A(X) = 1 : X \leftarrow P_p(\lambda)]| < \mathrm{neg}(\lambda)$
Thm: BGN is semantically secure under the subgroup assumption
46
Non-Interactive Zero Knowledge [GOS06]
  • NIZK proof size: $O(|\text{gates}| \cdot \lambda)$
  • CRS size: $O(\lambda)$

47
Goal: NIZK for circuit SAT [BFM88]
[figure: a boolean circuit of AND, OR and NOT gates with input bits
 $b_1, \ldots, b_8 \in \{0,1\}$ and output $z$]
Goal: prover wants to convince verifier that the circuit is satisfiable,
in zero knowledge and without interaction
48
Plan of attack
[figure: the same circuit built from NAND gates only, with
 $\mathrm{NAND}(x_1, \ldots, x_n) = 1 - \prod_i x_i$; input wires $b_1, \ldots, b_8 \in \{0,1\}$,
 internal wires $b_9, \ldots, b_{17}$]
Proof: $\mathrm{com}(b_1), \mathrm{com}(b_2), \ldots, \mathrm{com}(b_m)$ and, for all
gates $(i, j, k)$, a proof that $b_i, b_j, b_k \in \{0,1\}$
and $b_k = b_i \ \mathrm{NAND}\ b_j$
49
Composite order commitments
  • Common Reference String: $(G, g, g_p)$, $|G| = N = pq$
  • $\mathrm{com}(m)$: $r \leftarrow \mathbb{Z}_N$, output $C \leftarrow g^m \cdot (g_p)^r$
  • note: $\mathrm{com}(m_1) \cdot \mathrm{com}(m_2)$ is a commitment for $(m_1 + m_2)$
  • Fact: $z = x\ \mathrm{NAND}\ y \iff x,\ y,\ z,\ x + y + 2(z - 1) \in \{0,1\}$
  • For a $C \in G$ we need a (W.I.) proof for the statement
  • $C = \mathrm{com}(0)$ or $C = \mathrm{com}(1)$
  • Then for each gate $(i, j, k)$ generate a proof of 0-or-1 for
  • $\mathrm{com}(b_i)$, $\mathrm{com}(b_j)$, $\mathrm{com}(b_k)$, and
  • $\mathrm{com}(b_i) \cdot \mathrm{com}(b_j) \cdot \mathrm{com}(b_k)^2 / \mathrm{com}(1)^2$

50
GOS (W.I.) Proof
  • Common Reference String: $(G, g, g_p)$, $|G| = N = pq$
  • Let $C = g^m \cdot (g_p)^r$
  • IF $C = g \cdot (g_p)^r$ or $C = (g_p)^r$
  • THEN (*) $e(C, C g^{-1}) = e(g_p, \cdot) \in (G_T)_q$ (the subgroup of order $p$)
  • For all $m \in \{0,1\}$ and $r$: $e(C, C g^{-1}) = e(g_p, (g^{2m-1} \cdot (g_p)^r)^r)$
  • Proof that (*) is true: $\pi \leftarrow (g^{2m-1} \cdot (g_p)^r)^r \in G$
  • To verify the proof, test if $e(C, C g^{-1}) = e(g_p, \pi)$
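Added example (not the GOS paper's code): the composite-order commitment, the 0/1 proof (*) and the per-gate NAND check of the last two slides, on a toy group constructed for illustration, $G = G_T = \mathbb{Z}_N$ with addition mod $N$ as the group operation, $g = 1$ and $e(a,b) = ab \bmod N$ (Dlog is trivial there, so there is no hiding or security, only exact bilinear algebra). It also shows that an honest attempt to prove a non-bit value, for instance an inconsistent gate, fails verification.

```python
# Toy composite-order bilinear group constructed for this example (no security:
# Dlog is trivial in Z_N). G = G_T = Z_N, the slides' product is addition mod N,
# g = 1 is a generator and e(a, b) = a*b mod N is bilinear, so the pairing
# identities behind the GOS proof can be checked exactly.
import secrets

P, Q = 1000003, 999983                 # constructed primes; N = pq is the group order
N = P * Q
g = 1
mul = lambda a, b: (a + b) % N         # group operation in G and G_T
exp = lambda a, k: a * k % N           # a^k (negative k gives inverses)
pair = lambda a, b: a * b % N          # e(a, b)
gp = exp(g, Q)                         # CRS = (G, g, g_p), g_p = g^q of order p

def commit(m, r):                      # com(m) = g^m * (g_p)^r
    return mul(exp(g, m), exp(gp, r))

def prove_bit(m, r):
    # pi = (g^{2m-1} * (g_p)^r)^r ; e(C, C/g) = e(g_p, pi) holds exactly when m(m-1) = 0
    return exp(mul(exp(g, 2 * m - 1), exp(gp, r)), r)

def verify_bit(C, pi):                 # the verifier sees only C and pi
    return pair(C, mul(C, exp(g, -1))) == pair(gp, pi)

def gate_commitment(Ci, Cj, Ck):
    # com(b_i) * com(b_j) * com(b_k)^2 / com(1)^2 with com(1) = g (randomness 0):
    # a commitment to b_i + b_j + 2(b_k - 1), which is a bit iff b_k = b_i NAND b_j
    return mul(mul(Ci, Cj), mul(exp(Ck, 2), exp(g, -2)))

def prove_gate(bits, rs):
    # bits = (b_i, b_j, b_k), rs = their commitment randomness; returns commitments
    # and the four 0/1 proofs (three wires plus the NAND relation)
    Cs = [commit(b, r) for b, r in zip(bits, rs)]
    pis = [prove_bit(b, r) for b, r in zip(bits, rs)]
    bi, bj, bk = bits
    pis.append(prove_bit(bi + bj + 2 * (bk - 1), rs[0] + rs[1] + 2 * rs[2]))
    return Cs, pis

def verify_gate(Cs, pis):
    targets = Cs + [gate_commitment(*Cs)]
    return len(pis) == 4 and all(verify_bit(C, pi) for C, pi in zip(targets, pis))

def nand_gate_proof_ok(bi, bj, bk):
    # fresh randomness, prove, verify; True only for consistent NAND gates
    rs = [secrets.randbelow(N) for _ in range(3)]
    return verify_gate(*prove_gate((bi, bj, bk), rs))
```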
51
Why is the proof Zero Knowledge?
  • Common Reference String: $(G, g, g_p)$, $|G| = N = pq$
  • Basic idea:
  • Simulator uses $(G, g, g_{\mathrm{rand}})$ as CRS, with $g_{\mathrm{rand}}$ a random element of $G$
  • Indistinguishable by the subgroup assumption
  • Commitment $C = g^m \cdot (g_{\mathrm{rand}})^r$ contains no info on $m$
  • Summary: multi-theorem NIZK
  • NIZK proof size: $O(|\text{gates}| \cdot \lambda)$
  • CRS size: $O(\lambda)$

52
Part 4: open problems
53
Open problems
  • 1. n-linear maps?
  • $e: G^n \to G_T$ where Dlog in $G$ is intractable
  • Motivation:
  • Homomorphic encryption, broadcast enc, [BS02]

54
2. Verifiable Random Functions [MRV99]
  • Verifiable Random Function (VRF):
  • $\mathrm{Setup}(\lambda) \to (PK, SK)$
  • PRF $F(SK, x) \to y$ and proof $\pi$
  • $\mathrm{verify}(PK, x, y, \pi) \to$ yes/no
  • Pairing-based constructions [L02, DY05]:
  • $PK = (g, g^\alpha)$, $SK = \alpha$
  • $F(\alpha, x) = e(g,g)^{1/(\alpha + x)}$, $\pi = g^{1/(\alpha + x)}$
  • but the security reduction takes time exponential in $|x|$
  • Question: simple construction with poly-time reduction

55
THE END
Pairings: a powerful tool for building cryptosystems