Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Allison Lewko

Types of Bilinear Groups

G - a ¯nitecyclic group of order p

e: G £ G ! GT - a bilinear map:

e(ga;gb) = e(g;g)ab

Prime Order:

Composite Order:

G - a ¯nitecyclic group of order N = p1p2p3

e: G £ G ! GT - a bilinear map

Gp1

Gp2 Gp3

Primeorder subgroupsorthogonal under e:

Pros and Cons

Prime Order Groups:Composite Order Groups:

Orthogonal Subgroups

Coprime Orders

Large group order

Slow pairings

Simple assumptions

Smaller group order

Faster pairings

Lack of extra structure

Composite OrderGroups

Prime OrderGroups

Goal

Prior State of Affairs

Ad Hoc Results

[LOS

TW10

]

[OT10]

[W09]

[BGN05]

[BSW06][KSW08]

General translation [F10]

Challenge

Proof

construction

Composite OrderGroups

Prime OrderGroups

What Features Do Proofs Need?Orthogonal Subgroups:

Hidden Parameters:

Simulator

Public Parameters

Internal ViewV

Attacker

V|PP - random variable- has some entropy

Expand/Contract With ComputationalAssumptions

Building Orthogonality in Prime Order

Usevectors in theexponent:

g2 G; ~v 2 Zdp

g~v := (gv1 ;gv2 ; : : : ;gvd )

e(g~v;g~w) :=Q d

i=1e(gvi ;gwi ) = e(g;g)~v¢~w

orthogonality:

~v¢~w ´ 0modulo p e(g~v;g~w) = 1=)

Progress So Far

orthogonal subspacesorthogonal subgroups

Gp1

Gp2 Gp3

g~v

g~w

coprimeorders ?

g~z

Exploiting Coprimality

a - randomexponent in ZN

g1 2 Gp1N = p1p2p3

ga1 - reveals a modulo p1

a modulo p2a modulo p3gremain hidden

attacker

ga1a mod N

simulator

a modulo p2a modulo p3

ChineseRemainderTheorem

Goal

Replacecoprimality, CRT

Alternate mechanismfor hiding parameters

Tool: Dual Pairing Vector Spaces [OT08,09]

d - constant dimension

B := ~b1; ~b2; : : : ~bd

B¤ := ~b¤1; ~b¤2; : : : ~b¤d

~bi ¢~b¤j =0 for i 6= j

Dual orthonormal:

bases of Zdpg

~bi ¢~b¤i =1 for all i

sampleB at random,B¤ determined

Orthogonal Subspaces with DPVS

~b1; ~b2; ~b3; ~b4

~b¤1; ~b¤2; ~b¤3; ~b¤4

orthogonal

Orthogonality across bases, not within!

~b3 ¡ ~b4; 2~b4

~b¤3;12~b¤3+

12~b¤4

Hidden Parameters with DPVS

~b1; ~b2;

~b¤1; ~b¤2;

What can be determined about hidden vectors?

Not Everything!

~b3; ~b4

~b¤3; ~b¤4

Can’t detect change!

Expanding/Contracting with DPVS

\ TheSubspaceAssumption"

~b1 ~b2 ~b3

~b¤1; ~b¤2; ~b¤3

g~v ?

g~b3Not Given:

Implied by DLIN Assumption

Demonstration: Boneh-Boyen IBEOriginal Scheme:

Ciphertext:

Key: g®(uI Dh)r ; gr

gs; (uI Dh)s

Our Scheme:

Ciphertext:

Key:

g~v

g~w~v= s1~b1+s1I D~b2+s2~b3+s2I D~b4

~w= (®+r1I D)~b¤1 ¡ r1~b¤2+r2I D~b¤3 ¡ r2~b¤4

blinding factorcancelation

Sketch of Proof

s1~b1+s1I D0~b2+s2~b3+s2I D0~b4

(®+r1I D)~b¤1 ¡ r1~b¤2+r2I D~b¤3 ¡ r2~b¤4

Ciphertext:

Key:

+s3~b5+s3I D0~b6

+r3I D~b¤5 ¡ r3~b¤6

+ Random

+ Random

Decryption Failure!

Dual System Encryption

SubspaceAssumption

Further Applications

Lewko-Waters Unbounded HIBE

- Natural prime order construction

- Security from DLIN

- Simpler proof

Summary

Dual pairing vector spaces 1. orthogonality

2. parameter hiding

Subspace assumption1. simulated subgroup decision2. implied by DLIN

General tools for translating dual system encryption proofs

Thanks for your attention.

Questions?