Sie sind auf Seite 1von 28

# Bar Ilan Winter School. Feb.

2013

## Bilinear Pairings in Cryptography:

Basics of Pairings

Dan Boneh
Stanford University

(1 hour)
Recall: Diffie-Hellman protocol
n G: group of prime order q ; g G generator

Alice A := ga Bob

a Zq b b Zq
B := g

ab ab
g g

## (g, A, B, gab ) indist. from (g, A, B, grand )

Standard complexity assumptions
n G: group of order q ; 1 g G ; x,y,z Zq

x
n Discrete-log problem: g, g x

x y xy
g, g , g g

## n Decision Diffie-Hellman problem (DDH):

x y z 0 if z=xy
g, g , g , g
1 otherwise
G GT
Pairings a
g
ab
e(g,g)
n G , GT : finite cyclic groups b
g
of prime order q.

## q Poly-time computable and non-degenerate:

g generates G e(g,g) generates GT

## n Current examples: G E(Fp) , GT (Fp)*

( = 1, 2, 3, 4, 6, 10, 12 )
G GT
Pairings a
g
ab
e(g,g)
n G , GT : finite cyclic groups b
g
of prime order q.

## q Bilinear: xe(ga, ygb) = e(g,g)ab y gG

a,bZ, x
e( g , h ) = e( g , h )
q Poly-time computable and non-degenerate:
g generates G e(g,g) generates GT

## n Current examples: G E(Fp) , GT (Fp)*

( = 1, 2, 3, 4, 6, 10, 12 )
Consequences of pairing
n Decision Diffie-Hellman (DDH) in G is easy: [J00, JN01]
x y z
q input: g, g , g , g G
z ? x y
q to test if z=xy do: e(g, g ) = e(g , g )

## n Dlog reduction from G to GT : [MOV 93]

DLog a DLog a
in G g, g G in GT e(g,g), e(g,g ) GT
Basic complexity assumptions in bilinear groups
P
n e: G G GT ; 1 g G ; x,y,z Zq

n Discrete-log problem: g, g
x
x P
n Computational Diffie-Hellman problem (CDH):

g,
x
g , g
y
g
xy P

## n Bilinear Decision Diffie-Hellman problem (BDDH):

x y z 0 if z=xy
h, g, g , g , e(h, g)
1 otherwise
Where pairings come from
P
Q

q
E(Fp)[q]

E(Fp) = G
q

(p-1)/q
Tate pairing: e(P, Q) := fP(Q) , (fP) = q(P) - q(O)

## but: P,Q G : e(P,Q) = 1

Supersingular bilinear groups
Supersingular curves: ( e.g. y 2 = x3 + x , p=3 (mod 4) )

E(Fp)[q]

P Q E(Fp) = G

e : G G GT

Def: e( P, Q) = e( P, (Q) )

## Possible : =2,3,4,6 or =7.5 [RS 02]

Asymmetric pairings e: G1 G2 GT
Non-supersingular curves: (1st case) (G1 G2)
G2
Q
E(Fp)[q]
G1
P E(Fp)

## No mapping out of E(Fp)

e : G1 G2 GT
Asymmetric pairings e: G1 G2 GT
Non-supersingular curves: (1st case) (G1 G2)
G2
Q
E(Fp)[q]
trace
G1
P E(Fp) = G

## Projection map tr: G2 G1

Symmetric pairing on G2 easy DDH in G2

## but no (known) DDH algorithm in G1

Asymmetric pairings e: G1 G2 GT
Non-supersingular curves: (2nd case)
G2
Q
E(Fp)[q]
G1
P E(Fp)

## SXDH assumption: DDH hard in G1 and G2

n Used for anonymous IBE, circular insecure enc.,
[D10] [ABBC10, CGH12]
Asymmetric pairings e: G1 G2 GT
Non-supersingular curves: (2nd case)
G2

E(Fp)[q]
G1
E(Fp)

## Most efficient implementations

MNT and BN groups: asymmetric pairings
G2
Open problem: larger (prime order E(Fp) )
E(Fp)[q]
e.g. = 16,20,24, (see taxonomy [FST10] )

E(Fp) = G1

e : G1 G2 GT

## MNT 01 Curves: =2,3,4,6 not supersingular

BN 05, F05 Curves: =10, 12 curves

Example: BLS sigs. using asymmetric pairings
pk = (g2)x H: {0,1}* G1

g2
H(m) sig=H(m)x
g1 G1
KeyGen: output [g1, g2, pk=(g2)x ] , skx

## Security: EUF-CMA assuming aCDH (in RO model)

g2, g2x, g1, g1x, g1y g1xy
More complexity assumptions
in bilinear groups
The decision linear assumption (DLIN) [BBS04]

## g1 , g2 , , gk, gk+1 g1 , g2 , , gk, gk+1

x1 x2 xk xi
p x1 x2 xk y
g1 , g2 , , gk , (gk+1) g1 , g2 , , gk , (gk+1)

to break

## Assumption: k-DLIN holds even if k-linear map in G for kk

The decision linear assumption (DLIN)
n Many bilinear constructions can be based on 2-DLIN

## k-DLIN ( k < n,m )

nm nm
A (Zq)
R
B (Zq)
R
, rank(B)=k
p
output gA output gB
The master assumption [BBG04]

## such that f spanF

q
( {fifj / fk}i,j,k ) (*)

## Thm (informal): (F,f) satisfying (*) and poly. degree,

the (F,f) assumption holds in a generic bilinear group
Composite order groups
Bilinear groups of order N=pq [BGN05]

## n G: group of order N=pq. (p, q) secret

bilinear map: e: G G GT

G = Gp Gq . gp = gq Gp ; gq = gp Gq

## n Facts: e( gp , gq ) = e(gq , gp) = e(g,g)N = 1

e( gp , gpxgqy ) = e(gp,gp)x
An example: BGN encryption [BGN05]

## n KeyGen(): generate bilinear group G of order N=pq

pk (G, N, g, gp ) ; sk p

m r
n Enc(pk, m) : r ZN , C g (gp) G

p m p r p
n Dec(sk, C) : C = [g ] [gp ] = (gq)m Gq
p
Output: Dloggq( C )

## n Note: decryption time is O(m )

require small message space ( e.g. {0,1} )
Homomorphic Properties
C1 gm1 (gp)r1 , C2 gm2 (gp)r2 G

## q Additive hom: E(m1+m2) = C1 C2 (gp)s

^
q One mult hom: E(m1m2) = e(C1,C2) e(gp,gp)s

^
More generally: E(m1), , E(mn) E(F(m1,,mn))

## ( becomes fully homomorphic with a k-linear map, for suff. large k )

Security: the subgroup assumption
Subgroup assumption: G Gp

Distribution PG ():
Distribution Pp ():

(G,g,p,q) GroupGen()
(G,g,p,q) GroupGen()

N pq
N pq

s ZN
s ZN

s s
Output: (G, g, N, g )
Output: (G, g, N, (gp) )

For any poly-time A:

| Pr[A(X) : XPG()] - Pr[A(X) : XPp()] | < neg()

## Thm: BGN is semantically secure under the subgroup assumption

From composite order to prime order
A general conversion: [F10, L12]

## n Resulting systems are often more efficient

(since group size is smaller)
but are technically more complex
Final note: pairings mod N
Consider elliptic curve E: y2 = x3 + ax + b (mod N)
where N=pq is an RSA modulus

## Then E(Z/NZ) = E(Fp) E(Fq)

n Finding size of E(Z/NZ) is as hard as factoring N
cannot compute pairings on E
no known algorithm for DDH on E(Z/NZ)

## trapdoor DDH group

Early work on pairings in crypto

n Miller 1986

THE END