
C2 2012 1/23

Introduction BGN protocol with a symmetric pairing BGN conversions Our implementation Conclusion

Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves

Aurore Guillevic C2, Dinard, France


Outline

1 Introduction
2 BGN protocol with a symmetric pairing
3 BGN conversions
4 Our implementation
5 Conclusion


Previous work

  • [Boneh, Goh and Nissim, TCC 2005] First public-key homomorphic encryption scheme using composite-order groups and pairings
  • Based on the Subgroup Decision Assumption
  • For the last seven years, many protocols with interesting properties based on this assumption
  • [Freeman, Eurocrypt 2010] Specific conversions to prime-order groups
  • [Lewko, Eurocrypt 2012] Generic conversions to prime-order groups and nice security proofs

→ It remains quite theoretical


Contributions

  • Explicit parameter sizes for protocols based on the Subgroup Decision Assumption at common security levels

  • Implementation in C and benchmarks

Subgroup Decision Assumption

Given a group G of composite order p1p2 = N (e.g. an RSA modulus) without knowing its decomposition into p1 and p2, it is hard to decide whether a given element g ∈ G is in the subgroup of order p1.

N must be infeasible to factor ⇒ very large parameter sizes.


Bilinear Groups

  • 1. G1, G2 and GT are three cyclic groups of order N
  • 2. e : G1 × G2 → GT is a bilinear map, i.e. for all g1, h1 ∈ G1 and g2, h2 ∈ G2, $e(g_1 \cdot h_1, g_2) = e(g_1, g_2) \cdot e(h_1, g_2)$ and $e(g_1, g_2 \cdot h_2) = e(g_1, g_2) \cdot e(g_1, h_2)$.
  • 2'. For all a, b ∈ ℤ, g1 ∈ G1, g2 ∈ G2, $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab} = e(g_1^b, g_2^a)$.


BGN protocol: setup

  • 1. Generate two random τ-bit primes p1, p2 and set N = p1p2.
  • 2. Generate a (symmetric) bilinear pairing e : G1 × G1 → GT with G1 and GT of order N.
  • 3. Pick two random generators g1, u1 ← G1 and set $h_1 = u_1^{p_2}$ ⇒ h1 is a random generator of the subgroup of order p1 of G1. Set $g_T = e(g_1, g_1)$ as generator of GT and $h_T = e(g_1, h_1) = g_T^{p_2}$ as generator of the subgroup of order p1 of GT.
  • 4. PK = (N, G1, GT, e, g1, h1, gT, hT). SK = p1.

BGN protocol: encrypt/decrypt

Encrypt(PK, m): m ∈ ℕ, m < p2. Pick a random r ← {0, 1, . . . , N − 1}. The ciphertext is $c = g_1^m \cdot h_1^r \in G_1$.

Decrypt(SK, c ∈ G1): We have $c^{p_1} = (g_1^m \cdot h_1^r)^{p_1} = (g_1^{p_1})^m$

→ compute the discrete log of $c^{p_1}$ in base $g_1^{p_1}$.
→ very slow,
→ or m must be very small (few bits).


BGN protocol: homomorphic add/mul

Add(c1, c2) mod N: Pick a random r ← {0, 1, . . . , N − 1}. $c = c_1 \cdot c_2 \cdot h_1^r = g_1^{m_1 + m_2 \bmod N} \cdot h_1^{r'} \in G_1$.

Mul(c3, c4) mod N (once): Pick a random r ← {0, 1, . . . , N − 1}. $c = e(c_3, c_4) \cdot h_T^r = g_T^{m_3 \cdot m_4 \bmod N} \cdot h_T^{r'} \in G_T$.

Add(c5, c6) mod N: Pick a random r ← {0, 1, . . . , N − 1}. $c = c_5 \cdot c_6 \cdot h_T^r = g_T^{m_5 + m_6 \bmod N} \cdot h_T^{r'} \in G_T$.


BGN in practice

  • Suitable elliptic curve: easy to generate
  • 1. Let N be a composite-order modulus (generated with e.g. openssl).
  • 2. Find the smallest integer h, 4 | h, such that hN − 1 is prime.
  • 3. Let p = hN − 1. The elliptic curve $E(\mathbb{F}_p) : y^2 = x^3 - x$ is supersingular, of order hN = p + 1 and embedding degree 2.

Moreover, an explicit isomorphism G1 → G2 is available, hence the pairing is symmetric.

  • Tate pairing only (one of the worst pairings in speed).
  • Parameter sizes: 3072 ≤ log N ≤ 3248 (NIST–Ecrypt).
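The curve-generation steps above, as an added example that is not code from the talk or from LibCryptoLCH: for a constructed toy N it finds h and p, confirms by direct point counting that y^2 = x^3 − x over F_p has hN = p + 1 points, and computes the embedding degree. The modulus and function names are assumptions chosen so the count finishes instantly.

```python
from math import isqrt

def is_prime(n):
    # Trial division; adequate for the toy sizes used here.
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def find_h(N):
    """Smallest h with 4 | h such that p = h*N - 1 is prime (steps 2 and 3)."""
    h = 4
    while not is_prime(h * N - 1):
        h += 4
    return h, h * N - 1

def curve_order(p):
    """Number of points on y^2 = x^3 - x over F_p, counted directly."""
    total = 1                                   # the point at infinity
    for x in range(p):
        rhs = (x * x * x - x) % p
        if rhs == 0:
            total += 1                          # single point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:    # Euler's criterion: rhs is a square
            total += 2                          # two square roots, +y and -y
    return total

def embedding_degree(N, p):
    """Smallest k such that N divides p^k - 1."""
    k, acc = 1, p % N
    while acc != 1:
        acc, k = acc * p % N, k + 1
    return k

N = 101 * 103            # constructed toy modulus, far too small for real use
h, p = find_h(N)

if __name__ == "__main__":
    print(h, p, curve_order(p) == h * N, embedding_degree(N, p))
```

Because 4 | h forces p ≡ 3 (mod 4), −1 is a non-residue and the points pair up so that the order is exactly p + 1; the price is that p is a few bits longer than N, which is why the base field inherits the RSA-sized parameters.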

BGN variants

  • Over composite-order groups made of several distinct primes
  • Each piece of information is hidden in a subgroup
  • The parameter sizes depend on the Number Field Sieve (NFS) attack and the Elliptic Curve Method (ECM) attack


Freeman and Lewko Conversions

  • As operations are much faster on a prime-order elliptic curve than a composite-order one, the protocol is built on this prime-order curve.
  • It uses a vector of elements in the same prime-order group: each copy of the prime-order group corresponds to a subgroup in the composite-order setting.
  • To distinguish between the different copies, elements are generated from different generators.
  • The protocol security relies on the d-Linear Problem, an extension of the Diffie-Hellman Problem.
  • New properties to achieve: projecting pairings and cancelling pairings.


BGN Conversion: setup

  • 1. Let (G1, G2, GT) be three cyclic groups of prime order n with a pairing e : G1 × G2 → GT.
  • 2. Let $\mathbf{G}_1 = G_1^2$, $\mathbf{G}_2 = G_2^2$, $\mathbf{G}_T = G_T^4$.
  • 3. Choose random generators g1 ∈ G1, g2 ∈ G2 and let gT = e(g1, g2).
  • 4. Choose random $\begin{pmatrix} a_1 & b_1 \\ c_1 & d_1 \end{pmatrix}, \begin{pmatrix} a_2 & b_2 \\ c_2 & d_2 \end{pmatrix} \in SL_2(\mathbb{F}_n)$.
  • 5. Let H1 be the subgroup of $\mathbf{G}_1$ generated by $h_1 = (g_1^{a_1}, g_1^{b_1})$, let H2 be the subgroup of $\mathbf{G}_2$ generated by $h_2 = (g_2^{a_2}, g_2^{b_2})$.
  • 6. Define a pairing $e : \mathbf{G}_1 \times \mathbf{G}_2 \to \mathbf{G}_T$ by $e([u_1, v_1], [u_2, v_2]) = [e(u_1, u_2), e(u_1, v_2), e(v_1, u_2), e(v_1, v_2)]$.
  • 7. Let $H_T = \langle e(h_1, h_2),\ e(h_1, [g_2^{c_2}, g_2^{d_2}]),\ e([g_1^{c_1}, g_1^{d_1}], h_2) \rangle \subset \mathbf{G}_T$.


BGN Conversion: setup

  • 8. The analogue of computing $c^{p_1}$ is computing a projecting map π1, π2 or πT from the groups $\mathbf{G}_1$, $\mathbf{G}_2$ or $\mathbf{G}_T$ s.t. $H_* \subset \mathrm{Ker}(\pi_*)$ and $e(\pi_1(u), \pi_2(v)) = \pi_T(e(u, v))$.
  • 9. The public parameters are (G1, H1, G2, H2, GT, G T, e, g1, g2) and the secret trapdoors are π1, π2 and πT which need the numbers a1, b1, . . . , d2, e.g. $\pi_1([u_1, v_1]) = [u_1^{-b_1 c_1} \cdot v_1^{a_1 c_1},\ u_1^{-b_1 d_1} \cdot v_1^{a_1 d_1}]$.

Homomorphic properties:

  • The message is hidden in the exponent and a random blinding term from the subgroup is added.
  • To decrypt, a discrete logarithm is needed.
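The projection trapdoor π1 from step 9, as an added example that is not code from the talk or from LibCryptoLCH. It assumes a stand-in prime-order group (the order-101 subgroup of Z_607^*, no pairing) and assumes the message is carried by the element w = (g^c, g^d) used in step 7; the parameters and all names are constructed for illustration.

```python
import random

Q, n = 607, 101                      # constructed toy group: 607 = 6*101 + 1 is prime
g = pow(2, 6, Q)                     # 64 != 1, so it has prime order n in Z_607^*

def keygen(rng):
    """Secret (a, b, c, d) with ad - bc = 1 mod n; public h = (g^a, g^b), w = (g^c, g^d)."""
    while True:
        a, b, c = (rng.randrange(n) for _ in range(3))
        if a:
            d = (1 + b * c) * pow(a, -1, n) % n          # forces determinant 1
            return (a, b, c, d), ((pow(g, a, Q), pow(g, b, Q)),
                                  (pow(g, c, Q), pow(g, d, Q)))

def vpow(v, k):
    return tuple(pow(x, k, Q) for x in v)

def vmul(v, w):
    return tuple(x * y % Q for x, y in zip(v, w))

def project(sk, ct):
    """pi_1([u, v]) = [u^(-bc) * v^(ac), u^(-bd) * v^(ad)], as on the slide."""
    a, b, c, d = sk
    u, v = ct
    return (pow(u, -b * c % n, Q) * pow(v, a * c % n, Q) % Q,
            pow(u, -b * d % n, Q) * pow(v, a * d % n, Q) % Q)

def encrypt(pk, m, rng):
    h, w = pk                        # assumption: w is the message base, h the blinding
    return vmul(vpow(w, m), vpow(h, rng.randrange(n)))   # w^m * h^r

def decrypt(sk, pk, ct):
    """pi_1 kills the h-component and fixes w, leaving w^m; then brute-force m."""
    target, acc = project(sk, ct), (1, 1)
    for m in range(n):
        if acc == target:
            return m
        acc = vmul(acc, pk[1])
    raise ValueError("not a valid ciphertext")
```

The determinant-1 condition is what makes π1 act as the identity on w: the exponents of π1(w^m · h^r) collapse to (cm(ad − bc), dm(ad − bc)) = (cm, dm), while every power of h maps to (1, 1).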

LibCryptoLCH

The LibCryptoLCH is a proprietary cryptographic library developed inside the Crypto Lab (Laboratoire Chiffre) at THALES.

  • $\mathbb{F}_p$ arithmetic with Montgomery representation
    multiplication in Intel x86 assembly language can be activated (thanks to F. de Portzamparc)
  • same high-level pairing optimizations as in the most efficient papers
  • generic design: may use any p or elliptic curve
  • modular approach

Curve, Pairing   | k  | log2 m | log2 p | Miller L. | F. Exp. | Pairing
-----------------|----|--------|--------|-----------|---------|--------
Ssingular, Tate  | 2  | 256    | 1536   | 19.7 ms   | 20.5 ms | 40.2 ms
BN, Opt. Ate     | 12 | 256    | 256    | 2.4 ms    | 3.0 ms  | 5.4 ms

Pairings with normal NIST parameter sizes for a 128-bit security level, PC Linux Intel x86, 2.6 GHz


Results

Operation | Composite-order EC       | Time    | Prime-order EC                   | Time    | ×
----------|--------------------------|---------|----------------------------------|---------|----
Enc, Add  | 1 exp. in G1             | 600 ms  | 1 exp. in G1 and G2              | 2.5 ms  | 240
Decrypt   | $C^{p_1}$ ∈ G1           | 300 ms  | π1: 4 exp. in G1                 | 2.4 ms  | 120
          |                          |         | π2: 4 exp. in G2                 | 7.6 ms  | 40
Multiply  | 1 pairing + 1 exp. in GT | 1470 ms | 1 exp. in G1, G2, 4×(3 pairings) | 43.3 ms | 34
Enc, Add  | 1 exp. in GT             | 170 ms  | 1 exp. in G1, G2, 4×(2 pairings) | 33.7 ms | 5
Decrypt   | $C^{p_1}$ ∈ GT           | 84 ms   | πT(C): 16 exp. in GT             | 64.0 ms | 1.3


Conclusion

  • BGN introduced very nice properties and is practical but quite slow on a PC
  • Conversions in the prime-order setting provide much faster timings → Add in G1 is 240 times faster, Mul is 34 times faster and Add in GT 5 times faster.


Thank you for your attention. aurore.guillevic@thalesgroup.com