Dj Q: Using Dual Systems to Revisit q-Type Assumptions Melissa Chase - - PowerPoint PPT Presentation

Déjà Q: Using Dual Systems to Revisit q-Type Assumptions

Melissa Chase (MSR Redmond) Sarah Meiklejohn (UC San Diego → University College London)

1

Pairing-based cryptography: a brief history

2

Historically, pairings have provided great functionality

Pairing-based cryptography: a brief history

2

Historically, pairings have provided great functionality

• First IBE instantiation [BF01]

Pairing-based cryptography: a brief history

2

Historically, pairings have provided great functionality

• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]

Pairing-based cryptography: a brief history

2

Historically, pairings have provided great functionality

• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]

With great functionality, comes great (ir)responsibility!

Pairing-based cryptography: a brief history

2

Historically, pairings have provided great functionality

• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]

With great functionality, comes great (ir)responsibility!

• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)

Pairing-based cryptography: a brief history

2

Historically, pairings have provided great functionality

• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]

With great functionality, comes great (ir)responsibility!

• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)
• Later assumptions: Subgroup Hiding [BGN05], Decision Linear, SXDH

Pairing-based cryptography: a brief history

2

Historically, pairings have provided great functionality

• First IBE instantiation [BF01]
• Many other breakthroughs have followed [BBS04,GS08,KSW08,LW11,...]

With great functionality, comes great (ir)responsibility!

• First assumption: BDH (given (ga,gb,gc), compute e(g,g)abc)
• Later assumptions: Subgroup Hiding [BGN05], Decision Linear, SXDH
• Even later assumptions: q-SDH, q-ADHSDH, q-EDBDH, q-SDH-III, q-SFP

, “source group q-parallel BDHE,” etc.

Why are q-type assumptions worrisome?

3

Why are q-type assumptions worrisome?

3

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan

IBE universe

Why are q-type assumptions worrisome?

3

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan

IBE universe

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan

IBE universe

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

IBE universe

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

IBE universe

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

IBE universe q-SDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan

(g,gx,…,gxq)

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

IBE universe q-SDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

(g,gx,…,gxq)

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

IBE universe q-SDH ⇒ /

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

(g,gx,…,gxq)

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

IBE universe q-SDH ⇒ / q+5-SDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

(g,gx,…,gxq) (g,gx,…,gxq,…,gxq+5)

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

IBE universe q-SDH ⇒ / q+5-SDH ⇒

>

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

(g,gx,…,gxq) (g,gx,…,gxq,…,gxq+5)

Why are q-type assumptions worrisome?

3

BDH ⇒

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

IBE universe q-SDH ⇒ / q+5-SDH ⇒

>

t/√q steps [Cheon06] t/√q+5 steps

Alice Bob Charles Dora Ernie Fred George Hannah Isabelle Julian Kate Louise Melissa Nicholas Otis Phil Quentin Rachel Sarah Tristan Ursula Vanessa William Xavier Yevgeniy

Moving away from q-type assumptions

4

Dual systems [W09,…] have proved effective at removing q-type assumptions

Moving away from q-type assumptions

4

Dual systems [W09,…] have proved effective at removing q-type assumptions

• Properties of bilinear groups: subgroup hiding and parameter hiding

Moving away from q-type assumptions

4

Dual systems [W09,…] have proved effective at removing q-type assumptions

• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps

Moving away from q-type assumptions

4

Dual systems [W09,…] have proved effective at removing q-type assumptions

• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps

Apply dual systems directly to variants of the uber-assumption [BBG05,B08]

Moving away from q-type assumptions

4

Dual systems [W09,…] have proved effective at removing q-type assumptions

• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps

Apply dual systems directly to variants of the uber-assumption [BBG05,B08]

• Reduce* to an assumption that holds by a statistical argument

*currently only in composite-order groups

Moving away from q-type assumptions

4

Dual systems [W09,…] have proved effective at removing q-type assumptions

• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps

Apply dual systems directly to variants of the uber-assumption [BBG05,B08]

• Reduce* to an assumption that holds by a statistical argument
• Adapt dual systems to work for deterministic primitives

*currently only in composite-order groups

Moving away from q-type assumptions

4

Dual systems [W09,…] have proved effective at removing q-type assumptions

• Properties of bilinear groups: subgroup hiding and parameter hiding
• Abstract dual systems into three steps

Apply dual systems directly to variants of the uber-assumption [BBG05,B08]

• Reduce* to an assumption that holds by a statistical argument
• Adapt dual systems to work for deterministic primitives

Extension to Dodis-Yampolskiy PRF [DY05] *currently only in composite-order groups

Outline

5

Outline

5

Bilinear groups

Outline

5

Bilinear groups q-Type assumptions

Outline

5

Bilinear groups q-Type assumptions Extensions

Outline

5

Bilinear groups q-Type assumptions Extensions Conclusions

Outline

5

Bilinear groups q-Type assumptions Extensions Conclusions Bilinear groups

Subgroup hiding Parameter hiding Dual systems

Standard bilinear group: (N, G, H, GT, e, g, h)

Properties of (bilinear) groups

6

Standard bilinear group: (N, G, H, GT, e, g, h)

Properties of (bilinear) groups

6

Group order; prime or composite

Standard bilinear group: (N, G, H, GT, e, g, h)

Properties of (bilinear) groups

6

Group order; prime or composite

}

|G| = |H| = κN; |GT| = λN

Standard bilinear group: (N, G, H, GT, e, g, h)

Properties of (bilinear) groups

6

Group order; prime or composite

}

|G| = |H| = κN; |GT| = λN e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1

Standard bilinear group: (N, G, H, GT, e, g, h)

Properties of (bilinear) groups

6

Group order; prime or composite

}

|G| = |H| = κN; |GT| = λN e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1

}

G = <g>; H = <h>

Standard bilinear group: (N, G, H, GT, e, g, h)

Properties of (bilinear) groups

6

Group order; prime or composite

}

|G| = |H| = κN; |GT| = λN e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1

}

G = <g>; H = <h>

Standard bilinear group: (N, G, H, GT, e, g, h)

Properties of (bilinear) groups

6

Group order; prime or composite

}

|G| = |H| = κN; |GT| = λN e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1

}

G = <g>; H = <h>

subgroup hiding

Standard bilinear group: (N, G, H, GT, e, g, h)

Properties of (bilinear) groups

6

Group order; prime or composite

}

|G| = |H| = κN; |GT| = λN e: G × H → GT bilinearity: e(ga,hb) = e(g,h)ab ∀a,b∈Z/NZ non-degeneracy: e(x,y) = 1 ∀y∈H ⇒ x = 1

}

G = <g>; H = <h>

subgroup hiding parameter hiding

Composite-order bilinear group: (N, G, GT, e, g) where N = pq

Subgroup hiding

7

subgroup hiding parameter hiding

Composite-order bilinear group: (N, G, GT, e, g) where N = pq

Subgroup hiding

7

subgroup hiding parameter hiding

Gp Gq

Composite-order bilinear group: (N, G, GT, e, g) where N = pq Subgroup hiding [BGN05]:

Subgroup hiding

7

subgroup hiding parameter hiding

Gp Gq

Composite-order bilinear group: (N, G, GT, e, g) where N = pq Subgroup hiding [BGN05]:

Subgroup hiding

7

subgroup hiding parameter hiding

Gp Gq ≈

Composite-order bilinear group: (N, G, GT, e, g) where N = pq Subgroup hiding [BGN05]:

Subgroup hiding

7

subgroup hiding parameter hiding

Gp Gq ≈

random element of Gp × Gq

Composite-order bilinear group: (N, G, GT, e, g) where N = pq Subgroup hiding [BGN05]:

Subgroup hiding

7

subgroup hiding parameter hiding

Gp Gq ≈

(indistinguishable from) random element of Gp × Gq

Composite-order bilinear group: (N, G, GT, e, g) where N = pq Subgroup hiding [BGN05]:

Subgroup hiding

7

subgroup hiding parameter hiding

Gp Gq ≈

(indistinguishable from) random element of Gp random element of Gp × Gq

Parameter hiding [L12]

Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements

subgroup hiding parameter hiding

8

Parameter hiding [L12]

Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements

subgroup hiding parameter hiding

8

Parameter hiding [L12]

Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements

subgroup hiding parameter hiding

g2f(x1,...,xc)

8

g1f(x1,...,xc)

Parameter hiding [L12]

Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements

subgroup hiding parameter hiding

g2f(x1,...,xc)

8

≈

g1f(x1,...,xc)

Parameter hiding [L12]

Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements

subgroup hiding parameter hiding

g2f(x1,...,xc)

8

≈

g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)

Parameter hiding [L12]

Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements

subgroup hiding parameter hiding

g2f(x1,...,xc)

8

is independent from ≈

g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)

Parameter hiding [L12]

Parameter hiding: elements correlated across subgroups are distributed identically to uncorrelated elements

subgroup hiding parameter hiding

g2f(x1,...,xc)

8

is independent from xi mod p reveals nothing about xi mod q (CRT) ≈

g1f(x1,...,xc) g1f(x1,...,xc)g2f(x1′,...,xc′)

Typical dual-system proof for IBE [W09,LW10,...]

9

Typical dual-system proof for IBE [W09,LW10,...]

9

Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

9

ID queries Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

normal: normal:

9

ID queries Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

normal: (subgroup hiding) normal:

9

ID queries Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

normal: (subgroup hiding) (parameter hiding) normal:

9

ID queries Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

normal: semi-functional (SF): (subgroup hiding) (parameter hiding) normal:

9

ID queries Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

normal: semi-functional (SF): (subgroup hiding) (parameter hiding) (subgroup hiding) normal:

9

ID queries Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

normal: semi-functional (SF): (subgroup hiding) (parameter hiding) (subgroup hiding) (parameter hiding) normal:

9

ID queries Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

normal: semi-functional (SF): (subgroup hiding) (parameter hiding) (subgroup hiding) (parameter hiding) normal: semi-functional (SF):

9

ID queries Challenge ciphertext

Typical dual-system proof for IBE [W09,LW10,...]

normal: semi-functional (SF): (subgroup hiding) (parameter hiding) (subgroup hiding) (parameter hiding) normal: semi-functional (SF):

9

SF keys don’t decrypt SF ciphertexts!

ID queries Challenge ciphertext

Dual systems in three easy steps

10

Dual systems in three easy steps

10

• 1. start with base scheme

Dual systems in three easy steps

normal:

10

• 1. start with base scheme

Dual systems in three easy steps

normal:

10

• 1. start with base scheme
• 2. transition to SF version

Dual systems in three easy steps

normal: semi-functional (SF): (subgroup hiding) (parameter hiding)

10

• 1. start with base scheme
• 2. transition to SF version

Dual systems in three easy steps

normal: semi-functional (SF): (subgroup hiding) (parameter hiding)

10

• 1. start with base scheme
• 2. transition to SF version

(subgroup hiding)

Dual systems in three easy steps

normal: semi-functional (SF): (subgroup hiding) (parameter hiding)

10

• 1. start with base scheme
• 2. transition to SF version

(subgroup hiding) (subgroup hiding)

Dual systems in three easy steps

normal: semi-functional (SF): (subgroup hiding) (parameter hiding)

10

• 1. start with base scheme
• 2. transition to SF version

(subgroup hiding) (subgroup hiding)

Dual systems in three easy steps

normal: semi-functional (SF): (subgroup hiding) (parameter hiding)

10

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

(subgroup hiding) (subgroup hiding)

Outline

11

Cryptographic background Pseudorandom functions Extensions Conclusions Bilinear groups q-Type assumptions

The uber-assumption Relating uber-assumptions A bijection trick

The “uber-assumption” [BBG05,B08]

Uber-assumption is parameterized by (c,R,S,T,f)

12

The “uber-assumption” [BBG05,B08]

Uber-assumption is parameterized by (c,R,S,T,f)

• c = number of variables: x1,...,xc ← R

12

The “uber-assumption” [BBG05,B08]

Uber-assumption is parameterized by (c,R,S,T,f)

• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}

12

The “uber-assumption” [BBG05,B08]

Uber-assumption is parameterized by (c,R,S,T,f)

• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}

12

The “uber-assumption” [BBG05,B08]

Uber-assumption is parameterized by (c,R,S,T,f)

• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}

12

The “uber-assumption” [BBG05,B08]

Uber-assumption is parameterized by (c,R,S,T,f)

• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}
• f(x1,...,xc): A needs to compute e(g,h)f(x1,...,xc) (or distinguish it from random)

12

The “uber-assumption” [BBG05,B08]

Uber-assumption is parameterized by (c,R,S,T,f)

• c = number of variables: x1,...,xc ← R
• R = <1,ρ1,...,ρr>: A is given g, {gρi(x1,...,xc)}
• S = <1,σ1,...,σs>: A is given h, {hσi(x1,...,xc)}
• T = <1,τ1,...,τt>: A is given e(g,h), {e(g,h)τi(x1,...,xc)}
• f(x1,...,xc): A needs to compute e(g,h)f(x1,...,xc) (or distinguish it from random)

uber(c,R,S,T,f) assumption: given (R,S,T) values, hard to compute/distinguish f

12

Example uber-assumption: exponent q-SDH

exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random

13

Example uber-assumption: exponent q-SDH

exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random

• c = number of variables: c = 1

13

Example uber-assumption: exponent q-SDH

exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random

• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)

13

Example uber-assumption: exponent q-SDH

exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random

• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>

13

Example uber-assumption: exponent q-SDH

exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random

• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>
• f(x1,…,xc): f(x) = xq+1

13

Example uber-assumption: exponent q-SDH

exponent q-SDH [ZS-NS04]: given (g,gx,…,gxq), distinguish gxq+1 from random

• c = number of variables: c = 1
• R = <1,ρ1,…,ρr>: ρi(x) = xi (∀i 0≤i≤q)
• S = <1>
• T = <1>
• f(x1,…,xc): f(x) = xq+1

exponent q-SDH is uber(1,<1,{xi}>,<1>,<1>,xq+1)

13

Applying dual systems to exponent q-SDH

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

g1r1x1,…,g1r1x1q

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

g1r1x1,…,g1r1x1q

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

subgroup hiding

g1r1x1,…,g1r1x1q g1r1x1i ⋅ g2r1′x1i

vs.

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

subgroup hiding

g1r1x1,…,g1r1x1q g1r1x1i ⋅ g2r1′x1i

parameter hiding

g1r1x1i ⋅ g2r1′x2i

vs.

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

subgroup hiding

g1r1x1,…,g1r1x1q g1r1x1i ⋅ g2r1′x1i

parameter hiding

g1r1x1i ⋅ g2r1′x2i g1r1x1i + r2x2i ⋅ g2r1′x2i

subgroup hiding vs. vs.

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

subgroup hiding

g1r1x1,…,g1r1x1q g1r1x1i ⋅ g2r1′x1i

parameter hiding

g1r1x1i ⋅ g2r1′x2i g1r1x1i + r2x2i ⋅ g2r1′x2i

subgroup hiding subgroup hiding

g1r1x1+r2x2,…,g1r1x1q+r2x2q

vs. vs. vs.

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

subgroup hiding

g1r1x1,…,g1r1x1q

parameter hiding subgroup hiding subgroup hiding

g1r1x1+r2x2,…,g1r1x1q+r2x2q

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

subgroup hiding

g1r1x1,…,g1r1x1q

parameter hiding subgroup hiding subgroup hiding

g1r1x1+r2x2,…,g1r1x1q+r2x2q g1∑rkxk,…,g1∑rkxkq

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

subgroup hiding

g1r1x1,…,g1r1x1q

parameter hiding subgroup hiding subgroup hiding

g1r1x1+r2x2,…,g1r1x1q+r2x2q g1∑rkxk,…,g1∑rkxkq

14

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,<1,{xi}>,<1>,<1>,xq+1)

Applying dual systems to exponent q-SDH

15

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)

Applying dual systems to exponent q-SDH

15

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)

Applying dual systems to exponent q-SDH

15

r r ... r 1 x . x x 1 x . x x . . . . . . 1 x . x x

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

uber(c,R,<1,{xi}>,<1>,xq+1) → uber(lc,<1,{ ∑rkxki}>,<1>,<1>,∑rkxkq+1)

Applying dual systems to exponent q-SDH

15

=

r r ... r 1 x . x x 1 x . x x . . . . . . 1 x . x x y y . . y

So A is really given

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

Applying dual systems to exponent q-SDH

16

=

r r ... r 1 x . x x 1 x . x x . . . . . . 1 x . x x y y . . y

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

Applying dual systems to exponent q-SDH

16

=

Vandermonde matrix, so if l=q+2 this is invertible

r r ... r 1 x . x x 1 x . x x . . . . . . 1 x . x x y y . . y

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

Applying dual systems to exponent q-SDH

16

=

Vandermonde matrix, so if l=q+2 this is invertible

Consider set S of l-sized sets; then r,y∈S Matrix multiplication is map M: S → S permutation

r r ... r 1 x . x x 1 x . x x . . . . . . 1 x . x x y y . . y

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

Applying dual systems to exponent q-SDH

16

=

Vandermonde matrix, so if l=q+2 this is invertible This is chosen uniformly at random from S

Consider set S of l-sized sets; then r,y∈S Matrix multiplication is map M: S → S permutation

r r ... r 1 x . x x 1 x . x x . . . . . . 1 x . x x y y . . y

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

Applying dual systems to exponent q-SDH

16

=

Vandermonde matrix, so if l=q+2 this is invertible This is chosen uniformly at random from S

Consider set S of l-sized sets; then r,y∈S Matrix multiplication is map M: S → S permutation

This is distributed uniformly random as well!

r r ... r 1 x . x x 1 x . x x . . . . . . 1 x . x x y y . . y

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

More generally, this is true if

! ! !

has linearly independent columns (or rows)

Applying dual systems to the uber-assumption

17

1 ρ . ρ f(x 1 ρ . ρ f(x . . . . . . . . 1 ρ . ρ f(x

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

More generally, this is true if

! ! !

has linearly independent columns (or rows)

Applying dual systems to the uber-assumption

17

1 ρ . ρ f(x 1 ρ . ρ f(x . . . . . . . . 1 ρ . ρ f(x

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

Decisional uber(c,R,S,T,f) holds if:

• 1. subgroup hiding and parameter hiding hold
• 2. S = T = <1>
• 3. f is not a linear combination of ρi

More generally, this is true if

! ! !

has linearly independent columns (or rows)

Applying dual systems to the uber-assumption

17

1 ρ . ρ f(x 1 ρ . ρ f(x . . . . . . . . 1 ρ . ρ f(x

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

Decisional uber(c,R,S,T,f) holds if:

• 1. subgroup hiding and parameter hiding hold
• 2. S = T = <1>
• 3. f is not a linear combination of ρi
• nly computational requirement

More generally, this is true if

! ! !

has linearly independent columns (or rows)

Applying dual systems to the uber-assumption

17

1 ρ . ρ f(x 1 ρ . ρ f(x . . . . . . . . 1 ρ . ρ f(x

• 1. start with base scheme
• 2. transition to SF version
• 3. argue information is hidden

Decisional uber(c,R,S,T,f) holds if:

• 1. subgroup hiding and parameter hiding hold
• 2. S = T = <1>
• 3. f is not a linear combination of ρi
• nly computational requirement

limitation

Outline

18

Cryptographic background q-Type assumptions Data Conclusions Bilinear groups Extensions

Broader classes of assumptions Dodis-Yampolskiy PRF

Strengthening our results

sh ph sh sh

19

Strengthening our results

sh ph sh sh

Remember that we needed two types of subgroup hiding … …even when given a generator for

19

Strengthening our results

sh ph sh sh

Remember that we needed two types of subgroup hiding … …even when given a generator for

vs.

19

Strengthening our results

sh ph sh sh

Remember that we needed two types of subgroup hiding … …even when given a generator for

vs. vs.

19

Strengthening our results

sh ph sh sh

Remember that we needed two types of subgroup hiding … …even when given a generator for This restricts us to “one-sided” assumptions

vs. vs.

19

• 2. S = T = <1>

Strengthening our results

sh ph sh sh

Remember that we needed two types of subgroup hiding … …even when given a generator for This restricts us to “one-sided” assumptions

vs. vs.

19

(g,gx,…,gxq) → gxq+1 or random

[eq-SDH]

• 2. S = T = <1>

Strengthening our results

sh ph sh sh

Remember that we needed two types of subgroup hiding … …even when given a generator for This restricts us to “one-sided” assumptions

vs. vs.

19

(g,gx,…,gxq) → gxq+1 or random (g,gx,…,gxq,hx) → compute (c,g1/x+c)

[eq-SDH] [q-SDH]

• 2. S = T = <1>

Strengthening our results

sh ph sh sh

vs. vs.

20

sh ph

Remember that we needed two types of subgroup hiding…

Strengthening our results

sh ph sh sh

To address this, switch back to regular dual systems

vs. vs.

20

sh ph

Remember that we needed two types of subgroup hiding…

Strengthening our results

sh ph sh sh

To address this, switch back to regular dual systems

vs. vs.

20

sh ph

Remember that we needed two types of subgroup hiding…

Strengthening our results

sh ph sh sh

To address this, switch back to regular dual systems

vs. vs.

20

sh ph

Remember that we needed two types of subgroup hiding…

Strengthening our results

sh ph sh sh

To address this, switch back to regular dual systems

vs. vs.

20

sh ph

Remember that we needed two types of subgroup hiding…

Computational uber(c,R,S,T,f) holds if:

• 1. subgroup hiding and parameter hiding hold
• 2. f is not a linear combination of ρi

limitation

Strengthening our results

sh ph sh sh

To address this, switch back to regular dual systems This implies (for example) that q-SDH [BB04] follows from subgroup hiding.... …and so does everything based on q-SDH (like Boneh-Boyen signatures)*

vs. vs.

20

sh ph

Remember that we needed two types of subgroup hiding… *when instantiated in asymmetric composite-order groups [BRS11]

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI

verifiable random function

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI

require u=e(g,h) verifiable random function

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI

require u=e(g,h) verifiable random function q-type assumption

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI

require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ) verifiable random function q-type assumption

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI Theorem: Advprf ≤ q·Advsgh

require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ) verifiable random function q-type assumption

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI Theorem: Advprf ≤ q·Advsgh

require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ) verifiable random function q-type assumption pseudorandom function

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI Theorem: Advprf ≤ q·Advsgh

require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ) verifiable random function q-type assumption require composite order pseudorandom function

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI Theorem: Advprf ≤ q·Advsgh

require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ) verifiable random function q-type assumption require composite order pseudorandom function static assumption

Reexamining the Dodis-Yampolskiy PRF

21

f(x) = u1/sk+x for fixed sk←R; x∈a(λ)

Theorem [DY05]: Advvrf ≤ a(λ)·Adva(λ)-DBDHI Theorem: Advprf ≤ q·Advsgh

require u=e(g,h) looseness: need |a(λ)| ≤ poly(λ) verifiable random function q-type assumption require composite order a(λ) of arbitrary size pseudorandom function static assumption

Outline

22

Cryptographic background q-Type assumptions Extensions Conclusions Bilinear groups Conclusions

Conclusions and open problems

23

We applied the dual-system technique directly to a broad class of assumptions

Conclusions and open problems

23

We applied the dual-system technique directly to a broad class of assumptions Limitation: Restricted to (asymmetric) composite-order (bilinear) groups

Conclusions and open problems

23

We applied the dual-system technique directly to a broad class of assumptions Limitation: Restricted to (asymmetric) composite-order (bilinear) groups Limitation: Can’t get rid of every q-type assumption

Conclusions and open problems

23

We applied the dual-system technique directly to a broad class of assumptions Limitation: Restricted to (asymmetric) composite-order (bilinear) groups Limitation: Can’t get rid of every q-type assumption Full version!: cs.ucsd.edu/~smeiklejohn/files/eurocrypt14a.pdf

Conclusions and open problems

23

We applied the dual-system technique directly to a broad class of assumptions Limitation: Restricted to (asymmetric) composite-order (bilinear) groups Limitation: Can’t get rid of every q-type assumption Full version!: cs.ucsd.edu/~smeiklejohn/files/eurocrypt14a.pdf

Conclusions and open problems

23

Thanks! Any questions?