limitations on transformations from composite order to
play

Limitations on Transformations from Composite-Order to Prime-Order - PowerPoint PPT Presentation

Apr 08, 2023 •310 likes •1.09k views

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman (Stanford University) 1 Elliptic curves:

  1. Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman (Stanford University) 1

  2. Elliptic curves: what are they and why do we care? Bilinear groups are cyclic groups G of some finite order that admit a nondegenerate bilinear map e: G × G → G T • Bilinear: e(x a ,y) = e(x,y) a = e(x,y a ), nondegenerate: e(x,y) = 1 for all y ⇔ x = 1 • Composite order: |G| = N (often use N = pq), prime order: |G| = p 2

  3. Elliptic curves: what are they and why do we care? Bilinear groups are cyclic groups G of some finite order that admit a nondegenerate bilinear map e: G × G → G T • Bilinear: e(x a ,y) = e(x,y) a = e(x,y a ), nondegenerate: e(x,y) = 1 for all y ⇔ x = 1 • Composite order: |G| = N (often use N = pq), prime order: |G| = p 3

  4. Elliptic curves: what are they and why do we care? Bilinear groups are cyclic groups G of some finite order that admit a nondegenerate bilinear map e: G × G → G T • Bilinear: e(x a ,y) = e(x,y) a = e(x,y a ), nondegenerate: e(x,y) = 1 for all y ⇔ x = 1 • Composite order: |G| = N (often use N = pq), prime order: |G| = p Historically, we use elliptic curves for two main reasons: • Functionality: IBE [BF01], functional encryption, etc. • Efficiency: discrete log problem is harder, can use smaller parameters 4

  5. Outline 5

  6. Outline Divide the talk into three main parts: 5

  7. Outline Divide the talk into three main parts: • The setting: work in composite-order bilinear groups 5

  8. Outline Divide the talk into three main parts: • The setting: work in composite-order bilinear groups • The application: a round-optimal blind signature scheme 5

  9. Outline Divide the talk into three main parts: • The setting: work in composite-order bilinear groups • The application: a round-optimal blind signature scheme • The problem: what if we want to instantiate our scheme in a prime-order setting instead? 5

  10. The setting: composite-order groups • Cyclic groups G and G T of order N = pq, G = G p × G q but p,q are secret • Bilinear map e: G × G → G T • Often use the subgroup hiding assumption: element of G q indistinguishable from an element of G • This setting has proved to be quite useful: 6

  11. The setting: composite-order groups • Cyclic groups G and G T of order N = pq, G = G p × G q but p,q are secret • Bilinear map e: G × G → G T • Often use the subgroup hiding assumption: element of G q indistinguishable from an element of G • This setting has proved to be quite useful: “somewhat” homomorphic encryption [BGN05] 6

  12. The setting: composite-order groups • Cyclic groups G and G T of order N = pq, G = G p × G q but p,q are secret • Bilinear map e: G × G → G T • Often use the subgroup hiding assumption: element of G q indistinguishable from an element of G • This setting has proved to be quite useful: traitor “somewhat” tracing homomorphic [BSW06] zero knowledge encryption [GOS06,GS08] group [BGN05] signatures predicate [BW07] ring encryption signatures HIBE [KSW08] [SW07] [LW10] 6

  13. The setting: composite-order groups • Cyclic groups G and G T of order N = pq, G = G p × G q but p,q are secret • Bilinear map e: G × G → G T • Often use the subgroup hiding assumption: element of G q indistinguishable from an element of G • This setting has proved to be quite useful: traitor “somewhat” tracing homomorphic [BSW06] zero knowledge encryption [GOS06,GS08] group [BGN05] signatures blind predicate [BW07] signatures ring encryption [MSF10] signatures HIBE [KSW08] [SW07] [LW10] 6

  14. Composite- vs. prime-order groups 7

  15. Composite- vs. prime-order groups Why would we switch to prime-order groups? 7

  16. Composite- vs. prime-order groups Why would we switch to prime-order groups? • Composite-order means bigger : in prime-order groups, can use group of size ~160 bits; in composite-order groups need ~1024 bits (discrete log vs. factoring) • In addition, there aren’t many composite-order curve families (need to use supersingular vs. ordinary curves) 7

  17. Composite- vs. prime-order groups Why would we switch to prime-order groups? • Composite-order means bigger : in prime-order groups, can use group of size ~160 bits; in composite-order groups need ~1024 bits (discrete log vs. factoring) • In addition, there aren’t many composite-order curve families (need to use supersingular vs. ordinary curves) Previously, people converted schemes in an ad-hoc way [W09,GSW09,LW10] Freeman [F10] is first to provide a general conversion method 7

  18. The application: round-optimal blind signatures 8

  19. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S 8

  20. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S 8

  21. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m 8

  22. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ 8

  23. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! 8

  24. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req 8

  25. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ ´ 8

  26. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ σ ´ 8

  27. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ σ ´ Same σ as in the unblinded case above 8

  28. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ σ ´ Same σ as in the unblinded case above Applications: electronic cash, anonymous credentials, etc. 8

  29. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ σ ´ Same σ as in the unblinded case above Applications: electronic cash, anonymous credentials, etc. Still a very active research area [O06,F09,AO10,AHO10,R10,GRSSU11] 8

  30. Our scheme: ideas 9

  31. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] 9

  32. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: 9

  33. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T 9

  34. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T τ ↓ ................. E: B × B → B T 9

  35. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T τ ↓ ................. E: B × B → B T • Abstract assumption: B = B 1 × B 2 , where B 1 is indistinguishable from B • Subgroup hiding: set B = G = G p × G q 9

  36. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T τ ↓ ................. E: B × B → B T • Abstract assumption: B = B 1 × B 2 , where B 1 is indistinguishable from B • Subgroup hiding: set B = G = G p × G q • DLIN: rank 2 matrix ~ rank 3 matrix for a 3 × 3 matrix over F p 9

  37. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T τ ↓ ................. E: B × B → B T • Abstract assumption: B = B 1 × B 2 , where B 1 is indistinguishable from B • Subgroup hiding: set B = G = G p × G q • DLIN: rank 2 matrix ~ rank 3 matrix for a 3 × 3 matrix over F p • Benefits: can use composite- and prime-order settings 9

  38. Our scheme: sketch 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LIMITATIONS OF FIBRE PLACEMENT TECHNIQUES FOR VARIABLE ANGLE TOW COMPOSITES AND THEIR

LIMITATIONS OF FIBRE PLACEMENT TECHNIQUES FOR VARIABLE ANGLE TOW COMPOSITES AND THEIR

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS LIMITATIONS OF FIBRE PLACEMENT TECHNIQUES FOR VARIABLE ANGLE TOW COMPOSITES AND THEIR PROCESS-INDUCED DEFECTS B.C. Kim 1 , K. Hazra 1 , P. Weaver 1 , K. Potter 1 * 1 ACCIS (Advanced Composite

350 views • 6 slides
Transformations Composition of Transformations Congruence Transformations Dilations Similarity

Transformations Composition of Transformations Congruence Transformations Dilations Similarity

Slide 1 / 145 Slide 2 / 145 Geometry Transformations 2014-09-08 www.njctl.org Slide 3 / 145 Slide 4 / 145 Table of Contents click on the topic to go to that section Transformations Translations Reflections Rotations Transformations

464 views • 25 slides
Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore

Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore

Introduction BGN protocol with a symmetric pairing BGN conversions Our implementation Conclusion Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore Guillevic C2, Dinard, France C2 2012 1/23 grid

558 views • 23 slides
Transformations Composition of Transformations Congruence Transformations Dilations

Transformations Composition of Transformations Congruence Transformations Dilations

Slide 1 / 154 Slide 2 / 154 Geometry Transformations 2014-09-08 www.njctl.org Slide 3 / 154 Slide 4 / 154 Table of Contents click on the topic to go to that section Transformations Translations Reflections Rotations

581 views • 45 slides
Transformations Composition of Transformations Congruence Transformations Dilations

Transformations Composition of Transformations Congruence Transformations Dilations

Slide 1 / 154 Slide 2 / 154 Geometry Transformations 2014-09-08 www.njctl.org Slide 3 / 154 Slide 4 / 154 Table of Contents click on the topic to go to that section Transformations Translations Reflections Rotations

643 views • 26 slides
Semigroups of order-preserving transformations Young researchers in mathematics 3 rd August 2017

Semigroups of order-preserving transformations Young researchers in mathematics 3 rd August 2017

Semigroups of order-preserving transformations Young researchers in mathematics 3 rd August 2017 Wilf Wilson University of St Andrews Wilf Wilson Semigroups of order-preserving transformations Page 0 of 412 What are semigroups and monoids?

422 views • 41 slides
EFFICIENT HIGHER ORDER ZIG-ZAG THEORY FOR COUPLED MAGNETO-ELECTRO-ELASTIC COMPOSITE LAMINATES J.

EFFICIENT HIGHER ORDER ZIG-ZAG THEORY FOR COUPLED MAGNETO-ELECTRO-ELASTIC COMPOSITE LAMINATES J.

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS EFFICIENT HIGHER ORDER ZIG-ZAG THEORY FOR COUPLED MAGNETO-ELECTRO-ELASTIC COMPOSITE LAMINATES J. Lee 1 , J.-S. Kim 2 , M. Cho 3* 1 School of Mechanical and Aerospace Engineering, Seoul

454 views • 6 slides
Rewriting Techniques for syntax Correctness of Program Transformations normal order reduction

Rewriting Techniques for syntax Correctness of Program Transformations normal order reduction

LR Nondeterminism Overview The calculus LR with true call-by-need evaluation Rewriting Techniques for syntax Correctness of Program Transformations normal order reduction contextual semantics David Sabel and Manfred Schmidt-Schau

369 views • 15 slides
Semantical evaluations as monadic second-order compatible structure transformations Bruno

Semantical evaluations as monadic second-order compatible structure transformations Bruno

Semantical evaluations as monadic second-order compatible structure transformations Bruno Courcelle Universit Bordeaux 1, LaBRI (based in part on joint work with T. Knapik, Universit de La Runion, France) Summary 1.Introduction

795 views • 35 slides
CMSC427 Transformations I Credit: slides 9+ from Prof. Zwicker Transformations: outline

CMSC427 Transformations I Credit: slides 9+ from Prof. Zwicker Transformations: outline

CMSC427 Transformations I Credit: slides 9+ from Prof. Zwicker Transformations: outline Types of transformations Specific: translation, rotation, scaling, shearing Classes: rigid, affine, projective Representing transformations

1.11k views • 68 slides
Transformations Rotations Reflections Dilations Symmetry Congruence & Similarity

Transformations Rotations Reflections Dilations Symmetry Congruence & Similarity

Slide 1 / 230 Slide 2 / 230 8th Grade 2D Geometry: Transformations 2015-11-13 www.njctl.org Slide 3 / 230 Slide 4 / 230 Table of Contents Click on a topic to go to that section Transformations Translations Transformations

729 views • 39 slides
Review Transformations Scale Translate Rotate Combining Transformations

Review Transformations Scale Translate Rotate Combining Transformations

Review Transformations Scale Translate Rotate Combining Transformations Transformations are cumulative Flipping the y-axis direction Rotating about the center of an object Animating with transformations translate

695 views • 23 slides
From Data to Effects Dependence Graphs: Source-to-Source Transformations for C CPC 2015 Nelson

From Data to Effects Dependence Graphs: Source-to-Source Transformations for C CPC 2015 Nelson

Motivation Limitations of the Data Dependence Graph Effects Dependence Graph Impact on Existing Code Transformations Conclusion From Data to Effects Dependence Graphs: Source-to-Source Transformations for C CPC 2015 Nelson Lossing 1 Pierre

662 views • 26 slides
COMPUTER GRAPHICS COURSE Transformations Georgios Papaioannou 2016 ABOUT TRANSFORMATIONS

COMPUTER GRAPHICS COURSE Transformations Georgios Papaioannou 2016 ABOUT TRANSFORMATIONS

COMPUTER GRAPHICS COURSE Transformations Georgios Papaioannou 2016 ABOUT TRANSFORMATIONS Transformations They are operators on vectors and points of a corresponding vector or affine space They alter the coordinates of shape vertices

1.1k views • 81 slides
Transformations and Matrices Transformations I Transformations are functions Matrices

Transformations and Matrices Transformations I Transformations are functions Matrices

Transformations and Matrices Transformations I Transformations are functions Matrices are functions representations Matrices represent linear transfs CS5600 Computer Graphics Lecture Set 5 by 2 x 2 Matrices == 2D Linear

269 views • 9 slides
Linear Transformations Linear Transformations 1 / 21 Linear Transformations A function T from R

Linear Transformations Linear Transformations 1 / 21 Linear Transformations A function T from R

Linear Transformations Linear Transformations 1 / 21 Linear Transformations A function T from R n R m is called a linear transformation if there exists an m n matrix A such that T ( x ) = A x x R n satisfying the following:

890 views • 31 slides
Fermion space charge in narrow band- gap semiconductors, Weyl semimetals and around highly charged

Fermion space charge in narrow band- gap semiconductors, Weyl semimetals and around highly charged

Fermion space charge in narrow band- gap semiconductors, Weyl semimetals and around highly charged nuclei Eugene B. Kolomeisky University of Virginia Work done in collaboration with: J. P. Straley, University of Kentucky H.

608 views • 28 slides
Slide 1 / 40 1 Two charges +Q and -3Q are placed in opposite corners of a square. The work

Slide 1 / 40 1 Two charges +Q and -3Q are placed in opposite corners of a square. The work

Slide 1 / 40 1 Two charges +Q and -3Q are placed in opposite corners of a square. The work required to move a test charge q from point A to point B is: A dependent on the path taken from A to B B directly proportional to the distance between

476 views • 14 slides
CS 4100: Artificial Intelligence Reinforcement Learning Ja Jan-Wi Willem van de Meent

CS 4100: Artificial Intelligence Reinforcement Learning Ja Jan-Wi Willem van de Meent

CS 4100: Artificial Intelligence Reinforcement Learning Ja Jan-Wi Willem van de Meent Northeastern University [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188 materials are available at

437 views • 19 slides
The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Rules of Inference Section 1.6

The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Rules of Inference Section 1.6

The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Rules of Inference Section 1.6 Section Summary Valid Arguments Inference Rules for Propositional Logic Using Rules of Inference to Build Arguments Rules of Inference

733 views • 57 slides
On Coinduction and Quantum Lambda Calculi Yuxin Deng East China Normal University (Joint work

On Coinduction and Quantum Lambda Calculi Yuxin Deng East China Normal University (Joint work

On Coinduction and Quantum Lambda Calculi Yuxin Deng East China Normal University (Joint work with Yuan Feng and Ugo Dal Lago) To appear at CONCUR15 1 Outline Motivation A quantum -calculus Coinductive proof techniques

633 views • 41 slides
SYMBOLIC LOGIC UNIT 7: THE PROOF METHOD: 8 BASIC INFERENCE RULES Constants vs. Variables A

SYMBOLIC LOGIC UNIT 7: THE PROOF METHOD: 8 BASIC INFERENCE RULES Constants vs. Variables A

SYMBOLIC LOGIC UNIT 7: THE PROOF METHOD: 8 BASIC INFERENCE RULES Constants vs. Variables A B p q Constants are Variables are abbreviations of placeholders for any specific sentences with formula whatever, determinate meanings.

611 views • 37 slides
Talk on Sheaf Representation John Kennison Clark University Joint work with Mike Barr and Bob

Talk on Sheaf Representation John Kennison Clark University Joint work with Mike Barr and Bob

Talk on Sheaf Representation John Kennison Clark University Joint work with Mike Barr and Bob Raphael Note: I didnt actually use slides, but if I had they would be something like the following. I want to thank Bill Lawvere as so many of the

437 views • 10 slides
Section 4 Boundary Value Problems for ODEs Numerical Analysis II Xiaojing Ye, Math &

Section 4 Boundary Value Problems for ODEs Numerical Analysis II Xiaojing Ye, Math &

Section 4 Boundary Value Problems for ODEs Numerical Analysis II Xiaojing Ye, Math & Stat, Georgia State University 222 BVP for ODE We study numerical solution for boundary value problem (BVP). If the BVP involves first-order ODE, then

798 views • 55 slides

More recommend