
The generic group model in pairing-based cryptography
Hovav Shacham, UC San Diego

I. Background

Pairings

• Multiplicative groups $G_1$, $G_2$, $G_T$
• Maps between $G_1$ and $G_2$ (more later)
• A “pairing” $e: G_1 \times G_2 \to G_T$ that is
  • bilinear: $e(u^a, v^b) = e(u, v)^{ab}$
  • nondegenerate: $e(g_1, g_2) \neq 1$
  • efficiently computable [M86]
• Such groups arise in algebraic geometry

Pairings — birds & bees

• Consider elliptic curve $E/\mathbb{F}_p$; prime $r \mid \#E(\mathbb{F}_p)$
• $G_1 = E(\mathbb{F}_p)[r]$
• $G_2 \le E(\mathbb{F}_{p^k})[r]$, where $k$ is the order of $p$ in $(\mathbb{Z}/r\mathbb{Z})^\times$
• $G_T = \mu_r < (\mathbb{F}_{p^k})^\times$
• $e$ is the Weil pairing, Tate pairing, etc.

Elliptic curve parameters

• Discrete logarithm: given $g_1^x$, recover $x$
• For 80-bit dlog security on $E$, need:
  • $r > 2^{160}$ for generic-group attacks;
  • $|\mathbb{F}_{p^k}| > 2^{1024}$ for index-calculus attacks
• Barreto and Naehrig generate prime-order curves with $k = 12$. For example:

  $E: y^2 = x^3 + 13$, $k = 12$
  $p$ = 1040463591175731554588039391555929992995375960613 (160 bits)
  $r = \#E$ = 1040463591175731554588038371524758323102235285837
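As an added example that is not part of the slides, the following Python checks the Barreto–Naehrig parameters quoted above: that $p$ and $r$ are (probable) primes, that the embedding degree, the order of $p$ in $(\mathbb{Z}/r\mathbb{Z})^\times$, is 12, that $p$ and $r$ fit the BN parametrization (the polynomials $p(x)$, $r(x)$ used for that come from the BN construction and are not stated on the slide; the parameter $x$ is whatever the code recovers), and the bit sizes behind the 80-bit rule of thumb: generic attacks on $E$ cost about $\sqrt{r}$, and index calculus works in $\mathbb{F}_{p^k}$, a field of $p^k$ elements.

```python
import random
from math import isqrt

# Parameters quoted on the slide: Barreto-Naehrig curve y^2 = x^3 + 13 over F_p, k = 12.
BN_P = 1040463591175731554588039391555929992995375960613
BN_R = 1040463591175731554588038371524758323102235285837

def is_probable_prime(n, rounds=32, seed=2024):
    """Miller-Rabin with a fixed seed so the check is reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(seed)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def embedding_degree(p, r, limit=64):
    """Order of p in (Z/rZ)^x, i.e. the least k with r | p^k - 1; None if above limit."""
    for k in range(1, limit + 1):
        if pow(p, k, r) == 1:
            return k
    return None

def bn_parameter(p, r):
    """Recover the BN parameter x from the BN polynomials (BN construction, not the slide):
       p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1,   r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1.
    Since p - r = 6x^2, x is a square root of (p - r)/6 up to sign; None if no sign fits."""
    if (p - r) % 6:
        return None
    x = isqrt((p - r) // 6)
    for cand in (x, -x):
        if (36 * cand**4 + 36 * cand**3 + 24 * cand**2 + 6 * cand + 1 == p
                and 36 * cand**4 + 36 * cand**3 + 18 * cand**2 + 6 * cand + 1 == r):
            return cand
    return None

def security_summary(p, r, k):
    """Sizes behind the slide's rule of thumb: generic attacks on E cost about sqrt(r),
    index calculus in F_{p^k} needs |F_{p^k}| = p^k beyond roughly 2^1024."""
    field_bits = (p ** k).bit_length()
    return {"p_bits": p.bit_length(), "r_bits": r.bit_length(),
            "generic_security_bits": r.bit_length() // 2,
            "field_bits": field_bits, "index_calculus_ok": field_bits >= 1024}

if __name__ == "__main__":
    k = embedding_degree(BN_P, BN_R)
    print("prime p, r:", is_probable_prime(BN_P), is_probable_prime(BN_R))
    print("embedding degree:", k, " BN parameter x:", bn_parameter(BN_P, BN_R))
    print(security_summary(BN_P, BN_R, k))
```

Note that this $r$ is 160 bits but just under $2^{160}$, so what the curve actually delivers against generic attacks is the 80-bit margin the slide targets; $\mathbb{F}_{p^{12}}$ has well over 1900 bits, comfortably past the 1024-bit index-calculus threshold.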

Maps between $G_1$ & $G_2$

• $\mathrm{tr}$ gives $\psi: G_2 \to G_1$ for $G_2$ not trace-0
  [diagram: $E[r]$ with its trace-0 subgroup and $G_2$; arrows $\psi$ and $\phi$ between $G_1$ and $G_2$]
• In supersingular curves, also have $\phi: G_1 \to G_2$; can identify $G_1 = G_2 = G$
• If need hash onto $G_2$, take $G_1 = E(\mathbb{F}_p)[r]$, $G_2 = E(\mathbb{F}_{p^k})[r]$

Assumptions in pairing-based crypto

• Classic, e.g.,
  • DBDH: given $g, g^a, g^b, g^c$, distinguish $e(g, g)^{abc}$ from random in $G_T$
• Baroque, e.g., k-BDHI, k-SDH (see later)
• Decadent, e.g.,

Gaining confidence in assumptions

1. Show that they hold unconditionally (assuming, say, P≠NP)
2. Try to break them, consider observed hardness (e.g., factoring, discrete log)
3. Show they are hard to break in a restricted model of computation

II. Generic groups

Generic groups

• Models attacks that don’t rely on special structure of group
• Group elements replaced with opaque string representation
• Oracles provided for allowed operations
• Adversary power otherwise unrestricted

History

• Introduced by Nechaev (’94) and Shoup (’97) to study discrete log problem
• Extended by Boneh and Boyen (’04) to consider pairings, groups $G$, $G_T$
• Used extensively since to gain confidence in assumptions for pairing-based cryptography

The Über Assumption [BBG’05]

• Let $\Pi = \mathbb{F}_p[X_1, \dots, X_n]$; $P, Q \in \Pi^s$, $f \in \Pi$
• $d = \max\{\{2 \deg P_i\}, \{2 \deg Q_i\}, \deg f\}$
• $f$ is dependent on $P, Q$ if there exist $a_{ij}, b_k$ such that
  $f = \sum a_{ij} P_i P_j + \sum b_k Q_k$

The Über Assumption (cont.)

Theorem. If $f$ is independent of $P$ and $Q$, an adversary that makes $q$ queries has advantage at most
  $\frac{(q + 2s + 2)^2 \cdot d}{2r}$
in distinguishing $e(g, g)^{f(x_1, \dots, x_n)}$ from random given $\{g^{P_i(x_1, \dots, x_n)}\}$, $\{e(g, g)^{Q_i(x_1, \dots, x_n)}\}$ (appropriately encoded)

Example: DBDH

• Instantiation:
  • $\Pi = \mathbb{F}_p[X, Y, Z]$
  • $P = \{1, X, Y, Z\}$
  • $Q = \{1\}$
  • $f = XYZ$
• Max advantage: $3(q + 8)^2 / 2r = O(q^2 / r)$.

Proof idea

• Set up environment, answer adversary queries using encodings from $\Pi$ to $\{0, 1\}^*$
• Afterwards assign random values for $\{X_i\}$
• Simulation is wrong if two elements $p, q$ (in $P$, in $Q$, $f$, or a query response)
  • are different as polynomials, but
  • are equal under chosen assignment

Proof idea (cont.)

• Number of polynomials: $q + 2s + 2$ (queries; $P$; $Q$; $f$ and random)
• Probability that $p - q = 0$: $< \deg(p - q) / r$
• Max degree is max of
  • $2 \max \deg P_i$ (use pairing!)
  • $\max \deg Q_i$
  • $\deg f$
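The environment from the two “Proof idea” slides and the Über bound, written out in Python as an added example (not code from the slides or from [BBG’05]): elements of $G$ and $G_T$ are tracked as their discrete-log polynomials over $\mathbb{Z}_r$, the adversary only ever sees random encodings, the oracles add polynomials (group operation) or multiply them (pairing), and after the queries a random assignment to the variables tells whether the simulation was “wrong” in the sense of the slide. The DBDH instantiation from the earlier slide, the five-query toy adversary, the tiny prime $r = 1009$ and the seeds are constructed for illustration; the class and function names are my own.

```python
import random
from collections import defaultdict

# A polynomial over Z_r in n variables is a dict {exponent tuple: coefficient mod r}.

def poly_add(a, b, r):
    out = defaultdict(int)
    for p in (a, b):
        for m, c in p.items():
            out[m] = (out[m] + c) % r
    return {m: c for m, c in out.items() if c}

def poly_mul(a, b, r):
    out = defaultdict(int)
    for m1, c1 in a.items():
        for m2, c2 in b.items():
            m = tuple(e1 + e2 for e1, e2 in zip(m1, m2))
            out[m] = (out[m] + c1 * c2) % r
    return {m: c for m, c in out.items() if c}

def poly_eval(a, xs, r):
    total = 0
    for m, c in a.items():
        for x, e in zip(xs, m):
            c = c * pow(x, e, r) % r
        total = (total + c) % r
    return total

class GenericBilinearGroup:
    """Environment from the proof idea: each element of G or G_T is stored as the
    polynomial in Z_r[X_1..X_n] that is its discrete log; the adversary sees only a
    random opaque encoding, chosen once per (group, polynomial)."""

    def __init__(self, n, r, rng):
        self.n, self.r, self.rng = n, r, rng
        self.enc_of = {"G": {}, "GT": {}}   # canonical polynomial -> encoding
        self.poly_of = {"G": {}, "GT": {}}  # encoding -> polynomial
        self.queries = 0

    def encode(self, group, p):
        k = tuple(sorted(p.items()))
        if k not in self.enc_of[group]:
            enc = "%s:%016x" % (group, self.rng.getrandbits(64))
            self.enc_of[group][k] = enc
            self.poly_of[group][enc] = p
        return self.enc_of[group][k]

    # Oracles: the group operation adds exponent polynomials, the pairing multiplies them.
    def mult(self, group, e1, e2):
        self.queries += 1
        polys = self.poly_of[group]
        return self.encode(group, poly_add(polys[e1], polys[e2], self.r))

    def pair(self, e1, e2):
        self.queries += 1
        return self.encode("GT", poly_mul(self.poly_of["G"][e1], self.poly_of["G"][e2], self.r))

    def simulation_failed(self, xs):
        """Wrong simulation: two distinct polynomials in one group agree at xs."""
        for group in ("G", "GT"):
            values = [poly_eval(p, xs, self.r) for p in self.poly_of[group].values()]
            if len(values) != len(set(values)):
                return True
        return False

def dbdh_instance(r, rng=None, real=True):
    """The slide's DBDH instantiation P = {1, X, Y, Z}, Q = {1}, f = XYZ (constructed).
    The challenge is e(g,g)^f or, for the random case, a fresh variable T."""
    rng = rng or random.Random(0)
    n = 4
    X, Y, Z, T = ({tuple(int(j == i) for j in range(n)): 1} for i in range(n))
    one = {(0,) * n: 1}
    sim = GenericBilinearGroup(n, r, rng)
    given_G = [sim.encode("G", p) for p in (one, X, Y, Z)]
    given_GT = [sim.encode("GT", one)]
    f = poly_mul(poly_mul(X, Y, r), Z, r)
    return sim, given_G, given_GT, sim.encode("GT", f if real else T)

def toy_adversary(sim, given_G, challenge):
    """Five generic queries; none reaches XYZ, which is independent of P and Q."""
    g, gX, gY, gZ = given_G
    seen = {sim.pair(gX, gY), sim.pair(gX, gZ), sim.pair(gY, gZ)}
    seen.add(sim.pair(sim.mult("G", gX, gY), gZ))   # e(g,g)^{XZ + YZ}
    return challenge in seen   # only an encoding collision could make this True

def uber_bound(q, s, d, r):
    """Advantage bound from the theorem: (q + 2s + 2)^2 * d / (2r)."""
    return (q + 2 * s + 2) ** 2 * d / (2 * r)

def failure_rate(r, trials, seed=1):
    """Fraction of runs in which the random assignment to X, Y, Z, T makes the
    simulation wrong, i.e. in which the bound's bad event actually happened."""
    rng = random.Random(seed)
    failures = 0
    for i in range(trials):
        sim, given_G, _, challenge = dbdh_instance(r, rng, real=(i % 2 == 0))
        toy_adversary(sim, given_G, challenge)
        failures += sim.simulation_failed([rng.randrange(r) for _ in range(sim.n)])
    return failures / trials
```

For DBDH the theorem’s parameters are $d = 3$ ($\deg f = 3$ beats $2 \deg P_i = 2$) and the slide’s count gives $q + 8$, so `uber_bound(q, 3, 3, r)` is the slide’s $3(q + 8)^2 / 2r$; `failure_rate(1009, 400)` measures how often the bad event really occurs and comes out well under that bound, which is the usual looseness of a union bound over all pairs of polynomials.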

Extensions [B’08]

• Type-II and Type-III pairings
• solutions with multiple components in $G$, $G_T$
• multiple possible solutions (à la SDH)
• rational functions in exponents (à la SDH)
• composite-order groups

Digression: k-Linear [S’07, HK’07]

• Given $g_1, \dots, g_k, h$; $g_1^{r_1}, \dots, g_k^{r_k}$; distinguish $h^{r_1 + \cdots + r_k}$ from random
• 1-Linear = DDH; 2-Linear = Linear [BBS’04]
• k-Linear easy given (k+1)-multilinear map
• k-Linear hard in generic group equipped with k-multilinear map
• So strictly weaker assumption with increasing k

III. Strengths of the generic group model

Undefeated

• No assumption proved secure in the generic group model has been broken
  • (more on this later)

Discrete log problems with auxiliary info

• Given $g$, $w = g^{\gamma}, g^{\gamma^2}, \dots, g^{\gamma^k}$ …
  • k-DL: output $\gamma$
  • k-SDH: output $(c, g^{1/(\gamma + c)})$
  • k-BDHI: distinguish $e(g, g)^{1/\gamma}$ from random
  • etc.: DHE, ABDHE, ABCDEFGHE, …

Prophecy …

• No adversary can break k-DHI, k-SDH (etc.) in generic group model with fewer than $\Omega(q^2 k / r)$ queries
• with $k = r^{1/3}$, algorithm with $q = r^{1/3}$ not ruled out!

… fulfilled

• Brown & Gallant ’04, Cheon ’06: if $r$ satisfies property (*) and $k = r^{1/3}$, exists algorithm for k-DL with $q = r^{1/3}$.
• (*): $r - 1$ has divisor $d$ of order $\Theta(r^{1/3})$

IV. Limitations of the generic group model

Proofs are unilluminating

• Generic proofs: long, full of boilerplate
  • sometimes this hides bugs ([KM’10])
• Punchline often of form “$q^2 / r$”
  • not good when schemes proved directly

Unsoundness

• Philosophical justification:
  • If scheme is secure in generic group
  • instantiated in “generic-enough” group
  • then it remains secure
• Dent ’02: exists scheme secure in generic group and insecure in every group

The pairing [MOV’91]

• When embedding degree is small, pairing maps dlog on $E(\mathbb{F}_q)$ to $\mathbb{F}_{q^k}$
• Dlog is subexponential on finite fields!

Faster discrete log on subfield curves

• Nonsupersingular binary elliptic curves: $E: y^2 + xy = x^3 + Ax^2 + B$ over $GF(2^m)$, $B \neq 0$
• Subfield if $A, B$ defined over $GF(2^l)$, $l$

The generic ring model

• Analog to generic-group model for rings
• Useful for analyzing RSA-related problems
• Key difference: operations can fail (not all elements invertible)
• Adversary not given ring order $N$

The generic ring model (cont.)

• Aggarwal & Maurer ’09: The RSA problem is equivalent to factoring in the generic ring model
• Jager & Schwenk ’09: Computing the Jacobi symbol is equivalent to factoring in the generic ring model

V. A research agenda

A strange state of affairs

• Generic group model seems to capture all we know about pairing groups
• These are the least generic groups ever

A proposed problem

Break an assumption secure in the generic group model.

Which assumption?

1. An assumption actually used in a published paper
2. An assumption within a family of assumptions (e.g., the über family)
3. A new assumption you invent (but in the style of previous ones)

Break where?

1. On all pairing-friendly elliptic curves (i.e., “generically”)
2. On a specific pairing-friendly curve (see [FST’10] for a curve catalog)
3. On a new pairing-friendly curve you invent

Break how?

1. Give a polynomial-time algorithm (i.e., break completely)
2. Give an exponential algorithm faster than the generic bounds

More generally …

• Assumptions in pairing-based cryptography need more scrutiny
• Mathematicians can help


Thanks!