Change Background colours in the layout tab in the panel above^
Dual Pairing Vector Space
Shiwei Zhang
School of Computer Science and Software Engineering Faculty of Engineering and Information Sciences University of Wollongong, Australia Student Number: 3792444 Email: [email protected]
October 3, 2014
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Literature
[1] Okamoto, T.: Dual pairing vector spaces and their applications to functional encryption (July 2014), lecture in University of Wollongong [2] Okamoto, T., Takashima, K.: Homomorphic encryption and signatures from vector decomposition. In: Galbraith, S., Paterson, K. (eds.) Pairing-Based Cryptography – Pairing 2008, Lecture Notes in Computer Science, vol. 5209, pp. 57–74. Springer Berlin Heidelberg (2008) [3] Okamoto, T., Takashima, K.: Some key techniques on pairing vector spaces. In: Nitaj, A., Pointcheval, D. (eds.) Progress in Cryptology – AFRICACRYPT 2011, Lecture Notes in Computer Science, vol. 6737, pp. 380–382. Springer Berlin Heidelberg (2011)
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 1 Outline
1 Preliminaries
2 Dual Pairing Vector Space
3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors
4 Conclusion
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Outline
1 Preliminaries
2 Dual Pairing Vector Space
3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors
4 Conclusion
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Pairing Groups
Let G1 and G2 be additive groups of prime order q with generator P and Q respectively, and G3 be multiplicative group of the same prime order q.
|G1| = |G2| = |GT | = q
P ∈ G1,Q ∈ G2 (P,Q ≠ 1)
Scalar multiplication is defined for G1 and G2 as follows: ∀ ∈ Z ··· a q, aP = |P + P + P +{z + P + P} a The conventional notation ga, where g is a generator, is not used for more nature DPVS representation.
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 2 Bilinear Pairing
The e: G1 × G2 → GT is a bilinear pairing which has following properties: Bilinearity: xy ∀P ∈ G1,Q ∈ G2, x, y ∈ Zq, e(xP, yQ) = e(P,Q) Non-degeneracy: ∃P ∈ G1,Q ∈ G2 : e(P,Q) ≠ 1 Computability:
∀P ∈ G1,Q ∈ G2, ∃A which is an efficient algorithm to compute e(P,Q)
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 3 Outline
1 Preliminaries
2 Dual Pairing Vector Space
3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors
4 Conclusion
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Objective
Mathematically rich structures should be useful in implementing various cryptographic primitives and protocols [2]. F∗ Traditional cryptography (genus 0). e.g. finite field ( p)
Pairing-based cryptography (genus 1). e.g. elliptic curve groups (E/Fp) New property: Bilinearity A nature way to construct a richer structure from pairing groups is
Direct Product of Pairing Groups −→ Dual Pairing Vector Space
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 4 Definition
Vectors x ∈ V and y ∈ V∗ are defined as following:
∈ GN V x := (P1,...,PN ) 1 = ∈ GN V∗ y := (Q1,...,QN ) 2 =
Vector Addition
∀ ∈ GN V z := (R1,...,RN ) 1 =
x + z := (P1 + R1,...,PN + RN )
Scalar multiplication ∀a ∈ Fq, ax := (aP1, . . . , aPN )
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 5 Canonical Basis I
The canonical bases are defined as following:
A := (a1, . . . , aN ) a1 := (P, 0,..., 0), a2 := (0,P, 0,..., 0), aN := (0,..., 0,P ) A∗ ∗ ∗ ∗ ∗ ∗ := (a1, . . . , aN ) a1 := (Q, 0,..., 0), a2 := (0, Q, 0,..., 0), aN := (0,..., 0,Q)
Visually, they can be represented as following: P 0 ··· 0 Q 0 ··· 0 ··· ··· 0 P 0 ∗ 0 Q 0 A := . . . . A := . . . . . . .. . . . .. . 0 0 ··· P 0 0 ··· Q
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 6 Canonical Basis II
Elements x ∈ V, y ∈ V∗ can be expressed on canonical basis:
x := (x1P, . . . , xN P ) y := (y1Q, . . . , yN Q) ··· ∗ ··· ∗ = x1a1 + + xN aN = y1a1 + + yN aN
= (x1, . . . , xN )A = (y1, . . . , yN )A∗ = (⃗x)A = (⃗y)A∗
∈ FN Note that ⃗x,⃗y q .
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 7 Canonical Basis III
As ⃗x is a N-dimensional vector and A is a N × N matrix and by observing the definition of the calculation of x, it can also be computed naturally using matrix. a1,1 a1,2 ··· a1,N [ ] a2,1 a2,2 ··· a2,N ··· x = ⃗xA = x1 x2 xN . . . . . . .. . a a ··· a [ N,1 N,2 ] N,N ∑N ∑N ∑N = xiai,1 xiai,2 ··· xiai,N = (⃗x)A i=1 i=1 i=1
Similarly, y = ⃗yA∗.
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 8 Duality
Inner-Products between V and V∗ are defined as following:
∗ ∀x := (⃗x)A ∈ V, y := (⃗y)A∗ ∈ V , ∑N x · y := xiyi = ⃗x · ⃗y ∈ Fq i=1
∗ ∗ Since ∀y ∈ V , there is a linear map y : V → Fq (i.e. y : x 7→ x · y), V is the dual space of V. Hence, bilinear pairing between V and V∗ is defined as
∏N ∑ N ⃗x,⃗y x·y i=1 xiyi ∈ G e(x, y) := e(xiP, yiQ) = e(P,Q) = gT = gT T i=1
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 9 Orthonormality
Since V is finite-dimensional (i.e. N-dimensional), V∗ has the same dimension as V and {
∗ 1 if i = j ∗ δi,j ai · a = δi,j := =⇒ e(ai, a ) = g j 0 if i ≠ j j T
(A, A∗) are dual orthonormal bases of V and V∗.
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 10 Base Change I
To change the base (A, A∗) to a new base (B, B∗), a N × N invertible matrix X is uniformly chosen from the general linear group of degree N over Fq.
U T −1 X := (χi,j ) ←− GL(N, Fq)(θi,j) := (X )
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 11 Base Change II
The base change operation is processed as following using linear transformation:
T −1 A −→X B A∗ −−−−−→(X ) B∗ B B∗ ∗ ∗ := (b1, . . . , bN ) := (b1, . . . , bN ) ∑N ∑N ∗ ∗ bi = χi,jaj for i = 1,...,N bi = θi,jaj for i = 1,...,N j=1 j=1
:= (χi,1P, . . . , χi,N P ) := (θi,1Q, . . . , θi,N Q) A ⃗ = ( ⃗χi) = (θi)A∗
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 12 Base Change III
As an extension of x = ⃗xA, the previous base change can be simplified.
∑N ∑N ∑N χ a χ a ··· χ a 1,i i,1 1,i i,2 1,i i,N i=1 i=1 i=1 ··· ··· χ1,1 χ1,2 χ1,N a1,1 a1,2 a1,N ∑N ∑N ∑N ··· ··· ··· χ2,1 χ2,2 χ2,N a2,1 a2,2 a2,N χ2,iai,1 χ2,iai,2 χ2,iai,N B = XA = . . . . . . . . = . . .. . . . .. . i=1 i=1 i=1 ...... . . . . ··· ··· . . .. . χN,1 χN,2 χN,N aN,1 aN,2 aN,N ∑N ∑N ∑N χN,iai,1 χN,iai,2 ··· χN,iai,N i=1 i=1 i=1 Similarly, B∗ = (XT )−1A∗.
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 13 Base Change IV
Note that B is a basis of V and B∗ is a basis of V∗. Since
∗ ∗ δi,j · · ⃗ ∗ · ⃗ ⇒ bi bj = ( ⃗χi)A (θj)A = ⃗χi θj = δi,j = e(bi, bj ) = gT (B, B∗) are dual orthonormal bases of V and V∗. The pairing operation of vectors of the changed base by X is shown below:
x := x1b1 + ··· + xN bN = (x1, ··· , xN )B = (⃗x)B ∈ V ∗ ∗ ∗ ··· ··· ∗ ∗ ∈ V y := y1b1 + + yN bN = (y1, , yN )B = (⃗y)B ∏N ∑ ∗ N ∗ i=1 xiyi e(x, y) = e(xibi, yibi ) = e(P,Q) (since e(bi, bi ) = gT ) i=1 ⃗x·⃗y = gT
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 14 Trapdoor
It is hard to compute B∗ from (B, A, A∗) but is easy with X. −−−−−−→hard̸ B A A∗ B∗ ( , , ) −−−−−−→easy X
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 15 Special Case: Self-Duality
With symmetric pairing group (G1 = G2) = G, the bilinear pairing and the vector space ∗ N become e: G × G → GT and V = V := G . Other properties are changed as following: Base change U X←−GL(N,F ) A −−−−−−−−−−→q (B, B∗) Note that (A, B, B∗) are (self-dual) orthonormal bases of V. Trapdoor ̸−−−−−→ ∗ (B, A) −−−−−→ B X
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 16 Outline
1 Preliminaries
2 Dual Pairing Vector Space
3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors
4 Conclusion
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Intractable Problems
There are two intractable problems in DPVS suitable for cryptographic applications: Vector Decomposition Problem (VDP) Decisional Subspace Problem (DSP)
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 17 Vector Decomposition Problem I
VDP definition is originally named as Computational Vector Decomposition Problem [2].
Definition (VDP(N1,N2): (N1,N2)-Vector Decomposition Problem)
Let G be an N1-dimensional Fq-vector space generator, taking a security parameter k, and N1 > N2. Let A be a probabilistic polynomial-time machine. The advantage of A is defined as following: R k U N1 VDP u = (v1, . . . , vN , 0,..., 0)B | V ←−G(1 ), B ←− V , (N1,N2) 2 AdvA (k) = P r U ←− FN1 ← A k V B ⃗v = (v1, . . . , vN1 ) q , v = (⃗v)B, u (1 , , , v)
The VDP(N1,N2) assumption is satisfied if there is no probabilistic polynomial-time VDP(N1,N2) adversary A has non-negligible advantage AdvA (k).
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 18 Vector Decomposition Problem II
( )
v = v1, v2, . . . , vN2−1, vN2 , vN2+1, . . . , vN1−1, vN1 B ̸y Hard ( )
u = v1, v2, . . . , vN2−1, vN2 , 0,..., 0 B
Remark that there is a special case of VDP. If B is a canonical basis A of V, the VDP can be solved efficiently. Namely, VDPA is easy. (N1,N2) (N1,N2)
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 19 Vector Decomposition Problem III
An alternative expression:
··· ··· v = v1b1 + v2b2 + + vN2 bN2 + vN2+1bN2+1 + + vN1 bN1 ̸y Hard
··· u = v1b1 + v2b2 + + vN2 bN2
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 20 Trapdoor on VDP
The VDP(N1,N2) is expected to be intractable in general but can be solved efficiently by a trapdoor X that is used in generating B. The decomposition algorithm Deco is described as following:
Deco(v, X, N2, B): A −1 Let := (a1, . . . , aN ) (ti,j) = X { 0 if i ≠ j ∑N1 ∑N2 ∑N1 P ri(aj) = u = ti,jxj,κϕκ,i(P ri(v)) aj if i = j i=1 j=1 κ=1 ϕi,j(aj) = ai return u
Note: P ri(v) extracts the i-th element of v. For all w ∈ Fq, ϕi,j (waj) = wϕi,j(aj) = wai.
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 21 Proof of Correctness I We show the correctness of Deco. Let a row vector ⃗z = ⃗vX.
−1 −1 ⃗z = ⃗vX =⇒ ⃗v = ⃗zX =⇒ v = (⃗v)B = ⃗vB = ⃗vXA = ⃗zX XA = ⃗zA = (⃗z)A
Then we have { ∑ ⃗v = ⃗zX−1 =⇒ v = N1 z t j ∑ i=1 i i,j ⇒ N1 v = (⃗z)A = v = i=1 ziai
∑N1 ∑N1 =⇒ vjaj = ziti,j aj = ti,jziϕj,i(ai) i=1 i=1
∑N1 ∑N1 = ti,j ϕj,i(ziai) = ti,jϕj,i(P ri(v)) i=1 i=1
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 22 Proof of Correctness II
∑N1 ∑N1 vjbj = xj,κvjaκ (bj = xj,κaκ) κ=1 κ=1
∑N1 = xj,κϕκ,j(vjaj) (ϕκ,j(vjaj) = vjaκ) κ=1 ( ) ∑N1 ∑N1 ∑N1 = xj,κϕκ,j ti,jϕj,i(P ri(v)) (vjaj = ti,jϕj,i(P ri(v))) κ=1 i=1 i=1
∑N1 ∑N1 ∑N1 ∑N1 = xj,κti,jϕκ,j(ϕj,i(P ri(v))) = ti,jxj,κϕκ,i(P ri(v))) i=1 κ=1 i=1 κ=1
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 23 Proof of Correctness III
With ∑N1 ∑N1 vjbj = ti,jxj,κϕκ,i(P ri(v))) i=1 κ=1 finally we have
∑N2 u = vjbj j=1
∑N1 ∑N2 ∑N1 = ti,jxj,κϕκ,i(P ri(v))) i=1 j=1 κ=1
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 24 Generalising Deco Algorithm
To be more general and simpler, the decomposition algorithm can be rewritten as
Deco(v, X, I): −1 (ti,j) := X
∑N1 ∑ ∑N1 u := ti,jxj,κϕκ,i(P ri(v)) i=1 j∈I κ=1 return u
where I is the index of targeted vector elements.
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 25 Decisional Subspace Problem I The DSP definition is based on [2].
Definition (DSP(N1,N2): (N1,N2)-Decisional Subspace Problem)
Let G be an N1-dimensional Fq-vector space generator, taking a security parameter k, and N1 > N2 > 1. For all k ∈ N, two distributions, D and R, are defined as following:
R U U D { V B | V ←−G k B ←− VN1 ←− ⟨ ⟩} (k) = ( , , v) (1 ), , v span b1, . . . , bN2 R U U R(k) = {(V, B, v) | V ←−G(1k), B ←− VN1 , v ←− V}
Let A be a probabilistic polynomial-time machine. The advantage of A is defined as following: [ ] [ ]
DSP(N1,N2) k R k R AdvA (k) = P r A(1 , η) → 1 | η ←− D(k) − P r A(1 , η) → 1 | η ←− R(k)
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 26 Decisional Subspace Problem II
( )
v = v1, v2, . . . , vN2−1, vN2 , vN2+1, . . . , vN1−1, vN1 x B yIndistinguishable distribution ( )
u = u1, u2, . . . , uN2−1, uN2 , 0,..., 0 B
The DSP(N1,N2) assumption is satisfied if there is no probabilistic polynomial-time DSP(N1,N2) adversary A has non-negligible advantage AdvA (k). The DSP assumption can be reduced to standard DLIN assumption [2].
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 27 Relation to DLIN problem
Decisional s-linear assumption (DLIN)
Given (P, x1P, . . . , xsP, y1x1P, . . . , ysxsP ), ··· ←−U F∗ Hard to distinguish (y1 + + ys)P and zP where z q . If s = 1, DLIN is DDH, which is not hard in pairing groups. DSP is a generalisation of DLIN. Hard to distinguish x1P 0 ··· 0 P 0 x2P ··· 0 P v = (y1x1P, . . . , ysxsP, zP ) B ...... ′ = . . . . . = (y1, . . . ys, ys+1)B 0 0 ··· xsPP u = (y1x1P, . . . , ysxsP, (y1 + ··· + ys)P ) 0 0 ··· 0 P = (y1, . . . , ys, 0)B
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 28 Trapdoors on DSP DSP can be solved efficiently using different trapdoors. Having X, the Deco algorithm can be used to solve DSP problem. Perform a bilinear pairing with B∗. ⟨ ⟩ Let t∗ ∈ span b∗ , . . . , b∗ , v ←−U span ⟨b , . . . , b ⟩ and v′ ←−U V. Then N2+1 N1 1 N2 ∗ ∗ ∗ ∗ t = (0,..., 0, t , . . . , t )B∗ = (t⃗ )B∗ N2+1 N1 v = (v , . . . , v , 0,..., 0)B = (⃗v)B 1 N2 ′ ′ ′ ⃗′ v = (v1, . . . , v )B = (v )B [ N1 ] ∗ ⃗v·t⃗∗ 0 P r e(v, t ) = gT = gT = 1 = 1 [ ∑ ] =⇒ N1 ′ ∗ ⃗′ ∗ v t ′ ∗ v ·t⃗ i=N2+1 i i P r e(v , t ) = gT = gT = 1 < negl(k)
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 29 Hierarchical Trapdoors
Trapdoors are levelled. The top level trapdoor is X, following B∗, then t∗ ∈ span ⟨B∗⟩.
(A, B): public parameter ̸y ̸y ̸y −−−−−→ −−−−−→ X B∗ t∗ ̸←−−−−− ̸←−−−−− y y y
VDP Any DSP Specific DSP T op level Second level Lower level
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 30 Outline
1 Preliminaries
2 Dual Pairing Vector Space
3 Intractable Problems Vector Decomposition Problem Decisional Subspace Problem Hierarchical Trapdoors
4 Conclusion
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Conclusion
We have discussed A richer mathematical structure: Dual Pairing Vector Space Intractable Problem suitable for crypto use: VDP and DSP Hierachical Trapdoors The ultimate trapdoor X The second-level trapdoor B∗ The lower trapdoor t∗
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 31 Not over yet
We have only discussed the basic of Dual Pairing Vector Space and some basic trapdoors. In the latest work of DPVS, only a part of B and B∗, saying Bˆ and Bˆ∗, is used to achieve information-theoretically hiding.
A −−−−−→X B → Bˆ T −1 A∗ −−−−−→(X ) B∗ → Bˆ∗
Applications of DPVS are Homomorphic Encryption, Signatures, Attribute-Based Encryption (Functional Encryption), Attribute-Based Signatures. In addition, DPVS is a better solution than composite-order pairing groups. We will discuss these in the future seminar.
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW 32 Question Time
Any questions?
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW Thank you.
VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW