A Promenade Through the New Cryptography of Bilinear Pairings
Total Page:16
File Type:pdf, Size:1020Kb
Invited paper appearing in the Proceedings of the IEEE Information Theory Workshop 2006—ITW 2006, Punta del Este, Uruguay, March 2006. c IEEE. Available online at http://www.cs.stanford.edu/˜xb/itw06/. A Promenade through the New Cryptography of Bilinear Pairings Xavier Boyen Voltage Inc. Arastradero Road Palo Alto, California Email: [email protected] Abstract— This paper gives an introductory account of Assumptions rooted in Factoring and the Discrete the origin, nature, and uses of bilinear pairings, arguably Logarithm problem are interesting in that they tend to the newest and hottest toy in a cryptographer’s toolbox. have complementary properties. Factoring, via the RSA A handful of cryptosystems built on pairings are briefly surveyed, including a couple of realizations of the famously and Strong-RSA assumptions, offers a realization of the elusive identity-based encryption primitive. tremendously useful primitive of trapdoor permutation. Discrete Logarithm, in the guises of the Computational I. INTRODUCTION and Decision Diffie-Hellman (CDH and DDH), offers It can be said that much of contemporaneous cryp- us the option to work with either a computational or a tography can be traced to Shannon’s legacy of “secrecy decisional complexity assumption, the latter being use- systems”, an information theoretic foundation. To escape ful to build public-key encryption systems with formal from the one-time pad, however, it has become neces- proofs of security; by contrast, Factoring and RSA-like sary to appeal to a variety of computational complexity problems are essentially computational, and are thus notions, e.g., to leverage short secrets in order to protect inherently more suited for signature and authentication long messages. Modern cryptography is, in essence, a schemes—although we note that the Random Oracle computational game of cat and mouse between honest heuristic blurs that disctinction, and exceptions abound. secret holders and resource-bounded adversaries. The common situation before the apparition of bilinear Traditionally, cryptographic scheme development has pairings was that CDH and DDH were concomitantly evolved along two separate paths that differ in their hard in all algebraic groups of cryptographic interest. complexity theoretic meanderings. On the one hand, the Bilinear maps—or pairings as they are often called— delicate art of “symbolic obfuscation” has roots in the first appeared in cryptographic constructions around the early ciphers of the Antiquity; from it most of today’s turn of the millennium [1] [2], although they had been secret-key systems and hash functions have been crafted, used cryptanalytically a few years prior [3]. Pairings due to its unsurpassed performance. On the other hand, have vastly expanded the world of Discrete Logarithm the comparatively recent advent of algebraic methods has assumptions. The simplest examples of this is that they started to open, a few decades ago, a Pandora’s Box of provide algebraic groups in which the DDH problem is cryptosystems with astonishing features, encompassing easy even though CDH is still believed to be hard, a virtually all of today’s public-key cryptography. state of affair abstractly referred to as the Gap Diffie- Many public-key systems have been proposed in the Hellman (GapDH) assumption. GapDH is perhaps the past three decased, based on sundry algebra and a fair simplest non-trivial assumption to be made in bilinear share of complexity theoretic assumptions. Some are groups, although there are many others as we shall see. based on NP-hard problems or coding theoretic tricks We start in §II with a simple definition of pairings. (e.g., the McEliece cryptosystem); others involve exotic In §III we give a brief overview of a concrete number branches of group theory such as braid groups, or Lattice theoretic implementation of pairings, and in §IV discuss reduction problems that blur the boundary between the a few useful complexity theoretic abstractions. We then discrete and the continuous. The most prolific and suc- turn our attention to the good uses that cryptographers cessful approaches, however, all rely on the same handful have made of pairings, with a keen interest in §V for of complexity assumptions, which are rooted either in the realizations of the identity-based encryption primitive, hardness of integer factorization (e.g., RSA) or in that and in §VI for signature schemes with novel properties. of taking discrete logarithms (e.g., Diffie-Hellman). We conclude in §VII with long-standing open problems. II. BILINEAR GROUPS III. ALGEBRAIC REALIZATIONS Before delving into the actual realization of bilinear Algebraic curves and elliptic curves in particular have groups and maps, it is helpful to understand why they provided an avenue for the construction of cryptograph- are so desirable in cryptography. ically suitable bilinear pairings, known as the Weil and For illustration, consider a cyclic group G of (finite) the Tate pairings. In the next few paragraphs we give size or order n, such as the set Zn of integer residues a very brief overview of how these pairing come to modulo n. If we use the multiplication symbol ‘·’ to existence. denote the group operation (which in Zn is the arithmetic To start, consider a finite field (or Galois field) Fq addition modulo n), then we know that every element of size q, usually a large prime. Roughly speaking, an h ∈ G can be expressed as an integral power of some elliptic curve over the field Fq is defined by a bivariate fixed element g ∈ G called a generator of the group, i.e., equation in x and y, such as E : y2 = x3 + a x + b, a (a mod n) ∃a ∈ Z : g · g ··· g = g = g = h. where a and b are constants in Fq. We can view a pair | {z } a times (x, y) ∈ Fq × Fq as representing the coordinates of a In this context, the CDH problem is the task of point on the doubly periodic integer “plane” (or torus) a b a b calculating g given only g, g , g , and an implicit de- Fq × Fq. We say that such a point is on the curve if scription of Zn. The DDH problem is to decide whether its coordinates satisfy the curve equation in Fq. It turns or not h = ga b in a given quadruple of group elements out that the set of points on the curve (to which we hg, ga, gb, hi. For G the set of integers under addition add a special zero point to serve as neutral element) modulo n, both problems are of course easy to solve. forms a group, denoted E(Fq), under a simple group On the contrary, if we take G to be the multiplicative operation called point addition on the curve. Hasse’s subgroup of order p in the set of integer residues Zq, theorem states that the group size, #E(Fq), is always roughly the same as the field size, # = q; more such that p and q = 1 + 2 p are prime numbers, then √ Fq suddenly both CDH and DDH are believed to be hard precisely, |#E(Fq) − (q + 1)| ≤ 2 q. With a suitable problems. choice of field and curve, the group size #E(Fq) can Now, abstractly, a bilinear pairing is an efficiently be made to contain a large prime factor p, in which case ˆ computable map e : G × G → GT , where for simplicity the group E(Fq) will have a cyclic subgroup of prime G and Gˆ are two cyclic groups of equal order p that order p, which can be our candidate for G. are respectively generated by some g ∈ G and gˆ ∈ Gˆ . To proceed, we consider the same curve equation E as ˆ (We could even have G = G and g =g ˆ, though in above, but on a larger field Fqk which for k > 1 is called general we do not.) The range of e is a multiplicative an algebraic extension of the ground field Fq. Elements group of order p, denoted GT , and generated by e[g, gˆ]. of Fqk can be represented, e.g., as polynomials of degree The pairing must be non-trivially bilinear, meaning that (up to) k with coefficients in Fq. What this entails is a b c the equality e[g , gˆ ] = e[g, gˆ] holds if and only if the that the elements of Fqk are compatible with those of integer exponents satisfy a b = c (mod p). Fq, so that the product of, say, a ∈ Fq and x ∈ Fqk is a With this definition, it is easy to see that the pairing is well-defined element of Fqk . Thus, and by analogy with a powerful tool that lets us compute something similar what we did earlier, we can define E(Fqk ) as the set of to a Diffie-Hellman operation, with the important caveat points (x, y) ∈ Fqk × Fqk that satisfy the curve equation ˆ that the process takes us from G and G to the different in Fqk . Under the point addition rule, E(Fqk ) forms a group GT from which we generally cannot get back. group, albeit a much larger one than E(Fq). The point of Nevertheless, this is sufficient to give us a direct test for this discussion is that as k is increased, there is a special ˆ the DDH problem (for G = G) or a dual-group version value of k > 1 for which E(Fqk ) contains a subgroup of DDH (when G 6= Gˆ ). Indeed, given an instance of order p. This subgroup will be our candidate for Gˆ , a b ˆ 2 ˆ 2 hg, g , gˆ , hi ∈ G × G , it is easy to determine whether and the smallest such k its embedding degree in E(Fq). hˆ =g ˆa b by verifying the equality e[ga, gb] = e[g, hˆ].