Invited paper appearing in the Proceedings of the IEEE Information Theory Workshop 2006—ITW 2006, Punta del Este, Uruguay, March 2006. c IEEE. Available online at http://www.cs.stanford.edu/˜xb/itw06/.

A Promenade through the New of Bilinear Pairings

Xavier Boyen Voltage Inc. Arastradero Road Palo Alto, California Email: [email protected]

Abstract— This paper gives an introductory account of Assumptions rooted in Factoring and the Discrete the origin, nature, and uses of bilinear pairings, arguably Logarithm problem are interesting in that they tend to the newest and hottest toy in a cryptographer’s toolbox. have complementary properties. Factoring, via the RSA A handful of built on pairings are briefly surveyed, including a couple of realizations of the famously and Strong-RSA assumptions, offers a realization of the elusive identity-based primitive. tremendously useful primitive of trapdoor permutation. , in the guises of the Computational I.INTRODUCTION and Decision Diffie-Hellman (CDH and DDH), offers It can be said that much of contemporaneous cryp- us the option to work with either a computational or a tography can be traced to Shannon’s legacy of “secrecy decisional complexity assumption, the latter being use- systems”, an information theoretic foundation. To escape ful to build public- encryption systems with formal from the one-time pad, however, it has become neces- proofs of security; by contrast, Factoring and RSA-like sary to appeal to a variety of computational complexity problems are essentially computational, and are thus notions, e.g., to leverage short secrets in order to protect inherently more suited for signature and authentication long messages. Modern cryptography is, in essence, a schemes—although we note that the Random Oracle computational game of cat and mouse between honest heuristic blurs that disctinction, and exceptions abound. secret holders and resource-bounded adversaries. The common situation before the apparition of bilinear Traditionally, cryptographic scheme development has pairings was that CDH and DDH were concomitantly evolved along two separate paths that differ in their hard in all algebraic groups of cryptographic interest. complexity theoretic meanderings. On the one hand, the Bilinear maps—or pairings as they are often called— delicate art of “symbolic obfuscation” has roots in the first appeared in cryptographic constructions around the early ciphers of the Antiquity; from it most of today’s turn of the millennium [1] [2], although they had been secret-key systems and hash functions have been crafted, used cryptanalytically a few years prior [3]. Pairings due to its unsurpassed performance. On the other hand, have vastly expanded the world of Discrete Logarithm the comparatively recent advent of algebraic methods has assumptions. The simplest examples of this is that they started to open, a few decades ago, a Pandora’s Box of provide algebraic groups in which the DDH problem is cryptosystems with astonishing features, encompassing easy even though CDH is still believed to be hard, a virtually all of today’s public-key cryptography. state of affair abstractly referred to as the Gap Diffie- Many public-key systems have been proposed in the Hellman (GapDH) assumption. GapDH is perhaps the past three decased, based on sundry algebra and a fair simplest non-trivial assumption to be made in bilinear share of complexity theoretic assumptions. Some are groups, although there are many others as we shall see. based on NP-hard problems or coding theoretic tricks We start in §II with a simple definition of pairings. (e.g., the McEliece ); others involve exotic In §III we give a brief overview of a concrete number branches of group theory such as braid groups, or Lattice theoretic implementation of pairings, and in §IV discuss reduction problems that blur the boundary between the a few useful complexity theoretic abstractions. We then discrete and the continuous. The most prolific and suc- turn our attention to the good uses that cryptographers cessful approaches, however, all rely on the same handful have made of pairings, with a keen interest in §V for of complexity assumptions, which are rooted either in the realizations of the identity-based encryption primitive, hardness of (e.g., RSA) or in that and in §VI for signature schemes with novel properties. of taking discrete logarithms (e.g., Diffie-Hellman). We conclude in §VII with long-standing open problems. II.BILINEAR GROUPS III.ALGEBRAIC REALIZATIONS Before delving into the actual realization of bilinear Algebraic curves and elliptic curves in particular have groups and maps, it is helpful to understand why they provided an avenue for the construction of cryptograph- are so desirable in cryptography. ically suitable bilinear pairings, known as the Weil and For illustration, consider a cyclic group G of (finite) the Tate pairings. In the next few paragraphs we give size or order n, such as the set Zn of integer residues a very brief overview of how these pairing come to modulo n. If we use the multiplication symbol ‘·’ to existence. denote the group operation (which in Zn is the arithmetic To start, consider a finite field (or Galois field) Fq addition modulo n), then we know that every element of size q, usually a large prime. Roughly speaking, an h ∈ G can be expressed as an integral power of some elliptic curve over the field Fq is defined by a bivariate fixed element g ∈ G called a generator of the group, i.e., equation in x and y, such as E : y2 = x3 + a x + b, a (a mod n) ∃a ∈ Z : g · g ··· g = g = g = h. where a and b are constants in Fq. We can view a pair | {z } a times (x, y) ∈ Fq × Fq as representing the coordinates of a In this context, the CDH problem is the task of point on the doubly periodic integer “plane” (or torus) a b a b calculating g given only g, g , g , and an implicit de- Fq × Fq. We say that such a point is on the curve if scription of Zn. The DDH problem is to decide whether its coordinates satisfy the curve equation in Fq. It turns or not h = ga b in a given quadruple of group elements out that the set of points on the curve (to which we hg, ga, gb, hi. For G the set of integers under addition add a special zero point to serve as neutral element) modulo n, both problems are of course easy to solve. forms a group, denoted E(Fq), under a simple group On the contrary, if we take G to be the multiplicative operation called point addition on the curve. Hasse’s subgroup of order p in the set of integer residues Zq, theorem states that the group size, #E(Fq), is always roughly the same as the field size, # = q; more such that p and q = 1 + 2 p are prime numbers, then √ Fq suddenly both CDH and DDH are believed to be hard precisely, |#E(Fq) − (q + 1)| ≤ 2 q. With a suitable problems. choice of field and curve, the group size #E(Fq) can Now, abstractly, a bilinear pairing is an efficiently be made to contain a large prime factor p, in which case ˆ computable map e : G × G → GT , where for simplicity the group E(Fq) will have a cyclic subgroup of prime G and Gˆ are two cyclic groups of equal order p that order p, which can be our candidate for G. are respectively generated by some g ∈ G and gˆ ∈ Gˆ . To proceed, we consider the same curve equation E as ˆ (We could even have G = G and g =g ˆ, though in above, but on a larger field Fqk which for k > 1 is called general we do not.) The range of e is a multiplicative an algebraic extension of the ground field Fq. Elements group of order p, denoted GT , and generated by e[g, gˆ]. of Fqk can be represented, e.g., as polynomials of degree The pairing must be non-trivially bilinear, meaning that (up to) k with coefficients in Fq. What this entails is a b c the equality e[g , gˆ ] = e[g, gˆ] holds if and only if the that the elements of Fqk are compatible with those of integer exponents satisfy a b = c (mod p). Fq, so that the product of, say, a ∈ Fq and x ∈ Fqk is a With this definition, it is easy to see that the pairing is well-defined element of Fqk . Thus, and by analogy with a powerful tool that lets us compute something similar what we did earlier, we can define E(Fqk ) as the set of to a Diffie-Hellman operation, with the important caveat points (x, y) ∈ Fqk × Fqk that satisfy the curve equation ˆ that the process takes us from G and G to the different in Fqk . Under the point addition rule, E(Fqk ) forms a group GT from which we generally cannot get back. group, albeit a much larger one than E(Fq). The point of Nevertheless, this is sufficient to give us a direct test for this discussion is that as k is increased, there is a special ˆ the DDH problem (for G = G) or a dual-group version value of k > 1 for which E(Fqk ) contains a subgroup of DDH (when G 6= Gˆ ). Indeed, given an instance of order p. This subgroup will be our candidate for Gˆ , a b ˆ 2 ˆ 2 hg, g , gˆ , hi ∈ G × G , it is easy to determine whether and the smallest such k its embedding degree in E(Fq). hˆ =g ˆa b by verifying the equality e[ga, gb] = e[g, hˆ]. The last step involves a bit of magic. Recall that we In spite of this ability, it is not obvious how one have identified two (distinct) subgroups of points on the would compute hˆ from hg, g,ˆ ga, gˆbi without knowing curve E, both of them having the same prime order p. at least one of the exponents a and b; in fact, it is Consider two points U ∈ E(Fq) and V ∈ E(Fqk ). In widely believed that this CDH-like problem is hard for general, any element g1 ∈ G ⊂ E(Fq) can be expressed the bilinear pairings of cryptographic interest, which are as a linear combination of U and V , and the same is true ˆ ˆ based on algebraic curves. We shall give a very rough of any gˆ2 ∈ G ⊂ E(Fqk ). Since G and G are linearly intuition for this in the next section. independent, the linear coefficients of g1 and gˆ2 have a

2 typically non-zero determinant: have proven very useful, there are a many plausible DL- like complexity assumptions that can be made in bilinear u1 v1 u v g1 = U · V ∆ = 1 1 for groups, based on the preceding observations. We briefly u2 v2 u2 v2 gˆ2 = U · V review some of the main ones, most of them having both The Weil pairing (and the closely related Tate pairing) a computational and a decisional version. can then be viewed as the function ω∆, where ω is some a) Bilinear Diffie-Hellman (BDH): On input the generators g ∈ and gˆ ∈ ˆ , and their powers to each primitive p-th root of unity in Fqk . Bilinearity arises from G G the observation that if we let g0 = ga and gˆ0 = gb, we of the undisclosed exponents a, b, c ∈ Zp, it is hard to 1 1 2 2 a b c get ∆0 = a b ∆. The magic of the Weil pairing is that it compute the element e[g, gˆ] ∈ GT (or to recognize it has an efficient algorithm, discovered by Miller [4], that from random, in the decisional version denoted D-BDH). ∆ This assumption was formally stated in [7]. computes the value of ω based solely on g1 and gˆ2, without necessitating ∆ or the linear coefficients. We BDH and D-BDH are direct analogues of CDH and remark that for k as previously defined, the extension DDH in non-bilinear groups, except that here a third secret exponent is needed since it is easy to compute field Fqk always has a multiplicative subgroup of order e[g, gˆ]a b from ga and gˆb. p; this subgroup is our target group GT . All of the above is true in general, so in that sense b) Strong Diffie-Hellman (SDH): Given as input ˆ bilinear pairings are not hard to obtain. However, this g ∈ G, and the powers of gˆ ∈ G to each of the exponents 2 ` only works in practice if the embedding degree k is 1, a, a , ..., a ∈ Zp for some number ` and secret a, it a+b small. The reason is that elements of Gˆ are points is hard to find b ∈ Zp and h ∈ G such that h = g. Purported solutions are easy to verify by checking that (x, y) ∈ qk × qk , whose coordinates will be intractably F F a b difficult to represente and calculate with for large k. e[h, (ˆg )(ˆg) ] = e[g, gˆ]. SDH was first stated in [8]. Since a random curve generally produces extremely SDH is a Discrete Logarithm counterpart to Strong large embedding degrees, a lot of recent effort has been RSA. Both assumptions have in common that a prob- dedicated to devise clever ways to generate practical lem instance has not one but a very large number of curves, yielding large subgroups with tiny embedding admissible solutions. SDH, like S-RSA before it, has degrees—such as k = 2 and 6 [5], and 12 [6]. found many application in signatures and authentication Lastly, we mention that it is sometimes possible to schemes. It has no obvious decisional version. obtain a modified “symmetric” pairing whose arguments c) Linear: On input g, ga, gb, ga x, gb y ∈ G, it is x+y are interchangeable and both live in the group G. The hard to compute g ∈ G (or to distinguish it from idea is to reduce this case to the earlier “asymmetric” random, in the decisional version of the assumption). case, by lifting one of the arguments from G into Gˆ Linear was originally proposed in [9]. using a homomorphic distortion function ψ : G → Gˆ Since (D-)Linear instances involve no elements of (not to be confused with the more commonly available GT , the assumption remains meaningful in ordinary trace map φ : Gˆ → G, which goes in the other direction). non-bilinear groups. Its appeal in bilinear groups stems Distortion functions are guaranteed by a special algebraic from the design as a weakening of (DDH/)CDH that is structure, exemplified by the so-called supersingular believed to hold even in the presence of a bilinear map. curves that have enjoyed a recent bout of popularity in We note that many more complexity assumptions cryptographic circles for precisely that reason. have been stated and used in the context of pairings— probably more than in any other branch of cryptography. IV. COMPLEXITY ASSUMPTIONS The flexibility to tailor complexity assumptions to build The upshot of the previous section is that the cryp- cryptosystems with novel properties has undoubtedly tographic pairing implementations that we know of, are been a major factor in the rapid rise of pairings. We shall ∆ u1 v1 functions of the form e[g1, gˆ2] = ω with ∆ = u2 v2 describe some of those in the remaining few sections. u1 v1 u2 v2 for g1 = U · V and gˆ2 = U · V . Although it is reasonable to be suspicious of assump- As noted, the 2-by-2 determinant causes bilinearity. tions made for a single purpose, we note that in many Furthermore, since ∆ appears in the exponent, it stands cases powerful supportive arguments can be made based to reason that a function that evaluates to ω∆ should be on generic group structural arguments. In other words, hard to invert, for the same reason that vanilla Discrete properly constructed cryptosystems based on pairings Logarithm is presumed hard in the same groups. can be impervious to (mathematical) attacks, unless the Similarly to (non-bilinear) groups in which the formu- underlying pairing realization itself has a vulnerability lation of stronger assumptions such as CDH and DDH independent of the cryptosystem.

3 V. IDENTITY-BASED ENCRYPTION Encr.: To encrypt a message for a user named ID, Public-key differs from secret-key encryption in that the sender picks a random r ∈ Zp and uses r r the key used for encryption cannot feasibly be used for e[H[ID], f] as session key. The header h = g decryption, which requires a separate key. The two keys is added to the . are related “by birth” through the key pair generation Decr.: To decrypt a ciphertext with header h, the process; and obviously the encryption key must be made recipient recovers the session key as e[d, h], available to the encrypting party before the system can which will be correct if the identities match. be used. Usually, a public key is bound to her owner’s This is a simplified description; in the real scheme legal name or other identifying information with a digital additional hash functions are needed in order for the signature issued by a trusted certificate authority. security proofs to go through. Nonetheless, the scheme is Identity-based encryption (IBE) is public key encryp- very simple to understand once we have abstracted away tion with a twist. Here, the public key can be any string, the notion of pairing. In practice, the requirement to hash such as the legal name of the recipient. The private key is into G complicates matters with asymmetric pairings. generated from it by a central trusted authority (TA) who B. Boneh-Boyen (BB1) [12] holds a master secret key. To encrypt in such a system, The Boneh-Boyen system works well with the general one needs only to know the name of the recipient, and bilinear map e : × ˆ → , and uses only a collision- a set of public system parameters that are common to G G GT resistant hash function H from identities to (a subset of) all users under the purview of the TA. Since the public , or none at all if identities are encoded as integers. key does not functionally depend on the private key, the Zp Setup: The master secret is a triple of random integers sender need not wait for the recipient to send him her α, β, γ ∈ . The public system parameters are public key. Also, there is less of a need for certificates Zp g, u = gα, w = gγ ∈ , and z = e[g, gˆ]α β. and revocation lists, since public keys can be reasonably G Issue: To issue a private key to a user with name ID, short lived and are unambiguous by design. the TA selects a random t ∈ Zp and outputs The notion of IBE was suggested two decades α β+(γ+α H[ID]) t t ago [10], without any suggestion as to how it could be d0 =g ˆ and d1 =g ˆ . Encr.: To encrypt a message for a user named ID, the realized. Slow progress was made over the years using r sender selects a random r ∈ Zp and uses v traditional cryptographic techniques, until it became ap- r as session key. A header consisting of h0 = g parent that bilinear maps provided the perfect answer r r H[ID] to the question [2] [7]. This came as a breakthrough and h1 = w ·u is added to the ciphertext. in 2001 with the publication of the first practical IBE Decr.: To decrypt a ciphertext with header h0 and h1, system whose security could be reduced to the simple the recipient recovers the session key as the ratio e[h0, d0]/e[h1, d1], which will be equal BDH complexity assumption [7]. As good things never r come alone, the same year saw a completely different to z if the identities match. proposal for a simpler but less practical IBE based on Again, this is a simplified description. Here, the pri- a Factoring assumption [11]. The discovery of pairing- vate keys are randomized. This scheme appears more based IBE has spurred a great deal of research in this complicated than the previous one, but it is faster since new area, which in particular resulted in the invention all exponentiations are to fixed bases, and hence can be of a less demanding and more flexible paradigm [12] greatly optimized. that was also more secure: its distinct advantage was Much like BF, the BB1 scheme has been extended to admit a security reduction that did not rely on the in many ways to offer, e.g., hierarchical identities [13], random oracle heuristic. improved security [14], and threshold decryption [15]. We now describe the two main IBE schemes. Both schemes are secure under the BDH assumption, without random oracles in the case of BB1. Both can be A. Boneh-Franklin (BF) [7] made to conceal the recipient identity in addition to the The Boneh-Franklin system ideally necessitates a message, as well as to withstand active attacks. “symmetric” bilinear map e : G × G → GT (cf. §III), Very recently, Boyen and Waters [16] built a fully and requires a “full domain” cryptographic hash function anonymous hierarchical IBE scheme, upon the Linear H from identities to elements of G, available to all. assumption. Systems that exploit stronger complexity Setup: The master secret is a random integer σ ∈ Zp. assumptions have also been suggested; these include σ The public parameters are g and f = g ∈ G. Boneh and Boyen’s second IBE construction (BB2) [12], Issue: To issue a private key to a user with name ID, as well as a very recent IBE scheme by Gentry [17], the TA returns d = (H[ID])σ ∈ G. whose proofs both rely on SDH-like assumptions.

4 VI.SIGNATURE AND AUTHENTICATION REFERENCES It has been observed that IBE implies : [1] A. Joux, “A one round protocol for tripartite Diffie-Hellman,” disguise the messages as identities, and use the IBE Journal of Cryptology, vol. 17, no. 4, pp. 263–76, 2004, extended abstract in Proceedings of ANTS IV, 2000. private keys as signatures. Since a BF private key is a [2] R. Sakai, K. Ohgishi, and M. Kasahara, “Cryptosystems based single element of G, it is natural to seek to turn BF IBE on pairings,” in Proceedings of the Symposium on Cryptography into a compact signature (in the random oracle model). and Information Security—SCIS 2000, 2000. [3] A. Menezes, T. Okamoto, and S. Vanstone, “Reducing elliptic This is the essence of the BLS signature scheme [18], curve logarithms in a finite field,” IEEE Transactions on Infor- which unlike BF uses asymmetric pairings to reduce the mation Theory, vol. 39, no. 5, pp. 1639–46, 1993. size of elements of . Notably, these signatures can be [4] V. Miller, “The Weil pairing, and its efficient calculation,” G Journal of Cryptology, vol. 17, no. 4, 2004. aggregated [19]. The basic BLS scheme is as follows: [5] A. Miyaji, M. Nakabayashi, and S. Takano, “New explicit con- Setup: The signing key is a random integer σ ∈ Zp. ditions of elliptic curve traces for FR-reduction,” IEICE Trans. ˆ σ ˆ Fundamentals, vol. E84-A, no. 5, pp. 1234–43, 2001. The verification key is gˆ and f =g ˆ ∈ G. [6] P. S. L. M. Barreto and M. Naehrig, “Pairing-friendly ellip- σ Sign: To sign a message M, give s = (H[M]) ∈ G. tic curves of prime order,” Cryptology ePrint Archive, Report Verif.: To verify hM, si, check e[s, gˆ] = e[H[M], fˆ]. 2005/133, 2005, http://eprint.iacr.org/. [7] D. Boneh and M. Franklin, “Identity-based encryption from the Short signatures built from pairings need not directly Weil pairing,” SIAM Journal of Computing, vol. 32, no. 3, pp. correspond to an IBE scheme. The BB scheme [8] uses 586–615, 2003, extended abstract in CRYPTO 2001. a construction whose security can be directly reduced to [8] D. Boneh and X. Boyen, “Short signatures without random oracles,” in Advances in Cryptology—EUROCRYPT 2004, ser. the SDH assumption without requiring random oracles. LNCS, vol. 3027. Springer, 2004, pp. 56–73. A collision-resistant function H into Zp is needed only [9] D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” if messages cannot be encoded in . The scheme is: in Advances in Cryptology—CRYPTO 2004, ser. LNCS, vol. Zp 3152. Springer, 2004, pp. 41–55. Setup: The signing key is a pair of integers α, β ∈ Zp. [10] A. Shamir, “Identity-based cryptosystems and signature The verification key is made of aˆ =g ˆα, ˆb =g ˆβ, schemes,” in Advances in Cryptology—CRYPTO 1984, ser. LNCS, vol. 196. Springer, 1984, pp. 47–53. gˆ, and z = e[g, gˆ]. [11] C. Cocks, “An identity based encryption scheme based on Sign: To sign a message M, choose a random r ∈ Zp, quadratic residues,” in Proceedings of the 8th IMA International 1 and output r and s = g /(α+β r+H[M]) ∈ G. Conference on Cryptography and Coding, 2001. [12] D. Boneh and X. Boyen, “Efficient selective-ID secure iden- Verif.: To publicly verify a signed message hM, r, si, tity based encryption without random oracles,” in Advances r H[M] test the equality e[s, aˆ · ˆb · gˆ ] = z. in Cryptology—EUROCRYPT 2004, ser. LNCS, vol. 3027. Bilinear maps have been useful in more complicated Springer, 2004, pp. 223–38. [13] D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical identity schemes, such as group and ring signatures. In these, based encryption with constant size ciphertext,” in Advances in signers sign on behalf of a plurality of users, who have Cryptology—EUROCRYPT 2005. willingly constituted a group, or are conscripted in a [14] B. Waters, “Efficient identity-based encryption without random oracles,” in Advances in Cryptology—EUROCRYPT 2005, ser. ring. In group signatures, a tracing authority also has LNCS, vol. 3494. Springer, 2005. the ability to expose the true signer. Group signatures [15] D. Boneh, X. Boyen, and S. Halevi, “Chosen ciphertext secure have especially benefited from pairings [9] [20] [21], for public key threshold encryption without random oracles,” in Proceedings of RSA-CT 2006. they blend authentication and encryption: with bilinear [16] X. Boyen and B. Waters, “Anonymous hierarchical identity-based maps, complementary goals can be tackled by combining encryption (without random oracles),” Manuscript, 2006. assumptions (e.g., SDH for signing, Linear for tracing). [17] C. Gentry, “Identity based encryption without random oracles with a tight security reduction,” Manuscript, 2006. Other surprising ways in which pairings have been [18] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the used include homomorphic encryption [22] as well as Weil pairing,” Journal of Cryptology, vol. 17, no. 4, pp. 297–319, 2004, extended abstract in ASIACRYPT 2001. non-interactive zero-knowledge proof systems [23]. [19] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in Advances VII.CONCLUSION in Cryptology—EUROCRYPT 2003. In this tour, we have explored some of the foundations [20] X. Boyen and B. Waters, “Compact group signatures without random oracles,” Cryptology ePrint Archive, Report 2005/381, and applications of bilinear maps in cryptography. 2005, http://eprint.iacr.org/. For the mathematician, a long-standing open question [21] G. Ateniese, J. Camenisch, S. Hohenberger, and B. de Medeiros, concerns the existence of multilinear maps, which could “Practical group signatures without random oracles,” Cryptology ePrint Archive, Report 2005/385, 2005, http://eprint.iacr.org/. have far reaching consequences in both cryptography and [22] D. Boneh, E.-J. Goh, and K. Nissim, “Evaluating 2-DNF for- . For the cryptographer, as a counterpoint to mulas on ,” in Proceedings of TCC 2005, ser. LNCS. IBE appearing to be so closely connected to pairings, a Springer, 2005. [23] J. Groth, R. Ostrovsky, and A. Sahai, “Perfect non-interactive fascinating open problem is to devise an IBE scheme zero knowledge for np,” Cryptology ePrint Archive, Report from generic trapdoor permutations. 2005/290, 2005, http://eprint.iacr.org/.

5