Diapos / Slides

The generic group model in pairing-based cryptography
Hovav Shacham, UC San Diego

I. Background

Pairings
• Multiplicative groups G1, G2, GT
• Maps between G1 and G2 (more later)
• A "pairing" e: G1 × G2 → GT that is
  • bilinear: e(u^a, v^b) = e(u, v)^(ab)
  • nondegenerate: e(g1, g2) ≠ 1
  • efficiently computable [M86]
• Such groups arise in algebraic geometry

Pairings — birds & bees
• Consider elliptic curve E/Fp; prime r | #E(Fp)
• G1 = E(Fp)[r]
• G2 ≤ E(Fp^k)[r], where k is the order of p in (Z/rZ)^×
• GT = µ_r < (Fp^k)^×
• e is the Weil pairing, Tate pairing, etc.

Elliptic curve parameters
• Discrete logarithm: given g1^x, recover x
• For 80-bit dlog security on E, need:
  • r > 2^160 for generic-group attacks
  • |Fp^k| > 2^1024 for index-calculus attacks
• Barreto and Naehrig generate prime-order curves with k = 12. For example:
  E: y^2 = x^3 + 13, k = 12
  p = 1040463591175731554588039391555929992995375960613 (160 bits)
  r = #E = 1040463591175731554588038371524758323102235285837

Maps between G1 & G2
• The trace map tr gives ψ: G2 → G1 for G2 not trace-0 (diagram on slide: E[r] decomposes into E(Fp)[r] = G1 and the trace-0 subgroup)
• In supersingular curves, also have φ: G1 → G2; can identify G1 = G2 = G
• If need hash onto G2, take G2 = E(Fp^k)[r]

Assumptions in pairing-based crypto
• Classic, e.g., DBDH: given g, g^a, g^b, g^c, distinguish e(g, g)^(abc) from random in GT
• Baroque, e.g., k-BDHI, k-SDH (see later)
• Decadent, e.g., …

Gaining confidence in assumptions
1. Show that they hold unconditionally (assuming, say, P ≠ NP)
2. Try to break them, consider observed hardness (e.g., factoring, discrete log)
3. Show they are hard to break in a restricted model of computation

II. Generic groups

Generic groups
• Models attacks that don't rely on special structure of group
• Group elements replaced with opaque string representation
• Oracles provided for allowed operations
• Adversary power otherwise unrestricted

History
• Introduced by Nechaev ('94) and Shoup ('97) to study discrete log problem
• Extended by Boneh and Boyen ('04) to consider pairings, groups G, GT
• Used extensively since to gain confidence in assumptions for pairing-based cryptography

The Über Assumption [BBG'05]
• Let Π = Fp[X1, …, Xn]; P, Q ∈ Π^s, f ∈ Π
• d = max { {2 deg Pi}, {2 deg Qi}, deg f }
• f is dependent on P, Q if there exist a_ij, b_k s.t. f = Σ a_ij Pi Pj + Σ b_k Qk

The Über Assumption (cont.)
Theorem. If f is independent of P & Q, an adversary that makes q queries has advantage at most
  (q + 2s + 2)^2 · d / (2r)
in distinguishing e(g, g)^(f(x1, …, xn)) from random, given {g^(Pi(x1, …, xn))}, {e(g, g)^(Qi(x1, …, xn))} (appropriately encoded).

Example: DBDH
• Instantiation:
  • Π = Fp[X, Y, Z]
  • P = {1, X, Y, Z}
  • Q = {1}
  • f = XYZ
• Max advantage: 3(q + 8)^2 / (2r) = O(q^2 / r)

Proof idea
• Set up environment, answer adversary queries using encodings from Π to {0,1}*
• Afterwards assign random values for {Xi}
• Simulation is wrong if two elements p, q (in P, in Q, f, or a query response)
  • are different as polynomials, but
  • are equal under the chosen assignment

Proof idea (cont.)
• Number of polynomials: q + 2s + 2 (queries; P; Q; f and random)
• Probability that p − q = 0: < deg(p − q) / r
• Max degree is max of
  • 2 max deg Pi (use pairing!)
  • max deg Qi
  • deg f

Extensions [B'08]
• Type-II and Type-III pairings
• solutions with multiple components in G, GT
• multiple possible solutions (à la SDH)
• rational functions in exponents (à la SDH)
• composite-order groups

Digression: k-Linear [S'07, HK'07]
• Given g1, …, gk, h; g1^(r1), …, gk^(rk); distinguish h^(r1 + … + rk) from random
• 1-Linear = DDH; 2-Linear = Linear [BBS'04]
• k-Linear easy given (k+1)-multilinear map
• k-Linear hard in generic group equipped with k-multilinear map
• So strictly weaker assumption with increasing k

III. Strengths of the generic group model

Undefeated
• No assumption proved secure in the generic group model has been broken
• (more on this later)

Discrete log problems with auxiliary info
• Given g, w = g^γ, g^(γ^2), …, g^(γ^k), …
• k-DL: output γ
• k-SDH: output (c, g^(1/(γ + c)))
• k-BDHI: distinguish e(g, g)^(1/γ) from random
• etc.: DHE, ABDHE, ABCDEFGHE, …

Prophecy …
• Generic-group lower bound: no adversary breaks k-DHI, k-SDH (etc.) with q queries unless q^2 k / r = Ω(1)
• with k = r^(1/3), an algorithm with q = r^(1/3) is not ruled out!

… fulfilled
• Brown & Gallant '04, Cheon '06: if r satisfies property (*) and k = r^(1/3), there exists an algorithm for k-DL with q = r^(1/3).
• (*): r − 1 has a divisor d of order Θ(r^(1/3))

IV. Limitations of the generic group model

Proofs are unilluminating
• Generic proofs: long, full of boilerplate
  • sometimes this hides bugs ([KM'10])
• Punchline often of form "q^2 / r"
  • not good when schemes are proved directly

Unsoundness
• Philosophical justification:
  • if a scheme is secure in the generic group
  • and is instantiated in a "generic-enough" group
  • then it remains secure
• Dent '02: there exists a scheme secure in the generic group and insecure in every group

The pairing [MOV'91]
• When the embedding degree is small, the pairing maps dlog on E(Fq) to Fq^k
• Dlog is subexponential on finite fields!

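The dependence test from the "Über Assumption" slide and the bad event from the "Proof idea" slides, as an added Python example (not code from the slides or from [BBG'05]). Polynomials in Fp[X1, …, Xn] are dicts from exponent tuples to coefficients. `is_dependent` decides by Gaussian elimination over Fp whether f lies in the span of {Pi·Pj} ∪ {Qk}, exactly the slide's definition; `ueber_degree` computes the slide's d; `ueber_bound` evaluates the advantage expression as written on the slide, with s taken as the number of P polynomials supplied (the slide's own DBDH constant (q + 8)^2 is not re-derived here); and `simulation_fails` checks the proof's bad event, two distinct polynomials that agree under one assignment. `dbdh_instance` follows the DBDH slide; the small prime 101 and the sample points are constructed for the demo.

```python
"""Über-assumption dependence check and the generic-group proof's bad event.

Added example, not from the slides. Polynomials over F_p in n variables are
dicts {exponent_tuple: coefficient}; zero coefficients are never stored, so
dict equality is polynomial equality.
"""
from itertools import combinations_with_replacement


def poly_mul(a, b, p):
    """Product of two polynomials over F_p."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % p
    return {e: c for e, c in out.items() if c}


def poly_deg(a):
    """Total degree (0 for the zero polynomial)."""
    return max((sum(e) for e in a), default=0)


def ueber_degree(P, Q, f):
    """d = max{2 deg Pi, 2 deg Qi, deg f}, as on the slide."""
    return max([2 * poly_deg(x) for x in P] + [2 * poly_deg(x) for x in Q] + [poly_deg(f)])


def ueber_bound(q, s, d, r):
    """Advantage bound (q + 2s + 2)^2 * d / (2r) stated in the theorem."""
    return (q + 2 * s + 2) ** 2 * d / (2 * r)


def solvable_mod_p(rows, p):
    """Row-reduce an augmented matrix over F_p; consistent iff no row is [0..0 | nonzero]."""
    ncols = len(rows[0]) - 1
    r = 0
    for c in range(ncols):
        pivot = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if pivot is None:
            continue
        rows[r], rows[pivot] = rows[pivot], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [(x * inv) % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                factor = rows[i][c]
                rows[i] = [(x - factor * y) % p for x, y in zip(rows[i], rows[r])]
        r += 1
    return all(any(row[:-1]) or row[-1] == 0 for row in rows)


def is_dependent(P, Q, f, p):
    """True iff f = sum a_ij Pi Pj + sum b_k Qk has a solution over F_p (slide's definition)."""
    gens = [poly_mul(P[i], P[j], p)
            for i, j in combinations_with_replacement(range(len(P)), 2)] + list(Q)
    monos = sorted({e for g in gens for e in g} | set(f))
    # One row per monomial: coefficients in each generator, then the target f.
    rows = [[g.get(m, 0) % p for g in gens] + [f.get(m, 0) % p] for m in monos]
    return solvable_mod_p(rows, p)


def evaluate(a, point, p):
    """Evaluate a polynomial at a point in F_p^n."""
    total = 0
    for e, c in a.items():
        term = c
        for x, k in zip(point, e):
            term = term * pow(x, k, p) % p
        total = (total + term) % p
    return total


def simulation_fails(polys, point, p):
    """The proof's bad event: two polynomials differ formally but agree at the chosen point."""
    vals = [evaluate(a, point, p) for a in polys]
    return any(polys[i] != polys[j] and vals[i] == vals[j]
               for i in range(len(polys)) for j in range(i + 1, len(polys)))


def dbdh_instance():
    """P = {1, X, Y, Z}, Q = {1}, f = XYZ over F_p[X, Y, Z], from the DBDH slide."""
    one = {(0, 0, 0): 1}
    X, Y, Z = {(1, 0, 0): 1}, {(0, 1, 0): 1}, {(0, 0, 1): 1}
    return [one, X, Y, Z], [one], {(1, 1, 1): 1}


if __name__ == "__main__":
    P, Q, f = dbdh_instance()
    print("d =", ueber_degree(P, Q, f))                  # 3
    print("XYZ dependent?", is_dependent(P, Q, f, 101))  # False: DBDH is generically hard
    print("XY dependent?", is_dependent(P, Q, {(1, 1, 0): 1}, 101))  # True: e(g^X, g^Y)
```

Swapping f for XY shows why the degree doubling "2 deg Pi (use pairing!)" matters: XY is a product of two listed P polynomials, so the pairing computes e(g, g)^(XY) directly and the test reports dependence.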
Faster discrete log on subfield curves
• Nonsupersingular binary elliptic curves: E: y^2 + xy = x^3 + Ax^2 + B over GF(2^m), B ≠ 0
• Subfield if A, B defined over GF(2^l), l < m
• [WZ'98], [GLV'98]: Pollard ρ on subfield curves in time O(r^(1/2) / (m/l)^(1/2))
• Idea: replace point P by the equivalence class ψ(P), ψ^2(P), ψ^3(P), …, ψ^(m/l)(P)

Malleability of ECDSA signatures
• Brown '01: ECDSA secure in generic group model
• Stern et al. '02:
  • ECDSA encoding function f(P) depends only on the x-coordinate
  • if (r, s) is a valid signature on some message, then so is (r, −s)

The generic ring model
• Analog to generic-group model for rings
• Useful for analyzing RSA-related problems
• Key difference: operations can fail (not all elements invertible)
• Adversary not given ring order N

The generic ring model (cont.)
• Aggarwal & Maurer '09: The RSA problem is equivalent to factoring in the generic ring model
• Jager & Schwenk '09: Computing the Jacobi symbol is equivalent to factoring in the generic ring model

V. A research agenda

A strange state of affairs
• Generic group model seems to capture all we know about pairing groups
• These are the least generic groups ever

A proposed problem
Break an assumption secure in the generic group model.

Which assumption?
1. An assumption actually used in a published paper
2. An assumption within a family of assumptions (e.g., the über family)
3. A new assumption you invent (but in the style of previous ones)

Break where?
1. On all pairing-friendly elliptic curves (i.e., "generically")
2. On a specific pairing-friendly curve (see [FST'10] for a curve catalog)
3. On a new pairing-friendly curve you invent

Break how?
1. Give a polynomial-time algorithm (i.e., break completely)
2. Give an exponential algorithm faster than the generic bounds

More generally …
• Assumptions in pairing-based cryptography need more scrutiny
• Mathematicians can help

Thanks!
