Dual Pairing Vector Space

Shiwei Zhang
School of Computer Science and Software Engineering, Faculty of Engineering and Information Sciences, University of Wollongong, Australia
Student Number: 3792444
Email: [email protected]
October 3, 2014

VISIONARY / PASSIONATE / DYNAMIC CONNECT: UOW

Literature

[1] Okamoto, T.: Dual pairing vector spaces and their applications to functional encryption (July 2014), lecture at University of Wollongong.
[2] Okamoto, T., Takashima, K.: Homomorphic encryption and signatures from vector decomposition. In: Galbraith, S., Paterson, K. (eds.) Pairing-Based Cryptography - Pairing 2008, Lecture Notes in Computer Science, vol. 5209, pp. 57-74. Springer, Berlin Heidelberg (2008).
[3] Okamoto, T., Takashima, K.: Some key techniques on pairing vector spaces. In: Nitaj, A., Pointcheval, D. (eds.) Progress in Cryptology - AFRICACRYPT 2011, Lecture Notes in Computer Science, vol. 6737, pp. 380-382. Springer, Berlin Heidelberg (2011).

Outline

1 Preliminaries
2 Dual Pairing Vector Space
3 Intractable Problems
  Vector Decomposition Problem
  Decisional Subspace Problem
  Hierarchical Trapdoors
4 Conclusion

1 Preliminaries

Pairing Groups

Let $G_1$ and $G_2$ be additive groups of prime order $q$ with generators $P$ and $Q$ respectively, and let $G_T$ be a multiplicative group of the same prime order $q$:
$$|G_1| = |G_2| = |G_T| = q, \qquad P \in G_1,\ Q \in G_2,\ \text{neither being the identity element}.$$
Scalar multiplication on $G_1$ and $G_2$ is defined as repeated addition:
$$\forall a \in \mathbb{Z}_q:\quad aP = \underbrace{P + P + \cdots + P}_{a \text{ times}}.$$
The conventional notation $g^a$, where $g$ is a generator, is not used, because additive notation gives a more natural DPVS representation.

Bilinear Pairing

The map $e: G_1 \times G_2 \to G_T$ is a bilinear pairing with the following properties:
Bilinearity: $\forall P \in G_1,\ Q \in G_2,\ x, y \in \mathbb{Z}_q:\ e(xP, yQ) = e(P, Q)^{xy}$.
Non-degeneracy: $\exists P \in G_1,\ Q \in G_2:\ e(P, Q) \neq 1$.
Computability: $\forall P \in G_1,\ Q \in G_2$ there is an efficient algorithm that computes $e(P, Q)$.

2 Dual Pairing Vector Space

Objective

Mathematically rich structures should be useful in implementing various cryptographic primitives and protocols [2].
Traditional cryptography (genus 0), e.g. finite fields ($\mathbb{F}_p^*$).
Pairing-based cryptography (genus 1), e.g. elliptic curve groups ($E/\mathbb{F}_p$). New property: bilinearity.
A natural way to construct a richer structure from pairing groups is the direct product of pairing groups, which leads to the dual pairing vector space.

Definition

Vectors $\mathbf{x} \in \mathbb{V}$ and $\mathbf{y} \in \mathbb{V}^*$ are defined as follows:
$$\mathbf{x} := (P_1, \ldots, P_N) \in G_1^N = \mathbb{V}, \qquad \mathbf{y} := (Q_1, \ldots, Q_N) \in G_2^N = \mathbb{V}^*.$$
Vector addition: $\forall \mathbf{z} := (R_1, \ldots, R_N) \in G_1^N = \mathbb{V}$,
$$\mathbf{x} + \mathbf{z} := (P_1 + R_1, \ldots, P_N + R_N).$$
Scalar multiplication: $\forall a \in \mathbb{F}_q$,
$$a\mathbf{x} := (aP_1, \ldots, aP_N).$$

Canonical Basis I

The canonical bases are defined as follows:
$$\mathbb{A} := (\mathbf{a}_1, \ldots, \mathbf{a}_N), \quad \mathbf{a}_1 := (P, 0, \ldots, 0),\ \mathbf{a}_2 := (0, P, 0, \ldots, 0),\ \ldots,\ \mathbf{a}_N := (0, \ldots, 0, P),$$
$$\mathbb{A}^* := (\mathbf{a}_1^*, \ldots, \mathbf{a}_N^*), \quad \mathbf{a}_1^* := (Q, 0, \ldots, 0),\ \mathbf{a}_2^* := (0, Q, 0, \ldots, 0),\ \ldots,\ \mathbf{a}_N^* := (0, \ldots, 0, Q).$$
Visually, with one basis vector per row:
$$\mathbb{A} := \begin{pmatrix} P & 0 & \cdots & 0 \\ 0 & P & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & P \end{pmatrix}, \qquad \mathbb{A}^* := \begin{pmatrix} Q & 0 & \cdots & 0 \\ 0 & Q & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & 0 & \cdots & Q \end{pmatrix}.$$

Canonical Basis II

Elements $\mathbf{x} \in \mathbb{V}$, $\mathbf{y} \in \mathbb{V}^*$ can be expressed on the canonical bases:
$$\mathbf{x} := (x_1 P, \ldots, x_N P) = x_1 \mathbf{a}_1 + \cdots + x_N \mathbf{a}_N = (x_1, \ldots, x_N)_{\mathbb{A}} = (\vec{x})_{\mathbb{A}},$$
$$\mathbf{y} := (y_1 Q, \ldots, y_N Q) = y_1 \mathbf{a}_1^* + \cdots + y_N \mathbf{a}_N^* = (y_1, \ldots, y_N)_{\mathbb{A}^*} = (\vec{y})_{\mathbb{A}^*}.$$
Note that $\vec{x}, \vec{y} \in \mathbb{F}_q^N$.

Canonical Basis III

As $\vec{x}$ is an $N$-dimensional vector and $\mathbb{A}$ is an $N \times N$ matrix (with $a_{i,j}$ the $j$-th component of $\mathbf{a}_i$, a group element), the definition of $\mathbf{x}$ is exactly a vector-matrix product in which every multiplication is a scalar multiplication in $G_1$:
$$\mathbf{x} = \vec{x}\mathbb{A} = \begin{bmatrix} x_1 & x_2 & \cdots & x_N \end{bmatrix} \begin{bmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,N} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,N} \\ \vdots & \vdots & \ddots & \vdots \\ a_{N,1} & a_{N,2} & \cdots & a_{N,N} \end{bmatrix} = \begin{bmatrix} \sum_{i=1}^N x_i a_{i,1} & \sum_{i=1}^N x_i a_{i,2} & \cdots & \sum_{i=1}^N x_i a_{i,N} \end{bmatrix} = (\vec{x})_{\mathbb{A}}.$$
Similarly, $\mathbf{y} = \vec{y}\mathbb{A}^*$.

Duality

The inner product between $\mathbb{V}$ and $\mathbb{V}^*$ is defined as follows: $\forall \mathbf{x} := (\vec{x})_{\mathbb{A}} \in \mathbb{V},\ \mathbf{y} := (\vec{y})_{\mathbb{A}^*} \in \mathbb{V}^*$,
$$\mathbf{x} \cdot \mathbf{y} := \sum_{i=1}^N x_i y_i = \vec{x} \cdot \vec{y} \in \mathbb{F}_q.$$
Since every $\mathbf{y} \in \mathbb{V}^*$ gives a linear map $\mathbf{y}: \mathbb{V} \to \mathbb{F}_q$ (namely $\mathbf{x} \mapsto \mathbf{x} \cdot \mathbf{y}$), $\mathbb{V}^*$ is the dual space of $\mathbb{V}$. Hence the bilinear pairing between $\mathbb{V}$ and $\mathbb{V}^*$ is defined as
$$e(\mathbf{x}, \mathbf{y}) := \prod_{i=1}^N e(x_i P, y_i Q) = e(P, Q)^{\sum_{i=1}^N x_i y_i} = g_T^{\vec{x} \cdot \vec{y}} = g_T^{\mathbf{x} \cdot \mathbf{y}} \in G_T,$$
where $g_T := e(P, Q)$. The inner product itself lives in the exponent: the pairing reveals $g_T^{\mathbf{x} \cdot \mathbf{y}}$, not $\mathbf{x} \cdot \mathbf{y}$.

Orthonormality

Since $\mathbb{V}$ is finite-dimensional ($N$-dimensional), $\mathbb{V}^*$ has the same dimension as $\mathbb{V}$, and
$$\mathbf{a}_i \cdot \mathbf{a}_j^* = \delta_{i,j} := \begin{cases} 1 & \text{if } i = j \\ 0 & \text{if } i \neq j \end{cases} \quad \Longrightarrow \quad e(\mathbf{a}_i, \mathbf{a}_j^*) = g_T^{\delta_{i,j}}.$$
$(\mathbb{A}, \mathbb{A}^*)$ are dual orthonormal bases of $\mathbb{V}$ and $\mathbb{V}^*$.

Base Change I

To change the basis $(\mathbb{A}, \mathbb{A}^*)$ to a new basis $(\mathbb{B}, \mathbb{B}^*)$, an $N \times N$ invertible matrix $X$ is chosen uniformly from the general linear group of degree $N$ over $\mathbb{F}_q$:
$$X := (\chi_{i,j}) \xleftarrow{\mathrm{U}} GL(N, \mathbb{F}_q), \qquad (\theta_{i,j}) := (X^{T})^{-1}.$$

Base Change II

The base change is a linear transformation of each basis:
$$\mathbb{A} \xrightarrow{\ X\ } \mathbb{B}, \qquad \mathbb{A}^* \xrightarrow{\ (X^{T})^{-1}\ } \mathbb{B}^*,$$
$$\mathbb{B} := (\mathbf{b}_1, \ldots, \mathbf{b}_N), \quad \mathbf{b}_i = \sum_{j=1}^N \chi_{i,j} \mathbf{a}_j = (\chi_{i,1} P, \ldots, \chi_{i,N} P) = (\vec{\chi}_i)_{\mathbb{A}} \quad \text{for } i = 1, \ldots, N,$$
$$\mathbb{B}^* := (\mathbf{b}_1^*, \ldots, \mathbf{b}_N^*), \quad \mathbf{b}_i^* = \sum_{j=1}^N \theta_{i,j} \mathbf{a}_j^* = (\theta_{i,1} Q, \ldots, \theta_{i,N} Q) = (\vec{\theta}_i)_{\mathbb{A}^*} \quad \text{for } i = 1, \ldots, N.$$

Base Change III

As an extension of $\mathbf{x} = \vec{x}\mathbb{A}$, the base change above can be written as a single matrix product:
$$\mathbb{B} = X\mathbb{A} = \begin{bmatrix} \chi_{1,1} & \chi_{1,2} & \cdots & \chi_{1,N} \\ \chi_{2,1} & \chi_{2,2} & \cdots & \chi_{2,N} \\ \vdots & \vdots & \ddots & \vdots \\ \chi_{N,1} & \chi_{N,2} & \cdots & \chi_{N,N} \end{bmatrix} \begin{bmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,N} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,N} \\ \vdots & \vdots & \ddots & \vdots \\ a_{N,1} & a_{N,2} & \cdots & a_{N,N} \end{bmatrix} = \begin{bmatrix} \sum_{i=1}^N \chi_{1,i} a_{i,1} & \sum_{i=1}^N \chi_{1,i} a_{i,2} & \cdots & \sum_{i=1}^N \chi_{1,i} a_{i,N} \\ \sum_{i=1}^N \chi_{2,i} a_{i,1} & \sum_{i=1}^N \chi_{2,i} a_{i,2} & \cdots & \sum_{i=1}^N \chi_{2,i} a_{i,N} \\ \vdots & \vdots & \ddots & \vdots \\ \sum_{i=1}^N \chi_{N,i} a_{i,1} & \sum_{i=1}^N \chi_{N,i} a_{i,2} & \cdots & \sum_{i=1}^N \chi_{N,i} a_{i,N} \end{bmatrix}.$$
Similarly, $\mathbb{B}^* = (X^{T})^{-1}\mathbb{A}^*$.

Base Change IV

Note that $\mathbb{B}$ is a basis of $\mathbb{V}$ and $\mathbb{B}^*$ is a basis of $\mathbb{V}^*$ (both $X$ and $(X^T)^{-1}$ are invertible). Since
$$\mathbf{b}_i \cdot \mathbf{b}_j^* = (\vec{\chi}_i)_{\mathbb{A}} \cdot (\vec{\theta}_j)_{\mathbb{A}^*} = \vec{\chi}_i \cdot \vec{\theta}_j = \left(X \cdot \left((X^T)^{-1}\right)^T\right)_{i,j} = \left(X X^{-1}\right)_{i,j} = \delta_{i,j} \quad \Longrightarrow \quad e(\mathbf{b}_i, \mathbf{b}_j^*) = g_T^{\delta_{i,j}},$$
$(\mathbb{B}, \mathbb{B}^*)$ are dual orthonormal bases of $\mathbb{V}$ and $\mathbb{V}^*$. The pairing of vectors expressed on the bases obtained from $X$ is:
$$\mathbf{x} := x_1 \mathbf{b}_1 + \cdots + x_N \mathbf{b}_N = (x_1, \ldots, x_N)_{\mathbb{B}} = (\vec{x})_{\mathbb{B}} \in \mathbb{V},$$
$$\mathbf{y} := y_1 \mathbf{b}_1^* + \cdots + y_N \mathbf{b}_N^* = (y_1, \ldots, y_N)_{\mathbb{B}^*} = (\vec{y})_{\mathbb{B}^*} \in \mathbb{V}^*,$$
$$e(\mathbf{x}, \mathbf{y}) = \prod_{i=1}^N \prod_{j=1}^N e(x_i \mathbf{b}_i, y_j \mathbf{b}_j^*) = \prod_{i=1}^N \prod_{j=1}^N g_T^{x_i y_j \delta_{i,j}} = g_T^{\sum_{i=1}^N x_i y_i} = g_T^{\vec{x} \cdot \vec{y}} \quad (\text{since } e(\mathbf{b}_i, \mathbf{b}_j^*) = g_T^{\delta_{i,j}}).$$
So the coordinate inner product is preserved under any such base change, even though the coordinates themselves are hidden inside group elements.

Trapdoor

It is hard to compute $\mathbb{B}^*$ from $(\mathbb{B}, \mathbb{A}, \mathbb{A}^*)$, but it is easy with $X$:
$$(\mathbb{B}, \mathbb{A}, \mathbb{A}^*) \xrightarrow{\ \text{hard}\ } \mathbb{B}^*, \qquad (\mathbb{B}, \mathbb{A}, \mathbb{A}^*, X) \xrightarrow{\ \text{easy}\ } \mathbb{B}^*.$$
The matrix $X$ (equivalently $(X^T)^{-1}$) therefore plays the role of a trapdoor, which is what the cryptographic applications exploit.

Special Case: Self-Duality

With a symmetric pairing group $G_1 = G_2 = G$, the bilinear pairing and the vector space become
$$e: G \times G \to G_T, \qquad \mathbb{V} = \mathbb{V}^* := G^N.$$
The other properties change as follows:
Base change:
$$\mathbb{A} \xrightarrow{\ X \xleftarrow{\mathrm{U}} GL(N, \mathbb{F}_q)\ } (\mathbb{B}, \mathbb{B}^*).$$
Note that $\mathbb{A}$, $\mathbb{B}$ and $\mathbb{B}^*$ are now all bases of the same space $\mathbb{V}$: $\mathbb{A}$ is its own dual ($\mathbf{a}_i \cdot \mathbf{a}_j = \delta_{i,j}$, i.e. it is a self-dual orthonormal basis), and $(\mathbb{B}, \mathbb{B}^*)$ is a pair of dual orthonormal bases of $\mathbb{V}$.
Trapdoor:
$$(\mathbb{B}, \mathbb{A}) \xrightarrow{\ \text{hard}\ } \mathbb{B}^*, \qquad (\mathbb{B}, \mathbb{A}, X) \xrightarrow{\ \text{easy}\ } \mathbb{B}^*.$$

3 Intractable Problems

There are two intractable problems in DPVS suitable for cryptographic applications:
Vector Decomposition Problem (VDP)
Decisional Subspace Problem (DSP)

Vector Decomposition Problem I

VDP was originally named the Computational Vector Decomposition Problem [2].

Definition ($\mathrm{VDP}(N_1, N_2)$: $(N_1, N_2)$-Vector Decomposition Problem). Let $\mathcal{G}$ be an $N_1$-dimensional $\mathbb{F}_q$-vector space generator taking a security parameter $k$, with $N_1 > N_2$. Let $\mathcal{A}$ be a probabilistic polynomial-time machine. The advantage of $\mathcal{A}$ is defined as
$$\mathrm{Adv}^{\mathrm{VDP}(N_1, N_2)}_{\mathcal{A}}(k) = \Pr\left[\, \mathbf{u} = (v_1, \ldots, v_{N_2}, 0, \ldots, 0)_{\mathbb{B}} \;\middle|\; \mathbb{V} \xleftarrow{\mathrm{R}} \mathcal{G}(1^k);\ \mathbb{B} \xleftarrow{\mathrm{U}} \mathbb{V};\ \vec{v} = (v_1, \ldots, v_{N_1}) \xleftarrow{\mathrm{U}} \mathbb{F}_q^{N_1};\ \mathbf{v} = (\vec{v})_{\mathbb{B}};\ \mathbf{u} \leftarrow \mathcal{A}(1^k, \mathbb{V}, \mathbb{B}, \mathbf{v}) \,\right],$$
where $\mathbb{B} \xleftarrow{\mathrm{U}} \mathbb{V}$ denotes a uniformly chosen basis of $\mathbb{V}$. The $\mathrm{VDP}(N_1, N_2)$ assumption holds if no probabilistic polynomial-time adversary $\mathcal{A}$ has non-negligible advantage $\mathrm{Adv}^{\mathrm{VDP}(N_1, N_2)}_{\mathcal{A}}(k)$.

Vector Decomposition Problem II

$$\mathbf{v} = (v_1, v_2, \ldots, v_{N_2 - 1}, v_{N_2}, v_{N_2 + 1}, \ldots, v_{N_1 - 1}, v_{N_1})_{\mathbb{B}}$$
$$\Big\downarrow\ \text{Hard (given only } \mathbb{B}\text{)}$$
$$\mathbf{u} = (v_1, v_2, \ldots, v_{N_2 - 1}, v_{N_2}, 0, \ldots, 0)_{\mathbb{B}}$$
The adversary is given the basis $\mathbb{B}$ but not the trapdoor $X$; dropping the last $N_1 - N_2$ coordinates of $\mathbf{v}$ without leaving $\mathbb{B}$ is what is assumed hard. Remark that there is a special case of VDP.
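The following Python is an added worked example and is not part of the original slides or of Okamoto and Takashima's work. It serves two of the slides above: it checks the Base Change / Orthonormality claims ($\mathbf{b}_i \cdot \mathbf{b}_j^* = \delta_{i,j}$ and $e((\vec{x})_{\mathbb{B}}, (\vec{y})_{\mathbb{B}^*}) = g_T^{\vec{x} \cdot \vec{y}}$ after a random base change), and it shows the "easy with $X$" direction of the VDP trapdoor: since $\mathbf{v} = (\vec{v})_{\mathbb{B}} = (\vec{v} X)_{\mathbb{A}}$, the holder of $X$ obtains $(v_1, \ldots, v_{N_2}, 0, \ldots, 0)_{\mathbb{B}}$ by applying the fixed linear map $X^{-1} \Pi X$ (with $\Pi$ the projection onto the first $N_2$ coordinates) to the group elements of $\mathbf{v}$, using scalar multiplication only and never extracting a discrete logarithm. Everything concrete here is my assumption: group elements of $G_1$ and $G_2$ are stored as their discrete logarithms modulo $q$ (so this is an insecure toy that models the algebra, not a pairing library), $q = 1019$, $p = 2039 = 2q + 1$, $g_T$ is a generator of the order-$q$ subgroup of $\mathbb{Z}_p^*$, and the dimensions, seed and function names are mine.

```python
"""Toy model of a dual pairing vector space (DPVS) over a small prime q.

Assumption (not from the slides): an element aP of G1, or aQ of G2, is stored
as the integer a mod q, so discrete logs are trivially readable and the model
is NOT secure.  It exists only to check the linear algebra of dual orthonormal
bases and the trapdoor decomposition.  G_T is the order-q subgroup of Z_p^*.
"""
import random

Q = 1019                                  # prime order of G1, G2, G_T (chosen for the toy)
P_MOD = 2 * Q + 1                         # 2039 is prime, so Z_2039^* has a subgroup of order Q
G_T = pow(2, (P_MOD - 1) // Q, P_MOD)     # g_T = e(P, Q), a generator of that subgroup
assert G_T != 1


def pairing(x, y):
    """e(x, y) for x in V = G1^N, y in V* = G2^N: the product of e(x_i P, y_i Q)."""
    assert len(x) == len(y)
    return pow(G_T, sum(a * b for a, b in zip(x, y)) % Q, P_MOD)


def mat_inv_mod(m, q):
    """Inverse of a square matrix over F_q by Gauss-Jordan; raises ValueError if singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % q), None)
        if piv is None:
            raise ValueError("matrix is singular mod q")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [v * inv % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % q for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def transpose(m):
    return [list(c) for c in zip(*m)]


def mat_mul(a, b, q):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) % q for col in bt] for row in a]


def random_gl(n, q, rng):
    """Uniform X in GL(n, F_q) by rejection sampling (singular draws are discarded)."""
    while True:
        x = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        try:
            mat_inv_mod(x, q)
            return x
        except ValueError:
            continue


def dual_bases(x_mat, q):
    """(B, B*) from the canonical (A, A*): b_i = row i of X, b_i^* = row i of (X^T)^{-1}.

    With A = A* = identity in the log representation, the rows of X are the
    group-element coordinates of b_i and the rows of (X^T)^{-1} those of b_i^*.
    """
    return x_mat, mat_inv_mod(transpose(x_mat), q)


def coords_to_vec(coeffs, basis, q):
    """(x_1, ..., x_N)_B = sum_i x_i b_i, computed with scalar multiplication only."""
    return [sum(c * b[j] for c, b in zip(coeffs, basis)) % q for j in range(len(basis))]


def trapdoor_decompose(v, x_mat, n2, q):
    """Given v = (v_1..v_N)_B and the trapdoor X, return (v_1..v_{n2}, 0..0)_B.

    v's A-coordinates are vec(v) X, so the answer (vec(v) Pi) X equals
    (vec(v) X) X^{-1} Pi X: a fixed linear map applied to v's group elements.
    """
    n = len(v)
    proj = [[int(i == j and i < n2) for j in range(n)] for i in range(n)]
    m = mat_mul(mat_mul(mat_inv_mod(x_mat, q), proj, q), x_mat, q)
    return [sum(v[i] * m[i][j] for i in range(n)) % q for j in range(n)]


def demo(n=4, n2=2, seed=7):
    """Returns (dual orthonormality holds, pairing gives g_T^{x.y}, trapdoor VDP solved)."""
    rng = random.Random(seed)
    x_mat = random_gl(n, Q, rng)
    b, b_star = dual_bases(x_mat, Q)
    # Base Change IV: e(b_i, b_j^*) = g_T^{delta_ij}
    ortho = all(pairing(b[i], b_star[j]) == (G_T if i == j else 1)
                for i in range(n) for j in range(n))
    # pairing of (x)_B and (y)_B* reveals only g_T^{x.y}
    xv = [rng.randrange(Q) for _ in range(n)]
    yv = [rng.randrange(Q) for _ in range(n)]
    x = coords_to_vec(xv, b, Q)
    y = coords_to_vec(yv, b_star, Q)
    pair_ok = pairing(x, y) == pow(G_T, sum(a * c for a, c in zip(xv, yv)) % Q, P_MOD)
    # VDP(n, n2) with the trapdoor X: keep the first n2 B-coordinates, zero the rest
    u = trapdoor_decompose(x, x_mat, n2, Q)
    expect = coords_to_vec(xv[:n2] + [0] * (n - n2), b, Q)
    return ortho, pair_ok, u == expect


if __name__ == "__main__":
    print(demo())
```

The decomposition never touches the coefficients $v_i$ directly: `trapdoor_decompose` only sees the group elements of $\mathbf{v}$ and multiplies them by scalars from $X^{-1} \Pi X$, which is exactly the operation that is available in a real pairing group. Without $X$, the same map is unknown and the problem is the VDP of the slides; in this toy the logs are visible, so the hardness itself cannot be demonstrated, only the algebra.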