Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves (PowerPoint presentation)

  1. Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves
     Aurore Guillevic
     C2, Dinard, France
     C2 2012, slide 1/23

  2. Outline
     1 Introduction
     2 BGN protocol with a symmetric pairing
     3 BGN conversions
     4 Our implementation
     5 Conclusion


  4. Previous work
     - [Boneh, Goh and Nissim, TCC 2005] First public-key homomorphic encryption scheme using composite-order groups and pairings. Based on the Subgroup Decision Assumption.
     - For the last seven years, many protocols with interesting properties have been based on this assumption.
     - [Freeman, Eurocrypt 2010] Specific conversions to prime-order groups.
     - [Lewko, Eurocrypt 2012] Generic conversions to prime-order groups and nice security proofs.
     → It remains quite theoretical.

  5. Contributions
     - Explicit parameter sizes for protocols based on the Subgroup Decision Assumption at common security levels.
     - Implementation in C and benchmarks.


  7. Subgroup Decision Assumption
     Given a group $G$ of composite order $p_1 p_2 = N$ (e.g. an RSA modulus), without knowing its decomposition into $p_1$ and $p_2$, it is hard to decide whether a given element $g \in G$ is in the subgroup of order $p_1$.
     $N$ must be infeasible to factor ⇒ very large parameter sizes.

  8. Bilinear Groups
     1. $G_1$, $G_2$ and $G_T$ are three cyclic groups of order $N$.
     2. $e : G_1 \times G_2 \to G_T$ is a bilinear map, i.e. for all $g_1, h_1 \in G_1$ and $g_2, h_2 \in G_2$, $e(g_1 \cdot h_1, g_2) = e(g_1, g_2) \cdot e(h_1, g_2)$ and $e(g_1, g_2 \cdot h_2) = e(g_1, g_2) \cdot e(g_1, h_2)$.
     2'. For all $a, b \in \mathbb{Z}$, $g_1 \in G_1$, $g_2 \in G_2$: $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab} = e(g_1^b, g_2^a)$.

  9. BGN protocol: setup
     1. Generate two random $\tau$-bit primes $p_1, p_2$ and set $N = p_1 p_2$.
     2. Generate a (symmetric) bilinear pairing $e : G_1 \times G_1 \to G_T$ with $G_1$ and $G_T$ of order $N$.
     3. Pick two random generators $g_1, u_1 \leftarrow G_1$ and set $h_1 = u_1^{p_2}$ ⇒ $h_1$ is a random generator of the subgroup of order $p_1$ of $G_1$. Set $g_T = e(g_1, g_1)$ as generator of $G_T$ and $h_T = e(g_1, h_1) = g_T^{p_2}$ as generator of the subgroup of order $p_1$ of $G_T$.
     4. $PK = (N, G_1, G_T, e, g_1, h_1, g_T, h_T)$. $SK = p_1$.

  10. BGN protocol: encrypt/decrypt
     Encrypt($PK$, $m$): $m \in \mathbb{N}$, $m < p_2$. Pick a random $r \leftarrow \{0, 1, \ldots, N - 1\}$. The ciphertext is $c = g_1^m \cdot h_1^r \in G_1$.
     Decrypt($SK$, $c \in G_1$): We have $c^{p_1} = (g_1^m \cdot h_1^r)^{p_1} = (g_1^{p_1})^m$ → compute the discrete log of $c^{p_1}$ in base $g_1^{p_1}$.
     → very slow,
     → or $m$ must be very small (few bits).

  11. BGN protocol: homomorphic add/mul
     Add($c_1$, $c_2$) mod $N$: Pick a random $r \leftarrow \{0, 1, \ldots, N - 1\}$. $c = c_1 \cdot c_2 \cdot h_1^r = g_1^{m_1 + m_2 \bmod N} \cdot h_1^{r'} \in G_1$.
     Mul($c_3$, $c_4$) mod $N$ (once): Pick a random $r \leftarrow \{0, 1, \ldots, N - 1\}$. $c = e(c_3, c_4) \cdot h_T^r = g_T^{m_3 \cdot m_4 \bmod N} \cdot h_T^{r'} \in G_T$.
     Add($c_5$, $c_6$) mod $N$: Pick a random $r \leftarrow \{0, 1, \ldots, N - 1\}$. $c = c_5 \cdot c_6 \cdot h_T^r = g_T^{m_5 + m_6 \bmod N} \cdot h_T^{r'} \in G_T$.

  12. BGN in practice
     - Suitable elliptic curve: easy to generate.
       1. Let $N$ be a composite-order modulus (generated with e.g. openssl).
       2. Find the smallest integer $h$, $4 \mid h$, such that $hN - 1$ is prime.
       3. Let $p = hN - 1$. The elliptic curve $E(\mathbb{F}_p) : y^2 = x^3 - x$ is supersingular, of order $hN = p + 1$ and embedding degree 2. Moreover, an explicit isomorphism $G_1 \to G_2$ is available, hence the pairing is symmetric.
     - Tate pairing only (one of the worst pairings in speed).
     - Parameter sizes: $3072 \le \log N \le 3248$ (NIST–Ecrypt).
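As an added example that is not part of the slides, here is a toy Python implementation of the composite-order protocol of slides 9 to 12: the curve $E(\mathbb{F}_p) : y^2 = x^3 - x$ with $p = hN - 1$, Setup, Encrypt, Decrypt by raising to $p_1$ and solving a small discrete logarithm, and the homomorphic Add in $G_1$; Mul is left out because it needs the Tate pairing. The function names, the dictionary layout of $PK$ and the toy primes are this example's own choices, and nothing in it is a secure parameter size.

```python
# Added toy example (not the slides' code): BGN on E(F_p): y^2 = x^3 - x with
# p = hN - 1, slides 9-12. Encrypt, Decrypt, Add in G_1 only; Mul needs a pairing.
import random

def is_prime(n):  # trial division: toy sizes only
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
def bgn_curve_params(N):  # slide 12: smallest h with 4 | h such that hN - 1 is prime
    h = 4
    while not is_prime(h * N - 1): h += 4
    return h, h * N - 1  # E(F_p) then has order p + 1 = hN
def ec_add(P, Q, p):  # affine addition on y^2 = x^3 - x over F_p; None = infinity
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None  # Q = -P
    lam = (3 * x1 * x1 - 1) * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)
def ec_mul(k, P, p):  # double-and-add [k]P
    R = None
    while k:
        if k & 1: R = ec_add(R, P, p)
        P, k = ec_add(P, P, p), k >> 1
    return R
def random_point(p):  # p = 3 mod 4, so a square root of rhs, when one exists, is rhs^((p+1)/4)
    while True:
        x = random.randrange(p)
        rhs = (x ** 3 - x) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs: return (x, y)

def bgn_setup(p1, p2):  # slide 9; returns (PK, SK = p1)
    h, p = bgn_curve_params(p1 * p2)
    def gen():  # random generator of the order-N subgroup of E(F_p)
        while True:
            g = ec_mul(h, random_point(p), p)  # clear the cofactor h
            if ec_mul(p1, g, p) and ec_mul(p2, g, p): return g  # neither kills g: order N
    g1, u1 = gen(), gen()
    h1 = ec_mul(p2, u1, p)  # h1 = u1^p2 generates the order-p1 subgroup of G_1
    return {"N": p1 * p2, "p": p, "g1": g1, "h1": h1}, p1
def bgn_encrypt(pk, m):  # slide 10: c = g1^m * h1^r, written additively on the curve
    r = random.randrange(pk["N"])
    return ec_add(ec_mul(m, pk["g1"], pk["p"]), ec_mul(r, pk["h1"], pk["p"]), pk["p"])
def bgn_add(pk, c1, c2):  # slide 11: c = c1 * c2 * h1^r with fresh blinding r
    r = random.randrange(pk["N"])
    return ec_add(ec_add(c1, c2, pk["p"]), ec_mul(r, pk["h1"], pk["p"]), pk["p"])
def bgn_decrypt(pk, sk, c):  # slide 10: c^p1 kills h1^r; discrete log in base g1^p1
    p, target, base = pk["p"], ec_mul(sk, c, pk["p"]), ec_mul(sk, pk["g1"], pk["p"])
    for m in range(pk["N"] // sk):  # brute force over m < p2; real sizes need tiny m
        if ec_mul(m, base, p) == target: return m
```

With $p_1 = 11$, $p_2 = 13$ the recipe gives $h = 4$ and $p = 571$; since decryption only recovers $m$ modulo $p_2$, the sum of two messages is correct only while it stays below $p_2$, which is the $m < p_2$ condition of slide 10.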

  13. BGN variants
     - Over composite-order groups made of several distinct primes.
     - Each piece of information is hidden in a subgroup.
     - The parameter sizes depend on the Number Field Sieve (NFS) attack and the Elliptic Curve Method (ECM) attack.


  15. Freeman and Lewko Conversions
     - As operations are much faster on a prime-order elliptic curve than on a composite-order one, the protocol is built on a prime-order curve.
     - It uses a vector of elements in the same prime-order group: each copy of the prime-order group corresponds to a subgroup in the composite-order setting.
     - To distinguish between the different copies, elements are generated from different generators.
     - The protocol security relies on the $d$-Linear Problem, an extension of the Diffie–Hellman Problem.
     - New properties to achieve: projecting pairings and cancelling pairings.

  16. BGN Conversion: setup
     1. Let $(G_1, G_2, G_T)$ be three cyclic groups of prime order $n$ with a pairing $e : G_1 \times G_2 \to G_T$.
     2. Let $\mathbb{G}_1 = G_1^2$, $\mathbb{G}_2 = G_2^2$, $\mathbb{G}_T = G_T^4$.
     3. Choose random generators $g_1 \in G_1$, $g_2 \in G_2$ and let $g_T = e(g_1, g_2)$.
     4. Choose random matrices $\begin{pmatrix} a_1 & b_1 \\ c_1 & d_1 \end{pmatrix}, \begin{pmatrix} a_2 & b_2 \\ c_2 & d_2 \end{pmatrix} \in SL_2(\mathbb{F}_n)$.
     5. Let $H_1$ be the subgroup of $\mathbb{G}_1$ generated by $h_1 = (g_1^{a_1}, g_1^{b_1})$, and let $H_2$ be the subgroup of $\mathbb{G}_2$ generated by $h_2 = (g_2^{a_2}, g_2^{b_2})$.
     6. Define a pairing $\mathbb{E} : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ by $\mathbb{E}([u_1, v_1], [u_2, v_2]) = [e(u_1, u_2), e(u_1, v_2), e(v_1, u_2), e(v_1, v_2)]$.
     7. Let $H_T = \langle \mathbb{E}(h_1, h_2),\ \mathbb{E}(h_1, [g_2^{c_2}, g_2^{d_2}]),\ \mathbb{E}([g_1^{c_1}, g_1^{d_1}], h_2) \rangle \subset \mathbb{G}_T$.

  17. BGN Conversion: setup
     8. The analogue of computing $c^{p_1}$ is computing a projecting map $\pi_1$, $\pi_2$ or $\pi_T$ on the groups $\mathbb{G}_1$, $\mathbb{G}_2$ or $\mathbb{G}_T$ such that $H_* \subset \mathrm{Ker}(\pi_*)$ and $\mathbb{E}(\pi_1(u), \pi_2(v)) = \pi_T(\mathbb{E}(u, v))$.
     9. The public parameters are $(\mathbb{G}_1, H_1, \mathbb{G}_2, H_2, \mathbb{G}_T, \mathbb{G}_T', \mathbb{E}, g_1, g_2)$ and the secret trapdoors are $\pi_1$, $\pi_2$ and $\pi_T$, which need the numbers $a_1, b_1, \ldots, d_2$, e.g. $\pi_1([u_1, v_1]) = [u_1^{-b_1 c_1} \cdot v_1^{a_1 c_1},\ u_1^{-b_1 d_1} \cdot v_1^{a_1 d_1}]$.
     Homomorphic properties:
     - The message is hidden in the exponent and a random blinding term from the subgroup is added.
     - To decrypt, a discrete logarithm is needed.


  19. LibCryptoLCH
     The LibCryptoLCH is a proprietary cryptographic library developed inside the Crypto Lab (Laboratoire Chiffre) at THALES.
     - $\mathbb{F}_p$ arithmetic with Montgomery representation; multiplication in Intel x86 assembly language can be activated (thanks to F. de Portzamparc).
     - Same high-level pairing optimizations as in the most efficient papers.
     - Generic design: may use any $p$ or elliptic curve.
     - Modular approach.

     Curve, pairing         k   log2 m   log2 p   Miller loop   Final exp.   Pairing
     Supersingular, Tate    2     256     1536       19.7 ms      20.5 ms   40.2 ms
     BN, optimal Ate       12     256      256        2.4 ms       3.0 ms    5.4 ms

     Pairings with normal NIST parameter sizes for a 128-bit security level ($k$ is the embedding degree); PC Linux, Intel x86, 2.6 GHz.
