limitations on transformations from composite order to
play

Limitations on Transformations from Composite-Order to Prime-Order - PowerPoint PPT Presentation

Apr 08, 2023 •310 likes •1.09k views

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman (Stanford University) 1 Elliptic curves:

  1. Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman (Stanford University) 1

  2. Elliptic curves: what are they and why do we care? Bilinear groups are cyclic groups G of some finite order that admit a nondegenerate bilinear map e: G × G → G T • Bilinear: e(x a ,y) = e(x,y) a = e(x,y a ), nondegenerate: e(x,y) = 1 for all y ⇔ x = 1 • Composite order: |G| = N (often use N = pq), prime order: |G| = p 2

  3. Elliptic curves: what are they and why do we care? Bilinear groups are cyclic groups G of some finite order that admit a nondegenerate bilinear map e: G × G → G T • Bilinear: e(x a ,y) = e(x,y) a = e(x,y a ), nondegenerate: e(x,y) = 1 for all y ⇔ x = 1 • Composite order: |G| = N (often use N = pq), prime order: |G| = p 3

  4. Elliptic curves: what are they and why do we care? Bilinear groups are cyclic groups G of some finite order that admit a nondegenerate bilinear map e: G × G → G T • Bilinear: e(x a ,y) = e(x,y) a = e(x,y a ), nondegenerate: e(x,y) = 1 for all y ⇔ x = 1 • Composite order: |G| = N (often use N = pq), prime order: |G| = p Historically, we use elliptic curves for two main reasons: • Functionality: IBE [BF01], functional encryption, etc. • Efficiency: discrete log problem is harder, can use smaller parameters 4

  5. Outline 5

  6. Outline Divide the talk into three main parts: 5

  7. Outline Divide the talk into three main parts: • The setting: work in composite-order bilinear groups 5

  8. Outline Divide the talk into three main parts: • The setting: work in composite-order bilinear groups • The application: a round-optimal blind signature scheme 5

  9. Outline Divide the talk into three main parts: • The setting: work in composite-order bilinear groups • The application: a round-optimal blind signature scheme • The problem: what if we want to instantiate our scheme in a prime-order setting instead? 5

  10. The setting: composite-order groups • Cyclic groups G and G T of order N = pq, G = G p × G q but p,q are secret • Bilinear map e: G × G → G T • Often use the subgroup hiding assumption: element of G q indistinguishable from an element of G • This setting has proved to be quite useful: 6

  11. The setting: composite-order groups • Cyclic groups G and G T of order N = pq, G = G p × G q but p,q are secret • Bilinear map e: G × G → G T • Often use the subgroup hiding assumption: element of G q indistinguishable from an element of G • This setting has proved to be quite useful: “somewhat” homomorphic encryption [BGN05] 6

  12. The setting: composite-order groups • Cyclic groups G and G T of order N = pq, G = G p × G q but p,q are secret • Bilinear map e: G × G → G T • Often use the subgroup hiding assumption: element of G q indistinguishable from an element of G • This setting has proved to be quite useful: traitor “somewhat” tracing homomorphic [BSW06] zero knowledge encryption [GOS06,GS08] group [BGN05] signatures predicate [BW07] ring encryption signatures HIBE [KSW08] [SW07] [LW10] 6

  13. The setting: composite-order groups • Cyclic groups G and G T of order N = pq, G = G p × G q but p,q are secret • Bilinear map e: G × G → G T • Often use the subgroup hiding assumption: element of G q indistinguishable from an element of G • This setting has proved to be quite useful: traitor “somewhat” tracing homomorphic [BSW06] zero knowledge encryption [GOS06,GS08] group [BGN05] signatures blind predicate [BW07] signatures ring encryption [MSF10] signatures HIBE [KSW08] [SW07] [LW10] 6

  14. Composite- vs. prime-order groups 7

  15. Composite- vs. prime-order groups Why would we switch to prime-order groups? 7

  16. Composite- vs. prime-order groups Why would we switch to prime-order groups? • Composite-order means bigger : in prime-order groups, can use group of size ~160 bits; in composite-order groups need ~1024 bits (discrete log vs. factoring) • In addition, there aren’t many composite-order curve families (need to use supersingular vs. ordinary curves) 7

  17. Composite- vs. prime-order groups Why would we switch to prime-order groups? • Composite-order means bigger : in prime-order groups, can use group of size ~160 bits; in composite-order groups need ~1024 bits (discrete log vs. factoring) • In addition, there aren’t many composite-order curve families (need to use supersingular vs. ordinary curves) Previously, people converted schemes in an ad-hoc way [W09,GSW09,LW10] Freeman [F10] is first to provide a general conversion method 7

  18. The application: round-optimal blind signatures 8

  19. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S 8

  20. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S 8

  21. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m 8

  22. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ 8

  23. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! 8

  24. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req 8

  25. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ ´ 8

  26. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ σ ´ 8

  27. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ σ ´ Same σ as in the unblinded case above 8

  28. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ σ ´ Same σ as in the unblinded case above Applications: electronic cash, anonymous credentials, etc. 8

  29. The application: round-optimal blind signatures Signatures: user U obtains a signature σ on a message m from a signer S m σ In a blind signature scheme [Ch82], user gets this signature without the signer learning which message it signed! req σ σ ´ Same σ as in the unblinded case above Applications: electronic cash, anonymous credentials, etc. Still a very active research area [O06,F09,AO10,AHO10,R10,GRSSU11] 8

  30. Our scheme: ideas 9

  31. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] 9

  32. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: 9

  33. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T 9

  34. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T τ ↓ ................. E: B × B → B T 9

  35. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T τ ↓ ................. E: B × B → B T • Abstract assumption: B = B 1 × B 2 , where B 1 is indistinguishable from B • Subgroup hiding: set B = G = G p × G q 9

  36. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T τ ↓ ................. E: B × B → B T • Abstract assumption: B = B 1 × B 2 , where B 1 is indistinguishable from B • Subgroup hiding: set B = G = G p × G q • DLIN: rank 2 matrix ~ rank 3 matrix for a 3 × 3 matrix over F p 9

  37. Our scheme: ideas Simple construction (inspired by [BW06]): combine Waters signature [W07] with Groth-Sahai zero-knowledge proofs [GS08] Recap of Groth-Sahai setting: e: G × G → G T τ ↓ ................. E: B × B → B T • Abstract assumption: B = B 1 × B 2 , where B 1 is indistinguishable from B • Subgroup hiding: set B = G = G p × G q • DLIN: rank 2 matrix ~ rank 3 matrix for a 3 × 3 matrix over F p • Benefits: can use composite- and prime-order settings 9

  38. Our scheme: sketch 10

Recommend

LIMITATIONS OF FIBRE PLACEMENT TECHNIQUES FOR VARIABLE ANGLE TOW COMPOSITES AND THEIR

LIMITATIONS OF FIBRE PLACEMENT TECHNIQUES FOR VARIABLE ANGLE TOW COMPOSITES AND THEIR

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS LIMITATIONS OF FIBRE PLACEMENT TECHNIQUES FOR VARIABLE ANGLE TOW COMPOSITES AND THEIR PROCESS-INDUCED DEFECTS B.C. Kim 1 , K. Hazra 1 , P. Weaver 1 , K. Potter 1 * 1 ACCIS (Advanced Composite

350 views • 6 slides
Transformations Composition of Transformations Congruence Transformations Dilations Similarity

Transformations Composition of Transformations Congruence Transformations Dilations Similarity

Slide 1 / 145 Slide 2 / 145 Geometry Transformations 2014-09-08 www.njctl.org Slide 3 / 145 Slide 4 / 145 Table of Contents click on the topic to go to that section Transformations Translations Reflections Rotations Transformations

464 views • 25 slides
Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore

Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore

Introduction BGN protocol with a symmetric pairing BGN conversions Our implementation Conclusion Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore Guillevic C2, Dinard, France C2 2012 1/23 grid

558 views • 23 slides
Transformations Composition of Transformations Congruence Transformations Dilations

Transformations Composition of Transformations Congruence Transformations Dilations

Slide 1 / 154 Slide 2 / 154 Geometry Transformations 2014-09-08 www.njctl.org Slide 3 / 154 Slide 4 / 154 Table of Contents click on the topic to go to that section Transformations Translations Reflections Rotations

581 views • 45 slides
Transformations Composition of Transformations Congruence Transformations Dilations

Transformations Composition of Transformations Congruence Transformations Dilations

Slide 1 / 154 Slide 2 / 154 Geometry Transformations 2014-09-08 www.njctl.org Slide 3 / 154 Slide 4 / 154 Table of Contents click on the topic to go to that section Transformations Translations Reflections Rotations

644 views • 26 slides
Semigroups of order-preserving transformations Young researchers in mathematics 3 rd August 2017

Semigroups of order-preserving transformations Young researchers in mathematics 3 rd August 2017

Semigroups of order-preserving transformations Young researchers in mathematics 3 rd August 2017 Wilf Wilson University of St Andrews Wilf Wilson Semigroups of order-preserving transformations Page 0 of 412 What are semigroups and monoids?

422 views • 41 slides
EFFICIENT HIGHER ORDER ZIG-ZAG THEORY FOR COUPLED MAGNETO-ELECTRO-ELASTIC COMPOSITE LAMINATES J.

EFFICIENT HIGHER ORDER ZIG-ZAG THEORY FOR COUPLED MAGNETO-ELECTRO-ELASTIC COMPOSITE LAMINATES J.

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS EFFICIENT HIGHER ORDER ZIG-ZAG THEORY FOR COUPLED MAGNETO-ELECTRO-ELASTIC COMPOSITE LAMINATES J. Lee 1 , J.-S. Kim 2 , M. Cho 3* 1 School of Mechanical and Aerospace Engineering, Seoul

454 views • 6 slides
Rewriting Techniques for syntax Correctness of Program Transformations normal order reduction

Rewriting Techniques for syntax Correctness of Program Transformations normal order reduction

LR Nondeterminism Overview The calculus LR with true call-by-need evaluation Rewriting Techniques for syntax Correctness of Program Transformations normal order reduction contextual semantics David Sabel and Manfred Schmidt-Schau

369 views • 15 slides
Semantical evaluations as monadic second-order compatible structure transformations Bruno

Semantical evaluations as monadic second-order compatible structure transformations Bruno

Semantical evaluations as monadic second-order compatible structure transformations Bruno Courcelle Universit Bordeaux 1, LaBRI (based in part on joint work with T. Knapik, Universit de La Runion, France) Summary 1.Introduction

795 views • 35 slides
CMSC427 Transformations I Credit: slides 9+ from Prof. Zwicker Transformations: outline

CMSC427 Transformations I Credit: slides 9+ from Prof. Zwicker Transformations: outline

CMSC427 Transformations I Credit: slides 9+ from Prof. Zwicker Transformations: outline Types of transformations Specific: translation, rotation, scaling, shearing Classes: rigid, affine, projective Representing transformations

1.11k views • 68 slides
Transformations Rotations Reflections Dilations Symmetry Congruence & Similarity

Transformations Rotations Reflections Dilations Symmetry Congruence & Similarity

Slide 1 / 230 Slide 2 / 230 8th Grade 2D Geometry: Transformations 2015-11-13 www.njctl.org Slide 3 / 230 Slide 4 / 230 Table of Contents Click on a topic to go to that section Transformations Translations Transformations

729 views • 39 slides
Review Transformations Scale Translate Rotate Combining Transformations

Review Transformations Scale Translate Rotate Combining Transformations

Review Transformations Scale Translate Rotate Combining Transformations Transformations are cumulative Flipping the y-axis direction Rotating about the center of an object Animating with transformations translate

695 views • 23 slides
From Data to Effects Dependence Graphs: Source-to-Source Transformations for C CPC 2015 Nelson

From Data to Effects Dependence Graphs: Source-to-Source Transformations for C CPC 2015 Nelson

Motivation Limitations of the Data Dependence Graph Effects Dependence Graph Impact on Existing Code Transformations Conclusion From Data to Effects Dependence Graphs: Source-to-Source Transformations for C CPC 2015 Nelson Lossing 1 Pierre

662 views • 26 slides
COMPUTER GRAPHICS COURSE Transformations Georgios Papaioannou 2016 ABOUT TRANSFORMATIONS

COMPUTER GRAPHICS COURSE Transformations Georgios Papaioannou 2016 ABOUT TRANSFORMATIONS

COMPUTER GRAPHICS COURSE Transformations Georgios Papaioannou 2016 ABOUT TRANSFORMATIONS Transformations They are operators on vectors and points of a corresponding vector or affine space They alter the coordinates of shape vertices

1.1k views • 81 slides
Transformations and Matrices Transformations I Transformations are functions Matrices

Transformations and Matrices Transformations I Transformations are functions Matrices

Transformations and Matrices Transformations I Transformations are functions Matrices are functions representations Matrices represent linear transfs CS5600 Computer Graphics Lecture Set 5 by 2 x 2 Matrices == 2D Linear

269 views • 9 slides
Linear Transformations Linear Transformations 1 / 21 Linear Transformations A function T from R

Linear Transformations Linear Transformations 1 / 21 Linear Transformations A function T from R

Linear Transformations Linear Transformations 1 / 21 Linear Transformations A function T from R n R m is called a linear transformation if there exists an m n matrix A such that T ( x ) = A x x R n satisfying the following:

890 views • 31 slides
Relational semantics for effect-based program transformations: higher-order store Martin Hofmann

Relational semantics for effect-based program transformations: higher-order store Martin Hofmann

Relational semantics for effect-based program transformations: higher-order store Martin Hofmann Ludwig-Maximilians-Universit at M unchen IFIP Working Group 2.8, June 2009 mh (lmumun) Relational semantics for effects IFIP 2.8 1 / 22

481 views • 26 slides
Combining Polyhedral and AST Transformations in CHiLL Huihui Zhang , Anand Venkat, Protonu Basu,

Combining Polyhedral and AST Transformations in CHiLL Huihui Zhang , Anand Venkat, Protonu Basu,

Combining Polyhedral and AST Transformations in CHiLL Huihui Zhang , Anand Venkat, Protonu Basu, Mary Hall University of Utah January 19, 2016 Outline Introduction Problem Limitations of polyhedral transformation CHiLL Compiler

630 views • 17 slides
1 Legality of Loop Interchange (cont) Loop Interchange Example Case analysis of the direction

1 Legality of Loop Interchange (cont) Loop Interchange Example Case analysis of the direction

Loop Transformations for Parallelism & Locality Loop Permutation Idea Previously Swap the order of two loops to increase parallelism, to improve spatial Data dependences and loops locality, or to enable other transformations

604 views • 5 slides
Contents 1 Introduction 1 2 Linear Transformations 2 3 Polynomial Regression 3 4

Contents 1 Introduction 1 2 Linear Transformations 2 3 Polynomial Regression 3 4

Diagnostics and Transformations Part 2 Contents 1 Introduction 1 2 Linear Transformations 2 3 Polynomial Regression 3 4 Orthogonal Polynomials 6 5 Empirically Motivated Nonlinear Transformations 7 5.1 Mosteller-Tukey Bulging

382 views • 15 slides
Topic 7: 3D Transformations Homogeneous 3D transformations Scene Hierarchies Change of

Topic 7: 3D Transformations Homogeneous 3D transformations Scene Hierarchies Change of

Topic 7: 3D Transformations Homogeneous 3D transformations Scene Hierarchies Change of basis and rotations in 3D Representing 2D transforms as a 3x3 matrix Translate a point [x y] T by [t x t y ] T : x = 1 0 t x x y 0

757 views • 34 slides
CS488 From 3D world into a 2D screen Luc R ENAMBOT 1 Transformations We talked about 2D and

CS488 From 3D world into a 2D screen Luc R ENAMBOT 1 Transformations We talked about 2D and

CS488 From 3D world into a 2D screen Luc R ENAMBOT 1 Transformations We talked about 2D and 3D transformations and how those transformations affect objects in the scene We discussed how polygons are usually formed into hierarchies of

776 views • 42 slides
2.2 Transformations Hao Li http://cs420.hao-li.com 1 OpenGL Transformations Matrices

2.2 Transformations Hao Li http://cs420.hao-li.com 1 OpenGL Transformations Matrices

Fall 2017 CSCI 420: Computer Graphics 2.2 Transformations Hao Li http://cs420.hao-li.com 1 OpenGL Transformations Matrices Model-view matrix (4x4 matrix) Projection matrix (4x4 matrix) vertices in canonical 3D world coordinate

527 views • 41 slides
Todays Topics 3. Transformations in 2D 4. Coordinate-free geometry 5. 3D Objects (curves

Todays Topics 3. Transformations in 2D 4. Coordinate-free geometry 5. 3D Objects (curves

Todays Topics 3. Transformations in 2D 4. Coordinate-free geometry 5. 3D Objects (curves & surfaces) 6. Transformations in 3D Topic 3: 2D Transformations Simple Transformations Homogeneous coordinates Homogeneous 2D

662 views • 42 slides

More recommend