Fast and Scalable Bilinear-Type Conversion Method for Large Scale Crypto Schemes

Bilinear-type conversion is to translate a cryptographic scheme designed over symmetric bilinear groups into one that works over asymmetric bilinear groups with small overhead regarding the size of objects concerned in the target scheme. In this paper, we address scalability for converting complex cryptographic schemes. Our contribution is threefold. Investigating complexity of bilinear-type conversion. We show that there exists no polynomial-time algorithm for worst-case inputs under standard complexity assumption. It means that bilinear-type conversion in general is an inherently difficult problem. Presenting a new scalable conversion method. Nevertheless, we show that large-scale conversion is indeed possible in practice when the target schemes are built from smaller building blocks with some structure. We present a novel conversion method, called IPConv, that uses 0-1 Integer Programming instantiated with a widely available IP solver. It instantly converts schemes containing more than a thousand of variables and hundreds of pairings. Application to computeraided design. Our conversion method is also useful in modular design of middle to large scale cryptographic applications; first construct over simpler symmetric bilinear groups and run over efficient asymmetric groups. Thus one can avoid complication of manually allocating variables over asymmetric bilinear groups. We demonstrate its usefulness by somewhat counter-intuitive examples where converted DLIN-based Groth-Sahai proofs are more compact than manually built SXDH-based proofs. Though the early purpose of bilinear-type conversion is to save existing schemes from attacks against symmetric bilinear groups, our new scalable conversion method will find more applications beyond the original goal. Indeed, the above computer-aided design can be seen as a step toward automated modular design of cryptographic schemes. key words: pairing-based cryptography, bilinear-type conversion, integer programming, cryptographic scheme design, Groth-Sahai proofs

[1]  Moti Yung,et al.  Traceable Group Encryption , 2014, Public Key Cryptography.

[2]  Gilles Barthe,et al.  Automated Analysis of Cryptographic Assumptions in Generic Group Models , 2014, IACR Cryptol. ePrint Arch..

[3]  M. Sharir,et al.  A strong-connectivity algorithm and its applications in data flow analysis. , 2018 .

[4]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[5]  Marco E. Lübbecke,et al.  Experiments with a Generic Dantzig-Wolfe Decomposition for Integer Programs , 2010, SEA.

[6]  Jens Groth,et al.  Converting Cryptographic Schemes from Symmetric to Asymmetric Bilinear Groups , 2014, CRYPTO.

[7]  Tobias Achterberg,et al.  SCIP: solving constraint integer programs , 2009, Math. Program. Comput..

[8]  Antoine Joux Discrete Logarithms in Small Characteristic Finite Fields: a Survey of Recent Advances (Invited Talk) , 2017, STACS.

[9]  Mehdi Tibouchi,et al.  Strongly-optimal structure preserving signatures from Type II pairings: synthesis and lower bounds , 2016, IET Inf. Secur..

[10]  Bogdan Warinschi,et al.  Groth-Sahai proofs revisited , 2010, IACR Cryptol. ePrint Arch..

[11]  Razvan Barbulescu,et al.  Updating Key Size Estimations for Pairings , 2018, Journal of Cryptology.

[12]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[13]  Ryo Nishimaki,et al.  Constant-Size Structure-Preserving Signatures: Generic Constructions and Simple Assumptions , 2012, Journal of Cryptology.

[14]  Hovav Shacham,et al.  Group signatures with verifier-local revocation , 2004, CCS '04.

[15]  Brent Waters,et al.  Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions , 2009, IACR Cryptol. ePrint Arch..

[16]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[17]  Georg Fuchsbauer,et al.  Batch Groth-Sahai , 2010, ACNS.

[18]  Matthew Green,et al.  Using SMT solvers to automate design tasks for encryption and signature schemes , 2013, CCS.

[19]  Sanjit Chatterjee,et al.  On cryptographic protocols employing asymmetric pairings - The role of Ψ revisited , 2011, Discret. Appl. Math..

[20]  Masayuki Abe,et al.  Design in Type-I, Run in Type-III: Fast and Scalable Bilinear-Type Conversion Using Integer Programming , 2016, CRYPTO.

[21]  Robert E. Tarjan,et al.  Depth-First Search and Linear Graph Algorithms , 1972, SIAM J. Comput..

[22]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[23]  Susan Hohenberger,et al.  Automating Fast and Secure Translations from Type-I to Type-III Pairing Schemes , 2015, IACR Cryptol. ePrint Arch..

[24]  Bruno Blanchet,et al.  CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols , 2007 .

[25]  Frederik Vercauteren,et al.  On computable isomorphisms in efficient asymmetric pairing-based systems , 2007, Discret. Appl. Math..

[26]  Antoine Joux,et al.  Faster Index Calculus for the Medium Prime Case Application to 1175-bit and 1425-bit Finite Fields , 2013, EUROCRYPT.

[27]  Marc Joye,et al.  Group Signatures with Message-Dependent Opening in the Standard Model , 2014, CT-RSA.

[28]  Mehdi Tibouchi,et al.  Indifferentiable Hashing to Barreto-Naehrig Curves , 2012, LATINCRYPT.

[29]  Ryo Nishimaki,et al.  Tagged One-Time Signatures: Tight Security and Optimal Tag Size , 2013, Public Key Cryptography.

[30]  Moti Yung,et al.  Secure Efficient History-Hiding Append-Only Signatures in the Standard Model , 2015, Public Key Cryptography.

[31]  Dennis Hofheinz,et al.  Polynomial Spaces: A New Framework for Composite-to-Prime-Order Transformations , 2014, IACR Cryptol. ePrint Arch..

[32]  Jens Groth,et al.  Fine-Tuning Groth-Sahai Proofs , 2014, IACR Cryptol. ePrint Arch..

[33]  Rajeev Kohli,et al.  The Minimum Satisfiability Problem , 1994, SIAM J. Discret. Math..

[34]  Antoine Joux,et al.  A New Index Calculus Algorithm with Complexity $$L(1/4+o(1))$$ in Small Characteristic , 2013, Selected Areas in Cryptography.

[35]  Eike Kiltz,et al.  Chosen-Ciphertext Security from Tag-Based Encryption , 2006, TCC.

[36]  Faruk Göloglu,et al.  On the Function Field Sieve and the Impact of Higher Splitting Probabilities: Application to Discrete Logarithms in F21971 , 2013, IACR Cryptol. ePrint Arch..

[37]  Sanjit Chatterjee,et al.  Comparing two pairing-based aggregate signature schemes , 2010, Des. Codes Cryptogr..

[38]  Amit Sahai,et al.  Efficient Noninteractive Proof Systems for Bilinear Groups , 2008, SIAM J. Comput..

[39]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[40]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, CRYPTO.

[41]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[42]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[43]  Antoine Joux,et al.  A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic , 2013, IACR Cryptol. ePrint Arch..

[44]  Michael Backes,et al.  Verifiable delegation of computation on outsourced data , 2013, CCS.

[45]  Antoine Joux,et al.  A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic , 2014, EUROCRYPT.