New Trapdoor Projection Maps for Composite-Order Bilinear Groups

An asymmetric pairing over groups of composite order is a bilinear map e : G1 ×G2 → GT for groups G1 and G2 of composite order N = pq. We observe that a recent construction of pairing-friendly elliptic curves in this setting by Boneh, Rubin, and Silverberg exhibits surprising and unprecedented structure: projecting an element of the order-N group G1 ⊕G2 onto the bilinear groups G1 and G2 requires knowledge of a trapdoor. This trapdoor, the square root of a certain number modulo N , seems strictly weaker than the trapdoors previously used in composite-order bilinear cryptography. In this paper, we describe, characterize, and exploit this surprising structure. It is our thesis that the additional structure available in these curves will give rise to novel cryptographic constructions, and we initiate the study of such constructions. Both the subgroup hiding and SXDH assumptions appear to hold in the new setting; in addition, we introduce custom-tailored assumptions designed to capture the trapdoor nature of the projection maps into G1 and G2. Using the old and new assumptions, we describe an extended variant of the Boneh-Goh-Nissim cryptosystem that allows a user, at the time of encryption, to restrict the homomorphic operations that may be performed. We also present a variant of the Groth-Ostrovsky-Sahai NIZK, and new anonymous IBE, signature, and encryption schemes.

[1]  Craig Gentry,et al.  Space-Efficient Identity Based EncryptionWithout Pairings , 2007, 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS'07).

[2]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, Journal of Cryptology.

[3]  Hovav Shacham,et al.  Delegatable Anonymous Credentials , 2008, IACR Cryptology ePrint Archive.

[4]  Rafail Ostrovsky,et al.  Invariant Signatures and Non-Interactive Zero-Knowledge Proofs are Equivalent (Extended Abstract) , 1992, CRYPTO.

[5]  David Mandell Freeman,et al.  Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups , 2010, EUROCRYPT.

[6]  Alfred Menezes,et al.  Pairing-Based Cryptography at High Security Levels , 2005, IMACC.

[7]  Matthew Green,et al.  Correlation-Resistant Storage via Keyword-Searchable Encryption , 2005, IACR Cryptol. ePrint Arch..

[8]  Allison Bishop,et al.  Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption , 2010, EUROCRYPT.

[9]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[10]  Anna Lysyanskaya,et al.  Unique Signatures and Verifiable Random Functions from the DH-DDH Separation , 2002, CRYPTO.

[11]  Jonathan Katz,et al.  Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products , 2008, Journal of Cryptology.

[12]  Liqun Chen,et al.  Identity-based key agreement protocols from pairings , 2017, International Journal of Information Security.

[13]  Adi Shamir,et al.  Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions , 1999, SIAM J. Comput..

[14]  Markulf Kohlweiss,et al.  Non-Interactive Anonymous Credentials , 2007, IACR Cryptol. ePrint Arch..

[15]  S. Micali,et al.  Noninteractive Zero-Knowledge , 1990, SIAM J. Comput..

[16]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[17]  Mihir Bellare,et al.  Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions , 2005, Journal of Cryptology.

[18]  Brent Waters,et al.  Compact Group Signatures Without Random Oracles , 2006, EUROCRYPT.

[19]  Allison Bishop,et al.  A Profitable Sub-prime Loan: Obtaining the Advantages of Composite Order in Prime-Order Bilinear Groups , 2015, Public Key Cryptography.

[20]  Hideki Imai,et al.  Formal Security Treatments for Signatures from Identity-Based Encryption , 2007, ProvSec.

[21]  Victor S. Miller,et al.  The Weil Pairing, and Its Efficient Calculation , 2004, Journal of Cryptology.

[22]  Michael Scott,et al.  A Taxonomy of Pairing-Friendly Elliptic Curves , 2010, Journal of Cryptology.

[23]  Alexandra Boldyreva,et al.  Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme , 2003, Public Key Cryptography.

[24]  R. Balasubramanian,et al.  The Improbability That an Elliptic Curve Has Subexponential Discrete Log Problem under the Menezes—Okamoto—Vanstone Algorithm , 1998, Journal of Cryptology.

[25]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[26]  Ian F. Blake,et al.  Elliptic Curves in Cryptography: Preface , 1999 .

[27]  Allison Bishop,et al.  Decentralizing Attribute-Based Encryption , 2011, IACR Cryptol. ePrint Arch..

[28]  Clifford C. Cocks An Identity Based Encryption Scheme Based on Quadratic Residues , 2001, IMACC.

[29]  Sanjit Chatterjee,et al.  On cryptographic protocols employing asymmetric pairings - The role of Ψ revisited , 2011, Discret. Appl. Math..

[30]  Rafail Ostrovsky,et al.  Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..

[31]  Allison Bishop,et al.  Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting , 2012, EUROCRYPT.

[32]  Allison Bishop,et al.  New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts , 2010, IACR Cryptol. ePrint Arch..

[33]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[34]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[35]  Brent Waters,et al.  Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys , 2006, EUROCRYPT.

[36]  Joseph H. Silverman,et al.  The arithmetic of elliptic curves , 1986, Graduate texts in mathematics.

[37]  Jens Groth,et al.  Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures , 2006, ASIACRYPT.

[38]  Hovav Shacham,et al.  Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures , 2010, ASIACRYPT.

[39]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[40]  Brent Waters,et al.  Full-Domain Subgroup Hiding and Constant-Size Group Signatures , 2007, Public Key Cryptography.

[41]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[42]  Antoine Joux,et al.  Separating Decision Diffie–Hellman from Computational Diffie–Hellman in Cryptographic Groups , 2003, Journal of Cryptology.

[43]  Denis Xavier Charles On the existence of distortion maps on ordinary elliptic curves , 2006, IACR Cryptol. ePrint Arch..

[44]  Steven D. Galbraith,et al.  Easy decision-Diffie-Hellman groups , 2004, IACR Cryptol. ePrint Arch..

[45]  Antoine Joux,et al.  A One Round Protocol for Tripartite Diffie–Hellman , 2000, Journal of Cryptology.

[46]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[47]  Dan Boneh,et al.  Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.