Converting pairing-based cryptosystems from composite to prime order setting – A comparative analysis

Abstract Composite order pairing setting has been used to achieve cryptographic functionalities beyond what is attainable in prime order groups. However, such pairings are known to be significantly slower than their prime order counterparts. Thus emerged a new line of research – developing frameworks to convert cryptosystems from composite to prime order pairing setting. In this work, we analyse the intricacies of efficient prime order instantiation of cryptosystems that can be converted using existing frameworks. To compare the relative efficacy of these frameworks we mainly focus on some representative schemes: the Boneh–Goh–Nissim (BGN) homomorphic encryption scheme, ring and group signatures as well as a blind signature scheme. Our concrete analyses lead to several interesting observations. We show that even after a considerable amount of research, the projecting framework implicit in the very first work of Groth–Sahai still remains the best choice for instantiating the BGN cryptosystem. Protocols like the ring signature and group signature which use both projecting and cancelling setting in composite order can be most efficiently instantiated in the Freeman prime-order projecting only setting. In contrast, while the Freeman projecting setting is sufficient for the security reduction of the blind signature scheme, the simultaneous projecting and cancelling setting does provide some efficiency advantage.

[1]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[2]  Tatsuaki Okamoto,et al.  Hierarchical Predicate Encryption for Inner-Products , 2009, ASIACRYPT.

[3]  Hovav Shacham,et al.  Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures , 2010, ASIACRYPT.

[4]  Sanjit Chatterjee,et al.  Comparing two pairing-based aggregate signature schemes , 2010, Des. Codes Cryptogr..

[5]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[6]  Sanjit Chatterjee,et al.  On cryptographic protocols employing asymmetric pairings - The role of Ψ revisited , 2011, Discret. Appl. Math..

[7]  Razvan Barbulescu,et al.  Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case , 2016, CRYPTO.

[8]  Bogdan Warinschi,et al.  Groth-Sahai proofs revisited , 2010, IACR Cryptol. ePrint Arch..

[9]  Antoine Joux,et al.  A One Round Protocol for Tripartite Diffie–Hellman , 2000, Journal of Cryptology.

[10]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[11]  Jonathan Katz,et al.  Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products , 2008, Journal of Cryptology.

[12]  Dan Boneh,et al.  Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[13]  Allison Bishop,et al.  A Profitable Sub-prime Loan: Obtaining the Advantages of Composite Order in Prime-Order Bilinear Groups , 2015, Public Key Cryptography.

[14]  Sanjit Chatterjee,et al.  Type 2 Structure-Preserving Signature Schemes Revisited , 2014, ASIACRYPT.

[15]  Tatsuaki Okamoto,et al.  Homomorphic Encryption and Signatures from Vector Decomposition , 2008, Pairing.

[16]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[17]  David Mandell Freeman,et al.  Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups , 2010, EUROCRYPT.

[18]  Jorge Luis Villar,et al.  An Algebraic Framework for Diffie–Hellman Assumptions , 2015, Journal of Cryptology.

[19]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..

[20]  Brent Waters,et al.  Compact Group Signatures Without Random Oracles , 2006, EUROCRYPT.

[21]  Francisco Rodríguez-Henríquez,et al.  Computing discrete logarithms in cryptographically-interesting characteristic-three finite fields , 2018, IACR Cryptol. ePrint Arch..

[22]  Allison Lewko,et al.  Tools for simulating features of composite order bilinear groups in the prime order setting , 2012 .

[23]  Aurore Guillevic,et al.  Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves , 2013, ACNS.

[24]  Dennis Hofheinz,et al.  Polynomial Spaces: A New Framework for Composite-to-Prime-Order Transformations , 2014, IACR Cryptol. ePrint Arch..

[25]  Brent Waters,et al.  Full-Domain Subgroup Hiding and Constant-Size Group Signatures , 2007, Public Key Cryptography.

[26]  Jae Hong Seo On the (Im)possibility of Projecting Property in Prime-Order Setting , 2012, ASIACRYPT.

[27]  Elaine Shi,et al.  Predicate Privacy in Encryption Systems , 2009, IACR Cryptol. ePrint Arch..

[28]  Hovav Shacham,et al.  Efficient Ring Signatures Without Random Oracles , 2007, Public Key Cryptography.

[29]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[30]  Antoine Joux,et al.  A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic , 2014, EUROCRYPT.

[31]  Francisco Rodríguez-Henríquez,et al.  On Implementing Pairing-Based Protocols with Elliptic Curves of Embedding Degree One , 2016, IACR Cryptol. ePrint Arch..

[32]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[33]  Jonathan Katz,et al.  Ring Signatures: Stronger Definitions, and Constructions without Random Oracles , 2005, IACR Cryptol. ePrint Arch..

[34]  A. Lewko,et al.  Fully Secure HIBE with Short Ciphertexts , 2009 .

[35]  Jung Hee Cheon,et al.  Beyond the Limitation of Prime-Order Bilinear Groups, and Round Optimal Blind Signatures , 2012, TCC.

[36]  Sanjit Chatterjee,et al.  Efficient Computation of Tate Pairing in Projective Coordinate over General Characteristic Fields , 2004, ICISC.