thesis/sec-pairings.tex

                    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                    % \section{Pairing-Based Cryptography} %
                    %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
Multiple constructions and parameter sets coexist for pairings.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}.


%\subsection{Bilinear maps}
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}
  A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
  \begin{enumerate}[\quad (i)]
    \item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.
    \item non-degeneracy: $e(g,\hat{g}) = 1_{\GT} \iff g = 1_{\GG}$ or $\hat{g} = 1_{\Gh}$.
    \item the map is computable in polynomial time in the size of the input.
  \end{enumerate}
\end{definition}

For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.

Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups.

\begin{definition}[$\DDH$] \label{de:DDH}
  Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
  Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.
  The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.
\end{definition}

This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.

\begin{definition}[$\SXDH$]
  The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
\end{definition}

In Chapter~\ref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.

This gives a stronger security guarantee for the security of schemes proven under this kind of assumptions.
For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).
Lattices and pairings 2018-01-23 14:34:23 +00:00			`%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%`
			`% \section{Pairing-Based Cryptography} %`
			`%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%`

Modifications 2018-01-27 20:27:06 +00:00			`Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.`
			`Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.`
			`Multiple constructions and parameter sets coexist for pairings.`
			`Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,BD17}.`


			`%\subsection{Bilinear maps}`
Lattices and pairings 2018-01-23 14:34:23 +00:00			`\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings}`
			`A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:`
			`\begin{enumerate}[\quad (i)]`
			`\item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.`
			`\item non-degeneracy: $e(g,\hat{g}) = 1_{\GT} \iff g = 1_{\GG}$ or $\hat{g} = 1_{\Gh}$.`
			`\item the map is computable in polynomial time in the size of the input.`
			`\end{enumerate}`
			`\end{definition}`

Modifications 2018-01-27 20:27:06 +00:00			`For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.`

			`Most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups.`

			`\begin{definition}[$\DDH$] \label{de:DDH}`
			`Let $\GG$ be a cyclic group of order $p$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.`
			`Given $(g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide if $c = ab$ or if $c$ is sampled uniformly in $\GG$.`
			`The DDH assumption is the intractability of the problem for any $\PPT$ algorithm.`
			`\end{definition}`

			`This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.`

			`\begin{definition}[$\SXDH$]`
			`The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.`
			`\end{definition}`

			`In Chapter~\ref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.`
			`Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.`

			`This gives a stronger security guarantee for the security of schemes proven under this kind of assumptions.`
			`For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).`