thesis/sec-pairings.tex

53 lines
3.4 KiB
TeX
Raw Normal View History

2018-01-23 14:34:23 +00:00
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% \section{Pairing-Based Cryptography} %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2018-01-27 20:27:06 +00:00
Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.
Multiple constructions and parameter sets coexist for pairings.
2018-02-02 15:09:02 +00:00
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
2018-01-27 20:27:06 +00:00
2018-03-20 10:07:21 +00:00
In the following, we rely on the black-box definition of cryptographic pairings as bilinear maps, and on the assumed hardness of classical assumptions over pairings, namely $\SXDH$ and $\SDL$.
2018-01-30 08:53:01 +00:00
2018-01-27 20:27:06 +00:00
%\subsection{Bilinear maps}
2018-02-02 15:09:02 +00:00
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \index{Pairings}
2018-01-23 14:34:23 +00:00
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
\begin{enumerate}[\quad (i)]
\item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.
\item non-degeneracy: $e(g,\hat{g}) = 1_{\GT} \iff g = 1_{\GG}$ or $\hat{g} = 1_{\Gh}$.
\item the map is computable in polynomial time in the size of the input.
\end{enumerate}
\end{definition}
2018-01-27 20:27:06 +00:00
For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
2018-02-08 18:12:15 +00:00
The most standard assumptions over pairings are derived from the equivalent of the Diffie-Hellman assumptions from cyclic groups,
2018-02-28 17:02:06 +00:00
described in \cref{de:DDH} and recalled here.
2018-01-27 20:27:06 +00:00
2018-02-28 17:02:06 +00:00
\defDDH*
2018-01-27 20:27:06 +00:00
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
2018-03-20 08:52:32 +00:00
\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}] \index{Pairings!SXDH} \label{de:SXDH}
2018-01-27 20:27:06 +00:00
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
\end{definition}
2018-03-20 10:09:07 +00:00
In \cref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
2018-01-27 20:27:06 +00:00
Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.
This gives a stronger security guarantee for the security of schemes proven under this kind of assumptions.
For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).
2018-03-20 08:52:32 +00:00
In the aforementioned chapter, we also rely on the following assumption, which generalizes the Discrete Logarithm problem to asymmetric groups.
2018-03-20 10:07:21 +00:00
\begin{definition}[$\SDL$]
2018-03-20 08:52:32 +00:00
\label{de:SDL} \index{Pairings!SDL}
2018-04-04 16:46:37 +00:00
In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given
$\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$
2018-03-20 08:52:32 +00:00
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
\end{definition}
This assumption is still a static and non-interactive assumption.