Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairing-based cryptosystems, and we show how to use prime-order elliptic curve groups to construct bilinear groups with the same properties. In particular, we define a generalized version of the subgroup decision problem and give explicit constructions of bilinear groups in which the generalized subgroup decision assumption follows from the decision Diffie-Hellman assumption, the decision linear assumption, and/or related assumptions in prime-order groups.
We apply our framework and our prime-order group constructions to create more efficient versions of cryptosystems that originally required composite-order groups. Specifically, we consider the Boneh-Goh-Nissim encryption scheme, the Boneh-Sahai-Waters traitor tracing system, and the Katz-Sahai-Waters attribute-based encryption scheme. We give a security theorem for the prime-order group instantiation of each system, using assumptions of comparable complexity to those used in the composite-order setting. Our conversion of the last two systems to prime-order groups answers a problem posed by Groth and Sahai.
Keywords: pairing-based cryptography, composite-order groups, cryptographic hardness assumptions
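The following is an added illustration, not code from the paper: it assumes the product-group approach of the full paper (the group is G^n for a prime-order G, subgroups are images of subspaces of F_p^n, and the pairing is applied component-wise), and it works entirely in the exponent with a small constructed prime, so it checks the algebra of the cancelling property and the DDH view of a subgroup-decision instance and has no cryptographic strength of its own.

```python
import random

P = 1_000_003  # constructed small prime; stands in for the (much larger) group order


def pairing(v, w):
    """Exponent of e(g^v, h^w) in G_T: the component-wise pairings multiply,
    so their exponents add, giving the dot product v.w mod P."""
    return sum(a * b for a, b in zip(v, w)) % P


def span_element(basis, coeffs):
    """Exponent vector of g^(sum coeffs[i]*basis[i]), an element of the subgroup g^V."""
    n = len(basis[0])
    return [sum(c * b[i] for c, b in zip(coeffs, basis)) % P for i in range(n)]


def orthogonal_basis(basis):
    """Basis of V^perp for a 1-dimensional V inside F_P^2 (the two-subgroup case)."""
    (b0, b1), = basis
    return [[(-b1) % P, b0]]


def cancels(basis_v, basis_w):
    """True iff e maps g^V x h^W to the identity, i.e. every basis pair is orthogonal.
    This mimics e(g_p, g_q) = 1 for the order-p and order-q subgroups of a composite-order group."""
    return all(pairing(v, w) == 0 for v in basis_v for w in basis_w)


def in_subgroup_2d(elem, basis):
    """Membership test for a 1-dimensional V in F_P^2, using the exponents.
    Without discrete logs this is the decision the generalized subgroup
    decision assumption says is hard."""
    (b0, b1), = basis
    return (elem[0] * b1 - elem[1] * b0) % P == 0


def ddh_tuple(basis, elem):
    """Rewrite a subgroup-decision instance for V = span((b0, b1)), b0 != 0, as a
    DDH tuple (g', g'^t, g'^r, g'^c) with g' = g^b0 and t = b1/b0.
    The candidate lies in g^V iff c == r*t, i.e. iff the tuple is a DDH tuple."""
    (b0, b1), = basis
    inv_b0 = pow(b0, -1, P)
    return (b1 * inv_b0 % P, elem[0] * inv_b0 % P, elem[1] * inv_b0 % P)


def demo(seed=7):
    """Fixed-seed run returning the checks a reader would want to see."""
    rnd = random.Random(seed)
    V = [[rnd.randrange(1, P), rnd.randrange(1, P)]]   # 1-dim subspace, b0 != 0
    W = orthogonal_basis(V)
    x = span_element(V, [rnd.randrange(P)])
    y = span_element(W, [rnd.randrange(P)])
    t, r, c = ddh_tuple(V, x)
    return {"cancels": cancels(V, W), "e_x_y": pairing(x, y),
            "x_in_V": in_subgroup_2d(x, V), "ddh_holds_for_x": c == r * t % P}
```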