On Efficient and Secure Implementation ofPairing-Based Protocols in the Type 4 Setting

Sanjit ChatterjeeUniversity of Waterloo

Joint work with Darrel Hankerson and Alfred Menezes

April 14, 2010

Sanjit Chatterjee (UW) 1 / 28

Pairing

I Let G1, G2 and GT be three groups.I A pairing on (G1,G2, GT ) is a function e : G1 G2 GT that is

bilinear and non-degenerate.I e(aU,bV ) = e(U,V )ab = e(bU,aV ) U G1,V G2,a,b Z.I The pairing should be efficiently computable.I Concrete examples are Weil pairing, Tate pairing over elliptic

curve groups.

Sanjit Chatterjee (UW) 2 / 28

Types of Pairing

e : G1 G2 GT

I G1, G2 and GT are cyclic groups of prime order n.I e is a symmetric pairing if G1 = G2 (aka, Type 1 pairing).I If an efficiently-computable isomorphism : G2 G1

((P2) = P1), is known, then e is called a Type 2 pairing.I If no such mapping is known, then e is called a Type 3 pairing.

Sanjit Chatterjee (UW) 3 / 28

Type 4 Pairing

e : G1 G2 GT

I G1 and GT are cyclic groups of prime order n.I But G2 is a non-cyclic group of order n2.I There is a small probability for the pairing to be degenerate.I One can efficiently compute the homomorphism : G2 G1.I One can hash onto G2.

Sanjit Chatterjee (UW) 4 / 28

Why Type 4?

Consider the following ID-based Key Agreement Protocol [Scott]:

I Public hash function H : {0,1} G2.I KGC has a master secret s R [1,n 1].I User As pub. key is QA = H(IDA) and KGC provides pvt. key

dA = sQA.I Similarly, Bs pub. key is QB = H(IDB) and pvt. key dB = sQB.I A and B exchange some messages and compute a shared secret

K = e((QA),QB)sxy .

Sanjit Chatterjee (UW) 5 / 28

On Efficient Implementation

Sanjit Chatterjee (UW) 6 / 28

A Concrete Situation: BN Curves

I Introduced by Barreto-Naehrig (2005).I Ideal (nearly) for the 128-bit security level.

I Let E/Fp : Y 2 = X 3 + b.I #E(Fp) = n.I p and n are 256-bit primes.I The embedding degree is k = 12.

I E [n] : Set of all order-n points on E .I E [n] E(Fp12).

Sanjit Chatterjee (UW) 7 / 28

Type 4 Pairing from BN Curves

I Let G1 = E(Fp) and GT be the order-n subgroup of Fp12 .I e4 : G1 E [n] GT is a Type 4 pairing.I Bitlength of (compressed) elements of G1: 257 and of E [n]: 3073.I Tr(P) =

11i=0

i(P) is an efficiently computable homomorphismfrom E [n] to G1.

I is the p-th power Frobenius.

I Hashing onto E [n] is possible but costly.I Roughly 540 times the cost of a point multiplication in G1

[Chen-Cheng-Smart:2007].I (Hashing onto G1 is very cheap.)

Sanjit Chatterjee (UW) 8 / 28

The Trace-0 Subgroup

I E [n] contains n + 1 subgroups of order n.I One of them is G1.I Another is the Trace-O subgroup, T0.

I All points P E [n] satisfying Tr(P) =11

i=0 i(P) = .

I T0 can be viewed as having coordinates in Fp2 (instead of Fp12).I A Type 3 pairing is defined as e3 : G1 T0 GT .

I Examples are the ate and R-ate pairings.

Sanjit Chatterjee (UW) 9 / 28

Efficient Representation of E [n]

I Define : E [n] G1 by (Q) = 112Tr(Q).I Q (Q) T0 for all Q E [n].I : Q 7 Q (Q) is a homomorphism from E [n] onto T0.

I Define : E [n] G1 T0 by (Q) = ((Q), (Q)).I is an efficiently-computable isomorphism,I The inverse mapping, given by (Q1,Q2) 7 Q1 + Q2, is also

efficiently computable.I Wlg, elements of E [n] can be represented as pairs of points

(Q1,Q2) G1 T0.

Sanjit Chatterjee (UW) 10 / 28

Hashing onto E [n]

I Define H : {0,1} E [n] as H(m) = (H1(m),H2(m)).I H1 : {0,1} G1.I H2 : {0,1} T0.

I Significantly faster hashing onto E [n].I Hashing onto G1 and T0 requires arithmetic in Fp and Fp2 .I Less than 3 times as costly as a point multiplication in G1.

I Hashing into E [n] is 180 times less costly than previouslyestimated.

I If H1 and H2 are modeled as random oracles, then H is also arandom oracle.

Sanjit Chatterjee (UW) 11 / 28

Type 4 Pairing from Type 3

I Let e3(P,Q), P G1, Q T0 be a Type 3 pairing.I Define e4 : G1 E [n] GT by e4(P,Q) = e3(P, Q), where

Q = Q 6(Q).I If Q = (Q1,Q2), then Q = (,2Q2).

I e4 is bilinear and can be computed in essentially the same time ase3.

I e4 is non-degenerate.

Sanjit Chatterjee (UW) 12 / 28

Comparison

E/Fp : Y 2 = X 2 + 3 with BN parameters z = 6000000000001F2D.

Type 3 Type 4Bitlength of elements in G1 257 257

Bitlength of elements in T0/E [n] 513 770Bitlength of elements in GT 1,024 1,024

Exponentiation in G1 1,533m 1,533mExponentiation in T0/E [n] 3,052m 4,585m

Hashing into G1 315m 315mHashing into T0/E [n] 3,726m 4,041m

Pairing 15,175m 15,175m

(Estimated costs are in terms of Fp multiplications.)

Sanjit Chatterjee (UW) 13 / 28

On Secure Implementation

Sanjit Chatterjee (UW) 14 / 28

Group Signature

I Every member has a secret key but there is a single public key forthe whole group.

I Group signatures provide signer-anonymity.I Revocation of a user may be critical for some applications.

Sanjit Chatterjee (UW) 15 / 28

Boneh-Shacham Group Signature

I BS group signature allows a verifier to locally check whether thegiven signature is generated by a revoked user.

I Verifier-local revocation (VLR) group signature.I The signature length is short.I Application: privacy preserving attestation.

I Can be implemented in Type 1 but not in Type 2 or Type 3.I The first protocol for which Type 4 setting was introduced

[Shacham:2005].

Sanjit Chatterjee (UW) 16 / 28

The BS-VLR Protocol

Some essentials:

I Employs a Type 4 pairing e : G1 E [n] GT .I Two hash functions (treated as random oracle):

I H0 : {0,1} E [n] E [n].I H : {0,1} [1,n 1].

I Group public key, gpk = (P1,P2,W ) where P2 R E [n],P1 = (P2) and W = P2, R [1,n 1].

I Pvt. key of user i , gsk [i] = (Ai , xi), where xi R [1,n 1] andAi = ( + xi)1P1.

I The corresponding revocation token is Ai .

Sanjit Chatterjee (UW) 17 / 28

Signing and Verification

I To sign i computes:I (U, V ) = H0(gpk ,M, r) where M is the message and r R [1,n 1].I U = (U) and V = (V ).I T1 = U and T2 = Ai + V , where R [1,n 1].I Compute helper values R1,R2,R3.I Challenge value, c = H(gpk ,M, r ,T1,T2,R1,R2,R3).I contains r ,T1,T2, c and three randomizers (to rederive

R1,R2,R3).I is accepted as valid if c is a correct challenge and the signer is

not revoked.

Sanjit Chatterjee (UW) 18 / 28

Revocation Check in BS-VLR Group Signature

I A list of revocation tokens (RL) corresponding to the revokedusers is publicly available.

I Suppose the signature () is generated by a user i whoserevocation token Ai is in RL.

I The correctness of the protocol mandates that must be rejected.

Sanjit Chatterjee (UW) 19 / 28

Revocation Check

I The protocol stipulates that will be rejected since:

e(T2 Ai , U) = e(T1, V ) (1)

I (U, V ) = H0(gpk ,M, r) E [n] E [n].I T1 = U and T2 = Ai + V , where U = (U) and V = (V ).

I So Eqn. 1 can be rewritten as:

e(V , U) = e(U, V ) (2)

I Trivially holds if both U, V are from same order-n subgroup ofE [n].

I Write U = xV (and U = xV ).

Sanjit Chatterjee (UW) 20 / 28

Another Look at the Revocation Check

I But E [n] is a group of order n2!I U, V are obtained through hashing into random elements of E [n].

I The probability that they belong to the same order-n subgroup ofE [n] is negligibly small.

I With overwhelming probability Eqn. 2 will not hold.I A signature generated by a revoked user will be accepted as valid.

I The protocol is not secure!I So also the protocols that extend the idea of BS-VLR group

signature.I Nakanishi and Funabiki [2006].I Bringer et al. [2008].

Sanjit Chatterjee (UW) 21 / 28

Another Look at the Revocation Check

I But E [n] is a group of order n2!I U, V are obtained through hashing into random elements of E [n].

I The probability that they belong to the same order-n subgroup ofE [n] is negligibly small.

I With overwhelming probability Eqn. 2 will not hold.I A signature generated by a revoked user will be accepted as valid.

I The protocol is not secure!I So also the protocols that extend the idea of BS-VLR group

signature.I Nakanishi and Funabiki [2006].I Bringer et al. [2008].

Sanjit Chatterjee (UW) 21 / 28

Whats Wrong with the Security Argument?

I Security mandates that the protocol satisfies correctness,traceability and selfless-anonymity properties.

I Fails to satisfy the correctness property when we work in E [n].I By implication the traceability property is violated.

I The arguments hold if we restrict to a order-n subgroup of E [n].I Not instantiable in Type 2 or Type 3 settings.I Can be instantiated in Type 1, but the signature is no longer short.

Sanjit Chatterjee (UW) 22 / 28

Rescuing BS-VLR Scheme

Essential idea:

I For random U, V E [n] in general one cannot expect

e((V ), U

)= e

((U), V

).

I But bilinearity of e ensures

e((V ), U

)= e

((V ), U

).

I Revocation check works properly if we send T1 = U E [n]instead of T1 as part of .

I For each A RL check whether the following holds:

e(T2 A, U) = e(V , T1) (3)

Sanjit Chatterjee (UW) 23 / 28

Modified BS-VLR

I Key generation algorithm remains unchanged.I Define H0 : {0,1} E [n]G1.I To sign, compute (U,V ) = H0(g