New Trapdoor Projection Maps for Composite-Order Bilinear Groups
Sarah Meiklejohn
UC San Diego
smeiklej@cs.ucsd.edu
Hovav Shacham
UC San Diego
hovav@cs.ucsd.edu
Abstract
An asymmetric pairing over groups of composite order is a bilinear map e : G1 × G2 → GT for
groups G1 and G2 of composite order N = pq. We observe that a recent construction of pairing-friendly
elliptic curves in this setting by Boneh, Rubin, and Silverberg exhibits surprising and unprecedented
structure: projecting an element of the order-N² group G1 ⊕ G2 onto the bilinear groups G1 and G2
requires knowledge of a trapdoor. This trapdoor, the square root of a certain number modulo N ,
seems strictly weaker than the trapdoors previously used in composite-order bilinear cryptography.
In this paper, we describe, characterize, and exploit this surprising structure. It is our thesis that
the additional structure available in these curves will give rise to novel cryptographic constructions,
and we initiate the study of such constructions. Both the subgroup hiding and SXDH assumptions
appear to hold in the new setting; in addition, we introduce custom-tailored assumptions designed
to capture the trapdoor nature of the projection maps into G1 and G2 . Using the old and new
assumptions, we describe an extended variant of the Boneh-Goh-Nissim cryptosystem that allows a
user, at the time of encryption, to restrict the homomorphic operations that may be performed. We
also present a variant of the Groth-Ostrovsky-Sahai NIZK, and new anonymous IBE, signature, and
encryption schemes.
1 Introduction
Groups with computable pairings have, over the last decade, proved to be a fruitful setting for designing
cryptographic primitives and protocols. The tripartite key agreement protocol of Joux [37], followed
closely by the groundbreaking identity-based encryption scheme of Boneh and Franklin [12], have
led to constructions for cryptographic goals including (but by no means limited to) zero knowledge
proofs [35, 36, 34], group signatures [10, 19, 20], blind signatures [9, 2, 47], functional and attribute-based
encryption [39, 43, 45], and anonymous credentials [21, 6, 5].
What makes such groups so useful for cryptography is the additional structure provided by the
pairing: As compared to regular groups, the presence of a bilinear map e means that cryptographers
have a useful new building block for their designs. Indeed, early work on pairing-based cryptography
treated the pairing as a decisional Diffie-Hellman oracle [38, 16]; additional schemes were made possible
when cryptographers began taking advantage of the algebraic structure that the pairing provides beyond
the DDH oracle [14].
Pairing-based cryptography is thus a striking illustration of the value of algebraic structure for
constructing cryptographic schemes: A richer structure allows for a wider variety of cryptographic
schemes, provided that there exist some hard problems on which security can be based. It is perhaps
surprising, then, that the way in which pairings are used have become quite standard. Most often, we
imagine a bilinear group G to be a cyclic group of prime order that induces a map e : G × G → GT
(where GT is treated in a similarly abstract manner).
Two lines of work seek to generalize this understanding of pairings. One line considers bilinear
groups G of composite order; the other line reconsiders the mathematical structure of the group G, for
example to support asymmetric pairings e : G1 × G2 → GT . Both these lines of work have been exploited
to construct new cryptographic schemes, and we discuss both in detail below.
In this paper, we consider one of the instantiations of pairing-friendly elliptic curves proposed in a
recent paper of Boneh, Rubin, and Silverberg [17]. We show that this instantiation exhibits surprising
and unprecedented new structure (explained in more detail below); namely that projecting a point from
the group G onto a subgroup G1 or G2 requires knowledge of a trapdoor. We believe that this structure
can give rise to new cryptographic schemes, and we initiate the study of such schemes by proposing new
hardness assumptions and protocols that rely on them.
More precisely, Boneh et al. construct, for the first time, composite-order bilinear groups that are
also ordinary; i.e., non-supersingular. These constructions provide a bilinear group pair G1 , G2 , with
each group of order N = pq. As already used previously in the literature on composite-order bilinear
groups, there exist maps, computable by anyone who knows the factorization of N , that project from
these groups to their order-p and q subgroups. But, as we observe in this paper, one of the three
constructions of Boneh et al. has surprising additional structure. Whereas in all previous constructions
of pairing-friendly elliptic curves projecting from the N-torsion group G = G1 ⊕ G2 to its subgroups
G1 and G2 was either easy or infeasible, in this instantiation it is possible to project from G to G1 and
G2 only when given a trapdoor. This trapdoor — knowledge of a particular square root modulo N — seems
to be strictly weaker than the trapdoor required to project “at the second level” into the order-p and q
subgroups of G1 and G2 .
In our first contribution, we describe, characterize, and exploit the surprising structure of the Boneh
et al. construction of pairing-friendly curves. In Section 3, we detail the mathematical structure of G
and define the maps “at the first level,” from G to G1 and G2 , as well as the more familiar maps “at the
second level,” to the p- and q-order subgroups of G1 and G2 .
Although the bilinear group is therefore less efficient than previous constructions of composite-order
bilinear groups (as generators of G1 and G2 are both needed to represent G), we believe that the
advantages outweigh the disadvantages, as we are able to both move away from supersingular curves
and provide additional structure in the hope of supporting novel cryptographic constructions. Towards
this end, we initiate the study of such constructions by first considering in Section 4 plausible hardness
assumptions in our setting; in particular, we observe that both the subgroup decision (SGH) assumption
and the SXDH assumption (i.e., the assumption that DDH is hard in both G1 and G2 ) appear to hold,
and then propose additional new assumptions specifically tailored for arguing security of schemes in the
new setting.
Using the old and new assumptions, we then describe in Section 5 an extended version of the BGN
cryptosystem that allows for a wide range of flexibility in its applications, as well as an extension of
the Groth-Ostrovsky-Sahai NIZK to our setting in Section 6, and new IBE, signature, and encryption
schemes in Section 7. We expect that our schemes will provide roadmaps for translating other schemes
that use composite-order bilinear groups into our setting; the extra structure available in our setting
may then allow the translated schemes to be extended with additional properties.
Related work. As described above, two lines of work seek to expand and generalize our understanding
of pairing-friendly elliptic curves.
The first line considers bilinear groups of composite order. This setting was introduced by Boneh,
Goh, and Nissim in 2005 [15] and subsequently used for many cryptographic constructions. In this
setting, the bilinear group G decomposes into its prime-order subgroups. This fact has been exploited
to provide useful structure for cryptography: it allows one to project elements from G into one of the
subgroups (as used, e.g., by the Boneh-Goh-Nissim encryption scheme), and to cancel elements from the
two subgroups (as used, e.g., in the Boyen-Waters group signature [19], the traitor tracing scheme due
to Boneh, Sahai, and Waters [18], and the Lewko-Waters HIBE [44]).
Subsequent work has considered whether composite-order bilinear groups have a strictly richer
structure than prime-order bilinear groups. In one such paper, Freeman [29] showed how to translate
schemes that used either one of the projecting or canceling properties (mentioned above) from the
composite- to prime-order setting. Lewko [41] showed how to extend the methods of Freeman to work
for a wider class of schemes, while Meiklejohn et al. [47] gave evidence that such translations might not
always be possible, in particular in the case in which a scheme requires both the projecting and canceling
properties. This evidence was later invalidated by Seo and Cheon [49] and by Lewko and Meiklejohn [42],
who demonstrated that it was in fact possible to achieve, simultaneously, projecting and canceling.
The second line of work studies the mathematical structure of the bilinear group G. On supersingular
curves, distortion maps make it possible to define a modified pairing ê : G × G → GT with G of prime
order (see [12, Section 5] for details). On ordinary (non-supersingular) curves, such distortion maps are
not available, and we take distinct groups G1 and G2 , each of order N and define an asymmetric pairing
e : G1 ×G2 → GT . For efficient representation, the group G1 is chosen so that its elements are defined over
a base field, whereas G2 is defined over a field extension. (The degree of this extension is related to the
embedding degree, a crucial value with an important effect on implementation efficiency [30].) Galbraith,
Paterson, and Smart [31] give a taxonomy of these configuration choices. In their taxonomy, symmetric
pairings correspond to “Type 1”; asymmetric pairings are “Type-2” or “Type-3,” depending on whether
or not a computable endomorphism ψ exists from G2 to G1 . Recent work by Chatterjee and Menezes [24]
observed that any cryptographic scheme using Type-2 pairings and relying on the endomorphism ψ can
in fact be implemented using Type 3 pairings, in which such a map does not exist.
Koblitz and Menezes [40] make the case for pairing-friendly elliptic curves with embedding degree
k = 1. In these curves, the entire N -torsion group G is already defined over the base field, and we can
take G1 and G2 as any two orthogonal subgroups. Alternatively, we can choose to work directly with
the entire group G = G1 ⊕ G2 . (Chen, Cheng, and Smart dub this the “Type-4” pairing [25].)
2 Mathematical Preliminaries and Notation
In this section, we provide some mathematical background on elliptic curves and review one of the
ordinary composite-order curve constructions due to Boneh et al. [17]. Although we give basic definitions
that do not assume any knowledge of algebraic geometry, we note that the results of Boneh et al.
may nevertheless be difficult to follow without some background. We refer interested readers to either
Silverman [50] or a set of notes produced by IDA/CCR [22] (the latter assumes no mathematical
background).
For completeness, we also provide cryptographic security definitions in Appendix A for zero-knowledge
proofs, which we construct in Section 6, and for anonymous identity-based encryption, which we construct
in Section 7 (but we note here that they are just the standard definitions for these notions).
2.1 Mathematical background
We start by giving some basic definitions for elliptic curves that will be used in this section and Section 3.1;
for the rest of the paper, however, no knowledge of elliptic curves is needed.
In the three definitions that follow, we use the general notion of an elliptic curve E over a field K
(although we do assume for ease of exposition that E is non-singular and the characteristic of K is not 2
or 3); as we only ever use K = Fq for a prime power q, this can be kept in mind for concreteness.
Definition 2.1. An elliptic curve defined over a field K such that char(K) ≠ 2, 3 is the set of solutions
in the projective plane P²(K̄) to an equation of the form y² = x³ + ax + b for a, b ∈ K and such that
x³ + ax + b has three distinct roots (i.e., the curve is non-singular), together with a point at infinity O.
One of the most useful features of elliptic curves is that, with the addition of this point at infinity,
the set of points on the curve E form a group, using addition as the group operation; this means that
for any P, Q ∈ E, there is a unique point R ∈ E such that P + Q = R. This group also turns out to
have useful subgroups, such as the group of K-rational points and the N -torsion group, both of which
we define here:
Definition 2.2. If E is an elliptic curve defined over a field K, then for a field K′ ⊆ K we define the
K′-rational points of E, written as E(K′), to be the points whose coordinates lie in K′.
Definition 2.3. For an elliptic curve E defined over a field K, the N-torsion group of E, written as
E[N],¹ is the set {P ∈ E(K) | N · P = O}.
Definition 2.4. [17] If q is a prime power, E is an elliptic curve over Fq, and N is a divisor of |E(Fq)|
such that N is relatively prime to q, then the embedding degree of E with respect to N is the smallest
positive integer k such that N | q^k − 1.
Finally, in terms of cryptographic constructions, one of the most useful features of elliptic curves
has been their ability to support a pairing, or a map e : G × G → GT (where G is typically equal to
E[N ] for some N , either prime or composite). In the rest of the paper, we focus exclusively on the
Weil pairing. In addition to the usual notions of bilinearity and non-degeneracy that a pairing satisfies,
the Weil pairing has an additional property, alternating, that we will be able to exploit later on in our
cryptographic constructions.
Definition 2.5. [48] The Weil pairing on an elliptic curve E is a map e : E[N] × E[N] → µN (where
µN are the N-th roots of unity) with the following properties:
1. Bilinearity. If P, Q, R ∈ E[N] then e(P + Q, R) = e(P, R)e(Q, R) and e(P, Q + R) = e(P, Q)e(P, R).
2. Alternating. If P ∈ E[N] then e(P, P) = 1. This, along with bilinearity, implies that if P, Q ∈ E[N]
then e(P, Q) = e(Q, P)^{-1}, which is usually called skew-symmetry.
3. Non-degeneracy. If O ≠ P ∈ E[N], there exists Q ∈ E[N] such that e(P, Q) ≠ 1.
2.2 The construction of E[N]
As discussed in the introduction, we are interested in exploring the rich structure provided by one of
the settings proposed by Boneh, Rubin, and Silverberg [17, Section 4], in which the group G := E[N ]
decomposes into two subgroups, G1 and G2 , both of which are distortion free. As mentioned, this setting
is especially useful for cryptography, as DDH can be assumed to hold in both groups; in addition, we
will see that this property allows us to construct projection maps from G into both G1 and G2 that
require a trapdoor to compute. Finally, the construction has the additional advantage that, because the
resulting curve has embedding degree k = 1, it is optimally efficient [30].²
In order to construct these ordinary composite-order curves, we follow a slightly modified version of
the algorithm of Boneh et al., presented in Algorithm 1 for reference. As noted by Boneh et al., the
construction guarantees that N | (q − 1), so that the embedding degree is indeed k = 1. In addition,
using a result of Balasubramanian and Koblitz [3, Theorem 1] and the fact that N² | (q − 1), we have
that G := E[N] ⊆ E(Fq); as G therefore has exponent N but contains N² points, we know that it can
be represented as the product of two cyclic groups of order N . While there are many choices for this
decomposition, we focus on one in particular, guided by the following proposition:3
¹ This is a slight abuse of notation; in fact what we mean is the group E(K)[N].
² This is because we're using ordinary elliptic curves; if we instead work with supersingular curves, curves with k = 2
would be the most efficient.
³ This is a heavily pared-down version of the original theorem, as it focuses only on the one case in which we are
interested.
Algorithm 1 Find a prime q and a curve E over Fq such that E[N] ⊆ E(Fq)
Input: a positive integer N
1. Choose a positive integer D suitable for the CM method [7, Chapter VIII], and set k = 1.
2. Define q := 1 + Dk²N².
3. If q is prime, use the CM method to obtain an elliptic curve E over Fq with discriminant D, such
that E(Fq) has q − 1 points. If q is not prime, set k = k + 1 and repeat Step 2.
Proposition 2.6. [23, Theorem 2.1] Suppose N is a positive integer, q is a prime, and E is an
ordinary elliptic curve over Fq such that E[N] ⊆ E(Fq). Define O = End(E) to be an order in some
imaginary quadratic field K. For each prime divisor p of N such that p ∤ [O_K : O]·Disc(K), if p is
furthermore split in O_K then all but two subgroups of E[p] have distortion maps; it follows that if all
prime divisors p of N satisfy these properties, then all but two subgroups of E[N] have distortion maps.
This proposition guarantees that, if we choose N and E correctly, there exist distortion-free subgroups
G1 and G2 of the N-torsion group G. To actually construct these subgroups (again, following the
construction of Boneh et al.), we observe that the CM method produces a curve with endomorphism ring
End(E) = O_K for K = Q(√−D). We therefore start by picking N so that all of its prime divisors meet
the two properties required; namely, for all p | N, p ∤ Disc(K) and p is split in K/Q. Next, we alter Step
1 of Algorithm 1 to require not only that D is suitable for the CM method but also that gcd(N, 2D) = 1.
We then compute a square root of −D mod N and call it s; note that this is the only step of the setup
process that requires knowing the factorization of N. After completing the algorithm and obtaining the
elliptic curve E, we then define σ ∈ End(E) to be the action of √−D (see, e.g., Galbraith and Rotger [32,
Algorithm 1] for a way to compute this efficiently) and pick some point P ∈ G (recall G = E[N]). We
then define the points P1 := ((σ + s)/2s)P and P2 := (−(σ − s)/2s)P,⁴ and define G1 and G2 to be the
groups generated by these points. If both P1 and P2 have exact order N (which will occur with high
probability, but if not we can use a different P and try again), then P1 and P2 jointly generate all of G;
furthermore, we have that P1 + P2 = ((σ + s)/2s)P + (−(σ − s)/2s)P = (2s/2s)P = P, and so we see
that G = G1 + G2.
In summary, this process gives rise to a Setup algorithm that we use throughout the rest of the paper.
• Setup(1^k): Use the algorithms above to generate a prime q, a composite N, and an elliptic curve
E defined over Fq such that G := E[N] contains N² points. Define P1 and P2 as above, and
set G1 := ⟨P1⟩ and G2 := ⟨P2⟩. Finally, define e to be the Weil pairing and GT := µN. Output
(N, G1, G2, GT, e, P1, P2).⁵
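The parameter-generation steps just described (Algorithm 1, the extra conditions on N and D from this section, and the computation of the trapdoor s) are carried out below at toy size in Python. This is an added worked example, not code from the paper or from Boneh et al.: D = 3 and N = 7 · 13 are constructed inputs, trial division stands in for a real primality test, square roots modulo the prime factors are found by brute force, the condition "p split in K" is tested with Euler's criterion on −D (equivalent for odd p ∤ D), and the CM step that actually produces the curve E is not performed.

```python
# Added example (not the authors' code): Setup parameter generation from
# Algorithm 1 and Section 2.2 at toy size. The CM method itself (producing the
# curve E over F_q with q - 1 points) is out of scope; everything that decides
# N, D, q and the trapdoor s is carried out.
from math import gcd, isqrt


def is_prime(n):
    """Trial division; stands in for a real primality test at toy sizes."""
    if n < 2:
        return False
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def splits(r, D):
    """An odd prime r not dividing D splits in K = Q(sqrt(-D)) iff -D is a
    square modulo r (Euler's criterion); this is exactly what lets a square
    root of -D exist modulo r."""
    return pow(-D % r, (r - 1) // 2, r) == 1


def choose_modulus(D, p, q):
    """Section 2.2 conditions on N = pq: gcd(N, 2D) = 1 and both primes split."""
    N = p * q
    if gcd(N, 2 * D) != 1:
        raise ValueError("need gcd(N, 2D) = 1")
    if not (splits(p, D) and splits(q, D)):
        raise ValueError("both prime factors must split in Q(sqrt(-D))")
    return N


def find_q(D, N, max_k=100000):
    """Algorithm 1, Steps 2-3: the first k with q = 1 + D k^2 N^2 prime."""
    for k in range(1, max_k + 1):
        q = 1 + D * k * k * N * N
        if is_prime(q):
            return q, k
    raise ValueError("no prime found; raise max_k")


def embedding_degree(q, N):
    """Smallest k >= 1 with N | q^k - 1 (Definition 2.4)."""
    k, acc = 1, q % N
    while acc != 1:
        acc = acc * q % N
        k += 1
    return k


def sqrt_mod_prime(a, r):
    """Smallest x with x^2 = a mod r, by brute force (toy sizes only)."""
    a %= r
    for x in range(r):
        if x * x % r == a:
            return x
    raise ValueError("not a quadratic residue")


def crt(a, m, b, n):
    """x mod mn with x = a mod m and x = b mod n, for coprime m, n."""
    return (a + m * ((b - a) * pow(m, -1, n) % n)) % (m * n)


def trapdoor_s(D, p, q):
    """The trapdoor s with s^2 = -D mod N. Roots are taken modulo the prime
    factors and recombined by CRT, which is why this is the one Setup step
    that needs the factorisation of N."""
    return crt(sqrt_mod_prime(-D, p), p, sqrt_mod_prime(-D, q), q)


if __name__ == "__main__":
    D, p, q = 3, 7, 13                       # constructed toy parameters
    N = choose_modulus(D, p, q)
    qq, k = find_q(D, N)
    s = trapdoor_s(D, p, q)
    print(f"N={N} q={qq} (k={k}) embedding degree={embedding_degree(qq, N)} s={s}")
```

Running the block prints q, the index k at which Algorithm 1 stopped, the embedding degree (always 1 by construction, since N | q − 1) and s. Note where the factorisation is used: only in trapdoor_s, which takes the square roots modulo p and q separately and recombines them; find_q and embedding_degree see N alone.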
In the next two sections, we argue that this setting provides useful structural properties, and that
certain cryptographic assumptions hold; to do this, we crucially rely on two properties: the alternating
property of the Weil pairing, and the fact that G1 and G2 are both distortion free. For the latter, we
see that, simply by construction, G1 and G2 are in fact the only two distortion-free subgroups of G.
Intuitively, this holds because, while the map σ would work as a distortion map for any other subgroups
of G, G1 and G2 are in fact the eigenspaces of σ and so are the two distortion-free subgroups of G. More
formally, we prove the following lemma:
⁴ We deviate slightly here from Boneh et al., who use P1 := (σ + s)P and P2 := (σ − s)P, and we use the notation
1/2s to mean (2s)^{-1} mod N. As we will see in the next section, our choice of points allows us to achieve useful projection
properties that it seems difficult to achieve with their points.
⁵ Later on, when we switch to multiplicative notation, we write P1 and P2 as g1 and g2 respectively.
Lemma 2.7. If P1 := ((σ + s)/2s)P, P2 := ((s − σ)/2s)P, G1 := ⟨P1⟩, and G2 := ⟨P2⟩, then both G1 and G2 are
distortion free.
Proof. Consider any endomorphism φ ∈ End(E); because End(E) = O_K for K = Q(√−D) we know
that φ lies in a space generated by σ (i.e., the action of √−D) and the identity map 1. But, because
(σ − s)P1 = ((σ − s)(σ + s)/2s)P = ((σ² − s²)/2s)P = ((−D − (−D))/2s)P = O we know that σ(P1) = sP1,
which is in G1 because P1 generates G1, so we have that σ(G1) = G1. By the same logic (just using
P2 in place of P1), we see that σ(P2) = −sP2 and thus σ(G2) = G2. Similarly, it trivially holds that
both G1 and G2 are preserved under the identity endomorphism. Therefore, it must be the case that G1
and G2 are also preserved under φ, as φ lies in a space generated by 1 and σ, so G1 and G2 must be
distortion free.
In addition, we would like to ensure that the alternating property is not specific to the Weil pairing,
as this ensures that an adversary cannot succeed in gaining extra information about group elements (for
example, if they are in all of G1 or just a subgroup) by using a different pairing. We therefore show that
the Tate pairing is alternating in our setting as well.
Lemma 2.8. Let σ be the action of √−D; i.e., the map σ ∈ End(E) such that σ² + D = 0. Let G1 be
an eigenspace of prime order r such that σ(P) = sP for all P ∈ G1, where s² + D ≡ 0 mod r. Then if
gcd(r, 2D) = 1 and e is the Tate pairing, e(P, P) = 1 for all P ∈ G1.
Proof. Theorem IX.9(4) of Blake, Seroussi, and Smart [7] tells us that for all P, Q ∈ G1, e(σ(P), σ(Q)) =
e(P, Q)^{deg(σ)}. In our setting we have deg(σ) = D, so e(σ(P), σ(P)) = e(P, P)^D. We also have that
e(σ(P), σ(P)) = e(sP, sP) = e(P, P)^{s²} = e(P, P)^{−D}, and thus e(P, P)^{−D} = e(P, P)^D, i.e., e(P, P)^{2D} = 1.
As e(P, P) has order dividing the prime r and gcd(r, 2D) = 1, this implies that e(P, P) = 1.
3 The Structure of G
As discussed in the introduction, two of the most useful features of composite-order bilinear groups are
(1) the ability to project into specific subgroups, and (2) the ability to cancel elements from different
subgroups. In this section, we fully characterize the structure of the group G just constructed in
Section 2.2 and use it to demonstrate how both these properties can be used; as we will see, we are able
to project both from G into G1 and G2 and from G1 and G2 into their respective subgroups, as well as
cancel elements in a number of interesting ways.
For the rest of the paper, we focus exclusively on the case when N = pq (i.e., the product of two
primes), but note that all of our subsequent arguments generalize to the case when N is a product of
arbitrarily many primes as well. For the case when N = pq, we just saw in the previous section how to
construct the N -torsion group G so as to have a decomposition into two subgroups G1 and G2 , where
G1 and G2 are of order N ; then we know by the structure theorem for finite abelian groups that they
both further decompose into their respective subgroups of order p and order q, so that we end up with a
“tree” group structure as seen in Figure 1. As we discuss both the decomposition of G into G1 and G2
and the decomposition of G1 and G2 into their respective subgroups, we refer to the decomposition of G
into G1 and G2 as the “first level” of decomposition, and the further decompositions of G1 and G2 as
the “second level” of decomposition.
3.1 Projection at the first level of decomposition
We now consider how to map from G into its subgroups G1 and G2 ; in addition to wanting to be able to
map into these subgroups, as observed above, these maps are most useful when they project into the
subgroups. We define this type of map formally as follows:
Figure 1: [Tree diagram: G splits at the first level into G1 and G2; at the second level G1 splits into G1p and G1q,
and G2 into G2p and G2q.] The structure of the N-torsion group G for the case when N = pq (for the more general
case when N = p1 . . . pn, we end up with an n-ary split at the second level). Each subgroup of G is cyclic and we
refer to its generator using the same subscript as the group name; for example, g1p generates G1p and g2q generates
G2q. We furthermore have a collection of f maps that project from G down to a corresponding subgroup; again, each
map is named by the subgroup to which it maps, so we have, for example, f1p : G → G1p and f2 : G → G2.
Definition 3.1 (Projection map). We say that a function f : G → G′ is a projection map if it is (1)
efficiently computable, (2) idempotent; i.e., fⁿ(x) = f(x) for all x ∈ G and n ∈ ℕ, and (3) G′ ⊂ G;
i.e., f maps into a strict subset of G. If furthermore f is assumed to be hard to compute without the
knowledge of some additional piece of information, then we say that it is a trapdoor projection map.
In order to construct our trapdoor projection maps we use the values σ and s chosen in Section 2.2;
recall that σ ∈ End(E) was the action of √−D, while s was a square root of −D modulo N. We first repeat
an observation used in the proof of Lemma 2.7; namely that (σ + s)(σ − s) = σ² − s² = −D − (−D) = 0. We
also recall that we chose P1 := ((σ + s)/2s)P and P2 := ((s − σ)/2s)P, and then set G1 := ⟨P1⟩ and
G2 := ⟨P2⟩. Combining this with our observation, we see that σ is equivalent to s in G1 and equivalent
to −s in G2; intuitively then, G1 and G2 cannot have any elements in common. More formally, we prove
the following lemma:
Lemma 3.2. If P1 := ((σ + s)/2s)P, P2 := ((s − σ)/2s)P, G1 := ⟨P1⟩, and G2 := ⟨P2⟩, then G1 ∩ G2 = {O}.
Proof. Take some element u ∈ G1 ∩ G2; then we know we can write u = ((σ + s)/2s)aP = ((s − σ)/2s)bP for some
a, b ∈ Z/NZ. Using the second form, (σ + s)u = ((σ + s)(−(σ − s))/2s)bP = (0/2s)(−bP) = O, and likewise, using
the first form, (σ − s)u = ((σ − s)(σ + s)/2s)aP = (0/2s)aP = O. We therefore have that σ(u) + su = O and that
σ(u) − su = O; subtracting this second equation from the first gives us that 2su = O, which implies (by the choice
of s, as 2s is invertible modulo N) that u = O.
As an initial attempt at defining our projection maps, we consider the maps defined as f1(x) := (σ + s)x
and f2(x) := (σ − s)x. We also use the fact that G = G1 ⊕ G2 to write any element u ∈ G uniquely as
u = aP1 + bP2 for a, b ∈ Z/NZ, so that

f1(u) = (σ + s)(aP1 + bP2) = (σ + s)((σ + s)/2s)aP + (σ + s)((s − σ)/2s)bP = ((σ + s)(σ + s)/2s)aP = (σ + s)aP1.

We therefore have that f1(G) = G1; we can similarly show that f2(G) = G2, so the third required property
in Definition 3.1 is met. These maps are not, however, idempotent, as they do not leave their respective
components unchanged (so, as seen above, f1 alters the G1 component in addition to eliminating the G2
component, and f2 behaves analogously). To meet this requirement, we alter our maps and define
f1(x) := ((σ + s)/2s)x; we then have that

f1(u) = ((σ + s)/2s)(aP1 + bP2)
      = ((σ + s)/2s)((σ + s)/2s)aP + ((σ + s)/2s)((s − σ)/2s)bP
      = ((σ + s)(σ + s)/(2s · 2s))aP − ((σ + s)(σ − s)/4s²)bP
      = ((σ² + 2σs + s²)/(2s · 2s))aP + (0/4s²)bP
      = ((2s² + 2σs)/(2s · 2s))aP                (using σ²P = −DP = s²P)
      = ((2s(σ + s))/(2s · 2s))aP = ((σ + s)/2s)aP = aP1,

so that f1 gets rid of the G2 component while leaving the G1 component unchanged. If we define
f2(x) := (−(σ − s)/2s)x we can go through a similar derivation to see that f2 cancels the G1 component
and leaves the G2 component unchanged, meaning we achieve idempotence with both maps, as f1ⁿ(u) = aP1
and f2ⁿ(u) = bP2 for all n ∈ ℕ. In addition, recall from Section 2.2 that the value s used in computing
f1 and f2 is a square root modulo N, which should typically be hard to compute without knowledge
of the factorization of N. Both maps therefore seemingly require this extra information in order to be
efficiently computable and thus, under the assumption that s should be hard to compute given only N,
both f1 and f2 are trapdoor projection maps.
3.2 Projection at the second level of decomposition
Because we no longer need to discuss the underlying mathematics, we now switch from additive to
multiplicative notation, so that we refer to P1 and P2 from the previous section as g1 and g2 respectively,
which means that any point in G can now be written as g1^a · g2^b for some a, b ∈ Z/NZ. As before, we
focus our exposition on the case when N = pq (i.e., N is an RSA modulus), although our subsequent
arguments generalize to the case when N is a product of arbitrarily many primes.
As we did in the previous section with f1 and f2, we can attempt to construct trapdoor projection
maps from G1 into G1p and G1q, and similarly for G2. Fortunately, such maps have already been used
in the cryptographic literature (for example as the secret key in the Boneh-Goh-Nissim encryption
scheme [15]). To project from G1 into G1p, we can use the value λp with λp ≡ 1 mod p and λp ≡ 0 mod q,
which is computable using the Chinese Remainder theorem and the factorization of N. The map
fp : G1 → G1p is then defined as fp(x) := x^{λp}; as with f1 and f2, we can easily see that this map leaves
the G1p component unchanged while canceling out the G1q component, so that it is also idempotent. We
can similarly define λq ≡ 0 mod p and ≡ 1 mod q to obtain a map fq : G1 → G1q that is defined as
fq(x) := x^{λq}.
As these maps depend only on p and q, they work equally as well for G2 as for G1 , so we also have
fp : G2 → G2p and fq : G2 → G2q . Note that knowledge of either λp or λq reveals the factorization
of N as, e.g., gcd(N, λp ) = q.
We can also define maps from the full group G into the second-level subgroups; as we already have
maps from G down to G1 and G2 and we have just constructed maps from G1 and G2 into their respective
subgroups, however, we can define these maps as the composition of our existing maps. This means
f1p := fp ◦ f1 , f1q := fq ◦ f1 , f2p := fp ◦ f2 , and f2q := fq ◦ f2 .
3.3 Cancellation of elements within G
Finally, we turn to how elements in different subgroups cancel with each other when paired; we give a
definition of this property, closely related to the definition of r-cancelling given by Freeman [29, Definition
3.5], as follows:
Definition 3.3. For a pairing e : G × G → GT and two subgroups A, B ⊂ G, we say that A and B are
canceling if for all a ∈ A and b ∈ B it holds that e(a, b) = 1.
To see what kind of cancellation we achieve, we begin at the first level of decomposition. Here,
we observe that the alternating property of the bilinear map, combined with the fact that G1 and G2
are both cyclic, implies that e(a, b) = 1 for any a, b ∈ G1 or a, b ∈ G2. G1 and G2 therefore cancel
with themselves, which makes the pairing functionally asymmetric. Incorporating the second level of
decomposition, we also see that e(G1p, G2q) = 1, as an element of order p in G1 is of the form a = g1^{qα}
for some α ∈ Z/NZ and an element of order q in G2 is of the form b = g2^{pβ} for some β ∈ Z/NZ; pairing
these two yields e(a, b) = e(g1^{qα}, g2^{pβ}) = e(g1, g2^{pqαβ}) = e(g1, g2^{Nαβ}) = 1. A similar argument shows that
e(G1q, G2p) = 1 as well, meaning the only two pairs of subgroups that aren't canceling at the second
level are G1p and G2p, and G1q and G2q.
It turns out that these canceling properties, in addition to being useful on their own, can be further
exploited when combined with our projection maps. To see this, we note that by the definition of a
projection map, u = f1(u) · f2(u) for any u ∈ G. This means that, as an example,

e(f1(u), v) = e(f1(u), f1(v)f2(v)) = e(f1(u), f1(v)) · e(f1(u), f2(v)) = 1 · e(f1(u), f2(v))
            = e(f1(u), f2(v)) · e(f2(u), f2(v)) = e(u, f2(v)),

so that e(f1(u), v) = e(u, f2(v)) for all u, v ∈ G. In particular then, we have e(f1(u), g) = e(u, g2), which
we exploit in our constructions in Section 5 and Section 7. We also observe a similar relation at the
second level, where e(f1p (u), g) = e(u, g2p ) for any u ∈ G (and similarly e(f2q (u), g) = e(u, g1q ), etc.), as
elements in every subgroup except G2p cancel when paired with an element in G1p .
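The identities of Sections 3.1-3.3 can be checked concretely in a small model of G. The following Python block is an added worked example, not code from the paper: it replaces E[N] by the abstract group (Z/NZ)², on which σ acts as the companion matrix of x² + D (so σ² = −D, the only property of σ the derivations use); it replaces the Weil pairing by the determinant form, writing the exponent additively so that "e(u, v) = 1" becomes "det(u, v) ≡ 0 mod N" (the form is bilinear, alternating and non-degenerate, as e is); and it uses the constructed toy values N = 91 = 7 · 13, D = 3 and s = 58 (58² ≡ −3 mod 91). The factorisation enters only through λp and λq.

```python
# Added example (not the authors' code): a matrix model of G = E[N] and the
# projection/cancellation identities of Sections 3.1-3.3. Assumptions: G is
# (Z/NZ)^2, sigma is the companion matrix of x^2 + D (so sigma^2 = -D), and the
# exponent of e(u, v) is det(u, v) mod N, an alternating bilinear form like the
# Weil pairing. N = 7*13, D = 3, s = 58 are constructed toy values.
from math import gcd

N, D, s = 91, 3, 58
P_FACTOR, Q_FACTOR = 7, 13                  # used only for the second-level maps
assert s * s % N == (-D) % N                # s is a square root of -D modulo N

I = ((1, 0), (0, 1))
SIGMA = ((0, (-D) % N), (1, 0))             # SIGMA * SIGMA == -D * I (mod N)


def madd(A, B):
    return tuple(tuple((A[i][j] + B[i][j]) % N for j in range(2)) for i in range(2))


def mscale(c, A):
    return tuple(tuple(c * A[i][j] % N for j in range(2)) for i in range(2))


def mmul(A, B):
    return tuple(tuple(sum(A[i][k] * B[k][j] for k in range(2)) % N
                       for j in range(2)) for i in range(2))


def mvec(A, v):
    return tuple(sum(A[i][k] * v[k] for k in range(2)) % N for i in range(2))


def vscale(c, v):
    return tuple(c * x % N for x in v)


def vadd(u, v):
    return tuple((a + b) % N for a, b in zip(u, v))


def first_level_maps(s):
    """f1 = (sigma + s)/2s and f2 = (s - sigma)/2s; both need the trapdoor s."""
    inv2s = pow(2 * s, -1, N)
    f1 = mscale(inv2s, madd(SIGMA, mscale(s, I)))
    f2 = mscale(inv2s, madd(mscale(s, I), mscale(N - 1, SIGMA)))
    return f1, f2


def is_projection_pair(f1, f2):
    """Idempotent, complementary (f1 + f2 = 1) and orthogonal (f1 f2 = 0)."""
    zero = ((0, 0), (0, 0))
    return (mmul(f1, f1) == f1 and mmul(f2, f2) == f2
            and madd(f1, f2) == I and mmul(f1, f2) == zero)


def pairing(u, v):
    """Exponent of e(u, v) in the model: det(u, v) mod N, so 0 means e(u, v) = 1."""
    return (u[0] * v[1] - u[1] * v[0]) % N


def crt(a, m, b, n):
    return (a + m * ((b - a) * pow(m, -1, n) % n)) % (m * n)


def has_order_N(v):
    return gcd(gcd(N, v[0]), v[1]) == 1


LAMBDA_P = crt(1, P_FACTOR, 0, Q_FACTOR)    # 1 mod p, 0 mod q; f_p(x) = lambda_p * x
LAMBDA_Q = crt(0, P_FACTOR, 1, Q_FACTOR)    # 0 mod p, 1 mod q; f_q(x) = lambda_q * x

F1, F2 = first_level_maps(s)
P1, P2 = mvec(F1, (1, 0)), mvec(F2, (1, 0)) # P = (1, 0); P1 = f1(P), P2 = f2(P)


def leaked_factor(lam):
    """gcd(N, lambda_p) = q: a second-level trapdoor reveals the factorisation."""
    return gcd(N, lam)


def structure_checks(u, v):
    """The claims of Sections 3.1-3.3, evaluated on concrete u, v in G."""
    g1p, g1q = vscale(LAMBDA_P, P1), vscale(LAMBDA_Q, P1)  # order-p / order-q parts of P1
    g2p, g2q = vscale(LAMBDA_P, P2), vscale(LAMBDA_Q, P2)
    return {
        "P1, P2 have exact order N": has_order_N(P1) and has_order_N(P2),
        "sigma acts as s on G1 and as -s on G2":
            mvec(SIGMA, P1) == vscale(s, P1) and mvec(SIGMA, P2) == vscale(N - s, P2),
        "u = f1(u) + f2(u)": vadd(mvec(F1, u), mvec(F2, u)) == u,
        "G1 and G2 cancel with themselves":
            pairing(P1, vscale(5, P1)) == 0 and pairing(P2, vscale(9, P2)) == 0,
        "e(f1(u), v) = e(u, f2(v))": pairing(mvec(F1, u), v) == pairing(u, mvec(F2, v)),
        "e(G1p, G2q) = e(G1q, G2p) = 1": pairing(g1p, g2q) == 0 and pairing(g1q, g2p) == 0,
        "e(G1p, G2p), e(G1q, G2q) nontrivial": pairing(g1p, g2p) != 0 and pairing(g1q, g2q) != 0,
    }


if __name__ == "__main__":
    print("projection pair:", is_projection_pair(F1, F2))
    for claim, ok in structure_checks((3, 40), (17, 5)).items():
        print(f"{'ok ' if ok else 'BAD'} {claim}")
    print("gcd(N, lambda_p) =", leaked_factor(LAMBDA_P))
```

is_projection_pair verifies the properties of Definition 3.1 for f1 and f2 in the model (idempotence, f1 + f2 = 1, f1 f2 = 0); structure_checks evaluates the eigenvalue, self-cancellation, e(f1(u), v) = e(u, f2(v)) and second-level cancellation claims on concrete points; and leaked_factor confirms that gcd(N, λp) = q, i.e. that a second-level trapdoor gives away the factorisation, whereas the first-level maps need only s.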
4 Translating Assumptions into Our Setting
As discussed earlier, all previous cryptographic constructions using composite-order bilinear groups were
constrained to use only supersingular curves; i.e., curves in which a distortion map always exists from
G2 to G1 . Among other things, this means that, for all previous composite-order settings, the f1 and f2
maps defined in Section 3.1 are always easy to compute and thus no assumption can be made about
their hardness. For this reason, all previous constructions focused on a subgroup of the N -torsion group,
as using the entire group would serve only to make the constructions less efficient. As our setting does
use the entire N -torsion group G (and therefore does come with the caveat that it is less efficient), it
generalizes these previous settings, as G1 and G2 together represent a composite-order bilinear group as
used in previous constructions.
The rich structure provided by this generalization not only allows us to translate existing assumptions
and schemes into our setting, but also provides a degree of flexibility in the process of this translation.
To demonstrate this flexibility, we focus on two mild and well-established assumptions, SXDH [4] and
SGH [15], and discuss the various flavors that these assumptions can take on after being translated into
our setting. We then suggest two additional assumptions that capture the fact that f1 and f2 should be
hard to compute.
Symmetric External Diffie Hellman (SXDH) Looking back at Section 2, and at Lemma 2.7 in
particular, we remind ourselves that G1 and G2 are both subgroups in which no distortion maps exist; i.e.,
there are no maps φ ∈ End(E) such that φ(u) ∉ G1 for u ∈ G1 (and similarly for G2 ). In particular, this
means that all known attacks on DDH do not apply to these subgroups, and so we can reasonably (or at
least, as reasonably as possible) assume that the SXDH assumption holds for G1 and G2 . As a reminder,
this assumption says that DDH holds in both G1 and G2 ; i.e., given g1 and g2 , it is hard to distinguish
both (g1^a, g1^b, g1^{ab}) from (g1^a, g1^b, g1^c) and (g2^α, g2^β, g2^{αβ}) from (g2^α, g2^β, g2^γ) for random
a, b, c, α, β, γ ←$ Z/N Z.
Subgroup hiding at the second level Perhaps the most popular assumption used for composite-order bilinear groups has been the Subgroup Hiding assumption (SGH for short), which says that for a
bilinear group G = Gp × Gq , a random element of Gq is indistinguishable from a random element of G.
In our setting, this means that a random element of G1q should be indistinguishable from a random
element of G1 , and that the same should be true in G2 . This is only true, however, as long as all the
generators at the third level of the tree are kept hidden; if one knows, for example, g2p , then breaking
SGH in G1 is simple, as e(h, g2p ) = 1 if and only if h ∈ G1q .
We also easily see that, analogously, solving SGH in G2 becomes easy when given g1p . Perhaps
somewhat surprisingly, however, if you are given g1p rather than g2p then you are no closer to solving
SGH in G1 ; because the Weil pairing is alternating, e(h, g1p ) = 1 regardless of whether or not h is in all
of G1 .
Using this observation, we define three variants of the SGH assumption. The first, simultaneous
SGH, says that SGH is hard in both G1 and G2 , which as we just saw means that we can reveal only
the generators g1 and g2 . The second, one-sided SGH, says that if we reveal the generators g1p and g1q
then SGH still holds in G1 but no longer holds in G2 (and similarly for G1 if we reveal the generators
g2p and g2q ). Finally, we use the first level of the tree as well, and consider extended SGH in either G1
or G2 , which says respectively that given an element u ∈ G, it is hard to tell whether the G1p or G2p
component of u is empty (i.e., f1p (u) = 1 or f2p (u) = 1) or not.
Assumption 4.1 (Extended SGH). Given the group setting (N, G1 , G2 , GT , e, g1 , g2 ) and an element
u ∈ G, it is hard to tell if f1p (u) = 1 or not.
As with simultaneous SGH, deciding if the G1p component is empty becomes easy if we are given
g2p , and deciding the G2p component is easy if we are given g1p . We also easily show that SGH in G1
implies extended SGH in G1 (and analogously for G2 ) as follows:
Lemma 4.2. If SGH is hard in G1 , then extended SGH is also hard in G1 .
Proof. To show this, we take an adversary A that can break extended SGH in G1 with some non-negligible
advantage and use it to construct an adversary B that can break SGH in G1 with the same advantage.
As input, B receives the setting (N, G1 , G2 , GT , e, g1 , g2 ) and an element h ∈ G1 . It then picks a random
element v ←$ G2 and gives to A the setting and the element h · v. B then guesses the same thing that A
does. As h is random (modulo having an empty G1p component or not) and v is random, the element B
gives to A is distributed identically to the input that it expects. In addition, as the winning conditions
for A and B are identical, B succeeds whenever A does, and thus B succeeds with the same advantage as A.
We also consider one slightly stronger version of simultaneous SGH, in which we require the candidate
values in G1 and G2 to have the same discrete logs (with respect to g1 and g2 respectively). We call this
duplicate SGH and state it formally here as:
Assumption 4.3 (Duplicate SGH). Given the group setting (N, G1 , G2 , GT , e, g1 , g2 ), h1 := g1α , and
h2 := g2α for α ∈ Z/N Z, it is hard to tell whether h1 is a random element of G1q and h2 is a random
element of G2q , or h1 is a random element of G1 and h2 is a random element of G2 .
As we will see in Section 6, this assumption can be used to instantiate a zero-knowledge version of
Groth-Sahai proofs [36] that is closely related to their instantiation under SGH.
Subgroup hiding at the first level As the first level of decomposition is new to our setting, we
now present two assumptions designed to capture the hardness of computing f1 and f2 (as they were
constructed to be trapdoor projection maps). The first assumption we suggest is very simple: assume
that f1 and f2 are hard to compute! (One can always compute both or neither, as f2 (u) = u/f1 (u).)
Formally, we have:
Assumption 4.4. Given the group setting (N, G1 , G2 , GT , e, g1 , g2 ) and random u ←$ G for G := G1 × G2 ,
it is hard to compute f1 (u).
In addition to this computational assumption, for many applications (including our construction of an
anonymous IBE in Section 7) we would like a decisional variant. In G, however, there is no clear analogue
to an assumption like SGH (which, as we saw, can essentially be thought of as the decisional version
of the assumption that fp is hard to compute), as the generators g1 and g2 are presumed to be known.
While we could attempt to hide these generators, this would significantly reduce the functionality of our
setting and we thus choose to instead move to the target group GT . Here, one decisional assumption that
we suggest is that given u, v ∈ G, it should be hard to distinguish e(f1 (u), f2 (v)) from random; note that
this does indeed become easy to solve given f1 , as one can compute e(f1 (u), v) = e(f1 (u), f2 (v)) directly.
Assumption 4.5. Given the group setting (N, G1 , G2 , GT , e, g1 , g2 ), an element T ∈ GT , and random
u, v ←$ G for G := G1 × G2 , it is hard to tell if T = e(f1 (u), f2 (v)) or T is random.
As the unique structure of our bilinear group makes it far from generic, proofs that these new
assumptions hold in the generic group model do not seem to carry much weight. Instead, we observe
that computing the map f1 seemingly requires (from Section 3.1) knowledge of a non-trivial square root
of −D modulo N , just as computing the projection map into p-order subgroups (as is implicitly used in
ordinary SGH) seemingly requires knowledge of the factorization of N . We therefore lend credence to
these assumptions only by observing their close analogue with the corresponding assumptions for SGH,
and the fact that the projection maps at the second level (i.e., the ones used for SGH) are at least as
hard to compute as the projection maps at the first level.
5 An Extended Version of the BGN Encryption Scheme
In the previous section, we saw the added flexibility that can be gained when translating assumptions
such as SGH into our setting. In this section, we demonstrate that flexibility can also be gained when
translating existing schemes into our setting. As one example, we look at the Boneh-Goh-Nissim (BGN)
encryption scheme [15], which we recall allows a user, given a set of ciphertexts, to perform any number of
additions and one multiplication on plaintexts. We show that this property is preserved when the scheme
is translated into our setting; beyond this, operations on specific plaintexts (for example, multiplying
two plaintexts together) may be specifically disallowed by the user at the time of encryption, or even
afterwards by an independent third party (i.e., someone who sees only the ciphertexts). To demonstrate
why this might be useful, we describe in Appendix B a “restricted” secure two-party computation of a
2-DNF formula based on this extended encryption scheme, along with some potential applications.
5.1 The original BGN encryption scheme
We start with a reminder of the BGN encryption scheme; to keep things simple, we focus solely on
the case of bit encryption. Because the scheme is homomorphic, we must describe it in terms of four
algorithms: a KeyGen algorithm that outputs the public key pk and secret key sk , an Enc algorithm
that takes in a public key pk and message m and outputs a ciphertext c, a Dec algorithm that takes
in a secret key sk and ciphertext c and outputs a message m, and an Eval algorithm that, on input a
binary operation op and a pair of ciphertexts (c1 , c2 ) with respective plaintexts m1 and m2 , outputs a
new ciphertext c containing as a plaintext op(m1 , m2 ).
• KeyGen(1^k): Generate a bilinear group (N, G, GT , e, g) such that N = pq for two large primes p
and q. Pick a random value r ←$ Z/N Z and set h := g^{rp}, so that h is a random generator of the
q-order subgroup of G. Return pk := (N, G, GT , e, g, h) and sk := fp .
• Enc(pk , m): Pick r ←$ Z/N Z and return c := g^m h^r.
• Dec(sk , c): Compute fp (c). If this is equal to fp (g) or fp (e(g, g)) then return 1; if it is equal to 1
return 0. (To extend beyond bit encryption to small messages m, we would instead compute fp (c)
and then take its discrete log using, for example, Pollard's rho algorithm.)
• Eval(pk , op, c1 , c2 ): First pick a random value r ←$ Z/N Z. If op = + and c1 , c2 ∈ G then return
c1 · c2 · h^r; otherwise, if c1 , c2 ∈ GT then return c1 · c2 · e(g, h)^r, and if neither of these cases holds
(i.e., c1 and c2 are in different groups) return ⊥.
If op = × and c1 , c2 ∈ G then return e(c1 , c2 ) · e(g, h)^r. In all other cases, return ⊥.
5.2 Our adapted scheme
In translating the BGN scheme into our setting, we exploit the fact that we have two groups instead of
just one; this means that we can have a regular BGN ciphertext in G1 (or G2 ), and potentially add in
a “noise” factor (i.e., some randomness) in the other group. This results in five types of ciphertexts:
regular BGN ciphertexts in both G1 and G2 (in which the noise factor in the other group is just 0),
“noisy” BGN ciphertexts in both G1 and G2 , and ciphertexts in GT . As we will see, both here and in
Appendix B, these noisy ciphertexts make it difficult to multiply the values within; a user can thus
decide, at the time of encryption, which operations should and shouldn’t be performed on his particular
set of ciphertexts.
As our expanded scheme deals with five types of ciphertexts rather than two, we treat the type as an
explicit input to the encryption algorithm; for ease of exposition, we also focus solely on bit encryption.
Our scheme is as follows:
• KeyGen(1^k): Use the Setup algorithm from Section 2.2 to produce (N, G1 , G2 , GT , e, g1 , g2 ). Pick
random elements h1 ←$ G1q and h2 ←$ G2q , and output pk := (N, G, GT , e, g1 , g2 , h1 , h2 ) and
sk := (fp , f1 , f2 ).
• Enc(pk , t, m): Pick random r, s ←$ Z/N Z and return c := g1^m h1^r if t = 1, c := g2^m h2^r if t = 2,
g1^m h1^r g2^s if t = 3, and g2^m h2^r g1^s if t = 4.
• Dec(sk , c): Parse sk = (fp , f1 , f2 ). If c ∈ GT then compute fp (c); if this is equal to fp (e(g1 , g2 ))
then return 1 and if it is equal to 1 return 0.
Otherwise, if c ∈ G compute f1p (c) and f2p (c). If either is equal to 1 then return 0; otherwise, if
the former is equal to fp (g1 ) or the latter is equal to fp (g2 ) then return 1 (and if neither of these
equalities hold then output ⊥).
The IND-CPA security of the scheme follows essentially directly from the IND-CPA security of the
BGN encryption scheme; for ciphertexts of types 1 and 2 we can use SGH in G1 and G2 respectively,
while for ciphertexts of types 3 and 4 we can use Extended SGH (Assumption 4.1) in G1 and G2
respectively. As we saw in Lemma 4.2, SGH in G1 implies Extended SGH in G1 (and analogously in
G2 ); we therefore have the following theorem:
Theorem 5.1. If SGH holds in both G1 and G2 then the encryption scheme described above is IND-CPA
secure.
Looking at the decryption algorithm, there is one potential setback when using type 3 and 4
encryption, which is the possibility of a decryption error. For a type-1 ciphertext c, f2p (c) = 1 and so c
always decrypts perfectly; similarly, for a type-2 ciphertext f1p (c) = 1 and decryption is again perfect,
and for a type-5 ciphertext (i.e., one in GT ), decryption is perfect as well. Because type-3 and type-4
ciphertexts both inhabit the whole group G, however, we have that f2p (c) = g2p^s for type-3 ciphertexts
and f1p (c) = g1p^s for type-4 ciphertexts. In order for a decryption error to occur, it must therefore be the
case that s = 1 (and beyond bit encryption that s is very small), which for s ←$ Z/N Z happens with
negligible probability⁶ and thus leads to a negligible decryption error.
Finally, we turn to the homomorphic properties of our extended scheme. Just as in the original
scheme, our scheme allows for arbitrarily many additions and at most one multiplication; as we will
see momentarily, however, by encrypting values using certain types we may in some cases restrict these
operations.
• Eval(pk , op, c1 , c2 ): First pick random values r1 , r2 ←$ Z/N Z. If op is + then return (1) c := c1 · c2 · h1^{r1}
if c1 , c2 ∈ G1 , (2) c := c1 · c2 · h2^{r2} if c1 , c2 ∈ G2 , (3) c := c1 · c2 · h1^{r1} · h2^{r2} if c1 , c2 ∈ G, or (4)
c := c1 · c2 · e(h1 , g2 )^{r1} if c1 , c2 ∈ GT . If op is instead × then return c := e(c1 , c2 ) · e(h1 , g2 )^{r1} if
c1 ∈ G1 and c := e(c2 , c1 ) · e(h1 , g2 )^{r1} if c2 ∈ G1 .
As mentioned above, the goal of using noisy ciphertexts is to make it easy to perform operations on
certain ciphertexts (so as to achieve the functionality provided by a homomorphic encryption scheme),
but difficult to perform them on others. To formalize this, we use tables for both of our binary operations
as seen in Figure 2.

⁶ In fact, for bit encryption, we could eliminate this decryption error altogether by checking if (1) c ∈ G1 , (2) c/g2 ∈ G1 ,
(3) c ∈ G2 , or (4) c/g1 ∈ G2 . In the first case we have a type-3 ciphertext using s = 0, and in the second case we have
s = 1; in either case, we can decrypt using only f1p (c). In the latter two cases we have a type-4 ciphertext (using s = 0 and
s = 1 respectively), so can decrypt using only f2p (c).

    T+  |  1     2     3     4     5
    ----+-----------------------------
     1  |  1     ⊥     3/1   ⊥     ⊥
     2  |  ⊥     2     ⊥     4/2   ⊥
     3  |  3/1   ⊥     3/1   ⊥     ⊥
     4  |  ⊥     4/2   ⊥     4/2   ⊥
     5  |  ⊥     ⊥     ⊥     ⊥     5

    T×  |  1     2     3     4     5
    ----+-----------------------------
     1  |  ⊥     5     ⊥     5     ⊥
     2  |  5     ⊥     5     ⊥     ⊥
     3  |  ⊥     5     ⊥     ⊥/5   ⊥
     4  |  5     ⊥     ⊥/5   ⊥     ⊥
     5  |  ⊥     ⊥     ⊥     ⊥     ⊥

Figure 2: Tables T+ and T× that represent the action of a given binary operation on ciphertext types. For entries
where there are two numbers, the first number represents the type that anyone can achieve (e.g., anyone can
add two type-1 ciphertexts to produce a type-1 ciphertext), while the second represents the type that a user can
achieve only with knowledge of f1 .

A table entry Top (i, j) is equal to t if the following conditions hold: for a type-i
ciphertext c1 with corresponding plaintext m1 and a type-j ciphertext c2 with corresponding plaintext
m2 , it must be the case that (1) c ←$ Eval(pk , op, c1 , c2 ) has type t, and (2) Dec(sk , c) = op(m1 , m2 ). If
these conditions hold then Top (i, j) = t, and otherwise Top (i, j) = ⊥. An operation op should then be
easy to perform on ciphertexts of type t1 and t2 if Top (t1 , t2 ) ≠ ⊥, and hard to perform otherwise. As an
example, we consider multiplying a type-1 encryption of a message m1 with a type-4 encryption of a
message m2 . Even though the latter is a noisy ciphertext, the table tells us that this should nevertheless
produce a type-5 encryption of m1 m2 . To confirm this, we write the type-1 ciphertext as c1 = g1^{m1} h1^{r1}
and the type-4 ciphertext as g2^{m2} h2^{r2} g1^{s2}; we then have
\[
\begin{aligned}
\mathrm{Eval}(pk, \times, c_1, c_2) &= e(g_1^{m_1} h_1^{r_1},\; g_2^{m_2} h_2^{r_2} g_1^{s_2}) \cdot e(g_1, h_2)^{r'} \\
&= e(g_1^{m_1}, g_2^{m_2})\, e(h_1^{r_1}, g_2^{m_2} h_2^{r_2} g_1^{s_2})\, e(g_1^{m_1}, h_2^{r_2} g_1^{s_2})\, e(g_1, h_2)^{r'} \\
&= g_T^{m_1 m_2} \cdot e(h_1, g_2)^{r_1 m_2}\, e(h_1, h_2)^{r_1 r_2}\, e(g_1, h_2)^{m_1 r_2}\, e(g_1, h_2)^{r'} \\
&= g_T^{m_1 m_2} \cdot e(g_1, h_2)^{\overbrace{r_1 + \beta r_1 r_2 + m_1 r_2 + r'}^{r''}} \\
&= g_T^{m_1 m_2} \cdot h_T^{r''},
\end{aligned}
\]
which is indeed a type-5 encryption of m1 m2 . Looking at another entry in the table, however, we see
that multiplying two noisy ciphertexts should be difficult, as T× (3, 4) = ⊥. To see this, we attempt to
multiply a type-3 ciphertext c1 = g1m1 hr11 g2s1 with a type-4 ciphertext c2 = g2m2 hr22 g1s2 and get
\[
\begin{aligned}
\mathrm{Eval}(pk, \times, c_1, c_2) &= e(g_1^{m_1} h_1^{r_1} g_2^{s_1},\; g_2^{m_2} h_2^{r_2} g_1^{s_2}) \cdot e(g_1, h_2)^{r'} \\
&= e(g_1^{m_1}, g_2^{m_2})\, e(h_1^{r_1} g_2^{s_1}, g_2^{m_2} h_2^{r_2} g_1^{s_2})\, e(g_1^{m_1}, h_2^{r_2} g_1^{s_2})\, e(g_1, h_2)^{r'} \\
&= g_T^{m_1 m_2} \cdot e(h_1, g_2)^{r_1 m_2}\, e(h_1, h_2)^{r_1 r_2}\, e(g_2, g_1)^{s_1 s_2}\, e(g_1, h_2)^{m_1 r_2}\, e(g_1, h_2)^{r'} \\
&= g_T^{m_1 m_2 - s_1 s_2} \cdot e(g_1, h_2)^{\overbrace{r_1 + \beta r_1 r_2 + m_1 r_2 + r'}^{r''}} \\
&= g_T^{m_1 m_2 - s_1 s_2} \cdot h_T^{r''},
\end{aligned}
\]
which decrypts to m1 m2 − s1 s2 and is therefore information-theoretically independent from the original
messages m1 and m2 . Although multiplying type-3 and type-4 ciphertexts therefore seems to be difficult,
we note that with knowledge of f1 this task in fact becomes easy. To see this, we first observe that
any type-1 ciphertext can be easily converted into a type-3 ciphertext (analogously, type 2 into type 4)
by simply multiplying in a random value from G2 . With knowledge of f1 then, a user can reverse this
operation and turn a type-3 ciphertext into a type-1 ciphertext by computing f1 (c); knowledge of f1
therefore allows him to properly multiply the values inside type-3 and type-4 ciphertexts.
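As an added illustration (not code from the paper), the following Python model represents an element of G = G1 × G2 by its pair of exponents and the alternating Weil pairing by a determinant modulo N, then recomputes the table T× of Figure 2 from Eval and Dec, including the ⊥/5 entries that open up once f1 (and hence f2 = u/f1(u)) is known and the s = 1 decryption-error case. The toy primes, the order in which the two decryption tests are applied, and the treatment of a type-2 input under × are assumptions, noted in the comments.

```python
"""Exponent-level model of the extended BGN scheme of Section 5.2.

Constructed illustration, not code from the paper.  An element of G = G1 x G2
is stored as its exponent pair (a, b), meaning g1^a g2^b, and an element of GT
as the exponent t, meaning e(g1, g2)^t.  The Weil pairing is alternating, so
e(g1^a g2^b, g1^c g2^d) = e(g1, g2)^(a*d - b*c).  Because every exponent is in
the clear, fp, f1 and f2 are all computable here: the model checks the algebra
behind the table T_x of Figure 2; it says nothing about hardness.
"""
import random

P, Q = 11, 13                   # toy primes (constructed; not a secure choice)
N = P * Q
E_P = Q * pow(Q, -1, P) % N     # CRT idempotent: u^E_P is fp(u), the p-order part
BOT = None                      # stands for the symbol ⊥

def pair(u, v):
    """e : G x G -> GT as an exponent of e(g1, g2); alternating."""
    return (u[0] * v[1] - u[1] * v[0]) % N

def f1(u): return (u[0], 0)                              # projection onto G1
def f2(u): return (0, u[1])                              # projection onto G2 (= u/f1(u))
def fp(u): return (u[0] * E_P % N, u[1] * E_P % N)       # (f1p(u), f2p(u))
def in_G1(u): return u[1] == 0
def in_G2(u): return u[0] == 0

def keygen(rng):
    """h1 in G1q and h2 in G2q: their exponents are multiples of p."""
    return {"h1": (P * rng.randrange(1, Q), 0), "h2": (0, P * rng.randrange(1, Q))}

def enc(pk, t, m, rng, s=None):
    """Type-t (1..4) encryption of the bit m; s is the noise exponent of types 3, 4."""
    r = rng.randrange(N)
    s = rng.randrange(N) if s is None else s % N
    a = (m + r * pk["h1"][0]) % N           # g1^m h1^r
    b = (m + r * pk["h2"][1]) % N           # g2^m h2^r
    return {1: (a, 0), 2: (0, b), 3: (a, s), 4: (s, b)}[t]

def dec(c):
    """Bit decryption using only fp."""
    if isinstance(c, int):                  # type-5 ciphertext in GT
        return {E_P: 1, 0: 0}.get(c * E_P % N, BOT)   # fp(c) vs fp(e(g1, g2)), 1
    a, b = fp(c)
    # Assumption: the comparisons with fp(g1), fp(g2) are made before those
    # with 1.  In the order printed in Section 5.2 a type-1 ciphertext would
    # always decrypt to 0 (its f2p is trivial); in this order the only failure
    # is a noisy encryption of 0 with s = 1 (mod p), the error the paper analyses.
    if a == E_P or b == E_P:
        return 1
    if a == 0 or b == 0:
        return 0
    return BOT

def multiply(pk, c1, c2, rng):
    """Eval(pk, x, c1, c2): one pairing, then fresh noise e(h1, g2)^r1."""
    if isinstance(c1, int) or isinstance(c2, int):
        return BOT                          # type-5 inputs cannot be multiplied
    # Paper: e(c1, c2) if c1 is in G1, e(c2, c1) if c2 is in G1.  Constructed
    # extension: a type-2 input is likewise kept in the G2 slot, which is what
    # the entries T_x(2,3) = T_x(3,2) = 5 of Figure 2 require.
    if in_G1(c2) or in_G2(c1):
        c1, c2 = c2, c1
    return (pair(c1, c2) + rng.randrange(N) * pair(pk["h1"], (0, 1))) % N

def table_entry(i, j, use_f1=False, seed=1, trials=6):
    """T_x(i, j) of Figure 2: 5 if a type-i times a type-j ciphertext decrypts
    to m1*m2 for all bit pairs, else BOT.  With use_f1 the trapdoor first
    strips the noise (f1 on type 3, f2 on type 4): the second entry of '⊥/5'."""
    rng = random.Random(seed)
    pk = keygen(rng)
    strip = {3: f1, 4: f2} if use_f1 else {}
    for m1, m2 in ((0, 0), (0, 1), (1, 0), (1, 1)):
        for _ in range(trials):
            if 5 in (i, j):
                c1 = c2 = 0                 # stand-ins for two GT elements
            else:
                # noise with s mod p outside {0, 1}, so the (negligible-probability)
                # decryption error does not masquerade as a table entry
                s1, s2 = (rng.randrange(2, P) + P * rng.randrange(Q) for _ in "xy")
                c1 = strip.get(i, lambda u: u)(enc(pk, i, m1, rng, s1))
                c2 = strip.get(j, lambda u: u)(enc(pk, j, m2, rng, s2))
            c = multiply(pk, c1, c2, rng)
            if c is BOT or dec(c) != m1 * m2:
                return BOT
    return 5

def mult_table(use_f1=False):
    """The 5 x 5 table T_x, rows and columns indexed by ciphertext type 1..5."""
    return [[table_entry(i, j, use_f1) for j in range(1, 6)] for i in range(1, 6)]

def decryption_error_case(seed=1):
    """Type-3 encryption of 0 with s = 1: f2p(c) = g2p = fp(g2), so Dec answers 1."""
    rng = random.Random(seed)
    return dec(enc(keygen(rng), 3, 0, rng, s=1))
```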
6 A NIZK Proof That a Committed Value is a Bit
For composite-order bilinear groups in the symmetric setting (i.e., where G1 = G2 ), the techniques for
proving that a committed value is a bit are well known; the first zero-knowledge proof was given by
Groth, Ostrovsky, and Sahai in 2006 [35] and has been used in a variety of constructions since.
Briefly, in the symmetric setting, if we have a commitment c = g b hr , where g generates G and h is a
random element of Gq , and we call the group element in the commitment x, then we want to prove that
e(x, g −1 x) = 1, as this will demonstrate that one of x or g −1 x must be 1, which will happen only in the
case that x = g b for some bit b. In the asymmetric setting, however, this strategy is clearly impossible,
as we require an element from G1 to be paired with an element from G2 , and x can only live in one
or the other. We must therefore replicate the commitment in the G2 subgroup (so assuming c ∈ G1 ,
construct a commitment d ∈ G2 to the same value), prove that these are commitments to the same
value, and then prove that the common value is a bit. So, if we define x1 to be the value contained in
c and x2 to be the value contained in d, we see that to prove x1 = x2 we need to prove satisfiability
of the pairing product equation e(x1 , g2 ) · e(g1 , 1/x2 ) = 1. Then, to prove that their common discrete
logarithm is either 0 or 1, we prove satisfiability of the equation e(x1 , x2 /g2 ) = 1.
Fortunately, for proving these types of equations, we can directly use Groth-Sahai (GS) proofs [36],
which allow a user to prove satisfiability of any pairing product equation of the form ∏_i e(x_i , y_i ) = 1
for x_i ∈ G1 and y_i ∈ G2 . Briefly, this is accomplished by forming commitments c_i to the values x_i and
commitments d_i to the values y_i ; this can be done by computing c_i := x_i · ∏_j h_{1j}^{r_j} for random r_j and
d_i := y_i · ∏_j h_{2j}^{s_j} for random s_j . These values {h_{1j} , h_{2j} } are referred to as the "commitment keys" and
can be either binding or hiding; in order to prove witness indistinguishability, the two settings must be
assumed to be indistinguishable. After forming the commitments, a proof π = ({π_{1j} }, {π_{2j} }) is formed
such that ∏_i e(c_i , d_i ) = e(h1 , π1 )e(π2 , h2 ).
As we argued in Section 4 that SXDH can be reasonably assumed to hold in our setting, we already
have this proof system at our disposal, as Groth and Sahai provide instantiations under the Subgroup
Hiding (SGH), SXDH, and Decision Linear [10] assumptions. In addition, by using the SGH-based
construction in both G1 and G2 , we obtain an instantiation under simultaneous SGH, or the assumption
that SGH holds in both G1 and G2 .
While using Groth-Sahai proofs gives us witness indistinguishability, for some applications (and in
particular for our two-party computation in Appendix B) we need full zero knowledge. We therefore
demonstrate here how the SGH-based proof system can be boosted to full zero knowledge, using the
duplicate SGH assumption (Assumption 4.3) and the same randomization techniques as Groth, Ostrovsky,
and Sahai. The protocol runs as follows:
• CRSSetup(1k ): Use the Setup algorithm from Section 2.2 to produce (N, G1 , G2 , GT , e, g1 , g2 ). Next,
compute commitment keys as h1 and h2 , where h1 is a random element of G1q and h2 is a random
element of G2q . Output σcrs := (N, G1 , G2 , GT , e, g1 , g2 , h1 , h2 ).
• P(σcrs , (c, d), (b, r1 , r2 )):
1. Define x1 to be the value in c and x2 to be the value in d. Then, using the openings of c and
d, form a GS proof for the pairing product equation e(x1 , g2 )e(g1 , 1/x2 ) = 1; this will yield a
proof πe' := (π1e , π2e ) such that e(c, g2 )e(g1 , 1/d) = e(h1 , π1e )e(π2e , h2 ).
2. Next, form another GS proof for the equation e(x1 , x2 /g2 ) = 1. Call this proof πb' := (π1b , π2b ).⁷
3. Now, randomize each proof as follows: for each pair π1 and π2 , pick random values r, s ←$ Z/N Z
and compute π0 := h1^r and π1' := π1^{1/r}, as well as π2' := π2^{1/s} and π3 := h2^s. Finally, compute
π0' := g1^r and π3' := g2^s, and output the proof π := (π0 , π0', π1', π2', π3 , π3').
4. Output π = (πe , πb ) (where πe and πb are the respective versions of πe' and πb' run through
Step 3 above).
• V(σcrs , (c, d), (πe , πb )):
1. For the equality proof, parse πe = (π0 , π0', π1', π2', π3 , π3'). Then check that
    e(π0 , g2 ) = e(π0', h2 ),    (1)
    e(g1 , π3 ) = e(h1 , π3'),    (2)
and finally that
    e(c, g2 )e(g1 , 1/d) = e(π0 , π1') · e(π2', π3 ).    (3)
2. For the bit proof, parse πb = (π0 , π0', π1', π2', π3 , π3'). Check that Equations 1 and 2 hold for
this set of proofs, and then check
    e(c, d/g2 ) = e(π0 , π1') · e(π2', π3 ).    (4)
3. Accept only if both the above checks pass.

⁷ Note that if we used these proofs as is we would achieve witness indistinguishability; it is therefore the randomization
in the next step that makes these proofs zero knowledge.
Theorem 6.1. If duplicate SGH holds in G, the above protocol for proving that two commitments open
to the same bit is a NIZKPoK that satisfies perfect completeness, perfect soundness, computational zero
knowledge, and perfect extractability.
We show this through the following series of lemmas:
Lemma 6.2. The above protocol satisfies perfect completeness.
Proof. To show perfect completeness, we assume that c, d, πb , and πe are all formed honestly. For
Equation 1, if we define β := dlogg1 (h1 ) = dlogg2 (h2 ) then we have that
e(π0 , g2 ) = e(hr1 , g2 ) = e(g1βr , g2 ) = e(g1r , g2β ) = e(π00 , h2 ),
so that this check will pass for both πb and πe . Similarly, for Equation 2, we have
e(g1 , π3 ) = e(g1 , hs2 ) = e(g1 , g2βs ) = e(g1β , g2s ) = e(h1 , π30 ),
so that this check will pass as well. For Equation 3, we can already assume (by the completeness of Groth-Sahai proofs) that we have in place proofs π1 and π2 such that e(c, g2 )e(g1 , 1/d) = e(h1 , π1 ) · e(π2 , h2 ),
which allows us to see that
\[
e(c, g_2)\,e(g_1, 1/d) = e(h_1, \pi_1)^{\frac{1}{r}\cdot r} \cdot e(\pi_2, h_2)^{\frac{1}{s}\cdot s} = e(h_1^{r}, \pi_1^{1/r}) \cdot e(\pi_2^{1/s}, h_2^{s}) = e(\pi_0, \pi_1') \cdot e(\pi_2', \pi_3),
\]
so that this check will pass as well. Using an almost identical derivation for Equation 4 allows us to see
that this check will pass as well.
Lemma 6.3. The above protocol is perfectly sound.
Proof. To show perfect soundness of the protocol, we can examine what each of the verification checks
proves. If Equation 1 passes verification, then we know that
e(π0q , g2 ) = e(π0 , g2 )q = e(π00 , h2 )q = e(π00 , hq2 ) = 1,
so that π0 must have order q; we can perform a similar derivation with Equation 2 to see that π3 must
also have order q. Looking at Equation 3, we can see that
(e(c, g2 )e(g1 , 1/d))q = (e(π0 , π10 ) · e(π20 , π3 ))q = e(π0q , π10 ) · e(π20 , π3q ) = 1.
If we write c = g1γ and d = g2δ for some γ, δ ∈ Z/N Z, then we can see that if e(g1γq , g2 ) · e(g1 , g2−δq ) = 1
then either c and 1/d both have order q or γq = δq; the first case implies that the value contained in
both c and d is a 0, but the second implies only that c and d are commitments to the same value. Taking
Equation 4 into account as well, however, we see (by the same derivation as above) that e(c, d/g2 )q = 1,
so that either c has order q or d/g2 has order q, which means that either the value contained in c is 0 or
the value contained in d is 1; combining this with the information above, we can see that c and d must
be commitments to the same value, and that their common value must in fact be a bit, or else these
equality checks will not pass.
Lemma 6.4. If duplicate SGH holds, the above protocol is zero knowledge.
Proof. To show zero knowledge, we describe our simulator (S1 , S2 ). To start, S1 will output a CRS
σsim so that h1 and h2 are in all of G1 and G2 respectively, and a trapdoor τs := (p, q, β), where
β = dlogg1 (h1 ) = dlogg2 (h2 ). The simulator S2 , when given τs and some commitments c and d, works as
follows: for πe , recall that we will need proofs that satisfy e(c, g2 )e(g1 , 1/d) = e(π0 , π10 ) · e(π20 , π3 ). To do
this, S2 will first use the factorization of N to determine which of c and g1−1 c is a generator for the full
group G1 , and similarly which of d and g2−1 d is a generator for G2 ; without loss of generality, assume it
is c and d (and if not use g1^{-1}c and g2^{-1}d in subsequent arguments). S2 will then pick random values
r, s ←$ Z/N Z and compute π0 := c^r, π1' := g2^{1/r}, π2' := g1^{1/s}, and π3 := (1/d)^s. It can compute as well
π0' := π0^{1/β} and π3' := π3^{1/β}; we then have that
\[
e(\pi_0, \pi_1') \cdot e(\pi_2', \pi_3) = e(c^{r}, g_2^{1/r}) \cdot e(g_1^{1/s}, (1/d)^{s}) = e(c, g_2) \cdot e(g_1, 1/d),
\]
and furthermore that
\[
e(\pi_0, g_2) = e(\pi_0, g_2)^{\beta/\beta} = e(\pi_0^{1/\beta}, g_2^{\beta}) = e(\pi_0', h_2)
\]
and
\[
e(g_1, \pi_3) = e(g_1, \pi_3)^{\beta/\beta} = e(g_1^{\beta}, \pi_3^{1/\beta}) = e(h_1, \pi_3')
\]
so that all the verification checks for πe will pass. For πb , S2 can now pick new random values r, s ←$ Z/N Z,
and a random group element R ←$ G1 (this can be accomplished by just picking a random exponent
t ←$ Z/N Z and computing R := g1^t). It can then set π0 := (c/R)^r, π0' := π0^{1/β}, π1' := (d/g2 )^{1/r}, π2' := R^s,
π3 := (d/g2 )^{1/s}, and π3' := π3^{1/β}. The checks in Equations 1 and 2 will pass for the exact same reasons as
they did for πe , so we can focus on just the check in Equation 4. This equation will be satisfied just by
construction, however, as we have that
e(π0 , π10 ) · e(π20 , π3 ) = e((c/R)r , (d/g2 )1/r ) · e(Rs , (d/g2 )1/s )
= e(c/R, d/g2 )r/r · e(R, d/g2 )s/s
= e(c/R · R, d/g2 )
= e(c, d/g2 ).
Now that we have shown that S2 can produce proofs that pass verification, we still need to argue that
the output of S1 is indistinguishable from the output of CRSSetup and that the proofs produced by S2
are indistinguishable from the proofs produced by the prover. For S1 , it follows directly from duplicate
SGH that σsim , in which h1 ∈ G1 and h2 ∈ G2 , is indistinguishable from the honest CRS, in which
h1 ∈ G1q and h2 ∈ G2q . For S2 , observe that if the commitments c and d are generators for G1 and G2 ,
then all the π values will just be random elements in G1 and G2 , and thus indistinguishable from honest
proofs (as honest proofs will also lie in all of G1 or G2 in the case that h1 and h2 generate all of G1 and
G2 respectively). As S2 uses instead g1−1 c and g2−1 d in the case that c and d are in fact not generators,
it will always end up with random π values and thus provide proofs that are distributed identically to
those produced by the prover.
Lemma 6.5. The above protocol is perfectly extractable.
Proof. To show this, we describe our extractor (E1 , E2 ). The algorithm E1 will run the honest CRSSetup
and set τe := fp ; the σext output by E1 is therefore trivially distributed identically to an honest CRS. As
for E2 , we know that a proof π will contain a commitment c; by perfect soundness, we know that c will
be a commitment to a bit. As we are using the honest CRS and thus have that h1 ∈ G1q , we know that
fp (h1 ) = 1 and so fp (c) = g1b . Then to extract the bit b, the extractor can compute fp (c); if this is equal
to 1 then it outputs b = 0 and otherwise it outputs b = 1.
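The following Python model (added here; not the paper's code) runs the prover, the verifier and the simulator S2 of Lemma 6.4 in the same exponent representation, using toy primes and choosing the GS proof elements as the simplest pairs that satisfy the GS verification equation (both assumptions, since the paper only says "form a GS proof"). It shows honest proofs for b ∈ {0, 1} verifying, the prover's own algorithm failing to produce an accepting proof for b = 2 or for two commitments to different values, and simulated proofs verifying on the hiding CRS.

```python
"""Exponent-level model of the NIZK of Section 6 (constructed illustration, not
the paper's code).  G elements are exponent pairs (a, b) meaning g1^a g2^b, GT
elements are exponents of e(g1, g2); the Weil pairing is alternating, so
e(g1^a g2^b, g1^c g2^d) = e(g1, g2)^(a*d - b*c).  The GS proof elements are the
simplest pairs satisfying the GS verification equation (an assumption: the
paper only says "form a GS proof"); the rest follows Section 6 step by step."""
import random

P, Q = 11, 13               # toy primes (constructed; not a secure choice)
N = P * Q
G1, G2 = (1, 0), (0, 1)     # the generators g1 and g2

def pair(u, v): return (u[0] * v[1] - u[1] * v[0]) % N
def inv(x): return pow(x, -1, N)    # x must be a unit mod N

def unit(rng):
    while True:             # random exponent coprime to N, so that 1/r exists
        r = rng.randrange(1, N)
        if r % P and r % Q:
            return r

def crs_setup(rng, binding=True):
    """Honest CRS: h1 = g1^beta, h2 = g2^beta with beta a multiple of p (h1 in G1q,
    h2 in G2q).  Simulated CRS of Lemma 6.4: beta a unit, so h1, h2 generate."""
    beta = P * rng.randrange(1, Q) if binding else unit(rng)
    return {"beta": beta, "h1": (beta, 0), "h2": (0, beta)}

def commit(crs, b, r1, r2):
    """c = g1^b h1^r1 in G1 and d = g2^b h2^r2 in G2."""
    beta = crs["beta"]
    return ((b + r1 * beta) % N, 0), (0, (b + r2 * beta) % N)

def randomize(crs, pi1, pi2, rng):
    """Step 3 of P: (pi1, pi2) -> (pi0, pi0', pi1', pi2', pi3, pi3')."""
    r, s = unit(rng), unit(rng)
    return {"pi0": (r * crs["h1"][0] % N, 0), "pi0p": (r, 0),        # h1^r, g1^r
            "pi1p": (0, pi1[1] * inv(r) % N),                        # pi1^(1/r)
            "pi2p": (pi2[0] * inv(s) % N, 0),                        # pi2^(1/s)
            "pi3": (0, s * crs["h2"][1] % N), "pi3p": (0, s)}        # h2^s, g2^s

def prove(crs, c, d, b, r1, r2, rng):
    """P(sigma_crs, (c, d), (b, r1, r2)) -> (pi_e, pi_b)."""
    # Equality: pi1 = g2^r1, pi2 = g1^-r2 give e(c,g2) e(g1,1/d) = e(h1,pi1) e(pi2,h2).
    pi_e = randomize(crs, (0, r1), ((-r2) % N, 0), rng)
    # Bit: pi1 = g2^(b r2 + (b-1) r1) h2^(r1 r2), pi2 = 1 give
    # e(c, d/g2) = e(h1, pi1) e(pi2, h2) exactly when b(b-1) = 0.
    pi1 = (0, (b * r2 + (b - 1) * r1 + r1 * r2 * crs["h2"][1]) % N)
    pi_b = randomize(crs, pi1, (0, 0), rng)
    return pi_e, pi_b

def verify(crs, c, d, pi_e, pi_b):
    """V(sigma_crs, (c, d), (pi_e, pi_b)): Equations (1) to (4) of Section 6."""
    h1, h2 = crs["h1"], crs["h2"]
    inv_d, d_over_g2 = (0, -d[1] % N), (0, (d[1] - 1) % N)
    def keys_ok(pi):                                                  # (1), (2)
        return (pair(pi["pi0"], G2) == pair(pi["pi0p"], h2)
                and pair(G1, pi["pi3"]) == pair(h1, pi["pi3p"]))
    def rhs(pi):
        return (pair(pi["pi0"], pi["pi1p"]) + pair(pi["pi2p"], pi["pi3"])) % N
    eq3 = (pair(c, G2) + pair(G1, inv_d)) % N == rhs(pi_e)           # (3)
    eq4 = pair(c, d_over_g2) == rhs(pi_b)                            # (4)
    return keys_ok(pi_e) and keys_ok(pi_b) and eq3 and eq4

def simulate(crs, c, d, rng):
    """S2 of Lemma 6.4 on a simulated CRS: proofs for any (c, d) without openings.
    Whether c, d generate only affects the proof's distribution, not the checks."""
    ib = inv(crs["beta"])
    r, s = unit(rng), unit(rng)
    pi0, pi3 = (r * c[0] % N, 0), (0, -s * d[1] % N)                 # c^r, (1/d)^s
    pi_e = {"pi0": pi0, "pi0p": (pi0[0] * ib % N, 0), "pi1p": (0, inv(r)),
            "pi2p": (inv(s), 0), "pi3": pi3, "pi3p": (0, pi3[1] * ib % N)}
    r, s, t = unit(rng), unit(rng), rng.randrange(N)                 # R = g1^t
    pi0 = (r * (c[0] - t) % N, 0)                                    # (c/R)^r
    pi3 = (0, inv(s) * (d[1] - 1) % N)                               # (d/g2)^(1/s)
    pi_b = {"pi0": pi0, "pi0p": (pi0[0] * ib % N, 0),
            "pi1p": (0, inv(r) * (d[1] - 1) % N),                    # (d/g2)^(1/r)
            "pi2p": (s * t % N, 0), "pi3": pi3,                      # R^s
            "pi3p": (0, pi3[1] * ib % N)}
    return pi_e, pi_b

def demo(seed=7):
    """Honest proofs for b in {0, 1} verify; a proof for b = 2 and a proof for
    mismatched commitments do not; a simulated proof on the hiding CRS verifies."""
    rng = random.Random(seed)
    crs, out = crs_setup(rng), {}
    for b in (0, 1, 2):
        r1, r2 = rng.randrange(N), rng.randrange(N)
        c, d = commit(crs, b, r1, r2)
        out[f"honest_b{b}"] = verify(crs, c, d, *prove(crs, c, d, b, r1, r2, rng))
    c, _ = commit(crs, 1, 3, 4)
    _, d = commit(crs, 0, 3, 4)
    out["mismatch"] = verify(crs, c, d, *prove(crs, c, d, 1, 3, 4, rng))
    sim = crs_setup(rng, binding=False)
    c, d = commit(sim, 1, 5, 6)
    out["simulated"] = verify(sim, c, d, *simulate(sim, c, d, rng))
    return out
```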
7 An Anonymous IBE and Derivative Schemes
In this section, we see how to achieve a simple anonymous identity-based encryption (IBE) scheme in
our setting. Like the Boneh-Franklin [12], Cocks [26], and Boneh-Gentry-Hamburg [13] IBEs, we use
a full-domain hash function, modeled as a random oracle, to map identity strings to group elements.
In our case, the target of the hash function is the entire group G. The IBE master secret is the
trapdoor projection map f1 , so that the secret key corresponding to an identity id is f1 (H(id )). Like
the Boneh-Franklin IBE, our IBE is anonymous [1]: given a ciphertext, an adversary cannot determine
the identity authorized to decrypt it. Our IBE has useful mathematical structure, and we show how
to adapt that structure to obtain a unique signature (in the random oracle model) and a public-key
encryption scheme (in the standard model).
7.1 An anonymous IBE scheme
An identity-based encryption scheme (or IBE for short) consists of four PPT algorithms: a Setup
algorithm that takes in the security parameter and outputs a set of parameters params and a master
secret key msk ; a KeyGen algorithm that takes in the master secret key msk and public identity id and
outputs the secret key sk id corresponding to the identity; an Enc algorithm that takes in a public identity
id and a message M and outputs a ciphertext C; and a Dec algorithm that takes in a secret key sk id
corresponding to some identity id and a ciphertext C (encrypted to the identity id ) and outputs the message
M contained in C. There are two security properties that are desirable for an IBE: IND-ID-CPA security,
which is analogous to the notion of IND-CPA security for regular encryption, and anonymity [1], which
says that it is hard to tell, given a ciphertext, which identity it is encrypted for. Formal definitions of
these two properties can be found in Appendix A.2.
In this section, we see how to construct an IBE that satisfies both these properties if Assumption 4.5
holds, which we recall states that given u, v ←$ G it is hard to distinguish e(f1 (u), f2 (v)) from random.
• Setup(1k ) : Use the Setup algorithm from Section 2.2 to produce (N, G1 , G2 , GT , e, g1 , g2 ). Next,
define a hash function H : {0, 1}∗ → G (note that, among others, Chatterjee and Menezes [24]
demonstrate how this is possible) that maps from possible identities to elements in G, and output
params := (N, G1 , G2 , g1 , g2 , e, GT , H) and msk := f1 .
• KeyGen(params, msk , id ) : Output sk id := f1 (H(id )).
• Enc(params, id , M ) : Pick random values r, s ←$ Z/N Z and compute C1 := g1^r g2^s and C2 :=
M · e(H(id ), g2^s). Output C := (C1 , C2 ).
• Dec(params, C = (C1 , C2 ), skid ) : Output M := C2 /e(skid , C1 ).
Theorem 7.1. The scheme outlined above is an anonymous IND-ID-CPA-secure IBE under Assumption 4.5 and in the random oracle model.
Lemma 7.2. The scheme outlined above is correct.
Proof. Using the projection property of f1 and the alternating property of the Weil pairing, we see that
\[
\frac{C_2}{e(sk, C_1)}
= \frac{M \cdot e(H(id), g_2^{s})}{e(f_1(H(id)), g_1^{r} g_2^{s})}
= \frac{M \cdot e(f_1(H(id)), g_2^{s}) \cdot e(f_2(H(id)), g_2^{s})}{e(f_1(H(id)), g_1^{r}) \cdot e(f_1(H(id)), g_2^{s})}
= \frac{M \cdot e(f_1(H(id)), g_2^{s}) \cdot 1}{1 \cdot e(f_1(H(id)), g_2^{s})}
= M,
\]
so that for a properly formed ciphertext decryption will always return the correct message.
Lemma 7.3. If Assumption 4.5 holds, then the scheme outlined above is an IND-ID-CPA-secure IBE in
the random oracle model.
Proof. To show this, we consider an adversary A that succeeds in the game outlined in Definition A.2
with some non-negligible advantage , and use it to construct an adversary B that breaks Assumption 4.5
with non-negligible advantage /q, where q is the number of queries to the random oracle.
To start, B will receive as input the setup parameters params as well as the values u, v, T, where
either T = e(f1(u), f2(v)) or T is random; B can then send params to A. To answer H oracle queries, B
will first guess at random which query it thinks A will pick as id*; denote by i* the index that B chooses.
On all but the i*-th query, if A queries on an identity id, B will pick random values $a, b \xleftarrow{\$} \mathbb{Z}/N\mathbb{Z}$ and
return $H(id) := g_1^a g_2^b$; it will also store H(id) and $g_1^a$ for later. On the i*-th query, B will call the queried
identity id* and return H(id*) := u. Meanwhile, for key extraction queries, if A queries on an identity
id that was previously queried to H then B can simply return the stored G1 component. Otherwise,
B can pick H(id) as it did earlier, return the G1 component, and store the values for later. If A ever
queries on id*, B must simply abort. Finally, at some point A will issue its challenge (M0, M1, id*). If
id* does not match B's guess then it must again abort; otherwise, it can pick a random bit $b \xleftarrow{\$} \{0, 1\}$,
and return to A (C1 := v, C2 := Mb · T). When A outputs its guess bit b', B will guess that T is random
if b' ≠ b and equal to e(f1(u), f2(v)) if b' = b.
We now need to show that if A has advantage , then B will have advantage /q; first, we show that
interactions with B are identical to the honest interactions that A expects. Because the parameters
for the game in Definition A.2 and Assumption 4.5 are the same, the value params that B gives to A
will be identical to the honest one. For random oracle queries, B chooses completely random values for
all but the identity id ∗ . Because u is assumed to be random, however, the value H(id ∗ ) will also look
random to A and so the outputs H(id ) returned by B will again be identical to ones chosen completely
at random. Similarly, because B is picking the values for H(id) itself, it knows the value of f1(H(id)) for
every id ≠ id* and so the sk_id values will in fact be computed correctly and are again identical to those
output by an honest authority. For the ciphertext, the C1 returned by B will be identically distributed
to an honest one, as v is assumed to be a random element of G.
We turn finally to the value C2 returned by B. If T is random, then C2 must be random as well,
so in particular is information-theoretically independent from Mb and thus can reveal no information
about the bit b. In this case then, A cannot have any advantage in guessing the bit b. If instead
T = e(f1 (u), f2 (v)), (C1 , C2 ) is an honestly computed encryption of Mb . In this case, A will succeed
with non-negligible advantage ; as B succeeds in guessing whenever A does and it correctly guesses i∗ ,
B will succeed with advantage /q.
We next turn to proving that the IBE is anonymous. As we have just shown IND-ID-CPA security,
by Lemma A.5 it suffices to prove anonymity by proving that our IBE satisfies the weaker notion of
anonymity defined in Definition A.4.
Lemma 7.4. The IBE construction given in Section 7.1 satisfies weak anonymity, as defined in
Definition A.4.
Proof. To prove this, we show that, for a random message R, the ciphertext C ∗ given to A in Step 3
of the game is information-theoretically independent of the bit b, and thus A can have no advantage.
Looking at the ciphertext, we can see that C* = (C1*, C2*), where $C_1^* = g_1^r g_2^s$ for some $r, s \xleftarrow{\$} \mathbb{Z}/N\mathbb{Z}$, and
$C_2^* = R \cdot e(H(id_b), g_2^s)$. As R is random, C2* will be distributed uniformly at random over GT and thus
its distribution will be independent of the bit b. In addition, C1∗ contains no information about the
bit b (as it is always just a random element of G), and so C ∗ as a whole is information-theoretically
independent of the bit b.
Combining this lemma with the fact that we just proved the IND-ID-CPA security of the scheme,
Lemma A.5 tells us that the scheme is also anonymous and so Theorem 7.1 follows.
7.2 A unique signature scheme
One interesting aspect of the IBE described above is the signature scheme that we can derive from it,
which works as follows:
• KeyGen(1k ) : Use the same methods as above to generate params and msk , then output pk :=
params and sk := (pk , msk ).
• Sign(sk , M ) : Compute and return σ := f1 (H(M )).
• Verify(pk , σ, M ) : Check that e(σ, g1 ) = 1 and e(σ, g) = e(H(M ), g2 ); return 1 if these checks pass
and 0 otherwise.
The unforgeability of the signature follows from the transformation, proposed by Naor [12, 27], from
IBE to signatures. In fact, we can prove unforgeability for the signature scheme alone under a weaker,
computational assumption (Assumption 4.4), still in the random oracle model.
Because no randomness is involved, we can see that the signing algorithm will generate only a single
signature for any message. To establish that our signature is a unique signature [33, 46], we must prove
a stronger property: that if, for some pk and M, Verify(pk, σ, M) = Verify(pk, σ', M) = 1, then σ = σ'.
Theorem 7.5. For a fixed message M , if there exist two signatures σ1 and σ2 such that Verify(pk , σ1 , M ) =
Verify(pk , σ2 , M ) = 1 then σ1 = σ2 .
Proof. If Verify(pk, σi, M) = 1 for i ∈ {1, 2} then, by the definition of the verification algorithm, we have
that e(σi, g1) = 1 and e(σi, g) = e(H(M), g2). The first of these checks ensures that, because the pairing
is non-degenerate, it must be the case that σi ∈ G1. In this case, e(σi, g) = e(σi, g2), which further
implies, because e(σi, g) = e(H(M), g2) = e(f1(H(M)), g2), that σi = f1(H(M)) for both i = 1 and i = 2;
i.e., the signatures are equal.
7.3 A simple encryption scheme
In addition to the IND-CCA-secure encryption scheme that can be derived from the IBE using the generic
transformations due to Boneh, Canetti, Halevi, and Katz [11], we can also describe a multiplicatively
homomorphic IND-CPA-secure scheme as follows:
• Setup(1^k): Use the Setup algorithm from Section 2.2 to output params := (N, G1, G2, GT, e, g1, g2).
• KeyGen(params): Pick random values $a, b \xleftarrow{\$} \mathbb{Z}/N\mathbb{Z}$ and compute $u := g_1^a \cdot g_2^b$. Output pk := u
and $sk := g_1^a$.
• Enc(params, pk, M): Pick random values $r, s \xleftarrow{\$} \mathbb{Z}/N\mathbb{Z}$ and compute $C_1 := g_1^r \cdot g_2^s$ and
$C_2 := M \cdot e(pk, g_2^s)$. Output C := (C1, C2).
• Dec(params, sk, C = (C1, C2)): Output M := C2 / e(sk, C1).
• Eval(params, pk, ×, C1, C2): Parse C1 = (C11, C12) and C2 = (C21, C22), pick $r, s \xleftarrow{\$} \mathbb{Z}/N\mathbb{Z}$, and
compute $C_1' := C_{11} \cdot C_{21} \cdot g_1^r \cdot g_2^s$ and $C_2' := C_{12} \cdot C_{22} \cdot e(pk, g_2^s)$. Output C := (C1', C2').
This scheme has a number of nice advantages. First, the keys in this scheme are group elements;
as compared to BGN [15], in which keys are entire group settings, this means that keys all live in the
same space, which means they are both smaller and potentially more useful in applications. For more
complex protocols in which the encryption scheme is a building block, providing a user with access to f1
makes him “all-powerful,” as it allows him to recover the secret key corresponding to any public key. In
addition, the encryption scheme has the advantage over the IND-CCA-secure scheme derived from the
IBE that its proof of security does not rely on the random oracle model.
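The following Python is an added worked example, not code from the paper, covering the three schemes of Sections 7.1, 7.2 and 7.3 at once. It models G = G1 ⊕ G2 by exponent vectors: g1^a g2^b is stored as the pair (a, b) mod N and e(g1, g2)^t as t mod N, so the Weil pairing becomes the alternating form e((a,b),(c,d)) = ad − bc. In this model the projections f1 and f2 are trivially computable, so nothing is hidden and there is no security; what the model does show is the algebra the correctness proofs rely on (e(g1, g1) = e(g2, g2) = 1), why the two verification checks pin a signature down to f1(H(M)), and why Eval(×) decrypts to the product of the plaintexts. The primes P, Q and the SHA-256-based hash into G are constructed stand-ins and are not the paper's parameters or the Chatterjee–Menezes hash.

```python
"""Toy exponent-vector model of the order-N^2 group G = G1 (+) G2 with an
alternating pairing, used to check the algebra behind the anonymous IBE
(Section 7.1), the unique signature (Section 7.2) and the homomorphic
encryption scheme (Section 7.3).

Constructed model, not the paper's curves: g1^a g2^b is stored as the pair
(a, b) of exponents mod N and e(g1, g2)^t as t mod N, so the projections
f1, f2 are trivially computable here and nothing is hidden. It reproduces
the algebraic behaviour only; it has no security.
"""
import hashlib
import secrets

P, Q = 1000003, 1000033   # toy primes (constructed); N = P*Q
N = P * Q
G1 = (1, 0)               # generator g1
G2 = (0, 1)               # generator g2
G = (1, 1)                # g = g1 * g2, a generator of G in this model
ONE_T = 0                 # identity of GT (exponent 0)


def mul(x, y):
    """Group operation in G: exponents add componentwise."""
    return ((x[0] + y[0]) % N, (x[1] + y[1]) % N)


def pair(x, y):
    """Alternating bilinear pairing e(g1^a g2^b, g1^c g2^d) = e(g1,g2)^(ad - bc).

    Consequences the schemes use: e(g1, g1) = e(g2, g2) = 1, so a G1 element
    paired with g1^r vanishes and a G2 component paired with g2^s vanishes.
    """
    return (x[0] * y[1] - x[1] * y[0]) % N


def f1(x):
    """Projection onto G1; the paper's trapdoor map, trivial in this model."""
    return (x[0], 0)


def f2(x):
    return (0, x[1])


def H(data: bytes):
    """Toy hash {0,1}* -> G (SHA-256 split into two exponents); a stand-in
    only, not the Chatterjee-Menezes construction cited in the text."""
    d = hashlib.sha256(data).digest()
    return (int.from_bytes(d[:16], "big") % N, int.from_bytes(d[16:], "big") % N)


def rand_exp():
    return secrets.randbelow(N)


# Section 7.1: anonymous IBE with msk = f1
def ibe_keygen(identity: bytes):
    return f1(H(identity))                         # sk_id = f1(H(id))


def ibe_enc(identity: bytes, m: int):
    r, s = rand_exp(), rand_exp()
    c1 = mul((r, 0), (0, s))                       # C1 = g1^r g2^s
    c2 = (m + pair(H(identity), (0, s))) % N       # C2 = M * e(H(id), g2^s)
    return c1, c2


def ibe_dec(sk, c):
    c1, c2 = c
    return (c2 - pair(sk, c1)) % N                 # M = C2 / e(sk_id, C1)


# Section 7.2: unique signature derived from the IBE
def sign(msg: bytes):
    return f1(H(msg))                              # sigma = f1(H(M))


def verify(sigma, msg: bytes) -> bool:
    # e(sigma, g1) = 1 forces sigma into G1; e(sigma, g) = e(H(M), g2) then pins it down.
    return pair(sigma, G1) == ONE_T and pair(sigma, G) == pair(H(msg), G2)


# Section 7.3: multiplicatively homomorphic encryption
def enc_keygen():
    a, b = rand_exp(), rand_exp()
    return (a, b), (a, 0)                          # pk = g1^a g2^b, sk = g1^a = f1(pk)


def enc(pk, m: int):
    r, s = rand_exp(), rand_exp()
    return (r, s), (m + pair(pk, (0, s))) % N      # (g1^r g2^s, M * e(pk, g2^s))


def dec(sk, c):
    c1, c2 = c
    return (c2 - pair(sk, c1)) % N                 # M = C2 / e(sk, C1)


def eval_mul(pk, ca, cb):
    """Eval(params, pk, x, C_a, C_b): rerandomised product, decrypting to M_a * M_b."""
    r, s = rand_exp(), rand_exp()
    c1 = mul(mul(ca[0], cb[0]), (r, s))
    c2 = (ca[1] + cb[1] + pair(pk, (0, s))) % N
    return c1, c2
```

Messages live in GT and are represented by their exponent, so the "product" M_a · M_b that Eval computes appears as the sum of exponents mod N. The signature checks in `verify` are worth tracing by hand: a candidate with a non-trivial G2 component fails the first check because e((a, b'), g1) = −b' ≠ 0, and a different G1 element fails the second because e((a', 0), g) = a' while e(H(M), g2) = a; this is exactly the argument of Theorem 7.5.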
Theorem 7.6. If Assumption 4.5 holds, the encryption scheme described above is IND-CPA secure.
Proof. To show this, we take an adversary A that breaks the IND-CPA security of the scheme with
some non-negligible advantage and use it to construct an adversary B that breaks Assumption 4.5
with the same non-negligible advantage.
To start, B will get as input a group setting params := (N, G1 , G2 , GT , e, g1 , g2 ) and elements u, v ∈ G
and T ∈ GT. It will then set pk := u and give both params and pk to A. When A gives back its query
(M0, M1), B will pick a bit $b \xleftarrow{\$} \{0, 1\}$ and return to A C := (v, Mb · T). When A outputs its guess bit
b', B will guess that T is random if b' ≠ b and equal to e(f1(u), f2(v)) otherwise.
To see that interactions with B are distributed indistinguishably from those that A expects, we first
observe that params are the same in both the honest case and the interaction with B. Similarly, as u is
assumed to be a random value, the pk given to A will be distributed identically in both cases as well.
As for the ciphertext, using C1 := v is again distributed identically to the honest distribution over C1 ,
as in both cases it is just a random element of G. Turning finally to the value C2 , we see that if T is
random then C2 is random as well, and is thus information-theoretically independent of the message Mb .
In this case, then, A can have no advantage in guessing the bit b. In the case that T = e(f1 (u), f2 (v)),
however, (C1 , C2 ) is an honestly computed encryption of Mb and so A should have the same advantage
here that it does normally. As B therefore succeeds in guessing whenever A does, B must succeed with
advantage as well.
Acknowledgments
References
[1] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi.
Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. Journal of
Cryptology, 21(3), July 2008.
[2] M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo. Structure-preserving signatures and commitments
to group elements. In Proceedings of Crypto 2010, volume 6223 of Lecture Notes in Computer Science, pages 209–236,
2010.
[3] R. Balasubramanian and N. Koblitz. The improbability that an elliptic curve has subexponential discrete log problem
under the Menezes-Okamoto-Vanstone algorithm. Journal of Cryptology, 11(2):141–145, 1998.
[4] L. Ballard, M. Green, B. de Medeiros, and F. Monrose. Correlation-resistant storage via keyword-searchable encryption.
Cryptology ePrint Archive, Report 2005/417, 2005. http://eprint.iacr.org/2005/417.
[5] M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, and H. Shacham. Delegatable anonymous
credentials. In Proceedings of Crypto 2009, volume 5677 of Lecture Notes in Computer Science, pages 108–125.
Springer-Verlag, 2009.
[6] M. Belenkiy, M. Chase, M. Kohlweiss, and A. Lysyanskaya. Non-interactive anonymous credentials. In Proceedings of
the 5th Theory of Cryptography Conference (TCC), pages 356–374, 2008.
[7] I. Blake, G. Seroussi, and N. Smart. Elliptic Curves in Cryptography. Number 265 in London Mathematical Society.
Cambridge University Press, 1999.
[8] M. Blum, A. de Santis, S. Micali, and G. Persiano. Non-interactive zero-knowledge. SIAM Journal of Computing,
20(6):1084–1118, 1991.
[9] A. Boldyreva. Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group
signature scheme. In Y. Desmedt, editor, Proceedings of PKC 2003, volume 2567 of Lecture Notes in Computer Science,
pages 31–46. Springer-Verlag, Jan. 2003.
[10] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Proceedings of Crypto 2004, volume 3152 of Lecture
Notes in Computer Science, pages 41–55. Springer-Verlag, 2004.
[11] D. Boneh, R. Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption. SIAM
Journal of Computing, 36(5):1301–28, 2007.
[12] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. SIAM Journal of Computing, 32(3):586–615,
2003.
[13] D. Boneh, C. Gentry, and M. Hamburg. Space-efficient identity based encryption without pairings. In A. Sinclair,
editor, Proceedings of FOCS 2007, pages 647–57. IEEE Computer Society, Oct. 2007.
[14] D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. In
Proceedings of Eurocrypt 2003, volume 2656 of Lecture Notes in Computer Science, pages 416–32. Springer-Verlag,
2003.
[15] D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. In Proceedings of the 2nd Theory of
Cryptography Conference (TCC), volume 3378 of Lecture Notes in Computer Science, pages 325–341. Springer-Verlag,
2005.
[16] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. Journal of Cryptology, 17(4):297–319,
Sept. 2004. Extended abstract in Proceedings of Asiacrypt 2001.
[17] D. Boneh, K. Rubin, and A. Silverberg. Finding ordinary composite order elliptic curves using the Cocks-Pinch
method. Journal of Number Theory, 131(5):832–841, 2011.
[18] D. Boneh, A. Sahai, and B. Waters. Fully collusion resistant traitor tracing with short ciphertexts and private keys. In
Proceedings of Eurocrypt 2006, volume 4004 of Lecture Notes in Computer Science, pages 573–592. Springer-Verlag,
2006.
[19] X. Boyen and B. Waters. Compact group signatures without random oracles. In Proceedings of Eurocrypt 2006, volume
4004 of Lecture Notes in Computer Science, pages 427–444. Springer-Verlag, 2006.
[20] X. Boyen and B. Waters. Full-domain subgroup hiding and constant-size group signatures. In Proceedings of PKC
2007, volume 4450 of Lecture Notes in Computer Science, pages 1–15. Springer-Verlag, 2007.
[21] J. Camenisch and A. Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In Proceedings
of Crypto 2004, volume 3152 of Lecture Notes in Computer Science, pages 56–72. Springer-Verlag, 2004.
[22] L. Charlap and D. Robbins. An elementary introduction to elliptic curves. IDA/CCR report, 1998. www.idaccr.org/reports/reports.html.
[23] D. Charles. On the existence of distortion maps on ordinary elliptic curves. Cryptology ePrint Archive, Report
2006/128, 2006. http://eprint.iacr.org/2006/128.
[24] S. Chatterjee and A. Menezes. On cryptographic protocols employing asymmetric pairings – the role of ψ revisited.
Discrete Applied Mathematics, 159(13):1311–1322, 2011.
[25] L. Chen, Z. Cheng, and N. Smart. Identity-based key agreement protocols from pairings. International Journal of
Information Security, 6(4):213–41, 2007.
[26] C. Cocks. An identity based encryption scheme based on quadratic residues. In B. Honary, editor, Proceedings of IMA
2001, volume 2260 of Lecture Notes in Computer Science, pages 360–63. Springer-Verlag, Dec. 2001.
[27] Y. Cui, E. Fujisaki, G. Hanaoka, H. Imai, and R. Zhang. Formal security treatments for signatures from identity-based
encryption. In W. Susilo, J. K. Liu, and Y. Mu, editors, Proceedings of ProvSec 2007, volume 4784 of Lecture Notes in
Computer Science, pages 218–27. Springer-Verlag, Nov. 2007.
[28] U. Feige, D. Lapidot, and A. Shamir. Multiple non-interactive zero knowledge proofs under general assumptions.
SIAM Journal of Computing, 29(1):1–28, 1999.
[29] D. M. Freeman. Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In
Proceedings of Eurocrypt 2010, volume 6110 of Lecture Notes in Computer Science, pages 44–61. Springer-Verlag, 2010.
[30] D. M. Freeman, M. Scott, and E. Teske. A taxonomy of pairing-friendly elliptic curves. Journal of Cryptology,
23:224–280, 2010.
[31] S. Galbraith, K. Paterson, and N. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113–21,
2008.
[32] S. Galbraith and V. Rotger. Easy decision Diffie-Hellman groups. LMS Journal of Computation and Mathematics,
7:201–218, 2004.
[33] S. Goldwasser and R. Ostrovsky. Invariant signatures and noninteractive zero-knowledge proofs are equivalent (extended
abstract). In E. Brickell, editor, Proceedings of Crypto 1992, volume 740 of Lecture Notes in Computer Science, pages
228–45. Springer-Verlag, Aug. 1992.
[34] J. Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In Proceedings of
Asiacrypt 2006, volume 4284 of Lecture Notes in Computer Science, pages 444–459. Springer-Verlag, 2006.
[35] J. Groth, R. Ostrovsky, and A. Sahai. Perfect non-interactive zero-knowledge for NP. In Proceedings of Eurocrypt
2006, volume 4004 of Lecture Notes in Computer Science, pages 339–358. Springer-Verlag, 2006.
[36] J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In Proceedings of Eurocrypt 2008,
volume 4965 of Lecture Notes in Computer Science, pages 415–432. Springer-Verlag, 2008.
[37] A. Joux. A one round protocol for tripartite Diffie-Hellman. Journal of Cryptology, 17(4):263–76, 2004.
[38] A. Joux and K. Nguyen. Separating decision Diffie-Hellman from computational Diffie-Hellman in cryptographic
groups. Journal of Cryptology, 16(4):239–47, 2003.
[39] J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner
products. In Proceedings of Eurocrypt 2008, volume 4965 of Lecture Notes in Computer Science, pages 146–162.
Springer-Verlag, 2008.
[40] N. Koblitz and A. Menezes. Pairing-based cryptography at high security levels. In N. Smart, editor, Proceedings of
Cryptography and Coding 2005, volume 3796 of Lecture Notes in Computer Science, pages 13–36. Springer-Verlag, 2005.
[41] A. Lewko. Tools for simulating features of composite order bilinear groups in the prime order setting. In Proceedings
of Eurocrypt 2012, 2012.
[42] A. Lewko and S. Meiklejohn. A profitable sub-prime loan: Obtaining the advantages of composite-order in prime-order
bilinear groups. Cryptology ePrint Archive, Report 2013/300, 2013. eprint.iacr.org/2013/300.
[43] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters. Fully secure functional encryption: attribute-based
encryption and (hierarchical) inner product encryption. In Proceedings of Eurocrypt 2010, volume 6110 of Lecture
Notes in Computer Science, pages 62–91. Springer-Verlag, 2010.
[44] A. Lewko and B. Waters. New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In
Proceedings of the 7th Theory of Cryptography Conference (TCC), volume 5978 of Lecture Notes in Computer Science,
pages 455–479. Springer-Verlag, 2010.
[45] A. Lewko and B. Waters. Decentralizing attribute-based encryption. In Proceedings of Eurocrypt 2011, volume 6632 of
Lecture Notes in Computer Science, pages 568–588. Springer-Verlag, 2011.
[46] A. Lysyanskaya. Unique signatures and verifiable random functions from the DH-DDH separation. In M. Yung, editor,
Proceedings of Crypto 2002, volume 2442 of Lecture Notes in Computer Science, pages 597–612. Springer-Verlag, Aug.
2002.
[47] S. Meiklejohn, H. Shacham, and D. M. Freeman. Limitations on transformations from composite-order to prime-order
groups: the case of round-optimal blind signatures. In Proceedings of Asiacrypt 2010, pages 519–538, 2010.
[48] V. Miller. The Weil pairing, and its efficient calculation. Journal of Cryptology, 17(4):235–261, 2004.
[49] J. H. Seo and J. H. Cheon. Beyond the limitation of prime-order bilinear groups and its application to round optimal
blind signature. In Proceedings of TCC 2012, Lecture Notes in Computer Science. Springer-Verlag, 2012.
[50] J. Silverman. The Arithmetic of Elliptic Curves. Number 106 in Graduate Texts in Mathematics. Springer-Verlag,
1986.
A Definitions
A.1 Definitions for zero-knowledge proofs
In Section 6 we construct a non-interactive zero-knowledge proof of knowledge that a committed value is
a bit; we formally define the notions of a zero-knowledge proof and a proof of knowledge here.
A non-interactive proof system [8, 28] for a relation R consists of three PPT algorithms: a CRSSetup
algorithm that takes in the security parameter and generates a common reference string (CRS) σcrs , a P
algorithm that takes in σcrs , a statement x and a witness w and outputs a proof π that x ∈ LR , and a
V algorithm that takes in σcrs , a statement x and a proof π and outputs 1 if the proof is valid and 0
otherwise. We have the following definition that encapsulates the notions of witness indistinguishability,
zero knowledge, and extractability that can be achieved for such a proof system:
Definition A.1. A set of algorithms (CRSSetup, P, V) constitute a non-interactive (NI) proof system for
an efficient relation R with associated language LR if completeness and soundness, as defined below, are
satisfied; additionally, the proof system is extractable if extractability is satisfied, witness indistinguishable
(WI) if witness-indistinguishability is satisfied, and zero knowledge if the zero-knowledge property is
satisfied. A proof system that satisfies all of these properties is a non-interactive zero-knowledge proof
of knowledge (NIZKPoK for short), while one that satisfies witness indistinguishability but not zero
knowledge is a NIWIPoK.
1. Completeness [8]. For all $\sigma_{crs} \xleftarrow{\$} \mathrm{CRSSetup}(1^k)$ and (x, w) ∈ R, V(σcrs, x, π) = 1 for all
$\pi \xleftarrow{\$} P(\sigma_{crs}, x, w)$.
2. Soundness [8]. For all PPT A and $\sigma_{crs} \xleftarrow{\$} \mathrm{CRSSetup}(1^k)$, the probability that A(σcrs) outputs (x, π)
such that x ∉ LR but V(σcrs, x, π) = 1 is at most negligible. Perfect soundness is achieved when
this probability is 0.
3. Extractability [35]. There exists a polynomial-time extractor (E1, E2) such that E1(1^k) outputs
(σext, τe), and E2(σext, τe, x, π) outputs a value w such that $\sigma_{ext} \xleftarrow{\$} E_1(1^k)$ is indistinguishable
from $\sigma_{crs} \xleftarrow{\$} \mathrm{CRSSetup}(1^k)$, and for all PPT A, the probability that A(σext, τe) outputs (x, π) such
that V(σcrs, x, π) = 1 but E2(σext, τe, x, π) = w and (x, w) ∉ R is at most negligible. Perfect
extractability is achieved if this probability is 0, and σext is distributed identically to σcrs.
4. Witness indistinguishability [28]. For all (x, w1, w2) such that (x, w1) ∈ R and (x, w2) ∈ R, for
$\sigma_{crs} \xleftarrow{\$} \mathrm{CRSSetup}(1^k)$, $\pi_1 \xleftarrow{\$} P(\sigma_{crs}, x, w_1)$, and $\pi_2 \xleftarrow{\$} P(\sigma_{crs}, x, w_2)$, π1 is indistinguishable from
π2. Perfect witness indistinguishability is achieved when these two distributions are identical.
5. Zero knowledge [28]. There exists a polynomial-time simulator (S1, S2) such that S1(1^k) outputs
(σsim, τs), and S2(σsim, τs, x) outputs a value πs such that for all (x, w) ∈ R and PPT adversaries A,
the following two interactions are indistinguishable: in the first, we compute $\sigma_{crs} \xleftarrow{\$} \mathrm{CRSSetup}(1^k)$
and give A σcrs and oracle access to P(σcrs, ·, ·) (where P will output ⊥ on input (x, w) such that
(x, w) ∉ R); in the second, we compute $(\sigma_{sim}, \tau_s) \xleftarrow{\$} S_1(1^k)$ and give A σsim and oracle access to
S2'(σsim, τs, ·, ·), where, on input (x, w), S2' outputs S2(σsim, τs, x) if (x, w) ∈ R and ⊥ otherwise.
Perfect zero-knowledge is achieved if these interactions are distributed identically.
A.2 Definitions for identity-based encryption
In Section 7.1 we construct an IBE scheme; recall briefly that an IBE consists of four algorithms:
Setup(1k ), KeyGen(params, msk , id ), Enc(params, id , M ), and Dec(params, sk id , C). The properties
required by these algorithms can be summarized in the following definition:
Definition A.2. An IBE scheme E = (Setup, KeyGen, Enc, Dec) is chosen-plaintext secure under a
chosen identity attack (or IND-ID-CPA-secure for short) if the following two properties hold:
1. Correctness: For all identities id, messages M, and $(params, msk) \xleftarrow{\$} \mathrm{Setup}(1^k)$, if sk_id is the
output of KeyGen(msk, id) and C is the output of Enc(params, id, M), then Dec(params, sk_id, C)
outputs M with probability 1.
2. IND-ID-CPA security: For an adversary A and a bit b, let $p_b^A(k)$ be the probability of the event that
b' = 0 in the following game:
• Step 1: $(params, msk) \xleftarrow{\$} \mathrm{Setup}(1^k)$.
• Step 2: A gets params and is allowed to issue queries to a key extraction oracle; i.e., an
oracle that, on input id, returns $sk_{id} \xleftarrow{\$} \mathrm{KeyGen}(msk, id)$. At some point, A will output
(id*, M0, M1), with the constraint that it must not have queried its oracle on input id*.
• Step 3: $C^* \xleftarrow{\$} \mathrm{Enc}(params, id^*, M_b)$.
• Step 4: A is given C* and access to its key extraction oracle, with the continued stipulation
that it cannot query it on id*. Finally, A will output a guess bit b'.
The IBE is considered IND-ID-CPA secure if for all PPT algorithms A there exists a negligible
function ν(·) such that $|p_0^A(k) - p_1^A(k)| < \nu(k)$.
In addition, an IBE can be called anonymous [1] if a ciphertext does not reveal its intended recipient
(i.e., the identity id used to compute it). We have the following security definition:
Definition A.3. [1] For an IBE scheme (Setup, KeyGen, Enc, Dec), a PPT adversary A, and a bit b,
let $p_b^A(k)$ be the probability of the event that b' = 0 in the following game:
• Step 1: $(params, msk) \xleftarrow{\$} \mathrm{Setup}(1^k)$.
• Step 2: A gets params and is allowed to issue queries to a key extraction oracle; i.e., an oracle
that, on input id, returns $sk_{id} \xleftarrow{\$} \mathrm{KeyGen}(msk, id)$. At some point, A will output $(id_0^*, id_1^*, M)$, with
the constraint that it must not have queried its oracle on $id_0^*$ or $id_1^*$.
• Step 3: $C^* \xleftarrow{\$} \mathrm{Enc}(params, id_b^*, M)$.
• Step 4: A is given C* and access to its key extraction oracle, with the continued stipulation that it
cannot query it on $id_0^*$ or $id_1^*$. Finally, A will output a guess bit b'.
The IBE is considered anonymous if for all PPT algorithms A there exists a negligible function ν(·) such
that $|p_0^A(k) - p_1^A(k)| < \nu(k)$.
In addition to introducing the above notion of anonymity, Abdalla et al. also consider a weaker
notion (which they call IND-ANO-RE-CPA and we choose to call weak anonymity) defined as follows:
Definition A.4. [1] For an IBE scheme (Setup, KeyGen, Enc, Dec), a PPT adversary A, and a bit b,
let $p_b^A(k)$ be the probability of the event that b' = 0 in the following game:
• Step 1: $(params, msk) \xleftarrow{\$} \mathrm{Setup}(1^k)$.
• Step 2: A gets params and is allowed to issue queries to a key extraction oracle; i.e., an oracle
that, on input id, returns $sk_{id} \xleftarrow{\$} \mathrm{KeyGen}(msk, id)$. At some point, A will output $(id_0^*, id_1^*, M)$, with
the constraint that it must not have queried its oracle on $id_0^*$ or $id_1^*$.
• Step 3: $R \xleftarrow{\$} \{0, 1\}^{|M|}$, $C^* \xleftarrow{\$} \mathrm{Enc}(params, id_b^*, R)$.
• Step 4: A is given C* and access to its key extraction oracle, with the continued stipulation that it
cannot query it on $id_0^*$ or $id_1^*$. Finally, A will output a guess bit b'.
The IBE is considered weakly anonymous if for all PPT algorithms A there exists a negligible function
ν(·) such that $|p_0^A(k) - p_1^A(k)| < \nu(k)$.
They then go on to prove the following lemma, which we will use in Section 7 when we prove security
of our IBE construction.
Lemma A.5. [1] If an IBE scheme is IND-ID-CPA secure and weakly anonymous then it is also anonymous.
B A Restricted Two-Party Computation for 2-DNF
In this section, we show how the adapted version of BGN encryption presented in Section 5 can be used
to realize a restricted two-party computation for a 2-DNF formula. We first define a 2-DNF:
Definition B.1. [15] A 2-DNF formula over the variables x1, ..., xn is of the form $\bigvee_{i=1}^{k} (\ell_{i,1} \wedge \ell_{i,2})$
where $\ell_{i,1}, \ell_{i,2} \in \{x_1, \ldots, x_n, \bar{x}_1, \ldots, \bar{x}_n\}$.
In a regular (i.e., unrestricted) two-party computation of a 2-DNF, one party, Alice, holds the formula
φ(x1 , . . . , xn ) and another party, Bob, holds an assignment a1 , . . . , an . In the course of the computation,
we would like Bob to learn φ(a1 , . . . , an ) without Alice learning anything about the assignment and
without Bob learning anything about the formula (beyond what he learns from his output). To accomplish
this using regular BGN encryption, Boneh et al. [15] outline a protocol: briefly, Bob can encrypt his
assignment a1 , . . . , an using the BGN encryption scheme and send the ciphertexts to Alice, who then
uses the homomorphic properties of the scheme to compute an encryption of φ(a1 , . . . , an ) by using × in
place of ∧, + in place of ∨, and (1 − xi ) in place of x̄i .
Boneh et al. also describe [15, Section 4.2] how to use this two-party computation of a 2-DNF
formula to achieve private information retrieval (PIR for short): if Alice holds a database D of size n
(for n a perfect square, this can mean a table with dimensions $\sqrt{n} \times \sqrt{n}$), then the 2-DNF formula can
be $\phi(x_1, \ldots, x_{\sqrt{n}}, y_1, \ldots, y_{\sqrt{n}}) := \bigvee_{D_{i,j} = 1} (x_i \wedge y_j)$. If Bob wishes to retrieve the (i, j)-th entry of this
database, he sets $x_i = y_j = 1$ and all other variables to 0; he and Alice then engage in the two-party
computation outlined above and at the end Bob will learn the value $D_{i,j}$.
In a restricted two-party computation, Bob can potentially encrypt his assignment to ensure that
two values are not put in the same clause; this is accomplished by encrypting these values using the
“noisy” type 3 and type 4 ciphertexts discussed in Section 5.
• Bob generates $(pk, sk) \xleftarrow{\$} \mathrm{KeyGen}(1^k)$ and sends pk to Alice. For unrestricted $a_i$ values which can
be put in a clause with any other value, Bob computes $c_{1i} \xleftarrow{\$} \mathrm{Enc}(pk, 1, a_i)$ and $c_{2i} \xleftarrow{\$} \mathrm{Enc}(pk, 2, a_i)$,
while for restricted values $a_j$ Bob computes $c_{1j} \xleftarrow{\$} \mathrm{Enc}(pk, 3, a_j)$ and $c_{2j} \xleftarrow{\$} \mathrm{Enc}(pk, 4, a_j)$. Bob
then sends $\{c_{1i}, c_{2i}\}$ to Alice.
• Upon receiving pk and $\{c_{1i}, c_{2i}\}$, Alice proceeds as follows: for each clause of the form $(\ell_1, \ell_2)$, if
$\ell_1 = x_i$ then Alice will set $y_1 := c_{1i}$ and if $\ell_1 = \bar{x}_i$ then she sets $y_1 := \mathrm{Enc}(pk, 1, 1)/c_{1i}$, so that $y_1$
encrypts $1 - a_i$. She then does the same for $\ell_2$; i.e., if $\ell_2 = x_j$ then she sets $y_2 := c_{2j}$ and if $\ell_2 = \bar{x}_j$
then she sets $y_2 := \mathrm{Enc}(pk, 2, 1)/c_{2j}$. She then computes $c_i \xleftarrow{\$} \mathrm{Eval}(pk, \times, y_1, y_2)$ for the i-th clause,
and repeats this for all clauses. She can then compute $c \xleftarrow{\$} \mathrm{Eval}(pk, +, \{c_i\})$ (see footnote 8) and return c to Bob.
• When he gets back c from Alice, Bob can compute m = Dec(sk, c) to recover the value of
φ(a1, ..., an).
Theorem B.2. The above protocol is correct.
Proof. To show this, we want to prove that if Alice's formula is $\phi(x_1, \ldots, x_n) = \bigvee_{i=1}^{k} (\ell_{1,i} \wedge \ell_{2,i})$, then if
Bob uses all unrestricted values (i.e., sticks to Type 1 and Type 2 encryption), at the end he outputs
m = φ(a1, ..., an). To start, Alice computes
$$
c_i \xleftarrow{\$} \mathrm{Eval}(pk, \times, y_1, y_2) = e(y_1, y_2) \cdot e(h_1, g_2)^r
$$
for $r \xleftarrow{\$} \mathbb{Z}/N\mathbb{Z}$. If $\ell_{1,i} = x_j$ and $\ell_{2,i} = x_{j'}$, then $y_1 \xleftarrow{\$} \mathrm{Enc}(pk, 1, a_j)$ and $y_2 \xleftarrow{\$} \mathrm{Enc}(pk, 2, a_{j'})$, and thus $c_i$
encrypts $a_j \cdot a_{j'} = a_j \wedge a_{j'}$; we can similarly argue about the cases in which $\ell_{1,i} = \bar{x}_j$ or $\ell_{2,i} = \bar{x}_{j'}$. Now,
Alice computes $c \xleftarrow{\$} \mathrm{Eval}(pk, +, \{c_i\}_i)$; as $c_i$ appropriately encrypts $a_j \wedge a_{j'}$, we have
$$
c = c_1 \cdot \ldots \cdot c_k \cdot e(h_1, g_2)^r
$$
for $r \xleftarrow{\$} \mathbb{Z}/N\mathbb{Z}$, which encrypts the sum, or logical or, of each of the clauses. By the correctness of BGN
decryption, Bob will therefore correctly pull out the value φ(a1, ..., an) as desired.
8. Note that while we previously defined Eval only on pairs of ciphertexts, it is straightforward to extend it to take in a
set of n ciphertexts instead.
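The following Python is an added worked example, not code from the paper, of the unrestricted (type 1 / type 2) path that the correctness proof above covers, including the PIR instance from Boneh et al. It uses a toy BGN-style scheme in the exponent model of an asymmetric composite-order pairing: g1^x is stored as x mod N, g2^y as y mod N, e(g1, g2)^t as t mod N, and h1 = g1^P (of order Q) is the blinding element, so a type-1 or type-2 ciphertext is m + P·r and Eval(×) is e(y1, y2)·e(h1, g2)^r as in the proof. The primes are constructed, the restricted "noisy" types 3 and 4 of Section 5 are not modelled, and the code has no security; it only checks the homomorphic arithmetic that maps ∧ to ×, ∨ to + and x̄ to 1 − x.

```python
"""Toy BGN-style evaluation of a 2-DNF formula in the exponent model of an
asymmetric composite-order pairing, following the unrestricted (type 1 /
type 2) path of the protocol in Appendix B, plus the PIR instance.

Constructed model, not the paper's Section 5 scheme: g1^x is stored as x mod N,
g2^y as y mod N, and e(g1, g2)^t as t mod N, with h1 = g1^P (order Q) as the
blinding element; the restricted 'noisy' ciphertext types are not modelled
and there is no security, only the homomorphic arithmetic.
"""
import secrets

P, Q = 1000003, 1000033      # toy primes (constructed); N = P*Q
N = P * Q


def rand_exp():
    return secrets.randbelow(N)


def enc(m: int, kind: int) -> int:
    """Enc(pk, kind, m) for kind 1 (in G1) or 2 (in G2): g^m * h^r with h = g^P.

    m must be smaller than P so that decryption can recover it exactly."""
    assert kind in (1, 2) and 0 <= m < P
    return (m + P * rand_exp()) % N


def negate(c: int, kind: int) -> int:
    """Enc(pk, kind, 1) / c: an encryption of 1 - a from an encryption of a."""
    return (enc(1, kind) - c) % N


def eval_mul(y1: int, y2: int) -> int:
    """Eval(pk, x, y1, y2) = e(y1, y2) * e(h1, g2)^r, a ciphertext in GT."""
    return (y1 * y2 + P * rand_exp()) % N


def eval_add(cs) -> int:
    """Eval(pk, +, {c_i}): product in GT, rerandomised (the footnote 8 extension)."""
    return (sum(cs) + P * rand_exp()) % N


def dec(c: int) -> int:
    """Raising to Q removes every h-component (Q*P*r = 0 mod N); Q*m < N then gives m."""
    return ((Q * c) % N) // Q


def bob_encrypts(assignment):
    """Bob's message: a type-1 and a type-2 ciphertext for every variable."""
    return [enc(a, 1) for a in assignment], [enc(a, 2) for a in assignment]


def alice_evaluates(clauses, c1, c2) -> int:
    """clauses: list of ((i, neg_i), (j, neg_j)) meaning (l1 AND l2) with
    l1 = x_i or its negation and l2 = x_j or its negation; x for AND, + for OR."""
    parts = []
    for (i, ni), (j, nj) in clauses:
        y1 = negate(c1[i], 1) if ni else c1[i]
        y2 = negate(c2[j], 2) if nj else c2[j]
        parts.append(eval_mul(y1, y2))
    return eval_add(parts)


def run_protocol(clauses, assignment) -> int:
    """Full round trip; Bob recovers the number of satisfied clauses (nonzero iff phi holds)."""
    c1, c2 = bob_encrypts(assignment)
    return dec(alice_evaluates(clauses, c1, c2))


def pir_query(db, row: int, col: int) -> int:
    """Boneh et al.'s PIR instance: phi = OR over D[i][j] = 1 of (x_i AND y_j);
    Bob sets x_row = y_col = 1 and all other variables to 0."""
    n = len(db)
    assignment = [int(i == row) for i in range(n)] + [int(j == col) for j in range(n)]
    clauses = [((i, False), (n + j, False))
               for i in range(n) for j in range(n) if db[i][j] == 1]
    return run_protocol(clauses, assignment)
```

Because Eval(+) adds clause values rather than OR-ing them, what Bob decrypts is the number of satisfied clauses, which is nonzero exactly when φ(a1, ..., an) holds; in the PIR instance only one clause can ever be satisfied, so the decrypted value is the bit D_{i,j} itself.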
As our protocol is, modulo Bob’s choice of encryption, essentially identical to that of Boneh et al.,
the proof of the following theorem is very similar to theirs:
Theorem B.3. If SGH holds in G1 and G2 , the above protocol is a secure two-party computation for a
semi-honest Alice and a semi-honest Bob.
Proof. (Sketch.) By the IND-CPA security of the encryption scheme, the ciphertexts $\{c_{1i}, c_{2i}\}_i$ that
Bob sends to Alice reveal nothing about his assignment (a1, ..., an); in particular, to simulate Bob's
side of the interaction, a simulator could simply give $\{c_{1i} \xleftarrow{\$} \mathrm{Enc}(pk, 1, 0),\ c_{2i} \xleftarrow{\$} \mathrm{Enc}(pk, 2, 0)\}_i$ to Alice.
Similarly, as Bob receives only the final ciphertext c, a simulator knowing the value of φ(a1, ..., an) could
simply compute $c \xleftarrow{\$} \mathrm{Enc}(pk, 5, \phi(a_1, \ldots, a_n))$ and return this to Bob; as this is distributed identically to
what Bob receives from Alice, yet the simulator knew only φ(a1, ..., an), Bob learns nothing beyond
whether the formula was satisfied or not.
As observed by Boneh et al., the above protocol is not secure against a malicious Bob. For example, if Bob sends Alice encryptions of values that are not bits, then he can potentially learn whether and how these values were used by seeing whether φ(a1, . . . , an) is itself a bit or not. To augment this protocol so that it is secure even against a malicious Bob, we again adopt the approach of Boneh et al. Now, in addition to generating the set of ciphertexts {c_{1i}, c_{2i}}, Bob also generates, for each i, a zero-knowledge proof π_i that c_{1i} and c_{2i} are encryptions of the same value, and that this value is a bit. To see how such proofs can be generated, we refer the reader to Section 6. To also prevent Bob from giving Alice a set of ciphertexts that he does not actually know how to decrypt, we can add an extra interaction between Steps 1 and 2 in which Alice ensures that Bob really can decrypt by sending him a set of challenge ciphertexts and asking him to return the corresponding plaintexts. She then continues with Step 2 only if the plaintexts are correct and all of the proofs π_i verify.
Theorem B.4. If duplicate SGH holds, the above protocol is a secure two-party computation for a
semi-honest Alice and a malicious Bob.
Proof. (Sketch.) Once again, the IND-CPA security of the encryption scheme guarantees that Alice learns nothing about Bob’s assignment. In addition, the zero-knowledge property of the proofs guarantees that they too reveal no information about the assignment (a1, . . . , an); i.e., to simulate the proofs in addition to the ciphertexts, it suffices to run the zero-knowledge simulator. As for Alice’s security against a malicious Bob, by the soundness of the proof, Bob is unable to generate a proof π_i that verifies when the ciphertexts c_{1i} and c_{2i} do not encrypt a bit. Bob is therefore constrained to behave as he would in the honest protocol, and thus security reduces to the semi-honest case.
On its own, it is perhaps not immediately clear why Bob would be interested in this type of restricted evaluation. Consider, however, the following example: Bob is a government employee who has recently, for whatever reason, had his security clearance downgraded, and Alice is in possession of a database of which Bob wishes to access certain elements. Because of his downgraded clearance, however, there are now certain entries in the database that Bob is not permitted to access. To ensure that Bob does not access these entries, a censor Carol can be inserted into the above process as follows. Bob encrypts his values just as he did in the honest PIR scheme; i.e., if he is interested in the (i, j)-th entry then he sets x_i = y_j = 1 and all other variables to 0. He then encrypts these values, using only type 1 and type 2 encryptions,⁹ to get a set of ciphertexts {c_{1i}, c_{2i}} and passes these ciphertexts to Carol. Now, for all entries (i', j') that Bob should not be allowed to access, Carol can add noise to the appropriate ciphertexts as follows: for every i' such that there is a corresponding j' for which access to the (i', j')-th entry should be disallowed (and analogously for every j' such that there is a corresponding i'), Carol picks random values r1, r2 ←$ Z/NZ and computes

c'_{1i'} := c_{1i'} · g2^{r1}  and  c'_{2i'} := c_{2i'} · g1^{r2};

note that this changes the type of the c_{1i'} ciphertext from 1 to 3, and the type of the c_{2i'} ciphertext from 2 to 4. Carol then passes these modified ciphertexts along to Alice, who can return the result straight to Bob.

By the properties discussed in Section 5, we know that if access to the (i, j)-th entry is restricted then Bob will get back an encryption of garbage rather than D_{i,j}. Note that the noise is applied to the selector variables x_{i'} and y_{j'} rather than to the single entry (i', j'), so any query that shares a row or a column with a restricted entry is censored as well. In addition, the IND-CPA security of the encryption scheme guarantees that Carol can restrict access to certain entries without learning anything about which entry Bob is trying to access. Although Alice does learn that the request has been passed through a censor, without knowledge of f1 she still cannot “undo” the censoring process; thus, as desired, neither Alice nor Carol learns which entry Bob was trying to access, and Bob gets back either (1) D_{i,j} if his security clearance permits access to the (i, j)-th entry, (2) nothing if Alice chooses to abort, or (3) some garbage value indicating that he is not permitted to access the (i, j)-th entry.

9 We note that it does not actually cause any problems for Bob to use types 3 and 4 encryption as well, but it doesn’t seem to provide any benefit to Bob either.
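The correctness argument for Theorem B.2, the malicious-Bob leak, and the PIR encoding used in the censor example all come down to the same quantity: the value Bob decrypts is the sum over clauses of the product of the two literal values. The following Python model is an added illustration and not code from the paper: the real ciphertexts, the pairing, and the Section 5 type rules are replaced by arithmetic mod a toy N on the underlying plaintexts, which is exactly what Dec(sk, c) recovers from Alice’s Eval(×)/Eval(+) chain. It encodes a bit database as Alice’s 2-DNF, evaluates honest queries, and shows how a non-bit input reveals whether a variable occurs in a satisfied clause. The variable layout, the toy modulus and the helper names are assumptions of this example.

```python
"""Plaintext-level model of the 2-DNF evaluation in the extended-BGN protocol.

Added illustration, not code from the paper: real ciphertexts, the pairing
e(.,.) and the Section 5 ciphertext-type rules are replaced by arithmetic mod a
toy N on the plaintexts, which is exactly the value Dec(sk, c) recovers from
Alice's Eval(x)/Eval(+) chain.  Variable layout and helper names are my own.
"""
from typing import List, Tuple

N = 1009  # toy stand-in for the composite modulus N = pq (not a real key)

Literal = Tuple[int, bool]        # (variable index, negated?)
Clause = Tuple[Literal, Literal]  # one conjunction l_{1,i} AND l_{2,i}


def literal_value(lit: Literal, assignment: List[int]) -> int:
    """Value of x_j or its negation.  Alice derives Enc(1 - a_j) from Enc(a_j)
    homomorphically; on plaintexts that is simply 1 - a_j mod N."""
    j, negated = lit
    return (1 - assignment[j]) % N if negated else assignment[j] % N


def eval_2dnf(phi: List[Clause], assignment: List[int]) -> int:
    """The value Bob decrypts.

    Each clause is one Eval(pk, x, y1, y2), i.e. the single pairing level, and
    the outer sum is Eval(pk, +, {c_i}).  The result is the NUMBER of satisfied
    clauses mod N, not a boolean.
    """
    total = 0
    for l1, l2 in phi:
        total = (total + literal_value(l1, assignment) * literal_value(l2, assignment)) % N
    return total


def satisfied(phi: List[Clause], assignment: List[int]) -> bool:
    """phi(a) as a boolean: nonzero iff some clause holds (no wrap-around as
    long as the clause count k is below N)."""
    return eval_2dnf(phi, assignment) != 0


# --- PIR over an n x m bit database, as in the censor example ---------------

def pir_formula(db: List[List[int]]) -> List[Clause]:
    """Alice's formula: OR over entries with D_{i,j} = 1 of (x_i AND y_j).
    Variables 0..n-1 are the row selectors x_i, n..n+m-1 the column selectors y_j."""
    n = len(db)
    return [((i, False), (n + j, False))
            for i, row in enumerate(db)
            for j, bit in enumerate(row) if bit]


def pir_query(i: int, j: int, n: int, m: int) -> List[int]:
    """Honest Bob: x_i = y_j = 1 and every other variable 0, so at most one
    clause can be satisfied and the decrypted count equals D_{i,j}."""
    a = [0] * (n + m)
    a[i] = 1
    a[n + j] = 1
    return a


def pir_answer(db: List[List[int]], i: int, j: int) -> int:
    n, m = len(db), len(db[0])
    return eval_2dnf(pir_formula(db), pir_query(i, j, n, m))


# --- The malicious-Bob leak and the check the proofs pi_i enforce ------------

def probe_usage(phi: List[Clause], assignment: List[int], j: int) -> bool:
    """Bob substitutes the non-bit value 2 for a_j.  If the decrypted result is
    no longer a bit, x_j contributed to a satisfied clause of Alice's secret
    formula, which an honest evaluation would never reveal."""
    probe = list(assignment)
    probe[j] = 2
    return eval_2dnf(phi, probe) not in (0, 1)


def alice_accepts(assignment: List[int]) -> bool:
    """Plaintext statement of what the zero-knowledge proofs pi_i certify:
    every submitted value is a bit.  (Equality of the type 1 and type 2
    copies of each value has no analogue on plaintexts and is not modelled.)"""
    return all(a in (0, 1) for a in assignment)


if __name__ == "__main__":
    # Constructed toy inputs: phi = (x0 AND x1) OR (NOT x0 AND x2).
    phi = [((0, False), (1, False)), ((0, True), (2, False))]
    print("phi(1,1,0) =", eval_2dnf(phi, [1, 1, 0]))    # 1
    print("x1 in a satisfied clause?", probe_usage(phi, [1, 1, 0], 1))  # True
    print("x2 in a satisfied clause?", probe_usage(phi, [1, 1, 0], 2))  # False
    db = [[1, 0, 1], [0, 1, 1]]
    print("D[0][2] =", pir_answer(db, 0, 2), " D[1][0] =", pir_answer(db, 1, 0))  # 1 0
```

For the PIR formula an honest query satisfies at most one clause, so the decrypted count is D_{i,j} itself; for a general formula Bob should test the count for being nonzero rather than comparing it to 1, since several clauses may hold at once. The probe shows why the bit proofs are not optional: with a_1 = 2 the decrypted value is 2, exposing that x_1 sits in a satisfied clause, while the same probe on x_2 still returns 1.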