5

I'm currently working on Ciphertext Policy Attribute-Based Encryption (CP-ABE). So far I'm only using it with a basic understanding how it actually works. Now I want to understand it a bit better, but I've never learned anything about bilinear groups or pairing-based cryptography.

To start with I would like to calculate a very simple example on my own. Therefore I'd like to use small numbers and very simple operations (although this definitely won't be secure).

I will just write what I tried to do for the first step (Setup) — would be great if someone could tell me whether it is completely wrong or if it goes in the right direction:

I chose a group generator of $g=7$ and an order of $p=13$. Therefore I got the group $G_0=\{1\ldots12\}$. (Correct so far?)

Then I defined $e(X,Y)=g^{XY}\bmod{}p$

Using this, I can now calculate the Public Key and the Master Key with two random integers $\alpha=3; \beta=4$:

$MK=\{\beta,g^\alpha\}=\{4,7^3\}=\{4,343\bmod13\}=\{4,5\}$

(Still correct?)

$PK=\{G_0,g,h=g^\beta,f=g^{1/\beta},e(g,g)^\alpha\}=\{G_0,7,7^4\bmod13,7^{1/4}\bmod13,7^{7*7*3}\bmod13\}=\{G_0,7,9,??,5\}$

(How can I calculate $7^{1/4}$?)

I hope to be able to do the rest on my own as soon as I understand this part.

Gilles 'SO- stop being evil'
  • 20,442
  • 4
  • 54
  • 97
Baertierchen
  • 51
  • 1
  • 1
  • 3

1 Answers1

4

I think you have a lack of knowledge on pairings and finite fields. Your definition of the pairing $e(X,Y)=g^{XY} \bmod p$ is not correct.

A pairing is defined as a map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ with the property \begin{align}\text{for all }g_1 \in \mathbb{G}_1 \text{ and } g_2 \in \mathbb{G}_2: e(g_1^a,g_2^b) = e(g_1,g_2)^{ab}\text{.}\end{align} For cryptographic usage we also need the properties that the pairing is not degenerated and efficient computable. Your definition of the pairing does not hold all these properties.

Today, pairings are basically implemented with elliptic curves over finite fields ($\mathbb{G}_1$ and $\mathbb{G}_2$) and with an extended finite field ($\mathbb{G}_T$). All the three groups have prime order $p$ so that you can calculate the inverse in the exponent very easily: $g^{1/\beta} = g^{\beta^{-1} \pmod p}$.

I think it is not that easy to generate a toy example for pairing based cryptography, because you need special elliptic curves with known order, embedding degree and other parameters and an efficiently computable pairing function.

If you like to understand pairings better I can recommend the dissertation of Ben Lynn [1]. He also wrote the PBC Library [2] that implements pairings in C and is very easy to use.

[1] https://crypto.stanford.edu/pbc/thesis.html
[2] https://crypto.stanford.edu/pbc/

Ekris
  • 476
  • 4
  • 5