PPE Circuits: Formal Definition to Software Automation

CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 2020 (2020)

Abstract
Pairing-based cryptography is widely used for its efficiency and functionality. When designing pairing-based schemes, one common task is to devise algorithms for verifying a set of untrusted group elements with respect to a set of trusted group elements. One might be searching for a verification algorithm for a signature scheme or a method for verifying an IBE/ABE private key with respect to the IBE/ABE public parameters. At ACM CCS 2019, Hohenberger and Vusirikala introduced the AutoPPE software tool for automatically generating a set of pairing product equations (PPEs) that can verify the correctness of a set of pairing group elements with respect to a set of trusted group elements. This task is non-trivial. Some schemes (e.g., those based on dual system encryption) provably do not support any efficient algorithm for verifying the private keys with respect to the public parameters. Other schemes (e.g., the Boyen-Waters anonymous IBE) were left in a gray area by Hohenberger-Vusirikala (CCS 19) -- no conjunction of PPEs was known for testing them, but no proof of untestability either. In this work, we significantly generalize and expand on the foundation of Hohenberger-Vusirikala (CCS 19). Specifically, we consider a larger space of verification algorithms, which we call PPE Circuits, to verify a set of untrusted group elements with respect to a set of trusted group elements. Informally, a PPE Circuit supports AND, OR, NOT and PPE gates, thus capturing all of the capability of AutoPPE while novelly enabling the verification algorithm to include arbitrary logic (as opposed to only conjunctions of PPEs). Our contributions include a formalization of PPE circuits, a provably-correct algorithm for searching for a PPE circuit given a description of the trusted and untrusted elements to be verified, and a new open-source software tool called AutoCircuitPPE that realizes this algorithm.
AutoCircuitPPE was tested on a host of test cases and it output PPE circuits for all "gray area" schemes left unresolved in Hohenberger-Vusirikala (CCS 19) as well as several new test cases, usually in 100 seconds or less.
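The difference between a single PPE and a PPE circuit with AND, OR and NOT gates can be seen on a small constructed case. The following is an added example, not code from the paper or from AutoCircuitPPE: it assumes a toy symmetric-pairing group whose elements are stored as exponents, a constructed target relation (F1, F2, F3), and hypothetical helper names throughout.

```python
from itertools import product

Q = 11  # constructed toy prime group order, small enough to enumerate

# Toy model (assumption): element g^x is stored as x mod Q, so the symmetric
# pairing e(g^a, g^b) = gT^(a*b) is just a*b mod Q. Insecure by design.
def pair(a, b):
    return (a * b) % Q

def ppe(*terms):
    """PPE gate over named elements: true iff prod e(X, Y)^k == 1 in G_T."""
    return lambda env: sum(k * pair(env[x], env[y]) for x, y, k in terms) % Q == 0

def AND(*gates): return lambda env: all(g(env) for g in gates)
def OR(*gates):  return lambda env: any(g(env) for g in gates)
def NOT(gate):   return lambda env: not gate(env)

# Constructed target: F1 = g^r1, F2 = g^(r1*r2), F3 = g^(r1*r2^2) for some r1, r2.
main_ppe = ppe(("F3", "F1", 1), ("F2", "F2", -1))  # e(F3,F1) == e(F2,F2)
f1_is_id = ppe(("F1", "g", 1))                      # e(F1,g) == 1
f3_is_id = ppe(("F3", "g", 1))                      # e(F3,g) == 1

# Case split: if F1 is the identity then r1 = 0, so F3 must be the identity too.
circuit = AND(main_ppe, OR(NOT(f1_is_id), f3_is_id))

def well_formed(f1, f2, f3):
    """Ground truth by exhaustive search over the hidden exponents."""
    return any((r1, r1 * r2 % Q, r1 * r2 * r2 % Q) == (f1, f2, f3)
               for r1, r2 in product(range(Q), repeat=2))

def mismatches(verifier):
    """All (F1, F2, F3) triples on which the verifier disagrees with the truth."""
    return [t for t in product(range(Q), repeat=3)
            if verifier({"g": 1, "F1": t[0], "F2": t[1], "F3": t[2]}) != well_formed(*t)]

if __name__ == "__main__":
    print("PPE alone, wrong on:", len(mismatches(main_ppe)), "inputs")
    print("PPE circuit, wrong on:", len(mismatches(circuit)), "inputs")
```

The lone PPE accepts every malformed triple where F1 and F2 are the identity and F3 is not; the circuit's extra OR/NOT branch rejects exactly those inputs.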
Keywords
Automated Proofs, Provable Security, Pairing-based Cryptography