Polynomial Spaces: A New Framework for Composite-to-Prime-Order Transformations

At Eurocrypt 2010, Freeman presented a framework to convert cryptosystems based on composite-order groups into ones that use prime-order groups. Such a transformation is interesting not only froma conceptual point of view, but also since for relevant parameters, operations in prime-order groups arefaster than composite-order operations by an order of magnitude. Since Freeman’s work, several otherworks have shown improvements, but also lower bounds on the efficiency of such conversions.In this work, we present a new framework for composite-to-prime-order conversions. Our framework isin the spirit of Freeman’s work; however, we develop a different, “polynomial” view of his approach, andrevisit several of his design decisions. This eventually leads to significant efficiency improvements, andenables us to circumvent previous lower bounds. Specifically, we show how to verify Groth-Sahai proofsin a prime-order environment (with a symmetric pairing) almost twice as efficiently as the state of theart.We also show that our new conversions are optimal in a very broad sense. Besides, our conversionsalso apply in settings with a multilinear map, and can be instantiated from a variety of computationalassumptions (including, e.g., the k-linear assumption).