Download presentation

Presentation is loading. Please wait.

Published byRebecca Henderson Modified over 2 years ago

1
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen

2
2 IBE Setup Extract Encrypt Decrypt Public Params PP Master secret key MSK Security Parameter λ Identity ID Secret key SK Messag e m Ciphertext C Message m Arbitrary string id is public key!

3
3 Prior Work Bilinear Maps BF01 CHK03 BB04 W05 BBG05 Lattices GPV08 CHKP10, AB09 CHKP10 ABB10a (this) B10, ABB10a (this) ABB10b (Crypto) IBE, RO HIBE, bit by bit IBE, SM Efficient HIBE Adaptive sec. Small CT HIBE

4
4 Our Results Secret key is basis of (k+1)m lattice Secret key is Õ (n 2 ) bits Ciphertext is Õ (kn) bits (k+1) m 0 m 2m Id in {0,1} k CHKP10 1 m 2m Id in Z q n ABB10 Secret key is vector in 2m lattice Secret key is Õ (n) bits Ciphertext is Õ (n) bits

5
5 Our Results More efficient lattice based HIBE in the standard model (using delegation of CHKP10). SchemeCiphertext length Secret Key length Public params Lattice dim. CHKP10Õ (klnd 2 )Õ (k 2 l 3 n 2 d 2 )Õ (kn 2 d 3 )Õ (kldn) ABB10Õ (lnd 2 )Õ (l 3 n 2 d 2 )Õ (n 2 d 3 )Õ (ldn) k: no of bits per identity d: maximum depth l : level in hierarchy n: security parameter

6
6 Why Lattices? Strong hardness guarantees Efficient operations, parallelizable No quantum algorithm (yet)

7
7 Whats a Lattice? A set of points with periodic arrangement Discrete subgroup in R n v1v1 v2v2 v2v2 v1v1

8
8 Parallelepipeds

9
9

10
10 Basis quality and Hardness SVP, CVP, ISIS (...) hard given arbitrary (bad) basis. Some hard lattice problems are easy given a good basis. Many cryptosystems (GPV08, AB09, CHKP10, ABB10) exploit this asymmetry. Heres how………

11
11 Exploiting Asymmetry (roughly) Make bad basis public key Make good basis private key Encrypt using bad basis, decrypt using good basis Recovering good basis from bad basis is hard !

12
12 More precisely…. The private key comes from the ISIS problem….

13
13 ISIS (or syndrome decoding) Given matrix A over Z q, syndrome u over Z q, find ``small (low norm) integer vector z such that Az=u mod q Define f A (z) = Az A z u = f A : space of ``small m-dim vectors n-dim vectors n m m n Solving ISIS (or inverting f A ) is hard !!

14
14 Main Idea (GPV08) f A ( z ) = Az is hard to invert in general. Λ = { e : A e = 0 } Z q m is a lattice Can ``invert f A given short basis for Λ ! Make A depend on identity Id and encrypt using A. A, vector u public, f A -1 (u) private

15
15 Intuition for Constructions Previous Systems [AB09, CHKP10] Master secret key : basis for A 0 Secret Key for (id=01) : basis for F 01 = [A 0 | A 1 0 |A 2 1 ] (one block per bit!) Know how to compute trapdoor for ``extended matrix [T 1 |T 2 |T 3 ] Encrypt (b, id=01): Uses matrix F 01

16
16 Intuition (contd) Previous Systems: Simulation (selective sec.) Let challenge identity id * = 11 Must not have SK for id *, hence dont have master secret (basis for A 0 )! Choose A 0, A 1 1, A 2 1 random (no TD) Choose A 1 0 A 2 0 with TD Can compute basis of F 01 =[ A 0 | A 1 0 |A 2 1 ] Cannot compute basis of F 11 =[ A 0 | A 1 1 |A 2 1 ]

17
17 Our new system [ABB10] Id in Z q n is encoded ``all at once! Master secret: basis for A 0 Encryption matrix F id = [A 0 | A 1 +id B] Secret Key for id: = vector in Λ(F id ) F id fixed dimension !

18
18 Our new System [ABB10] Simulation: Let challenge identity = id * Dont have basis for A 0 Have basis for B Let A 1 = [A 0 R – id * ×B] F id = [A 0 | A 0 R + (id –id * )B] Develop algorithm to find basis for F id given basis for B Trapdoor vanishes for id = id * F id = [A 0 | A 1 +id B] Random low norm matrix

19
19 Our new system PP = A 0, A 1, B Real System Simulation MSK = Trapdoor for A 0 MSK = Trapdoor for B A 1 = Randomly chosen Encryption matrix F ID = [A 0 |A 1 +ID.B] Secret Key = short vector in F ID Encryption matrix F ID = [A 0 | A 1 +ID.B] = [A 0 | A 0 R + (ID - ID * )B] A 1 = A 0 R – ID * B MSK Key for any IDTrapdoor for B Key for ID ID * Indistinguishable since R is random!

20
20 The matrix R Matrix R : each column randomly and independently chosen from {+1, -1} m (A 0, A 1 ) indistinguishable from (A 0, A 0 R) by leftover hash lemma Roughly states that R has enough entropy to make A 0 R look like A 1

21
21 Key Generation (Real system) Given A 0, u, short basis for Λ(A 0 ) can sample short e s.t. A 0 e = u (GPV08) Have short basis for Λ(A 0 ), want short vector in Λ(A 0 | A 1 ), i.e. e = e 0 e 1 A 0 | A 1 e 0 = 0 e 1 Easy! Pick short e 1 randomly. Solve for short e 0 using short basis for Λ(A 0 )

22
22 Key Queries (simulation) Have short basis for Λ(B) Want short vector in Λ (A 0 | A 0 R + ID. B), i.e. e s.t. A 0 | A 0 R + ID. B e = 0 Pick short e 0 randomly. Solve for short e 1 s.t. (ID. B) e 1 = -A 0 e 0 using short basis for Λ(ID.B) Output e 0 – R e 1 e 1 F ID e = A 0 e 0 – A 0 Re 1 + A 0 Re 1 + (ID.B) e 1 = 0

23
23 Security? Learning With Errors : Distinguish ``noisy inner products from uniform Fix uniform s Z q n a 1, b 1 = + e 1 a 2, b 2 = + e 2 a m, b m = + e m ? a 1, b 1 a 2, b 2 a m, b m a i uniform Z q n, e i ~ ϕ Z q a i uniform Z q n, b i uniform Z q

24
24 Ciphertext = (c 0 c 1 ) c 1 = F id T s + y in F q 2m z F id = [A 0 | A 1 + id×R] m instances of LWE! c 0 = u T s + x + m [q/2] in F q Then (u, c 0 ) is LWE instance Indistinguishable from random!

25
25 Receives (m+1) LWE challenges Announce id * Construct A 0,u from LWE. Pick B with T for Λ(B) Pick random R A 1 =A o R – id * B Query SK for {id j } F = [A 0 | A 0 R + (id – id * ) B ] If id id *, can use trapdoor for B to sample e from Λ(F) Do not have TD for id *, can answer all other queries Send A 0, A 1, B Return SK for Id j Enc(M) or random Send message M Guess G Use Guess G to solve LWE !!! Game!

26
26 Conclusions Reviewed existing lattice based IBE Examined new technique to encrypt without increasing the dimension of the encryption matrix BB-style IBE and HIBE About 160 times more efficient than CHKP10 (k needs to be 160 bits).

27
27 Thank you! Questions?

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google