Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Published byRebecca Henderson Modified over 10 years ago

Similar presentations

Presentation on theme: "Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen."— Presentation transcript:

1 Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen

2 2 IBE Setup Extract Encrypt Decrypt Public Params PP Master secret key MSK Security Parameter λ Identity ID Secret key SK Messag e m Ciphertext C Message m Arbitrary string id is public key!

3 3 Prior Work Bilinear Maps BF01 CHK03 BB04 W05 BBG05 Lattices GPV08 CHKP10, AB09 CHKP10 ABB10a (this) B10, ABB10a (this) ABB10b (Crypto) IBE, RO HIBE, bit by bit IBE, SM Efficient HIBE Adaptive sec. Small CT HIBE

4 4 Our Results Secret key is basis of (k+1)m lattice Secret key is Õ (n 2 ) bits Ciphertext is Õ (kn) bits (k+1) m 0 m 2m 0 0 1 0 1 Id in {0,1} k CHKP10 1 m 2m Id in Z q n ABB10 Secret key is vector in 2m lattice Secret key is Õ (n) bits Ciphertext is Õ (n) bits

5 5 Our Results More efficient lattice based HIBE in the standard model (using delegation of CHKP10). SchemeCiphertext length Secret Key length Public params Lattice dim. CHKP10Õ (klnd 2 )Õ (k 2 l 3 n 2 d 2 )Õ (kn 2 d 3 )Õ (kldn) ABB10Õ (lnd 2 )Õ (l 3 n 2 d 2 )Õ (n 2 d 3 )Õ (ldn) k: no of bits per identity d: maximum depth l : level in hierarchy n: security parameter

6 6 Why Lattices? Strong hardness guarantees Efficient operations, parallelizable No quantum algorithm (yet)

7 7 Whats a Lattice? A set of points with periodic arrangement Discrete subgroup in R n v1v1 v2v2 v2v2 v1v1

8 8 Parallelepipeds

9 9

10 10 Basis quality and Hardness SVP, CVP, ISIS (...) hard given arbitrary (bad) basis. Some hard lattice problems are easy given a good basis. Many cryptosystems (GPV08, AB09, CHKP10, ABB10) exploit this asymmetry. Heres how………

11 11 Exploiting Asymmetry (roughly) Make bad basis public key Make good basis private key Encrypt using bad basis, decrypt using good basis Recovering good basis from bad basis is hard !

12 12 More precisely…. The private key comes from the ISIS problem….

13 13 ISIS (or syndrome decoding) Given matrix A over Z q, syndrome u over Z q, find ``small (low norm) integer vector z such that Az=u mod q Define f A (z) = Az A z u = f A : space of ``small m-dim vectors n-dim vectors n m m n Solving ISIS (or inverting f A ) is hard !!

14 14 Main Idea (GPV08) f A ( z ) = Az is hard to invert in general. Λ = { e : A e = 0 } Z q m is a lattice Can ``invert f A given short basis for Λ ! Make A depend on identity Id and encrypt using A. A, vector u public, f A -1 (u) private

15 15 Intuition for Constructions Previous Systems [AB09, CHKP10] Master secret key : basis for A 0 Secret Key for (id=01) : basis for F 01 = [A 0 | A 1 0 |A 2 1 ] (one block per bit!) Know how to compute trapdoor for ``extended matrix [T 1 |T 2 |T 3 ] Encrypt (b, id=01): Uses matrix F 01

16 16 Intuition (contd) Previous Systems: Simulation (selective sec.) Let challenge identity id * = 11 Must not have SK for id *, hence dont have master secret (basis for A 0 )! Choose A 0, A 1 1, A 2 1 random (no TD) Choose A 1 0 A 2 0 with TD Can compute basis of F 01 =[ A 0 | A 1 0 |A 2 1 ] Cannot compute basis of F 11 =[ A 0 | A 1 1 |A 2 1 ]

17 17 Our new system [ABB10] Id in Z q n is encoded ``all at once! Master secret: basis for A 0 Encryption matrix F id = [A 0 | A 1 +id B] Secret Key for id: = vector in Λ(F id ) F id fixed dimension !

18 18 Our new System [ABB10] Simulation: Let challenge identity = id * Dont have basis for A 0 Have basis for B Let A 1 = [A 0 R – id * ×B] F id = [A 0 | A 0 R + (id –id * )B] Develop algorithm to find basis for F id given basis for B Trapdoor vanishes for id = id * F id = [A 0 | A 1 +id B] Random low norm matrix

19 19 Our new system PP = A 0, A 1, B Real System Simulation MSK = Trapdoor for A 0 MSK = Trapdoor for B A 1 = Randomly chosen Encryption matrix F ID = [A 0 |A 1 +ID.B] Secret Key = short vector in F ID Encryption matrix F ID = [A 0 | A 1 +ID.B] = [A 0 | A 0 R + (ID - ID * )B] A 1 = A 0 R – ID * B MSK Key for any IDTrapdoor for B Key for ID ID * Indistinguishable since R is random!

20 20 The matrix R Matrix R : each column randomly and independently chosen from {+1, -1} m (A 0, A 1 ) indistinguishable from (A 0, A 0 R) by leftover hash lemma Roughly states that R has enough entropy to make A 0 R look like A 1

21 21 Key Generation (Real system) Given A 0, u, short basis for Λ(A 0 ) can sample short e s.t. A 0 e = u (GPV08) Have short basis for Λ(A 0 ), want short vector in Λ(A 0 | A 1 ), i.e. e = e 0 e 1 A 0 | A 1 e 0 = 0 e 1 Easy! Pick short e 1 randomly. Solve for short e 0 using short basis for Λ(A 0 )

22 22 Key Queries (simulation) Have short basis for Λ(B) Want short vector in Λ (A 0 | A 0 R + ID. B), i.e. e s.t. A 0 | A 0 R + ID. B e = 0 Pick short e 0 randomly. Solve for short e 1 s.t. (ID. B) e 1 = -A 0 e 0 using short basis for Λ(ID.B) Output e 0 – R e 1 e 1 F ID e = A 0 e 0 – A 0 Re 1 + A 0 Re 1 + (ID.B) e 1 = 0

23 23 Security? Learning With Errors : Distinguish ``noisy inner products from uniform Fix uniform s Z q n a 1, b 1 = + e 1 a 2, b 2 = + e 2 a m, b m = + e m ? a 1, b 1 a 2, b 2 a m, b m a i uniform Z q n, e i ~ ϕ Z q a i uniform Z q n, b i uniform Z q

24 24 Ciphertext = (c 0 c 1 ) c 1 = F id T s + y in F q 2m z F id = [A 0 | A 1 + id×R] m instances of LWE! c 0 = u T s + x + m [q/2] in F q Then (u, c 0 ) is LWE instance Indistinguishable from random!

25 25 Receives (m+1) LWE challenges Announce id * Construct A 0,u from LWE. Pick B with T for Λ(B) Pick random R A 1 =A o R – id * B Query SK for {id j } F = [A 0 | A 0 R + (id – id * ) B ] If id id *, can use trapdoor for B to sample e from Λ(F) Do not have TD for id *, can answer all other queries Send A 0, A 1, B Return SK for Id j Enc(M) or random Send message M Guess G Use Guess G to solve LWE !!! Game!

26 26 Conclusions Reviewed existing lattice based IBE Examined new technique to encrypt without increasing the dimension of the encryption matrix BB-style IBE and HIBE About 160 times more efficient than CHKP10 (k needs to be 160 bits).

27 27 Thank you! Questions?

Download ppt "Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen."

Similar presentations

CLASSICAL ENCRYPTION TECHNIQUES

CLASSICAL ENCRYPTION TECHNIQUES
You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…

You have been given a mission and a code. Use the code to complete the mission and you will save the world from obliteration…
Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Using Matrices in Real Life

Using Matrices in Real Life
Advanced Piloting Cruise Plot.

Advanced Piloting Cruise Plot.
Symmetric Encryption Prof. Ravi Sandhu.

Symmetric Encryption Prof. Ravi Sandhu.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Subspace Embeddings for the L1 norm with Applications Christian Sohler David Woodruff TU Dortmund IBM Almaden.

Subspace Embeddings for the L1 norm with Applications Christian Sohler David Woodruff TU Dortmund IBM Almaden.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
My Alphabet Book abcdefghijklm nopqrstuvwxyz.

My Alphabet Book abcdefghijklm nopqrstuvwxyz.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.

FACTORING ax2 + bx + c Think “unfoil” Work down, Show all steps.
Addition Facts 1 - 20.

Addition Facts
Cryptography encryption authentication digital signatures

Cryptography encryption authentication digital signatures
RSA.

RSA.
1 Pretty Good Privacy (PGP) Security for Electronic Email.

1 Pretty Good Privacy (PGP) Security for Electronic .

Similar presentations

Ads by Google