efficient lattice h ibe in the standard model l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Efficient Lattice (H)IBE in the standard model PowerPoint Presentation
Download Presentation
Efficient Lattice (H)IBE in the standard model

Loading in 2 Seconds...

play fullscreen
1 / 27

Efficient Lattice (H)IBE in the standard model - PowerPoint PPT Presentation


  • 152 Views
  • Uploaded on

Efficient Lattice (H)IBE in the standard model. Shweta Agrawal, Dan Boneh, Xavier Boyen. IBE . Setup. Security Parameter λ. Public Params PP. Master secret key MSK. Extract. Identity ID. Secret key SK. Message m. Message m. Ciphertext C. Encrypt. Decrypt.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Efficient Lattice (H)IBE in the standard model' - zev


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
efficient lattice h ibe in the standard model
Efficient Lattice (H)IBE in the standard model
  • Shweta Agrawal, Dan Boneh, Xavier Boyen
slide2
IBE

Setup

Security Parameter λ

Public Params PP

Master secret key MSK

Extract

Identity ID

Secret key SK

Message

m

Message

m

Ciphertext

C

Encrypt

Decrypt

Arbitrary string id is public key!

prior work
Prior Work

Lattices

GPV08

CHKP10, AB09

CHKP10

ABB10a (this)

B10, ABB10a (this)

ABB10b (Crypto)

Bilinear Maps

BF01

CHK03

CHK03

BB04

W05

BBG05

IBE, RO

IBE, SM

HIBE, bit by bit

Efficient HIBE

Adaptive sec.

Small CT HIBE

our results
Our Results

CHKP10

ABB10

m

m

Id in Zqn

Id in {0,1}k

0

2m

2m

1

1

0

0

2m

2m

2m

2m

2m

1

0

Secret key is basis of (k+1)m lattice

Secret key is Õ (n2) bits

Ciphertext is Õ (kn) bits

(k+1)m

Secret key is vector in 2m lattice

Secret key is Õ (n) bits

Ciphertext is Õ (n) bits

our results5
Our Results

More efficient lattice based HIBE in the standard model (using delegation of CHKP10).

k: no of bits per identity d: maximum depth

l : level in hierarchy n: security parameter

why lattices
Why Lattices?
  • Strong hardness guarantees
  • Efficient operations, parallelizable
  • No quantum algorithm (yet)
what s a lattice
What’s a Lattice?

v’1

v1

v’2

v2

A set of points with periodic arrangement

Discrete subgroup in Rn

basis quality and hardness
Basis quality and Hardness
  • SVP, CVP, ISIS (...) hard given arbitrary (bad) basis.
  • Some hard lattice problems are easy given a good basis.
  • Many cryptosystems (GPV08, AB09, CHKP10, ABB10) exploit this asymmetry.

Here’s how………

exploiting asymmetry roughly
Exploiting Asymmetry(roughly)
  • Make bad basis public key
  • Make good basis private key
  • Encrypt using bad basis, decrypt using good basis
  • Recovering good basis from bad basis is hard !
isis or syndrome decoding

A

=

u

z

ISIS (or syndrome decoding)

Given matrix A over Zq, syndrome u over Zq, find ``small” (low norm) integer vector z such that Az=u mod q

n

n

m

m

Define fA(z) = Az

fA : space of ``small” m-dim vectors  n-dim vectors

Solving ISIS (or inverting fA) is hard !!

main idea gpv08
Main Idea (GPV08)
  • fA ( z ) = Az is hard to invert in general.
  • Λ = { e : A e = 0 } Zqm is a lattice
  • Can ``invert” fA given short basis for Λ !
  • Make A depend on identity Id and encrypt
  • using A.
  • A, vector u public , fA-1(u) private
intuition for constructions
Intuition for Constructions

Previous Systems [AB09, CHKP10]

  • Master secret key : basis for A0
  • Secret Key for (id=01) : basis for

F01 = [A0| A10|A21] (one block per bit!)

  • Know how to compute trapdoor for ``extended” matrix [T1|T2|T3]
  • Encrypt (b, id=01): Uses matrix F01
intuition contd
Intuition (contd)

Previous Systems: Simulation (selective sec.)

  • Let challenge identity id* = 11
  • Must not have SK for id*, hence don’t have master secret (basis for A0)!
  • Choose A0, A11, A21random (no TD)
  • Choose A10A20with TD
  • Can compute basis of F 01 =[ A0| A10|A21]
  • Cannot compute basis of F 11 =[ A0| A11|A21]
our new system abb10
Our new system [ABB10]
  • Id in Zqn is encoded ``all at once”!
  • Master secret: basis for A0
  • Encryption matrix Fid = [A0| A1 +id B]
  • Secret Key for id: = vector in Λ(Fid)

Fid fixed dimension !

our new system a bb10
Our new System [ABB10]

Simulation: Let challenge identity = id*

  • Don’t have basis for A0
  • Have basis for B
  • Let A1 = [A0R – id* ×B]
  • Fid= [A0| A0R + (id –id*)B]
  • Develop algorithm to find basis for Fid given basis for B
  • Trapdoor vanishes for id = id*

Fid = [A0| A1 +id B]

Random low norm

matrix

our new system
Our new system

PP = A0, A1, B

Real System

Simulation

MSK = Trapdoor for A0

MSK = Trapdoor for B

A1 = A0R – ID* B

A1 = Randomly chosen

Indistinguishable since R is random!

Encryption

matrix FID = [A0 | A1+ID.B]

= [A0 | A0R + (ID - ID*)B]

Encryption

matrix FID = [A0|A1+ID.B]

Secret Key = short vector in FID

Secret Key = short vector in FID

MSK  Key for any ID

Trapdoor for B  Key for ID ≠ ID*

the matrix r
The matrix R
  • Matrix R : each column randomly and independently chosen from {+1, -1}m
  • (A0, A1) indistinguishable from (A0, A0R)

by leftover hash lemma

  • Roughly states that R has enough entropy to make A0R look like A1
key generation real system
Key Generation (Real system)
  • Given A0, u, short basis for Λ(A0) can sample short e s.t. A0 e = u (GPV08)
  • Have short basis for Λ(A0), want short vector in Λ(A0 | A1) , i.e. e = e0 e1

A0 | A1 e0 = 0

e1

  • Easy! Pick short e1 randomly. Solve

for short e0using short basis for Λ(A0)

key queries simulation
Key Queries (simulation)
  • Have short basis for Λ(B)
  • Want short vector in Λ (A0 | A0R + ID. B) , i.e. e s.t.

A0 | A0R + ID. B e= 0

  • Pick short e0 randomly. Solve for short e1 s.t.

(ID. B) e1 = -A0e0using short basis for Λ(ID.B)

  • Output e0 – R e1

e1

FID e = A0e0 – A0Re1 + A0Re1 + (ID.B) e1 = 0

security
Security?

Learning With Errors: Distinguish ``noisy inner products” from uniform

Fix uniform s Zqn

a’1 , b’1

a’2 , b’2

a’m , b’m

a1 , b1 = <a1,s> + e1

a2 , b2 = <a2,s> + e2

am , bm = <am,s>+ em

?

ai uniform Zqn , ei ~ ϕ Zq

ai uniform Zqn , bi uniform Zq

ciphertext c 0 c 1
Ciphertext = (c0 c1)
  • c0= uTs + x + m [q/2] in Fq
  • Then (u, c0) is LWE instance
  • Indistinguishable from random!

c1 = FidTs + y in Fq2m

z

  • Fid = [A0 | A1 + id×R]
  • m instances of LWE!
slide25

Game!

  • Construct A0,u from LWE.
  • Pick B with T for Λ(B)
  • Pick random R
  • A1=AoR –id*B

Adversary

Query SK for {idj}

Guess G

Receives (m+1) LWE challenges

Announce id*

Send message M

Challenger

  • F = [A0| A0R + (id – id*) B ]
  • If id ≠ id*, can use trapdoor for B to sample e from Λ(F)
  • Do not have TD for id*, can answer all other queries

Enc(M) or random

Return SK for Idj

Send A0, A1, B

Use Guess G to solve LWE !!!

conclusions
Conclusions
  • Reviewed existing lattice based IBE
  • Examined new technique to encrypt without increasing the dimension of the encryption matrix
  • BB-style IBE and HIBE
  • About 160 times more efficient than CHKP10 (k needs to be 160 bits).