Efficient Lattice (H)IBE in the standard model

Shweta Agrawal, Dan Boneh, Xavier Boyen

2

IBE Setup

Extract

Encrypt

Decrypt

Public Params PP

Master secret key MSK

Security Parameter λ

Identity ID

Secret key SK

Message m

Ciphertext C

Message m

Arbitrary string id is public key!

3

Prior Work

Bilinear Maps

BF01

CHK03

CHK03

BB04

W05

BBG05

Lattices

GPV08

CHKP10, AB09

CHKP10

ABB10a (this)

B10, ABB10a (this)

ABB10b (Crypto)

IBE, RO

HIBE, bit by bit

IBE, SM

Efficient HIBE

Adaptive sec.

Small CT HIBE

4

Our Results

Secret key is basis of (k+1)m latticeSecret key is Õ (n2) bitsCiphertext is Õ (kn) bits

(k+1)m

0

m

2m

2m

0

0 1 0 1

Id in {0,1}k

CHKP10

1

m

2m 2m 2m 2m

2m

Id in Zqn

ABB10

Secret key is vector in 2m latticeSecret key is Õ (n) bitsCiphertext is Õ (n) bits

5

Our ResultsMore efficient lattice based HIBE in the

standard model (using delegation of CHKP10).

Scheme Ciphertext length

SecretKey length

Publicparams

Lattice dim.

CHKP10 Õ (klnd2) Õ (k2l3n2d2) Õ (kn2d3) Õ (kldn)

ABB10 Õ (lnd2) Õ (l3n2d2) Õ (n2d3) Õ (ldn)

k: no of bits per identity d: maximum depthl : level in hierarchy n: security parameter

6

Why Lattices?

Strong hardness guarantees

Efficient operations, parallelizable

No quantum algorithm (yet)

7

What’s a Lattice?

A set of points with periodic arrangementDiscrete subgroup in Rn

v1

v2

v’2

v’1

8

Parallelepipeds

9

Parallelepipeds

10

Basis quality and Hardness

• SVP, CVP, ISIS (...) hard given arbitrary (bad) basis.

• Some hard lattice problems are easy given a good basis.

• Many cryptosystems (GPV08, AB09, CHKP10,

ABB10) exploit this asymmetry.

Here’s how………

11

Exploiting Asymmetry(roughly)

Make bad basis public key

Make good basis private key

Encrypt using bad basis, decrypt using good basis

Recovering good basis from bad basis is hard !

12

More precisely….

The private key comes from the ISIS problem….

13

ISIS (or syndrome decoding)

Given matrix A over Zq, syndrome u over Zq, find ``small” (low norm) integer vector

z such that Az=u mod q

Define fA(z) = Az

A z u=

fA : space of ``small” m-dim vectors n-dim vectors

n

m

m n

Solving ISIS (or inverting fA) is hard !!

14

Main Idea (GPV08)

• fA ( z ) = Az is hard to invert in general.

• Λ = { e : A e = 0 } Zqm is a lattice

• Can ``invert” fA given short basis for Λ !

⊆

• Make A depend on identity Id and encrypt using A.• A, vector u public , fA

-1(u) private

15

Intuition for Constructions

Previous Systems [AB09, CHKP10]

• Master secret key : basis for A0

• Secret Key for (id=01) : basis for

F01 = [A0| A10|A2

1] (one block per bit!)

• Know how to compute trapdoor for ``extended” matrix [T1|T2|T3]

• Encrypt (b, id=01): Uses matrix F01

16

Intuition (contd)Previous Systems: Simulation (selective

sec.)

• Let challenge identity id* = 11

• Must not have SK for id*, hence don’t have master secret (basis for A0)!

• Choose A0, A11, A2

1 random (no TD)

• Choose A10 A2

0 with TD

• Can compute basis of F 01 =[ A0| A10|A2

1]

• Cannot compute basis of F 11 =[ A0| A11|

A21]

17

Our new system [ABB10]

• Id in Zqn is encoded ``all at once”!

• Master secret: basis for A0

• Encryption matrix Fid = [A0| A1 +id B]

• Secret Key for id: = vector in Λ(Fid)

Fid fixed dimension !

18

Our new System [ABB10]

Simulation: Let challenge identity = id*

• Don’t have basis for A0

• Have basis for B

• Let A1 = [A0R – id* ×B]

• Fid = [A0| A0R + (id –id*)B]

• Develop algorithm to find basis for Fid given basis for B

• Trapdoor vanishes for id = id*

Fid = [A0| A1 +id B]

Random low norm matrix

19

Our new systemPP = A0, A1, B

Real System Simulation

MSK = Trapdoor for A0

MSK = Trapdoor for B

A1 = Randomly chosen

Encryption matrix FID = [A0|A1+ID.B]

Secret Key = short vector in FIDSecret Key = short vector in FID

Encryptionmatrix FID = [A0 | A1+ID.B]

= [A0 | A0R + (ID - ID*)B]

A1 = A0R – ID* B

MSK Key for any ID Trapdoor for B Key for ID ≠ ID*

Indistinguishable since R is random!

20

The matrix R• Matrix R : each column randomly

and independently chosen from {+1, -1}m

• (A0, A1) indistinguishable from (A0, A0R)

by leftover hash lemma

• Roughly states that R has enough entropy to make A0R look like A1

21

Key Generation (Real system)

• Given A0, u, short basis for Λ(A0) can sample short e s.t. A0 e = u (GPV08)

• Have short basis for Λ(A0), want short vector in Λ(A0 | A1) , i.e. e = e0 e1 A0 | A1 e0 = 0

e1

• Easy! Pick short e1 randomly. Solve for short e0 using short basis for Λ(A0)

22

Key Queries (simulation)

• Have short basis for Λ(B)

• Want short vector in Λ (A0 | A0R + ID. B) , i.e. e s.t. A0 | A0R + ID. B e = 0

• Pick short e0 randomly. Solve for short e1 s.t. (ID. B) e1 = -A0e0 using short basis for Λ(ID.B)

• Output e0 – R e1

e1

FID e = A0e0 – A0Re1 + A0Re1 + (ID.B) e1 = 0

23

Security?Learning With Errors:

Distinguish ``noisy inner products” from uniform

Fix uniform s Zqn ∈

a1 , b1 = <a1,s> + e1

a2 , b2 = <a2,s> + e2

am , bm = <am,s>+ em

?

ai uniform Zqn , ei ~ ϕ

Zq

∈ ai uniform Zqn , bi uniform

Zq

∈ ∈∈

24

Ciphertext = (c0 c1)

c1 = FidTs + y in Fq

2m

z

• Fid = [A0 | A1 + id×R]

• m instances of LWE!

c0= uTs + x + m [q/2] in Fq

• Then (u, c0) is LWE instance

• Indistinguishable from random!

25

Receives (m+1) LWE challenges

Announce id*

•Construct A0,u from LWE.

•Pick B with T for Λ(B)

•Pick random R

•A1=AoR – id*B

Query SK for {idj}

• F = [A0| A0R + (id – id*)

B ]

• If id ≠ id*, can use trapdoor for B to sample e from Λ(F)

• Do not have TD for id*, can answer all other queries

Send A0, A1, B

Return SK for Idj

Enc(M) or random

Send message M

Guess GUse Guess G to solve LWE !!!

Game!

26

Conclusions

• Reviewed existing lattice based IBE

• Examined new technique to encrypt without increasing the dimension of the encryption matrix

• BB-style IBE and HIBE

• About 160 times more efficient than CHKP10 (k needs to be 160 bits).

27

Thank you!

Questions?