Efficient Lattice (H)IBE in the standard model
Shweta Agrawal, Dan Boneh, Xavier Boyen
2
IBE
Algorithms: Setup, Extract, Encrypt, Decrypt
Diagram labels: Security Parameter λ, Public Params PP, Master secret key MSK, Identity ID, Secret key SK, Message m, Ciphertext C
Arbitrary string id is public key!
3
Prior Work
Bilinear Maps: BF01; CHK03; CHK03; BB04; W05; BBG05
Lattices: GPV08; CHKP10, AB09; CHKP10; ABB10a (this); B10, ABB10a (this); ABB10b (Crypto)
Properties: IBE, RO; HIBE, bit by bit; IBE, SM; Efficient HIBE; Adaptive sec.; Small CT HIBE
4
Our Results
CHKP10 (Id in {0,1}^k):
• Secret key is basis of (k+1)m lattice
• Secret key is Õ(n^2) bits
• Ciphertext is Õ(kn) bits
ABB10 (Id in Zq^n):
• Secret key is vector in 2m lattice
• Secret key is Õ(n) bits
• Ciphertext is Õ(n) bits
5
Our Results
More efficient lattice based HIBE in the standard model (using delegation of CHKP10).
Scheme   Ciphertext length   Secret key length    Public params   Lattice dim.
CHKP10   Õ(k l n d^2)        Õ(k^2 l^3 n^2 d^2)   Õ(k n^2 d^3)    Õ(k l d n)
ABB10    Õ(l n d^2)          Õ(l^3 n^2 d^2)       Õ(n^2 d^3)      Õ(l d n)
k: no. of bits per identity; d: maximum depth; l: level in hierarchy; n: security parameter
6
Why Lattices?
Strong hardness guarantees
Efficient operations, parallelizable
No quantum algorithm (yet)
7
What’s a Lattice?
A set of points with periodic arrangement
Discrete subgroup in R^n
[Figure labels: v1, v2, v'1, v'2]
8
Parallelepipeds
9
Parallelepipeds
10
Basis quality and Hardness
• SVP, CVP, ISIS (...) hard given arbitrary (bad) basis.
• Some hard lattice problems are easy given a good basis.
• Many cryptosystems (GPV08, AB09, CHKP10,
ABB10) exploit this asymmetry.
Here’s how………
11
Exploiting Asymmetry (roughly)
Make bad basis public key
Make good basis private key
Encrypt using bad basis, decrypt using good basis
Recovering good basis from bad basis is hard !
12
More precisely….
The private key comes from the ISIS problem….
13
ISIS (or syndrome decoding)
Given matrix A over Zq, syndrome u over Zq, find "small" (low norm) integer vector z such that Az = u mod q
Define fA(z) = Az
fA : space of "small" m-dim vectors → n-dim vectors
[Figure: A (n × m) · z (m) = u (n)]
Solving ISIS (or inverting fA) is hard !!
14
Main Idea (GPV08)
• fA ( z ) = Az is hard to invert in general.
• Λ = { e : A e = 0 } ⊆ Zq^m is a lattice
• Can "invert" fA given short basis for Λ !
• Make A depend on identity Id and encrypt using A.
• A, vector u public, fA^-1(u) private
15
Intuition for Constructions
Previous Systems [AB09, CHKP10]
• Master secret key : basis for A0
• Secret Key for (id=01) : basis for F01 = [A0 | A_1^0 | A_2^1] (one block per bit!)
• Know how to compute trapdoor for ``extended” matrix [T1|T2|T3]
• Encrypt (b, id=01): Uses matrix F01
16
Intuition (contd)
Previous Systems: Simulation (selective sec.)
• Let challenge identity id* = 11
• Must not have SK for id*, hence don’t have master secret (basis for A0)!
• Choose A0, A_1^1, A_2^1 random (no TD)
• Choose A_1^0, A_2^0 with TD
• Can compute basis of F01 = [A0 | A_1^0 | A_2^1]
• Cannot compute basis of F11 = [A0 | A_1^1 | A_2^1]
17
Our new system [ABB10]
• Id in Zq^n is encoded "all at once"!
• Master secret: basis for A0
• Encryption matrix Fid = [A0 | A1 + id B]
• Secret Key for id = vector in Λ(Fid)
Fid fixed dimension !
18
Our new System [ABB10]
Simulation: Let challenge identity = id*
• Don’t have basis for A0
• Have basis for B
• Let A1 = [A0R – id* × B], where R is a random low norm matrix
• Fid = [A0 | A1 + id B] = [A0 | A0R + (id – id*)B]
• Develop algorithm to find basis for Fid given basis for B
• Trapdoor vanishes for id = id*
19
Our new system
PP = A0, A1, B
Real System:
• MSK = Trapdoor for A0
• A1 = Randomly chosen
• Encryption matrix FID = [A0 | A1 + ID.B]
• Secret Key = short vector in FID
• MSK → Key for any ID
Simulation:
• MSK = Trapdoor for B
• A1 = A0R – ID* B
• Encryption matrix FID = [A0 | A1 + ID.B] = [A0 | A0R + (ID - ID*)B]
• Secret Key = short vector in FID
• Trapdoor for B → Key for ID ≠ ID*
Indistinguishable since R is random!
20
The matrix R
• Matrix R : each column randomly and independently chosen from {+1, -1}^m
• (A0, A1) indistinguishable from (A0, A0R) by leftover hash lemma
• Roughly states that R has enough entropy to make A0R look like A1
21
Key Generation (Real system)
• Given A0, u, short basis for Λ(A0) can sample short e s.t. A0 e = u (GPV08)
• Have short basis for Λ(A0), want short vector in Λ(A0 | A1), i.e. e = (e0, e1) s.t. [A0 | A1] (e0, e1) = 0
• Easy! Pick short e1 randomly. Solve for short e0 using short basis for Λ(A0)
22
Key Queries (simulation)
• Have short basis for Λ(B)
• Want short vector in Λ(A0 | A0R + ID.B), i.e. e s.t. [A0 | A0R + ID.B] e = 0
• Pick short e0 randomly. Solve for short e1 s.t. (ID.B) e1 = -A0e0 using short basis for Λ(ID.B)
• Output e = (e0 – R e1, e1)
FID e = A0e0 – A0Re1 + A0Re1 + (ID.B) e1 = 0
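The simulated key query above, as an added toy example that is not code from the talk or the paper. Assumptions: the identity is a scalar in Zq, the factor written ID on this slide is taken as (ID – ID*) as on the previous slides, B is a powers-of-two gadget matrix standing in for "B with trapdoor", and e1 is found deterministically rather than by Gaussian sampling, so the parameters give no security.

```python
import random

q, n, k = 257, 4, 9              # toy sizes (assumed); need 2**k > q
m = n * k

def matvec(X, v):                # X v mod q
    return [sum(a * b for a, b in zip(row, v)) % q for row in X]

def matmul(X, Y):                # X Y mod q
    return [matvec(list(zip(*Y)), row) for row in X]

def lin(X, c, Y):                # X + c*Y mod q
    return [[(x + c * y) % q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

# Stand-in for "B with trapdoor": powers-of-two gadget matrix (not from the slides).
B = [[1 << (j % k) if j // k == i else 0 for j in range(m)] for i in range(n)]

def invert_B(t):                 # short e1 in {0,1}^m with B e1 = t (mod q)
    return [(ti >> b) & 1 for ti in t for b in range(k)]

def sim_setup(id_star, rng):     # simulator's public params: A1 = A0 R - id* B
    A0 = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    R = [[rng.choice((-1, 1)) for _ in range(m)] for _ in range(m)]
    return A0, lin(matmul(A0, R), -id_star, B), R

def F(A0, A1, ident):            # F_id = [A0 | A1 + id B]
    return [r0 + r1 for r0, r1 in zip(A0, lin(A1, ident, B))]

def sim_key(A0, R, id_star, ident, rng):
    d = (ident - id_star) % q
    if d == 0:
        return None              # trapdoor vanishes at id = id*
    e0 = [rng.choice((-1, 0, 1)) for _ in range(m)]
    d_inv = pow(d, -1, q)        # q is prime, so any d != 0 is invertible
    # Solve (d B) e1 = -A0 e0 using the trapdoor for B.
    e1 = invert_B([(-d_inv * x) % q for x in matvec(A0, e0)])
    Re1 = [sum(r * x for r, x in zip(row, e1)) for row in R]
    return [a - b for a, b in zip(e0, Re1)] + e1   # e = (e0 - R e1, e1)

if __name__ == "__main__":
    rng = random.Random(0)
    A0, A1, R = sim_setup(5, rng)
    e = sim_key(A0, R, 5, 9, rng)
    print(matvec(F(A0, A1, 9), e), max(abs(x) for x in e))
```

The simulator never uses a trapdoor for A0, and at id = id* the right half of F_id collapses to A0R, so no key can be produced there.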
23
Security?
Learning With Errors: Distinguish "noisy inner products" from uniform
Fix uniform s ∈ Zq^n
a1 , b1 = <a1,s> + e1
a2 , b2 = <a2,s> + e2
am , bm = <am,s> + em
ai uniform ∈ Zq^n , ei ~ ϕ ∈ Zq
?
ai uniform ∈ Zq^n , bi uniform ∈ Zq
24
Ciphertext = (c0 c1)
c1 = Fid^T s + y in Fq^2m
z
• Fid = [A0 | A1 + id×R]
• m instances of LWE!
c0 = u^T s + x + m [q/2] in Fq
• Then (u, c0) is LWE instance
• Indistinguishable from random!
25
Receives (m+1) LWE challenges
Announce id*
•Construct A0,u from LWE.
•Pick B with T for Λ(B)
•Pick random R
•A1 = A0R – id*B
Query SK for {idj}
• F = [A0 | A0R + (id – id*)B]
• If id ≠ id*, can use trapdoor for B to sample e from Λ(F)
• Do not have TD for id*, can answer all other queries
Send A0, A1, B
Return SK for Idj
Enc(M) or random
Send message M
Guess G
Use Guess G to solve LWE !!!
Game!
26
Conclusions
• Reviewed existing lattice based IBE
• Examined new technique to encrypt without increasing the dimension of the encryption matrix
• BB-style IBE and HIBE
• About 160 times more efficient than CHKP10 (k needs to be 160 bits).
27
Thank you!
Questions?