Efficient Lattice (H)IBE in the standard model • Shweta Agrawal, Dan Boneh, Xavier Boyen
IBE
• Setup: Security Parameter λ → Public Params PP, Master secret key MSK
• Extract: Identity ID → Secret key SK
• Encrypt: Message m → Ciphertext C
• Decrypt: Ciphertext C → Message m
• Arbitrary string id is public key!
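Prior Work
• IBE, RO: Lattices GPV08; Bilinear Maps BF01
• IBE, SM: Lattices CHKP10, AB09; Bilinear Maps CHK03
• HIBE, bit by bit: Lattices CHKP10; Bilinear Maps CHK03
• Efficient HIBE: Lattices ABB10a (this); Bilinear Maps BB04
• Adaptive sec.: Lattices B10, ABB10a (this); Bilinear Maps W05
• Small CT HIBE: Lattices ABB10b (Crypto); Bilinear Maps BBG05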
Our Results
• CHKP10, Id in $\{0,1\}^k$: secret key is basis of $(k+1)m$ lattice; secret key is $\tilde{O}(n^2)$ bits; ciphertext is $\tilde{O}(kn)$ bits
• ABB10, Id in $\mathbb{Z}_q^n$: secret key is vector in $2m$ lattice; secret key is $\tilde{O}(n)$ bits; ciphertext is $\tilde{O}(n)$ bits
Our Results
• More efficient lattice based HIBE in the standard model (using delegation of CHKP10).
• k: no. of bits per identity
• d: maximum depth
• l: level in hierarchy
• n: security parameter
Why Lattices?
• Strong hardness guarantees
• Efficient operations, parallelizable
• No quantum algorithm (yet)
What’s a Lattice?
• A set of points with periodic arrangement
• Discrete subgroup in $\mathbb{R}^n$
[Figure: lattice with vectors v1, v2 and v'1, v'2]
Basis quality and Hardness
• SVP, CVP, ISIS (...) hard given arbitrary (bad) basis.
• Some hard lattice problems are easy given a good basis.
• Many cryptosystems (GPV08, AB09, CHKP10, ABB10) exploit this asymmetry.
Here’s how...
Exploiting Asymmetry (roughly)
• Make bad basis public key
• Make good basis private key
• Encrypt using bad basis, decrypt using good basis
• Recovering good basis from bad basis is hard!
More precisely... The private key comes from the ISIS problem...
ISIS (or syndrome decoding)
• Given matrix $A \in \mathbb{Z}_q^{n \times m}$ and syndrome $u \in \mathbb{Z}_q^n$, find "small" (low norm) integer vector $z$ such that $Az = u \bmod q$
• Define $f_A(z) = Az$
• $f_A$: space of "small" m-dim vectors → n-dim vectors
• Solving ISIS (or inverting $f_A$) is hard!!
Main Idea (GPV08)
• $f_A(z) = Az$ is hard to invert in general.
• $\Lambda = \{ e : Ae = 0 \} \subseteq \mathbb{Z}_q^m$ is a lattice
• Can "invert" $f_A$ given short basis for $\Lambda$!
• Make A depend on identity Id and encrypt using A.
• A, vector u public, $f_A^{-1}(u)$ private
Intuition for Constructions
Previous Systems [AB09, CHKP10]
• Master secret key: basis for $A_0$
• Secret Key for (id=01): basis for $F_{01} = [A_0 | A_1^0 | A_2^1]$ (one block per bit!)
• Know how to compute trapdoor for "extended" matrix $[T_1 | T_2 | T_3]$
• Encrypt (b, id=01): Uses matrix $F_{01}$
Intuition (contd)
Previous Systems: Simulation (selective sec.)
• Let challenge identity id* = 11
• Must not have SK for id*, hence don’t have master secret (basis for $A_0$)!
• Choose $A_0, A_1^1, A_2^1$ random (no TD)
• Choose $A_1^0, A_2^0$ with TD
• Can compute basis of $F_{01} = [A_0 | A_1^0 | A_2^1]$
• Cannot compute basis of $F_{11} = [A_0 | A_1^1 | A_2^1]$
Our new system [ABB10]
• Id in $\mathbb{Z}_q^n$ is encoded "all at once"!
• Master secret: basis for $A_0$
• Encryption matrix $F_{id} = [A_0 | A_1 + id\,B]$
• Secret Key for id: vector in $\Lambda(F_{id})$
• $F_{id}$ fixed dimension!
Our new System [ABB10]
Simulation: Let challenge identity = id*
• Encryption matrix $F_{id} = [A_0 | A_1 + id\,B]$
• Don’t have basis for $A_0$
• Have basis for $B$
• Let $A_1 = [A_0 R - id^* \times B]$ (R: random low norm matrix)
• $F_{id} = [A_0 | A_0 R + (id - id^*) B]$
• Develop algorithm to find basis for $F_{id}$ given basis for $B$
• Trapdoor vanishes for id = id*
Our new system
• PP = $A_0, A_1, B$
Real System
• MSK = Trapdoor for $A_0$
• $A_1$ = Randomly chosen
• Encryption matrix $F_{ID} = [A_0 | A_1 + ID \cdot B]$
• Secret Key = short vector in $F_{ID}$
• MSK → Key for any ID
Simulation
• MSK = Trapdoor for $B$
• $A_1 = A_0 R - ID^* B$
• Encryption matrix $F_{ID} = [A_0 | A_1 + ID \cdot B] = [A_0 | A_0 R + (ID - ID^*) B]$
• Secret Key = short vector in $F_{ID}$
• Trapdoor for $B$ → Key for ID ≠ ID*
Indistinguishable since R is random!
The matrix R
• Matrix R: each column randomly and independently chosen from $\{+1, -1\}^m$
• $(A_0, A_1)$ indistinguishable from $(A_0, A_0 R)$ by leftover hash lemma
• Roughly states that R has enough entropy to make $A_0 R$ look like $A_1$
Key Generation (Real system)
• Given $A_0$, $u$, short basis for $\Lambda(A_0)$ can sample short $e$ s.t. $A_0 e = u$ (GPV08)
• Have short basis for $\Lambda(A_0)$, want short vector in $\Lambda(A_0 | A_1)$, i.e. $e = \begin{pmatrix} e_0 \\ e_1 \end{pmatrix}$ s.t. $[A_0 | A_1] \begin{pmatrix} e_0 \\ e_1 \end{pmatrix} = 0$
• Easy! Pick short $e_1$ randomly. Solve for short $e_0$ using short basis for $\Lambda(A_0)$
Key Queries (simulation)
• Have short basis for $\Lambda(B)$
• Want short vector in $\Lambda(A_0 | A_0 R + ID \cdot B)$, i.e. $e$ s.t. $[A_0 | A_0 R + ID \cdot B]\, e = 0$
• Pick short $e_0$ randomly. Solve for short $e_1$ s.t. $(ID \cdot B)\, e_1 = -A_0 e_0$ using short basis for $\Lambda(ID \cdot B)$
• Output $e = \begin{pmatrix} e_0 - R e_1 \\ e_1 \end{pmatrix}$
• $F_{ID}\, e = A_0 e_0 - A_0 R e_1 + A_0 R e_1 + (ID \cdot B)\, e_1 = 0$
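Security?
Learning With Errors: Distinguish "noisy inner products" from uniform
• Fix uniform $s \in \mathbb{Z}_q^n$
• LWE samples: $(a_1, b_1 = \langle a_1, s \rangle + e_1),\ (a_2, b_2 = \langle a_2, s \rangle + e_2),\ \ldots,\ (a_m, b_m = \langle a_m, s \rangle + e_m)$, with $a_i$ uniform in $\mathbb{Z}_q^n$, $e_i \sim \phi$ over $\mathbb{Z}_q$
• Uniform samples: $(a'_1, b'_1),\ (a'_2, b'_2),\ \ldots,\ (a'_m, b'_m)$, with $a'_i$ uniform in $\mathbb{Z}_q^n$, $b'_i$ uniform in $\mathbb{Z}_q$
• Which of the two?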
Ciphertext = $(c_0, c_1)$
• $c_0 = u^T s + x + m \lfloor q/2 \rfloor$ in $\mathbb{F}_q$
• Then $(u, c_0)$ is LWE instance
• Indistinguishable from random!
• $c_1 = F_{id}^T s + y$ in $\mathbb{F}_q^{2m}$
• $F_{id} = [A_0 | A_1 + id \times B]$
• m instances of LWE!
Game!
Challenger
• Receives (m+1) LWE challenges
• Construct $A_0$, $u$ from LWE.
• Pick $B$ with $T$ for $\Lambda(B)$
• Pick random $R$
• $A_1 = A_0 R - id^* B$
• $F = [A_0 | A_0 R + (id - id^*) B]$
• If id ≠ id*, can use trapdoor for $B$ to sample $e$ from $\Lambda(F)$
• Do not have TD for id*, can answer all other queries
Messages
• Adversary: Announce id*
• Challenger: Send $A_0, A_1, B$
• Adversary: Query SK for $\{id_j\}$
• Challenger: Return SK for $id_j$
• Adversary: Send message M
• Challenger: Enc(M) or random
• Adversary: Guess G
• Challenger: Use Guess G to solve LWE!!!
Conclusions
• Reviewed existing lattice based IBE
• Examined new technique to encrypt without increasing the dimension of the encryption matrix
• BB-style IBE and HIBE
• About 160 times more efficient than CHKP10 (k needs to be 160 bits).