Lattices, Codes, Crypto

Efficient Lattice (H)IBE in the standard model
Shweta Agrawal, Dan Boneh, Xavier Boyen

IBE
[Diagram of the IBE algorithms. Labels: Security Parameter λ, Identity ID, Setup, Public Params PP, Master secret key MSK, Extract, Secret key SK, Message m, Encrypt, Ciphertext C, Decrypt, Message m]
Arbitrary string id is public key!

Prior Work
                     Bilinear Maps   Lattices
IBE, RO              BF01            GPV08
IBE, SM              CHK03           CHKP10, AB09
HIBE, bit by bit     CHK03           CHKP10
Efficient HIBE       BB04            ABB10a (this)
Adaptive sec.        W05             B10, ABB10a (this)
Small CT HIBE        BBG05           ABB10b (Crypto)

Our Results
CHKP10, Id in $\{0,1\}^k$:
Secret key is basis of $(k+1)m$ lattice
Secret key is $\tilde{O}(n^2)$ bits
Ciphertext is $\tilde{O}(kn)$ bits
ABB10, Id in $\mathbb{Z}_q^n$:
Secret key is vector in $2m$ lattice
Secret key is $\tilde{O}(n)$ bits
Ciphertext is $\tilde{O}(n)$ bits

Our Results
More efficient lattice based HIBE in the standard model (using delegation of CHKP10).
Scheme   Ciphertext length      Secret key length              Public params           Lattice dim.
CHKP10   $\tilde{O}(klnd^2)$    $\tilde{O}(k^2 l^3 n^2 d^2)$   $\tilde{O}(kn^2 d^3)$   $\tilde{O}(kldn)$
ABB10    $\tilde{O}(lnd^2)$     $\tilde{O}(l^3 n^2 d^2)$       $\tilde{O}(n^2 d^3)$    $\tilde{O}(ldn)$
k: no. of bits per identity
d: maximum depth
l: level in hierarchy
n: security parameter

Why Lattices?
Strong hardness guarantees
Efficient operations, parallelizable
No quantum algorithm (yet)

What's a Lattice?
[Figure: lattice points with vectors v1, v2 and v'1, v'2]
A set of points with periodic arrangement
Discrete subgroup in $\mathbb{R}^n$

Parallelepipeds

Basis quality and Hardness
• SVP, CVP, ISIS (...) hard given arbitrary (bad) basis.
• Some hard lattice problems are easy given a good basis.
• Many cryptosystems (GPV08, AB09, CHKP10, ABB10) exploit this asymmetry.
Here's how...

Exploiting Asymmetry (roughly)
Make bad basis public key
Make good basis private key
Encrypt using bad basis, decrypt using good basis
Recovering good basis from bad basis is hard!

More precisely...
The private key comes from the ISIS problem...

ISIS (or syndrome decoding)
Given matrix $A$ over $\mathbb{Z}_q$, syndrome $u$ over $\mathbb{Z}_q$, find "small" (low norm) integer vector $z$ such that $Az = u \bmod q$
[Diagram: $A$ ($n \times m$) times $z$ ($m$ entries) equals $u$ ($n$ entries)]
Define $f_A(z) = Az$
$f_A$: space of "small" $m$-dim vectors $\to$ $n$-dim vectors
Solving ISIS (or inverting $f_A$) is hard!!

Main Idea (GPV08)
• $f_A(z) = Az$ is hard to invert in general.
• $\Lambda = \{e : Ae = 0\} \subseteq \mathbb{Z}_q^m$ is a lattice
• Can "invert" $f_A$ given short basis for $\Lambda$!
• Make $A$ depend on identity Id and encrypt using $A$.
• $A$, vector $u$ public, $f_A^{-1}(u)$ private

Intuition for Constructions
Previous Systems [AB09, CHKP10]
• Master secret key: basis for $A_0$
• Secret Key for (id=01): basis for $F_{01} = [A_0 \mid A_1^0 \mid A_2^1]$ (one block per bit!)
• Know how to compute trapdoor for "extended" matrix $[T_1 \mid T_2 \mid T_3]$
• Encrypt (b, id=01): Uses matrix $F_{01}$

Intuition (contd)
Previous Systems: Simulation (selective sec.)
• Let challenge identity id* = 11
• Must not have SK for id*, hence don't have master secret (basis for $A_0$)!
• Choose $A_0, A_1^1, A_2^1$ random (no TD)
• Choose $A_1^0, A_2^0$ with TD
• Can compute basis of $F_{01} = [A_0 \mid A_1^0 \mid A_2^1]$
• Cannot compute basis of $F_{11} = [A_0 \mid A_1^1 \mid A_2^1]$

Our new system [ABB10]
• Id in $\mathbb{Z}_q^n$ is encoded "all at once"!
• Master secret: basis for $A_0$
• Encryption matrix $F_{id} = [A_0 \mid A_1 + id \cdot B]$
• Secret Key for id: = vector in $\Lambda(F_{id})$
$F_{id}$ fixed dimension!

Our new System [ABB10]
Simulation: Let challenge identity = id*
$F_{id} = [A_0 \mid A_1 + id \cdot B]$
• Don't have basis for $A_0$
• Have basis for $B$
• Let $A_1 = [A_0 R - id^* \times B]$ ($R$: random low norm matrix)
• $F_{id} = [A_0 \mid A_0 R + (id - id^*) B]$
• Develop algorithm to find basis for $F_{id}$ given basis for $B$
• Trapdoor vanishes for id = id*

Our new system
PP = $A_0, A_1, B$
Real System
• MSK = Trapdoor for $A_0$
• $A_1$ = Randomly chosen
• Encryption matrix $F_{ID} = [A_0 \mid A_1 + ID \cdot B]$
• Secret Key = short vector in $F_{ID}$
• MSK $\Rightarrow$ Key for any ID
Simulation
• MSK = Trapdoor for $B$
• $A_1 = A_0 R - ID^* \cdot B$
• Encryption matrix $F_{ID} = [A_0 \mid A_1 + ID \cdot B] = [A_0 \mid A_0 R + (ID - ID^*) B]$
• Secret Key = short vector in $F_{ID}$
• Trapdoor for $B$ $\Rightarrow$ Key for $ID \neq ID^*$
Indistinguishable since R is random!

The matrix R
• Matrix $R$: each column randomly and independently chosen from $\{+1, -1\}^m$
• $(A_0, A_1)$ indistinguishable from $(A_0, A_0 R)$ by leftover hash lemma
• Roughly states that $R$ has enough entropy to make $A_0 R$ look like $A_1$

Key Generation (Real system)
• Given $A_0$, $u$, short basis for $\Lambda(A_0)$, can sample short $e$ s.t. $A_0 e = u$ (GPV08)
• Have short basis for $\Lambda(A_0)$, want short vector in $\Lambda(A_0 \mid A_1)$, i.e. $e = (e_0, e_1)$ s.t. $[A_0 \mid A_1] \begin{pmatrix} e_0 \\ e_1 \end{pmatrix} = 0$
• Easy! Pick short $e_1$ randomly. Solve for short $e_0$ using short basis for $\Lambda(A_0)$

Key Queries (simulation)
• Have short basis for $\Lambda(B)$
• Want short vector in $\Lambda(A_0 \mid A_0 R + ID \cdot B)$, i.e. $e$ s.t. $[A_0 \mid A_0 R + ID \cdot B]\, e = 0$
• Pick short $e_0$ randomly. Solve for short $e_1$ s.t. $(ID \cdot B)\, e_1 = -A_0 e_0$ using short basis for $\Lambda(ID \cdot B)$
• Output $e = \begin{pmatrix} e_0 - R e_1 \\ e_1 \end{pmatrix}$
$F_{ID}\, e = A_0 e_0 - A_0 R e_1 + A_0 R e_1 + (ID \cdot B)\, e_1 = 0$
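An added example (not from the slides or the ABB10 authors) of the simulated key query above, using the $(id - id^*)B$ form of $F_{id}$ from the earlier simulation slide. Assumptions: toy parameters, a scalar identity in $\mathbb{Z}_q$, and $B$ taken to be a power-of-two gadget matrix so that bit decomposition stands in for sampling with a short basis for $\Lambda(B)$; the names sim_setup, enc_matrix and sim_extract are hypothetical.

```python
import random

Q, N = 257, 4            # toy prime modulus and row count (constructed values)
K = Q.bit_length()       # bits needed per Z_q entry (9)
M = N * K                # columns of A0, R and B, so F_id has 2m columns

def matvec(X, v):
    return [sum(a * b for a, b in zip(row, v)) % Q for row in X]

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*Y)] for row in X]

# Assumption: B is the power-of-two "gadget" matrix I_n (x) (1, 2, ..., 2^(K-1)).
# Bit decomposition then plays the role of the short basis for Lambda(B).
B = [[1 << (j % K) if j // K == i else 0 for j in range(M)] for i in range(N)]

def invert_B(v):
    """Return a 0/1 vector e1 with B e1 = v mod q."""
    return [((x % Q) >> bit) & 1 for x in v for bit in range(K)]

def sim_setup(id_star, rng):
    """Simulator's public parameters: A1 = A0 R - id* B, no trapdoor for A0."""
    A0 = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    R = [[rng.choice((-1, 1)) for _ in range(M)] for _ in range(M)]
    A1 = [[(x - id_star * b) % Q for x, b in zip(rx, rb)]
          for rx, rb in zip(matmul(A0, R), B)]
    return A0, A1, R

def enc_matrix(A0, A1, ident):
    """F_id = [A0 | A1 + id B]."""
    return [r0 + [(x + ident * b) % Q for x, b in zip(r1, rb)]
            for r0, r1, rb in zip(A0, A1, B)]

def sim_extract(A0, R, id_star, ident, rng):
    """Answer a key query using only the trapdoor for B: F_id e = 0 mod q."""
    d = (ident - id_star) % Q
    if d == 0:
        raise ValueError("trapdoor vanishes for id = id*")
    e0 = [rng.choice((-1, 0, 1)) for _ in range(M)]            # pick short e0
    target = [(-pow(d, -1, Q) * x) % Q for x in matvec(A0, e0)]
    e1 = invert_B(target)                  # (id - id*) B e1 = -A0 e0 mod q
    Re1 = [sum(r * x for r, x in zip(row, e1)) for row in R]   # over the integers
    return [a - b for a, b in zip(e0, Re1)] + e1               # (e0 - R e1, e1)

if __name__ == "__main__":
    rng = random.Random(2010)
    A0, A1, R = sim_setup(11, rng)
    e = sim_extract(A0, R, 11, 5, rng)
    print(matvec(enc_matrix(A0, A1, 5), e), max(abs(x) for x in e))
```

A real simulator samples $e_1$ from a discrete Gaussian (GPV08) so that simulated keys are distributed like real ones; this toy only checks the algebra and the failure at id = id*.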
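
Security?
Learning With Errors: Distinguish "noisy inner products" from uniform
Fix uniform $s \in \mathbb{Z}_q^n$
$a_1,\ b_1 = \langle a_1, s \rangle + e_1$
$a_2,\ b_2 = \langle a_2, s \rangle + e_2$
$a_m,\ b_m = \langle a_m, s \rangle + e_m$
$a_i$ uniform $\in \mathbb{Z}_q^n$, $e_i \sim \phi \in \mathbb{Z}_q$
versus
$a'_1,\ b'_1$
$a'_2,\ b'_2$
$a'_m,\ b'_m$
$a_i$ uniform $\in \mathbb{Z}_q^n$, $b_i$ uniform $\in \mathbb{Z}_q$
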
Ciphertext = $(c_0, c_1)$
$c_0 = u^T s + x + m\,[q/2]$ in $F_q$
• Then $(u, c_0)$ is LWE instance
• Indistinguishable from random!
$c_1 = F_{id}^T s + \begin{pmatrix} y \\ z \end{pmatrix}$ in $F_q^{2m}$
• $F_{id} = [A_0 \mid A_1 + id \times B]$
• $m$ instances of LWE!

Game!
Receives (m+1) LWE challenges
Announce id*
• Construct $A_0$, $u$ from LWE.
• Pick $B$ with T for $\Lambda(B)$
• Pick random $R$
• $A_1 = A_0 R - id^* B$
• $F = [A_0 \mid A_0 R + (id - id^*) B]$
Send $A_0$, $A_1$, $B$
Query SK for {idj}
• If id ≠ id*, can use trapdoor for $B$ to sample $e$ from $\Lambda(F)$
• Do not have TD for id*, can answer all other queries
Return SK for Idj
Send message M
Enc(M) or random
Guess G
Use Guess G to solve LWE!!!

Conclusions
• Reviewed existing lattice based IBE
• Examined new technique to encrypt without increasing the dimension of the encryption matrix
• BB-style IBE and HIBE
• About 160 times more efficient than CHKP10 (k needs to be 160 bits).

Thank you!
Questions?