Anonymous IBE, Leakage Resilience and Circular Security from New - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions

Zvika Brakerski, Alex Lombardi, Gil Segev, and Vinod Vaikuntanathan

slide-2
SLIDE 2

Identity-Based Encryption

[Sha84, BF03, Coc01]

slide-4
SLIDE 4

Identity-Based Encryption

[Sha84, BF03, Coc01]

To Bob:

slide-5
SLIDE 5

Identity-Based Encryption

[Sha84, BF03, Coc01]

To Bob:

Ciphertext may reveal Bob’s identity

slide-6
SLIDE 6

Anonymous Identity-Based Encryption

[BCOP04]

To Bob:

slide-7
SLIDE 7

Constructions of IBE

| Reference | Assumption | RO? | Anonymous? |
|---|---|---|---|
| Boneh-Franklin | Bilinear Maps | Yes | Yes |
| Cocks | QR | Yes | No |
| Boneh-Gentry-Hamburg + Crescenzo-Saraswat | QR | Yes | Yes |
| Boneh-Boyen | Bilinear Maps | No | No |
| Boyen-Waters + Gentry | Bilinear Maps | No | Yes |
| Gentry-Peikert-Vaikuntanathan | LWE | Yes | Yes |
| Cash-Hofheinz-Kiltz-Peikert + Agrawal-Boneh-Boyen | LWE | No | Yes |

slide-8
SLIDE 8

A “Postmodern” Construction of IBE

slide-9
SLIDE 9
  • [DG17a] Non-black-box construction of IBE from CDH

(implied by both DDH and Factoring)

  • New primitive: Chameleon Encryption

A “Postmodern” Construction of IBE

slide-10
SLIDE 10
  • [DG17a] Non-black-box construction of IBE from CDH

(implied by both DDH and Factoring)

  • New primitive: Chameleon Encryption

A “Postmodern” Construction of IBE

Questions

slide-11
SLIDE 11
  • [DG17a] Non-black-box construction of IBE from CDH

(implied by both DDH and Factoring)

  • New primitive: Chameleon Encryption

A “Postmodern” Construction of IBE

Questions

  • What about anonymity? [DG] is not anonymous.
  • IBE from more assumptions? Generic assumptions?
slide-12
SLIDE 12

This Work

slide-13
SLIDE 13
  • Compactness of IBE (“weak IBE” full IBE)
  • Batch Encryption (from which we construct “weak IBE”)
  • Blindness (to help obtain Anonymous IBE)

This Work

  • Notions/Tools
slide-14
SLIDE 14
  • Compactness of IBE (“weak IBE” full IBE)
  • Batch Encryption (from which we construct “weak IBE”)
  • Blindness (to help obtain Anonymous IBE)

This Work

  • More from CDH: Anonymous IBE from CDH
  • Notions/Tools
slide-15
SLIDE 15
  • Compactness of IBE (“weak IBE” full IBE)
  • Batch Encryption (from which we construct “weak IBE”)
  • Blindness (to help obtain Anonymous IBE)

This Work

  • More from CDH: Anonymous IBE from CDH
  • IBE from More: IBE from a variant of the LPN assumption

  • Notions/Tools
slide-16
SLIDE 16
  • Compactness of IBE (“weak IBE” full IBE)
  • Batch Encryption (from which we construct “weak IBE”)
  • Blindness (to help obtain Anonymous IBE)

This Work

  • Leakage-Resilient and KDM secure public key encryption from CDH and LPN
  • More from CDH: Anonymous IBE from CDH
  • IBE from More: IBE from a variant of the LPN assumption

  • Notions/Tools
slide-17
SLIDE 17
  • Compactness of IBE (“weak IBE” full IBE)
  • Batch Encryption (from which we construct “weak IBE”)
  • Blindness (to help obtain Anonymous IBE)

This Work

  • Leakage-Resilient and KDM secure public key encryption from CDH and LPN
  • More from CDH: Anonymous IBE from CDH
  • IBE from More: IBE from a variant of the LPN assumption

Also in concurrent work [DGHM18]

* * *

  • Notions/Tools
slide-18
SLIDE 18

Outline

  • Blindness and Anonymous IBE
  • Batch Encryption
  • A blueprint for constructing IBE
slide-19
SLIDE 19

A Blueprint for Constructing IBE

slide-20
SLIDE 20

Primitive |mpk| |ct| |sk| Full IBE

A Blueprint for Constructing IBE

(supporting T identities)

“IBE” Schemes

slide-21
SLIDE 21

Primitive |mpk| |ct| |sk| Full IBE

A Blueprint for Constructing IBE

(supporting T identities)

“IBE” Schemes

Trivial IBE

slide-22
SLIDE 22

Primitive |mpk| |ct| |sk| Full IBE

A Blueprint for Constructing IBE

Weakly Compact IBE

(supporting T identities)

“IBE” Schemes

Trivial IBE

slide-23
SLIDE 23

Primitive |mpk| |ct| |sk| Full IBE

A Blueprint for Constructing IBE

  • Theorem: Weakly Compact IBE IBE

Weakly Compact IBE

(supporting T identities)

“IBE” Schemes

Trivial IBE

slide-24
SLIDE 24

Primitive |mpk| |ct| |sk| Full IBE

A Blueprint for Constructing IBE

  • Theorem: Weakly Compact IBE IBE

Weakly Compact IBE

(supporting T identities)

“IBE” Schemes

  • Uses ideas from [DG17b] (which obtained adaptively secure IBE from selectively secure IBE)

Trivial IBE

slide-25
SLIDE 25

Primitive |mpk| |ct| |sk| Full IBE

A Blueprint for Constructing IBE

  • Theorem: Weakly Compact IBE IBE

Weakly Compact IBE

  • Theorem: “Batch Encryption” can compress a Trivial IBE scheme into a Weakly Compact IBE scheme

(supporting T identities)

“IBE” Schemes

  • Uses ideas from [DG17b] (which obtained adaptively secure IBE from selectively secure IBE)

Trivial IBE

slide-26
SLIDE 26

How to construct IBE

CDH (LWE) LPN

slide-27
SLIDE 27

How to construct IBE

CDH (LWE) LPN Batch Encryption

[DG17] (CDH) [this work] (LPN)

Step 1

slide-28
SLIDE 28

How to construct IBE

CDH (LWE) LPN Batch Encryption

[DG17] (CDH) [this work] (LPN)

Step 1

wIBE

[this work]

Step 2

slide-29
SLIDE 29

How to construct IBE

CDH (LWE) LPN Batch Encryption

[DG17] (CDH) [this work] (LPN)

Step 1

wIBE

[this work]

Step 2

IBE

[this work]

Step 3

slide-30
SLIDE 30

Batch Encryption

(taking the “chameleon” out of Chameleon Encryption)

slide-32
SLIDE 32

Batch Encryption

(taking the “chameleon” out of Chameleon Encryption)

  • Correctness: for all i.
  • Security: computationally hidden from Bob.
slide-33
SLIDE 33

Batch Encryption

(taking the “chameleon” out of Chameleon Encryption)

  • This is Laconic OT [CDGGMP17] without receiver privacy
slide-34
SLIDE 34

Batch Encryption

(taking the “chameleon” out of Chameleon Encryption)

  • Why is this notion powerful?
  • This is Laconic OT [CDGGMP17] without receiver privacy
slide-36
SLIDE 36

Batch Encryption

(taking the “chameleon” out of Chameleon Encryption)

  • Simple black box construction of Leakage-Resilient and KDM secure PKE from Batch Encryption

slide-37
SLIDE 37

Constructing Batch Encryption

  • CDH/Factoring [DG17].
      • Hash function is the standard discrete log CRHF.
      • Encryption is essentially El-Gamal
  • LWE
      • Hash function is the standard SIS CRHF.
      • Encryption is essentially Dual Regev
  • LPN
      • CRHF constructed by [BLVW18, YZWGL17]
      • Encryption is “an LPN analogue to Dual Regev”
      • Requires noise rate (only quasipolynomially secure)
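
Added illustration (not from the slides or from [DG17]): a toy Python sketch of the CDH-style instantiation named above, pairing the discrete-log hash with an ElGamal-like encryption that is tied to one bit of the hashed input. The group parameters, function names and the SHAKE-256 mask (used in place of a hard-core bit) are assumptions, and the scheme is simplified.

```python
import hashlib
import secrets

# Toy parameters (constructed, far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the order-Q subgroup of squares.
P, Q, G = 1019, 509, 4

def keygen(n):
    """Hash key: two distinct random group elements per input position."""
    key = []
    for _ in range(n):
        a0 = 1 + secrets.randbelow(Q - 1)
        a1 = 1 + secrets.randbelow(Q - 1)
        while a1 == a0:
            a1 = 1 + secrets.randbelow(Q - 1)
        key.append((pow(G, a0, P), pow(G, a1, P)))  # exponents are discarded
    return key

def dl_hash(key, x):
    """Discrete-log CRHF: h = prod_j key[j][x_j] mod P."""
    h = 1
    for pair, bit in zip(key, x):
        h = h * pair[bit] % P
    return h

def mask(elem, length):
    # Assumption: SHAKE-256 of the group element replaces the hard-core bit.
    return hashlib.shake_256(str(elem).encode()).digest(length)

def encrypt(key, h, i, b, msg):
    """Encrypt msg so that a preimage x of h opens it only if x[i] == b."""
    rho = 1 + secrets.randbelow(Q - 1)
    raised = [None if j == i else (pow(g0, rho, P), pow(g1, rho, P))
              for j, (g0, g1) in enumerate(key)]
    pad = mask(pow(key[i][b], rho, P), len(msg))
    return pow(h, rho, P), raised, bytes(m ^ k for m, k in zip(msg, pad))

def decrypt(x, i, ct):
    """Divide every position except i out of h^rho, leaving key[i][x_i]^rho."""
    c_h, raised, body = ct
    rest = 1
    for j, bit in enumerate(x):
        if j != i:
            rest = rest * raised[j][bit] % P
    elem = c_h * pow(rest, -1, P) % P
    return bytes(c ^ k for c, k in zip(body, mask(elem, len(body))))
```

The sender needs only the short hash h, not x itself; a ciphertext aimed at the opposite bit of position i unmasks to garbage for the holder of x.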
slide-38
SLIDE 38

wIBE from Batch Encryption

slide-39
SLIDE 39

wIBE from Batch Encryption

  • Question: How do you encrypt without the public key?

(can’t store T public keys)

slide-40
SLIDE 40

wIBE from Batch Encryption

  • Answer: garble the encryption circuit + Batch Encrypt the labels (“Deferred Encryption Paradigm”)

  • Question: How do you encrypt without the public key?

(can’t store T public keys)

slide-43
SLIDE 43

How to construct IBE

IBE wIBE

(non-black-box)

[this work]

Batch Encryption CDH LPN

[DG17] (CDH) [this work] (LPN)

[this work]

+ Garbled PKE

slide-44
SLIDE 44

How to construct Anonymous IBE?

AnonIBE wAnonIBE

“Anonymous” Batch Encryption CDH LPN

slide-45
SLIDE 45

How to construct Anonymous IBE?

AnonIBE wAnonIBE

“Anonymous” Batch Encryption CDH LPN

NO

slide-46
SLIDE 46

Attack on Anonymity

What is the problem?

In some intermediate decryption steps, Adversary has the correct secret keys.

slide-49
SLIDE 49

Attack on Anonymity

What is the problem?

In some intermediate decryption steps, Adversary has the correct secret keys.

Learns the first two bits of id

slide-50
SLIDE 50

Attack on Anonymity

What is the problem?

In some intermediate decryption steps, Adversary has the correct secret keys.

We need a notion of wIBE security that holds even against authorized users.

Learns the first two bits of id

slide-51
SLIDE 51

Blind IBE

A notion of security that holds even against authorized users.

To Bob:

slide-52
SLIDE 52

Blind IBE

A notion of security that holds even against authorized users.

  • Semantic Security, and

To Bob:

slide-53
SLIDE 53

Blind IBE

A notion of security that holds even against authorized users.

  • Semantic Security, and
slide-54
SLIDE 54

Blind IBE

A notion of security that holds even against authorized users.

  • Semantic Security, and

For random m

  • *

*We actually allow a relaxation of this definition

slide-55
SLIDE 55

Blind IBE

A notion of security that holds even against authorized users.

  • Semantic Security, and

For random m

  • We build Blind IBE from Blind Batch Encryption
  • Reminiscent of weak attribute hiding vs. strong attribute hiding for PE
  • *

*We actually allow a relaxation of this definition

slide-56
SLIDE 56

Tool: Blind Garbled Circuits

We instantiate all uses of garbled circuits when deferring encryption with Blind Garbled Circuits

slide-57
SLIDE 57

Tool: Blind Garbled Circuits

We instantiate all uses of garbled circuits when deferring encryption with Blind Garbled Circuits

  • You don’t even know if you evaluated a garbled circuit or ‘evaluated’ a random string (if plain circuit output is random)

slide-58
SLIDE 58

Tool: Blind Garbled Circuits

We instantiate all uses of garbled circuits when deferring encryption with Blind Garbled Circuits

  • First use of this security property of Point-and-Permute GCs
  • Can be constructed from OWFs using “Point-and-Permute” garbled circuits [BMR90]
  • You don’t even know if you evaluated a garbled circuit or ‘evaluated’ a random string (if plain circuit output is random)

slide-59
SLIDE 59

Constructing Blind IBE

BIBE wBIBE

(non-black-box)

[this work]

Blind Batch Encryption CDH LPN

[this work] (CDH)

[this work]

+ Blind Garbled PKE

slide-60
SLIDE 60

Conclusions

slide-61
SLIDE 61

Conclusions

  • Weakly Compact IBE is an abstraction which tells us exactly how IBE is different from PKE

slide-62
SLIDE 62

Conclusions

  • Batch Encryption is powerful, especially when combined with garbled circuits
  • Weakly Compact IBE is an abstraction which tells us exactly how IBE is different from PKE

slide-63
SLIDE 63

Conclusions

  • Batch Encryption is powerful, especially when combined with garbled circuits
  • Weakly Compact IBE is an abstraction which tells us exactly how IBE is different from PKE
  • Blindness is an interesting and useful security property which captures some notion of security against authorized users

slide-64
SLIDE 64

Conclusions

  • Batch Encryption is powerful, especially when combined with garbled circuits

Thank you!

  • Weakly Compact IBE is an abstraction which tells us exactly how IBE is different from PKE
  • Blindness is an interesting and useful security property which captures some notion of security against authorized users