Identity Based Encryption from lattices, Pauline Bert, October 3, 2017 (PowerPoint PPT presentation)

SLIDE 1

Identity Based Encryption from lattices

Pauline Bert October 3, 2017

SLIDE 2

Outline

  • Preliminaries
  • The first IBE from lattices
  • Our IBE from lattices
  • Ring-LWE construction
  • Implementation

SLIDE 3

Identity Based Encryption

Parties: Alice (sender), Bob (receiver, with identity idBob = ‘bob@bob.fr’) and the Private Key Generator (PKG), which holds the master key pair (mpk, msk).

  • Bob authenticates to the PKG and receives his private key skidBob,
  • Alice computes C = Encrypt(mpk, idBob, M),
  • Bob recovers M = Decrypt(mpk, skidBob, C).

1984 Concept introduced by Shamir,
2001 First realizations based on bilinear maps (by Boneh and Franklin) and on quadratic residue assumptions (by Cocks),
2008 First lattice based IBE, by Gentry, Peikert, and Vaikuntanathan.

SLIDE 4

Identity Based Encryption

(Same IBE diagram as on slide 3: Alice encrypts C = Encrypt(mpk, idBob, M) to idBob = ‘bob@bob.fr’, the Private Key Generator holds (mpk, msk) and issues skidBob to Bob after authentication, and Bob computes M = Decrypt(mpk, skidBob, C).)

Advantages:

  • we no longer need certificates, PKI, cross-certification, revocation lists etc.,
  • we can add information together with the identity, e.g. identity | 2017 or identity | 25.04.2017.

SLIDE 5

Identity Based Encryption

(Same IBE diagram as on slide 3.)

Contributions:

  • We propose a new IBE scheme,
  • We implement it to see if this kind of construction can be practical.

SLIDE 6

Preliminaries

SLIDE 7

Lattices

Basis. A lattice Λ ⊆ R^n is the set of all integer linear combinations of some linearly independent basis vectors B = {b_1, · · · , b_k}:

$\Lambda = \mathcal{L}(B) = \left\{ \sum_{i=1}^{k} z_i b_i : z_i \in \mathbb{Z} \right\}.$

SLIDE 8

Lattices

SVP Given a basis B of a lattice Λ, find one of the shortest non-zero vectors of Λ.
CVP Given a basis B of a lattice Λ and a target vector t ∈ R^n, find the lattice vector closest to t.

SLIDE 9

Learning With Errors problem

Given $(A,\; s^T A + e^T)$ where:

  • $A \leftarrow U(\mathbb{Z}_q^{n \times m})$,
  • $s \leftarrow U(\mathbb{Z}_q^{n})$,
  • $e \leftarrow D_{\mathbb{Z}^m, \alpha q}$.

The search problem is to find s. The decision problem is to distinguish $(A,\; s^T A + e^T)$ from $(A,\; b)$ with $b \leftarrow U(\mathbb{Z}_q^{m})$.

→ These two variants are equivalent.

SLIDE 10

Short Integer Solution problem

Given a uniformly random matrix $A \leftarrow U(\mathbb{Z}_q^{n \times m})$, the Inhomogeneous Short Integer Solution problem is to find a non-trivial short vector $x \in \mathbb{Z}^m$ such that $\|x\| \le \beta$ and:

$A x = u \bmod q.$

The Short Integer Solution problem is to find a non-trivial short vector $x \in \mathbb{Z}^m$ such that $\|x\| \le \beta$ and $A x = 0 \bmod q$.

→ LWE/SIS are hard: Regev/Ajtai gave reductions from worst-case problems on lattices (e.g. the approximate decisional SVP problem) to the average-case LWE/SIS problems.

SLIDE 11

The first IBE from lattices

SLIDE 12

Public Key Encryption of Dual-Regev [1]

In this scheme, users share a public matrix $A \leftarrow U(\mathbb{Z}_q^{n \times m})$.

Parties: Alice and Bob.

Key generation (receiver): $x \leftarrow D_{\mathbb{Z}^m, \gamma}$, public key $u = A x$.

Encryption (sender) of $M \in \{0,1\}$: $s \leftarrow U(\mathbb{Z}_q^n)$, $e \leftarrow D_{\mathbb{Z}^m, \alpha q}$, $e' \leftarrow D_{\mathbb{Z}, \alpha q}$,
$c_0^T = s^T A + e^T$,
$c_1 = s^T u + e' + M \cdot \lfloor q/2 \rfloor$.

Decryption (receiver): $c_1 - c_0^T x = \underbrace{e' - e^T x}_{\text{small}} + M \cdot \lfloor q/2 \rfloor$.

[1] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan (2008). “How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions”. In: STOC 2008. http://eprint.iacr.org/2007/432.pdf.
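As an added example (not code from the slides or from the author's implementation), the Dual-Regev scheme above in pure Python with constructed toy parameters: key generation u = Ax, encryption (c_0, c_1) and the decryption c_1 − c_0^T x, with rounded continuous Gaussians standing in for the discrete Gaussian samplers. The same encrypt/decrypt pair is the ciphertext half of the IBE schemes on the following slides, where u is replaced by the identity-derived vector.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
n, m, q = 8, 64, 4099
gamma, alpha_q = 1.0, 1.0   # widths of the key and error samplers


def gauss_vec(length, sigma):
    # Rounded continuous Gaussian: a stand-in for the discrete Gaussian D_{Z,sigma}.
    return [int(round(random.gauss(0, sigma))) for _ in range(length)]


def keygen(A):
    # Secret x <- D_{Z^m,gamma}; public key u = A x mod q.
    x = gauss_vec(m, gamma)
    u = [sum(a * b for a, b in zip(row, x)) % q for row in A]
    return x, u


def encrypt(A, u, M):
    # c0^T = s^T A + e^T and c1 = s^T u + e' + M * floor(q/2), all mod q.
    s = [random.randrange(q) for _ in range(n)]
    e = gauss_vec(m, alpha_q)
    e1 = gauss_vec(1, alpha_q)[0]
    c0 = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    c1 = (sum(si * ui for si, ui in zip(s, u)) + e1 + M * (q // 2)) % q
    return c0, c1


def decrypt(x, c0, c1):
    # c1 - c0^T x = e' - e^T x + M * floor(q/2) mod q.  The noise term is small,
    # so centre the value in (-q/2, q/2] and test whether it is nearer 0 or q/2.
    d = (c1 - sum(a * b for a, b in zip(c0, x))) % q
    if d > q // 2:
        d -= q
    return 1 if abs(d) > q // 4 else 0


def round_trip(trials=50, seed=1):
    # True if every bit decrypts correctly under a fresh key and fresh randomness.
    random.seed(seed)
    A = [[random.randrange(q) for _ in range(m)] for _ in range(n)]
    x, u = keygen(A)
    for M in (0, 1):
        for _ in range(trials):
            c0, c1 = encrypt(A, u, M)
            if decrypt(x, c0, c1) != M:
                return False
    return True


if __name__ == "__main__":
    print("Dual-Regev round trip ok:", round_trip())
```

With these widths the noise e' − e^T x stays far below q/4, which is the correctness condition the decryption step relies on.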

SLIDE 13

Full trapdoor for LWE and SIS

A full trapdoor for the LWE and SIS problems is a short basis $T_A$ of the lattice $\Lambda_q^{\perp}(A) = \{ x \in \mathbb{Z}^m \text{ such that } A x = 0 \bmod q \}$.

  • Given A, it’s hard to find such a basis,
  • we can generate A together with $T_A$,
  • we can use $T_A$ to solve the SIS problem, i.e. find a non-trivial $x \in \mathbb{Z}^m$ s.t. $A x = 0 \bmod q$ (resp. $A x = u \bmod q$).

SLIDE 14

The first IBE from lattices

Let $H : \{0,1\}^* \to \mathbb{Z}_q^n$ be a hash function.

Parties: Alice (sender), Bob (receiver), PKG.

PKG: holds $(A, T_A)$; for Bob, computes $u_{Bob} = H(\text{‘bob@bob.fr’})$, uses $T_A$ to generate $x_{Bob}$ such that $A x_{Bob} = u_{Bob}$, and sends $x_{Bob}$ to Bob.

Alice, to encrypt $M \in \{0,1\}$: $s \leftarrow U(\mathbb{Z}_q^n)$, $e \leftarrow D_{\mathbb{Z}^m, \alpha q}$, $e' \leftarrow D_{\mathbb{Z}, \alpha q}$, $u_{Bob} = H(\text{‘bob@bob.fr’})$,
$c_0^T = s^T A + e^T$,
$c_1 = s^T u_{Bob} + e' + M \cdot \lfloor q/2 \rfloor$.

Bob: $c_1 - c_0^T x_{Bob} = \underbrace{e' - e^T x_{Bob}}_{\text{small}} + M \cdot \lfloor q/2 \rfloor$.

SLIDE 15

Our IBE from lattices

SLIDE 16

Trapdoor construction [2]

Let $k = \lceil \log_2 q \rceil$. The matrix $A \in \mathbb{Z}_q^{n \times m}$ is now generated with a trapdoor matrix R as: $A = (A' \mid H G - A' R)$.

  • $G \in \mathbb{Z}_q^{n \times nk}$ a public ‘gadget matrix’ associated to a highly structured basis,
  • $A' \leftarrow U(\mathbb{Z}_q^{n \times (m - nk)})$ a uniform matrix,
  • $H \in \mathbb{Z}_q^{n \times n}$ an invertible tag,
  • $R \leftarrow D_{\mathbb{Z}^{(m-nk) \times nk}, \beta}$ the trapdoor matrix associated to H.

→ Smaller trapdoor, faster algorithms.

[2] Daniele Micciancio and Chris Peikert (2012). “Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller”. In: EUROCRYPT 2012. https://eprint.iacr.org/2011/501.pdf.

SLIDE 17

Our IBE scheme (1)

We can remark that, if $A = (A' \mid H G - A' R)$ has trapdoor R with tag H, then $A - (0 \mid H' G) = (A' \mid (H - H') G - A' R)$ also has trapdoor R, but with tag $(H - H')$.
→ $(H - H')$ needs to be invertible → FRD map [3].

FRD map. A function $F : \mathbb{Z}_q^n \to \mathbb{Z}_q^{n \times n}$ is an encoding with Full-Rank Differences if:

  • for all $u \in \mathbb{Z}_q^n$ the matrix $F(u)$ is invertible,
  • for all distinct $u, v \in \mathbb{Z}_q^n$ the matrix $F(u) - F(v)$ is full rank.

[3] Shweta Agrawal, Dan Boneh, and Xavier Boyen (2010). “Efficient Lattice (H)IBE in the Standard Model”. In: EUROCRYPT 2010. http://www.iacr.org/archive/eurocrypt2010/66320276/66320276.pdf.

SLIDE 18

IBE scheme of ABB

Parties: Alice (sender), Bob (receiver), PKG.

Setup: $B, C \leftarrow U(\mathbb{Z}_q^{n \times m})$, $u \leftarrow U(\mathbb{Z}_q^n)$; mpk = (A, B, C, u) and msk = $T_A$.

PKG, for Bob: $H_{Bob} = F(\text{‘bob@bob.fr’})$, $A_{Bob} = (A \mid B + H_{Bob} C)$, generate $x_{Bob}$ such that $A_{Bob} x_{Bob} = u$ and send $x_{Bob}$ to Bob.

Alice, to encrypt $M \in \{0,1\}$: $s \leftarrow U(\mathbb{Z}_q^n)$, $e \leftarrow D_{\mathbb{Z}^m, \alpha q}$, $e' \leftarrow D_{\mathbb{Z}, \alpha q}$, $H_{Bob} = F(\text{‘bob@bob.fr’})$, $A_{Bob} = (A \mid B + H_{Bob} C)$,
$c_0^T = s^T A_{Bob} + e^T$,
$c_1 = s^T u + e' + M \cdot \lfloor q/2 \rfloor$.

Bob: $c_1 - c_0^T x_{Bob} = \underbrace{e' - e^T x_{Bob}}_{\text{small}} + M \cdot \lfloor q/2 \rfloor$.

SLIDE 19

Our IBE scheme (2)

Parties: Alice (sender), Bob (receiver), PKG.

Setup: $A = (A' \mid -A' R)$, $u \leftarrow U(\mathbb{Z}_q^n)$; mpk = (A, u) and msk = R.

PKG, for Bob: $H_{Bob} = F(\text{‘bob@bob.fr’})$, $A_{Bob} = A + (0 \mid H_{Bob} G) = (A' \mid H_{Bob} G - A' R)$, generate $x_{Bob}$ such that $A_{Bob} x_{Bob} = u$ and send $x_{Bob}$ to Bob.

Alice, to encrypt $M \in \{0,1\}$: $s \leftarrow U(\mathbb{Z}_q^n)$, $e \leftarrow D_{\mathbb{Z}^m, \alpha q}$, $e' \leftarrow D_{\mathbb{Z}, \alpha q}$, $H_{Bob} = F(\text{‘bob@bob.fr’})$, $A_{Bob} = A + (0 \mid H_{Bob} G)$,
$c_0^T = s^T A_{Bob} + e^T$,
$c_1 = s^T u + e' + M \cdot \lfloor q/2 \rfloor$.

Bob: $c_1 - c_0^T x_{Bob} = \underbrace{e' - e^T x_{Bob}}_{\text{small}} + M \cdot \lfloor q/2 \rfloor$.

SLIDE 20

Private key extraction (1)

Given $A = (A' \mid H G - A' R)$, H, R and a target vector $u \in \mathbb{Z}_q^n$,
→ we want to get a short vector x such that $A x = u \bmod q$.

First idea:

  1. Compute $v = H^{-1} u$,
  2. Sample a short vector y such that $G y = v \bmod q$,
  3. Then $x = \begin{pmatrix} R \\ I \end{pmatrix} y$ works.

SLIDE 21

Private key extraction (1)

(Same statement and first idea as on slide 20.)

Proof: $A x = (A' \mid H G - A' R) \begin{pmatrix} R \\ I \end{pmatrix} y = A' R y + (H G - A' R) y = H \underbrace{G y}_{H^{-1} u} = u$.

SLIDE 22

Private key extraction (1)

(Same statement, first idea and proof as on slides 20 and 21.)

→ x leaks the trapdoor matrix R: it has covariance $\mathrm{COV}_x = r^2 \begin{pmatrix} R \\ I \end{pmatrix} \begin{pmatrix} R^T & I \end{pmatrix}$.
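The trapdoor of slide 16, the tag shift of slide 19 and the ‘first idea’ extraction above, as an added Python example (not the author's code): A = (A' | HG − A'R) is built from a small R, G = I_n ⊗ (1, 2, …, 2^{k−1}), and the short solution of Gy = v is taken as the plain bit decomposition of v (a deterministic stand-in for the Gaussian sampling on the slide), which makes the leak of R through x = (Ry ; y) visible, since the lower half of x is y itself. Assumed toy parameters: n = 4, q = 257, tag H = 2·I.

```python
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
n, q = 4, 257
k = q.bit_length()          # k = ceil(log2 q) = 9, so every v in Z_q has k bits
mbar = 8                    # number of columns of the uniform part A'; m = mbar + n*k

# G = I_n (x) (1, 2, 4, ..., 2^{k-1}): entry G[i][i*k + j] = 2^j, zero elsewhere.
G = [[(1 << (c - i * k)) if i * k <= c < (i + 1) * k else 0 for c in range(n * k)]
     for i in range(n)]


def matmul(X, Y):
    # X Y mod q for list-of-rows matrices.
    return [[sum(X[i][t] * Y[t][c] for t in range(len(Y))) % q for c in range(len(Y[0]))]
            for i in range(len(X))]


def trapdoor_keygen(H):
    # A = (A' | H G - A' R) with A' uniform and R small; R is the trapdoor (msk).
    Ap = [[random.randrange(q) for _ in range(mbar)] for _ in range(n)]
    R = [[int(round(random.gauss(0, 1.0))) for _ in range(n * k)] for _ in range(mbar)]
    HG, ApR = matmul(H, G), matmul(Ap, R)
    A = [Ap[i] + [(HG[i][c] - ApR[i][c]) % q for c in range(n * k)] for i in range(n)]
    return A, R


def gadget_solve(v):
    # y with G y = v mod q: the bit decomposition of each coordinate (entries in {0,1}).
    return [((vi % q) >> j) & 1 for vi in v for j in range(k)]


def extract(R, Hinv, u):
    # First idea from the slide: v = H^{-1} u, short y with G y = v, then x = (R y ; y).
    v = [sum(Hinv[i][t] * u[t] for t in range(n)) % q for i in range(n)]
    y = gadget_solve(v)
    Ry = [sum(R[i][c] * y[c] for c in range(n * k)) for i in range(mbar)]
    return Ry + y            # the last n*k entries of x are y: this is the leak of R


def solves(A, x, u):
    # Check A x = u mod q.
    return all(sum(a * b for a, b in zip(row, x)) % q == ui for row, ui in zip(A, u))


def demo(seed=3):
    random.seed(seed)
    H = [[2 if i == j else 0 for j in range(n)] for i in range(n)]       # tag 2 I
    Hinv = [[129 if i == j else 0 for j in range(n)] for i in range(n)]  # 2 * 129 = 1 mod 257
    A, R = trapdoor_keygen(H)
    u = [random.randrange(q) for _ in range(n)]
    x = extract(R, Hinv, u)
    return solves(A, x, u), max(abs(t) for t in x)   # (A x = u holds, x is short)
```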

SLIDE 23

Private key extraction (2)

Solution: add a perturbation vector p to correct the distribution [4]:

  1. Sample $p \leftarrow D_{\mathbb{Z}^m, \mathrm{COV}_p}$,
     → need to compute the square root of the matrix $\mathrm{COV}_p = \gamma^2 I - r^2 \begin{pmatrix} R \\ I \end{pmatrix} \begin{pmatrix} R^T & I \end{pmatrix}$,
  2. Compute $v = H^{-1}(u - A p)$,
  3. Sample a short y such that $G y = v \bmod q$,
  4. Then $x = p + \begin{pmatrix} R \\ I \end{pmatrix} y$ has covariance $\mathrm{COV}_x = \mathrm{COV}_p + r^2 \begin{pmatrix} R \\ I \end{pmatrix} \begin{pmatrix} R^T & I \end{pmatrix} = \gamma^2 I$ and satisfies $A x = u$.

[4] Chris Peikert (2010). “An Efficient and Parallel Gaussian Sampler for Lattices”. In: Advances in Cryptology–CRYPTO 2010. https://eprint.iacr.org/2010/088.pdf.

SLIDE 24

Ring-LWE construction

SLIDE 25

From random lattice to ideal lattice (1)

Consider the rings $R = \mathbb{Z}[x]/(x^n + 1)$ or $R_q = R/qR$, with n a power of 2. If we have $s, a \in R_q$, $s = s_0 + s_1 x + \cdots + s_{n-1} x^{n-1}$, then

$s \cdot a = \begin{pmatrix} s_0 & s_1 & \cdots & s_{n-1} \end{pmatrix} \underbrace{\begin{pmatrix} a_0 & a_1 & \cdots & a_{n-1} \\ -a_{n-1} & a_0 & \cdots & a_{n-2} \\ \vdots & & \ddots & \vdots \\ -a_1 & -a_2 & \cdots & a_0 \end{pmatrix}}_{= \mathrm{rot}(a)}$

→ Smaller storage, faster operations.
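As an added example (not the author's code), the identity above checked in Python for n = 4 and q = 17: multiplying s by a in Z_q[x]/(x^n + 1) gives the same coefficient vector as the row-vector product (s_0, …, s_{n−1}) · rot(a), with rot(a) built row by row from the negacyclic shifts of a.

```python
def poly_mul_negacyclic(s, a, q):
    # s * a in Z_q[x]/(x^n + 1): schoolbook product, then reduce x^n to -1.
    n = len(s)
    out = [0] * n
    for i, si in enumerate(s):
        for j, aj in enumerate(a):
            if i + j < n:
                out[i + j] += si * aj
            else:
                out[i + j - n] -= si * aj      # x^(i+j) = -x^(i+j-n) mod x^n + 1
    return [c % q for c in out]


def rot(a, q):
    # rot(a): row i is the coefficient vector of x^i * a mod (x^n + 1), i.e. a shifted
    # right by i places with the wrapped coefficients negated (the matrix on the slide).
    n = len(a)
    return [[(-a[n - i + j]) % q for j in range(i)] + [a[j - i] % q for j in range(i, n)]
            for i in range(n)]


def vec_mat(s, M, q):
    # Row vector s times matrix M, mod q.
    return [sum(s[i] * M[i][j] for i in range(len(s))) % q for j in range(len(M[0]))]


def both_ways(s, a, q):
    # Returns (polynomial product, s . rot(a)); the two coefficient vectors must agree.
    return poly_mul_negacyclic(s, a, q), vec_mat(s, rot(a, q), q)


if __name__ == "__main__":
    # Constructed sample: s = 1 + 2x + 3x^2 + 4x^3, a = 5 + 6x + 7x^2 + 8x^3 over Z_17.
    print(both_ways([1, 2, 3, 4], [5, 6, 7, 8], 17))
```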

SLIDE 26

From random lattice to ideal lattice (2)

Random lattice: integer elements in $\mathbb{Z}$ or $\mathbb{Z}_q$.
  • $A \leftarrow U(\mathbb{Z}_q^{n \times m})$
  • LWE: Given $(A,\; s^T A + e^T)$, find $s \in \mathbb{Z}_q^n$.
  • SIS: Given A, find a short vector $x \in \mathbb{Z}^m$ such that $A x = u$.

Ideal lattice: polynomial elements in R or $R_q$, with n a power of 2.
  • the matrix $\left( \mathrm{rot}(a_1) \mid \cdots \mid \mathrm{rot}(a_{m/n}) \right)$
  • Ring-LWE: Given $(s \cdot a_1 + e_1, \cdots, s \cdot a_{m/n} + e_{m/n})$, find $s \in R_q$.
  • Ring-SIS: Given $a_1, \cdots, a_{m/n}$, find $x_1, \cdots, x_{m/n}$ such that $\sum_{i=1}^{m/n} a_i \cdot x_i = u$.

SLIDE 27

Implementation

SLIDE 28

Libraries used

  • NFLlib [5] / GMP [6] for the operations over the ring $R_q = \mathbb{Z}_q[x]/(x^n + 1)$ with n a power of two, q a product of primes of size 14, 30 or 62 bits,
  • FLINT [7] / MPFR [8] for the operations over $\mathbb{Q}[x]/(x^n + 1)$.

[5] Carlos Aguilar-Melchor et al. (2016). “NFLlib: NTT-based Fast Lattice Library”. In: RSA Conference Cryptographers’ Track. https://hal.archives-ouvertes.fr/hal-01242273/file/main.pdf.
[6] https://gmplib.org/
[7] http://www.flintlib.org/
[8] http://www.mpfr.org/

SLIDE 29

Proposed parameters / Timings (ms)

   n    m   ⌈log2 q⌉   λ [9]   KeyGen   Extract   Enc    Dec
 256   60      30        52     1525       215    0.59   0.06
 512   60      30       100     4690       690    1.3    0.12
1024   60      30       192    14960      1360    2.4    0.2

where
  • n is the degree of the polynomials,
  • m is the number of polynomials in the master public key,
  • k = ⌈log2 q⌉ is the size of the modulus q.

[9] https://bitbucket.org/malb/lwe-estimator

SLIDE 30

Comparison with other implementations (ms)

Scheme     Assumption       λ    Extract   Enc    Dec
Our        Ring-LWE        100    690      1.3    0.12
Our        Ring-LWE        192   1360      2.4    0.2
GPV [10]   NTRU/Ring-LWE    80      8.6    0.91   0.62
GPV        NTRU/Ring-LWE   192     32.7    1.87   1.27
BF [11]    DL              128      0.55   7.51   5.05
BF         DL              192      3.44  40.3   34.2

[10] Leo Ducas, Vadim Lyubashevsky, and Thomas Prest (2014). “Efficient identity-based encryption over NTRU lattices”. In: ASIACRYPT 2014. https://eprint.iacr.org/2014/794.pdf.
[11] Aurore Guillevic (2013). “Arithmetic of pairings on algebraic curves for cryptography”. PhD thesis. https://tel.archives-ouvertes.fr/tel-00921940/file/Guillevic2013thesis.pdf.

SLIDE 31

Comparison with other implementations (ms)

(Same comparison table as on slide 30.)

  • We proposed an IBE scheme based on the Ring-LWE assumption, and we implemented it.

→ Future work: optimize our code, and improve the construction.