Identity Based Encryption from lattices Pauline Bert October 3, - PowerPoint PPT Presentation

Identity Based Encryption from lattices Pauline Bert October 3, 2017

Outline Preliminaries The first IBE from lattices Our IBE from lattices Ring-LWE construction Implementation 1

Identity Based Encryption Private Key Generator ( mpk , msk ) A u t h e n t i fi sk id Bob c a t i o n Alice C = Encrypt ( mpk , id Bob , M ) Bob id Bob = ‘bob@bob.fr’ M = Decrypt ( mpk , sk id Bob , C ) 1984 Concept introduced by Shamir, 2001 First realizations based on bilinear maps (by Boneh and Franklin) and on quadratic residue assumptions (by Cocks), 2008 First lattice based IBE, by Gentry, Peikert, and Vaikuntanathan. 2

Identity Based Encryption Private Key Generator ( mpk , msk ) A u t h e n t i sk id Bob fi c a t i o n Alice C = Encrypt ( mpk , id Bob , M ) Bob id Bob = ‘bob@bob.fr’ M = Decrypt ( mpk , sk id Bob , C ) Advantages: • we no longer need certificates, PKI, cross-certification, revocation lists etc. , • we can add information together with the identity, for e.g. , identity | 2017 or identity | 25 . 04 . 2017. 2

Identity Based Encryption Private Key Generator ( mpk , msk ) A u t h e n t i fi sk id Bob c a t i o n Alice C = Encrypt ( mpk , id Bob , M ) Bob id Bob = ‘bob@bob.fr’ M = Decrypt ( mpk , sk id Bob , C ) Contributions: • We propose a new IBE scheme, • We implement it to see if this kind of construction can be practical. 2

Preliminaries

Lattices Basis A lattice Λ ⊆ R n is the set of all integer linear combinations of some linearly independent basis vectors B = { b 1 , · · · , b k } , � k � � Λ = L ( B ) = z i b i : z i ∈ Z . i = 1 3

Lattices t SVP Given a basis B of a lattice Λ , find one of the shortest non zero vector of Λ . CVP Given a basis B of a lattice Λ , and a vector t ∈ R n find the closest lattice vector of the target vector t . 3

Learning With Errors problem Given   s e , + A A   where: • A ← ֓ U ( Z n × m ) , q ֓ U ( Z n • s ← q ) , • e ← ֓ D Z m , α q . The search problem is to find s . � � s e The decision problem is to distinguish , A A + � � b ֓ U ( Z m from , with b ← q ) . A → This two variants are equivalent. 4

Short Integer Solution problem ֓ U ( Z n × m Given an uniformly random matrix A ← ) , the Inhomogeneous q Short Integer Solution problem is to find a non trivial short vector x ∈ Z m such that � x � ≤ β and: x = u A mod q . The Short Integer Solution problem is to find a non trivial short vector x ∈ Z m such that � x � ≤ β and Ax = 0 mod q . − → LWE/SIS are hard: Regev/Ajtai gave reductions from worst-case problems on lattices (eg. approximate decisional SVP problem) to the average-case LWE/SIS problems. 5

The first IBE from lattices

Public Key Encryption of Dual-Regev 1 ֓ U ( Z n × m In this scheme, users share a public matrix A ← ) . q Alice Bob u = A x x ← ֓ D Z m , γ c T 0 = s T A + e T ֓ U ( Z n s ← q ) , e ← ֓ D Z m , α q c 1 − c T c 1 = s T u + e ′ + M . ⌊ q / 2 ⌋ 0 x = M ∈ { 0 , 1 } , e ′ − e T x + M . ⌊ q / 2 ⌋ e ′ ← ֓ D Z , α q � �� � small 1 Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan (2008). “How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions”. In: STOC 2008 . http://eprint.iacr.org/2007/432.pdf . 6

Full trapdoor for LWE and SIS A full trapdoor for the LWE and SIS problems is a short basis T A of the lattice q ( A ) = { x ∈ Z m such that Ax = 0 Λ ⊥ mod q } . • Given A , it’s hard to find such basis, • we can generate A together with T A , • we can use T A to solve the SIS problem, i.e. find a non trivial x ∈ Z m s.t. Ax = 0 mod q , (resp. Ax = u mod q ). 7

The first IBE from lattices Let H : { 0 , 1 } ∗ → Z n q a hash function. PKG Use T A to generate x Bob ( A , T A ) such that Ax Bob = u Bob x B o b Alice Bob c T 0 = s T A + e T ֓ U ( Z n s ← q ) , e ← ֓ D Z m , α q c 1 − c T c 1 = s T u Bob + e ′ + M . ⌊ q / 2 ⌋ 0 x Bob = M ∈ { 0 , 1 } , e ′ − e T x Bob + M . ⌊ q / 2 ⌋ e ′ ← ֓ D Z , α q � �� � u Bob = H ( ‘bob@bob.fr’ ) small 8

Our IBE from lattices

Trapdoor construction 2 Let k = ⌈ log 2 q ⌉ , the matrix A ∈ Z n × m is now generated with a trapdoor q matrix R as: A = ( A ′ | HG − A ′ R ) . • G ∈ Z n × nk a public ‘gadget matrix’ associated to an highly q structured basis, � � • A ′ ← Z n × ( m − nk ) ֓ U a uniform matrix, q • H ∈ Z n × n an invertible tag, q • R ← ֓ D Z ( m − nk ) × nk , β the trapdoor matrix associated to H , − → Smaller trapdoor, faster algorithms. 2 Daniele Micciancio and Chris Peikert (2012). “Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller”. In: EUROCRYPT 2012 . https://eprint.iacr.org/2011/501.pdf . 9

Our IBE scheme (1) We can remark that, if A = ( A ′ | HG − A ′ R ) has trapdoor R with tag H , then A − ( 0 | H ′ G ) = ( A ′ | ( H − H ′ ) G − A ′ R ) has also trapdoor R but with tag ( H − H ′ ) , → ( H − H ′ ) needs to be invertible − → FRD map 3 . − FRD map A function F : Z n q → Z n × n is an encoding with Full-Rank Differences if: q • for all u ∈ Z n q the matrix F ( u ) is invertible, • for all distinct u , v ∈ Z n q the matrix F ( u ) − F ( v ) is full rank. 3 Shweta Agrawal, Dan Boneh, and Xavier Boyen (2010). “Efficient Lattice (H) IBE in the Standard Model”. In: EUROCRYPT 2010 . http://www.iacr.org/archive/eurocrypt2010/66320276/66320276.pdf . 10

IBE scheme of ABB PKG x Bob such that ֓ U ( Z n × m ֓ U ( Z n B , C ← ) , u ← q ) q A Bob x Bob = u mpk = ( A , B , C , u ) and msk = T A x Bob Alice Bob c T 0 = s T A Bob + e T ֓ U ( Z n s ← q ) , e ← ֓ D Z m , α q c 1 − c T 0 x Bob = c 1 = s T u + e ′ + M . ⌊ q / 2 ⌋ M ∈ { 0 , 1 } , e ′ − e T x Bob + M . ⌊ q / 2 ⌋ e ′ ← ֓ D Z , α q � �� � small H Bob = F ( ‘bob@bob.fr’ ) A Bob = ( A | B + H Bob C ) 11

Our IBE scheme (2) PKG x Bob such that A = ( A ′ | − A ′ R ) , u ← ֓ U ( Z n q ) A Bob x Bob = u mpk = ( A , u ) and msk = R x Bob Alice Bob c T 0 = s T A Bob + e T ֓ U ( Z n s ← q ) , e ← ֓ D Z m , α q c 1 − c T 0 x Bob = c 1 = s T u + e ′ + M . ⌊ q / 2 ⌋ M ∈ { 0 , 1 } , e ′ − e T x Bob + M . ⌊ q / 2 ⌋ e ′ ← ֓ D Z , α q � �� � small H Bob = F ( ‘bob@bob.fr’ ) A Bob = A + ( 0 | H Bob G ) = ( A ′ | H Bob G − A ′ R ) 11

Private key extraction (1) Given A = ( A ′ | HG − A ′ R ) , H , R and a target vector u ∈ Z n q , → we want to get a short vector x such that Ax = u mod q . First idea: 1. Compute v = H − 1 u , 2. Sample a short vector y such that Gy = v mod q , � R � 3. Then x = y works. I 12

Private key extraction (1) Given A = ( A ′ | HG − A ′ R ) , H , R and a target vector u ∈ Z n q , → we want to get a short vector x such that Ax = u mod q . First idea: 1. Compute v = H − 1 u , 2. Sample a short vector y such that Gy = v mod q , � R � 3. Then x = y works. I Proof: � R Ax = ( A ′ | HG − A ′ R ) � y I = A ′ Ry + ( HG − A ′ R ) y = H Gy = u ���� H − 1 u 12

Private key extraction (1) Given A = ( A ′ | HG − A ′ R ) , H , R and a target vector u ∈ Z n q , → we want to get a short vector x such that Ax = u mod q . First idea: 1. Compute v = H − 1 u , 2. Sample a short vector y such that Gy = v mod q , � R � 3. Then x = y works. I Proof: � R Ax = ( A ′ | HG − A ′ R ) � y I = A ′ Ry + ( HG − A ′ R ) y = H Gy = u ���� H − 1 u − → x leaks the trapdoor matrix R , has covariance COV x = r 2 � R � ( R T I ) . I 12

Private key extraction (2) Solution: add perturbation vector p to correct the distribution 4 : 1. Sample p ← ֓ D Z m , COV p , → need to compute the square root of the matrix COV p = γ 2 I − r 2 ( R I ) ( R T I ) . 2. Compute v = H − 1 ( u − Ap ) , 3. Sample a short y such that Gy = v mod q , � R � 4. Then x = p + y has covariance I COV x = COV p + r 2 � R � ( R T I ) = γ 2 I and satisfies Ax = u . I 4 Chris Peikert (2010). “An Efficient and Parallel Gaussian Sampler for Lattices”. In: Advances in Cryptology–CRYPTO 2010 . https://eprint.iacr.org/2010/088.pdf . 13

Ring-LWE construction

From random lattice to ideal lattice (1) Consider the rings R = Z [ x ] / ( x n + 1 ) or R q = R / qR , with n a power of 2. If we have s , a ∈ R q , s = s 0 + s 1 x + · · · + s n − 1 x n − 1 ,   · · · a 0 a 1 a n − 1   − a n − 1 · · · a 0 a n − 2 � �   s · a = s 0 s 1 · · · s n − 1   ...     − a 1 − a 2 · · · a 0 � �� � = rot ( a ) − → Smaller storage, faster operations. 14

From random lattice to ideal lattice (2) Random lattice: integer Ideal lattice: polynomial elements in R elements in Z or Z q . or R q , with n a power of 2. ֓ U ( Z n × m A ← ) rot ( a 1 ) · · · rot ( a m / n ) q LWE: Ring-LWE: � A , s T A + e T � � � Given find Given s · a 1 + e 1 , · · · , s · a m / n + e m / n s ∈ Z n q . find s ∈ R q . SIS: Ring-SIS: Given A , find a short Given a 1 , · · · , a m / n , find x 1 , · · · , x m / n vector x ∈ Z m such that m / n � such that a i · x i = u . Ax = u . i = 1 15

Implementation