Lattice-based Proxy Re-encryption
PKC 2014, 26.03.14
Elena Kirshanova, Horst Görtz Institute for IT Security, Ruhr University Bochum
Outline
1 Definition of PRE and Security Model
2 Previous constructions and our contribution
3 One-way functions on lattices
4 Extended G-trapdoor and Re-Encryption
The informal definition of a Proxy Re-Encryption
PRE based on lattices|PKC 2014|26.03.14 3/23
The formal Definition

Definition 1 (Proxy Re-Encryption). A unidirectional Proxy Re-Encryption (PRE) is a tuple of algorithms:
◮ $(pk, sk) \leftarrow \mathrm{KeyGen}(1^n)$
◮ $c_{pk} \leftarrow \mathrm{Enc}(pk, m)$
◮ $m \leftarrow \mathrm{Dec}(sk, c)$
◮ $rk_{pk \to pk'} \leftarrow \mathrm{ReKeyGen}(pk, sk, pk')$
◮ $c' \leftarrow \mathrm{ReEnc}(rk_{pk \to pk'}, c_{pk})$
PRE-CCA1 Security (simplified)

The game $\mathrm{PRE}^{\mathrm{CCA1}}_{\mathcal{A},\Pi}(n)$ between the challenger and the adversary $\mathcal{A}$:
◮ $\mathcal{A}$ receives the target public key $pk^*$.
◮ $\mathcal{A}$ makes queries of the form $(pk, pk')$, $rk_{pk \to pk'}$, $(\mathrm{Dec}(c), pk)$, $\cdots$ (the CCA1 query phase).
◮ $\mathcal{A}$ outputs $m_0, m_1 \in \mathcal{M}$.
◮ The challenger picks $b \leftarrow \{0, 1\}$ and returns $c^* = \mathrm{Enc}(pk^*, m_b)$.
◮ $\mathcal{A}$ outputs $b' \in \{0, 1\}$.
◮ If $b = b'$ output 1, else output 0.
Desired properties of PRE schemes
◮ Unidirectional ($rk_{pk \to pk'} \neq rk_{pk' \to pk}$)
◮ Non-interactive ($\mathrm{ReKeyGen}(pk, sk, pk')$)
◮ Collusion ‘safe’
◮ Key optimal
◮ Non-transitive
◮ Proxy invisibility
PRE overview

Scheme      Unidirectional  Non-interactive  Collusion-safe  Assumption  Security Model
[BBS98]     ✗               ✗                ✗               DDH         IND-CPA
[AFGH06]    ✓               ✓                ✓               eDBDH       IND-CPA
[CH07]      ✗               ✗                ✗               DBDH        IND-CCA
[Xag10]     ✗               ✗                ✗               LWE         IND-CPA
This work   ✓               ✓                ✓               LWE         IND-CCA1
Main result

Theorem 2. Our unidirectional Proxy Re-Encryption scheme is IND-CCA1-secure assuming the hardness of decision-LWE.
Lattice definition
◮ A lattice $\Lambda$ of dimension $m$ is a discrete additive subgroup of $\mathbb{Z}^m$.
[figure: a two-dimensional lattice drawn with basis vectors $b_1$, $b_2$]
◮ Basis $B = \{b_1, \ldots, b_k\}$: $\Lambda(B) = \{Bz : z \in \mathbb{Z}^k\}$.
Gaussians on Lattices

$v \leftarrow D_{\Lambda, s} \iff v \propto \rho_s(x) = \exp\!\left(-\pi \|x\|^2 / s^2\right)$
One-way functions from lattices
◮ Public $A \in \mathbb{Z}_q^{n \times m}$, $q = \mathrm{poly}(n)$, $m \approx n \log q$
◮ SIS: $u := f_A(x) = Ax \bmod q \in \mathbb{Z}_q^n$
◮ LWE: $g_A(s, e) = s^t A + e^t \bmod q \in \mathbb{Z}_q^m$
◮ $f_A^{-1}$: sample $x' \leftarrow D_{\Lambda_u, s}$ s.t. $Ax' = u$
◮ $g_A^{-1}$: find the unique $s$ (or $e$)
G-trapdoor [PM12]
◮ For a uniform $A_0 \in \mathbb{Z}_q^{n \times \bar m}$ and a short $R \leftarrow \mathbb{Z}^{\bar m \times nk}$ define
$$A = [A_0 \mid G] \begin{pmatrix} I & -R \\ 0 & I \end{pmatrix} = [A_0 \mid G - A_0 R]$$
for some $G$ with easy $f_G^{-1}$ and $g_G^{-1}$.
◮ $[A_0 \mid A_0 R]$ is uniform by the leftover hash lemma, so is $A$.
◮ $A \cdot \begin{pmatrix} R \\ I \end{pmatrix} = G$
Extended G-trapdoor
◮ Idea: generate multiple $R$-transformations
$$A = [\,A_0 \mid \underbrace{G - A_0 R_1}_{\text{trapdoor for } f_A} \mid \underbrace{G - A_0 R_2}_{\text{trapdoor for } g_A}\,]$$
◮ $R_1$ allows sampling short vectors (i.e. generating $rk$)
◮ $R_2$ allows inverting $s^t A + e^t$ (i.e. decrypting)
Encryption
◮ $pk = [A_0 \mid G - A_0 R_1 \mid G - A_0 R_2] \in \mathbb{Z}_q^{n \times m}$, $sk := [R_1 \mid R_2]$
◮ $\mathrm{Enc}(mes, pk)$:
$$c_1 = s^t \cdot pk + e_1^t \bmod q,$$
$$c_2 = s^t \cdot A_{aux} + e_2^t + \mathrm{enc}(mes) \bmod q,$$
for $s \xleftarrow{\$} \mathbb{Z}_q^n$, $e_1, e_2 \leftarrow D_s$, $A_{aux} \xleftarrow{\$} \mathbb{Z}_q^{n \times nk}$ and $\mathrm{enc}(mes) := mes \cdot \lfloor q/2 \rfloor$.
◮ $\mathrm{Dec}(c = (c_1, c_2, A_{aux}), sk)$: recover $s$ using $R_2$:
$$c_1 \cdot \begin{pmatrix} R_2 \\ 0 \\ I \end{pmatrix} = s^t G + e^t \bmod q.$$
Re-Encryption key generation
◮ Goal: transform $c_1 = s^t \cdot pk + e^t \;\to\; c_1' = s^t \cdot pk' + \tilde e^t$, i.e.
$$c = s^t [A_0 \mid G - A_0 R_1 \mid G - A_0 R_2] + e^t \;\to\; c' = s^t [A_0' \mid G - A_0' R_1' \mid G - A_0' R_2'] + \tilde e^t$$
◮ Use $R_1$ to sample a Gaussian $x$ for a vector $a$: $[A_0 \mid G - A_0 R_1] \cdot x = a$
◮ Extend to matrices column-wise:
$$[A_0 \mid G - A_0 R_1] \cdot [x_1, \ldots, x_n] = [a_1, \ldots, a_n] = A_0',$$
$$[A_0 \mid G - A_0 R_1] \cdot [x_1', \ldots, x_n'] = [a_1', \ldots, a_n'] = G - A_0' R_1',$$
$$[A_0 \mid G - A_0 R_1] \cdot [x_1'', \ldots, x_n''] = [a_1'', \ldots, a_n''] = G - A_0' R_2'.$$
◮ So $pk = [A_0 \mid G - A_0 R_1 \mid G - A_0 R_2] \xrightarrow{rk} pk' = [A_0' \mid G - A_0' R_1' \mid G - A_0' R_2']$, where the three blocks of $pk'$ are obtained by multiplying with $X_0$, $X_1$, $X_2$ respectively, and
$$rk_{pk \to pk'} = \begin{pmatrix} X_0 & X_1 & X_2 \\ 0 & 0 & I \end{pmatrix} \in \mathbb{Z}^{m \times m}, \text{ where all } X \text{ are Gaussian.}$$
Re-Encryption
So for $c_1 = s^t [A_0 \mid G - A_0 R_1 \mid G - A_0 R_2] + e^t \bmod q$:
◮ $c_1' = \mathrm{ReEnc}(c_{pk}, rk_{pk \to pk'}) = c_{pk} \cdot rk_{pk \to pk'}$
◮ $c_1' = s^t [A_0' \mid G - A_0' R_1' \mid G - A_0' R_2'] + \tilde e^t \bmod q$, where
$$\tilde e^t = (e_0, e_1)^t \cdot \begin{pmatrix} X_0 & X_1 & X_2 \\ 0 & 0 & I \end{pmatrix}$$
is as small as $\approx \sqrt{3} \cdot \|e_0 X_2\| + \|e_1\|$.
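A toy Python run of the KeyGen / Dec / ReKeyGen / ReEnc algebra from the Encryption, Re-Encryption key generation and Re-Encryption slides above. This is an added example, not the paper's or the talk's code: it uses constructed tiny parameters ($n = 2$, $q = 2^{12}$, $\bar m = 4$), $\{-1, 0, 1\}$ trapdoors in place of discrete Gaussians and a deterministic gadget preimage in place of Gaussian sampling, so it only shows that $pk \cdot rk = pk'$, that $R_2$ inverts $s^t A + e^t$ and that the re-encrypted $c_1$ still decrypts under $sk'$; it has none of the scheme's security properties.

```python
# Toy run of the extended G-trapdoor PRE from the slides (added example, not the
# paper's code): constructed tiny parameters, {-1,0,1} trapdoors instead of discrete
# Gaussians and a deterministic gadget preimage instead of Gaussian sampling.
import random

N, K, MBAR = 2, 12, 4                 # n, log2(q), m-bar (constructed toy sizes)
Q, NK = 1 << K, N * K                 # q = 2^k and the gadget width nk
def mul(A, B, mod=Q):                 # matrix product; mod=0 keeps integer entries
    C = [[sum(a * b for a, b in zip(r, c)) for c in zip(*B)] for r in A]
    return [[x % mod for x in r] for r in C] if mod else C
def sub(A, B): return [[(a - b) % Q for a, b in zip(r, t)] for r, t in zip(A, B)]
def hcat(*Ms): return [sum(rows, []) for rows in zip(*Ms)]
def vcat(*Ms): return [r for M in Ms for r in M]
def rnd(r, c, lo, hi): return [[random.randint(lo, hi) for _ in range(c)] for _ in range(r)]
def ident(n): return [[int(i == j) for j in range(n)] for i in range(n)]
def zeros(r, c): return [[0] * c for _ in range(r)]
def cut(M, a, b): return [r[a:b] for r in M]

# Gadget G = I_n (x) (1, 2, 4, ..., 2^(k-1)): inverting s^t G + e^t is easy.
G = [[(1 << j) * (r == i) for i in range(N) for j in range(K)] for r in range(N)]
def keygen():                         # pk = [A0 | G - A0 R1 | G - A0 R2], sk = (R1, R2)
    A0, R1, R2 = rnd(N, MBAR, 0, Q - 1), rnd(MBAR, NK, -1, 1), rnd(MBAR, NK, -1, 1)
    return hcat(A0, sub(G, mul(A0, R1)), sub(G, mul(A0, R2))), (R1, R2)

def g_invert(b):                      # s from b = s^t G + eps^t with |eps| < q/4
    s = []
    for i in range(N):
        si = 0
        for j in range(K - 1, -1, -1):          # digit j carries bit (k-1-j) of s_i
            t = (b[i * K + j] - si * (1 << j)) % Q
            si |= (Q // 4 < t < 3 * Q // 4) << (K - 1 - j)
        s.append(si)
    return s
def dec_s(c1, sk):                    # c1 [R2; 0; I] = s^t G + e^t [R2; 0; I] mod q
    return g_invert(mul(c1, vcat(sk[1], zeros(NK, NK), ident(NK)))[0])
def preimage(R1, U):                  # short X with [A0 | G - A0 R1] X = U mod q
    Z = [[(U[r // K][c] >> (r % K)) & 1 for c in range(len(U[0]))] for r in range(NK)]
    return mul(vcat(R1, ident(NK)), Z, mod=0)   # G Z = U, so [A0 | G - A0 R1][R1; I] Z = U

def rekeygen(pk, sk, pk2):            # rk = [[X0 X1 X2], [0 0 I]] with pk rk = pk2 mod q
    m1 = MBAR + NK                    # the I block carries pk's last block, so X2 hits the difference
    Xs = [preimage(sk[0], cut(pk2, 0, MBAR)), preimage(sk[0], cut(pk2, MBAR, m1)),
          preimage(sk[0], sub(cut(pk2, m1, None), cut(pk, m1, None)))]
    return vcat(hcat(*Xs), hcat(zeros(NK, m1), ident(NK)))

def demo(seed=7):                     # (true s, s via sk, s via sk2 after ReEnc, pk rk == pk2)
    random.seed(seed)
    (pk, sk), (pk2, sk2), s = keygen(), keygen(), rnd(1, N, 0, Q - 1)
    c1 = [[(a + e) % Q for a, e in zip(mul(s, pk)[0], rnd(1, len(pk[0]), -1, 1)[0])]]
    rk = rekeygen(pk, sk, pk2)        # c1 rk = s^t pk2 + e^t rk, and e^t rk stays short
    return s[0], dec_s(c1, sk), dec_s(mul(c1, rk), sk2), mul(pk, rk) == pk2
```

With these sizes the error after one re-encryption is bounded by about 600 < q/4 = 1024, which is why the second decryption still succeeds; shrinking q or using larger trapdoor entries breaks it, mirroring the noise growth the slide's $\sqrt{3} \cdot \|e_0 X_2\| + \|e_1\|$ bound tracks.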
Summary

Proxy re-encryption scheme that
◮ is based on hard problems on lattices
◮ is unidirectional
◮ does not require a trusted party to generate re-encryption keys
◮ uses the ‘Extended G-trapdoor’.

Many thanks for your attention!
References

[AFGH06] Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. Improved proxy re-encryption schemes with applications to secure distributed storage. In ACM TISSEC, pages 29–43, 2006.
[BBS98] Matt Blaze, Gerrit Bleumer, and Martin Strauss. Divertible protocols and atomic proxy cryptography. In EUROCRYPT, pages 127–144. Springer-Verlag, 1998.
[CH07] Ran Canetti and Susan Hohenberger. Chosen-ciphertext secure proxy re-encryption. In Proc. of ACM CCS 2007, pages 185–194. ACM Press, 2007.
[PM12] Chris Peikert and Daniele Micciancio. Trapdoors for lattices: Simpler, tighter, faster, smaller. In EUROCRYPT, pages 700–718, 2012.
[Xag10] Keita Xagawa. Cryptography with Lattices. PhD thesis, Tokyo Institute of Technology, 2010.