Partitioning via Non-Linear Polynomial Functions: More Compact IBEs - PowerPoint PPT Presentation

Partitioning via Non-Linear Polynomial Functions: More Compact IBEs from Ideal Lattices and Bilinear Maps Shuichi Katsumata (The University of Tokyo) Shota Yamada (AIST)

ASIACRYPT Born in 1991 (Japan) Me Born in 1991 (Japan)

Background Adaptively secure identity-based encryption  From Lattices Adaptively secure lattice IBE requires long public parameters compared to selectively secure ones.  From Bilinear Maps Adaptively secure bilinear map-based IBE under search problems require long public parameters. Topic of This Talk Can we achieve more compact IBEs??

Our Results: New Adaptively Secure IBEs • Both based on partitioning technique with non-linear functions • New IBE from ideal lattices: – Improve currently best scheme of [Yam16]: super-poly modulus → poly modulus RLWE – Use commutativity of Ring in an essential way • New IBE from bilinear maps: – First scheme with sub-linear-size mpk from search problem rather than decisional problem – Boneh-Boyen technique in the construction rather than in the security proof

Agenda I. Preliminaries II. Lattice Section  Previous Works  Our Work III. Bilinear Map Section  Previous Works  Our Work IV. Summary

Adaptive Security for IBE

Agenda I. Preliminaries II. Lattice Section  Previous Works  Our Work III. Bilinear Map Section  Previous Works  Our Work IV. Summary

Template Construction (1) A u KeyGen Secret key for ID: e A H(ID) u short vector e A lattice for ID

Template Construction A u KeyGen Secret key for ID: e A H(ID) u short vector e A lattice for ID Small errors Encryption s u A H(ID) s x

Template for Security Proof Partitioning Technique We embed the problem instance into the public parameters so that Publicly Computable A G H(ID) R ID In the simulation, We hope

Template for Security Proof Partitioning Technique We embed the problem instance into the public parameters so that Simulator’s Gadget Trapdoor Publicly matrix Computable A G H(ID) R ID (Needs to be “small” ) Only Known to Simulator In the simulation, We hope

Hashing the Identities Ex. [ABB10]+[Boy10] 𝜆 : ID Length B i H(ID) B 0 i∈S(ID) Example ) ID Length 𝜆 = 6 0 1 0 0 1 1 ID =010011 S(ID )={2, 5, 6} B 1 B 2 B 3 B 4 B 5 B 6

Hashing the Identities Ex. [ABB10]+[Boy10] 𝜆 : ID Length B i H(ID) B 0 i∈S(ID) In Simulation Set 𝑧 𝑗 A B i R i G Then 𝑧 0 + 𝑧 𝑗 A H(ID) R ID G i∈S(ID)

Hashing the Identities Ex. [ABB10]+[Boy10] 𝜆 : ID Length B i H(ID) B 0 Long public key! 𝑗∈𝑇(𝐽𝐸) #matrices linear in ID length In Simulation Set 𝑧 𝑗 A B i R i G Then F(ID): Linear Function 𝑧 0 + 𝑧 𝑗 A H(ID) R ID G 𝑗∈𝑇(𝐽𝐸)

Hashing the Identities Ex. [Yam16] (Currently, the most (asymptotically) compact lattice-based IBE) 𝐂 1,1 , ⋯ , 𝐂 1, 𝜆 (𝐁, 𝐯, 𝐂 0 ) 𝐂 2,1 , ⋯ , 𝐂 2, 𝜆 G −1 ( ) B 2,j B 1,i H(ID) B 0 (𝑗,𝑘)∈𝑇(𝐽𝐸) Create 𝜆 matrices from 2 𝜆 matrices Artificial 𝝀 Matrices

Hashing the Identities Ex. [Yam16] (Currently, the most (asymptotically) compact lattice-based IBE) 𝐂 1,1 , ⋯ , 𝐂 1, 𝜆 (𝐁, 𝐯, 𝐂 0 ) 𝐂 2,1 , ⋯ , 𝐂 2, 𝜆 G −1 ( ) B 2,j B 1,i H(ID) B 0 (𝑗,𝑘)∈𝑇(𝐽𝐸) In Simulation Set 𝑧 𝑗,𝑘 A B i,j R i,j G Then 𝑧 0 + 𝑧 1,𝑗 𝑧 2,𝑘 A H(ID) R ID G 𝑗∈𝑇(𝐽𝐸)

Hashing the Identities Ex. [Yam16] (Currently, the most (asymptotically) compact lattice-based IBE) 𝐂 1,1 , ⋯ , 𝐂 1, 𝜆 (𝐁, 𝐯, 𝐂 0 ) 𝐂 2,1 , ⋯ , 𝐂 2, 𝜆 G −1 ( ) B 2,j B 1,i H(ID) B 0 Shorter public key! (𝑗,𝑘)∈𝑇(𝐽𝐸) #matrices sqrt in ID length In Simulation Set 𝑧 𝑗,𝑘 A B i,j R i,j G F(ID): Non-Linear Function Then 𝑧 0 + 𝑧 1,𝑗 𝑧 2,𝑘 A H(ID) R ID G 𝑗∈𝑇(𝐽𝐸)

Hashing the Identities Ex. [Yam16] (Currently, the most (asymptotically) compact lattice-based IBE) 𝐂 1,1 , ⋯ , 𝐂 1, 𝜆 (𝐁, 𝐯, 𝐂 0 ) 𝐂 2,1 , ⋯ , 𝐂 2, 𝜆 Downside G −1 ( ) B 2,j B 1,i H(ID) B 0 Shorter public key! For the scheme to be (𝑗,𝑘)∈𝑇(𝐽𝐸) #matrices sqrt in ID length In Simulation secure, the modulus size Set 𝒓 must be super-poly 𝑧 𝑗,𝑘 A B i,j R i,j G F(ID): Non-Linear Function Then 𝑧 0 + 𝑧 1,𝑗 𝑧 2,𝑘 A H(ID) R ID G 𝑗∈𝑇(𝐽𝐸)

Agenda I. Preliminaries II. Lattice Section  Previous Works  Our Work III. Bilinear Map Section  Previous Works  Our Work IV. Summary

A Closer Look at [Yam16] In Simulation A G H(ID) R ID Several conditions on 𝐒 ID and 𝑧 𝑗,𝑘 ’s must hold for the security proof to hold.

Main Obstacle of [Yam16] R ID  For the simulation to succeed 𝑧 1,𝑘 must grow proportionally with Q (#query).

Main Obstacle of [Yam16] R ID Simulator’s “small” Trapdoor  For the simulation to succeed 𝑧 1,𝑘 must grow proportionally with Q (#query).  For the trapdoor 𝐒 ID to work, 𝑧 1,𝑗 must be small compared with q (modulus size).

Main Obstacle of [Yam16] R ID  For the simulation to succeed 𝑧 1,𝑘 must grow proportionally with Q (#query).  For the trapdoor 𝐒 ID to work, 𝑧 1,𝑗 must be small compared with q (modulus size). q needs to be ∀ Q :poly(n) < y < q super-poly(n)!!

Initial Idea (that doesn’t quite work) 𝑜×𝑜 Extend the definition of 𝑧 𝑗,𝑘 ∈ ℤ 𝑟 to 𝐙 1,𝑘 ∈ ℤ 𝑟 𝐂 𝑗,𝑘 = 𝐁𝐒 𝑗,𝑘 + 𝑧 𝑗,𝑘 𝐇 𝐂 𝑗,𝑘 = 𝐁𝐒 𝑗,𝑘 + 𝐙 𝑗,𝑘 𝐇 Before After 𝐙 𝑗,𝑘 𝑧 𝑗,𝑘 “pack” Q in 𝑜 2 entries “pack” Q in one entry  𝑧 𝑗,𝑘 needs to be big.  Each entry of 𝐙 𝑗,𝑘 can be => Big modulus q small. => Small modulus q

Why it doesn’t work We can’t compute the hash homomorphically!! Since we loose commutativity of 𝐁 and 𝐙 𝑗,𝑘 . 𝐂 = 𝐁𝐒 + 𝐙𝐇, 𝐂′ = 𝐁𝐒′ + 𝐙′𝐇 Let

Why it doesn’t work We can’t compute the hash homomorphically!! Since we loose commutativity of 𝐁 and 𝐙 𝑗,𝑘 . 𝐂 = 𝐁𝐒 + 𝐙𝐇, 𝐂′ = 𝐁𝐒′ + 𝐙′𝐇 Let 𝐂 ⋅ 𝐇 −1 𝐂 ′ = 𝐁𝐒 + 𝐙𝐇 ⋅ 𝐇 −1 𝐂 ′

Why it doesn’t work We can’t compute the hash homomorphically!! Since we loose commutativity of 𝐁 and 𝐙 𝑗,𝑘 . 𝐂 = 𝐁𝐒 + 𝐙𝐇, 𝐂′ = 𝐁𝐒′ + 𝐙′𝐇 Let 𝐂 ⋅ 𝐇 −1 𝐂 ′ = 𝐁𝐒 + 𝐙𝐇 ⋅ 𝐇 −1 𝐂 ′ = 𝐁𝐒 ⋅ 𝐇 −𝟐 𝐂 ′ + 𝐙(𝐁𝐒 ′ + 𝐙 ′ 𝐇)

Why it doesn’t work We can’t compute the hash homomorphically!! Since we loose commutativity of 𝐁 and 𝐙 𝑗,𝑘 . 𝐂 = 𝐁𝐒 + 𝐙𝐇, 𝐂′ = 𝐁𝐒′ + 𝐙′𝐇 Let 𝐂 ⋅ 𝐇 −1 𝐂 ′ = 𝐁𝐒 + 𝐙𝐇 ⋅ 𝐇 −1 𝐂 ′ = 𝐁𝐒 ⋅ 𝐇 −𝟐 𝐂 ′ + 𝐙(𝐁𝐒 ′ + 𝐙 ′ 𝐇) = 𝐁𝐒 ⋅ 𝐇 −𝟐 𝐂 ′ + 𝐙𝐁𝐒 ′ + 𝐙𝐙 ′ 𝐇 GOOD!! BAD!! GOOD!! Can’t obtain In general, 𝐙𝐁𝐒 ′ ≠ 𝐁𝐙𝐒′ H(ID) = 𝐁𝐒 ID + F ID 𝐇

Idea (that works) Move to the polynomial ring setting. 𝑜 (or a subring of ℤ 𝑟 𝑜×𝑜 ) as the View elements of ℤ 𝑟 polynomial ring 𝑆 𝑟 = ℤ 𝑟 [𝑌]/(𝑌 𝑜 + 1) . 𝑜−1 𝑏 0 𝑏 𝑗 𝑌 𝑗 ∈ 𝑆 𝑟 𝑜 ∋ ⋮ ℤ 𝑟 𝑏 𝑜−1 𝑗=0

Idea (that works) Move to the polynomial ring setting. 𝑜 (or a subring of ℤ 𝑟 𝑜×𝑜 ) as the View elements of ℤ 𝑟 polynomial ring 𝑆 𝑟 = ℤ 𝑟 [𝑌]/(𝑌 𝑜 + 1) . 𝑜−1 𝑏 0 𝑏 𝑗 𝑌 𝑗 ∈ 𝑆 𝑟 𝑜 ∋ ⋮ ℤ 𝑟 𝑏 𝑜−1 𝑗=0 𝒄 = 𝒃𝑺 + 𝑧𝒉 , where Then, 𝑙×𝑙 , 𝑙 , 𝑺 ∈ 𝑆 𝑟 𝐂 = 𝐁𝐒 + y𝐇 𝒃, 𝒄, 𝒉 ∈ 𝑆 𝑟 𝑧 ∈ 𝑆 𝑟 y ∈ ℤ 𝑟

Why it works 𝑙 , ※ 𝒃, 𝒄, 𝒉 ∈ 𝑆 𝑟 𝒄 = 𝒃𝑺 + 𝑧𝒉 𝑙×𝑙 , 𝑧 ∈ 𝑆 𝑟 𝑺 ∈ 𝑆 𝑟  When 𝑧 𝑗,𝑘 ∈ 𝑆 𝑟 , we get commutativity 𝑙 for free. with 𝒃 ∈ 𝑆 𝑟  Since 𝑧 𝑗,𝑘 ∈ 𝑆 𝑟 can be viewed as vectors 𝑜 , we can “pack” Q in n entries , which in ℤ 𝑟 allows us to use poly-sized modulus q.

Some Ignored Problems  𝑆 𝑟 is no longer a field, so even when 𝒃𝑺 𝐽𝐸 + F 𝑧 ID 𝒉 for F 𝑧 ID ≠ 0 , the trapdoor may not be useful in case 𝑆 𝑟 is not invertible.  In Yam16, the “smudging” technique was used to create the challenge ciphertext, however, this necessarily leads to super-poly modulus q.

Agenda I. Preliminaries II. Lattice Section  Previous Works  Our Work III. Bilinear Map Section  Previous Works  Our Work IV. Summary

IBE from Search Problems on Bilinear Maps • Dual system encryption methodology inherently requires decisional problem. (SXDH, DLIN, Matrix- DDH,…)

IBE from Search Problems on Bilinear Maps • Dual system encryption methodology inherently requires decisional problem. (SXDH, DLIN, Matrix- DDH,…) • Known Solutions: Waters IBE Boneh-Boyen IBE + Hardcore function