Programmable Hash Functions in the Multilinear Setting
Eduarda S. V. Freire, Dennis Hofheinz, Kenneth G. Paterson and Christoph Striecks
CRYPTO 2013 - Santa Barbara, CA, U.S.A. August 20, 2013
Programmable Hash Functions (PHFs) – Part 1

Overview of PHFs [HK08]
- abstraction of random oracles that can also be instantiated in the standard model
- maps a bitstring X to a group element H(X) ∈ G
- a special trapdoor allows us to write H(X) = c^{a_X} h^{b_X} for previously chosen c, h
- used to employ partitioning techniques in security proofs – H(X) contains a challenge component iff a_X ≠ 0 (1)
  if a_X = 0: H(X) = h^{b_X}
  if a_X ≠ 0: H(X) = c^{a_X} h^{b_X}

hk ← HGen(1^k)
H_hk(X) ← HEval(hk, X)
(hk′, td) ← TGen(1^k, c, h), with hk ≈ hk′ (statistically close)
(a_X, b_X) ← TEval(td, X), with H_{hk′}(X) = c^{a_X} h^{b_X}

(m, n)–PHF: for any X_1, …, X_m, Z_1, …, Z_n (with X_i ≠ Z_j)
Pr[a_{X_1} = … = a_{X_m} = 0 ∧ a_{Z_1}, …, a_{Z_n} ≠ 0] is noticeable

(1) We may also find the case where H(X) contains a challenge component iff a_X = 0
Programmable Hash Functions (PHFs) – Part 2

Previous PHF Constructions [HK08,HJK11]
- (m, n) = (1, poly), i.e., (1, q(k)) for every polynomial q(k)
  In [W05] Waters implicitly uses a (1, poly)–PHF
- (m, n) = (m, 1), for fixed m

Limitations of PHFs
- PHFs were initially meant as a standard model replacement for random oracles
- (poly, n)–PHFs would be very useful. Do they exist?
- [HMS12]: impossibility result
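As an added illustration (not code from the slides or from the paper), the following Python toy implements the four PHF algorithms of the two slides above for a Waters-style multi-generator hash, the (1, poly)-PHF example of [HK08]/[W05], in a small prime-order subgroup of Z_p^*: the trapdoor key generator embeds c and h into every generator, TEval recovers (a_X, b_X) such that H_{hk'}(X) = c^{a_X} h^{b_X}, and the partitioning event of the (m, n) definition (a_{X*} = 0 while every a_{Z_j} ≠ 0) is estimated empirically. The group parameters P, Q, G, the exponent windows in tgen and the inputs are constructed for the demo and are far too small for any real use.

```python
import random

# Toy cyclic group: the order-Q subgroup of Z_P^* with P = 2Q + 1 (constructed; far too small for real use).
P, Q, G = 2039, 1019, 4       # 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup
ELL = 16                      # bit length of the inputs X


def hgen(rng):
    """HGen: hk = (h_0, ..., h_ℓ), independent uniform group elements (Waters-style hash key)."""
    return [pow(G, rng.randrange(1, Q), P) for _ in range(ELL + 1)]


def heval(hk, x: int) -> int:
    """HEval: H_hk(X) = h_0 * prod_{i : X_i = 1} h_i."""
    out = hk[0]
    for i in range(ELL):
        if (x >> i) & 1:
            out = out * hk[i + 1] % P
    return out


def tgen(rng, c: int, h: int, span: int = 8):
    """TGen: h_i = c^{alpha_i} h^{beta_i} with small alpha_i and uniform beta_i.
    Because beta_i is uniform, hk' is distributed like an honest key; td keeps the exponents.
    alpha_0 is drawn from a window wide enough that a_X = 0 (no challenge component) happens
    for a noticeable fraction of keys, which is what a partitioning proof needs."""
    alpha = [rng.randrange(-ELL * span, 1)] + [rng.randrange(0, span + 1) for _ in range(ELL)]
    beta = [rng.randrange(1, Q) for _ in range(ELL + 1)]
    hk = [pow(c, a % Q, P) * pow(h, b, P) % P for a, b in zip(alpha, beta)]
    return hk, (alpha, beta, c, h)


def teval(td, x: int):
    """TEval: (a_X, b_X) with H_{hk'}(X) = c^{a_X} h^{b_X}."""
    alpha, beta, _, _ = td
    bits = [1] + [(x >> i) & 1 for i in range(ELL)]        # h_0 always contributes
    a_x = sum(a * t for a, t in zip(alpha, bits))
    b_x = sum(b * t for b, t in zip(beta, bits)) % Q
    return a_x, b_x


def decomposition_holds(td, hk, x: int) -> bool:
    """Check that TEval's output really explains H_{hk'}(X)."""
    a_x, b_x = teval(td, x)
    _, _, c, h = td
    return pow(c, a_x % Q, P) * pow(h, b_x, P) % P == heval(hk, x)


def partitions(td, x_star: int, zs) -> bool:
    """The (1, n) event: the challenge input has a_X = 0 and every other query has a_Z != 0."""
    return teval(td, x_star)[0] == 0 and all(teval(td, z)[0] != 0 for z in zs)


def demo(seed=1, trials=3000):
    """Fraction of trapdoor keys that partition one fixed X* against three Z_j,
    plus whether the decomposition held for every key tried."""
    rng = random.Random(seed)
    c, h = pow(G, rng.randrange(1, Q), P), pow(G, rng.randrange(1, Q), P)
    xs = [rng.randrange(0, 1 << ELL) for _ in range(4)]       # constructed inputs: X*, Z_1, Z_2, Z_3
    hits, all_ok = 0, True
    for _ in range(trials):
        hk, td = tgen(rng, c, h)
        all_ok = all_ok and decomposition_holds(td, hk, xs[0])
        hits += partitions(td, xs[0], xs[1:])
    return hits / trials, all_ok


if __name__ == "__main__":
    print(demo())
```

The observed fraction is roughly 1/(ℓ·span + 1) times the probability that no Z_j collides with X* on its weighted sum, i.e. noticeable but small; the (1, poly) analysis in [HK08] chooses the alpha windows as a function of the number of queries to make this bound explicit.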
Our Work: MPHFs + Applications

Construction of (poly, n)–MPHFs
- we construct analogues of (poly, n)–PHFs by adapting the original PHF definition
- we work in a setting where multilinear maps are available

Our Applications
- using our MPHFs we give standard model versions of cryptographic schemes whose security has so far only been proven in the ROM
  - SM versions of Boneh-Franklin (BF) IBE, Boneh-Lynn-Shacham (BLS) signatures, and Sakai-Ohgishi-Kasahara (SOK) ID-NIKE
  - this yields the first SM secure ID-NIKE scheme
- we derive hierarchical versions of the BF, BLS, and SOK schemes
  - ours is the first fully secure H-ID-NIKE scheme with security either in the SM or in the ROM
- in this talk we focus on our H-ID-NIKE construction

We use an abstraction of multilinear maps that is compatible with the recent “noisy” candidate for multilinear maps of Garg, Gentry, and Halevi [GGH13].
Multilinear Maps

ℓ–group system: G_1, G_2, …, G_ℓ, p, {e_{i,j}}_{i,j≥1, i+j≤ℓ}
- e_{i,j} : G_i × G_j → G_{i+j} (bilinear maps)
- e as shorthand for e_{i,j}
- for h_j ∈ G_{i_j} and i_1 + … + i_j ≤ ℓ we abbreviate
  e(h_1, …, h_j) := e(h_1, e(h_2, …, e(h_{j−1}, h_j) …)) (a j-linear map)

Hardness Assumptions
- (ℓ+1)–power assumption: Given (g, g^x) (for g ← G_1 and uniform x), distinguish S = e(g^x, …, g^x)^x ∈ G_ℓ (ℓ copies of g^x) from random S ∈ G_ℓ
- ℓ–MDDH assumption: Given (g, g^{x_1}, …, g^{x_{ℓ+1}}) (for g ← G_1 and uniform x_i), distinguish S = e(g^{x_1}, …, g^{x_ℓ})^{x_{ℓ+1}} ∈ G_ℓ from random S ∈ G_ℓ
MPHFs - Definition

Our Definition of MPHFs
- we assume an ℓ–group system MPG_ℓ ← MG_ℓ(1^k)
- for chosen {c_i}_{i∈[ℓ]}, h ∈ G_1, a special trapdoor allows us to write H(X) = e(c_1, …, c_ℓ)^{a_X} · e(B_X, h) ∈ G_ℓ instead of H(X) = c^{a_X} h^{b_X} for c and h in the target group

hk ← HGen(1^k)
H_hk(X) ← HEval(hk, X)
(hk′, td) ← TGen(1^k, c_1, …, c_ℓ, h), with hk ≈ hk′ (statistically close)
(a_X ∈ Z, B_X ∈ G_{ℓ−1}) ← TEval(td, X), with H_{hk′}(X) = e(c_1, …, c_ℓ)^{a_X} · e(B_X, h)

(m, n)–MPHF: for any X_1, …, X_m, Z_1, …, Z_n (with X_i ≠ Z_j)
Pr[a_{X_1} = … = a_{X_m} = 0 ∧ a_{Z_1}, …, a_{Z_n} ≠ 0] is noticeable
MPHFs – Our Constructions

MM: (poly, 1)–MPHF into G_ℓ from AHF: {0, 1}^k → {0, 1}^ℓ
- HGen(1^k): hk := (h_{1,0}, …, h_{ℓ,0}, h_{1,1}, …, h_{ℓ,1}) ← G_1 \ {1}
- HEval(hk, X): (t_1, …, t_ℓ) := AHF(X); MM_hk(X) := e(h_{1,t_1}, …, h_{ℓ,t_ℓ}) ∈ G_ℓ

Admissible Hash Function (AHF)
- special type of hash function that has certain combinatorial properties
- can be constructed, for example, from codes

(poly, n)–MPHF
Assume H = (HGen, HEval) is a (poly, 1)–MPHF into G_ℓ; then we construct a (poly, n)–MPHF H′ = (HGen′, HEval′) into G_ℓ
- HGen′(1^k): hk′ = (hk_ν)_{ν∈[n]} for hk_ν ← HGen(1^k)
- HEval′(hk′, X): H′_{hk′}(X) := ∏_{ν∈[n]} H_{hk_ν}(X)
H-ID-NIKE – Definition and Security Model

- TA root: level 0
- id = (id_1, …, id_d) ∈ IDS^d for a user at level d ∈ [L]; L: level of hierarchy
- Three algorithms: Setup, Del, ShK
  TA: (mpk, msk) ← Setup(1^k, L), msk = usk_ε
  usk_{id1} ← Del(mpk, msk, id1); likewise usk_{id2}, usk_{id3}
  usk_{id4} ← Del(mpk, usk_{id1}, id4); likewise usk_{id5}, usk_{id6}
  usk_{id12}, usk_{id13}, usk_{id14}, usk_{id15} at the next level
  K_{id14,id18} ← ShK(mpk, usk_{id14}, id18) = ShK(mpk, usk_{id18}, id14)
  K_{id1,id8} ← ShK(mpk, usk_{id1}, id8) = ShK(mpk, usk_{id8}, id1)

[Figure: hierarchy tree rooted at the TA with nodes id1, …, id19]

Security Model: extension of the PS model [PS09] for hierarchies – any number of nodes can be compromised at any level in the hierarchy (full security).
A^{Extract(id), Reveal(id_1, id_2), Test(id*_1, id*_2)}
Restrictions: id cannot be an ancestor of id*_1 or id*_2; no Reveal queries on (id*_1, id*_2) and (id*_2, id*_1) are allowed.

Note: The only reasonably secure existing H-ID-NIKE scheme before our work was the one by Gennaro et al. [GHKRRW08]. Drawbacks of the Gennaro et al. scheme:
- 1. at higher levels in the hierarchy only a limited number of nodes can be compromised
- 2. security only in the ROM
- 3. shared keys can only be computed between leaf nodes
H-ID-NIKE - Our Construction (HIDNIKE_MPHF)

- id = (id_1, …, id_d) ∈ ({0, 1}^k)^d; any node can have up to 2^k children

Example: L = 3
- MPG_{2ℓL} ← MG_{2ℓL}(1^k); x ← Z_p, u ← G_ℓ; hk_i ← HGen(1^k) (i ∈ [L])
- msk := x; mpk := (MPG_{2ℓL}, {hk_i}_{i∈[L]}, u)
- usk_{id1} = H_{hk_1}(id1)^x ∈ G_ℓ
- usk_{id6} = e(H_{hk_1}(id1), H_{hk_2}(id6))^x ∈ G_{2ℓ}
- usk_{id18} = e(H_{hk_1}(id1), H_{hk_2}(id6), H_{hk_3}(id18))^x ∈ G_{3ℓ}
- Y_{id14} = e(H_{hk_1}(id1), H_{hk_2}(id4), H_{hk_3}(id14)) ∈ G_{3ℓ}
  K_{id14,id18} = e(usk_{id18}, Y_{id14}) = e(usk_{id14}, Y_{id18}) = e(H_{hk_1}(id1), H_{hk_2}(id6), H_{hk_3}(id18), H_{hk_1}(id1), H_{hk_2}(id4), H_{hk_3}(id14))^x ∈ G_{2ℓ·3}
- Y_{id4} = e(H_{hk_1}(id1), H_{hk_2}(id4)) ∈ G_{2ℓ}
  K_{id4,id18} = e(usk_{id18}, Y_{id4}, u) = e(usk_{id4}, Y_{id18}, u) = e(H_{hk_1}(id1), H_{hk_2}(id6), H_{hk_3}(id18), H_{hk_1}(id1), H_{hk_2}(id4), u)^x ∈ G_{2ℓ·3}

[Figure: hierarchy tree rooted at the TA; nodes id1, id4, id5, id6, id12, …, id19]

Theorem: Let H be a (poly, 2)–MPHF into G_ℓ. Then HIDNIKE_MPHF is secure under the (2ℓL + 1)–power assumption.
Further Notes

On (H-)ID-NIKE
- HIDNIKE_MPHF is the first fully secure H-ID-NIKE scheme either in the Standard Model or in the ROM
- for L = 1 we reduce HIDNIKE_MPHF to a non-hierarchical ID-NIKE scheme IDNIKE_MPHF
- IDNIKE_MPHF is the first ID-NIKE scheme secure in the Standard Model
- when H is instantiated with a RO, then IDNIKE_MPHF is the Sakai-Ohgishi-Kasahara ID-NIKE scheme* [SOK00]
- our (H-)ID-NIKE schemes can also be generalized to work in a setting with multiple TAs or in a setting where shared keys can be computed by a group of users (instead of 2)
Further Notes

On (H-)IBE and Signature Schemes
- using (poly, 1)–MPHFs and similar techniques as before we also obtain IBE, HIBE and signature schemes which are secure in the Standard Model
- our (H-)IBE schemes are (hierarchical) standard model versions of the Boneh-Franklin IBE scheme
- our signature schemes are (hierarchical) standard model versions of the Boneh-Lynn-Shacham signature scheme
Thank you for your attention!
Bibliography

[GGH13] Candidate multilinear maps from ideal lattices. Garg, Gentry and Halevi - EUROCRYPT 2013
[GHKRRW08] Strong-resilient and non-interactive hierarchical key-agreement in MANETs. Gennaro, Halevi, Krawczyk, Rabin, Reidt and Wolthusen - ESORICS 2008
[HK08] Programmable hash functions and their applications. Hofheinz, Kiltz - CRYPTO 2008
[HMS12] On the impossibility of constructing efficient key encapsulation and programmable hash functions in prime order groups. Hanaoka, Matsuda and Schuldt - CRYPTO 2012
[PS09] On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups. Paterson and Srinivasan - Des. Codes Cryptography 2009
[SOK00] Cryptosystems based on pairing. Sakai, Ohgishi and Kasahara - SCIS 2000
[W05] Efficient identity-based encryption without random oracles. Waters - EUROCRYPT 2005