Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond - - PowerPoint PPT Presentation

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert

Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010

1 / 23

Talk Agenda

1 Lattice-based trapdoor functions and ‘oblivious’ sampling 2 Applications: signatures, ID-based encryption (in RO model) 3 ‘Bonsai trees:’ removing the RO & more advanced apps

2 / 23

Talk Agenda

1 Lattice-based trapdoor functions and ‘oblivious’ sampling 2 Applications: signatures, ID-based encryption (in RO model) 3 ‘Bonsai trees:’ removing the RO & more advanced apps

◮ C. Gentry, C. Peikert, V. Vaikuntanathan (STOC 2008) “Trapdoors for Hard Lattices and New Cryptographic Constructions” ◮ D. Cash, D. Hofheinz, E. Kiltz, C. Peikert (Eurocrypt 2010) “Bonsai Trees, or How to Delegate a Lattice Basis”

2 / 23

This Talk’s Main Message Lattices admit a hierarchy of increasingly powerful ‘trapdoors,’ which enable many rich applications

3 / 23

Part 1: Trapdoor Functions and Oblivious Sampling

4 / 23

Digital Signatures

(Images courtesy xkcd.org) 5 / 23

Digital Signatures

(secret) (public)

(Images courtesy xkcd.org) 5 / 23

Digital Signatures

(secret) (public) “I love you” ✔

(Images courtesy xkcd.org) 5 / 23

Digital Signatures

(secret) (public) “It’s over” ✗

(Images courtesy xkcd.org) 5 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ Trapdoor permutation [DH’76,RSA’77,. . . ] D D x y f

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ Trapdoor permutation [DH’76,RSA’77,. . . ] D D x y

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ Trapdoor permutation [DH’76,RSA’77,. . . ] D D x y f −1

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ Trapdoor permutation [DH’76,RSA’77,. . . ] D D x y f −1 ◮ ‘Hash and sign:’ pk = f, sk = f −1. Sign(msg) = f −1(H(msg)).

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ Trapdoor permutation [DH’76,RSA’77,. . . ] D D x y f −1 ◮ ‘Hash and sign:’ pk = f, sk = f −1. Sign(msg) = f −1(H(msg)). ◮ Candidate TDPs: [RSA’78,Rabin’79,Paillier’99] (“general assumption”) All rely on hardness of factoring:

✗ Complex: 2048-bit exponentiation ✗ Broken by quantum algorithms [Shor’97]

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ New twist: preimage sampleable trapdoor function D R x y f

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ New twist: preimage sampleable trapdoor function D R x y f

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ New twist: preimage sampleable trapdoor function D R x y f −1

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ New twist: preimage sampleable trapdoor function D R x y f −1 ◮ ‘Hash and sign:’ pk = f, sk = f −1. Sign(msg) = f −1(H(msg)).

6 / 23

Central Tool: Trapdoor Functions

◮ Public function f with secret ‘trapdoor’ f −1 ◮ New twist: preimage sampleable trapdoor function D R x y f −1 ◮ ‘Hash and sign:’ pk = f, sk = f −1. Sign(msg) = f −1(H(msg)). ◮ Still secure! Can generate (x, y) in two equivalent ways: REALITY PROOF R y x

f −1

D x y

f

6 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S

s1 s2 b1 b2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

b1 b2 7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2

Technical Issues

1 Generating ‘hard’ lattice together with short basis

7 / 23

GGH Signatures

[GoldreichGoldwasserHalevi’96]

◮ Key idea: pk = ‘bad’ basis B for L, sk = ‘short’ trapdoor basis S ◮ Sign H(msg) ∈ Rn with “nearest-plane” algorithm [Babai’86]

s1 s2

Technical Issues

1 Generating ‘hard’ lattice together with short basis 2 Signing algorithm leaks secret basis!

⋆ Total break after several signatures [NguyenRegev’06] 7 / 23

Blurring a Lattice

8 / 23

Blurring a Lattice

8 / 23

Blurring a Lattice

8 / 23

Blurring a Lattice

‘Uniform’ in Rn when Gaussian std dev ≥ minimum basis length

8 / 23

Blurring a Lattice

‘Uniform’ in Rn when Gaussian std dev ≥ minimum basis length ◮ First used in worst/average-case reductions [Regev’03,MiccReg’04,. . . ]

8 / 23

Blurring a Lattice

‘Uniform’ in Rn when Gaussian std dev ≥ minimum basis length ◮ First used in worst/average-case reductions [Regev’03,MiccReg’04,. . . ] ◮ Now an essential ingredient in many crypto protocols

[GPV’08,PV’08,ACPS’09,CHKP’10,OP’10,. . . ]

8 / 23

Trapdoor Function: Evaluation

f

◮ ‘Bad’ basis for L specifies f

b1 b2 9 / 23

Trapdoor Function: Evaluation

f

◮ ‘Bad’ basis for L specifies f ◮ f(v, x) = v + x for v ∈ L, Gaussian x. ⇒ Output u is uniform over Rn.

v x u 9 / 23

Trapdoor Function: Evaluation

f

◮ ‘Bad’ basis for L specifies f ◮ f(v, x) = v + x for v ∈ L, Gaussian x. ⇒ Output u is uniform over Rn. ◮ Inverting ⇔ decoding u

(hard?)

u 9 / 23

Trapdoor Function: Evaluation

f

◮ ‘Bad’ basis for L specifies f ◮ f(v, x) = v + x for v ∈ L, Gaussian x. ⇒ Output u is uniform over Rn. ◮ Inverting ⇔ decoding u

(hard?)

u

◮ Distribution of preimage offsets x is a discrete Gaussian DL,u Analyzed in

[Ban’93,B’95,R’03,AR’04,MR’04,P’07. . . ]

9 / 23

Trapdoor Function: Evaluation

f

◮ ‘Bad’ basis for L specifies f ◮ f(v, x) = v + x for v ∈ L, Gaussian x. ⇒ Output u is uniform over Rn. ◮ Inverting ⇔ decoding u

(hard?)

u

◮ Distribution of preimage offsets x is a discrete Gaussian DL,u Analyzed in

[Ban’93,B’95,R’03,AR’04,MR’04,P’07. . . ]

Typical fact: DL,u ≤ √n · std dev

9 / 23

Preimage Sampling

f −1

◮ Sample DL,u given any ‘short enough’ basis S: max˜ si ≤ std dev

⋆ Output distribution leaks no information about S ! 10 / 23

Preimage Sampling

f −1

◮ Sample DL,u given any ‘short enough’ basis S: max˜ si ≤ std dev

⋆ Output distribution leaks no information about S !

◮ Randomized “nearest-plane” algorithm [Babai’86,Klein’00,GPV’08]

u s1 s2 10 / 23

Preimage Sampling

f −1

◮ Sample DL,u given any ‘short enough’ basis S: max˜ si ≤ std dev

⋆ Output distribution leaks no information about S !

◮ Randomized “nearest-plane” algorithm [Babai’86,Klein’00,GPV’08]

u s1 s2 10 / 23

Preimage Sampling

f −1

◮ Sample DL,u given any ‘short enough’ basis S: max˜ si ≤ std dev

⋆ Output distribution leaks no information about S !

◮ Randomized “nearest-plane” algorithm [Babai’86,Klein’00,GPV’08]

u s1 s2 10 / 23

Preimage Sampling

f −1

◮ Sample DL,u given any ‘short enough’ basis S: max˜ si ≤ std dev

⋆ Output distribution leaks no information about S !

◮ Randomized “nearest-plane” algorithm [Babai’86,Klein’00,GPV’08]

u s1 s2 10 / 23

Preimage Sampling

f −1

◮ Sample DL,u given any ‘short enough’ basis S: max˜ si ≤ std dev

⋆ Output distribution leaks no information about S !

◮ Randomized “nearest-plane” algorithm [Babai’86,Klein’00,GPV’08]

u s1 s2

◮ Proof idea: DL,u(plane) depends only on dist(u, plane)

10 / 23

Preimage Sampling

f −1

◮ Sample DL,u given any ‘short enough’ basis S: max˜ si ≤ std dev

⋆ Output distribution leaks no information about S !

◮ Randomized “nearest-plane” algorithm [Babai’86,Klein’00,GPV’08]

u s1 s2

◮ Proof idea: DL,u(plane) depends only on dist(u, plane) ◮ [P’10]: Efficient & parallel algorithm for std dev ≥ s1(S) ≈ max˜ si

10 / 23

A Secure Instantiation

[Ajtai96,. . . ]

◮ Let n = sec param, q = poly(n) − → additive group Zn

q

11 / 23

A Secure Instantiation

[Ajtai96,. . . ]

◮ Let n = sec param, q = poly(n) − → additive group Zn

q

◮ Given a1, . . . , am ∈ Zn

q, consider integer solutions z ∈ Zm of:

fA(z) := Az =   | | | a1 a2 · · · am | | |  

• m ≫ n

    z      =   | |   mod q

11 / 23

A Secure Instantiation

[Ajtai96,. . . ]

◮ Let n = sec param, q = poly(n) − → additive group Zn

q

◮ Given a1, . . . , am ∈ Zn

q, consider integer solutions z ∈ Zm of:

fA(z) := Az =   | | | a1 a2 · · · am | | |  

• m ≫ n

    z      =   | |   mod q Easy to find a ‘long’ solution: e.g., z = (q, 0, . . . , 0) — but very hard to find a ‘short’ one!

11 / 23

A Secure Instantiation

[Ajtai96,. . . ]

◮ Let n = sec param, q = poly(n) − → additive group Zn

q

◮ Given a1, . . . , am ∈ Zn

q, consider integer solutions z ∈ Zm of:

fA(z) := Az =   | | | a1 a2 · · · am | | |  

• m ≫ n

    z      =   | |   mod q Easy to find a ‘long’ solution: e.g., z = (q, 0, . . . , 0) — but very hard to find a ‘short’ one! Theorem: Worst-Case/Average-Case [Ajtai’96,. . . ,MR’04,GPV’08] For uniform A and q ≥ β√n, finding solution z = 0 where z ≤ β ⇓ Solving β√n-approx GapSVP & more, on any n-dim lattice!

11 / 23

A Secure Instantiation

[Ajtai96,. . . ]

◮ Let n = sec param, q = poly(n) − → additive group Zn

q

◮ Given a1, . . . , am ∈ Zn

q, consider integer solutions z ∈ Zm of:

fA(z) := Az =   | | | a1 a2 · · · am | | |  

• m ≫ n

    z      =   | |   mod q Putting it all together:

1 Solutions z form a ‘hard’ lattice L ⊆ Zm

O (0, q) (q, 0) 11 / 23

A Secure Instantiation

[Ajtai96,. . . ]

◮ Let n = sec param, q = poly(n) − → additive group Zn

q

◮ Given a1, . . . , am ∈ Zn

q, consider integer solutions z ∈ Zm of:

fA(z) := Az =   | | | a1 a2 · · · am | | |  

• m ≫ n

    z      =   | |   mod q Putting it all together:

1 Solutions z form a ‘hard’ lattice L ⊆ Zm 2

[Ajtai’99,AlwenP’09]: can generate uniform A

together with a short basis S (i.e., AS = 0).

O (0, q) (q, 0) s1 s2 11 / 23

A Secure Instantiation

[Ajtai96,. . . ]

◮ Let n = sec param, q = poly(n) − → additive group Zn

q

◮ Given a1, . . . , am ∈ Zn

q, consider integer solutions z ∈ Zm of:

fA(z) := Az =   | | | a1 a2 · · · am | | |  

• m ≫ n

    z      =   | |   mod q Putting it all together:

1 Solutions z form a ‘hard’ lattice L ⊆ Zm 2

[Ajtai’99,AlwenP’09]: can generate uniform A

together with a short basis S (i.e., AS = 0).

3 Gaussian x ↔ syndrome u = Ax = fA(x)

O (0, q) (q, 0) x 11 / 23

A Secure Instantiation

[Ajtai96,. . . ]

◮ Let n = sec param, q = poly(n) − → additive group Zn

q

◮ Given a1, . . . , am ∈ Zn

q, consider integer solutions z ∈ Zm of:

fA(z) := Az =   | | | a1 a2 · · · am | | |  

• m ≫ n

    z      =   | |   mod q Putting it all together:

1 Solutions z form a ‘hard’ lattice L ⊆ Zm 2

[Ajtai’99,AlwenP’09]: can generate uniform A

together with a short basis S (i.e., AS = 0).

3 Gaussian x ↔ syndrome u = Ax = fA(x)

⋆ Given u, hard to find short x ∈ f −1

A (u).

⋆ But given basis S, can sample f −1

A (u)!

O (0, q) (q, 0) x 11 / 23

Part 2: Identity-Based Encryption

12 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

13 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

⋆ ‘Master’ keys mpk (public) and msk (held by trusted authority) 13 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

⋆ ‘Master’ keys mpk (public) and msk (held by trusted authority) ⋆ Given mpk, can encrypt to ID “Alice” or “Bob” or . . . 13 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

⋆ ‘Master’ keys mpk (public) and msk (held by trusted authority) ⋆ Given mpk, can encrypt to ID “Alice” or “Bob” or . . . ⋆ Using msk, authority can calculate skAlice or skBob or . . . 13 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

⋆ ‘Master’ keys mpk (public) and msk (held by trusted authority) ⋆ Given mpk, can encrypt to ID “Alice” or “Bob” or . . . ⋆ Using msk, authority can calculate skAlice or skBob or . . . ⋆ Messages to Carol remain secret, even given skAlice, skBob, . . . 13 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

⋆ ‘Master’ keys mpk (public) and msk (held by trusted authority) ⋆ Given mpk, can encrypt to ID “Alice” or “Bob” or . . . ⋆ Using msk, authority can calculate skAlice or skBob or . . . ⋆ Messages to Carol remain secret, even given skAlice, skBob, . . .

(Fast-forward 17 years. . . )

13 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

⋆ ‘Master’ keys mpk (public) and msk (held by trusted authority) ⋆ Given mpk, can encrypt to ID “Alice” or “Bob” or . . . ⋆ Using msk, authority can calculate skAlice or skBob or . . . ⋆ Messages to Carol remain secret, even given skAlice, skBob, . . .

(Fast-forward 17 years. . . ) ◮ [BonehFranklin’01,. . . ]: construction using bilinear pairings

13 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

⋆ ‘Master’ keys mpk (public) and msk (held by trusted authority) ⋆ Given mpk, can encrypt to ID “Alice” or “Bob” or . . . ⋆ Using msk, authority can calculate skAlice or skBob or . . . ⋆ Messages to Carol remain secret, even given skAlice, skBob, . . .

(Fast-forward 17 years. . . ) ◮ [BonehFranklin’01,. . . ]: construction using bilinear pairings ◮ [Cocks’01,BGH’07]: quadratic residuosity (mod N = pq)

13 / 23

Identity-Based Encryption

◮ Proposed by [Shamir’84]:

⋆ ‘Master’ keys mpk (public) and msk (held by trusted authority) ⋆ Given mpk, can encrypt to ID “Alice” or “Bob” or . . . ⋆ Using msk, authority can calculate skAlice or skBob or . . . ⋆ Messages to Carol remain secret, even given skAlice, skBob, . . .

(Fast-forward 17 years. . . ) ◮ [BonehFranklin’01,. . . ]: construction using bilinear pairings ◮ [Cocks’01,BGH’07]: quadratic residuosity (mod N = pq) ◮ [GPV’08]: lattices!

13 / 23

‘Learning With Errors’ (LWE) Problem

[Regev’05]

◮ Secret s ∈ Zn

q, uniform ai ∈ Zn q

(here q is prime)

14 / 23

‘Learning With Errors’ (LWE) Problem

[Regev’05]

◮ Secret s ∈ Zn

q, uniform ai ∈ Zn q

(here q is prime)

◮ Goal: distinguish (ai , bi = ai, s + ei) from uniform (ai , bi) a1 , b1 = a1 , s + e1 a2 , b2 = a2 , s + e2 . . .

√n ≤ error ≪ q

14 / 23

‘Learning With Errors’ (LWE) Problem

[Regev’05]

◮ Secret s ∈ Zn

q, uniform ai ∈ Zn q

(here q is prime)

◮ Goal: distinguish (A , b = Ats + e) from uniform (A , b) m            . . . At . . .     ,     . . . b . . .     = Ats + e

√n ≤ error ≪ q

14 / 23

‘Learning With Errors’ (LWE) Problem

[Regev’05]

◮ Secret s ∈ Zn

q, uniform ai ∈ Zn q

(here q is prime)

◮ Goal: distinguish (A , b = Ats + e) from uniform (A , b) m            . . . At . . .     ,     . . . b . . .     = Ats + e

√n ≤ error ≪ q

◮ Recall: as hard as worst-case lattice problems [Regev’05,P’09]

14 / 23

‘Learning With Errors’ (LWE) Problem

[Regev’05]

◮ Secret s ∈ Zn

q, uniform ai ∈ Zn q

(here q is prime)

◮ Goal: distinguish (A , b = Ats + e) from uniform (A , b) m            . . . At . . .     ,     . . . b . . .     = Ats + e

√n ≤ error ≪ q

◮ Recall: as hard as worst-case lattice problems [Regev’05,P’09] ◮ Observe: given short nonzero z ∈ Zm such that Az = 0 mod q, z, b = Az, s + z, e ≈ 0 mod q z, b = uniform mod q

14 / 23

‘Learning With Errors’ (LWE) Problem

[Regev’05]

◮ Secret s ∈ Zn

q, uniform ai ∈ Zn q

(here q is prime)

◮ Goal: distinguish (A , b = Ats + e) from uniform (A , b) m            . . . At . . .     ,     . . . b . . .     = Ats + e

√n ≤ error ≪ q

◮ Recall: as hard as worst-case lattice problems [Regev’05,P’09] ◮ Observe: given short nonzero z ∈ Zm such that Az = 0 mod q, z, b = Az, s + z, e ≈ 0 mod q z, b = uniform mod q = ⇒ z is a ‘weak’ trapdoor, for distinguishing LWE from uniform

14 / 23

Warm-Up: Public-Key Encryption

A x ← Gauss s, e

15 / 23

Warm-Up: Public-Key Encryption

A x ← Gauss s, e u = Ax = fA(x)

(public key) 15 / 23

Warm-Up: Public-Key Encryption

A x ← Gauss s, e u = Ax = fA(x)

(public key)

b = Ats + e

(ciphertext ‘preamble’) 15 / 23

Warm-Up: Public-Key Encryption

A x ← Gauss s, e u = Ax = fA(x)

(public key)

b = Ats + e

(ciphertext ‘preamble’)

b′ = u, s + e′

(‘pad’) 15 / 23

Warm-Up: Public-Key Encryption

A x ← Gauss s, e u = Ax = fA(x)

(public key)

b = Ats + e

(ciphertext ‘preamble’)

b′ + bit · ⌊ q

2⌋

(‘payload’)

b′ = u, s + e′

(‘pad’) 15 / 23

Warm-Up: Public-Key Encryption

A x ← Gauss s, e u = Ax = fA(x)

(public key)

b = Ats + e

(ciphertext ‘preamble’)

x, b ≈ u, s b′ + bit · ⌊ q

2⌋

(‘payload’)

b′ = u, s + e′

(‘pad’) 15 / 23

Warm-Up: Public-Key Encryption

A x ← Gauss s, e u = Ax = fA(x)

(public key)

b = Ats + e

(ciphertext ‘preamble’)

x, b ≈ u, s b′ + bit · ⌊ q

2⌋

(‘payload’)

b′ = u, s + e′

(‘pad’)

? (A, u, b, b′)

15 / 23

Warm-Up: Public-Key Encryption

A x ← Gauss s, e u = Ax = fA(x)

(public key)

b = Ats + e

(ciphertext ‘preamble’)

x, b ≈ u, s b′ + bit · ⌊ q

2⌋

(‘payload’)

b′ = u, s + e′

(‘pad’)

? (A, u, b, b′)

15 / 23

ID-Based Encryption

mpk = A s, e u = H(“Alice”)

(‘identity’ key)

b = Ats + e

(ciphertext randomness)

x, b ≈ u, s b′ + bit · ⌊ q

2⌋

(‘payload’)

b′ = u, s + e′

(‘pad’)

x ← f −1

A (u)

16 / 23

Part 3: Bonsai Trees: Removing the Random Oracle and More Advanced Applications

17 / 23

CONTROLLED

• r

NATURAL ?

18 / 23

CONTROLLED

• r

NATURAL ?

◮ Bonsai: collection of techniques for selective control of tree growth, for the creation of natural aesthetic forms

18 / 23

Bonsai Trees in Cryptography

fε f0 f00 f01 f1 f10 f11

1 Hierarchy of TDFs

(Functions specified by public key, random oracle, interaction, . . . )

19 / 23

Bonsai Trees in Cryptography

fε f0 f00 f01 f1 f10 f11

1 Hierarchy of TDFs

(Functions specified by public key, random oracle, interaction, . . . )

2 Techniques for selective ‘control’ of growth & delegation of control

19 / 23

Bonsai Trees in Cryptography

fε f0 f00 f01 f1 f10 f11

1 Hierarchy of TDFs

(Functions specified by public key, random oracle, interaction, . . . )

2 Techniques for selective ‘control’ of growth & delegation of control 3 Applications: ‘hash-and-sign,’ (hierarchical) IBE

— all without random oracles!

19 / 23

Bonsai Trees: Abstract Properties

fε f0 f00 f01 f1 f10 f11

20 / 23

Bonsai Trees: Abstract Properties

fε f0 f00 f01 f1 f10 f11

1 Controlling fv (knowing trapdoor) =

⇒ controlling fvz, for all z.

20 / 23

Bonsai Trees: Abstract Properties

fε f0 f00 f01 f1 f10 f11

1 Controlling fv (knowing trapdoor) =

⇒ controlling fvz, for all z.

2 Can grow a controlled branch off of any uncontrolled node.

20 / 23

Bonsai Trees: Abstract Properties

fε f0 f00 f01 f1 f10 f11

1 Controlling fv (knowing trapdoor) =

⇒ controlling fvz, for all z.

2 Can grow a controlled branch off of any uncontrolled node.

(Allows simulation to embed its challenge into the tree, while still being able to answer queries.)

20 / 23

Bonsai Trees: Abstract Properties

fε f0 f00 f01 f1 f10 f11

1 Controlling fv (knowing trapdoor) =

⇒ controlling fvz, for all z.

2 Can grow a controlled branch off of any uncontrolled node.

(Allows simulation to embed its challenge into the tree, while still being able to answer queries.)

3 Can delegate control of any subtree, w/o endangering ancestors.

20 / 23

Bonsai Trees: Realization

Property 1: Control fv ⇒ Control fvz Short basis S1 for A1 ⇒ short basis S for A = [A1 | A2], for any A2.

21 / 23

Bonsai Trees: Realization

Property 1: Control fv ⇒ Control fvz Short basis S1 for A1 ⇒ short basis S for A = [A1 | A2], for any A2. ◮ Using S1, compute a short integer soln X to A1X = −A2 mod q. Then: A · S = [A1 | A2] · S1 X I

• S

= 0 mod q.

21 / 23

Bonsai Trees: Realization

Property 1: Control fv ⇒ Control fvz Short basis S1 for A1 ⇒ short basis S for A = [A1 | A2], for any A2. ◮ Using S1, compute a short integer soln X to A1X = −A2 mod q. Then: A · S = [A1 | A2] · S1 X I

• S

= 0 mod q.

(In fact, X need not be short — we have ˜ S = ˜

S1 0 0 I

• , so ˜

S = ˜ S1.)

21 / 23

Bonsai Trees: Realization

Property 1: Control fv ⇒ Control fvz Short basis S1 for A1 ⇒ short basis S for A = [A1 | A2], for any A2. ◮ Using S1, compute a short integer soln X to A1X = −A2 mod q. Then: A · S = [A1 | A2] · S1 X I

• S

= 0 mod q.

(In fact, X need not be short — we have ˜ S = ˜

S1 0 0 I

• , so ˜

S = ˜ S1.)

Property 2: Grow a Controlled Branch Given (uncontrolled) A1, create controlled extension A = [A1 | A2].

21 / 23

Bonsai Trees: Realization

Property 1: Control fv ⇒ Control fvz Short basis S1 for A1 ⇒ short basis S for A = [A1 | A2], for any A2. ◮ Using S1, compute a short integer soln X to A1X = −A2 mod q. Then: A · S = [A1 | A2] · S1 X I

• S

= 0 mod q.

(In fact, X need not be short — we have ˜ S = ˜

S1 0 0 I

• , so ˜

S = ˜ S1.)

Property 2: Grow a Controlled Branch Given (uncontrolled) A1, create controlled extension A = [A1 | A2]. ◮ Just generate A2 with short basis S2. Then use above technique to control A !

21 / 23

Bonsai Trees: Realization

Property 1: Control fv ⇒ Control fvz Short basis S1 for A1 ⇒ short basis S for A = [A1 | A2], for any A2. ◮ Using S1, compute a short integer soln X to A1X = −A2 mod q. Then: A · S = [A1 | A2] · S1 X I

• S

= 0 mod q.

(In fact, X need not be short — we have ˜ S = ˜

S1 0 0 I

• , so ˜

S = ˜ S1.)

Property 3: Securely Delegate Control ? ◮ Basis S contains S1, so unsafe to reveal!

21 / 23

Bonsai Trees: Realization

Property 1: Control fv ⇒ Control fvz Short basis S1 for A1 ⇒ short basis S for A = [A1 | A2], for any A2. ◮ Using S1, compute a short integer soln X to A1X = −A2 mod q. Then: A · S = [A1 | A2] · S1 X I

• S

= 0 mod q.

(In fact, X need not be short — we have ˜ S = ˜

S1 0 0 I

• , so ˜

S = ˜ S1.)

Property 3: Securely Delegate Control ? ◮ Basis S contains S1, so unsafe to reveal! Solution: Use S to sample new Gaussian basis.

21 / 23

Other Applications of Today’s Tools

1 Noninteractive (Statistical) Zero Knowledge [PV’08] 2 Universally Composable Oblivious Transfer [PVW’08] 3 CCA-Secure Encryption [P’09] 4 Many-add, Single-mult Homomorphic Encryption [GHV’10] 5 Bonsai trees with smaller keys [ABB’10] 6 (Bi-)Deniable Encryption [OP’10] 7 Whatever you can invent!

22 / 23

Closing Thoughts

◮ A hierarchy of trapdoors for lattices: Short vector

(decryption)

< Short basis

(sampling)

< Short basis for ‘ancestor’ lattice

(delegation)

< · · ·

23 / 23

Closing Thoughts

◮ A hierarchy of trapdoors for lattices: Short vector

(decryption)

< Short basis

(sampling)

< Short basis for ‘ancestor’ lattice

(delegation)

< · · ·

Thanks!

23 / 23