Identity Based Encryption from the Diffie-Hellman Assumption€¦ · 𝐸𝐸𝑝𝑝𝑝𝑝,𝐼𝐼,𝑚𝑚𝐷𝐷→𝑐𝑐 encrypt using 𝑝𝑝𝑝𝑝and 𝐼𝐼𝐷𝐷

Identity Based Encryption from the Diffie-Hellman Assumption

Sanjam GargUniversity of California, Berkeley(Joint work with Nico Döttling)

Private-Key Encryption

𝑐𝑐 = 𝐸𝐸𝐸𝐸𝑐𝑐(𝐾𝐾,𝑚𝑚)

Alice Bob

𝐾𝐾

𝑚𝑚

𝐾𝐾

𝑐𝑐

Public-Key Encryption [DH76,RSA78,GM82]

𝐸𝐸𝐸𝐸𝑐𝑐(𝑝𝑝𝑘𝑘𝐵𝐵𝐵𝐵𝐵𝐵,𝑚𝑚)

Alice Bob

Obtain 𝑝𝑝𝑘𝑘𝐵𝐵𝐵𝐵𝐵𝐵

𝑚𝑚

𝑠𝑠𝑘𝑘𝐵𝐵𝐵𝐵𝐵𝐵

Identity-Based Encryption (IBE) [Shamir84]

Identity of the recipient used as the public key

𝐸𝐸𝐸𝐸𝑐𝑐(𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑚𝑚𝑏𝑏𝑏𝑏𝑏𝑏. 𝑐𝑐𝑏𝑏𝑚𝑚,𝑚𝑚)

Alice Bob

CA/PKG

𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑚𝑚𝑏𝑏𝑏𝑏𝑏𝑏. 𝑐𝑐𝑏𝑏𝑚𝑚

𝑆𝑆𝐾𝐾𝐵𝐵𝐵𝐵𝐵𝐵𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏.𝑐𝑐𝐵𝐵𝑏𝑏

𝑚𝑚

pp

Identity-Based Encryption (IBE) [Shamir84]

Four Algorithms: (𝑆𝑆,𝐾𝐾,𝐸𝐸,𝐷𝐷)

𝑆𝑆 1𝜆𝜆 → 𝑝𝑝𝑝𝑝,𝑚𝑚𝑠𝑠𝑘𝑘 𝑝𝑝𝑝𝑝 are public parameters𝑚𝑚𝑠𝑠𝑘𝑘 is the master secret-key

𝐾𝐾 𝑚𝑚𝑠𝑠𝑘𝑘, 𝐼𝐼𝐷𝐷 → 𝑠𝑠𝑘𝑘𝐼𝐼𝐼𝐼 𝑠𝑠𝑘𝑘𝐼𝐼𝐼𝐼 secret key for 𝐼𝐼𝐷𝐷

𝐸𝐸 𝑝𝑝𝑝𝑝, 𝐼𝐼𝐷𝐷,𝑚𝑚 → 𝑐𝑐 encrypt using 𝑝𝑝𝑝𝑝 and 𝐼𝐼𝐷𝐷

𝐷𝐷 𝑠𝑠𝑘𝑘𝐼𝐼𝐼𝐼, 𝑐𝑐 → 𝑚𝑚 decrypt 𝑐𝑐 using 𝑠𝑠𝑘𝑘𝐼𝐼𝐼𝐼

Full Security of IBE [BF01]

Challenger Adversary𝑝𝑝𝑝𝑝𝐼𝐼𝐷𝐷

𝑆𝑆 1𝜆𝜆 → 𝑝𝑝𝑝𝑝,𝑚𝑚𝑠𝑠𝑘𝑘

𝑠𝑠𝑘𝑘𝐼𝐼𝐼𝐼 = 𝐾𝐾(𝑚𝑚𝑠𝑠𝑘𝑘, 𝐼𝐼𝐷𝐷)

𝐼𝐼𝐷𝐷∗

𝑏𝑏 ← {0,1}𝑐𝑐 = 𝐸𝐸(𝑝𝑝𝑝𝑝, 𝐼𝐼𝐷𝐷∗, 𝑏𝑏)

𝐼𝐼𝐷𝐷

𝑠𝑠𝑘𝑘𝐼𝐼𝐼𝐼 = 𝐾𝐾(𝑚𝑚𝑠𝑠𝑘𝑘, 𝐼𝐼𝐷𝐷)𝐼𝐼𝐷𝐷 ≠ 𝐼𝐼𝐷𝐷∗

𝑏𝑏′ ∈ {0,1}|Pr 𝑏𝑏 = 𝑏𝑏′ − 1/2| ≈ 𝐸𝐸𝑛𝑛𝑏𝑏(𝜆𝜆)

Selective Security of IBE [CHK04]

Challenger Adversary𝑝𝑝𝑝𝑝𝐼𝐼𝐷𝐷

𝑆𝑆 1𝜆𝜆 → 𝑝𝑝𝑝𝑝,𝑚𝑚𝑠𝑠𝑘𝑘

𝑠𝑠𝑘𝑘𝐼𝐼𝐼𝐼 = 𝐾𝐾(𝑚𝑚𝑠𝑠𝑘𝑘, 𝐼𝐼𝐷𝐷)

𝐼𝐼𝐷𝐷∗

𝑏𝑏 ← {0,1}𝑐𝑐 = 𝐸𝐸(𝑝𝑝𝑝𝑝, 𝐼𝐼𝐷𝐷∗, 𝑏𝑏)

𝐼𝐼𝐷𝐷

𝑠𝑠𝑘𝑘𝐼𝐼𝐼𝐼 = 𝐾𝐾(𝑚𝑚𝑠𝑠𝑘𝑘, 𝐼𝐼𝐷𝐷)𝐼𝐼𝐷𝐷 ≠ 𝐼𝐼𝐷𝐷∗

𝑏𝑏′ ∈ {0,1}|Pr 𝑏𝑏 = 𝑏𝑏′ − 1/2| ≈ 𝐸𝐸𝑛𝑛𝑏𝑏(𝜆𝜆)

Can we realize IBE?

Yes, we can! [Boneh and Franklin, CRYPTO 01]

Hierarchical IBE [HL02,GS02]

Bob

𝑆𝑆𝐾𝐾𝐵𝐵𝐵𝐵𝐵𝐵𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏.𝑐𝑐𝐵𝐵𝑏𝑏

Use 𝑆𝑆𝐾𝐾𝐼𝐼𝐼𝐼 to compute 𝑆𝑆𝐾𝐾𝐼𝐼𝐼𝐼|𝐼𝐼𝐼𝐼′ for any 𝐼𝐼𝐷𝐷𝐼

𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑚𝑚𝑏𝑏𝑏𝑏𝑏𝑏. 𝑐𝑐𝑏𝑏𝑚𝑚|𝐴𝐴𝑝𝑝𝐴𝐴𝑏𝑏𝑏𝑏2,2018

IBE ConstructionsPairings Lattices

(LWE)Quadratic

ResiduocityIBE w/RO BF01 GPV08 Cocks01

BGH07IBE no RO CHK03

BB04, W05G06, W09

CHKP10ABB10, MP12

??

HIBE GS03, BB04… CHKP10… ??

Can we realize IBE from weaker assumptions?

Negative Evidence

Trapdoor Permutations [BPRVW08]

Decisional Diffie-Hellman Assumption

[PRV12]

OWF PRG PRF

Private-key crypto

Public-Key Encryption

Trapdoor Functions

Signatures

Public-key crypto

IBE

Hierarchical IBE

ABE [SW05]

Reduce the Gap!

Our Results

• Main result: IBE from Computational Diffie-Hellman Assumption (Fully-secure)

• Or, the hardness of Factoring

• Selectively-Secure HIBE• In fact, from any IBE scheme!

Avoid impossibilities using non-black-box techniques.

How do we get it?

Garbled RAM [LO13,GHLORW14,GLOS15,GLO15,GMP16,GGMP16,CDGGMP17]

Witness Encryption[CS00,GGSW13,BH15,CDGGMP17]

How do we get it?

Compress two keys

𝑝𝑝𝑘𝑘0 𝑝𝑝𝑘𝑘1

𝑝𝑝𝑝𝑝

• 𝑝𝑝𝑝𝑝 = 𝑝𝑝𝑘𝑘0 = 𝑝𝑝𝑘𝑘1• Encryption can be done

to either 𝑝𝑝𝑘𝑘0 or 𝑝𝑝𝑘𝑘1knowing just 𝑝𝑝𝑝𝑝

• Decryption can be done using 𝑝𝑝𝑘𝑘0, 𝑝𝑝𝑘𝑘1 and the right secret key

• 𝑝𝑝𝑝𝑝 looses information about 𝑝𝑝𝑘𝑘0or 𝑝𝑝𝑘𝑘1

𝑐𝑐 = 𝐸𝐸𝐸𝐸𝑐𝑐2(𝑝𝑝𝑝𝑝, 𝑏𝑏,𝑚𝑚)𝑚𝑚

Alice Bob

Cara

How known schemes from stronger assumptions compress two keys?

𝑝𝑝𝑘𝑘0 𝑝𝑝𝑘𝑘1

𝑝𝑝𝑝𝑝

• 𝑝𝑝𝑘𝑘0 or 𝑝𝑝𝑘𝑘1 are correlated

• Structured assumptions• Impossibility results:

Similar intuition

Our goal: Compress Uncorrelated Keys!

Our Construction: Tools

Hash with EncryptionYao’s Garbled Circuits+

Tool I: Hash with Encryption

Three Algorithms: (𝐻𝐻,𝐸𝐸,𝐷𝐷)

H 𝑥𝑥 → ℎ ℎ is short (say 𝜆𝜆-bits)𝑥𝑥 is 2𝜆𝜆-bits

𝐸𝐸 (ℎ, 𝑏𝑏, 𝑏𝑏),𝑚𝑚 → 𝑐𝑐 where 𝑏𝑏 ∈ 2𝜆𝜆 and 𝑏𝑏 ∈ 0,1𝐷𝐷 𝑐𝑐, 𝑥𝑥 → 𝑚𝑚 if 𝐻𝐻 𝑥𝑥 = ℎ and 𝑥𝑥𝑏𝑏 = 𝑏𝑏

Reminiscent of Witness Encryption [GGSW13] or laconic OT [CDGGMP17].

Security: 𝑥𝑥,𝐸𝐸 (ℎ, 𝑏𝑏, 1 − 𝑥𝑥𝑏𝑏), 0 ≈ 𝑥𝑥,𝐸𝐸 (ℎ, 𝑏𝑏, 1 − 𝑥𝑥𝑏𝑏), 1

Security: Hard to compute 𝑥𝑥, 𝑥𝑥′such that 𝐻𝐻 𝑥𝑥 = 𝐻𝐻 𝑥𝑥𝐼

Tool I: Hash with Encryption

Hash Parameters 𝐴𝐴1,0 𝐴𝐴2,0𝐴𝐴1,1 𝐴𝐴2,1

…𝐴𝐴𝑛𝑛,0𝐴𝐴𝑛𝑛,1

• H 𝑥𝑥 → ℎℎ = �

𝑏𝑏∈[𝑛𝑛]

𝐴𝐴𝑏𝑏,𝑥𝑥𝑖𝑖

• 𝐸𝐸 (ℎ, 𝑏𝑏, 𝑏𝑏),𝑚𝑚 → 𝑐𝑐 =𝐴𝐴1,0𝑠𝑠 𝐴𝐴2,0

𝑠𝑠

𝐴𝐴1,1𝑠𝑠 𝐴𝐴2,1

𝑠𝑠 …𝐴𝐴𝑛𝑛,0𝑠𝑠

𝐴𝐴𝑛𝑛,1𝑠𝑠 , ℎ𝑠𝑠 ⊕𝑚𝑚

• D 𝑐𝑐, 𝑥𝑥 : Set ℎ𝑠𝑠 = ∏𝑏𝑏∈[𝑛𝑛]𝐴𝐴𝑏𝑏,𝑥𝑥𝑖𝑖𝑠𝑠

𝐴𝐴𝑏𝑏,1−𝐵𝐵𝑠𝑠

Security can be argued based on DDH

𝑏𝑏𝑥𝑥,𝑏𝑏𝑦𝑦 ,𝑏𝑏𝑥𝑥𝑦𝑦≈ 𝑏𝑏𝑥𝑥 ,𝑏𝑏𝑦𝑦,𝑏𝑏𝑟𝑟

Tool 2: Yao’s Garbled Circuits (𝐺𝐺𝑏𝑏𝐴𝐴𝑏𝑏𝑏𝑏𝑛𝑛,𝐸𝐸𝐸𝐸𝑏𝑏𝑏𝑏)[Yao86, AIK04, AIK05, LP09, BHR12]

𝐺𝐺𝑏𝑏𝐴𝐴𝑏𝑏𝑏𝑏𝑛𝑛 𝐶𝐶 → �̃�𝐶, 𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏,0, 𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏,1 𝑏𝑏

𝐸𝐸𝐸𝐸𝑏𝑏𝑏𝑏 �̃�𝐶, 𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏,𝑥𝑥𝑖𝑖 → 𝐶𝐶(𝑥𝑥)

Security: (�̃�𝐶, 𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏,𝑥𝑥𝑖𝑖) ≈ 𝑆𝑆𝑏𝑏𝑚𝑚(𝐶𝐶 𝑥𝑥 )

How do we compress?

𝑝𝑝𝑝𝑝 = 𝐻𝐻 𝑝𝑝𝑘𝑘0 𝑝𝑝𝑘𝑘1

𝑝𝑝𝑘𝑘0 𝑝𝑝𝑘𝑘1

𝑝𝑝𝑝𝑝

How do we encrypt?

𝑝𝑝𝑝𝑝 = 𝐻𝐻 𝑝𝑝𝑘𝑘0 𝑝𝑝𝑘𝑘1

𝑝𝑝𝑘𝑘0 𝑝𝑝𝑘𝑘1

𝑝𝑝𝑝𝑝

𝑐𝑐 = 𝐸𝐸𝐸𝐸𝑐𝑐2(𝑝𝑝𝑝𝑝, 𝑏𝑏,𝑚𝑚)𝑚𝑚

𝑃𝑃𝑝𝑝𝑝𝑝,𝐵𝐵,𝑏𝑏 𝑥𝑥1. Abort if 𝑝𝑝𝑝𝑝 ≠ 𝐻𝐻 𝑥𝑥 .2. If 𝑏𝑏 = 0 then 𝑝𝑝𝑘𝑘 = 𝑥𝑥 1 … 𝜆𝜆

else 𝑝𝑝𝑘𝑘 = 𝑥𝑥 𝜆𝜆 + 1 … 2𝜆𝜆3. Output 𝐸𝐸𝐸𝐸𝑐𝑐(𝑝𝑝𝑘𝑘,𝑚𝑚)

Alice Bob

Cara

How do we encrypt?

𝑝𝑝𝑝𝑝 = 𝐻𝐻 𝑝𝑝𝑘𝑘0 𝑝𝑝𝑘𝑘1

𝑝𝑝𝑘𝑘0 𝑝𝑝𝑘𝑘1

𝑝𝑝𝑝𝑝

𝑐𝑐 = 𝐸𝐸𝐸𝐸𝑐𝑐2(𝑝𝑝𝑝𝑝, 𝑏𝑏,𝑚𝑚)𝑚𝑚

𝐸𝐸𝐸𝐸𝑐𝑐2(𝑝𝑝𝑝𝑝, 𝑏𝑏,𝑚𝑚)• Circuit 𝐶𝐶𝑏𝑏(𝑝𝑝𝑘𝑘) = 𝐸𝐸𝐸𝐸𝑐𝑐 𝑝𝑝𝑘𝑘,𝑚𝑚• 𝐺𝐺𝑏𝑏𝐴𝐴𝑏𝑏𝑏𝑏𝑛𝑛 𝐶𝐶𝑏𝑏 → �̃�𝐶, 𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏,0, 𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏,1 𝑏𝑏• ∀ 𝑏𝑏 ∈ {𝑏𝑏𝜆𝜆 + 1, 𝑏𝑏𝜆𝜆 + 𝜆𝜆}, 𝛾𝛾 ∈ {0,1}• 𝑐𝑐𝑏𝑏,𝛾𝛾= 𝐸𝐸 𝑝𝑝𝑝𝑝, 𝑏𝑏, 𝛾𝛾 , 𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏,𝛾𝛾• 𝑐𝑐 = �̃�𝐶, 𝑐𝑐𝑏𝑏,𝛾𝛾

Alice Bob

Cara

How to decrypt?

•Decrypt 𝑐𝑐 = �̃�𝐶, 𝑐𝑐𝑏𝑏,𝛾𝛾 using 𝑝𝑝𝑘𝑘1, 𝑝𝑝𝑘𝑘2 and 𝑠𝑠𝑘𝑘𝐵𝐵

•Recall 𝑐𝑐1,0 = 𝐸𝐸 𝑝𝑝𝑝𝑝, 𝑏𝑏𝜆𝜆 + 1,0 , 𝑏𝑏𝑏𝑏𝑏𝑏1,0 and

𝑐𝑐1,1 = 𝐸𝐸 𝑝𝑝𝑝𝑝, 𝑏𝑏𝜆𝜆 + 1,1 , 𝑏𝑏𝑏𝑏𝑏𝑏1,1• which one can be decrypted? • 𝑐𝑐1,𝑝𝑝𝑘𝑘𝑏𝑏,1 which decrypts to 𝑏𝑏𝑏𝑏𝑏𝑏1,𝑝𝑝𝑘𝑘𝑏𝑏,1

• Similarly, for each 𝑏𝑏 decrypt 𝑐𝑐𝑏𝑏,0 or 𝑐𝑐𝑏𝑏,1•Evaluate(�̃�𝐶, {𝑏𝑏𝑏𝑏𝑏𝑏𝑏𝑏,𝑝𝑝𝑘𝑘𝑏𝑏,𝑖𝑖}) outputs 𝐸𝐸𝐸𝐸𝑐𝑐 𝑝𝑝𝑘𝑘𝐵𝐵 ,𝑚𝑚

How to compress more keys/Bootstrapping?

• Using a Merkel Tree

• Exponentially Many Keys• Grow the tree dynamically – as needed

Chameleon Encryption

Five Algorithms: (𝑆𝑆,𝐻𝐻,𝐻𝐻−1,𝐸𝐸,𝐷𝐷)

𝑆𝑆 1𝜆𝜆,𝐸𝐸 → 𝑘𝑘, 𝑡𝑡 𝑘𝑘 is the hash Key𝒕𝒕 is the hash trapdoor

H 𝑘𝑘, 𝑥𝑥; 𝐴𝐴 → ℎ ℎ is short (say 𝜆𝜆-bits)𝐇𝐇−𝟏𝟏 𝒕𝒕, (𝒙𝒙, 𝒓𝒓),𝒙𝒙𝒙 → 𝒓𝒓𝒙 𝑯𝑯 𝒌𝒌,𝒙𝒙; 𝒓𝒓 = 𝑯𝑯(𝒌𝒌,𝒙𝒙′; 𝒓𝒓′)

𝐸𝐸 𝑘𝑘, (ℎ, 𝑏𝑏, 𝑏𝑏),𝑚𝑚 → 𝑐𝑐 where 𝑏𝑏 ∈ 𝐸𝐸 and 𝑏𝑏 ∈ 0,1𝐷𝐷 𝑐𝑐, (𝑥𝑥, 𝐴𝐴) → 𝑚𝑚 if 𝐻𝐻 𝑘𝑘, 𝑥𝑥; 𝐴𝐴 = ℎ and 𝑥𝑥𝑏𝑏 = 𝑏𝑏

Security: 𝑘𝑘, 𝑥𝑥, 𝐴𝐴,𝐸𝐸 𝑘𝑘, (ℎ, 𝑏𝑏, 1 − 𝑥𝑥𝑏𝑏), 0 ≈ 𝑘𝑘, 𝑥𝑥, 𝐴𝐴,𝐸𝐸 𝑘𝑘, (ℎ, 𝑏𝑏, 1 − 𝑥𝑥𝑏𝑏), 1

Bootstrapping

𝑘𝑘0

𝑘𝑘1

𝑘𝑘ℓ

ℎ0,0

ℎ1,0 ℎ1,1

ℎℓ,0 ℎℓ,1 ℎℓ,2ℓ−2 ℎℓ,2ℓ−1

𝒓𝒓𝒊𝒊,𝒋𝒋 = 𝐻𝐻−1(𝑡𝑡𝑏𝑏 , (0∗, 𝐴𝐴𝑏𝑏,𝑗𝑗′ ),ℎ𝑏𝑏+1,2𝑗𝑗|ℎ𝑏𝑏+1,2𝑗𝑗+1)

ℎ𝑏𝑏,𝑗𝑗 = 𝐻𝐻(𝑘𝑘𝑏𝑏 , 0∗; 𝐴𝐴𝑏𝑏,𝑗𝑗′ )

𝑡𝑡0

𝑚𝑚𝑠𝑠𝑘𝑘

𝑡𝑡1

𝑡𝑡ℓ

𝒓𝒓𝟎𝟎,𝟎𝟎 = 𝐻𝐻−1(𝑡𝑡0, (0∗, 𝐴𝐴0,0′ ),ℎ1,0|ℎ1,1)

Bootstrapping

𝒓𝒓𝟎𝟎,𝟎𝟎𝑘𝑘0

𝑘𝑘1

𝑘𝑘ℓ

𝒓𝒓𝟏𝟏,𝟎𝟎

𝒓𝒓ℓ,𝟏𝟏

ℎ0,0

ℎ1,0 ℎ1,1

ℎℓ,0 ℎℓ,1 ℎℓ,2ℓ−2 ℎℓ,2ℓ−1

Secret-key for 𝐼𝐼𝐷𝐷

𝒓𝒓𝒊𝒊,𝒋𝒋 = 𝐻𝐻−1(𝑡𝑡𝑏𝑏 , (0∗, 𝐴𝐴𝑏𝑏,𝑗𝑗′ ),ℎ𝑏𝑏+1,2𝑗𝑗|ℎ𝑏𝑏+1,2𝑗𝑗+1)

ℎ𝑏𝑏,𝑗𝑗 = 𝐻𝐻(𝑘𝑘𝑏𝑏 , 0∗; 𝐴𝐴𝑏𝑏,𝑗𝑗′ )

𝑡𝑡0

𝑚𝑚𝑠𝑠𝑘𝑘

𝑡𝑡1

𝑡𝑡ℓ

Bootstrapping

𝒓𝒓𝟎𝟎,𝟎𝟎𝑘𝑘0

𝑘𝑘1

𝑘𝑘ℓ

𝒓𝒓𝟏𝟏,𝟎𝟎

𝒓𝒓ℓ,𝟏𝟏

ℎ0,0

ℎ1,0 ℎ1,1

ℎℓ,0 ℎℓ,1 ℎℓ,2ℓ−2 ℎℓ,2ℓ−1

Cipher for 𝐼𝐼𝐷𝐷,𝑚𝑚

𝑚𝑚

�𝐶𝐶0

�𝐶𝐶1

�𝐶𝐶ℓ

Open Problems and Related Works

• Can we make the scheme efficient?• IBE from any PKE?• ABE from weaker assumptions?

• Techniques have other applications:• Laconic OT [CDGGMP17]• Anonymous IBE [BLSV18]• Circular Security [BLSV18,DGHM18,KT18]• Two-round MPC [GS17, GS18, BL18]• Adaptive garbled circuits/RAM [GS18a, GS18b]• Laconic Function Evaluation [QWW18]

Thank You! Questions?