Identity Based Encryption from the Diffie-Hellman Assumption
Sanjam Garg, University of California, Berkeley (Joint work with Nico Döttling)
Private-Key Encryption
$c = \mathrm{Enc}(K, m)$
[Diagram: Alice holds $K$ and $m$ and sends $c$ to Bob, who holds $K$ and recovers $m$.]
Public-Key Encryption [DH76, RSA78, GM82]
$\mathrm{Enc}(pk_{Bob}, m)$
[Diagram: Alice obtains $pk_{Bob}$ and sends $\mathrm{Enc}(pk_{Bob}, m)$ to Bob, who holds $sk_{Bob}$ and recovers $m$.]
Identity-Based Encryption (IBE) [Shamir84]
Identity of the recipient used as the public key
$\mathrm{Enc}(\langle\text{Bob's identity string}\rangle, m)$
[Diagram: Alice, Bob and the CA/PKG, with labels pp, Bob's identity string, and the secret key $SK$ for that identity string.]
Identity-Based Encryption (IBE) [Shamir84]
Four Algorithms: $(S, K, E, D)$
$S(1^{\lambda}) \to (pp, msk)$: $pp$ are public parameters, $msk$ is the master secret-key
$K(msk, ID) \to sk_{ID}$: $sk_{ID}$ is the secret key for $ID$
$E(pp, ID, m) \to c$: encrypt using $pp$ and $ID$
$D(sk_{ID}, c) \to m$: decrypt $c$ using $sk_{ID}$
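Full Security of IBE [BF01]
Game between Challenger and Adversary:
• Challenger runs $S(1^{\lambda}) \to (pp, msk)$ and sends $pp$
• Adversary queries $ID$ and receives $sk_{ID} = K(msk, ID)$
• Adversary sends $ID^{*}$
• Challenger samples $b \leftarrow \{0,1\}$ and sends $c = E(pp, ID^{*}, b)$
• Adversary queries $ID$ and receives $sk_{ID} = K(msk, ID)$, where $ID \neq ID^{*}$
• Adversary outputs $b' \in \{0,1\}$
$|\Pr[b = b'] - 1/2| \le \mathrm{neg}(\lambda)$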
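Selective Security of IBE [CHK04]
Game between Challenger and Adversary, with $ID^{*}$ fixed before the Adversary sees $pp$:
• Adversary sends $ID^{*}$
• Challenger runs $S(1^{\lambda}) \to (pp, msk)$ and sends $pp$
• Adversary queries $ID$ and receives $sk_{ID} = K(msk, ID)$, where $ID \neq ID^{*}$
• Challenger samples $b \leftarrow \{0,1\}$ and sends $c = E(pp, ID^{*}, b)$
• Adversary queries $ID$ and receives $sk_{ID} = K(msk, ID)$, where $ID \neq ID^{*}$
• Adversary outputs $b' \in \{0,1\}$
$|\Pr[b = b'] - 1/2| \le \mathrm{neg}(\lambda)$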
Can we realize IBE?
Yes, we can! [Boneh and Franklin, CRYPTO 01]
Hierarchical IBE [HL02, GS02]
Bob holds the secret key $SK$ for his identity string
Use $SK_{ID}$ to compute $SK_{ID|ID'}$ for any $ID'$
Example identity: $\langle\text{Bob's identity string}\rangle \,|\, \text{April 2, 2018}$
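IBE Constructions
• IBE w/ RO: Pairings: BF01; Lattices (LWE): GPV08; Quadratic Residuosity: Cocks01, BGH07
• IBE no RO: Pairings: CHK03, BB04, W05, G06, W09; Lattices (LWE): CHKP10, ABB10, MP12; Quadratic Residuosity: ??
• HIBE: Pairings: GS03, BB04…; Lattices (LWE): CHKP10…; Quadratic Residuosity: ??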
Can we realize IBE from weaker assumptions?
Negative Evidence
Trapdoor Permutations [BPRVW08]
Decisional Diffie-Hellman Assumption [PRV12]
OWF PRG PRF
Private-key crypto
Public-Key Encryption
Trapdoor Functions
Signatures
Public-key crypto
IBE
Hierarchical IBE
ABE [SW05]
Reduce the Gap!
Our Results
• Main result: IBE from Computational Diffie-Hellman Assumption (Fully-secure)
  • Or, the hardness of Factoring
• Selectively-Secure HIBE
  • In fact, from any IBE scheme!
Avoid impossibilities using non-black-box techniques.
How do we get it?
Garbled RAM [LO13, GHLORW14, GLOS15, GLO15, GMP16, GGMP16, CDGGMP17]
Witness Encryption [CS00, GGSW13, BH15, CDGGMP17]
How do we get it?
Compress two keys
$pk_0, pk_1 \to pk$
• $|pk| = |pk_0| = |pk_1|$
• Encryption can be done to either $pk_0$ or $pk_1$ knowing just $pk$
• Decryption can be done using $pk_0$, $pk_1$ and the right secret key
• $pk$ loses information about $pk_0$ or $pk_1$
$c = \mathrm{Enc2}(pk, b, m)$
[Diagram: Alice, Bob and Cara, with the ciphertext $c$.]
How do known schemes from stronger assumptions compress two keys?
$pk_0, pk_1 \to pk$
• $pk_0$ and $pk_1$ are correlated
• Structured assumptions
• Impossibility results: Similar intuition
Our goal: Compress Uncorrelated Keys!
Our Construction: Tools
Hash with Encryption + Yao's Garbled Circuits
Tool I: Hash with Encryption
Three Algorithms: $(H, E, D)$
$H(x) \to h$: $h$ is short (say $\lambda$-bits), $x$ is $2\lambda$-bits
$E((h, i, b), m) \to c$ where $i \in [2\lambda]$ and $b \in \{0,1\}$
$D(c, x) \to m$ if $H(x) = h$ and $x_i = b$
Reminiscent of Witness Encryption [GGSW13] or laconic OT [CDGGMP17].
Security: $(x, E((h, i, 1 - x_i), 0)) \approx (x, E((h, i, 1 - x_i), 1))$
Security: Hard to compute $x, x'$ such that $H(x) = H(x')$
Tool I: Hash with Encryption
Hash Parameters: $g_{1,0}, g_{2,0}, \ldots, g_{n,0}$ and $g_{1,1}, g_{2,1}, \ldots, g_{n,1}$
• $H(x) \to h$: $h = \prod_{j \in [n]} g_{j,x_j}$
• $E((h, i, b), m) \to c = \big( (g_{1,0}^{s}, g_{2,0}^{s}, \ldots, g_{n,0}^{s};\ g_{1,1}^{s}, g_{2,1}^{s}, \ldots, g_{n,1}^{s}),\ h^{s} \oplus m \big)$, with the entry $g_{i,1-b}^{s}$ left out
• $D(c, x)$: Set $h^{s} = \prod_{j \in [n]} g_{j,x_j}^{s}$
Security can be argued based on DDH: $(g^{x}, g^{y}, g^{xy}) \approx (g^{x}, g^{y}, g^{r})$
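An added sketch of the (H, E, D) construction on this slide, not taken from the talk or from the authors' code: Python over a toy prime-order group. The group parameters, the SHAKE-256 pad standing in for the slide's direct XOR with $h^{s}$, the 0-based index i, and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy parameters (constructed, far too small to be secure): G generates the
# order-Q subgroup of Z_P^*, with P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def keygen(n):
    """Hash parameters g[j][b], j in 0..n-1, b in {0,1}: random subgroup elements."""
    return [[pow(G, secrets.randbelow(Q - 1) + 1, P) for _ in (0, 1)] for _ in range(n)]

def H(g, x):
    """h = product over j of g[j][x_j]."""
    h = 1
    for j, bit in enumerate(x):
        h = h * g[j][bit] % P
    return h

def mask(elem, length):
    """Stretch a group element into a byte pad (SHAKE-256 is this example's choice)."""
    return hashlib.shake_256(str(elem).encode()).digest(length)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def E(g, h, i, b, m):
    """Encrypt bytes m to (h, i, b): all g[j][c]^s except g[i][1-b]^s, plus pad(h^s) xor m."""
    s = secrets.randbelow(Q - 1) + 1
    table = [[pow(g[j][c], s, P) for c in (0, 1)] for j in range(len(g))]
    table[i][1 - b] = None                      # the withheld entry
    return table, xor(m, mask(pow(h, s, P), len(m)))

def D(c, x):
    """Recompute h^s from the entries selected by x; fails if x needs the withheld one."""
    table, body = c
    hs = 1
    for j, bit in enumerate(x):
        if table[j][bit] is None:
            return None
        hs = hs * table[j][bit] % P
    return xor(body, mask(hs, len(body)))

def demo():
    g = keygen(8)
    x = [1, 0, 1, 1, 0, 0, 1, 0]               # constructed preimage
    h = H(g, x)
    return D(E(g, h, 2, x[2], b"lab"), x), D(E(g, h, 2, 1 - x[2], b"lab"), x)
```

The first value returned by demo() is the recovered message; the second is None because the ciphertext was made for the bit that x does not have at that position.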
Tool 2: Yao's Garbled Circuits $(\mathrm{Garble}, \mathrm{Eval})$ [Yao86, AIK04, AIK05, LP09, BHR12]
$\mathrm{Garble}(C) \to (\tilde{C}, \{lab_{i,0}, lab_{i,1}\}_{i})$
$\mathrm{Eval}(\tilde{C}, \{lab_{i,x_i}\}) \to C(x)$
Security: $(\tilde{C}, \{lab_{i,x_i}\}) \approx \mathrm{Sim}(C(x))$
How do we compress?
$pk = H(pk_0 \,\|\, pk_1)$
$pk_0, pk_1 \to pk$
How do we encrypt?
$pk = H(pk_0 \,\|\, pk_1)$
$c = \mathrm{Enc2}(pk, b, m)$
$P_{pk,b,m}(x)$:
1. Abort if $pk \neq H(x)$.
2. If $b = 0$ then $pk_b = x[1 \ldots \lambda]$, else $pk_b = x[\lambda + 1 \ldots 2\lambda]$.
3. Output $\mathrm{Enc}(pk_b, m)$.
[Diagram: Alice, Bob and Cara.]
How do we encrypt?
$pk = H(pk_0 \,\|\, pk_1)$
$c = \mathrm{Enc2}(pk, b, m)$
$\mathrm{Enc2}(pk, b, m)$:
• Circuit $C_m(pk_b) = \mathrm{Enc}(pk_b, m)$
• $\mathrm{Garble}(C_m) \to (\tilde{C}, \{lab_{j,0}, lab_{j,1}\}_{j})$
• $\forall j \in \{b\lambda + 1, \ldots, b\lambda + \lambda\},\ \gamma \in \{0,1\}$
• $e_{j,\gamma} = E((pk, j, \gamma), lab_{j,\gamma})$
• $c = (\tilde{C}, \{e_{j,\gamma}\})$
[Diagram: Alice, Bob and Cara.]
How to decrypt?
• Decrypt $c = (\tilde{C}, \{e_{j,\gamma}\})$ using $pk_0$, $pk_1$ and $sk_b$
• Recall $e_{1,0} = E((pk, b\lambda + 1, 0), lab_{1,0})$ and $e_{1,1} = E((pk, b\lambda + 1, 1), lab_{1,1})$
  • Which one can be decrypted?
  • $e_{1,pk_{b,1}}$, which decrypts to $lab_{1,pk_{b,1}}$
• Similarly, for each $j$ decrypt $e_{j,0}$ or $e_{j,1}$
• Evaluate$(\tilde{C}, \{lab_{j,pk_{b,j}}\})$ outputs $\mathrm{Enc}(pk_b, m)$
How to compress more keys/Bootstrapping?
• Using a Merkle Tree
• Exponentially Many Keys
  • Grow the tree dynamically, as needed
Chameleon Encryption
Five Algorithms: $(S, H, H^{-1}, E, D)$
$S(1^{\lambda}, n) \to (k, t)$: $k$ is the hash key, $t$ is the hash trapdoor
$H(k, x; r) \to h$: $h$ is short (say $\lambda$-bits)
$H^{-1}(t, (x, r), x') \to r'$ s.t. $H(k, x; r) = H(k, x'; r')$
$E(k, (h, i, b), m) \to c$ where $i \in [n]$ and $b \in \{0,1\}$
$D(c, (x, r)) \to m$ if $H(k, x; r) = h$ and $x_i = b$
Security: $(k, x, r, E(k, (h, i, 1 - x_i), 0)) \approx (k, x, r, E(k, (h, i, 1 - x_i), 1))$
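Bootstrapping
[Tree diagram: hash keys $k_0, k_1, \ldots, k_{\ell}$, one per level; trapdoors $t_0, t_1, \ldots, t_{\ell}$; label $msk$; nodes $h_{0,0}$; $h_{1,0}, h_{1,1}$; $\ldots$; $h_{\ell,0}, h_{\ell,1}, \ldots, h_{\ell,2^{\ell}-2}, h_{\ell,2^{\ell}-1}$.]
$h_{i,j} = H(k_i, 0^{*}; r'_{i,j})$
$r_{i,j} = H^{-1}(t_i, (0^{*}, r'_{i,j}), h_{i+1,2j} \,|\, h_{i+1,2j+1})$
At the root: $r_{0,0} = H^{-1}(t_0, (0^{*}, r'_{0,0}), h_{1,0} \,|\, h_{1,1})$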
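An added example, not from the talk: a toy chameleon hash with trapdoor collisions, used to evaluate the two node equations of this slide so that any node of the tree can be opened on demand without storing the tree. The toy group, the HMAC-SHA256 PRF that derives $r'_{i,j}$, the bit encoding of the child hashes, and the names S, H, H_inv, Tree and check_path are assumptions of this example.

```python
import hashlib, hmac, secrets

P, Q, G, W = 2039, 1019, 4, 11   # toy group (constructed); every hash fits in W bits

def S(n):
    """Hash key k (g[j][b] = G^a[j][b]) and trapdoor t (the exponents a[j][b])."""
    t = [[secrets.randbelow(Q - 1) + 1 for _ in (0, 1)] for _ in range(n)]
    return [[pow(G, a, P) for a in row] for row in t], t

def H(k, x, r):
    """H(k, x; r) = G^r * product over j of g[j][x_j]."""
    h = pow(G, r, P)
    for j, bit in enumerate(x):
        h = h * k[j][bit] % P
    return h

def H_inv(t, x, r, x2):
    """Randomness r2 with H(k, x; r) == H(k, x2; r2), computed from the trapdoor."""
    return (r + sum(t[j][x[j]] - t[j][x2[j]] for j in range(len(x)))) % Q

class Tree:
    def __init__(self, depth):
        self.depth = depth
        self.levels = [S(2 * W) for _ in range(depth + 1)]   # (k_i, t_i) per level
        self.seed = secrets.token_bytes(16)                  # PRF seed, kept secret

    def r_prime(self, i, j):
        """r'_{i,j} from a PRF (HMAC-SHA256, this example's choice): nothing is stored."""
        tag = hmac.new(self.seed, f"{i},{j}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag, "big") % Q

    def h(self, i, j):
        """h_{i,j} = H(k_i, 0...0; r'_{i,j}), fixed without looking at any child."""
        return H(self.levels[i][0], [0] * (2 * W), self.r_prime(i, j))

    def open(self, i, j):
        """Bits of h_{i+1,2j} | h_{i+1,2j+1}, and the r_{i,j} that ties them to h_{i,j}."""
        pair = (self.h(i + 1, 2 * j), self.h(i + 1, 2 * j + 1))
        kids = [(c >> s) & 1 for c in pair for s in range(W)]
        return kids, H_inv(self.levels[i][1], [0] * (2 * W), self.r_prime(i, j), kids)

def check_path(tree, leaf):
    """Check H(k_i, children; r_{i,j}) == h_{i,j} for each node on the root-to-leaf path."""
    results = []
    for i in range(tree.depth):
        j = leaf >> (tree.depth - i)
        kids, r = tree.open(i, j)
        results.append(H(tree.levels[i][0], kids, r) == tree.h(i, j))
    return results
```

Only the nodes on the requested path are ever computed, which is what lets the tree have exponentially many leaves.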
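Bootstrapping
Secret-key for $ID$
[Tree diagram: hash keys $k_0, k_1, \ldots, k_{\ell}$; trapdoors $t_0, t_1, \ldots, t_{\ell}$; label $msk$; nodes $h_{0,0}$; $h_{1,0}, h_{1,1}$; $\ldots$; $h_{\ell,0}, h_{\ell,1}, \ldots, h_{\ell,2^{\ell}-2}, h_{\ell,2^{\ell}-1}$; values $r_{i,j}$ marked on nodes down to level $\ell$.]
$h_{i,j} = H(k_i, 0^{*}; r'_{i,j})$
$r_{i,j} = H^{-1}(t_i, (0^{*}, r'_{i,j}), h_{i+1,2j} \,|\, h_{i+1,2j+1})$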
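Bootstrapping
Cipher for $ID, m$
[Tree diagram: hash keys $k_0, k_1, \ldots, k_{\ell}$; nodes $h_{0,0}$; $h_{1,0}, h_{1,1}$; $\ldots$; $h_{\ell,0}, h_{\ell,1}, \ldots, h_{\ell,2^{\ell}-2}, h_{\ell,2^{\ell}-1}$; values $r_{i,j}$ marked on nodes down to level $\ell$; the message $m$; garbled circuits labelled $\tilde{C}_0, \tilde{C}_1, \ldots, \tilde{C}_{\ell}$.]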
Open Problems and Related Works
• Can we make the scheme efficient?
• IBE from any PKE?
• ABE from weaker assumptions?
• Techniques have other applications:
  • Laconic OT [CDGGMP17]
  • Anonymous IBE [BLSV18]
  • Circular Security [BLSV18, DGHM18, KT18]
  • Two-round MPC [GS17, GS18, BL18]
  • Adaptive garbled circuits/RAM [GS18a, GS18b]
  • Laconic Function Evaluation [QWW18]
Thank You! Questions?