Cryptology. Scribe: Fabrice Mouhartem M2IF

Similar documents
6.892 Computing on Encrypted Data October 28, Lecture 7

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Efficient Lattice (H)IBE in the Standard Model

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Identity-based encryption

SIS-based Signatures

Searchable encryption & Anonymous encryption

Notes for Lecture 16

Background: Lattices and the Learning-with-Errors problem

Lattice-based Multi-signature with Linear Homomorphism

CS Topics in Cryptography January 28, Lecture 5

6.892 Computing on Encrypted Data September 16, Lecture 2

Ideal Lattices and NTRU

Hierarchical identity-based encryption

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Functional Encryption for Inner Product Predicates from Learning with Errors

Lecture 6: Lattice Trapdoor Constructions

Classical hardness of Learning with Errors

Lattice Cryptography

Lecture 7: Boneh-Boyen Proof & Waters IBE System

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Chosen-Ciphertext Security from Subset Sum

Gentry IBE Paper Reading

Gentry s SWHE Scheme

Practical Fully Homomorphic Encryption without Noise Reduction

Recent Advances in Identity-based Encryption Pairing-free Constructions

Classical hardness of the Learning with Errors problem

Multikey Homomorphic Encryption from NTRU

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Lattice Based Crypto: Answering Questions You Don't Understand

Lossy Trapdoor Functions from Smooth Homomorphic Hash Proof Systems

Public Key Cryptography

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption

Some security bounds for the DGHV scheme

Lattice Cryptography

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Forward-Secure Identity-based Broadcast Encryption Scheme from Lattice

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Lattice Basis Delegation in Fixed Dimension and Shorter-Ciphertext Hierarchical IBE

Attribute-based Encryption & Delegation of Computation

Revocable Identity-Based Encryption from Lattices

Short Exponent Diffie-Hellman Problems

Applied cryptography

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Fully Homomorphic Encryption - Part II

Open problems in lattice-based cryptography

Semantic Security of RSA. Semantic Security

How to Delegate a Lattice Basis

Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search

G Advanced Cryptography April 10th, Lecture 11

Efficient Identity-Based Encryption Without Random Oracles

Classical hardness of Learning with Errors

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

A Group Signature Scheme from Lattice Assumptions

Fully Homomorphic Encryption and Bootstrapping

Adaptive-ID Secure Revocable Identity-Based Encryption from Lattices via Subset Difference Method

On the power of non-adaptive quantum chosen-ciphertext attacks

Boneh-Franklin Identity Based Encryption Revisited

CRYPTANALYSIS OF COMPACT-LWE

A Strong Identity Based Key-Insulated Cryptosystem

Fully Homomorphic Encryption

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

A Comment on Gu Map-1

10 Concrete candidates for public key crypto

Secure and Practical Identity-Based Encryption

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Fully Homomorphic Encryption

Secure Certificateless Public Key Encryption without Redundancy

Efficient Identity-based Encryption Without Random Oracles

A survey on quantum-secure cryptographic systems

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

How to Encrypt with the LPN Problem

Multi-key fully homomorphic encryption report

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Fuzzy Identity Based Encryption from Lattices

A Note on Discrete Gaussian Combinations of Lattice Vectors

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures

Solving LWE with BKW

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Shai Halevi IBM August 2013

Pairing-Based Cryptography An Introduction

1 Number Theory Basics

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lossy Trapdoor Functions and Their Applications

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Riding on Asymmetry: Efficient ABE for Branching Programs

Lattice-Based Dual Receiver Encryption and More

Towards Multi-Hop Homomorphic Identity-Based Proxy Re-Encryption via Branching Program

REMARKS ON IBE SCHEME OF WANG AND CAO

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Ecient Public Trace and Revoke from Standard Assumptions

Transcription:

Cryptology Scribe: Fabrice Mouhartem M2IF

Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description can be found in [1] and the second tool can be retrieved in [2]. Tool 1 There exists a probabilistic polynomial time algorithm GenBasis that takes n, m, with m bigger than a Ω(n log n as inputs, and returns a matrix T (called the trapdoor of A of size m n in Z m n such that: (A, Unif 2 n The maximum norm of a row of T is uasilinear: the t i s form a basis of the lattice: T = max t i = O (n log n i Λ (A = { x Z m : x T A = 0 mod } Remark. For this algorithm to be polynomial time, n and m are written in unary in order to make the input exponentially bigger. Tool 2 Let L be a n-dimensional lattice with basis (b i, a vector c in Z n and s greater than max b i Ω ( log n. There exists a probabilistic pseudo-random polynomial time algorithm GPVSample that samples from D L,s,c : b c 2 D L,s,c (b exp ( π s 2 For such an s we have the following properties: max b L D L,s,c(b 2 n and Pr ( b c s n 2 n b D L,s,c 1

1.1 The Gentry-Peikert-Vaikuntanathan Identity Based Encryption scheme In this section we will present the Gentry Peikert Vaikuntanathan Identity Based Encryption [2]. It is a cryptosystem which security is based on the Learning With Errors problem. Setup We sample A, T using tool 1. Let s = O (n log n n. We define the master public key and the master secret key with: MP K : A, MSK : T Key extract(msk, id We first take u = H(id, where H is a hash function from a binary word to Z n modeled as a random oracle. Then we use linear algebra to find r 0 Z m such that r T 0 A = u T mod Finally we use tool 2 to sample r from the distribution: r 0 + D Λ (A,s, r 0 }{{} r 1 Thus: r T A = r T 0 A + r T 1 A = r T 0 A + 0 = u T And we have (tail bound with probability at least 1 2 n : mod r = r 0 + r 1 = r 1 ( r 0 ns r is id s secret key sk id. Enc(MP K, id, M {0, 1} Let u := H(id. We sample s from U(Z n and (e 1, e 2 from D Z m,α D Z,α (gaussian, and we send: c 1 = As + e 1 c 2 = u, s + e 2 + /2 M Dec(sk id, (c 1, c 2 We compute c 2 r T c 1 = e 2 + /2 M r T e 1 mod if the result is greater than /4, output 1, else output 0. 2

Correctness Let us compute the decryption error: e 2 r T e 1 e 2 + r e 1 α n + α m n r (with probability 1 c2 n for some constant c α n[1 + m mn log log n We have to set α such that α n[1 + m log log ] 8 Remark. The parameter α is some 1 poly(m,n,log α n[1 + m log log ] 1 8 Security Indistinguishability under Chosen Plaintext Attack (IND-CPA with selective-id security in the Random Oracle Model (ROM. Security Game We have an attacker A and a challenger C, as we are in the selective-id assumption, A starts by choosing and identity id to attack and send it to C. Then C selects master public and secret keys from Setup and send the master public key (MPK to A. Algorithm A starts by making extraction ueries for id different from id and also Random Oracle ueries to C. Without loss of generality if id is different from id. We assume that H(id is always ueried just before Extract(id. H(id is ueried before the challenge phase. As we are encrypting a bit, there is no need to produce two different messages M 0, M 1 as they will be 0 and 1. This is why C decides to encrypt a bit b with identity secret key id and send the resulting ciphertext c to A. Finally A returns a bit b, and wins if b is b. From this initial game we derive the following games: Game 0 Real game Game 1 Change Setup to Setup : We sample: the matrix A uniform and the vector u uniform (u is H(id Change Extract to Extract : if Extract (id has been ueried before then give same answer. else sample r from D Z m,s,0 set u := r T A. return that sk id is r and H(id is u. Enc stays the same as in Game 0. Using tool 1 we have that: (A in game 0, A in Game 1 2 n 3

For all fresh Random Oracle ueries, the reply is uniform. Distribution of sk id (conditioned on A, H(id = u are u U(Z m Question: Does the following experiment r r T 0 + D Λ (A,s, r 0 r D Z m,s,0 u = r T A gives the same distribution for (r, u? (the proof is somewhat non-trivial, left as exercise. Game 2 Enc changed to Enc in challenge phase: Enc (MP K, id, M : Unif + (0, 0,..., 0, /2 M Z m+1 0 Unif Z m+1 As depicted as follow: /2 M Any adversary that can distinguish between Games 1 and 2 may be able to break Learning With Errors (LWE. LWE input : (B, b. Answer b = Bs+c if in Game 1 or b = unif if in Game 2: the matrix B is built as u concatenated at the right of u. Enc: b + (0, 0,..., 0, /2 M 1.2 The Agrawal-Boneh-Boyen IBE The Agrawal Boneh Boyen Identity Based Encryption [3] scheme is based on the Learning With Errors problem. An interesting property of this scheme is that it is provably secure in the standard model, therefore we have no need of a random oracle assumption. Encoding of identities as matrices in Z n n : we want a map H from ID to Z n n { H(id H(id is full rank/invertible id id such that Let Φ(x be a degree n irreducible polynomial modulo (as the density is greater than 1/n and irreducibility can be tested in polynomial time, then the Φ-generation is polynomial-time. ID = Z [x] /(Φ(x ID = n 4

H(id = [id, x id mod Φ,..., x n 1 id mod Φ] The k-th column coefficients of H(id consists in the x k id(x mod Φ: id x id x2 id x 3 id... x n 1 id modφ Remark. The map: ID H(ID id H(id is a ring homomorphism: H(id + id = H(id + H(id and H(id id = H(id H(id The set ID is a field: H(id H(id = 0 = id = id, then we can embed F n into Z n n Setup We generate A 0, T 0 using tool 1. And we sample matrices A 1, B uniform in Z m n. The vector u is sampled uniform in Z n. We return: MSK = T 0, MP K = (A 0, A 1, B, u Extract(MP K, id Define A id : ( A A id = 0 A 1 + B H(id and Z 3m n ( ( T0 0 A 0 T = 0 I A i + B H(id T id = ( T0 T How to find T such that T id A id = 0? To find t i such that t T i A 0 =..., proceed as in GP V s Extract: ( mn t i O log log n 2m T 0 A 0 = 0 mod m A B The matrix T id is small (largest row smaller than O ( mn log log n. It is made of linearly independent rows. Further, we have T id A id = 0. We then have 3m linearly independent short vectors in Λ (A id. It is sufficient to efficiently sample from D Λ (A id,s,c for all c and s greater u 5

than an Ω(m 1.5 n log log n. (like in GP V s extract Using gaussian tail bound, we sample r such that: r T A id = u T mod r O ( ms Enc(MP K, id, M {0, 1} Recover: Sample: A id = A 0 A 1 + BH(id s U(Z n e 1 D Z 2m,α R { 1, 1} m 2m set e 2 := R e 1 e 2 D Z,α Send c = (c 1, c 2, c 3 with the following components: c 1 = A 0 s + e 1 + 0 c 2 = A 1 + B H(id + e 2 + 0 c 3 = 0 + e 3 + /2 M Dec(sk id, (c 1, c 2, c 3 Compute: ( c 3 r T c1 c 2 = /2 M + (decryption noise Correctness Get a bound on decryption noise. Set α such that decryption noise is smaller than /8 with probability greater than 1 k2 n for some constant k. Security IND-CPA selective id in the standard model. Game 0 real game Game 1 change Setup and Extract: Change setup to setup : The Challenger gets id from Adversary. He samples: R { 1, 1} m 2m (to be used for challenge T B, B tool 1 A 0 Z m n u Z n 6

Set A 1 = R A 0 BH(id We want that A 0, A, B, u should look as in Game 0. For A 0, B and u it is ok as they are chosen uniformly in Game 0. For A 1 with small statistical distance to uniform by the Leftover Hash Lemma (LHL. Therefore: Change Extract to Extract (id id : (MP K Game0, MP K Game1 2 Ω(n ( ( A A id = 0 A = 0 A 1 + B H(id R A 0 + B(H(id H(id How do I find a T id for A id using T B? T B B = 0 = T B B (H(id H(id = 0 ( ( ( I T A0 = 0 0 T B B The vectors t i are small, constructed as the T in real Extract. Possible as = H(id H(id is full rank. Rest of Extract is identical to Extract ( ( ( I T I A B 0 T B R I R A 0 + BH(id id = 0 }{{} A 0 BH(id id } {{ } T id Game 2 Enc in challenge phase : Unif + (0, 0,..., /2 M Z 3m+1 Exercise : show that if an adversary can distinguish Games 2 and 3 it may be used to break LWE. (how to extend LWE s b into a cipertext? Note: the correctness proof is not trivial and is based of a strengthened Leftover Hash Lemma. 7

Bibliography [1] Joël Alwen and Chris Peikert. Generating shorter bases for hard random lattices. Theory of Computing Systems 48.3 (2011: 535-553. [2] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. Proceedings of the fortieth annual ACM symposium on Theory of computing. ACM, 2008. [3] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H IBE in the standard model. Advances in Cryptology EUROCRYPT 2010. Springer Berlin Heidelberg, 2010. 553-572. 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback