Embed Size (px)
DESCRIPTION
Bonsai Trees, or how to delegate a lattice basis. David Cash (UCSD) Dennis Hofheinz (KIT) Eike Kiltz (CWI) Chris Peikert (GA). This work: crypto from lattices. Bonsai trees for lattices/basis delegation Applications: new lattice primitives Hash-and-sign signatures (standard model) - PowerPoint PPT Presentation
Citation preview
Bonsai Trees,or how to delegate a lattice basis
David Cash (UCSD) Dennis Hofheinz (KIT)Eike Kiltz (CWI)Chris Peikert (GA)
This work: crypto from lattices
1. Bonsai trees for lattices/basis delegation2. Applications: new lattice primitives– Hash-and-sign signatures (standard model)– IBE (standard model)– Hierarchical IBE (random oracle model)– Hierarchical IBE (standard model)
Independently discovered by [AB09]!
Pairings LatticesBF01: IBE
ROM
GS02: HIBEROM
CHK03: HIBESelective secure,
bit-by-bit
BB04: HIBESelective secure,Identity at once
Waters05: HIBE Fully secure
Waters09: HIBEFully secure,poly depth
GPV08: IBEROM
NEW: HIBEROM
HEW: HIBESelective secure,
bit-by-bit
ABB10: HIBESelective secure,Identity at once
B10/ABB10 HIBE Fully secure
You??? HIBEFully secure,poly depth
Basis delegationRa
ndom
ora
cle
mod
elSt
anda
rd m
odel
Integer lattices
A
Matrix A Zqm x n
m 2nlg(q)
n
(q,0)
(0,q)
m-dim Lattice L(A)={xZm :xA = 0 mod q}
Random basis for A
Integer lattices
A
Matrix A Zqm x n Non-short basis for L(A)
Short basis for A
Integer lattices
A
Matrix A Zqm x n Short basis for L(A)
[Ajtai96]
A
Encryption from lattices [Regev05, GPV08]
A
Public-key:Matrix A Zq
m x n
Secret Key:Short basis for L(A)
Encrypt/decrypt: via “trapdoor function” fA associated to matrix A
Security: Learning with errors
Bonsai Trees
Ancient art of bonsai • Techniques for selective control
of a tree by arborist
Cryptographic bonsai• Tree = hierarchy of trapdoor functions• Arborist = setup/simulator controls 2 types of
growth1. Undirected growth:
no privileged information 2. Controlled growth:
privileged information • Property: extending control down hierarchy (not up)
A
A
Central new technique: lattice basis delegation
A1
A1, A2, short basis for L(A1)
A2 Basis delegation
Short basis for (any) higher-dim. super-lattice L(A12)
A12
A2
A1hard
A3
A2
A1
A3A312
Bonsai trees: hierarchy of trapdoor functions
fA1256
fA1
fA125
fA1234
fA12
f A 123
Hierarchy of trapdoor functions
A1
A12
A123
A1234
m-dim lattice L(A1)
2m-dim lattice L(A12)
4m-dim latticeL(A1234)A1 A2 A3 A5A4 A6
A1256
3m-dim lattice L(A113)
A14m-dim lattice L(A1256)
fA1256
fA1
fA125
fA1234
fA12
f A 123
A1 A2 A3 A5A4 A6
fA1
fA12
fA1256
fA125
fA1234
f A 123
fA12
fA1234
f A 123
A1 A2A1 A2 A3 A4 A5
Short basis delegation to any higher-dim super-lattice
A1
A12
A123 A125
A12
A123
A1234
A125
A1
no tr
apdo
or
trap
door
undirectedgrowth
controlledgrowth
A1256
A2
A5
Hierarchy of trapdoor functions
Application 1: Hierarchical IBE (random oracles)
A
Hierarchical ID-based encryption (ROM)
Master Public-key: Matrix A Zq
m x n
Master Secret Key: Short basis for L(A)
…
AID
A
H(ID1)
A
Encrypt to ID: Use TDF fAID
associated to matrix AID
AID
Secret Key for ID: Short basis for L(AID)
AID’
H(ID1,..,IDk)H(ID1,…,IDk)
Encrypt to hierarchical identities ID=(ID1,…,IDk)IDSpacek
Secret key delegation ID’ID: “controlled growth” A
Application 2: IBE (standard model)
ID-based encryption (standard model)Master Public-key: Matrices Aij Zq
m x n
Master Secret Key: Short basis for L(A10) and L(A11)
A10 A11
A20 A21
Ak1Ak0
…
A10 A11
A10
A20
Ak0
ID0=0
ID1=1
IDk=0
…
AIDZqkm x n
…A11
A21
Ak1
…
Encrypt to ID{0,1}k: Use TDF fAID
associated to matrix AID
Secret Key for ID’: Short basis for L(AID’)
AID
A10
Ak0
AID’
A21
A10 A11
A20 A21
Ak1Ak0
…Security reduction (selective-ID security)
A10 A11
A20 A21
Ak1Ak0
…Master Secret Key: all-but-one setup ID=challenge ID
ID
Remarks:• Extends to Hierarchical IBE (standard model)• Full security (constant depth) using [BB04b]
Hash and sign signatures (standard model)
Master Public-key: Matrices Aij Zq
m x n
Master Secret Key: Short basis for L(A10) and L(A11)
A10 A11
A20 A21
Ak1Ak0
…
A10 A11
Sign M{0,1}k : Invert TDF fAM associated
to matrix AM with short
basis for L(AM)
A10
Ak0
AM
A21
Full UF-CMA security:• Add chameleon hash• Proof adapts “prefix-simulation” technique [HW09]
Conclusions• Bonsai trees/basis delegation• Applications: HIBE/signatures
• Follow-up work: • Improved efficiency of HIBE/sigs [ABB10, B10]• Alternative basis delegation [ABB10b]• More crypto primitives [R10, WB10, …]
Thank you!
