Bonsai Trees, or how to delegate a lattice basis

David Cash (UCSD), Dennis Hofheinz (KIT), Eike Kiltz (CWI), Chris Peikert (GA)


This work: crypto from lattices

1. Bonsai trees for lattices/basis delegation
2. Applications: new lattice primitives
   – Hash-and-sign signatures (standard model)
   – IBE (standard model)
   – Hierarchical IBE (random oracle model)
   – Hierarchical IBE (standard model)

Independently discovered by [AB09]!

Pairings:
• BF01: IBE, ROM
• GS02: HIBE, ROM
• CHK03: HIBE, selective secure, bit-by-bit
• BB04: HIBE, selective secure, identity at once
• Waters05: HIBE, fully secure
• Waters09: HIBE, fully secure, poly depth

Lattices:
• GPV08: IBE, ROM
• NEW: HIBE, ROM
• NEW: HIBE, selective secure, bit-by-bit
• ABB10: HIBE, selective secure, identity at once
• B10/ABB10: HIBE, fully secure
• You???: HIBE, fully secure, poly depth

[Figure labels: Random oracle model; Standard model; Basis delegation]

Integer lattices

Matrix $A \in \mathbb{Z}_q^{m \times n}$
m 2nlg(q)
m-dim lattice $L(A) = \{x \in \mathbb{Z}^m : xA = 0 \bmod q\}$

[Figure: lattice with the points (q,0) and (0,q) marked]

Integer lattices

Matrix $A \in \mathbb{Z}_q^{m \times n}$
Non-short basis for $L(A)$

[Figure: random basis for A]

Integer lattices

Matrix $A \in \mathbb{Z}_q^{m \times n}$
Short basis for $L(A)$
[Ajtai96]

[Figure: short basis for A]

Encryption from lattices [Regev05, GPV08]

Public key: Matrix $A \in \mathbb{Z}_q^{m \times n}$
Secret key: Short basis for $L(A)$
Encrypt/decrypt: via “trapdoor function” $f_A$ associated to matrix $A$
Security: Learning with errors

Bonsai Trees

Ancient art of bonsai
• Techniques for selective control of a tree by arborist

Cryptographic bonsai
• Tree = hierarchy of trapdoor functions
• Arborist = setup/simulator controls 2 types of growth
  1. Undirected growth: no privileged information
  2. Controlled growth: privileged information
• Property: extending control down hierarchy (not up)

Central new technique: lattice basis delegation

$A_1$, $A_2$, short basis for $L(A_1)$
→ Basis delegation →
Short basis for (any) higher-dim. super-lattice $L(A_{12})$

[Figure labels: $A_1$, $A_2$, $A_3$, $A_{12}$, $A_{312}$; one arrow marked “hard”]
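Added example (not from the slides): a toy Python run of basis delegation in the row convention used above, xA = 0 mod q, with A12 formed by stacking A1 on top of A2. The extension step used here, keeping the rows of the short basis padded with zeros and adding rows (w_i, e_i) with w_i·A1 = −A2[i] mod q, is an assumption, since the slides do not spell out the algorithm; the function names, q = 7 and all matrices are constructed for illustration.

```python
from fractions import Fraction
Q = 7  # toy prime modulus (constructed; real parameters are far larger)

def in_lattice(S, A, q=Q):
    # True if every row x of S satisfies x*A = 0 (mod q), i.e. x lies in L(A).
    return all(sum(x * a for x, a in zip(r, c)) % q == 0 for r in S for c in zip(*A))

def solve_row(A, t, q=Q):
    # Some integer row w with w*A = t (mod q), via Gauss-Jordan elimination mod prime q.
    m, n = len(A), len(A[0])
    eqs = [[A[i][j] % q for i in range(m)] + [t[j] % q] for j in range(n)]
    pivots = []
    for c in range(m):
        r = len(pivots)
        p = next((k for k in range(r, n) if eqs[k][c]), None)
        if p is None:
            continue
        eqs[r], eqs[p] = eqs[p], eqs[r]
        inv = pow(eqs[r][c], -1, q)
        eqs[r] = [v * inv % q for v in eqs[r]]
        eqs = [row if k == r else [(a - row[c] * b) % q for a, b in zip(row, eqs[r])]
               for k, row in enumerate(eqs)]
        pivots.append(c)
    if len(pivots) < n:
        raise ValueError("A must have full column rank mod q")
    sol = {c: row[-1] for row, c in zip(eqs, pivots)}
    return [sol.get(i, 0) for i in range(m)]

def ext_basis(S1, A1, A2, q=Q):
    # Rows (s, 0) for s in S1, then rows (w_i, e_i) with w_i*A1 = -A2[i] (mod q).
    top = [list(s) + [0] * len(A2) for s in S1]
    bot = [solve_row(A1, [-a for a in row], q) + [int(i == j) for j in range(len(A2))]
           for i, row in enumerate(A2)]
    return top + bot

def gs_max_norm_sq(B):
    # Largest squared Gram-Schmidt length over the rows of B, in exact arithmetic.
    ortho = []
    for b in B:
        v = [Fraction(x) for x in b]
        for u in ortho:
            mu = sum(x * y for x, y in zip(b, u)) / sum(y * y for y in u)
            v = [x - mu * y for x, y in zip(v, u)]
        ortho.append(v)
    return max(sum(x * x for x in v) for v in ortho)

# Constructed toy instance (n = 2, m = 3); rows of S1 form a short basis of L(A1).
A1, A2 = [[2, 1], [1, 1], [0, 5]], [[4, 1], [6, 5], [3, 2]]
S1 = [[-2, -3, 1], [3, 1, 2], [-2, 4, 1]]
```

Calling `ext_basis(S1, A1, A2)` returns six rows that all lie in L(A12). The added rows (w_i, e_i) are not short themselves, yet the largest Gram-Schmidt length of the extended basis equals that of S1.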


Bonsai trees: hierarchy of trapdoor functions

Hierarchy of trapdoor functions

• m-dim lattice $L(A_1)$
• 2m-dim lattice $L(A_{12})$
• 3m-dim lattice $L(A_{123})$
• 4m-dim lattice $L(A_{1234})$
• 4m-dim lattice $L(A_{1256})$

[Figure: tree over the matrices $A_1, \dots, A_6$ with nodes $f_{A_1}$, $f_{A_{12}}$, $f_{A_{123}}$, $f_{A_{125}}$, $f_{A_{1234}}$, $f_{A_{1256}}$]

Hierarchy of trapdoor functions

Short basis delegation to any higher-dim super-lattice
• Undirected growth: no trapdoor
• Controlled growth: trapdoor

[Figure: the same tree, with branches marked as undirected growth or controlled growth]


Application 1: Hierarchical IBE (random oracles)

Hierarchical ID-based encryption (ROM)

Master public key: Matrix $A \in \mathbb{Z}_q^{m \times n}$
Master secret key: Short basis for $L(A)$
Encrypt to ID: Use TDF $f_{A_{ID}}$ associated to matrix $A_{ID}$
Secret key for ID: Short basis for $L(A_{ID})$
Encrypt to hierarchical identities $ID = (ID_1, \dots, ID_k) \in \mathrm{IDSpace}^k$
Secret key delegation ID’ID: “controlled growth”

[Figure labels: $A$, $H(ID_1)$, $H(ID_1, \dots, ID_k)$, $A_{ID}$, $A_{ID'}$]


Application 2: IBE (standard model)

ID-based encryption (standard model)

Master public key: Matrices $A_{ij} \in \mathbb{Z}_q^{m \times n}$
Master secret key: Short basis for $L(A_{10})$ and $L(A_{11})$
Encrypt to $ID \in \{0,1\}^k$: Use TDF $f_{A_{ID}}$ associated to matrix $A_{ID} \in \mathbb{Z}_q^{km \times n}$
Secret key for ID’: Short basis for $L(A_{ID'})$

[Figure labels: matrix pairs $A_{10}, A_{11}$; $A_{20}, A_{21}$; …; $A_{k0}, A_{k1}$; identity bits ID0=0, ID1=1, IDk=0; selected matrices $A_{10}$, $A_{21}$, …, $A_{k0}$]

Security reduction (selective-ID security)
Master secret key: all-but-one setup, ID = challenge ID

Remarks:
• Extends to Hierarchical IBE (standard model)
• Full security (constant depth) using [BB04b]

Hash and sign signatures (standard model)

Master public key: Matrices $A_{ij} \in \mathbb{Z}_q^{m \times n}$
Master secret key: Short basis for $L(A_{10})$ and $L(A_{11})$
Sign $M \in \{0,1\}^k$: Invert TDF $f_{A_M}$ associated to matrix $A_M$ with short basis for $L(A_M)$

[Figure labels: matrix pairs $A_{10}, A_{11}$; $A_{20}, A_{21}$; …; $A_{k0}, A_{k1}$; selected matrices $A_{10}$, $A_{21}$, …, $A_{k0}$ forming $A_M$]

Full UF-CMA security:
• Add chameleon hash
• Proof adapts “prefix-simulation” technique [HW09]

Conclusions
• Bonsai trees/basis delegation
• Applications: HIBE/signatures
• Follow-up work:
  – Improved efficiency of HIBE/sigs [ABB10, B10]
  – Alternative basis delegation [ABB10b]
  – More crypto primitives [R10, WB10, …]


Thank you!