# Adaptively secure efficient lattice (H)IBE in standard model with short public parameters

03 Nov 2012-pp 153-172

TL;DR: A scheme to divide an l-bit identity into l′ blocks of l/l′ so that size of the vector $\overrightarrow{V}$ can be reduced from l elements of G to l′ elements ofG is presented.

Abstract: Independent work by Chatterjee and Sarkar [9] and Naccache [16] provided a variant of Waters' IBE to reduce public parameters. The idea is to divide an l-bit identity into l′ blocks of l/l′ so that size of the vector $\overrightarrow{V}$ can be reduced from l elements of G to l′ elements of G. We name this technique as blocking technique. This leads to some associated degradation in security reduction. In this paper our contribution is two fold: First we apply Waters' [21] idea to convert Agrawal et al. [1] selective-ID secure lattice HIBE to adaptive-ID secure HIBE then using blocking technique we reduce the public parameters. Second we present efficient lattice identity based encryption in standard model with smaller public key size which is variant of [1]. Using blocking technique our scheme reduces public key size by a factor of β at the cost of increasing (β−lg (β))2 number of bits in q where q is size of field Zq. There is an interesting trade-off between reducing the public parameter size and increase in the computational cost. For 160-bit identities we show that compared to scheme [1] the public parameter size can be reduced by almost 90% while increasing the computation cost by only 8.71% for appropriate choice of β.

##### Citations

More filters

•

TL;DR: This work presents a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficientlylarge.

Abstract: An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of copyrighted function which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based copyrighted function. Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead, however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).

649 citations

•

01 Jan 2010

TL;DR: Cryptosystems I and II: Cryptography between Wonderland and Underland as discussed by the authors, a simple BGN-type Cryptosystem from LWE, or Bonsai Trees, or how to delegate a Lattice Basis.

Abstract: Cryptosystems I.- On Ideal Lattices and Learning with Errors over Rings.- Fully Homomorphic Encryption over the Integers.- Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups.- Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption.- Obfuscation and Side Channel Security.- Secure Obfuscation for Encrypted Signatures.- Public-Key Encryption in the Bounded-Retrieval Model.- Protecting Circuits from Leakage: the Computationally-Bounded and Noisy Cases.- 2-Party Protocols.- Partial Fairness in Secure Two-Party Computation.- Secure Message Transmission with Small Public Discussion.- On the Impossibility of Three-Move Blind Signature Schemes.- Efficient Device-Independent Quantum Key Distribution.- Cryptanalysis.- New Generic Algorithms for Hard Knapsacks.- Lattice Enumeration Using Extreme Pruning.- Algebraic Cryptanalysis of McEliece Variants with Compact Keys.- Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds.- IACR Distinguished Lecture.- Cryptography between Wonderland and Underland.- Automated Tools and Formal Methods.- Automatic Search for Related-Key Differential Characteristics in Byte-Oriented Block Ciphers: Application to AES, Camellia, Khazad and Others.- Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR.- Computational Soundness, Co-induction, and Encryption Cycles.- Models and Proofs.- Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks.- Cryptographic Agility and Its Relation to Circular Encryption.- Bounded Key-Dependent Message Security.- Multiparty Protocols.- Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography.- Adaptively Secure Broadcast.- Universally Composable Quantum Multi-party Computation.- Cryptosystems II.- A Simple BGN-Type Cryptosystem from LWE.- Bonsai Trees, or How to Delegate a Lattice Basis.- Efficient Lattice (H)IBE in the Standard Model.- Hash and MAC.- Multi-property-preserving Domain Extension Using Polynomial-Based Modes of Operation.- Stam's Collision Resistance Conjecture.- Universal One-Way Hash Functions via Inaccessible Entropy.- Foundational Primitives.- Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions.- Constructing Verifiable Random Functions with Large Input Spaces.- Adaptive Trapdoor Functions and Chosen-Ciphertext Security.

320 citations

••

04 Dec 2016TL;DR: In this paper, Chen et al. proposed a secure IBE scheme based on the hardness of a computational/search problem, rather than a decisional problem such as DDH and DLIN on bilinear maps with sublinear public parameter size.

Abstract: In this paper, we present new adaptively secure identity-based encryption IBE schemes. One of the distinguishing properties of the schemes is that it achieves shorter public parameters than previous schemes. Both of our schemes follow the general framework presented in the recent IBE scheme of Yamada Eurocrypt 2016, employed with novel techniques tailored to meet the underlying algebraic structure to overcome the difficulties arising in our specific setting. Specifically, we obtain the following:
- Our first scheme is proven secure under the ring learning with errors RLWE assumption and achieves the best asymptotic space efficiency among existing schemes from the same assumption. The main technical contribution is in our new security proof that exploits the ring structure in a crucial way. Our technique allows us to greatly weaken the underlying hardness assumption e.g., we assume the hardness of RLWE with a fixed polynomial approximation factor whereas Yamada's scheme requires a super-polynomial approximation factor while improving the overall efficiency.
- Our second IBE scheme is constructed on bilinear maps and is secure under the 3-computational bilinear Diffie-Hellman exponent assumption. This is the first IBE scheme based on the hardness of a computational/search problem, rather than a decisional problem such as DDH and DLIN on bilinear maps with sub-linear public parameter size.

69 citations

••

08 May 2016TL;DR: An attribute-based encryption scheme for branching programs that simultaneously satisfies the following properties for the first time: the scheme achieves compact secret keys, the security is proven under the LWE assumption with polynomial approximation factors, and the scheme can deal with unbounded length branching programs.

Abstract: In this paper, we present two new adaptively secure identity-based encryption IBE schemes from lattices. The size of the public parameters, ciphertexts, and private keys are $$\tilde{O}n^2 \kappa ^{1/d}$$, $$\tilde{O}n$$, and $$\tilde{O}n$$ respectively. Here, n is the security parameter, $$\kappa $$ is the length of the identity, and $$d\in \mathbb {N}$$ is a flexible constant that can be set arbitrary but will affect the reduction cost. Ignoring the poly-logarithmic factors hidden in the asymptotic notation, our schemes achieve the best efficiency among existing adaptively secure IBE schemes from lattices. In more detail, our first scheme is anonymous, but proven secure under the LWE assumption with approximation factor $$n^{\omega 1}$$. Our second scheme is not anonymous, but proven adaptively secure assuming the LWE assumption for all polynomial approximation factors.
As a side result, based on a similar idea, we construct an attribute-based encryption scheme for branching programs that simultaneously satisfies the following properties for the first time: Our scheme achieves compact secret keys, the security is proven under the LWE assumption with polynomial approximation factors, and the scheme can deal with unbounded length branching programs.

47 citations

### Cites methods from "Adaptively secure efficient lattice..."

...Another possible approach would be to use a technique from Naccache’s IBE scheme [36], as is done in [44]....

[...]

••

10 Aug 2016TL;DR: This work focuses on the implementation security issues related to postquantum schemes and their applications in e-commerce, e.g. the supply and demand for identity protection in the e-sports industry.

Abstract: Although postquantum cryptography is of growing practical concern, not many works have been devoted to implementation security issues related to postquantum schemes.

38 citations

##### References

More filters

••

19 Aug 2001TL;DR: This work proposes a fully functional identity-based encryption scheme (IBE) based on the Weil pairing that has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem.

Abstract: We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem. Our system is based on the Weil pairing. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.

7,083 citations

••

23 Aug 1985TL;DR: In this article, the authors introduce a novel type of cryptographic scheme, which enables any pair of users to communicate securely and to verify each other's signatures without exchanging private or public keys, without keeping key directories, and without using the services of a third party.

Abstract: In this paper we introduce a novel type of cryptographic scheme, which enables any pair of users to communicate securely and to verify each other’s signatures without exchanging private or public keys, without keeping key directories, and without using the services of a third party. The scheme assumes the existence of trusted key generation centers, whose sole purpose is to give each user a personalized smart card when he first joins the network. The information embedded in this card enables the user to sign and encrypt the messages he sends and to decrypt and verify the messages he receives in a totally independent way, regardless of the identity of the other party. Previously issued cards do not have to be updated when new users join the network, and the various centers do not have to coordinate their activities or even to keep a user list. The centers can be closed after all the cards are issued, and the network can continue to function in a completely decentralized way for an indefinite period.

6,902 citations

••

22 May 2005TL;DR: A public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP, and an efficient solution to the learning problem implies a

*quantum*, which can be made classical.Abstract: Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical.Using the main result, we obtain a public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public-key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size O(n2) and encrypting a message increases its size by O(n)(in previous cryptosystems these values are O(n4) and O(n2), respectively). In fact, under the assumption that all parties share a random bit string of length O(n2), the size of the public key can be reduced to O(n).

2,620 citations

••

22 May 2005TL;DR: This work first presents their IBE construction and reduces the security of the scheme to the decisional Bilinear Diffie-Hellman (BDH) problem, and shows that their techniques can be used to build a new signature scheme that is secure under the computational Diffie -Hellman assumption without random oracles.

Abstract: We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles We first present our IBE construction and reduce the security of our scheme to the decisional Bilinear Diffie-Hellman (BDH) problem Additionally, we show that our techniques can be used to build a new signature scheme that is secure under the computational Diffie-Hellman assumption without random oracles

2,188 citations

••

02 May 2004TL;DR: The first secure IBE scheme without random oracles was presented in this article, where the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively.

Abstract: We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles.

1,917 citations