Identity Based Encryption from the Diffie-Hellman Assumption Sanjam Garg University of California, Berkeley (Joint work with Nico Döttling)
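Private-Key Encryption
  Alice and Bob both hold the key $K$; the message $m$ is sent as $c = \mathrm{Enc}(K, m)$.
Public-Key Encryption [DH76, RSA78, GM82]
  Alice obtains $pk_{Bob}$ and sends $\mathrm{Enc}(pk_{Bob}, m)$; Bob holds $sk_{Bob}$ and recovers $m$.
Identity-Based Encryption (IBE) [Shamir84, BF01]
  Identity of the recipient used as the public key
  Alice, knowing $pp$ and bob@gmail.com, sends $\mathrm{Enc}(\text{bob@gmail.com}, m)$; Bob recovers $m$.
  CA/PKG issues $SK_{\text{bob@gmail.com}}$
  First construction based on pairings [BF01]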
Reduce the Gap!
  (Diagram labels) ABE [SW05]; Hierarchical IBE; IBE [Pairing, Lattices]
  Public-key crypto: Public-Key Encryption, Trapdoor Functions
  Private-key crypto: Signatures, OWF, PRG, PRF
Our Results
  Main result: IBE from Computational Diffie-Hellman Assumption (Fully-secure)
  Or, the hardness of Factoring
  Avoid impossibilities using non-black-box techniques.
Challenge? How do we do it?
Compress two keys
  $|pp| = |pk_0| = |pk_1|$
  Encryption can be done to either $pk_0$ or $pk_1$ knowing just $pp$
  Decryption can be done using $pk_0$, $pk_1$ and the right secret key
  $pp$ loses information about $pk_0$ or $pk_1$
  (Diagram: Alice and Bob; $pk_0$, $pk_1$, $pp$; Cara with $c = \mathrm{Enc}_2(pp, b, m)$ and message $m$)
How do known schemes from stronger assumptions compress two keys?
  $pk_0$ and $pk_1$ are correlated
  Structured assumptions
  Impossibility results: Similar intuition
  Our goal: Compress Uncorrelated Keys!
Our Construction: Tools
  Hash with Encryption + Yao’s Garbled Circuits
Tool I: Hash with Encryption
  Three Algorithms: $(H, E, D)$
  $H(x) \to h$, where $h$ is short (say $\lambda$ bits) and $x$ is $2\lambda$ bits
  $E((h, i, b), m) \to c$, where $i \in [2\lambda]$ and $b \in \{0,1\}$
  $D(c, x) \to m$ if $H(x) = h$ and $x_i = b$
  Security: Hard to compute distinct $x, x'$ such that $H(x) = H(x')$
  Security: $(x, E((h, i, 1 - x_i), 0)) \approx (x, E((h, i, 1 - x_i), 1))$
  Reminiscent of Witness Encryption [GGSW13] or laconic OT [CDGGMP17].
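Tool I: Hash with Encryption
  Hash Parameters:
  $$\begin{pmatrix} A_{1,0} & A_{2,0} & \dots & A_{n,0} \\ A_{1,1} & A_{2,1} & \dots & A_{n,1} \end{pmatrix}$$
  $H(x) \to h$: $h = \prod_{i \in [n]} A_{i, x_i}$
  $E((h, i, b), m) \to c$:
  $$c = \left( \begin{pmatrix} A_{1,0}^s & A_{2,0}^s & \dots & A_{n,0}^s \\ A_{1,1}^s & A_{2,1}^s & \dots & A_{n,1}^s \end{pmatrix},\ h^s \oplus m \right)$$
  $D(c, x)$: Set $h^s = \prod_{i \in [n]} A_{i, x_i}^s$
  Security can be argued based on DDH: $(g^x, g^y, g^{xy}) \approx (g^x, g^y, g^r)$
  (Slide callout: $A_{i,1-b}^s$)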
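The Hash with Encryption construction above as a runnable sketch. This is an added example, not code from the talk or the paper; the toy group parameters, the SHAKE-256 mask standing in for "$h^s \oplus m$", and the choice to withhold the entry $A_{i,1-b}^s$ from the ciphertext are assumptions of this sketch.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# G generates the order-Q subgroup of Z_P^*, with P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def keygen(n):
    """Hash parameters: one random group element A[i][bit] per position and bit."""
    return [[pow(G, secrets.randbelow(Q - 1) + 1, P) for _ in (0, 1)] for _ in range(n)]

def H(A, x):
    """h = product over i of A[i][x_i]."""
    h = 1
    for i, bit in enumerate(x):
        h = h * A[i][bit] % P
    return h

def _mask(elem, length):
    # Assumption: h^s is stretched to a byte mask with SHAKE-256 so it can be XORed with m.
    return hashlib.shake_256(str(elem).encode()).digest(length)

def E(A, h, i, b, m):
    """Encrypt m to (h, i, b): publish every A[j][bit]^s except position i, bit 1-b."""
    s = secrets.randbelow(Q - 1) + 1
    table = [[pow(a, s, P) for a in row] for row in A]
    table[i][1 - b] = None                      # withheld entry (assumption of this sketch)
    pad = _mask(pow(h, s, P), len(m))
    return table, bytes(p ^ c for p, c in zip(pad, m))

def D(ct, x):
    """Recompute h^s as the product of table[j][x_j]; fails if x_i != b."""
    table, body = ct
    hs = 1
    for j, bit in enumerate(x):
        if table[j][bit] is None:
            return None
        hs = hs * table[j][bit] % P
    return bytes(p ^ c for p, c in zip(_mask(hs, len(body)), body))

def demo():
    A = keygen(8)
    x = [1, 0, 1, 1, 0, 0, 1, 0]                # constructed input
    h = H(A, x)
    ok = D(E(A, h, 2, x[2], b"label"), x)       # x_2 matches b: decrypts
    bad = D(E(A, h, 2, 1 - x[2], b"label"), x)  # x_2 differs: needed entry is missing
    return ok, bad
```
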
Tool 2: Yao’s Garbled Circuits $(\mathrm{Garble}, \mathrm{Eval})$ [Yao86, AIK04, AIK05, LP09, BHR12]
  $\mathrm{Garble}(C) \to (\tilde{C}, \{lab_{i,0}, lab_{i,1}\}_i)$
  $\mathrm{Eval}(\tilde{C}, \{lab_{i,x_i}\}) \to C(x)$
  Security: $(\tilde{C}, \{lab_{i,x_i}\}) \approx \mathrm{Sim}(C(x))$
How do we compress?
  $pp = H(pk_0 \,\|\, pk_1)$
How do we encrypt? (Obfuscation Lens!)
  $pp = H(pk_0 \,\|\, pk_1)$; Cara computes $c = \mathrm{Enc}_2(pp, b, m)$
  Program $P[pp, b, m](x)$:
    Abort if $pp \neq H(x)$.
    If $b = 0$ then $pk = x_{1 \dots \lambda}$ else $pk = x_{\lambda+1 \dots 2\lambda}$
    Output $\mathrm{Enc}(pk, m)$
How do we encrypt?
  $pp = H(pk_0 \,\|\, pk_1)$; Cara computes $c = \mathrm{Enc}_2(pp, b, m)$
  $\mathrm{Enc}_2(pp, b, m)$:
    Circuit $C_m(pk) = \mathrm{Enc}(pk, m)$
    $\mathrm{Garble}(C_m) \to (\tilde{C}, \{lab_{i,0}, lab_{i,1}\}_i)$
    $\forall i \in \{b\lambda+1, \dots, b\lambda+\lambda\},\ \gamma \in \{0,1\}$: $c_{i,\gamma} = E((pp, i, \gamma), lab_{i,\gamma})$
    $c = (\tilde{C}, \{c_{i,\gamma}\})$
How to decrypt?
  Decrypt $c = (\tilde{C}, \{c_{i,\gamma}\})$ using $pk_1$, $pk_2$ and $sk_\gamma$
  Recall $c_{1,0} = E((pp, \gamma\lambda+1, 0), lab_{1,0})$ and $c_{1,1} = E((pp, \gamma\lambda+1, 1), lab_{1,1})$
  Which one can be decrypted? $c_{1, pk_{\gamma,1}}$, which decrypts to $lab_{1, pk_{\gamma,1}}$
  Similarly, for each $i$ decrypt $c_{i,0}$ or $c_{i,1}$
  Evaluate($\tilde{C}$, $\{lab_{i, pk_{\gamma,i}}\}$) outputs $\mathrm{Enc}(pk_\gamma, m)$
Many new Applications
  New constructions of cryptographic primitives from weaker computational assumptions
  Two-round MPC [GS17, GS18, BL18, GIS18]
  TDF [GD18] from CDH
  Deterministic Encryption [GGH18] from CDH
  Beats the efficiency of prior works even under DDH
  Two-round OT [DGHMW19] from CDH
  First PIR with polylogarithmic communication under DDH [DGMMIO19] (also rate-1 OT and more)
  Many new techniques: Can lead to several other improvements!
Thank You! Questions?