David Cash (UCSD) Dennis Hofheinz (KIT) Eike Kiltz (CWI) Chris Peikert (GA)

This work: crypto from lattices 1.Bonsai trees for lattices/basis delegation 2.Applications: new lattice primitives – Hash-and-sign signatures (standard model) – IBE (standard model) – Hierarchical IBE (random oracle model) – Hierarchical IBE (standard model) Independently discovered by [AB09]!

PairingsLattices BF01: IBE ROM BF01: IBE ROM GS02: HIBE ROM GS02: HIBE ROM CHK03: HIBE Selective secure, bit-by-bit CHK03: HIBE Selective secure, bit-by-bit BB04: HIBE Selective secure, Identity at once BB04: HIBE Selective secure, Identity at once Waters05: HIBE Fully secure Waters09: HIBE Fully secure, poly depth Waters09: HIBE Fully secure, poly depth GPV08: IBE ROM GPV08: IBE ROM NEW: HIBE ROM NEW: HIBE ROM HEW: HIBE Selective secure, bit-by-bit HEW: HIBE Selective secure, bit-by-bit ABB10: HIBE Selective secure, Identity at once ABB10: HIBE Selective secure, Identity at once B10/ABB10 HIBE Fully secure You??? HIBE Fully secure, poly depth You??? HIBE Fully secure, poly depth Basis delegation Random oracle model Standard model

Integer lattices A A m  2n  lg(q) n (q,0) (0,q)

Random basis for A Integer lattices A A Non-short basis for L  (A)

Short basis for A Integer lattices A A Short basis for L  (A) [Ajtai96]

A A Encryption from lattices [Regev05, GPV08] A A Secret Key: Short basis for L  (A) Encrypt/decrypt: via “trapdoor function” f A associated to matrix A Security: Learning with errors Encrypt/decrypt: via “trapdoor function” f A associated to matrix A Security: Learning with errors

Bonsai Trees Ancient art of bonsai Techniques for selective control of a tree by arborist Cryptographic bonsai Tree = hierarchy of trapdoor functions Arborist= setup/simulator controls 2 types of growth 1.Undirected growth: no privileged information 2.Controlled growth: privileged information Property: extending control down hierarchy (not up) A A A A

Central new technique: lattice basis delegation A1A1 A1A1 A 1, A 2, short basis for L  (A 1 ) A2A2 A2A2 Basis delegation Short basis for (any) higher- dim. super-lattice L  (A 12 ) A 12 A2A2 A1A1 hard A3A3 A3A3 A2A2 A1A1 A3A3 A 312

Bonsai trees: hierarchy of trapdoor functions

f A 1256 fA1fA1 fA1fA1 f A 125 f A 1234 f A 12 f A 123 Hierarchy of trapdoor functions A1A1 A1A1 A 12 A 123 A 1234 m-dim lattice L  (A 1 ) 2m-dim lattice L  (A 12 ) 4m-dim lattice L  (A 1234 ) A1A1 A1A1 A2A2 A2A2 A3A3 A3A3 A5A5 A5A5 A4A4 A4A4 A6A6 A6A6 A m-dim lattice L  (A 113 ) A1A1 A1A1 4m-dim lattice L  (A 1256 )

f A 1256 fA1fA1 fA1fA1 f A 125 f A 1234 f A 12 f A 123 A1A1 A1A1 A2A2 A2A2 A3A3 A3A3 A5A5 A5A5 A4A4 A4A4 A6A6 A6A6 fA1fA1 fA1fA1 f A 12 f A 1256 f A 125 f A 1234 f A 123 f A 12 f A 1234 f A 123 A1A1 A1A1 A2A2 A2A2 A1A1 A1A1 A2A2 A2A2 A3A3 A3A3 A4A4 A4A4 A5A5 A5A5 Short basis delegation to any higher-dim super-lattice A1A1 A1A1 A 12 A 123 A 125 A 12 A 123 A 1234 A 125 A1A1 A1A1 no trapdoor trapdoor undirected growth controlled growth A 1256 A2A2 A5A5 Hierarchy of trapdoor functions

Application 1: Hierarchical IBE (random oracles)

A A Hierarchical ID-based encryption (ROM) Master Secret Key: Short basis for L  (A) … A ID A A H(ID 1 ) A A Encrypt to ID: Use TDF f A ID associated to matrix A ID A ID Secret Key for ID: Short basis for L  (A ID ) A ID’ H(ID 1,..,ID k ) H(ID 1,…,ID k ) Encrypt to hierarchical identities ID=(ID 1,…,ID k )  IDSpace k Secret key delegation ID’  ID: “controlled growth” A

Application 2: IBE (standard model)

ID-based encryption (standard model) Master Secret Key: Short basis for L  (A 10 ) and L  (A 11 ) A 10 A 11 A 20 A 21 A k1 A k0 … A 10 A 11 A 10 A 20 A k0 ID 0 =0 ID 1 =1 ID k =0 … … A 11 A 21 A k1 … Encrypt to ID  {0,1} k : Use TDF f A ID associated to matrix A ID Secret Key for ID’: Short basis for L  (A ID’ ) A ID A 10 A k0 A ID’ A 21 A 10 A 11 A 20 A 21 A k1 A k0 … Security reduction (selective-ID security) A 10 A 11 A 20 A 21 A k1 A k0 … Master Secret Key: all-but-one setup ID=challenge ID  ID Remarks: Extends to Hierarchical IBE (standard model) Full security (constant depth) using [BB04b] Remarks: Extends to Hierarchical IBE (standard model) Full security (constant depth) using [BB04b]

Hash and sign signatures (standard model) Master Secret Key: Short basis for L  (A 10 ) and L  (A 11 ) A 10 A 11 A 20 A 21 A k1 A k0 … A 10 A 11 Sign M  {0,1} k : Invert TDF f A M associated to matrix A M with short basis for L  (A M ) A 10 A k0 AMAM AMAM A 21 Full UF-CMA security: Add chameleon hash Proof adapts “prefix- simulation” technique [HW09] Full UF-CMA security: Add chameleon hash Proof adapts “prefix- simulation” technique [HW09]

Conclusions Bonsai trees/basis delegation Applications: HIBE/signatures Follow-up work: Improved efficiency of HIBE/sigs [ABB10, B10] Alternative basis delegation [ABB10b] More crypto primitives [R10, WB10, …]