Identity Based Encryption from the Diffie-Hellman Assumption


1 Identity Based Encryption from the Diffie-Hellman Assumption
Sanjam Garg, University of California, Berkeley (Joint work with Nico Döttling)

2 Private-Key Encryption
Alice, Bob: shared key $K$, message $m$, ciphertext $c = \mathrm{Enc}(K, m)$

3 Public-Key Encryption [DH76,RSA78,GM82]
Alice, Bob: obtain $pk_{Bob}$; Bob holds $sk_{Bob}$; ciphertext $\mathrm{Enc}(pk_{Bob}, m)$; message $m$

4 Identity-Based Encryption (IBE) [Shamir84, BF01]
Identity of the recipient used as the public key
First construction based on pairings [BF01]
[Diagram: Alice, Bob, CA/PKG; labels $pp$, $m$, $SK$]

5 Reduce the Gap!
ABE [SW05], Hierarchical IBE, IBE [Pairing, Lattices]
Public-key crypto: Public-Key Encryption, Trapdoor Functions
Private-key crypto: Signatures, OWF, PRG, PRF

6 Our Results
Main result: IBE from Computational Diffie-Hellman Assumption (Fully-secure)
Or, the hardness of Factoring
Avoid impossibilities using non-black-box techniques.

7 Challenge? How do we do it?

8 Compress two keys
$pp = pk_0 = pk_1$
Encryption can be done to either $pk_0$ or $pk_1$ knowing just $pp$
Decryption can be done using $pk_0$, $pk_1$ and the right secret key
$pp$ loses information about $pk_0$ or $pk_1$
Cara: $c = \mathrm{Enc}_2(pp, b, m)$
[Diagram: Alice, Bob and Cara; labels $pk_0$, $pk_1$, $pp$, $m$]

9 How do known schemes from stronger assumptions compress two keys?
$pk_0$ and $pk_1$ are correlated
Structured assumptions
Impossibility results: Similar intuition
Our goal: Compress Uncorrelated Keys!
[Diagram: $pk_0$, $pk_1$, $pp$]

10 Our Construction: Tools
Hash with Encryption + Yao's Garbled Circuits

11 Tool I: Hash with Encryption
Three Algorithms: $(H, E, D)$
$H(x) \to h$; $h$ is short (say $\lambda$ bits), $x$ is $2\lambda$ bits
$E((h, i, b), m) \to c$ where $i \in [2\lambda]$ and $b \in \{0,1\}$
$D(c, x) \to m$ if $H(x) = h$ and $x_i = b$
Security: Hard to compute $x, x'$ such that $H(x) = H(x')$
Security: $(x, E((h, i, 1 - x_i), 0)) \approx (x, E((h, i, 1 - x_i), 1))$
Reminiscent of Witness Encryption [GGSW13] or laconic OT [CDGGMP17].

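12 Tool I: Hash with Encryption
Hash Parameters: $\begin{pmatrix} A_{1,0} & A_{2,0} & \dots & A_{n,0} \\ A_{1,1} & A_{2,1} & \dots & A_{n,1} \end{pmatrix}$
$H(x) \to h$: $h = \prod_{i \in [n]} A_{i, x_i}$
$E((h, i, b), m) \to c = \left( \begin{pmatrix} A_{1,0}^s & A_{2,0}^s & \dots & A_{n,0}^s \\ A_{1,1}^s & A_{2,1}^s & \dots & A_{n,1}^s \end{pmatrix},\ h^s \oplus m \right)$
$D(c, x)$: Set $h^s = \prod_{i \in [n]} A_{i, x_i}^s$
Security can be argued based on DDH: $(g^x, g^y, g^{xy}) \approx (g^x, g^y, g^r)$
[Slide annotation: $A_{i,1-b}^s$]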

13 Tool 2: Yao's Garbled Circuits $(\mathrm{Garble}, \mathrm{Eval})$ [Yao86, AIK04, AIK05, LP09, BHR12]
$\mathrm{Garble}(C) \to (\tilde{C}, \{lab_{i,0}, lab_{i,1}\}_i)$
$\mathrm{Eval}(\tilde{C}, \{lab_{i, x_i}\}) \to C(x)$
Security: $(\tilde{C}, \{lab_{i, x_i}\}) \approx \mathrm{Sim}(C(x))$

14 How do we compress?
$pp = H(pk_0 \| pk_1)$
[Diagram: $pk_0$, $pk_1$, $pp$]

15 How do we encrypt? Obfuscation Lens!
Alice, Bob: $pp = H(pk_0 \| pk_1)$
Cara: $c = \mathrm{Enc}_2(pp, b, m)$
Program $P[pp, b, m](x)$:
Abort if $pp \neq H(x)$.
If $b = 0$ then $pk = x_{1 \dots \lambda}$ else $pk = x_{\lambda+1 \dots 2\lambda}$
Output $\mathrm{Enc}(pk, m)$

16 How do we encrypt?
Alice, Bob: $pp = H(pk_0 \| pk_1)$
Cara: $c = \mathrm{Enc}_2(pp, b, m)$
$\mathrm{Enc}_2(pp, b, m)$:
Circuit $C[m](pk) = \mathrm{Enc}(pk, m)$
$\mathrm{Garble}(C[m]) \to (\tilde{C}, \{lab_{i,0}, lab_{i,1}\}_i)$
$\forall\, i \in \{b\lambda+1, \dots, b\lambda+\lambda\},\ \gamma \in \{0,1\}$: $c_{i,\gamma} = E((pp, i, \gamma), lab_{i,\gamma})$
$c = (\tilde{C}, \{c_{i,\gamma}\})$

17 How to decrypt?
Decrypt $c = (\tilde{C}, \{c_{i,\gamma}\})$ using $pk_1$, $pk_2$ and $sk_\gamma$
Recall $c_{1,0} = E((pp, \gamma\lambda+1, 0), lab_{1,0})$ and $c_{1,1} = E((pp, \gamma\lambda+1, 1), lab_{1,1})$
Which one can be decrypted? $c_{1, pk_{\gamma,1}}$, which decrypts to $lab_{1, pk_{\gamma,1}}$
Similarly, for each $i$ decrypt $c_{i,0}$ or $c_{i,1}$
$\mathrm{Evaluate}(\tilde{C}, \{lab_{i, pk_{\gamma,i}}\})$ outputs $\mathrm{Enc}(pk_\gamma, m)$
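
Added example, not from the talk or the authors' code: a toy Python version of Tool I (slide 12) and of how slides 16 and 17 use it to release exactly one label per bit of the selected key. Assumptions: the tiny group constants `P`, `Q`, `G`, the hypothetical helper names `keygen`, `wrap_labels` and `unwrap_labels`, 0-based indices, a SHAKE-256 mask in place of the slide's direct $h^s \oplus m$, and that the ciphertext withholds $A_{i,1-b}^s$ as in the Döttling-Garg paper; the labels are caller-supplied byte strings, not real garbled-circuit output.

```python
import hashlib, secrets

# Toy group (constructed, NOT secure): order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q, G = 1019, 509, 4

def keygen(n):
    """Hash parameters: n pairs (A[i][0], A[i][1]) of random group elements."""
    return [[pow(G, secrets.randbelow(Q - 1) + 1, P) for _ in (0, 1)]
            for _ in range(n)]

def H(A, x):
    """h = prod_i A[i][x_i] for a list x of n bits."""
    h = 1
    for pair, bit in zip(A, x):
        h = h * pair[bit] % P
    return h

def _mask(elem, data):
    # Assumption: h^s is stretched with SHAKE-256 so m can be a byte string.
    pad = hashlib.shake_256(elem.to_bytes(2, "big")).digest(len(data))
    return bytes(u ^ v for u, v in zip(pad, data))

def E(A, h, i, b, m):
    """Encrypt m so that only x with H(x) = h and x_i = b can open it."""
    s = secrets.randbelow(Q - 1) + 1
    table = [[pow(a, s, P) for a in pair] for pair in A]
    table[i][1 - b] = None  # assumption: A[i][1-b]^s is withheld
    return table, _mask(pow(h, s, P), m)

def D(c, x):
    """Rebuild h^s = prod_i (A[i][x_i])^s from the table, then unmask."""
    table, body = c
    hs = 1
    for pair, bit in zip(table, x):
        if pair[bit] is None:  # x_i != b, the needed entry is missing
            return None
        hs = hs * pair[bit] % P
    return _mask(hs, body)

def wrap_labels(A, pp, b, lam, labels):
    """Slide 16: c[i][g] = E((pp, b*lam + i, g), labels[i][g])."""
    return [[E(A, pp, b * lam + i, g, labels[i][g]) for g in (0, 1)]
            for i in range(lam)]

def unwrap_labels(cts, x, b, lam):
    """Slide 17: per position, only the ciphertext for bit x_i opens."""
    return [D(cts[i][x[b * lam + i]], x) for i in range(lam)]
```

Here `x` plays the role of $pk_0 \| pk_1$ as a bit list and `pp = H(A, x)`. An `x` whose hash differs from the `h` used in `E` gets unrelated bytes from `D` rather than `None`.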

18 Many new Applications
New constructions of cryptographic primitives from weaker computational assumptions
Two round MPC [GS17,GS18,BL18,GIS18]
TDF [GD18] from CDH
Deterministic Encryption [GGH18] from CDH
Beats the efficiency of prior works even under DDH
Two-round OT [DGHMW19] from CDH
First PIR with polylogarithmic communication under DDH [DGMMIO19] (also rate 1-OT and more)
Many new techniques: Can lead to several other improvements!

19 Thank You! Questions?

