9.2 IBE From Lattices
9.2.5 Agrawal-Boneh-Boyen IBE
A use of the general pre-image sampling technique given in [5] is to obtain an IBE scheme which is secure without random oracles. Along with the pre-image sampling method some additional intuition is required. In the Gentry-Peikert-Vaikuntanathan IBE scheme of the previous section, an identity is mapped to an element u and the trapdoor S is used to find a pre-image. The matrix A defines the forward computation and does not depend on the identity. At a broad level, this can be thought to be similar to the Boneh-Franklin IBE scheme where identities are mapped into elliptic curve points and the decryption key is the s-fold scalar multiple of this point.
A different way to approach the problem of constructing a lattice-based IBE scheme while keeping within the framework of pre-image sampleable trapdoor functions is to change the roles of the range point and the matrix mapping. In [5], the range point $u$ is fixed and independent of the identity. The matrix $A$ is changed to $[A_0 \mid A_1 + H(id)B]$, where the matrices $A_0, A_1$ and $B$ are specified as part of the public parameters and $H : \mathbb{Z}_q^n \to \mathbb{Z}_q^{n\times n}$ is a public function which maps an identity (considered to be an element of $\mathbb{Z}_q^n$) to a matrix. The function $H$ satisfies a property called “full rank difference” in [5]: for any two distinct $u, v \in \mathbb{Z}_q^n$, the matrix $H(u) - H(v)$ is full rank.
This change of roles is to be seen in conjunction with the general pre-image sampling method of [56]. Consider a matrix $F = [A, AR + B]$, where $A$ and $B$ are in $\mathbb{Z}_q^{n\times m}$ and $R \in \{-1,1\}^{m\times m}$. Two pre-image sampling methods, SampleLeft and SampleRight, are described. SampleLeft works with a short basis for $A$ and is based on the generalised pre-image sampling in [5] described above. SampleRight is based on a lattice delegation technique from [146]. In the actual IBE scheme, only SampleLeft is required, whereas SampleRight is required during the simulation in the security argument. The details of the Agrawal-Boneh-Boyen IBE scheme are as follows.
Set-Up. Given $n$ and $q$, use the usual trapdoor generation method (due to Ajtai [8]) to generate a matrix $A_0 \in \mathbb{Z}_q^{n\times m}$ and a short basis $S_0$ for $\Lambda^{\perp}(A_0)$. Select two uniform random matrices $A_1$ and $B$ from $\mathbb{Z}_q^{n\times m}$. Select a uniform random $u \in \mathbb{Z}_q^n$. The public parameters consist of $(A_0, A_1, B, u)$ whereas the master secret key is $S_0$.
Identities are considered to be elements of $\mathbb{Z}_q^n$. For any identity $id$, let
$$F_{id} = [A_0, A_1 + H(id)B].$$
Key-Gen. Let $id$ be an identity. Use the short basis $S_0$ of $\Lambda^{\perp}(A_0)$ to obtain a pre-image $e_{id} \in \mathbb{Z}_q^{2m}$ of $u$ for $F_{id}$. (This is the SampleLeft algorithm, which is the generalised pre-image sampling method from [55, 146].) Then $F_{id}\, e_{id} = u$. The pre-image $e_{id}$ is a decryption key for the identity $id$.
Encrypt. Encryption of a bit $b$ to an identity $id$ is done as follows. Choose a uniform random $s \in \mathbb{Z}_q^n$ and a uniform random matrix $R \in \{-1,1\}^{m\times m}$. Sample noise elements $x \in \mathbb{Z}_q$ and $y \in \mathbb{Z}_q^m$ using the distributions $\Psi_\alpha$ and $\Psi_\alpha^m$ respectively and set $z = R^T y$. The ciphertext is $(c_0, c_1)$ where
$$c_0 = u^T s + x + b\lfloor q/2 \rfloor, \qquad c_1 = F_{id}^T s + \begin{bmatrix} y \\ z \end{bmatrix} \in \mathbb{Z}_q^{2m}.$$
Decrypt. Given a ciphertext $(c_0, c_1)$ encrypted to an identity $id$ and a decryption key $e_{id}$ for $id$, decryption is done as follows. Compute $w = c_0 - e_{id}^T c_1 \in \mathbb{Z}_q$. Compare $w$ and $\lfloor q/2 \rfloor$ as integers. If $|w - \lfloor q/2 \rfloor| < \lfloor q/4 \rfloor$, then output 1, else output 0.
Note that the masking of a message is similar to that of the previous scheme. A standard analysis shows that decryption succeeds with overwhelming probability.
The matrix $R$ plays a crucial role in the security reduction. Security is proved in the selective-identity model. The adversary specifies a target identity $id^*$ and then the simulator sets up the IBE scheme.
Security is based on the LWE problem. In the actual IBE scheme, a trapdoor for the matrix $A_0$ is known. On the other hand, in the instance of the LWE problem, the trapdoor for the matrix $A_0$ will not be known. But, the simulator in the proof still needs to be able to answer key extraction queries. This is done by generating a trapdoor for the matrix $B$ and using the SampleRight algorithm as follows.
Suppose the adversary specifies $id^*$ as the target identity. The simulator now sets up the IBE scheme by first generating $u$ in the usual manner. The simulator then generates a random matrix $A_0 \in \mathbb{Z}_q^{n\times m}$ and a pair $(B, T)$ using the trapdoor generation algorithm, where $B \in \mathbb{Z}_q^{n\times m}$ and $T$ is a short basis for the lattice $\Lambda^{\perp}(B)$. Generation of the challenge ciphertext will require a random matrix $R^* \in \{-1,1\}^{m\times m}$. Since this does not depend on the adversary's queries, it is chosen during set-up.
The matrix $A_1$ is defined to be
$$A_1 = A_0 R^* - H(id^*) B.$$
The public parameters $(A_0, A_1, B, u)$ are declared. Note that the simulator does not possess a trapdoor for $A_0$ but does possess a trapdoor for $B$.
Suppose the adversary makes a key extraction query on an identity $id$. Then $F_{id}$ is of the form
$$F_{id} = [A_0, A_1 + H(id)B] = [A_0, A_0 R^* + (H(id) - H(id^*))B].$$
By the full rank difference property of $H$, it follows that $H(id) - H(id^*)$ is non-singular. Also, with high probability $B$ is non-singular and hence the matrix $B' = (H(id) - H(id^*))B$ is also non-singular. Knowledge of the trapdoor $T$ for $B$ allows the simulator to use the SampleRight algorithm to obtain a pre-image of $u$ for $F_{id}$. (Note that SampleRight requires a short basis for $B'$ whereas the simulator actually has a short basis for $B$. This fact is glossed over in [5].) So, the simulator is able to answer any key extraction query except on $id^*$.
The distribution of $(c_0^*, c_1^*)$ in the actual scheme is that of an LWE instance where the input is from the “real” distribution. As is usual, in the last game of the security reduction this is taken from a “random” distribution, i.e., $(c_0^*, c_1^*)$ is chosen uniformly at random from $\mathbb{Z}_q \times \mathbb{Z}_q^{2m}$. Then the adversary has no advantage in winning the selective-identity game. Also, it is shown that the advantage in distinguishing between the two games is bounded above by the advantage of solving the LWE problem.
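The following Python script is an added illustration of two computations described above, the Encrypt/Decrypt arithmetic of the Agrawal-Boneh-Boyen scheme and the simulator's choice of $A_1 = A_0R^* - H(id^*)B$; it is not code from [5] or from this book. Its simplifications are assumptions of the example and are labelled in the comments: $n = 2$ with the full rank difference map realised as multiplication in the field $\mathbb{F}_{q^2}$ (so that $H(u) - H(v) = H(u - v)$), toy sizes $m = 8$ and $q = 7681$, uniform noise from $\{-1, 0, 1\}$ in place of $\Psi_\alpha$, and, because no trapdoor sampler is implemented, decryption keys produced backwards by choosing a short $e$ and setting $u := F_{id}\,e$ (the real Set-Up fixes $u$ first and SampleLeft finds $e$). The script therefore demonstrates the scheme's arithmetic and the structure of the simulated public parameters, not real key generation.

```python
import random

# Constructed toy parameters (assumption; far too small for any real security).
Q, N, M = 7681, 2, 8   # modulus, lattice rank n, width m of A_0, A_1 and B

def matmul(A, B):
    """Product of two matrices given as lists of rows, reduced mod Q."""
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]

def matadd(A, B):
    return [[(a + b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def matsub(A, B):
    return [[(a - b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def hcat(A, B):
    """[A | B]: side-by-side concatenation of matrices with equal row counts."""
    return [ra + rb for ra, rb in zip(A, B)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def rand_matrix(rng, rows, cols):
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]

def rand_sign_matrix(rng, rows, cols):
    return [[rng.choice((-1, 1)) for _ in range(cols)] for _ in range(rows)]

# Full rank difference map for n = 2 (the example's own realisation): identify Z_q^2
# with the field Z_q[x]/(x^2 - c) for a quadratic non-residue c and let H(id) be the
# matrix of multiplication by id. Then H(u) - H(v) = H(u - v) is invertible for u != v.
NONRESIDUE = next(c for c in range(2, Q) if pow(c, (Q - 1) // 2, Q) == Q - 1)

def H(identity):
    a, b = identity
    return [[a % Q, (NONRESIDUE * b) % Q], [b % Q, a % Q]]

def det2(X):
    """Determinant of a 2x2 matrix mod Q; zero exactly when X is singular."""
    return (X[0][0] * X[1][1] - X[0][1] * X[1][0]) % Q

def F_matrix(A0, A1, B, identity):
    """F_id = [A0 | A1 + H(id) B], an n x 2m matrix."""
    return hcat(A0, matadd(A1, matmul(H(identity), B)))

def toy_keygen(rng, F):
    """Stand-in for SampleLeft (assumption): pick a short e and define u := F e.
    The real scheme fixes u in Set-Up and uses the trapdoor S_0 to find such an e."""
    e = [[rng.choice((-1, 0, 1))] for _ in range(2 * M)]
    return e, matmul(F, e)

def encrypt(rng, F, u, bit):
    """c0 = u^T s + x + b*floor(q/2),  c1 = F^T s + (y ; R^T y)."""
    s = rand_matrix(rng, N, 1)
    R = rand_sign_matrix(rng, M, M)
    x = rng.choice((-1, 0, 1))                        # stand-in for Psi_alpha noise
    y = [[rng.choice((-1, 0, 1))] for _ in range(M)]  # stand-in for Psi_alpha^m noise
    z = matmul(transpose(R), y)
    c0 = (matmul(transpose(u), s)[0][0] + x + bit * (Q // 2)) % Q
    c1 = matadd(matmul(transpose(F), s), y + z)
    return c0, c1

def decrypt(e, c0, c1):
    """w = c0 - e^T c1; output 1 iff w lies within floor(q/4) of floor(q/2)."""
    w = (c0 - matmul(transpose(e), c1)[0][0]) % Q
    return 1 if abs(w - Q // 2) < Q // 4 else 0

def simulator_setup(rng, target_id):
    """Simulator's public parameters: A1 := A0 R* - H(id*) B.
    A0 is a plain random matrix (no trapdoor); B is where the trapdoor T would sit."""
    A0 = rand_matrix(rng, N, M)
    B = rand_matrix(rng, N, M)
    R_star = rand_sign_matrix(rng, M, M)
    A1 = matsub(matmul(A0, R_star), matmul(H(target_id), B))
    return A0, A1, B, R_star

def simulator_view(A0, B, R_star, target_id, identity):
    """F_id in the form [A0 | A0 R* + (H(id) - H(id*)) B], plus det of the difference."""
    diff = matsub(H(identity), H(target_id))
    return hcat(A0, matadd(matmul(A0, R_star), matmul(diff, B))), det2(diff)

def demo(seed=1):
    rng = random.Random(seed)
    id_star, id_query = (5, 17), (9, 3)              # constructed identities in Z_q^2
    A0, A1, B, R_star = simulator_setup(rng, id_star)
    # The declared parameters give exactly the F_id the simulator reasons about,
    # and the difference term is non-singular, so SampleRight would apply.
    F_query = F_matrix(A0, A1, B, id_query)
    F_sim, d = simulator_view(A0, B, R_star, id_star, id_query)
    assert F_query == F_sim and d != 0
    # For the target identity the B-dependent term vanishes: no key can be extracted.
    assert simulator_view(A0, B, R_star, id_star, id_star)[1] == 0
    # Encrypt/decrypt round trip under a (backwards-generated) key for id_query.
    e, u = toy_keygen(rng, F_query)
    return [decrypt(e, *encrypt(rng, F_query, u, b)) for b in (0, 1, 1, 0)]
```

Calling `demo()` returns the decrypted bits `[0, 1, 1, 0]`. Decryption cannot fail at these sizes: with $e \in \{-1,0,1\}^{2m}$, $|y_i| \le 1$ and $|z_j| \le m$, the term $x - e^T(y; z)$ that survives in $w$ is bounded by $1 + m + m^2 = 73$, far below $\lfloor q/4 \rfloor = 1920$. The two assertions in `demo` are the point of the simulator half: the public parameters are distributed like the real ones from the adversary's side, yet every $F_{id}$ with $id \ne id^*$ carries a non-singular multiple of $B$, while $F_{id^*}$ reduces to $[A_0, A_0R^*]$.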
Extension to HIBE. Using the generalised pre-image sampling method of [55] described earlier or the delegation method of [146], it is possible to obtain a selective-identity secure HIBE scheme. The essential idea is to be able to generate a trapdoor for a larger matrix from a trapdoor for a smaller matrix. To get a HIBE scheme, for an identity $id = (id_1, \ldots, id_\ell)$, the definition of $F_{id}$ is changed to the following.
$$F_{id} = [A_0, A_1 + H(id_1)B, \ldots, A_\ell + H(id_\ell)B].$$
The matrices $A_0, A_1, \ldots, A_\ell, B$ are given in the public parameters. A decryption key for $id$ is a pre-image of $u$ for $F_{id}$. This key, however, is not sufficient information to enable further delegation. For that a trapdoor is required. A basis delegation technique will allow the following. Consider an identity $id$ with $i$ levels $(id_1, \ldots, id_i)$ and let $id_{|i-1}$ be the identity consisting of the first $(i-1)$ components of $id$. Then
$$F_{id_{|i-1}} = [A_0, A_1 + H(id_1)B, \ldots, A_{i-1} + H(id_{i-1})B],$$
and suppose that a short basis $S_{id_{|i-1}}$ is known for $\Lambda^{\perp}(F_{id_{|i-1}})$. Then using generalised pre-image sampling (or the technique from [146]) it is possible to generate a short basis $S_{id_{|i}}$ for $\Lambda^{\perp}(F_{id_{|i}})$, where
$$F_{id_{|i}} = [A_0, A_1 + H(id_1)B, \ldots, A_i + H(id_i)B].$$
This method of basis delegation increases the dimension of the lattice with increase in the length of the identity tuple. In [6], a HIBE construction is described where key delegation can be done without increasing the lattice dimension.
Extension to adaptive-identity security. One may note that the simulation technique used in the security reduction is reminiscent of the simulation technique used for the Boneh-Boyen selective-identity secure IBE scheme (BB-IBE1). This scheme was modified by Waters [169] to obtain an adaptive-identity secure IBE scheme. In a similar manner, it is possible to modify the current scheme. Consider the identity as a sequence of $\ell$ bits $id = (id_1, \ldots, id_\ell) \in \{-1,1\}^\ell$. The public parameters consist of matrices $A_0$, $C$ and matrices $A_1, \ldots, A_\ell$, one for each bit of the identity. The function $F_{id}$ is now changed to the following.
$$F_{id} = \left[ A_0,\; C + \sum_{i=1}^{\ell} id_i\, A_i \right].$$
The resulting IBE scheme will be adaptive-identity secure with shorter ciphertexts compared to the IBE scheme in [56]. The public key size is quite large: an $n \times m$ matrix for each bit of the identity. It is conceivable that the strategy used by Chatterjee-Sarkar [60] and Naccache [137] to reduce the public parameter size in the Waters [169] scheme will also apply in the current context. This issue, however, is not addressed in [5].
Another issue not addressed in [5] is the question of an adaptive-identity secure HIBE scheme. As suggested in Waters [169], using independent sets of public parameters for each level of the HIBE extends the IBE scheme in [169] to a HIBE scheme. Using completely independent public parameters for each level of the HIBE leads to a very large size for the public parameters. A modification suggested by Chatterjee and Sarkar [61] (as discussed in Chapter 7) is to reuse most of the public parameters for different levels and only introduce a single random element for each HIBE level. It is conceivable that this method will work in the current context. The details, though, need to be carefully worked out.