lattice based proxy re encryption

Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena - PowerPoint PPT Presentation

Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Görtz Institute for IT Security Ruhr University Bochum Outline 1 Definition of PRE and Security Model 2 Previous constructions and our contribution 3 One-way functions


  1. Lattice-based Proxy Re-encryption PKC 2014 , 26.03.14 Elena Kirshanova Horst Görtz Institute for IT Security Ruhr University Bochum

  2. Outline
     1. Definition of PRE and Security Model
     2. Previous constructions and our contribution
     3. One-way functions on lattices
     4. Extended G-trapdoor and Re-Encryption

  3. The informal definition of a Proxy Re-Encryption (slide footer: PRE based on lattices | PKC 2014 | 26.03.14 | 3/23)

  9. The formal Definition
     Definition 1 (Proxy Re-Encryption). A unidirectional Proxy Re-Encryption (PRE) is a tuple of algorithms:
     ◮ $(pk, sk) \leftarrow \mathrm{KeyGen}(1^n)$
     ◮ $c_{pk} \leftarrow \mathrm{Enc}(pk, m)$
     ◮ $m \leftarrow \mathrm{Dec}(sk, c)$
     ◮ $rk_{pk \to pk'} \leftarrow \mathrm{ReKeyGen}(pk, sk, pk')$
     ◮ $c' \leftarrow \mathrm{ReEnc}(rk_{pk \to pk'}, c_{pk})$

  16. PRE-CCA1 Security (simplified)
      Experiment $\mathrm{PRE}^{\mathrm{CCA1}}_{\mathcal{A},\Pi}(n)$; labels of the game diagram for adversary $\mathcal{A}$, in order:
      ◮ $pk^*$
      ◮ $(pk, pk')$, $rk_{pk \to pk'}$
      ◮ $(\mathrm{Dec}(c), pk)$, $\cdots$
      ◮ $m_0, m_1 \in \mathcal{M}$
      ◮ $b \leftarrow \{0, 1\}$, $c^* = \mathrm{Enc}(pk^*, m_b)$
      ◮ $c^*$
      ◮ $b' \in \{0, 1\}$
      ◮ If $b = b'$ output 1, else output 0

  20. Desired properties of PRE schemes
      ◮ Unidirectional ($rk_{pk \to pk'} \neq rk_{pk' \to pk}$)
      ◮ Non-interactive ($\mathrm{ReKeyGen}(pk, sk, pk')$)
      ◮ Collusion ‘safe’
      ◮ Key optimal
      ◮ Non-transitive
      ◮ Proxy invisibility

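  26. PRE overview

      | Scheme    | Unidirectional | Non-interactive | Collusion-safe | Assumption | Security Model |
      |-----------|----------------|-----------------|----------------|------------|----------------|
      | [BBS98]   | ✗              | ✗               | ✗              | DDH        | IND-CPA        |
      | [AFGH06]  | ✓              | ✓               | ✓              | eDBDH      | IND-CPA        |
      | [CH07]    | ✗              | ✗               | ✗              | DBDH       | IND-CCA        |
      | [Xag10]   | ✗              | ✗               | ✗              | LWE        | IND-CPA        |
      | This work | ✓              | ✓               | ✓              | LWE        | IND-CCA1       |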

  27. Main result
      Theorem 2. Our unidirectional Proxy Re-Encryption scheme is IND-CCA1-secure assuming the hardness of decision-LWE.

  30. Lattice definition
      ◮ Lattice $\Lambda$ of dimension $m$ is a discrete additive subgroup of $\mathbb{Z}^m$. (Figure: lattice with basis vectors $b_1$, $b_2$.)
      ◮ Basis $B = \{b_1, \dots, b_k\}$: $\Lambda(B) = \{Bz : z \in \mathbb{Z}^k\}$.

  31. Gaussians on Lattices
      $v \leftarrow D_{\Lambda, s} \Leftrightarrow v \propto \rho_s(x) = \exp(-\pi \|x\|^2 / s^2)$

  34. One-way functions from lattices
      ◮ Public $A \in \mathbb{Z}_q^{n \times m}$, $q = \mathrm{poly}(n)$, $m \approx n \log q$
      SIS: $u := f_A(x) = Ax \bmod q \in \mathbb{Z}_q^n$
           $f_A^{-1}$: sample $x' \leftarrow D_{\Lambda_u, s}$ s.t. $Ax' = u$
      LWE: $g_A(s, e) = s^t A + e^t \bmod q \in \mathbb{Z}_q^m$
           $g_A^{-1}$: find the unique $s$ (or $e$)

  37. G-trapdoor [PM12]
      ◮ For a uniform $A_0 \in \mathbb{Z}_q^{n \times \bar{m}}$ and a short $R \leftarrow \mathbb{Z}^{\bar{n}k \times nk}$ define
        $A = [A_0 \mid G] \begin{bmatrix} I & -R \\ 0 & I \end{bmatrix} = [A_0 \mid G - A_0 R]$
        for some $G$ with easy $f_G^{-1}$ and $g_G^{-1}$.
      ◮ $[A_0 \mid A_0 R]$ is uniform by the leftover hash lemma, so is $A$.
      ◮ $A \cdot \begin{bmatrix} R \\ I \end{bmatrix} = G$

  39. Extended G-trapdoor
      ◮ Idea: generate multiple $R$-transformations
        $A = [A_0 \mid G - A_0 R_1 \mid G - A_0 R_2]$
        (brace labels on the slide: "trapdoor for $g_A$" above, "trapdoor for $f_A$" below)
      ◮ $R_1$ allows sampling short vectors (i.e. generating rk)
      ◮ $R_2$ allows inverting $s^t A + e^t$ (i.e. decrypting)

  41. Encryption
      ◮ $pk = [A_0 \mid G - A_0 R_1 \mid G - A_0 R_2] \in \mathbb{Z}_q^{n \times m}$, $sk := [R_1 \mid R_2]$
      ◮ $\mathrm{Enc}(mes, pk)$:
        $c_1 = s^t \cdot pk + e_1^t \bmod q$,
        $c_2 = s^t \cdot A_{aux} + e_2^t + \mathrm{enc}(mes) \bmod q$,
        for $s \xleftarrow{\$} \mathbb{Z}_q^n$, $e_1, e_2 \leftarrow D_s$, $A_{aux} \xleftarrow{\$} \mathbb{Z}_q^{n \times nk}$ and $\mathrm{enc}(mes) := mes \cdot \lfloor q/2 \rfloor$.
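
The key layout of slides 37 and 39 and the Enc of slide 41, as an added toy example in Python (not the authors' code), decrypting with $R_2$ alone. Assumptions not on the slides: tiny insecure sizes, $q = 2^k$ with the power-of-two gadget $G$, errors drawn from {-1, 0, 1} instead of the Gaussian $D_s$, a publicly known $A_{aux}$, and the bit-by-bit inversion used in `invert`/`dec`.

```python
import random

n, k = 4, 8                      # toy sizes (assumed; far too small to be secure)
q, mbar, w = 2 ** k, 8, n * k    # q = 2^k, A0 is n x mbar, G is n x nk

def small(rng, rows, cols):      # short matrix with entries in {-1, 0, 1} (stand-in for D_s)
    return [[rng.choice((-1, 0, 1)) for _ in range(cols)] for _ in range(rows)]

def uniform(rng, rows, cols):
    return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(r, c)) % q for c in zip(*Y)] for r in X]

# Assumed gadget matrix: G = I_n (x) (1, 2, ..., 2^(k-1))
G = [[(1 << (j % k)) if j // k == i else 0 for j in range(w)] for i in range(n)]

def block(A0, R):                # G - A0*R mod q
    return [[(g - x) % q for g, x in zip(gr, xr)] for gr, xr in zip(G, matmul(A0, R))]

def keygen(rng):                 # pk = [A0 | G - A0 R1 | G - A0 R2], sk = (R1, R2)
    A0, R1, R2 = uniform(rng, n, mbar), small(rng, mbar, w), small(rng, mbar, w)
    B1, B2 = block(A0, R1), block(A0, R2)
    return [A0[i] + B1[i] + B2[i] for i in range(n)], (R1, R2)

def lwe(s, A, e):                # g_A(s, e) = s^t A + e^t mod q
    return [(sum(si * a for si, a in zip(s, col)) + ej) % q for col, ej in zip(zip(*A), e)]

def enc(rng, pk, A_aux, mes):    # c1 = s^t pk + e1^t, c2 = s^t A_aux + e2^t + mes*floor(q/2)
    s = [rng.randrange(q) for _ in range(n)]
    c1 = lwe(s, pk, small(rng, 1, mbar + 2 * w)[0])
    c2 = [(x + m * (q // 2)) % q for x, m in zip(lwe(s, A_aux, small(rng, 1, w)[0]), mes)]
    return c1, c2

def invert(c1, R2):              # c1 * [R2; 0; I] = s^t G + small error, then read s bit by bit
    v = [(sum(c1[i] * R2[i][j] for i in range(mbar)) + c1[mbar + w + j]) % q for j in range(w)]
    s = []
    for i in range(n):
        si = 0
        for l in range(k):       # entry 2^(k-1-l) * s_i puts bit l of s_i at q/2
            t = (v[i * k + k - 1 - l] - (si << (k - 1 - l))) % q
            si |= (q // 4 <= t < 3 * q // 4) << l
        s.append(si)
    return s

def dec(sk, A_aux, c1, c2):      # only R2 = sk[1] is used to decrypt
    s = invert(c1, sk[1])
    d = [(c - x) % q for c, x in zip(c2, lwe(s, A_aux, [0] * w))]
    return [int(q // 4 <= x < 3 * q // 4) for x in d]
```

With these sizes the error after multiplying by $[R_2; 0; I]$ is at most $\bar{m} + 1 = 9 < q/4$, so the inversion never fails.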
