Programmable Hash Functions in the Multilinear Setting
Eduarda S. V. Freire, Dennis Hofheinz, Kenneth G. Paterson and Christoph Striecks
CRYPTO 2013 - Santa Barbara, CA, U.S.A.
August 20, 2013

Programmable Hash Functions (PHFs) – Part 1 (slide 2/13)

Overview of PHFs [HK08]
- abstraction of random oracles that can also be instantiated in the standard model
- maps a bitstring $X$ to a group element $H(X) \in G$
- a special trapdoor allows us to write $H(X) = c^{a_X} h^{b_X}$ for previously chosen $c, h$
- used to employ partitioning techniques in security proofs: $H(X)$ contains a challenge component iff $a_X \neq 0$ [1]
  - if $a_X = 0$: $H(X) = h^{b_X}$
  - if $a_X \neq 0$: $H(X) = c^{a_X} h^{b_X}$

- $hk \leftarrow \mathrm{HGen}(1^k)$
- $H_{hk}(X) \leftarrow \mathrm{HEval}(hk, X)$
- $(hk', td) \leftarrow \mathrm{TGen}(1^k, c, h)$: $hk \overset{sc}{=} hk'$
- $(a_X, b_X) \leftarrow \mathrm{TEval}(td, X)$: $H_{hk'}(X) = c^{a_X} h^{b_X}$

$(m, n)$-PHF: for any $X_1, \dots, X_m, Z_1, \dots, Z_n$ (with $X_i \neq Z_j$), $\Pr[a_{X_1} = \dots = a_{X_m} = 0 \wedge a_{Z_1}, \dots, a_{Z_n} \neq 0]$ is noticeable

[1] We may also find the case where $H(X)$ contains a challenge component iff $a_X = 0$.

Programmable Hash Functions (PHFs) – Part 2 (slide 3/13)

Previous PHF Constructions [HK08, HJK11]
- $(m, n) = (1, \mathrm{poly})$, i.e., $(1, q(k))$ for every polynomial $q(k)$
  - in [W05] Waters implicitly uses a (1, poly)-PHF
- $(m, n) = (m, 1)$, for fixed $m$

Limitations of PHFs
- PHFs were initially meant as a standard model replacement for random oracles
- (poly, n)-PHFs would be very useful. Do they exist?
- [HMS12]: impossibility result

Our Work: MPHFs + Applications (slide 4/13)

Construction of (poly, n)-MPHFs
- we construct analogues of (poly, n)-PHFs by adapting the original PHF definition
- we work in a setting where multilinear maps are available
- we use an abstraction of multilinear maps that is compatible with the recent "noisy" candidate for multilinear maps of Garg, Gentry, and Halevi [GGH13]

Our Applications
- using our MPHFs we give standard model (SM) versions of cryptographic schemes whose security has so far only been proven in the ROM
- SM versions of Boneh-Franklin (BF) IBE, Boneh-Lynn-Shacham (BLS) signatures, and Sakai-Ohgishi-Kasahara (SOK) ID-NIKE
  - this yields the first SM secure ID-NIKE scheme
- we derive hierarchical versions of the BF, BLS, and SOK schemes
  - ours is the first fully secure H-ID-NIKE scheme with security either in the SM or in the ROM
  - in this talk we focus on our H-ID-NIKE construction

Multilinear Maps (slide 5/13)

Multilinear Maps
- $\ell$-group system: $G_1, G_2, \dots, G_\ell$, $p$, $\{e_{i,j}\}_{i,j \geq 1,\ i+j \leq \ell}$
- $e_{i,j}: G_i \times G_j \to G_{i+j}$ (bilinear maps)
- $e$ as shorthand for $e_{i,j}$
- $j$-linear map: for $h_j \in G_{i_j}$ and $i_1 + \dots + i_j \leq \ell$ we abbreviate
  $e(h_1, \dots, h_j) := e(h_1, e(h_2, \dots, e(h_{j-1}, h_j) \dots))$

Hardness Assumptions
- $(\ell+1)$-power assumption: given $(g, g^x)$ (for $g \leftarrow G_1$ and uniform $x$), distinguish $S = e(\underbrace{g^x, \dots, g^x}_{\ell \text{ times}})^x \in G_\ell$ from random $S \in G_\ell$
- $\ell$-MDDH assumption: given $(g, g^{x_1}, \dots, g^{x_{\ell+1}})$ (for $g \leftarrow G_1$ and uniform $x_i$), distinguish $S = e(g^{x_1}, \dots, g^{x_\ell})^{x_{\ell+1}} \in G_\ell$ from random $S \in G_\ell$

MPHFs - Definition (slide 6/13)

Our Definition of MPHFs
- we assume an $\ell$-group system $\mathrm{MPG}_\ell \leftarrow \mathrm{MG}_\ell(1^k)$
- for chosen $\{c_i\}_{i \in [\ell]}, h \in G_1$, a special trapdoor allows us to write $H(X) = e(c_1, \dots, c_\ell)^{a_X}\, e(B_X, h) \in G_\ell$
  (instead of $H(X) = c^{a_X} h^{b_X}$ for $c$ and $h$ in the target group)

- $hk \leftarrow \mathrm{HGen}(1^k)$
- $H_{hk}(X) \leftarrow \mathrm{HEval}(hk, X)$
- $(hk', td) \leftarrow \mathrm{TGen}(1^k, c_1, \dots, c_\ell, h)$: $hk \overset{sc}{=} hk'$
- $(a_X \in \mathbb{Z}, B_X \in G_{\ell-1}) \leftarrow \mathrm{TEval}(td, X)$: $H_{hk'}(X) = e(c_1, \dots, c_\ell)^{a_X}\, e(B_X, h)$

$(m, n)$-MPHF: for any $X_1, \dots, X_m, Z_1, \dots, Z_n$ (with $X_i \neq Z_j$), $\Pr[a_{X_1} = \dots = a_{X_m} = 0 \wedge a_{Z_1}, \dots, a_{Z_n} \neq 0]$ is noticeable

MPHFs – Our Constructions (slide 7/13)

MM: (poly, 1)-MPHF into $G_\ell$ from AHF: $\{0,1\}^k \to \{0,1\}^\ell$
- $\mathrm{HGen}(1^k)$: $hk := (h_{1,0}, \dots, h_{\ell,0}, h_{1,1}, \dots, h_{\ell,1}) \leftarrow G_1 \setminus 1$
- $\mathrm{HEval}(hk, X)$: $(t_1, \dots, t_\ell) := \mathrm{AHF}(X)$; $\mathrm{MM}_{hk}(X) := e(h_{1,t_1}, \dots, h_{\ell,t_\ell}) \in G_\ell$

Admissible Hash Function (AHF)
- special type of hash function that has certain combinatorial properties
- can be constructed, for example, from codes

(poly, n)-MPHF
- assume $H = (\mathrm{HGen}, \mathrm{HEval})$ is a (poly, 1)-MPHF into $G_\ell$; then we construct a (poly, n)-MPHF $H' = (\mathrm{HGen}', \mathrm{HEval}')$ into $G_\ell$
- $\mathrm{HGen}'(1^k)$: $hk' = (hk_\nu)_{\nu \in [n]}$ for $hk_\nu \leftarrow \mathrm{HGen}(1^k)$
- $\mathrm{HEval}'(hk, X)$: $H'_{hk'}(X) := \prod_{\nu \in [n]} H_{hk_\nu}(X)$
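
The MM hash and the (poly, n) product construction from this slide, as an added Python example that is not code from the talk or the paper. It models the ℓ-group system with exponents stored in the clear, which is insecure and only serves to check the algebra. The prime `P`, `ELL = 8`, and `stand_in_ahf` are assumptions: the SHA-256 stand-in has the right input and output shape but none of the combinatorial properties of a real AHF.

```python
# Toy l-group system: an element of G_i is the pair (i, a), meaning g_i^a with
# the exponent a stored in the clear. Insecure by design (assumption of this example).
import hashlib
import secrets
from functools import reduce

P = 2**61 - 1   # constructed prime group order p
ELL = 8         # number of levels l, also the AHF output length

def pair(u, v):
    """e_{i,j}: G_i x G_j -> G_{i+j}; levels add, exponents multiply."""
    (i, a), (j, b) = u, v
    if i + j > ELL:
        raise ValueError("pairing would leave the l-group system")
    return (i + j, a * b % P)

def e(*hs):
    """e(h_1,...,h_j) := e(h_1, e(h_2, ..., e(h_{j-1}, h_j)...))."""
    return reduce(lambda acc, h: pair(h, acc), reversed(hs))

def mul(u, v):
    """Group operation inside a single G_i."""
    if u[0] != v[0]:
        raise ValueError("elements live in different groups")
    return (u[0], (u[1] + v[1]) % P)

def stand_in_ahf(x: bytes):
    """Placeholder for AHF: {0,1}^k -> {0,1}^l (first l bits of SHA-256).
    Not admissible; a real AHF would be built, for example, from codes."""
    d = hashlib.sha256(x).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(ELL)]

def hgen():
    """hk: 2*l elements of G_1 minus the identity; hk[i][b] is h_{i+1,b}."""
    return [tuple((1, 1 + secrets.randbelow(P - 1)) for _ in (0, 1))
            for _ in range(ELL)]

def heval(hk, x: bytes):
    """MM_hk(X) := e(h_{1,t_1},...,h_{l,t_l}) in G_l."""
    t = stand_in_ahf(x)
    return e(*(hk[i][t[i]] for i in range(ELL)))

def hgen_n(n):
    """HGen': n independent keys of the (poly,1)-MPHF."""
    return [hgen() for _ in range(n)]

def heval_n(hks, x: bytes):
    """HEval': product over nu in [n] of H_{hk_nu}(X), taken in G_l."""
    return reduce(mul, (heval(hk, x) for hk in hks))
```

Because exponents are visible in this model, the (ℓ+1)-power and ℓ-MDDH problems are trivial here; the code checks correctness of the constructions, not their security.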

H-ID-NIKE – Definition and Security Model (slide 8/13)

- $id = (id_1, \dots, id_d) \in \mathrm{IDS}^d$ for user at level $d \in [L]$
- $L$: level of hierarchy
- Three algorithms: Setup, Del, ShK
- $(mpk, msk) \leftarrow \mathrm{Setup}(1^k, L)$
- TA: $msk = usk_\epsilon$

[Figure: hierarchy tree with the TA at the root (level 0) and identities $id_1, \dots, id_{19}$ below it]