
Lattice HIBE with Faster Trapdoor Delegation and Applications

  • Conference paper
  • In: Information and Communications Security (ICICS 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12282)


Abstract

In this paper, we propose a lattice-based HIBE scheme in the standard model with faster trapdoor delegation. It is proven secure under the Learning With Errors assumption. By Canetti et al.’s transformation (Eurocrypt’03), an HIBE can be converted into a forward-secure public-key encryption (FS-PKE) scheme, and the efficiency of key update is determined by the efficiency of trapdoor delegation. As an application, our HIBE with faster delegation yields a lattice-based FS-PKE with faster key update. Furthermore, we also obtain a lattice-based forward-secure signature (FSS) scheme by combining the HIBE-like key-update technique with Zhang et al.’s short signature construction in the standard model (Crypto’16).

References

  1. Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_10

  2. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28

  3. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: STACS 2009, pp. 75–86. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Germany (2009)

  4. Anderson, R.: Invited lecture. In: Fourth Annual Conference on Computer and Communications Security. ACM (1997)

  5. Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28

  6. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14

  7. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26

  8. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  9. Boyen, X., Shacham, H., Shen, E., Waters, B.: Forward-secure signatures with untrusted update. In: CCS 2006, pp. 191–200. ACM (2006)

  10. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16

  11. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13

  12. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. J. Cryptology 20(3), 265–294 (2007)

  13. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27

  14. Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_32

  15. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)

  16. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_34

  17. Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_20

  18. Katsumata, S., Matsuda, T., Takayasu, A.: Lattice-based revocable (hierarchical) IBE with decryption key exposure resistance. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 441–471. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_15

  19. Libert, B., Yung, M.: Dynamic fully forward-secure group signatures. In: ASIACCS 2010, pp. 70–81. ACM (2010)

  20. Ling, S., Nguyen, K., Wang, H., Xu, Y.: Forward-secure group signatures from lattices. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 44–64. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_3

  21. Malkin, T., Micciancio, D., Miner, S.: Efficient generic forward-secure signatures with an unbounded number of time periods. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 400–417. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_27

  22. Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems - a Cryptographic Perspective, vol. 671. Springer, Heidelberg (2002). https://doi.org/10.1007/978-1-4615-0897-7

  23. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  24. Nakanishi, T., Hira, Y., Funabiki, N.: Forward-secure group signatures from pairings. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 171–186. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_12

  25. Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016)

  26. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)

  27. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5

  28. Song, D.X.: Practical forward secure group signature schemes. In: CCS 2001, pp. 225–234. ACM (2001)

  29. Zhang, J., Chen, Y., Zhang, Z.: Programmable hash functions from lattices: short signatures and IBEs with small key sizes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 303–332. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_11

Acknowledgments

The authors would like to thank the anonymous reviewers of ICICS 2020 for their helpful comments. This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000 and No. 2017YFB0802500).

Author information

Corresponding author

Correspondence to Guofeng Tang.

Appendices

A Some Formal Definitions

We give a formal definition of the security notion for an FS-PKE scheme, called FS-INDr-CPA.

Definition 6

A forward-secure public-key encryption scheme is secure in the sense of FS-INDr-CPA if the advantage of any PPT adversary in the following game is negligible in the security parameter \(\kappa \).

  • Setup. The experiment generates a fresh key pair \((PK,SK_0)\), and hands PK to the adversary.

  • Attack. The adversary issues one \( \textsf {Break{-}in}(t) \) query. On input \(t\le T\), the key \(SK_{t} \) is computed via \(\textsf {Upd}(PK,t-1,\cdots \textsf {Upd}(PK,0,SK_0)\cdots )\) and then given to the adversary.

  • Challenge. The adversary \(\mathcal {A}\) outputs a challenge plaintext \(M^*\) and time period \(t^*<t \). The experiment chooses a uniformly random ciphertext \(C_0\) from the ciphertext space, and computes \(C_1\leftarrow \textsf {Enc}(PK,t^*,M^*)\). Then it randomly chooses a bit \(b\leftarrow \{0,1\}\), and gives \(C^*= C_{b}\) to the adversary \(\mathcal {A}\).

  • Guess. The adversary outputs a guess \(b'\in \{0,1\}\) and succeeds if \(b'=b\). The adversary’s advantage is the absolute value of the difference between its success probability and 1/2.

We then present a formal definition of the security notion for an FSS scheme, called FS-EUF-CMA.

Definition 7

We say an FSS is secure in the sense of FS-EUF-CMA if the success probability of any PPT adversary in the following game is negligible. The adversary \(\mathcal {A}\) is given PK and access to the following oracles:

\(\mathsf {Break}\)-\(\mathsf {in}\):

On input \( t'\le T \), this oracle computes the key \( SK_{t'}\) and returns it to the adversary.

\(\mathsf {Signing}\):

On input a message M and a period t, this oracle runs \( \sigma \leftarrow \textsf {Sig}(PK,SK_t,M) \) and returns \(\sigma \). Let \( \mathcal {O}_{t} \) be the set of messages queried for time period t; the oracle sets \( \mathcal {O}_{t}=\mathcal {O}_{t}\cup \{M\} \).

Oracle \(\textsf {Break{-}in}\) may be queried only once. At the end of the game, the adversary outputs its forgery \((t^*,M^*,\sigma ^*)\). The adversary wins the game if \( t^*<t' \), \( \textsf {Ver}(PK,t^*,M^*,\sigma ^*)=1 \) and \( M^*\notin \mathcal {O}_{t^*} \).

B Proof of Theorem 1

Proof

In the following, we use a sequence of games from Game 0 to Game 3. The main difference between our proof and that of the Agrawal-Boneh-Boyen HIBE is how \(\mathcal {A}\)’s secret-key queries are answered in Game 2.

  • Game 0. This is the original INDr-sID-CPA game from Definition 3 between an adversary \(\mathcal {A}\) against our scheme and a challenger \(\mathcal {S}\).

  • Game 1. This game is identical to Game 0 except that the challenger \(\mathcal {S}\) changes the setup and the challenge phases as follows.

    • Setup. Recall that the identity that \(\mathcal {A}\) intends to attack is \(\textsf {ID}^*=(id_1^*,\cdots , id_j^*)\). Instead of choosing \(\mathbf {A}_1,\cdots ,\mathbf {A}_L\) randomly, \(\mathcal {S}\) chooses \(\mathbf{R} _i\leftarrow D_{\mathbb {Z},\bar{s}}^{2nk\times nk}\) with Gaussian parameter \(\bar{s}\ge \omega _n\) and sets \( \mathbf {A}_i=\mathbf{A} {} \mathbf{R} _i-H(id_i^*)\mathbf{G} \) where we define \(H(id_i^*)=\mathbf{0} \) for \(i>j\).

    • Challenge. This is identical to Game 0 except that the challenger \(\mathcal {S}\) uses \(\bar{\mathbf{R }}_j=\left[ \mathbf{R} _1|\mathbf{R} _1|\cdots |\mathbf{R} _j|\mathbf{R} _j\right] \) when generating the challenge ciphertext, instead of sampling a random \( \bar{\mathbf{R }}_j\leftarrow D_{\mathbb {Z},\bar{s}}^{2nk\times 2jnk}\).

    For an appropriate distribution of \(\mathbf{R} _i\), each matrix \( \mathbf{A} _i \), \(i=1,\cdots , L\), is uniformly random up to \(\textsf {negl}(n)\) statistical distance. Observe that \(\bar{\mathbf{R }}_j\) in Game 1 is distributed identically to that in Game 0. Thus \(\mathcal {A}\)’s views in Games 0 and 1 are statistically indistinguishable.

  • Game 2. We now change the way of generating \(\mathbf{A} \) and the users’ private keys.

    • Setup. The challenger \(\mathcal {S}\) generates \(\mathbf{A} \) as a random matrix in \(\mathbb {Z}_q^{n\times 2nk}\).

    • Phase 1 and Phase 2. To respond to a private key query for \(\textsf {ID}=(id_1,\cdots ,id_l)\) which is not a prefix of \(\textsf {ID}^*\), the challenger \(\mathcal {S}\) works as follows.

      1.

        Build \(\mathbf{F} _\textsf {ID}=\left[ \mathbf{A} |\mathbf{A} _{1,id_1}|\cdots |\mathbf{A} _{l,id_l}\right] \), for each \(i\in [1,l]\),

        $$\begin{aligned} \mathbf{A} _{i,id_i}= \left[ \mathbf{AR} _i+(H(id_i)-H(id_i^*))\mathbf{G} |\mathbf{AR} _i+(H(id_i)-H(id_i^*))\mathbf{G} \right] . \end{aligned}$$
      2.

        Find the largest \(x\in [1,l]\) such that \(H(id_x)\ne H(id_x^*)\). If \(x=l\), rewrite \( \mathbf{F} _\textsf {ID}=\left[ \bar{\mathbf {F}}_\textsf {ID}|\mathbf{AR} _l+(H(id_l)-H(id_l^*))\mathbf{G} \right] \). Then we have \(\left[ -\mathbf{R} _l^{\textsf {T}}| \mathbf{0} |\cdots |\mathbf{0} \right] ^{\textsf {T}} \) is a \( \mathbf{G} \)-trapdoor for \( \bar{\mathbf {F}}_{\textsf {ID}}\) with tag \(H(id_l)-H(id_l^*)\). Else, rewrite \( \mathbf{F} _\textsf {ID}=\left[ \bar{\mathbf {F}}_\textsf {ID}|\mathbf{A} _{x+1,id_{x+1}}|\cdots \right] \), then \(\left[ -\mathbf{R} _x^{\textsf {T}}| \mathbf{0} |\cdots |\mathbf{0} \right] ^{\textsf {T}} \) is a \( \mathbf{G} \)-trapdoor for \( \bar{\mathbf {F}}_{\textsf {ID}}\) with tag \(H(id_x)-H(id_x^*)\). Denote \(\bar{\mathbf {R}}_\textsf {ID}=\left[ -\mathbf{R} _x^{\textsf {T}}| \mathbf{0} |\cdots |\mathbf{0} \right] ^{\textsf {T}}\in \mathbb {Z}^{m_x\times nk}\) where

        $$\begin{aligned} m_x=\begin{cases} 2nk+(2x-1)nk & x<l\\ 2nk+2(l-1)nk & x=l \end{cases} \end{aligned}$$

        Run \(\mathbf{R} _\textsf {ID}\leftarrow \textsf {DelTrap}(\mathbf{F} _\textsf {ID},\bar{\mathbf {R}}_\textsf {ID},H(id_x)-H(id_x^*),\mathbf{I} _n,s_l)\). Give \(\mathbf{R} _\textsf {ID}\) to \(\mathcal {A}\).

    For any identity \(\textsf {ID}\), the corresponding secret key \(\mathbf{R} _\textsf {ID}\) is generated by the algorithm \(\textsf {DelTrap}\) with the same Gaussian parameter in both Game 1 and Game 2. Thus the adversary’s advantage in Game 2 is at most negligibly different from its advantage in Game 1.

  • Game 3. We now modify the challenge phase as follows.

    • Challenge. \(\mathcal {S}\) chooses \(b_0\leftarrow \mathbb {Z}_q\) and \(\mathbf{b} _1\leftarrow \mathbb {Z}_q^{m}\) uniformly at random, and computes \(c_0^*=b_0+\frac{q}{2}M^*\), \(\mathbf{c} _1^*=\left[ \begin{array}{c} \mathbf{b} _1\\ \bar{\mathbf{R }}_j^{\textsf {T}}{} \mathbf{b} _1 \end{array}\right] \) where \( \bar{\mathbf{R }}_j=\left[ \mathbf{R} _1|\mathbf{R} _1|\cdots |\mathbf{R} _j|\mathbf{R} _j\right] \).

    Since the challenge ciphertext is always a fresh random element of the ciphertext space, \(\mathcal {A}\)’s advantage in Game 3 is zero. Lemma 2 shows that \( \mathcal {A} \)’s advantage in distinguishing Games 2 and 3 equals \(\mathcal {B}\)’s advantage in solving the LWE problem.

In conclusion, if there exists a PPT adversary \(\mathcal {A}\) breaking the INDr-sID-CPA security of our HIBE scheme, then we can construct an algorithm \(\mathcal {B}\) solving the LWE\(_{q,\alpha }\) problem, which completes the proof.\(\square \)

Lemma 2

If there exists a PPT adversary \(\mathcal {A}\) who has non-negligible advantage \( \epsilon \) in distinguishing Games 2 and 3, then there exists an algorithm \(\mathcal {B}\) solving the LWE\(_{q,\alpha }\) problem with advantage \( \epsilon \).

Proof

We construct an algorithm \(\mathcal {B}\) for the LWE\(_{q,\alpha }\) problem as follows. Given the LWE\(_{q,\alpha }\) instance \((\left[ \hat{\mathbf{A }}|\hat{\mathbf{u }}\right] ,\left[ \hat{\mathbf{b }}_1|\hat{b}_0\right] )\in \mathbb {Z}_q^{n\times (2nk+1)}\times \mathbb {Z}_q^{2nk+1}\). \(\mathcal {B}\) simulates Game 3 for \(\mathcal {A}\) except that it replaces \((\mathbf{A} ,\mathbf{u} )\) in the setup phase and \( (\mathbf{b} _1,b_0) \) in the challenge phase with \( (\hat{\mathbf{A }},\hat{\mathbf{u }}) \) and \((\hat{\mathbf{b }}_1,\hat{b}_0)\), respectively.

Observe that if \((\left[ \hat{\mathbf{A }}|\hat{\mathbf{u }}\right] ,\left[ \hat{\mathbf{b }}_1|\hat{b}_0\right] )\) is a valid LWE\(_{q,\alpha }\) tuple, we have \( \left[ \hat{\mathbf{b }}_1|\hat{b}_0\right] =\left[ \hat{\mathbf{A }}|\hat{\mathbf{u }}\right] ^{\textsf {T}}{} \mathbf{s} +\left[ \mathbf{x} _1|x_0\right] \) for a uniformly random vector \( \mathbf{s} \leftarrow \mathbb {Z}_q^n \) and a noise vector \( \left[ \mathbf{x} _1|x_0\right] \leftarrow D_{\mathbb {Z},\alpha q}^{2nk+1}\). Therefore, the ciphertext \(C_1=(c_0^*,\mathbf{c} _1^*)\) is given by \( c_0^*=\hat{\mathbf{u }}^{\textsf {T}}{} \mathbf{s} +x_0+\frac{q}{2}M^* \) and \(\mathbf{c} _1^*=\mathbf{F} _{\textsf {ID}^*}^{\textsf {T}}{} \mathbf{s} +\left[ \begin{array}{c} \mathbf{x} _1\\ \bar{\mathbf{R }}_j^{\textsf {T}}{} \mathbf{x} _1 \end{array}\right] \), and thus \(C_1\) is distributed exactly as in Game 2. If \(\left[ \hat{\mathbf{A }}|\hat{\mathbf{u }}\right] \) is uniform in \( \mathbb {Z}_q^{n\times (2nk+1)} \) and \(\left[ \hat{\mathbf{b }}_1|\hat{b}_0\right] \) is uniform in \( \mathbb {Z}_q^{2nk+1} \), then \(C_1=(c_0^*,\mathbf{c} _1^*)\) is distributed exactly as in Game 3.

If \(\mathcal {A}\) succeeds in guessing if it is interacting with a Game 2 or Game 3 challenger, then \(\mathcal {B}\) outputs \(\mathcal {A}\)’s guess as the answer to the LWE\(_{q,\alpha }\) challenge instance. \(\square \)
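Worked derivation, added here and not part of the paper’s own proof, of the two identities that the proof of Lemma 2 relies on, written in the paper’s notation. The first one shows why the simulator’s public matrix for \(\textsf {ID}^*\) is a product with the LWE matrix, so that a valid LWE sample lands exactly on a Game 2 ciphertext; the same factorization, extended by one block, is what turns the forgery in Appendix C into an ISIS solution. The bound on \(\|\mathbf{x}\|\) at the end is a generic consequence of the factorization (assumed here, the page states no concrete ISIS parameters), with \(s_1(\cdot)\) denoting the largest singular value.

Since Game 1 sets \(\mathbf{A} _i=\mathbf{A} {} \mathbf{R} _i-H(id_i^*)\mathbf{G} \), the tag cancels on the challenge identity, \(\mathbf{A} _i+H(id_i^*)\mathbf{G} =\mathbf{A} {} \mathbf{R} _i\) for \(i\le j\), and the challenge matrix factors through \(\mathbf{A} \):

$$\begin{aligned} \mathbf{F} _{\textsf {ID}^*}=\left[ \mathbf{A} \,|\,\mathbf{A} {} \mathbf{R} _1\,|\,\mathbf{A} {} \mathbf{R} _1\,|\cdots |\,\mathbf{A} {} \mathbf{R} _j\,|\,\mathbf{A} {} \mathbf{R} _j\right] =\mathbf{A} \left[ \mathbf{I} _{2nk}\,|\,\bar{\mathbf{R }}_j\right] ,\qquad \bar{\mathbf{R }}_j=\left[ \mathbf{R} _1|\mathbf{R} _1|\cdots |\mathbf{R} _j|\mathbf{R} _j\right] . \end{aligned}$$

Substituting an LWE sample \(\mathbf{b} _1=\mathbf{A} ^{\textsf {T}}{} \mathbf{s} +\mathbf{x} _1\), \(b_0=\mathbf{u} ^{\textsf {T}}{} \mathbf{s} +x_0\) into the Game 2 ciphertext gives exactly the expressions Game 3 computes:

$$\begin{aligned} \mathbf{c} _1^*&=\mathbf{F} _{\textsf {ID}^*}^{\textsf {T}}{} \mathbf{s} +\left[ \begin{array}{c} \mathbf{x} _1\\ \bar{\mathbf{R }}_j^{\textsf {T}}{} \mathbf{x} _1 \end{array}\right] =\left[ \begin{array}{c} \mathbf{I} _{2nk}\\ \bar{\mathbf{R }}_j^{\textsf {T}} \end{array}\right] \mathbf{A} ^{\textsf {T}}{} \mathbf{s} +\left[ \begin{array}{c} \mathbf{I} _{2nk}\\ \bar{\mathbf{R }}_j^{\textsf {T}} \end{array}\right] \mathbf{x} _1 =\left[ \begin{array}{c} \mathbf{I} _{2nk}\\ \bar{\mathbf{R }}_j^{\textsf {T}} \end{array}\right] \left( \mathbf{A} ^{\textsf {T}}{} \mathbf{s} +\mathbf{x} _1\right) =\left[ \begin{array}{c} \mathbf{b} _1\\ \bar{\mathbf{R }}_j^{\textsf {T}}{} \mathbf{b} _1 \end{array}\right] ,\\ c_0^*&=\mathbf{u} ^{\textsf {T}}{} \mathbf{s} +x_0+\tfrac{q}{2}M^*=b_0+\tfrac{q}{2}M^*. \end{aligned}$$

When \((\mathbf{b} _1,b_0)\) is instead uniform, the same two formulas are what Game 3 evaluates, so the only difference between the two games is the LWE bit. For Appendix C, the forgery \(\mathbf{e} ^*\) satisfies \(\mathbf{F} _{\textsf {ID}_{t^*}|M^*}{} \mathbf{e} ^*=\mathbf{u} \) with one more block (this needs \(\mathbf{H} _{M^*}=\mathbf{0} \), otherwise a \(\mathbf{G} \) term survives), and the same factorization gives

$$\begin{aligned} \mathbf{F} _{\textsf {ID}_{t^*}|M^*}=\mathbf{A} \left[ \mathbf{I} _{2nk}\,|\,\bar{\mathbf{R }}_j\,|\,\mathbf{R} _{M^*}\right] \ \Longrightarrow \ \mathbf{A} {} \mathbf{x} =\mathbf{u} ,\quad \mathbf{x} =\left[ \mathbf{I} _{2nk}\,|\,\bar{\mathbf{R }}_j\,|\,\mathbf{R} _{M^*}\right] \mathbf{e} ^*,\quad \Vert \mathbf{x} \Vert \le \bigl( 1+s_1(\bar{\mathbf{R }}_j)+s_1(\mathbf{R} _{M^*})\bigr) \Vert \mathbf{e} ^*\Vert . \end{aligned}$$

The norm bound is what the ISIS parameter has to accommodate: the reduction only yields a useful solution if \(\mathbf{e} ^*\) is short and the \(\mathbf{R} \) matrices have small singular values, which is why the simulator samples them from a narrow Gaussian.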

C Proof of Theorem 3

Proof

If there exists a PPT adversary \( \mathcal {A} \) who can break forward-secure unforgeability, then we can construct an ISIS solver \(\mathcal {B}\) by invoking \(\mathcal {A}\). The solver \(\mathcal {B}\) first obtains an input sample \( (\mathbf{A} ,\mathbf{u} ) \) of the ISIS problem, then it picks a random time period \(t^*\) and hopes that \(\mathcal {A}\) produces a forgery pertaining to \(t^*\). It constructs each \( \mathbf{A} _i=\mathbf{A} {} \mathbf{R} _i-H(id_i^*)\mathbf{G} \) for short random \(\mathbf{R} _i\), with \( \textsf {ID}_{t^*}=(id_1^*,\cdots ,id_j^*)\) and \( H(id_k^*)=\mathbf{0} \) for \(k>j\). It also runs the trapdoor generation algorithm of the PHF to generate a key K together with a trapdoor td. Then \(\mathcal {B}\) gives the public key \( PK=(\mathbf{A} ,\mathbf{A} _1,\cdots ,\mathbf{A} _L,\mathbf{u} ,K) \) to \(\mathcal {A}\) and stores td.

For \(t>t^*\), neither \( \textsf {ID}_t \) nor any right sibling of a node on the path from the root to \(\textsf {ID}_t\) is a prefix of \(\textsf {ID}_{t^*} \). Hence, to respond to a secret-key query for a period \(t>t^*\), \(\mathcal {B}\) can generate \(\mathbf{R} _{\textsf {ID}_t}\) and \(S_t\) exactly as in the proof of Theorem 1, and thus it can output \(SK_t=(\mathbf{R} _{\textsf {ID}_t},S_t)\).

For a signing query with input (M, t), \(\mathcal {B}\) computes \(\mathcal {H}_K(M)=\mathbf{AR} _M+\mathbf{H} _M\mathbf{G} \) using the trapdoor td. By the programmability of the PHF, \( \mathbf{H} _M \) is invertible with a certain probability. Thus \(\mathcal {B}\) knows \(\mathbf{R} _{\textsf {ID}_t|M}=\left[ -\mathbf{R} _{M}^\textsf {T}|\mathbf{0} |\cdots |\mathbf{0} \right] ^{\textsf {T}}\) as a \(\mathbf{G} \)-trapdoor for \(\mathbf{F} _{\textsf {ID}_t|M}\) with tag \(\mathbf{H} _M\), and then it samples \( \mathbf{e} \leftarrow \textsf {SampleD}(\mathbf{R} _{\textsf {ID}_t|M},\mathbf{F} _{\textsf {ID}_t|M}, \mathbf{H} _M,\mathbf{u} ,s) \) as a signature on message M pertaining to t.

Finally, \(\mathcal {A}\) outputs a valid signature \( \mathbf{e} ^* \) on a new message \( M^* \), and with probability \(\frac{1}{T}\) it pertains to the guessed time period \(t^*\). From the properties of the PHF (Definition 2 of [29]), we have \( \mathcal {H}_K(M^*)=\mathbf{AR} _{M^*} +\mathbf{H} _{M^*}{} \mathbf{G} \) with \(\mathbf{H} _{M^*}=\mathbf{0} \) with non-negligible probability. From \(\mathbf{F} _{\textsf {ID}_{t^*}|M^*}{} \mathbf{e} ^*=\left[ \mathbf{A} |\mathbf{AR} _1|\mathbf{AR} _1|\cdots |\mathbf{AR} _j|\mathbf{AR} _j|\mathbf{AR} _{M^*}\right] \mathbf{e} ^*=\mathbf{u} \), we obtain the vector \( \mathbf{x} =\left[ \mathbf{I} _{2nk}|\mathbf{R} _1|\mathbf{R} _1|\cdots |\mathbf{R} _j|\mathbf{R} _j|\mathbf{R} _{M^*}\right] \mathbf{e} ^* \) with \(\mathbf{Ax} =\mathbf{u} \), which is short because \(\mathbf{e} ^*\), the \(\mathbf{R} _i\) and \(\mathbf{R} _{M^*}\) are all short; this solves the ISIS problem.
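The binary-tree key-update layer that the HIBE-to-FS-PKE/FSS transformation rests on, and that the argument above uses when it answers Break-in queries for \(t>t^*\), as an added example that is not part of the paper. The page does not fix the period-to-identity mapping; this code assumes the Canetti-Halevi-Katz style layout in which period t is the t-th leaf (left to right) of a depth-d binary tree, and abstracts the lattice HIBE to the single rule "a key for a node can be delegated to every descendant". Function and variable names are this example's own.

```python
# Added example (not the paper's code): which HIBE node keys make up SK_t, how
# Upd moves from SK_t to SK_{t+1}, and why SK_t never covers an earlier period.
# Assumption (not fixed on the page): period t <-> t-th leaf of a depth-d binary
# tree; a node key delegates to all descendants.  The lattice HIBE is abstracted.
from typing import FrozenSet, List, Tuple

Node = Tuple[int, ...]   # identity vector (id_1, ..., id_l), id_i in {0,1}; () is the root


def leaf_identity(t: int, depth: int) -> Node:
    """ID_t: the depth-bit big-endian expansion of t, i.e. the t-th leaf from the left."""
    if not 0 <= t < 2 ** depth:
        raise ValueError(f"period {t} outside [0, {2 ** depth})")
    return tuple((t >> (depth - 1 - i)) & 1 for i in range(depth))


def is_prefix(node: Node, ident: Node) -> bool:
    """A key for `node` can be delegated to `ident` iff `node` is a prefix of it."""
    return ident[: len(node)] == node


def period_key_nodes(t: int, depth: int) -> FrozenSet[Node]:
    """Node keys making up SK_t: the leaf ID_t plus the right sibling of every
    left-child node on the root-to-ID_t path (those siblings cover all later leaves)."""
    leaf = leaf_identity(t, depth)
    nodes = {leaf}
    for i in range(depth):
        if leaf[i] == 0:                  # path node leaf[:i+1] is a left child,
            nodes.add(leaf[:i] + (1,))    # so keep its right sibling
    return frozenset(nodes)


def can_derive(sk_nodes: FrozenSet[Node], ident: Node) -> bool:
    """Whether SK_t (as a set of node keys) yields a key for `ident`."""
    return any(is_prefix(n, ident) for n in sk_nodes)


def update(sk_nodes: FrozenSet[Node], t: int, depth: int) -> FrozenSet[Node]:
    """Upd(PK, t, SK_t) -> SK_{t+1}: delegate from the unique stored ancestor of
    ID_{t+1} down to that leaf, keeping the right siblings met on the way, and
    erase the keys for ID_t and for the ancestor (either would break forward security)."""
    nxt = leaf_identity(t + 1, depth)
    ancestors: List[Node] = [n for n in sk_nodes if is_prefix(n, nxt)]
    if len(ancestors) != 1:
        raise ValueError("SK_t must store exactly one ancestor of ID_{t+1}")
    anc = ancestors[0]
    new_nodes = set(sk_nodes) - {leaf_identity(t, depth), anc}
    for i in range(len(anc), depth):      # walk from the ancestor down to ID_{t+1}
        if nxt[i] == 0:
            new_nodes.add(nxt[:i] + (1,))
    new_nodes.add(nxt)
    return frozenset(new_nodes)


def forward_secure(t: int, depth: int) -> bool:
    """SK_t derives keys for every period u >= t and for no period u < t.  The
    second half is the property Appendix C uses: for t > t*, no node key in SK_t
    is a prefix of ID_{t*}, so the simulator can build all of them."""
    sk = period_key_nodes(t, depth)
    return (all(not can_derive(sk, leaf_identity(u, depth)) for u in range(t))
            and all(can_derive(sk, leaf_identity(u, depth)) for u in range(t, 2 ** depth)))


def update_matches_direct(depth: int) -> bool:
    """Chaining Upd from SK_0 reproduces the directly defined SK_t for every period."""
    sk = period_key_nodes(0, depth)
    for t in range(2 ** depth - 1):
        sk = update(sk, t, depth)
        if sk != period_key_nodes(t + 1, depth):
            return False
    return True


if __name__ == "__main__":
    d = 4
    print("forward secure for all periods:", all(forward_secure(t, d) for t in range(2 ** d)))
    print("Upd chain matches direct definition:", update_matches_direct(d))
    print("max node keys stored:", max(len(period_key_nodes(t, d)) for t in range(2 ** d)))
```

Each stored node key costs one trapdoor delegation when it is created, and SK_t holds at most d+1 of them, which is where the cost of trapdoor delegation enters the key-update time the abstract refers to. The erasure step in `update` is the part an implementation must get right: keeping the old leaf or the delegating ancestor around would let a Break-in at period t+1 recover period t.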

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Tang, G., Qiu, T. (2020). Lattice HIBE with Faster Trapdoor Delegation and Applications. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science(), vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_12

  • DOI: https://doi.org/10.1007/978-3-030-61078-4_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61077-7

  • Online ISBN: 978-3-030-61078-4
