## Identity-Based (Lossy) Trapdoor Functions and Applications (2011)

Citations: 3 - 1 self

### BibTeX

```bibtex
@MISC{Bellare11identity-based(lossy),
    author = {Mihir Bellare and Eike Kiltz and Chris Peikert and Brent Waters},
    title = {Identity-Based (Lossy) Trapdoor Functions and Applications},
    year = {2011}
}
```

### Abstract

We provide the first constructions of identity-based (injective) trapdoor functions. Furthermore, they are lossy. Constructions are given both with pairings (DLIN) and lattices (LWE). Our lossy identity-based trapdoor functions provide an automatic way to realize, in the identity-based setting, many functionalities previously known only in the public-key setting. In particular we obtain the first deterministic and efficiently searchable IBE schemes and the first hedged IBE schemes, which achieve best possible security in the face of bad randomness. Underlying our constructs is a new definition, of partial lossiness, that may be of broader interest.

### Citations

2912 | L.: A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context ...each public key pk, an injective, deterministic map $F_{pk}$ that can be inverted given an associated secret key (trapdoor). The most basic measure of security is one-wayness. The canonical example is RSA [50]. Suppose there is an algorithm that generates a “fake” public key $pk^*$ such that $F_{pk^*}$ is no longer injective but has image much smaller than its domain and, moreover, given a public key, you can’t ...

2714 | New directions in cryptography, in
- Diffie, Hellman
Citation Context ...e theoretical, the other more applied, yet admittedly both foundational, as we discuss before moving further. Theoretical angle. Trapdoor functions are the primitive that began public-key cryptography [30, 50]. Public-key encryption was built from TDFs. (Via hardcore bits.) Lossy TDFs enabled the first DDH and lattice (LWE) based TDFs [48]. It is striking that identity-based cryptography developed entirely...

726 | A pseudorandom generator from any one-way function
- Håstad, Impagliazzo, et al.
- 1999
Citation Context ...ch, improving upon the linear-time search of PEKS [19]. Boldyreva, Fehr and O’Neill [15] show that lossy TDFs whose lossy branch is a universal hash (called universal lossy TDFs) achieve (via the LHL [14, 37]) PRIV-security for message sequences which are blocksources, meaning each message has some min-entropy even given the previous ones, which remains the best result without ROs. Deterministic IBE and t...

718 | Identity-based cryptosystems and signature schemes
- Shamir
- 1984
Citation Context ...why go backwards to define and construct the latter? The answer is that lossy IB-TDFs enable new applications that we do not know how to get in other ways. Stepping back, identity-based cryptography [54] offers several advantages over its public-key counterpart. Key management is simplified because an entity’s identity functions as their public key. Key revocation issues that plague PKI can be handle...

262 | Short group signatures
- Boneh, Boyen, et al.
- 2004
Citation Context ...28, 2, 3]. We aim accordingly to reach our ends with either route and do so successfully. We provide lossy IB-TDFs from a standard pairings assumption, namely the Decision Linear (DLIN) assumption of [18]. We also provide IB-TDFs based on Learning with Errors (LWE) [49], whose hardness follows from the worst-case hardness of certain lattice-related problems [49, 47]. (The same assumption underlies lat...

238 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1994
Citation Context ...DDH [48], QR [33], DLIN [33], DBDH [23], LWE [48] and HPS (hash proof systems) [38]. RSA was shown in [42] to be lossy under the Φ-hiding assumption of [25], leading to the first proof of security of RSA-OAEP [12] without random oracles. Lossy TDFs and their benefits belong, so far, to the realm of public-key cryptography. The purpose of this paper is to bring them to identity-based cryptography, defining and ...

231 | On Lovász’ lattice reduction and the nearest lattice point problem
- Babai
- 1986
Citation Context ...ctions need m to grow only linearly in n, we will instead use base $b = q^{1/C}$ for some constant C, which yields $\|T\| = O(q^{1/C} \cdot \sqrt{n})$. The following lemma from [34] (using the “nearest-plane” algorithm [5]) says that for appropriate parameters, the LWE one-way function has an inversion trapdoor. Lemma 5.2 Let $A \in \mathbb{Z}_q^{n \times m}$ be full-rank. Given A and any basis $T \in \mathbb{Z}^{m \times m}$ of $\Lambda^{\perp}(A)$, one can efficiently recover...

230 | Efficient identity-based encryption without random oracles
- Waters
- 2005
Citation Context ...s that plague PKI can be handled in alternative ways, for example by using identity+date as the key under which to encrypt to identity [20]. There is thus good motivation to go beyond basics like IBE [20, 29, 53, 16, 17, 56, 34] and identity-based signatures [10, 31] to provide identity-based counterparts of other public-key primitives. Furthermore we would like to do this in a systematic rather than ad hoc way, leading us t...

223 | Computationally private information retrieval with polylogarithmic communication
- Cachin, Micali, et al.
- 1999
Citation Context ...lic-key encryption [9]. Lossy TDFs can be constructed from DDH [48], QR [33], DLIN [33], DBDH [23], LWE [48] and HPS (hash proof systems) [38]. RSA was shown in [42] to be lossy under the Φ-hiding assumption of [25], leading to the first proof of security of RSA-OAEP [12] without random oracles. Lossy TDFs and their benefits belong, so far, to the realm of public-key cryptography. The purpose of this paper is to...

217 | Identity based encryption from the Weil pairing
- Boneh, Franklin
- 2003
Citation Context ... (Via hardcore bits.) Lossy TDFs enabled the first DDH and lattice (LWE) based TDFs [48]. It is striking that identity-based cryptography developed entirely differently. The first realizations of IBE [20, 29, 53] directly used randomization and were neither underlain by, nor gave rise to, any IB-TDFs. We ask whether this asymmetry between the public-key and identity-based worlds (TDFs in one but not the other) i...

202 | A forward-secure public-key encryption scheme
- Canetti, Halevi, et al.
- 2003
Citation Context ...e [20]. This key-derivation capability contributes significantly to the difficulty of realizing the primitive. As with IBE, security may be selective (the adversary must specify $id^*$ before seeing pars) [27] or adaptive (no such restriction) [20]. The most direct analog of the definition of lossiness from the public-key setting would ask that there be a way to generate “fake” parameters $pars^*$, indistin...

201 | Public key encryption with keyword search
- Boneh, Crescenzo, et al.
- 2004
Citation Context ...n called PRIV that is much stronger than one-wayness [6]. An application is encryption of database records in a way that permits logarithmic-time search, improving upon the linear-time search of PEKS [19]. Boldyreva, Fehr and O’Neill [15] show that lossy TDFs whose lossy branch is a universal hash (called universal lossy TDFs) achieve (via the LHL [14, 37]) PRIV-security for message sequences which ar...

194 | On lattices, learning with errors, random linear codes, and cryptography
- Regev
- 2004
Citation Context ...and do so successfully. We provide lossy IB-TDFs from a standard pairings assumption, namely the Decision Linear (DLIN) assumption of [18]. We also provide IB-TDFs based on Learning with Errors (LWE) [49], whose hardness follows from the worst-case hardness of certain lattice-related problems [49, 47]. (The same assumption underlies lattice-based IBE [34, 28, 2, 3] and public-key lossy TDFs [48].) Non...

174 | Cryptosystems based on pairing
- Sakai, Ohgishi, et al.
- 2000
Citation Context ... (Via hardcore bits.) Lossy TDFs enabled the first DDH and lattice (LWE) based TDFs [48]. It is striking that identity-based cryptography developed entirely differently. The first realizations of IBE [20, 29, 53] directly used randomization and were neither underlain by, nor gave rise to, any IB-TDFs. We ask whether this asymmetry between the public-key and identity-based worlds (TDFs in one but not the other) i...

103 | Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert, et al.
- 2008
Citation Context ...s that plague PKI can be handled in alternative ways, for example by using identity+date as the key under which to encrypt to identity [20]. There is thus good motivation to go beyond basics like IBE [20, 29, 53, 16, 17, 56, 34] and identity-based signatures [10, 31] to provide identity-based counterparts of other public-key primitives. Furthermore we would like to do this in a systematic rather than ad hoc way, leading us t...

101 | P.: The security of triple encryption and a framework for code-based game-playing proofs
- Bellare, Rogaway
- 2006
Citation Context ...ocedures of G. The adversary must make exactly one query to Initialize, this being its first oracle query. (This means the adversary can give Initialize an input, an extension of the usual convention [13].) It must make exactly one query to Finalize, this being its last oracle query. The reply to this query, denoted $G^A$, is called the output of the game, and we let “$G^A$” denote the event that this g...

100 | Secure Identity Based Encryption Without Random Oracles. Adv
- Boneh, Boyen
- 2004
Citation Context ...s that plague PKI can be handled in alternative ways, for example by using identity+date as the key under which to encrypt to identity [20]. There is thus good motivation to go beyond basics like IBE [20, 29, 53, 16, 17, 56, 34] and identity-based signatures [10, 31] to provide identity-based counterparts of other public-key primitives. Furthermore we would like to do this in a systematic rather than ad hoc way, leading us t...

98 | Efficient selective-ID secure identity based encryption without random oracles
- Boneh, Boyen

83 | Regev Worst-case to Average-case Reductions based on Gaussian Measures - Micciancio, O - 2004 |

80 | Lossy trapdoor functions and their applications. Cryptology ePrint Archive, Report 2007/279
- Peikert, Waters
- 2007
Citation Context ...he Decision Linear (DLIN) assumption of [18]. We also provide IB-TDFs based on Learning with Errors (LWE) [49], whose hardness follows from the worst-case hardness of certain lattice-related problems [49, 47]. (The same assumption underlies lattice-based IBE [34, 28, 2, 3] and public-key lossy TDFs [48].) None of these results relies on random oracles. Existing work brought us closer to the door with latt...

76 | Anonymous Hierarchical Identity-Based Encryption (without Random Oracles). Cryptology ePrint Archive 2006/085
- Boyen, Waters
Citation Context ...s IBE scheme it becomes possible to implicitly specify per-identity matrices defining the function. No existing anonymous IBE has the properties we need but we build one that does based on methods of [22]. Our results with pairings are stronger because the lossy branches are universal hash functions which is important for applications. Public-key lossy TDFs exist aplenty and IBE schemes do as well. It...

76 | Introduction to the non-asymptotic analysis of random matrices. ArXiv e-prints - Vershynin - 2010 |

65 | Bonsai trees, or how to delegate a lattice basis
- Cash, Hofheinz, et al.
Citation Context ...urity notions, one-wayness and lossiness, showing that the second implies the first. The first wave of IBE schemes was from pairings [20, 53, 16, 17, 56, 55] but another is now emerging from lattices [34, 28, 2, 3]. We aim accordingly to reach our ends with either route and do so successfully. We provide lossy IB-TDFs from a standard pairings assumption, namely the Decision Linear (DLIN) assumption of [18]. We ...

62 | Deterministic and efficiently searchable encryption
- Bellare, Boldyreva, et al.
Citation Context ...entity-based realm. As evidence we apply them to achieve identity-based deterministic encryption and identity-based hedged encryption. The first, the counterpart of deterministic public-key encryption [6, 15], allows efficiently searchable identity-based encryption of database entries while maintaining the maximal possible privacy, bringing the key-management benefits of the identity-based setting to this applicat...

62 | Security proofs for identity-based identification and signature schemes
- Bellare, Namprempre, et al.
- 2003
Citation Context ...xample by using identity+date as the key under which to encrypt to identity [20]. There is thus good motivation to go beyond basics like IBE [20, 29, 53, 16, 17, 56, 34] and identity-based signatures [10, 31] to provide identity-based counterparts of other public-key primitives. Furthermore we would like to do this in a systematic rather than ad hoc way, leading us to seek tools that enable the transfer o...

58 | Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions
- Waters
- 2009
Citation Context ... Contributions in brief. We define IB-TDFs and two associated security notions, one-wayness and lossiness, showing that the second implies the first. The first wave of IBE schemes was from pairings [20, 53, 16, 17, 56, 55] but another is now emerging from lattices [34, 28, 2, 3]. We aim accordingly to reach our ends with either route and do so successfully. We provide lossy IB-TDFs from a standard pairings assumption, ...

54 | Randomness and the netscape browser - Goldberg, Wagner - 1996 |

52 | Efficient lattice (H)IBE in the standard model
- Agrawal, Boneh, et al.
- 2010
Citation Context ...urity notions, one-wayness and lossiness, showing that the second implies the first. The first wave of IBE schemes was from pairings [20, 53, 16, 17, 56, 55] but another is now emerging from lattices [34, 28, 2, 3]. We aim accordingly to reach our ends with either route and do so successfully. We provide lossy IB-TDFs from a standard pairings assumption, namely the Decision Linear (DLIN) assumption of [18]. We ...

49 | Strong key-insulated signature scheme - Dodis, Katz, et al. - 2003 |

44 | On notions of security for deterministic encryption, and efficient constructions without random oracles
- Boldyreva, Fehr, et al.
- 2008
Citation Context ...unction $F_{pk^*}$ that provides information-theoretic security. Lossiness implies one-wayness [48]. Lossy TDFs have quickly proven to be a powerful tool. Applications include IND-CCA [48], deterministic [15], hedged [7] and selective-opening secure public-key encryption [9]. Lossy TDFs can be constructed from DDH [48], QR [33], DLIN [33], DBDH [23], LWE [48] and HPS (hash proof systems) [38]. RSA was shown in [42] ...

40 | Generating hard instances of the short basis problem - Ajtai - 1999 |

38 | Generating shorter bases for hard random lattices. Cryptology ePrint Archive, Report 2008/521, 2008. http://eprint.iacr.org/
- Alwen, Peikert
- 2009
Citation Context ...ability $2^{-\Omega(m+n)}$. We need the following lemma showing how to generate a (nearly) uniformly random $A \in \mathbb{Z}_q^{n \times m}$ together with a ‘trapdoor’ in the form of a short basis. Such a construction is given in [4]. That work is focused on the standard parameter regime where $m = O(n \log q)$, and does not actually contain a theorem statement for the non-standard parameters $m = O(n)$ that we need. Fortunately, it fol...

37 | Fast cryptographic primitives and circular-secure encryption based on hard learning problems - Applebaum, Cash, et al. - 2009

33 | Possibility and impossibility results for encryption and commitment secure under selective opening
- Bellare, Hofheinz, et al.
- 2009
Citation Context ...ss implies one-wayness [48]. Lossy TDFs have quickly proven to be a powerful tool. Applications include IND-CCA [48], deterministic [15], hedged [7] and selective-opening secure public-key encryption [9]. Lossy TDFs can be constructed from DDH [48], QR [33], DLIN [33], DBDH [23], LWE [48] and HPS (hash proof systems) [38]. RSA was shown in [42] to be lossy under the Φ-hiding assumption of [25], leading to the f...

30 | Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE - Agrawal, Boneh, et al. - 2010

28 | Direct chosen-ciphertext secure identity-based key encapsulation without random oracles. Theoretical Computer Science
- Kiltz, Galindo
- 2009
Citation Context ...of B is that of A plus $O(\mu^2 \rho^{-1}((\mu Q \rho)^{-1}))$ overhead, where $\rho = \frac{1}{2} \cdot \mathrm{Adv}^{\delta\text{-los}}_{F,LF,\ell}(A)$. Proof: Our proof uses a simulation technique due to Waters [56]. We used a slightly improved analysis from [40]. Let Q be the number of queries made by A and let algorithm Aux be defined as above. Let $RL_0, RL_n$ be the games of Figure 5 with $IDSp = \{0,1\}^{\mu}$ and this Aux. Let $E(IS, id^*)$ denote the event that when F...

28 | Chosen-ciphertext security via correlated products. Cryptology ePrint Archive, Report 2008/116
- Rosen, Segev
- 2008
Citation Context ...ed Work. A number of papers have studied security notions of trapdoor functions beyond traditional one-wayness. Besides lossiness [48] there is Rosen and Segev’s notion of correlated-product security [52], and Canetti and Dakdouk’s extractable trapdoor functions [26]. The notion of adaptive one-wayness for tag-based trapdoor functions from Kiltz, Mohassel and O’Neill [41] can be seen as the special ca...

25 | Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more
- Boyen
- 2010
Citation Context ...of $F[\mu, \{0,1\}^{\mu}, C_f]$ and alters parameter generation to Algorithm $LF[\mu, \{0,1\}^{\mu}, C_f].Pg(id)$: $y \xleftarrow{\$} Aux$; $(pars, msk) \xleftarrow{\$} L[\mu, \{0,1\}^{\mu}, C_f].Pg(y)$; Return $(pars, msk)$, where Aux is a randomized algorithm from [2, 21] that generates $y \in (\mathbb{Z}_q^{\hat{n} \times \hat{n}})^{\mu+1}$ such that the image of $f(y,\cdot)$ is either $0^{n \times n}$ or of full rank and $f(y,\cdot)$ is pairwise independent, i.e., for all $id \neq id'$, $\Pr_{Aux}[f(y,id) = 0^{n \times n} \mid f(y,id') = 0^{n \times n}] = 1/(2Q)$. The f...

25 | A provable-security treatment of the key-wrap problem
- Rogaway, Shrimpton
- 2006
Citation Context ...ile maintaining the maximal possible privacy, bringing the key-management benefits of the identity-based setting to this application. The second, counterpart of hedged symmetric and public-key encryption [51, 7], makes IBE as resistant as possible in the face of low-quality randomness, which is important given the widespread deployment of IBE and the real danger of bad-randomness based attacks evidenced by t...

24 | More constructions of lossy and correlation-secure trapdoor functions
- Freeman, Goldreich, et al.
- 2010
Citation Context ...ly proven to be a powerful tool. Applications include IND-CCA [48], deterministic [15], hedged [7] and selective-opening secure public-key encryption [9]. Lossy TDFs can be constructed from DDH [48], QR [33], DLIN [33], DBDH [23], LWE [48] and HPS (hash proof systems) [38]. RSA was shown in [42] to be lossy under the Φ-hiding assumption of [25], leading to the first proof of security of RSA-OAEP [12] without ran...

24 | Trapdoors for lattices
- Micciancio, Peikert
Citation Context ...we need. Fortunately, it follows by a straightforward adaption of the construction using a tradeoff between the base of the logarithm and the length of the trapdoor basis vectors. The concurrent work [44] contains a full (and simpler) proof of this fact. Lemma 5.1 ([4, 44]) Let n, q be positive integers, and let b ≥ 2. For large enough $m = O(n \log_b q)$, there is an efficient randomized algorithm that out...

21 | Programmable hash functions and their applications
- Hofheinz, Kiltz
Citation Context ...ma 4.1. We remark that we could use the proof technique of [11] which avoids the artificial abort but this increases the value of δ, making it dependent on the adversary advantage. The proof technique of [39] could be used to strengthen δ in Theorem 4.4 to $O(\sqrt{m}\,Q)^{-1}$ which is close to the optimal value $Q^{-1}$. 5 IB-TDFs from Lattices Here we give a construction of a lossy IB-TDF from lattices (specificall...

18 | When private keys are public: Results from the 2008 Debian OpenSSL vulnerability
- Yilek, Rescorla, et al.
- 2009
Citation Context ...ailability of fresh, high-quality randomness. This is fine in theory but in practice RNGs (random number generators) fail due to poor entropy gathering or bugs, leading to prominent security breaches [35, 36, 24, 46, 45, 1, 57, 32]. Expecting systems to do a better job is unrealistic. Hedged encryption [7] takes poor randomness as a fact of life and aims to deliver best possible security in the face of it, providing privacy as ...

17 | On bounded distance decoding, unique shortest vectors, and the minimum distance problem
- Lyubashevsky, Micciancio
- 2009
Citation Context ... of these results relies on random oracles. Existing work brought us closer to the door with lattices, where one-way IB-TDFs can be built by combining ideas from [34, 28, 2]. Based on techniques from [47, 43] we show how to make them lossy. With pairings, however it was unclear how to even get a one-way IB-TDF, let alone one that is lossy. We adapt the matrix-based framework of [48] so that by populating ...

13 | Many-to-one trapdoor functions and their relation to public-key cryptosystems
- Bellare, Halevi, et al.
- 1998
Citation Context ...achieve is best possible and suffices for applications. Closer Look. One’s first attempt may be to build an IB-TDF from an IBE scheme. In the random oracle (RO) model, this can be done by a method of [8], namely specify the coins for the IBE scheme by hashing the message with the RO. It is entirely unclear how to turn this into a standard model construct and it is also unclear how to make it lossy. T...

13 | T.: Simulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters
- Bellare, Ristenpart
- 2009
Citation Context ...$= \Pr\, RL_{\hat{n}}$. (18) Now Equation (15) follows from Equations (1), (17), (18), Lemma 4.2 and (a version incorporating the artificial abort of) Lemma 4.1. We remark that we could use the proof technique of [11] which avoids the artificial abort but this increases the value of δ, making it dependent on the adversary advantage. The proof technique of [39] could be used to strengthen δ in Theorem 4.4 to O( √ mQ...

11 | Hold Your Sessions: An Attack on Java Session-Id Generation
- Gutterman, Malkhi
- 2005
Citation Context ...ailability of fresh, high-quality randomness. This is fine in theory but in practice RNGs (random number generators) fail due to poor entropy gathering or bugs, leading to prominent security breaches [35, 36, 24, 46, 45, 1, 57, 32]. Expecting systems to do a better job is unrealistic. Hedged encryption [7] takes poor randomness as a fact of life and aims to deliver best possible security in the face of it, providing privacy as ...

11 | Lossy trapdoor functions from smooth homomorphic hash proof systems
- Hemenway
Citation Context ...CCA [48], deterministic [15], hedged [7] and selective-opening secure public-key encryption [9]. Lossy TDFs can be constructed from DDH [48], QR [33], DLIN [33], DBDH [23], LWE [48] and HPS (hash proof systems) [38]. RSA was shown in [42] to be lossy under the Φ-hiding assumption of [25], leading to the first proof of security of RSA-OAEP [12] without random oracles. Lossy TDFs and their benefits belong, so far,...

11 | Instantiability of RSA-OAEP under chosen-plaintext attack
- Kiltz, O’Neill, et al.
- 2010
Citation Context ... [15], hedged [7] and selective-opening secure public-key encryption [9]. Lossy TDFs can be constructed from DDH [48], QR [33], DLIN [33], DBDH [23], LWE [48] and HPS (hash proof systems) [38]. RSA was shown in [42] to be lossy under the Φ-hiding assumption of [25], leading to the first proof of security of RSA-OAEP [12] without random oracles. Lossy TDFs and their benefits belong, so far, to the realm of public...

10 | Cryptanalysis of the windows random number generator
- Dorrendorf, Gutterman, et al.
Citation Context ...ailability of fresh, high-quality randomness. This is fine in theory but in practice RNGs (random number generators) fail due to poor entropy gathering or bugs, leading to prominent security breaches [35, 36, 24, 46, 45, 1, 57, 32]. Expecting systems to do a better job is unrealistic. Hedged encryption [7] takes poor randomness as a fact of life and aims to deliver best possible security in the face of it, providing privacy as ...