 Hello and welcome everyone. I'm David and in this talk I will be presenting joint work with T-Boyager and Rafa Akurig about constructing efficient, adaptive-lead, secure IBEs and VRS from near-collision resistant hash functions. When we construct identity-based encryption schemes and very far random functions, we want the constructions to be efficient and to have at least adaptive CPA security. Furthermore, we ideally want the construction to be in the standard model and to have a small and no significant tightness loss. In this paper we show how we can use near-collision resistance, a natural assumption for hash functions, instead of the random oracle model, in order to achieve adaptive security. We do that by showing how to construct a more efficient IBE came from LWE and from the bilinear divi-hayman assumption. Furthermore, we also show how the technique can be used to construct an efficient, very far random function from the Q-Decisioner bilinear divi-hayman inversion assumption. Finally, we also show how the technique can be used to prove the IBE came by my two co-authors from Asia Crypt 2018, this very short ciphertext secure with significantly less security loss. However, we won't have the time to discuss all construction details. Therefore, I will focus on introducing near-collision resistance as a natural assumption for hash functions to efficiently replace the random oracle and on showcasing our techniques by using them to construct an IBE came from the decisional bilinear divi-hayman assumption. Our construction is mostly a variant of the Waters IBE, but with much shorter publicities. So, for an overview of the presentation, I will first compare the efficiency of our constructions to previous constructions for an overview and to showcase what can be achieved with our techniques. Since we want to discuss our variant of the Waters IBE in more detail, I will quickly recap identity-based key encapsulation mechanisms and what they are, what their properties are and in which scenario and how they are used. Afterwards, I will quickly introduce near-collision resistance and how it can be used to achieve adaptive security. That is, I will introduce our hash function assumption for near-collision resistance and then give an intuition on how we can leverage this assumption for hash functions to achieve adaptive security without random oracles. Finally, I will then present our efficient version of the Waters IBE and how a near-collision resistance is used in our construction. Now, let us begin by a more detailed overview of our constructions. First, let us look at IBEs from standard assumptions of the discrete logarithm type. That is, for example, the Decisional B-Linear Diffie-Helman assumption which underlies our construction and also the Waters IBE. If we now compare these constructions, what sticks out is that except for the Bonnet Franklin IBE which is in the random oracle model, only the Waters IBE and ours achieve user secret keys and ciphertexts of only two group elements each. However, Waters IBE has the large downside of having a master public key of linearly many group elements which is compared to many of the other constructions very large. However, with our techniques, we are able to boil this down to only logarithmically many and as we will look into the scheme later on, we will also see that this number is not only asymptotically small but also concretely. Next, let us look at IBEs from Q-Tag assumptions. In particular, at the IBE came from my two co-authors from AsiaCrypt 2018 which is based on the Bonniboyen IBE from EuroCrypt 2004 which was only selectively secure. The construction at AsiaCrypt 2018 has one big downside and that is its very large tightness loss. However, we are able to address this tightness loss with a more efficient reduction technique by Yamada from EuroCrypt 2017 in conjunction with near collision resistance. That allows us to make the reduction much more tight and now let's look at the numbers. We see that the security loss of the AsiaCrypt 2018 scheme is the runtime of the adversary to the 7 over its advantage to the 4 and we are able to reduce this to its runtime to the cubed over its advantage squared which is still large but much better and much smaller. And if we now look at the other parameters of these schemes, we see that only the ones from AsiaCrypt and ours which technically the same with a different security proof achieve ciphertext of only one group element compared to the one of Bonniboyen from EuroCrypt 2004 and the one from Gentry at EuroCrypt. Next, we look into IB cams from LWE which have post-puntum security and in particular its IB cam from Yamada from Crypto 2017 which we adapt to near collision resistance and by that are able to make a lot more efficient. So, if we now look at numbers of the parameters of previous IB cams or IBEs we see that most of them are very efficient in terms of number of vectors for the user secret keys and ciphertexts which is at least asymptotically all constant for most of the constructions. However, the parameter that is still very large is the size of the master public key. This is different for different constructions but most constructions have parameter sizes of log squared security parameter or log cubed security parameter and we are able to boil this down to only logarithmic number of matrices in the master public key. What is notable is that asymptotically speaking also the scheme from Crypto 2016 achieves the same if we assume Q is the number of user secret key queries by the adversary to be polynomial. However, we point out that this number is in concrete terms much larger than the number of matrices in our scheme. Next we also want to look into VRFs or verifiable random functions and in particular we want to look into our adaptation of Yamada's VRF from Crypto 2017 with near collision resistance. Near collision resistance here allows us to prove adaptive security but achieve very efficient parameters. As asymptotically speaking we achieve public key and proof sizes of only logarithmic number of group elements but this is not only asymptotically very efficient but also concretely. We achieve public keys that contain only 10 group elements and proofs of correctness that only consist of 9 group elements or security parameter of 128. So if we now look at an overview of all the schemes of most VRFs from before we see that there are many of them but we also see that most of them have log squared, log cubed, security parameter or similar number of group elements in the public keys and in particular in the proofs of correctness which is really important for communication efficiency because the proofs of correctness will probably be sent much more often than the public keys. One construction that stands out here is run by Elin Lisa Kohl from PKC 2019 which achieves almost a constant number of group elements in the proof of correctness However, as I stated, our construction also achieves concretely very small number of group elements in the proof of correctness however being asymptotically less efficient than Kohl's VRF. Summing up, our constructions can improve over previous constructions and many different aspects while at the same time avoiding the random algorithm model and only making, as we will see, very natural assumption for hash functions. Since we want to look into our variant of Waters IBE in more detail I will now quickly recall the security properties and syntax of IB cams and that is what our construction syntactically will be. Identity-based key encapsulation mechanisms we usually consider a scenario with three parties trusted authority and Alice and Bob where Alice and Bob want to exchange messages confidentially In the beginning the trusted authority generates a master secret key and a master public key and then publishes the master public key, while keeping the master secret key to itself. Now that all have the master public key, they need user secret keys in order to decrypt messages later on so they can ask the trusted authority to get a user secret key, in this case we will show this for Bob and after Bob authenticated himself to the trusted authority in some mean the trusted authority generates a user secret key for Bob and then sends the user secret key to Bob Now that Bob can decrypt messages to him, or better said decapsulate messages to him Alice can encapsulate a secret key to Bob, that is she runs the encapsulation algorithm which results in a ciphertext and a symmetric secret key and then sends ciphertext to Bob Bob now using his user secret key can decapsulate the ciphertext to the same symmetric key Now both Alice and Bob can use standard symmetric encryption primitives like AEDs for example to exchange messages confidentially without any public key encryption and so from this point on It's common for key encapsulation mechanisms in IB chem can be used to generically construct a fully-fledged IBE when it is used in conjunction with the data encapsulation mechanism or short DEM This data encapsulation mechanism could for example be instantiated with some symmetric encryption scheme In terms of properties we want correctness, that is if Alice encapsulates a secret key to Bob and Bob always gets back the same secret key by decapsulating Of course only if he has a correct secret key from the trust and authority and both share the master public key So for security we consider the following security experiment between a challenger and a distinguisher First the challenger generates a master public key and a master secret key and sends a master public key to the distinguisher The distinguisher then may make several user secret key queries So it can query the challenger for user secret keys for identities of his choice and get these At some point the distinguisher has to state a challenge identity ID star for which he gets back the encapsulation under that identity So the ciphertext and either the correct symmetric key that is encapsulated in that ciphertext or a random element from the key space Then the distinguisher may make further queries but not for the challenge identity and again gets back user secret keys for the identities that he's queried Finally at some point he has to state its guess whether he was given the correct symmetric key or if he got a random key that does not match the ciphertext that he was given for the challenge As usual with such security experiments we say that the abchem is secure If every distinguisher that has a polynomial runtime only has a success probability of one-half plus something negligible in guessing the correct bit B Now that we recall to the properties of the entity-based key encapsulation mechanisms and how they are used we will now look into adaptive security from near-collision resistance that is we will informally introduce near-collision resistance as a natural assumption for hash functions and then show how it can be used to achieve adaptive security without using the random oracle model Informally when we assume that a hash function is near-collision resistant we assume that the birthday attack is the fastest algorithm in finding a collision on any given subset of output bits of the hash function To illustrate this let us look at the following example In the trivial case for collision of the whole hash function we just assume that the success probability of the birthday attack is optimal for every potential runtime of an adversary that is for example for this for this hash function with 16 output bits we roughly assume that every algorithm that runs in time t has a probability of finding a collision of at most t squared over 2 to the 16 However for near-collision resistance we now want to look at the subset of the output bits so for example if we now consider a prefix of length 6 then for near-collision resistance we assume that there is also no faster algorithm than the birthday attack to find the collision on the prefix meaning we assume that the prefix is as secure as a shorter collision resistant hash function meaning specifically for any algorithm that has a runtime of t we assume that on this prefix that algorithm can only find a collision with the probability of t squared over 2 to the 6 However for near-collision resistance we also want this to hold for permutations that is it doesn't matter where we put these 6 positions the probability of finding a collision keeps bounded by t squared over 2 to the 6 Next let us look into how we can leverage near-collision resistance to prove adaptive security without the random algorithm model Our approach is to use the runtime ta and the advantage epsilon a of the adversary in the reduction to choose a subset of output bits We want to choose i such that based on the adversary's advantage it can find a collision on i with probability larger than epsilon half and that at the same time there are only polynomially many possibilities for the hash function value on the subset i These two goals seem difficult to achieve at the same time but obviously any sufficiently small set i will allow for a collision with a non-digital probability However this is no issue because in the reduction we can assume that epsilon is non-digital therefore the bound of epsilon over 2 for a collision on the subset i is still achievable even if there are only polynomially many possibilities for hash function outputs on the subset i Then the idea is to guess the hash of the challenge identity on the subset of output bits in i The trick then is that if both goals are achieved then this guess will be correct with a non-digital probability and at the same time the adversary will not query a user-secret key for an identity that also matches the guess because that would imply a collision Of course these two goals are still conflicting with each other because we have to make i large enough to make a collision sufficiently unlikely and at the same time small enough Thus there is an ideal choice such that it is just large enough to guarantee a sufficient collision resistance but not any larger Choosing it of exactly the size will allow us to make the probability to guess correctly as large as possible by that to achieve a better tiredness of the reduction Concretely what previous similar constructions did was to choose i as the prefix of the length of the smallest power of 2 that is larger than the ideal size In this example if the ideal size of i would be 5 they would use the prefix of length 8 Then they would use several IBE schemes in parallel One for each potential prefix length with an identity space of all possible prefixes of that length Since they only consider prefixes of lengths of power of 2 they are only logarithmic in the schemes in parallel Furthermore they can use in some cases aggregation techniques in order to make the constructions more efficient In the reduction they would then just produce the security of the IBE with the fitting identity space This makes the approach rather straightforward but comes with the cost of a large security loss in the reduction Because in a not ideal size a set i is used and as in this case the set that is used in the worst case has a size that is quadratically larger than what would be ideal Our trick now is to first present the ideal size of the set as a sum of powers of 2 For example for 5 we can just represent that as 2 to the 0 plus 2 to the 0 2 meaning 1 plus 4 Then we split the hash function into consecutive blocks of powers of 2 Meaning the first block h0 would be just the first bit, the second block h1 would be the second bit and the third bit and so on and so forth So this looks like this We would then choose the set i as the block that together has the ideal size For simplicity we will keep this notion of h2, h0 and so on throughout the presentation and view them as hash functions on their own However this is only on a syntactical level of course this is still one hash function The downside of this approach is that it requires us to make the reduction more complicated Because there is not a single, if we would just use several IBE schemes in parallel There wouldn't be a single IBE scheme that we could reduce the security to For this example with the block 0 and 2 we would have to reduce the security of the first IBE scheme and the third IBE scheme And this doesn't work out that well anymore However we can indeed do this without sacrificing any efficiency And that is what we look into next when discussing our variant of Rotas IBE that uses exactly this approach of near collision resistance And this partitioning of the hash function into logarithmic many blocks And many blocks as usual for the Rotas IBE we have two generators g and h And we have that p elements x, u prime and we have one ui element for each block of the hash function Meaning we say that the hash function has l plus one many blocks As you can see there are only logarithmically many of these ui values And then we have that our master secret key is just h to the x And the master public key consists of g and then g to the prime and g to the ui for all i from 0 up to l And the pairing between hx and g Meaning that we in some way also put h to the x in the master public key and z by z bound to the master secret key What is now important for our construction is this function ui, u of id This function is just the sum of u prime plus the product between all ui and hi Meaning we interpret hi of an identity as in that p element and multiply it with ui This function is so important because it's very crucial for our reduction in which we use it in the following way In the reduction we will be doing the following We will draw a uniformly random element a from that p and further uniformly random elements also from that p Namely r prime and r0 up to rl where as you might have guessed the r prime corresponds to u prime And the r i values correspond to the ui values Furthermore for all the blocks for which which are in the index set i We also draw a uniformly random guess for them named ki Now we define u such that it contains this a component if and only if i is in the index set i Otherwise which is just r i Furthermore we set u prime as r prime minus a times the sum over all r i times ki For all the i in the index set i Now what we ask ourselves is Under which condition is if we set ui and u prime this way is the a component of u of id 0 And for that we look at the following function or the following terms We ask ourselves when does her told that 0 times a is minus a times the sum of over all r i times ki For all indices in the index set plus a times the sum over all indices in the index set For r i times h i of id And if we now slightly move things around we see that this holds if and only if The sum of over all indices in the index set over r i times ki minus h of id if that is 0 In particular this is the case if we have that all ki are identical to h i of our identity For all i in the index set Of course there is also another way other ways in which this could be 0 But in those cases we can reduce to the discrete logarithm Meaning any adversaries that finds another index i id Another identity id for which this holds can also solve the discrete logarithm problem And therefore this is very unlikely So over all this a component is 0 if and only if our guess is indeed correct And then in the reduction we can embed this such that we can extract a solution to the underlying decision Be linear if you have an assumption if and only if we have that this a component is 0 And that we can answer the adversaries queries if and only if this a component is not 0 Now let us look into the concrete key size of the master public key of our variant of the Waters IBE Since this is the aspect in which our construction or proof improves over the previous construction We require a hash function with 2 times lambda or lambda as security parameter plus 3 output bits That means we will have the logarithm of that plus 1 many blocks And for the security parameter 128 this means that we will all have only 9 blocks in the hash function You can now instantiate that on baritoneerich curves that means that the master public key will consist of 11 group elements From the G1 group and from one group element of the target group On these curves the G1 elements will have 256 bits and the target group elements will have 3072 bits Now summing up that overall we achieve only 736 bytes in the complete master public key which is quite small And that without using the random logarithm methodology The takeaway message of our work is that near collision resistance as a mild hash function assumption Can be used to replace the random logarithm methodology without sacrificing a lot of efficiency We have shown that it can be used to construct highly efficient IBEs and VRFs And maybe there are more potential constructions maybe some by you If you have any questions feel free to drop us an email or refer to the paper and laugh at McLeese Thank you for your attention and have a nice day