 Identity-based encryption is a notion of public key encryption where any string, such as a name or address, can serve as a public key of a user. We usually formalize this via the following four algorithms. There's a setup algorithm that generates a master public key and a master secret key. We think of this algorithm being run by a trusted key authority. There's a key generation algorithm, which is also run by the key authority, which, given any identity, generates a corresponding user secret key. And then there's the encryption algorithm, which, given an identity and the master public key, as well as a message, computes a ciphertext under this identity. And finally, there's the decryption algorithm, which, given a user secret key and a ciphertext computes or outputs the corresponding plaintext message M. And in terms of correctness, we require that this message M that decryption outputs when we decrypt with the user secret key SKID is the same as the message that was encrypted under the identity ID. Security is defined via the following experiment between a challenger and a PPT adversary. First, the challenger generates a pair of master public and master secret keys, and the master public key is given to the adversary. Now, the adversary is allowed to query identity keys for an arbitrary number of identities of his choice. And at some point, the adversary outputs or passes an identity its star and two messages M0 and M1 to the challenger. And we require that this challenge identity its star is different from all the identities for which the adversary has queried keys. The experiment chooses random bit B and encrypts the message Mb under the identity its star. And the resulting ciphertext is given to the adversary. Now, the adversary gets more access to this key oracle. It means he can, again, ask keys for identities. It's conditioned on that they're different from the challenge identity its star and receives the corresponding identity secret keys. In the end, the adversary outputs a guest B prime for the bit B and we say the adversary wins if this bit B prime is identical to the bit B. We say a scheme is in IBE secure if the probability that this guest B prime matches B is at most one half plus negligible. The notion of identity-based encryption was famously introduced by Shamir in a work in 1984, however, without providing a construction. 17 years later, Bonet and Franklin found a construction based on bilinear groups, as well as Clifford Cox provided a construction based on the quadratic residuality assumption. Furthermore, we also know constructions from the LWE problem. And this is pretty much the situation today. We basically know IBE from these three standard assumptions, bilinear maps, LWE, and quadratic residuality. And in the case of quadratic residuality, we even need a random oracle to realize this notion. This might be seen as a rather small pool of hardness assumption. In particular, when we compare this to the notion of public key encryption, where there is a much wider pool of assumptions from which we can instantiate this primitive. So there is somewhat of a perceived gap between the notion of IBE and public key encryption. Furthermore, we know that black box techniques will not suffice to build identity-based encryption from trapdoor permutations, CCA encryption, or the decisional Diffie-Hellman assumption. Furthermore, reinforcing this perceived gap between identity-based encryption and public key encryption. What I'm going to show you in this work will be the first fully secure identity-based encryption scheme from the computational Diffie-Hellman assumption without the use of bilinear pairings. And our construction will be based on the computational Diffie-Hellman problem, which is to compute G to the AB given G to the A and G to the B, and not the decisional Diffie-Hellman problem, where the task is to distinguish this from uniform. The main ingredient to our approach is evaluating a cryptographic primitive inside garbled circuits. This will allow us to overcome these four mentioned black box impossibility results. Now, we can also instantiate our result from the factoring assumption. And in the paper, we also provide a construction of hierarchical IBE. This was an open problem even for factoring type assumptions, such as the quadratic residuality problem. Now, in the rest of the talk, I am first going to introduce a new notion of encryption. We call chameleon hashing with encryption. And then I'll show you how to construct identity-based encryption from this primitive. So first, let's talk about chameleon hashing with encryption, or, as we like to call it, chameleon encryption for short. A chameleon hashing scheme is a type of collision-resistant hash function with a special collision trapdoor. We formalized this via the following algorithms. There's a generator algorithm which outputs a hashing key and a collision trapdoor. There's a hashing algorithm which takes the hashing key, a message x, and some randomness r, and outputs a hash value. And we require this function to be shrinking the input x. We want it to be compressing. And finally, we require a collision-finding algorithm we call h-inverse, which takes as input the collision trapdoor, pre-image x, and a new pre-image x-prime, and the old randomness r, and outputs a new randomness r-prime, such that x-r and x-prime r-prime collide under this hash function h. So this is chameleon hashing. Our new notion is chameleon hashing with encryption, or chameleon encryption. So we add an encryption aspect to this primitive. And the first extra algorithm that we require is an encryption algorithm which takes a hashing key, a hash value h, an index i, and a bit b, and a message m, and outputs a ciphertext c, and a decryption algorithm, which takes as input the hashing key k, and the pre-image x together with a randomness, and the ciphertext, and outputs a message m-prime. And we require that the message m-prime is identical to m, given that the pre-image x fulfills the condition that x is a pre-image of this hash value h, and it fulfills the condition that the i-th bit of x is b. So if xi is equals b, Bob will be able to decrypt the message m. And if this is not the case, if Bob knows, say, a different pre-image for the hash value h, we require ciphertext indistinguishability. So even if Bob knows a valid pre-image to this hash value h, but its i-th bit is flipped, Bob will not tell whether we've encrypted a 0 or a 1. So now I'm going to show you a simple construction of chameleon encryption from the DDH assumption. In the paper, we can actually do this from the CDH assumption. But for the sake of brevity, I will provide the simplified DDH construction here. The hashing t consists of a group generator g, together with n pairs of group elements gi0 and gi1. The hashing algorithm first computes g to the r, and then the product of the gj xj. That's the output of my chameleon hash function. I am not going to provide the collision finding algorithm on this slide. For details, please refer to the paper. However, I'm straight going to the encryption algorithm. So as a first attempt, we might try to just use the algomal approach. We say the first component of the ciphertext is h to the s. And the second component is just gib to the s times m. That's an algomal encryption. However, this would not be enough for the decrypter to recover this message, since the decrypter doesn't know a discrete logarithm of this h with respect to gib, but rather a pre-image under this hash function. So what we do instead is we add a few extra terms to the ciphertext, in particular a g to the s, and some group elements cj0 and cj1, which are gj0 to the s and gj1 to the s. And what's important here, we don't provide these elements for j equals i, because then one could directly decrypt, and we wouldn't have any security. So how do we decrypt? Decryption basically computes this product. It takes this term e, computes z0 to the r times the product j and not equals i, cjxj, and divides it by c1. So why is this scheme correct? How can we see that this scheme correct? Well, in the first step, we know that this c1 is just h to the s. So let's just plug in h to the s. Now we know that h is a hash value of x using randomness r. So let's plug that inside and already pull the gixi to the s term out. So this is just the hash value with a gixi term pulled out. We can cancel these terms, and what remains is m times gib to the s divided by gixi to the s. And if our preimage actually fulfills this condition that the if bit is b, those two terms cancel out, and we have m. For the security reduction, please refer to the paper. What I'm going to show you now is a deconstruction of identity-based encryption from chameleon encryption. And I'm not going to provide you the full construction but a toy example which showcases all techniques that are used for the full construction. So we are going to build a IDE scheme that we're going to call setup, keygen, encrypt, and decrypt, and we'll only do so for four identities. In my scheme, there will only be four identities, but as I said, the techniques I'm showing you here will generalize to an exponential number of identities from polynomial hardness assumptions. So doing this step from constant to exponential will not require a change in my hardness assumptions. The key generation algorithm that I'm going to show you is stateful. That means when I generate new keys, I need to remember the old keys. This can be de-randomized using pseudo-random functions, but again, for details, please refer to the paper. And as ingredients, we have first a chameleon encryption scheme, gen, h, h inverse, enc, and dec. Second, I'll require a standard in CPA secure public key encryption scheme, k, g, e, and d. And as a third component, I require garbled circuits. I will use garbled circuits. So first, let's look into how key generation works. So the overall idea of this scheme is to arrange the keys in a binary tree. Let's look what the setup algorithm does. The setup algorithm first chooses two pairs of hashing keys and collision trapdoors of the chameleon encryption scheme, k1, t1, and k2, key2. We will associate k1 with the first layer of this tree and k2 with the second layer of this tree. Then we'll compute a hash value h as a hash value of the all-zero string. And we'll write this hash value h into the root. And that's already it. k1 and k2 defines our master public key. The master secret key is given by the corresponding private values, namely the collision trapdoors t1 and t2, and the randomness are used to compute this hash value. Now let's see how key generation works. Say we want to generate a key for the identity 1, 1. In general, we will associate identities with root-to-leaf paths. So the identity 1, 1 goes first left, first left. The identity 1, 0 would go first left, or sorry, first right, then left. So identity keys will be tied to root-to-leaf paths. At first, we'll generate a hash value h0 for this slot here, also as a hash value of 0, and a hash value h1, also as a hash value of 1. So what I would like now is that h is actually the hash value of a concatenation of h0 and h1. But right now, h is the hash value of an all-zero string. So what I'm going to do is I'm using this collision magic of chameleon hash functions. I'm using the collision trapdoor to program h to be the hash value of h0 concatenated h1. Of course, in the process, I'll have to use a new randomness r prime. But under this randomness r prime, h is identical to the hash value of h0 concatenated with h1 under k1. So let's go further. Next thing, I'm going to generate two pairs of public and secret keys for my public key encryption scheme using the algorithm key j. Call the public keys ek10 and ek11. And I'm going to write these two encryption keys into these leaves. For now, I'm going to remember the decryption key dk11. And I'm proceeding as before. I want h1 to be the hash value of ek10 concatenated with ek11. And to do so, I'm going to use the collision magic of my chameleon hash function. And after I found this new random term r1 prime, I actually have the guarantee that h1 is the hash value of ek10 concatenated with ek11. And that's already it. Now I have a identity secret key. This identity secret key consists of h0, h1, and r prime, as well as ek10, ek11, and r1 prime. So it consists of basically all the data along the route to leave path of this tree, plus, additionally, the decryption key dk11. That's how key generation proceeds. Now let's look into encryption and decryption. And to turn this into a working IBE scheme, I need an additional ingredient, namely Yawos garbled circuits. So a garbling scheme consists of an algorithm garble, which takes as input a circuit C and outputs a garbling C tilde of this circuit and a set of labels lab. We also ask for a input garbling function, which takes as an input x and the labels lab and computes a garbled input x tilde. In the case of Yawos garbled circuit, this garbled input function is really simple. Namely, each input wire of this circuit is associated with two labels. And if you want to encode such an x, we will just choose the late for the first, say for the first wire, we will choose the label corresponding to the first bit of x. For the second wire, we'll choose the label corresponding to the second bit of x and so forth. Now, we need a method to evaluate these garbled circuits. This is usually called an eval function, which takes as input a garbled circuit C tilde and garbled inputs. And we require this correctness property that the output of this eval function is identical to what the circuit evaluated on these plain inputs would have produced. In terms of security, we require that C tilde, x tilde, and y tilde, in this case, tell the evaluator nothing more than the result or the output of this circuit, C of x and y. So to simplify the notation on the following slides a little bit, let me introduce two additional functions we don't introduce them in the paper. I'll just introduce them here for a cleaner write up on my slides. Say Alice knows a hash value h and a set of labels, LB, IB. We want to encrypt each label under the key k, the hash value h, and the bit IB. So we want to encrypt LB, IB using index i and bit B in the chameleon encryption. And as a shorthand, I introduce the notion batch encrypts of k, h, and lab for this. So this ciphertext is passed on to the decryptor, who can now use his pre-image and the randomness r to decrypt the encrypted label lixi, namely the labels corresponding to the string x. And this is via definition of the garbled input function in Yaw scheme precisely the garbling of input x under the labels lab. And for this function, I'm going to introduce this shorthand batch decryption of k, x, r, and l. OK. And now we can dive into the encryption algorithm. First, let's, again, draw our binary tree with the master public key here. To encrypt a message m under the master public key and the identity 1, 1, we will first take a circuit t, hardwire a message m into this circuit, and this circuit receives as inputs an encryption key ek 1, 0, and an encryption key ek 1, 1, and outputs an encryption of m under this key ek 1, 1. And what we're going to do with this circuit t, m, is we are going to garble it. And the output of this garbling will be a garbled circuit t tilly and labels lab 1. So we haven't used the master public key at this point. In the next step, we'll take a second circuit p, which has as hardwired input labels lab 1 and takes its input to hash values h0 and h1 and computes as output encrypted labels l1, which is the batch encryption of the labels lab 1 under k2 and the hash value h1. So we take this circuit, we hardwire lab 1 into it, and now we garble it. And the output we call p tilly and lab. And finally, we just take these labels lab and encrypt them under the hash value h, which is provided to us in the master public key. So this hash value h comes from the master public key, and we can use it to batch encrypt these labels and call that l. So that's our ciphertext. The ciphertext consists of l, p tilly, and t tilly. Now let's get into decryption. And first thing we need for decryption is the user or identity secret key. So let's write it back into our tree, h0, h1, and r prime, as well as ek10, ek11, and r1 prime, and the decryption key, dk11. We also need the ciphertext, so let's write down that as well, l, p tilly, and t tilly. And to make the decryption things a little, let me remove the tree and rearrange these terms a little. So now we have the terms that come from the user secret key on the left side and the ciphertext terms on the right side. Now let's see how decryption works and why it works. So if l, p tilly, t tilly is a correctly formed ciphertext, then we know that l is a batch encryption of lab under the hashing key k1 and the hash value h. So as a first step, let's just batch decrypt l using h0, h1, and r prime as a decryption key. Here, and by the correctness of our chameleon encryption scheme, this is actually identical to the garbling of input h0, concatenated h1 under the label's lab. Let's continue. Now we have garbled inputs and we have a garbled circuit. So the obvious thing to do is to evaluate p tilly on x tilly, and the result is some output l1. But since we've evaluated this by the correctness of the garbling scheme, we've just evaluated this circuit p here. So the output l1 is actually identical to the batch encryption of lab one under k2 and h1. Let's proceed. Now we have a batch encryption. The obvious thing to do is to decrypt it using this hash pre-image of h1. And let's call the result x1. But by the correctness of the chameleon encryption scheme, this again corresponds to the garbling of the input ek10, concatenated with ek11. And as a final step, let's evaluate the garbled circuit t tilly on x1 tilly. But by the correctness of this garbled circuit, this ct, which is output by t tilly, is identical to the encryption of m under ek11. And in a final step, we can just use the dk11 to decrypt the ciphertext ct and obtain the message m. So let me wrap up. I've showed you the first identity-based encryption scheme from the computational Dithy-Hellman assumption without pairings. The magic ingredient that we used to circumvent black box impossibility were garbled circuits. In particular, we evaluated encryption functions inside garbled circuits. And as a final open problem, let me just ask, can we realize other advanced public key encryption schemes under the Dithy-Hellman assumption, maybe using similar techniques? Thank you for your attention.