 Hi everyone, I'll be talking about master key KDM secure identity-based encryption from bearings This is a joint work with Sanjam garg and Mohammed Agiabadi First, let me give you some context on KDM security key-dependent message consider a public encryption scheme and An encryption of a message M the security of the public encryption scheme guarantees that The message the plain text M is hidden as long as the secret key is not revealed But now consider the message The secret key itself Then to hide the secret key You need to rely on the security of the public encryption scheme and to argue security of the scheme You need The secret key to be hidden in the first place So there is a circular issue here And in fact in in general, it's not clear If whether semantic security of public encryption implies key dependent message security where In general the message can depend on the secret key So the adversary can choose a function and gets an encryption of the function applied on the secret key And security should still hold even in the presence of such encryption So this Setting can appear a little bit artificial maybe at first sight, but in fact it It arises in many different settings Example would be fully homomorphic encryption where which uses Gentry's bootstrapping Where a homomorphic encryption encrypts its own secret key, but it's also used In many other places such as function secret sharing or it's used to build designated verifier non-interactive zero-knowledge proofs or even in very recent IE constructions Let me present you the state of the art for key dependent message security of encryption The first important results Will be an amplification to RM that says that to achieve KDM security For any function described by a bounded south circuit It is sufficient to prove KDM security for much-respected castle function namely affine functions And it turns out There exists some KDM secure chosen plain Secure encryption scheme for affine functions And in fact, you can build it from pretty much any Assumption that is public encryption such as DDH LWE Quadrature quesitivity LPN CDH In the case of KDM chosen plain text attack is well understood It's pretty much solved But how about chosen cipher text attack Which is a defect to security notion for encryption and because it captures in particular man in the middle attacks CCN KDM encryption is much harder to get This has been solved by Kame Nishital Which builds KDM CCA secure encryption scheme from any KDM CPA secure plus an IZK That relies on the norium paradigm But this comes at the use of extra assumption and IZK Then it's hope finds builds Directly from pairings KDM CCA secure encryption, which is simpler and more efficient But still the pairings is a qualitatively stronger assumption. That's what's needed for public key encryption for KDM CPA public encryption So Kitagawa and Tanaka in 2018 showed that any CCA in CCA encryption that relies on hash proof system That can be built from DDH QR or decisional composite residuosity And which are similar assumption that what's needed for KDM CPA encryption all of this can be Upgraded to KDM CCA All right, and later on Kitagawa and Matsuda showed that in fact KDM CPA encryption KDM CCA encryptions are equivalent Which is remarkable Because this is not known to be true in the ined CPA For in CPA in CCA encryption. This is true in the KDM world So all of this to say that the situation for KDM secure Public key encryption is Well understood the case is pretty much solved even though for KDM CCA encryption it took much longer and it was more challenging So now the question is What about KDM security for more advanced encryption schemes? in fact the example I gave such as fully homomorphic encryption require a circular security of More advanced encryption scheme than simple vanilla public key encryption Our contribution to answer this question Tackles the case of identity-based encryption Which is one of the simplest non-trivial generalization of public key encryption? It's fairly well understood. In fact, you can build identity-based encryption from all of these assumptions that give public key encryption It's a natural starting point to answer this question Let me recall briefly what identity-based encryption is Essentially identity-based encryption is a public key encryption where any bit string can serve as the public key So there are some public parameters in the sky and with this Anybody can encrypt a message under some identity which could be for example an email address and that serves as a public key and and Users receive specific secret key which are called user secret key and which depend on their identity and with this Users are able to decrypt a message as long as the identity match Hearing and if the identity don't match the user secret key should not reveal anything about the encrypted message So these users secret key are generated from a so-called master secret key That is built by a trusted third party In fact security even if an adversary gets access to many users secret key as long as none of the Corrupted secret key can decrypt the ciphertext This is standard security for identity-based encryption The only known results Secure identity-based encryption From standard assumption is by Alperin, Sheriff and Picard and They consider a setting where in addition to user secret keys The adversary gets access to encryption of messages that are functions of user secret keys chosen by the adversary and They build this from LWE This is an interesting first step, but in fact it fails to capture some application in particular a One interesting application of IABE is to get CCA secure public encryption by the CHK transform And in fact this notion of KDM security doesn't allow to obtain KDM CCA secure encryption So a stronger notion is master key KDM security Which is essentially the same except now the adversary can get access to Encryptions of messages that are functions on the master secret key and not the user secret key and that turns out to be sufficient To apply the CHK transform among other things This is a more desirable and a stronger KDM security notion and this is what we achieve in our work We build this from standard assumption in pairing groups so first I'll Recall briefly how the KDM CPA encryption of BHHO works Because this is on a building block for our construction And it relies on the DDH assumption and then I'm gonna show that is actually BHHO techniques are compatible with a some identity-based encryption that rely on pairings that Use the dual system encryption methodology introduced by Wethers and in fact Combining this to is possible, but it's not enough to get KDM identity-based encryption And I'll show you in the last step how to actually get The result we want All right, so let's see how the KDM CPA encryption of BHHO looks like so We'll be using a primer group generated by a little G and For now think of the secret key as just a random vector of exponent And the public contains a random vector of group elements G to the A here and also The inner product of this G to the A with K in the exponent Which is just one group element to encrypt One samples a random exponent R and computes a randomized Variants of the public key. So this is gonna be G to the A times R. I just exponentiated the vector here and The key encapsulation here will also be just a randomized version of that and this is multiplied by a Message that is a group element So to decrypt it is simple you just use the secret key and Multiply it with the header of the ciphertext here to get the encapsulation key and recover the message So far so good There is a problem though If we want to get KDM security that means the message is gonna be a fine function on the secret key However, there is a mismatch between the ciphertext space, which is a group element and the secret key space which is exponents And also to apply the amplification results that I mentioned what we want is actually on a fine function on the Binary decomposition on the bits description of the secret key So the way BHHO solves this issue is by taking a secret key to be a vector of group elements G to the K instead of exponents But still to decrypt one needs to recover K the vector of exponents So to solve this dilemma BHHO Sets the vector K to be a bit string So that it's actually efficient To brute force the then get the discrete logarithm of G to the K So that decryption is efficient Of course, as I mentioned Needs to be taken appropriately large so that there is enough entropy in the secret key to ensure security So now let me show you the in the techniques used to prove in CPA security of the scheme even before going into KDM security So security will rely on a computational assumption, which is DDH and which Says that it is hard to distinguish a random vector That is proportional to G to the A Right, so it's blue. It's in the span of G to the A. It's G to the A raised to some exponent from a uniformly random vector of group elements G to the U that does not lie in the span of G to the A All right, so these two things are computationally indistinguishable and now at this point of the proof We will rely on a statistical argument a Random vector K multiplied by a blue Vector is independent statistically from a random vector K multiplied by a Linearity independent Vector of group elements G to the U. So linear independence translates into statistical independence All right, and suppose who knows this is called a universal hash function and Now because this value here is completely independent from that value It can serve as a one-time pad and hide the message M. All right, this is roughly how the proof goes and Now suppose actually the message is of the form K times W plus gamma and a fine function of the key And now we'll use this G to the U and we'll shift it appropriately Just like this so that This basically removes the key component of the message And now we are back essentially to the previous setting of in CPA encryption Okay, so we will be using the same statistical argument To hide the message it's which is switched to zero This is what we obtain at this point. We want to switch back this red vector here G to the U Back to the span of a All right, the reason we do that is because we Want to basically move on after we've done the first challenge ciphertext So we have made this challenge ciphertext independent of the message and we want to keep doing this for many Chinese ciphertexts and every time we'll be using entropy from the secret key K and More precisely we'll be using the projection of K under the red the red space So to do that and to use it as a one-time pad we need to switch back every type of text Back to the blue space here. All right But the the header of the ciphertext will still be in the red subspace That means it is still not in the span of a G to the a Right, and this is because we have performed this switch which was necessary to prove KDM security So as I said, then we move on to the next Chinese ciphertext and repeat the exact same argument Right using chance and so on and so forth so now I'm gonna give I'm gonna explain exactly the same proof again, but in a much higher level view So that was a little bit technical now I'm just gonna abstract away most of the details and I'm gonna repeat the proof So now for the sake of simplicity consider the secret key has two bit of entropy the blue bit and the red bit The public key allows to create ciphertext with the blue entropy Which contains a header and an encapsulation That hides the message which is a function of the secret key. So the proof we've just seen starts by Switching this ciphertext from the blue space to the red space using the DDH assumption and now the statistical Argument uses the entropy of the red space, which is not revealed by the public key To hide the message effort of SK as we have seen before Which back the encapsulation to the blue space and we move Ciphertext and so on and so forth. This is how the proof looks like Now let me show you that existing identity-based encryption from pairing Are compatible with the VHHO proof techniques in particular that is the case for IBE relying on the methodology that's called dual system encryption by Watters In this IBE We have now a secret key that's called a master secret key that Has before as two bits of entropy the blue bit the red bit public key allows users to compute ciphertext with blue bits of entropy and That are associated with identity The new technical novelty here is that the adversary not only gets to see the public key and the challenge ciphertext But also user secret keys Which in this IBE looks like this they are the master secret key Which contains the blue and the red bit of entropy plus a mask that lies in the blue subspace and now We want to do the same proof as VHHO, which first involves switching the ciphertext blue component to the red component using a subgroup membership assumption in our case DDH and So that is done in the current challenge ciphertext here and now The hope is to use the entropy from that red block to hide the message to act as a one-time bad But now the statistical argument that was used before doesn't hold in particular because the user secret key Partially reveals some information about this red entropy. They contain the red entropy bit of the master secret key So that doesn't hold anymore We'll solve this technical challenge using dual system encryption methodology Which consists of first a switching one by one the user secret key From so we'll switch this This block from blue to red Again using a computational assumption So we'll have two computational assumption one in the ciphertext space and one in the secret key space So technically the ciphertext will belong to a group G1 secret key will belong to group G2 both of which are prime order and There will be combined using what's called a pairing Which goes from G1 to G2 and ends up in the target group and It's possible to assume DHH in G1 and G2 All right, so this is what allows to switch from blue to red in our case and So once we've done that for a particular user secret key We will be using a statistical one-time argument that Uses the fact that the identity from this user secret key doesn't match The identity from the current challenge ciphertext. In fact, it should not If the identity match by correctness of the scheme, we should be able to recover the message And there would be no security So we need to use the fact that this identity don't match and this is where it's used This argument is one time this is important. It's um in the case of identity-based encryption It typically relies on pairwise independent hash function And it allows us to say that this red block this entropy is independent from that one and so this red entropy conserves as a mask for the Red entropy bit of the master secret key here. So what that does is Remove the red bit of entropy of the master secret key So now we have like a truncated user secret key That doesn't even decrypt correctly the challenge ciphertext. We are considering But that's okay. It was not supposed to decrypt it anyway because the identity don't match And of course as a sanity check this user secret key should still be able to decrypt correctly honestly generated ciphertext from the public key Right so to summarize and this is a core ideas of dual system encryption methodology There is two type of key of user secret key the full one That contains all the bits of entropy of msk that decrypts blue ciphertext and red one Which allows to switch from blue to red And there is no way to notice the difference and then there is a truncated User secret key which is technically called semi functional Which only decrypts correctly the honestly generated ciphertext, but not the challenge ciphertext all right So what are we done here was So after that we switch back the mask to the blue space. So we've done Effectively we've hidden completely the red entropy bit of the master secret key. We've removed it from the user secret key. All right And this will be done again for every user secret key one by one Right, so we'll just repeat the exact same argument And so on and so forth um At the end we'll essentially have removed the red component of all the user secret keys And now we can ignore them And perform the exact same bh ho proof as we've seen before now We can actually say this red block here will statistically hide the message And we're done We've well we are done for the first challenge cipher Now it seems like we have succeeded to build a master key kdm secure identity base encryption But in fact Let's be careful here. We'll we have only considered one challenge ciphertext And you may think oh well, let's just do a hybrid argument and do the exact same thing for all ciphertext one by one But in fact that doesn't work. We'll see why And also note that as opposed to the typical in cpa setting For which one challenge ciphertext implies many challenge ciphertext Generically using a hybrid argument. This is not the case for kdm security All right, one challenge ciphertext does not imply many challenge ciphertext So what goes wrong if to the second ciphertext? We'll do the same proof again. So it starts with the blue space and we want to turn it into Uh, like we were in a turn this blue boxes into red boxes using computational assumption But first If we want to be able to switch blue to red, this should not be noticed by the adversary In particular, if you have a user secret keys that's truncated semi functional, this is clearly noticeable So the first thing we do even before moving on to the second ciphertext It's to switch back all the user secret key to full mode All right, just by reverting the changes we've done before So we can do that And and now we can perform The same argument on the ciphertext. So we switch it to red and so on and so forth And now uh, we want to rely on this statistical argument that we've used before But it fails because this argument was one time and it only talks about one identity the identity of one user secret key And one challenge ciphertext And it fails because here If you look at the header of the ciphertext, there are many of them that are in the red subspace So in fact for this to work It would need to be an argument that taking takes into account Many challenge ciphertext. So we cannot use pairwise independence We need to use something stronger All right, so typical dual system encryption Uh, fundamentally fails for that reason that it does not take into account many challenge ciphertext At once All right, so the technical reason is the the header here cannot be switched back to blue Because of the shift I've showed you before. All right So we need to use another argument So as I've said our scheme uses a An argument that Handles all the ciphertext challenge ciphertext at once All right, and these borrows techniques from uh, how finds precaution tricks Uh, which actually achieves this in a different setting Namely, they achieve they they show techniques that handles many challenge ciphertext to get 90 secure identity based encryption where the security loss does not grow with the number of challenge ciphertext So these techniques Uh, we adapt and they were from a fairly different context and this is remarkable that it's useful and to achieve Uh, a different goal namely kdm security for identity based encryption This is the last, uh piece of Technical tools that we use to get master key kdm identity based encryption So to summarize we've built the first kdm secure identity based encryption which satisfies A master key kdm security where the adversary not only gets to see user secret keys But also encryptions of messages That are function of the master secret key Which is strong enough to capture applications such as chk transform to get kdm cca secure encryption And natural open problems include Building the same thing but from weaker assumptions such as cdh This is a legitimate question to ask since we know how to build identity based encryption from cdh And more generally interesting question include Uh, can we build kdm secure advanced encryption? For example homomorphic encryption from standard assumption Come to my talk. Thank you for your attention