Lattice Part 8: Identity-Based and Functional Encryption From Lattices

maocred@gmail.com (Halois) — Sun, 25 Aug 2024 21:00:08 +0800

Reading: Peikert’s survey is the right wide-angle backbone here because it keeps advanced lattice constructions on one trapdoor-and-sampling axis instead of letting IBE, ABE, and FE turn into unrelated acronyms.¹ Boneh-Shoup is useful for a second reason: it separates public-key encryption, identity-based encryption, attribute-based encryption, and functional encryption at the interface level before we even choose lattices.²

The only extra primitive beyond Parts 0-3 is GPV-style trapdoor sampling: a hidden short basis is not merely evidence for a hard relation; it is a usable interface for sampling short preimages.³ Once that interface exists, the next question is forced: can decryption authority be derived, specialized, or delegated instead of being one monolithic secret key?

That is the organizing mechanism of this chapter. IBE, HIBE, ABE, and FE are different answers to the same question: given a master trapdoor, what short secret material can we derive for a public label, a hierarchy path, an attribute policy, or a function key, and what exactly should that derived key be allowed to recover?⁴⁵⁶

IBE on As it was

Lattice Part 8: Identity-Based and Functional Encryption From Lattices