Cryptology ePrint Archive: Report 2021/222

Quantum-safe HIBE: does it cost a Latte?

Raymond K. Zhao and Sarah McCarthy and Ron Steinfeld and Amin Sakzad and Máire O’Neill

Abstract: In addition to providing quantum-safe traditional PKI, lattices support advanced primitives such as identity-based encryption (IBE). These schemes have shown promising results in terms of practicality, but still have disadvantages such as the reliance on a single master key. Hierarchical identity-based encryption (HIBE) schemes address this problem, as well as lending themselves to more realistic organisational structures. To date, several HIBE schemes over lattices have been proposed but there has been little in the way of practical evaluation.

This paper provides the first complete C implementation and benchmarking of Latte, a promising HIBE scheme proposed by the United Kingdom (UK) The National Cyber Security Centre (NCSC) in 2017 and endorsed by European Telecommunications Standards Institute (ETSI). We also propose further optimisations for the KeyGen, Delegate, and sampling components of Latte. As expected, the KeyGen, Extract, and Delegate components are the most time consuming, with Extract experiencing a 35% decrease in op/s from the first to second hierarchical level at 80-bit security. Our optimised implementation of the Delegate function takes 1 second at this security level on a desktop machine at 4.2GHz, significantly faster than the order of minutes estimated in the ETSI technical report. Furthermore, our optimised Latte Encrypt/Decrypt implementation reaches speeds up to 4.6x faster than the ETSI implementation.

Category / Keywords: implementation / lattice-based cryptography, hierarchical identity-based encryption, advanced primitives, software design

Date: received 27 Feb 2021

Contact author: raymond zhao at monash edu

Available format(s): PDF | BibTeX Citation

Version: 20210302:202612 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]