Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys!...
Transcript of Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys!...
![Page 1: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/1.jpg)
Dual System Encryption:Realizing IBE and HIBE from Simple Assumptions
Brent Waters
![Page 2: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/2.jpg)
2
Identity-Based Encryption [S84,BF01,C01]
Public Params MSK
ID’
ID
Authority
Decrypt iff ID’ = ID
![Page 3: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/3.jpg)
IBE Security [BF01]
Challenger
M0, M1, ID*
≠ IDi (challenge ID)
Attacker
Public Params
ID1
ID1
…IDQ
IDQ
b Enc(Mb , PP, ID*)
b’
Adv = Pr[b’=b] -1/2
![Page 4: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/4.jpg)
IBE Security Proofs
�“Partitioning” [BF01, C01, CHK03, BB04, W05]
Simulator
Challenge Space
ID Space
Priv. Key Space
�2 Goals:
�Answer Attacker Queries
�Use Attacker Response
Attacker
![Page 5: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/5.jpg)
Partitioning and Aborts
SimulatorID Space
Priv. Key Space Challenge
Space
ID1
ID2…
…
IDQ
ID* (challenge ID)�
Attacker
Abort andtry again
![Page 6: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/6.jpg)
Finding a Balance
Simulator
Challenge Space
ID Space
Priv. Key Space
�Aborts effect security loss
� Challenge Space -> “right size”
�C.S. = 1/Q (for Q queries ) => 1/Q no abort
![Page 7: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/7.jpg)
Structure gives problems!
�Hierarchical IBE
�Q queries per HIBE level => (1/Q)depth loss
�Attribute-Based Encryption similar
:edu:gov
Partitioning won’t work!
![Page 8: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/8.jpg)
The Gentry Approach [G06,GH09]
�Ready for both
�Shove degree Q poly into Short params =>
Complex Assumption
![Page 9: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/9.jpg)
Our Results
�IBE (w/ short parameters)
�HIBE
�Broadcast Encryption
�Full Security
�Simple Assumption: Decision Linear
Given: g, u, v, ga , ub, Dist: va+b from R
![Page 10: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/10.jpg)
Dual System Encryption
�2 types of Keys & CTs
IDNormal
IDSemi-Functional
ID
Normal Semi-FunctionalUsed in real system
�
ID
��
�Types are indist. (with a caveat)
![Page 11: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/11.jpg)
Principles
Simulator
�No aborts
�Change things slowly
�Hybrid over keys form
�Goal: Everything Semi Functional
I’m ready for anything!
![Page 12: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/12.jpg)
Proof Overview – 3 Steps
Simulator
1) Challenge CT � Semi Func.
2) Keys � Semi. Func. (one at a time!!)
3) Argue Security
ID1
ID2
…
IDQ
ID*
ID1
ID2
IDQ
ID
![Page 13: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/13.jpg)
Problem: Simulator can test keys!
Simulator
�Create S.F. CT for “Bob” and unknown key for “Bob”
�Decryption works iff key is normal
“Bob”
?
“Bob”
![Page 14: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/14.jpg)
Resolution: Tweak Semantics
�Add “tags” tc , tk to C.T. and Key
�Decrypt iff IDc = IDk AND tc ≠ tk
�Negl. correctness error (can patch)
�SW08 revocation
IDc , tc IDK , tK
![Page 15: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/15.jpg)
Problem: Simulator can test keys!
Simulator
�Sim. Picks A, B 2 Zp : F(ID) = A ¢ ID + B
�Challenge CT and unknown key tags � F(ID)
“Bob” , tk =x
?
“Bob” , tc =x
�Dec. Fails regardless of Semi Functionality!
�2 different IDs look independent
�Hybrid � simple assumption
![Page 16: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/16.jpg)
How it is built
�Subgroup version N= p1 p2 p3
IDNormal
ID
IDNormal
S.F.
IDS.F.
p2p1 p3
![Page 17: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/17.jpg)
Glimpse of Subgroup Construction
Setup:
�Similarities to Boneh-Boyen04
�D. Linear same concepts, more messy
KeyGen(ID):
Encrypt(ID,M):
![Page 18: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/18.jpg)
Conclusions and Speculation
�Dual Encryption: Change Forms First!
�One by one � Small Assumptions
� HIBE, B.E. became easier
�Prediction: ABE + Functional Enc.
�Need new techniques
�Prediction: Simple Assumptions & Full Security
![Page 19: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/19.jpg)
Dual Interpretation
Selective Security + Assumptions were bad
�Not ultimately necessary
Interpretation 1:
They lead us in the right directions
�Full secure schemes “look like” selective
�Gentry06 beyond partitioning
Alternative:
![Page 20: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/20.jpg)
20
Thank you
![Page 21: Dual System Encryption · SW08 revocation ID c, t c ID K, t K. Problem: Simulator can test keys! Simulator Sim. Picks A, B 2Zp: F(ID) = A ¢ID + B Challenge CT and unknown key tags](https://reader033.fdocuments.in/reader033/viewer/2022052105/60400fa7e205c25ac551fb92/html5/thumbnails/21.jpg)
The Gentry Approach [G06,GH09]
�Ready for both
�Simulator 1-key per identity – always looks good
�Shove degree Q poly into Short params =>
Complex Assumption