Fully Secure Functional Encryption: Attribute-Based Encryption and
(Hierarchical) Inner Product Encryption
Allison Lewko, The University of Texas at Austin
Tatsuaki Okamoto, NTT
Amit Sahai, UCLA
Katsuyuki Takashima, Mitsubishi Electric
Brent Waters, The University of Texas at Austin
Functional Encryption
• Functionality f(x,y) – specifies what will be learned about ciphertext
xy
Application
Who should be able to read my data?
access policy
Attribute-Based Encryption [SW05]
Ciphertexts: associated with access formulas, e.g. (A ∨ B) ∧ C
Secret Keys: associated with attributes, e.g. {A, C}
Decryption: {A, C} satisfies (A ∨ B) ∧ C → Message
ABE Example
Medical researcher
OR
Doctor
AND
Hospital Y
AND
Company X
{Doctor, Hospital Z} {Nurse, Hospital Y}
ABE Algorithms
MSK, Public Params
Security Definition (ABE) [IND-CPA GM84]
Parties: Challenger, Attacker
Public Params, MSK
Phases: Setup Phase, Key Query Phase I, Challenge Phase, Key Query Phase II
Key queries: S1, S2
Attacker must guess b
Si : set of attributes
Proving Security
[Diagram: Hard problem, Simulator, ABE attacker (breaks ABE)]
Challenges in Proving Security
Simulator must:
• respond to key requests
• leverage attacker’s success on challenge
Partitioning
Previous approach for IBE – Partitioning [BF01, BB04, W05]
Key Space
Challenge
Key Requests
We hope:
Key Request
Key Request
Challenge
Key Request Abort
Challenge Abort
Partitioning with More Structure
ID0
ID0:ID1 ID0:ID2
ID0:ID1:ID3 ID0:ID2:ID4 ID0:ID2:ID5
HIBE:
Exponential security degradation in depth
ABE: (A ∨ B ∨ C) ∧ (A ∨ D) …
Exponential security degradation in formula length
Previous Solutions
Selective Security Model:
• Attacker declares challenge before seeing Public Parameters
• A weaker model of security
• Going to the standard model by guessing → exponential loss
Until recently, the only results were in this model
Exception: Fully secure HIBE with polynomially many levels [G06, GH09]
Dual System Encryption [W09]
• New methodology for proving full security
• No partitioning, no aborts
• Simulator prepared to make any key and use any key as the challenge
Dual System Encryption
Normal
Semi-Functional
Normal, Semi-Functional
Used in real system
Types are indistinguishable (with a caveat)
Hybrid Security Proof
Normal keys and ciphertext
Normal keys, S.F. ciphertext
S.F. ciphertext, keys turn S.F. one by one
Security now much easier to prove
Previously on Dual System Encryption…
• [W09] Fully secure IBE and HIBE
  • negligible correctness error
  • ciphertext size linear in depth of hierarchy
• [LW10] Fully secure HIBE with short CTs
  • no correctness error
  • CT = constant # group elements
  • closely resembles selectively secure scheme [BBG05]
Our Results - ABE
• Fully secure ABE
  • arbitrary monotone access formulas
  • security proven from static assumptions
  • closely resembles selectively secure schemes [GPSW06, W08]
ABE – Solution Framework
$G$ = a bilinear group of order $N = p_1 p_2 p_3$
$e: G \times G \to G_T$ is a bilinear map
Subgroups $G_{p_1}$, $G_{p_2}$, $G_{p_3}$ – orthogonal under $e$, e.g. $e(G_{p_1}, G_{p_2}) = 1$
$G_{p_1}$ = main scheme
$G_{p_2}$ = semi-functional space
$G_{p_3}$ = randomization for keys
ABE – Solution Framework
[Figure: Normal and S.F. keys and ciphertexts, with components in Gp1, Gp2 and Gp3]
Decryption: Key paired with CT under e
Technical Challenge
• Achieve nominal semi-functionality: [LW10]
  • S.F. key and S.F. CT correlated - decryption works in simulator’s view
  • regular S.F. key in attacker’s view
• simulator can’t test for S.F.
Key Technique
• Semi-functional space imitates the main scheme
• Linear Secret Sharing Scheme: shares reconstructed in parallel in Gp1 and Gp2
Regular s.f.: red secret is random, masks blue result
Nominal s.f.: red secret is 0, won’t hinder decryption
[Figure: shares and secret, shown once per subgroup]
Key Technique
Attacker doesn’t have key capable of decrypting
Attacker can’t distinguish nominal from regular s.f.
Oh no! I was fooled!
Value shared in s.f. space is info-theoretically hidden
Illustrative Example
AND
shared value = x
A: share = z    B: share = x − z
{A}
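The Key Technique and Illustrative Example slides, as an added sketch that is not code from the talk or the paper: it models only the exponents modulo a constructed prime `P` (no bilinear group), and the names `share`, `reconstruct` and `decrypt_exponent` are hypothetical.

```python
import secrets

P = 2**61 - 1  # constructed prime modulus standing in for a subgroup order

def share(node, value, out=None):
    """Split value over a formula tree (leaves are attribute names).
    AND: children get additive shares; OR: each child gets the value."""
    out = {} if out is None else out
    if isinstance(node, str):
        out[node] = value  # one-use: an attribute labels a single leaf
        return out
    op, *kids = node
    if op == "OR":
        parts = [value] * len(kids)
    else:
        parts = [secrets.randbelow(P) for _ in kids[:-1]]
        parts.append((value - sum(parts)) % P)
    for kid, part in zip(kids, parts):
        share(kid, part, out)
    return out

def reconstruct(node, shares, attrs):
    """Value shared at node, or None if attrs do not satisfy it."""
    if isinstance(node, str):
        return shares[node] if node in attrs else None
    op, *kids = node
    vals = [reconstruct(kid, shares, attrs) for kid in kids]
    if op == "OR":
        return next((v for v in vals if v is not None), None)
    return None if None in vals else sum(vals) % P

def decrypt_exponent(formula, blue, red, attrs):
    """Reconstruct in parallel in the main (blue) and semi-functional
    (red) spaces; the red result lands on top of the blue one."""
    b = reconstruct(formula, share(formula, blue), attrs)
    r = reconstruct(formula, share(formula, red), attrs)
    return None if b is None else (b + r) % P

FORMULA = ("AND", "A", "B")  # the slide's example: shares z and x - z

def demo():
    blue = 1234                            # constructed sample value
    red = 1 + secrets.randbelow(P - 1)     # regular s.f.: random, nonzero
    nominal = decrypt_exponent(FORMULA, blue, 0, {"A", "B"})
    regular = decrypt_exponent(FORMULA, blue, red, {"A", "B"})
    lone_a = decrypt_exponent(FORMULA, blue, red, {"A"})
    # {A} alone holds only the uniform share z, so x stays hidden.
    return nominal == blue, regular != blue, lone_a is None
```

With red secret 0 the authorized result is unchanged, with a random red secret it is masked, and a holder of {A} alone reconstructs nothing in either space.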
Technical Challenge
• Hiding the shared value in the CT:
  • blinding factors linked to attributes
• Ciphertext elements are of the form:
  $g_1^{a\delta_1 + z_1 r_1}\, g_2^{\delta_2 + z_2 r_2}$, $g_1^{r_1} g_2^{r_2}$
  where $g_1 \in G_{p_1}$, $g_2 \in G_{p_2}$
  (in each subgroup: share, blinding, random)
Attributes can only be used once in the formula
Encoding Solution
Example: To use an attribute A up to 4 times :
A → A:1, A:2, A:3, A:4
(A ∧ B) ∨ (A ∧ C) becomes (A:1 ∧ B) ∨ (A:2 ∧ C)
max times used fixed at setup
It would be better to get rid of the one-use restriction
Open problem
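The encoding above, as an added sketch that is not code from the talk or the paper: it numbers every attribute uniformly (the slide numbers only the repeated one) and assumes a key for attribute X is issued for all copies X:1 … X:kmax; the function names are hypothetical.

```python
from collections import Counter
from itertools import combinations

def encode_formula(node, kmax, seen=None):
    """Rewrite the i-th occurrence of attribute X as X:i, left to right."""
    seen = Counter() if seen is None else seen
    if isinstance(node, str):
        seen[node] += 1
        if seen[node] > kmax:  # kmax is fixed at setup
            raise ValueError(f"{node} used more than {kmax} times")
        return f"{node}:{seen[node]}"
    op, *kids = node
    return (op, *[encode_formula(kid, kmax, seen) for kid in kids])

def encode_key(attrs, kmax):
    """Assumption: a key for X covers every copy X:1..X:kmax."""
    return {f"{a}:{i}" for a in attrs for i in range(1, kmax + 1)}

def leaves(node):
    if isinstance(node, str):
        return [node]
    return [leaf for kid in node[1:] for leaf in leaves(kid)]

def one_use(node):
    """True if no attribute labels more than one leaf."""
    found = leaves(node)
    return len(found) == len(set(found))

def satisfies(node, attrs):
    if isinstance(node, str):
        return node in attrs
    op, *kids = node
    results = [satisfies(kid, attrs) for kid in kids]
    return any(results) if op == "OR" else all(results)

def equivalent(formula, kmax):
    """Check every attribute subset: the encoding must not change access."""
    names = sorted(set(leaves(formula)))
    encoded = encode_formula(formula, kmax)
    for n in range(len(names) + 1):
        for subset in combinations(names, n):
            before = satisfies(formula, set(subset))
            after = satisfies(encoded, encode_key(subset, kmax))
            if before != after:
                return False
    return True
```

The cost is visible in `encode_key`: every key grows by a factor of kmax, which is why the slide calls removing the one-use restriction an open problem.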
Summary of ABE result
• Full security ABE
• Static assumptions
• Similar to selectively secure schemes
Inner Product Encryption [KSW08]
Ciphertexts and secret keys: associated with vectors
Vectors: x, v
Decryption: if x · v = 0 → Message
Advantage: ciphertext policy can be hidden
Coming Attractions
• Stay tuned for CRYPTO 2010:
• full security for Inner Product/ Attribute-Based Encryption from decisional Linear Assumption
• by Okamoto and Takashima
Questions?