Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

Description:

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai – PowerPoint PPT presentation

Number of Views:343
Avg rating:3.0/5.0
Slides: 30
Provided by: cryptoRdF
Category:

less

Transcript and Presenter's Notes

Title: Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption


1
Fully Secure Functional Encryption
Attribute-Based Encryption and (Hierarchical)
Inner Product Encryption
Allison Lewko
Tatsuaki Okamoto
Amit Sahai
The University of Texas at Austin
NTT
UCLA
Katsuyuki Takashima
Brent Waters
Mitsubishi Electric
The University of Texas at Austin
2
Functional Encryption
  • Functionality f(x,y) specifies what will be
    learned about ciphertext

y
3
Application
Who should be able to read my data?
access policy
4
Attribute-Based Encryption SW05
Ciphertexts associated with access formulas
(A Ç B) Æ C
Secret Keys associated with attributes
A, C
Decryption
A, C satisfies (AÇB)ÆC
A, C
Message
(A Ç B) Æ C
5
ABE Example
OR
AND
AND
Medical researcher
Company X
Doctor
Hospital Y
Doctor, Hospital Z
Nurse, Hospital Y
6
ABE Algorithms
  • Setup (, U)
  • Encrypt(PP, M, Access formula)
  • KeyGen(PP, MSK, Set of attributes)
  • Decrypt(PP, SK, CT) M

7
Security Definition (ABE) IND-CPA GM84
Setup Phase
Key Query Phase I
Challenge Phase
Key Query Phase II
Challenger
Attacker
S1
S1
S2
Si set of attributes
S2
M0, M1, access policy A
Enc(Mb, A, PP)
Same as Phase I in both phases, no queried Si
can satisfy A
Attacker must guess b
8
Proving Security
?
Hard problem
Hard problem
ABE
ABE attacker
Simulator
breaks ABE
9
Challenges in Proving Security
Simulator must
  • respond to key requests
  • leverage attackers success on challenge

10
Partitioning
Previous approach for IBE Partitioning BF01,
BB04, W05
Key Space
We hope
Key Request
Key Requests
Key Request
Key Request
Abort
Challenge
Challenge
Abort
Challenge
11
Partitioning with More Structure
ID0
HIBE
ID0ID1
ID0ID2
ID0ID1ID3
ID0ID2ID4
ID0ID2ID5
Exponential security degradation in depth
ABE
( A Ç B Ç C) Æ (A Ç D)
Exponential security degradation in formula
length
12
Previous Solutions
Selective Security Model
  • Attacker declares challenge before seeing Public
    Parameters
  • A weaker model of security
  • To go to standard model by guessing gt
    exponential loss

Until recently, only results were in this model
Exception Fully secure HIBE with polynomially
many levels G06, GH09
13
Dual System Encryption W09
  • New methodology for proving full security
  • No partitioning, no aborts
  • Simulator prepared to make any key and use any
    key as the challenge

14
Dual System Encryption
Normal
Semi-Functional
Used in real system
?
?
Normal
?
Semi-Functional
Types are indistinguishable (with a caveat)
15
Hybrid Security Proof
Normal keys and ciphertext
Normal keys, S.F. ciphertext
S.F. ciphertext, keys turn S.F. one by one
Security now much easier to prove
16
Previously on Dual System Encryption
  • W09 Fully secure IBE and HIBE
  • LW10 Fully secure HIBE with short CTs
  • negligible correctness error
  • ciphertext size linear in depth of hierarchy
  • no correctness error
  • CT constant group elements
  • closely resembles selectively secure scheme
    BBG05

17
Our Results - ABE
  • Fully secure ABE
  • arbitrary monotone access formulas
  • security proven from static assumptions
  • closely resembles selectively secure
  • schemes GPSW06, W08

18
ABE Solution Framework
  • G a bilinear group of order N p1p2p3

e G G ! GT is a bilinear map
Subgroups Gp1, Gp2, Gp3 orthogonal under e,
e.g. e(Gp1, Gp2) 1
Gp1 main scheme
Gp1
Gp2 semi-functional space
Gp3
Gp2
Gp3 randomization for keys
19
ABE Solution Framework
Gp1
Gp2
Gp3
Normal
S.F.
Decryption Key paired with CT under e
Normal
S.F.
20
Technical Challenge
  • Achieve nominal semi-functionality LW10
  • S.F. key and S.F. CT correlated
  • - decryption works in simulators view
  • regular S.F. key in attackers view

simulator cant test for S.F.
21
Key Technique
  • Semi-functional space imitates the main scheme
  • Linear Secret Sharing Scheme shares
    reconstructed in parallel in Gp1 and Gp2

shares
shares
secret
secret
Regular s.f. red secret is random, masks blue
result
Nominal s.f. red secret is 0, wont hinder
decryption
22
Key Technique
Attacker doesnt have key capable of decrypting
Attacker cant distinguish nominal from regular
s.f.
Oh no! I was fooled!
Value shared in s.f. space is info-theoretically
hidden
23
Illustrative Example
?
shared value x
AND
A
B
?
share z
share x-z
A
24
Technical Challenge
  • Hiding the shared value in the CT
  • blinding factors linked to attributes
  • Ciphertext elements are of the form

share
blinding
share
blinding
g1a1 z1r1 g22 z2r2 g1r1g2r2

random
random
where g1 2 Gp1 g2 2 Gp2
Attributes can only be used once in the formula
25
Encoding Solution
Example To use an attribute A up to 4 times
A
A1
A2
A3
A4
(A Æ B) Ç (A Æ C) becomes (A1 Æ B) Ç (A2 Æ C)
max times used fixed at setup
It would be better to get rid of the one-use
restriction
Open problem
26
Summary of ABE result
  • Full security ABE
  • Static assumptions
  • Similar to selectively secure schemes

27
Inner Product Encryption KSW08
Ciphertexts and secret keys associated with
vectors
x
v
Decryption
if x v 0
Message
x
v
Advantage ciphertext policy can be hidden
28
Coming Attractions
  • Stay tuned for CRYPTO 2010
  • full security for Inner Product/ Attribute-Based
    Encryption from decisional Linear Assumption
  • by Okamoto and Takashima

29
Questions?
Write a Comment
User Comments (0)
About PowerShow.com