Compact Adaptively Secure ABE from -Lin: Beyond NC 1 and Towards NL - - PowerPoint PPT Presentation

Compact Adaptively Secure ABE from 𝑙-Lin: Beyond NC1 and Towards NL

Huijia (Rachel) Lin and Ji Luo

1 / 42

Attribute-Based Encryption [SW05]

Setup → mpk, msk KeyGen msk, 𝑔 → sk Enc mpk, 𝑦, 𝜈 → ct

𝑦, ct

policy attribute message

• Correctness. Learn 𝜈 if 𝑔 𝑦 ≠ 0

(sk is authorized)

sk

Compact: ct = 𝑃 𝑦 Expressive: 𝑔 ∈ powerful class of functions

Dec sk, 𝑔, ct, 𝑦 → 𝜈𝑔 𝑦

2 / 42

Attribute-Based Encryption [SW05]

Setup → mpk, msk KeyGen msk, 𝑔

𝑗 → sk𝑗

Enc mpk, 𝑦, 𝜈 → ct

𝑦, ct

• Security. Hide 𝜈 if 𝑔

𝑗 𝑦 = 0 for all 𝑗

(sk𝑗’s are unauthorized)

sk𝑗’s Message is hidden given arbitrary number of unauthorized keys.

Collusion Resistance

3 / 42

Adaptive IND-CPA Security

Exp𝑐

mpk 𝑔

𝑟

sk𝑔

𝑟

𝑔

𝑟

sk𝑔

𝑟

ct ← Enc 𝑦, 𝜈𝑐

if for all queried keys 𝑔

𝑟 𝑦 = 0, then Exp0 ≈ Exp1

𝑦, 𝜈0, 𝜈1

4 / 42

(Weaker) Selective IND-CPA Security

Exp𝑐

mpk 𝑔

𝑟

sk𝑔

𝑟

𝑔

𝑟

sk𝑔

𝑟

𝜈0, 𝜈1 ct ← Enc 𝑦, 𝜈𝑐

if for all queried keys 𝑔

𝑟 𝑦 = 0, then Exp0 ≈ Exp1

𝑦,

Adaptive Security

5 / 42

Challenging to have it all

Compactness: ct = 𝑃 𝑦 Adaptive Security Standard Assumptions

• Goal. Have it ALL for expressive classes of policies.

Previously, the largest class was 𝐎𝐃𝟐 [KW19].

Contribution 1. Extend to ABP.

Arithmetic Branching Programs ⊇ NC1, arithmetic computation over ℤ𝑞. NC1 and ABP are non-uniform: Each sk works with attribute of fixed length.

6 / 42

Challenging to have it all

the first ABE for uniform computation with all above

Contribution 2. L, NL * (log-space Turing machines)

* relaxed compactness ABE for uniform computation: Each sk works with attribute of any length.

Compactness: ct = 𝑃 𝑦 Adaptive Security Standard Assumptions DFA, NFA (regular languages)

7 / 42

Related Works: Non-Uniform Model

NOT compact NOT adaptive NON-standard assumptions

all-in-one: compact, adaptive, standard assumptions

[LOSTW10] for MSP [GPSW06] for MSP [GVW13, BGGHNSVV14] for Τ 𝑄 poly [LW12] for MSP

𝑟-type assumption

[KW19] for NC1 [GW20] for BP concurrent this work for ABP ⟸ 𝑙-Lin in pairing groups

8 / 42

Related Works: Uniform Model

NOT compact NOT adaptive NON-standard assumptions

all-in-one: compact, adaptive, standard assumptions [Wat12, Att14, AMY19, GWW19] for DFA [GW20] for DFA concurrent this work for DFA, NFA

• r
• r

[GW20] for NFA concurrent beyond finite automata [AS16] for P (FE, based on iO) this work for L, NL ct = 𝑃 𝑦 𝑈𝑇2𝑇 sk = 𝑃 TM (relaxed compactness)

𝑙-Lin

9 / 42

New General Framework

Inner-Product Functional Encryption Arithmetic Key Garbling Scheme ABE

information-theoretic tool

1-ABE

1-key = 1-ciphertext secret-key special randomized encoding computational tool

10 / 42

1-ABE via AKGS and IPFE

𝜈𝑔 𝑦

Randomized Encoding Partially Hiding [IW14]

sk𝑔,𝜈 ct𝑦 Simple: RE is linear in 𝑦. Secure: ෣ 𝜈𝑔 𝑦 hides 𝜈 beyond 𝜈𝑔 𝑦 . It does not hide 𝑔, 𝑦. ෣ 𝜈𝑔 𝑦

use 𝜈 as one-time pad convenience – 𝜈 in secret key

compute using IPFE ⟹

11 / 42

AKGS

Arithmetic Key Garbling Scheme

𝑔: ℤ𝑞

𝑜 → ℤ𝑞

𝑦 ∈ ℤ𝑞

𝑜

• 1. Label functions: 𝑀1, … , 𝑀𝑛 ← Garble 𝑔, 𝜈; 𝑠
• 2. Garblings:

ℓ1, … , ℓ𝑛 = 𝑀1 𝑦 , … , 𝑀𝑛 𝑦

𝑔, 𝑦, ℓ1, … , ℓ𝑛 Eval 𝑔, 𝑦, ℓ1, … , ℓ𝑛 = 𝜈𝑔 𝑦

a.k.a. “labels”

Security (partial hiding). Sim 𝑔, 𝑦, 𝜈𝑔 𝑦 → ℓ1, … , ℓ𝑛

not hidden

12 / 42

Linearity.

• 1. 𝑀1, … , 𝑀𝑛 are linear in 𝑦:

𝑀𝑘 𝑦 = 𝑀𝑘, 𝑦

• 2. coefficients of 𝑀1, … , 𝑀𝑛 are linear in 𝜈, 𝑠
• 3. Eval is linear in ℓ1, … , ℓ𝑛

Arithmetic Key Garbling Scheme

𝑔: ℤ𝑞

𝑜 → ℤ𝑞

𝑦 ∈ ℤ𝑞

𝑜

• 1. Label functions: 𝑀1, … , 𝑀𝑛 ← Garble 𝑔, 𝜈; 𝑠
• 2. Garblings:

ℓ1, … , ℓ𝑛 = 𝑀1 𝑦 , … , 𝑀𝑛 𝑦

Eval 𝑔, 𝑦, ℓ1, … , ℓ𝑛 = 𝜈𝑔 𝑦 𝑔, 𝑦, ℓ1, … , ℓ𝑛 thanks to partial hiding

13 / 42

Inner-Product Functional Encryption

isk 2 ← KeyGen msk, 𝒘 2 ict 1 ← Enc msk, 𝒗 1

𝒗, 𝒘

T

Function-Hiding Property isk 𝒘1 isk 𝒘2 ⋯ isk 𝒘𝐽 isk 𝒗1 ict 𝒗2 ⋯ ict 𝒗𝐾 isk 𝒘1

′

isk 𝒘2

′

⋯ isk 𝒘𝐽

′

isk 𝒗1

′

ict 𝒗2

′

⋯ ict 𝒗𝐾

′

≈

if 𝒗𝑗, 𝒘𝑘 = 𝒗𝑗

′, 𝒘𝑘 ′ for all 𝑗, 𝑘

Adaptive Security: Τ isk ict can interleave. Dec

14 / 42

Pairing-Based IPFE [ALS16, LV16]

isk 2 ← KeyGen msk, 𝒘 2 ict 1 ← Enc msk, 𝒗 1

𝒗, 𝒘

T

Asymmetric Pairing Groups 𝐻1: 𝑏 1 = 𝑕1

𝑏

𝐻2: 𝑐 2 = 𝑕2

𝑐

pairing

• peration

𝑏𝑐 T = 𝑕T

𝑏𝑐 ∈ 𝐻T

Dec

= pairing

15 / 42

1-ABE via AKGS and IPFE

sk𝑔,𝜈 ct𝑦

𝑀1, … , 𝑀𝑛 ← Garble 𝑔, 𝜈

= isk 𝑀𝑘

𝑘∈ 𝑛

= ict 𝑦 𝜈𝑔 𝑦

T

Eval

linear

IPFE Dec

labels in the exponent

ℓ𝑘 = 𝑀𝑘 𝑦

T

Intuitions for Security.

• IPFE ⟹ only ℓ𝑘’s are revealed
• AKGS ⟹ only 𝜈𝑔 𝑦 is revealed

16 / 42

Selective Security of 1-ABE

Real World

sk𝑔,𝜈 ct𝑦 { isk ( ict ( 𝑀𝑘 𝑦 ) } )

• want. 𝜈 is hidden

s.t. 𝑔 𝑦 = 0 𝑦 ℓ𝑘 = 𝑀𝑘 𝑦 𝑀1, … , 𝑀𝑛 ← Garble 𝑔, 𝜈

Next step: hardwire labels in secret key

17 / 42

Hardwire Labels in Secret Key via IPFE

sk𝑔,𝜈 ct𝑦 { isk ( ict ( 𝑦 ℓ𝑘 1 ) } ) s.t. 𝑔 𝑦 = 0 𝑦 𝑀1, … , 𝑀𝑛 ← Garble 𝑔, 𝜈 ℓ𝑘 = 𝑀𝑘 𝑦

• want. 𝜈 is hidden

Next step: simulate labels

18 / 42

Simulate Labels via AKGS

sk𝑔,𝜈 ct𝑦 { isk ( ict ( 𝑦 ℓ𝑘 1 ) } ) s.t. 𝑔 𝑦 = 0 𝑦 ℓ1, … , ℓ𝑛 ← Sim 𝑔, 𝑦, 𝜈𝑔 𝑦

• want. 𝜈 is hidden

19 / 42

s.t. 𝑔 𝑦 = 0 𝑦

Adaptive Security?

sk𝑔,𝜈 ct𝑦 { isk ( ict ( 𝑦 ℓ𝑘 1 ) } ) ℓ1, … , ℓ𝑛 ← Sim 𝑔, 𝑦, 𝜈𝑔 𝑦

• Idea. Rely on special structure of simulator.

need 𝑦 to simulate

20 / 42

Special Simulation Structure

ℓ1, … , ℓ𝑛 are uniformly random subject to correctness: Eval 𝑔, 𝑦, ℓ1, … , ℓ𝑛 = 𝜈𝑔 𝑦 .

Simulator

• 1. Draw ℓ2, … , ℓ𝑛 ← ℤ𝑞.
• 2. Find unique ℓ1 s.t. evaluation is correct.

☺ independent of 𝑦

Real Garbling

☺ only one label depends on 𝑦 linear constraint

21 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Simulation for Adaptive Security

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 ) ) ℓ1 1 isk ( ) ℓ2 ⋮ isk ( ) ℓ𝑘

find ℓ1 s.t. Eval 𝑔, 𝑦, … = 𝜈𝑔 𝑦

ℓ2 ← ℤ𝑞 ℓ𝑘 ← ℤ𝑞 ⋮ ⋮

• Idea. Put ℓ1 in ciphertext

equation depends on 𝑦

22 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Simulation for Adaptive Security

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 1 ℓ1 ) ) 1 isk ( ) ℓ2 ⋮ isk ( ) ℓ𝑘 ℓ2 ← ℤ𝑞 ℓ𝑘 ← ℤ𝑞 ⋮ ⋮

find ℓ1 s.t. Eval 𝑔, 𝑦, … = 0

23 / 42

Real World vs. Simulation

Real World Simulation

sk𝑔,𝜈 isk ( 𝑀1 ) sk𝑔,𝜈 isk ( 0 1 ) ct𝑦 ict ( 𝑦 ) ct𝑦 ict ( 𝑦 ℓ1 ) 1

𝑘 > 1 {isk ( 𝑀𝑘

)}

𝑘 > 1 {isk ( 0

)} ℓ𝑘

𝑀1, … , 𝑀𝑛 ← Garble 𝑔, 𝜈 ℓ1, … , ℓ𝑛 = 𝑀1 𝑦 , … , 𝑀𝑛 𝑦 ℓ2, … , ℓ𝑛 ← ℤ𝑞 find ℓ1 s.t. Eval ⋯ = 𝜈𝑔 𝑦 = 0

same distribution of labels need same labels to use IPFE honestly generated labels simulated labels

24 / 42

Bridging the Gap: Piecewise Security

𝑀1, … , 𝑀𝑛 ← Garble 𝑔, 𝜈

ℓ1 is uniquely determined by Eval ⋯ = 𝜈𝑔 𝑦 . Labels are marginally random given subsequent label functions.

for 𝑘 > 1 and all 𝑦: 𝑀𝑘 𝑦 , 𝑀𝑘+1, … , 𝑀𝑛 ≡ $, 𝑀𝑘+1, … , 𝑀𝑛

We show that AKGS for ABP [IW14] is piecewise secure.

piecewise security

25 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Adaptive Security of 1-ABE

Real World

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑀1 𝑦 ) ) isk ( 𝑀2 ) ⋮ isk ( 𝑀𝑘 ) ℓ1 = 𝑀1 𝑦

Next step: hardwire ℓ1 in ciphertext

26 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Hardwire ℓ1 in Ciphertext via IPFE

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 1 ℓ1 ) ) isk ( 𝑀2 ) ⋮ isk ( 𝑀𝑘 ) ℓ1 = 𝑀1 𝑦

Next step: find unique ℓ1 from correctness equation

27 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Find Unique ℓ1 via AKGS

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 1 ℓ1 ) ) isk ( 𝑀2 ) ⋮ isk ( 𝑀𝑘 )

find ℓ1 s.t. Eval ⋯ = 𝜈𝑔 𝑦

28 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

• Goal. Simulate ℓ2 as Random

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 1 ℓ1 ) ) isk ( 𝑀2 ⋮ isk ( 𝑀𝑘 ) ℓ2 = 𝑀2 𝑦

Next step: hardwire ℓ2 in ciphertext

)

find ℓ1 s.t. Eval ⋯ = 𝜈𝑔 𝑦 = 0

29 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Hardwire ℓ2 in Ciphertext via IPFE

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 1 ℓ1 ) ) ℓ2 isk ( ) 1 ⋮ isk ( 𝑀𝑘 ) ℓ2 = 𝑀2 𝑦

Next step: replace ℓ2 by random

find ℓ1 s.t. Eval ⋯ = 𝜈𝑔 𝑦 = 0

30 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Replace ℓ2 by Random via AKGS

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 1 ℓ1 ) ) ℓ2 isk ( ) 1 ⋮ isk ( 𝑀𝑘 ) ℓ2 ← ℤ𝑞

find ℓ1 s.t. Eval ⋯ = 𝜈𝑔 𝑦 = 0

Next step: put ℓ2 back into secret key

31 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Put ℓ2 Back into Secret Key via IPFE

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 1 ℓ1 ) ) 1 isk ( ) ℓ2 ⋮ isk ( 𝑀𝑘 ) ℓ2 ← ℤ𝑞

find ℓ1 s.t. Eval ⋯ = 𝜈𝑔 𝑦 = 0

Next step: simulate the other labels

Goal achieved: simulate ℓ2

32 / 42

⋮ s.t. 𝑔 𝑦 = 0 𝑦

Adaptive Security of 1-ABE

Final Simulation

sk𝑔,𝜈 ct𝑦 isk ( ict ( 𝑦 1 ℓ1 ) ) 1 isk ( ) ℓ2 ⋮ isk ( ) ℓ𝑘 𝜈 is hidden

find ℓ1 s.t. Eval ⋯ = 𝜈𝑔 𝑦 = 0

ℓ2 ← ℤ𝑞 ⋮ ℓ𝑘 ← ℤ𝑞 ⋮

33 / 42

Adaptively Secure 1-ABE

sk ct 1 1 multi-ciphertext security ? make it public-key ?

uses msk multi {

} { isk ( 𝑀𝑘 ) } ict ( 𝑦 )

34 / 42

Multi-Ciphertext Security

sk { ⟦ isk ( 𝑀𝑘 ) ⟧2 } ct1 ⟦ ict ( 𝑦1 ) ⟧1 ct2 ⟦ ict ( 𝑦2 ) ⟧1 ⟦𝑀𝑘 𝑦1 ⟧T ⟦𝑀𝑘 𝑦2 ⟧T

• Problem. Label functions (its randomness) cannot be reused.
• Idea. Use DDH to rerandomize them.

35 / 42

Multi-Ciphertext Security

sk { ⟦ isk ( 𝑀𝑘 ) ⟧2 } ct1 ⟦ ict ( 𝜍1𝑦1 ) ⟧1 ct2 ⟦ ict ( 𝜍2𝑦2 ) ⟧1 ⟦𝜍1𝑀𝑘 𝑦1 ⟧T ⟦𝜍2𝑀𝑘 𝑦2 ⟧T

• Problem. 𝜍𝑀𝑘 T is not pseudorandom given 𝜍 1, 𝑀𝑘 2.
• Idea. Use IPFE to move 𝜍 into the same group as 𝑀𝑘’s, then use DDH.
• Intuition. Label functions are

pseudorandom via DDH.

36 / 42

Adaptively Secure Secret-Key ABE

sk ct make it public-key ?

uses msk

{ ⟦ isk ( 𝑀𝑘 ) ⟧2 } ⟦ ict ( 𝜍𝑦 ) ⟧1

multi {

}

multi {

} multi-ciphertext security Slotted IPFE

37 / 42

Public-Key ABE via Slotted IPFE

sk { ⟦ isk ( 𝑀𝑘 ) ⟧2 }

multi {

} IPFE with

public slot private slot

+ ct ⟦ ict ( 𝜍𝑦 ) ⟧1

multi {

}

Enc using mpk (or msk) Enc needs msk not hidden function-hiding

make it public-key ? make it public-key

for scheme for proof KeyGen needs msk

38 / 42

ABP for

function-hiding IPFE piecewise secure AKGS 1-ABE full ABE

slotted IPFE ABP for

uniform computation: more challenges

39 / 42

Ideas for Uniform Model

DFA/NFA/L/NL = matrix multiplication piecewise secure AKGS for each input length unique challenge: # ℓ, 𝒔 ∝ 𝑦 𝑈𝑇2𝑇 TM

(or 𝑦 ⋅ TM for DFA/NFA)

ct ∝ 𝑦 𝑈𝑇2𝑇 sk ∝ TM ≪ Neither sk nor ct can fit all label functions / labels!

40 / 42

as if we did Garble 𝑔, 𝜈; 𝒔x ⊗ 𝒔f

Tensoring for Expansion

sk𝑁 ct𝑦,𝑈,𝑇

# isk, 𝒔f ∝ 𝑅 # ict, 𝒔x ∝ 𝑂𝑈𝑇2𝑇

IPFE Dec Intuition. 𝒔x ⊗ 𝒔f T ≈

DDH 𝒔 T

with 𝒔f isk1 isk2 ⋯ isk# with 𝒔x ict1 ict2 ⋮ ict# ℓ11 ℓ21 ℓ12 ℓ22 ⋮ ℓ#1 ⋮ ℓ#2 ⋯ ⋯ ℓ1# ℓ2# ⋱ ⋯ ⋮ ℓ## # ℓ ∝ 𝑂𝑈𝑇2𝑇𝑅

41 / 42

function-hiding IPFE

ABP DFA/NFA L/NL for

piecewise secure AKGS 1-ABE full ABE

slotted IPFE

ia.cr/2020/318

Thank you!

42 / 42