dual system encryption framework in prime order groups
play

Dual System Encryption Framework in Prime-Order Groups via - PowerPoint PPT Presentation

Sep 10, 2023 •34 likes •634 views

1 Dual System Encryption Framework in Prime-Order Groups via Computational Pair Encodings Nuttapong Attrapadung (Nuts) AIST, Japan Asiacrypt 2016 Hanoi, Vietnam, December 7, 2016 2 Our Main Result in One Slide A Generic Framework for

  1. 1 Dual System Encryption Framework in Prime-Order Groups via Computational Pair Encodings Nuttapong Attrapadung (Nuts) AIST, Japan Asiacrypt 2016 Hanoi, Vietnam, December 7, 2016

  2. 2 Our Main Result in One Slide A Generic Framework for Fully Secure ABE in Prime-order Groups Implies many first fully-secure & prime-order instantiations: ABE for regular languages, Short-ciphertext ABE, etc.

  3. 3 1 Introduction

  4. 4 Attribute Based Encryption (ABE) [SW05] ABE for predicate R: X × Y → {0,1} Key for Ciphertext for Decrypt x ∈ X y ∈ Y (encrypt M) M if R(x,y)=1 ? if R(x,y)=0

  5. 5 More Complete Picture of ABE Setup Master Public key Master Secret key x y,M Encrypt KeyGen Key for Ciphertext for Decrypt x ∈ X y ∈ Y (encrypt M) M if R(x,y)=1 ? if R(x,y)=0

  6. 6 Example of Predicates 1. Key-Policy ABE for Boolean Formulae [GPSW06] • suitable for content-based access control. Movie Drama OR Disney AND Japanese Soccer Animation Movie Disney policy x attribute set y associated to associated to • R(x,y)=1 iff y satisfies x.

  7. 7 Example of Predicates 2. Ciphertext-Policy ABE for Boolean Formulae [BSW07,W11] • suitable for person-based access control. Ph.D. OR CS AND Thai CEO Asian Ph.D. CS attribute set x policy y associated to associated to • R(x,y)=1 iff x satisfies y.

  8. 8 Example of Predicates 3. Dual-Policy ABE for Boolean Formulae [ A I09] OR Blood AND Fat value Heart date:201507 Blood date:201507 y 1 x 1 y 2 x 2 OR Doctor:K AND Department:X AND Patient:Bob Nurse Hospital:T Clinic:A Doctor:K Hospital:T • R(x,y)=1 iff y 1 satisfies x 1 AND x 2 satisfies y 2 .

  9. 9 More Examples of Predicates (1/2) R ( x , y ) = 1 What Predicate iff x ∈ { 0 , 1 } n y ∈ { 0 , 1 } n x = y Identity Based (IBE) [S84, BB04,..] x ∈ Z n y ∈ Z n � x , y � = 0 Inner Product (IPE) p p [KSW08] y x x � y � = � Doubly Spatial (DSE) Z n [H11] (affine spaces in ) p

  10. 10 More Examples of Predicates (2/2) R ( x , y ) = 1 What Predicate iff Span Program [GPSW06,…] Finite Automata [W12, A 14] f ( · ) y f ( y ) = 1 f Branching Program in that class [GVW13,IW14] Circuits [GGHSW13,GVW13]

  11. 11 Is there a generic way to design ABE for arbitrary predicate R ?

  12. 12 Yes, using recent generic frameworks [A. Eurocrypt 14], [Wee TCC14] “Pair encoding” for R Fully secure ABE for R ⇒ + Subgroup Decision • Advantage of pair encoding: security is much easier! • Perfect [ A 14,W14] : Info-theoretic argument. • Computational [ A 14] : Similar to selective security. • But yield ABEs in composite-order groups .

  13. 13 Motivation for Prime-order Groups • Better efficiency than composite-order groups. [G13] • Element size: 256 bits vs 3072 bits • Bilinear pairing: 254 times faster

  14. 14 Recent Prime-order Frameworks • [Chen,Gay,Wee EC15], [Agrawal, Chase TCC16] • extending [W14,A14]. • but only for perfect encoding • This work : both perfect & computational encoding

  15. 15 Computational enc covers many more Computational encoding • boolean formula [A14,AY15,AHY15] - KP, CP, DP - fully unbounded - short-key or short-ciphertext • boolean formula over doubly-spatial - KP, CP, DP [A14,AY15] • finite automata (regular language) Perfect encoding - KP, CP, DP [W12,A14,AY15] • IBE, IPE, Spatial • boolean formula with some bounds [LOSTW10,W14, A14,…]

  16. 16 Our Main Theorem Fully secure ABE for R Pair encoding for R ⇒ (Prime-order) + Matrix DH [EHK+13] Security of pair encoding: same as [A14] ☺ Syntax: more restricted, but all current encodings satisfy! [A14] Fully secure ABE for R Pair encoding for R ⇒ (Composite-order) + Subgroup Decision

  17. 17 Instantiations: Apply to Existing Encodings Computational encoding • boolean formula [A14,AY15,AHY15] The first fully-secure & - KP, CP, DP prime-order schemes - fully unbounded - short-key or short-ciphertext • boolean formula over doubly-spatial - KP, CP, DP [A14,AY15] • finite automata (regular language) Perfect encoding - KP, CP, DP [W12,A14,AY15] • IBE, IPE, Spatial • branching program • boolean formula with - KP, CP, DP some bounds - unbounded [new] [LOSTW10,W14, A14,…] - short-key or short-ciphertext [new]

  18. 18

  19. 19 2 Scheme

  20. 20 Bilinear Maps e : G 1 × G 2 → G T PrimeG ( λ ) → ( e , p , g 1 , g 2 ) groups of prime order p G 1 , G 2 : generators g 1 ∈ G 1 , g 2 ∈ G 2 CompositeG ( λ ) → ( e , N , g 1 , ˆ g 1 , g 2 , ˆ g 2 ) N = pq groups of composite order G 1 , G 2 : g 1 ∈ G 1 , p , ˆ g 1 ∈ G 1 , q , g 2 ∈ G 2 , p , ˆ g 2 ∈ G 2 , q

  21. 21 Pair Encoding Scheme (PES) [ A 14] Syntax : Param ( κ ) → n k r h m 1 , m 2 Enc 1 ( x , N ) → k k x ( α , r r , h h ) and c s h Enc 2 ( y , N ) → c c y ( s s , h h ) w 1 , w 2 and E ∈ Z m 1 × w 1 E Pair ( x , y , N ) → E N h ] w 1 h ] m 1 c s h k r h c c y ∈ Z N [ s s , h k k x ∈ Z N [ α , r r , h where and have variables: h r s α , h h = ( h 1 , . . . , h n ) , r r = ( r 1 , . . . , r m 2 ) , s s = ( s 0 , . . . , s w 2 ) α , r i , h k r i , s j , h k s j Ensure linearity and only monomials .

  22. 22 Pair Encoding Scheme (PES) [ A 14] Syntax : Param ( κ ) → n k r h m 1 , m 2 Enc 1 ( x , N ) → k k x ( α , r r , h h ) and c s h Enc 2 ( y , N ) → c c y ( s s , h h ) w 1 , w 2 and E ∈ Z m 1 × w 1 E Pair ( x , y , N ) → E N h ] w 1 h ] m 1 c s h k r h c c y ∈ Z N [ s s , h k k x ∈ Z N [ α , r r , h where and have variables: h r s α , h h = ( h 1 , . . . , h n ) , r r = ( r 1 , . . . , r m 2 ) , s s = ( s 0 , . . . , s w 2 ) α , r i , h k r i , s j , h k s j and only monomials . Correctness : k E c R ( x , y ) = 1 k k x E Ec c � y = α s 0 ⇒

  23. 23 Fully Secure ABE from PES [ A 14, simplified] CompositeG ( λ ) → ( e , N , g 1 , ˆ g 1 , g 2 , ˆ g 2 ) , Setup ( λ , κ ) : ← Z n PES . Param ( κ ) → n , h h h $ $ ← Z N , α N , � 1 , e ( g 1 , g 2 ) α � h g 1 , g h h PK = � � h g 2 , g h h 2 , g α MSK = 2

  24. 24 Fully Secure ABE from PES [ A 14, simplified] CompositeG ( λ ) → ( e , N , g 1 , ˆ g 1 , g 2 , ˆ g 2 ) , Setup ( λ , κ ) : ← Z n PES . Param ( κ ) → n , h h h $ $ ← Z N , α N , � 1 , e ( g 1 , g 2 ) α � h g 1 , g h h PK = � � h g 2 , g h h 2 , g α MSK = 2 ← Z w 2 Encrypt ( PK , y , M ) : c s PES . Enc 2 ( y , N ) → ( c c y , w 1 , w 2 ) , s s $ N , c s h c c y ( s s , h h ) � � , e ( g 1 , g 2 ) α s 0 · M g CT = 1

  25. 25 Fully Secure ABE from PES [ A 14, simplified] CompositeG ( λ ) → ( e , N , g 1 , ˆ g 1 , g 2 , ˆ g 2 ) , Setup ( λ , κ ) : ← Z n PES . Param ( κ ) → n , h h h $ $ ← Z N , α N , � 1 , e ( g 1 , g 2 ) α � h g 1 , g h h PK = � � h g 2 , g h h 2 , g α MSK = 2 ← Z w 2 Encrypt ( PK , y , M ) : c s PES . Enc 2 ( y , N ) → ( c c y , w 1 , w 2 ) , s s $ N , c s h c c y ( s s , h h ) � � , e ( g 1 , g 2 ) α s 0 · M g CT = 1 ← Z m 2 r KeyGen ( MSK , x ) : k r r PES . Enc 1 ( x , N ) → ( k k x , m 1 , m 2 ) , $ N , k r h SK = g k k x ( α , r r , h h ) 2

  26. 26 Fully Secure ABE from PES [ A 14, simplified] c s h c c y ( s s , h h ) � � , e ( g 1 , g 2 ) α s 0 · M g CT = 1 k r h SK = g k k x ( α , r r , h h ) 2 E PES . Pair ( x , y , N ) → E E , Decrypt ( CT y , SK x ) : E c E Ec c � k , g k k � � � k E c = e ( g 1 , g 2 ) k k x E Ec c � y = e ( g 1 , g 2 ) α s 0 e e e g y x 1 2 M M e ( g M 1 , g M M 1 M 2 M M 2 ) := e ( g 1 , g 2 ) M M � 2 M M 1 e where e

  27. 27 Fully Secure ABE from PES [ A 14, simplified] � 1 , e ( g 1 , g 2 ) α � h g 1 , g h h PK = � � h g 2 , g h h 2 , g α MSK = 2 c s h c c y ( s s , h h ) � � , e ( g 1 , g 2 ) α s 0 · M g CT = 1 k r h SK = g k k x ( α , r r , h h ) 2

  28. 28 Example: IBE [BB04,LW10] ( h 1 , h 2 ) � 1 , e ( g 1 , g 2 ) α � h g 1 , g h h PK = � � h g 2 , g h h s 0 ( h 1 + yh 2 ) , s 0 2 , g α � � MSK = 2 c s h c c y ( s s , h h ) � � , e ( g 1 , g 2 ) α s 0 · M g CT = 1 k r h SK = g k k x ( α , r r , h h ) α + r 1 ( h 1 + xh 2 ) , r 1 � � 2 If x = y E E E s 0 ( h 1 y + h 2 ) = α s 0 α + r 1 ( h 1 + xh 2 ) , r 1 0 1 � � s 0 − 1 0

  29. 29 Towards Prime-order Setting Substitute scalar by vector/matrix as in [Chen, Wee C13] . α � Z d + 1 H k � Z ( d + 1 ) × ( d + 1 ) H h k H �� α p �� p s j � Z d r i � Z d s r s j s r i r �� �� p p Z ∈ Z ( d + 1 ) × ( d + 1 ) B Z with a distribution S d , B B , Z Generators : pick p 2 � G ( d + 1 ) × d 1 � G ( d + 1 ) × d Z L g Z ZL L B L g B BL L g 2 g 1 �� �� 2 1 d d 1 d 1 where . L B L = L L := ... d + 1 1 0 (left projection)

  30. 30 Towards Prime-order Setting s j � Z d H k � Z ( d + 1 ) × ( d + 1 ) s s j s H h k H �� p �� p 1 � G ( d + 1 ) × d B L g B BL L g 1 �� 1 Exponentiations : H B L � G ( d + 1 ) × d g h k g H H k B BL L �� 1 1 1 B L s s j B BL Ls s j � G ( d + 1 ) × 1 g g �� 1 1 1 H B L s h k s j H H k B BL Ls s j � G ( d + 1 ) × 1 g g �� 1 1 1 (tweaked from [CW13] , which is not directly applicable.)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman (Stanford University) 1 Elliptic curves:

1.09k views • 77 slides
Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel

Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel

Schur-rings (S-rings) Automorphism groups of S-rings Final (personal) remarks Automorphism groups of Schur rings over cyclic groups of prime-power order Reinhard Pschel joint work with Mikhail Klin Institut fr Algebra Technische

1.47k views • 98 slides
Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5

Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5

The groups of order p 7 Eamonn OBrien and Michael Vaughan-Lee The groups of order p 7 p. 1 Groups of order p k for k = 1 , 2 , . . . , 6 p = 2 p = 3 p 5 p 1 1 1 p 2 2 2 2 p 3 5 5 5 p 4 14 15 15 p 5 51 67 u p 6 267 504

663 views • 33 slides
Construction of latin squares of prime order Theorem. If p is prime, then there exist p 1 MOLS

Construction of latin squares of prime order Theorem. If p is prime, then there exist p 1 MOLS

Construction of latin squares of prime order Theorem. If p is prime, then there exist p 1 MOLS of order p . Construction: The elements in the latin square will be the elements of Z p , the integers modulo p . Addition and multiplication will be

257 views • 8 slides
A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special

A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special

A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special Class of Non-Commutative Groups Koji Nuida National Institute of Advanced Industrial Science and Technology (AIST), Japan (Japan Science and

1.24k views • 57 slides
The dual space of precompact groups Salvador Hern andez Universitat Jaume I The dual space of

The dual space of precompact groups Salvador Hern andez Universitat Jaume I The dual space of

The dual space of precompact groups Salvador Hern andez Universitat Jaume I The dual space of precompact groups - Presented at the AHA 2013 Conference Granada, May 20 - 24, 2013. - Joint work with M. Ferrer and V. Uspenskij . . . . .

840 views • 70 slides
Dual Universities and the Dual System is there a new shift towards academic pathways in

Dual Universities and the Dual System is there a new shift towards academic pathways in

Presentation at the Ontario Institute for Studies of Education, Toronto 13.9.18 Prof. Dr. Dr. h.c. Thomas Deissinger, University of Konstanz, Chair of Business Education Dual Universities and the Dual System is there a new shift towards

336 views • 30 slides
Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore

Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore

Introduction BGN protocol with a symmetric pairing BGN conversions Our implementation Conclusion Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves Aurore Guillevic C2, Dinard, France C2 2012 1/23 grid

558 views • 23 slides
On the Prime Graph Question for 4-primary Groups I Andreas B achle and Leo Margolis Vrije

On the Prime Graph Question for 4-primary Groups I Andreas B achle and Leo Margolis Vrije

On the Prime Graph Question for 4-primary Groups I Andreas B achle and Leo Margolis Vrije Universiteit Brussel and Universit at Stuttgart Brock International Conference on Groups, Rings and Group Rings July 28 to August 01, 2014 Notations

1.22k views • 69 slides
On the capabillity of p -groups of class two and prime exponent Arturo Magidin University of

On the capabillity of p -groups of class two and prime exponent Arturo Magidin University of

On the capabillity of p -groups of class two and prime exponent Arturo Magidin University of Louisiana at Lafayette Groups St Andrews 2013 Arturo Magidin Capability Definition A group G is capable if and only if there exists K such that G

901 views • 63 slides
Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e Homomorphic Encryption R Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all

556 views • 12 slides
Encryption Beyond Group Homomorphism: Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism: Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism: Bilinear Groups Lecture 18 l l a c e Homomorphic Encryption R Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all

838 views • 14 slides
Property (T) for quantum groups from the Property (T) for groups dual point of view Quantum

Property (T) for quantum groups from the Property (T) for groups dual point of view Quantum

Property (T) for quantum groups from the dual point of view David Kyed Property (T) for quantum groups from the Property (T) for groups dual point of view Quantum groups Property (T) for quantum groups David Kyed The dual picture

936 views • 61 slides
System Thinking and System Dynamics in public policy making: some experiences of the Prime

System Thinking and System Dynamics in public policy making: some experiences of the Prime

Prime Ministers Strategy Unit System Thinking and System Dynamics in public policy making: some experiences of the Prime Minister's Strategy Unit Nick Mabey (Senior Advisor, UK Prime Ministers Strategy Unit) There is nothing a

1.03k views • 60 slides
Prime monomial ideals of subsemigroup algebras of free nilpotent groups Tomer Bauer joint work

Prime monomial ideals of subsemigroup algebras of free nilpotent groups Tomer Bauer joint work

. . . . . . . . . . . . . . . Prime monomial ideals of subsemigroup algebras of free nilpotent groups Tomer Bauer joint work with Beeri Greenfeld Department of Mathematics Bar-Ilan University Groups, Rings and Associated

989 views • 32 slides
The Classification of Finite Groups of Order 16 Kyle Whitcomb Department of Mathematics and

The Classification of Finite Groups of Order 16 Kyle Whitcomb Department of Mathematics and

The Classification of Finite Groups of Order 16 Kyle Whitcomb Department of Mathematics and Computer Science University of Puget Sound Tacoma, Washington May 5, 2015 Finite Groups of Order 16 Outline 1 Definitions and Notation 2 Preliminary

859 views • 51 slides
WHAT WORKS: DELIVERING PUBLIC EMPLOYMENT SERVICES 18 May 2018 Tony Wilson, Director of Policy

WHAT WORKS: DELIVERING PUBLIC EMPLOYMENT SERVICES 18 May 2018 Tony Wilson, Director of Policy

WHAT WORKS: DELIVERING PUBLIC EMPLOYMENT SERVICES 18 May 2018 Tony Wilson, Director of Policy and Research, Learning and Work Institute tony.wilson@learningandwork.org.uk @LWtonywilson THIS PRESENTATION The UK experience of Public

542 views • 26 slides
Valeo in China Edouard de Pirey Valeo China President 1 Property of Valeo. Duplication

Valeo in China Edouard de Pirey Valeo China President 1 Property of Valeo. Duplication

Valeo in China Edouard de Pirey Valeo China President 1 Property of Valeo. Duplication prohibited Valeo Strategy CO 2 emissions reduction and intuitive driving Development in Asia and emerging countries 2 Property of Valeo. Duplication

1.19k views • 49 slides
SPADE: The System S Declarative Stream Processing Engine B.Gedik, H. Andrade, K. Wu, P. Yu, and

SPADE: The System S Declarative Stream Processing Engine B.Gedik, H. Andrade, K. Wu, P. Yu, and

SPADE: The System S Declarative Stream Processing Engine B.Gedik, H. Andrade, K. Wu, P. Yu, and M. Doo (SIGMOD. 2008) Presented by Kenneth Lui (wckl2) 10 th Nov 2015 1 Outline Background - Stream Processing Engine , System S

606 views • 41 slides
Donna E. Wood, Norma Strachan, and Valrie Roy ASPECT Annual Conference Nov. 2018 } What is the

Donna E. Wood, Norma Strachan, and Valrie Roy ASPECT Annual Conference Nov. 2018 } What is the

Donna E. Wood, Norma Strachan, and Valrie Roy ASPECT Annual Conference Nov. 2018 } What is the Public Employment Service or PES? } A Pan-Canadian Look at the PES in 2015 } Key Questions Explored in the Book } Criteria to Compare Provincial

394 views • 20 slides
Eugeniusz Rosoowski ELECTRICAL POWER ENGINEERING Diploma Seminar General information Eugeniusz

Eugeniusz Rosoowski ELECTRICAL POWER ENGINEERING Diploma Seminar General information Eugeniusz

ELECTRICAL POWER ENGINEERING Diploma Seminar Eugeniusz Rosoowski ELECTRICAL POWER ENGINEERING Diploma Seminar General information Eugeniusz Rosoowski, Professor, PhD, DSc email: eugeniusz.rosolowski@pwr.edu.pl home page:

456 views • 13 slides
Services risks & opportunities Indigenous Communities Respond to Threats: Conflict

Services risks & opportunities Indigenous Communities Respond to Threats: Conflict

Payment for Environmental Services risks & opportunities Indigenous Communities Respond to Threats: Conflict Resolution and Negotiation Strategies: 18 July 2017 Polly Grace, Legal Officer PES: Risks & opportunities 1. What is

300 views • 14 slides
Abstract: Updates on Board rule changes within the last year, general updates on initiatives the

Abstract: Updates on Board rule changes within the last year, general updates on initiatives the

Abstract: Updates on Board rule changes within the last year, general updates on initiatives the Board is working on, information on enforcement statistics, and the engineering Code of Conduct. Title: Texas Board of Professional Engineers

1.06k views • 73 slides
Breaking Paradigms in Control Building Design By Robert Frye Tennessee Valley Authority April 6,

Breaking Paradigms in Control Building Design By Robert Frye Tennessee Valley Authority April 6,

Breaking Paradigms in Control Building Design By Robert Frye Tennessee Valley Authority April 6, 2017 NEW NEW Paradigms PARADIGMS PARADIGMS AHEAD AHEAD 1) We accept live terminals in close proximity with our electricians and operators.

827 views • 26 slides

More recommend