Dual System Encryption Framework in Prime-Order Groups via Computational Pair Encodings
Nuttapong Attrapadung (Nuts) AIST, Japan
Asiacrypt 2016 Hanoi, Vietnam, December 7, 2016
1
Our Main Result in One Slide

A Generic Framework for Fully Secure ABE in Prime-order Groups.
Implies many first fully-secure & prime-order instantiations: ABE for regular languages, short-ciphertext ABE, etc.
2
3
ABE for predicate $R : X \times Y \to \{0,1\}$

Setup → (Master Secret Key, Master Public Key)
KeyGen(MSK, $x$) → Key for $x \in X$
Encrypt(MPK, $y$, $M$) → Ciphertext for $y \in Y$ (encrypting $M$)
Decrypt(Key for $x$, Ciphertext for $y$) → $M$ if $R(x,y)=1$; ? if $R(x,y)=0$
5
Example (key-policy): policy $x$ = (Soccer OR Disney) AND Movie, associated to the key;
attribute set $y$ = {Drama, Japanese, Disney, Animation, Movie}, associated to the ciphertext.
6
Example (ciphertext-policy): policy $y$ = CEO OR (CS AND Ph.D.), associated to the ciphertext;
attribute set $x$ = {CS, Thai, Ph.D., Asian}, associated to the key.
7
Example with policies and attribute sets on both sides ($x_1, x_2$ and $y_1, y_2$), using OR/AND gates over attributes such as Heart, Blood, Fat value, date:201507, Patient:Bob, Hospital:T, Doctor:K, Department:X, Nurse, Clinic:A.
8
What Predicate?
  Identity Based (IBE) [S84, BB04, ...]: $x \in \{0,1\}^n$, $y \in \{0,1\}^n$; $R(x,y)=1$ iff $x = y$
  Inner Product (IPE) [KSW08]: $x \in \mathbb{Z}_p^n$, $y \in \mathbb{Z}_p^n$; $R(x,y)=1$ iff $\langle x, y \rangle = 0$
  Doubly Spatial (DSE) [H11]: $x$, $y$ affine spaces in $\mathbb{Z}_p^n$; $R(x,y)=1$ iff $x \cap y \neq \emptyset$
9
What Predicate?
  Span Program [GPSW06, ...], Finite Automata [W12, A14], Branching Program [GVW13, IW14], Circuits [GGHSW13, GVW13]: $x = f(\cdot)$ in that class; $R(x,y)=1$ iff $f(y)=1$
10
11
“Pair encoding” for $R$ [A. Eurocrypt 14], [Wee TCC14] + Subgroup Decision ⇒ Fully secure ABE for $R$
12
13
14
Diagram: Perfect encoding [LOSTW10, W14, A14, ...]; Computational encoding; some bounds.
15
Pair encoding for $R$ [A14] + Subgroup Decision ⇒ Fully secure ABE for $R$ (Composite-order)
Pair encoding for $R$ + Matrix DH [EHK+13] ⇒ Fully secure ABE for $R$ (Prime-order)
Syntax: more restricted, but all current encodings satisfy it! Security of pair encoding: same as [A14] ☺
16
Computational encoding ⇒ the first fully-secure & prime-order schemes.
Diagram: Perfect encoding [LOSTW10, W14, A14, ...]; some bounds.
17
18
19
PrimeG($\lambda$) → $(e, p, g_1, g_2)$: $G_1, G_2$ groups of prime order $p$, $e : G_1 \times G_2 \to G_T$, generators $g_1 \in G_1$, $g_2 \in G_2$.
CompositeG($\lambda$) → $(e, N, g_1, \hat g_1, g_2, \hat g_2)$: $G_1, G_2$ groups of composite order $N = pq$, $g_1 \in G_{1,p}$, $\hat g_1 \in G_{1,q}$, $g_2 \in G_{2,p}$, $\hat g_2 \in G_{2,q}$.
20
Syntax of a pair encoding scheme (PES) for $R$:
  Param($\kappa$) → $n$
  Enc1($x$, $N$) → $k_x(\alpha, r, h) \in \mathbb{Z}_N[\alpha, r, h]^{m_1}$
  Enc2($y$, $N$) → $c_y(s, h) \in \mathbb{Z}_N[s, h]^{w_1}$
  Pair($x$, $y$, $N$) → $E \in \mathbb{Z}_N^{m_1 \times w_1}$
where $k_x$ and $c_y$ have variables $\alpha$, $h = (h_1, \ldots, h_n)$, $r = (r_1, \ldots, r_{m_2})$, $s = (s_0, \ldots, s_{w_2})$.
Ensure linearity: $k_x$ and $c_y$ contain only the monomials $\alpha$, $r_i$, $h_k r_i$, $s_j$, $h_k s_j$.
Correctness: $R(x,y) = 1 \Rightarrow k_x E c_y = \alpha s_0$.
22
Composite-order ABE from a PES:

Setup($\lambda$, $\kappa$): CompositeG($\lambda$) → $(e, N, g_1, \hat g_1, g_2, \hat g_2)$, PES.Param($\kappa$) → $n$, $\alpha \xleftarrow{\$} \mathbb{Z}_N$, $h \xleftarrow{\$} \mathbb{Z}_N^n$,
  PK = $(g_1^{h}, e(g_1, g_2)^{\alpha})$, MSK = $(g_2^{h}, g_2^{\alpha})$.
Encrypt(PK, $y$, $M$): PES.Enc2($y$, $N$) → $(c_y, w_1, w_2)$, $s \xleftarrow{\$} \mathbb{Z}_N^{w_2}$,
  CT = $(g_1^{c_y(s, h)},\ e(g_1, g_2)^{\alpha s_0} \cdot M)$.
KeyGen(MSK, $x$): PES.Enc1($x$, $N$) → $(k_x, m_1, m_2)$, $r \xleftarrow{\$} \mathbb{Z}_N^{m_2}$,
  SK = $g_2^{k_x(\alpha, r, h)}$.
Decrypt($CT_y$, $SK_x$): PES.Pair($x$, $y$, $N$) → $E$, then
  $\tilde e(g_1^{E c_y}, g_2^{k_x}) = e(g_1, g_2)^{k_x E c_y} = e(g_1, g_2)^{\alpha s_0}$,
  where $\tilde e(g_1^{M_1}, g_2^{M_2}) := e(g_1, g_2)^{M_2 M_1}$.
26
Example (IBE) in the scheme above, with $h = (h_1, h_2)$: $E$ has entries $1$ and $-1$, so that $k_x E c_y = \alpha s_0$ if $x = y$.
28
Substitute scalars by vectors/matrices as in [Chen, Wee C13]:
  $\alpha \in \mathbb{Z}_p$ → $\alpha \in \mathbb{Z}_p^{d+1}$
  $r_i \in \mathbb{Z}_p$ → $r_i \in \mathbb{Z}_p^{d}$
  $h_k \in \mathbb{Z}_p$ → $H_k \in \mathbb{Z}_p^{(d+1)\times(d+1)}$
  $s_j \in \mathbb{Z}_p$ → $s_j \in \mathbb{Z}_p^{d}$
Generators: pick $g_1$ → $g_1^{BL} \in G_1^{(d+1)\times d}$, $g_2$ → $g_2^{ZL} \in G_2^{(d+1)\times d}$,
where $B, Z \in \mathbb{Z}_p^{(d+1)\times(d+1)}$ are drawn from a distribution $S_d$, and $L := \begin{pmatrix} I_d \\ 0 \end{pmatrix} \in \mathbb{Z}_p^{(d+1)\times d}$ is the left projection (so $BL$ is the left $d$ columns of $B$).
29
Exponentiations (with $h_k \to H_k \in \mathbb{Z}_p^{(d+1)\times(d+1)}$, $s_j \to s_j \in \mathbb{Z}_p^d$, $g_1 \to g_1^{BL} \in G_1^{(d+1)\times d}$):
  $g_1^{h_k}$ → $g_1^{H_k B L} \in G_1^{(d+1)\times d}$
  $g_1^{s_j}$ → $g_1^{B L s_j} \in G_1^{(d+1)\times 1}$
  $g_1^{h_k s_j}$ → $g_1^{H_k B L s_j} \in G_1^{(d+1)\times 1}$
(tweaked from [CW13], which is not directly applicable.)
30
Composite-order groups vs. prime-order groups:
  Composite-order: $g_1^{s_j} \approx g_1^{s_j} \hat g_1^{\hat s_j}$ (subgroup $G_{1,p}$ vs. whole group $G_{1,p} \times G_{1,q}$)
  Prime-order: $g_1^{B L s_j} \approx g_1^{B L s_j} g_1^{B J \hat s_j}$ (subspace vs. whole space)
where $J := \begin{pmatrix} 0 \\ 1 \end{pmatrix} \in \mathbb{Z}_p^{(d+1)\times 1}$ is the right projection (so $BJ$ is the last column of $B$).
31
Prime-order ABE from a PES:

Setup($\lambda$, $\kappa$): PrimeG($\lambda$) → $(e, p, g_1, g_2)$, $H_i \xleftarrow{\$} \mathbb{Z}_p^{(d+1)\times(d+1)}$ for $i \in [1,n]$, $\alpha \xleftarrow{\$} \mathbb{Z}_p^{d+1}$, pick $B, Z \xleftarrow{\$} S_d$; write $H = (H_1, \ldots, H_n)$.
  PK = $(g_1^{BL},\ g_1^{H_1 B L}, \ldots, g_1^{H_n B L},\ e(g_1, g_2)^{\alpha B L})$   (emulates $g_1^{h}$)
  MSK = $(g_2^{ZL},\ g_2^{H_1 Z L}, \ldots, g_2^{H_n Z L},\ g_2^{\alpha})$
Encrypt(PK, $y$, $M$): $S \xleftarrow{\$} \mathbb{Z}_p^{d \times (w_2+1)}$,
  $CT_y = (g_1^{c_y(BLS, H)},\ e(g_1, g_2)^{\alpha B L s_0} \cdot M)$
KeyGen(MSK, $x$): $R \xleftarrow{\$} \mathbb{Z}_p^{d \times m_2}$,
  $SK_x = g_2^{k_x(\alpha, ZLR, H)}$
Decrypt($CT_y$, $SK_x$): PES.Pair($x$, $y$, $p$) → $E$, then
  $\prod_{i \in [1,m_1],\, j \in [1,w_1]} \tilde e(g_1^{c_y[j]}, g_2^{k_x[i]})^{E_{i,j}} = e(g_1, g_2)^{\alpha B L s_0}$

Correspondence with the composite-order exponentiations:
  ciphertext side: $g_1^{s_j}$ → $g_1^{B L s_j}$, $g_1^{h_k s_j}$ → $g_1^{H_k B L s_j}$, $g_1^{c_y(s, h)}$ → $g_1^{c_y(BLS, H)}$
  key side: $g_2^{r_i}$ → $g_2^{Z L r_i}$, $g_2^{h_k r_i}$ → $g_2^{H_k Z L r_i}$, $g_2^{k_x(\alpha, r, h)}$ → $g_2^{k_x(\alpha, ZLR, H)}$
36
Correctness of PES implicitly uses: in the bilinear map on scalars (as used in [A14]), $s_j \cdot (h_k r_i) = (h_k s_j) \cdot r_i$, i.e. $e(g_1^{s_j}, g_2^{h_k r_i}) = e(g_1^{h_k s_j}, g_2^{r_i})$.
In the bilinear map on vectors here, we correspondingly have $\tilde e(g_1^{a}, g_2^{H_k b}) = \tilde e(g_1^{H_k a}, g_2^{b})$, since $e(g_1, g_2)^{(b H_k) \cdot a} = e(g_1, g_2)^{b \cdot (H_k a)}$; recall $\tilde e(g_1^{M_1}, g_2^{M_2}) := e(g_1, g_2)^{M_2 M_1}$.
37
Correctness of PES also implicitly (possibly) uses: in the bilinear map on scalars (as used in [A14]), $(h s_j) \cdot (h_k r_i) = (h_k s_j) \cdot (h r_i)$, i.e. $e(g_1^{h s_j}, g_2^{h_k r_i}) = e(g_1^{h_k s_j}, g_2^{h r_i})$.
But in the bilinear map on vectors here, the corresponding identity $\tilde e(g_1^{H a}, g_2^{H_k b}) = \tilde e(g_1^{H_k a}, g_2^{H b})$ would require $e(g_1, g_2)^{(b H_k) \cdot (H a)} = e(g_1, g_2)^{(b H) \cdot (H_k a)}$, which does not hold in general.
38
Correctness of PES also implicitly (possibly) uses $(h s_j) \cdot (h_k r_i) = (h_k s_j) \cdot (h r_i)$. Hence, we simply restrict PES to exclude these terms. This is done by restricting the $E$ output by Pair. Call this Rule 1.
39
40
Security game, pictorially in timeline:
  the adversary receives PK
  key queries: $x$ → $SK_x$ (repeated)
  challenge: $y, M_0, M_1$ → $CT_y$ = Encrypt($M_b$)
  key queries: $x$ → $SK_x$ (repeated)
  the adversary outputs a guess of $b$
Condition: $R(x, y) = 0$ for every queried $x$.
41
Modify one component at a time: Real game (everything Normal) → … → Final game (everything “Semi-functional”), where the advantage is 0.
42
Hybrid games over composite-order groups (N = Normal, S = Semi-functional):

Ciphertext: $g_1^{c_y(s, h)}$ (N) → $g_1^{c_y(s, h)} \cdot \hat g_1^{c_y(\hat s, \hat h)}$ (S)

Keys, switched one at a time (normal part $g_2^{k_x(\alpha, r, h)}$ times the semi-functional part):
  $g_2^{k_x(\alpha, r, h)}$
  → $g_2^{k_x(\alpha, r, h)} \cdot \hat g_2^{k_x(0, \hat r, \hat h)}$
  → $g_2^{k_x(\alpha, r, h)} \cdot \hat g_2^{k_x(\hat\alpha, \hat r, \hat h)}$
  → $g_2^{k_x(\alpha, r, h)} \cdot \hat g_2^{k_x(\hat\alpha, 0, 0)}$
Slide annotation of the key sequence across games: N S N N N S N S N S

“Copy” from Normal to SF can use Subgroup Decision: $g_1^{s_j} \approx g_1^{s_j} \hat g_1^{\hat s_j}$.
The only remaining hybrid (between $\hat g_2^{k_x(0, \hat r, \hat h)}$ and $\hat g_2^{k_x(\hat\alpha, \hat r, \hat h)}$) uses the security of PES.
50
Security of PES: given $\hat g_1^{c_y(\hat s, \hat h)}$, which of $\hat g_2^{k_x(\hat\alpha, \hat r, \hat h)}$ and $\hat g_2^{k_x(0, \hat r, \hat h)}$ is given?
  Computational security [A14]: the two are computationally indistinguishable.
  Perfect security [A14, W14]: indistinguishable in the info-theoretic sense.
This is for $x, y$ such that $R(x, y) = 0$ (each of $x$, $y$ is queried once by the adversary, in any order).
52
Hybrid games over prime-order groups (N = Normal, S = Semi-functional):

Ciphertext: $g_1^{c_y(BLS, H)}$ (N) → $g_1^{c_y(BLS, H)} \cdot g_1^{c_y(BJ\hat S, H)}$ (S)

Keys, switched one at a time (normal part $g_2^{k_x(\alpha, ZLR, H)}$ times the semi-functional part):
  $g_2^{k_x(\alpha, ZLR, H)}$
  → $g_2^{k_x(\alpha, ZLR, H)} \cdot g_2^{k_x(0, ZJ\hat R, H)}$
  → $g_2^{k_x(\alpha, ZLR, H)} \cdot g_2^{k_x(\alpha, ZJ\hat R, H)}$
  → $g_2^{k_x(\alpha, ZLR, H)} \cdot g_2^{k_x(\alpha, 0, 0)}$
Slide annotation of the key sequence across games: N S N N N S N S N S

“Copy” now uses Matrix Diffie-Hellman [EHK+13]: $g_1^{B L s_j} \approx g_1^{B L s_j} g_1^{B J \hat s_j}$. The new technique uses the random self-reducibility of Mat-DH.
Goal: the remaining hybrid will use the security of PES. Problem: the security of PES was not stated in “matrix form”.
55
so that the security of PES implies exactly this hybrid.

Our hybrid: given $g_1^{c_y(BJ\hat S, H)}$, which of $g_2^{k_x(\alpha, ZJ\hat R, H)}$ and $g_2^{k_x(0, ZJ\hat R, H)}$ is given?
Security of PES: given $\hat g_1^{c_y(\hat s, \hat h)}$, which of $\hat g_2^{k_x(\hat\alpha, \hat r, \hat h)}$ and $\hat g_2^{k_x(0, \hat r, \hat h)}$ is given?
The restrictions that make the two coincide can be defined solely on the syntax of the PES. Call these Rules 2, 3, 4.
58
PES for $R$ + Matrix DH [EHK+13] ⇒ Fully secure ABE for $R$ (Prime-order)
59
encoding to fully secure ABE in prime-order groups.
instantiations for many predicates.
60