Encry ryption for Quadratic Functions wit ith Applications to - - PowerPoint PPT Presentation
Practical Functional Encry ryption for Quadratic Functions wit ith Applications to Predicate Encry ryption Carmen Elisabetta Zaira Baltico Universit di Catania Dario Catalano Universit di Catania Dario Fiore IMDEA Romain Gay
Carmen Elisabetta Zaira Baltico Università di Catania Dario Catalano Università di Catania Dario Fiore IMDEA Romain Gay (speaker) ENS
Alice
m
Bob f(m)
Setup Alice
m
pk skf msk KeyGen Bob skf → f(m)
Setup Alice
m
Carl pk skf, skg msk KeyGen skg → g(m) Bob skf → f(m)
Setup Alice
m
pk skf, skg msk KeyGen
Adv
Only learns f m , g(m) Carl skg → g(m) Bob skf → f(m) Collusion
Setup Alice
m0
pk skf, skg msk KeyGen
Adv
f m0 = f m1 g m0 = g m1 Carl skg → g(m) Bob skf → f(m)
m1 ≈𝑑
Collusion
𝑛 = Ԧ 𝑦 ∈ ℤ𝑞
𝑜
𝑔 = Ԧ 𝑧 ∈ ℤ𝑞
𝑜
𝑔 𝑛 = Ԧ 𝑦𝑈 Ԧ 𝑧 ∈ ℤ𝑞 ct size = 𝑃(𝑜) Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH
Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings 𝑛 = Ԧ 𝑦, Ԧ 𝑧 ∈ ℤ𝑞
𝑜 × ℤ𝑞 𝑛
𝑔 = 𝑔
𝑗,𝑘 𝑗∈ 𝑜 ,𝑘∈[𝑛] ∈ ℤ𝑞 𝑜×𝑛
𝑔 𝑛 = Ԧ 𝑦𝑈𝑔 Ԧ 𝑧 =
𝑗∈ 𝑜 ,𝑘∈[𝑛]
𝑦𝑗 𝑔
𝑗,𝑘𝑧𝑘 ∈ ℤ𝑞
ct size = 𝑃(𝑜 + 𝑛)
Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings 𝑛 = Ԧ 𝑦, Ԧ 𝑧 ∈ ℤ𝑞
𝑜 × ℤ𝑞 𝑛
𝑔 = 𝑔
𝑗,𝑘 𝑗∈ 𝑜 ,𝑘∈[𝑛] ∈ ℤ𝑞 𝑜×𝑛
𝑔 𝑛 = Ԧ 𝑦𝑈𝑔 Ԧ 𝑧 =
𝑗∈ 𝑜 ,𝑘∈[𝑛]
𝑦𝑗 𝑔
𝑗,𝑘𝑧𝑘 ∈ ℤ𝑞
ct size = 𝑃(𝑜 + 𝑛) ct size = 𝑃(𝑜 ⋅ 𝑛) vs with [ABDP 15]
Quadratic: Private/public key: [AS 17] private [Lin 17] private Our work public Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings
Quadratic: Private/public key: [AS 17] private [Lin 17] private Our work public Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Function- hiding:
Quadratic: Private/public key: [AS 17] private [Lin 17] private Our work public Our work public Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Function- hiding: Assumption: GGM SXDH
Quadratic: Private/public key: [AS 17] private [Lin 17] private Our work public Our work public Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Function- hiding: Assumption: Security: GGM SEL-IND SXDH SEL-IND
SEL-IND
AD-IND
ct size = 𝑃(𝑜 + 𝑛) ct size = 𝑃(𝑜 ⋅ 𝑛) vs Our work: [KSW 08]: 𝑛 = plaintext, Ԧ 𝑦, Ԧ 𝑧 ∈ ℤ𝑞
𝑜 × ℤ𝑞 𝑛
𝑔 𝑛 = plaintext iff Ԧ 𝑦𝑈𝑔 Ԧ 𝑧 = 0
Enc 𝑞𝑙, ( Ԧ 𝑦, Ԧ 𝑧) Enc(𝑞𝑙, Ԧ 𝑦) Enc(𝑞𝑙, Ԧ 𝑧) = , 𝑔 Enc(𝑞𝑙𝑔, 𝑔( Ԧ 𝑦, Ԧ 𝑧)) size 𝑃(𝑜) size 𝑃(𝑛) FE 𝑔: Ԧ 𝑦, Ԧ 𝑧 ∈ ℤ𝑞
𝑜 × ℤ𝑞 𝑛 → Ԧ
𝑦𝑈𝑔 Ԧ 𝑧 ∈ ℤ𝑞 in 𝑈 in 𝑓: × → 𝑈 𝑓 𝑏, 𝑐 = 𝑓 , 𝑏𝑐 in
Private-key FE, GGM
1
Public-key FE, GGM
2
Public-key FE, from standard assumptions
3
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑛𝑡𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] for 𝑋 ←𝑆 𝐻𝑀2
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑛𝑡𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] for 𝑋 ←𝑆 𝐻𝑀2 𝑦𝑗𝑧𝑘 + 𝑠
𝑗𝑡 𝑘 T
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑛𝑡𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] for 𝑋 ←𝑆 𝐻𝑀2 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝑔(Ԧ 𝑠, Ԧ 𝑡) T ∀𝑔 ∈ ℤ𝑞
𝑜×𝑛
= 𝑡𝑙𝑔
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑛𝑡𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] for 𝑋 ←𝑆 𝐻𝑀2 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝑔(Ԧ 𝑠, Ԧ 𝑡) T ∀𝑔 ∈ ℤ𝑞
𝑜×𝑛
= 𝑡𝑙𝑔 𝑡𝑙𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡
𝑈
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑛𝑡𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] for 𝑋 ←𝑆 𝐻𝑀2 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝑔(Ԧ 𝑠, Ԧ 𝑡) T ∀𝑔 ∈ ℤ𝑞
𝑜×𝑛
= 𝑡𝑙𝑔 𝑡𝑙𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡
𝑈
∀𝑔 ∈ Collusion
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑞𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] for 𝑋 ←𝑆 𝐻𝑀2 𝑡𝑙𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡
𝑈
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑞𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] for 𝑋 ←𝑆 𝐻𝑀2 𝑡𝑙𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑞𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝜏𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 , for 𝑋 ←𝑆 𝐻𝑀2, 𝜏 ←𝑆 ℤ𝑞 𝑡𝑙𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝜏𝑔(Ԧ 𝑠, Ԧ 𝑡) T ∀𝑔 ∈ ℤ𝑞
𝑜×𝑛
= 𝑓( 𝜏 , 𝑡𝑙𝑔) [𝜏]
𝑓: × → 𝑈 of order 𝑞. 𝑏 = 𝑏 𝑞𝑙 = 𝑠
𝑗 , 𝑡 𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝐹𝑜𝑑(𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦𝑗, 𝜏𝑠
𝑗 𝑋 , 𝑋−1 𝑧𝑘
𝑡
𝑘
for 𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 , for 𝑋 ←𝑆 𝐻𝑀2, 𝜏 ←𝑆 ℤ𝑞 𝑡𝑙𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝜏𝑔(Ԧ 𝑠, Ԧ 𝑡) T ∀𝑔 ∈ ℤ𝑞
𝑜×𝑛
= 𝑓( 𝜏 , 𝑡𝑙𝑔) [𝜏] ∀𝑔 ∈ Collusion
𝑠
𝑗 , 𝑡 𝑘 ⇒ (Ԧ
𝑠
𝑗 𝑈, 0 𝑊], 𝑊−1
Ԧ 𝑡
𝑘
𝑡𝑙𝑔 =
𝑗,𝑘
𝑔
𝑗,𝑘𝑠 𝑗𝑡 𝑘 ⇒ 𝑗,𝑘
𝑔
𝑗,𝑘 Ԧ
𝑠
𝑗 𝑈 Ԧ
𝑡
𝑘
DPVS [OT 08]
𝑠
𝑗 , 𝑡 𝑘 ⇒ (Ԧ
𝑠
𝑗 𝑈, 𝑦𝑗 𝑊], 𝑊−1
Ԧ 𝑡𝑘 𝑧𝑘 𝑡𝑙𝑔 =
𝑗,𝑘
𝑔
𝑗,𝑘𝑠 𝑗𝑡 𝑘 ⇒ 𝑗,𝑘
𝑔
𝑗,𝑘 Ԧ
𝑠
𝑗 𝑈 Ԧ
𝑡
𝑘 + 𝑔( Ԧ
𝑦, Ԧ 𝑧) DPVS [OT 08] DLIN assumption
𝑞𝑙 = (Ԧ 𝑠
𝑗 𝑈, 0 𝑊], 𝑊−1
Ԧ 𝑡
𝑘
𝐹𝑜𝑑 𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 = 𝑦𝑗, 𝜏(Ԧ 𝑠
𝑗 𝑈, 0) 𝑋 , 𝑋−1
𝑧𝑘 Ԧ 𝑡𝑘 , for 𝑋 ←𝑆 𝐻𝑀4, 𝜏 ←𝑆 ℤ𝑞
∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 ∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛
𝑡𝑙𝑔 =
𝑗,𝑘
𝑔
𝑗,𝑘 Ԧ
𝑠
𝑗 𝑈 Ԧ
𝑡
𝑘
[𝜏]
𝑞𝑙 = (Ԧ 𝑠
𝑗 𝑈, 0 𝑊], 𝑊−1
Ԧ 𝑡
𝑘
𝐹𝑜𝑑 𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 = 𝑦𝑗, 𝜏(Ԧ 𝑠
𝑗 𝑈, 0) 𝑋 , 𝑋−1
𝑧𝑘 Ԧ 𝑡𝑘 , for 𝑋 ←𝑆 𝐻𝑀4, 𝜏 ←𝑆 ℤ𝑞 𝑔 Ԧ 𝑦, Ԧ 𝑧 + 𝜏𝑡𝑙𝑔) T ∀𝑔 ∈ ℤ𝑞
𝑜×𝑛
∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 ∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛
𝑡𝑙𝑔 =
𝑗,𝑘
𝑔
𝑗,𝑘 Ԧ
𝑠
𝑗 𝑈 Ԧ
𝑡
𝑘
[𝜏]
𝑞𝑙 = (Ԧ 𝑠
𝑗 𝑈, 0 𝑊], 𝑊−1
Ԧ 𝑡
𝑘
𝐹𝑜𝑑 𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 = 𝑦𝑗, 𝜏(Ԧ 𝑠
𝑗 𝑈, 0) 𝑋 , 𝑋−1
𝑧𝑘 Ԧ 𝑡𝑘 , for 𝑋 ←𝑆 𝐻𝑀4, 𝜏 ←𝑆 ℤ𝑞
∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 ∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛
𝑔 Ԧ 𝑦, Ԧ 𝑧 + 𝜏𝑡𝑙𝑔) T ∀𝑔 ∈ ℤ𝑞
𝑜×𝑛
𝑡𝑙𝑔 =
𝑗,𝑘
𝑔
𝑗,𝑘 Ԧ
𝑠
𝑗 𝑈 Ԧ
𝑡
𝑘
[𝜏] ∀𝑔 ∈ Collusion
𝑞𝑙 = (Ԧ 𝑠
𝑗 𝑈, 0 𝑊], 𝑊−1
Ԧ 𝑡
𝑘
𝐹𝑜𝑑 𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 = 𝑦𝑗, 𝜏(Ԧ 𝑠
𝑗 𝑈, 0) 𝑋 , 𝑋−1
𝑧𝑘 Ԧ 𝑡𝑘 , for 𝑋 ←𝑆 𝐻𝑀4, 𝜏 ←𝑆 ℤ𝑞
∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 ∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛
𝑔 Ԧ 𝑦, Ԧ 𝑧 + 𝜏𝑡𝑙𝑔) T ∀𝑔 ∈ ℤ𝑞
𝑜×𝑛
𝑡𝑙𝑔 =
𝑗,𝑘
𝑔
𝑗,𝑘 Ԧ
𝑠
𝑗 𝑈 Ԧ
𝑡
𝑘
[𝜏] ∀𝑔 ∈ Collusion DLIN assumption
Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings 𝑛 = Ԧ 𝑦, Ԧ 𝑧 ∈ ℤ𝑞
𝑜 × ℤ𝑞 𝑛
𝑔 = 𝑔
𝑗,𝑘 𝑗∈ 𝑜 ,𝑘∈[𝑛] ∈ ℤ𝑞 𝑜×𝑛
𝑔 𝑛 = Ԧ 𝑦𝑈𝑔 Ԧ 𝑧 ct size = 𝑃(𝑜 + 𝑛)
Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Quadratic: Assumption: Security: ct size: Our work SXDH & 3-PDDH SEL-IND 6 𝑜 + 𝑛 + 2 Our work GGM AD-IND 2 𝑜 + 𝑛 + 2
Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Open More expressive? standard