Junqing Gong Xiaolei Dong, Jie Chen, Zhenfu Cao Shanghai Jiao - - PowerPoint PPT Presentation
Junqing Gong Xiaolei Dong, Jie Chen, Zhenfu Cao Shanghai Jiao Tong University East China Normal University ASIACRYPT 2016, Hanoi, Vietnam Dec 7, 2016 background motivation strategy technical result 1: revisiting
ASIACRYPT 2016, Hanoi, Vietnam Dec 7, 2016
Xiaolei Dong, Jie Chen, Zhenfu Cao East China Normal University Junqing Gong Shanghai Jiao Tong University
ππ’ π½πΈ π‘ππ½πΈ πππ πππ
β¦
revealed keys ππ’ π½πΈ π‘ππ½πΈ πππ πππ πππ
β¦
revealed keys ππ’ challenger adversary π βπ {0,1} π½πΈ
π β IDβ
πππ πβ² π½πΈ
π
π‘ππ½πΈπ ππ’π½πΈβ,ππ π0, π1 π = πβ²? π½πΈ
π
π‘ππ½πΈπ
formal definition
π½πΈ π‘ππ½πΈ πππ πππ πππ
β¦
revealed keys ππ’ challenger adversary π βπ {0,1} π½πΈ
π β IDβ
πππ πβ² π½πΈ
π
π‘ππ½πΈπ ππ’π½πΈβ,ππ π0, π1 π = πβ²? π½πΈ
π
π‘ππ½πΈπ
formal definition
π½πΈ π‘ππ½πΈ πππ πππ πππ query phase
β¦
revealed keys ππ’ challenger adversary π βπ {0,1} π½πΈ
π β IDβ
πππ πβ² π½πΈ
π
π‘ππ½πΈπ ππ’π½πΈβ,ππ π0, π1 π = πβ²? π½πΈ
π
π‘ππ½πΈπ
formal definition
π½πΈ π‘ππ½πΈ πππ πππ πππ query phase challenge phase
ππΆ
reduction loss = ππ΅/ππΆ
ππΆ
reduction loss = ππ΅/ππΆ
ππΆ tighter reduction smaller reduction loss
reduction loss = ππ΅/ππΆ
ππΆ tighter reduction smaller reduction loss more efficient implementation better theoretical result
basic/single-challenge setting + multiple challenge queries: more than one challenge ct + multiple instances: multiple mpk
query phase challenge phase
β¦β¦
query phase challenge phase challenge phase query phase
πππ1, πππ2, β¦ , ππππ€ πβ²
basic/single-challenge setting + multiple challenge queries: more than one challenge ct + multiple instances: multiple mpk
single-challenge setting multi-challenge setting
query phase challenge phase
β¦β¦
query phase challenge phase challenge phase query phase
πππ1, πππ2, β¦ , ππππ€ πβ²
basic/single-challenge setting + multiple challenge queries: more than one challenge ct + multiple instances: multiple mpk
single-challenge setting multi-challenge setting NOT tightness preserving
query phase challenge phase
β¦β¦
query phase challenge phase challenge phase query phase
πππ1, πππ2, β¦ , ππππ€ πβ²
basic/single-challenge setting + multiple challenge queries: more than one challenge ct + multiple instances: multiple mpk
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime k-lin 2k + 2k BKP14 no prime k-lin k + (k+1) HKS15 yes composite static 1 + 1 AHY15 yes prime stronger 2-lin 4 + 4 (k=2) GCD+16 yes prime k-lin 3k + 3k stronger k-lin 2k + 2k
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime k-lin 2k + 2k BKP14 no prime k-lin k + (k+1) HKS15 yes composite static 1 + 1 AHY15 yes prime stronger 2-lin 4 + 4 (k=2) GCD+16 yes prime k-lin 3k + 3k stronger k-lin 2k + 2k more realistic
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime k-lin 2k + 2k BKP14 no prime k-lin k + (k+1) HKS15 yes composite static 1 + 1 AHY15 yes prime stronger 2-lin 4 + 4 (k=2) GCD+16 yes prime k-lin 3k + 3k stronger k-lin 2k + 2k more realistic more efficient in general
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime k-lin 2k + 2k BKP14 no prime k-lin k + (k+1) HKS15 yes composite static 1 + 1 AHY15 yes prime stronger 2-lin 4 + 4 (k=2) GCD+16 yes prime k-lin 3k + 3k stronger k-lin 2k + 2k
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime k-lin 2k + 2k BKP14 no prime k-lin k + (k+1) HKS15 yes composite static 1 + 1 AHY15 yes prime stronger 2-lin 4 + 4 (k=2) GCD+16 yes prime k-lin 3k + 3k stronger k-lin 2k + 2k
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime k-lin 2k + 2k BKP14 no prime k-lin k + (k+1) HKS15 yes composite static 1 + 1 AHY15 yes prime stronger 2-lin 4 + 4 (k=2) GCD+16 yes prime k-lin 3k + 3k stronger k-lin 2k + 2k
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime k-lin 2k + 2k BKP14 no prime k-lin k + (k+1) HKS15 yes composite static 1 + 1 AHY15 yes prime stronger 2-lin 4 + 4 (k=2) GCD+16 yes prime k-lin 3k + 3k stronger k-lin 2k + 2k
assumption ciphertext size CW13 k-lin 2k + 2k BKP14 k + (k+1) = 2k + 1
assumption ciphertext size CW13 k-lin 2k + 2k BKP14 k + (k+1) = 2k + 1
assumption ciphertext size CW13 k-lin 2k + 2k BKP14 k + (k+1) = 2k + 1
MAC tag for ID
commitment key commitment to SKMAC: MAC tag for ID
commitment key commitment to SKMAC: Groth-Sahai proof for correctness of the tag MAC tag for ID
a simple substitution
a simple substitution
a simple substitution
οΌ no ππ,π ; οΌ ππ,π are in the normal space; οΌ π²π,π are in the SF space.
rewrite define
rewrite define
k+1 k k
MPK CT SK
k+1 k k+1 1 k
k+1 k k
MPK CT SK
k+1 k k+1 1 k
[CGW15] J. Chen, R. Gay, H. Wee. Improved Dual System ABE in Prime-Order Groups via Predicate Encodings. EUROCRYPT 2015.
k+1 k k
MPK CT SK
k+1 k
π, π β π Γ {0,1}
k+1 1 k
k+1 k k
MPK CT SK
k+1 k
π, π β π Γ {0,1}
k+1 1 k
simple sk (no base π)
they do not need parameter-hiding property
k+1 k k
MPK CT SK
k+1 k
π, π β π Γ {0,1}
k+1 1 k
smaller matrices
they employ a better mechanism for nested-hiding indistinguishability
simple sk (no base π)
they do not need parameter-hiding property
dual system group nested dual system group CW14 CW13 CGW15 extension identity based encryption non-tight tight
dual system group nested dual system group CW14 CW13 CGW15 simplified BKP14 similar similar identity based encryption non-tight tight
dual system group nested dual system group CW14 CW13 CGW15 simplified BKP14 identity based encryption non-tight tight similar similar
nested dual system group prime-order instantiation CW13 realize
nested dual system group generalized nested dual system group prime-order instantiation CW13 realize
nested dual system group generalized nested dual system group prime-order instantiation CW13 prime-order instantiation motivated by BKP14 and CGW15 realize realize
nested dual system group generalized nested dual system group prime-order instantiation CW13 prime-order instantiation motivated by BKP14 and CGW15 realize simplified BKP14 realize
revisit
revisit
k+1 k k
MPK
k+1 k k+1 1 k
[GCD+16] J. Gong, J. Chen, X. Dong, Z. Cao, S. Tang. Extended Nested Dual System Groups, Revisited. PKC 2016. [GHKW16] R. Gay, D. Hofheinz, E. Kiltz, H. Wee. Tightly CCA-Secure Encryption without Pairings. EUROCRYPT 2016.
k+1 k k
MPK
k+1 k k+1 1 k
Dimension extension:
3k 3k 3k
[GCD+16] J. Gong, J. Chen, X. Dong, Z. Cao, S. Tang. Extended Nested Dual System Groups, Revisited. PKC 2016. [GHKW16] R. Gay, D. Hofheinz, E. Kiltz, H. Wee. Tightly CCA-Secure Encryption without Pairings. EUROCRYPT 2016.
[GCD+16] J. Gong, J. Chen, X. Dong, Z. Cao, S. Tang. Extended Nested Dual System Groups, Revisited. PKC 2016. [GHKW16] R. Gay, D. Hofheinz, E. Kiltz, H. Wee. Tightly CCA-Secure Encryption without Pairings. EUROCRYPT 2016.
Define bases for three spaces: normal space β§-semi-functional space βΌ-semi-functional space
[GCD+16] J. Gong, J. Chen, X. Dong, Z. Cao, S. Tang. Extended Nested Dual System Groups, Revisited. PKC 2016. [GHKW16] R. Gay, D. Hofheinz, E. Kiltz, H. Wee. Tightly CCA-Secure Encryption without Pairings. EUROCRYPT 2016.
Define bases for three spaces:
normal space β§-semi-functional space βΌ-semi-functional space
[GCD+16] J. Gong, J. Chen, X. Dong, Z. Cao, S. Tang. Extended Nested Dual System Groups, Revisited. PKC 2016. [GHKW16] R. Gay, D. Hofheinz, E. Kiltz, H. Wee. Tightly CCA-Secure Encryption without Pairings. EUROCRYPT 2016.
CT SK
CT SK
CT SK
unchanged: k ο k unchanged: k ο k
generalized nested dual system group prime-order instantiation motivated by BKP14 and CGW15 realize
generalized extended nested dual system group generalized nested dual system group prime-order instantiation motivated by BKP14 and CGW15 realize
[GCD+16]
generalized extended nested dual system group generalized nested dual system group prime-order instantiation [GCD+16] + [GHKW16] prime-order instantiation motivated by BKP14 and CGW15 realize
[GCD+16]
generalized extended nested dual system group generalized nested dual system group prime-order instantiation [GCD+16] + [GHKW16] prime-order instantiation motivated by BKP14 and CGW15 realize realize
[GCD+16]
generalized extended nested dual system group generalized nested dual system group prime-order instantiation [GCD+16] + [GHKW16] prime-order instantiation motivated by BKP14 and CGW15 realize realize
[GCD+16]
revisit extend
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime k-lin 2k + 2k BKP14 no prime k-lin k + (k+1) HKS15 yes composite static 1 + 1 AHY15 yes prime stronger 2-lin 4 + 4 (k=2) GCD+16 yes prime k-lin 3k + 3k stronger k-lin 2k + 2k this work yes prime k-lin k+3k
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime
4 BKP14 no prime
3 HKS15 yes composite static 2 AHY15 yes prime stronger 2-lin 8 GCD+16 yes prime
6 stronger 2-lin 8 this work yes prime
4
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime
4 BKP14 no prime
3 HKS15 yes composite static 2 AHY15 yes prime stronger 2-lin 8 GCD+16 yes prime
6 stronger 2-lin 8 this work yes prime
4
multi-challenge bilinear groups assumption ciphertext size CW13 no composite & prime
4 BKP14 no prime
3 HKS15 yes composite static 2 AHY15 yes prime stronger 2-lin 8 GCD+16 yes prime
6 stronger 2-lin 8 this work yes prime
4
1.
revisit/simplify BKP14 IBE
οΌ a new instantiation of (generalized) nested dual system group οΌ compare CW13 and BKP14 in a more clear way 2.
extend simplified BKP14 to the multi-challenge setting
οΌ achieve short ciphertexts (also high performance in other aspects) under standard assumption οΌ lead to the most efficient concrete construction
οΌ both of them are weak anonymous [AHY15] οΌ βweakβ means each id has unique secret key
additional feature