Download presentation

Presentation is loading. Please wait.

Published byElijah McDermott Modified over 2 years ago

1
Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko The University of Texas at Austin Tatsuaki Okamoto NTT Amit Sahai UCLA Katsuyuki Takashima Mitsubishi Electric Brent Waters The University of Texas at Austin

2
Functional Encryption Functionality f(x,y) – specifies what will be learned about ciphertext x y

3
Application Who should be able to read my data? access policy

4
Attribute-Based Encryption [SW05] Ciphertexts: associated with access formulas Secret Keys: associated with attributes (A Ç B) Æ C {A, C} Decryption: {A, C} Message {A, C} satisfies (A Ç B) Æ C (A Ç B) Æ C

5
ABE Example Medical researcher OR Doctor AND Hospital Y AND Company X {Doctor, Hospital Z} {Nurse, Hospital Y}

6
ABE Algorithms Setup ( ¸, U) Encrypt(PP, M, Access formula) KeyGen(PP, MSK, Set of attributes) Decrypt(PP, SK, CT) M MSKPublic Params

7
Security Definition (ABE) [IND-CPA GM84] ChallengerAttacker Public Params MSK Setup PhaseKey Query Phase I S1S1 S1S1 S2S2 S2S2 Challenge PhaseKey Query Phase II Attacker must guess b S i : set of attributes

8
Proving Security Hard problem ABE attacker Simulator Hard problemABE breaks ABE

9
Challenges in Proving Security Simulator must: respond to key requests leverage attackers success on challenge

10
Partitioning Previous approach for IBE – Partitioning [BF01, BB04, W05] Key Space Challenge Key Requests We hope: Key Request Challenge Key RequestAbort Challenge Abort

11
Partitioning with More Structure ID 0 ID 0 :ID 1 ID 0 :ID 2 ID 0 :ID 1 :ID 3 ID 0 :ID 2 :ID 4 ID 0 :ID 2 :ID 5 HIBE: Exponential security degradation in depth ABE:( A Ç B Ç C) Æ (A Ç D) … Exponential security degradation in formula length

12
Previous Solutions Selective Security Model: Attacker declares challenge before seeing Public Parameters A weaker model of security To go to standard model by guessing –> exponential loss Until recently, only results were in this model Exception: Fully secure HIBE with polynomially many levels [G06, GH09]

13
Dual System Encryption [W09] New methodology for proving full security No partitioning, no aborts Simulator prepared to make any key and use any key as the challenge

14
Dual System Encryption Normal Semi-Functional Normal Semi-Functional Used in real system Types are indistinguishable (with a caveat)

15
Hybrid Security Proof Normal keys and ciphertext Normal keys, S.F. ciphertext S.F. ciphertext, keys turn S.F. one by one Security now much easier to prove

16
Previously on Dual System Encryption… [W09] Fully secure IBE and HIBE [LW10] Fully secure HIBE with short CTs negligible correctness error ciphertext size linear in depth of hierarchy no correctness error CT = constant # group elements closely resembles selectively secure scheme [BBG05]

17
Our Results - ABE Fully secure ABE arbitrary monotone access formulas security proven from static assumptions closely resembles selectively secure schemes [GPSW06, W08]

18
ABE – Solution Framework G = a bilinear group of order N = p 1 p 2 p 3 e: G £ G ! G T is a bilinear map Subgroups G p 1, G p 2, G p 3 – orthogonal under e, e.g. e(G p 1, G p 2 ) = 1 Gp1Gp1 Gp2Gp2 Gp3Gp3 G p 1 = main scheme G p 2 = semi-functional space G p 3 = randomization for keys

19
ABE – Solution Framework Normal S.F. Gp1Gp1 Gp2Gp2 Gp3Gp3 Decryption: Key paired with CT under e

20
Technical Challenge Achieve nominal semi-functionality: [LW10] S.F. key and S.F. CT correlated - decryption works in simulators view regular S.F. key in attackers view ? simulator cant test for S.F.

21
Key Technique Semi-functional space imitates the main scheme Linear Secret Sharing Scheme: shares reconstructed in parallel in G p 1 and G p 2 Regular s.f. : red secret is random, masks blue result Nominal s.f. : red secret is 0, wont hinder decryption shares secret

22
Key Technique Attacker doesnt have key capable of decrypting Attacker cant distinguish nominal from regular s.f. Oh no! I was fooled! Value shared in s.f. space is info-theoretically hidden

23
Illustrative Example AND shared value = x AB share = zshare = x-z {A} ? ?

24
Technical Challenge Hiding the shared value in the CT: blinding factors linked to attributes where g 1 2 G p 1 g 2 2 G p 2 Ciphertext elements are of the form: g 1 a ± 1 + z 1 r 1 g 2 ± 2 + z 2 r 2 g 1 r 1 g 2 r 2 shareblinding random shareblinding random Attributes can only be used once in the formula

25
Encoding Solution Example: To use an attribute A up to 4 times : A A:1A:2A:3A:4 (A Æ B) Ç (A Æ C) becomes (A:1 Æ B) Ç (A:2 Æ C) max times used fixed at setup It would be better to get rid of the one-use restriction Open problem

26
Summary of ABE result Full security ABE Static assumptions Similar to selectively secure schemes

27
Inner Product Encryption [KSW08] Ciphertexts and secret keys: associated with vectors x v Decryption: v x if x ¢ v = 0 Message Advantage: ciphertext policy can be hidden

28
Coming Attractions Stay tuned for CRYPTO 2010: full security for Inner Product/ Attribute-Based Encryption from decisional Linear Assumption by Okamoto and Takashima

29
Questions?

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google