# Dual System Encryption: Concept, History and Recent Works

Jongkil Kim


Introduction
– Strategy of Security Proof
– Partitioning Technique
– Dual System Encryption
  – Semi-functionality
  – Nominally Semi-functionality
– Encodings
– References

Strategy of Security Proof
Claim: the mathematical problem is hard => our construction is secure under a security model.
Proof by contradiction:
– Assume that our construction is not secure under a security model.
– Then the mathematical problem is not hard.
– CONTRADICTION! Our construction is secure!

Strategy of Security Proof
– Assume that our construction is not secure under a security model.
– The mathematical problem is not hard.
– Assume there exists an adversary that harms our security model.
– We can break the hard mathematical problem using the adversary.
– Show that breaking our security model is equivalent to breaking the hard mathematical problem.

Strategy of Security Proof
– "Harms the security model"? An adversary having a non-negligible advantage in winning the security game.
– Notation and definitions: X: a decryption (the input to KeyGen), Y: a predicate (the input to Enc), R: a function between X and Y. If $R(X, Y) = 1$, the key can decrypt the ciphertext; otherwise ($R(X, Y) = 0$) it cannot. For example, in IBE, $R(ID_A, ID_A) = 1$ but $R(ID_A, ID_B) = 0$.
– A public key encryption system consists of four randomized algorithms: Setup, KeyGen, Enc, Dec.

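Adaptive security model (CPA Security)
[Diagram: game between the Simulator and the Adversary]
– Setup: the adversary sends a public key query; the simulator runs Setup and returns the public key.
– Phase I: the adversary sends private key queries ($X_i$; ); the simulator runs KeyGen(MSK, PP, $X_i$) and returns the private key.
– Challenge: the adversary sends a challenge query ($M_0$, $M_1$, $Y$); the simulator runs Enc(PP, $M_B$, $Y$) and returns the challenge ciphertext.
– Phase II: the adversary sends private key queries ($X_i$; ); the simulator runs KeyGen(MSK, PP, $X_i$) and returns the private key.
– Guess: the adversary guesses 0 or 1.
– Diagram annotation: "Y", "Selective".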

Partitioning Technique
– Partitioning the key space => only selective security if the functionality of the public key scheme becomes complicated (such as ABE, IPE, Spatial Encryption, …).
[Figure: the key space $X_1, X_2, \dots, X_q$ and the challenge $Y$, shown across Phase I, Challenge and Phase II]

Dual System Encryption
– Introduced by Waters [Crypto 2009].
– It uses semi-functional ciphertexts and semi-functional keys, which are only used in the security proof.
– In Dual System Encryption, the security of an encryption scheme is proved by showing the following:
  – Semi-functional ciphertext invariance
  – Semi-functional key invariance
  – Semi-functional security

Semi-functionality
[Table "Decrypt?": columns Normal Key and Semi-functional Key; rows Normal Ciphertext and Semi-functional Ciphertext; cell entries "Yes!" and "No…"]
We must show that two security games are invariant:
– Game Real: all keys and the challenge ciphertext are normal.
– Game Final: all keys and the challenge ciphertext are semi-functional. Additionally, the message is replaced by a random message.
– Between both: Game 0, Game 1, Game 2, …, Game q.

Semi-functional Ciphertext Invariance
Invariance between Game Real and Game 0.
[Diagram: Setup, Phase I, Challenge, Phase II and Guess between the Simulator and the Adversary: public key query / public key; private key query (X) / private key; challenge query ($M_0$, $M_1$, $Y$) / challenge ciphertext ($M_B$); private key query (X) / private key; guess 0 or 1. Labels: Game Real; "Semi-functional" for Game 0; Game Real ≈ Game 0 (invariant).]

Invariance of two games
– Assume that two games are indistinguishable.
– The mathematical problem is hard.
– Assume there exists an adversary who distinguishes the two games.
– We can break the hard mathematical problem using the adversary.
– Show that distinguishing the two games is equivalent to breaking the hard mathematical problem.

Semi-functional Ciphertext Invariance
Invariance between Game 0 and Game q.
[Diagram: Phase I, Challenge and Phase II between the Simulator and the Adversary: private key queries ($X_1$), ($X_2$), …, ($X_q$) return private keys 1, 2, …, q; the challenge query ($M_0$, $M_1$, $Y$) returns the challenge ciphertext ($M_B$). "Semi-functional" labels mark Game 0, Game 1, Game 2, …, Game q, with Game 0 ≈ Game 1 ≈ Game 2 ≈ … ≈ Game q.]

Semi-functional Key Invariance – Mathematical Induction
– We already showed that Game 0 is invariant with Game Real.
– We now show that Game $k$ is invariant with Game $k-1$.
  – This is a critical part of the security proof because the relation between the $k$-th key and the challenge ciphertext is changed.
  – We must prove that the normal key, which can decrypt the normal CT, is indistinguishable from the semi-functional key, which cannot.

Semi-functional Key Invariance
Invariance between Game $k-1$ and Game $k$.
– Assume there exists an adversary who distinguishes the two games.
– We can break the hard mathematical problem using the adversary.
– Show that distinguishing the two games is equivalent to breaking the hard mathematical problem.
– Plus: the simulator can distinguish the $k$-th key by generating a valid semi-functional ciphertext for the $k$-th key and trying to decrypt it with the $k$-th key. There is no limitation on the simulator in the security model!

Dual System Encryption
How to prevent this paradox:
– In Waters' construction, if the simulator generates the semi-functional ciphertext to distinguish, $Tag_c$ must be equal to $Tag_k$:
  $Tag_c = F(ID_Y) = A \cdot ID_Y + B$
  $Tag_k = F(ID_X) = A \cdot ID_X + B$
– But this is hidden by a pairwise independence argument, because $ID_X$ does not equal $ID_Y$, if $A$ and $B$ are initially information-theoretically hidden.

Nominally Semi-functionality
– Introduced by Lewko and Waters [TCC 2010].
– Similar to Waters' construction: if the simulator generates a semi-functional ciphertext to test whether the $k$-th key is semi-functional or normal, the semi-functional parts cancel out. So the $k$-th key is nominally semi-functional, because it can decrypt the semi-functional challenge ciphertext.

How to hide the Nominality
– We must also show that this nominally semi-functional key is invariant with a semi-functional key.
– In other words, we must show that the correlation between the semi-functional parts of the nominally semi-functional key and the challenge ciphertext is hidden, by using one of the following:
  – Pairwise independence
  – n-wise independence
  – Linear independence
  – Information-theoretic hiding
– Maybe there are some more, but not so many!

Hidden Lemma
– General lemma for semi-functional key invariance: assume there exists an adversary who distinguishes Game $k-1$ and Game $k$; then we can break the hard mathematical problem (SD) using the adversary.
– But this is an abstraction of two lemmas.

Nominally Semi-functionality
IBE in composite order:
– KeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} Z_1$, $K_2 := g_1^{r} Z_2$
– Enc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s}$, $C_2 := g_1^{s(A \cdot ID + B)}$
– SFKeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} g_2^{r'a} Z_1$, $K_2 := g_1^{r} g_2^{r'} Z_2$
– SFEnc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s} g_2^{s'}$, $C_2 := g_1^{s(A \cdot ID + B)} g_2^{s'b}$

Hidden Lemmas
– Let Game $k'$ be the game identical to Game $k-1$, except that the $k$-th key is nominally semi-functional.
– Assume there exists an adversary who distinguishes Game $k-1$ and Game $k'$. We can break the hard mathematical problem using the adversary.
– NSFKeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} g_2^{r'(A' \cdot ID + B')} Z_1$, $K_2 := g_1^{r} g_2^{r'} Z_2$
– SFEnc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s} g_2^{s'}$, $C_2 := g_1^{s(A \cdot ID + B)} g_2^{s'(A' \cdot ID + B')}$

Hidden Lemmas
– Let Game $k'$ be the game identical to Game $k-1$, except that the $k$-th key is nominally semi-functional.
– Assume there exists an adversary who distinguishes Game $k'$ and Game $k$. We can break the information-theoretically hidden argument using the adversary.
– NSFKeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} g_2^{r'(A' \cdot ID + B')} Z_1$, $K_2 := g_1^{r} g_2^{r'} Z_2$
– SFEnc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s} g_2^{s'}$, $C_2 := g_1^{s(A \cdot ID + B)} g_2^{s'(A' \cdot ID + B')}$
[Slide annotations: a, b]

Why is this possible?
– The semi-functional parts of the private key and the ciphertext are just twins of their normal parts.
– But why is applying the information-hiding argument possible?
– The public key and the other semi-functional keys do not reveal any information about the semi-functional parts!

Semi-functional Security
Invariance between Game q and Game Final.
[Diagram: Setup, Phase I, Challenge, Phase II and Guess between the Simulator and the Adversary: public key query / public key; private key query (X) / private key; challenge query ($M_0$, $M_1$, $Y$) / challenge ciphertext ($M_B$); private key query (X) / private key; guess 0 or 1. Labels: Game q, semi-functional; Game Final, semi-functional, with R: random message; Game q ≈ Game Final (invariant).]

DSE via Encodings
Pair Encoding [Eurocrypto 2014] and Predicate Encoding [TCC 2014]:
– Many public key schemes proved by Dual System Encryption share the same proof strategy.
– It means it can be formalized! => New direction for security proofs!
We only need our new scheme to satisfy the following properties:
– Linearity
– Parameter vanishing
– Perfect master key hiding

DSE via Encoding
– Linearity: $K(\alpha'; x, h, r') + K(\alpha''; x, h, r'') = K(\alpha' + \alpha''; x, h, r' + r'')$
– Parameter vanishing: $K(\alpha; x, h, 0) = K(\alpha; x, h', 0)$
– Perfect master key hiding: given $c(s; y, h)$, for all $\alpha, \alpha'$, if $R(x, y) = 0$, then $K(\alpha; x, h, r)$ and $K(\alpha'; x, h, r)$ are statistically invariant.

Encoding example (IBE)
Construction:
– Setup(λ) -> $N = p_1 p_2 p_3$, $PP = \{g_1^{A}, g_1^{B}\}$, $MSK = \{\alpha, X_3\}$
– KeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} Z_1$, $K_2 := g_1^{r} Z_2$
– Enc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s}$, $C_2 := g_1^{s(A \cdot ID + B)}$
– Dec($SK_{ID}$, $CT_{ID}$)
  $M = C \cdot e(K_2, C_2) / e(K_1, C_1)$

Encoding example
Encoding:
– $K(\alpha; ID, (A, B), r) = (\alpha + r(A \cdot ID + B), r)$
– $c(s; ID, (A, B)) = (s, s(A \cdot ID + B))$
Linearity:
– $(\alpha + r(A \cdot ID + B), r) + (\alpha' + r'(A \cdot ID + B), r') = (\alpha + \alpha' + (r + r')(A \cdot ID + B), r + r')$
Parameter vanishing:
– $(\alpha + 0 \cdot (A \cdot ID + B), 0) = (\alpha + 0 \cdot (A' \cdot ID + B'), 0)$

Encoding example
Encoding:
– $K(\alpha; ID, (A, B), r) = (\alpha + r(A \cdot ID + B), r)$
– $c(s; ID, (A, B)) = (s, s(A \cdot ID + B))$
Perfect master key hiding:
– Given $(s, s(A \cdot ID^* + B))$.
– For an ID which does not equal $ID^*$, $A \cdot ID + B$ is randomly distributed (pairwise independent).
– Hence, $(\alpha + r(A \cdot ID + B), r)$ is statistically invariant with $(\alpha' + r(A \cdot ID + B), r)$ to the adversary.
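The three encoding properties above, together with the cancellation behind nominal semi-functionality from the earlier slides, can be checked exhaustively in a toy model. This is an added example, not part of the presentation: it tracks exponents modulo a small prime instead of working in a composite-order pairing group, and the prime `P`, the helper names and the sample identities are assumptions.

```python
from collections import Counter
from itertools import product

P = 11  # toy prime standing in for a subgroup order (constructed value)
H = list(product(range(P), repeat=2))  # every possible h = (A, B)

def K(alpha, ident, h, r):
    """Key encoding K(alpha; ID, (A,B), r) = (alpha + r(A*ID + B), r)."""
    A, B = h
    return ((alpha + r * (A * ident + B)) % P, r % P)

def c(s, ident, h):
    """Ciphertext encoding c(s; ID, (A,B)) = (s, s(A*ID + B))."""
    A, B = h
    return (s % P, s * (A * ident + B) % P)

def pair(key, ct):
    """Exponent of e(K1, C1) / e(K2, C2) within one subgroup."""
    return (key[0] * ct[0] - key[1] * ct[1]) % P

def linearity_holds(ident, h):
    def add(u, v):
        return tuple((a + b) % P for a, b in zip(u, v))
    return all(add(K(a1, ident, h, r1), K(a2, ident, h, r2))
               == K(a1 + a2, ident, h, r1 + r2)
               for a1, a2, r1, r2 in product(range(P), repeat=4))

def vanishing_holds(ident):
    # With r = 0 the key encoding must not depend on h at all.
    return all(K(a, ident, h, 0) == K(a, ident, H[0], 0)
               for a in range(P) for h in H)

def view(alpha, key_id, ct_id, r=3, s=5):
    """Joint distribution of (ciphertext, key) over uniformly random h."""
    return Counter((c(s, ct_id, h), K(alpha, key_id, h, r)) for h in H)

def hides_master_key(key_id, ct_id):
    """True when the adversary's view is identical for every alpha."""
    return all(view(a, key_id, ct_id) == view(0, key_id, ct_id) for a in range(P))

def sf_pair(a, b, r2=4, s2=7):
    """G_p2 exponent left after pairing SF key (r'a, r') with SF ct (s', s'b)."""
    return pair((r2 * a % P, r2), (s2, s2 * b % P))

if __name__ == "__main__":
    h = (2, 9)
    print("alpha*s, linearity, vanishing:", pair(K(6, 4, h, 3), c(5, 4, h)),
          linearity_holds(4, h), vanishing_holds(4))
    print("hiding for ID != ID*, ID == ID*:", hides_master_key(4, 7), hides_master_key(4, 4))
    print("nominal (a == b) vs semi-functional:", sf_pair(6, 6), sf_pair(2, 5))
```

Master key hiding fails when the key and ciphertext identities match, which is exactly the case $R(x, y) = 1$ that the property excludes; `sf_pair` returns 0 only when $a = b$, the nominally semi-functional case in which decryption still succeeds.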

References
– [Eurocrypto 2014] N. Attrapadung. Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more. In P. Q. Nguyen and E. Oswald, editors, EUROCRYPT, volume 8441 of Lecture Notes in Computer Science, pages 557–577. Springer, 2014.
– [Crypto 2009] B. Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In S. Halevi, editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages 619–636. Springer, 2009.
– [TCC 2014] H. Wee. Dual system encryption via predicate encodings. In Y. Lindell, editor, TCC, volume 8349 of Lecture Notes in Computer Science, pages 616–637. Springer, 2014.
– [TCC 2010] A. Lewko and B. Waters. New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In TCC, 2010.
