Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.

Published byKristian Morris Modified over 9 years ago

Similar presentations

Presentation on theme: "Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters."— Presentation transcript:

1 Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters

2 2 Identity-Based Encryption [S84,BF01,C01] Public ParamsMSK ID’ ID Authority Decrypt iff ID’ = ID

3 IBE Security [BF01] Challenger M 0, M 1, ID *  ID i (challenge ID) Attacker Public Params ID 1 … ID Q bEnc(M b, PP, ID * ) b’ Adv = Pr[b’=b] -1/2

4 IBE Security Proofs  “Partitioning” [BF01, C01, CHK03, BB04, W05] Simulator Challenge Space ID Space Priv. Key Space  2 Goals:  Answer Attacker Queries  Use Attacker Response Attacker

5 Partitioning and Aborts Simulator ID Space Priv. Key Space Challenge Space ID 1 ID 2 … … ID Q ID * (challenge ID)  Attacker Abort and try again

6 Finding a Balance Simulator Challenge Space ID Space Priv. Key Space  Aborts effect security loss  Challenge Space -> “right size”  C.S. = 1/Q (for Q queries ) => 1/Q no abort

7 Structure gives problems!  Hierarchical IBE  Q queries per HIBE level => (1/Q) depth loss  Attribute-Based Encryption similar :edu :gov Partitioning won’t work!

8 The Gentry Approach [G06,GH09]  Ready for both  Shove degree Q poly into Short params => Complex Assumption

9 Our Results  IBE (w/ short parameters)  HIBE  Broadcast Encryption  Full Security  Simple Assumption: Decision Linear Given: g, u, v, g a, u b, Dist: v a+b from R

10 Dual System Encryption  2 types of Keys & CTs ID Normal ID Semi-Functional ID Normal Semi-Functional Used in real system ID  Types are indist. (with a caveat)

11 Principles Simulator  No aborts  Change things slowly  Hybrid over keys form  Goal: Everything Semi Functional I’m ready for anything!

12 Proof Overview – 3 Steps Simulator 1)Challenge CT  Semi Func. 2)Keys  Semi. Func. (one at a time!!) 3)Argue Security ID 1 ID 2 … ID Q ID * ID 1 ID 2 ID Q ID

13 Problem: Simulator can test keys! Simulator  Create S.F. CT for “Bob” and unknown key for “Bob”  Decryption works iff key is normal “Bob” ?

14 Resolution: Tweak Semantics  Add “tags” t c, t k to C.T. and Key  Decrypt iff ID c = ID k AND t c  t k  Negl. correctness error (can patch)  SW08 revocation ID c, t c ID K, t K

15 Problem: Simulator can test keys! Simulator  Sim. Picks A, B 2 Z p : F(ID) = A ¢ ID + B  Challenge CT and unknown key tags  F(ID) “Bob”, t k =x ? “Bob”, t c =x  Dec. Fails regardless of Semi Functionality!  2 different IDs look independent  Hybrid  simple assumption

16 How it is built  Subgroup version N= p 1 p 2 p 3 ID Normal ID Normal S.F. ID S.F. p2p2 p1p1 p3p3

17 Glimpse of Subgroup Construction Setup:  Similarities to Boneh-Boyen04  D. Linear same concepts, more messy KeyGen(ID): Encrypt(ID,M):

18 Conclusions and Speculation  Dual Encryption: Change Forms First!  One by one  Small Assumptions  HIBE, B.E. became easier  Prediction: ABE + Functional Enc.  Need new techniques  Prediction: Simple Assumptions & Full Security

19 Dual Interpretation Selective Security + Assumptions were bad  Not ultimately necessary Interpretation 1: They lead us in the right directions  Full secure schemes “look like” selective  Gentry06 beyond partitioning Alternative:

20 20 Thank you

21 The Gentry Approach [G06,GH09]  Ready for both  Simulator 1-key per identity – always looks good  Shove degree Q poly into Short params => Complex Assumption

Download ppt "Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters."

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Allison Lewko TexPoint fonts used in EMF.

Allison Lewko TexPoint fonts used in EMF.
Functional Encryption & Property Preserving Encryption

Functional Encryption & Property Preserving Encryption
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.

Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.
See you at the next conference! Hope you like our slides Hello everybody!

See you at the next conference! Hope you like our slides Hello everybody!
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.

Garbled RAM, Revisited Daniel Wichs (Northeastern University) Joint work with: Craig Gentry, Shai Halevi, Seteve Lu, Rafail Ostrovsky, Mariana Raykova.
On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),

On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Dennis Hofheinz, Jessica Koch, Christoph Striecks

Dennis Hofheinz, Jessica Koch, Christoph Striecks
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

Similar presentations

Ads by Google