2 Functional Encryption Plain text Encryption Cipher text Public key pk Decryption Plain text Secret key with parameter Parameter sk Relation R(, ) holds This type is called Predicate Encryption in [BSW11].
3 Inner Product Encryption ( IPE ) [KSW08]
4 (Adaptive Secure &) Weakly Attribute-Hiding IPE Challenger Some additional information on may be revealed to a person with a matching key, i.e.,
5 (Adaptive Secure &) Fully Attribute-Hiding IPE Challenger No additional information on is revealed even to any person with a matching key, i.e., For each run of the game, the variable is defined as if otherwise.
6 [ LOS + 10 ] : Adaptively secure but weakly attribute- hiding IPE based on a non-standard assumption [ KSW08 ] : Fully attribute-hiding but selectively secure IPE Previous works of Attribute-Hiding IPE [ OT10 ] : Adaptively secure but weakly attribute-hiding IPE based on the DLIN assumption [ AFV11 ] : Selectively secure and weakly attribute-hiding IPE based on the LWE assumption Adaptively secure and fully attribute-hiding IPE based on the DLIN assumption This work
7 Our Results Adaptively secure and fully attribute-hiding IPE based on the DLIN assumption (basic scheme) A variant IPE with a shorter ( O(n) -size) master public key and shorter ( O(1) -size) secret keys (excluding the description of ) An extension to Hierarchical IPE (HIPE) with the same security
8 Key Techniques Dual Pairing Vector Space (DPVS) approach provides rich basic transformations for achieving these various forms. All forms of a secret-key do not depend on whether it is matching or not. Large ( -dim.) hidden subspaces gives new types (Types 1-3) of information theoretical tricks and various forms of computational reductions. We extend Dual System Encryption (DSE) for our purpose with various forms, i.e., normal, temporal 1, temporal 2 and unbiased …. Fully-AH IPE should deal with both cases, matching and non-matching keys (to challenge CT), while weakly-AH IPE deals with only the non-matching case.
9 Dual Pairing Vector Space Approach (I) Vector space using symmetric pairing groups whereis a generator of ( Canonical ) pairing operation: For and where dual orthonormal bases of i.e., Dual Bases : basis of for s.t.
10 DPVS Approach (II) with ( the canonical Cryptographic Construction using Dual Pairing Vector Space (DPVS) approach : pairing and ) random dual bases as a master key pair DLIN-based security from [OT10] machinery For and we denote Notation : Basic Fact for Our Construction For the aboveand from dual orthonormality of
11 Intractable Problems on DPVS Security of our IPE is proven under DLIN assumption, through variants of DSP. Vector Decomposition Problem (VDP) : Dual Basis Computation Problem (DBP) : Hard to calculate (master secret) from (master public) E.g., hard to calculate from Decisional Subspace Problem (DSP) : Hard to distinguish and where DBP Assump.VDP Assump. DSP Assump. DLIN Assump.
12 Basic Idea for Constructing IPE using DPVS where
13 Weakly Attribute-Hiding IPE Scheme in [OT10] where
14 Proposed (Basic) Fully Attribute-Hiding IPE Scheme where
15 Game 0 Challenger We define that wins with prob. 1/2 when the game is aborted in Game 0. negligible from [OT10] target of this talk -> Game 0 if otherwise Game 0 is the same as real security game, Game 0, except that flip a coin before setup and the game is aborted if
16 Dual System Encryption (DSE) Methodology (I) 1)Challenge ciphertext Semi-func. 2)Keys Semi-func. (one by one) 3)Semi-func. challenge ciphertext Random i.e., Advantage of adversary = 0 Simulator can change them under the above conditions. Simulator …
17 DSE Methodology (II) Normal key Semi-func. key This semi-func. form of keys cannot be used for fully-AH. Need to introduce new forms with preserving functionality Normal ciphertext Semi-func. ciphertext
18 Extension of DSE (I): R-preserving ciphertexts independent of challenge bit Aim of game transformation: Transform to -unbiased CT, for (all but negligible prob.) I.e., & Independent of bitpreserving
19 Extension of DSE (II): Randomization in 2-dim. and Swapping Temporal 1 Key with DLIN Temporal 1 CT with DLIN Temporal 2 Key with swapping Temporal 2 CT with randomization Iterate the changes among these 4 forms for all queried for preparing the next
20 Extension of DSE (III): Last Conceptual Change to Unbiased CT Temporal 2 CT with Temporal 2 Key with 1-st block for randomization 2-nd block for keeping In Game 2- -4, All queried keys are Unbiased CT with which is unbiased of is obtained. In Game 3, is bounded by advantages for DLIN
21 Original DSE Methodology Comparison of Original and Extension of DSE 1)Challenge CT Semi-func. 2)Keys Semi-func. (one by one) 3)CT Random Extension of DSE 1)Challenge CT 2)Keys CT random since since 3)CT Unbiased w.r.t. b (one by one)
22 Key Ideas for Short Public / Secret Key IPE We will explain key ideas using -dim. basic IPE. We employ a special form of master secret key basis, where and a blank in the matrix denotes Secret-key associated with can be compressed to only 3 group elements Then, as well as
23 Special Basis for fully-AH IPE with Short SK We extend the basic construction to a 5 x 5 block matrix one to achieve full AH security (as our basic IPE).
24 Adaptively Fully-AH IPE with Constant-Size SK SK size