Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Similar presentations

Presentation on theme: "Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption"— Presentation transcript:

1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric ).

2 Functional Encryption
Secret key with parameter Public key pk Parameter sk Decryption Encryption Plain text Plain text Cipher text Relation R( , ) holds This type is called Predicate Encryption in [BSW11]. 2

3 Inner Product Encryption ( IPE ) [KSW08]
We consider inner-product predicate defined as attributes and predicates are associated to n-dimensional vectors and if the inner-product is equal to zero then predicate holds. Such inner-product encryption is given by 4 algorithms. Setup generates a master key pair. Genkey generates a secret key associated to a predicate Vector v. Enc generates ciphertext for m and vector x. Dec decrypts the ciphertext if and only if the predicate for f Is satisfied by an attribute x. Of course, we require the correctness property for IPE, that is, for correctly generated key and ciphertext, The key decrypts the ciphertext if and only if the Predicate is satidfied by the attribute. Next, we consider weakly attribute-hiding security for IPE. 3

4 (Adaptive Secure &) Weakly Attribute-Hiding IPE
Challenger This is weakly attribute-hiding security game. The challenger generates master key pair, and send pk to the adversary. Adversary asks key queries to challenger adaptively. The challenger replies the key designated. After some these key queries are done, The adversary send two messages and the challenger replied to it By sending generated ciphertext c*. Adversary guesses random bit b, and output the guess b’. Adversary wins if b = b’. The point is the permitted challenge attributes, i,e,, no challenge attributes, x^0 and x^1, satisfy all the queried predicates v, but this is a weak requirement, that is, some privacy on challenge attributes may be revealed to a person with matching key. So, we need a stronger security. Some additional information on may be revealed to a person with a matching key , i.e.,

5 (Adaptive Secure &) Fully Attribute-Hiding IPE
Challenger In this fully attribute hiding game, the adversary can submit matching attributes for all the queried predicates. If the challenge attributes satisfy the queried predicates, then, adversary can decrypt the challenge ciphertext correctly, so challenge plaintexts should be equal. This strong security assures that no unnecessary privacy on challenge attributes x is revealed even to any person with a matching key. No additional information on is revealed even to any person with a matching key , i.e., For each run of the game, the variable is defined as if otherwise.

6 Previous works of Attribute-Hiding IPE
[ KSW08 ] : Fully attribute-hiding but selectively secure IPE [ LOS+10 ] : Adaptively secure but weakly attribute- hiding IPE based on a non-standard assumption [ OT10 ] : Adaptively secure but weakly attribute-hiding IPE based on the DLIN assumption [ AFV11 ] : Selectively secure and weakly attribute-hiding IPE based on the LWE assumption Previously proposed schemes are selectively secure, or adaptively secure but weak attribute-hiding secure. Therefore, to construct an adaptively and fully attribute-hiding secure IPE is an open problem. We address the problem, and propose such a strongly secure inner-product encryption scheme based on the standard DLIN assumption on prime-order pairing groups. This work Adaptively secure and fully attribute-hiding IPE based on the DLIN assumption 6

7 Our Results Adaptively secure and fully attribute-hiding IPE
based on the DLIN assumption (basic scheme) A variant IPE with a shorter (O(n)-size) master public key and shorter (O(1)-size) secret keys (excluding the description of ) An extension to Hierarchical IPE (HIPE) with the same security This slide shows our results. First, we propose an adaptively and fully attribute-hiding secure IPE based on the standard DLIN assumption on prime-order pairing groups. Using our sparse matrix technique, we obtain A varint IPE with a shorter public key and secret keys. Moreover, we extend the construction to a hierarchical IPE with the same security. For this variant, the size of master public key is linear in the dimension n, and the size of secret-keys are constant. 7

8 Key Techniques We extend Dual System Encryption (DSE) for our purpose
with various forms, i.e., normal, temporal 1, temporal 2 and unbiased …. Fully-AH IPE should deal with both cases, matching and non-matching keys (to challenge CT), while weakly-AH IPE deals with only the non-matching case. All forms of a secret-key do not depend on whether it is matching or not. Dual Pairing Vector Space (DPVS) approach provides rich basic transformations for achieving these various forms. Here, we describe our key techniques for obtaining such high security IPE. Previously, only Dual System Encryption methodology can realize adaptively and weakly attribute-hiding IPE scheme, where only non-matching keys are queried, then two forms, normal and semi-functional forms are enough to attain this security. However, in fully-AH IPE security game, both, non-matching and matching queries should be dealed with, so various functional forms are required. Since the forms are functional, these forms are different from semi-functional one, and we extend DSE for our purpose. For achieving these various forms, we use rich basic transformations provided by Dual Pairing Vector Space (DPVS). We use 3 types of computational changes and 3 types of conceptual changes, and our proposed scheme has 2n dimensional hidden subspace, which gives rich trapdoors for simulator to attain high security. Large ( -dim.) hidden subspaces gives new types (Types 1-3) of information theoretical tricks and various forms of computational reductions. 8

9 Dual Pairing Vector Space Approach (I)
using symmetric pairing groups where is a generator of ( Canonical ) pairing operation: For and where dual orthonormal bases of i.e., Dual Bases : basis of for s.t. From now on, we turn to a technical part, and first we review our approach Employed in our CRYPTO 2010 paper. We exemplify a DPVS using symmetric pairing groups. The vector space is the direct product, and Pairing is defined by componentwise like this, So clearly the exponent of the value of pairing is given by inner-product of coefficients vectors x and y. The key technique is random dual bases using random full matrix X. From X, random basis B is obtained, and using adjoint matrix multiplied random psi, the orthonormal basis B* is obtained. So a pair of orthonormal bases (B, B*) is obtained. These are uniformly distributed, and usually used as B is a master pub key and B* is the corresponding master sec key. 9

10 DPVS Approach (II) Dual Pairing Vector Space (DPVS) approach :
with ( the canonical Cryptographic Construction using Dual Pairing Vector Space (DPVS) approach : pairing and ) random dual bases as a master key pair DLIN-based security from [OT10] machinery For and we denote Notation : Our DPVS approach is to construct cryptosystems by V with the pairing and dual bases. So, from [OT10] machinery, the schemes are secure from DLIN. We define one useful notation for DPVS. That is, vector x with suffix basis B represent this linear combination along with basis B. For B*, this notation is similarly defined like this. Here is a basic fact for our construction, that is, for the x and y here, the value of pairing is given by the inner product since B, B* are dually orthonormal. Basic Fact for Our Construction For the above and from dual orthonormality of 10

11 Intractable Problems on DPVS
Vector Decomposition Problem (VDP) : Dual Basis Computation Problem (DBP) : Hard to calculate (master secret) from (master public) E.g., hard to calculate Decisional Subspace Problem (DSP) : Hard to distinguish and where Basic intractable problem on DPVS are Vector Decomposition Problem, its intractability means that coefficient of vector can not be used separately in encryption scheme. Dual Basis Computation Problem means that computing master sec key from pub key is hard. Decisional Subspace Problem, that is, to tell v in a subspace from u in a large space. Its intractability is reduced from that of DLIN, so our scheme is based on DLIN. DBP Assump. VDP Assump. DSP Assump. DLIN Assump. Security of our IPE is proven under DLIN assumption, through variants of DSP. 11 11

12 Basic Idea for Constructing IPE using DPVS
where First, we show the basic idea for constructing IPE scheme. I said previously, that the master public key is random basis B, and the master secret is its dual orthonormal basis B*. Genkey takes master secret and predicate vector v as input, and makes key for v vector as sum of product of component vi and basis vector bi* plus b0*. Algorithm Enc takes attribute vector x and plaintext m along with public parameter. It calculates the sum of products of component xi and basis vector bi plus zeta b0. Zeta is used here, that is, it’s an ephemeral random scalar for decryption. Decryption is simply the pairing of c1 and k*, and divide c2 by that value. From the basic observation we said previously, the exponent of the pairing value is given by multiple of random number and the inner-product of x and v plus zeta. Therefore, if the inner-product is equal to 0, decryption succeeds, otherwise, this value is random and decryption fails except for negligible probability. 12

13 Weakly Attribute-Hiding IPE Scheme in [OT10]
where This is a weakly attribute-hiding IPE scheme given in OT10. In addition to n+1 dimension as before, 2n+1 dimensions are added. This is divided into 3 parts, n, n, 1 dimension, which are corresponding hidden subspace for security, randomness for secret-keys, and randomness for ciphertexts. The most important is this hidden subspace. Using this part, two forms, normal and semi-functional forms are switched. 13

14 Proposed (Basic) Fully Attribute-Hiding IPE Scheme
This slides shows our basic construction for fully-AH IPE. The difference from the weak secure scheme is just this hidden part. It is enlarged to 2n-dimension, which allows changes across various forms. The security proof is very different from our previous OT10 scheme. From now on, we see the security proof. where 14

15 Game 0 -> Game 0’ if otherwise
Challenger if otherwise Game 0’ is the same as real security game, Game 0, except that flip a coin before setup and the game is aborted if First, we change the original fully-AH game, that is Game 0, to Game 0’. In Game 0’, at the start of the game, challenger flip a coin t, and at the challenge phase, the variable s is defined here, if t is not equal to s, then the game is aborted. We define that A wins with prob ½ when the game is aborted in Game 0’. Then, the advantage is bounded by these two values, this conditional probability value is negligible from our result in OT10. We should bound this conditional probability, and this is the target of this talk. We define that wins with prob. 1/2 when the game is aborted in Game 0’. negligible from [OT10] target of this talk

16 Dual System Encryption (DSE) Methodology (I)
Challenge ciphertext  Semi-func. Keys  Semi-func. (one by one) Semi-func. challenge ciphertext  Random i.e., Advantage of adversary = 0 Simulator Then, we briefly recap the dual system encryption methodology. Ciphertexts and keys have two forms, normal and semi-functional. In the real system, only normal forms are used. In the security proof, first, the challenge ciphertext is changed to semi-functional, and then keys are changed to semi-functional, one by one. After all queried keys and challenge ciphertext are semi-functional, then the ciphertext is changed to some random one, in particular, it is independent on bit b. We remark that simulator can change them under the non-matching conditions. Simulator can change them under the above conditions. 16

17 DSE Methodology (II) Normal ciphertext Semi-func. ciphertext
Normal key Semi-func. key Our weak-AH IPE has these normal and semi-functional forms, where this yellow parts are filled with random vectors. In particular, semi-func. SK cannot decrypt semi-func. CT even if these are matching. In the weak-AH game, the adversary cannot recognize the change, or difference, since all queried keys are non-matching. In other words, DSE destoys decryption functionality one by one. So, from this methodology, we cannot achieve fully-AH, where matching keys are queried, and we need to introduce new forms with preserving decryption functionality for security. This semi-func. form of keys cannot be used for fully-AH. Need to introduce new forms with preserving functionality 17

18 R-preserving ciphertexts independent of challenge bit
Extension of DSE (I): R-preserving ciphertexts independent of challenge bit for (all but negligible prob.) I.e., & Independent of bit preserving We will extend DSE for our purpose. We start a simple observation about inner-product predicate, that is, if vector v and x are matching, then the random linear combination is also matching v, and if these are not matching, then the linear combination is not matching all but negligible. Therefore, relation R is preserved under random linear combination of x0 and x1. So, our aim of the game transformation is to transform to this type of b-unbiased ciphertext via game hoppings. Aim of game transformation: Transform to -unbiased CT, 18

19 Randomization in 2-dim. and Swapping
Extension of DSE (II): Randomization in 2-dim and Swapping Temporal 1 CT with DLIN Temporal 2 CT with randomization preparing the next Temporal 1 Key with DLIN Temporal 2 Key with swapping We will very briefly describe the main transformations for ciphertexts and keys. First, based on DLIN computational change, we have this temporal 1 form of CT. And, then (targeted) queried key is changed this temporal 1 form also from DLIN based computational change. The transformations to these forms are the same as before. The next is new and important, by a conceptual change, the ciphertext is chnaged to temporal 2 form, which has this random vector in 2-dim. Space, span x0 and x1. After that, the target key is changed to this temporal 2 form, that is v vector is swapped to this n-dimension. We remark that these forms of keys does not depend on the relation, matching or non-matching with challenge x. Just, v vector is encoded in an appropriate position. This is a key point to accomplish adaptive security in fully AH game. Then, the changes are iterated for all queried vh vectors. Iterate the changes among these 4 forms for all queried for 19

20 Extension of DSE (III): Last Conceptual Change to Unbiased CT
Temporal 2 CT with Temporal 2 Key with 1-st block for randomization 2-nd block for keeping In Game , All queried keys are Unbiased CT with which is unbiased of is obtained. In Game 3, Finally, when the challenge CT and all queried keys are temporal 2 forms, that is, these vectors are kept in the second block in the hidden 2n-dimensional subspace, by using an inter-subspace conceptual base change, this real encoded vector in CT is changed to this unbiased form, this is our goal, and we can bound the previous target conditional probability by the advantages of DLIN assumption. is bounded by advantages for DLIN 20

21 Comparison of Original and Extension of DSE
Original DSE Methodology Challenge CT  Semi-func. Keys  Semi-func. (one by one) CT  Random random since Extension of DSE Challenge CT  Keys  CT   (one by one) As a summary, we compare the original DSE and our extended DSE. In the original DSE, the challenge ciphertext is changed to semi-functional, and then, keys are changed to semi-functional, one by one, and finally, the CT is to some random form. In our extended DSE, first, CT is changed to this temporal 1 form by DLIN assumption. And then, the target key is changed to this temporal 1 form, and then by a conceptual change, ciphertext is changed to this temporal 2 form, so, the target key is changed to this temp. 2 form. And after that, CT is changed back to temp 1 form for the next target queried key. This change is repeated for each queried key. And after that, CT is changed to this unbiased form, and the proof is completed. In the remaining time, we will explain the variant IPE with short secret keys and short public parameter. since CT  Unbiased w.r.t. b 21

22 Key Ideas for Short Public / Secret Key IPE
We will explain key ideas using dim. basic IPE. We employ a special form of master secret key basis, where and a blank in the matrix denotes Secret-key associated with We employ a special form of basis generation matrix like this Where blanks in the matrix are all filled with zeros, and diagonal entries are equal, so it’s a sparse matrix.. Using this matrix X, master secret basis B* is given like this. Given by 2n+3 group elements. And k* is given like this, and can be compressed to only 3 group elements. can be compressed to only 3 group elements Then, as well as

23 Special Basis for fully-AH IPE with Short SK
We extend the basic construction to a 5 x 5 block matrix one to achieve full AH security (as our basic IPE). We extend the basic idea to construct fully-AH short SK IPE by using this block matrix X, where these blocks X_{i,j} has this basic form. So, each n-dim subspace is given by this sparse form basis, and this leads to constant-size SKs. We remark that public parameter are obtained by the adjoint matrix of X, so the number of group elements are also linear in n. 23 23

24 Adaptively Fully-AH IPE with Constant-Size SK
SK size By using this extended form of the sparse matrix, we obtain the adaptively fully-AH IPE with constant-size SKs. The scheme is given by this, the top level of description is almost the same as the full matrix scheme, But secret-keys are given by 11 group elements independent from n, since it uses the sparse matrix. 24 24

25 Thank You ! 25

Download ppt "Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption"

Similar presentations

Ads by Google