Déjà Q All Over Again

Size: px

Start display at page:

Download "Déjà Q All Over Again"

Joleen Cummings
5 years ago
Views:

Royal Holloway, February 2017 1/43 Bilinear Groups and Assumptions Reductions Symmetric Schemes Conclusions

1 Royal Holloway, February /43 Bilinear Groups and Assumptions Reductions Symmetric Schemes Conclusions Déjà Q All Over Again Melissa Chase 1 Mary Maller 2 1 MSR Redmond Sarah Meiklejohn 2 2 University College London

2 2/43

3 3/43 Subgroup Hiding certain q-type Assumptions

4 /43 Example: Broadcast Encryption Methods of delivering encrypted content over a broadcast channel where only qualified users can decrypt the content. Example Boneh Gentry and Waters broadcast encryption scheme [BGW-Crypto05]. Pairing based solution Short ciphertexts and private keys Collusion resistant

5 5/43 The q-bdhe Assumption The BGW broadcast encryption scheme bases its security on the q-bdhe assumption [BGW-Crypto05]. Given g,g c,g α,...,g αq,g αq+2,...,g α2q it is hard to distinguish e(g,g c ) q+1 from random.

6 5/43 The q-bdhe Assumption The BGW broadcast encryption scheme bases its security on the q-bdhe assumption [BGW-Crypto05]. Given g,g c,g α,...,g αq,?,g αq+2,...,g α2q it is hard to distinguish e(g,g c ) q+1 from random.

7 Déjà Q: Using Dual Systems to Revisit q-type Assumptions [CM-Eurocrypt14] Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 1 2. Pr[break q-type assumption] O(q) Pr[break subgroup hiding] 6/43 1 Asymmetric composite order bilinear groups do exist - see [BRS-JNT11].

8 /43 [CM-Eurocrypt14]: Contributions Decides Computes Source Group given info in one group given info in both groups Target Group given info in one group given info in both groups q-bdhe

9 8/43 Our Contributions: Broader Decides Computes Source Group given info in one group given info in both groups Target Group given info in one group given info in both groups q-bdhe

10 9/43 Our Contributions: Tighter Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 2 p 3. Pr[break q-type assumption] O(log q) Pr[break subgroup hiding]

11 0/43 Outline of Presentation

12 1/43 Bilinear Groups Standard Bilinear Groups: G = (N,G,H,G T,e,g,h). N = group order; prime or composite G = H = kn, G T = λn G =< g >, H =< h > e : G H G T Properties Bilinearity: e(g a,h b ) = e(g,h) ab Non-degeneracy: e(x,y) = 1 y H x = 1.

13 2/43 Subgroup Hiding [BGN - TCC05]

14 2/43 Subgroup Hiding [BGN - TCC05]

15 2/43 Subgroup Hiding [BGN - TCC05]

16 3/43 Parameter Hiding [Lewko-Eurocrypt12]

17 3/43 Parameter Hiding [Lewko-Eurocrypt12]

18 3/43 Parameter Hiding [Lewko-Eurocrypt12]

19 3/43 Parameter Hiding [Lewko-Eurocrypt12]

20 4/43 Outline of Presentation

21 5/43 Reductions we can Cover

22 6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

23 6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

24 6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

25 6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

26 6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

27 6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

28 7/43 Déjà Q: Reduction Techniques

29 7/43 Déjà Q: Reduction Techniques

30 7/43 Déjà Q: Reduction Techniques

31 7/43 Déjà Q: Reduction Techniques

32 7/43 Déjà Q: Reduction Techniques

33 8/43 Our Tight Reduction Techniques Double the randomness.

34 8/43 Our Tight Reduction Techniques Double the randomness.

35 8/43 Our Tight Reduction Techniques Double the randomness.

36 8/43 Our Tight Reduction Techniques Double the randomness.

37 8/43 Our Tight Reduction Techniques Double the randomness.

38 8/43 Our Tight Reduction Techniques Double the randomness.

39 9/43 Result Given g ρ 1(x),...,g ρ q(x),h σ 1(x),...,h σ q(x) ĥ Then Adv[Deciding e(g,ĥ) f(x) from random] (3 + log(q + 2)) Pr[Breaks Subgroup Hiding]

40 20/43 Result Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 2 p 3. Pr[break q-type assumption] O(log q) Pr[break subgroup hiding]

41 21/43 Outline of Presentation

22/43 Example: Broadcast Encryption Methods of delivering encrypted content over a broadcast channel where only qualified users can decrypt the content.

42 22/43 Example: Broadcast Encryption Methods of delivering encrypted content over a broadcast channel where only qualified users can decrypt the content. Example Boneh Gentry and Waters broadcast encryption scheme [BGW-Crypto05]. Pairing based solution Short ciphertexts and private keys Collusion resistant

43 23/43 Broadcast Encryption The asymmetric q-bdhe assumption: given ĥ,g α,h α,...,g αq,h αq,g αq+2,h αq+2,...,g α2q,h α2q it is hard to distinguish e(g,ĥ) q+1 from random is tightly implied by subgroup hiding and parameter hiding. The BGW broadcast encryption scheme is implied by the symmetric q-bdhe assumption.

44 24/43 Symmetric Reductions The previous asymmetric reduction fails in the symmetric case. Adversary given components that would allow it to trivially break subgroup hiding in the symmetric case (e(g 1,H 2 ) = 1). Show how to push through the same reduction in the symmetric case by adding randomness from a fourth subgroup. Symmetric schemes can also be translated into asymmetric groups.

45 25/43 The Asymmetric BGW Variant Techniques from [AGOT-Crypto14]. g p0[1] di gi p0[0] gc p1[0] vi C0 = G = G&H = H p2[0] Ci p2[1] p1[1]

46 26/43 Identity Based KEM [ACF-Eurocrypt09] g Bi g1 gc p1[0] gij hi p0[0] C p2[0] p3[0] skid p0[1] p1[1] p2[1] p3[1] p4[0] p4[1]

47 27/43 ABE Scheme [Waters08] The less efficient construction. g ga gi msk gc p0[1] p1[0] p5[1] p5[0] K hi L p0[0] p1[1] C' p2[1] Ci Kx p3[1] p2[0] p4[0] p3[0] p4[1]

48 28/43 HIBE Scheme [BBG-Eurocrypt05] g yi gc g1 a1 g2 g3 hi B p0[0] p1[0] p0[1] msk bi C p2[0] a0 p1[1] p2[1]

49 29/43 Outline of Presentation

50 30/43 Open Problems How can we analyse are q-type assumptions in prime order groups? How can we analyse are q-power knowledge of exponent assumptions ("non-falsifiable" assumptions)? How can we analyse are q-type when the adversary has inputs from both source groups and the challenge component is also in the source group?

51 31/43 Thank-you for Listening.

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung (Nuts) AIST, Japan @Eurocrypt 2014, Copenhagen