Predicate Encryption for MultiDimensional Range Queries from Lattices


 Phoebe Bailey
 10 months ago
 Views:
Transcription
1 Predicate Encryption for MultiDimensional Range Queries from Lattices Romain Gay and Pierrick Méaux and Hoeteck Wee ENS, Paris, France Abstract. We construct a latticebased predicate encryption scheme for multidimensional range and multidimensional subset ueries. Our scheme is selectively secure and weakly attributehiding, and its security is based on the standard learning with errors (LWE) assumption. Multidimensional range and subset ueries capture many interesting applications pertaining to searching on encrypted data. To the best of our knowledge, these are the first latticebased predicate encryption schemes for functionalities beyond IBE and inner product. 1 Introduction Predicate encryption [BW07, SBC + 07, KSW08] is a new paradigm for publickey encryption that supports search ueries on encrypted data. In predicate encryption, ciphertexts are associated with descriptive values x in addition to a plaintext, secret keys are associated with a uery predicate f, and a secret key decrypts the ciphertext to recover the plaintext if and only if f (x) = 1. The security reuirement for predicate encryption enforces privacy of x and the plaintext even amidst multiple search ueries, namely an adversary holding secret keys for different uery predicates learns nothing about x and the plaintext if none of them is individually authorized to decrypt the ciphertext. Multidimensional range ueries. Following [BW07, SBC + 07], we focus on predicate encryption for multidimensional range ueries, as captured by the following examples: For network intrusion detection on logfiles, we would encrypt network flows labeled with a set of attributes from the network header, such as the source and destination addresses, port numbers, timestamp, and protocol numbers. We could then issue auditors with restricted secret keys that can only decrypt the network flows that fall within a particular range of IP addresses and some specific time period. For credit card fraud investigation, we would encrypt credit card transactions labeled with a set of attributes such as time, costs and zipcodes. We could then issue investigators with restricted secret keys that decrypt transactions over $1,000 which took place in the last month and originated from a particular range of zipcodes. For online dating, we would encrypt personal profiles labeled with dating preferences pertaining to age, height, weight and salary. Secret keys are associated with specific attributes and can only decrypt profiles for which the attributes match the dating preferences. Supported in part by ANR14CE (Project EnBiD). INRIA and ENS. Supported in part by ANR13JS (Project CLE). ENS and CNRS. Supported in part by ANR14CE (Project EnBiD), NSF Award CNS , ERC Project CryptoCloud (FP7/ Grant Agreement no ), the Alexander von Humboldt Foundation and a Google Faculty Research Award.
2 More generally, in multidimensional range ueries, we are given a point (z 1,..., z D ) [T ] D and interval ranges [x 1, y 1 ],...,[x D, y D ] [T ] and we want to know if (x 1 z 1 y 1 ) (x D z D y D ). We also consider more general multidimensional subset ueries where we are given subset S 1,...,S D [T ] and we want to know if (z 1 S 1 ) (z D S D ). Note that in the first two examples, the search ueries are associated with the keys, whereas in the third example, the search ueries are associated with the ciphertext. We will refer to encryption schemes for the former as keypolicy schemes, and schemes for the latter as ciphertextpolicy schemes. In all of these examples, it is important that unauthorized parties do not learn the contents of the ciphertexts, nor of the metadata associated with the ciphertexts, such as the network header or dating preferences. On the other hand, it is often okay to leak the metadata to authorized parties. We stress that privacy of the metadata is an additional security reuirement provided by predicate encryption but not attributebased encryption [GPSW06, GVW13]. Prior works. The first constructions of predicate encryption for multidimensional range ueries were given in the works of Boneh and Waters [BW07] and Shi, et. al [SBC + 07]; all of these constructions rely on bilinear groups and achieve parameters that are linear in the number of dimensions D. The latter work also presents a generic brute force construction based on any anonymous IBE, where the parameters grow exponentially in D. 1.1 Our contributions In this work, we construct a latticebased predicate encryption scheme for multidimensional range ueries, whose security is based on the standard learning with errors (LWE) assumption. Our scheme is selectively secure and weakly attributehiding, that is, we only guarantee privacy of the ciphertext attribute against collusions that are not authorized to decrypt the challenge ciphertext. The scheme is best suited for applications where the range T is very large but the number of dimensions D is a small constant, as is the case for the three applications outlined earlier and also the scenario considered in [SBC + 07]. In addition, we extend our techniues to multidimensional subset ueries, where we obtain improved efficiency over prior schemes [BW07]. We summarize our schemes in Table 1 and 2. Our approach. At a high level, our approach follows that of Shi et al. [SBC + 07], who showed how to boost an anonymous IBE scheme into a predicate encryption scheme for multidimensional range ueries. We show how to carry out a similar transformation over lattices, starting from the LWEbased anonymous IBE schemes in [CHKP10, ABB10a, AFV11]. We highlight the main novelties in this work: First, we present a more modular and conceptually simpler approach for handling multidimensional range ueries. We construct our scheme for the simpler ANDOREQ predicate (conjunction of disjunction of eualities), and present a combinatorial reduction from multidimensional range ueries to this predicate. The simpler ANDOREQ predicate is symmetric, which immediately yields both keypolicy and ciphertextpolicy schemes for multidimensional range ueries. We can only prove security for our latticebased ANDOREQ predicate encryption under an at most one promise, which necessitates a more delicate reduction from multidimensional range ueries to ANDOREQ where we decompose range ueries into disjoint subintervals. Indeed, the same technical issue arises in the previous pairingbased schemes. To handle the inner disjunction of euality like (X = a) (X = b) for the keypolicy ANDOREQ predicate where X is associated with the ciphertext and (a, b) with the key, our new ciphertext is 2
3 Table 1. Summary of existing predicate encryption schemes for multidimensional range ueries: given a point (z 1,..., z D ) [T ] D and interval ranges [x 1, y 1 ],...,[x D, y D ] [T ], we want to know if (x 1 z 1 y 1 ) (x D z D y D ). Here, D denotes the number of dimensions and T the number of points in each dimension. We omit the poly(n) multiplicative overhead, where n is the security parameter. Source Public key size Ciphertext size Secret key size Encryption time Decryption time Attributehiding [BW07] (KP) O(D T ) O(D T ) O(D) O(D T ) O(D) fully [SBC + 07] (KP, CP) O(D logt ) O(D logt ) O(D logt ) O(D logt ) O((logT ) D ) weakly this paper (KP, CP) O(D logt ) O(D logt ) O(D logt ) O(D logt ) O((logT ) D ) weakly Table 2. Summary of existing predicate encryption schemes for multidimensional subset ueries: given a point (z 1,..., z D ) [T ] D and subsets S 1,...,S D [T ], we want to know if (z 1 S 1 ) (z D S D ). Here, D denotes the number of dimension and T the size of the sets. We omit the poly(n) multiplicative overhead, where n is the security parameter. (KP) stands for keypolicy and (CP) stands for ciphertextpolicy. Source Public key size Ciphertext size Secret key size Encryption time Decryption time Attributehiding this paper (KP) O(D) O(D) O(D T ) O(D) O(T D ) weakly this paper (CP) O(D T ) O(D T ) O(D) O(D T ) O(D) weakly an anonymous IBE ciphertext for the identity X, and the key comprises two IBE keys for a and b; decryption works by trying all possible IBE keys. Following [SBC + 07], we will pad the plaintext with zeroes, so that we know which of the decryptions corresponds to the correct plaintext. To handle the outer conjunction, we rely on secret sharing, as with prior latticebased fuzzy IBE [ABV + 12]. Correctness for the inner disjunction reuires more care than that in the bilinear groups. Roughly speaking, we need to show that decrypting an IBE ciphertext for identity a with a key for identity b a yields a randomlooking value. The straightforward argument that relies on IBE security yields computational correctness. To achieve statistical correctness in the latticebased setting, we rely on a simple but seemingly novel analysis of the output of latticebased trapdoor sampling algorithms (c.f. Lemma 13). The intuition for security for the inner disjunction is as follows: if X is different from a and b, then both X and the plaintext remain hidden via security of the underlying IBE. On the other hand, if X is eual to one of a,b, then the decryptor does learn the exact value of X, which means that we cannot hope to achieve strong attributehiding using these techniues. To establish the weak attributehiding for the general ANDOREQ, we rely on techniues from latticebased inner product encryption [AFV11]. To the best of our knowledge, this is the first latticebased predicate encryption scheme for functionalities beyond IBE and inner product [CHKP10, ABB10a, AFV11, Xag13], and we hope that it would inspire further research into latticebased predicate encryption. We defer a more detailed overview of our construction to Section 4. Organization. The rest of the paper is organized as follows. We recall the relevant background on lattices and the security model of predicate encryption in Section 2. We introduce the socalled ANDOREQ predicate, and show how to reduce multidimensional subset ueries and multidimensional range ueries to ANDOREQ in Section 3. We give our latticebased predicate encryption scheme for AND 3
4 OREQ in Section 4, and we show that it gives an efficient construction for multidimensional range ueries. Finally, we show in Section 5 how to improve the construction of Section 4 in order to obtain an efficient scheme for multidimensional subset ueries. 2 Preliminaries Notations. We denote by s R S the fact that s is picked uniformly at random from a finite set S or from a distribution. By PPT, we denote a probabilistic polynomialtime algorithm. Throughout this paper, we use 1 n as the security parameter. For every vector u Z n, we write u = (u 1,...,u n ), and for any matrix M Z n m, we write M i,j the (i, j ) entry of M. For any x R, we denote by x the largest integer less than or eual to x. For any z [0,1], we denote by z the closest integer to z. Randomness extraction. We use the following variant of the leftover hash lemma [ILL89, DORS08] from [ABB10a]: Lemma 1 ([ABB10a], Lemma 13). Let m > (n + 1)log + ω(logn), > 2 be a prime number, R R { 1,1} m l mod, where l = l(n) is polynomial in n. Let A R Z n m, B R Z n l ; For all vectors u Z m the distribution (A, AR, u R) is statistically close from the distribution (A, B, u R). LWE Assumption. [Reg05], The decisional Learning With Error problem (dlwe) was introduced by Regev Definition 1 (dlwe). For an integer = (n) 2, an adversary A and an error distribution χ = χ(n) over Z, we define the following advantage function: where Adv dlwe n,m,,χ A := Pr[A(A, z 0 ) = 1] Pr[A(A, z 1 ) = 1] A R Z n m, s R Z n, e R χ m, z 0 := s A + e and z 1 R Z m The dlwe n,m,,χ assumption asserts that for all PPT adversaries A, the advantage Adv dlwe n,m,,χ A negligible function in n. is a Throughout the paper, we denote by χ max < the bound on the noise distribution χ. 2.1 Lattice preliminaries Lattices. For any matrix A Z n m and any vector p Z n, we define the orthogonal ary lattice of A: Λ (A) := {u Zm : Au = 0 mod } and the shifted lattice: Λ p (A) := {u Z m : Au = p mod }. Similarly, for any matrix P Z n l, we define: Λ P (A) := {U Zm l : AU = P mod }. Matrix norms. For any vector x, we denote by x its l 2 norm. For any matrix R Z n l three following norms: we define the 4
5 1. R denotes the maximum of the l 2 norm over the columns of R. 2. R GS denotes the GramSchmidt norm of R (see [BGG + 14] for further details). 3. R 2 denotes the operator norm of R defined as R 2 = sup x =1 Rx. Note that for any matrix S Z l m, and any vector e Z n, we have R S R 2 S, and e F e F. Gaussian distributions. For any positive parameter σ R >0, let ρ σ (x) := exp( π x 2 /σ 2 ) be the Gaussian function on R n of center 0 and parameter σ. For any n N and any subset D of Z n, we define ρ σ (D) := ρ σ (x) the discrete integral of ρ σ over D, and D D,σ the discrete Gaussian distribution over D of parameter σ. That is, for all y D, we have D D,σ (y) := ρ σ(y) ρ σ (D). Lemma 2 ([BGG + 14], Lemma 2.5). Let n,m,l, > 0 be integers and σ > 0 be a Gaussian parameter. For all A Z n m, P Z n l, U R D Λ P (A),σ and R R { 1,1} m m, with overwhelming probability in m, x D U σ m, R 2 20 m Trapdoor generators. The following lemmas state properties of algorithms for generating short basis of lattices. Lemma 3 ([Ajt96, AP09, MP12]). Let n,m, > 0 be integers with prime and m = Θ(n log ). There is a PPT algorithm TrapGen defined as follows: TrapGen(1 n,1 m, ): Inputs: a security parameter n, an integer m such that m = Θ(n log ), and a prime modulus. Outputs: a matrix A Z n m and a basis T A Z m m for Λ (A) such that the distribution of A is negl(n) close to uniform and T A GS = O( n log ), with all but negligible probability in n. Lemma 4 ([MP12]). Let n,m, > 0 be integers with prime and m = Θ(n log ). There is a fullrank matrix G such that the lattice Λ (G) has a publicly known basis T G Z m m with T G GS 5. Lemma 5 ([GPV08], Lemmas 5.1 and 5.2). Let m 2n log. With all but negl(n) probability, A R Z n m columns of A generate Z n ). Assume A Z n m close: 2.2 Sampling algorithms is full rank (i.e. the subsetsums of the is fullrank and σ = ω( logn). Then, the following distributions are statistically {(u, Au) : u R D Z m,σ} and {(u, p) : p R Z n, u R D Λ p (A),σ } Given a matrix F := [A B] and a matrix P, we would like to sample random lownorm matrices U such that FU = P. Specifically, we want to sample U from the distribution D Λ P (F),σ. The following lemma tells us we could do so given either (1) a lownorm basis T A of Λ (A) using RightSample, or (2) a lownorm matrix R and an invertible matrix H such that B = HG+AR using LeftSample. We will use (1) in the actual scheme, and (2) in the security proof. 5
6 Lemma 6 ( [GPV08, ABB10b, CHKP10, MP12] and [BGG + 14], Lemma 2.8). There exist PPT algorithms RightSample and LeftSample such that: RightSample(A, T A, B, P,σ): Inputs: fullrank matrices A, B Z n m, a basis T A of Λ (A), a matrix P Zn (l+n) and a Gaussian parameter σ = O( T A GS ). Output: a matrix U Z 2m (l+n) whose distribution is statistically close to D Λ P [A B],σ ω( logm). Remark 1. We can sample a short matrix U = U 1 Z 2m (l+k) in the same way that [ABB10b]. That is, we first sample the bottom part U 2 Z m (l+k) U 2 from D Z m (l+k) and then, we sample the top part,σ ω( logn) U 1 Z m (l+k) from a distribution statistically close to D Λ P BU 2 (A),σ ω( logm), using T A. LeftSample(A, R, G, H, P,σ) : Inputs: a fullrank matrix A Z n m Lemma 4, an invertible matrix H Z n n, a matrix R Z m m, a fullrank matrix G Z n m as defined in, a matrix P Z n (l+n) and a Gaussian parameter σ = O( R 2 ). Output: a matrix U Z 2m (l+n) whose distribution is statistically close to D Λ P [A HG+AR],σ ω( logm). 2.3 Predicate Encryption A predicate encryption scheme for a predicate P(, ) consists of four algorithms (Setup,Enc,KeyGen,Dec): Setup(1 n,x,y,m) (mpk,msk). The setup algorithm gets as input the security parameter n, the attribute universe X, the predicate universe Y, and the message space M. Enc(mpk, x,m) ct. The encryption algorithm gets as input mpk, an attribute x X and a message m M. It outputs a ciphertext ct. KeyGen(mpk,msk, y) sk y. The key generation algorithm gets as input msk and a value y Y. It outputs a secret key sk y. Note that y is public given sk y. Dec(mpk,sk y,ct) m. The decryption algorithm gets as input sk y and a ciphertext ct. It outputs a message m. Correctness. We reuire that for all (x, y) X Y such that P(x, y) = 1 and all m M, Pr[ct Enc(mpk, x,m);dec(sk y,ct) = m)] = 1 negl(n), where the probability is taken over (mpk,msk) Setup(1 n,x,y,m) and the coins of Enc. 6
7 Security Model. For a stateful adversary A, we define the advantage function (x0, x 1 ) A(1λ ); β R {0,1}; AdvA PE (n) := Pr β = β (mpk,msk) Setup(1 n,x,y,m); : 1 (m 0,m 1 ) A KeyGen(msk, ) (mpk); 2 ct Enc(mpk, x β,m β ); β A KeyGen(msk, ) (ct) with the restriction that all ueries y that A makes to KeyGen(msk, ) satisfies P(x0, y) = P(x 1, y) = 0 (that is, sk y does not decrypt ct). A predicate encryption scheme is selectively secure and weakly attributehiding 1 if for all PPT adversaries A, the advantage AdvA PE (n) is a negligible function in n. 3 Reductions Amongst Predicates 3.1 ANDOREQ predicate In this section we state our general predicate, and exhibit the reductions from multidimensional subset ueries and multidimensional range ueries to the latter. This general predicate is symmetric (c.f. Lemma 11), which will allow us to obtain both ciphertextpolicy and keypolicy predicate encryption schemes in Section 4. Disjunction of euality ueries. Here, P OREQ : Z l Zl {0,1}, and P OREQ(x, y) = 1 iff l ( ) xi = y i. We generalize the previous predicate to a multidimensional setting as follows P ANDOREQ Z D l {0,1}, and: D l ( ) P ANDOREQ (X, Y) = 1 iff Xi,j = Y i,j j =1 : Z D l We impose a socalled at most one promise on the input domains of the predicate for our predicate encryption scheme in Section 4. This technical property is reuired for our latticebased instantiations (see Remark 3 in Section 4) and also implicitly used in prior pairingbased ones. We define the predicate P AT MOST ONE : Z l Zl {0,1} and its multidimensional variant P AND AT MOST ONE : Z D l P AT MOST ONE (x, y) = 1 iff there exists at most one j [l], x j = y j Z D l {0,1} by: P AND AT MOST ONE (X, Y) = 1 iff i [D], there exists at most one j [l] s.t. X i,j = Y i,j We reuire that the input domains X,Y Z D l for P ANDOREQ satisfy the at most one promise, namely for all X X, Y Y, P AND AT MOST ONE (X, Y) = 1 1 In an adaptively secure scheme, the adversary specifies (x 0, x 1 ) after seeing mpk and making key ueries. In a fully attributehiding scheme, the adversary is allowed key ueries y for which P(x 0, y) = P(x 1, y) = 1, in which case the challenge messages m 0,m 1 must be eual. 7
8 Indeed, the promise is satisfied by all of our reductions in this section. 3.2 Multidimensional subset ueries Predicate (ciphertextpolicy). Here, P CPSUBSET : {0,1} D T [T ] D {0,1} and D P CPSUBSET (W, z) = 1 iff W i,zi = 1 For each dimension i [D], the i th row of W is the characteristic vector of a subset of [T ]. Reducing P CPSUBSET to P ANDOREQ. We map (W, z) {0,1} D T [T ] D to ( W, Z) Z D T Z D T where W is the matrix W where zeros are replaced by 1, that is, for all (i, j ) [D] [T ], W i,j = 1 if W i,j = 1, and W i,j = 1 otherwise. (We need this modification in order to satisfy the at most one promise.) Z Z D T denotes the matrix whose i th row is e zi Z 1 T, where (e 1,...,e T ) denotes the standard basis of Z 1 T. For instance, we map ((0, 1, 1), 2) to (( 1, 1, 1),(0, 1, 0)). We can check that the following lemma holds: Lemma 7 (P CPSUBSET to P ANDOREQ ). Let (W, z) {0,1} D T [T ] D, and ( W, Z) Z D T above. Z D T defined as P CPSUBSET (W, z) = 1 iff P ANDOREQ ( W, Z) = 1 P AND AT MOST ONE ( W, Z) = Multidimensional range ueries Predicate (keypolicy). Here, P KPRANGE : [T ] D I(T ) D {0,1} and P KPRANGE (z, I) = 1 iff I(T ) denotes the set of all intervals of [T ]. D (z j I j ), where We show how to reduce P KPRANGE to P ANDOREQ, which involves rewriting points and intervals as vectors. j =1 Writing points and intervals as vectors. For simplicity, we write t for logt. In order to realize the at most one promise, we need to decompose intervals into disjoint subintervals where each subinterval contains all the points with some fixed prefix, e.g. [010,110] can be written as [010,011] [100,101] [110,110]. Indeed, any interval in [T ] can be partitioned into at most 2t disjoint subintervals with this property [DVOS00, Lemma 10.10]. 2 In addition, we can ensure that there are exactly 2t subintervals by padding with empty intervals ε (using empty intervals ensures that no point ever lies in more than one of these 2t subintervals). Lemma 8 (interval to vector [DVOS00]). There is an efficient PPT algorithm IntVec that on input I [T ] outputs (w 1, w 2,..., w 2t ) ( {0,1} {ε} ) 2t, where t := logt, with the following properties: for each i = 1,..., t, we have w 2i 1, w 2i {0,1} i {ε}; 2 See for a visualization. 8
9 for all z [T ], we have z I iff one of w 1,..., w 2t is a prefix of z; for all z [T ], at most one of w 1,..., w 2t is a prefix of z. Here, ε is not a prefix of any string. For instance, IntVec([010, 110]) = (ε, ε, 01, 10, 110, ε). Remark 2 (Hashing bit strings into Z ). We map {0,1} t {ε} where t := logt into Z in the straightforward way, which reuires that T + 1. We can handle also larger T by using matrices over Z à la [ABB10a, Section 5]. Now we give the description of algorithm PtVec, used to map points to vectors. PtVec: On input z [T ], output (v 1,..., v 2t ) Z 2t, where v 2i 1 = v 2i := i bit prefix of z, i = 1,..., t. For instance, PtVec(011) = (0, 0, 01, 01, 011, 011). Lemma 9. For any point z [T ] and any interval I [T ], z I iff P OREQ (PtVec(z),IntVec(I )) = 1 P AT MOST ONE (PtVec(z),IntVec(I )) = 1. Lemma 9 follows readily from Lemma 8. Reducing P KPRANGE to P ANDOREQ. We map (z, I) to (PtVec D (z),intvec D (I)) where PtVec D (z) Z D 2t denotes the matrix whose i th row is PtVec(z i ) IntVec D (I) Z D 2t denotes the matrix whose j th row is IntVec(I j ) Lemma 10 (P KPRANGE to P ANDOREQ ). For all z [T ] D and I (I[T ]) D, P KPRANGE (z,i) = 1 iff P ANDOREQ (PtVec D (z),intvec D (I)) = 1 P AND AT MOST ONE (PtVec D (z),intvec D (I)) = 1 Lemma 10 follows readily from Lemma 9, applied to each dimension i [D]. Predicate (ciphertextpolicy). Here, P CPRANGE : I(T ) D [T ] D {0,1} and P CPRANGE (I, z) = 1 iff D ( ) z j I j j =1 The predicates P OREQ and P AT MOST ONE are symmetric: Lemma 11 (Symmetry of P OREQ and P AT MOST ONE ). For all x, y Z l, we have: P OREQ (x, y) = 1 P OREQ (y, x) = 1 P AT MOST ONE (x, y) = 1 P AT MOST ONE (y, x) = 1 Thanks to this symmetry, we can reduce P CPRANGE to P ANDOREQ in the same way we did for P KPRANGE. 9
10 Reducing P CPRANGE to P ANDOREQ. Following the previous reduction, we map (I, z) to (IntVec D (I),PtVec D (z)). Lemma 12 (P CPRANGE to P ANDOREQ ). For all I (I[T ]) D and z [T ] D, P CPRANGE (I, z) = 1 iff P ANDOREQ (IntVec D (I),PtVec D (z)) = 1 P AND AT MOST ONE (IntVec D (I),PtVec D (z)) = 1. Lemma 12 follows from Lemma 10 and Lemma Predicate Encryption for ANDOREQ Here we describe our predicate encryption scheme for the ANDOREQ predicate defined in Section 3.1, selectively secure and latticebased. Recall that P ANDOREQ : Z D l Z D l {0,1}, and P ANDOREQ (X, Y) = 1 iff D j =1 l ( ) Xi,j = Y i,j The security of our scheme relies on the fact the ciphertext attributes and secret key predicates come from a restricted domain X,Y Z D l satisfying the at most one promise, namely for all X X, Y Y, P AND AT MOST ONE (X, Y) = 1 Indeed, the promise is satisfied by all of our reductions in Section 3.1. Overview. We begin with the special case D = 1. Given an attribute matrix x Z 1 l, the ciphertext is an LWE sample corresponding to a matrix of the form [ A A1 + x 1 G A l + x l G ] where A, the A i s and G are publicly known matrices, and the message is masked using an LWE sample corresponding to a public matrix P. The secret key corresponding to y Z 1 l is a collection of l short matrices U 1,...,U l such that for all j [l], [ A Aj + y j G ] U j = P To understand how decryption works, let us first suppose that there exists a uniue j such that x j = y j and that the decryptor knows j ; then, the decryptor can use U j to recover the plaintext. However, since the decryptor does not know x, he will try to decrypt the ciphertext using each of U 1,...,U l. We will also need to pad the plaintext with redundant zeros so that the decryptor can identify the correct plaintext. To establish security with respect to some selective challenge x, we will need to simulate secret keys for all y such that x j y j for all j [l]. We can then simulate U j using an allbutone simulation (while puncturing at x ) exactly as in prior IBE schemes in [ABB10a]. In order to establish weak attributehiding, j we adopt a similar strategy to that for inner product encryption in [AFV11]: roughly speaking, we will show that the challenge ciphertext is computational indistinguishable from an encryption of a random plaintext message under a random attribute x. 10
11 Higher dimensions. Given an attribute matrix X Z D l, the ciphertext is an LWE sample corresponding to a matrix of the form [ A A1,1 + X 1,1 G A 1,l + X 1,l G A 2,1 + X 2,1 G A D,l + X D,l G ] The secret key corresponding to Y Z D l is a collection of D l short matrices U 1,1,...,U D,l such that for i [D], j [l]: [ A Ai,j + Y i,j G ] U i,j = P i where P 1,...,P D is an additive secretsharing of P. For correctness, observe that if there exist indices (j 1,..., j D ) [l] D such that for all i [D] X i,ji = Y i,ji then the decryptor can use U 1,j1,, U D,jD to recover the plaintext. As with the case D = 1, the decryptor will need to enumerate over all (j 1,..., j D ) [l] D. To simulate secret keys for Y with respect to some selective challenge X, we first fix i such that X i,j Y i,j for all j [l]. Without loss of generality, suppose i = 1, that is, for all j [l], X 1,j Y 1,j. Using the "at most one" promise on X and Y, we know that for all i 2, we have X i,j = Y i,j for at most one j [l], which we call j i. That is, there exists a vector of indices (j 2,..., j D ) [l] D 1 such that for all i 2 and all j j i, we have X i,j Y i,j. We then proceed as follows: Sample random short matrices U 2,j2,...,U D,jD, which in turn determines the shares P 2,...,P D. Use an allbutone simulation strategy to sample the short matrices U i,j, for all i 2, and j j i. Define P 1 := P D i=2 P i and use an allbutone simulation strategy to sample the remaining short matrices in the secret key. Note that the construction relies crucially on the at most one promise on X and Y. In fact, the scheme given in Section 4.1 is insecure if this promise is not fulfilled, that is, there is a PPT adversary that wins the game defined in Section 2.3 with non negligible advantage. The attack goes as follows. Suppose that the adversary holds a secret key for Y Z D l such that P ANDOREQ (X, Y) = 0 and P AND AT MOST ONE (X, Y) = 0. Since P AND AT MOST ONE (X, Y) = 0, for some dimension i [D], there are at least two indices j 1, j 2 [l] such that X i,j1 = Y i,j1 and X i,j2 = Y i,j2, and therefore, both short matrices U i,j1 and U i,j2 allow to recover the same LWE sample corresponding to the matrix P i, up to some error. When X i,j2 Y i,j2 however, U i,j2 with the corresponding (i, j 2 ) component of the ciphertext only gives a uniformly random vector. Therefore, the fact that U i,j1 and U i,j2 both decrypts to (almost) the same LWE sample tells the adversary that X i,j1 = Y i,j1 and X i,j2 = Y i,j2 with high probability, contradicting the fact that the scheme is weakly attribute hiding. This induces an attack whose running time is polynomial in the security parameter. 4.1 Construction Let n N be the security parameter. Let the attribute space X and predicate space Y be subsets of Z D l satisfying the at most one promise. Let = (n), m = m(n,l,d) and χ max = χ max (n,,l,d) be positive integers. Let σ = σ(n,,l,d) be a Gaussian parameter. Setup(1 n,x,y,m): On inputs the security parameter n, X Z D l, Y Z D l and M := {0,1} k, do: Pick (A, T A ) TrapGen(1 n,1 m, ). For all i [D] and all j [l], pick A i,j R Z n m. 11
12 Pick P R Z n (k+n). Compute (G, T G ) as defined in Lemma 4. Output mpk := (P, A, A 1,1,...,A D,l, G, T G ) and msk := T A Enc(mpk, X, b): On input mpk, X X and b {0,1} k, do: Pick s R Z n, e R χ m, and compute c 0 := s A + e. For all i [D] and all j [l], do: Pick R i,j { 1,1} m m. Compute c i,j := s ( A i,j + X i,j G ) + e R i,j. Set b := (b,0,...,0) {0,1} k+n, pick e R χ k+n, and compute c f := s P + e + b /2. Output ct := (c 0, c 1,1,...,c D,l, c f ) KeyGen(mpk, msk, Y): On input the public parameters mpk, the master secret key msk, and a predicate matrix Y Y, do: Secret share P as {P i,i [D]}, such that D P i = P. For all i [D] and all j [l] : Sample a short matrix U i,j Z 2m (k+n) such that [ A A i,j + Y i,j G ] U i,j = P i using RightSample(A, T A, A i,j + Y i,j G, P i,σ) with σ = O( n log ). output the secret key sk Y = (U 1,1,...,U D,l ) Dec(mpk,sk Y,ct): On input the public parameters mpk, a secret key sk Y = (U 1,1,...,U D,l ) for a predicate matrix Y, and a ciphertext ct = (c 0, c 1,1,...,c D,l, c f ), do: For all (j 1,..., j D ) [l] D, compute d := c f D [ ] c0 c i,ji Ui,ji mod. If d /2 {0,1} k 0 n, then output the first k bits of d /2. For any z [0,1], we denote by z the closest integer to z. Otherwise, abort. Running time. The running times are: O(D l poly(n)) for encryption; O(D l poly(n)) for key generation; O(l D poly(n)) for decryption. The above numbers take into account matrix multiplications and additions. When done naively, the above Dec algorithm takes O(D l D poly(n)) time. However, if one saves the intermediate results [ c0 c i,j ] Ui,j for all (i, j ) [D] [l], one can do it in O(l D poly(n)) time. 4.2 Correctness Lemma 13. Suppose that χ max is such that χ max /4 (1 + D ( m) s 2m ) 1 where s = σ ω( logn). Let (X, Y) X Y such that P ANDOREQ (X, Y) = 1. Let sk Y = (U 1,1,...,U D,l ) KeyGen(mpk, msk, Y) 12
13 and ct = (c 0,...,c f ) Enc(mpk, X, b) With overwhelming probability in n, Dec does not abort and outputs b. Proof. Recall that Dec computes d for all (j 1,..., j D ) [ l ] D. We consider two cases: Case 1: i, X i,ji = Y i,ji. We show that with overwhelming probability in n, For all i [D], This implies [ A Ai,ji + X i,ji G ] U i,ji = P i thus d /2 D [ A Ai,ji + X i,ji G ] U i,ji = P D ] D [c 0 c i,ji Ui,ji s [ A A i,ji + X i,ji G ] U i,ji = s P c f b /2 = (b,0,...,0) := b. and thus d b /2. To obtain d /2 = b, it suffices to bound the error term and show that e D (e e R i,ji )U i,ji < /4. We know that e χ max. In addition, for all i [D], (e e R i,ji )U i,ji (e e R i,ji ) U i,ji ( e + ) Ri 2,ji e U i,ji By Lemma 6, Ui,ji σ ω( logn) 2m and by Lemma 2, Ri,ji 2 20 m. Combining these bounds, we obtain e D (e e R i,ji )U i,ji χ max + D χ max ( m) σ ω( logm) 2m We will set the parameters in Section 4.4 so that the uantity on the right is bounded by /4. Case 2: i, X i,j i Y i,j i. We show that the computed value d has a distribution which is statistically close to uniform, and therefore the probability that the last n bits of are all 0 is negligible in n. By an analogous calculation to that in Case 1, we have: d /2 D [ A Ai,ji + X i,ji G ] D U i,ji = P + [0 (X i,ji Y i,ji )G ] U i,ji We know that there exists some i [D] such that X i,j i Y i,j i, and we focus on [ 0 s (X i,j i Y i,j i )G ] U i,j i By Remark 1, we know that the bottom part U 2 Z m (k+n) of U i,j i is sampled from D Z m,σ ω( logn). Therefore, since X i,j i Y i,j i 0 and G is a fullrank matrix, by Lemma 5, we know that the distribution of GU 2 is indistinguishable from uniform over Z n (k+n) and then, the entire sum is indistinguishable 13
14 from uniform over Z k+n. Therefore, d = c f D [ ] c0 c i,ji Ui,ji mod is indistinguishable from uniform over Z k+n, and the probability that the last n bits of d /2 are all 0 is negligible in n. 4.3 Proof of Security Lemma 14. For any adversary A on the predicate encryption scheme, there exists an adversary B on the LWE assumption whose running time is roughly the same as that of A and such that AdvA PE (n) AdvdLWE n,m+n+k,,χ + negl(n) B The proof follows via a series of games, analogous to those in [AFV11]. We first define several auxiliary algorithms for generating the simulated ciphertexts and secret keys, upon which we can describe the games. Auxiliary algorithms. We introduce the following auxiliary algorithms: Setup(1 n,x,y,m, A, P, X ): on a security parameter n, an attribute space X Z D l, a predicate space Y Z D l satisfying the at most one promise, a message space M := {0,1} k, a matrix A Z n m, a matrix P Z n (k+n) and the challenge attribute matrix X, do: Compute (G, T G ) as defined in Lemma 4. For all i [D] and all j [l], pick R i,j { 1,1} m m and set A i,j := AR i,j X i,j G. Output mpk := (P, A, A 1,1,...,A D,l, G, T G ) and msk := (X, R 1,1,, R D,l, T A ) Ẽnc(mpk, b; msk, d 0, d f ): On input the public parameters mpk, a message b {0,1} k, the master secret key msk, and the extra inputs d 0 Z m, d f Z k+n do: Set c 0 := d 0, For all i [D] and all j [l], compute c i,j := d 0 R i,j, Compute b := (b,0,...,0) {0,1} k+n, and set c f := d f + b /2. Output (c 0,...,c f ). KeyGen(mpk, msk, Y, X ): On input the public parameters mpk, the master secret key msk, a predicate matrix Y and the challenge attribute matrix X do: If P(X, Y) = 1, abort. Otherwise, since P(X, Y) = 0, there must exist a i [D] such that for all j [l], X i,j Y i,j. By the at most one property, for all i [D], there is at most one j i [l] such that X i,j i = Y i,ji. We proceed in three steps : 1. First, for all i [D] \ {i } we sample: U i,ji R D Z 2m (k+n),σ ω( logn) with σ = O( n log ) and set ] P i := [A AR i,ji U i,ji Z n (k+n) 14
15 2. Next, we set P i to be: P i := P P i i i 3. We sample the remaining matrices as follows: U i,j LeftSample(A, R i,j, G,Y i,j X i,j, P i,σ). This is possible because Y i,j X i,j 0, whenever i = i or whenever j j i. Output (U 1,1,...,U D,l ). Game seuence. We present a series of games. We write Adv xxx to denote the advantage of A in Game xxx. Game 0 : is the real security game, as defined in Section 2.3. Game 1 : same as Game 0, except that the challenger runs Setup(1 n,x,y,m; A, P, X β ) and Ẽnc(mpk, b β; msk, s A + e, s P + e ) with (A, T A ) R TrapGen(1 n,1 m ), P R Z n (k+n), s R Z n, e R χ m, and e R χ k+n. Game 2 : same as Game 1 except that the challenger runs KeyGen. Game 3 : same as Game 2 except that the challenger runs Ẽnc(mpk, b β ; msk, d 0, d f ) where d 0 R Z m and d f R Z k+n. Game 4 : is the same as Game 3 except that the challenger runs KeyGen. We show in the following lemmas that each pair of games (Game i,game i+1 ) are either statistically indistinguishable or computationally indistinguishable under the decisionlwe assumption. Finally, we show in Lemma 19 that no information is leaked about β is the last game Game 4. Lemma 15 (Game 0 to Game 1 ). For all m > (n + 1)log + ω(logn), we have Adv 0 Adv 1 = negl(n). Proof. From Game 0 to Game 1, we switch from Setup,Enc to Setup,Ẽnc. Note that the only difference between Game 0 and Game 1 is that for all i [D] and j [l], the matrix A i,j is set to be A i,j R Z n m in Game 0, whereas it is set to be A i,j := AR i,j X i,j G in Game 1, where R i,j R { 1,1} m m. The matrix A i,j only appears in the mpk and in the component c i,j = s (A i,j + X i,j G) + e R i,j of the ciphertext. Therefore it suffices to show that the distribution of (A, e, A i,j, e R i,j ) in Game 0 and Game 1 are statistically close, that is, (A, e, A i,j, e R i,j ) s (A, e, AR i,j X i,j G, e R i,j ) where A i,j R Z n m, R i,j R { 1,1} m m, and e R χ m. Observe that (A, e, A i,j, e R i,j ) (A, e, A i,j X i,j G, e R i,j ) since A i,j R Z n m s (A, e, AR i,j X i,j G, e R i,j ) by Lemma 1 Lemma 16 (Game 1 to Game 2 ). Adv 1 Adv 2 = negl(n). 15
16 Proof. From Game 1 to Game 2, we switch from KeyGen to KeyGen. Therefore, it suffices to show that for any predicate Y such that P(X, Y) = 0, the following distributions are statistically close: KeyGen(mpk,msk, Y) s KeyGen(mpk, msk, Y, X ) We write: F i,j := ( A A i,j + Y i,j G ) ) = (A AR i,j + (Y i,j X i,j )G Z n 2m. Since P(X, Y) = 0, we know that there must exist a i [D] such that Y i,j X for all j [l]. Because i,j P AND AT MOST ONE (X, Y) = 1, we know that for all i [D], there is at most one j i [l] such that Y i,i j = X. i,i j We proceed in three steps: 1. First, we argue that the joint distribution {P i, U i,ji : i [D],i i } is statistically close in KeyGen and in KeyGen. This follows readily from Lemma Next, we argue that the joint distribution {P i : i [D]} is statistically close in KeyGen and in KeyGen. This follows readily from secret sharing. 3. Finally, fix P 1,...,P D. We argue that the distribution of the remaining matrices is statistically close in KeyGen and in KeyGen. This follows from Lemma 6, which tells us that the output U i,j of both RightSample in KeyGen and LeftSample in KeyGen, are statistically close to D Λ P i (F i,j ),σ ω( logn). We can sample these U i,j in KeyGen applying LeftSample because Y i,j X i,j 0 whenever i = i or whenever j j i. Remark 3. Note that the "at most one" promise is crucial here, because when Y i,j X = 0, we cannot ) i,j use LeftSample to sample a short matrix U i,j such that (A AR i,j + (Y i,j X i,j )G U i,j = P i. If there exists "at most one" j i [l] such that Y i,ji X = 0, we can sample a short matrix U i,j i i,ji from some discrete Gaussian distribution, and set P i to be P i := ( A AR i,j + 0 G ) U i,j. Lemma 5 ensures that both U i,j and P i are correctly distributed. However, if there exist at least 2 indices j i and j i [l] such that Y i,j i X = i,j i Y i,j X = 0, then there is more than one matrix that we cannot sample using LeftSample, and the i i,j i previous techniue does not work anymore. Lemma 17 (Game 2 to Game 3 ). There exists an adversary B whose running time is roughly the same as that of A and such that Adv 2 Adv 3 Adv dlwe n,m+k+n,,χ B Note that only difference between Game 2 and Game 3 is that we switch the distribution of the inputs (d 0, d D+1 ) to Ẽnc from LWE instances to random ones. Proof. On input an LWE challenge where A R Z n m and P R Z n (k+n) A and proceeds as follows: runs Setup(1 n,x,y,m; A, P, X β ) as in Game 2; (A, P, d 0, d D+1 ) answers A s private key ueries by using KeyGen as in Game 2 ; and (d 0, d D+1 ) is either (s A + e, s P + e ) or random, B simulates runs Ẽnc(mpk, b β; msk, d 0, d D+1 ) to generate the challenge ciphertext; Finally, A guesses if it is interacting with a Game 2 or a Game 3 challenger. B outputs A s guess as the answer to the LWE challenge it is trying to solve. 16
17 When the LWE challenge is pseudorandom as in Definition 1, the adversary s view is as in Game 2. When the LWE challenge is random the adversary s view is as in Game 3. Therefore, B s advantage in solving LWE is the same as A s advantage in distinguishing Game 2 and Game 3. Lemma 18 (Game 3 to Game 4 ). Adv 3 Adv 4 = negl(n) Proof. The differences between Game 3 and Game 4 are: In Game 3, A R Z n m, and T A :=, whereas in Game 4, (A, T A ) R TrapGen(1 n,1 m ). In Game 3, the challenger answers the adversary s secret key using the KeyGen algorithm, whereas he answers using the KeyGen algorithm in Game 4. The proof is the same as the one of Lemma 16, by symmetry of the games. Lemma 19 (Game 4 ). We have Adv 4 1/2 = negl(n) Proof. In Game 4, both the challenge ciphertext and the secret keys are independent of β. Moreover, by Lemma 1, we know that for all i [D], for all j [l] the two following distributions are statistically close (A, A i,j ) s (A, AR i,j X i,j G) where A i,j R Z n m, R i,j R { 1,1} m m, and e R χ m. Thus, the mpk does not leak any information on X β. Therefore, we get Adv 4 1/2 = negl(n). 4.4 Parameter selection By Lemma 1, we need m > (n + 1)log + ω(logn) By Lemma 3, and Lemma 4, we reuire m = Θ(n log ) By Lemma 5, we need m 2n log By Lemma 6, we need σ = O( T A GS ) and σ = O( T G GS (1 + R 2 )) where T A GS = O( n log ) and R 2 20 m with overwhelming probability in n, according to Lemma 3 and Lemma 5, respectively. For correctness of decryption, we reuire χ max /4 (1 + D ( m) s 2m ) 1, where s = σ ω( logn). Conseuently we take m = Θ(n log ), σ = O ( n log ) and χ max = O ( (D (n log ) 3/2 s) 1) where s = σ ω( logn). 4.5 Putting everything together for multidimensional range ueries When D denotes the number of dimensions and T the number of points in each, combining the preceding scheme with the reduction in Section 3.3, we get a scheme for P CPRANGE and P KPRANGE with ciphertexts and secret keys of sizes O(D logt ) and running times O(D logt poly(n)) for encryption and key generation, O((logT ) D poly(n)) for decryption. 17
18 5 Shorter Ciphertexts and Secret Keys for MultiDimensional Subset Queries The predicate encryption scheme for P ANDOREQ exhibited in Section 4 together with the reductions presented in Section 3 lead to efficient predicate encryption schemes for multidimensional subset ueries. Indeed, when D denotes the dimension and T denotes the size of the sets, we obtain a predicate encryption scheme for P KPSUBSET and P CPSUBSET with ciphertexts and secret keys of size O(D T ). However, in this section we show how we can improve the size of the secret keys and ciphertexts in order to obtain: ciphertexts of size O(D) for P KPSUBSET secret keys of size O(D) for P CPSUBSET 5.1 Multidimensional subset ueries, ciphertext policy We can obtain a predicate encryption scheme for P CPSUBSET using the reduction to P ANDOREQ defined in section 3.2, with secret keys of size O(D T ). We reduce the size of the secret keys size down to O(D) using the fact that in each dimension, only one of the T matrices in the secret key is needed to decrypt. On the one hand, for each dimension i, the reduction maps a point z [T ] into the vector e z. Therefore, for all j z the KeyGen algorithm generates a short matrix U i,j which is a preimage of some target for the matrix [ A A i,j + 0 G ]. On the other hand, a characteristic vector w {0,1} T, is mapped into a 1,1 vector. Thus, for all j, the (i, j ) th component of the ciphertext is an LWE sample corresponding to the matrix [ A i,j + G ], { 1,1}. Conseuently, the matrices U i,j for j z do not yield any useful information to decrypt the ciphertext. Therefore, we can remove them, and still satisfies correctness. Moreover, it is clear that removing parts of the secret key will not affect the security. Removing these matrices, we obtain a scheme whose secret keys have size O(D), and whose decryption algorithm runs in time O(D poly(n)) (instead of O(T D poly(n))). Construction. Let n N be the security parameter and T, D positive integers. Let = (n,t,d), m = m(n,t,d) and χ max = χ max (n,t,d) be positive integers, and σ = σ(n,t,d) be a Gaussian parameter. Setup(1 n,x,y,m): on a security parameter n, an attribute space X := {0,1} D T, a predicate space Y := Z D, and a message space M := {0,1}k, do: Pick (A, T A ) TrapGen(1 n,1 m, ). Pick A 1,1,...,A D,T R Z n m. Pick P R Z n (k+n). Compute (G, T G ) as defined in Lemma 4. Output: mpk := (P, A, A 1,1,...,A D,T, G, T G ) and msk := T A Enc(mpk, X, b): On input the public parameters mpk, an predicate matrix X X, and a message b {0,1} k, do: Pick s R Z n, e R χ m, and compute c 0 := s A + e. for all i [D] and all j [T ], do: Pick R i,j { 1,1} n m. 18
19 Compute c i,j := s ( A i,j + X i,j G ) + e R i,j. Set b := (b,0,...,0) {0,1} k+n, pick an e R χ k+n, and compute c f := s P + e + b /2. Output: ct := (c 0, c 1,1,...,c D,T, c f ) KeyGen(mpk, msk, y): On input the public parameters mpk, the master secret key msk, and an attribute vector y Y, do: Secret share P as {P i,i [D]}, such that D P i = P. For all i [D]: Sample a short matrix U i Z 2m (k+n) such that [ A A i,yi + G ] U i = P i using RightSample(A, T A, A i,yi + G, P i,σ) with σ = O( n log ). Output the secret key sk Y = (U 1,...,U D ). Dec(mpk,sk y,ct): On input the public parameters mpk, a secret key sk y = (U 1,...,U D ) for an attribute vector y, and a ciphertext ct = (c 0, c 1,1,...,c D,T, c f ), do: Compute d := c f ] D [ c0 c i,yi Ui mod. Output the first k bits of d /2. For any z [0,1], we denote by z the closest integer of z. Correctness and security. Correctness and security proofs follow readily from those of P ANDOREQ in Section Multidimensional subset ueries, keypolicy The following scheme is similar (however simpler) to the one presented in Section 4 for P ANDOREQ. Overview. We begin with the special case D = 1. Given an attribute vector x [T ] D, the ciphertext is an LWE sample corresponding to the matrix [ A A 1 + xg ] and the message is masked using an LWE sample corresponding to a public matrix P. The secret key corresponding to Y {0,1} T is a collection of T short matrices U 1,...,U T such that: [ A A1 + j G ] U j = P if Y j = 1 U j = if Y j = 0 For correctness, observe that if Y x = 1, then the decryptor can use U x to recover the plaintext. However, since the decryptor does not know x, he will try to decrypt the ciphertext using each of U 1,...,U T. We will need to pad the plaintext with redundant zeroes so that the decryptor can identify the correct plaintext. To establish security with respect to some selective challenge x, we will need to simulate the secret keys for all Y such that Y x = 0. Observe that for all j = 1,...,T, Y j = 1 = j x We can then simulate U j using an allbutone simulation (while puncturing at x ) exactly as in prior IBE schemes in [ABB10a]. In order to establish weak attributehiding, we adopt a similar strategy to that for inner product encryption in [AFV11]. 19
20 Higher dimensions. Given an attribute vector x [T ] D, the ciphertext is an LWE sample corresponding to the matrix [ A A 1 + x 1 G A D + x D G ]. The secret key corresponding to Y {0,1} D T is a collection of D T short matrices U 1,1,...,U D,T such that for j = 1,...,T,i = 1,...,D: where P 1,...,P D is an additive secretsharing of P. [ A Ai + j G ] U i,j = P i if Y i,j = 1 U i,j = if Y i,j = 0 For correctness, observe that if Y 1,x1 = Y 2,x2 =... = Y D,xD = 1, then the decryptor can use U 1,x1,, U D,xD to recover the plaintext. As with the case D = 1, the decryptor will need to enumerate over all x [T ] D. To simulate secret keys for Y with respect to some selective challenge x, first we fix i such that Y k,x = 0. i Without loss of generality, suppose i = 1, that is, Y 1,x 1 = 0. We then proceed as follows: Sample random short matrices U 2,x 2,...,U D,x, which in turn determines the shares P 2,...,P D D. Define P 1 := P D i=2 P i and use an allbutone simulation strategy to sample the remaining short matrices in the secret key. Construction. Let n N be the security parameter and T, D be positive integers. Let = (n), m = m(n,t,d) and χ max = χ max (n,,t,d) be positive integers, and σ = σ(n,,t,d) be a Gaussian parameter. Setup(1 n,x,y,m): on n, X := Z D, Y := {0,1}D T and M := {0,1} k, do: Pick (A, T A ) TrapGen(1 n,1 m, ). Pick A 1,...,A D R Z n m. Pick P R Z n (k+n). Compute (G, T G ) as defined in Lemma 4. Output: mpk := (P, A, A 1,...,A D, G, T G ) and msk := T A Enc(mpk, x, b): On input mpk, x X and b {0,1} k : Pick s R Z n, e R χ m, and compute c 0 := s A + e. For all i [D]: Pick R i { 1,1} m m. Compute c i := s ( A i + x i G ) + e R i. Set b := (b,0,...,0) {0,1} k+n, pick e R χ k+n, and compute c f := s P + e + b /2. Output: ct := (c 0, c 1,...,c D, c f ) KeyGen(mpk,msk, Y): On input mpk, msk, and Y Y, do: Secret share P as {P i,i [D]}, such that D P i = P. For all i [D] and j [T ]: If Y i,j = 1 then sample a short matrix U i,j Z 2m (k+n) [ A Ai + j G ] U i,j = P i such that using RightSample(A, T A, A i + j G, P i,σ) with σ = O( n log ). 20
21 Otherwise set U i,j :=. Output the secret key sk Y = (U 1,1,...,U D,T ). Dec(mpk,sk Y,ct): On input the public parameters mpk, a secret key sk Y = (U 1,1,...,U D,T ) for a predicate matrix Y, and a ciphertext ct = (c 0, c 1,...,c D, c f ), do: For all x = (x 1,..., x D ) [T ]D, compute d x := c f D [ ] c0 c i Ui,x mod. i dx If /2 {0,1} k 0 n for exactly one vector x [T ] D, then output the first k bits of z [0,1], we denote by z the closest integer of z. Otherwise, abort. dx /2. For any Correctness. Lemma 20. Suppose that parameters χ max is such that χ max /4 (1 + D ( m) s 2m ) 1. where s = σ ω( logn). Let sk Y = (U 1,1,...,U D,T ) KeyGen(mpk,msk, Y), ct = (c 0,...,c D+1 ) Enc(mpk, x, b), and d Dec(mpk,sk Y,ct) If P(x, Y) = 1, then with overwhelming probability in n, Dec does not abort and d = b. The proof of Lemma 20 is essentially the same than the proof of Lemma 13, for P ANDOREQ. We refer to the latter for further details. Proof of Security. Lemma 21. For any adversary A, there exists an adversary B whose running time is roughly the same as that of A and such that AdvA PE (n) AdvdLWE n,m+n+k,,χ + negl(n) We proceed exactly as in Section 4.3 with the same auxiliary algorithms. B Auxiliary algorithms. Setup(1 n,x,y,m; A, P, x ): on n, X := [T ] D, Y := {0,1} T D, M := {0,1} k, A Z n m, P Z n (k+n) X, do the following: Compute (G, T G ) as defined in Lemma 4. For all i [D], pick R i { 1,1} m m and set A i := AR i x i G. Output mpk := (P, A, A 1,...,A D, G, T G ) and msk := (x, R 1,...,R D, T A ). Ẽnc(mpk, b; msk, d 0, d D+1 ): On mpk, b {0,1} k, msk, and the extra inputs d 0 Z m, d D+1 Z k+n following: Set c 0 := d 0, For all i [D], compute c i := d 0 R i, Compute b := (b,0,...,0) {0,1} k+n, and set c D+1 := d D+1 + b /2. and x do the 21
Riding on Asymmetry: Efficient ABE for Branching Programs
Riding on Asymmetry: Efficient ABE for Branching Programs Sergey Gorbunov and Dhinakaran Vinayagamurthy Abstract. In an AttributeBased Encryption ABE scheme the ciphertext encrypting a message µ, is associated
More informationTargeted Homomorphic Attribute Based Encryption
Targeted Homomorphic Attribute Based Encryption Zvika Brakerski David Cash Rotem Tsabary Hoeteck Wee Abstract In (keypolicy) attribute based encryption (ABE), messages are encrypted respective to attributes
More informationNew Lower Bounds on Predicate Entropy for Function Private PublicKey Predicate Encryption
New Lower Bounds on Predicate Entropy for Function Private PublicKey Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of
More informationBackground: Lattices and the LearningwithErrors problem
Background: Lattices and the LearningwithErrors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationFully KeyHomomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits
Fully KeyHomomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits Dan Boneh Craig Gentry Sergey Gorbunov Shai Halevi Valeria Nikolaenko Gil Segev Vinod Vaikuntanathan Dhinakaran Vinayagamurthy
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationEfficient Lattice (H)IBE in the Standard Model
Efficient Lattice (H)IBE in the Standard Model Shweta Agrawal University of Texas, Austin Dan Boneh Stanford University Xavier Boyen PARC Abstract We construct an efficient identity based encryption system
More informationFunctionPrivate SubspaceMembership Encryption and Its Applications
FunctionPrivate SubspaceMembership Encryption and Its Applications Dan Boneh 1, Ananth Raghunathan 1, and Gil Segev 2, 1 Stanford University {dabo,ananthr}@cs.stanford.edu 2 Hebrew University segev@cs.huji.ac.il
More information5.4 ElGamal  definition
5.4 ElGamal  definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationAttributebased Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attributebased Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationApplied cryptography
Applied cryptography Identitybased Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationCompact Reusable Garbled Circuits. Dhinakaran Vinayagamurthy
Compact Reusable Garbled Circuits by Dhinakaran Vinayagamurthy A thesis submitted in conformity with the requirements for the degree of Master of Science Graduate Department of Computer Science University
More informationG Advanced Cryptography April 10th, Lecture 11
G.30001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationHow to Delegate a Lattice Basis
How to Delegate a Lattice Basis David Cash Dennis Hofheinz Eike Kiltz July 24, 2009 Abstract We present a technique, which we call basis delegation, that allows one to use a short basis of a given lattice
More informationBetter Security for Functional Encryption for Inner Product Evaluations
Better Security for Functional Encryption for Inner Product Evaluations Michel Abdalla, Florian Bourse, Angelo De Caro, and David Pointcheval Département d Informatique, École normale supérieure {michel.abdalla,florian.bourse,angelo.decaro,david.pointcheval}@ens.fr
More informationAn efficient variant of BonehGentryHamburg's identitybased encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences  Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of BonehGentryHamburg's
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationSecure and Practical IdentityBased Encryption
Secure and Practical IdentityBased Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationNew Proof Methods for AttributeBased Encryption: Achieving Full Security through Selective Techniques
New Proof Methods for AttributeBased Encryption: Achieving Full Security through Selective Techniques Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas
More informationPrivate Puncturable PRFs From Standard Lattice Assumptions
Private Puncturable PRFs From Standard Lattice Assumptions Dan Boneh Stanford University dabo@cs.stanford.edu Sam Kim Stanford University skim13@cs.stanford.edu Hart Montgomery Fujitsu Laboratories of
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomialtime decoding algorithm A such that: Given
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationFully Secure Functional Encryption: AttributeBased Encryption and (Hierarchical) Inner Product Encryption
Fully Secure Functional Encryption: ttributebased Encryption and (Hierarchical) Inner Product Encryption llison Lewko University of Texas at ustin alewko@cs.utexas.edu mit Sahai UCL sahai@cs.ucla.edu
More informationLecture 16: Public Key Encryption:II
Lecture 16: Public Key Encryption:II Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 1 / 17 Last time PKE from ANY trapdoor
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationIdentityBased Encryption from the DiffieHellman Assumption
IdentityBased Encryption from the DiffieHellman Assumption Nico Döttling Sanjam Garg University of California, Berkeley Abstract We provide the first constructions of identitybased encryption and hierarchical
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosenplaintext
More informationNotes on PropertyPreserving Encryption
Notes on PropertyPreserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is propertypreserving encryption. This is encryption
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationA New Functional Encryption for Multidimensional Range Query
A New Functional Encryption for Multidimensional Range Query Jia Xu 1, EeChien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from OneWay Functions
Columbia University  Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationCS 355: TOPICS IN CRYPTOGRAPHY
CS 355: TOPICS IN CRYPTOGRAPHY DAVID WU Abstract. Preliminary notes based on course material from Professor Boneh s Topics in Cryptography course (CS 355) in Spring, 2014. There are probably typos. Last
More informationOutline. Provable Security in the Computational Model. III Signatures. PublicKey Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI PublicKey Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationLecture 7: BonehBoyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: BonehBoyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the BonehBoyen IBE system,
More informationLattice Reduction Attack on the Knapsack
Lattice Reduction Attack on the Knapsack Mark Stamp 1 Merkle Hellman Knapsack Every private in the French army carries a Field Marshal wand in his knapsack. Napoleon Bonaparte The Merkle Hellman knapsack
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a postquantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationRSAOAEP and CramerShoup
RSAOAEP and CramerShoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSAOAEP Preliminaries for the proof Proof of INDCCA2 security
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationEmbedAugmentRecover: Function Private Predicate Encryption from Minimal Assumptions in the PublicKey Setting
EmbedAugmentecover: Function Private Predicate Encryption from Minimal Assumptions in the PublicKey Setting Sihar Patranabis and Debdeep Muhopadhyay Department of Computer Science and Engineering Indian
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A nontechnical account of the history of publickey cryptography and the colorful characters involved. 2 / 1 Recall
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosenplaintext attack (CPA) is an attack model for cryptanalysis which
More informationParallel CoinTossing and ConstantRound Secure TwoParty Computation
Parallel CoinTossing and ConstantRound Secure TwoParty Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationTowards MultiHop Homomorphic IdentityBased Proxy ReEncryption via Branching Program
1 Towards MultiHop Homomorphic IdentityBased Proxy ReEncryption via Branching Program Zengpeng Li, Chunguang Ma, Ding Wang Abstract Identitybased Proxy reencryption IBPRE is a powerful cryptographic
More informationLecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004
CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationA LatticeBased Universal Thresholdizer for Cryptographic Systems
A LatticeBased Universal Thresholdizer for Cryptographic Systems Dan Boneh Rosario Gennaro Steven Goldfeder Sam Kim Abstract We develop a general approach to thresholdizing a large class of (nonthreshold)
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationIDbased Encryption Scheme Secure against Chosen Ciphertext Attacks
IDbased Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {caozf,
More informationLeakageresilient Attributebased Encryptions with Fast Decryption: Model, Analysis and Construction
Leakageresilient ttributebased Encryptions with Fast Decryption: Model, nalysis and Construction Mingwu Zhang,, Wei Shi, Chunzhi Wang, Zhenhua Chen,Yi Mu May 1, 2013 bstract Traditionally, in attributebased
More informationFunctionPrivate IdentityBased Encryption: Hiding the Function in Functional Encryption
FunctionPrivate IdentityBased Encryption: Hiding the Function in Functional Encryption Dan Boneh Ananth Raghunathan Gil Segev Abstract We put forward a new notion, function privacy, in identitybased
More informationEfficient and Secure Delegation of Linear Algebra
Efficient and Secure Delegation of Linear Algebra Payman Mohassel University of Calgary pmohasse@cpsc.ucalgary.ca Abstract We consider secure delegation of linear algebra computation, wherein a client,
More informationMultiInput Functional Encryption
MultiInput Functional Encryption S. Dov Gordon Jonathan Katz FengHao Liu Elaine Shi HongSheng Zhou Abstract Functional encryption (FE) is a powerful primitive enabling finegrained access to encrypted
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical publickey
More informationNonInteractive ZK:The FeigeLapidotShamir protocol
NonInteractive ZK: The FeigeLapidotShamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationLecture 22. m n c (k) i,j x i x j = c (k) k=1
Notes on Complexity Theory Last updated: June, 2014 Jonathan Katz Lecture 22 1 N P PCP(poly, 1) We show here a probabilistically checkable proof for N P in which the verifier reads only a constant number
More informationFHE Circuit Privacy Almost For Free
FHE Circuit Privacy Almost For Free Florian Bourse, Rafaël Del Pino, Michele Minelli, and Hoeteck Wee ENS, CNRS, INRIA, and PSL Research University, Paris, France {fbourse,delpino,minelli,wee}@di.ens.fr
More informationTwo Comments on Targeted Canonical Derandomizers
Two Comments on Targeted Canonical Derandomizers Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded.goldreich@weizmann.ac.il April 8, 2011 Abstract We revisit
More informationCryptographically Enforced RBAC
Cryptographically Enforced RBAC Anna Lisa Ferrara 1, Georg Fuchsbauer 2, and Bogdan Warinschi 1 1 University of Bristol, UK, anna.lisa.ferrara@bristol.ac.uk,bogdan@cs.bris.ac.uk 2 Institute of Science
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationLecture 11: Hash Functions, MerkleDamgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, MerkleDamgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review CollisionResistant Hash Functions
More informationCSA E0 235: Cryptography (19 Mar 2015) CBCMAC
CSA E0 235: Cryptography (19 Mar 2015) Instructor: Arpita Patra CBCMAC Submitted by: Bharath Kumar, KS Tanwar 1 Overview In this lecture, we will explore Cipher Block Chaining  Message Authentication
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationOAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland
OAEP Reconsidered Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com February 13, 2001 Abstract The OAEP encryption scheme was introduced by Bellare and
More informationIdeal Lattices and RingLWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and RingLWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 RingLWE and its hardness from ideal lattices 2 Open questions
More informationSolving Systems of Modular Equations in One Variable: How Many RSAEncrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSAEncrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics RuhrUniversität Bochum, 44780 Bochum,
More informationProperty Preserving Symmetric Encryption Revisited
Property Preserving Symmetric Encryption Revisited Sanjit Chatterjee 1 and M. Prem Laxman Das 2 1 Department of Computer Science and Automation, Indian Institute of Science sanjit@csa.iisc.ernet.in 2 Society
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationLecture 17  DiffieHellman key exchange, pairing, IdentityBased Encryption and Forward Security
Lecture 17  DiffieHellman key exchange, pairing, IdentityBased Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad  Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationLattice Basis Delegation in Fixed Dimension and ShorterCiphertext Hierarchical IBE
Lattice Basis Delegation in Fixed Dimension and ShorterCiphertext Hierarchical IBE Shweta Agrawal 1, Dan Boneh 2, and Xavier Boyen 3 1 University of Texas, Austin 2 Stanford University 3 Université de
More informationPublicKey Encryption: ElGamal, RSA, Rabin
PublicKey Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum TelAviv University Fall Semester, 2011 12 PublicKey Encryption Syntax Encryption algorithm: E. Decryption
More information5 Pseudorandom Generators
5 Pseudorandom Generators We have already seen that randomness is essential for cryptographic security. Following Kerckhoff s principle, we assume that an adversary knows everything about our cryptographic
More informationA SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRSbased NIZK shuffle argument OUR RESULTS
More informationLecture 9 and 10: Malicious Security  GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security  GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationInstantiating the Dual System Encryption Methodology in Bilinear Groups
Instantiating the Dual System Encryption Methodology in Bilinear Groups Allison Lewko joint work with Brent Waters Motivation classical public key cryptography: Alice Bob Eve Motivation functional encryption:
More informationFunctional Encryption: Decentralized and Delegatable
Functional Encryption: Decentralized and Delegatable Nishanth Chandran Vipul Goyal Aayush Jain Amit Sahai Abstract Recent advances in encryption schemes have allowed us to go far beyond point to point
More informationPeculiar Properties of LatticeBased Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of LatticeBased Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationNonMalleable Encryption: Equivalence between Two Notions, and an IndistinguishabilityBased Characterization
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 99, Lecture Notes in Computer Science Vol. 1666, M. Wiener ed., SpringerVerlag, 1999. This revised version corrects some mistakes
More informationA Beginner s Guide To The General Number Field Sieve
1 A Beginner s Guide To The General Number Field Sieve Michael Case Oregon State University, ECE 575 case@engr.orst.edu Abstract RSA is a very popular public key cryptosystem. This algorithm is known to
More informationHighPrecision Arithmetic in Homomorphic Encryption
HighPrecision Arithmetic in Homomorphic Encryption Hao Chen 1, Kim Laine 2, Rachel Player 3, and Yuhou Xia 4 1 Microsoft Research, USA haoche@microsoft.com 2 Microsoft Research, USA kim.laine@microsoft.com
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationOn Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles
A preliminary version of this paper appears in Advances in Cryptology  CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions
More informationAttributeBased Encryption Schemes with ConstantSize Ciphertexts
AttributeBased Encryption Schemes with ConstantSize Ciphertexts Nuttapong Attrapadung 1, Javier Herranz 2, Fabien Laguillaume 3, Benoît Libert 4, Elie de Panafieu 5, and Carla Ràfols 2 1 Research Center
More informationLecture 14  CCA Security
Lecture 14  CCA Security Boaz Barak November 7, 2007 Key exchange Suppose we have following situation: Alice wants to buy something from the well known website Bob.com Since they will exchange private
More information14 DiffieHellman Key Agreement
14 DiffieHellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss numbertheoretic constructions
More information15 PublicKey Encryption
15 PublicKey Encryption So far, the encryption schemes that we ve seen are symmetrickey schemes. The same key is used to encrypt and decrypt. In this chapter we introduce publickey (sometimes called
More informationDual System Encryption via Doubly Selective Security: Framework, Fullysecure Functional Encryption for Regular Languages, and More
Dual System Encryption via Doubly Selective Security: Framework, Fullysecure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung AIST, Japan n.attrapadung@aist.go.jp Abstract Dual
More informationLecture 18  Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18  Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPAsecure public key encryption scheme such that oracle
More information