Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Size: px

Start display at page:

Download "Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More"

Walter Ellis
5 years ago
Views:

1 Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung (Nuts) AIST, 2014, Copenhagen

2 Our Results in One Slide Instantiations:! Framework for fully-secure FE (with tighter reduction) The first fully secure FE for regular languages ABE with short ciphertext unbounded ABE and more

3 Our Results in One Slide Instantiations:! Framework for fully-secure FE (with tighter reduction) The first fully secure FE for regular languages ABE with short ciphertext unbounded ABE focus in this talk and more

4 1 Introduction

5 Functional Encryption Syntax FE for predicate R:A B {0,1} or family {R k } k Setup(k,1 λ ) Encrypt(Y,M,PK) KeyGen(X,MSK,PK) Decrypt(CT,SK) PK, MSK CT SK M if R(X,Y)=1 for ciphertext attribute Y for key attribute X FE here means the class Public-index Predicate Encryption of FE [BSW11].

6 Definition of Full Security for FE Adversary X Y,M 0,M 1 X guess b q 1 times once q 2 times PK SK CT SK KeyGen(X) Enc(Y,M b ) KeyGen(X) Challenger Non-triviality condition: R(X,Y)=0

7 Definition of Selective Security for FE Adversary Y X M 0,M 1 X guess b q 1 times once q 2 times PK SK CT SK KeyGen(X) Enc(Y,M b ) KeyGen(X) Challenger Non-triviality condition: R(X,Y)=0

8 Approaches for Full Security for key for challenge Partitioning IBE [BB04b, Waters05] Seem not to work with richer FE ID space normal semifunctional Dual-System Encryption [Waters09] Work also with richer FE: ABE [LOSTW10,OT10,LW12,] Inner-product enc [OT12,] Spatial encryption [AL10,]

9 Dual System Also Offers Simplicity. An original FE scheme Selectively-secure Similar scheme but in composite-order bilinear group A candidate for fully-secure scheme

10 Boneh-Boyen IBE (selectively secure) Lewko-Waters IBE (fully secure) CT=(g s, g s(h 1+h 2 ID), e(g,g) αs M) CT=(g 1 s, g 1 s(h 1 +h 2 ID), e(g 1,g 1 ) αs M) SK=(g α+r(h 1+h 2 ID ), g r ) SK=(g 1 α+r(h 1 +h 2 ID ) g 3 w 1, g1 r g 3 w 2)

11 Boneh-Boyen IBE (selectively secure) Lewko-Waters IBE (fully secure) CT=(g s, g s(h 1+h 2 ID), e(g,g) αs M) CT=(g 1 s, g 1 s(h 1 +h 2 ID), e(g 1,g 1 ) αs M) SK=(g α+r(h 1+h 2 ID ), g r ) SK=(g 1 α+r(h 1 +h 2 ID ) g 3 w 1, g1 r g 3 w 2) Abstract Selective Secure FE Abstract Fully Secure FE? CT=(g 1 c(s,h), e(g 1,g 1 ) αs M) SK=g 1 k(α,r,h) CT=(g 1 c(s,h), e(g 1,g 1 ) αs M) SK=g 1 k(α,r,h) ᐧg 3 w Apply to any scheme?

12 Successful Applications Selective Full IBE BB04 LW10 ABE Spatial Encryption GPSW06 BH08 LOSTW10 AL10 Unsuccessful Applications FE for regular languages ABE w/ short ciphertexts Fully-unbounded ABE Selective Waters12 ALP11 RW13 Full??? } Open problem!

13 We ask: Why did traditional dual systems fail for some schemes? How to overcome that barrier?

14 To systematically answer, we provide a generic framework.

15 Our Framework Result New primitive: Pair Encoding Generic FE Scheme Perfectly secure pair encoding Computationally secure encoding Doubly selective security

16 Our Framework Result New primitive: Pair Encoding Generic FE Scheme Perfectly secure pair encoding Fully secure FE Computationally secure encoding Doubly selective security Fully secure FE + tighter reduction

17 Our Framework Result New primitive: Pair Encoding Generic FE Scheme Perfectly secure pair encoding Fully secure FE Generalize traditional dual-systems, which implicitly use info-theoretic argument.

18 Our Framework Result New primitive: Pair Encoding Generic FE Scheme Generalize Lewko-Waters12 ABE + New techniques for tighter reduction. Computationally secure encoding Fully secure FE + tighter reduction

19 A Glance at Pair Encoding Recall the abstract scheme CT=(g 1 c(s,h), e(g 1,g 1 ) αs M) SK=g 1 k(α,r,h) ᐧg 3 w Pair encoding consists of c( ) and k( ).

20 Our Answer to Instantiations Selective Fully-secure FE for regular languages ABE w/ short ciphertexts Fully-unbounded ABE Waters12 ALP11 RW13

21 Our Answer to Instantiations Selective Fully-secure FE for regular languages ABE w/ short ciphertexts Fully-unbounded ABE Waters12 ALP11 RW13 Why traditional dual systems failed: (Implicit) encodings were not perfect.

22 Our Answer to Instantiations FE for regular languages ABE w/ short ciphertexts Fully-unbounded ABE Selective Waters12 ALP11 RW13 Fully-secure New! New! New! Why traditional dual systems failed: (Implicit) encodings were not perfect. How to overcome: Use computationally secure encodings

23 A Glance at Tighter Reduction All prior dual-system proofs (except [Chen-Wee Crypto13]) Game 1 1 key/1 game Game q all Reduction=O(q all ), q all= q 1 +q 2

24 A Glance at Tighter Reduction All prior dual-system proofs (except [Chen-Wee Crypto13]) Game 1 Our new approach 1 q 1 one big jump! 1 key/1 game q 2 keys in 1 game Game q all Reduction=O(q all ), q all= q 1 +q 2 q all Reduction=O(q 1 )

25 Related work on Dual-System Framework [Chen-Wee Crypto13]: Dual-system groups Unify prime- and composite-order groups but only to specific predicates (HIBE). Ours unifies for any predicate (but specific to composite-order). [Wee TCC14]: Predicate Encoding Independently abstracting perfectly secure encoding.

26 2 Framework

27 Pair Encoding: Definition Pair Encoding for predicate R={R k } k Enc1(X) Enc2(Y) k(α,r,h) c(s,h) where r=(r 1,,r m ) where s=(s,s 1,,s w )

28 Pair Encoding: Definition Pair Encoding for predicate R={R k } k Param(k) h where h=(h 1,,h m ) Enc1(X) Enc2(Y) k(α,r,h) c(s,h) where r=(r 1,,r m ) where s=(s,s 1,,s w )

29 Pair Encoding: Definition Pair Encoding for predicate R={R k } k Param(k) h where h=(h 1,,h m ) Enc1(X) Enc2(Y) Pair(X,Y) k(α,r,h) c(s,h) E where r=(r 1,,r m ) where s=(s,s 1,,s w ) Correctness : If R(X,Y)=1, k(α,r,h) E c(s,h) T =αs

30 Pair Encoding: Definition Pair Encoding for predicate R={R k } k Param(k) h where h=(h 1,,h m ) Enc1(X) Enc2(Y) Pair(X,Y) k(α,r,h) c(s,h) E where r=(r 1,,r m ) where s=(s,s 1,,s w ) Correctness : If R(X,Y)=1, k(α,r,h) E c(s,h) T =αs Security: If R(X,Y)=0, to be defined.

31 Additional Requirements Parameter-vanishing k(α,0,h) = k(α,0,0) Linearity for k Linearity for c k(α 1,r 1,h)+k(α 2,r 2,h) = k(α 1 +α 2,r 1 +r 2,0) c(s 1 +s 2,h) = c(s 1,h)+c(s 2,h) Linearity implies homogeneity: k(0,0,0)=0, c(0,0)=0

32 Pair Encoding: Example for IBE Param 2 That is, h=(h 1,h 2 ) Enc1(ID) k(α,r,h) = ( α+r(h 1 +h 2 ID), r) Enc2(ID ) Pair(ID,ID ) c(s,h) E = ( s, s(h 1 +h 2 ID ) ) = Correctness If ID=ID (α+r(h 1 +h 2 ID), r) s s(h 1 +h 2 ID ) = αs

33 Composite-order Bilinear Groups G, G T of order N=p 1 p 2 p 3 with bilinear map e: G G G T have prime-order subgroups G 1, G 2, G 3 Orthogonality: e(g i, g j )=1 iff i j Subgroup Decision: Decide if T G 1 or T G 12

34 Constructing FE from Pair Encoding FE for predicate R from Pair encoding for R Setup PK=(g 1, g 1 h, e(g 1,g 1 ) α, g 3 ), MSK=α Encrypt(Y,M,PK) CT=(g 1 c(s,h), e(g 1,g 1 ) αs M) Enc2(Y)=c(s,h) KeyGen(X,MSK) SK=g 1 k(α,r,h). R 3 Enc1(X)=k(α,r,h) Decrypt(CT,SK) e(g 1 k(α,r,h)e, g 1 c(s,h) ᐧR 3 ) = e(g 1,g 1 ) αs k(α,r,h) E c(s,h) T =αs

35 Security Proof of Our Framework

36 Semi-functional Ciphertexts/Keys Can Be Defined in Terms of Pair Encoding Scheme g 1 c(s,h) ᐧg 2 c(0,0)=0 g c(s,h) ᐧg c( s,h) 1 2 e(g 1,g 1 ) αs unmodified g 1 k(α,r,h) ᐧg 2 k(0,0,0)=0 g k(α,r,h) ᐧg k(0, r,h) 1 2 g 1 k(α,r,h) ᐧg 2 k(α, r,h) g 1 k(α,r,h) ᐧg 2 k(α,0,0) Each randomness except semi-param h is fresh for each.

37 Semi-functional Ciphertexts/Keys Can Be Defined in Terms of Pair Encoding Scheme C g 1 c(s,h) ᐧg 2 c(0,0)=0 K g 1 k(α,r,h) ᐧg 2 k(0,0,0)=0 C g c(s,h) ᐧg c( s,h) 1 2 K1 g k(α,r,h) ᐧg k(0, r,h) 1 2 e(g 1,g 1 ) αs unmodified K2 K3 g 1 k(α,r,h) ᐧg 2 k(α, r,h) g 1 k(α,r,h) ᐧg 2 k(α,0,0) Each randomness except semi-param h is fresh for each.

38 Recall Definition for Full Security X Y,M 0,M 1 X guess b PK SK CT SK KeyGen(X) Enc(Y,M b ) KeyGen(X)

39 Recall Definition for Full Security K K K }q1 K C K K K K q 2 } Notation in timeline X Y,M 0,M 1 X guess b PK SK CT SK KeyGen(X) Enc(Y,M b ) KeyGen(X)

40 Aim of the Proof Real game: all normal K K K K C K K K K Final game: all semi-functional K3 K3 K3 K3 C K3 K3 K3 K3

41 Final Game Adversary will have no advantage. Intuition: decryption contains random e(g 2,g 2 ) αs C g c(s,h) ᐧg c( s,h) 1 2 K3 g 1 k(α,r,h) ᐧg 2 k(α,0,0) K3 K3 K3 K3 C K3 K3 K3 K3

42 Game Sequence in the Proof K K K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3

43 Game Sequence in the Proof K K K K C K K K K K K K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3

44 Game Sequence in the Proof K K K K C K K K K K K K K C K K K K K3 K K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3

45 Game Sequence in the Proof K K K K C K K K K K K K K C K K K K K3 K K K C K K K K K3 K3 K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3

46 Game Sequence in the Proof K K K K C K K K K K K K K C K K K K K3 K K K C K K K K K3 K3 K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3

47 Game Subsequence Indistinguishability based on K Subgroup Decision K1 Security of encoding K2 K3 Subgroup Decision

48 Game Subsequence Indistinguishability based on K Subgroup Decision K1 Security of encoding K2 K3 Subgroup Decision Intuition: These two do not depend on encoding. Use linearity, param-vanishing of k and orthogonality of G.

49 Game Subsequence Indistinguishability based on K Subgroup Decision K1 Security of encoding K2 K3 Subgroup Decision

50 The 2nd Transition K1 K2 g k(α,r,h) ᐧg k(0, r,h) 1 2 g k(α,r,h) ᐧg k(α, r,h) 1 2 Security of encoding (to be defined)

51 The 2nd Transition K1 K2 g k(α,r,h) ᐧg k(0, r,h) 1 2 g k(α,r,h) ᐧg k(α, r,h) 1 2 Security of encoding (to be defined) Idea: just define security of encoding to be exactly the indistinguishability of these two games!

52 The 2nd Transition In More Details K3 K3 K1 K K C K K K3 K3 K2 K K C K K g k(α,0,0) 2 { g 2 k(0, r,h) g 2 k(α, r,h) g c( s,h) 2 Only these are correlated via semi-param h. Isolating all other keys.

53 Defining Security of Encoding Computationally secure encoding Cannot distinguish { g 2 k(0, r,h) g 2 k(α, r,h) g c( s,h) 2

54 Defining Security of Encoding Perfectly secure encoding Identical (info-theoretic) { k(0, r, h) k(α, r, h) c( s,h) Computationally secure encoding Cannot distinguish { g 2 k(0, r,h) g 2 k(α, r,h) g c( s,h) 2

55 Defining Security of Encoding Perfectly secure encoding Identical (info-theoretic) { k(0, r, h) k(α, r, h) c( s,h) Computationally secure encoding Cannot distinguish { g 2 k(0, r,h) g 2 k(α, r,h) 1st flavor: k before c g c( s,h) 2 2nd flavor: c before k

56 Computationally Security 1: k before c once X For R(X,Y)=0 once Y guess b pick h, b { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1 g c( s,h) 2

57 Computationally Security 1: k before c For Transitions of Pre-challenge Keys K3 K3 K1 K K C K K K3 K3 K2 K K C K K once X For R(X,Y)=0 once Y guess b pick h, b { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1 g c( s,h) 2

58 Computationally Security 2: c before k Y For R(X,Y)=0 X guess b once once pick h, b g c( s,h) 2 { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1

59 Computationally Security 2: c before k For Transitions of Post-challenge Keys K3 K3 C K3 K3 K1 K K K3 K3 C K3 K3 K2 K K Y For R(X,Y)=0 X guess b once once pick h, b g c( s,h) 2 { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1

60 Tighter Security Proof K K C K K K3 K3 K K C K3 K3 K3 K3 }O(q 1 ) }O(q 2 ) New! O(1)

61 Refining Computationally Security 2 For Transitions of Post-challenge Keys K3 K3 C K1 K1 K3 K3 C K2 K2 For R(X,Y)=0 Y X guess b once q 2 times pick h, b g c( s,h) 2 { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1

62 Doubly Selective Security Y program h X The 2nd notion is called Selective Master-key Hiding since the order of queries mimics selective security of FE but in semi-functional space. X program h Y The 1st notion is called Co-Selective Master-key Hiding since the order of queries mimics co-selective security of FE but in semi-functional space.

X program h Y The 1st notion is called Co-Selective Master-key Hiding since the order of queries Can borrow proof

63 Doubly Selective Security Y program h X The 2nd notion is called Selective Master-key Hiding since the order of queries Can borrow proof techniques mimics selective security of FE for selective security of FE but in semi-functional space. X program h Y The 1st notion is called Co-Selective Master-key Hiding since the order of queries Can borrow proof techniques mimics co-selective security of for co-selective security of FE FE but in semi-functional space. or selective security of its dual!

64 3 Instantiations

65 Fully Secure IBE Lewko-Waters IBE k=(α+r(h 1 +h 2 ID), r) c=(s, s(h 1 +h 2 ID )) h=(h 1,h 2 ) Our new IBE h=(h 1,h 2,h 3 ) k=(α+r 1 (h 1 +h 2 ID)+r 2 h 3, r 1, r 2 ) c=(s, s(h 1 +h 2 ID ), sh 3 ) Encoding is perfect. f(x)=h 1 +h 2 x is pair-wise independent Full security of IBE: O(q all ) to Subgroup Decision Encoding is perfect. Encoding is also selective under 3-party DH. Full security of IBE: O(q 1 ) to Subgroup Decision plus O(1) to 3-party DH

66 Fully Secure IBE Public key Ciphertext, key Reduction Assumption Waters 05 O(n) O(1) O(nq all ) DBDH Gentry 06 O(1) O(1) O(1) q all -ABDHE Waters 09 O(1) O(1) O(q all ) DBDH,DLIN Lewko-Waters 10 O(1) O(1) O(q all ) subgroup Chen-Wee 13 O(n) O(1) O(n) DLIN Our IBE O(1) O(1) n = ID length O(q 1 ) 3DH, subgroup

67 FE for Regular Languages Security Reduction Assumption Waters 12 selective O(1) Q-type Our FE for regular languages full O(q 1 ) Q-type, subgroup

68 FE for Regular Languages Selective security of our encoding Borrow techniques from selective security of Waters. Hence, use a similar Q-type assumption to Waters. Q is ciphertext attribute size of one query. Q is not the number of queries (q 1,q 2 ).! Co-selective security of our encoding New techniques, new Q-type assumption.

69 KP-ABE with Short Ciphertext Ciphertext size Key size Security Reduction Assumption A.-Libert- Panafieu 11 O(1) O(tk) selective O(1) Q-type Takashima 14 O(1) O(tk) selective O(q all ) DLIN Our ABE w/ short ciphertext O(1) O(tk) full O(q 1 ) Q-type, subgroup t = max attribute set in ciphertext, k= policy size for key

70 Unbounded KP-ABE Lewko-Waters 11 Lewko-Waters 12 Okamoto- Takashima 12b Rouselakis- Waters 13 Our unbounded ABE Large universe? Unbounded attribute repetition? Security Reduction Assumption yes yes selective O(q all ) subgroup no yes full Q-type, subgroup yes no full O(q all ) DLIN yes yes selective O(1) Q-type yes yes full O(q all ) O(q 1 ) Q-type, subgroup

71 More Results Generic dual scheme conversion for perfectly-secure encoding. Convert key-policy to ciphertext-policy (& vice versa) Fully-secure dual (ciphertext-policy) FE for regular languages. Unification of schemes based on dual systems and some improvements.

72 Take-Home Ideas Our framework can be considered as a method for boosting doubly selectively security (of encoding) to fully security (of FE). Why does it matters? Proving double selective security of encoding can use techniques from proving classical selective security.

73 Thank you

74 Recall the Definitions of Semi-Keys K K1 K2 K3 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg k(0, r,h) 1 2 g k(α,r,h) ᐧg k(α, r,h) 1 2 g 1 k(α,r,h) ᐧg 2 k(α,0,0) Subgroup Decision Security of encoding Subgroup Decision

75 Proof for the 1st Transition K K1 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg k(0, r,h) 1 2 Subgroup Decision Subgroup Decision problem: Decide if T G 1 or T G 12

76 Proof for the 1st Transition Simulated by K K1 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg k(0, r,h) 1 2 g 1 k(α,r,h ) ᐧ( g 1 t 1 ) k(0,r,h ) T g 1 k(α,r,h ) ᐧ(g 1 t 1g2 t 2) k(0,r,h ) Subgroup Decision problem: Decide if T G 1 or T G 12

77 Proof for the 1st Transition Simulated by K K1 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg k(0, r,h) 1 2 g 1 k(α,r,h ) ᐧ( g 1 t 1 ) k(0,r,h ) T g 1 k(α,r,h ) ᐧ(g 1 t 1g2 t 2) k(0,r,h ) Subgroup Decision problem: Decide if T G 1 or T G 12 Simulation is OK due to linearity, param-vanishing of k and parameter-hiding of G: h=h mod p 1 and h=h mod p 2 are independent.

78 Proof for the 3rd Transition is similar Simulated by K2 K3 g k(α,r,h) ᐧg k(α, r,h) 1 2 g 1 k(α,r,h) ᐧg 2 k(α,0,0) g 1 k(α,r,h ) ᐧ(g 1 t 1g2 t 2) k(α,r,h ) T g 1 k(α,r,h ) ᐧ( g 1 t 1 ) k(α,r,h )

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung AIST, Japan n.attrapadung@aist.go.jp Abstract Dual