Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

Similar documents
Fully Secure Unbounded Inner-Product and Attribute-Based Encryption

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Function-Hiding Inner Product Encryption

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

A Study of Pair Encodings: Predicate Encryption in Prime Order Groups

6.892 Computing on Encrypted Data October 28, Lecture 7

Unbounded Inner Product Functional Encryption from Bilinear Maps

Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

A New Functional Encryption for Multidimensional Range Query

Lattice-Based Non-Interactive Arugment Systems

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

Shorter Identity-Based Encryption via Asymmetric Pairings

Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

A Study of Pair Encodings: Predicate Encryption in Prime Order Groups

Contribution to functional encryption through encodings

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Gentry IBE Paper Reading

Efficient Identity-based Encryption Without Random Oracles

Déjà Q All Over Again

Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings

Shorter IBE and Signatures via Asymmetric Pairings

PROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED

REMARKS ON IBE SCHEME OF WANG AND CAO

Better Security for Functional Encryption for Inner Product Evaluations

Notes on Alekhnovich s cryptosystems

A New Approach on Bilinear Pairings and Its Applications. Tatsuaki Okamoto

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques

Functional Encryption for Inner Product Predicates from Learning with Errors

Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings

Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts

Embed-Augment-Recover: Function Private Predicate Encryption from Minimal Assumptions in the Public-Key Setting

Decentralized Policy-Hiding Attribute-Based Encryption with Receiver Privacy

Towards a Unified Theory of Cryptographic Agents

Identity-based encryption

Multi-Input Functional Encryption

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Fully Key-Homomorphic Encryption and its Applications

Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

arxiv: v1 [cs.cr] 24 Feb 2017

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Definitional Issues in Functional Encryption

Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks

Applied cryptography

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

Generic Transformations of Predicate Encodings: Constructions and Applications

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Lightweight Symmetric-Key Hidden Vector Encryption without Pairings

Hidden-Vector Encryption with Groups of Prime Order

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

Cryptology. Scribe: Fabrice Mouhartem M2IF

Lossy Trapdoor Functions and Their Applications

Multi-Input Functional Encryption for Unbounded Arity Functions

Instantiating the Dual System Encryption Methodology in Bilinear Groups

Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption

Distribution Design. Ariel Gabizon. Amos Beimel. Eyal Kushilevitz.

Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro

Decentralizing Inner-Product Functional Encryption

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Function-Private Subspace-Membership Encryption and Its Applications

Attribute-Based Encryption with Fast Decryption

Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization

Functional Encryption for Regular Languages

Boneh-Franklin Identity Based Encryption Revisited

Secure Certificateless Public Key Encryption without Redundancy

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Efficient IBE with Tight Reduction to Standard Assumption in the Multi-challenge Setting

Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption

From Minicrypt to Obfustopia via Private-Key Functional Encryption

Simple Functional Encryption Schemes for Inner Products

Leakage-resilient Attribute-based Encryptions with Fast Decryption: Model, Analysis and Construction

Attribute-Based Encryption Schemes with Constant-Size Ciphertexts

Unbounded HIBE and Attribute-Based Encryption

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions

Adaptively Secure Functional Encryption for Finite Languages from DLIN Assumption

Déjà Q: Encore! Un Petit IBE

Non-Interactive Secure Multiparty Computation

Homomorphic Secret Sharing for Low Degree Polynomials

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

New Proof Techniques for DLIN-Based Adaptively Secure Attribute-Based Encryption

A Strong Identity Based Key-Insulated Cryptosystem

1 Public-key encryption

Efficient Conversion of Secret-shared Values Between Different Fields

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits

Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1

Lecture 2: Program Obfuscation - II April 1, 2009

On the Achievability of Simulation-Based Security for Functional Encryption

Keyword Search and Oblivious Pseudo-Random Functions

Transcription:

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan 2 Mitsubishi Electric 5-1-1 Ofuna, Kamakura, Kanagawa, 247-8501 Japan ASIACRYPT 2018 December 02 06, 2018

Outline 1 Introduction 2 Preliminaries 3 The Proposed Strongly Partially-Hiding Predicate Encryption (PHPE) Scheme 4 Conclusion P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018

Functional Encryption (FE) Setup authority holds a master secret key msk and publishes public system parameters mpk. An encrypter uses mpk to encrypt message M M, creating ciphertext ct. A decrypter obtains a private decryption key sk(f ) for function F F, generated using msk by the authority. sk(f ) can be used to decrypt ct to recover F (M), but nothing more about M. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 1

Various Security Notions for FE Indistinguishability-based (IND) Security: Distinguishing encryptions of any two messages is infeasible for a group of colluders which do not have a decryption key that decrypts the ciphertexts to distinct values. Simulation-based (SIM) Security: There exists a polynomial-time simulator that given F 1 (M),..., F qkey (M) for M M, F 1,..., F qkey F, outputs the view of the colluders given encryption of M and sk(f 1 ),..., sk(f qkey ). In general, SIM security is stronger than IND security. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 2

Various Security Notions for FE Adaptive (AD) Security: The adversary is allowed to make ciphertext and decryption key queries at any point of time during the security experiment. Semi-Adaptive (S-AD) Security: The adversary is restricted to submit its ciphertext queries immediately after viewing the public parameters, and can make decryption key queries only after that. Selective (SEL) Security: The adversary is bound to declare its ciphertext queries even before the public parameters are generated. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 3

Predicate Encryption (PE) Predicate family: R = {R(Y, ) : X {0, 1} Y Y}, X, Y = sets of attributes. Message space M = X M, where M contains the actual payloads. Functionality F RY associated with predicate R(Y, ) R: F RY (X, msg) = { msg if R(Y, X) = 1 if R(Y, X) = 0 } (X, msg) M = X M. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 4

Various Security Notions for PE Strong Attribute Hiding (S-AH): Recovering the payload from a ciphertext generated w.r.t X X should be infeasible for a group of colluders not having an authorized decryption key. The ciphertext should conceal X from any group of colluders, even those with authorized decryption keys. Weak Attribute Hiding (W-AH): The payload and X should only remain hidden to colluders in possession of unauthorized keys. Payload Hiding (PLH): The payload should remain hidden to colluders with unauthorized keys. Also known as attribute-based encryption (ABE). P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 5

State of the Art in Attribute-Hiding PE Several works developed ABE and W-AH PE schemes supporting unbounded collusions even for general circuits under standard computational assumptions. Known standard-assumption-based S-AH PE schemes supporting unbounded number of authorized colluders are restricted to inner products. It is known that S-AH PE scheme for NC 1 predicates implies indistinguishability obfuscation (IO) for general circuits. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 6

A Motivating Question Can we design PE scheme for some sufficiently expressive predicate family (e.g., NC 1 ) that is secure against an unbounded number of colluders under standard computational assumption such that the S-AH guarantee holds for a limited segment (e.g., belonging to some subclass of NC 1 ) of each predicate in the predicate family? P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 7

The Effort of Wee In TCC 2017, Wee presented a PE scheme in bilinear groups of prime order secure under the k-lin assumption. X = F n q F n q, Y = F (q,n,n) abp ip. For any f F (q,n,n) abp ip and ( x, z) F n q F n q, f( x, z) = (f 1 ( x),..., f n ( x)) z, where f 1,..., f n : F n q F q are arithmetic branching programs (ABP). P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 8

The Attribute-Hiding Characteristics of Wee s PE Scheme The predicate family: R abp ip = {R abp ip (f, (, )) : F n q F n q {0, 1} f F (q,n,n) abp ip }, where { R abp ip 1 if f( x, z) = 0, (f, ( x, z)) = 0 if f( x, z) 0. Other than hiding the payload, ct generated for ( x, z) F n q F n q conceals z but not x. The concealment of z is strong, i.e., even against colluders possessing authorized keys. This security notion is termed as strongly partially-hiding security. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 9

The Advantages and Limitations of Wee s PE Scheme This PE scheme simultaneously generalizes ABE for boolean formulas and ABP s, and S-AH inner-product PE (IPE). The scheme is strongly partially-hiding against an unbounded number of authorized colluders. The security is proven in the SIM framework. The downside of this scheme is that it only achieves semi-adaptive security. Semi-adaptive security is known to be essentially equivalent to the selective security. The known generic conversion from selective to adaptive security does not work for PE schemes not supporting general circuits. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 10

Our Results We design a PE scheme for the predicate family R abp ip that achieves SIM-based adaptively strongly partially hiding security. The scheme supports any a priori bounded number of ciphertext queries and unbounded number of authorized decryption key queries. This is the best possible in the SIM-based adaptive security framework. This resolves an open problem posed by Wee in TCC 2017. The scheme is also adaptively strongly partially-hiding in the IND framework against unbounded number of ciphertext and authorized decryption key queries. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 11

Our Results Our construction is built in asymmetric bilinear groups of prime order. The security is derived under the simultaneous external decisional linear (SXDLIN) assumption. As a byproduct, we also obtain the first SIM-based adaptively S-AH IPE scheme supporting unbounded number of authorized colluders. We extend the IND-based S-AH methodology of [OT12a, OT12b] to the framework of SIM security and beyond inner products. [OT12a] : Tatsuaki Okamoto and Katsuyuki Takashima. In EUROCRYPT 2012. [OT12b] : Tatsuaki Okamoto and Katsuyuki Takashima. In ASIACRYPT 2012. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 12

Comparison with Existing Attribute-Hiding PE Schemes Schemes Supported Predicates IND SIM [OT10] IP SP (poly, poly, poly)-ad Attribute Hiding Weak (IP-part) Computational Assumptions DLIN [OT12a] IP (poly, poly, poly)-ad Strong DLIN [Agr17] GC IP (, poly, bdd)-s-ad (, 1, bdd)-s-ad Strong (IP-part) [Wee17] ABP IP (, poly, poly)-s-ad (, 1, poly)-s-ad Strong (IP-part) Ours ABP IP (poly, poly, poly)-ad (poly, bdd, poly)-ad Strong (IP-part) [OT10] : Tatsuaki Okamoto and Katsuyuki Takashima. In CRYPTO 2010. [OT12a] : Tatsuaki Okamoto and Katsuyuki Takashima. In EUROCRYPT 2012. [Agr17] : Shweta Agrawal. In CRYPTO 2017. [Wee17] : Hoeteck Wee. In TCC 2017. LWE k-lin SXDLIN P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 13

Arithmetic Branching Program ABP ABP Γ = (V, E, v 0, v 1, φ) computing f : F d q F q : (V, E): A directed acyclic graph. v 0, v 1 V : Special vertices called the source and the sink respectively. φ: A labeling function assigning to each edge in E an affine function in one of the input variables with coefficients in F q. For any w F d q, f( w) = P [ e P φ(e) w ], where is the set of all v 0 -v 1 paths P in Γ. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 14

Algorithm PGB(f) for f : F n q F n q F q F (q,n,n) abp ip Construct the ABP Γ computing f such that: Γ has m + n + 1 vertices. The variables z j s only appear on edges leading into the sink vertex. Any vertex has at most one outgoing edge with a label of degree one. Using the algorithm of [IK02], compute the matrix representation of Γ,...... 0 1...... 0 0 1...... 0..................... L = 0 0 0... 1... 0 0 0 0... 0 1... 0 z 1............... 0 0 0... 0 0... 1 z n (m+n) (m+n) with f( x, z) = det(l( x, z)) ( x, z) F n q F n q, and s in the j th row indicating affine functions in x ρ(j ) for all j [m], where ρ : [m] [n ]. [IK02] : Yuval Ishai and Eyal Kushilevitz. In ICALP 2002. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 15

An Illustrative Example f((x 1, x 2 ), (z 1, z 2 )) = f 1 (x 1, x 2 )z 1 + f 2 (x 1, x 2 )z 2 = x 1 z 1 + x 2 z 2, where f 1 (x 1, x 2 ) = x 1, f 2 (x 1, x 2 ) = x 2 L((x 1, x 2 ), (z 1, z 2 )) v 0 v 2 x 1 z 1 v 1 = 1 x 1 0 0 1 0 x 2 0 0 1 0 z 1 0 0 1 z 2 1 z 2 v 3 x 2 v 4 ABP Γ Computing f P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 16

Algorithm PGB(f) for f : F n q F n q F q F (q,n,n) abp ip Contd. Choose r U F m+n 1 q, and compute ( ) r L = (α 1 1 x ρ(1) + γ 1,..., α m x ρ(m) + γ m, z 1 + σ 1,..., z n + σ n ). Output ( ) ({σ j } j [n], {α j, γ j } j [m]), ρ : [m] [n ]. Each of {σ j } j [n], {α j, γ j } j [m] are linear functions of r. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 17

Algorithm REC(f, x) for f : F n q F n q F q F (q,n,n) abp ip, x F n q Generate the matrix representation L F (m+n) (m+n) q of the ABP Γ computing f. Output the cofactors ({Ω j } j [m], {Ω j } j [n] ) F m+n q of L in order. of all the entries in the last column The first m + n 1 columns of L involve only {x ι } ι [n ]. Hence, all the cofactors are computable. Given ({Ω j } j [n], {Ω j } j [m]) and ({z j + σ j } j [n], {α j x ρ(j ) + γ j } j [m]) for any z F n q, recover f( x, z) = Ω j (α j x ρ(j ) + γ j ) + Ω j (z j + σ j ). j [m] j [n] P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 18

Bilinear Groups Bilinear group params G = (q, G 1, G 2, G T, g 1, g 2, e) R G bpg (1 λ ): q N: Prime integer. G 1, G 2, G T : Cyclic multiplicative groups of order q with polynomial-time computable group operations. g 1 G 1, g 2 G 2 : Generators. e : G 1 G 2 G T : Mapping satisfying the following: Bilinearity : e(g δ 1, gˆδ 2 ) = e(g 1, g 2 ) δˆδ for all δ, ˆδ F q. Non-degeneracy : e(g 1, g 2 ) 1 GT, where 1 GT denotes the identity element of the group G T. params G is said to be asymmetric if no efficiently computable isomorphism exists between G 1 and G 2. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 19

Dual Pairing Vector Spaces (DPVS) DPVS params V = (q, V 1, V 2, G T, A 1, A 2, e) R G dpvs (1 λ, d, params G ): q N: Prime integer. V t = G d t for t [2]: d-dimensional vector spaces over F q under vector addition and scalar multiplication defined componentwise. l 1 d l A t = {a (t,l) {}}{{}}{ = ( 1 Gt,..., 1 Gt, g t, 1 Gt,..., 1 Gt )} l [d] of V t for t [2]: Canonical bases, where 1 Gt = identity element of G t. e : V 1 V 2 G T, e(v, w) = e(g v l 1, gw l 2 ) G T for all v = (g v 1 1,..., gv d 1 ) V 1, l [d] w = (g w 1 2,..., gw d 2 ) V 2. e satisfies the following: Bilinearity : e(δv, δw) = e(v, w) δˆδ for all δ, δ F q, v V 1, and w V 2. {}}{ Non-degeneracy : If e(v, w) = 1 GT for all w V 2, then v = ( 1 G1,..., 1 G1 ). Similar statement also holds with the vectors v and w interchanged. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 20 d

Dual Orthonormal Basis Generator G ob (1 λ, N, (d 1,..., d N )) Generate params G = (q, G 1, G 2, G T, g 1, g 2, e) R G bpg (1 λ ). Sample ψ U F q \{0} and compute g T = e(g 1, g 2 ) ψ. For ı [N], perform the following: Generate params Vı = (q, V ı,1, V ı,2, G T, A ı,1, A ı,2, e) R G dpvs (1 λ, d ı, params G ). Sample B (ı) = (b (ı) l,k ) U GL(d ı, F q ). Compute B (ı) = (b (ı) l,k ) = ψ((b(ı) ) 1 ). For all l [d ı ], let b (ı,l) and b (ı,l) be the l th rows of B (ı) and B (ı). Compute b (ı,l) = ( b (ı,l) ) Aı,1, b (ı,l) = ( b (ı,l) ) Aı,2 for l [d ı ], and set B ı = {b (ı,1),..., b (ı,dı) }, B ı = {b (ı,1),..., b (ı,dı) }. B ı and B ı are dual orthonormal in the sense that for all l, l [d ı ], { e(b (ı,l), b (ı,l ) gt, if l = l ) =, 1 GT, otherwise. Set params = ({params Vı } ı [N], g T ). Return (params, {B ı, B ı } ı [N] ). P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 21

PHPE.Setup(1 λ, 1 n, 1 n ) n +n Generate (params, {B ı, B ı } ı [n +n]) R G ob (1 λ, n {}}{ + n, ( 9,..., 9)). For ı [n + n], set B ı = {b (ı,1), b (ı,2), b (ı,9) }, B ı = {b (ı,1), b (ı,2), b (ı,7), b (ı,8) }. Output mpk = (params, { B ı } ı [n +n]) and msk = { B ı } ı [n +n]. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 22

PHPE.Encrypt(mpk, ( x, z) F n q F n q ) Sample ω U F q. For ι [n ], sample ϕ ι U Fq, and compute c (ι ) = (ω(1, x ι ), 0 4, 0 2, ϕ ι ) B ι. For ι [n], sample ϕ ι U Fq, and compute Output ct = ( x, {c (ι ) } ι [n ], {c (ι) } ι [n] ). c (ι) = (ω(1, z ι ), 0 4, 0 2, ϕ ι ) Bn +ι. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 23

PHPE.KeyGen(mpk, msk, f F (q,n,n) abp ip ) Generate Sample ζ U F q. ( ({σ j } j [n], {α j, γ j } j [m]), ρ : [m] [n ]) R PGB(f). For j [m], sample κ (j ) U F 2 q, and compute k (j ) = ((γ j, α j ), 0 4, κ (j ), 0) B ρ(j ). For j [n], sample κ (j) U F 2 q, and compute k (j) = ((σ j, ζ), 0 4, κ (j), 0) B n +j. Output sk(f) = (f, {k (j ) } j [m], {k (j) } j [n] ). P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 24

PHPE.Decrypt(mpk, sk(f) = (f, {k (j ) } j [m], {k (j) } j [n] ), ct = ( x, {c (ι ) } ι [n ], {c (ι) } ι [n] )) Compute Λ j = e(c (ρ(j )), k (j ) ) = g ω(α j x ρ(j ) +γ j ) T for j [m], and Λ j = e(c (j), k (j) ) = for j [n]. g ω(ζz j+σ j ) T Determine ({Ω j } j [m], {Ω j } j [n] ) = REC(f, x). ( Compute Λ = j [m] )( Λ Ω j j Λ Ω ) j j = g ωζf( x, z) T. j [n] If R abp ip (f, ( x, z)) = 1, i.e., f( x, z) = 0, then Λ = 1 GT, while if R abp ip (f, ( x, z)) = 0, i.e., f( x, z) 0, then Λ 1 GT with all but negligible probability 2/q, i.e., except when ω = 0 or ζ = 0. Output 1, if Λ = 1 GT, and 0, otherwise. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 25

Concluding Remarks and Open Problems We achieved SIM-based S-AH security against adaptive adversaries for PE schemes supporting expressive predicate families under standard computational assumption in bilinear groups. We designed a SIM-based adaptively strongly partially-hiding PE (PHPE) scheme for predicates computing ABP s on public attributes, followed by an IP on private attributes. The proposed scheme is proven secure for any a priori bounded number of ciphertexts and unbounded number of authorized decryption keys. An intriguing open problem is to identify the largest predicate class for which S-AH PE scheme supporting unbounded number of authorized decryption key queries can be realized from a standard computational assumption. P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 26

Thanking Note P. Datta et al. Adaptively SIM-Secure Attribute-Hiding PE ASIACRYPT 2018 27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback