Déjà Q All Over Again

Similar documents
Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

Gentry IBE Paper Reading

Déjà Q: Encore! Un Petit IBE

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Non- browser TLS Woes

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

Identity Based Encryption

Pairing-Based Cryptography An Introduction

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

Efficient Identity-based Encryption Without Random Oracles

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Function-Hiding Inner Product Encryption

Déjà Q: Using Dual Systems to Revisit q-type Assumptions

Instantiating the Dual System Encryption Methodology in Bilinear Groups

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

New Constructions of Revocable Identity-Based Encryption from Multilinear Maps

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures

Unbounded HIBE and Attribute-Based Encryption

Boneh-Franklin Identity Based Encryption Revisited

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions

A Comment on Gu Map-1

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

Contribution to functional encryption through encodings

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

arxiv: v1 [cs.cr] 24 Feb 2017

Cryptography from Pairings

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts

Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption

A New Functional Encryption for Multidimensional Range Query

White-Box Security Notions for Symmetric Encryption Schemes

REMARKS ON IBE SCHEME OF WANG AND CAO

Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Low Overhead Broadcast Encryption from Multilinear Maps

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations

Recent Advances in Identity-based Encryption Pairing-based Constructions

A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Functional Encryption for Regular Languages

Efficient Identity-Based Encryption Without Random Oracles

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Toward Hierarchical Identity-Based Encryption

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Fully Key-Homomorphic Encryption and its Applications

Lattice Cryptography

Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

Hierarchical identity-based encryption

Attribute-Based Encryption with Fast Decryption

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Adaptive CCA Broadcast Encryption with Constant-Size Secret Keys and Ciphertexts

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

General Impossibility of Group Homomorphic Encryption in the Quantum World

Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext

Sequential and Dynamic Frameproof Codes

Discrete logarithm and related schemes

Identity-based encryption

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency

Attribute-Based Encryption Optimized for Cloud Computing

Searchable encryption & Anonymous encryption

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Private Puncturable PRFs from Standard Lattice Assumptions

A Profitable Sub-Prime Loan: Obtaining the Advantages of Composite Order in Prime-Order Bilinear Groups

Solution of Exercise Sheet 7

Adaptive Security in Broadcast Encryption Systems

non-trivial black-box combiners for collision-resistant hash-functions don t exist

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Dynamic Key-Aggregate Cryptosystem on Elliptic Curves for Online Data Sharing

/

Advanced Topics in Cryptography

A survey on quantum-secure cryptographic systems

Some Efficient Algorithms for the Final Exponentiation of η T Pairing

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts

Open problems in lattice-based cryptography

Predicate Privacy in Encryption Systems

Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)

A New Attack on RSA with Two or Three Decryption Exponents

Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Adaptively Secure Non-Interactive Threshold Cryptosystems

An Efficient Broadcast Encryption Supporting Designation and Revocation Mechanisms

Transcription:

Royal Holloway, February 2017 1/43 Bilinear Groups and Assumptions Reductions Symmetric Schemes Conclusions Déjà Q All Over Again Melissa Chase 1 Mary Maller 2 1 MSR Redmond Sarah Meiklejohn 2 2 University College London

2/43

3/43 Subgroup Hiding certain q-type Assumptions

/43 Example: Broadcast Encryption Methods of delivering encrypted content over a broadcast channel where only qualified users can decrypt the content. Example Boneh Gentry and Waters broadcast encryption scheme [BGW-Crypto05]. Pairing based solution Short ciphertexts and private keys Collusion resistant

5/43 The q-bdhe Assumption The BGW broadcast encryption scheme bases its security on the q-bdhe assumption [BGW-Crypto05]. Given g,g c,g α,...,g αq,g αq+2,...,g α2q it is hard to distinguish e(g,g c ) q+1 from random.

5/43 The q-bdhe Assumption The BGW broadcast encryption scheme bases its security on the q-bdhe assumption [BGW-Crypto05]. Given g,g c,g α,...,g αq,?,g αq+2,...,g α2q it is hard to distinguish e(g,g c ) q+1 from random.

Déjà Q: Using Dual Systems to Revisit q-type Assumptions [CM-Eurocrypt14] Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 1 2. Pr[break q-type assumption] O(q) Pr[break subgroup hiding] 6/43 1 Asymmetric composite order bilinear groups do exist - see [BRS-JNT11].

/43 [CM-Eurocrypt14]: Contributions Decides Computes Source Group given info in one group given info in both groups Target Group given info in one group given info in both groups q-bdhe

8/43 Our Contributions: Broader Decides Computes Source Group given info in one group given info in both groups Target Group given info in one group given info in both groups q-bdhe

9/43 Our Contributions: Tighter Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 2 p 3. Pr[break q-type assumption] O(log q) Pr[break subgroup hiding]

0/43 Outline of Presentation

1/43 Bilinear Groups Standard Bilinear Groups: G = (N,G,H,G T,e,g,h). N = group order; prime or composite G = H = kn, G T = λn G =< g >, H =< h > e : G H G T Properties Bilinearity: e(g a,h b ) = e(g,h) ab Non-degeneracy: e(x,y) = 1 y H x = 1.

2/43 Subgroup Hiding [BGN - TCC05]

2/43 Subgroup Hiding [BGN - TCC05]

2/43 Subgroup Hiding [BGN - TCC05]

3/43 Parameter Hiding [Lewko-Eurocrypt12]

3/43 Parameter Hiding [Lewko-Eurocrypt12]

3/43 Parameter Hiding [Lewko-Eurocrypt12]

3/43 Parameter Hiding [Lewko-Eurocrypt12]

4/43 Outline of Presentation

5/43 Reductions we can Cover

6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

6/43 Aim of Reduction Model q-type assumption as a game. Transition to statistically impossible game. [CM-Eurocrypt14]

7/43 Déjà Q: Reduction Techniques

7/43 Déjà Q: Reduction Techniques

7/43 Déjà Q: Reduction Techniques

7/43 Déjà Q: Reduction Techniques

7/43 Déjà Q: Reduction Techniques

8/43 Our Tight Reduction Techniques Double the randomness.

8/43 Our Tight Reduction Techniques Double the randomness.

8/43 Our Tight Reduction Techniques Double the randomness.

8/43 Our Tight Reduction Techniques Double the randomness.

8/43 Our Tight Reduction Techniques Double the randomness.

8/43 Our Tight Reduction Techniques Double the randomness.

9/43 Result Given g ρ 1(x),...,g ρ q(x),h σ 1(x),...,h σ q(x) ĥ Then Adv[Deciding e(g,ĥ) f(x) from random] (3 + log(q + 2)) Pr[Breaks Subgroup Hiding]

20/43 Result Subgroup Hiding Specific classes of q-type & assumptions in asymmetric Parameter Hiding bilinear groups of order N = p 1 p 2 p 3. Pr[break q-type assumption] O(log q) Pr[break subgroup hiding]

21/43 Outline of Presentation

22/43 Example: Broadcast Encryption Methods of delivering encrypted content over a broadcast channel where only qualified users can decrypt the content. Example Boneh Gentry and Waters broadcast encryption scheme [BGW-Crypto05]. Pairing based solution Short ciphertexts and private keys Collusion resistant

23/43 Broadcast Encryption The asymmetric q-bdhe assumption: given ĥ,g α,h α,...,g αq,h αq,g αq+2,h αq+2,...,g α2q,h α2q it is hard to distinguish e(g,ĥ) q+1 from random is tightly implied by subgroup hiding and parameter hiding. The BGW broadcast encryption scheme is implied by the symmetric q-bdhe assumption.

24/43 Symmetric Reductions The previous asymmetric reduction fails in the symmetric case. Adversary given components that would allow it to trivially break subgroup hiding in the symmetric case (e(g 1,H 2 ) = 1). Show how to push through the same reduction in the symmetric case by adding randomness from a fourth subgroup. Symmetric schemes can also be translated into asymmetric groups.

25/43 The Asymmetric BGW Variant Techniques from [AGOT-Crypto14]. g p0[1] di gi p0[0] gc p1[0] vi C0 = G = G&H = H p2[0] Ci p2[1] p1[1]

26/43 Identity Based KEM [ACF-Eurocrypt09] g Bi g1 gc p1[0] gij hi p0[0] C p2[0] p3[0] skid p0[1] p1[1] p2[1] p3[1] p4[0] p4[1]

27/43 ABE Scheme [Waters08] The less efficient construction. g ga gi msk gc p0[1] p1[0] p5[1] p5[0] K hi L p0[0] p1[1] C' p2[1] Ci Kx p3[1] p2[0] p4[0] p3[0] p4[1]

28/43 HIBE Scheme [BBG-Eurocrypt05] g yi gc g1 a1 g2 g3 hi B p0[0] p1[0] p0[1] msk bi C p2[0] a0 p1[1] p2[1]

29/43 Outline of Presentation

30/43 Open Problems How can we analyse are q-type assumptions in prime order groups? How can we analyse are q-power knowledge of exponent assumptions ("non-falsifiable" assumptions)? How can we analyse are q-type when the adversary has inputs from both source groups and the challenge component is also in the source group?

31/43 Thank-you for Listening.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback