Instantiating the Dual System Encryption Methodology in Bilinear Groups


Allison Lewko, joint work with Brent Waters

Motivation
Classical public key cryptography
[Diagram labels: Alice, Bob, Eve]

Motivation
Functional encryption: Who should have access to my data? What should they learn?
[Diagram label: Alice]

Moving Beyond PKE
Identity-Based Encryption [S84, BF01, C01]
[Diagram labels: Public parameters, Master Authority, Alice, Bob]

Security Challenge: Collusion
[Diagram labels: Master Authority, Attacker]

IBE Security Model
[Diagram labels: Challenger, Attacker; Public Parameters; $ID_1$, $ID_k$; $ID^*$, $M_0$, $M_1$; $M_b$, $ID^*$]

Collusion Resistance from Bilinear Map
[Diagram labels: Master Key: add randomness, tie to identity; Bob, message: add randomness, tie to identity]
Apply bilinear map, randomness cancels out!

Construction [BB04]

Proof Challenges
[Diagram labels: Hard Problem, Instance, T?, Simulator, Master Key?, Attacker, $ID_1$, $ID^*$]
Simulator must balance competing goals

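Partitioning Approach
[Diagram: ID space split into a Private Keys region and a Challenge ID region, with a "We hope:" case and an "IF:" case placing $ID_1$, $ID_2$, $ID_3$ and $ID^*$; the "IF:" case ends in Abort!]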

Limitations of Partitioning
Higher functionalities like HIBE, ABE:
More structure on key space
Partition must respect structure
Sharp degradation in parameters, or
Weaker security model (selective security)

Dual System Encryption [W09]
[Diagram labels: Used in real system, Normal, Normal, Semi-Functional]

Dual System Security Proof
Simulation: $SK_0$, $SK_1$, $SK_q$
Security now easy to prove

Key Step
[Diagram labels: Hard Problem, Instance, T?, ?, Simulator, Attacker]
Simulator cannot know nature of key!

Paradox???
Test Decryption??? What prevents this?
[Diagram labels: Simulator, Attacker]
Not allowed to ask for key that can decrypt!

Nominal Semi-Functionality [LW10]
? Correlation!
Decryption always succeeds
[Diagram label: Simulator]

How is Nominality Hidden?
Public Parameters PP
V PP - random variable
Internal View V - has some entropy
[Diagram labels: Simulator, Attacker]

Idea for Semi-Functional Space
Shadows the normal space
No longer tied by Public Params
Disconnect from PP = entropy

Constructing Dual Systems

Typical Subgroup Roles
Normal Space, Extra Randomization, Semi-functional Space

Hard Problems? Example: Subgroup Decision Problems

Entropy in the S.F. Space
[Diagram labels: $G_{p_1}$, Entropy, $G_{p_3}$, $G_{p_2}$, V]
$PP \in G_{p_1}$
PP = V projected onto $G_{p_1}$

Example: Dual System BB IBE [LW10]
[Diagram labels: Semi-functional, Normal, Randomization, Semi-functional]

Security Proof Sketch
Step 1: Changing ciphertext to semi-functional
Hard problem: given $g \in G_{p_1}$, $g_3 \in G_{p_3}$, distinguish $T \in G_{p_1}$ from $T \in G_{p_1 p_2}$
[Callout: known to simulator]
Public Parameters: $g$, $u = g^a$, $h = g^b$, $e(g, g)$
Ciphertext: $T$, $T^{a\,\mathrm{ID}^* + b}$
If $T = g^s$, this is $g^s$, $(u^{\mathrm{ID}^*} h)^s$: Normal CT
If $T = g^s g_2^x$, this is $g^s g_2^x$, $(u^{\mathrm{ID}^*} h)^s g_2^{x(a\,\mathrm{ID}^* + b)}$: Semi-functional CT

Randomness in Semi-functional Space
Public parameters $g$, $u = g^a$, $h = g^b$ only reveal $a, b \bmod p_1$
Chinese Remainder Theorem: conditioned on $a, b \bmod p_1$, the values $a, b \bmod p_2$ are uniformly random
$g_2^x$, $g_2^{x(a\,\mathrm{ID}^* + b)}$ random in $G_{p_2}^2$
Coprime subgroup orders useful for randomization

Security Proof Sketch (continued)
Step 2: Changing key to semi-functional
Hard problem: given $g \in G_{p_1}$, $g_3 \in G_{p_3}$, $X_1 X_2 \in G_{p_1 p_2}$, $Y_2 Y_3 \in G_{p_2 p_3}$, distinguish $T \in G_{p_1 p_3}$ from $T \in G_{p_1 p_2 p_3}$
[Callout: known to simulator]
Public Parameters: $g$, $u = g^a$, $h = g^b$, $e(g, g)$
S.F. CT: $X_1 X_2$, $(X_1 X_2)^{a\,\mathrm{ID}^* + b}$
$SK_{\mathrm{ID}}$: $g\,T^{a\,\mathrm{ID} + b}$, $T$
$Y_2 Y_3$ used to make S.F. keys

Nominality in Semi-functional Space
Semi-functional key parts: $(T_2)^{a\,\mathrm{ID} + b}$, $T_2$
Semi-functional ciphertext parts: $X_2$, $X_2^{a\,\mathrm{ID}^* + b}$
$\mathrm{ID} \neq \mathrm{ID}^*$, pairwise independence: $a\,\mathrm{ID} + b$, $a\,\mathrm{ID}^* + b$ uniformly random

Security Proof Sketch (continued)
Step 3: Switching to a random message
Hard problem: given $g \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3 \in G_{p_3}$, $g X_2 \in G_{p_1 p_2}$, $g^s Y_2 \in G_{p_1 p_2}$, distinguish $T = e(g, g)^s$ from $T$ random $\in G_T$
Public Parameters: $g$, $u = g^a$, $h = g^b$, $e(g, g) = e(g X_2, g)$
S.F. CT: $g^s Y_2$, $(g^s Y_2)^{a\,\mathrm{ID}^* + b}$, $M T$
S.F. Keys: $(g X_2)(u^{\mathrm{ID}} h)^r g_2^x g_3^y$, $g^r g_2^v g_3^z$

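Working with Prime Order Groups
$G$: prime order $p$, generator $g$
$g^{\vec{x}} = (g^{x_1}, g^{x_2}, \ldots, g^{x_d})$
$e(g^{\vec{x}}, g^{\vec{y}}) := \prod_{i=1}^{d} e(g^{x_i}, g^{y_i}) = e(g, g)^{\vec{x} \cdot \vec{y}}$
$G_{p_1} \to g^{\langle \vec{w}, \vec{x} \rangle}$, $G_{p_2} \to g^{\langle \vec{y}, \vec{z} \rangle}$
$e(g^{a\vec{w} + b\vec{x}}, g^{c\vec{y} + d\vec{z}}) = 1$
Given $g^{\vec{w}}$, $g^{\vec{x}}$, hard to distinguish $g^{a\vec{w} + b\vec{x}}$ from $g^{a\vec{w} + b\vec{x} + c\vec{y} + d\vec{z}}$
Approach used in [W09, F10, OT10] among others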

Further Applications
Techniques extend to higher functionalities, e.g. Attribute-Based Encryption [SW05]
Ciphertext-Policy:
[Diagram labels: AND, {student, cs}, CS, OR, math, student]

Further Directions
Even more flexible functionalities
Security from different assumptions
Relationships between primitives/instantiations?

Questions?