Instantiating the Dual System Encryption Methodology in Bilinear Groups. Allison Lewko, joint work with Brent Waters.
Motivation: classical public key cryptography [diagram: Alice, Bob, Eve]
Motivation: functional encryption. Who should have access to my data? What should they learn? [diagram: Alice]
Moving Beyond PKE: Identity-Based Encryption [S84, BF01, C01] [diagram: Master Authority, Public parameters, Alice, Bob]
Security Challenge: Collusion [diagram: Master Authority, Attacker]
IBE Security Model [diagram labels: Challenger, Attacker, Public Parameters, $ID_1$, $ID_k$, $ID^*$, $M_0$, $M_1$, $M_b$]
Collusion Resistance from Bilinear Map [diagram: Master Key; each key: add randomness, tie to identity; Bob; message] Apply bilinear map, randomness cancels out!
Construction [BB04]
Proof Challenges [diagram labels: Hard Problem, Instance, T?, Simulator, Attacker, Master Key?, $ID_1$, $ID^*$] Simulator must balance competing goals.
Partitioning Approach [diagram: ID space split into Private Keys and Challenge ID; "We hope:" and "IF:" cases over $ID_1$, $ID_2$, $ID_3$, $ID^*$; Abort!]
Limitations of Partitioning. Higher functionalities like HIBE, ABE: more structure on key space; partition must respect structure; sharp degradation in parameters, or weaker security model (selective security).
Dual System Encryption [W09] [diagram labels: Normal (used in real system), Semi-Functional]
Dual System Security Proof. Simulation: $SK_0$, $SK_1$, $SK_q$. Security now easy to prove.
Key Step [diagram labels: Hard Problem, Instance, T?, Simulator, Attacker] Simulator cannot know nature of key!
Paradox??? Test decryption??? What prevents this? [diagram: Simulator, Attacker] Not allowed to ask for a key that can decrypt!
Nominal Semi-Functionality [LW10]: Correlation! Decryption always succeeds. [diagram: Simulator]
How is Nominality Hidden? Public Parameters PP: random variable. Internal View V: has some entropy. [diagram: Simulator, Attacker]
Idea for Semi-Functional Space: shadows the normal space; no longer tied by Public Params; disconnect from PP = entropy.
Constructing Dual Systems
Typical Subgroup Roles: Normal Space; Extra Randomization; Semi-functional Space
Hard Problems? Example: Subgroup Decision Problems
Entropy in the S.F. Space [diagram labels: $G_{p_1}$, $G_{p_2}$, $G_{p_3}$, Entropy, $V$, $PP$] $PP \in G_{p_1}$. $PP$ = $V$ projected onto $G_{p_1}$.
Example: Dual System BB IBE [LW10] Semi-functional Normal Randomization Semi-functional
Security Proof Sketch. Step 1: changing the ciphertext to semi-functional. Hard problem: given $g \in G_{p_1}$, $g_3 \in G_{p_3}$, distinguish $T \in G_{p_1}$ from $T \in G_{p_1 p_2}$. [annotation: known to simulator] Public Parameters: $g$, $u = g^a$, $h = g^b$, $e(g,g)$. Ciphertext: $T$, $T^{a ID^* + b}$. If $T = g^s$, this is $g^s$, $(u^{ID^*} h)^s$: normal CT. If $T = g^s g_2^x$, this is $g^s g_2^x$, $(u^{ID^*} h)^s g_2^{x(a ID^* + b)}$: semi-functional CT.
Randomness in Semi-functional Space. Public parameters $g$, $u = g^a$, $h = g^b$ only reveal $a, b \bmod p_1$. Chinese Remainder Theorem: conditioned on $a, b \bmod p_1$, the values $a, b \bmod p_2$ are uniformly random, so $g_2^x$, $g_2^{x(a ID^* + b)}$ is random in $G_{p_2}^2$. Coprime subgroup orders are useful for randomization.
Security Proof Sketch (continued). Step 2: changing a key to semi-functional. Hard problem: given $g \in G_{p_1}$, $g_3 \in G_{p_3}$, $X_1 X_2 \in G_{p_1 p_2}$, $Y_2 Y_3 \in G_{p_2 p_3}$, distinguish $T \in G_{p_1 p_3}$ from $T \in G_{p_1 p_2 p_3}$. [annotation: known to simulator] Public Parameters: $g$, $u = g^a$, $h = g^b$, $e(g,g)$. S.F. CT: $X_1 X_2$, $(X_1 X_2)^{a ID^* + b}$. $SK_{ID}$: $g\,T^{a ID + b}$, $T$. $Y_2 Y_3$ used to make S.F. keys.
Nominality in Semi-functional Space. Semi-functional key parts: $(T_2)^{a ID + b}$, $T_2$. Semi-functional ciphertext parts: $X_2$, $X_2^{a ID^* + b}$. $ID \neq ID^*$, pairwise independence: $a ID + b$, $a ID^* + b$ uniformly random.
Security Proof Sketch (continued). Step 3: switching to a random message. Hard problem: given $g \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3 \in G_{p_3}$, $g X_2 \in G_{p_1 p_2}$, $g^s Y_2 \in G_{p_1 p_2}$, distinguish $T = e(g,g)^s$ from $T$ random $\in G_T$. Public Parameters: $g$, $u = g^a$, $h = g^b$, $e(g,g) = e(g X_2, g)$. S.F. CT: $g^s Y_2$, $(g^s Y_2)^{a ID^* + b}$, $MT$. S.F. Keys: $(g X_2)(u^{ID} h)^r g_2^x g_3^y$, $g^r g_2^v g_3^z$.
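The nominality argument in the proof sketch above can be checked mechanically. This is an added example, not code from the talk or from [LW10]: it models the composite-order group "in the exponent", and the master-secret exponent `alpha`, the toy primes and the names `zk`, `zc`, `gamma`, `x` are assumptions of the example.

```python
import secrets
from math import gcd

# Toy model "in the exponent": a group element g^x is stored as x mod N and
# the pairing e(g^x, g^y) as x*y mod N. Discrete logs are visible, so this
# checks the algebra of the slides only; it is not a secure implementation.
P1, P2, P3 = 1009, 1013, 1019            # constructed toy primes
N = P1 * P2 * P3
G1, G2, G3 = P2 * P3, P1 * P3, P1 * P2   # generators of G_p1, G_p2, G_p3

def rnd():                               # exponent nonzero mod p1, p2 and p3
    while True:
        r = secrets.randbelow(N)
        if gcd(r, N) == 1:
            return r

def pair(x, y):
    return x * y % N

def setup():
    # alpha is an assumed master-secret exponent (not in the slide text)
    return {"a": rnd(), "b": rnd(), "alpha": rnd()}

def keygen(mk, ident):
    # Normal key: g^alpha (u^ID h)^r and g^r, each randomized in G_p3
    r = rnd()
    k1 = (mk["alpha"] + r * (mk["a"] * ident + mk["b"])) * G1 + rnd() * G3
    return [k1 % N, (r * G1 + rnd() * G3) % N]

def encrypt(mk, ident, m):
    # Normal ciphertext: M * e(g,g)^(alpha*s), g^s, (u^ID h)^s
    s = rnd()
    c0 = (m + mk["alpha"] * s * pair(G1, G1)) % N
    return [c0, s * G1 % N, s * (mk["a"] * ident + mk["b"]) * G1 % N]

def decrypt(key, ct):                    # M = C0 * e(K2, C2) / e(K1, C1)
    return (ct[0] - pair(key[0], ct[1]) + pair(key[1], ct[2])) % N

def make_sf_ct(ct, x, zc):               # multiply in g2^x and g2^(x*zc)
    return [ct[0], (ct[1] + x * G2) % N, (ct[2] + x * zc * G2) % N]

def make_sf_key(key, gamma, zk):         # multiply in g2^(gamma*zk), g2^gamma
    return [(key[0] + gamma * zk * G2) % N, (key[1] + gamma * G2) % N]

def sf_pair_decrypts(mk, ident, zk, zc, m=42):
    """Does an S.F. key (tag zk) open an S.F. ciphertext (tag zc), same ID?"""
    ct = make_sf_ct(encrypt(mk, ident, m), rnd(), zc)
    key = make_sf_key(keygen(mk, ident), rnd(), zk)
    return decrypt(key, ct) == m
```

With independent tags (`zk != zc` mod $p_2$) the semi-functional key fails on the semi-functional ciphertext. With the simulator's correlated choice `zk = zc = a*ID + b`, decryption succeeds, which is the nominal case.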
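Working with Prime Order Groups. $G$: prime order $p$, generator $g$. $g^{\vec{x}} = (g^{x_1}, g^{x_2}, \ldots, g^{x_d})$. $e(g^{\vec{x}}, g^{\vec{y}}) := \prod_{i=1}^{d} e(g^{x_i}, g^{y_i}) = e(g,g)^{\vec{x} \cdot \vec{y}}$. $G_{p_1} \to g^{\langle \vec{w}, \vec{x} \rangle}$, $G_{p_2} \to g^{\langle \vec{y}, \vec{z} \rangle}$. $e(g^{a\vec{w} + b\vec{x}}, g^{c\vec{y} + d\vec{z}}) = 1$. Given $g^{\vec{w}}$, $g^{\vec{x}}$, hard to distinguish $g^{a\vec{w} + b\vec{x}}$ from $g^{a\vec{w} + b\vec{x} + c\vec{y} + d\vec{z}}$. Approach used in [W09, F10, OT10] among others.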
Further Applications: techniques extend to higher functionalities, e.g. Attribute-Based Encryption [SW05]. [diagram: Ciphertext-Policy; labels: AND, OR, {student, cs}, CS, math, student]
Further Directions: even more flexible functionalities; security from different assumptions; relationships between primitives/instantiations?
Questions?