The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin)
Provable Security How to show your cryptosystem is secure: Cryptosystem If Assumption Holds then Cryptosystem Secure Assumption Prove contrapositive
What if the Assumption is False? Cryptosystem Assumption Cannot reason about security Adversary can use the attack on assumption to break cryptosystem
How to Pick a Good Assumption? Increase the size of parameters e.g., RSA assumes factoring a large number into 2 primes is hard Factor: 77, 3869, 7269, Use a family of assumptions As you increase a parameter k you become more confident in the security of the assumption Example: k-linear [HK7, Sha7]
Family of Strictly Weaker Assumptions < < < < A k+ A A 2 A k An assumption A k+ is weaker than assumption A k, if If A k holds then so does A k+ (Breaking A k+ also breaks A k ) The assumption, A k+, is strictly weaker than assumption, A k, if A k+ is weaker than A k And an oracle for A k does not help break A k+
DDH Assumption Given < g, g a, g b, T > For some g, g a, g b, T G Does T =? g ab It is hard to compute a discrete log in a finite cyclic group G No polynomial time algorithm can achieve non-negligible advantage deciding
Bilinear Maps e: G G G T Bilinear: e g a, g b = e(g, g) ab for all a, b Z p Non-Degenerate: If g generates G, then e(g, g) Computable: e is efficiently computable on all input DDH does not hold for groups in which bilinear maps can be computed < g, g a, g b, T =? g ab > e g a, g b =? e(g, T)
DBDH Assumption How can we use DDH in bilinear groups? Given < g, g a, g b, g c, T > For some g, g a, g b, g c G and T G T Does T =? e(g, g) abc Hard to compute discrete log: in G and G T Bilinear maps have 2 inputs Can t undo a bilinear map No polynomial time algorithm can achieve non-negligible advantage deciding
Decision Linear (DLIN) Assumption How can we use DDH in settings where bilinear maps exist? Given < g, g s, g s 2, g s r, g s 2r 2, T > g, g s, g s 2, g s r, g s 2r 2, T G Does T =? g r +r 2 This is like 2 DDH problems: g, g s, g r, g s r It is hard to compute discrete logs Bilinear maps only pair 2 elements (not 3: g s, g s 2, g r +r 2 ) No polynomial time algorithm can achieve non-negligible advantage deciding, even in generic bilinear groups [BBS4] Only a decisional problem computationally same as DDH
k-linear Family of Assumptions k-linear generalizes the Linear Assumption -Linear is DDH 2-Linear is Linear Assumption For k Given < g, g s,, g s k, g s r,, g s kr k, T > g, g s,, g s k, g s r,, g s kr k, T G Does T =? g r + +r k This is like k DDH problems No polynomial time algorithm can achieve non-negligible advantage deciding Only a decisional problem computationally same as DDH
How are DLIN and DBDH Related? If DLIN holds, then so does DBDH < g, g s, g s 2, g s r, g s 2r 2, T =? g r +r 2 > DLIN Instance < g, g s, g s 2, T =? g r +r 2, e g s r, g s 2 e g s 2r 2, g s > = < g, g s, g s 2, T =? g r +r 2, e(g, g) (s s 2 )(r +r 2 ) > DBDH Decider [BW6]
Can extend DBDH to a Family of Assumptions? DLIN DDH DBDH Why? For k > 2 unclear how k-linear and DBDH are related k-linear only operates in the source group Example: Boneh-Boyen IBE the message is hidden in target group k-linear???? This is should be like k DBDH problems
Failed Attempt Given g, g a, g b, g s,, g s k, g s r,, g s kr k ε and T ε G T Does T? = e g, g s i abr i i = e g, g abs ir i i = e g, g ab(s r + +s k r k ) Embeds k DBDH instances: (g, g a, g b, g s ir i, e g, g ab(s ir i ) ) But is equivalent to DBDH: g, g a, g b, g s ir i i = g (s r + +s k r k ), T? = e g, g abs ir i i
k-bdh Assumption Given g, g a, g b, g s,, g s k, g s r,, g s kr k ε G and T ε G T Does T =? e g, g abr i i = e g s i, g s i (a s i )(b s i )r i i = e g, g ab(r + +r k ) Embeds k DBDH instances: (g s i, g a, g b, g s ir i,e g s i, g s i (a s i )(b s i )r i ) And is a family of strictly weaker assumptions!
A Family of Weaker Assumptions If the k-bdh assumption holds, so does the (k+)-bdh assumption g, g x, g y, v,, v k, v r,, v k r k, T =? e g, g xyr i k-bdh Instance i k v k+, r k+ Random Values < g, g x, g y r, v,, v k+, v r,, v k+ k+, T e(g x, g y ) r k+ =? e g, g xyr i i k+ (k+)-bdh Decider >
Evidence of a Family of Strictly Weaker Assumptions An oracle for k-bdh does not help in deciding a (k+)-bdh instance Similar to the separation proof of k-linear [Sha7] Generic Group Model [BS84,Nechaev94,Shoup97] Interact with adversary using an idealized version of groups Bound the probability of finding an inconsistency if actual groups were used Oracle to k-bdh is implemented as a modified k-multilinear map maps k elements in G and one element G T to an element group G M
Application: IBE Setup: Public parameters: g, u = g x, v = g s,, v k = g s r r k, v,, v k k, w,, w k Master key: s,, s k, r,, rk, x KeyGen(ID): Select random n,, n k Z p For each i k output K A,i, K B,i = (g xr i w i u ID n i, vi n i ) Encrypt (m, ID): Select random y,, y k Z p Output C = m e g x, v i r i i k y i For each i k output C A,i, C B,i = (v i yi, w i u ID y i ) Decrypt(c): C i k e(k B,i,C B,i ) i k e(k A,i,C A,i ) = m e gx,v i r i y i i k e(v i n i, w i u ID y i i k ) i k e(gxr i w i uid n i,vi yi ) = m
Conclusions Goal: Introduction the k-bdh Family of Assumptions Relationship to standard assumptions (DDH, k-linear, DBDH) It is a family of strictly weaker assumptions Usable: We construct an IBE in the Boneh-Boyen Framework Future Work IBE construction grows with k (public parameters, keys, encryption) Different applications http://eprint.iacr.org/22/687
Efficient Delegation of Key Generation and Revocation Functionalities in Identity-Based Encryption Jae Hong Seo Myongji University, Republic of Korea Session ID: Session Classification: CRYP-F4 Intermediate
Identity Based Encryption Publish mpk ABC University user@abc.edu time download Issue DK Sender Enc(mpk,, M) User
Revocation Functionality in Identity-Based Encryption Publish mpk ABC University user@abc.edu time download If user leaves the system (by expiration of contract) or user s secret key is leaked (by hacking) and so he want to obtain other secret key? KGC should revoke user s secret key!! (and issues a new key if needed) Sender user
Trivial Approach for Revocation Functionality in IBE Publish mpk ABC University user@abd.edu time download Issue DK,T Sender Enc(mpk,, T, M) User
Trivial Approach for Revocation Functionality in IBE user@abc.edu Publish mpk ABC University time download Revoke DK,T Issue DK,T user2@abc.edu Sender User2 User
Trivial Approach for Revocation Functionality in IBE user@abc.edu Publish mpk ABC University time download Revoke DK,T Issue DK,T user2@abc.edu KGC s role: Issuing/Revoking secret keys Excessive workload for a single KGC Sender User2 User
Our Goal: Delegation of KGC s Roles (Key Generation & Revocation) Publish mpk ABC University time download ABC, Science ABC, Law ABC, Science, Math ABC, Science, Math, prof. Emura
Our Goal: Delegation of KGC s Roles (Key Generation & Revocation) Publish mpk ABC University time download Efficient Key Generation & Revocation ABC, Science Efficient Key Generation & Revocation ABC, Science, Math Efficient Key Generation & Revocation ABC, Science, Math, prof. Emura ABC, Law
Outline Previous Approaches Revocable Symmetric Key Encryption: Broadcast Encryption Revocable Identity-Based Encryption Trivial Approach Exponentially large secret key Our Approach Asymmetric trade Further Study
Broadcast Encryption (BE) Technique Each node has the corresponding key. KEY KEY KEY KEY KEY u u 2 u 3 u 4 u 5 u 6 u 7 u 8 We consider a binary tree kept by KGC
Broadcast Encryption (BE) Technique u u 2 u 3 u 4 u 5 u 6 u 7 u 8 U 3 has secret keys on the path to the root node
Broadcast Encryption (BE) Technique If u 3, u 4, and u 6 are revoked, first compute triangles containing only non-revoked users. u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked
Broadcast Encryption (BE) Technique Encrypt a session key using KEY, KEY, KEY. Then, only non-revoked user can recover the session key. # of triangles ~ log N (where N is # of leaf nodes) u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked
Revocable IBE: Combining BE technique with IBE scheme Publish mpk ABC University KGC Issue SK time download Size of KU T is logn. KU T Each time period download Enc(mpk,, T, M) Sender user
Revocable IBE: Combining BE technique with IBE scheme Publish mpk ABC University KGC Issue SK time download Size of KU T is logn. KU T Each time period download Enc(mpk,, T, M) Sender user
Revocable IBE: Combining BE technique with IBE scheme Key Revocation Key Generation u u 2 u 3 u 4 u 5 u 6 u 7 u 8 u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked Whenever a user is registered in the system, the user is assigned in the leaf node of binary tree.
Revocable IBE: Combining BE technique with IBE scheme u u 2 u 3 u 4 u 5 u 6 u 7 u 8 u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Key Update Information related to time T Secret Key related to the identity of u 2
Revocable IBE: Combining BE technique with IBE scheme Since u 2 has both related to the same node, u 2 can create a decryption key related to both his identity and time u u 2 u 3 u 4 u 5 u 6 u 7 u 8 u u 2 u 3 u 4 u 5 u 6 u 7 u 8 Key Update Information related to time T Secret Key related to the identity of u 2
Revocable IBE: Combining BE technique with IBE scheme Publish mpk ABC University KGC Issue SK time download Size of KU T is logn. KU T Each time period download Sender Enc(mpk,, T, M) Only non-revoked users can generate a decryption key dk, T from KU T and SK user
Trivial Approach for Our Goal ABC, Science, Math, Prof. Emura ABC, Law ABC, Science Hierarchical Structure for Key Generation ABC University
Trivial Approach Binary Tree for Revocation (managed by KGC) ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Science ABC, Law ABC, Science, Math, Prof. Emura
Trivial Approach Binary Tree for Revocation Binary Tree for Revocation (managed by KGC) (managed by College) Science u 2 u 3 u 4 u 5 u 6 u 7 Law Math u 2 u 3 u 4 u 5 u 6 u 7 ABC, Science ABC, Law ABC, Science, Math, Prof. Emura
Trivial Approach Binary Tree for Revocation Binary Tree for Revocation (managed by KGC) (managed by College) Binary Tree for Revocation (managed by Department) Math u 2 u 3 u 4 u 5 u 6 u 7 NICT, NSRI Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Law Emura u 2 u 3 u 4 u 5 u 6 u 7 ABC, Science, Math, Prof. Emura
Trivial Approach ABC University Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Science ABC Science needs to store log N size secret keys ABC, Science, Math, prof. Emura
Key Update for time period T (managed by KGC) Trivial Approach Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Science ABC Science needs to store log N size secret keys ABC, Science, Math, prof. Emura
Key Update for time period T (managed by KGC) Science Trivial is not revoked Approach on time T. () It can create a decryption key relate to its identity & time T. (2) It can generate Key Update for its children. Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law ABC, Science ABC,WNRI Science needs to store log N size secret keys ABC, Science, Math, prof. Emura
Key Update for time period T (managed by KGC) Trivial Approach Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law Key Update for T (managed by Science) Math u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC, Science ABC Math u 2 u 3 u 4 u 5 u 6 u 7 Science needs to store log N size secret keys Binary Tree for Revocation (managed by Science)
Key Update for time period T (managed by KGC) Trivial Approach Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC University Science u 2 u 3 u 4 u 5 u 6 u 7 Law Key Update for T (managed by Science) Does Science need log N size secret key? Math u 2 u 3 u 4 u 5 u 6 u 7 u 8 ABC, Science A Math u 2 u 3 u 4 u 5 u 6 u 7 Science needs to store log N size secret keys Binary Tree for Revocation (managed by Science)
Key Update for time period T (managed by KGC) Trivial Approach Therefore, children should have (logn) 2 subkeys. ABC, Science No! The parent (Science) has log N size secret key and one subkey is used for each time period. A child (Math) does not know which Science subkey u 2 u will 3 ube 4 uused 5 u 6 ufor 7 each u 8 time period. Key Update for T keys (managed by Science) Math u 2 u 3 u 4 u 5 u 6 u 7 u 8 Does SAL need log N size secret key? n-th level user has (logn) n size secret ABC University Binary Tree for Revocation (managed by KGC) Science u 2 u 3 u 4 u 5 u 6 u 7 Law A,WNRI Science needs to store log N size secret keys Binary Tree for Revocation (managed by Science) Math u 2 u 3 u 4 u 5 u 6 u 7
Trivial Approach
Our Approach Asymmetric Trade Product Product
Our Approach Asymmetric Trade Technically difficult part: Separated subkeys do not leak any information. To this end, we used several re-randomization Product techniques. Product
Our Result We propose the first practical RHIBE scheme Our scheme is based on Boneh-Boyen HIBE scheme The size of secret key is O(l 2 log N), where l is user s level. We proved that the proposed scheme satisfies a weaker security notion such as selective security notion.
Further Study Fully secure RHIBE Different revocation method, such as Subset Difference Revocation methodology in functional encryption
Thanks!