1 / 29

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. Allison Lewko. Tatsuaki Okamoto. Amit Sahai. The University of Texas at Austin. NTT. UCLA. Katsuyuki Takashima. Brent Waters. Mitsubishi Electric.

kamea
Download Presentation

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The University of Texas at Austin NTT UCLA Katsuyuki Takashima Brent Waters Mitsubishi Electric The University of Texas at Austin

  2. x Functional Encryption • Functionality f(x,y) – specifies what will be learned about ciphertext y

  3. Application Who should be able to read my data? access policy

  4. Attribute-Based Encryption [SW05] Ciphertexts: associated with access formulas (A Ç B) Æ C Secret Keys: associated with attributes {A, C} Decryption: {A, C} satisfies (AÇB)ÆC {A, C} Message (A Ç B) Æ C

  5. ABE Example OR AND AND Medical researcher Company X Doctor Hospital Y {Doctor, Hospital Z} {Nurse, Hospital Y}

  6. MSK Public Params ABE Algorithms • Setup (¸, U) • Encrypt(PP, M, Access formula) • KeyGen(PP, MSK, Set of attributes) • Decrypt(PP, SK, CT) M

  7. MSK Public Params Security Definition (ABE) [IND-CPA GM84] Key Query Phase II Key Query Phase I Challenge Phase Setup Phase Challenger Attacker S1 S1 S2 Si : set of attributes S2 M0, M1, access policy A Enc(Mb, A, PP) Same as Phase I – in both phases, no queried Si can satisfy A Attacker must guess b

  8. Proving Security  Hard problem Hard problem ABE ABE attacker Simulator breaks ABE

  9. Challenges in Proving Security Simulator must: • respond to key requests • leverage attacker’s success on challenge

  10. Partitioning Previous approach for IBE – Partitioning [BF01, BB04, W05] Key Space We hope: Key Request Key Requests Key Request Key Request Abort Challenge Challenge Abort Challenge

  11. Partitioning with More Structure ID0 HIBE: ID0:ID1 ID0:ID2 ID0:ID1:ID3 ID0:ID2:ID4 ID0:ID2:ID5 Exponential security degradation in depth ABE: ( AÇBÇC) Æ (AÇD) … Exponential security degradation in formula length

  12. Previous Solutions Selective Security Model: • Attacker declares challenge before seeing Public Parameters • A weaker model of security • To go to standard model by guessing –> exponential loss Until recently, only results were in this model Exception: Fully secure HIBE with polynomially many levels [G06, GH09]

  13. Dual System Encryption [W09] • New methodology for proving full security • No partitioning, no aborts • Simulator prepared to make any key and use any key as the challenge

  14. Dual System Encryption Normal Used in real system Semi-Functional   Normal  Semi-Functional Types are indistinguishable (with a caveat)

  15. Hybrid Security Proof Normal keys and ciphertext Normal keys, S.F. ciphertext S.F. ciphertext, keys turn S.F. one by one Security now much easier to prove

  16. Previously on Dual System Encryption… • [W09] Fully secure IBE and HIBE • [LW10] Fully secure HIBE with short CTs • negligible correctness error • ciphertext size linear in depth of hierarchy • no correctness error • CT = constant # group elements • closely resembles selectively secure scheme [BBG05]

  17. Our Results - ABE • Fully secure ABE • arbitrary monotone access formulas • security proven from static assumptions • closely resembles selectively secure schemes [GPSW06, W08]

  18. ABE – Solution Framework G = a bilinear group of order N = p1p2p3 e: G £ G !GT is a bilinear map Subgroups Gp1, Gp2, Gp3 – orthogonal under e, e.g. e(Gp1, Gp2) = 1 Gp1 = main scheme Gp1 Gp2 = semi-functional space Gp3 Gp2 Gp3 = randomization for keys

  19. ABE – Solution Framework Gp1 Gp2 Gp3 Normal S.F. Decryption: Key paired with CT under e Normal S.F.

  20. ? Technical Challenge • Achieve nominal semi-functionality: [LW10] • S.F. key and S.F. CT correlated - decryption works in simulator’s view • regular S.F. key in attacker’s view simulator can’t test for S.F.

  21. Key Technique • Semi-functional space imitates the main scheme • Linear Secret Sharing Scheme: shares reconstructed in parallel in Gp1and Gp2 shares secret shares secret Regular s.f. : red secret is random, masks blue result Nominal s.f. : red secret is 0, won’t hinder decryption

  22. Key Technique Attacker doesn’t have key capable of decrypting Attacker can’t distinguish nominal from regular s.f. Oh no! I was fooled! Value shared in s.f. space is info-theoretically hidden

  23. Illustrative Example ? shared value = x AND A B ? share = z share = x-z {A}

  24. Technical Challenge • Hiding the shared value in the CT: • blinding factors linked to attributes • Ciphertext elements are of the form: share blinding share blinding g1a±1+ z1r1g2±2 + z2r2g1r1g2r2 random random whereg12Gp1g22Gp2 Attributes can only be used once in the formula

  25. Encoding Solution Example: To use an attribute A up to 4 times : A A:1 A:2 A:3 A:4 (A Æ B) Ç (A Æ C) becomes (A:1 Æ B) Ç (A:2 Æ C) max times used fixed at setup It would be better to get rid of the one-use restriction Open problem

  26. Summary of ABE result • Full security ABE • Static assumptions • Similar to selectively secure schemes

  27. Inner Product Encryption [KSW08] Ciphertexts and secret keys: associated with vectors x v Decryption: if x ¢v = 0 Message x v Advantage: ciphertext policy can be hidden

  28. Coming Attractions • Stay tuned for CRYPTO 2010: • full security for Inner Product/ Attribute-Based Encryption from decisional Linear Assumption • by Okamoto and Takashima

  29. Questions?

More Related