1 / 25

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption. 2012 / 4 / 18. Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric ). Functional Encryption. Secret key with parameter. Public key pk. Parameter. sk. Decryption. Encryption. Plain text. Cipher

kina
Download Presentation

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric ).

  2. Functional Encryption Secret key with parameter Public key pk Parameter sk Decryption Encryption Plain text Cipher text Plain text Relation R( , ) holds • This type is called Predicate Encryption in [BSW11].

  3. Inner Product Encryption ( IPE ) [KSW08]

  4. (Adaptive Secure &) Weakly Attribute-Hiding IPE Challenger Some additional information on may be revealed to a person with a matching key , i.e.,

  5. (Adaptive Secure &) Fully Attribute-Hiding IPE Challenger No additional information on is revealed even to any person with a matching key , i.e., For each run of the game, the variable is defined as otherwise. if

  6. Previous works of Attribute-Hiding IPE • [ KSW08 ] : Fully attribute-hidingbut selectively secure IPE • [ LOS+10 ] : Adaptively secure butweakly attribute- • hiding IPE based on a non-standard assumption • [ OT10 ] : Adaptively secure butweakly attribute-hiding • IPE based on the DLINassumption • [ AFV11 ] : Selectivelysecure andweakly attribute-hiding • IPE based on the LWEassumption This work Adaptively secure and fully attribute-hiding IPE based on the DLINassumption

  7. Our Results • Adaptively secure and fully attribute-hiding IPE • based on the DLINassumption (basic scheme) • A variant IPE with a shorter (O(n)-size) master public key • and shorter (O(1)-size) secret keys (excluding the description of ) • An extension to Hierarchical IPE (HIPE) with the same security

  8. Key Techniques • We extend Dual System Encryption (DSE) for our purpose • with various forms,i.e., normal, temporal 1, temporal 2 and • unbiased …. • Fully-AH IPE should deal with both cases, matching and non-matching keys (to challenge CT), while weakly-AH IPE deals with only the non-matching case. • All forms of a secret-key do not depend on whether • it is matching or not. • Dual Pairing Vector Space (DPVS) approach provides • rich basic transformations for achieving these various forms. • Large (-dim.) hidden subspaces gives • new types (Types 1-3) of information theoretical tricks • and various forms of computational reductions.

  9. Dual Pairing Vector Space Approach (I) Dual Bases : using symmetric pairing groups Vector space where is a generator of ( Canonical ) pairing operation: and For where s.t. basis of for s.t. for i.e., dual orthonormal bases of

  10. DPVS Approach (II) • Dual Pairing Vector Space (DPVS) approach : with ( the canonical Cryptographic Construction using pairing and ) random dual bases as a master key pair • DLIN-based security from [OT10] machinery • Notation : For we denote and Basic Fact for Our Construction For the above and from dual orthonormality of

  11. (master secret) Vector Decomposition Problem (VDP) : Hard to calculate from Intractable Problems on DPVS (master public) Dual Basis Computation Problem (DBP) : Decisional Subspace Problem (DSP) : from E.g., hard to calculate • Hard to distinguish and where and and VDP Assump. DBP Assump. Security of our IPE is proven under DLIN assumption, through variants of DSP. DSP Assump. DLIN Assump.

  12. Basic Idea for Constructing IPE using DPVS where

  13. Weakly Attribute-Hiding IPE Scheme in [OT10] where

  14. Proposed (Basic) Fully Attribute-Hiding IPE Scheme where

  15. -> Game 0’ Challenger Game 0 otherwise if • Game 0’ is the same as real security game, Game 0, except that flip a coin before setup and the game is aborted if • We define that wins with prob. 1/2 when the game is aborted in Game 0’. negligible from [OT10] target of this talk

  16. Dual System Encryption (DSE) Methodology (I) Simulator Challenge ciphertext  Semi-func. Keys  Semi-func. (one by one) Semi-func. challenge ciphertext  Random i.e., Advantage of adversary = 0 … Simulator can change them under the above conditions.

  17. DSE Methodology (II) Normal ciphertext Semi-func. ciphertext Normal key Semi-func. key This semi-func. form of keys cannot be used for fully-AH. Need to introduce new forms with preserving functionality

  18. Extension of DSE (I): R-preserving ciphertexts independent of challenge bit (all but negligible prob.) for I.e., & Independent of bit preserving Aim of game transformation: Transform to -unbiased CT,

  19. Extension of DSE (II): Randomization in 2-dim. and Swapping DLIN Temporal 1 CTwith preparing the next randomization Temporal2 CTwith DLIN Temporal 1 Keywith swapping Temporal 2 Keywith Iterate the changes among these 4 forms for all queried for

  20. Extension of DSE (III): Last Conceptual Change to Unbiased CT • In Game 2- -4, Temporal2 CTwith 1-st blockfor randomization 2-nd block for keeping All queried keys are Temporal 2 Keywith • In Game 3, Unbiased CTwith which is unbiased of is obtained. is bounded by advantages for DLIN

  21. Comparison of Original and Extension of DSE • Original DSE Methodology Challenge CT  Semi-func. Keys  Semi-func. (one by one) CT  Random random since • Extension of DSE Challenge CT  Keys  CT   (one by one) since  CT  Unbiased w.r.t. b

  22. Key Ideas for Short Public / Secret Key IPE We will explain key ideas using -dim. basic IPE. • We employ a special form of master secret key basis, where and a blank in the matrix denotes • Secret-key associated with Then, can be compressed to only 3 group elements as well as

  23. Special Basis for fully-AH IPE with Short SK • We extend the basic construction to a 5 x 5 block matrix • one to achieve full AH security (as our basic IPE).

  24. Adaptively Fully-AH IPE with Constant-Size SK SK size

  25. Thank You !

More Related