Fully Secure Functional Encryption:
Attribute-Based Encryption and
(Hierarchical) Inner Product Encryption
Allison Lewko, The University of Texas at Austin
Tatsuaki Okamoto, NTT
Amit Sahai, UCLA
Katsuyuki Takashima, Mitsubishi Electric
Brent Waters, The University of Texas at Austin
Functional Encryption
• Functionality f(x,y) – specifies what will be learned about ciphertext
Application
Who should be able
to read my data?
access policy
Attribute-Based Encryption [SW05]
Ciphertexts: associated with access formulas
(A ∨ B) ∧ C
Secret Keys: associated with attributes
{A, C}
Decryption: {A, C} satisfies (A ∨ B) ∧ C, yielding Message
ABE Example
Access formula: (Medical researcher AND Company X) OR (Doctor AND Hospital Y)
Attribute sets shown: {Doctor, Hospital Z}, {Nurse, Hospital Y}
ABE Algorithms
Setup(λ, U) → Public Params, MSK
Encrypt(PP, M, Access formula)
KeyGen(PP, MSK, Set of attributes)
Decrypt(PP, SK, CT) → M
Security Definition (ABE) [IND-CPA GM84]
Challenger (MSK) / Attacker
Setup: Challenger sends Public Params
Key Query Phase I: Attacker queries S1, S2; Challenger returns keys for S1, S2
Si : set of attributes
Challenge: Attacker sends M0, M1, access policy – in both phases, no queried Si can satisfy
Challenger returns Enc(Mb, PP)
Key Query Phase II: Same as Phase I
Attacker must guess b
Proving Security
Figure labels: Hard problem; Simulator; ABE attacker; breaks ABE
Challenges in Proving Security
Simulator must:
• respond to key requests
• leverage attacker’s success on challenge
Partitioning
Previous approach for IBE – Partitioning [BF01, BB04, W05]
Figure labels: Key Space; We hope:; Key Request; Challenge; Abort
Partitioning with More Structure
HIBE:
ID0
ID0:ID1
ID0:ID1:ID3
ID0:ID2
ID0:ID2:ID4
ID0:ID2:ID5
Exponential security degradation in depth
ABE:
(A ∨ B ∨ C) ∧ (A ∨ D) …
Exponential security degradation in formula length
Previous Solutions
Selective Security Model:
• Attacker declares challenge before seeing Public Parameters
• A weaker model of security
• To go to standard model by guessing –> exponential loss
Until recently, only results were in this model
Exception:
Fully secure HIBE with polynomially many levels [G06, GH09]
Dual System Encryption [W09]
• New methodology for proving full security
• No partitioning, no aborts
• Simulator prepared to make any key and use any key as the challenge
Dual System Encryption
Figure labels: Used in real system; Normal; Semi-Functional
Types are indistinguishable (with a caveat)
Hybrid Security Proof
Normal keys and ciphertext
Normal keys, S.F. ciphertext
S.F. ciphertext, keys turn S.F. one by one
Security now much easier to prove
Previously on Dual System Encryption…
• [W09] Fully secure IBE and HIBE
• negligible correctness error
• ciphertext size linear in depth of hierarchy
• [LW10] Fully secure HIBE with short CTs
• no correctness error
• CT = constant # group elements
• closely resembles selectively secure scheme [BBG05]
Our Results - ABE
• Fully secure ABE
• arbitrary monotone access formulas
• security proven from static assumptions
• closely resembles selectively secure schemes [GPSW06, W08]
ABE – Solution Framework
G = a bilinear group of order N = p1p2p3
e: G × G → GT is a bilinear map
Subgroups Gp1, Gp2, Gp3
– orthogonal under e, e.g. e(Gp1, Gp2) = 1
Gp1 = main scheme
Gp2 = semi-functional space
Gp3 = randomization for keys
ABE – Solution Framework
Decryption: Key paired with CT under e
Figure labels: Gp1, Gp2, Gp3; Normal; S.F.
Technical Challenge
• Achieve nominal semi-functionality: [LW10]
simulator can’t test for S.F.
• S.F. key and S.F. CT correlated
- decryption works in simulator’s view
• regular S.F. key in attacker’s view
Key Technique
• Semi-functional space imitates the main scheme
• Linear Secret Sharing Scheme: shares reconstructed in parallel in Gp1 and Gp2
Figure labels: shares; secret
Regular s.f.: red secret is random, masks blue result
Nominal s.f.: red secret is 0, won’t hinder decryption
Key Technique
Attacker doesn’t have key capable of decrypting
Attacker can’t distinguish nominal from regular s.f.
Oh no! I was fooled!
Value shared in s.f. space is info-theoretically hidden
Illustrative Example
Formula: A AND B, shared value = x
Shares: share = z, share = x-z
Attribute set: {A}
Technical Challenge
• Hiding the shared value in the CT:
• blinding factors linked to attributes
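• Ciphertext elements are of the form:
$g_1^{a\delta_1 + z_1 r_1}\, g_2^{\delta_2 + z_2 r_2}$, $g_1^{r_1} g_2^{r_2}$
where $g_1 \in G_{p_1}$, $g_2 \in G_{p_2}$
(labels: $a\delta_1$, $\delta_2$ = share; $z_1 r_1$, $z_2 r_2$ = blinding; $r_1$, $r_2$ = random)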
Attributes can only be used once in the formula
Encoding Solution
Example: To use an attribute A up to 4 times:
A → A:1, A:2, A:3, A:4
(A ∧ B) ∨ (A ∧ C) becomes (A:1 ∧ B) ∨ (A:2 ∧ C)
max times used fixed at setup
It would be better to get rid of the one-use restriction
Open problem
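The sharing idea from the Illustrative Example (AND splits x into z and x-z) and the one-use encoding above, as an added Python sketch that is not part of the original slides. It models only the secret-sharing layer over integers mod a prime, with no group elements or pairings; the names encode_one_use, expand_key, share, reconstruct and the modulus P are hypothetical, and unlike the slide it relabels every attribute (B becomes B:1).

```python
import secrets

P = 2**61 - 1  # constructed prime modulus; shares live in Z_P

def encode_one_use(phi, k_max, seen=None):
    """Relabel each occurrence of an attribute A as A:1, A:2, ... (at most k_max)."""
    seen = {} if seen is None else seen
    if isinstance(phi, str):
        seen[phi] = seen.get(phi, 0) + 1
        if seen[phi] > k_max:
            raise ValueError(f"{phi} used more than {k_max} times")
        return f"{phi}:{seen[phi]}"
    op, left, right = phi
    return (op, encode_one_use(left, k_max, seen), encode_one_use(right, k_max, seen))

def expand_key(attrs, k_max):
    """A key for attribute A covers every copy A:1 .. A:k_max."""
    return {f"{a}:{i}" for a in attrs for i in range(1, k_max + 1)}

def share(phi, secret, out):
    """AND splits the value as z and secret - z; OR gives both children the value."""
    if isinstance(phi, str):
        out[phi] = secret % P          # one share per uniquely labelled leaf
    elif phi[0] == "AND":
        z = secrets.randbelow(P)       # fresh randomness hides the value from one child
        share(phi[1], z, out)
        share(phi[2], secret - z, out)
    else:
        share(phi[1], secret, out)
        share(phi[2], secret, out)
    return out

def reconstruct(phi, shares, attrs):
    """Return the shared value if attrs satisfies phi, else None."""
    if isinstance(phi, str):
        return shares[phi] if phi in attrs else None
    l, r = reconstruct(phi[1], shares, attrs), reconstruct(phi[2], shares, attrs)
    if phi[0] == "AND":
        return None if l is None or r is None else (l + r) % P
    return l if l is not None else r

if __name__ == "__main__":
    # Constructed input: the slide's formula (A AND B) OR (A AND C), k_max = 4.
    f = encode_one_use(("OR", ("AND", "A", "B"), ("AND", "A", "C")), 4)
    x = secrets.randbelow(P)
    sh = share(f, x, {})
    print(reconstruct(f, sh, expand_key({"A", "C"}, 4)) == x)  # satisfying set
    print(reconstruct(f, sh, expand_key({"A"}, 4)))            # {A} alone
```

With only {A}, the holder sees a uniformly random z per AND gate, which is the information-theoretic hiding the slides rely on.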
Summary of ABE result
• Full security ABE
• Static assumptions
• Similar to selectively secure schemes
Inner Product Encryption [KSW08]
Ciphertexts and secret keys: associated with vectors
x, v
Decryption: Message recovered if x · v = 0
Advantage: ciphertext policy can be hidden
Coming Attractions
• Stay tuned for CRYPTO 2010:
• full security for Inner Product/Attribute-Based Encryption from decisional Linear Assumption
• by Okamoto and Takashima
Questions?