Adaptively Attribute-Hiding
( Hierarchical ) Inner Product Encryption
2012 / 4 / 18
Tatsuaki Okamoto ( NTT ),
Katsuyuki Takashima ( Mitsubishi Electric ).
1
Functional Encryption
Secret key
with parameter
Public key
pk
Plain
text
Parameter
Encryption
Cipher
text
sk
Decryption
Plain
text
Relation
R( , ) holds
• This type is called Predicate Encryption in [BSW11].2
Inner Product Encryption ( IPE ) [KSW08]



3
(Adaptive Secure &) Weakly Attribute-Hiding IPE
Challenger
Some additional information on may be revealed
to a person with a matching key
, i.e.,
4
(Adaptive Secure &) Fully Attribute-Hiding IPE
Challenger
No additional information on
is revealed even to
any person with a matching key
, i.e.,
For each run of the game, the variable
if
is defined as
otherwise.
5
Previous works of Attribute-Hiding IPE
[ KSW08 ] : Fully attribute-hiding but selectively secure IPE
[ LOS+10 ] : Adaptively secure but weakly attributehiding IPE based on a non-standard assumption
[ OT10 ] : Adaptively secure but weakly attribute-hiding
IPE based on the DLIN assumption
[ AFV11 ] : Selectively secure and weakly attribute-hiding
IPE based on the LWE assumption
This work
Adaptively secure and fully attribute-hiding IPE
based on the DLIN assumption
6
Our Results
Adaptively secure and fully attribute-hiding IPE
based on the DLIN assumption (basic scheme)
A variant IPE with a shorter (O(n)-size) master public key
and shorter (O(1)-size) secret keys (excluding the description
of )
An extension to Hierarchical IPE (HIPE) with the same security
7
Key Techniques
We extend Dual System Encryption (DSE) for our purpose
with various forms, i.e., normal, temporal 1, temporal 2 and
unbiased ….
 Fully-AH IPE should deal with both cases,
matching and non-matching keys (to challenge CT),
while weakly-AH IPE deals with only the non-matching case.
 All forms of a secret-key do not depend on whether
it is matching or not.
Dual Pairing Vector Space (DPVS) approach provides
rich basic transformations for achieving these various forms.
 Large ( -dim.) hidden subspaces gives
new types (Types 1-3) of information theoretical tricks
and various forms of computational reductions.
8
Dual Pairing Vector Space Approach (I)
Vector space
using symmetric pairing groups
where is a generator of
( Canonical ) pairing operation:
and
For
where
Dual Bases :
basis of
s.t.
for
s.t.
for
dual orthonormal bases of
i.e.,
9
DPVS Approach (II)
Dual Pairing Vector Space (DPVS) approach :
Cryptographic Construction using
with ( the canonical
pairing and ) random dual bases as a master key pair
 DLIN-based security from [OT10] machinery
Notation :
For
we denote
and
Basic Fact for Our Construction
For the above
and
from dual orthonormality of
10
Intractable Problems on DPVS
Dual Basis Computation Problem (DBP) :
 Hard to calculate
(master secret) from
(master public)
Vector Decomposition Problem (VDP) :
 E.g., hard to calculate
from
Decisional Subspace Problem (DSP) :
 Hard to distinguish
and
where
and
and
DBP Assump. VDP Assump.
DSP Assump.
Security of our IPE is proven
under DLIN assumption,
through variants of DSP.
DLIN Assump.
11
Basic Idea for Constructing IPE using DPVS
where
12
Weakly Attribute-Hiding IPE Scheme in [OT10]
where
13
Proposed (Basic) Fully Attribute-Hiding IPE Scheme
where
14
Challenger
Game 0 -> Game 0’
if
otherwise
Game 0’ is the same as real security game, Game 0, except that
flip a coin
before setup and the game is aborted if
We define that
wins with prob. 1/2 when the game is aborted in Game 0’.
negligible from [OT10]
target of this talk
15
Dual System Encryption (DSE) Methodology (I)
1) Challenge ciphertext  Semi-func.
2) Keys  Semi-func. (one by one)
3) Semi-func. challenge ciphertext  Random
i.e., Advantage of adversary = 0
Simulator
…
Simulator can change them
under the above conditions.
16
DSE Methodology (II)
Normal
ciphertext
Semi-func.
ciphertext
Normal
key
Semi-func.
key
This semi-func. form of keys cannot be used for fully-AH.
Need to introduce new forms with preserving functionality
17
Extension of DSE (I):
R-preserving ciphertexts independent of challenge bit
for
(all but negligible prob.)
I.e.,
Independent of bit
& preserving
Aim of game transformation:
Transform to -unbiased CT,
18
Extension of DSE (II):
Randomization in 2-dim.
and Swapping
DLIN
Temporal 1
CT with
randomization
preparing the next
Temporal 2
CT with
DLIN
Temporal 1
Key with
Temporal 2
Key with
swapping
Iterate the changes among these 4 forms
for
for all queried
19
Extension of DSE (III):
Last Conceptual Change to Unbiased CT
In Game 2- -4,
Temporal 2
CT with
All queried keys are
Temporal 2
Key with
1-st block for
randomization
2-nd block for
keeping
In Game 3,
Unbiased
CT with
which is unbiased of
is obtained.
is bounded by advantages for DLIN
20
Comparison of Original and Extension of DSE
Original DSE Methodology
1) Challenge CT
 Semi-func.
 Semi-func. (one by one)
2) Keys
3) CT  Random
random since
Extension of DSE
1) Challenge CT
2) Keys



(one by one)
CT 

3) CT  Unbiased w.r.t. b
since
21
Key Ideas for Short Public / Secret Key IPE
We will explain key ideas using
-dim. basic IPE.
We employ a special form of master secret key basis,
where
and a blank in the matrix denotes
Secret-key associated with
Then,
can be compressed to only 3 group elements
as well as
22
Special Basis
for fully-AH IPE with Short SK
We extend the basic construction to a 5 x 5 block matrix
one to achieve full AH security (as our basic IPE).
23
Adaptively Fully-AH IPE with Constant-Size SK
SK size
24
Thank You !
25