Improved Dual System ABE in Prime-Order Groups via ...gay/CGW15.pdf · Improved Dual System ABE in Prime-Order Groups via Predicate Encodings Jie Chen –East China Normal University,

Improved Dual System ABE in Prime-Order Groups via Predicate Encodings

Jie Chen – East China Normal University, Shanghai

Romain Gay – ENS, Paris

Hoeteck Wee – ENS, Paris

Improved Dual System ABE in Prime-Order Groups via Predicate Encodings

Jie Chen – East China Normal University, Shanghai

Romain Gay – ENS, Paris

Hoeteck Wee – ENS, Paris

Attribute-Based Encryption

ABE: online dating

Alice

Edward

pk :

profile

Charlie David

[Sahai,Waters’05; Goyal,Pandey,Sahai,Waters’06]

ABE: online dating

Alice

Edward

pk :

profile

tall ˅ (phd ˄ cs)

phd ˄ cs

Charlie David

cs phd ˄ math


ABE: online dating

Alice

Charlie David

Edward

pk :

profile

cs

tall ˅ (phd ˄ cs)

phd ˄ math

phd ˄ cs


ABE: online dating

Alice

Charlie David

Edward

pk :

profile

cs

tall ˅ (phd ˄ cs)

phd ˄ math

phd ˄ cs

collusion


Modular framework for ABE

Compiler

encoding

[Attrapadung 14, Wee 14]

P

Adaptively secure ABE for P


Composite-ordergroups

encoding


P




encoding


P

Dual system encryption [Waters 09]




encoding


Prime-ordergroups

encoding ++

Our work

P P


DSE [Waters 09]


Our contributions

1. New techniques for simulating composite-order groups

Our contributions


2. New efficient ABEs

Our contributions



functionality improvements

ABE for boolean formula sk, ct 50% shorter

Our contributions



functionality improvements

ABE for boolean formula sk, ct 50% shorter

ABE for arithmetic formula First adaptively secure scheme

Composite-order groups

e : ×Gp Gq

p,q primes

[Boneh, Goh, Nissim’05; Lewko, Waters’10]

↓GT

×Gp Gq

×


e : ×Gp Gq

p,q primes


↓GT

×Gp Gq

×

e(Gq, Gp)=1


e : ×Gp Gq

p,q primes


↓GT

×Gp Gq

×

e(Gp,Gq)=1


e : ×Gp Gq

p,q primes


↓GT

×Gp Gq

×

Subgroup membership:

random ≈c random ∙ random∈ Gp ∈ Gp ∈ Gq


e : ×Gp Gq

p,q primes


↓GT

×Gp Gq

×

Parameter hiding:

Gp = < g1> , Gq = < g2>

For all w ∈ ℤpq

given g1w , g2

w is hidden


e : ×Gp Gq

p,q primes


↓GT

×Gp Gq

×

Parameter hiding:

Gp = < g1> , Gq = < g2>

For all w ∈ ℤpq

given g1w , g2

w is hidden

ct

sk

ct

sk DSE [Waters 09]

Simulating composite-order groups

• [Freeman 10, MSF 10, Seo 12, HHHRR14] -> parameter hiding?

• DPVS: [OT 08, OT 09, Lewko 12, CLLWW 12] -> not compact

• [CW 13, BKP 14] -> not all predicate


G1 = < g1 > , G2 = < g2 > , GT of order p ,

e: G1 × G2 → GT

e g1x, g2

y= e(g1, g2)

xy


G1 = < g1 > , G2 = < g2 > , GT of order p ,

e: G1 × G2 → GT

e [x]1, [y]2 = [xy]T


G1 = < g1 > , G2 = < g2 > , GT of order p ,

e: G1 × G2 → GT

e [x]1, [y]2 = [xy]T

Matrix assumptions [EHKRV 13, MRV15]:

[A r]1 ≈c [u]1

A ∈ ℤpk+1 ×k, r ←R ℤp

k u ←R ℤp(k+1)


G1 = < g1 > , G2 = < g2 > , GT of order p ,

e: G1 × G2 → GT

e [x]1, [y]2 = [xy]T

Matrix assumptions [EHKRV 13, MRV15]:

[A r]1 ≈c [u]1

DDH: A =1a

, a ←R ℤp k-Lin: A =

1⋱

a1 ⋯

1ak

, a1, … , ak ←R ℤp


e : G1k+1 =

×

G2k+1 =

↓

GT

×? ?

e: G1 × G2 → GT G1, G2 of order p

×? ?

e([x]1, y]2 = [xTy]T


e : G1k+1 =

×

G2k+1 =

↓

GT

×? ?


×? ?

e([X]1, Y]2 = [XTY]T


e : G1k+1 =

×

G2k+1 =

↓

GT

×< [A]1 > ?


×< [B]1 > ?

• [A]1, [B]2 ←R k-Lin


e : G1k+1 =

×

G2k+1 =

↓

GT

×< [A]1 > ?


×< [B]1 > < [a⊥]2 >

• [A]1, [B]2 ←R k-Lin• a⊥ ←R A⊥

e([A]1,[a⊥]2)=1


e : G1k+1 =

×

G2k+1 =

↓

GT

×< [A]1 > < [b⊥]1 >


×< [B]1 > < [a⊥]2 >

• [A]1, [B]2 ←R k-Lin• a⊥ ←R A⊥

• b⊥ ←R B⊥

e([b⊥]1, [B]2)=1


e : G1k+1 =

×

G2k+1 =

↓

GT

×< [A]1 > < [b⊥]1 >


×< [B]1 > < [a⊥]2 >

• [A]1, [B]2 ←R k-Lin• a⊥ ←R A⊥

• b⊥ ←R B⊥


e : G1k+1 =

×

G2k+1 =

↓

GT

×< [A]1 > < [b⊥]1 >


×< [B]1 > < [a⊥]2 >

[A]1, [b⊥]1 : basis of G1k+1

[B]2, [a⊥]2 : basis of G2k+1


e : G1k+1 =

×

G2k+1 =

↓

GT

×< [A]1 > < [b⊥]1 >


×< [B]1 > < [a⊥]2 >


[A r]1 ≈c [A r]1 ∙ [r′b⊥]1 = [u]1

k-Lin in G1


e : G1k+1 =

×

G2k+1 =

↓

GT

×< [A]1 > < [b⊥]1 >


×< [B]1 > < [a⊥]2 >


[B s]1 ≈c [B s]1 ∙ [s′a⊥]1 = [v]1

k-Lin in G2


×< [A]1 > < [b⊥]1 >

×< [B]1 > < [a⊥]1 >

↓

GT

×

G1k+1=

G2k+1=

G =

G =

↓

GT

×Gp Gq

×Gp Gq


×< [A]1 > < [b⊥]1 >

×< [B]1 > < [a⊥]1 >

↓

GT

×

G1k+1=

G2k+1=

G =

G =

↓

GT

×< g1 > < g2 >

×< g1 > < g2 >


×< [A]1 > < [b⊥]1 >

×< [B]1 > < [a⊥]1 >

↓

GT

×

G1k+1=

G2k+1=

G =

G =

↓

GT

×< g1 > < g2 >

×< g1 > < g2 >

g1r

[Ar ]1


×< [A]1 > < [b⊥]1 >

×< [B]1 > < [a⊥]1 >

↓

GT

×

G1k+1=

G2k+1=

G =

G =

↓

GT

×< g1 > < g2 >

×< g1 > < g2 >

g1r

g1s

[Ar ]1

[Bs ]2


×< [A]1 > < [b⊥]1 >

w ←R ℤpq

×< [B]1 > < [a⊥]1 >

↓

GT

×

G1k+1=

G2k+1=

G =

G =

↓

GT

×< g1w > < g2

w >

×< g1w > < g2

w >


×< [WTA]1 > < [WTb⊥]1 >

w ←R ℤpq W ←R ℤpk+1 ×(k+1)

×< [WB]1 > < [Wa⊥]1 >

↓

GT

×

G1k+1=

G2k+1=

G =

G =

↓

GT

×< g1w > < g2

w >

×< g1w > < g2

w >


g1w ,Given g2

w is hidden[ATW]1and[WB]2

Given(a⊥)TWb⊥

is hidden

Parameter hiding:

w ←R ℤpq W ←R ℤpk+1 ×(k+1)


w → W ∈ ℤpk+1 ×(k+1)

s → s ∈ ℤpk

g1s → [As ]1

g1ws → [WTAs ]1

r → r ∈ ℤpk

g1r → [Br ]2

g1wr → [WBr ]2

ct sk



encoding


Prime-ordergroups

encoding ++

Our work

P P


DSE [Waters 09]


Conclusion

New efficient ABEs for boolean formula of size n:

reference (static) assumption |sk| , |ct|

[A14, W14] Composite-order |sk| , |ct| = n + O(1) g.e.

Conclusion




[Lewko 12, CLL+ 12] k-Lin |sk| , |ct| = O( (k+1)(n + O(1)) ) g.e.

Conclusion





[our work] k-Lin |sk| , |ct| = (k+1)(n + O(1)) g.e.

Conclusion





[our work] k-Lin |sk| , |ct| = (k+1)(n + O(1)) g.e.

Open problem k-Lin |sk| , |ct| = n + k + O(1) ? g.e.

Thank you!

Questions?

Documents

Improved Dual System ABE in Prime-Order Groups via ...gay/CGW15.pdf · Improved Dual System ABE in Prime-Order Groups via Predicate Encodings Jie Chen –East China Normal University,