Improved Dual System ABE in Prime-Order Groups via Predicate Encodings
Jie Chen – East China Normal University, Shanghai
Romain Gay – ENS, Paris
Hoeteck Wee – ENS, Paris
Attribute-Based Encryption

ABE: online dating  [Sahai,Waters'05; Goyal,Pandey,Sahai,Waters'06]
Alice publishes pk; her profile is protected by the policy tall ∨ (phd ∧ cs)
Charlie: cs
David: phd ∧ math
Edward: phd ∧ cs
collusion: Charlie and David together hold both cs and phd, yet must not be able to decrypt
Modular framework for ABE
Composite-order groups: encoding for P → compiler [Attrapadung 14, Wee 14] + dual system encryption (DSE) [Waters 09] → adaptively secure ABE for P
Prime-order groups (our work): encoding ++ for P → adaptively secure ABE for P
Our contributions
1. New techniques for simulating composite-order groups
2. New efficient ABEs
• functionality improvements
• ABE for boolean formula: sk, ct 50% shorter
• ABE for arithmetic formula: first adaptively secure scheme
Composite-order groups  [Boneh, Goh, Nissim'05; Lewko, Waters'10]
$e : G \times G \to G_T$ with $G = G_p \times G_q$, $p, q$ primes
$e(G_p, G_q) = 1$
Subgroup membership: random $\in G_p$ $\approx_c$ random $\in G_p$ $\cdot$ random $\in G_q$
Parameter hiding: $G_p = \langle g_1 \rangle$, $G_q = \langle g_2 \rangle$; for all $w \in \mathbb{Z}_{pq}$, given $g_1^w, g_2$, $w$ is hidden
These two properties are what DSE [Waters 09] uses on ct and sk.
Simulating composite-order groups
• [Freeman 10, MSF 10, Seo 12, HHHRR14] → parameter hiding?
• DPVS: [OT 08, OT 09, Lewko 12, CLLWW 12] → not compact
• [CW 13, BKP 14] → not all predicates
Simulating composite-order groups
$G_1 = \langle g_1 \rangle$, $G_2 = \langle g_2 \rangle$, $G_T$ of order $p$, $e : G_1 \times G_2 \to G_T$
$e(g_1^x, g_2^y) = e(g_1, g_2)^{xy}$; in bracket notation $[x]_1 = g_1^x$, $[y]_2 = g_2^y$: $e([x]_1, [y]_2) = [xy]_T$
Matrix assumptions [EHKRV 13, MRV 15]: $[A r]_1 \approx_c [u]_1$ where $A \in \mathbb{Z}_p^{(k+1) \times k}$, $r \leftarrow_R \mathbb{Z}_p^k$, $u \leftarrow_R \mathbb{Z}_p^{k+1}$
DDH: $A = \begin{pmatrix} a \\ 1 \end{pmatrix}$, $a \leftarrow_R \mathbb{Z}_p$
k-Lin: $A = \begin{pmatrix} a_1 & & \\ & \ddots & \\ & & a_k \\ 1 & \cdots & 1 \end{pmatrix}$, $a_1, \dots, a_k \leftarrow_R \mathbb{Z}_p$
Simulating composite-order groups
$e : G_1 \times G_2 \to G_T$, $G_1, G_2$ of order $p$, extended entry-wise to vectors, $e([x]_1, [y]_2) = [x^\top y]_T$, and to matrices, $e([X]_1, [Y]_2) = [X^\top Y]_T$
Decompose $G_1^{k+1} = \langle [A]_1 \rangle \times \langle [b^\perp]_1 \rangle$ and $G_2^{k+1} = \langle [B]_2 \rangle \times \langle [a^\perp]_2 \rangle$, where
• $[A]_1, [B]_2 \leftarrow_R$ k-Lin
• $a^\perp \leftarrow_R A^\perp$ (so $A^\top a^\perp = 0$), hence $e([A]_1, [a^\perp]_2) = 1$
• $b^\perp \leftarrow_R B^\perp$ (so $B^\top b^\perp = 0$), hence $e([b^\perp]_1, [B]_2) = 1$
$[A]_1, [b^\perp]_1$: basis of $G_1^{k+1}$; $[B]_2, [a^\perp]_2$: basis of $G_2^{k+1}$
Subgroup membership:
$[A r]_1 \approx_c [A r]_1 \cdot [r' b^\perp]_1 = [u]_1$ by k-Lin in $G_1$
$[B s]_2 \approx_c [B s]_2 \cdot [s' a^\perp]_2 = [v]_2$ by k-Lin in $G_2$
Simulating composite-order groups: the correspondence
Composite order: $G = G_p \times G_q = \langle g_1 \rangle \times \langle g_2 \rangle$ on both sides of the pairing $e : G \times G \to G_T$
Prime order: $G_1^{k+1} = \langle [A]_1 \rangle \times \langle [b^\perp]_1 \rangle$ and $G_2^{k+1} = \langle [B]_2 \rangle \times \langle [a^\perp]_2 \rangle$, paired into $G_T$
$g_1^r \leftrightarrow [A r]_1$, $g_1^s \leftrightarrow [B s]_2$
With $w \leftarrow_R \mathbb{Z}_{pq}$ and $W \leftarrow_R \mathbb{Z}_p^{(k+1) \times (k+1)}$:
$\langle g_1^w \rangle \times \langle g_2^w \rangle \leftrightarrow \langle [W^\top A]_1 \rangle \times \langle [W^\top b^\perp]_1 \rangle$ in $G_1^{k+1}$, and $\langle [W B]_2 \rangle \times \langle [W a^\perp]_2 \rangle$ in $G_2^{k+1}$

Parameter hiding:
given $g_1^w, g_2$: $w$ is hidden  $\leftrightarrow$  given $[A^\top W]_1$ and $[W B]_2$: $(a^\perp)^\top W b^\perp$ is hidden

Translating a composite-order scheme:
$w \to W \in \mathbb{Z}_p^{(k+1) \times (k+1)}$
ct: $s \to s \in \mathbb{Z}_p^k$, $g_1^s \to [A s]_1$, $g_1^{ws} \to [W^\top A s]_1$
sk: $r \to r \in \mathbb{Z}_p^k$, $g_1^r \to [B r]_2$, $g_1^{wr} \to [W B r]_2$
Modular framework for ABE (recap)
Composite-order groups: encoding for P → compiler [Attrapadung 14, Wee 14] + DSE [Waters 09] → adaptively secure ABE for P
Prime-order groups (our work): encoding ++ for P → adaptively secure ABE for P
Conclusion
New efficient ABEs for boolean formula of size n:

reference             (static) assumption   |sk|, |ct|
[A14, W14]            composite-order       n + O(1) g.e.
[Lewko 12, CLL+ 12]   k-Lin                 O((k+1)(n + O(1))) g.e.
[our work]            k-Lin                 (k+1)(n + O(1)) g.e.
Open problem          k-Lin                 n + k + O(1) g.e. ?
Thank you!
Questions?