Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko he University of Texas at Austin Tatsuaki Okamoto NTT Amit Sahai UCLA Katsuyuki Takashima Mitsubishi Electric Brent Waters The University of Texas at Austin
29
Embed
Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko The University of Texas at Austin.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Fully Secure Functional Encryption: Attribute-Based Encryption and
(Hierarchical) Inner Product Encryption
Allison LewkoThe University of Texas at Austin
Tatsuaki OkamotoNTT
Amit SahaiUCLA
Katsuyuki TakashimaMitsubishi Electric
Brent WatersThe University of Texas at Austin
Functional Encryption
• Functionality f(x,y) – specifies what will be learned about ciphertext
xy
Application
Who should be able to read my data?
access policy
Attribute-Based Encryption [SW05]
Ciphertexts: associated with access formulas
Secret Keys: associated with attributes
(A Ç B) Æ C
{A, C}
Decryption:
{A, C} Message{A, C} satisfies (AÇB)ÆC
(A Ç B) Æ C
ABE Example
Medicalresearcher
OR
Doctor
AND
Hospital Y
AND
Company X
{Doctor, Hospital Z} {Nurse, Hospital Y}
ABE AlgorithmsMSK Public Params
Security Definition (ABE) [IND-CPA GM84]
Challenger AttackerPublic Params
MSK
Setup PhaseKey Query Phase I
S1
S1
S2S2
Challenge PhaseKey Query Phase II
Attacker must guess b
Si : set of attributes
Proving Security
Hard problem
ABE attackerSimulator
Hard problemABE
breaks ABE
Challenges in Proving Security
Simulator must:
• respond to key requests
• leverage attacker’s success on challenge
Partitioning
Previous approach for IBE – Partitioning [BF01, BB04, W05]
Key Space
Challenge
Key Requests
We hope:
Key Request
Key Request
Challenge
Key Request Abort
Challenge Abort
Partitioning with More StructureID0
ID0:ID1 ID0:ID2
ID0:ID1:ID3 ID0:ID2:ID4 ID0:ID2:ID5
HIBE:
Exponential security degradation in depth
ABE: ( A Ç B Ç C) Æ (A Ç D) …
Exponential security degradation in formula length
Previous Solutions
Selective Security Model:• Attacker declares challenge before seeing Public Parameters
• A weaker model of security
• To go to standard model by guessing –> exponential loss
Until recently, only results were in this model
Exception: Fully secure HIBE with polynomially many levels [G06, GH09]
Dual System Encryption [W09]
• New methodology for proving full security
• No partitioning, no aborts
• Simulator prepared to make any key and use any key as the challenge
Dual System Encryption
Normal
Semi-Functional
Normal Semi-FunctionalUsed in real system
Types are indistinguishable (with a caveat)
Hybrid Security ProofNormal keys and ciphertext
Normal keys, S.F. ciphertext
S.F. ciphertext, keys turn S.F. one by one Security now mucheasier to prove
Previously on Dual System Encryption…
• [W09] Fully secure IBE and HIBE
• [LW10] Fully secure HIBE with short CTs
• negligible correctness error• ciphertext size linear in depth of hierarchy
• no correctness error• CT = constant # group elements• closely resembles selectively secure scheme [BBG05]