Definitions for Predicate Encryption

Transcription

1 Definitions for Predicate Encryption Giuseppe Persiano Dipartimento di Informatica, Università di Salerno, Italy Thursday 12 th April, 2012 Cryptographic Proofs 1

2 Content Results on simulation-based definitions for Secure Predicate Encryption. Work in progress Joint with Manuel Barbosa, Angelo De Caro, Pooya Farshim, Vincenzo Iovino Cryptographic Proofs 2

3 Secure Encryption Scheme Informal: An encryption scheme is secure: An adversary, who knows the encryption algorithm and is given the cyphertext, cannot obtain any information about the cleartext. S. Goldwasser and S. Micali: Probabilistic Encryption and How To Play Mental Poker, STOC 82 Probabilistic Encryption, JCSS 84 Cryptographic Proofs 3

4 Formalization Syntax An Encryption Scheme is a tuple of 3 efficient and probabilistic algorithms: (Gen,E,D) 1 Gen(1 λ ) outputs public and secret keys (pk,sk) with security parameter λ; 2 E(pk, m) outputs ciphertext ct for plaintext m; 3 D(pk, ct, sk) outputs plaintext for ciphertext ct; Correctness: except with probability negligible in λ, if (pk,sk) Gen(1 λ ) then D(pk,E(pk,m),sk) = m Cryptographic Proofs 4

5 Formalization Game-based: (IND-Secure) A game between Adversary and C hallenger: Security Game with security parameter λ 1 C generates (pk,sk) Gen(1 λ ) and sends pk to A; 2 A(pk) returns two messages m 0 and m 1 of the same length; 3 C picks b {0,1} at random, computes ct = E(pk,m b ) sends ct to A; 4 A(pk,ct) outputs b ; Cryptographic Proofs 5

6 Formalization Game-based: (IND-Secure) Definitions 1 A wins if b = b 2 A breaks (Gen,E,D) if A wins with probability 1/2+1/poly(λ); 3 (Gen,E,D) is IND-Secure if no PPT A breaks it. Cryptographic Proofs 6

7 Formalization Simulation-based: (Semantic Security) Real world 1 (pk,sk) Gen(1 λ ); 2 (m,aux) A 0 (pk); 3 ct E(pk,m); 4 α A 1 (pk,ct,aux); Output: (pk,m,aux,α) Ideal world 1 (pk,sk) Gen(1 λ ); 2 (m,aux) A 0 (pk); 3 ct Sim(pk, m ); 4 α A 1 (pk,ct,aux); Output: (pk,m,aux,α) Cryptographic Proofs 7

8 Equivalence of the two notions Theorem (Goldwasser-Micali) (Gen, E, D) is Semantic-Secure iff it is IND-Secure. IND Security implies Semantic Security: Proof s sketch: Simulator computes ct = E(pk,m ) for an arbitrary message m of length m. Cryptographic Proofs 8

9 The original goal: An adversary, who knows the encryption algorithm and is given the cyphertext, cannot obtain any information about the cleartext (except for its length). New questions: Q: Can we control amount of information released by the ciphertexts? Q: Can we give different adversaries the ability to extract different bits of the plaintext? Q: Or compute different predicates of the plaintext? Cryptographic Proofs 9

10 Application scenario Reading s Alice keeps her on a public server. For privacy, messages are sent in encrypted form. Alice dowloads a message, decrypts it, and reads it. Searching s 1st try Alice wants to download all messages with subject=projectx. Alice dowloads all the messages, decrypts all of them, and selects the ones related to ProjectX. Cryptographic Proofs 10

11 Predicate Encryption Syntax Functionality F : K M {0,1} A Predicate Encryption scheme for F is a tuple of 4 efficient and probabilistic algorithms: (Setup, KeyGen, Encrypt, Eval) Predicate Encryption Scheme 1 Setup(1 λ ) outputs public and master secret keys (Pk,Msk) for security parameter λ 2 KeyGen(Msk,k) outputs token Tok k for k K 3 Encrypt(Pk, m) outputs ciphertexts Ct for plaintext m M 4 Eval(Pk,Ct,Tok k ) outputs F(k,m) Cryptographic Proofs 11

12 Game-based Security Notion Security Game with security parameter λ 1 C generates (Pk,Sk) Gen(1 λ ) and sends Pk to A; 2 A asks for tokens Tok k1,tok k2,...,tok kq1 for F(k 1, ),...,F(k q1, ). 3 A outputs two messages m 0 and m 1 of the same length; 4 C picks b {0,1} at random, computes Ct = Encrypt(Pk,m b ) sends Ct to A; 5 A asks for tokens Tok kq1 +1,...,Tok k q for F(k q1 +1, ),...,F(k q, ). 6 A outputs b ; Cryptographic Proofs 12

13 Game-based Security Notion Definitions 1 A wins if b = b and F(k i,m 0 ) = F(k i,m 1 ), i = 1,...,q 2 A breaks (Setup, KeyGen, Encrypt, Eval) if A wins with probability 1/2 + 1/poly(λ) 3 (Setup, KeyGen, Encrypt, Eval) is IND-Secure if no PPT A breaks it Cryptographic Proofs 13

14 Secure Encryption and Secure Predicate Encryption Observation Game-Based Secure Encryption [GM] is Game-Based Secure Predicate Encryption with K = {ǫ} and F(ǫ,m) = m. Cryptographic Proofs 14

15 Some functionalities Equality K = M = {0,1} l F(k,m) = 1 iff k = m [Boneh, Di Crescenzo, Ostrovsky, P Eurocrypt 2004] Hidden Vector Encryption M = {0,1} l,k = {0,1, } l F(k,m) = 1 iff k i = or k i = m i, i = 1,...,l. [Boneh, Waters TCC 2007] [Okamoto, Takashima Eurocrypt 2012] [De Caro, Iovino, P Pairing 2012] Obs: HVE implies Equality Cryptographic Proofs 15

16 Some functionalities Inner Product (Orthogonality) K = M = Z l n F(k,m) = 1 iff i k i m i = 0 (that is, k,m = 0). [Katz, Sahai, Waters Eurocrypt 2008] [Okamoto, Takashima Eurocrypt 2012] Proposition: Inner Product implies HVE [KSW] Cryptographic Proofs 16

17 Weakness of Game-Based Security [Boneh, Sahai, Waters TCC 11] Simple scheme for predicate encryption that was clearly insecure and nonetheless satisfied the Game-based security notion Time for a Simulation-Based Notion of Security. Cryptographic Proofs 17

18 Formalization Simulation-based: (Semantic Security) Informal Real world Ideal world (Pk,Sk) Setup(1 λ ); (Pk,Sk) Setup(1 λ ); (m,aux) A KeyGen(Sk, ) 0 (Pk); (m,aux) A KeyGen(Sk, ) 0 (Pk); Ct Encrypt(Pk,m); Ct Sim(Pk, m,(k i,f(k i,m)) q i=1 ); α A 1 (Pk,Ct,aux); α A 1 (Pk,Ct,aux); Output: (Pk,m,α) Output: (Pk,m,α) A 0 has asked and received tokens Tok ki for k i, i = 1,...,q Cryptographic Proofs 18

19 Our Formalization is different from [BSW] Some differences In the [BSW] definition: Pk of Ideal world generated by Simulator Adversary outputs several messages Adversary allowed to ask for tokens after seeing the ciphertext Cryptographic Proofs 19

20 Proof of equivalence breaks down Simulator computes Ct = Encrypt(Pk,m ) for an arbitrary message m of length m. Adversary A 0 : aux includes (Tok ki,f(k i,m)), for i = 1,...,q. Adversary A 1 : Real world: Eval(Pk,Ct,Tok ki ) = F(k i,m), i = 1,...,q Ideal world: Eval(Pk,Ct,Tok ki ) = F(k i,m ), i = 1,...,q Different unless F(k i,m) = F(k i,m ), i = 1,...,q. Cryptographic Proofs 20

21 Pre-image samplability Functionality F : K M {0,1} is PS if there exists an efficient sampler Sam such that for all efficient adversaries A: Adversary A: output: l,(k i,b i ) q i=1, with k i K, i = 1,...,q Sampler Sam: input: l,(k i,b i ) q i=1 output: Message m M s.t. F(k i,m) = b i, i = 1,...,q and m = l Similar to PS of O Neil. Cryptographic Proofs 21

22 Pre-image samplability The simulator Sim input: (Pk, m,(k i,f(k i,m)) q i=1 ) run Sam on input m,(k i,f(k i,m)) q i=1 ) receive m output ct = Encrypt(Pk,m ) Proposition: If a functionality F is PS then Semantic and Game-Based security coincide. Proof from [O Neil] Notice: converse does not seem to hold Cryptographic Proofs 22

23 Inner-Product is PS Sampler Sam: input: ( y i,b i ) q i=1, y i Z l n solve: y i, x = b i i = 1,...,q for x Z l n Corollary: The Okamato-Takashima construction for Inner Product is Semantically Secure. Cryptographic Proofs 23

24 Hidden Vector Encryption K = {0,1, } l and M = {0,1} l For y K and x M { 1, if for each i, y i = or x i = y i ; Match( y, x) = 0, otherwise; Examples y = (1,0,,0,1) x = (0,1,0,0,1) Match( y, x) = 0 y does not match x y = (0,1,,1,0) x = (0,1,0,1,0) Match( y, x) = 1 y matches x Cryptographic Proofs 24

25 If HVE is PS then 3SAT can be efficiently decided Let Sam be a sampler for HVE. Given Φ, m-clause n-variable formula in 3CNF, we can construct (( y 1,b 1 ),...,( y m,b m )) such that x = Sam(( y 1,b 1 ),...,( y m,b m )) is a satisfying truth assignment for Φ Cryptographic Proofs 25

26 If HVE is PS then 3SAT can be efficiently decided Φ = (x 1 x 2 x 3 ) ( x 1 x 3 x 5 ) (x 13 x 21 x 34 ) C 1 C 2 C m ( ) y 1 = n ( ) y 2 = n b 1 = 0 b 2 = 0. y m = ( n ) b m = 0 Cryptographic Proofs 26

27 If HVE is PS then 3SAT can be efficiently decided Let x = (x 1,...,x n ) be the output of Sam. Match( y 1, x) = 0 (x 1,x 2,x 3 ) (0,0,0) C 1 is satisfied Match( y 2, x) = 0 (x 1,x 3,x 5 ) (1,1,0) C 2 is satisfied Match( y m, x) = 0 (x 13,x 21,x 34 ) (0,1,0) C m is satisfied x satisfies Φ Cryptographic Proofs 27

28 IP implies HVE [KSW] There exist two poly-time reductions RMess, RTok: for all x {0,1} l and y {0,1, } l Match( y, x) = 1 iff RMess( x),rtok( yy) = 0 Notice: RMess( x),rtok( yy) Z 2l n Cryptographic Proofs 28

29 Semantically Secure HVE HVE.Setup(1 λ ) := IP.Setup(1 λ ) HVE.Encrypt(Pk, x) := IP.Encrypt(Pk, RMess( x)) HVE.KeyGen(Pk, y) := IP.KeyGen(Pk, RTok( y)) HVE.Test(Pk, Ct, Tok) := IP.Test(Pk, Ct, Tok) Simulator input: (Pk, m,( yy i,b i ) q i=1 ) run Sam for IP and obtain xx IP.Encrypt(Pk, xx) Cryptographic Proofs 29

30 Robust Predicate Encryption Informal: A Robust Predicate Encryption scheme for F : K M {0,1} is a tuple of 5 efficient and probabilistic algorithms: (Setup, KeyGen, Encrypt, Eval, Validate) s.t. Validate(Pk,Ct) = 1 implies m M s.t. 1 Ct = Encrypt(Pk, m) 2 for all k K, Test(Ct,Tok k ) = F(k,m) IP does not give Robust HVE Cryptographic Proofs 30

31 Robust Predicate Encryption Theorem If there exists a Semantically Secure Robust Predicate Encryption scheme for F : K M {0,1} then F is PS. Ideal world (Pk,Sk) Setup(1 λ ); (m,aux) A KeyGen(Sk, ) 0 (Pk); Ct Sim(Pk, m,(k i,f(k i,m)) q i=1 ); α A 1 (Pk,Ct,aux); Output: (Pk,m,α) Ct = Encrypt(Pk,m ) Test(Tok ki,ct ) = F(k i,m ) A 0 keeps tokens in aux Test(Tok ki,ct ) = F(k i,m) F(k i,m) = F(k i,m ) PS is necessary and sufficient for Robust Predicate Encryption Cryptographic Proofs 31

32 Corollary If HVE has a Semantically Secure Robust Predicate Encryption scheme then 3SAT can be decided efficiently Notice: even for single message and token non-adaptive adversaries (A 1 does not ask for tokens). Cryptographic Proofs 32

33 What now? What now? 1 weaken the adversary 2 strengthen the simulator Cryptographic Proofs 33

34 HVE is 1-PS Sam(( y 1,1),...,( y q,1)) Observation: if y i1,j,y i2,j then y i1,j = y i2,j Corollary: Semantically Secure and Robust HVE for adversaries A 0 restricted to output x s.t. F( y i, x) = 1, i = 1,...,q Cryptographic Proofs 34

35 q-bounded adversaries (Setup, KeyGen, Encrypt, Eval) game-based secure w.r.t. to q-bounded adevrsaries for functionality: K set of n-input circuits, M = {0,1} n F(C,m) = C(m) Cryptographic Proofs 35

36 New functionality M = ({0,1} n { }) {0,1} n... {0,1} n } {{ } q times K = K {0,1} n 1, if m i = r for some i F ((C,r),(m,m 1,...,m q )) = 0, if m = C(m), otherwise For randomly chosen r,m 1,...,m q, F ((C,r),(m,m 1,...,m q )) = F(C,m) except with negligible probability Cryptographic Proofs 36

37 F is PS The sampler Sam input: ((C 1,r 1 ),b 1 ),...,((C q,r q ),b q ) output: m = (,m 1,...,m q ) { r i, if b i = 1 m i =, if b i = 0 Notice: i = 1,...,q. F ((C i,r i ),m) = b i Cryptographic Proofs 37

38 Giving more power to the Simulator Simulator gets the secret key No problem in [GM] Real world Ideal world (Pk,Sk) Setup(1 λ ); (Pk,Sk) Setup(1 λ ); (m,aux) A KeyGen(Sk, ) 0 (Pk); (m,aux) A KeyGen(Sk, ) 0 (Pk); ct E(Pk,m); ct Sim(Pk,Sk, m,(k i,f(k i,m)) q i=1 ); α A 1 (pk,ct,aux); α A 1 (Pk,ct,aux); Output: (Pk,m,α) Output: (Pk,m,α) Cryptographic Proofs 38

39 Simulator gets the secret key Robust Semantic Security for F does not imply F is PS Robust Semantically Secure HVE 1 Pk has a CRS 2 IP + NIZK that plaintext is from reduction on input x {0,1} l 3 Secret key has trapdoor for CRS 4 Simulator uses IP s sampler and fakes the NIZK proof Cryptographic Proofs 39

40 Giving more power to the Simulator Simulator gets the tokens Real world Ideal world (Pk,Sk) Setup(1 λ ); (Pk,Sk) Setup(1 λ ); (m,aux) A KeyGen(Sk, ) 0 (Pk); (m,aux) A KeyGen(Sk, ) 0 (Pk); ct E(Pk,m); ct Sim(Pk, m,(f(k i,m),tok i ) q i=1 ); α A 1 (pk,ct,aux); α A 1 (Pk,ct,aux); Output: (Pk,m,α) Output: (Pk,m,α) Cryptographic Proofs 40

41 Giving too much power to the Simulator F(k,m) = f k (m) where {f k } be a family of one-way trapdoor permutations. Setup(1 λ ) (k,τ k ) TPD.Gen(1 λ ) (pk,sk) PKE.Setup(1 λ ) Pk = (pk,k) Msk = (sk,τ k ) return (Pk, Msk) Encrypt(pk, m) return PKE.Encrypt(pk) KeyGen(k, Msk) return Msk Eval(Ct,Tok k ): (sk,τ k ) Tok k m = PKE.Decrypt(Ct, sk) return f k (m) Cryptographic Proofs 41

42 The simulator ct Sim(Pk, m,(f(k i,m),tok i ) q i=1 ) q = 0,1 if q = 0 Easy encrypt any message if q = 1 F(k,m) = f k (m) and Tok 1 = (sk,τ k ) get m from f k (m) and encrypt it Cryptographic Proofs 42

43 Thank you Cryptographic Proofs 43

44 References: Boneh, Sahai, Waters: Functional Encryption: Definitions and Challenges, TCC 2011 Unconditional impossibility results for multimessage and token adaptive O Neil: Definitional Issues in Functional Encryption, Cryptology eprint 2010/556 Pre-image Samplability Work in progress: Manuel Barbosa, Angelo De Caro, Pooya Farshim, Vincenzo Iovino, GP. Cryptographic Proofs 44