Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings

Transcription

1 Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings Nuttapong Attrapadung, Shota Yamada AIST, 2015

2 Our Main Results in One Slide Instantiations: The first fully secure Generic dual conversion for ABE CP-ABE with short key CP-ABE all-unbounded (for boolean formulae, span programs)

3 1 Introduction

4 Attribute Based Encryption (ABE) ABE for predicate R: X Y {0,1} Key for x X Decrypt Ciphertext for y Y (encrypt m) m? if R(x,y)=1 if R(x,y)=0

5 A Predicate Its Dual Predicate R: X Y {0,1} R: Y X {0,1} R(y,x) := R(x,y)

6 Key-Policy ABE Ciphertext-Policy ABE R: P A {0,1} R: A P {0,1} Key for Ciphertext for Key for Ciphertext for policy p P attribute a A attribute a A policy p P R(p,a) iff p satisfies a R(a,p) iff p satisfies a

7 Motivation KP-ABE, CP-ABE Definitions: directly related. Constructions: NO known relation. Can we generically convert an ABE to its dual? So that we would only construct KP, and get also CP. Might be difficult? Historically, CP [BSW07, Waters11] was harder to achieve than KP [GPSW06].

8 Related Work for Dual Conversion Converting KP-ABE for boolean formulae predicate Small classes of predicates Its dual CP: only for bounded-size formulae [GJPS08]. Converting KP-ABE for all boolean circuits Implies general predicates, but must start with ABE for circuits. Its dual CP: only for bounded-size circuits [GGHSW13]. Due to the use of universal circuits. Summary: less expressivity, and much less efficient.

9 Our Focus Goal: Generic dual conversion for any predicate. Preserving full security, expressivity, and efficiency. Tool: Use a generic ABE framework of [A14]. An abstraction of dual-system encryption [Waters09] for achieving fully-secure ABE. [A14] N. Attrapadung, Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More, Eurocrypt 2014.

10 2 Our Result Overview

11 Our Main Result: Dual Conversion Fully secure ABE for arbitrary R Generic Conversion Fully secure ABE for its dual, R Restricted to ABE In the pair encoding framework [A14].

12 Recall The Pair Encoding Framework Main Theorem in [A14] Pair Encoding for predicate R Generic Conversion Fully secure ABE for R If pair encoding is Perfectly secure or Doubly selectively secure.

13 Our Main Result: More Precisely Doubly selective pair encoding for arbitrary R Generic Conversion Doubly selective pair encoding for its dual, R

14 The Only Previous Dual Conversion A Side Result in [A14] Perfectly secure pair encoding for arbitrary R Generic Conversion Perfectly secure pair encoding for its dual, R

15 Implications: Solving Open Problems Perfectly secure encodings known KP, CP boolean formula with some bounds [LOSTW10, W14, A14] spatial, inner-product, No fully-secure ABE known before Doubly selective encodings known KP unbounded boolean formula KP short-ciphertext for boolean formula KP over doubly-spatial KP regular languages CP regular languages [all in A14] [NEW! all implied by this work] CP unbounded boolean formula CP short-key for boolean formula CP over doublyspatial

16 3 Recall Pair Encoding

17 Recall Pair Encoding and ABE [A14] Pair Encoding for R ABE for R Param h PK=(g 1 h, e(g 1,g 1 ) α ), MSK=α Enc1(x) k x (α,r,h) SK=g 1 kx(α,r,h) Enc2(y) c y (s,h) CT=(g 1 cy(s,h), e(g 1,g 1 ) αs 0 M) Pair(k x,c y ) αs 0 Dec e(g 1,g 1 ) αs 0 if R(x,y)=1 if R(x,y)=1 s 0 = first entry in s. Require some linearity properties. Use composite-order bilinear groups. (Neglect details here).

18 Security Definitions of Pair Encoding Perfect security Identical (info-theoretic) { k x (0, r, h) k x (α, r, h) c y ( s,h) for R(x,y)=0 Doubly selective security Cannot distinguish { g 2 k x(0, r,h) g 2 kx(α, r,h) g 2 cy( s,h) for R(x,y)=0 Selective notion: queries c before k. Co-selective notion: queries k before c. ( then ) ( then )

19 Intuition Behind Pair Encoding Security Switch Keys from Normal to Semi-functional [A14] normal K semi-1 K1 semi-2 K2 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg ^ k(0, r,h) ^ 1 2 g k(α,r,h) ᐧg ^ ^ k(α, r,h) ^ 1 2 Subgroup Decision Security of encoding 1 2 semi-3 K3 ^ g 1 k(α,r,h) ᐧg 2 k(α,0,0) Subgroup Decision Only for self-containment, will not use here.

20 4 Our Conversion

21 Basic Idea for Dual Conversion Encoding for R Encoding for R Enc1 maps x X Enc1 maps y Y defined using Enc2 Enc2 maps y Y Enc2 maps x X defined using Enc1

22 Our Dual Conversion Encoding for R Encoding for R Param h Param h = (h,b) Enc1 k x (α,r,h) Enc1 k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2 c y (s,h) Enc2 c x (r,h) = ( k x (bs 0,r,h), s 0 ) where s = s r = (s 0, r)

23 Our Dual Conversion Encoding for R Encoding for R Param h Param h = (h,b) Enc1 k x (α,r,h) Enc1 k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2 c y (s,h) Enc2 c x (r,h) = ( k x (bs 0,r,h), s 0 ) Pair(k x,c y ) = αs 0 Pair: Pair(k x,c y ) = bs 0 s 0 (α+bs 0 ) (s 0 ) - bs 0 s 0 = αs 0 where s = s r = (s 0, r)

24 Our Dual Conversion The same conversion as in [A14]. [A14] only proved for the perfectly secure encodings. We make it work also for doubly secure encodings.

25 Our New Theorems Encoding for R is selective then Encoding for R is co-selective Encoding for R is co-selective then Encoding for R is selective Intuition: Swap key/cipher encodings Query order is reversed. Hence selective becomes co-selective (and vice versa).

26 Difficulty in Proving Theorems Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

27 Difficulty in Proving Theorems Encoding for R Encoding for R { k x (0,r,h) Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Given IND here Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

28 Difficulty in Proving Theorems Encoding for R Encoding for R { k x (0,r,h) { k y (0,s,h) Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Given IND here Goal: to prove IND here. But it totally differs from k x. Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

29 Proof Idea Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

30 Proof Idea Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

31 Proof Idea Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

32 Proof Idea Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) But this becomes unknown, too. Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

33 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

34 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) SI M define b on unknown α Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

35 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α cancellation of two unknowns! Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) SI M define b on unknown α Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

36 New Instantiations KP-ABE [A14] all-unbounded for span programs Apply Conversion CP-ABE all-unbounded for span programs KP-ABE [A14] short-ciphertext for span programs Apply Conversion CP-ABE short-key for span programs Doubly selective secure under some Extended DH Exponent assumptions [A14].

37 5 Concluding Remarks

38 More Results Dual-Policy ABE Conjunctively combine ABE and its dual [AI09]. We also provide a conversion from ABE to DP-ABE. More refinement: New specific CP-ABE with tighter reduction. Full version at

39 Thank you

40 Intuition Behind Pair Encoding Security Switch Keys from Normal to Semi-functional [A14] normal K semi-1 K1 semi-2 K2 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg ^ k(0, r,h) ^ 1 2 g k(α,r,h) ᐧg ^ ^ k(α, r,h) ^ 1 2 Subgroup Decision Security of encoding 1 2 semi-3 K3 ^ g 1 k(α,r,h) ᐧg 2 k(α,0,0) Subgroup Decision Only for self-containment, will not use here.

41 Revocable Hierarchical Identity-Based Encryption: History-Free Update, Security Against Insiders, and Short Ciphertexts 1 2 Jae Hong Seo and Keita Emura 1. Myongji University, Korea 2. NICT, Japan #RSAC

42 Contents #RSAC Identity-based encryption with revocation (RIBE) Trivial Way (by Boneh and Franklin 2001) Scalable construction (by Boldyreva, Goyal, and Kumar, 2008) Revocable Hierarchical IBE (RHIBE): CT-RSA 2013, Seo and Emura History-preserving updates approach Security against outsider Long-size ciphertext (ciphertext size depends on the level of hierarchy) Our RHIBE Constructions History-free updates approach Security against insider Constant-size ciphertext (in terms of the hierarchy level) 2

43 #RSAC Identity-Based Encryption and Revocation 3

44 Identity-Based Encryption (IBE) #RSAC Publish mpk 1 time download KGC Issue sk Bob@rsa.com Enc(mpk,, M) Sender Receiver 4

45 Identity-Based Encryption (IBE) #RSAC Publish mpk 1 time download KGC Enc(mpk,, M) Issue sk Bob@rsa.com How to revoke Bob s secret key? Sender Receiver 5

46 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Bob@rsa.com Sender 6 Receiver

47 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Bob@rsa.com Enc(mpk, T, M) Sender Receiver 7

48 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Issue sk T if is not revoked on time T. Bob@rsa.com Enc(mpk, T, M) Sender Receiver 8

49 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity Sender KGC Issue sk if is not revoked on time T. Bob@rsa.com Problem: The overhead on KGC is Enc(mpk, T, M) linearly increased in the number of users (O(N-R)) 9 T Receiver

50 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download KGC Issue sk Bob@rsa.com Enc(mpk,, T, M) Sender Receiver 10

51 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk Bob@rsa.com Enc(mpk,, T, M) Sender Receiver 11

52 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk Bob@rsa.com Enc(mpk,, T, M) Only non-revoked users can generate a decryption key dk, T from ku T and sk Sender 12 Receiver

53 Revocation Capability in IBE: Boldyreva et al. Only log-size Overhead!! (NNL: Naor-Naor-Lotspiech, O(Rlog(N/R))) Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk Bob@rsa.com #RSAC Enc(mpk,, T, M) Only non-revoked users can generate a decryption key dk, T from ku T and sk Sender 13 Receiver

54 Broadcast Encryption (BE) Technique Complete Subtree (CS) #RSAC Each user is assigned to a node u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 We consider a binary tree kept by KGC 14

55 Broadcast Encryption (BE) Technique Complete Subtree (CS) Each user is issued secret keys on the path to the root node by KGC (sk ) #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 U 3 has secret keys on the path to the root node 15

56 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 16

57 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 17

58 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 18

59 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users Contain node information which is determined by who will be revoked #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 19

60 Broadcast Encryption (BE) Technique Complete Subtree (CS) #RSAC From log N size public information ku T, only non-revoked users can extract useful information. dk T sk and ku T u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 U 3 has secret keys on the path to the root node 20

61 Scalable Revocable IBE First construction A. Boldyreva, V. Goyal, and V. Kumar. Identity-based encryption with efficient revocation. In ACM CCS 2008 First adaptive secure scheme B. Libert and D. Vergnaud. Adaptive-ID secure revocable identity-based encryption. In CT-RSA Considering decryption key exposure resistance J. H. Seo and K. Emura. Revocable identity-based encryption revisited: Security model and construction. In PKC An adversary is allowed to obtain #RSAC SD-based construction K. Lee, D. H. Lee, and J. H. Park. Efficient revocable identity-based encryption via subset difference methods, eprint.iacr.org/2014/132,

62 #RSAC Revocable Hierarchical IBE (RHIBE) 22

63 Revocable Hierarchical IBE (RHIBE) A low-level user can stay in the system only if her parent also stays in the current time period. subkey 1 First-level users have O(log N)-size KGC secret key (as in RIBE) skid 1 = subkey logn Second-level users have log N subkeys for each parent's subkey (in total (log N) 2 -size subkeys) skid 2 = subkey 1 *subkey 1 #RSAC subkey 1 *subkey logn One of subkeys will be used for computing kut. subkey logn *subley logn Trivial combination of RIBE and HIBE will result in an impractical scheme with an exponential number of secret keys 23

64 Revocable Hierarchical IBE (RHIBE) The first RHIBE scheme with polynomial size secret keys (Seo-Emura, CT-RSA 2013) skid 2 = Asymmetric trade between secret key size and generating time for secret key A parent gives half-computed subkeys, and children generate suitable subkeys subkey 1 *subkey 1 subkey 1 *subkey logn subkey logn *subley logn (log N) 2 -size subkeys skid 2 = subkey 1 subkey logn subkey 1 Product of partial keys (log N) 2 -size subkeys subkey logn 2(log N)-size half-computed subkeys #RSAC 24

65 Revocable Hierarchical IBE (RHIBE) The first RHIBE scheme with polynomial size secret keys (Seo-Emura, CT-RSA 2013) Asymmetric trade between secret key size and generating time for History-preserving secret key key updates For the A parent calculation, gives a half-computed child needs to know subkeys, and children generate suitable which subkeys partial key of the ancestor was used in each time period. Product of subkey 1 *subkey subkey 1 1 partial keys skid Such 2 = information subkey 1 *subkey is also announced in the subkey logn logn skid 2 = (log N) subkey 2 -size key updates 1 subkeys subkey logn *subley logn subkey logn (log N) 2 -size subkeys 2(log N)-size half-computed subkeys #RSAC 25

66 Our Contribution History-Free Update Low-level users do not need to know what ancestors did during key updates. Security Against Insiders An adversary is allowed to obtain state information Short Ciphertexts Constant-size ciphertext in terms of the level of hierarchy Two constructions: Shorter secret keys and ciphertexts Complete Subtree (CS) Subset Difference (SD) KGC #RSAC 26

67 Main Idea for History-Free Update R(H)IBE: KGC (or a parent user) issues a long-term secret key sk ID using msk (or sk parent-id ). KGC (or a parent user) broadcasts key update information ku T which is computed by msk (or sk parent-id ). A (child) user can generate the decryption key dk ID,T from sk ID and ku T if he/she is not revoked at time T. Two situations are equivalent: A user ID is not revoked at time T The user can generate the decryption key dk ID,T Re-define the key update algorithm #RSAC 27

68 Main Idea for History-Free Update Previous syntax #RSAC Our modification No parent secret key is required (for history-free approach) State information takes a role of the delegation key dk is used instead of sk and ku 28

69 Main Idea for History-Free Update Previous syntax #RSAC Our modification The secret key is used only for generating the decryption key dk. No parent secret key is required (for history-free approach) State information takes a role of the delegation key Low-level users do not need to know what ancestors did during key updates. dk is used instead of sk and ku 29

70 Proposed RHIBE Scheme (CS) Based on the BBG HIBE scheme BBG HIBE (ID) + Boneh-Boyen IBE (Time) Give a reduction to the BBG HIBE scheme. [BBG05] Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. EUROCRYPT (Boneh-Boyen hash) If ID k is not revoked, then there exists the same θ (CS method) #RSAC BBG HIBE (ID) 30 BB IBE (Time) With re-randomization for decryption key exposure resistance

71 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC 31 revoked

72 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC Key Update info contains information about a point f v 3 (w ) 32 revoked

73 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC The secret key sk u3 contains information about a point f v 3 (w) Key Update info contains information about a point f v 3 (w ) 33 revoked

74 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC The secret key sk u3 contains information about a point f v 3 (w) Key Update info contains information about a point f v 3 (w ) Using Lagrange interpolation, u3 can recover f v 3 (x) but u5 and u6 do not. 34 revoked

75 Proposed RHIBE Scheme (SD) #RSAC The main part is the same as that of the LLP RIBE scheme. K. Lee, D. H. Lee, and J. H. Park. Efficient revocable identity-based encryption via subset difference methods, eprint.iacr.org/2014/132, One difference is: we introduce the false master key for historyfree construction so that sk does not contain the master key α See the paper for details 35

76 Comparison #RSAC 36

77 Comparison #RSAC DBDH q-weak Bilinear Diffie-Hellman Inversion 37

78 Conclusion and Future work #RSAC RHIBE: History-free update, insider security, short ciphertext, and DKER The reduction to the underlying HIBE requires the challenge identity for the security proof. Adaptive-ID secure RHIBE under a static assumption with these desirable properties 38