Compact Adaptively Secure ABE for NC1 from k-Lin

Compact Adaptively Secure ABE for NC1 from k-Lin Lucas Kowalczyk Hoeteck Wee

Public-Key Encryption skBob Alice Bob

Attribute-Based Encryption CS Dept PhD US Citizen Alice Bob

Attribute-Based Encryption OR AND AND CS Dept. Tall Dark Handsome PhD Alice

Attribute-Based Encryption OR AND AND 212-555-1234 CS Dept. Tall Dark Handsome PhD Alice

Attribute-Based Encryption OR AND AND 212-555-1234 CS Dept. Tall Dark Handsome PhD U up? 212-555-1234 Alice SK: PhD, CS Dept, US Citizen

Attribute-Based Encryption OR AND AND 212-555-1234 CS Dept. Tall Dark Handsome PhD Alice SK: CS Dept, Tall SK: PhD, Short

(Ciphertext-Policy) Attribute-Based Encryption (CP-ABE). Diagram labels: policy f (OR AND AND; CS Dept., Tall, Dark Handsome, PhD); ciphertext ct_f; Alice; secret key sk_x with x = “PhD, CS Dept”

CP-ABE Security Game: (Adaptive). Requirement: f(x) = 0 for all x. Diagram labels: pk; x, sk_x; m_0, m_1, f; Enc_{pk,f}(m_b); Adversary; x, sk_x

CP-ABE Security Game: (Selective). Requirement: f(x) = 0 for all x. Diagram labels: pk; x, sk_x; m_0, m_1, f; Adversary; Enc_{pk,f}(m_b); x, sk_x

Computational Hardness Assumptions: Static (DDH) Parameterized (q-wBDDH)

ABE State of the art: [LOSTW10] Adaptive Security Static Assumption Monotone Boolean Span Programs OR AND AND CS Dept. Tall Dark Handsome PhD

ABE State of the art: [LOSTW10] Adaptive Security Static Assumption Read-Once Monotone Boolean Span Programs OR AND AND CS Dept. Tall Dark Handsome PhD

ABE State of the art: [LOSTW10] Adaptive Security Static Assumption Read-Once Monotone Boolean Span Programs OR AND AND Tall Dark Handsome PhD Tall

ABE State of the art: [LOSTW10]: Adaptive Security, Static Assumption, Read-Once Monotone Boolean Span Programs (diagram: OR AND AND Tall Dark Handsome PhD Tall). Problem: Read-Once Boolean Formulas is an extremely small function class

[LOSTW10] – “One-Use Restriction” Workaround
Given: CP-ABE with one-use restriction
- For each attribute a1, …, an desired in a multi-use system, create m copies: a1:1, a1:2, ..., a1:m, a2:1, ..., a2:m, ..., an:1, ..., an:m to be used in the one-use system.
- Associate each copy with unique use in a policy
- Treat all m “meta-attributes” as a bundle in secret keys
Downside: secret keys + public parameters now grow with parameter m! m is a parameter related to f used in ciphertext! Violates compactness

[LOSTW10] – “One-Use Restriction” Workaround
(Major open problem in Attribute-Based Encryption) No known (compact) ABE scheme for Boolean formulas that is adaptively secure from a static assumption
Despite much follow-up work in ABE construction technology ([OT10], [OT12], [LW12], [Attr14], [Wee14], [KL15], [CGW15], [Att16], [AC17], [CGKW18], to name a few) as well as solutions that sacrifice adaptive security from a standard assumption [GPSW06, GVW13] [LW12, GGHZ14]

Our Contribution: First (compact) ABE scheme for Boolean formulas that is adaptively secure from a static assumption: the k-Lin Assumption
k = 1: Symmetric External Diffie-Hellman (SXDH)
k = 2: Decisional Linear Assumption (DLIN)

Building Block: (Linear) Secret Sharing for Boolean Formulas
Diagram: OR AND AND; leaves Tall, Dark, PhD, CS Dept.
- The root (OR) wire carries v
- OR: both child wires carry v
- AND: the child wires carry v + r1 and -r1 (first AND), v + r2 and -r2 (second AND)
- Shares: λ1 = v + r1, λ2 = -r1, λ3 = v + r2, λ4 = -r2
- Given λ1 = v + r1 and λ2 = -r1: the root wire is v
- Given λ1 = v + r1 and λ4 = -r2: the root wire and both OR child wires are “?”
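
Added example (not from the slides): the sharing and reconstruction rules of the building block, over a prime field, for the OR-of-two-ANDs formula in the diagram. The modulus P, the tuple encoding of the formula and the helper explain_as are assumptions of this example; explain_as shows why λ1 and λ4 alone are consistent with every candidate secret.

```python
import secrets

P = 2**61 - 1  # prime modulus (assumption: the slides do not fix a field)

# Constructed formula matching the slide diagram: OR of two AND gates.
FORMULA = ("or",
           ("and", ("leaf", "Tall"), ("leaf", "Dark")),
           ("and", ("leaf", "PhD"), ("leaf", "CS Dept.")))


def share(node, v, rand=lambda: secrets.randbelow(P)):
    """Return [(attribute, share)] in leaf order for the value v on node's wire."""
    kind = node[0]
    if kind == "leaf":
        return [(node[1], v % P)]
    if kind == "or":                       # OR: both children carry v
        return share(node[1], v, rand) + share(node[2], v, rand)
    if kind == "and":                      # AND: children carry v + r and -r
        r = rand()
        return share(node[1], v + r, rand) + share(node[2], -r, rand)
    raise ValueError(f"unknown gate {kind!r}")


def reconstruct(node, shares, attrs):
    """Recover the root value from the shares whose attribute is in attrs, else None."""
    it = iter(shares)

    def walk(n):
        if n[0] == "leaf":
            attr, lam = next(it)
            return lam if attr in attrs else None
        left, right = walk(n[1]), walk(n[2])   # visit both so `it` stays aligned
        if n[0] == "or":
            return left if left is not None else right
        if left is None or right is None:      # AND needs both children
            return None
        return (left + right) % P

    return walk(node)


def explain_as(lam1, lam4, candidate):
    """Randomness (r1, r2) under which `candidate` produces the same lam1 and lam4."""
    return (lam1 - candidate) % P, (-lam4) % P


if __name__ == "__main__":
    shares = share(FORMULA, 42)
    print(reconstruct(FORMULA, shares, {"Tall", "Dark"}))      # authorized set
    print(reconstruct(FORMULA, shares, {"Tall", "CS Dept."}))  # unauthorized set
```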

[LOSTW10]: Core Idea Ciphertextf:

[LOSTW10]: Core Idea Each attribute Ciphertextf:

[LOSTW10]: Core Idea Each attribute Ciphertextf: Secret Keyx:

[LOSTW10]: Core Idea Each attribute single-use case: Ciphertextf: Secret Keyx:

Ciphertextf: Secret Keyx:

Ciphertextf: Secret Keyx: Computationally-secure encryption has guarantees across multiple messages (with same ) BUT guarantee cannot be “rewound”: need to know which are hidden at ciphertext creation. Solution: guess ahead of time

Ciphertextf:

Ciphertextf: alternative: hybrid over n keys Secret Keyx:

Ciphertextf: alternative: hybrid over n keys hybrid steps guesses Secret Keyx: main idea: reduce size of guess needed by using a delicate hybrid sequence, resulting in polynomial security loss

Adaptively Secure Yao Secret Sharing for NC1 [JKKKPW17] AND AND x1 x2 x1 x4

Hybrid Sequence: inspired by [JKKKPW17] “pebbling” OR AND AND x1 x2 x1 x4

Hybrid Sequence: inspired by [JKKKPW17] “pebbling” For every unauthorized input x, there is a sequence of pebbling configurations that obeys the pebbling rules and ends with a single pebble on the output node OR AND AND x1 x2 x1 x4 1 1

Hybrid Sequence: inspired by [JKKKPW17] “pebbling”
Pebble(G):
1. If G = AND gate, let G_C be the first child gate with output wire 0. Pebble(G_C), place pebble on G, then Reverse(Pebble(G_C))
2. If G = OR gate, Pebble(G_L), Pebble(G_R), Reverse(Pebble(G_L)), Reverse(Pebble(G_L))
3. If G = input gate, place pebble on G
(Diagram: OR AND AND x1 x2 x1 x4 1 1)
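
Added example (not from the slides): Pebble(G) run on the diagram's formula OR(AND(x1, x2), AND(x1, x4)) for a constructed unauthorized input, with a replay that checks every move and reports the final configuration and the peak number of pebbles. Assumptions: the slide refers to the pebbling rules without listing them, so replay uses these (an input gate may be toggled only if x_i = 0, an AND gate if some child is pebbled, an OR gate if every child is pebbled); for an OR gate the example places the pebble on G after both children and then reverses both children; node ids are paths from the root.

```python
# Nodes: ("in", name) | ("and", left, right) | ("or", left, right).
# Constructed input: the slide's formula with x1 = 1, x2 = 0, x4 = 0, so f(x) = 0.
FORMULA = ("or", ("and", ("in", "x1"), ("in", "x2")),
                 ("and", ("in", "x1"), ("in", "x4")))
X = {"x1": 1, "x2": 0, "x4": 0}


def evaluate(node, x):
    if node[0] == "in":
        return bool(x[node[1]])
    left, right = evaluate(node[1], x), evaluate(node[2], x)
    return (left and right) if node[0] == "and" else (left or right)


def index(node, path="root", table=None):
    """Map each node id (its path from the root) to (node, ids of its children)."""
    table = {} if table is None else table
    kids = () if node[0] == "in" else (path + ".L", path + ".R")
    table[path] = (node, kids)
    for child, kid in zip(node[1:], kids):
        index(child, kid, table)
    return table


def pebble(node, x, path="root"):
    """Pebble(G) as a list of node ids to toggle; node must evaluate to 0 on x."""
    if node[0] == "in":                                  # rule 3
        return [path]
    if node[0] == "and":                                 # rule 1
        side = "L" if not evaluate(node[1], x) else "R"  # first child with output 0
        sub = pebble(node[1 if side == "L" else 2], x, f"{path}.{side}")
        return sub + [path] + sub[::-1]
    sub_l = pebble(node[1], x, path + ".L")              # rule 2
    sub_r = pebble(node[2], x, path + ".R")
    return sub_l + sub_r + [path] + sub_l[::-1] + sub_r[::-1]


def pebbling_sequence(formula, x):
    if evaluate(formula, x):
        raise ValueError("Pebble(G) is only defined for unauthorized x (f(x) = 0)")
    return pebble(formula, x)


def replay(formula, x, moves):
    """Apply the moves under the pebbling rules; return (final pebbles, peak count)."""
    table, pebbled, peak = index(formula), set(), 0
    for move in moves:
        node, kids = table[move]
        if node[0] == "in":
            legal = not x[node[1]]                       # input gate: only if x_i = 0
        elif node[0] == "and":
            legal = any(k in pebbled for k in kids)      # AND: some child pebbled
        else:
            legal = all(k in pebbled for k in kids)      # OR: every child pebbled
        if not legal:
            raise ValueError(f"illegal move on {move}")
        pebbled ^= {move}                                # toggle: place or remove
        peak = max(peak, len(pebbled))
    return pebbled, peak


if __name__ == "__main__":
    moves = pebbling_sequence(FORMULA, X)
    print(len(moves), replay(FORMULA, X, moves))
```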

Hybrid Sequence: inspired by [JKKKPW17] “pebbling”
Properties of Pebble(G):
1. Each sequence is of length at most O(2d)
2. Each configuration in such a sequence can be described by O(lg s * d) bits [JKKKPW17]; O(d) [KW18]
Labels: hybrid steps, guesses
(Diagram: OR AND AND x1 x2 x1 x4)

Summary: Improved upon pebbling-based argument of [JKKKPW17] to show adaptive security of Yao Secret Sharing for NC1 circuits with polynomial security loss. Used secret sharing security within Dual System proof à la [LOSTW10] to get ABE for NC1 with security from k-Lin Assumption. Provide Key and Ciphertext-Policy constructions, as well as unbounded variants.

Looking Forward:
- adaptively secure ABE for poly-sized circuits?
- adaptively secure ABE from lattices?
- attribute-hiding ABE for any class larger than inner products?

Thank you!