Dual System Encryption: Concept, History and Recent works Jongkil Kim.



Introduction
Strategy of Security Proof
Partitioning Technique
Dual System Encryption
– Semi-functionality
– Nominally Semi-functionality
Encodings
References

Strategy of Security Proof
Claim: Mathematical problem is hard => Our construction is secure under a security model
Proof by contradiction: Assume that our construction is not secure under a security model => Mathematical problem is not hard
CONTRADICT! Our construction is secure!

Strategy of Security Proof
Assume that our construction is not secure under a security model => Mathematical problem is not hard
Assume there exists an adversary that harms our security model => We can break the mathematical hard problem using the adversary
Show that our security model is equal to the mathematical hard problem.

Strategy of Security Proof
“Harms the security model”?
– An adversary having non-negligible advantage to win security games.
Notation and Definition
– X: a decryption, Y: a predicate, R: function between X and Y
  If $R(X, Y) = 1$, then a key can decrypt the ciphertext. Otherwise ($R(X, Y) = 0$), it does not.
  Example: in IBE, $R(ID_A, ID_A) = 1$, but $R(ID_A, ID_B) = 0$
– A public key encryption system consists of four randomized algorithms: Setup, KeyGen, Enc, Dec

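Adaptive security model (CPA Security)
Game between the Simulator and the Adversary:
– Setup: the adversary sends a public key query; the simulator runs Setup and returns the public key.
– Phase I: the adversary sends a private key query ($X_i$; ); the simulator runs KeyGen(MSK, PP, $X_i$) and returns the private key.
– Challenge: the adversary sends a challenge query ($M_0$, $M_1$, Y); the simulator runs Enc(PP, $M_B$, Y) and returns the challenge ciphertext.
– Phase II: the adversary sends a private key query ($X_i$; ); the simulator runs KeyGen(MSK, PP, $X_i$) and returns the private key.
– Guess: the adversary guesses 0 or 1.
Diagram annotation: Y (Selective)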

Partitioning Technique
Partitioning the key space => Only selective security if the functionality of the public key scheme becomes complicated (such as ABE, IPE, Spatial Encryption, …).
[Figure: the key space containing the keys $X_1, X_2, \dots, X_q$ and the challenge Y, drawn across Phase I, Challenge and Phase II]

Dual System Encryption
Introduced by Waters [Crypto 2009]
It uses semi-functional ciphertexts and semi-functional keys, which are only used in the security proof.
In Dual System Encryption, the security of an encryption scheme is proved by showing the following:
– Semi-functional ciphertext invariance
– Semi-functional key invariance
– Semi-functional security

Semi-functionality
[Table: "Decrypt?" with columns Normal Key and Semi-functional Key, rows Normal Ciphertext and Semi-functional Ciphertext, and cells marked "Yes!" or "No…"]
We must show that two security games are invariant:
– Game Real: All keys and the challenge ciphertext are normal.
– Game Final: All keys and the challenge ciphertext are semi-functional. Additionally, the message is replaced by a random message.
– Between both: Game 0, Game 1, Game 2, …, Game q

Semi-functional Ciphertext Invariance
Invariance between Game Real and Game 0: Game Real ≈ Game 0 (Invariant)
Game between the Simulator and the Adversary:
– Setup: public key query; public key
– Phase I: private key query (X); private key
– Challenge: challenge query ($M_0$, $M_1$, Y); challenge ciphertext ($M_B$), labelled "Semi-functional" in Game 0
– Phase II: private key query (X); private key
– Guess: 0 or 1

Invariance of two games
Mathematical problem is hard => Assume that two games are indistinguishable
Assume there exists an adversary who distinguishes two games => We can break the mathematical hard problem using the adversary
Show that distinguishing two games is equal to the mathematical hard problem.

Semi-functional Ciphertext Invariance
Invariance between Game 0 and Game q: Game 0 ≈ Game 1 ≈ Game 2 ≈ … ≈ Game q
Game between the Simulator and the Adversary:
– Phase I: private key query ($X_1$); private key 1. Private key query ($X_2$); private key 2. …
– Challenge: challenge query ($M_0$, $M_1$, Y); challenge ciphertext ($M_B$)
– Phase II: … private key query ($X_q$); private key q
[Diagram labels: "Semi-functional" under Game 0, Game 1, Game 2, …, Game q]

Semi-functional Key Invariance – Mathematical Induction
We already showed that Game 0 is invariant with Game Real.
We now show that Game k is invariant with Game k-1.
– This is a critical part of the security proof because the relation between the k-th key and the challenge ciphertext is changed.
– We must prove that the normal key, which can decrypt the normal CT, is indistinguishable from the semi-functional key, which cannot.

Semi-functional Key Invariance
Invariance between Game k-1 and Game k
Assume there exists an adversary who distinguishes two games => We can break the mathematical hard problem using the adversary
Show that distinguishing two games is equal to the mathematical hard problem.
+ The simulator can distinguish the k-th key by generating a valid semi-functional ciphertext for the k-th key and trying to decrypt it with the k-th key. No limitation for the simulator in the security model!

Dual System Encryption
How to prevent this paradox
– In Waters’ construction,
– If the simulator generates the semi-functional ciphertext to distinguish, $Tag_c$ must be equal to $Tag_k$.
  $Tag_c = F(ID_Y) = A \cdot ID_Y + B$
  $Tag_k = F(ID_X) = A \cdot ID_X + B$
– But this is hidden by a pairwise independence argument, because $ID_X$ does not equal $ID_Y$, if A and B are initially information-theoretically hidden.

Nominally Semi-functionality
Introduced by Lewko and Waters [TCC 2010]
Similar to Waters’ construction
– If the simulator generates a semi-functional ciphertext for testing whether the k-th key is semi-functional or normal, the semi-functional part is going to cancel out. So the k-th key is nominally semi-functional, because it can decrypt the semi-functional challenge ciphertext.

How to hide the Nominality
We also must show that this nominally semi-functional key is invariant with a semi-functional key.
In other words, we must show that the correlation between the semi-functional parts in the nominally semi-functional key and the challenge ciphertext is hidden, by using the following:
– Pairwise independent
– n-wise independent
– Linearly independent
– Information Theoretically Hidden
Maybe there are some more, but not so many!

Hidden Lemma
General lemma for semi-functional key invariance
Assume there exists an adversary who distinguishes Game k-1 and Game k => We can break the mathematical hard problem (SD) using the adversary
But this is the abstract of two lemmas.

Nominally Semi-functionality
IBE in composite order
– KeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} Z_1$, $K_2 := g_1^{r} Z_2$
– Enc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s}$, $C_2 := g_1^{s(A \cdot ID + B)}$
– SFKeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} g_2^{r'a} Z_1$, $K_2 := g_1^{r} g_2^{r'} Z_2$
– SFEnc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s} g_2^{s'}$, $C_2 := g_1^{s(A \cdot ID + B)} g_2^{s'b}$

Hidden Lemmas
Let Game k’ be the game identical to Game k-1, except that the k-th key is nominally semi-functional.
Assume there exists an adversary who distinguishes Game k-1 and Game k’ => We can break the mathematical hard problem using the adversary
NSFKeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} g_2^{r'(A' \cdot ID + B')} Z_1$, $K_2 := g_1^{r} g_2^{r'} Z_2$
SFEnc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s} g_2^{s'}$, $C_2 := g_1^{s(A \cdot ID + B)} g_2^{s'(A' \cdot ID + B')}$

Hidden Lemmas
Let Game k’ be the game identical to Game k-1, except that the k-th key is nominally semi-functional.
Assume there exists an adversary who distinguishes Game k’ and Game k => We can break the information-theoretically hidden argument using the adversary
NSFKeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} g_2^{r'(A' \cdot ID + B')} Z_1$, $K_2 := g_1^{r} g_2^{r'} Z_2$
SFEnc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s} g_2^{s'}$, $C_2 := g_1^{s(A \cdot ID + B)} g_2^{s'(A' \cdot ID + B')}$
(diagram labels: $a$, $b$)
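The following is an added example, not part of the original slides: a toy exponent-space model of the composite-order IBE above, showing which key/ciphertext pairs decrypt and why a nominally semi-functional key (a = b = A'·ID + B') still decrypts a semi-functional ciphertext. The primes, the parameter values and the helper names (`pair`, `residual`, `decrypts`, `nominal`) are assumptions chosen for illustration; the G_p3 terms Z_1, Z_2 are omitted because they vanish in the pairing.

```python
# Toy exponent-space model of the composite-order IBE (constructed parameters).
# A group element g1^x * g2^y is stored as (x mod P1, y mod P2); the G_p3
# blinding terms Z1, Z2 are dropped because they pair to the identity.
P1, P2 = 1009, 1013          # toy primes standing in for p1, p2 (assumption)
ALPHA, A, B = 77, 5, 9       # master secret and parameters A, B, mod P1
A2, B2 = 3, 4                # A', B' for the semi-functional space, mod P2

def F(ident):                # exponent A*ID + B used by the normal components
    return (A * ident + B) % P1

def pair(u, v):              # e(.,.): exponents multiply inside each subgroup
    return (u[0] * v[0] % P1, u[1] * v[1] % P2)

def keygen(ident, r, r2=0, a=0):
    # r2 = 0 gives a normal key; otherwise K1 carries g2^{r'a}, K2 carries g2^{r'}
    k1 = ((ALPHA + r * F(ident)) % P1, r2 * a % P2)
    return k1, (r % P1, r2 % P2)

def enc(ident, s, s2=0, b=0):
    # exponents of the blinding factor e(g1,g1)^{alpha s}, then C1 and C2
    blind = (ALPHA * s % P1, 0)
    return blind, (s % P1, s2 % P2), (s * F(ident) % P1, s2 * b % P2)

def residual(key, ct):
    # exponent of (C/M) * e(K2,C2) / e(K1,C1); (0, 0) means Dec returns M
    (k1, k2), (blind, c1, c2) = key, ct
    num, den = pair(k2, c2), pair(k1, c1)
    return ((blind[0] + num[0] - den[0]) % P1,
            (blind[1] + num[1] - den[1]) % P2)

def decrypts(key, ct):
    return residual(key, ct) == (0, 0)

def nominal(ident):          # a = b = A'*ID + B', as in NSFKeyGen / SFEnc
    return (A2 * ident + B2) % P2

ID = 42                      # constructed identity
normal_key = keygen(ID, r=11)
sf_key = keygen(ID, r=11, r2=6, a=100)            # a independent of b
nsf_key = keygen(ID, r=11, r2=6, a=nominal(ID))   # a correlated with b
normal_ct = enc(ID, s=23)
sf_ct = enc(ID, s=23, s2=8, b=nominal(ID))

if __name__ == "__main__":
    for name, key in [("normal", normal_key), ("semi-functional", sf_key),
                      ("nominally semi-functional", nsf_key)]:
        print(name, decrypts(key, normal_ct), decrypts(key, sf_ct))
```

The non-zero residual for the semi-functional pair is r's'(b - a) in the G_p2 exponent, which is exactly the term that cancels when a = b.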

Why is this possible?
The semi-functional parts of the private key and the ciphertext are just twins of their normal parts.
But why is applying the information-hidden argument possible? The public key and the other semi-functional keys do not reveal any information about the semi-functional parts!

Semi-functional Security
Invariance between Game q and Game Final: Game q ≈ Game Final (Invariant)
Game between the Simulator and the Adversary:
– Setup: public key query; public key
– Phase I: private key query (X); private key
– Challenge: challenge query ($M_0$, $M_1$, Y); challenge ciphertext ($M_B$ in Game q, R in Game Final, where R is a random message)
– Phase II: private key query (X); private key
– Guess: 0 or 1
[Diagram labels: "Semi-functional" under Game q and Game Final]

DSE via Encodings
Pair Encoding [Eurocrypto 2014] and Predicate Encoding [TCC 2014]
– Many public key schemes proved by Dual System Encryption share the same proof strategy.
– It means it can be formalized! => New direction of the security proof!
We only need our new scheme to satisfy the following properties:
– Linearity
– Parameter Vanishing
– Perfect Master key hiding

DSE via Encoding
Linearity
– $K(\alpha'; x, h, r') + K(\alpha''; x, h, r'') = K(\alpha' + \alpha''; x, h, r' + r'')$
Parameter vanishing
– $K(\alpha; x, h, 0) = K(\alpha; x, h', 0)$
Perfect master key hiding
– Given $c(s; y, h)$, for all $\alpha, \alpha'$: if $R(x, y) = 0$, then $K(\alpha; x, h, r)$ and $K(\alpha'; x, h, r)$ are statistically invariant.

Encoding example (IBE)
Construction
– Setup(λ) -> $N = p_1 p_2 p_3$, $PP = \{g_1^{A}, g_1^{B}\}$, $MSK = \{\alpha, X_3\}$
– KeyGen(PP, MSK, ID) -> $SK_{ID} = \{K_1, K_2\}$
  $K_1 := g_1^{\alpha + r(A \cdot ID + B)} Z_1$, $K_2 := g_1^{r} Z_2$
– Enc(PP, ID) -> $CT_{ID} = \{C, C_1, C_2\}$
  $C := M \cdot e(g_1, g_1)^{\alpha s}$, $C_1 := g_1^{s}$, $C_2 := g_1^{s(A \cdot ID + B)}$
– Dec($SK_{ID}$, $CT_{ID}$)
  $M = C \cdot e(K_2, C_2) / e(K_1, C_1)$

Encoding example
Encoding
– $K(\alpha; ID, (A, B), r) = (\alpha + r(A \cdot ID + B),\ r)$
– $c(s; ID, (A, B)) = (s,\ s(A \cdot ID + B))$
Linearity
– $(\alpha + r(A \cdot ID + B),\ r) + (\alpha' + r'(A \cdot ID + B),\ r') = (\alpha + \alpha' + (r + r')(A \cdot ID + B),\ r + r')$
Parameter vanishing
– $(\alpha + 0 \cdot (A \cdot ID + B),\ 0) = (\alpha + 0 \cdot (A' \cdot ID + B'),\ 0)$

Encoding example
Encoding
– $K(\alpha; ID, (A, B), r) = (\alpha + r(A \cdot ID + B),\ r)$
– $c(s; ID, (A, B)) = (s,\ s(A \cdot ID + B))$
Perfect Master key hiding
– Given $(s,\ s(A \cdot ID^* + B))$
– For an ID which does not equal $ID^*$, $A \cdot ID + B$ is randomly distributed (pairwise independent).
– Hence, $(\alpha + r(A \cdot ID + B),\ r)$ is statistically invariant with $(\alpha' + r(A \cdot ID + B),\ r)$ to the adversary.
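As an added example (not from the original slides), the three encoding properties can be checked exhaustively for the IBE encoding over a small prime field. The field size, the sample values and the helper names (`linearity_holds`, `vanishing_holds`, `key_view`, `master_key_hidden`) are assumptions for illustration; the last check enumerates every (A, B) consistent with the ciphertext encoding the adversary has seen and compares the resulting key distributions for all α.

```python
from collections import Counter
from itertools import product

P = 11  # toy prime field (assumption); real schemes use a large modulus

def K(alpha, ident, h, r):
    """Key encoding K(alpha; ID, (A,B), r) = (alpha + r(A*ID + B), r)."""
    a, b = h
    return ((alpha + r * (a * ident + b)) % P, r % P)

def c(s, ident, h):
    """Ciphertext encoding c(s; ID, (A,B)) = (s, s(A*ID + B))."""
    a, b = h
    return (s % P, s * (a * ident + b) % P)

def add(u, v):
    return tuple((x + y) % P for x, y in zip(u, v))

def linearity_holds(ident, h):
    # K(a1; r1) + K(a2; r2) == K(a1 + a2; r1 + r2) for every input in the field
    return all(add(K(a1, ident, h, r1), K(a2, ident, h, r2))
               == K(a1 + a2, ident, h, r1 + r2)
               for a1, a2, r1, r2 in product(range(P), repeat=4))

def vanishing_holds(ident):
    # with r = 0 the encoding must not depend on the parameters h = (A, B)
    hs = list(product(range(P), repeat=2))
    return all(K(al, ident, h, 0) == K(al, ident, hs[0], 0)
               for al in range(P) for h in hs)

def key_view(alpha, ident, ident_star, s, r, seen_ct):
    """Distribution of K(alpha; ID, h, r) over every h = (A, B) that is
    consistent with the ciphertext encoding c(s; ID*, h) already seen."""
    return Counter(K(alpha, ident, h, r)
                   for h in product(range(P), repeat=2)
                   if c(s, ident_star, h) == seen_ct)

def master_key_hidden(ident, ident_star, s=3, r=4):
    seen = c(s, ident_star, (2, 5))   # constructed "real" parameters
    views = [key_view(al, ident, ident_star, s, r, seen) for al in range(P)]
    return all(v == views[0] for v in views)

if __name__ == "__main__":
    print(linearity_holds(7, (2, 5)), vanishing_holds(7))
    print(master_key_hidden(7, 3))    # ID != ID*: alpha is perfectly hidden
    print(master_key_hidden(3, 3))    # ID == ID*: the key pins down alpha
```

When ID equals ID*, the seen ciphertext fixes A·ID + B, so the key encoding determines α; this is why the property is only required when R(x, y) = 0.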

References
[Eurocrypto 2014] N. Attrapadung. Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more. In P. Q. Nguyen and E. Oswald, editors, EUROCRYPT, volume 8441 of Lecture Notes in Computer Science, pages 557–577. Springer,
[Crypto 2009] B. Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In S. Halevi, editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages 619–636. Springer,
[TCC 2014] H. Wee. Dual system encryption via predicate encodings. In Y. Lindell, editor, TCC, volume 8349 of Lecture Notes in Computer Science, pages 616–637. Springer,
[TCC 2010] A. Lewko and B. Waters. New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In TCC, 2010.