Compact Adaptively Secure ABE for NC1 from k-Lin

Compact Adaptively Secure ABE for NC1 from k-Lin
Lucas Kowalczyk Hoeteck Wee

Public-Key Encryption
skBob Alice Bob

Attribute-Based Encryption
CS Dept PhD US Citizen Alice Bob

OR AND AND CS Dept. Tall Dark Handsome PhD Alice

OR AND AND CS Dept. Tall Dark Handsome PhD U up? Alice SK: PhD, CS Dept, US Citizen

OR AND AND CS Dept. Tall Dark Handsome PhD Alice SK: CS Dept, Tall SK: PhD, Short

(Ciphertext-Policy) Attribute-Based Encryption
(CP-ABE) f OR ctf AND AND skx CS Dept. Alice Tall Dark Handsome PhD x = “PhD, CS Dept”

CP-ABE Security Game: (Adaptive) Requirement: f(x) = 0 for all x pk x
skx m0, m1, f Encpk, f(mb) Adversary x skx

CP-ABE Security Game: (Selective) Requirement: f(x) = 0 for all x
pk x skx m0, m1, f Adversary Encpk, f(mb) x skx

Computational Hardness Assumptions:
Static (DDH) Parameterized (q-wBDDH)

ABE State of the art: [LOSTW10]
Adaptive Security Static Assumption Monotone Boolean Span Programs OR AND AND CS Dept. Tall Dark Handsome PhD

Adaptive Security Static Assumption Read-Once Monotone Boolean Span Programs OR AND AND CS Dept. Tall Dark Handsome PhD

Adaptive Security Static Assumption Read-Once Monotone Boolean Span Programs OR AND AND Tall Dark Handsome PhD Tall

Adaptive Security Static Assumption Read-Once Monotone Boolean Span Programs OR AND AND Tall Dark Handsome PhD Tall Problem: Read-Once Boolean Formulas is an extremely small function class

[LOSTW10] – “One-Use Restriction” Workaround
Given: CP-ABE with one-use restriction -For each attribute a1, …, an desired in a multi-use system, create m copies: a1:1, a1:2, ..., a1:m, a2:1, ..., a2:m, , an:1, ..., an:m to be used in the one-use system. -Associate each copy with unique use in a policy -Treat all m “meta-attributes” as a bundle in secret keys Downside: secret keys + public parameters now grow with parameter m! m is a parameter related to f used in ciphertext! Violates compactness

[LOSTW10] – “One-Use Restriction” Workaround
[OT10], [OT12], [LW12], [Attr14], [Wee14], [KL15], [CGW15], [Att16], [AC17], [CGKW18], to name a few Despite much follow-up work in ABE construction technology as well as solutions that sacrifice adaptive security from a standard assumption [GPSW06, GVW13] [LW12, GGHZ14] (Major open problem in Attribute-Based Encryption) No known (compact) ABE scheme for Boolean formulas that is adaptively secure from a static assumption

Our Contribution: First (compact) ABE scheme for Boolean formulas that is adaptively secure from a static assumption

Our Contribution: k-Lin Assumption
First (compact) ABE scheme for Boolean formulas that is adaptively secure from a static assumption k-Lin Assumption

Our Contribution: k-Lin Assumption
First (compact) ABE scheme for Boolean formulas that is adaptively secure from a static assumption k-Lin Assumption k = Symmetric External Diffie-Hellman (SXDH) k = Decisional Linear Assumption (DLIN)

(Linear) Secret Sharing for Boolean Formulas
Building Block: (Linear) Secret Sharing for Boolean Formulas v OR AND AND Tall Dark PhD CS Dept.

Building Block: (Linear) Secret Sharing for Boolean Formulas v OR v v AND AND Tall Dark PhD CS Dept.

Building Block: (Linear) Secret Sharing for Boolean Formulas v OR v v AND AND Tall Dark PhD CS Dept. v + r1 -r1

Building Block: (Linear) Secret Sharing for Boolean Formulas v OR v v AND AND Tall Dark PhD CS Dept. v + r1 -r1 v + r2 -r2

Building Block: (Linear) Secret Sharing for Boolean Formulas OR AND AND Tall Dark PhD CS Dept. λ1 = v + r1 λ2 = -r1 λ3 = v + r2 λ4 = -r2

Building Block: (Linear) Secret Sharing for Boolean Formulas v OR AND AND Tall Dark PhD CS Dept. λ1 = v + r1 λ2 = -r1

Building Block: (Linear) Secret Sharing for Boolean Formulas ? OR ? ? AND AND Tall Dark PhD CS Dept. λ1 = v + r1 λ4 = -r2

[LOSTW10]: Core Idea Ciphertextf:

[LOSTW10]: Core Idea Each attribute Ciphertextf:

[LOSTW10]: Core Idea Each attribute Ciphertextf: Secret Keyx:

[LOSTW10]: Core Idea Each attribute single-use case: Ciphertextf:
Secret Keyx:

Ciphertextf: Secret Keyx:

BUT guarantee cannot be “rewound”
Ciphertextf: Computationally-secure encryption has guarantees across multiple messages (with same ) BUT guarantee cannot be “rewound” need to know which are hidden at ciphertext creation Secret Keyx: solution: guess ahead of time

Ciphertextf:

Ciphertextf: Secret Keyx:

Ciphertextf: alternative: hybrid over n keys Secret Keyx:

Ciphertextf: alternative: hybrid over n keys hybrid steps guesses Secret Keyx: main idea: reduce size of guess needed by using a delicate hybrid sequence, resulting in polynomial security loss

Adaptively Secure Yao Secret Sharing for NC1 [JKKKPW17]
AND AND x1 x2 x1 x4

Hybrid Sequence: inspired by [JKKKPW17] “pebbling”
OR AND AND x1 x2 x1 x4

For every unauthorized input x, there is a sequence of pebbling configurations that obeys the pebbling rules and ends with a single pebble on the output node OR AND AND x1 x2 x1 x4 1 1

Pebble(G): OR AND AND x1 x2 x1 x4 1 1

Pebble(G): 1. If G = AND gate, let GC be the first child gate with output wire 0. Pebble(GC), place pebble on G, then Reverse(Pebble(GC)) OR AND AND x1 x2 x1 x4 1 1

Pebble(G): 1. If G = AND gate, let GC be the first child gate with output wire 0. Pebble(GC), place pebble on G, then Reverse(Pebble(GC)) 2. If G = OR gate, Pebble(GL), Pebble(GR), Reverse(Pebble(GL)),Reverse(Pebble(GL)) OR AND AND x1 x2 x1 x4 1 1

Pebble(G): 1. If G = AND gate, let GC be the first child gate with output wire 0. Pebble(GC), place pebble on G, then Reverse(Pebble(GC)) 2. If G = OR gate, Pebble(GL), Pebble(GR), Reverse(Pebble(GL)),Reverse(Pebble(GL)) 3. If G = input gate, place pebble on G OR AND AND x1 x2 x1 x4 1 1

Properties of Pebble(G):
Hybrid Sequence: inspired by [JKKKPW17] “pebbling” Properties of Pebble(G): 1. Each sequence is of length at most O(2d) OR AND AND x1 x2 x1 x4

Hybrid Sequence: inspired by [JKKKPW17] “pebbling” Properties of Pebble(G): 1. Each sequence is of length at most O(2d) OR 2. Each configuration in such a sequence can be described by O( lg s * d) bits [JKKKPW17] AND AND x1 x2 x1 x4

Hybrid Sequence: inspired by [JKKKPW17] “pebbling” Properties of Pebble(G): 1. Each sequence is of length at most O(2d) OR 2. Each configuration in such a sequence can be described by O( lg s * d) bits [JKKKPW17] AND AND x1 x2 x1 x4 hybrid steps guesses

Hybrid Sequence: inspired by [JKKKPW17] “pebbling” Properties of Pebble(G): 1. Each sequence is of length at most O(2d) OR 2. Each configuration in such a sequence can be described by O( lg s * d) bits [JKKKPW17] AND AND O(d) [KW18] x1 x2 x1 x4 hybrid steps guesses

Summary: Improved upon pebbling-based argument of [JKKPW17] to show adaptive security of Yao Secret Sharing for NC1 circuits with polynomial security loss. Used secret sharing security within Dual System proof à la [LOSTW10] to get ABE for NC1 with security from k-Lin Assumption. Provide Key and Ciphertext-Policy constructions, as well as unbounded variants.

Looking Forward: adaptively secure ABE for poly-sized circuits?
adaptively secure ABE from lattices? attribute-hiding ABE for any class larger than inner products?

Thank you!

Compact Adaptively Secure ABE for NC1 from k-Lin

Similar presentations

Presentation on theme: "Compact Adaptively Secure ABE for NC1 from k-Lin"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Compact Adaptively Secure ABE for NC1 from k-Lin

Similar presentations

Presentation on theme: "Compact Adaptively Secure ABE for NC1 from k-Lin"— Presentation transcript:

Similar presentations

About project

Feedback