Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Published byElla Groomes Modified over 10 years ago

Similar presentations

Presentation on theme: "Dual System Encryption: Concept, History and Recent works Jongkil Kim."— Presentation transcript:

1 Dual System Encryption: Concept, History and Recent works Jongkil Kim

2 Introduction Strategy of Security Proof Partitioning Technique Dual System Encryption – Semi-functionality – Nominally Semi-functionality Encodings References

3 Strategy of Security Proof Claim: Proof by contradiction Mathematical problem is hard Our Construction is secure under a security model Assume that Our Construction is not secure under a security model Mathematical Problem is not hard CONTRADICT! Our constuction is secure!

4 Strategy of Security Proof Assume that Our Construction is not secure under a security model Mathematical Problem is not hard Assume there exists an adversary to harm our security model We can break mathematical hard problem using the adversary Show that our security model equals to mathematical hard problem.

5 Strategy of Security Proof “Harms the security model”? – An adversary having non-negligible advantage to win security games. Notation and Definition – X: a decryption, Y: a predicate, R: Function Between X and Y R(X,Y) = 1, then a key can decrypt the ciphertext. Otherwise (R(X,Y) = 0), it does not. Example, in IBE, R(ID A, ID A ) = 1, but R(ID A, ID B ) = 0 – Public key encryption system consists of four radnomized algorithms: Setup, KeyGen, Enc, Dec

6 Adaptive security model (CPA Security) Setup Phase I Challenge Phase II Guess Run Setup Simulator Adversary Public key query Public key Run KeyGen(MSK,PP, X i ) Private key query (X i ; ) Private key Run Enc(PP, M B,Y) Challenge query (M 0, M 1, Y) Challenge Cipehrtext Run KeyGen(MSK, PP, X i ) Private key query (X i ; ) Private key Guess? 0 or 1 Y Selective

7 Partitioning Technique Partitioning the key space => Only Selective Security if functionality of Public key scheme become complecate. (such as ABE, IPE, Spatial Encryption,…) Key Space X1X1 X2X2 XqXq X4X4 X9X9 X5X5 X7X7 X6X6 X 10 X8X8 … Y Phase I Phase II Challenge Key Space X1X1 X2X2 XqXq X4X4 X9X9 X5X5 X7X7 X6X6 X 10 X8X8 … Y

8 Dual System Encryption Introduced by Waters [Crypto 2009] It uses semi-functional ciphertext and semi- functional keys which are only used in the security proof. In Dual System Encryption, the security of an encryption scheme is proved by showing following – Semi-functional ciphertext invariance – Semi-functional key invariance – Semi-functional security

9 Semi-functionality Decrypt?Normal KeySemi-functional Key Normal Ciphertext Semi-functional Ciphertext We must show that two security games are invariant – Game Real : All keys and the challenge ciphertext are normal – Game Final : All keys and the challenge ciphertext are semi- functional. Additionally, the message are replaced by the random message. – Between both, Game 0, Game 1, Game 2,… Game q Yes! No…

10 Semi-functional Ciphertext Invariance Invariance between Game Real and Game 0 Setup Phase I Challenge Phase II Guess Simulator Adversary Public key query Public key Private key query (X) Private key Challenge query (M 0, M 1, Y) Challenge Cipehrtext (M B ) Private key query (X) Private key Guess? 0 or 1 Game Real Semi-functional Game 0 ≈ (Invariant)

11 Invariance of two games Assume that two games are indistinguishable Mathematical Problem is hard Assume there exists an adversary who distinguishes two games We can break mathematical hard problem using the adversary Show that distinguishing two games equals to mathematical hard problem.

12 Semi-functional Ciphertext Invariance Invariance between Game 0 and Game q Phase I Challenge Phase II Simulator Adversary Private key query (X 1 ) Private key 1 Challenge query (M 0, M 1, Y) Challenge Cipehrtext (M B ) Private key query (X q ) Private key q Game 0 Semi-functional Private key query (X 2 ) Private key 2 … … Game 1 ≈ Semi-functional ≈ Game 2 Semi-functional ≈ Game q Semi-functional …

13 Semi-functional Key Invariance – Mathematical Induction We already showed Game 0 is invariant with Game Real We now show Game k is invariant with Game k-1 – This is a critical part of the security proof because the relation between k th key and challenge ciphertext is changed. – We must proof the normal key which can decrypt the normal CT is indistinguishable from the semi- function key which cannot.

14 Semi-functional Key Invariance Assume there exists an adversary who distinguishes two games We can break mathematical hard problem using the adversary Show that distinguishing two games equals to mathematical hard problem. + The simulator can distinguish the k th key by generating valid semi- functional ciphertext for k th key and trying to decrypt it with the k th key. No limitation for the simulator in the security model! Invaraiace between Game k-1 and Game k

15 Dual System Encryption How to prevent this paradox – In Waters’ construction, – If the simulator generate the semi-functional ciphertext to distinguish Tag c must be equal to Tag k. Tag c = F(ID Y ) = A·ID Y + B Tag k = F(ID X ) = A·ID X + B – But, this is hidden by pair wise independent argument because ID X does not equal to ID Y if A and B are initially information theoretically hidden.

16 Nominally Semi-functionality Introduced by Lewko and Waters [TCC 2010] Similar with Water’s Construction – If the simulator generates a semi-functional ciphertext for testing whether k th key is semi- functional or normal, semi-functional part is going to be cancel out. So, k th key is nominally semi-functional because it can decrypt the semi-functional challenge ciphertext.

17 How to hide the Nominality We also must show that this nominally semi-functional key is invariant with Semi-functional key. In other words, we must show that the correlation between semi-functional parts in the nominally semi- functional key and the challenge ciphertext is hidden. By using following – Pair wise independent – n-wise independent – Linearly independent – Information Theoretically Hidden Maybe there are some more but not so many!

18 Hidden Lemma General Lemma for semi-functional key invariance But, this is the abstract of two lemmas Assume there exists an adversary who distinguishes Game k-1 and Game k We can break mathematical hard problem(SD) using the adversary

19 Nominally Semi-functionality IBE in composite order – KeyGen(PP, MSK, ID) -> SK ID = {K 1, K 2 } K 1 := g 1 α + r(A ID + B) Z 1, K 2 := g 1 r Z 2 – Enc(PP, ID) -> CT ID = {C, C 1, C 2 } C:= M · e(g 1, g 1 ) αs, C 1 := g 1 s, C 2 := g 1 s(A ID +B) – SFKeyGen(PP, MSK, ID) -> SK ID = {K 1, K 2 } K 1 := g 1 α + r(A ID + B) g 2 r’a Z 1, K 2 := g 1 r g 2 r’ Z 2 – SFEnc(PP, ID) -> CT ID = {C, C 1, C 2 } C:= M · e(g 1, g 1 ) αs, C 1 := g 1 s g 2 s’, C 2 := g 1 s(A ID +B) g 2 s’ b

20 Hidden Lemmas Let Game k ’ is the game identical with Game k-1, but the k th key is nominally semi functional. Assume there exists an adversary who distinguishes Game k-1 and Game k ‘ We can break mathematical hard problem using the adversary NSFKeyGen(PP, MSK, ID) -> SK ID = {K 1, K 2 } K 1 := g 1 α + r(A ID + B) g 2 r’(A’ ID + B’) Z 1, K 2 := g 1 r g 2 r’ Z 2 SFEnc(PP,ID) -> CT ID = {C, C 1, C 2 } C:= M · e(g 1, g 1 ) αs, C 1 := g 1 s g 2 s’, C 2 := g 1 s(A ID +B) g 2 s’ (A’ ID +B’)

21 Hidden Lemmas Let Game k ’ is the game identical with Game k-1, but the k th key is nominally semi functional. Assume there exists an adversary who distinguishes Game k ‘ and Game k We can break information theoretically hidden argument using the adversary NSFKeyGen(PP, MSK, ID) -> SK ID = {K 1, K 2 } K 1 := g 1 α + r(A ID + B) g 2 r’(A’ ID +B’) Z 1, K 2 := g 1 r g 2 r’ Z 2 SFEnc(PP, ID) -> CT ID = {C, C 1, C 2 } C:= M · e(g 1, g 1 ) αs, C 1 := g 1 s g 2 s’, C 2 := g 1 s(A ID +B) g 2 s’ (A’ ID + B’) a b

22 Why this is possible? The semi-functional parts of private key and ciphertext are just twins of their normal parts But, why is applying information hidden argument possible? Public key and other semi- functional keys does not reveal any information about the semi- functional parts!

23 Semi-functional Security Invariance between Game q and Game Final Setup Phase I Challenge Phase II Guess Simulator Adversary Public key query Public key Private key query (X) Private key Challenge query (M 0, M 1, Y) Challenge Cipehrtext (M B ) Private key query (X) Private key Guess? 0 or 1 Game q Semi-functional Game Final ≈ (Invariant) R: Rand message R Semi-functional

24 DSE via Encodings Pair Encoding [Eurocrypto 2014] and Predicate Encoding [TCC 2014] – Many public key schemes proved by Dual System Encryption share a same proof strategy. – It means it can be formalized! => New direction of the security proof! We only need our new scheme satisfy following properties – Linearity – Parameter Vanishing – Perfect Master key hiding

25 DSE via Encoding Linearity – K(α’;x,h,r’) + K(α’’;x,h,r’’) = K(α’ +α’’;x,h,r’+r’’) Parameter vanishing – K(α;x,h,0) = K(α;x,h’,0) Perfect master key hiding – Given c(s;y,h), for all α, α’, If R(x,y)=0, K(α;x,h,r) and K(α’;x,h,r) are statistically invariant.

26 Encoding example (IBE) Construction – Setup(λ) -> N = p 1 p 2 p 3, PP = { g 1 A, g 1 B }, MSK = {α, X 3 } – KeyGen(PP, MSK, ID) -> SK ID = {K 1, K 2 } K 1 := g 1 α + r(A ID + B) Z 1, K 2 := g 1 r Z 2 – Enc(PP, ID) -> CT ID = {C, C 1, C 2 } C:= M · e(g 1, g 1 ) αs, C 1 := g 1 s, C 2 := g 1 s(A ID +B) – Dec(SK ID, CT ID ) M = C · e(K 2, C 2 )/e(K 1, C 1 )

27 Encoding example Encoding – K(α;ID,(A,B),r) = (α + r(A ID + B), r) – c(s;ID,(A,B)) = (s, s(A ID + B)) Linearity – (α+ r(A ID + B), r) + (α’ + r’(A ID + B), r’) =(α + α’ + (r+r’) (A ID + B), r+r’) Parameter vanishing – (α+ 0 (A ID + B), 0) + (α + 0(A’ ID + B’), 0)

28 Encoding example Encoding – K(α;ID,(A,B),r) = (α + r(A ID + B), r) – c(s;ID,(A,B)) = (s, s(A ID + B)) Perfect Master key hiding – Given (s, s(A ID* + B)) – For ID which does not equal to ID*, A ID + B is randomly distributed (pairwise independent). – Hence, (α + r(A ID + B),r) is statistically invariant with (α’ + r(A ID + B),r) to the adversary

29 References [Eurocrypto 2014] N. Attrapadung. Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more. In P. Q. Nguyen and E. Oswald, editors, EUROCRYPT, volume 8441 of Lecture Notes in Computer Science, pages 557{577. Springer, 2014. [Crypto 2009] B. Waters. Dual system encryption: Realizing fully secure ibe and hibe under simple assumptions. In S. Halevi, editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages 619{636. Springer, 2009. [TCC 2014] H. Wee. Dual system encryption via predicate encodings. In Y. Lindell, editor, TCC, volume 8349 of Lecture Notes in Computer Science, pages 616{637. Springer, 2014. [TCC 2010] A. Lewko and B. Waters. New techniques for dual system encryption and fully secure hibe with short ciphertexts. In TCC, 2010.

Download ppt "Dual System Encryption: Concept, History and Recent works Jongkil Kim."

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
See you at the next conference! Hope you like our slides Hello everybody!

See you at the next conference! Hope you like our slides Hello everybody!
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.

Cramer & Shoup Encryption Cramer and Shoup: A practical public key crypto system provably secure against adaptive chosen ciphertext attack. Crypto 1998.
On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),

On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),
Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Dennis Hofheinz, Jessica Koch, Christoph Striecks

Dennis Hofheinz, Jessica Koch, Christoph Striecks
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Identity Based Encryption

Identity Based Encryption

Similar presentations

Ads by Google