Fully Secure Functional Encryption AttributeBased Encryption and Hierarchical
Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The University of Texas at Austin NTT UCLA Katsuyuki Takashima Mitsubishi Electric Brent Waters The University of Texas at Austin
Functional Encryption • Functionality f(x, y) – specifies what will be learned about ciphertext y x
Application Who should be able to read my data? access policy
Attribute-Based Encryption [SW 05] Ciphertexts: associated with access formulas (A Ç B) Æ C Secret Keys: associated with attributes {A, C} Decryption: {A, C} satisfies (AÇB)ÆC {A, C} (A Ç B) Æ C Message
ABE Example OR AND Medical Company X researcher {Doctor, Hospital Z} AND Doctor Hospital Y {Nurse, Hospital Y}
ABE Algorithms q Setup (¸, U) MSK Public Params q Encrypt(PP, M, Access formula) q Key. Gen(PP, MSK, Set of attributes) q Decrypt(PP, SK, CT) M
Security Definition (ABE) [IND-CPA GM 84] Key Challenge Query Setup Query Phase. II I Challenger Attacker Public Params S 1 MSK S 1 S 2 Si : set of attributes M 0, M 1, access policy A Enc(M , PP)I – in both phases, no queried Si can satisfy A Same as Phase b, A Attacker must guess b
Proving Security Hard problem Hard. ABE problem Simulator breaks ABE attacker
Challenges in Proving Security Simulator must: • respond to key requests • leverage attacker’s success on challenge
Partitioning Previous approach for IBE – Partitioning [BF 01, BB 04, W 05] Key Space We hope: Key Requests Key Request Abort Challenge Abort
Partitioning with More Structure ID 0 HIBE: ID 0: ID 1: ID 3 ID 0: ID 2: ID 4 ID 0: ID 2: ID 5 Exponential security degradation in depth ABE: ( A Ç B Ç C) Æ (A Ç D) … Exponential security degradation in formula length
Previous Solutions Selective Security Model: • Attacker declares challenge before seeing Public Parameters • A weaker model of security • To go to standard model by guessing –> exponential loss Until recently, only results were in this model Exception: Fully secure HIBE with polynomially many levels [G 06, GH 09]
Dual System Encryption [W 09] • New methodology for proving full security • No partitioning, no aborts • Simulator prepared to make any key and use any key as the challenge
Dual System Encryption Used in real system Normal Semi-Functional Types are indistinguishable (with a caveat)
Hybrid Security Proof Normal keys and ciphertext Normal keys, S. F. ciphertext, keys turn S. F. one by one Security now much easier to prove
Previously on Dual System Encryption… • [W 09] Fully secure IBE and HIBE • negligible correctness error • ciphertext size linear in depth of hierarchy • [LW 10] Fully secure HIBE with short CTs • no correctness error • CT = constant # group elements • closely resembles selectively secure scheme [BBG 05]
Our Results - ABE • Fully secure ABE • arbitrary monotone access formulas • security proven from static assumptions • closely resembles selectively secure schemes [GPSW 06, W 08]
ABE – Solution Framework G = a bilinear group of order N = p 1 p 2 p 3 e: G £ G ! GT is a bilinear map Subgroups Gp , Gp 1 2 3 – orthogonal under e, e. g. e(Gp 1, Gp 2) = 1 Gp Gp = main scheme 1 1 Gp Gp 2 3 Gp = semi-functional space 2 Gp = randomization for keys 3
ABE – Solution Framework G p 1 G p 2 Normal S. F. Decryption: Key paired with CT under e Normal S. F. G p 3
Technical Challenge • Achieve nominal semi-functionality: [LW 10] ? simulator can’t test for S. F. • S. F. key and S. F. CT correlated - decryption works in simulator’s view • regular S. F. key in attacker’s view
Key Technique • Semi-functional space imitates the main scheme • Linear Secret Sharing Scheme: shares reconstructed in parallel in Gp 1 and Gp 2 shares secret Regular s. f. : red secret is random, masks blue result Nominal s. f. : red secret is 0, won’t hinder decryption
Key Technique Attacker doesn’t have key capable of decrypting Attacker can’t distinguish nominal from regular s. f. Oh no! I was fooled! Value shared in s. f. space is info-theoretically hidden
Illustrative Example ? shared value = x AND A B ? share = z share = x-z {A}
Technical Challenge • Hiding the shared value in the CT: • blinding factors linked to attributes • Ciphertext elements are of the form: share blinding g 1 a± 1+ z 1 r 1 g 2± 2 + z 2 r 2 random where g 1 r 1 g 2 r 2 random g 1 2 G p 1 g 2 2 G p 2 Attributes can only be used once in the formula
Encoding Solution Example: To use an attribute A up to 4 times : A A: 1 A: 2 A: 3 A: 4 (A Æ B) Ç (A Æ C) becomes (A: 1 Æ B) Ç (A: 2 Æ C) max times used fixed at setup It would be better to get rid of the one-use restriction Open problem
Summary of ABE result • Full security ABE • Static assumptions • Similar to selectively secure schemes
Inner Product Encryption [KSW 08] Ciphertexts and secret keys: associated with vectors x v Decryption: v x if x ¢ v = 0 Message Advantage: ciphertext policy can be hidden
Coming Attractions • Stay tuned for CRYPTO 2010: • full security for Inner Product/ Attribute-Based Encryption from decisional Linear Assumption • by Okamoto and Takashima
Questions?
- Slides: 29