Adaptively attribute hiding hierarchical inner product encryption
This presentation is the property of its rightful owner.
Sponsored Links
1 / 25

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption PowerPoint PPT Presentation


  • 65 Views
  • Uploaded on
  • Presentation posted in: General

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption. 2012 / 4 / 18. Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric ). Functional Encryption. Secret key with parameter. Public key pk. Parameter. sk. Decryption. Encryption. Plain text. Cipher

Download Presentation

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Adaptively attribute hiding hierarchical inner product encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

2012 / 4 / 18

Tatsuaki Okamoto ( NTT ),

Katsuyuki Takashima ( Mitsubishi Electric ).


Functional encryption

Functional Encryption

Secret key

with parameter

Public key

pk

Parameter

sk

Decryption

Encryption

Plain

text

Cipher

text

Plain

text

Relation

R( , ) holds

  • This type is called Predicate Encryption in [BSW11].


Inner product encryption ipe ksw08

Inner Product Encryption ( IPE ) [KSW08]


Adaptive secure weakly attribute hiding ipe

(Adaptive Secure &) Weakly Attribute-Hiding IPE

Challenger

Some additional information on may be revealed

to a person with a matching key , i.e.,


Adaptive secure fully attribute hiding ipe

(Adaptive Secure &) Fully Attribute-Hiding IPE

Challenger

No additional information on is revealed even to

any person with a matching key , i.e.,

For each run of the game, the variable

is defined as

otherwise.

if


Adaptively attribute hiding hierarchical inner product encryption

Previous works of Attribute-Hiding IPE

  • [ KSW08 ] : Fully attribute-hidingbut selectively secure IPE

  • [ LOS+10 ] : Adaptively secure butweakly attribute-

  • hiding IPE based on a non-standard assumption

  • [ OT10 ] : Adaptively secure butweakly attribute-hiding

  • IPE based on the DLINassumption

  • [ AFV11 ] : Selectivelysecure andweakly attribute-hiding

  • IPE based on the LWEassumption

This work

Adaptively secure and fully attribute-hiding IPE

based on the DLINassumption


Adaptively attribute hiding hierarchical inner product encryption

Our Results

  • Adaptively secure and fully attribute-hiding IPE

  • based on the DLINassumption (basic scheme)

  • A variant IPE with a shorter (O(n)-size) master public key

  • and shorter (O(1)-size) secret keys (excluding the description of )

  • An extension to Hierarchical IPE (HIPE) with the same security


Adaptively attribute hiding hierarchical inner product encryption

Key Techniques

  • We extend Dual System Encryption (DSE) for our purpose

  • with various forms,i.e., normal, temporal 1, temporal 2 and

  • unbiased ….

  • Fully-AH IPE should deal with both cases,

matching and non-matching keys (to challenge CT),

while weakly-AH IPE deals with only the non-matching case.

  • All forms of a secret-key do not depend on whether

  • it is matching or not.

  • Dual Pairing Vector Space (DPVS) approach provides

  • rich basic transformations for achieving these various forms.

  • Large (-dim.) hidden subspaces gives

  • new types (Types 1-3) of information theoretical tricks

  • and various forms of computational reductions.


Adaptively attribute hiding hierarchical inner product encryption

Dual Pairing Vector Space Approach (I)

Dual Bases :

using symmetric pairing groups

Vector space

where

is a generator of

( Canonical ) pairing operation:

and

For

where

s.t.

basis of

for

s.t.

for

i.e.,

dual orthonormal bases of


Adaptively attribute hiding hierarchical inner product encryption

DPVS Approach (II)

  • Dual Pairing Vector Space (DPVS) approach :

with ( the canonical

Cryptographic Construction using

pairing and ) random dual bases as a master key pair

  • DLIN-based security from [OT10] machinery

  • Notation :

For

we denote

and

Basic Fact for Our Construction

For the above

and

from dual orthonormality of


Adaptively attribute hiding hierarchical inner product encryption

(master secret)

Vector Decomposition Problem (VDP) :

Hard to calculate

from

Intractable Problems on DPVS

(master public)

Dual Basis Computation Problem (DBP) :

Decisional Subspace Problem (DSP) :

from

E.g., hard to calculate

  • Hard to distinguish

and

where

and

and

VDP Assump.

DBP Assump.

Security of our IPE is proven under DLIN assumption, through variants of DSP.

DSP Assump.

DLIN Assump.


Basic idea for constructing ipe using dpvs

Basic Idea for Constructing IPE using DPVS

where


Weakly attribute hiding ipe scheme in ot10

Weakly Attribute-Hiding IPE Scheme in [OT10]

where


Proposed basic fully attribute hiding ipe scheme

Proposed (Basic) Fully Attribute-Hiding IPE Scheme

where


Game 0

-> Game 0’

Challenger

Game 0

otherwise

if

  • Game 0’ is the same as real security game, Game 0, except that

flip a coin before setup and the game is aborted if

  • We define that wins with prob. 1/2 when the game is aborted in Game 0’.

negligible from [OT10]

target of this talk


Dual system encryption dse methodology i

Dual System Encryption (DSE) Methodology (I)

Simulator

Challenge ciphertext  Semi-func.

Keys  Semi-func. (one by one)

Semi-func. challenge ciphertext  Random

i.e., Advantage of adversary = 0

Simulator can change them

under the above conditions.


Dse methodology ii

DSE Methodology (II)

Normal ciphertext

Semi-func. ciphertext

Normal key

Semi-func. key

This semi-func. form of keys cannot be used for fully-AH.

Need to introduce new forms with preserving functionality


Adaptively attribute hiding hierarchical inner product encryption

Extension of DSE (I):

R-preserving ciphertexts independent of challenge bit

(all but negligible prob.)

for

I.e.,

&

Independent of bit

preserving

Aim of game transformation:

Transform to -unbiased CT,


Adaptively attribute hiding hierarchical inner product encryption

Extension of DSE (II):

Randomization in 2-dim. and Swapping

DLIN

Temporal 1

CTwith

preparing the next

randomization

Temporal2 CTwith

DLIN

Temporal 1 Keywith

swapping

Temporal 2 Keywith

Iterate the changes among these 4 forms

for all queried

for


Adaptively attribute hiding hierarchical inner product encryption

Extension of DSE (III):

Last Conceptual Change to Unbiased CT

  • In Game 2- -4,

Temporal2 CTwith

1-st blockfor randomization

2-nd block for keeping

All queried keys are

Temporal 2 Keywith

  • In Game 3,

Unbiased CTwith

which is unbiased of is obtained.

is bounded by advantages for DLIN


Adaptively attribute hiding hierarchical inner product encryption

Comparison of Original and Extension of DSE

  • Original DSE Methodology

Challenge CT  Semi-func.

Keys  Semi-func. (one by one)

CT  Random

random since

  • Extension of DSE

Challenge CT 

Keys 

CT 

 (one by one)

since

CT  Unbiased w.r.t. b


Adaptively attribute hiding hierarchical inner product encryption

Key Ideas for Short Public / Secret Key IPE

We will explain key ideas using -dim. basic IPE.

  • We employ a special form of master secret key basis,

where

and a blank in the matrix denotes

  • Secret-key associated with

Then,

can be compressed to only 3 group elements

as well as


Adaptively attribute hiding hierarchical inner product encryption

Special Basis for fully-AH IPE with Short SK

  • We extend the basic construction to a 5 x 5 block matrix

  • one to achieve full AH security (as our basic IPE).


Adaptively fully ah ipe with constant size sk

Adaptively Fully-AH IPE with Constant-Size SK

SK size


Thank you

Thank You !


  • Login