Compact Adaptively Secure ABE from -Lin: Beyond NC 1 and Towards NL - PowerPoint PPT Presentation

Compact Adaptively Secure ABE from 𝑙 -Lin: Beyond NC 1 and Towards NL Huijia (Rachel) Lin and Ji Luo 1 / 42

Attribute-Based Encryption [SW05] Setup → mpk, msk KeyGen msk, 𝑔 → sk policy Compact: ct = 𝑃 𝑦 sk Expressive: 𝑔 ∈ powerful class of functions 𝑦, ct Enc mpk, 𝑦, 𝜈 → ct Dec sk, 𝑔, ct, 𝑦 → 𝜈𝑔 𝑦 attribute message Correctness. Learn 𝜈 if 𝑔 𝑦 ≠ 0 ( sk is authorized) 2 / 42

Attribute-Based Encryption [SW05] Setup → mpk, msk KeyGen msk, 𝑔 𝑗 → sk 𝑗 Collusion Resistance sk 𝑗 ’s Message is hidden given arbitrary number of unauthorized keys. 𝑦, ct Enc mpk, 𝑦, 𝜈 → ct Security. Hide 𝜈 if 𝑔 𝑗 𝑦 = 0 for all 𝑗 ( sk 𝑗 ’s are unauthorized) 3 / 42

Adaptive IND-CPA Security mpk 𝑔 𝑟 sk 𝑔 𝑟 Exp 𝑐 𝑦, 𝜈 0 , 𝜈 1 ct ← Enc 𝑦, 𝜈 𝑐 𝑔 𝑟 sk 𝑔 𝑟 if for all queried keys 𝑔 𝑟 𝑦 = 0 , then Exp 0 ≈ Exp 1 4 / 42

(Weaker) Selective IND-CPA Security 𝑦, Adaptive mpk Security 𝑔 𝑟 sk 𝑔 𝑟 Exp 𝑐 𝜈 0 , 𝜈 1 ct ← Enc 𝑦, 𝜈 𝑐 𝑔 𝑟 sk 𝑔 𝑟 if for all queried keys 𝑔 𝑟 𝑦 = 0 , then Exp 0 ≈ Exp 1 5 / 42

Challenging to have it all Compactness: ct = 𝑃 𝑦 NC 1 and ABP Adaptive Security are non-uniform : Each sk works with Standard Assumptions attribute of fixed length. Goal. Have it ALL for expressive classes of policies. Previously, the largest class was 𝐎𝐃 𝟐 [KW19]. Contribution 1. Extend to ABP . A rithmetic B ranching P rograms ⊇ NC 1 , arithmetic computation over ℤ 𝑞 . 6 / 42

Challenging to have it all Compactness: ct = 𝑃 𝑦 ABE for uniform Adaptive Security computation: Each sk works with Standard Assumptions attribute of any length. Contribution 2. DFA , NFA (regular languages) the first ABE for uniform computation with all above L , NL * (log-space Turing machines) * relaxed compactness 7 / 42

Related Works: Non-Uniform Model NON-standard NOT compact NOT adaptive assumptions [LOSTW10] for MSP [GPSW06] for MSP [LW12] for MSP 𝑟 -type assumption [GVW13, BGGHNSVV14] for Τ 𝑄 poly all-in-one: compact, adaptive, standard assumptions [KW19] for NC 1 ⟸ 𝑙 -Lin in pairing groups this work for ABP concurrent [GW20] for BP 8 / 42

Related Works: Uniform Model NON-standard NOT compact or NOT adaptive or assumptions [Wat12, Att14, AMY19, GWW19] for DFA concurrent [GW20] for NFA all-in-one: compact, adaptive, standard assumptions this work for DFA, NFA concurrent [GW20] for DFA 𝑙 -Lin beyond finite automata [AS16] for P (FE, based on iO) ct = 𝑃 𝑦 𝑈𝑇2 𝑇 this work for L, NL (relaxed compactness) sk = 𝑃 TM 9 / 42

New General Framework computational tool information-theoretic tool I nner- P roduct A rithmetic K ey F unctional E ncryption G arbling S cheme special randomized encoding 1-key 1-ABE = 1-ciphertext secret-key ABE 10 / 42

1-ABE via AKGS and IPFE convenience – 𝜈 in secret key Partially Hiding [IW14] AKGS sk 𝑔,𝜈 Randomized Encoding ෣ 𝜈𝑔 𝑦 𝜈𝑔 𝑦 ct 𝑦 use 𝜈 as one-time pad Secure: ෣ 𝜈𝑔 𝑦 hides 𝜈 beyond 𝜈𝑔 𝑦 . It does not hide 𝑔, 𝑦 . Simple: RE is linear in 𝑦 . compute using IPFE ⟹ 11 / 42

Arithmetic Key Garbling Scheme 1. Label functions: 𝑀 1 , … , 𝑀 𝑛 ← Garble 𝑔, 𝜈; 𝑠 ℓ 1 , … , ℓ 𝑛 = 𝑀 1 𝑦 , … , 𝑀 𝑛 𝑦 2. Garblings: a.k.a. “labels” 𝑜 → ℤ 𝑞 𝑔, 𝑦, ℓ 1 , … , ℓ 𝑛 𝑔: ℤ 𝑞 𝑜 𝑦 ∈ ℤ 𝑞 Eval 𝑔, 𝑦, ℓ 1 , … , ℓ 𝑛 = 𝜈𝑔 𝑦 Security (partial hiding). Sim 𝑔, 𝑦, 𝜈𝑔 𝑦 → ℓ 1 , … , ℓ 𝑛 not hidden 12 / 42

Arithmetic Key Garbling Scheme 1. Label functions: 𝑀 1 , … , 𝑀 𝑛 ← Garble 𝑔, 𝜈; 𝑠 ℓ 1 , … , ℓ 𝑛 = 𝑀 1 𝑦 , … , 𝑀 𝑛 𝑦 2. Garblings: 𝑜 → ℤ 𝑞 𝑔, 𝑦, ℓ 1 , … , ℓ 𝑛 𝑔: ℤ 𝑞 𝑜 𝑦 ∈ ℤ 𝑞 Eval 𝑔, 𝑦, ℓ 1 , … , ℓ 𝑛 = 𝜈𝑔 𝑦 Linearity. 1. 𝑀 1 , … , 𝑀 𝑛 are linear in 𝑦 : 𝑀 𝑘 𝑦 = 𝑀 𝑘 , 𝑦 thanks to 2. coefficients of 𝑀 1 , … , 𝑀 𝑛 are linear in 𝜈, 𝑠 partial hiding 3. Eval is linear in ℓ 1 , … , ℓ 𝑛 13 / 42

Inner-Product Functional Encryption Dec isk 2 ← KeyGen msk, 𝒘 2 𝒗, 𝒘 T ict 1 ← Enc msk, 𝒗 1 Function-Hiding Property isk 𝒘 1 isk 𝒘 2 ⋯ isk 𝒘 𝐽 Adaptive Security: Τ isk ict can interleave. isk 𝒗 1 ict 𝒗 2 ⋯ ict 𝒗 𝐾 ′ ′ ′ isk 𝒘 1 isk 𝒘 2 ⋯ isk 𝒘 𝐽 ≈ ′ for all 𝑗, 𝑘 ′ , 𝒘 𝑘 if 𝒗 𝑗 , 𝒘 𝑘 = 𝒗 𝑗 ′ ′ ′ isk 𝒗 1 ict 𝒗 2 ⋯ ict 𝒗 𝐾 14 / 42

Pairing-Based IPFE [ALS16, LV16] Dec isk 2 ← KeyGen msk, 𝒘 2 𝒗, 𝒘 T ict 1 ← Enc msk, 𝒗 1 = pairing Asymmetric Pairing Groups 𝑏 𝐻 1 : 𝑏 1 = 𝑕 1 pairing 𝑏𝑐 ∈ 𝐻 T 𝑏𝑐 T = 𝑕 T operation 𝑐 𝐻 2 : 𝑐 2 = 𝑕 2 15 / 42

1-ABE via AKGS and IPFE 𝑀 1 , … , 𝑀 𝑛 ← Garble 𝑔, 𝜈 sk 𝑔,𝜈 = isk 𝑀 𝑘 labels in the exponent 𝑘∈ 𝑛 IPFE ℓ 𝑘 = 𝑀 𝑘 𝑦 Dec T ct 𝑦 = ict 𝑦 Eval linear Intuitions for Security. 𝜈𝑔 𝑦 T • IPFE ⟹ only ℓ 𝑘 ’s are revealed • AKGS ⟹ only 𝜈𝑔 𝑦 is revealed 16 / 42

Selective Security of 1-ABE Real World Next step: hardwire labels in secret key 𝑦 s.t. 𝑔 𝑦 = 0 want. 𝜈 is hidden sk 𝑔,𝜈 𝑀 𝑘 0 { isk ( ) } 𝑀 1 , … , 𝑀 𝑛 ← Garble 𝑔, 𝜈 ℓ 𝑘 = 𝑀 𝑘 𝑦 ct 𝑦 𝑦 0 ict ( ) 17 / 42

Hardwire Labels in Secret Key via IPFE Next step: simulate labels 𝑦 s.t. 𝑔 𝑦 = 0 want. 𝜈 is hidden sk 𝑔,𝜈 ℓ 𝑘 0 { isk ( ) } 𝑀 1 , … , 𝑀 𝑛 ← Garble 𝑔, 𝜈 ℓ 𝑘 = 𝑀 𝑘 𝑦 ct 𝑦 𝑦 1 ict ( ) 18 / 42

Simulate Labels via AKGS 𝑦 s.t. 𝑔 𝑦 = 0 want. 𝜈 is hidden sk 𝑔,𝜈 ℓ 𝑘 0 { isk ( ) } ℓ 1 , … , ℓ 𝑛 ← Sim 𝑔, 𝑦, 𝜈𝑔 𝑦 ct 𝑦 𝑦 1 ict ( ) 19 / 42

Adaptive Security? need 𝑦 to simulate sk 𝑔,𝜈 ℓ 𝑘 0 { isk ( ) } ℓ 1 , … , ℓ 𝑛 ← Sim 𝑔, 𝑦, 𝜈𝑔 𝑦 𝑦 s.t. 𝑔 𝑦 = 0 ct 𝑦 𝑦 1 ict ( ) Idea. Rely on special structure of simulator. 20 / 42

Special Simulation Structure Real Garbling ℓ 1 , … , ℓ 𝑛 are uniformly random subject to correctness: Eval 𝑔, 𝑦, ℓ 1 , … , ℓ 𝑛 = 𝜈𝑔 𝑦 . linear constraint Simulator ☺ independent of 𝑦 1. Draw ℓ 2 , … , ℓ 𝑛 ← ℤ 𝑞 . 2. Find unique ℓ 1 s.t. evaluation is correct. ☺ only one label depends on 𝑦 21 / 42

Simulation for Adaptive Security equation depends on 𝑦 find ℓ 1 s.t. Eval 𝑔, 𝑦, … = 𝜈𝑔 𝑦 sk 𝑔,𝜈 0 ℓ 1 isk ( ) ℓ 2 ← ℤ 𝑞 0 ℓ 2 isk ( ) ⋮ ⋮ ℓ 𝑘 ← ℤ 𝑞 ℓ 𝑘 0 isk ( ) ⋮ ⋮ 𝑦 s.t. 𝑔 𝑦 = 0 ct 𝑦 𝑦 1 ict ( ) Idea. Put ℓ 1 in ciphertext 22 / 42

Simulation for Adaptive Security sk 𝑔,𝜈 0 1 0 isk ( ) ℓ 2 ← ℤ 𝑞 0 0 ℓ 2 isk ( ) ⋮ ⋮ ℓ 𝑘 ← ℤ 𝑞 ℓ 𝑘 0 0 isk ( ) ⋮ ⋮ 𝑦 s.t. 𝑔 𝑦 = 0 find ℓ 1 s.t. Eval 𝑔, 𝑦, … = 0 ct 𝑦 𝑦 ℓ 1 1 ict ( ) 23 / 42

Real World vs. Simulation Real World Simulation sk 𝑔,𝜈 sk 𝑔,𝜈 isk ( 𝑀 1 0 0 isk ( 0 1 0 ) ) 𝑘 > 1 {isk ( 𝑀 𝑘 ℓ 𝑘 0 0 𝑘 > 1 {isk ( 0 0 )} )} ct 𝑦 ict ( 𝑦 0 0 ct 𝑦 ict ( 𝑦 ℓ 1 1 ) ) need same labels to use IPFE 𝑀 1 , … , 𝑀 𝑛 ← Garble 𝑔, 𝜈 ℓ 2 , … , ℓ 𝑛 ← ℤ 𝑞 ℓ 1 , … , ℓ 𝑛 = 𝑀 1 𝑦 , … , 𝑀 𝑛 𝑦 find ℓ 1 s.t. Eval ⋯ = 𝜈𝑔 𝑦 = 0 honestly generated labels simulated labels same distribution of labels 24 / 42

Bridging the Gap: Piecewise Security 𝑀 1 , … , 𝑀 𝑛 ← Garble 𝑔, 𝜈 Labels are marginally random given subsequent label functions. for 𝑘 > 1 and all 𝑦 : piecewise 𝑀 𝑘 𝑦 , 𝑀 𝑘+1 , … , 𝑀 𝑛 ≡ $, 𝑀 𝑘+1 , … , 𝑀 𝑛 security ℓ 1 is uniquely determined by Eval ⋯ = 𝜈𝑔 𝑦 . We show that AKGS for ABP [IW14] is piecewise secure. 25 / 42

Adaptive Security of 1-ABE Next step: hardwire ℓ 1 in ciphertext Real World sk 𝑔,𝜈 𝑀 1 0 0 0 isk ( ) isk ( 𝑀 2 0 0 0 ) ⋮ 𝑀 𝑘 0 0 0 isk ( ) ⋮ 𝑦 ℓ 1 = 𝑀 1 𝑦 s.t. 𝑔 𝑦 = 0 ct 𝑦 𝑦 0 0 0 ict ( ) 26 / 42

Hardwire ℓ 1 in Ciphertext via IPFE Next step: find unique ℓ 1 from correctness equation sk 𝑔,𝜈 0 1 0 0 isk ( ) isk ( 𝑀 2 0 0 0 ) ⋮ 𝑀 𝑘 0 0 0 isk ( ) ⋮ 𝑦 ℓ 1 = 𝑀 1 𝑦 s.t. 𝑔 𝑦 = 0 ct 𝑦 𝑦 ℓ 1 0 0 ict ( ) 27 / 42

Find Unique ℓ 1 via AKGS sk 𝑔,𝜈 0 1 0 0 isk ( ) isk ( 𝑀 2 0 0 0 ) ⋮ 𝑀 𝑘 0 0 0 isk ( ) ⋮ find ℓ 1 s.t. 𝑦 s.t. 𝑔 𝑦 = 0 Eval ⋯ = 𝜈𝑔 𝑦 ct 𝑦 𝑦 ℓ 1 0 0 ict ( ) 28 / 42

Goal. Simulate ℓ 2 as Random Next step: hardwire ℓ 2 in ciphertext sk 𝑔,𝜈 0 1 0 0 isk ( ) isk ( 𝑀 2 0 0 0 ) ℓ 2 = 𝑀 2 𝑦 ⋮ 𝑀 𝑘 0 0 0 isk ( ) ⋮ 𝑦 find ℓ 1 s.t. s.t. 𝑔 𝑦 = 0 Eval ⋯ = 𝜈𝑔 𝑦 = 0 ct 𝑦 𝑦 ℓ 1 0 0 ict ( ) 29 / 42