1 Dual System Encryption Framework in Prime-Order Groups via Computational Pair Encodings Nuttapong Attrapadung (Nuts) AIST, Japan Asiacrypt 2016 Hanoi, Vietnam, December 7, 2016
2 Our Main Result in One Slide A Generic Framework for Fully Secure ABE in Prime-order Groups Implies many first fully-secure & prime-order instantiations: ABE for regular languages, Short-ciphertext ABE, etc.
3 1 Introduction
4 Attribute Based Encryption (ABE) [SW05] ABE for predicate R: X × Y → {0,1}. Key for x ∈ X; ciphertext for y ∈ Y (encrypt M). Decrypt: M if R(x,y)=1, ? if R(x,y)=0.
5 More Complete Picture of ABE. Setup: master public key, master secret key. Encrypt (input y, M): ciphertext for y ∈ Y (encrypt M). KeyGen (input x): key for x ∈ X. Decrypt: M if R(x,y)=1, ? if R(x,y)=0.
6 Example of Predicates 1. Key-Policy ABE for Boolean Formulae [GPSW06] • suitable for content-based access control. • policy x is associated to the key, attribute set y to the ciphertext. [Figure: example policy x and attribute set y; labels: Movie, Drama, OR, Disney, AND, Japanese, Soccer, Animation, Movie, Disney] • R(x,y)=1 iff y satisfies x.
7 Example of Predicates 2. Ciphertext-Policy ABE for Boolean Formulae [BSW07,W11] • suitable for person-based access control. • attribute set x is associated to the key, policy y to the ciphertext. [Figure: example attribute set x and policy y; labels: Ph.D., OR, CS, AND, Thai, CEO, Asian, Ph.D., CS] • R(x,y)=1 iff x satisfies y.
8 Example of Predicates 3. Dual-Policy ABE for Boolean Formulae [AI09] [Figure: example policies $x_1$, $y_2$ and attribute sets $y_1$, $x_2$; labels: OR, Blood, AND, Fat value, Heart, date:201507, Blood, date:201507; OR, Doctor:K, AND, Department:X, AND, Patient:Bob, Nurse, Hospital:T, Clinic:A, Doctor:K, Hospital:T] • R(x,y)=1 iff $y_1$ satisfies $x_1$ AND $x_2$ satisfies $y_2$.
9 More Examples of Predicates (1/2)
Predicate: what x and y are; R(x,y)=1 iff
• Identity Based (IBE) [S84, BB04,..]: $x \in \{0,1\}^n$, $y \in \{0,1\}^n$; $x = y$
• Inner Product (IPE) [KSW08]: $x \in \mathbb{Z}_p^n$, $y \in \mathbb{Z}_p^n$; $\langle x, y \rangle = 0$
• Doubly Spatial (DSE) [H11]: $x$, $y$ affine spaces in $\mathbb{Z}_p^n$; $x \cap y \neq \emptyset$
10 More Examples of Predicates (2/2)
Predicate: what x and y are; R(x,y)=1 iff
• Span Program [GPSW06,…], Finite Automata [W12, A14], Branching Program [GVW13,IW14], Circuits [GGHSW13,GVW13]: $x = f(\cdot)$ with $f$ in that class, $y$; $f(y) = 1$
11 Is there a generic way to design ABE for arbitrary predicate R ?
12 Yes, using recent generic frameworks [A. Eurocrypt 14], [Wee TCC14]
“Pair encoding” for R + Subgroup Decision ⇒ Fully secure ABE for R
• Advantage of pair encoding: security is much easier to prove!
• Perfect [A14,W14]: Info-theoretic argument.
• Computational [A14]: Similar to selective security.
• But these yield ABEs in composite-order groups.
13 Motivation for Prime-order Groups • Better efficiency than composite-order groups. [G13] • Element size: 256 bits vs 3072 bits • Bilinear pairing: 254 times faster
14 Recent Prime-order Frameworks • [Chen,Gay,Wee EC15], [Agrawal, Chase TCC16] • extending [W14,A14]. • but only for perfect encoding • This work: both perfect & computational encoding
15 Computational enc covers many more
Computational encoding
• boolean formula [A14,AY15,AHY15] - KP, CP, DP - fully unbounded - short-key or short-ciphertext
• boolean formula over doubly-spatial - KP, CP, DP [A14,AY15]
• finite automata (regular language) - KP, CP, DP [W12,A14,AY15]
Perfect encoding
• IBE, IPE, Spatial
• boolean formula with some bounds [LOSTW10,W14,A14,…]
16 Our Main Theorem
Pair encoding for R + Matrix DH [EHK+13] ⇒ Fully secure ABE for R (Prime-order)
Security of pair encoding: same as [A14] ☺
Syntax: more restricted, but all current encodings satisfy!
[A14]: Pair encoding for R + Subgroup Decision ⇒ Fully secure ABE for R (Composite-order)
17 Instantiations: Apply to Existing Encodings
Computational encoding (the first fully-secure & prime-order schemes)
• boolean formula [A14,AY15,AHY15] - KP, CP, DP - fully unbounded - short-key or short-ciphertext
• boolean formula over doubly-spatial - KP, CP, DP [A14,AY15]
• finite automata (regular language) - KP, CP, DP [W12,A14,AY15]
• branching program - KP, CP, DP - unbounded [new] - short-key or short-ciphertext [new]
Perfect encoding
• IBE, IPE, Spatial
• boolean formula with some bounds [LOSTW10,W14,A14,…]
19 2 Scheme
20 Bilinear Maps $e : G_1 \times G_2 \to G_T$
$\mathsf{PrimeG}(\lambda) \to (e, p, g_1, g_2)$: $G_1, G_2$ groups of prime order $p$; generators $g_1 \in G_1$, $g_2 \in G_2$
$\mathsf{CompositeG}(\lambda) \to (e, N, g_1, \hat{g}_1, g_2, \hat{g}_2)$: $G_1, G_2$ groups of composite order $N = pq$; $g_1 \in G_{1,p}$, $\hat{g}_1 \in G_{1,q}$, $g_2 \in G_{2,p}$, $\hat{g}_2 \in G_{2,q}$
21 Pair Encoding Scheme (PES) [A14]
Syntax:
$\mathsf{Param}(\kappa) \to n$
$\mathsf{Enc1}(x, N) \to \mathbf{k}_x(\alpha, \mathbf{r}, \mathbf{h})$ and $m_1, m_2$
$\mathsf{Enc2}(y, N) \to \mathbf{c}_y(\mathbf{s}, \mathbf{h})$ and $w_1, w_2$
$\mathsf{Pair}(x, y, N) \to \mathbf{E} \in \mathbb{Z}_N^{m_1 \times w_1}$
where $\mathbf{k}_x \in \mathbb{Z}_N[\alpha, \mathbf{r}, \mathbf{h}]^{m_1}$ and $\mathbf{c}_y \in \mathbb{Z}_N[\mathbf{s}, \mathbf{h}]^{w_1}$ have variables $\alpha$, $\mathbf{h} = (h_1, \ldots, h_n)$, $\mathbf{r} = (r_1, \ldots, r_{m_2})$, $\mathbf{s} = (s_0, \ldots, s_{w_2})$ and only monomials $\alpha, r_i, h_k r_i$ (in $\mathbf{k}_x$) and $s_j, h_k s_j$ (in $\mathbf{c}_y$). (Ensure linearity.)
22 Pair Encoding Scheme (PES) [A14] (syntax as on slide 21)
Correctness: $R(x, y) = 1 \Rightarrow \mathbf{k}_x \mathbf{E} \mathbf{c}_y^\top = \alpha s_0$
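23 Fully Secure ABE from PES [A14, simplified]
Setup(λ, κ): $\mathsf{CompositeG}(\lambda) \to (e, N, g_1, \hat{g}_1, g_2, \hat{g}_2)$, $\mathsf{PES.Param}(\kappa) \to n$, $\mathbf{h} \xleftarrow{\$} \mathbb{Z}_N^n$, $\alpha \xleftarrow{\$} \mathbb{Z}_N$
$\mathsf{PK} = \left(g_1, g_1^{\mathbf{h}}, e(g_1, g_2)^{\alpha}\right)$
$\mathsf{MSK} = \left(g_2, g_2^{\mathbf{h}}, g_2^{\alpha}\right)$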
24 Fully Secure ABE from PES [A14, simplified] (Setup as on slide 23)
Encrypt(PK, y, M): $\mathsf{PES.Enc2}(y, N) \to (\mathbf{c}_y, w_1, w_2)$, $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_N^{w_2}$
$\mathsf{CT} = \left(g_1^{\mathbf{c}_y(\mathbf{s}, \mathbf{h})}, e(g_1, g_2)^{\alpha s_0} \cdot M\right)$
25 Fully Secure ABE from PES [A14, simplified] (Setup and Encrypt as on slides 23 and 24)
KeyGen(MSK, x): $\mathsf{PES.Enc1}(x, N) \to (\mathbf{k}_x, m_1, m_2)$, $\mathbf{r} \xleftarrow{\$} \mathbb{Z}_N^{m_2}$
$\mathsf{SK} = g_2^{\mathbf{k}_x(\alpha, \mathbf{r}, \mathbf{h})}$
26 Fully Secure ABE from PES [A14, simplified]
$\mathsf{CT} = \left(g_1^{\mathbf{c}_y(\mathbf{s}, \mathbf{h})}, e(g_1, g_2)^{\alpha s_0} \cdot M\right)$
$\mathsf{SK} = g_2^{\mathbf{k}_x(\alpha, \mathbf{r}, \mathbf{h})}$
Decrypt($\mathsf{CT}_y$, $\mathsf{SK}_x$): $\mathsf{PES.Pair}(x, y, N) \to \mathbf{E}$,
$\mathbf{e}\left(g_1^{\mathbf{E} \mathbf{c}_y^\top}, g_2^{\mathbf{k}_x^\top}\right) = e(g_1, g_2)^{\mathbf{k}_x \mathbf{E} \mathbf{c}_y^\top} = e(g_1, g_2)^{\alpha s_0}$
where $\mathbf{e}\left(g_1^{\mathbf{M}_1}, g_2^{\mathbf{M}_2}\right) := e(g_1, g_2)^{\mathbf{M}_2^\top \mathbf{M}_1}$
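27 Fully Secure ABE from PES [A14, simplified]
$\mathsf{PK} = \left(g_1, g_1^{\mathbf{h}}, e(g_1, g_2)^{\alpha}\right)$
$\mathsf{MSK} = \left(g_2, g_2^{\mathbf{h}}, g_2^{\alpha}\right)$
$\mathsf{CT} = \left(g_1^{\mathbf{c}_y(\mathbf{s}, \mathbf{h})}, e(g_1, g_2)^{\alpha s_0} \cdot M\right)$
$\mathsf{SK} = g_2^{\mathbf{k}_x(\alpha, \mathbf{r}, \mathbf{h})}$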
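28 Example: IBE [BB04,LW10]
$\mathbf{h} = (h_1, h_2)$
$\mathsf{PK} = \left(g_1, g_1^{\mathbf{h}}, e(g_1, g_2)^{\alpha}\right)$
$\mathsf{MSK} = \left(g_2, g_2^{\mathbf{h}}, g_2^{\alpha}\right)$
$\mathsf{CT} = \left(g_1^{\mathbf{c}_y(\mathbf{s}, \mathbf{h})}, e(g_1, g_2)^{\alpha s_0} \cdot M\right)$ with $\mathbf{c}_y(\mathbf{s}, \mathbf{h}) = \left(s_0 (h_1 + y h_2),\ s_0\right)$
$\mathsf{SK} = g_2^{\mathbf{k}_x(\alpha, \mathbf{r}, \mathbf{h})}$ with $\mathbf{k}_x(\alpha, \mathbf{r}, \mathbf{h}) = \left(\alpha + r_1 (h_1 + x h_2),\ r_1\right)$
If $x = y$: $\left(\alpha + r_1 (h_1 + x h_2),\ r_1\right) \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix} \begin{pmatrix} s_0 (h_1 + y h_2) \\ s_0 \end{pmatrix} = \alpha s_0$, where $\mathbf{E} = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}$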
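The IBE encoding on this slide can be checked numerically. The following Python code is an added example, not taken from the talk or the paper: it runs the generic Setup/Encrypt/KeyGen/Decrypt with this encoding "in the exponent", storing each group element g^a as the scalar a. The modulus P and all function names are assumptions made for illustration.

```python
import secrets

P = 2**61 - 1   # constructed toy prime; stands in for the group order

def rnd():
    return 1 + secrets.randbelow(P - 1)   # nonzero scalar mod P

# IBE pair encoding from the slide: h = (h_1, h_2), r = (r_1), s = (s_0).
def enc1(x, alpha, r, h):          # k_x(alpha, r, h)
    return [(alpha + r[0] * (h[0] + x * h[1])) % P, r[0]]

def enc2(y, s, h):                 # c_y(s, h)
    return [s[0] * (h[0] + y * h[1]) % P, s[0]]

def pair(x, y):                    # E = [[0, 1], [-1, 0]] (mod P)
    return [[0, 1], [P - 1, 0]]

def k_E_cT(k, E, c):               # exponent of e(g1^{E c^T}, g2^{k^T})
    return sum(k[i] * E[i][j] * c[j]
               for i in range(len(k)) for j in range(len(c))) % P

# Generic scheme, simulated in the exponent: a group element g^a is stored
# as a, and a G_T message as its exponent m, so "* M" becomes "+ m".
# This exposes every discrete log and is for checking correctness only.
def setup():
    h, alpha = [rnd(), rnd()], rnd()
    pk = {"h": h, "alpha_T": alpha}     # (g1^h, e(g1,g2)^alpha)
    msk = {"h": h, "alpha": alpha}      # (g2^h, g2^alpha)
    return pk, msk

def encrypt(pk, y, m):
    s = [rnd()]
    return enc2(y, s, pk["h"]), (pk["alpha_T"] * s[0] + m) % P

def keygen(msk, x):
    return enc1(x, msk["alpha"], [rnd()], msk["h"])

def decrypt(ct, sk, x, y):
    c, blinded = ct
    return (blinded - k_E_cT(sk, pair(x, y), c)) % P

def demo(x, y, m=42):
    pk, msk = setup()
    return decrypt(encrypt(pk, y, m), keygen(msk, x), x, y)
```

For x ≠ y the recovered value is off by r_1 s_0 h_2 (x − y) mod P, which is nonzero here because all sampled scalars are nonzero and P is prime.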
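29 Towards Prime-order Setting
Substitute scalar by vector/matrix as in [Chen, Wee C13].
$\alpha \mapsto \boldsymbol{\alpha} \in \mathbb{Z}_p^{d+1}$, $h_k \mapsto \mathbf{H}_k \in \mathbb{Z}_p^{(d+1) \times (d+1)}$, $s_j \mapsto \mathbf{s}_j \in \mathbb{Z}_p^{d}$, $r_i \mapsto \mathbf{r}_i \in \mathbb{Z}_p^{d}$
Generators: pick $\mathbf{B}, \mathbf{Z} \in \mathbb{Z}_p^{(d+1) \times (d+1)}$ with a distribution $S_d$,
$g_1 \mapsto g_1^{\mathbf{B}\mathbf{L}} \in G_1^{(d+1) \times d}$, $g_2 \mapsto g_2^{\mathbf{Z}\mathbf{L}} \in G_2^{(d+1) \times d}$
where $\mathbf{L} := \begin{pmatrix} \mathbf{I}_d \\ \mathbf{0} \end{pmatrix}$ is the $(d+1) \times d$ matrix with 1s on the diagonal and a zero last row (left projection), so $\mathbf{B}\mathbf{L}$ is the left $d$ columns of $\mathbf{B}$.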
30 Towards Prime-order Setting
$s_j \mapsto \mathbf{s}_j \in \mathbb{Z}_p^{d}$, $h_k \mapsto \mathbf{H}_k \in \mathbb{Z}_p^{(d+1) \times (d+1)}$, $g_1 \mapsto g_1^{\mathbf{B}\mathbf{L}} \in G_1^{(d+1) \times d}$
Exponentiations:
$g_1^{h_k} \mapsto g_1^{\mathbf{H}_k \mathbf{B}\mathbf{L}} \in G_1^{(d+1) \times d}$
$g_1^{s_j} \mapsto g_1^{\mathbf{B}\mathbf{L}\mathbf{s}_j} \in G_1^{(d+1) \times 1}$
$g_1^{h_k s_j} \mapsto g_1^{\mathbf{H}_k \mathbf{B}\mathbf{L}\mathbf{s}_j} \in G_1^{(d+1) \times 1}$
(tweaked from [CW13], which is not directly applicable.)