Functional Encryption Lecture 23 ABE from LWE
Functional Encryption f g h KeyGen PK SK SK f PK f(x) Dec SK g x g(x) Enc Dec Ciphertext SK h h(x) Dec
Index-Payload Functions Message x=( � ,m), and functions f π s.t. f π (x)=( � , m iff π ( � )=1) � is the index which is public, and m is output iff π ( � )=1, where π is a predicate Identity-Based Encryption (IBE): π � ( � ) = 1 iff � = � Attribute-Based Encryption (ABE) Key-Policy ABE: � ∈ {0,1} n and π a circuit (policy) over n Boolean variables Ciphertext-Policy ABE: � a circuit (policy) over n Boolean variables, and π evaluates an input circuit on a fixed assignment Predicate Encryption: x=( � ,m) and function f π contains a predicate π s.t. f π (x) = m iff π ( � )=1 ( ⊥ otherwise). Note: Not public-index, as � remains hidden
KP-ABE For Linear Policies PK: g, Y=e(g,g) y , T = (g t1 ,..., g tn ) (n attributes) MSK: y and t a for each attribute a s } a ∈ A , m.Y s ) Enc(m,A;s) = ( A, { T a SK for policy W (with n rows): Let u=(u 1 ... u n ) s.t. Σ a u a = y. For each row a, let x a = ⟨ W a ,u ⟩ /t a . Let Key X = { g x a } a ∈ [n] Dec ( (A, {Z a } a ∈ A ,C); {X a } a ∈ [n] ) : Get Y s = Π a ∈ A e(Z a ,X i ) v a where v = [v 1 ... v n ] s.t. v a =0 if a ∉ A, and v W = [1…1]. m = C/Y s A random vector u for each key to prevent collusion Selective (attribute) security based on Decisional-BDH
Today: KP-ABE From LWE Policy given as an arithmetic circuit f: Z qt → Z q and a value y. Key SK f,y decrypts ciphertext with attribute � iff f( � ) = y. Very expressive policy ⇒ no conceptual distinction between CP-ABE and KP-ABE Can implement CP-ABE also as KP-ABE: � encodes a policy (as bits representing a circuit) and f implements evaluating this policy on attributes hardwired into it
KP-ABE From IBE? Policy is (f,y) where f comes from a very large function family But suppose we had a small number of functions f Then enough to have a set of IBE instances one for each f PK = { K f } one for each f SK f,y = SK for ID y under scheme for f Enc PK ( � ,m) = ( � , { Enc Kf (m;f( � )) } f ) At a high level, will emulate this idea. But will allow constructing K f and Enc Kf (m;y) for any function f using a circuit for f from a few components (corresponding to the inputs to f)
Key-Homomorphism Overview: PK consists of keys K i , i=1,…,t (for t attributes) K 1 ,…, K 1 can be transformed into a public key K f Ciphertext will have the message masked with mask(s), where s is randomly chosen Ciphertext also includes Q i, � i (s) using key K i and attribute � i Q i, � i can be combined into an encoding Q f,f( � ) (s) under key K f MSK can be used to compute SK f,y that can transform Q f,y (s) into mask(s).
KP-ABE From LWE K f (f,y) PKEval f KeyGen PK = (K 1 ,…,K t ,K mask ) K 1 … K t SK f,y can transform Q f,y (s) into Mask(s;K mask ) CT = [ � , Q 1, � 1 (s),…, Q t, � t (s), Q f,f( � ) m + Mask(s;K mask ) ] CTEval f ( � ,m) Enc Dec Q 1, � 1 … Q t, � t If f( � )=y, decode Q f,f( � ) using SK f,y to get Mask(s;K mask )
KP-ABE From LWE PK: K i = [ A 0 | A i ] and K mask = D, where A 0 , A i ← Z qn × m , D ← Z qn × d m >> n log q so that A r is statistically close to uniform even when r has small entries (e.g., bits) Fact: Can pick A along with a trapdoor T A (a “good” basis for the lattice L A ⊥ ) so that, given for any u ∈ Z qn , one can use T A to sample r with small Z q entries (from a discrete Gaussian) that satisfies A r = u Also sample R with small entries so that AR=D for D ∈ Z qn × d Also can sample such an R so that [ A | B ]R = D for any B Need [ A | B ] [ R 1 | R 2 ] T = D. Sample R 2 . Then use T A to sample R 1T s.t. AR 1T = D - BR 2T MSK: Trapdoor T A 0
KP-ABE From LWE PK: K i = [ A 0 | A i ] and K mask = D, where A, A i ← Z qn × m , D ← Z qn × d and MSK: Trapdoor T A 0 K f = [ A 0 | A f ] where A f = PKEval(f,A 1 ,…,A t ) (To be described) For a key A and x ∈ Z q let A ⊞ x denote [A 0 | A + xG], where G is the matrix to invert bit decomposition Q i, � i ( s ) ≈ (A i ⊞ � i ) T s where s ← Z qn and ≈ stands for adding a small noise (as in LWE). (Only one copy ≈ A 0T s included.) Mask( s ;D) ≈ D T s . Include Mask( s ;D) + ⌊ q/2 ⌋ m. Q f , f( � ) ( s ) = CTEval(f, � ,Q 1, � 1 ( s )…,Q t, � t ( s )) ≈ (A f ⊞ f( � )) T s (To be described) SK f,y : Compute A f . Use T A 0 to get R f,y s.t. (A f ⊞ y) R f,y = D Decryption: If f( � )=y, then R f,yT ⋅ Q f , f( � ) ( s ) ≈ D T s . Recover m ∈ {0,1} d .
KP-ABE From LWE K f = [ A 0 | A f ] where A f = PKEval(f,A 1 ,…,A t ) (To be described) Q f , f( � ) ( s ) = CTEval(f, � ,Q 1, � 1 ( s )…,Q t, � t ( s )) ≈ (A f ⊞ f( � )) T s (To be described) CTEval computed gate-by-gate Enough to describe CTEval(f 1 +f 2 , (y 1 ,y 2 ), Q f1,y1 ( s ), Q f2,y2 ( s )) and CTEval(f 1 ⋅ f 2 , (y 1 ,y 2 ), Q f1,y1 ( s ), Q f2,y2 ( s )) Recall Q f1,y1 ( s ) ≈ (A f1 ⊞ y 1 ) T s = [ A 0 | A f1 + y 1 G ] T s Keep ≈ A 0T s aside. To compute [ A g(f1,f2) + g(y 1 ,y 2 )G ] T s for g=+, ⋅ [ A f1 +y 1 G ] T s + [ A f2 +y 2 G ] T s = [ A f1+f2 + (y 1 + y 2 ) G ] T s with A f1 ⋅ f2 A f1+f2 = A f1 + A f2 (errors add up) y 2 ⋅ [ A f1 +y 1 G ] T s - B(A f1 ) T [ A f2 +y 2 G ] T s = [-A f2 B(A f1 ) + y 1 y 2 G] T s err = y 2 ⋅ err 1 + B(A f1 ) T err 2 . Need y 2 to be small.
KP-ABE From LWE Security? Sanity check: Is it secure when no function keys SK f,y are given to the adversary? Security from LWE All components in the ciphertext are LWE samples of the form ⟨ a , s ⟩ +noise, for the same s and random a . Hence all pseudorandom, including the mask D T s + noise Do the secret keys SK f,y make it easier to break security? Claim: No!
KP-ABE From LWE Scheme is selective-secure (under LWE) Recall selective security: Adversary first outputs (x 0 ,x 1 ) s.t. F(x 0 )=F(x 1 ) for all F for which it receives keys. Challenge = Enc(x b ) ABE: x=( � ,m) and F f,y (x) = ( � , m iff f( � )=y) F(x 0 )=F(x 1 ) ⇒ same � * and f( � *) ≠ y Simulated execution (indistinguishable from real) where PK* is designed such that without MSK* can generate SK f,y for all f and all y ≠ f( � *) Breaking encryption for � * will still need breaking LWE! Next time
Recommend
More recommend
