
Junqing Gong Xiaolei Dong, Jie Chen, Zhenfu Cao Shanghai Jiao - PowerPoint PPT Presentation

Junqing Gong Xiaolei Dong, Jie Chen, Zhenfu Cao Shanghai Jiao Tong University East China Normal University ASIACRYPT 2016, Hanoi, Vietnam Dec 7, 2016 background motivation strategy technical result 1: revisiting


  1. Junqing Gong, Xiaolei Dong, Jie Chen, Zhenfu Cao; Shanghai Jiao Tong University, East China Normal University; ASIACRYPT 2016, Hanoi, Vietnam, Dec 7, 2016

  2. background; motivation; strategy; technical result 1: revisiting Blazy-Kiltz-Pan IBE; technical result 2: towards multi-challenge setting; comparison

  3. background; motivation; strategy; technical result 1: revisiting Blazy-Kiltz-Pan IBE; technical result 2: towards multi-challenge setting; comparison

  4. mpk, mpk, ct_ID, sk_ID

  5. mpk, …, revealed keys, mpk, mpk, ct_ID, sk_ID

  6. formal definition: adversary, challenger; mpk; ID_j, sk_{ID_j} (revealed keys); ID_j ≠ ID*; m_0, m_1; b ←_R {0,1}; ct_{ID*, m_b}; ID_j, sk_{ID_j}; b′; b = b′ ?

  7. formal definition: adversary, challenger; mpk; ID_j, sk_{ID_j} (revealed keys); ID_j ≠ ID*; m_0, m_1; b ←_R {0,1}; ct_{ID*, m_b}; query phase: ID_j, sk_{ID_j}; b′; b = b′ ?

  8. formal definition: adversary, challenger; mpk; ID_j, sk_{ID_j} (revealed keys); ID_j ≠ ID*; challenge phase: m_0, m_1; b ←_R {0,1}; ct_{ID*, m_b}; query phase: ID_j, sk_{ID_j}; b′; b = b′ ?

  9. adversary A against IBE: ε_A; reduction; solver B for hard problem: ε_B

  10. adversary A against IBE: ε_A; reduction; solver B for hard problem: ε_B; reduction loss = ε_A/ε_B

  11. adversary A against IBE: ε_A; reduction; solver B for hard problem: ε_B; reduction loss = ε_A/ε_B; tighter reduction, smaller reduction loss

  12. adversary A against IBE: ε_A; reduction; solver B for hard problem: ε_B; reduction loss = ε_A/ε_B; tighter reduction, smaller reduction loss: better theoretical result, more efficient implementation

  13. multi-challenge setting: basic/single-challenge setting + multiple challenge queries (more than one challenge ct) + multiple instances (multiple mpk)

  14. multi-challenge setting: basic/single-challenge setting + multiple challenge queries (more than one challenge ct) + multiple instances (multiple mpk); mpk_1, mpk_2, …, mpk_v; query phase, challenge phase, query phase, challenge phase, ……, challenge phase, query phase; b′

  15. multi-challenge setting: basic/single-challenge setting + multiple challenge queries (more than one challenge ct) + multiple instances (multiple mpk); mpk_1, mpk_2, …, mpk_v; query phase, challenge phase, query phase, challenge phase, ……, challenge phase, query phase; b′; good news: single-challenge setting → multi-challenge setting

  16. multi-challenge setting: basic/single-challenge setting + multiple challenge queries (more than one challenge ct) + multiple instances (multiple mpk); mpk_1, mpk_2, …, mpk_v; query phase, challenge phase, query phase, challenge phase, ……, challenge phase, query phase; b′; good news: single-challenge setting → multi-challenge setting; bad news: NOT tightness preserving

  17. background; motivation; strategy; technical result 1: revisiting Blazy-Kiltz-Pan IBE; technical result 2: towards multi-challenge setting; comparison

  18. multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin

  19. multi-challenge bilinear groups assumption ciphertext size composite CW13 more realistic no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin

  20. multi-challenge bilinear groups assumption ciphertext size composite CW13 more realistic no k-lin 2k + 2k & prime more efficient in general BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin

  21. almost-tightly secure IBE multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin

  22. almost-tightly secure IBE multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin

  23. almost-tightly secure IBE multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) trade-off 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin

  24. almost-tightly secure IBE multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime short ciphertext and weak/standard assumption BKP14 no prime k-lin k + (k+1) simultaneously? 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) trade-off 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin

  25. background; motivation; strategy; technical result 1: revisiting Blazy-Kiltz-Pan IBE; technical result 2: towards multi-challenge setting; comparison

  26. multi-challenge world single-challenge world AHY15 CW13 HKS15 GCD+16 BKP14

  27. assumption ciphertext size CW13 2k + 2k k-lin k + (k+1) = 2k + 1 BKP14 multi-challenge world single-challenge world AHY15 CW13 HKS15 GCD+16 BKP14

  28. assumption ciphertext size CW13 2k + 2k k-lin k + (k+1) = 2k + 1 BKP14 multi-challenge world single-challenge world AHY15 CW13 HKS15 GCD+16 ? BKP14

  29. assumption ciphertext size CW13 2k + 2k k-lin k + (k+1) = 2k + 1 BKP14 multi-challenge world single-challenge world AHY15 CW13 HKS15 GCD+16 possible? ? BKP14 more efficient?

  30. BKP14: affine MAC, Groth-Sahai proof, IBE

  31. BKP14 IBE scheme

  32. BKP14 IBE scheme: MAC tag for ID

  33. BKP14 IBE scheme commitment to SK MAC : commitment key MAC tag for ID

  34. BKP14 IBE scheme commitment to SK MAC : commitment key MAC tag for ID Groth-Sahai proof for correctness of the tag

  35. BKP14 IBE scheme: they employ the dual system technique [Waters09], but • normal and semi-functional space is not obvious • incompatible with existing extension method

  36. background; motivation; strategy; technical result 1: revisiting Blazy-Kiltz-Pan IBE; technical result 2: towards multi-challenge setting; comparison

  37. k-lin assumption

  38. a simple substitution k-lin assumption

  39. a simple substitution k-lin assumption

  40. a simple substitution; k-lin assumption. Observation: no Y_{i,b}; Z_{i,b} are in the normal space; x_{i,b} are in the SF space.

  41. Blazy-Kiltz-Pan IBE

  42. Blazy-Kiltz-Pan IBE rewrite define

  43. Blazy-Kiltz-Pan IBE rewrite define Our simplified version

  44. k k k k+1 k+1 MPK 1 k+1 k CT SK

  45. is similar to CGW15 k k k k+1 k+1 MPK 1 k+1 k CT SK [CGW15] J. Chen, R. Gay, H. Wee. Improved Dual System ABE in Prime-Order Groups via Predicate Encodings. EUROCRYPT 2015.

  46. k k k k+1 k+1 MPK 1 k+1 k (i, b) ∈ [n] × {0,1} CT SK

  47. k k k k+1 k+1 MPK 1 k+1 k (i, b) ∈ [n] × {0,1} CT; simple sk (no base B); SK; they do not need parameter-hiding property

  48. smaller matrices; they employ a better mechanism for nested-hiding indistinguishability; k k k k+1 k+1 MPK 1 k+1 k (i, b) ∈ [n] × {0,1} CT; simple sk (no base B); SK; they do not need parameter-hiding property

  49. identity based encryption non-tight tight dual system group nested dual system group extension CGW15 CW14 CW13

  50. identity based encryption non-tight tight dual system group nested dual system group similar CGW15 CW14 CW13 similar simplified BKP14

  51. identity based encryption non-tight tight dual system group nested dual system group similar CGW15 CW14 CW13 similar simplified BKP14

  52. nested dual system group realize prime-order instantiation CW13

  53. nested dual system group generalized nested dual system group realize prime-order instantiation CW13
