Junqing Gong Xiaolei Dong, Jie Chen, Zhenfu Cao Shanghai Jiao Tong University East China Normal University ASIACRYPT 2016, Hanoi, Vietnam Dec 7, 2016
background motivation strategy technical result 1: revisiting Blazy-Kiltz-Pan IBE technical result 2: towards multi-challenge setting comparison
background motivation strategy technical result 1: revisiting Blazy-Kiltz-Pan IBE technical result 2: towards multi-challenge setting comparison
𝑛𝑞𝑙 𝑛𝑞𝑙 𝑑𝑢 𝐽𝐸 𝑡𝑙 𝐽𝐸
𝑛𝑞𝑙 … revealed keys 𝑛𝑞𝑙 𝑛𝑞𝑙 𝑑𝑢 𝐽𝐸 𝑡𝑙 𝐽𝐸
formal definition 𝑛𝑞𝑙 𝑛𝑞𝑙 … 𝐽𝐸 𝑘 𝑡𝑙 𝐽𝐸 𝑘 revealed keys 𝑛𝑞𝑙 adversary challenger 𝑛 0 , 𝑛 1 𝑛𝑞𝑙 𝑘 ≠ ID ∗ 𝐽𝐸 𝑐 ← 𝑆 {0,1} 𝑑𝑢 𝐽𝐸 ∗ ,𝑛 𝑐 𝐽𝐸 𝑘 𝑡𝑙 𝐽𝐸 𝑘 𝑑𝑢 𝐽𝐸 𝑡𝑙 𝐽𝐸 𝑐 ′ 𝑐 = 𝑐′ ?
formal definition 𝑛𝑞𝑙 𝑛𝑞𝑙 … 𝐽𝐸 𝑘 𝑡𝑙 𝐽𝐸 𝑘 revealed keys 𝑛𝑞𝑙 adversary challenger 𝑛 0 , 𝑛 1 𝑛𝑞𝑙 𝑘 ≠ ID ∗ 𝐽𝐸 𝑐 ← 𝑆 {0,1} 𝑑𝑢 𝐽𝐸 ∗ ,𝑛 𝑐 𝐽𝐸 𝑘 query phase 𝑡𝑙 𝐽𝐸 𝑘 𝑑𝑢 𝐽𝐸 𝑡𝑙 𝐽𝐸 𝑐 ′ 𝑐 = 𝑐′ ?
formal definition 𝑛𝑞𝑙 𝑛𝑞𝑙 … 𝐽𝐸 𝑘 𝑡𝑙 𝐽𝐸 𝑘 revealed keys 𝑛𝑞𝑙 adversary challenger 𝑛 0 , 𝑛 1 𝑛𝑞𝑙 𝑘 ≠ ID ∗ 𝐽𝐸 𝑐 ← 𝑆 {0,1} 𝑑𝑢 𝐽𝐸 ∗ ,𝑛 𝑐 challenge phase 𝐽𝐸 𝑘 query phase 𝑡𝑙 𝐽𝐸 𝑘 𝑑𝑢 𝐽𝐸 𝑡𝑙 𝐽𝐸 𝑐 ′ 𝑐 = 𝑐′ ?
adversary A against IBE solver B for hard problem 𝜗 𝐵 reduction 𝜗 𝐶
adversary A against IBE solver B for hard problem 𝜗 𝐵 reduction 𝜗 𝐶 reduction loss = 𝜗 𝐵 /𝜗 𝐶
adversary A against IBE solver B for hard problem 𝜗 𝐵 reduction 𝜗 𝐶 reduction loss = 𝜗 𝐵 /𝜗 𝐶 tighter reduction smaller reduction loss
adversary A against IBE solver B for hard problem 𝜗 𝐵 reduction 𝜗 𝐶 reduction loss = 𝜗 𝐵 /𝜗 𝐶 better theoretical result tighter reduction smaller reduction loss more efficient implementation
multi-challenge setting basic/single-challenge setting + multiple challenge queries: more than one challenge ct + multiple instances: multiple mpk
𝑛𝑞𝑙 1 , 𝑛𝑞𝑙 2 , … , 𝑛𝑞𝑙 𝑤 multi-challenge setting query phase basic/single-challenge setting challenge phase + multiple challenge queries: more than one challenge ct query phase + multiple instances: multiple mpk challenge phase …… challenge phase query phase 𝑐 ′
𝑛𝑞𝑙 1 , 𝑛𝑞𝑙 2 , … , 𝑛𝑞𝑙 𝑤 multi-challenge setting query phase basic/single-challenge setting challenge phase + multiple challenge queries: more than one challenge ct query phase + multiple instances: multiple mpk challenge phase …… good news single-challenge setting multi-challenge setting challenge phase query phase 𝑐 ′
𝑛𝑞𝑙 1 , 𝑛𝑞𝑙 2 , … , 𝑛𝑞𝑙 𝑤 multi-challenge setting query phase basic/single-challenge setting challenge phase + multiple challenge queries: more than one challenge ct query phase + multiple instances: multiple mpk challenge phase …… good news single-challenge setting multi-challenge setting challenge phase bad news query phase NOT tightness preserving 𝑐 ′
background motivation strategy technical result 1: revisiting Blazy-Kiltz-Pan IBE technical result 2: towards multi-challenge setting comparison
multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin
multi-challenge bilinear groups assumption ciphertext size composite CW13 more realistic no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin
multi-challenge bilinear groups assumption ciphertext size composite CW13 more realistic no k-lin 2k + 2k & prime more efficient in general BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin
almost-tightly secure IBE multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin
almost-tightly secure IBE multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin
almost-tightly secure IBE multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime BKP14 no prime k-lin k + (k+1) 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) trade-off 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin
almost-tightly secure IBE multi-challenge bilinear groups assumption ciphertext size composite CW13 no k-lin 2k + 2k & prime short ciphertext and weak/standard assumption BKP14 no prime k-lin k + (k+1) simultaneously? 1 + 1 HKS15 yes composite static AHY15 yes prime stronger 2-lin 4 + 4 (k=2) trade-off 3k + 3k k-lin GCD+16 yes prime 2k + 2k stronger k-lin
background motivation strategy technical result 1: revisiting Blazy-Kiltz-Pan IBE technical result 2: towards multi-challenge setting comparison
multi-challenge world single-challenge world AHY15 CW13 HKS15 GCD+16 BKP14
assumption ciphertext size CW13 2k + 2k k-lin k + (k+1) = 2k + 1 BKP14 multi-challenge world single-challenge world AHY15 CW13 HKS15 GCD+16 BKP14
assumption ciphertext size CW13 2k + 2k k-lin k + (k+1) = 2k + 1 BKP14 multi-challenge world single-challenge world AHY15 CW13 HKS15 GCD+16 ? BKP14
assumption ciphertext size CW13 2k + 2k k-lin k + (k+1) = 2k + 1 BKP14 multi-challenge world single-challenge world AHY15 CW13 HKS15 GCD+16 possible? ? BKP14 more efficient?
B K P 14 affine MAC Groth-Sahai proof IBE
B K P 14 IBE scheme
B K P 14 IBE scheme MAC tag for ID
B K P 14 IBE scheme commitment to SK MAC : commitment key MAC tag for ID
B K P 14 IBE scheme commitment to SK MAC : commitment key MAC tag for ID Groth-Sahai proof for correctness of the tag
B K P 14 they employ the dual system technique [Waters09], but • IBE scheme normal and semi-functional space is not obvious • incompatible with existing extension method
background motivation strategy technical result 1: revisiting Blazy-Kiltz-Pan IBE technical result 2: towards multi-challenge setting comparison
k-lin assumption
a simple substitution k-lin assumption
a simple substitution k-lin assumption
Observation no 𝐙 𝑗,𝑐 ; 𝐚 𝑗,𝑐 are in the normal space; 𝐲 𝑗,𝑐 are in the SF space. a simple substitution k-lin assumption
Blazy-Kiltz-Pan IBE
Blazy-Kiltz-Pan IBE rewrite define
Blazy-Kiltz-Pan IBE rewrite define Our simplified version
k k k k+1 k+1 MPK 1 k+1 k CT SK
is similar to CGW15 k k k k+1 k+1 MPK 1 k+1 k CT SK [CGW15] J. Chen, R. Gay, H. Wee. Improved Dual System ABE in Prime-Order Groups via Predicate Encodings. EUROCRYPT 2015.
k k k k+1 k+1 MPK 1 k+1 k 𝑗, 𝑐 ∈ 𝑜 × {0,1} CT SK
k k k k+1 k+1 MPK 1 k+1 k 𝑗, 𝑐 ∈ 𝑜 × {0,1} CT simple sk (no base 𝐂 ) SK they do not need parameter-hiding property
smaller matrices they employ a better mechanism for nested-hiding indistinguishability k k k k+1 k+1 MPK 1 k+1 k 𝑗, 𝑐 ∈ 𝑜 × {0,1} CT simple sk (no base 𝐂 ) SK they do not need parameter-hiding property
identity based encryption non-tight tight dual system group nested dual system group extension CGW15 CW14 CW13
identity based encryption non-tight tight dual system group nested dual system group similar CGW15 CW14 CW13 similar simplified BKP14
identity based encryption non-tight tight dual system group nested dual system group similar CGW15 CW14 CW13 similar simplified BKP14
nested dual system group realize prime-order instantiation CW13
nested dual system group generalized nested dual system group realize prime-order instantiation CW13
Recommend
More recommend