New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters
Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 “Bob” Alice employee employee Encrypt to “Bob” Individual + superiors Encrypt to Bob “users with hats” Hierarchical Identity-based Attribute-based Identity-based Encryption [S84,BF01,C01] Encryption [SW05] Encryption [HL02,GS02]
Two Kinds of ABE Ciphertext Policy ABE: {A, C} (A Ç B) Æ C Key Policy ABE: (A Ç B) Æ C {A, C}
Security Goal for ABE Public Params Challenger Attacker S 1 Repeat S 1 MSK M 0 , M 1 , Policy S i : set of attributes Enc(M b , PP, policy) S 2 Repeat S 2
Proof Challenges Hard problem ABE Hard problem ABE attacker Simulator breaks ABE Challenge: simulator must: • respond to key requests • leverage attacker’s success on challenge
Partitioning Proofs Previous approach – Partitioning [BF01, BB04, W05, GPSW06] Key Space We Need: Key Request Keys Simulator Key Request Can Make Key Request Abort Can’t Make Challenge Abort Challenge
Problem: Why Should Attacker Respect the Partition? Two Approaches: 1. Make Attacker Commit (weaker) selective security 2. Guess and quit when wrong HA!
Selectively Secure ABE [GPSW06, W11] Selectively Secure KP-ABE [GPSW06]: Attribute set S Public Parameters Formulas NOT satisfied by S Satisfied Simulator by S
Selectively Secure ABE [GPSW06, W11] Selectively Secure CP-ABE [W11]: Access Policy P Public Parameters Sets NOT satisfying P Simulator Satisfying P
Dual System Encryption [W09] Normal Used in real system Normal Semi-Functional
A Dual System Encryption Proof Hardest step previously done Real Security Game: Hybrid Argument: With info-theoretic argument - Efficiency drawbacks Not Compatible! M b Regardless of Compability! High probability decryption failure Incompatiblity of key/CT Message independent CT Decryption failure
Dual System Encryption Reimagined Decompose: Parameters in S.F. Space “delayed” until Semi-functional Semi-functional first semi-functional component Space object appears! Normal Component Public Parameters Separated from PP Normal Space
The Security Game in S.F. Space Public Params PP in S.F. Space S 1 Repeat M 0 , M 1 , policy Challenger Attacker Enc(M b , PP, policy) S i : sets of attributes S i Repeat
Dividing the Proof: Two Cases Thought experiment: consider attacker requesting one key (generalize to many keys via hybrid argument) Case 1: CT request comes before key Access Policy P Sets NOT satisfying P challenger attacker Satisfying P Like selective CP-ABE! Semi-functional space
Dividing the Proof: Two Cases Thought experiment: consider attacker requesting one key (generalize to many keys via hybrid argument) Case 2: key request comes before CT Set S Formulas NOT satisfied by S challenger attacker Satisfied by S Like selective KP-ABE! Semi-functional space
Proof Schematic Timeline of Game -> Erase Message Partitioning proof Partitioning proof PP Key 1 Key 2 Key 3 Key 4 Key 5 Key 6 CT Expand into Expand into S.F. Space S.F. Space
Summary of Techniques Selective security Selective security proof for KP-ABE proof for CP-ABE Dual System Encryption Fully Secure ABE
Open Problems • Selectively secure CP-ABE from a non-“q-type” assumption ABE for more general policies (ideally, circuits) • - Progress to be reported later in this session
Thanks for your attention! Questions?
Recommend
More recommend
