1 adaptively attribute-hiding ( hierarchical ) inner product encryption 2012 / 4 / 18 tatsuaki...
TRANSCRIPT
![Page 1: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/1.jpg)
1
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
2012 / 4 / 18
Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric ).
![Page 2: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/2.jpg)
2
Functional Encryption
Plaintext
Encryption Ciphertext
Public key pk
Decryption Plaintext
Secret key with parameter
Parametersk
Relation R( , ) holds
• This type is called Predicate Encryption in [BSW11].
![Page 3: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/3.jpg)
3
Inner Product Encryption ( IPE ) [KSW08]
![Page 4: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/4.jpg)
4
(Adaptive Secure &) Weakly Attribute-Hiding IPE
Challenger
Some additional information on may be revealed to a person with a matching key , i.e.,
![Page 5: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/5.jpg)
5
(Adaptive Secure &) Fully Attribute-Hiding IPEChallenger
No additional information on is revealed even to any person with a matching key , i.e.,
For each run of the game, the variable is defined as
if otherwise.
![Page 6: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/6.jpg)
6
[ LOS+10 ] : Adaptively secure but weakly attribute- hiding IPE based on a non-standard assumption
[ KSW08 ] : Fully attribute-hiding but selectively secure IPE
Previous works of Attribute-Hiding IPE
[ OT10 ] : Adaptively secure but weakly attribute-hiding
IPE based on the DLIN assumption[ AFV11 ] : Selectively secure and weakly attribute-hiding
IPE based on the LWE assumption
Adaptively secure and fully attribute-hiding IPE based on the DLIN assumption
This work
![Page 7: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/7.jpg)
7
Our Results
Adaptively secure and fully attribute-hiding IPE based on the DLIN assumption (basic scheme)
A variant IPE with a shorter (O(n)-size) master public key and shorter (O(1)-size) secret keys (excluding the description
of )
An extension to Hierarchical IPE (HIPE) with the same security
![Page 8: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/8.jpg)
8
Key Techniques
Dual Pairing Vector Space (DPVS) approach provides rich basic transformations for achieving these various forms.
All forms of a secret-key do not depend on whether it is matching or not.
Large ( -dim.) hidden subspaces gives new types (Types 1-3) of information theoretical tricks and various forms of computational reductions.
We extend Dual System Encryption (DSE) for our purpose with various forms, i.e., normal, temporal 1, temporal 2 and unbiased …. Fully-AH IPE should deal with both cases,matching and non-matching keys (to challenge CT),
while weakly-AH IPE deals with only the non-matching case.
![Page 9: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/9.jpg)
9
Dual Pairing Vector Space Approach (I)
Vector space using symmetric pairing groupswhere is a generator of
( Canonical ) pairing operation:
For
and
where
dual orthonormal bases of
i.e.,
Dual Bases :basis of
for
for
s.t.
s.t.
![Page 10: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/10.jpg)
10
DPVS Approach (II)
with ( the canonicalCryptographic Construction using
Dual Pairing Vector Space (DPVS) approach :
pairing and ) random dual bases as a master key pair
DLIN-based security from [OT10] machinery
For and we denote
Notation :
Basic Fact for Our Construction
For the above and
from dual orthonormality of
![Page 11: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/11.jpg)
11
Intractable Problems on DPVS
Security of our IPE is proven under DLIN assumption, through variants of DSP.
Vector Decomposition Problem (VDP) :
Dual Basis Computation Problem (DBP) : Hard to calculate (master secret) from (master public)
E.g., hard to calculate from
Decisional Subspace Problem (DSP) : Hard to distinguish
and
and
and where
DBP Assump.
VDP Assump.
DSP Assump.
DLIN Assump.
![Page 12: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/12.jpg)
12
Basic Idea for Constructing IPE using DPVS
where
![Page 13: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/13.jpg)
13
Weakly Attribute-Hiding IPE Scheme in [OT10]
where
![Page 14: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/14.jpg)
14
Proposed (Basic) Fully Attribute-Hiding IPE Scheme
where
![Page 15: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/15.jpg)
15
Game 0Challenger
We define that wins with prob. 1/2 when the game is aborted in Game 0’.
negligible from [OT10] target of this talk
-> Game 0’
if otherwise
Game 0’ is the same as real security game, Game 0, except that
flip a coin before setup and the game is aborted if
![Page 16: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/16.jpg)
16
Dual System Encryption (DSE) Methodology (I)
1) Challenge ciphertext Semi-func.
2) Keys Semi-func. (one by one)
3) Semi-func. challenge ciphertext Randomi.e., Advantage of adversary = 0
Simulator can change themunder the above conditions.
Simulator
…
![Page 17: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/17.jpg)
17
DSE Methodology (II)
Normal key
Semi-func. key
This semi-func. form of keys cannot be used for fully-AH. Need to introduce new forms with preserving functionality
Normal ciphertext
Semi-func. ciphertext
![Page 18: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/18.jpg)
18
Extension of DSE (I):R-preserving ciphertexts independent of challenge bit
Aim of game transformation:
Transform to -unbiased CT,
for (all but negligible prob.)
I.e.,
&Independent of bit preserving
![Page 19: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/19.jpg)
19
Extension of DSE (II): Randomization in 2-dim. and Swapping
Temporal 1 Key with
DLIN
Temporal 1 CT with
DLIN
Temporal 2 Key with
swapping
Temporal 2 CT with
randomization
Iterate the changes among these 4 forms for all queried for
preparing the next
![Page 20: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/20.jpg)
20
Extension of DSE (III): Last Conceptual Change to Unbiased CT
Temporal 2 CT with
Temporal 2 Key with
1-st block for randomization
2-nd block for keeping
In Game 2- -4,
All queried keys are
Unbiased CT with
which is unbiased of is obtained.
In Game 3,
is bounded by advantages for DLIN
![Page 21: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/21.jpg)
21
Original DSE Methodology
Comparison of Original and Extension of DSE
1) Challenge CT Semi-func.
2) Keys Semi-func. (one by one)
3) CT Random
Extension of DSE
1) Challenge CT
2) Keys
CT
random since
since
3) CT Unbiased w.r.t. b
(one by one)
![Page 22: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/22.jpg)
22
Key Ideas for Short Public / Secret Key IPE
We will explain key ideas using -dim. basic IPE.
We employ a special form of master secret key basis,
where and a blank in the matrix denotes
Secret-key associated with
can be compressed to only 3 group elementsThen,as well as
![Page 23: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/23.jpg)
23
Special Basis for fully-AH IPE with Short SK
We extend the basic construction to a 5 x 5 block matrix one to achieve full AH security (as our basic IPE).
![Page 24: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/24.jpg)
24
Adaptively Fully-AH IPE with Constant-Size SK
SK size
![Page 25: 1 Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption 2012 / 4 / 18 Tatsuaki Okamoto ( NTT ), Katsuyuki Takashima ( Mitsubishi Electric](https://reader035.vdocuments.site/reader035/viewer/2022070306/5515de4455034638038b4ad6/html5/thumbnails/25.jpg)
25
Thank You !