Fully Secure Functional Encryption: Attribute-Based Encryption and

(Hierarchical) Inner Product Encryption

Allison LewkoThe University of Texas at Austin

Tatsuaki OkamotoNTT

Amit SahaiUCLA

Katsuyuki TakashimaMitsubishi Electric

Brent WatersThe University of Texas at Austin

Functional Encryption

• Functionality f(x,y) – specifies what will be learned about ciphertext

xy

Application

Who should be able to read my data?

access policy

Attribute-Based Encryption [SW05]

Ciphertexts: associated with access formulas

Secret Keys: associated with attributes

(A Ç B) Æ C

{A, C}

Decryption:

{A, C} Message{A, C} satisfies (AÇB)ÆC

(A Ç B) Æ C

ABE Example

Medicalresearcher

OR

Doctor

AND

Hospital Y

AND

Company X

{Doctor, Hospital Z} {Nurse, Hospital Y}

ABE AlgorithmsMSK Public Params

Security Definition (ABE) [IND-CPA GM84]

Challenger AttackerPublic Params

MSK

Setup PhaseKey Query Phase I

S1

S1

S2S2

Challenge PhaseKey Query Phase II

Attacker must guess b

Si : set of attributes

Proving Security

Hard problem

ABE attackerSimulator

Hard problemABE

breaks ABE

Challenges in Proving Security

Simulator must:

• respond to key requests

• leverage attacker’s success on challenge

Partitioning

Previous approach for IBE – Partitioning [BF01, BB04, W05]

Key Space

Challenge

Key Requests

We hope:

Key Request

Key Request

Challenge

Key Request Abort

Challenge Abort

Partitioning with More StructureID0

ID0:ID1 ID0:ID2

ID0:ID1:ID3 ID0:ID2:ID4 ID0:ID2:ID5

HIBE:

Exponential security degradation in depth

ABE: ( A Ç B Ç C) Æ (A Ç D) …

Exponential security degradation in formula length

Previous Solutions

Selective Security Model:• Attacker declares challenge before seeing Public Parameters

• A weaker model of security

• To go to standard model by guessing –> exponential loss

Until recently, only results were in this model

Exception: Fully secure HIBE with polynomially many levels [G06, GH09]

Dual System Encryption [W09]

• New methodology for proving full security

• No partitioning, no aborts

• Simulator prepared to make any key and use any key as the challenge

Dual System Encryption

Normal

Semi-Functional

Normal Semi-FunctionalUsed in real system

Types are indistinguishable (with a caveat)

Hybrid Security ProofNormal keys and ciphertext

Normal keys, S.F. ciphertext

S.F. ciphertext, keys turn S.F. one by one Security now mucheasier to prove

Previously on Dual System Encryption…

• [W09] Fully secure IBE and HIBE

• [LW10] Fully secure HIBE with short CTs

• negligible correctness error• ciphertext size linear in depth of hierarchy

• no correctness error• CT = constant # group elements• closely resembles selectively secure scheme [BBG05]

Our Results - ABE

• Fully secure ABE • arbitrary monotone access formulas• security proven from static assumptions• closely resembles selectively secure schemes [GPSW06, W08]

ABE – Solution Framework

G = a bilinear group of order N = p1p2p3

e: G £ G ! GT is a bilinear mapSubgroups Gp1

, Gp2, Gp3

– orthogonal under e, e.g. e(Gp1, Gp2

) = 1

Gp1

Gp2

Gp3

Gp1 = main scheme

Gp2 = semi-functional space

Gp3 = randomization for keys

ABE – Solution Framework

Normal

Normal

S.F.

S.F.

Gp1Gp2

Gp3

Decryption: Key paired with CT under e

Technical Challenge

• Achieve nominal semi-functionality: [LW10]

• S.F. key and S.F. CT correlated - decryption works in simulator’s view

• regular S.F. key in attacker’s view

?

simulator can’t test for S.F.

Key Technique

• Semi-functional space imitates the main scheme• Linear Secret Sharing Scheme: shares reconstructed

in parallel in Gp1 and Gp2

Regular s.f. : red secret is random, masks blue result

Nominal s.f. : red secret is 0, won’t hinder decryption

shares sharessecret secret

Key Technique

Attacker doesn’t have key capable of decrypting

Attacker can’t distinguishnominal from regular s.f.

Oh no! I wasfooled!

Value shared in s.f. space is info-theoretically hidden

Illustrative Example

AND

shared value = x

A Bshare = z share = x-z

{A}

?

?

Technical Challenge

• Hiding the shared value in the CT: • blinding factors linked to attributes

where g1 2 Gp1 g2 2 Gp2

• Ciphertext elements are of the form:

g1a±1+ z1r1 g2

±2 + z2r2 g1r1g2

r2

share blinding

random

share blinding

random

Attributes can only be used once in the formula

Encoding Solution

Example: To use an attribute A up to 4 times :

A

A:1 A:2 A:3 A:4

(A Æ B) Ç (A Æ C) becomes (A:1 Æ B) Ç (A:2 Æ C)

max times used fixed at setup

It would be better to get rid of the one-use restrictionOpen problem

Summary of ABE result

• Full security ABE

• Static assumptions

• Similar to selectively secure schemes

Inner Product Encryption [KSW08]

Ciphertexts and secret keys: associated with vectors

x v

Decryption:

v x if x ¢ v = 0 Message

Advantage: ciphertext policy can be hidden

Coming Attractions

• Stay tuned for CRYPTO 2010:

• full security for Inner Product/ Attribute-Based Encryption from decisional Linear Assumption

• by Okamoto and Takashima

Questions?