optimal broadcast encryption from pairings and lwe - aist
TRANSCRIPT
Optimal Broadcast Encryption from Pairings and LWE
@Simons Institute
Shweta Agrawal (IITM) Shota Yamada (AIST)
Based on the work that will appear at EUROCRYPT 2020
https://eprint.iacr.org/2020/228
1
Our Results in Short
β’ Construct the optimal broadcast encryption (BE) from LWE and pairings.
β Optimal parameter size:|mpk|, |ct|, |sk| = poly( log N, Ξ») = poly(Ξ») where N = # of users in the system
β The first construction without MLM or iO
β Proven secure under LWE in the bilinear generic group model (GGM)
β’ More generally, we construct CP-ABE with special efficiency properties that implies optimal BE
2
Broadcast Encryption
All users in the system ( # of users = N )
Collusion resistance
3
Broadcast Encryption
All users in the system ( # of users = N )
Collusion resistance
Trivial solution:Prepare public key for each user by PKE.
Encrypt the message by each PK.O(N) ciphertext!
βShorter ciphertext possible?
4
Previous Work on Broadcast Encryption
5
|π¦π©π€| |ππ| |π¬π€| Ingredient(s)
Trivial π(π) π(π) π(1) Plain PKE
[BGW05] π(π) π(1) π(1) Bilinear map
[BGW05] π(βπ) π(βπ) π(1) Bilinear map
[BZW14] π(1) π(1) π(1) log N-linear map
Ours π(1) π(1) π(1) Bilinear map & LWE
β’ We ignore poly(π) factors. In particular, poly(logπ) factor is ignored.β’ We discount earlier constructions that do not provide full collusion
resistance and short ciphertext in the table.
Master secret key (msk)
skπ
Decryption
If π π, π = 1Can retrieve ππ π
Master public key (mpk)
ctπ for message ππ π
Attribute-Based Encryption (ABE)
If π π, π = 0
Decryption not possible
CP-ABE for (NC1) circuits: X = (NC1) circuit, Y= string KP-ABE for (NC1) circuits: X = string, Y = (NC1) circuit
6
β’ SK attribute = π β π where π = user index
β’ CT attribute = πΉπ β where π β π , recipients
BE as CP-ABE for NC1 Circuit (1)
πΉπ π =1 if π β π
0 if π β π
π β 0,1 log π
0/1
π = π 2?
π = π |π|?
π = π 1?
β¦
π = π 1, π 2, β¦ , π |π|
7
BE as CP-ABE for NC1 Circuit (2)
β’ Short input (β π(log π))β’ Shallow depth (β π(log π))β’ But, wide width (β π(π))
CP-ABE with width-independent compact parameters is enough for optimal BE!
π β 0,1 log π
0/1
π = π 2?
π = π |π|?
π = π 1?
β¦
πΉπ has
8
Starting Point: BGG+β’ Every existing CP-ABE scheme does not satisfy width-
independent efficiency.
β’ BGG+ does satisfy width-independent efficiency, but it is KP-ABE.
Convert BGG+ KP-ABE into CP-ABE!(while keeping the efficiency)
mpk = poly(π, β, π)
ctπ = poly(π, β, π)
skπ = poly(π, π)
Circuit
Input length = β
Depth = π F
Width = π€
9
Simple Ideas that Donβt Work
We want to convert BGG+ into a CP-ABE.β’ Simply swapping CT and SK?
Secret key can be generated publicly. Secret key will be associated with message.
β’ Using universal circuit? πΉ β Description of πΉ,π₯ β ππ₯ β , where ππ₯ πΉ = πΉ(π₯)then use BGG+
The input length is πΉBGG+ parameters depend
on the input length 10
Decomposability of BGG+
β―
β―
Decomposability:BGG+. Enc(π₯,ππ π) can be divided into the following 2 steps:
1. First generate encodings
π1,0
π1,1
ππ,0
ππ,1
β―
β―
πβ,0
πβ,1 Where β = length of π₯
2. To generate a ciphertext for attribute π₯ β 0,1 β, output
BGG+. ctπ₯ = ππ,π₯π πβ β
Can be generated without knowing π₯
Using BGG+. skπΉ with πΉ π₯ = 1, one can
retrieve msg11
First Attempt: Combining [SS10] and [BGG+14]
ππΎ1,0mpk = β― β―
ππΎ1,1
β― β―BGG+. skπΉ
BGG+.mpkctπΉ =
Encryption for π :
mπ k = corresponding secret keys ππΎπ,π π,π
ππΎπ,0
ππΎπ,1
ππΎβ,0
ππΎβ,1
π1,0π1,1
ππ,0ππ,1
πβ,0πβ,1
Generate BGG+.mpk, BGG+.msk , BGG+. skπΉ , and
12
First Attempt: Combining [SS10] and [BGG+14]
ππΎ1,0mpk = β― β―
ππΎ1,1
β― β―
Generate BGG+.mpk, BGG+.msk , BGG+. skπΉ , and
BGG+. skπΉ
BGG+.mpkctπΉ =
EncππΎ1,0(π1,0)
EncππΎ1,1(π1,1)
skπ₯ = SπΎ1,π₯1 β― β―
EncππΎπ,0(ππ,0)
EncππΎπ,1(ππ,1)
EncππΎβ,0(πβ,0)
EncππΎβ,1(πβ,1)
Decryption:
Recover BGG+. ctπ₯ = ππ,π₯π πβ βand use BGG+. skπΉ to retrieve msg
SπΎπ,π₯π SπΎβ,π₯β
KeyGen for π :
Encryption for π :
mπ k = corresponding secret keys ππΎπ,π π,π
ππΎπ,0
ππΎπ,1
ππΎβ,0
ππΎβ,1
13
Checking the Efficiency of the Scheme
Circuit
Input length = β
Depth = π
skπ₯ =
mpk = β β poly π = poly(π, β)
ctπΉ= β β poly π, π + poly π, β, π= poly(π, β, π)
skπ₯ = β β poly π, π = poly(π, β, π)
Width = π€
β―
ctπΉ =BGG+. skπΉ
BGG+.mpkβ―
mpk =
β
β―
Circuit class supported
We want width independentefficiency.
Width independent compact parameters?
14
ctπΉ= β β poly π, π + poly π, β, π= poly(π, β, π)
Checking the Efficiency of the Scheme
Circuit
Input length = β
Depth = π
mpk =
β
ctπΉ =BGG+. skπΉ
BGG+.mpkβ―
skπ₯ =
mpk = β β poly π = poly(π, β)
skπ₯ = β β poly π, π = poly(π, β, π)
Width = π€
β―
β―
Circuit class supported
We want width independentefficiency.
Width independent compact parameters?
How about the security?Collusion of only 2 users breaks the secrurity:
E.g., 00000000 and 11111111
15
Our Approach for Adding Collusion Resistance (1)
β’ Our Idea:To prevent collusion using the power of pairing groups.
Pairings. π: πΎ1 Γ πΎ2 β πΎπ
(π1π , π2
π) β¦ π π1π , π2
π = π π1, π2ππ
π1π β π 1
π2π β π 2
πππ β π π
Bracket Notation.
16
Our Approach for Adding Collusion Resistance (2)
β’ In our first attempt, decryptor recovers {ππ,π₯π} in the clear.
β’ Instead, what if the decryptor learns them only on the exponent?
ππ,π₯π π π
β’ Collusion of two users still can obtain
ππ,π π π,πand break the scheme.
17
β’ The problem is that the adversary can combine the partial decryption results by two different users.
β’ To prevent this, change the scheme so that decryptorrecovers
Adding Collusion Resistance
User specific randomness
πΉππ,π₯π π π
18
β’ The problem is that the adversary can combine the partial decryption results by two different users.
β’ To prevent this, change the scheme so that decryptorrecovers
πΉ π ππ,π₯π
π
π π
Adding Collusion Resistance
No meaningful way to combine them!
πΉ π ππ,π₯π
π
π π
π, π: index for different users
19
Challenge 1:BGG+ ciphertext is on the exponent and even randomized. Is decryption still possible on DL-hard group?
Challenge 2: If a decryptor (adverasary) only learns
πΏ π ππ,π₯π π π,π,
the construction may indeed be secure.How do we make sure that the adversary does not obtain any other information?
Two Challenges with the Approach
20
β’ Decryption algorithm of BGG+ β From mpk, π₯, skπΉ , one can compute a linear function πΏπΉ
such that
πΏπΉ ππ,π₯π πβ β= π
π
2+ ππππ π
On the exponent:
πΏπΉ [πΏππ,π₯π]π πβ β= πΏ π
π
2+ ππππ π
π
β Remove the noise to retrieve message π β {0,1}
On the exponent:
πΏ ππ
2+ ππππ π is exponentially large.
How do we manage this? (Next slide)
Challenge 1:Decryption on Exponent (1)
Assume that π β {0,1}
21
Challenge 1:Decryption on Exponent (2)
β’ Let decryptor learn
πΏ ππ
2+ ππππ π
πand πΏ π
β’ If ππππ π is polynomially small, one can learn π by brute force search:
β Check all possible π β 0,1 , ππππ π β [βpoly, poly]
β’ How do we have polynomially small noise?
β Use the careful evaluation algorithm of [BV15,GV15]
β Limits the circuit class to be NC1, but suffices for BE (Recall that our circuit is very small except for the width)
22
Challenge 2:Avoid Leaking Additional information (1)
β’ We want to let decryptor learn
πβ β ,but nothing else.
β’ This allows us to prove the security while keeping the correctness.
β’ How do we realize that?
πΏππ,π₯π ππΏ π
23
Challenge 2:Avoid Leaking Additional information (2)
πΏ 2
π1,0 1β―
π1,1 1
ππ,0 1
ππ,1 1
πβ,0 1
πβ,1 1
β―ctπΉ =
skπ₯ =
How do we set CT and SK? (NaΓ―ve Idea)
BGG+. skπΉ
BGG+.mpk
Lesson learned from failure: The secret keys should be tied to π₯!
πΏ π
β Can recover πΏππ,π₯π π πβ β, πΏ π .
βBut can recover πΏππ,π π πβ β ,πβ{0,1}for all π β β , π β {0,1} as well.
24
π€1,0 1mpk =
π€1,1 1
π€π,0 1
π€π,1 1
π€β,0 1
π€β,1 1
β― β―
ctπΉ =π€1,0π1,0 1
β―π€1,1π1,1 1
π€π,0ππ,0 1
π€π,1ππ,1 1
π€β,0πβ,0 1
π€β,1πβ,1 1
β― Other terms
Idea: Introduce position-wise randomness so that pairing productbetween only matching positions yields useful terms
skπ₯ = πΏ/π€1,π₯1 2πΏ/π€β,π₯β 2
πΏ/π€π,π₯π 2β― β― πΏ π
Can recover = π( , )π€π,π₯πππ,π₯π 1πΏ/π€π,π₯π 2
πΏππ,π₯π π
Challenge 2:Avoid Leaking Additional information (3)
25
π π€π,π ππ,π 1, πΏ/π€π,πβ² 2
= πΏππ,ππ€π,π/π€π,πβ² π
Challenge 2:Avoid Leaking Additional information (4)
How about the security? What if an adversary takes pairings of unmatching positions of components?
Due to this part, this term is βuselessβ.
For π, π β π, πβ² ,
Security Intuition:From skπ₯ = πβ[β], one cannot obtain
no more useful information than πΏππ,π₯π π πβ[β]as desired
πΏ/π€π,π₯π 2
26
Final Scheme (1)
Encrypt(mpk, πΉ,π β {0,1})
β’ Run BGG+. Setup 1π β BGG+.mpk, BGG+.msk
β’ Run BGG+. KeyGen(BGG.msk, πΉ) β BGG+. skπΉβ’ Run first part of BGG+. Enc to obtain ππ,π πβ β ,πβ{0,1}
β’ Output:
ctπΉ =π€1,0π1,0 1
β―BGG+. skπΉπ€1,1π1,1 1
π€π,0ππ,0 1
π€π,1ππ,1 1
π€β,0πβ,0 1
π€β,1πβ,1 1
β―BGG+.mpk
Setup 1π
π€1,0 1mpk =
π€1,1 1
π€π,0 1
π€π,1 1
π€β,0 1
π€β,1 1
β― β―
mπ k = π€π,π πβ β ,πβ{0,1}
β’ Generate:
β =length of the input to circuits
27
Final Scheme (2)
Decrypt(mpk, skπ₯ , ctπΉ , πΉ)
KeyGen msk, π₯
β’ Sample πΏ β β€πβ’ Output
π€π,π₯πππ,π₯π 1πΏ/π€π,π₯π 2
ctπΉ =π€1,0π1,0 1
β―BGG+. skπΉπ€1,1π1,1 1
π€π,0ππ,0 1
π€π,1ππ,1 1
π€β,0πβ,0 1
π€β,1πβ,1 1
β―BGG+.mpk
β’ Parse
skπ₯ = πΏ/π€1,π₯1 2πΏ/π€β,π₯β 2
πΏ/π€π,π₯π 2β― β―πΏ π
β’ Recover πΏππ,π₯π π= π( , ) for all π β β
β’ Compute the linear function πΏπΉ fromBGG+.mpk , BGG+. skπΉ.
β’ Compute πΏπΉ πΏππ,π₯π π πβ β= πΏ π
π
2+ ππππ π
π
β’ Recover π β 0,1 by bruteforce over π β {0,1} and ππππ π β [βpoly, poly]28
Checking the Efficiency of the Scheme
Circuit
Input length = β
Depth = π
mpk =
β
ctπΉ =BGG+. skπΉ
BGG+.mpkβ―
skπ₯ =
mpk = β β poly π, π = poly(π, β, π)
ctπΉ = β β poly π, π + poly π, π= poly(π, β, π)
skπ₯ = β β poly π, π = poly(π, β, π)
Width = π€
β―
β―
Circuit class supported
We want width independentefficiency.
Width independent compact parameters?
29
Bilinear Generic Group Modelβ’ The security is proven in the bilinear generic group model
(GGM).
β’ Intuition on bilinear GGM:
β The only thing an adversary can do with group elements is to take pairings, then take linear combinations, and see if it equals to zero. If it doesnβt equal to zero, the adversary learns nothing about the encoded value.
30
π , =
π , =
π , =
π π π= 0?
ctπΉ =π€1,0π1,0 1
β―BGG+. skπΉπ€1,1π1,1 1
π€π,0ππ,0 1
π€π,1ππ,1 1
π€β,0πβ,0 1
π€β,1πβ,1 1
β―BGG+.mpk
What can the adversary do? To take pairings between above components to obtain:
skπ₯(π) =πΏ(π)/π€
1,π₯1(π)
2β― β―πΏ(π)/π€
π,π₯π(π)
2
πΏ(π)/π€β,π₯β
(π)
2πΏ(π)
π
where π β π , π = # of key queries, πΉ π₯ π = 0
(πΏ π π€π,π/π€πβ²,πβ²)ππ,π ππΏ π π
π,π₯π(π)
πwhere π, π β πβ², πβ²
and take linear combination among the terms.
What can the adversary see? The challenge ciphertext
The secret keys
Security Proof (1)
31
Claim 1If the adversary put a term from (A) into the linear combination, the result is not 0 with overwhelming probability.
(Proof intuition) The term πΏ π π€π,π/π€πβ²,πβ² appears only when pairing
πΏ(π)/π€πβ²,πβ² 2π€π,1ππ,1 1
and
Other terms are multiplied by πΏ π π€π,π/π€πβ²,πβ² with different π, π, πβ², π, πβ² .
Different monomials cannot cancel each other by linear combination.
What can the adversary do? To take linear combination among the following terms
(πΏ π π€π,π/π€πβ²,πβ²)ππ,π ππΏ π π
π,π₯π(π)
ππ, π, π β πβ², πβ²(A)= (B)=
given BGG+. skπΉ, BGG+.mpk
Security Proof (2)
32
π, π
Security Proof (3)
Claim 2
If the adversary puts terms from (B) with different πΏ(π) into the linear combination, the result is not 0 with overwhelming probability.
(Proof intuition) Different monomials cannot cancel each other by linear combination.
Recall that πΏ(π) is user specific randomness.β’ Collusion of different users is not useful.β’ We can focus on single-key setting.
What can the adversary do? To take linear combination among the following terms
given BGG+. skπΉ, BGG+.mpk
33
(πΏ π π€π,π/π€πβ²,πβ²)ππ,π ππΏ π π
π,π₯π(π)
ππ, π, π β πβ², πβ²(A)= (B)=
π, π
Security Proof (4)What can the adversary do? To take linear combination among the following terms
given BGG+. skπΉ, BGG+.mpk
( BGG+. skπΉ, BGG+.mpk, ππ,π₯π π)
βπ ( BGG+. skπΉ, BGG+.mpk, random )
From single key and single ciphertext security of BGG+:
= BGG+. ctπ₯
34
(πΏ π π€π,π/π€πβ²,πβ²)ππ,π ππΏ π π
π,π₯π(π)
ππ, π, π β πβ², πβ²(A)= (B)=
π, π
( BGG+. skπΉ, BGG+.mpk, π )
βπ ( BGG+. skπΉ, BGG+.mpk, )
Security Proof (4)
From single key and single ciphertext security of BGG+:
No information on message revealed!
What can the adversary do? To take linear combination among the following terms
given BGG+. skπΉ, BGG+.mpk
πΏππ,π₯π π
random π
35
(πΏ π π€π,π/π€πβ²,πβ²)ππ,π ππΏ π π
π,π₯π(π)
ππ, π, π β πβ², πβ²(A)= (B)=
π, π
Comparison with [Brakerski-Vaikuntanathanβ20]
β’ Both construct CP-ABE with special efficiency and then optimal BE.
β’ How to add collusion resistance?
β Ours: Introducing pairings
β BV20: Introducing novel variant of IBE/ABE from lattices
β’ Security&Functionality
β Ours: Provably secure in GGM Broken by quantum attackers, Only for NC1
β BV20: Without security proof (Maybe) Quantumly secure, For all circuits
36
Summary
β’ We construct CP-ABE for NC1 circuits with width independent compact parameter from lattices in blinear GGM.
β’ This implies the first optimal BE w.o. MLM/iO.
β’ In the paper, we show that the CP-ABE implies IBBE with similar efficiency property.
37
Open Problems
β’ Optimal BE from standard assumptions(hopefully from DLIN + LWE)
β More ambitious goal is BE solely from LWE.
β’ CP-ABE with width independent compact parameters for all circuits (with security proof).
β’ Application of our technique for other problems.
38
39