Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018

Transcription

1 Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Junichi Tomida (NTT), Katsuyuki Takashima (Mitsubishi Electric)

2 Functional Encryption[OʼNeill10, BSW11] msk Bob f(x) sk f Alice pk Encrypted Data C ' Carol g(x) message x sk g 2

3 Inner Product Functional Encryption (IPFE)[ABDP15] msk Bob x, y sk y Alice pk Encrypted Data C x Carol x, z message x sk z 3

4 Application of IPFE (DNA Sequence Similarity) pk msk Vector for (A, C, T) y = (1,0,0,0,0,0,1,0,0,0,0,1) Encoding A = 1,0,0,0 G = (0,1,0,0) C = (0,0,1,0) T = (0,0,0,1) Encrypted Data C x sk y Vector for (A, T, T) x = (1,0,0,0,0,0,0,1,0,0,0,1) x, y = 2 4

5 Motivation of This Work All known IPFE schemes require to determine the vector length at the deployment phase. What kind of data will be handled? DNA sequences for the first chromosome? For humans? Or for all Species? Difficult to determine the length at the deployment phase. Too large: efficiency loss Too small: redeployment 5

6 Main Results of This Work üunbounded IPFE for both private-key and public-key setting. Can handle any lengths of vectors for encryption and key generation. Secure under the standard model and a standard assumption. The former has function privacy. sk y hides the information of y. How to define the decryption? There are ciphertexts and secret keys of various lengths. 6

7 Main Results of This Work üallowing partial decryption. A ciphertext for indexed vector x Z 7 8 can be decrypted with a secret key for indexed vector y Z 7 9 iff S ; S =. It seems inconvenient if decryption is possible only when the lengths of a ciphertext and a secret key are the same. C x for indices (1,2,3,4) sk y for indices (2,3,4) sk z for indices (3,4,5) 7

8 Why Partial Decryption?: S ; S = Encrypted DNA sequence Part A Part B ATTCTCTTATCTGGGATC ACTTCTGGATGCTTTTT ATTATCTTATCTGAGATAT A CTTGGATCCGTCAAAAT Alice Bob sk for part A sk for part B 8

9 Roadmap Function hiding technique [TAO16] +PRF Private-key unbounded IPFE Public-key partially decryptable IPFE Entropy amplification [OT12] Public-key unbounded IPFE 9

10 Roadmap Function hiding technique [TAO16] +PRF Private-key unbounded IPFE Public-key partially decryptable IPFE Entropy amplification [OT12] Public-key unbounded IPFE 10

11 Partially Decryptable IPFE Setup 1 C, 1 D pk, msk Enc pk, x ct KeyGen msk, y sk Dec ct, sk d or Normal IPFE x, y Z D d = x, y over Z Partially decryptable IPFE x Z 7 8, y Z 7 9 for any S ;, S = m = {1,, m} d = Y 79 x Y y Y over Z iff S ; S =. 11

12 Extension of Function Class Normal IPFE f y : Z D Z s.t. f y x = x, y Partially decryptable IPFE f y,79 : 7 D Z 7 Y 7 x Z s.t. f y,79 x, S ; = ^ 9 Y y Y if S ; S = otherwise 12

13 Security of Partially Decryptable IPFE pk Adversary (y Y, S =,Y ) sk = KeyGen(msk, y Y ) (x g, x h, S ; ) b {0,1} Challenger b C i = Enc(pk, x i ) Condition For x g, x h Z 7 8, y Y Z 7 9,l, i, o 79,l x g,o y o = o 79,l x h,o y o when S ; S =,Y. Colluded illegitimate keys (i,.e. S ; S =,Y ) are useless for decryption. 13

14 Construction of Partially Decryptable IPFE Normal IPFE scheme (not secure). Setup pk = B h, msk = B = (B t ) uh, where B ZD D v Enc pk, x xb h KeyGen msk, y yb y Dec ct, sk e xb h, yb y = x, y { M Y = g Y M = g Y D ~,l o D,l [ ] 14

15 Construction of Partially Decryptable IPFE Setup 1 D (pk h, msk h ) (pk y, msk y ) (pk D, msk D ) Normal IPFE scheme for 2 dimensions Enc x, S ; (x h, z) (x y, z) (x D, z) For i [S ; ] KeyGen y, S = (y h, r Y ) (y D, r D ) For i S =, r Y = 0 Y 7 9 Dec d = ƒ Dec ct Y, sk Y = ƒ x Y y Y + zr Y = ƒ x Y y Y Y 7 9 Y 7 9 Y 7 9 This part seems pseudorandom by SXDH when S ; S =, preventing collusion attack. But what the adversary obtains are ct and sk... 15

16 Comparison with Bounded Schemes (Function-Hiding) Private-Key IPFE Reference msk ct sk Pairing Assumption DDM16 (8m y + 12m + 28) Z v 4m + 8 G h 4m + 8 G y Yes SXDH TAO16 (4m y + 18m + 20) Z v (2m + 5) G h (2m + 5) G y Yes XDLIN KKS17 (6m + 8) Z v (2m + 8) G h (2m + 8) G y Yes SXDH Ours PRF key 4m G h 4m G y Yes SXDH Public-Key IPFE Reference pk msk ct sk Pairing Assumption ALS16 m + 1 G m + 1 Z v 2m + 1 G 2 Z v No DDH Ours 28 G h 28 Z v 7m G h 7m G y Yes SXDH m: vector length 16

17 Remark In our paper, we directly construct unbounded IPFE schemes essentially utilizing properties of bilinear groups. The notion, Partial decryptable IPFE, does not appear in our paper. 17

18 Conclusion Construction of unbounded IPFE schemes for both public and private-key setting. Secure under the SXDH assumption in the standard model. Almost the same efficiency as previous private-key IPFE schemes. It provides flexible decryption (partial decryption). Decryptable iff S ; S =. 18

19 Thank you for your attention 19