Definitions for Predicate Encryption
Giuseppe Persiano
Dipartimento di Informatica, Università di Salerno, Italy
Thursday 12th April, 2012
Content
Results on simulation-based definitions for Secure Predicate Encryption.
Work in progress. Joint with Manuel Barbosa, Angelo De Caro, Pooya Farshim, Vincenzo Iovino.
Secure Encryption Scheme
Informal: an encryption scheme is secure if an adversary, who knows the encryption algorithm and is given the ciphertext, cannot obtain any information about the cleartext.
S. Goldwasser and S. Micali: Probabilistic Encryption and How To Play Mental Poker, STOC '82; Probabilistic Encryption, JCSS '84.
Formalization – Syntax
An Encryption Scheme is a tuple of 3 efficient and probabilistic algorithms (Gen, E, D):
1. Gen(1^λ) outputs public and secret keys (pk, sk) with security parameter λ;
2. E(pk, m) outputs ciphertext ct for plaintext m;
3. D(pk, ct, sk) outputs the plaintext for ciphertext ct.
Correctness: except with probability negligible in λ, if (pk, sk) ← Gen(1^λ) then
Formalization – Game-based (IND-Secure)
A game between Adversary A and Challenger C.
Security Game with security parameter λ
1. C generates (pk, sk) ← Gen(1^λ) and sends pk to A;
2. A(pk) returns two messages m_0 and m_1 of the same length;
3. C picks b ∈ {0, 1} at random, computes ct = E(pk, m_b) and sends ct to A;
4. A(pk, ct) outputs b'.
Formalization – Game-based (IND-Secure): Definitions
1. A wins if b = b';
2. A breaks (Gen, E, D) if A wins with probability 1/2 + 1/poly(λ);
3. (Gen, E, D) is IND-Secure if no PPT A breaks it.
Formalization – Simulation-based (Semantic Security)
Real world:
1. (pk, sk) ← Gen(1^λ);
2. (m, aux) ← A_0(pk);
3. ct ← E(pk, m);
4. α ← A_1(pk, ct, aux);
Output: (pk, m, aux, α)
Ideal world:
1. (pk, sk) ← Gen(1^λ);
2. (m, aux) ← A_0(pk);
3. ct' ← Sim(pk, |m|);
4. α ← A_1(pk, ct', aux);
Output: (pk, m, aux, α)
(Gen, E, D) is Semantic-Secure if there is an efficient simulator Sim such that, for every efficient (A_0, A_1), the real-world and ideal-world outputs are computationally indistinguishable.
Equivalence of the two notions
Theorem (Goldwasser-Micali): (Gen, E, D) is Semantic-Secure iff it is IND-Secure.
IND Security implies Semantic Security. Proof sketch: the Simulator computes ct' = E(pk, m') for an arbitrary message m' of length |m|. By IND security, A_1 cannot tell E(pk, m) from E(pk, m'), so the real-world and ideal-world outputs are indistinguishable.
The original goal: an adversary, who knows the encryption algorithm and is given the ciphertext, cannot obtain any information about the cleartext (except for its length).
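The IND game above, played out in code as an added example (not part of the original slides): textbook RSA stands in for (Gen, E, D). Because E(pk, m) = m^e mod n uses no randomness, the adversary needs neither sk nor any number theory: it recomputes E(pk, m_0) and compares it with the challenge, winning with probability 1 instead of 1/2. The 32-bit primes and 4-byte messages are constructed toy values chosen so the harness runs instantly; they are an assumption of this example and give no real security.

```python
import secrets

# Constructed toy parameters: the primes 2^32-5 and 2^32-17 and e = 65537.
# Assumption of this example only: far too small for any real use.
P, Q, E_EXP = 4294967291, 4294967279, 65537


def gen():
    """Gen(1^λ): textbook RSA key pair (pk, sk) = ((n, e), (n, d))."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    d = pow(E_EXP, -1, phi)
    return (n, E_EXP), (n, d)


def enc(pk, m: bytes) -> int:
    """E(pk, m): c = m^e mod n.  Deterministic: no padding, no randomness."""
    n, e = pk
    return pow(int.from_bytes(m, "big"), e, n)


def dec(sk, ct: int, length: int) -> bytes:
    """D(sk, ct): m = c^d mod n, re-encoded to the known plaintext length."""
    n, d = sk
    return pow(ct, d, n).to_bytes(length, "big")


def reencryption_adversary(pk, ct, m0, m1) -> int:
    """A(pk, ct): with a deterministic E, re-encrypt m0 and compare."""
    return 0 if enc(pk, m0) == ct else 1


def guessing_adversary(pk, ct, m0, m1) -> int:
    """Baseline A that ignores the ciphertext; wins with probability 1/2."""
    return secrets.randbelow(2)


def ind_game(adversary, m0: bytes, m1: bytes, trials: int = 200) -> float:
    """Play the IND game `trials` times and return A's win rate.
    C generates keys, picks b, sends ct = E(pk, m_b); A wins iff b' = b."""
    assert len(m0) == len(m1), "the game requires messages of equal length"
    wins = 0
    for _ in range(trials):
        pk, _sk = gen()
        b = secrets.randbelow(2)
        ct = enc(pk, (m0, m1)[b])
        wins += adversary(pk, ct, m0, m1) == b
    return wins / trials
```

A randomised E removes this particular attack but is not thereby IND-secure; the harness only measures the win rate of whatever adversary is plugged in, which is exactly what the definition asks.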
New questions:
Q: Can we control the amount of information released by the ciphertexts?
Q: Can we give different adversaries the ability to extract different bits of the plaintext?
Application scenario
Reading emails: Alice keeps her email on a public server. For privacy, messages are sent in encrypted form. Alice downloads a message, decrypts it, and reads it.
Searching emails – 1st try: Alice wants to download all messages with subject=ProjectX. Alice downloads all the messages, decrypts all of them, and selects the ones related to ProjectX.
Predicate Encryption – Syntax
Functionality F : K × M → {0, 1}.
A Predicate Encryption scheme for F is a tuple of 4 efficient and probabilistic algorithms (Setup, KeyGen, Encrypt, Eval):
1. Setup(1^λ) outputs public and master secret keys (Pk, Msk) for security parameter λ;
2. KeyGen(Msk, k) outputs token Tok_k for k ∈ K;
3. Encrypt(Pk, m) outputs ciphertext Ct for plaintext m ∈ M;
4. Eval(Pk, Ct, Tok_k) outputs F(k, m).
Game-based Security Notion
Security Game with security parameter λ
1. C generates (Pk, Msk) ← Setup(1^λ) and sends Pk to A;
2. A asks for tokens Tok_{k_1}, ..., Tok_{k_{q_1}} for F(k_1, ·), ..., F(k_{q_1}, ·);
3. A outputs two messages m_0 and m_1 of the same length;
4. C picks b ∈ {0, 1} at random, computes Ct = Encrypt(Pk, m_b) and sends Ct to A;
5. A asks for tokens Tok_{k_{q_1+1}}, ..., Tok_{k_q} for F(k_{q_1+1}, ·), ..., F(k_q, ·);
6. A outputs b'.
Game-based Security Notion: Definitions
1. A wins if b = b' and F(k_i, m_0) = F(k_i, m_1) for i = 1, ..., q;
2. A breaks (Setup, KeyGen, Encrypt, Eval) if A wins with probability 1/2 + 1/poly(λ);
3. (Setup, KeyGen, Encrypt, Eval) is IND-Secure if no PPT A breaks it.
Secure Encryption and Secure Predicate Encryption
Observation: Game-Based Secure Encryption [GM] is Game-Based Secure Predicate Encryption with K = {ε} and F(ε, m) = |m|.
Some functionalities
Equality: K = M = {0, 1}^ℓ, F(k, m) = 1 iff k = m. [Boneh, Di Crescenzo, Ostrovsky, P – Eurocrypt 2004]
Hidden Vector Encryption: M = {0, 1}^ℓ, K = {0, 1, ⋆}^ℓ, F(k, m) = 1 iff for each i = 1, ..., ℓ, k_i = ⋆ or k_i = m_i. [Boneh, Waters – TCC 2007] [Okamoto, Takashima – Eurocrypt 2012] [De Caro, Iovino, P – Pairing 2012]
Obs: HVE implies Equality.
Some functionalities
Inner Product (Orthogonality): K = M = Z_n^ℓ, F(k, m) = 1 iff Σ_i k_i · m_i = 0 (that is, ⟨k, m⟩ = 0). [Katz, Sahai, Waters – Eurocrypt 2008] [Okamoto, Takashima – Eurocrypt 2012]
Weakness of Game-Based Security
[Boneh, Sahai, Waters – TCC 11]: a simple scheme for predicate encryption that was clearly insecure and nonetheless satisfied the Game-based security notion.
Formalization – Simulation-based (Semantic Security), informal
Real world:
(Pk, Msk) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(Msk, ·)}(Pk);
Ct ← Encrypt(Pk, m);
α ← A_1(Pk, Ct, aux);
Output: (Pk, m, α)
Ideal world:
(Pk, Msk) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(Msk, ·)}(Pk);
Ct' ← Sim(Pk, |m|, (k_i, F(k_i, m))_{i=1}^q);
α ← A_1(Pk, Ct', aux);
Output: (Pk, m, α)
Here k_1, ..., k_q are the keys A_0 queried to its KeyGen oracle: the simulator learns only |m| and the predicate values F(k_i, m) that the tokens in the adversary's hands reveal anyway.
Our Formalization is different from [BSW]
Some differences. In the [BSW] definition: Pk of the Ideal world is generated by the Simulator; the Adversary outputs several messages.
Proof of equivalence breaks down
Simulator computes Ct' = Encrypt(Pk, m') for an arbitrary message m' of length |m|.
Adversary A_0: aux includes (Tok_{k_i}, F(k_i, m)) for i = 1, ..., q.
Adversary A_1:
Real world: Eval(Pk, Ct, Tok_{k_i}) = F(k_i, m), i = 1, ..., q.
Ideal world: Eval(Pk, Ct', Tok_{k_i}) = F(k_i, m'), i = 1, ..., q.
So A_1 distinguishes the two worlds as soon as F(k_i, m') ≠ F(k_i, m) for some i. To carry the proof through, the simulator must pick an m' consistent with every pair (k_i, F(k_i, m)) it is given; that is exactly pre-image samplability.
Pre-image samplability
Functionality F : K × M → {0, 1} is PS if there exists an efficient sampler Sam such that for all efficient adversaries A:
Adversary A outputs ℓ, (k_i, b_i)_{i=1}^q with k_i ∈ K, i = 1, ..., q.
Sampler Sam: input ℓ, (k_i, b_i)_{i=1}^q; output a message m ∈ M s.t. F(k_i, m) = b_i, i = 1, ..., q, and |m| = ℓ.
Pre-image samplability
The simulator Sim: input (Pk, |m|, (k_i, F(k_i, m))_{i=1}^q); run Sam on input (|m|, (k_i, F(k_i, m))_{i=1}^q) and receive m'; output Ct' = Encrypt(Pk, m').
Proposition: If a functionality F is PS then Semantic and Game-Based security coincide. Proof from [O'Neill].
Inner-Product is PS
Sampler Sam: input (y_i, b_i)_{i=1}^q with y_i ∈ Z_n^ℓ; solve for x ∈ Z_n^ℓ the linear constraints ⟨y_i, x⟩ = 0 for every i with b_i = 1 and ⟨y_i, x⟩ ≠ 0 for every i with b_i = 0 (a random solution of the homogeneous system meets the ≠ 0 constraints with overwhelming probability whenever they are satisfiable).
Corollary: The Okamoto-Takashima construction for Inner Product is Semantically Secure.
Hidden Vector Encryption
K = {0, 1, ⋆}^ℓ and M = {0, 1}^ℓ. For y ∈ K and x ∈ M:
Match(y, x) = 1 if for each i, y_i = ⋆ or x_i = y_i; 0 otherwise.
Examples:
y = (1, 0, ⋆, 0, 1), x = (0, 1, 0, 0, 1): Match(y, x) = 0, y does not match x.
y = (0, 1, ⋆, 1, 0), x = (0, 1, 0, 1, 0): Match(y, x) = 1, y matches x.
If HVE is PS then 3SAT can be efficiently decided
Let Sam be a sampler for HVE. Given Φ, an m-clause n-variable formula in 3CNF, we can construct ((y_1, b_1), ..., (y_m, b_m)) such that x = Sam((y_1, b_1), ..., (y_m, b_m)) is a satisfying truth assignment for Φ.
If HVE is PS then 3SAT can be efficiently decided
Φ = (x_1 ∨ x_2 ∨ x_3) ∧ (x̄_1 ∨ x̄_3 ∨ x_5) ∧ ··· ∧ (x_13 ∨ x̄_21 ∨ x_34)
         C_1                 C_2                        C_m
One pair (y_j, b_j) per clause C_j: at the positions of the three variables of C_j, y_j holds the value that falsifies the literal (0 for a positive literal, 1 for a negated one); every other position is ⋆; and b_j = 0. Thus Match(y_j, x) = 1 exactly when x falsifies C_j.
y_1 = (0, 0, 0, ⋆, ⋆, ⋆, ..., ⋆)  (positions 1, 2, 3, 4, 5, 6, ..., n),  b_1 = 0
y_2 = (1, ⋆, 1, ⋆, 0, ⋆, ..., ⋆)  (positions 1, 2, 3, 4, 5, 6, ..., n),  b_2 = 0
...
y_m = (⋆, ..., ⋆) except y_{m,13} = 0, y_{m,21} = 1, y_{m,34} = 0,  b_m = 0
If HVE is PS then 3SAT can be efficiently decided
Let x = (x_1, ..., x_n) be the output of Sam.
Match(y_1, x) = 0 ⇒ (x_1, x_2, x_3) ≠ (0, 0, 0) ⇒ C_1 is satisfied
Match(y_2, x) = 0 ⇒ (x_1, x_3, x_5) ≠ (1, 1, 0) ⇒ C_2 is satisfied
···
Match(y_m, x) = 0 ⇒ (x_13, x_21, x_34) ≠ (0, 1, 0) ⇒ C_m is satisfied
Hence a pre-image for ((y_1, 0), ..., (y_m, 0)) exists iff Φ is satisfiable, and a single call to Sam decides 3SAT.
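The clause-to-token construction above, as an added example that is not part of the original slides: clauses become pairs (y_j, 0) exactly as on the slide, and a brute-force search stands in for the hypothetical sampler Sam (the whole point of the reduction is that an efficient Sam would make this search unnecessary). The formula PHI and the unsatisfiable formula UNSAT are constructed here; the first two clauses of PHI are the slide's.

```python
from itertools import product

STAR = "*"   # the wildcard symbol ⋆


def match(y, x) -> int:
    """HVE predicate Match(y, x): 1 iff every non-wildcard entry of y equals x."""
    return int(all(yi == STAR or yi == xi for yi, xi in zip(y, x)))


def clause_to_pair(clause, n):
    """(y_j, b_j) for one clause.  A literal is (variable index, negated).
    y_j carries the falsifying value at each clause variable (0 for a positive
    literal, 1 for a negated one) and ⋆ elsewhere, so Match(y_j, x) = 1 exactly
    when x falsifies the clause; b_j = 0 demands that this does not happen."""
    y = [STAR] * n
    for var, negated in clause:
        y[var - 1] = 1 if negated else 0
    return tuple(y), 0


def brute_force_sam(pairs, n):
    """Stand-in for Sam: some x in {0,1}^n with Match(y_i, x) = b_i for all i,
    or None when no pre-image exists (exponential in n; fine for the toy size)."""
    for x in product((0, 1), repeat=n):
        if all(match(y, x) == b for y, b in pairs):
            return x
    return None


def satisfies(formula, x) -> bool:
    """Direct check: every clause has a literal made true by x."""
    return all(any(x[var - 1] != int(negated) for var, negated in clause)
               for clause in formula)


def decide_3sat(formula, n):
    """The reduction: Φ is satisfiable iff Sam finds a pre-image for
    ((y_1, 0), ..., (y_m, 0)); that pre-image is a satisfying assignment."""
    return brute_force_sam([clause_to_pair(c, n) for c in formula], n)


# Constructed toy instances (the first two clauses of PHI are the slide's).
PHI = [[(1, False), (2, False), (3, False)],
       [(1, True), (3, True), (5, False)],
       [(2, False), (4, False), (5, True)]]
# All eight clauses over x_1, x_2, x_3: every assignment falsifies exactly one.
UNSAT = [[(1, a), (2, b), (3, c)] for a, b, c in product((False, True), repeat=3)]
```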
IP implies HVE [KSW]
There exist two poly-time reductions RMess, RTok such that for all x ∈ {0, 1}^ℓ and y ∈ {0, 1, ⋆}^ℓ:
Match(y, x) = 1 iff ⟨RMess(x), RTok(y)⟩ = 0.
Semantically Secure HVE
HVE.Setup(1^λ) := IP.Setup(1^λ)
HVE.Encrypt(Pk, x) := IP.Encrypt(Pk, RMess(x))
HVE.KeyGen(Msk, y) := IP.KeyGen(Msk, RTok(y))
HVE.Test(Pk, Ct, Tok) := IP.Test(Pk, Ct, Tok)
Simulator: input (Pk, |m|, (y_i, b_i)_{i=1}^q); run Sam for IP on (RTok(y_i), b_i)_{i=1}^q and obtain a vector x ∈ Z_n^{2ℓ}; output IP.Encrypt(Pk, x).
The sampled x satisfies ⟨RTok(y_i), x⟩ = 0 iff b_i = 1, but it need not equal RMess(x') for any x' ∈ {0, 1}^ℓ; this is why the construction is semantically secure although HVE itself is not PS unless 3SAT is easy.
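The HVE-from-IP construction and its simulator, as an added example that is not part of the original slides. The slides only state that RMess and RTok exist; the concrete pair below (RMess(x) = (x_1, 1, ..., x_ℓ, 1), RTok(y) with weight 2^i at each non-wildcard position and (0, 0) at wildcards) is my own deterministic variant of the KSW idea, exact for binary vectors whenever the modulus exceeds 2^ℓ. Sam for inner product is instantiated as "a random element of the null space of the b_i = 1 vectors, retried until the b_i = 0 vectors are non-orthogonal", worked over the toy prime field Z_10007 (an assumption here, not the slides' Z_n). The last two functions show the point made above: the simulated vector satisfies every token constraint even when no Boolean x' does.

```python
import random
from itertools import product

STAR = "*"    # the wildcard symbol ⋆
P = 10007     # toy prime modulus for Z_p (assumption); must exceed 2^ℓ


def match(y, x) -> int:
    """HVE predicate: 1 iff every non-wildcard entry of y equals x."""
    return int(all(yi == STAR or yi == xi for yi, xi in zip(y, x)))


def rmess(x):
    """RMess(x) = (x_1, 1, x_2, 1, ..., x_l, 1) in Z_p^{2l}."""
    return [v for xi in x for v in (xi, 1)]


def rtok(y):
    """RTok(y): position i contributes (w_i, -w_i*y_i) if y_i != ⋆, else (0, 0),
    with w_i = 2^i.  Then <RMess(x), RTok(y)> = sum over non-wildcard i of
    w_i (x_i - y_i): an integer of absolute value < p that is 0 iff every such
    x_i equals y_i (the lowest-weight non-zero term cannot be cancelled)."""
    out = []
    for i, yi in enumerate(y):
        w = 1 << i
        out += [0, 0] if yi == STAR else [w, (-w * yi) % P]
    return out


def ip(u, v) -> int:
    """Inner product over Z_p."""
    return sum(a * b for a, b in zip(u, v)) % P


def reduction_is_exact(ell) -> bool:
    """Exhaustive check of Match(y, x) = 1 iff <RMess(x), RTok(y)> = 0."""
    return all(match(y, x) == (ip(rmess(x), rtok(y)) == 0)
               for x in product((0, 1), repeat=ell)
               for y in product((0, 1, STAR), repeat=ell))


def nullspace_mod_p(rows, dim):
    """Basis of {x : <r, x> = 0 for every r in rows} by Gauss-Jordan over Z_p."""
    m = [[v % P for v in r] for r in rows]
    pivots, r = [], 0
    for c in range(dim):
        if r == len(m):
            break
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, P)
        m[r] = [(v * inv) % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % P for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in (c for c in range(dim) if c not in pivots):
        vec = [0] * dim
        vec[free] = 1
        for row, pc in zip(m, pivots):
            vec[pc] = (-row[free]) % P
        basis.append(vec)
    return basis


def ip_sam(pairs, dim, tries=64):
    """Sam for inner product: a random element of the null space of the
    b_i = 1 vectors, retried until every b_i = 0 vector is non-orthogonal.
    Returns None when no consistent x is found (contradictory constraints)."""
    basis = nullspace_mod_p([y for y, b in pairs if b == 1], dim)
    for _ in range(tries):
        x = [0] * dim
        for vec in basis:
            c = random.randrange(P)
            x = [(a + c * v) % P for a, v in zip(x, vec)]
        if all((ip(y, x) == 0) == bool(b) for y, b in pairs):
            return x
    return None


def hve_simulated_plaintext(hve_pairs, ell):
    """The vector the HVE simulator hands to IP.Encrypt: Sam for IP on
    (RTok(y_i), b_i).  Consistent with every token, yet in general not
    RMess(x') for any Boolean x'."""
    return ip_sam([(rtok(y), b) for y, b in hve_pairs], 2 * ell)


def boolean_preimage_exists(hve_pairs, ell) -> bool:
    """Brute force: does some x' in {0,1}^ell satisfy all the HVE pairs?"""
    return any(all(match(y, x) == b for y, b in hve_pairs)
               for x in product((0, 1), repeat=ell))
```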
Robust Predicate Encryption
Informal: A Robust Predicate Encryption scheme for F : K × M → {0, 1} is a tuple of 5 efficient and probabilistic algorithms (Setup, KeyGen, Encrypt, Eval, Validate) s.t. Validate(Pk, Ct) = 1 implies ∃ m ∈ M s.t.
1. Ct = Encrypt(Pk, m);
2. for all k ∈ K, Eval(Pk, Ct, Tok_k) = F(k, m).
Robust Predicate Encryption
Theorem: If there exists a Semantically Secure Robust Predicate Encryption scheme for F : K × M → {0, 1} then F is PS.
Ideal world:
(Pk, Msk) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(Msk, ·)}(Pk);
Ct' ← Sim(Pk, |m|, (k_i, F(k_i, m))_{i=1}^q);
α ← A_1(Pk, Ct', aux);
Output: (Pk, m, α)
Proof idea: A_0 keeps the tokens Tok_{k_i} (and m itself) in aux. A_1 runs Validate on the ciphertext it receives, so in the ideal world Validate(Pk, Ct') = 1 must hold (otherwise the two worlds are distinguished), and by robustness Ct' = Encrypt(Pk, m') for some m' with Eval(Pk, Ct', Tok_{k_i}) = F(k_i, m'). A_1 also compares Eval(Pk, Ct', Tok_{k_i}) with F(k_i, m), which in the real world is what Eval returns; indistinguishability therefore forces F(k_i, m) = F(k_i, m') for i = 1, ..., q: the message m' behind the simulated ciphertext is a pre-image consistent with all the pairs (k_i, F(k_i, m)).
Corollary: If HVE has a Semantically Secure Robust Predicate Encryption scheme then 3SAT can be decided efficiently.
Notice: this holds even for single-message and token non-adaptive adversaries (A_1 does not ask for tokens).
What now?
1. Weaken the adversary.
HVE is 1-PS: Sam((y_1, 1), ..., (y_q, 1)).
Observation: if y_{i_1,j}, y_{i_2,j} ≠ ⋆ then y_{i_1,j} = y_{i_2,j} (a common match exists only if the non-⋆ entries of every column agree), so Sam sets x_j to the common non-⋆ value of column j, or to an arbitrary bit if the whole column is ⋆.
Corollary: Semantically Secure and Robust HVE for adversaries A_0 restricted to output x s.t. F(y_i, x) = 1, i = 1, ..., q.
q-bounded adversaries
(Setup, KeyGen, Encrypt, Eval) game-based secure w.r.t. q-bounded adversaries for the functionality: K = set of n-input circuits, M = {0, 1}^n.
New functionality
M' = ({0, 1}^n ∪ {⊥}) × {0, 1}^n × ... × {0, 1}^n  (q copies of {0, 1}^n)
K' = K × {0, 1}^n
F'((C, r), (m, m_1, ..., m_q)) =
  1, if m_i = r for some i;
  0, if m = ⊥;
  C(m), otherwise.
For randomly chosen r, m_1, ..., m_q: F'((C, r), (m, m_1, ..., m_q)) = F(C, m), except with the negligible probability that some m_i = r.
F' is PS
The sampler Sam: input ((C_1, r_1), b_1), ..., ((C_q, r_q), b_q); output m = (⊥, m_1, ..., m_q) with m_i = r_i if b_i = 1 and m_i = ⊥ if b_i = 0.
Notice: F'((C_i, r_i), m) = b_i, i = 1, ..., q (the r_i are pairwise distinct except with negligible probability, so m_j = r_j for j ≠ i never triggers the first case for (C_i, r_i)).
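F' and its sampler, as an added example that is not part of the original slides: circuits are ordinary Python predicates on n-bit strings, ⊥ is None, and the tags r and padding strings m_i are 64-bit random values (a constructed toy size). The consistency check assumes the r_i are pairwise distinct, which random tags are except with negligible probability.

```python
import secrets

BOT = None   # the symbol ⊥
N = 64       # bit length n of plaintexts and tags (assumption: toy value)


def f_prime(key, msg) -> int:
    """F'((C, r), (m, m_1, ..., m_q)): 1 if some m_i = r; 0 if m = ⊥; else C(m)."""
    circuit, r = key
    m, tags = msg[0], msg[1:]
    if r in tags:
        return 1
    if m is BOT:
        return 0
    return int(circuit(m))


def key_input(circuit):
    """KeyGen side: pair the circuit C with a fresh random tag r."""
    return (circuit, secrets.token_bytes(N // 8))


def encrypt_input(m: bytes, q: int):
    """Encrypt side: (m, m_1, ..., m_q) with fresh random m_i, so that
    F'((C, r), .) = C(m) unless some m_i collides with r."""
    return (m,) + tuple(secrets.token_bytes(N // 8) for _ in range(q))


def sam(pairs):
    """Sampler for F': from ((C_i, r_i), b_i) output (⊥, m_1, ..., m_q) with
    m_i = r_i if b_i = 1 and ⊥ if b_i = 0; the circuits C_i are never evaluated."""
    return (BOT,) + tuple(r if b else BOT for (_c, r), b in pairs)


def sampler_is_consistent(pairs) -> bool:
    """The slide's 'Notice': F'((C_i, r_i), Sam(...)) = b_i for every i."""
    m = sam(pairs)
    return all(f_prime(key, m) == b for key, b in pairs)


# Constructed toy 'circuits' on n-bit strings.
def parity(m: bytes) -> bool:
    return bin(int.from_bytes(m, "big")).count("1") % 2 == 1


def msb(m: bytes) -> bool:
    return m[0] >> 7 == 1
```

Because Sam only needs the tags, it works for every circuit family at once; the price is that F' leaks nothing beyond F only while the m_i stay random, which is why the construction is tied to q-bounded adversaries.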
Giving more power to the Simulator
Simulator gets the secret key. No problem in [GM].
Real world:
(Pk, Msk) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(Msk, ·)}(Pk);
Ct ← Encrypt(Pk, m);
α ← A_1(Pk, Ct, aux);
Ideal world:
(Pk, Msk) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(Msk, ·)}(Pk);
Ct' ← Sim(Pk, Msk, |m|, (k_i, F(k_i, m))_{i=1}^q);
α ← A_1(Pk, Ct', aux);
Simulator gets the secret key
Robust Semantic Security for F does not imply F is PS.
Robust Semantically Secure HVE:
1. Pk has a CRS;
2. IP + NIZK that the plaintext is the output of the reduction on some input x ∈ {0, 1}^ℓ;
3. The secret key has the trapdoor for the CRS.
With the trapdoor the simulator can produce an accepting proof for an IP vector that is not RMess(x) for any x, so Validate accepts the simulated ciphertext and the 3SAT argument no longer applies.
Giving more power to the Simulator
Simulator gets the tokens.
Real world:
(Pk, Msk) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(Msk, ·)}(Pk);
Ct ← Encrypt(Pk, m);
α ← A_1(Pk, Ct, aux);
Ideal world:
(Pk, Msk) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(Msk, ·)}(Pk);
Ct' ← Sim(Pk, |m|, (F(k_i, m), Tok_{k_i})_{i=1}^q);
α ← A_1(Pk, Ct', aux);
Giving too much power to the Simulator
F(k, m) = f_k(m) where {f_k} is a family of one-way trapdoor permutations.
Setup(1^λ):
  (k, τ_k) ← TDP.Gen(1^λ)
  (pk, sk) ← PKE.Setup(1^λ)
  Pk = (pk, k); Msk = (sk, τ_k)
  return (Pk, Msk)
Encrypt(Pk, m): return PKE.Encrypt(pk, m)
KeyGen(Msk, k): return Msk
Eval(Ct, Tok_k):
  (sk, τ_k) ← Tok_k
  m = PKE.Decrypt(Ct, sk)
  return f_k(m)
The simulator: Ct' ← Sim(Pk, |m|, (F(k_i, m), Tok_i)_{i=1}^q), for q = 0, 1.
If q = 0: easy, encrypt any message.
If q = 1: F(k, m) = f_k(m) and Tok_1 = (sk, τ_k), so the simulator inverts f_k with the trapdoor τ_k, recovers m and outputs PKE.Encrypt(pk, m), distributed exactly as the real ciphertext.
Thus the scheme meets the definition with a token-aware simulator, yet a single token hands the adversary sk and with it every plaintext: the simulator has been given too much power.
References:
Boneh, Sahai, Waters: Functional Encryption: Definitions and Challenges, TCC 2011. (Unconditional impossibility results for multi-message and token-adaptive adversaries.)
O'Neill: Definitional Issues in Functional Encryption, Cryptology ePrint 2010/556. (Pre-image Samplability.)
Work in progress: Manuel Barbosa, Angelo De Caro, Pooya Farshim, Vincenzo Iovino.