Attribute-Based Encryption for Circuits
Sergey Gorbunov (U of Toronto)
Vinod Vaikuntanathan (U of Toronto)
Hoeteck Wee (George Washington U)
[Figure: Alice and Bob; keys PK and SK; ciphertext CT = Enc_PK(m)]
All or nothing access to the data
Public Key Encryption [Diffie-Hellman 76, Rivest Shamir Adleman 77]
Modern world
• Lots of data!
• Lots of users!
[Figure: Alice, Bob, Charlie and John; keys PK and SK; ciphertexts CT_1 = Enc_PK(m_1), …]
Public Key Encryption [Diffie-Hellman 76, Rivest Shamir Adleman 77]
Challenge: control who can read which messages
[Figure: Alice, Bob, Charlie and John; keys PK and SK; ciphertexts CT_1 = Enc_PK(m_1), CT_2 = Enc_PK(m_2)]
Scenario:
• m1 should be read only by Bob and Charlie
• m2 should be read only by Bob and John
Public Key Encryption [Diffie-Hellman 76, Rivest Shamir Adleman 77]
Trivial Solution (establish many key pairs): completely impractical!!
Attribute-Based Encryption [Sahai-Waters 05]
PK
Alice Bob
User holding SKP & learns
SKP
CT_x = Enc_PK(x, m) →
Public Attribute vector
Policy
if P() = 1 otherwise
[Figure: Alice, Bob, Charlie and John; keys PK and SK]
Attribute-Based Encryption [Sahai-Waters 05]
CT_{x1} = Enc_PK(x_1, m_1) →
User holding key , learns if otherwise
SKP 1
SKP 2
SKP 3
Our Result [G., Vaikuntanathan and Wee] (informal):
There exists an Attribute-based Encryption scheme for all polynomial-size circuits
-- Assuming hardness of Learning With Errors (LWE) problem
Can we construct Attribute-based Encryption for all policies (represented by circuits)?
Our Result [G., Vaikuntanathan and Wee] (semi-formal): Under the sub-exponential hardness (modulo ) of LWE, for every depth , there is an Attribute-based Encryption scheme for poly size, depth circuits where:
size of ciphertext encrypting bits = , where is the security parameter
Best algorithm: time
Physical Filters
Penny Coin Filter
[Figure: coins sorted into Pennies and Other change]
Bob sees the pennies only…
Computational Filters
[Figure: a circuit of AND and OR gates sorts (101, m1), (000, m2), (001, m3) into Sat Messages and Unsat Messages; output m1]
[Figure: the same circuit applied to Enc(101, m1), Enc(000, m2), Enc(001, m3); output m1]
Bob sees Sat messages only…
Analogy: Computational Filters
Decryption algorithm outputs m if and only if P(x) = 1
[Figure: attribute vector x = 101 (x1=1, x2=0, x3=1) and the circuit of AND and OR gates for policy P; Ciphertext101 = EncPK(101, m) goes through the computational filter for P, SKP; P(101) = 1; output m]
SKP is a computational filter for the policy P! Constructing ABE = reusable computational filters!
Reusable computational filters:
[Figure: SKP, a circuit of AND and OR gates, takes Enc(101, m1), Enc(011, m2), Enc(001, m3) and outputs m1, m2]
Constructing One Time Computational Filters [Yao 86]
• Building Blocks
AND filter (indexed by hidden strings L1, L2 and L3): on input L1 AND L2, output L3
OR filter (indexed by hidden strings L1, L2 and L3): on input L1 OR L2, output L3
• One time filter for a policy P is a collection of filters for each gate
Constructing One Time Computational Filters [Yao 86]
AND filter OR filter
• Building Blocks
Enc_{L1}(Enc_{L2}(L3))
On input AND , and output
On input OR , and output
OWF
One-time ABE
Enc(101,m) = L1, L3, Lout m
SKP = OR-filter & AND-filter
[Figure: input labels L1, L2, L3; OR-filter takes L1, L2 and outputs L4; AND-filter takes L4, L3 and outputs Lout]
Why one time?
Given SKP, Enc(101, m1), Enc(010, m2):
• the user should not learn m2,
• but he does!!
• (the labels/strings are correlated)
Challenge
Come up with reusable computational filters where
• decrypting Enc(101, m1) does not help to decrypt Enc(010, m2)
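Added example (not from the original slides): a Python sketch of the one-time filter for the policy (x1 OR x2) AND x3 drawn above, showing that a key holder who has decrypted Enc(101, m1) can then read Enc(010, m2) because both ciphertexts reuse the same hidden strings. The SHAKE/SHA-256 toy cipher, the masking of m by XOR under Lout, and all function names are assumptions made for this illustration.

```python
import hashlib, secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(key, n):                 # toy keystream (assumption, not from the slides)
    return hashlib.shake_256(key).digest(n)

def enc(key, msg):               # toy one-time cipher with an 8-byte check tag
    body = msg + hashlib.sha256(key + msg).digest()[:8]
    return xor(body, pad(key, len(body)))

def dec(key, ct):                # returns None when the key does not fit
    body = xor(ct, pad(key, len(ct)))
    msg, tag = body[:-8], body[-8:]
    return msg if hashlib.sha256(key + msg).digest()[:8] == tag else None

def setup():                     # hidden strings, fixed once for the whole system
    return {w: secrets.token_bytes(16) for w in ("L1", "L2", "L3", "L4", "Lout")}

def keygen(L):                   # SKP for P(x) = (x1 OR x2) AND x3
    return {"or": [enc(L["L1"], L["L4"]), enc(L["L2"], L["L4"])],
            "and": enc(L["L4"], enc(L["L3"], L["Lout"]))}

def encrypt(L, x, m):            # labels of the wires set to 1, m masked under Lout
    labels = {i: L[f"L{i}"] for i in (1, 2, 3) if x[i - 1] == "1"}
    return {"labels": labels, "body": xor(m, pad(L["Lout"], len(m)))}

def run_filters(sk, labels):     # returns Lout if P(x) = 1, else None
    l4 = None
    for i in (1, 2):             # OR-filter: either input label opens L4
        if i in labels and l4 is None:
            l4 = dec(labels[i], sk["or"][i - 1])
    if l4 is None or 3 not in labels:
        return None
    return dec(labels[3], dec(l4, sk["and"]))   # AND-filter: needs L4 and L3

def decrypt(sk, ct):
    lout = run_filters(sk, ct["labels"])
    return None if lout is None else xor(ct["body"], pad(lout, len(ct["body"])))

def reuse_leak(sk, ct_sat, ct_unsat):   # Lout from one ciphertext opens the other
    lout = run_filters(sk, ct_sat["labels"])
    return xor(ct_unsat["body"], pad(lout, len(ct_unsat["body"])))

if __name__ == "__main__":
    L = setup(); sk = keygen(L)
    c1, c2 = encrypt(L, "101", b"m1"), encrypt(L, "010", b"m2")   # constructed inputs
    print(decrypt(sk, c1), decrypt(sk, c2), reuse_leak(sk, c1, c2))
```

The honest decryption of the 010 ciphertext fails, yet reuse_leak recovers its message, which is the correlation between labels that the reusable filters are meant to remove.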
Constructing Reusable Computational Filters
OUR KEY IDEA: Replace strings L by functions
strings: single-use; functions: many-use
One time computational filters: Yao 1986
Reusable computational filters: Gorbunov, Vaikuntanathan, Wee 2013 [This Work]
Constructing Reusable Computational Filters
Reusable AND filter
On input AND , output
(indexed by public functions )
[Figure: R-AND-filter; the two public functions, with subscripts 1 and 2, evaluated at s and at s′]
Reusable OR filter
On input OR , output ,
(indexed by public functions)
[Figure: R-OR-filter; the two public functions, with subscripts 1 and 2, evaluated at s and at s′]
• Reusable filter for a policy P is a collection of reusable filters for each gate
Constructing Reusable Computational Filters
[Figure: matrix A with entries a11 … amn, times the vector s = (s1, s2, …, sn)]
Given a matrix A and A s: Find s. Easy!
LWE assumption: Add “low-weight” noise vector e, then given A and A s + e: Find s. Hard!
Turn LWE into a trapdoor function: Easy! with trapdoor TA &
[Regev 05] [Ajtai 99] [Gauss 1810]
(Generalization of Learning Parity with Noise [BFKL93])
Reusable AND filter
On input AND , output
• Function , where
[Figure: R-AND-filter; two LWE functions indexed by A1 and A2, each evaluated at s, of the form A s + e with noise terms e1 and e2]
Attempt 1: Publish a trapdoor for : recover , compute
Attempt 2: Exploit Linearity! Publish “short” such that [GPV08, CHKP10] [ABB10]
Correctness: Error grows
Security: see paper…
Non-monotone circuits: define reusable NAND filter similarly
strings L: single-use
functions : many-use
One time comp. filters [Yao 86]
Reusable computational filters [This Work]
LWE function (of the form A s + e)
ABE for all circuits
Applications: Input Secrecy, Functional Enc, Obfuscation…
[Figure: timeline marked 1980, 1990, 2000, Now!]