Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}
![Page 1: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/1.jpg)
Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}
Attribute-Based Encryption for Circuits
Sergey Gorbunov -- {U of Toronto}
![Page 2: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/2.jpg)
SK, PK
Alice, Bob
$CT = \mathrm{Enc}_{PK}(m)$
All or nothing access to the data
Public Key Encryption [Diffie-Hellman 76, Rivest Shamir Adleman 77]
![Page 3: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/3.jpg)
SK, PK
Alice, Bob, Charlie, John
$CT_1 = \mathrm{Enc}_{PK}(m_1)$
$CT_q = \mathrm{Enc}_{PK}(m_q)$
Modern world
• Lots of data!
• Lots of users!
Public Key Encryption [Diffie-Hellman 76, Rivest Shamir Adleman 77]
Challenge: control who can read which messages
![Page 4: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/4.jpg)
SK, PK
Alice, Bob, Charlie, John
$CT_1 = \mathrm{Enc}_{PK}(m_1)$
$CT_2 = \mathrm{Enc}_{PK}(m_2)$
Scenario:
• m1 should be read only by Bob and Charlie
• m2 should be read only by Bob and John
Public Key Encryption [Diffie-Hellman 76, Rivest Shamir Adleman 77]
Trivial Solution (establish many key pairs): completely impractical!!
![Page 5: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/5.jpg)
Attribute-Based Encryption [Sahai-Waters 05]
PK
Alice Bob
User holding SKP & learns
SKP
$CT_x = \mathrm{Enc}_{PK}(x, m)$
Public Attribute vector
Policy
if P() = 1 otherwise
![Page 6: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/6.jpg)
PK, SK
Alice, Bob, Charlie, John
Attribute-Based Encryption [Sahai-Waters 05]
$CT_{x_1} = \mathrm{Enc}_{PK}(x_1, m_1)$
User holding key , learns if otherwise
$SK_{P_1}$
$SK_{P_2}$
$SK_{P_3}$
![Page 7: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/7.jpg)
Our Result [G., Vaikuntanathan and Wee] (informal):
There exists an Attribute-based Encryption scheme for all polynomial-size circuits
-- Assuming hardness of Learning With Errors (LWE) problem
Can we construct Attribute-based Encryption for all policies (represented by circuits)?
![Page 8: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/8.jpg)
Our Result [G., Vaikuntanathan and Wee] (semi-formal): Under the sub-exponential hardness (modulo ) of LWE, for every depth , there is an Attribute-based Encryption scheme for poly size, depth circuits where:
size of ciphertext encrypting bits = , where is the security parameter
Can we construct Attribute-based Encryption for all policies (represented by circuits)?
![Page 9: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/9.jpg)
Our Result [G., Vaikuntanathan and Wee] (semi-formal): Under the sub-exponential hardness (modulo ) of LWE, for every depth , there is an Attribute-based Encryption scheme for poly size, depth circuits where:
size of ciphertext encrypting bits = , where is the security parameter
Can we construct Attribute-based Encryption for all policies (represented by circuits)?
Best algorithm: time
![Page 10: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/10.jpg)
Physical Filters
Penny Coin Filter
Pennies Other change
![Page 11: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/11.jpg)
Physical Filters
Penny Coin Filter
Pennies Other change
Bob sees the pennies only…
![Page 12: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/12.jpg)
Computational Filters
Sat Messages Unsat Messages
AND
OR
(101, m1) (000, m2)
(001, m3)
m1
![Page 13: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/13.jpg)
AND
OR
Enc(101,m1) Enc(000, m2)
Enc(001, m3)
Bob sees Sat messages only…
m1
Computational Filters
m1
Sat Messages Unsat Messages
![Page 14: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/14.jpg)
Analogy: Computational Filters
Decryption algorithm outputs m if and only if P(x) = 1
x1=1 x2=0 x3=1
Circuit for policy P
Attribute Vector x=101
Computational Filter for P
m
$\mathrm{Ciphertext}_{101} = \mathrm{Enc}_{PK}(101, m)$
P(101)=1
AND
OR
AND
OR
SKP =
![Page 15: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/15.jpg)
SKP is a computational filter for the policy P! Constructing ABE = reusable computational filters!
m1
Enc(101,m1)
AND
OR
SKP =
Reusable computational filters:
Analogy: Computational Filters
![Page 16: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/16.jpg)
m1,m2
Enc(101,m1)
SKP =
Enc(011,m2)
Reusable computational filters:
OR
AND
Analogy: Computational Filters
SKP is a computational filter for the policy P! Constructing ABE = reusable computational filters!
![Page 17: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/17.jpg)
Analogy: Computational Filters
m1,m2,
Enc(101,m1)
SKP =
Enc(011,m2)
Enc(001,m3)
Reusable computational filters:
AND
OR
SKP is a computational filter for the policy P! Constructing ABE = reusable computational filters!
![Page 18: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/18.jpg)
Constructing One Time Computational Filters [Yao 86]
• Building Blocks
AND filter (indexed by hidden strings L1, L2 and L3)
On input L1 AND L2, output L3
AND-filter: inputs L1, L2; output L3
OR filter (indexed by hidden strings L1, L2 and L3)
On input L1 OR L2, output L3
OR-filter: inputs L1, L2; output L3
• One time filter for a policy P is a collection of filters for each gate
![Page 19: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/19.jpg)
Constructing One Time Computational Filters [Yao 86]
AND filter OR filter
• Building Blocks
$\mathrm{Enc}_{L_1}(\mathrm{Enc}_{L_2}(L_3))$
On input AND , and output
On input OR , and output
OWF
![Page 20: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/20.jpg)
Enc(101,m) = L1, L3, Lout m
SKP = OR-filter & AND-filter
L1 L2 L3
OR-filter: inputs L1, L2; output L4
AND-filter: inputs L4, L3; output Lout
Constructing One Time Computational Filters [Yao 86]
One-time ABE
![Page 21: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/21.jpg)
Enc(101,m) = L1, L3, Lout m
SKP = OR-filter & AND-filter
L1 L2 L3
OR-filter: inputs L1, L2; output L4
AND-filter: inputs L4, L3; output Lout
L4
Constructing One Time Computational Filters [Yao 86]
One-time ABE
![Page 22: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/22.jpg)
Enc(101,m) = L1, L3, Lout m
SKP = OR-filter & AND-filter
L1 L2 L3
OR-filter: inputs L1, L2; output L4
AND-filter: inputs L4, L3; output Lout
L4
Lout
Why one time?
Given SKP, Enc(101, m1), Enc(010, m2):
• the user should not learn m2,
• but he does!!
• (the labels/strings are correlated)
Challenge
Come up with reusable computational filters where
• decrypting Enc(101, m1) does not help to decrypt Enc(010, m2)
Constructing One Time Computational Filters [Yao 86]
One-time ABE
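The one-time filter for the policy on these slides, (x1 OR x2) AND x3, and the reuse failure from the "Why one time?" slide, as an added example (not code from the talk or the paper). It assumes a SHAKE-256 pad with a zero tag as a toy stand-in for Enc and reads "Lout m" as Lout XOR m; all function names are hypothetical.

```python
import hashlib
import secrets

N = 16  # label and message length in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key, msg):
    # Toy stand-in for Enc (assumption): XOR with a hash-derived pad.
    # N zero bytes are appended so dec() can recognise a wrong key.
    body = msg + bytes(N)
    return xor(body, hashlib.shake_256(key).digest(len(body)))

def dec(key, ct):
    body = xor(ct, hashlib.shake_256(key).digest(len(ct)))
    return body[:-N] if body[-N:] == bytes(N) else None

def setup():
    # Hidden strings: L1..L3 input wires, L4 OR output, Lout AND output.
    return {w: secrets.token_bytes(N) for w in ("L1", "L2", "L3", "L4", "Lout")}

def keygen(L):
    # SKP for P(x) = (x1 OR x2) AND x3: one filter per gate.
    return {"or": [enc(L["L1"], L["L4"]), enc(L["L2"], L["L4"])],
            "and": enc(L["L4"], enc(L["L3"], L["Lout"]))}

def encrypt(L, x, m):
    # Reveal the label of every attribute set to 1, plus Lout XOR m.
    labels = {i: L[f"L{i}"] for i in (1, 2, 3) if x[i - 1] == "1"}
    return {"labels": labels, "masked": xor(L["Lout"], m)}

def recover_lout(sk, labels):
    l4 = None
    for i, ct in zip((1, 2), sk["or"]):      # OR filter: either label opens L4
        if i in labels and l4 is None:
            l4 = dec(labels[i], ct)
    if l4 is None or 3 not in labels:        # AND filter needs L4 and L3
        return None
    inner = dec(l4, sk["and"])
    return dec(labels[3], inner) if inner is not None else None

def decrypt(sk, ct):
    lout = recover_lout(sk, ct["labels"])
    return xor(lout, ct["masked"]) if lout is not None else None

def reuse_leak(sk, ct_sat, ct_unsat):
    # Lout is the same string in every ciphertext, so one satisfying
    # ciphertext unmasks the message of any other ciphertext.
    return xor(recover_lout(sk, ct_sat["labels"]), ct_unsat["masked"])
```

With x = 010 the filter itself refuses to open, yet `reuse_leak` still returns m2, because the output label is shared across ciphertexts.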
![Page 23: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/23.jpg)
Constructing Reusable Computational Filters
OUR KEY IDEA: Replace strings L by functions
strings: single-use; functions: many-use
One time computational filters [Yao 1986]
Reusable computational filters [This Work: Gorbunov, Vaikuntanathan, Wee 2013]
![Page 24: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/24.jpg)
[This Work]
AND filter
On input L1 AND L2, output L3
(indexed by hidden strings L1, L2 and L3)
AND-filter: inputs L1, L2; output L3
L1 L2
Constructing Reusable Computational Filters
![Page 25: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/25.jpg)
On input L1 AND L2, output L3
(indexed by hidden strings L1, L2 and L3)
AND-filter: inputs L1, L2; output L3
Reusable AND filter
L1 L2
[This Work]
Constructing Reusable Computational Filters
![Page 26: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/26.jpg)
On input L1 AND L2, output L3
AND-filter: inputs L1, L2; output L3
Reusable AND filter
L1 L2
(indexed by public functions )
[This Work]
Constructing Reusable Computational Filters
![Page 27: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/27.jpg)
On input L1 AND L2, output L3
Reusable AND filter
R-AND-filter
L1 L2
(indexed by public functions )
[This Work]
Constructing Reusable Computational Filters
![Page 28: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/28.jpg)
On input L1 AND L2, output L3
Reusable AND filter
R-AND-filter
$\psi_1(s)$, $\psi_2(s)$
(indexed by public functions )
[This Work]
Constructing Reusable Computational Filters
![Page 29: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/29.jpg)
Reusable AND filter
R-AND-filter
$\psi_1(s)$, $\psi_2(s)$
On input AND , output
(indexed by public functions )
[This Work]
Constructing Reusable Computational Filters
![Page 30: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/30.jpg)
Reusable AND filter
On input AND , output
R-AND-filter
$\psi_1(s)$, $\psi_2(s)$
(indexed by public functions )
$\psi_2(s')$, $\psi_1(s')$
[This Work]
Constructing Reusable Computational Filters
![Page 31: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/31.jpg)
Reusable AND filter
On input AND , output
R-AND-filter
$\psi_1(s)$, $\psi_2(s)$
(indexed by public functions )
$\psi_2(s')$, $\psi_1(s')$
[This Work]
Constructing Reusable Computational Filters
![Page 32: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/32.jpg)
Reusable OR filter
R-OR-filter
On input OR , output
$\psi_2(s)$, $\psi_1(s)$
(indexed by public functions)
[This Work]
Constructing Reusable Computational Filters
Reusable AND filter
On input AND , output
R-AND-filter
$\psi_1(s)$, $\psi_2(s)$
(indexed by public functions )
$\psi_2(s')$, $\psi_1(s')$
![Page 33: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/33.jpg)
Reusable OR filter
R-OR-filter
On input OR , output
(indexed by public functions)
$\psi_1(s)$, $\psi_2(s)$, $\psi_2(s')$, $\psi_1(s')$
[This Work]
Constructing Reusable Computational Filters
Reusable AND filter
On input AND , output
R-AND-filter
$\psi_1(s)$, $\psi_2(s)$
(indexed by public functions )
$\psi_2(s')$, $\psi_1(s')$
![Page 34: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/34.jpg)
Reusable OR filter
R-OR-filter
On input OR , output ,
(indexed by public functions)
$\psi_1(s)$, $\psi_2(s)$, $\psi_2(s')$, $\psi_1(s')$
[This Work]
Constructing Reusable Computational Filters
Reusable AND filter
On input AND , output
R-AND-filter
$\psi_1(s)$, $\psi_2(s)$
(indexed by public functions )
$\psi_2(s')$, $\psi_1(s')$
• Reusable filter for a policy P is a collection of reusable filters for each gate
![Page 35: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/35.jpg)
Constructing Reusable Computational Filters
$A = \begin{pmatrix} a_{11} & \cdots & a_{1n} \\ a_{21} & \cdots & a_{2n} \\ \vdots & & \vdots \\ a_{m1} & \cdots & a_{mn} \end{pmatrix}$, $s = (s_1, s_2, \ldots, s_n)^T$
Given a matrix A, $As$: Find $s$. Easy! [Gauss 1810]
LWE assumption: Add “low-weight” noise vector e, then given A, $As + e$: Find $s$. Hard! [Regev 05]
(Generalization of Learning Parity with Noise [BFKL93])
Turn LWE into a trapdoor function: trapdoor TA & $As + e$: Find $s$. Easy! [Ajtai 99]
![Page 36: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/36.jpg)
Reusable AND filter
On input AND , output
• Function , where
Attempt 1: Publish a trapdoor for : recover , compute
Constructing Reusable Computational Filters
R-AND-filter
$\psi_{A_1}(s) = A_1^T s + e_1$, $\psi_{A_2}(s) = A_2^T s + e_2$
![Page 37: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/37.jpg)
• Function , where
Attempt 2: Exploit Linearity! Publish “short” such that
On input AND , output
R-AND-filter
$\psi_{A_1}(s) = A_1^T s + e_1$, $\psi_{A_2}(s) = A_2^T s + e_2$
[GPV08, CHKP10] [ABB10]
Correctness:
Constructing Reusable Computational Filters
Error grows
$R_1$, $R_2$
Reusable AND filter
![Page 38: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/38.jpg)
• Function , where
Attempt 2: Exploit Linearity! Publish “short” such that
see paper…
On input AND , output
[GPV08, CHKP10] [ABB10]
Security:
Constructing Reusable Computational Filters
Non-monotone circuits: define reusable NAND filter similarly
R-AND-filter
$\psi_{A_1}(s) = A_1^T s + e_1$, $\psi_{A_2}(s) = A_2^T s + e_2$
$R_1$, $R_2$
Reusable AND filter
![Page 39: Vinod Vaikuntanathan -- {U of Toronto} Hoeteck Wee -- {George Washington U}](https://reader036.fdocuments.net/reader036/viewer/2022062323/568163ac550346895dd4c068/html5/thumbnails/39.jpg)
strings L: single-use
functions : many-use
One time comp. filters [Yao 86]
Reusable computational filters [This Work]
LWE function $\psi_A(s) = A^T s + e$
ABE for all circuits
Applications: Input Secrecy, Functional Enc, Obfuscation…
[Timeline: 1980, 1990, 2000, Now!]
≈