Optimal Broadcast Encryption from Pairings and LWE - AIST

Optimal Broadcast Encryption from Pairings and LWE

@Simons Institute

Shweta Agrawal (IITM) Shota Yamada (AIST)

Based on the work that will appear at EUROCRYPT 2020

https://eprint.iacr.org/2020/228

1

Our Results in Short

• Construct the optimal broadcast encryption (BE) from LWE and pairings.

– Optimal parameter size:|mpk|, |ct|, |sk| = poly( log N, λ) = poly(λ) where N = # of users in the system

– The first construction without MLM or iO

– Proven secure under LWE in the bilinear generic group model (GGM)

• More generally, we construct CP-ABE with special efficiency properties that implies optimal BE

2

Broadcast Encryption

All users in the system ( # of users = N )

Collusion resistance

3

Broadcast Encryption

All users in the system ( # of users = N )

Collusion resistance

Trivial solution:Prepare public key for each user by PKE.

Encrypt the message by each PK.O(N) ciphertext!

⇒Shorter ciphertext possible?

4

Previous Work on Broadcast Encryption

5

|𝐦𝐩𝐤| |𝐜𝐭| |𝐬𝐤| Ingredient(s)

Trivial 𝑂(𝑁) 𝑂(𝑁) 𝑂(1) Plain PKE

[BGW05] 𝑂(𝑁) 𝑂(1) 𝑂(1) Bilinear map

[BGW05] 𝑂(√𝑁) 𝑂(√𝑁) 𝑂(1) Bilinear map

[BZW14] 𝑂(1) 𝑂(1) 𝑂(1) log N-linear map

Ours 𝑂(1) 𝑂(1) 𝑂(1) Bilinear map & LWE

• We ignore poly(𝜆) factors. In particular, poly(log𝑁) factor is ignored.• We discount earlier constructions that do not provide full collusion

resistance and short ciphertext in the table.

Master secret key (msk)

sk𝑌

Decryption

If 𝑅 𝑋, 𝑌 = 1Can retrieve 𝑚𝑠𝑔

Master public key (mpk)

ct𝑋 for message 𝑚𝑠𝑔

Attribute-Based Encryption (ABE)

If 𝑅 𝑋, 𝑌 = 0

Decryption not possible

CP-ABE for (NC1) circuits: X = (NC1) circuit, Y= string KP-ABE for (NC1) circuits: X = string, Y = (NC1) circuit

6

• SK attribute = 𝑗 ∈ 𝑁 where 𝑗 = user index

• CT attribute = 𝐹𝑆 ⋅ where 𝑆 ⊆ 𝑁 , recipients

BE as CP-ABE for NC1 Circuit (1)

𝐹𝑆 𝑗 =1 if 𝑗 ∈ 𝑆

0 if 𝑗 ∉ 𝑆

𝑗 ∈ 0,1 log 𝑁

0/1

𝑗 = 𝑠2?

𝑗 = 𝑠|𝑆|?

𝑗 = 𝑠1?

…

𝑆 = 𝑠1, 𝑠2, … , 𝑠|𝑆|

7

BE as CP-ABE for NC1 Circuit (2)

• Short input (≈ 𝑂(log 𝑁))• Shallow depth (≈ 𝑂(log 𝑁))• But, wide width (≈ 𝑂(𝑁))

CP-ABE with width-independent compact parameters is enough for optimal BE!

𝑗 ∈ 0,1 log 𝑁

0/1

𝑗 = 𝑠2?

𝑗 = 𝑠|𝑆|?

𝑗 = 𝑠1?

…

𝐹𝑆 has

8

Starting Point: BGG+• Every existing CP-ABE scheme does not satisfy width-

independent efficiency.

• BGG+ does satisfy width-independent efficiency, but it is KP-ABE.

Convert BGG+ KP-ABE into CP-ABE!(while keeping the efficiency)

mpk = poly(𝜆, ℓ, 𝑑)

ct𝒙 = poly(𝜆, ℓ, 𝑑)

sk𝑭 = poly(𝜆, 𝑑)

Circuit

Input length = ℓ

Depth = 𝑑 F

Width = 𝑤

9

Simple Ideas that Don’t Work

We want to convert BGG+ into a CP-ABE.• Simply swapping CT and SK?

Secret key can be generated publicly. Secret key will be associated with message.

• Using universal circuit? 𝐹 ⇒ Description of 𝐹,𝑥 ⇒ 𝑈𝑥 ⋅ , where 𝑈𝑥 𝐹 = 𝐹(𝑥)then use BGG+

The input length is 𝐹BGG+ parameters depend

on the input length 10

Decomposability of BGG+

⋯

⋯

Decomposability:BGG+. Enc(𝑥,𝑚𝑠𝑔) can be divided into the following 2 steps:

1. First generate encodings

𝐜1,0

𝐜1,1

𝐜𝑖,0

𝐜𝑖,1

⋯

⋯

𝐜ℓ,0

𝐜ℓ,1 Where ℓ = length of 𝑥

2. To generate a ciphertext for attribute 𝑥 ∈ 0,1 ℓ, output

BGG+. ct𝑥 = 𝐜𝑖,𝑥𝑖 𝑖∈ ℓ

Can be generated without knowing 𝑥

Using BGG+. sk𝐹 with 𝐹 𝑥 = 1, one can

retrieve msg11

First Attempt: Combining [SS10] and [BGG+14]

𝑃𝐾1,0mpk = ⋯ ⋯

𝑃𝐾1,1

⋯ ⋯BGG+. sk𝐹

BGG+.mpkct𝐹 =

Encryption for 𝑭 :

m𝑠k = corresponding secret keys 𝑆𝐾𝑖,𝑏 𝑖,𝑏

𝑃𝐾𝑖,0

𝑃𝐾𝑖,1

𝑃𝐾ℓ,0

𝑃𝐾ℓ,1

𝐜1,0𝐜1,1

𝐜𝑖,0𝐜𝑖,1

𝐜ℓ,0𝐜ℓ,1

Generate BGG+.mpk, BGG+.msk , BGG+. sk𝐹 , and

12

First Attempt: Combining [SS10] and [BGG+14]

𝑃𝐾1,0mpk = ⋯ ⋯

𝑃𝐾1,1

⋯ ⋯

Generate BGG+.mpk, BGG+.msk , BGG+. sk𝐹 , and

BGG+. sk𝐹

BGG+.mpkct𝐹 =

Enc𝑃𝐾1,0(𝐜1,0)

Enc𝑃𝐾1,1(𝐜1,1)

sk𝑥 = S𝐾1,𝑥1 ⋯ ⋯

Enc𝑃𝐾𝑖,0(𝐜𝑖,0)

Enc𝑃𝐾𝑖,1(𝐜𝑖,1)

Enc𝑃𝐾ℓ,0(𝐜ℓ,0)

Enc𝑃𝐾ℓ,1(𝐜ℓ,1)

Decryption:

Recover BGG+. ct𝑥 = 𝐜𝑖,𝑥𝑖 𝑖∈ ℓand use BGG+. sk𝐹 to retrieve msg

S𝐾𝑖,𝑥𝑖 S𝐾ℓ,𝑥ℓ

KeyGen for 𝒙 :

Encryption for 𝑭 :

m𝑠k = corresponding secret keys 𝑆𝐾𝑖,𝑏 𝑖,𝑏

𝑃𝐾𝑖,0

𝑃𝐾𝑖,1

𝑃𝐾ℓ,0

𝑃𝐾ℓ,1

13

Checking the Efficiency of the Scheme

Circuit

Input length = ℓ

Depth = 𝑑

sk𝑥 =

mpk = ℓ ⋅ poly 𝜆 = poly(𝜆, ℓ)

ct𝐹= ℓ ⋅ poly 𝜆, 𝑑 + poly 𝜆, ℓ, 𝑑= poly(𝜆, ℓ, 𝑑)

sk𝑥 = ℓ ⋅ poly 𝜆, 𝑑 = poly(𝜆, ℓ, 𝑑)

Width = 𝑤

⋯

ct𝐹 =BGG+. sk𝐹

BGG+.mpk⋯

mpk =

ℓ

⋯

Circuit class supported

We want width independentefficiency.

Width independent compact parameters?

14

ct𝐹= ℓ ⋅ poly 𝜆, 𝑑 + poly 𝜆, ℓ, 𝑑= poly(𝜆, ℓ, 𝑑)


Circuit

Input length = ℓ

Depth = 𝑑

mpk =

ℓ


BGG+.mpk⋯

sk𝑥 =

mpk = ℓ ⋅ poly 𝜆 = poly(𝜆, ℓ)


Width = 𝑤

⋯

⋯




How about the security?Collusion of only 2 users breaks the secrurity:

E.g., 00000000 and 11111111

15

Our Approach for Adding Collusion Resistance (1)

• Our Idea:To prevent collusion using the power of pairing groups.

Pairings. 𝑒: 𝔾1 × 𝔾2 → 𝔾𝑇

(𝑔1𝑎 , 𝑔2

𝑏) ↦ 𝑒 𝑔1𝑎 , 𝑔2

𝑏 = 𝑒 𝑔1, 𝑔2𝑎𝑏

𝑔1𝑎 ↔ 𝑎 1

𝑔2𝑏 ↔ 𝑏 2

𝑔𝑇𝑐 ↔ 𝑐 𝑇

Bracket Notation.

16

Our Approach for Adding Collusion Resistance (2)

• In our first attempt, decryptor recovers {𝐜𝑖,𝑥𝑖} in the clear.

• Instead, what if the decryptor learns them only on the exponent?

𝐜𝑖,𝑥𝑖 𝑇 𝑖

• Collusion of two users still can obtain

𝐜𝑖,𝑏 𝑇 𝑖,𝑏and break the scheme.

17

• The problem is that the adversary can combine the partial decryption results by two different users.

• To prevent this, change the scheme so that decryptorrecovers

Adding Collusion Resistance

User specific randomness

𝜹𝐜𝑖,𝑥𝑖 𝑇 𝑖

18

• The problem is that the adversary can combine the partial decryption results by two different users.

• To prevent this, change the scheme so that decryptorrecovers

𝜹 𝒌 𝐜𝑖,𝑥𝑖

𝑘

𝑇 𝑖

Adding Collusion Resistance

No meaningful way to combine them!

𝜹 𝒋 𝐜𝑖,𝑥𝑖

𝑗

𝑇 𝑖

𝑗, 𝑘: index for different users

19

Challenge 1:BGG+ ciphertext is on the exponent and even randomized. Is decryption still possible on DL-hard group?

Challenge 2: If a decryptor (adverasary) only learns

𝛿 𝑗 𝒄𝑖,𝑥𝑖 𝑇 𝑖,𝑗,

the construction may indeed be secure.How do we make sure that the adversary does not obtain any other information?

Two Challenges with the Approach

20

• Decryption algorithm of BGG+ – From mpk, 𝑥, sk𝐹 , one can compute a linear function 𝐿𝐹

such that

𝐿𝐹 𝐜𝑖,𝑥𝑖 𝑖∈ ℓ= 𝑚

𝑞

2+ 𝑛𝑜𝑖𝑠𝑒

On the exponent:

𝐿𝐹 [𝛿𝐜𝑖,𝑥𝑖]𝑇 𝑖∈ ℓ= 𝛿 𝑚

𝑞


𝑇

– Remove the noise to retrieve message 𝑚 ∈ {0,1}

On the exponent:

𝛿 𝑚𝑞

2+ 𝑛𝑜𝑖𝑠𝑒 is exponentially large.

How do we manage this? (Next slide)

Challenge 1:Decryption on Exponent (1)

Assume that 𝑚 ∈ {0,1}

21

Challenge 1:Decryption on Exponent (2)

• Let decryptor learn

𝛿 𝑚𝑞


𝑇and 𝛿 𝑇

• If 𝑛𝑜𝑖𝑠𝑒 is polynomially small, one can learn 𝑚 by brute force search:

– Check all possible 𝑚 ∈ 0,1 , 𝑛𝑜𝑖𝑠𝑒 ∈ [−poly, poly]

• How do we have polynomially small noise?

– Use the careful evaluation algorithm of [BV15,GV15]

– Limits the circuit class to be NC1, but suffices for BE (Recall that our circuit is very small except for the width)

22

Challenge 2:Avoid Leaking Additional information (1)

• We want to let decryptor learn

𝑖∈ ℓ ,but nothing else.

• This allows us to prove the security while keeping the correctness.

• How do we realize that?

𝛿𝐜𝑖,𝑥𝑖 𝑇𝛿 𝑇

23


𝛿 2

𝐜1,0 1⋯

𝐜1,1 1

𝐜𝑖,0 1

𝐜𝑖,1 1

𝐜ℓ,0 1

𝐜ℓ,1 1

⋯ct𝐹 =

sk𝑥 =

How do we set CT and SK? (Naïve Idea)

BGG+. sk𝐹

BGG+.mpk

Lesson learned from failure: The secret keys should be tied to 𝑥!

𝛿 𝑇

⇒ Can recover 𝛿𝐜𝑖,𝑥𝑖 𝑇 𝑖∈ ℓ, 𝛿 𝑇 .

⇒But can recover 𝛿𝐜𝑖,𝑏 𝑇 𝑖∈ ℓ ,𝑏∈{0,1}for all 𝑖 ∈ ℓ , 𝑏 ∈ {0,1} as well.

24

𝑤1,0 1mpk =

𝑤1,1 1

𝑤𝑖,0 1

𝑤𝑖,1 1

𝑤ℓ,0 1

𝑤ℓ,1 1

⋯ ⋯

ct𝐹 =𝑤1,0𝐜1,0 1

⋯𝑤1,1𝐜1,1 1

𝑤𝑖,0𝐜𝑖,0 1


𝑤ℓ,0𝐜ℓ,0 1


⋯ Other terms

Idea: Introduce position-wise randomness so that pairing productbetween only matching positions yields useful terms

sk𝑥 = 𝛿/𝑤1,𝑥1 2𝛿/𝑤ℓ,𝑥ℓ 2

𝛿/𝑤𝑖,𝑥𝑖 2⋯ ⋯ 𝛿 𝑇

Can recover = 𝑒( , )𝑤𝑖,𝑥𝑖𝐜𝑖,𝑥𝑖 1𝛿/𝑤𝑖,𝑥𝑖 2

𝛿𝐜𝑖,𝑥𝑖 𝑇


25

𝑒 𝑤𝑖,𝑏 𝐜𝑖,𝑏 1, 𝛿/𝑤𝑗,𝑏′ 2

= 𝛿𝐜𝑖,𝑏𝑤𝑖,𝑏/𝑤𝑗,𝑏′ 𝑇


How about the security? What if an adversary takes pairings of unmatching positions of components?

Due to this part, this term is “useless”.

For 𝑖, 𝑏 ≠ 𝑗, 𝑏′ ,

Security Intuition:From sk𝑥 = 𝑖∈[ℓ], one cannot obtain

no more useful information than 𝛿𝐜𝑖,𝑥𝑖 𝑇 𝑖∈[ℓ]as desired

𝛿/𝑤𝑖,𝑥𝑖 2

26

Final Scheme (1)

Encrypt(mpk, 𝐹,𝑚 ∈ {0,1})

• Run BGG+. Setup 1𝜆 → BGG+.mpk, BGG+.msk

• Run BGG+. KeyGen(BGG.msk, 𝐹) → BGG+. sk𝐹• Run first part of BGG+. Enc to obtain 𝐜𝑖,𝑏 𝑖∈ ℓ ,𝑏∈{0,1}

• Output:

ct𝐹 =𝑤1,0𝐜1,0 1

⋯BGG+. sk𝐹𝑤1,1𝐜1,1 1





⋯BGG+.mpk

Setup 1𝜆

𝑤1,0 1mpk =

𝑤1,1 1

𝑤𝑖,0 1

𝑤𝑖,1 1

𝑤ℓ,0 1

𝑤ℓ,1 1

⋯ ⋯

m𝑠k = 𝑤𝑖,𝑏 𝑖∈ ℓ ,𝑏∈{0,1}

• Generate:

ℓ =length of the input to circuits

27

Final Scheme (2)

Decrypt(mpk, sk𝑥 , ct𝐹 , 𝐹)

KeyGen msk, 𝑥

• Sample 𝛿 ← ℤ𝑝• Output

𝑤𝑖,𝑥𝑖𝐜𝑖,𝑥𝑖 1𝛿/𝑤𝑖,𝑥𝑖 2

ct𝐹 =𝑤1,0𝐜1,0 1






⋯BGG+.mpk

• Parse

sk𝑥 = 𝛿/𝑤1,𝑥1 2𝛿/𝑤ℓ,𝑥ℓ 2

𝛿/𝑤𝑖,𝑥𝑖 2⋯ ⋯𝛿 𝑇

• Recover 𝛿𝐜𝑖,𝑥𝑖 𝑇= 𝑒( , ) for all 𝑖 ∈ ℓ

• Compute the linear function 𝐿𝐹 fromBGG+.mpk , BGG+. sk𝐹.

• Compute 𝐿𝐹 𝛿𝐜𝑖,𝑥𝑖 𝑇 𝑖∈ ℓ= 𝛿 𝑚

𝑞


𝑇

• Recover 𝑚 ∈ 0,1 by bruteforce over 𝑚 ∈ {0,1} and 𝑛𝑜𝑖𝑠𝑒 ∈ [−poly, poly]28


Circuit

Input length = ℓ

Depth = 𝑑

mpk =

ℓ


BGG+.mpk⋯

sk𝑥 =

mpk = ℓ ⋅ poly 𝜆, 𝑑 = poly(𝜆, ℓ, 𝑑)

ct𝐹 = ℓ ⋅ poly 𝜆, 𝑑 + poly 𝜆, 𝑑= poly(𝜆, ℓ, 𝑑)


Width = 𝑤

⋯

⋯




29

Bilinear Generic Group Model• The security is proven in the bilinear generic group model

(GGM).

• Intuition on bilinear GGM:

– The only thing an adversary can do with group elements is to take pairings, then take linear combinations, and see if it equals to zero. If it doesn’t equal to zero, the adversary learns nothing about the encoded value.

30

𝑒 , =

𝑒 , =

𝑒 , =

𝑎 𝑏 𝑐= 0?

ct𝐹 =𝑤1,0𝐜1,0 1






⋯BGG+.mpk

What can the adversary do? To take pairings between above components to obtain:

sk𝑥(𝑗) =𝛿(𝑗)/𝑤

1,𝑥1(𝑗)

2⋯ ⋯𝛿(𝑗)/𝑤

𝑖,𝑥𝑖(𝑗)

2

𝛿(𝑗)/𝑤ℓ,𝑥ℓ

(𝑗)

2𝛿(𝑗)

𝑇

where 𝑗 ∈ 𝑄 , 𝑄 = # of key queries, 𝐹 𝑥 𝑗 = 0

(𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′)𝐜𝑖,𝑏 𝑇𝛿 𝑗 𝐜

𝑖,𝑥𝑖(𝑗)

𝑇where 𝑖, 𝑏 ≠ 𝑖′, 𝑏′

and take linear combination among the terms.

What can the adversary see? The challenge ciphertext

The secret keys

Security Proof (1)

31

Claim 1If the adversary put a term from (A) into the linear combination, the result is not 0 with overwhelming probability.

(Proof intuition) The term 𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′ appears only when pairing

𝛿(𝑗)/𝑤𝑖′,𝑏′ 2𝑤𝑖,1𝐜𝑖,1 1

and

Other terms are multiplied by 𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′ with different 𝑗, 𝑖, 𝑖′, 𝑏, 𝑏′ .

Different monomials cannot cancel each other by linear combination.

What can the adversary do? To take linear combination among the following terms


𝑖,𝑥𝑖(𝑗)

𝑇𝑗, 𝑖, 𝑏 ≠ 𝑖′, 𝑏′(A)= (B)=

given BGG+. sk𝐹, BGG+.mpk

Security Proof (2)

32

𝑖, 𝑗

Security Proof (3)

Claim 2

If the adversary puts terms from (B) with different 𝛿(𝑗) into the linear combination, the result is not 0 with overwhelming probability.

(Proof intuition) Different monomials cannot cancel each other by linear combination.

Recall that 𝛿(𝑗) is user specific randomness.➢ Collusion of different users is not useful.➢ We can focus on single-key setting.



33


𝑖,𝑥𝑖(𝑗)

𝑇𝑗, 𝑖, 𝑏 ≠ 𝑖′, 𝑏′(A)= (B)=

𝑖, 𝑗

Security Proof (4)What can the adversary do? To take linear combination among the following terms


( BGG+. sk𝐹, BGG+.mpk, 𝐜𝑖,𝑥𝑖 𝑖)

≈𝑐 ( BGG+. sk𝐹, BGG+.mpk, random )

From single key and single ciphertext security of BGG+:

= BGG+. ct𝑥

34


𝑖,𝑥𝑖(𝑗)

𝑇𝑗, 𝑖, 𝑏 ≠ 𝑖′, 𝑏′(A)= (B)=

𝑖, 𝑗

( BGG+. sk𝐹, BGG+.mpk, 𝑖 )

≈𝑐 ( BGG+. sk𝐹, BGG+.mpk, )

Security Proof (4)

From single key and single ciphertext security of BGG+:

No information on message revealed!



𝛿𝐜𝑖,𝑥𝑖 𝑇

random 𝑇

35


𝑖,𝑥𝑖(𝑗)

𝑇𝑗, 𝑖, 𝑏 ≠ 𝑖′, 𝑏′(A)= (B)=

𝑖, 𝑗

Comparison with [Brakerski-Vaikuntanathan’20]

• Both construct CP-ABE with special efficiency and then optimal BE.

• How to add collusion resistance?

– Ours: Introducing pairings

– BV20: Introducing novel variant of IBE/ABE from lattices

• Security&Functionality

– Ours: Provably secure in GGM Broken by quantum attackers, Only for NC1

– BV20: Without security proof (Maybe) Quantumly secure, For all circuits

36

Summary

• We construct CP-ABE for NC1 circuits with width independent compact parameter from lattices in blinear GGM.

• This implies the first optimal BE w.o. MLM/iO.

• In the paper, we show that the CP-ABE implies IBBE with similar efficiency property.

37

Open Problems

• Optimal BE from standard assumptions(hopefully from DLIN + LWE)

– More ambitious goal is BE solely from LWE.

• CP-ABE with width independent compact parameters for all circuits (with security proof).

• Application of our technique for other problems.

38

Optimal Broadcast Encryption from Pairings and LWE - AIST

Documents

Transcript of Optimal Broadcast Encryption from Pairings and LWE - AIST