《F01_01_Consensus-from-Signatures-of-Work【密码学2020】》由会员分享,可在线阅读,更多相关《F01_01_Consensus-from-Signatures-of-Work【密码学2020】(12页珍藏版)》请在金锄头文库上搜索。
1、#RSAC SESSION ID: #RSAC SESSION ID: Xuan Thanh Do 1,2, Duong Hieu Phan 2, David Pointcheval 3 Traceable Inner Product Funconal Encrypon CRYP-F01 1 Vietnam Na1onal University, Vietnam 2 XLIM, University of Limoges, France 3 Ecole normale suprieure / PSL, Paris, France #RSAC Funconal Encrypon SW05,BSW
2、11 ?2 fskf =fDecryptskf, Exemplesoffunctionf Averagevalue Statisticalvalue #RSAC Funconal Encrypon in Mul-user seNng ?3 =fDecryptskf, Problemwiththesamekey: UntraceablePirateDecoder Personalfunctionalkey Remark: When ClassicalTraitorTracing f(x) = x #RSAC Traceable Funconal Encrypon ?4 Traceability:
3、 From a pirate decoder for a func1on ? , fi nd out a traitor. f #RSAC Traceable IPFE ?5 Functional encryption for general circuit: based on iO Efficient Construction for inner product functions (IPFE) ABCP15 For a vector ?, user is given a key ? For a vector ?: This work: Efficient construction for
4、Traceable IPFE Tools: Combining ElGamal-based IPFE and Traitor Tracing x = (x1,xk) skx y = (y1,yk) Decrypt(skx,Encrypt( y ) = = k i=1xiyi #RSAC ElGamal Encrypon ?6 y=g g Setup: of order Secret key: Public key: Ciphertext: , where Decryption: Compute and recover G = q g,y = g (gr,yrm)r q (gr)= yrm q
5、#RSAC Elgamal Encryp Mul-user (Boneh-Franklin 01) ?7 y=g g Public key: User key: a representation of in the basis : Ciphertext: , where Decryption: Each user can compute from and recover (y,h1,hk) Gk+1 (1,k)y(h1,hk) (yrm,hr 1,h r k) r q yr(hr 1,h r k) m y = h 1 1 h k k #RSAC Elgamal Encryp IPFE ABCP
6、 15 ?8 Master secret key Public key: User key for vector : , where Decryption: remove ElGamal s mask , thus: MSK = s = (s1,sk) pk = (h1= gs1,hk= gsk) Gk x = (x1,xk) skx= = k i=1sixi Enc(pk, y = (y1,yk) = (gr,hr 1g y 1 ,hr k g y k )r q (gr) = k i=1(g r i )si)xi= k i=1(h r i )xi (hr 1g y1)x1 (hr kg y
7、k) xk (gr)skx = (hr 1)x1 (hr k)xk (gr)(s1x1+skxk) g = g Problem: one key for each function! Idea: randomized keys for computing ?(gr) #RSAC ?9 Public key: User is associated to a public codeword : for vector , users secret key . is a representation of in the basis , where Decryption: remove from wit
8、h pk = (b1= gt1,bk= gtk,h1= gs1,hk= gsk) G2k = (1,k) x = (x1,xk) tk x , = s, x / t, (tk x ,i) k i=1 g (b1,bk) Enc(pk, y = (y1,yk) = (br 1,b r k,h r 1g y 1 ,hr k g y k )r q gr br 1,b r k (tk x ,i) k i=1 g b1b2b3b3bk Our technique: Adding BF tracing to IPFE #RSAC ?10 The use of pairings When the secre
9、t keys are scalars: from one can compute Corrupting keys then break the master secret key Solution: put in the exponent decryption will then be performed in the target group of the pairing. tk x 1,1 = s, x 1 t, 1 andtk x 2,1 = s, x 2 t, 1 andtk x 1,2 = s, x 1 t, 2 . tk x 2,2 = tk x 2,1 tk x 1,2 tk x
10、 1,1 2k t x , sk x , = gtk x , #RSAC Security ?11 Confidentiality: selective security under the BDDH assumption Tracing: Black-box confirmation from the linear tracing technique , , for a fixed vector := tk1,tkt t k x = (x1,xk) i= (H a 1G y1,Ha k Gyk,g z1 1 ,g zk 1) a q, z k q, z,tkj j = a s, x ,j i
11、 i) Without the key ?: ? and ? are indistinguishable ii) ? is indistinguishable from Random iii) ? is indistinguishable from Normal ciphertexts that the Pirate can decrypt There exists ? : gap in probability of decrypting ? and ? ? is a traitor. tkiii1 0 t iii1 i #RSAC Conclusion ?12 Open technical problems: Stronger security (with more general security, adaptive security, unbounded collusion) More general functions (e.g., quadratic function). Perspectives: Decentralized setting: Multi-client setting for traceable IPFE Integrating revocation.