Registered Attribute-Based Encryption
Susan Hohenberger George Lu Brent Waters David Wu
Public Key Encryption
pk
sk
ct
Attribute Based Encryption [SW05, GPSW06]
pk
skfaculty + CS
skfaculty + math
skstudent + CS
ctCS AND faculty
Key Exfiltration Problem
pk
skfaculty + CS
skfaculty + math
skstudent + CS
msk
Registration Based Encryption [GHMR18]
mpk’’
mpk
mpk'
pk1
pk2
pk3
sk1
sk2
sk3
id1
id3
id2
ctid1
No Master Secret!
“Trivial” RBE
mpk’’
mpk
mpk'
pk1
pk2
pk3
sk1
sk2
sk3
id1
id3
id2
ctid1
mpk independent of number of users!
Central Authority vs Key Curator
Registered Attribute Based Encryption
mpk
faculty + CS
faculty + math
student + CS
ctCS AND faculty
Results
Improvement from Prior Work
[GHMR18, GHM+19, GV20, CES21]
Construction 1
Limitations
Construction 1
[GHMR18, GHM+19, GV20, CES21]
Background
Slotted Aggregation
mpk’’
mpk
mpk'
mpk
| | |
| | |
Slotted Aggregation
mpk
|
| |
| | | |
…
|
|
|
| |
Roadmap
Attribute Based Encryption
1-User Registered ABE
Semihonest L-User Registered ABE
Malicious L-User Registered ABE
ABE in Bilinear Groups [GPSW06,LOS+10]
Encryption:
Ciphertext:
e(g,g)αs
e(g,h)ts
e(g,Uρ(x))ts
gαht
gt
Uwt : w ∈ S
μ⋅ e(g,g)αs
gs
hsxUwxs
h
e(g,g)α
Uw = guw : w ∈ U
Decryption:
g
Conjunction Policies ∧ wx : x ∈ [N]
*Replace additive secret sharing with linear secret sharing to support monotone Boolean formula
e(g,h)ts
ABE in Bilinear Groups [GPSW06,LOS+10]
Encryption:
Ciphertext:
e(g,g)αs
e(g,h)ts
e(g,Uρ(x))ts
gαht
gt
Uwt : w ∈ S
μ⋅ e(g,g)αs
gs
hsxUwxs
h
e(g,g)α
Uw = guw : w ∈ U
Decryption:
g
Conjunction Policies ∧ wx : x ∈ [N]
*Replace additive secret sharing with linear secret sharing to support monotone Boolean formula
e(g,h)ts
gs
e(g,Uρ(x))ts
ABE in Bilinear Groups [GPSW06,LOS+10]
Encryption:
pk
Ciphertext:
e(g,g)αs
gαht
gt
Uwt : w ∈ S
μ⋅ e(g,g)αs
gs
hsxUwxs
gs
h
e(g,g)α
Uw = guw : w ∈ U
Decryption:
sk
g
Conjunction Policies ∧ wx : x ∈ [N]
*Replace additive secret sharing with linear secret sharing to support monotone Boolean formula
1-User Registered ABE
sk
skfaculty + math
msk
pk
pk
hsk
crs
faculty +
math
mpk
ctfaculty OR CS
ctfaculty AND CS
1-User Registered ABE
Uwt =1
guw : w ∈ U
ABE.pk
Uw = guw
Uw = 1
R = gr
mpk
R = gr
w1 ∧ w2 ∧ w3 ∧ …
∧ R
Extending to L-User (Key Aggregation)
pki = ({Ui,w },Ri )
Compact
Deterministic
Cross-Term Cancellation
e( , )
e( , ) =
|
|
|
e(g,R2 )vt
R2 t
User 2
gv
e(g,R1 )vt
e(g,R3 )vt
gt
gt3
gt1
R1 t2
R3 t2
2
2
e( , )
·
2
2
2
Conceptually similar to techniques used for constructing vector commitments [CF11] or batch arguments [WW22]
Rt = g rt= (gt)r
Cross Term Cancellation
R3 t2 = g r3t2= (gt2)r3
U3,w t2 = g u3,w t2
crs
Key Validation
Ri =
mpk
???
gri
mpk'
Qi = Piri
crs
Pi
Key Validation
Ti =
mpk
???
gri
mpk'
Registered ABE Security
mpk
faculty + CS
faculty + math
student + CS
ctCS AND faculty
|
|
|
m0, m1
mb
crs
Security Proof
|
|
|
“Normal” Slot
“Semi-Functional” Slot
“Semi-Functional” Ciphertext
“Normal” Ciphertext
Security Proof
|
|
|
|
|
|
|
|
|
|
|
|
??
Security Proof
ctCS AND faculty
faculty + CS
student + CS
Conclusion
Upcoming Work
Ui tj = g ui tj : i ≠ j ∈ [n]
Uk tk = g uk tk : k ∈ [n]
ui ,ti = a di
= g adi+dj
= g a2dk
di + dj ≠ 2dk
O(n1+o(1))
Thank you!
Read our paper on eprint 2022/1500