Cryptanalysis of Boyen's Attribute-Based Encryption Scheme

Cryptanalysis of Boyen's Attribute-Based Encryption Scheme

Cryptanalysis of Boyen’s Attribute-Based Encryption Scheme in TCC 2013 Shweta Agrawal1, Rajarshi Biswas1, Ryo Nishimaki2, Keita Xagawa2, Xiang Xie3, and Shota Yamada4 1 IIT Madras, Chennai, India [email protected], [email protected] 2 NTT Secure Platform Laboratories, Tokyo, Japan [ryo.nishimaki.zk,keita.xagawa.zv]@hco.ntt.co.jp 3 Shanghai Key Laboratory of Privacy-Preserving Computation, China [email protected] 4 National Institute of Advanced Industrial Science and Technology (AIST), Tokyo [email protected] Abstract. In TCC 2013, Boyen suggested the first lattice based con- struction of attribute based encryption (ABE) for the circuit class NC1. Unfortunately, soon after, a flaw was found in the security proof of the scheme. However, it remained unclear whether the scheme is actually insecure, and if so, whether it can be repaired. Meanwhile, the construc- tion has been heavily cited and continues to be extensively studied due to its technical novelty. In particular, this is the first lattice based ABE which uses linear secret sharing schemes (LSSS) as a crucial tool to en- force access control. In this work, we show that the scheme is in fact insecure. To do so, we provide a polynomial-time attack that completely breaks the security of the scheme. We suggest a route to fix the security of the scheme, via the notion of admissible linear secret sharing schemes (LSSS) and instantiate these for the class of DNFs. Subsequent to our work, Datta, Komargodski and Waters (Eurocrypt 2021) provided a construction of admissible LSSS for NC1 and resurrected Boyen’s claimed result. 1 Introduction The long-standing problem of Attribute-Based Encryption (ABE) from Learning with Errors (LWE) was finally resolved in 2013 by two independent works: Gor- bunov, Vaikuntanathan and Wee [GVW13] provided an ABE for P, and Boyen + provided an ABE for NC1 [Boy13a]. Subsequently, Boneh et al. [BGG 14] also provided an ABE for arithmetic (rather than Boolean) circuits. These works marked important progress in the area of lattice based cryptography and have had many follow-ups and much impact. Moreover, the techniques used by these works are very different and have led to generalizations in diverse directions. Here, the construction of Boyen [Boy13a] was particularly unlike the others since it used linear secret sharing schemes (LSSS) as a crucial tool. While using LSSS in pairing-based ABE constructions is common [GPSW06, LOS+10, LW11b], this was the only lattice based ABE to leverage this tool until the very recent work of Datta, Komargodski and Waters [DKW21]. To this day, there are several outstanding open problems in lattice-based ABE that have solutions in the pairings world – notable examples are ciphertext policy ABE [BSW07, Wat11], adaptive security [LOS+10, OT10, LW12]. Since pairing-based solutions to these problems make crucial use of the tool of LSSS, there have been multiple attempts to generalize the construction by Boyen to resolve these problems. In this work, we show that Boyen’s ABE construction is insecure, if the scheme is instantiated by the linear secret sharing scheme specified in the paper. We provide a polynomial-time attack that completely breaks the security of the scheme. We examine possible directions to repair the scheme and discuss the technical challenges in instantiating these for circuit class NC1. Subsequent to our work, the very recent work of Datta, Komargodski and Waters [DKW21] instantiated this approach for NC1 and resurrected Boyen’s claimed result. Since our attack is quite simple, we provide the formal description directly. We refer the reader to Section2 for some preliminary definitions, to Section3 for a recap of Boyen’s scheme, to Section4 for a formal description of our attack, and Section5 for a discussion of possible approaches to fix the construction. 2 Preliminaries Notation: Let λ 2 N+ be the security parameter. For a positive integer n, [n] denotes f1; 2; : : : ; ng. A non negative function negl(λ) is negligible if for every polynomial p(λ), it holds that negl(λ) ≤ 1=p(λ) for sufficiently large λ 2 N. We use the notation x −X$ to denote the process of choosing a value x uniformly at random from distribution X . As usual, PPT stands for probabilistic polynomial- time. Statistical distance: The statistical distance between two random variables X and Y over a finite domain D is defined as 1 X SD(X; Y ) := Pr[X = α] − Pr[Y = α] : 2 α2D Two random variables are δ-close if SD(X; Y ) ≤ δ. Two distribution ensem- bles fXλgλ2N and fYλgλ2N are statistically indistinguishable if SD(Xλ;Yλ) is negligible in λ. We say that these random variables are computationally indis- tinguishable if for every PPT algorithm A it holds that Pr [A(1λ; x) = 1] − Pr [A(1λ; y) = 1] ≤ negl(λ): x Xλ y Yλ In the following, let SampZ(γ) be a sampling algorithm for the truncated discrete Gaussian distribution overpZ with parameter γ > 0 whose support is restricted to z 2 Z such that jzj ≤ nγ. 2 2.1 Lattice Preliminaries n For a vector v 2 R , let kvk, kvk1 denote the Euclidean and sup norm, respec- tively. For two matrices A and B, [A j B] denotes their vertical concatenation and [A; B] denotes their horizontal concatenation . m For any (ordered) set S = fs1; ··· ; skg ⊂ R of linearly independent vec- tors, let S~ = f~s1; ··· ; ~skg denote its Gram-Schmidt orthogonalization, defined iteratively as follows: ~s1 = s1, and for each i = 2; ··· ; k, the vector ~si is the component of si orthogonal to Span(s1;:::; si−1). A lattice L of Rn is a discrete subgroup of Rn. We will only consider full-rank integer lattices, i.e., L spans Rn with real coefficients and L ⊆ Zn. A basis of L is an ordered set B = (B1; :::; Bn) such that n n Pn o L = L(B) = B · Z = i=1 ci · Bi : ci 2 Z . By convention, Bi are column vectors and B · k = k1B1 + ··· + knBn, where k is a column vector. 2.2 Lattice Trapdoors We list all known results about lattice trapdoors in the following lemma. Lemma 2.1. Let n; m; q > 0 be integers with q prime. There exists polynomial time algorithms with the properties below: n m TrapGen(1 ; 1 ; q) ! (A; TA) [Ajt99, AP11, MP12]: A randomized algorithm n×m that outputs (A; TA) where A 2 Zq for some m = O(n log q), the distri- −n p bution of A is 2 close to uniform, and kT~ Ak ≤ τ0 = O( n log q). ExtBasis(A; TA; B) ! T[AjB] [CHKP12]: A deterministic algorithm that given n×m n×m¯ ? full-rank matrices A 2 Zq and B 2 Zq and a basis TA of Λq (A), ? ~ ~ outputs a basis T[AjB] of Λq ([A j B]) such that kTAk = kT[AjB]k. RndBasis(T; τ) ! S [CHKP12]: A randomizedp algorithm that given a basis m×m ~ T 2 Z and parameter τ ≥ kTpk · !( log n), outputs a new basis S such that L(T) = L(S) and kS~k ≤ τ · m. SamplePre(A, TA, U, σ) ! R [GPV08]: A randomized algorithm that given A 2 n×m, and a basis T 2 m×m of Λ?(A), U 2 n×k, and σ = Zq p A Z q Zq kT~ Ak · !( log n), outputs a random sample R whose row’s distributions are ? statistically close to Dσ(Λq (A)) conditioned on A · R ≡ U (mod q). 2.3 Key-Policy Attribute-Based Encryption Definition 2.1. A key-policy attribute-based encryption scheme kpABE for a class of policies F = fFλgλ2N where Fλ = ff : Xλ ! f0; 1gg is a tuple (Setup; Extract; Encrypt; Decrypt) of PPT algorithms with the following properties: Setup(1λ;U) ! (Pub; Msk): The setup algorithm takes the security parameter λ and the description of attribute universe U as input and outputs the public parameters Pub and a master secret key Msk. 3 Extract(Pub; Msk; Policy) ! KeyPolicy: The key-generation algorithm takes the pub- lic parameters Pub, the master secret key Msk, and an access policy Policy 2 Fλ as input. It outputs a private key KeyPolicy. Encrypt(Pub; Attrib; Msg) ! CtxAttrib: The encryption algorithm takes as input the public parameters Pub, a set of attributes Attrib 2 Xλ, and a message Msg. The algorithm outputs a ciphertext Ctxx which is an encryption of message Msg labelled with a set of attributes x. Decrypt(Pub; KeyPolicy; CtxAttrib) ! Msg=?: The decryption algorithm takes as in- put the public parameters Pub, a key KeyPolicy, a ciphertext CtxAttrib, and outputs a message Msg or a rejection symbol ?. Correctness: For correctness, we require that there exists a negligible function negl(λ) such that for all sufficiently large λ 2 N, for every policy Policy 2 Fλ, a set of attributes Attrib 2 Xλ where Attrib satisfies Policy, and message Msg, it holds that 2 λ 3 (Pub; Msk) Setup(1 ;U); 6 0 Key Extract(Pub; Msk; Policy); 7 Pr 6Msg = Msg Policy 7 ≥ 1 − negl(λ) 4 CtxAttrib Encrypt(Pub; Attrib; Msg); 5 0 Msg Decrypt(Pub; KeyPolicy; CtxAttrib) over the choice of the random coins used in the algorithms. Security model for key-policy ABE: We review a security model for key-policy ABE schemes [SW05, GPSW06]. The game-based security model allows the adversary to query policies for any private keys that cannot be used to decrypt the challenge ciphertext. The security definition guarantees that the adversary will choose to be challenged on an encryption to a set of attributes Attriby and can ask for any private key for access policy Policy such that Attriby does not satisfy Policy.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us