The disclosure relates to a decentralized multi-authority functional encryption system making use of prime-order groups for improved efficiency.
Functional encryption (FE), a generalization of public-key encryption (PKE), enables applications that involve computing on large-scale encrypted data while maintaining their privacy. Since its inception, building FE has mainly been about theoretical (and inefficient) schemes for general functions or efficient constructions for specific functions of practical interest.
Inner-product FE (IPFE) is a specific class of FE that facilitates linear computation on encrypted data. In IPFE, a ciphertext CT(x) encodes a vector x of length ℓ (say) and a secret key SKy is tied to a vector y of length ℓ. Decrypting CT(x) with SKy reveals the inner-product x • y. The linear functionality, although simple, has potential applications both in theory and practice, such as computing weighted sums of data sets, evaluating conjunctions, disjunctions, and polynomials, building trace-and-revoke systems, non-interactive hidden-weight coin-flipping protocols, deep learning and privacy-preserving machine learning.
However, IPFE suffers from an inherent limitation. A set of secret keys for ℓ linearly independent vectors {yi}i∈[ℓ] may divulge the entire x! Thus, releasing enough keys requires extra care since it may result in a direct attack on the IPFE system. A natural choice to restrict this leakage is to employ attribute-based encryption (ABE) (a subclass of FE) as an access control on IPFE. In particular, each secret key and ciphertext may now additionally be associated with the user’s attributes att and a policy P, respectively. This work focuses on ciphertext-policy ABE and not on its dual, i.e., key-policy ABE. Decryption yields x • y as before, but only when att satisfies P. With this extra layer, data may get breached only when enough keys satisfying the policy P in CT are provided.
Though ABIPFE offers more expressive functionality than normal ABE/IPFE, it possesses a drawback similar to those primitives: one single authority is responsible for generating secret keys for all the attributes in the system. Most of the existing ABIPFEs have been explored in such a single-authority setting, which is not only a disadvantage from the point of view of trust but also a limitation for several practical applications. An unavoidable phenomenon in reality is that different authorities control different attributes; for example, academic degrees are in the control of universities, job titles are handled by companies, etc.
MA-ABE composition IPFE. To address this issue, inspired by the notion of multi-authority ABE (MA-ABE) which allows different authorities to control different attributes in the system independently, prior work introduced multi-authority ABIPFE (MA-ABIPFE), which is an extension of ABIPFE in the sense of combining MA-ABE with IPFE. More precisely, a secret key of MA-ABIPFE consists of several ABIPFE secret keys generated by independent authorities which are in control of different sets of attributes. The policy associated with a ciphertext is now a function of all the attributes related to the keys, and a successful decryption occurs (i.e. the inner product is recovered) only if the set of attributes satisfies the policy. The fact that the trust is now distributed over several independent authorities enriches the application arena of MA-ABIPFE, which includes computing the average salary of a group of employees holding a specific job title and a certain set of academic degrees, statistics determining the mental health of students from different departments of a university, the average tax paid by the employees working in different sectors of a specific organization, and so on.
In spite of facilitating an enormous field of applications, the notion of MA-ABIPFE has not been explored much in the literature. In fact the only existing construction of MA-ABIPFE is due to prior work, and that too suffers from several efficiency drawbacks. The MA-ABIPFE of prior work captures policies realized by linear secret sharing schemes (LSSS) and is built in composite-order pairing groups. Its security is based on variants of subgroup decision assumptions, which are composite-order group-based assumptions related to the source groups. The MA-ABIPFE of prior work is not an exception, as it can be seen that decrypting a ciphertext requires an unacceptable time of around five days. One possible solution to address this efficiency bottleneck is to explore constructions of the primitive in prime-order pairing groups, which deliver much better performance and parameters than those designed in composite-order groups.
Another limitation of the MA-ABIPFE of prior work is that the number of attributes controlled by each authority has to be fixed during the global setup, that is, it only supports a small universe of attributes. This is clearly an essential barrier towards practical deployment of the protocol, since it may not be possible to predict or foresee the future attributes that will join the system; for example, new academic degrees might be added to a university program or new departments could be founded within a company, which results in an unknown amount of growth in the list of attributes that already exists in the system. To mitigate this issue, we need a large-universe MA-ABIPFE, similar to large-universe MA-ABE, that provides the flexibility to add an exponential number of attributes to the system at any point of time, and more importantly those attributes need not be enumerated at the system setup. Along with the small-universe constraint, the MA-ABIPFE of prior work also suffers from the so-called “one-use” restriction, meaning that the number of times a particular attribute can appear within a given policy is bounded, which negatively impacts the efficiency of the scheme.
Finally, building any cryptographic primitive under different assumptions is important from other aspects. It builds confidence in the existence of the primitive and motivates us to work further towards its use in practice. Further, instantiating a primitive only under one particular class of assumptions (e.g., MA-ABIPFE from source-group assumptions) is not desirable, since in future any kind of attack on such assumptions might threaten the security provided by that particular class of assumptions (e.g., the source-group assumptions), making the instantiation perilous.
We disclose a small-universe MA-ABIPFE scheme based on the DBDH assumption. Next, we upgrade our small-universe scheme to the first large-universe MA-ABIPFE scheme, whose security is established under the L-DBDH assumption. We justify our L-DBDH assumption in the generic bilinear group model. The MA-ABIPFEs are built in prime-order pairing groups and deliver a significant boost in efficiency in comparison with the MA-ABIPFE of prior work.
We present new decentralized multi-authority attribute-based inner-product FE (MA-ABIPFE) schemes in the prime-order bilinear groups under target-group-based assumptions. More precisely, our results are as follows:
1. We build the first small-universe MA-ABIPFE supporting access structures captured by linear secret sharing schemes (LSSS) in prime-order bilinear groups under the Decisional Bilinear Diffie-Hellman (DBDH) assumption. Compared to the prior work, the disclosed scheme excels on the following grounds:
Its security is based solely on a target-group assumption which is qualitatively weaker and simpler than the source-group based ones used by Agrawal et al. The scheme enjoys a significantly improved concrete performance since prime-order groups are known to provide smaller sizes and faster computations compared to their composite-order analogues. It also provides the first FE scheme beyond MA-ABE or IPFE under a target-group assumption.
2. We build the first large universe MA-ABIPFE scheme under any assumption. Our scheme relies on a parametrized variant of the DBDH (called the L-DBDH) assumption in prime-order bilinear groups in the random oracle model. The secret key and ciphertext sizes in the scheme are comparable to our small universe MA-ABIPFE. We justify the intractability of the L-DBDH assumption in the generic bilinear group model.
Our schemes are proven secure in the static security model adapted to the MA-ABIPFE functionality, where the adversary is asked to submit all its challenge ciphertext, secret key and authority corruption queries immediately after seeing the global public parameters.
Some embodiments of the invention include systems, methods, network devices, and machine-readable media for a multi-authority functional encryption scheme, the scheme comprising:
Further embodiments can include distributing the secret key over a communications network by only one authority. In further embodiments, each user is identified by a set of attributes and the decryption ability for each encrypted message is based on a function of the attributes. Further embodiments include distributing the secret key k over a communications network by any polynomial number of independent authorities.
The accompanying drawings, which are included to provide further understanding and are incorporated in and constitute a part of this specification, illustrate disclosed embodiments, and together with the description, serve to explain the principles of the disclosed embodiments. In the drawings:
In this work, we provide two new MA-ABIPFE constructions from bilinear maps supporting LSSS access policies in the significantly faster prime-order groups. Our schemes are secure under target-group-based computational assumptions which are known to be qualitatively weaker compared to the source-group-based ones. More precisely, the disclosed MA-ABIPFE schemes enjoy several salient features, namely, the disclosed schemes have significantly reduced communication and computation costs, a large universe of attributes can be added to the system without being enumerated at the time of setup, the one-use restriction is avoided by allowing appearance of an attribute in the policies arbitrarily many times, and the security is based on target-group-based assumptions.
Small-Universe MA-ABIPFE from DBDH: We construct a small-universe MA-ABIPFE scheme where each authority can control a single (or a bounded number of) attribute(s), but any number of authorities can join the system at any point of time. Our scheme is proven secure under the decisional bilinear Diffie-Hellman (DBDH) assumption, which is a very well-studied computational target-group-based assumption. Along the way, we also build a single-authority ABIPFE scheme under the DBDH assumption. It is worth mentioning that all previously known group-based ABIPFE schemes are secure under source-group-based computational assumptions. Note that classical ABE schemes have already been proven secure under the DBDH assumption. We emphasize that constructing MA-ABIPFE is more challenging than MA-ABE since MA-ABIPFE provides richer functionality and stronger security, as discussed earlier. In particular, we handle more powerful adversaries who are allowed to query secret keys that can decrypt the challenge ciphertext, in contrast to only non-decryptable key queries allowed in the case of MA-ABE. The key queries for a vector y and a set of attributes satisfying the challenge policy must ensure that x0 • y = x1 • y, where (x0, x1) is the pair of challenge message vectors. On another note, our MA-ABIPFE scheme exhibits the possibility of building a primitive with richer functionality than MA-ABE based on the DBDH assumption.
Large-Universe MA-ABIPFE from L-DBDH: Inspired by the large-universe MA-ABE of prior work, we construct the first MA-ABIPFE scheme that supports a large attribute universe and allows each authority to control any number of attributes. Just like the previous large-universe MA-ABE scheme of prior work, we prove the security of our scheme under a parameterized version of the DBDH assumption, which we call the L-DBDH assumption. We show the validity of this new assumption in the generic bilinear group model. Note that all widely known pairing-based computational assumptions, such as DDH, DBDH, k-Lin, and so on, are justified only in the generic group model. Our disclosed large-universe scheme is well comparable to the small-universe one with respect to the computational and communication aspects of efficiency.
Static Security and Our Motivation: Our MA-ABIPFE schemes are proven secure in the random oracle model (ROM) in the static security model adapted to the MA-ABIPFE setting, where the adversary must declare all the challenge ciphertext, secret key, and authority corruption queries upfront. We emphasize that all previous constructions of MA-ABE from concrete assumptions are in ROM. Prior work proved security of their MA-ABIPFE in a slightly stronger model where only the secret keys can be queried adaptively but all the other queries must be submitted upfront. Their proof uses dual system encryption in composite-order groups to rely on variants of subgroup decision (and thus, source group) assumptions. On the contrary, our motivation is to build MA-ABIPFE schemes from weaker target group assumptions, while supporting the large universe feature additionally.
Although static security may not be the dream security model for MA-ABIPFE, our motivation is to build the primitive with greater performance and versatility. It is often observed that schemes with better performance but weaker security are more suitable in various practical deployments. Further, weaker security notions have often been a major stepping stone towards a more advanced security, e.g., adaptive security, for the same primitive. In this context, it is worth mentioning that we could not find any vulnerability of our schemes against stronger adversaries, e.g., selective adversaries as considered in prior work, even though we are not able to mathematically prove their security based on the computational assumptions we considered in this paper. Please note that many primitives of prior works were first built only with selective/static security before being upgraded to adaptive security based on the same assumptions. Moreover, from a sustainability point of view, it is always important to have a portfolio of candidates for a primitive under various computational assumptions so that if one of the assumptions gets broken, candidates under a different assumption can be deployed. Another motivation for designing a DBDH or related assumption-based scheme is to innovate new techniques that could possibly be translated to the LWE setting, as has previously been done for other FE primitives.
Efficiency Analysis: We compare the efficiency metrics of our MA-ABIPFEs with those of prior work. The efficiency of our schemes is boosted significantly due to the use of prime-order groups. This improvement stems from two aspects: (1) for the same security level (e.g., 128-bit), prime-order groups (e.g., with bit-length log2 q = 256) are significantly smaller than composite-order ones (e.g., with bit-length log2 N = 3072), and (2) the times to compute a pairing (e.g., Pq = 5.05 ms) and an exponentiation (e.g., Eq,T = 108 ms) in prime-order groups are significantly smaller than those in composite-order groups (e.g., PN = 1270 ms and EN,T = 204 ms respectively). This manifests in the public key and ciphertext sizes, and in the runtimes of the encryption and decryption algorithms.
We will denote the underlying security parameter by λ throughout the paper. A function negl : ℕ → ℝ is said to be a negligible function of λ if for every c ∈ ℕ, there exists a λc ∈ ℕ such that ∀λ > λc, negl(λ) < λ^(-c). We denote the set of positive integers {1, ..., n} as [n]. We use the abbreviation PPT for probabilistic polynomial-time. For a set X, we write x ← X to denote that x is sampled according to the uniform distribution over the elements of X. Also for any set X, we denote by |X| and 2^X the cardinality and the power set of the set X respectively. We use bold lower case letters, such as v, to denote vectors and upper-case, such as M, for matrices. We assume all vectors, by default, are row vectors. The ith row of a matrix is denoted by Mi and analogously for a set of row indices I, we denote by MI the sub-matrix of M that consists of the rows Mi, ∀i ∈ I. By rowspan(M), we denote the linear span of the rows of a matrix M.
For an integer q ≥ 2, we let ℤq denote the ring of integers modulo q. We represent ℤq as integers in the range (-q/2, q/2]. The set of matrices of size m × n with elements in ℤq is denoted by
The operation (·)T denotes the transpose of vectors/matrices. Let u = (u1, ..., un),
then the inner product between the vectors is denoted as v · u = v uT = Σi∈[n] uivi ∈ ℤq. Moreover, we denote v ⊙ u = (v1u1, ..., vnun), i.e., a vector whose elements are the component-wise products of the corresponding elements in v and u.
Assume a pairing group generator algorithm
that takes as input 1λ and outputs a tuple
where
is a group of prime order q = q(λ) with generator g. The map
satisfies the following properties:
For any a ∈ ℤq, we define
We use pairing groups of prime order to build our MA-ABIPFE schemes. Section 2.1 provides the standard notations for bilinear maps that we will use throughout the paper.
Assumption 1 (Decisional Bilinear Diffie-Hellman (DBDH)) For a security parameter λ ∈ ℕ, let
be a bilinear group and let a, b, c ← ℤq. The DBDH assumption states that for any PPT adversary A, there exists a negligible function negl such that for any security parameter λ ∈ ℕ, given the distribution
has advantage
Assumption 2 (L-Decisional Bilinear Diffie-Hellman (L-DBDH)) For a security parameter λ ∈ ℕ, let
be a bilinear group and let a, b, c ← ℤq. The L-DBDH assumption states that for any PPT adversary
there exists a negligible function negl such that for any security parameter λ ∈ ℕ, given the distribution
has advantage
In this subsection, we present the formal definitions of access structures and linear secret-sharing schemes.
Definition 1 (Access Structures) Let
be the attribute universe. An access structure on
is a collection
of non-empty sets of attributes. The sets in
are called the authorized sets and the sets not in
are called the unauthorized sets. An access structure is called monotone if
if
and
then
Definition 2 (Linear Secret Sharing Schemes (LSSS)) Let q = q(λ) be a prime and
the attribute universe. A secret sharing scheme Π with domain of secrets ℤq for a monotone access structure
over
a.k.a. a monotone secret sharing scheme, is a randomized algorithm that on input a secret z ∈ ℤq outputs
shares
such that for any set
the shares {shi}i∈S determine z and other sets of shares are independent of z (as random variables). A secret-sharing scheme Π realizing monotone access structures on
is linear over ℤq if
The correctness and security of a monotone LSSS are formalized in the following: Let S (resp. S′) denote an authorized (resp. unauthorized) set of attributes according to some monotone access structure
and let I (resp. I′) be the set of rows of the share generating matrix M of the LSSS policy pair (M, ρ) associated with
whose labels are in S (resp. S′). For correctness, there exist constants {wi}i∈I in ℤq such that for any valid shares {µi = (MυT)i}i∈I of a secret z ∈ ℤq according to Π, it is true that Σi∈I wiµi = z (equivalently,
where Mi is the ith row of M). For soundness, there are no such wi’s, as above. Additionally, we have that
such that its first component d1 = 1 and Mi · d = 0, ∀i ∈ I′.
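The two linear-algebra facts used above, namely that ℓ keys for linearly independent vectors let their holder solve for the whole encrypted vector x (the IPFE leakage noted in the introduction), and the LSSS correctness/soundness conditions (an authorized row set I has coefficients {wi}i∈I with Σi∈I wi Mi = (1, 0, ..., 0); an unauthorized set I′ has a witness d with d1 = 1 and Mi · d = 0 for all i ∈ I′), reduce to solving linear systems over ℤq. The following is an added worked example, not code from the disclosure: the prime Q, the toy policy matrix M_TOY (the Lewko–Waters LSSS matrix for the policy (A AND B) OR C) and all sample values are constructed here, and only ℤq arithmetic is involved, not the scheme's group elements.

```python
"""Z_q linear algebra behind IPFE key leakage and LSSS reconstruction.

Added example, not the disclosure's code. Q, M_TOY and the sample vectors are
constructed for illustration; solve_mod_q is plain Gauss-Jordan elimination.
"""
import random

Q = 101  # small prime standing in for the group order q

# Lewko-Waters LSSS matrix for the policy (A AND B) OR C; rows labelled rho = A, B, C
M_TOY = [[1, 1], [0, Q - 1], [1, 0]]


def solve_mod_q(A, b, q):
    """One solution x of A x = b over Z_q (q prime), or None if inconsistent.
    Gauss-Jordan on the augmented matrix; free variables are set to 0."""
    m, n = len(A), len(A[0])
    aug = [[a % q for a in row] + [bi % q] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, q)
        aug[r] = [(v * inv) % q for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % q for vi, vr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][n] for i in range(r, m)):  # a row "0 = nonzero": no solution
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x


def transpose(M):
    return [list(col) for col in zip(*M)]


def inner_product(a, b, q):
    return sum(ai * bi for ai, bi in zip(a, b)) % q


def lsss_share(M, z, q, seed=None):
    """Shares of z under M: v = (z, r_2, ..., r_d) with r_j uniform, share_i = M_i . v."""
    rng = random.Random(seed)
    v = [z % q] + [rng.randrange(q) for _ in range(len(M[0]) - 1)]
    return [inner_product(row, v, q) for row in M]


def reconstruction_coeffs(M, rows, q):
    """w with sum_i w_i M_i = (1,0,...,0) over the rows in I, or None when I is
    unauthorized. This is the linear system M_I^T w^T = e_1^T."""
    e1 = [1] + [0] * (len(M[0]) - 1)
    return solve_mod_q(transpose([M[i] for i in rows]), e1, q)


def reconstruct(shares, rows, w, q):
    """sum_i w_i share_i, which equals the secret for a correct w (LSSS correctness)."""
    return sum(wi * shares[i] for wi, i in zip(w, rows)) % q


def unauthorized_witness(M, rows, q):
    """d with d_1 = 1 and M_i . d = 0 for every i in I'; exists exactly when I' is
    unauthorized (LSSS soundness). Encoded as the system [M_I'; e_1] d = (0,...,0,1)."""
    d = len(M[0])
    A = [M[i] for i in rows] + [[1] + [0] * (d - 1)]
    return solve_mod_q(A, [0] * len(rows) + [1], q)


def recover_from_keys(Y, products, q):
    """IPFE leakage: from <x, y_i> for the rows y_i of Y, solve Y x^T = c for x.
    With l linearly independent y_i the solution is unique, i.e. x is fully revealed."""
    return solve_mod_q(Y, products, q)


def demo():
    shares = lsss_share(M_TOY, 42, Q, seed=1)
    w_ab = reconstruction_coeffs(M_TOY, [0, 1], Q)      # {A, B} is authorized
    ys = [[1, 0, 0], [1, 1, 0], [1, 1, 1]]             # 3 independent key vectors
    x = [3, 5, 7]                                      # the encrypted vector
    leaked = recover_from_keys(ys, [inner_product(y, x, Q) for y in ys], Q)
    return {
        "secret_from_AB": reconstruct(shares, [0, 1], w_ab, Q),        # 42
        "coeffs_A_only": reconstruction_coeffs(M_TOY, [0], Q),       # None
        "witness_A_only": unauthorized_witness(M_TOY, [0], Q),       # [1, 100]
        "x_recovered_from_3_keys": leaked,                           # [3, 5, 7]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the scheme, `reconstruction_coeffs` is exactly the step in which Decrypt "finds {wi}i∈I such that Σ wi Mi = (1, 0, ..., 0)"; the witness d is the object the security proof uses to show that the rows held by corrupt authorities carry no information about the shared secret. `recover_from_keys` is the reason releasing ℓ independent inner-product keys must be treated as releasing x itself.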
Remark 1 (NC1 and Monotone LSSS) Consider an access structure
described by an NC1 circuit. There is a folklore transformation that converts this circuit into a Boolean formula of logarithmic depth consisting of (fan-in 2) AND, OR, and (fan-in 1) NOT gates. We can further push the NOT gates to the leaves using De Morgan’s laws, and assume that internal nodes consist only of OR and AND gates while leaves are labeled either by attributes or their negations. In other words, we can represent any NC1 policy over a set of attributes as one described by a monotone Boolean formula of logarithmic depth over the same attributes and their negations. Lewko and Waters presented a monotone LSSS for access structures described by monotone Boolean formulas. This implies that any NC1 access policy can be captured by a monotone LSSS. Therefore, in this paper, we will only focus on designing an MA-ABIPFE scheme for monotone LSSS, similar to the MA-ABE scheme of Datta et al.
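The transformation in Remark 1, as an added example that is not part of the disclosure: NOT gates are pushed to the leaves by De Morgan’s laws, and the resulting AND/OR formula is turned into a monotone LSSS matrix with the Lewko–Waters construction (an AND node splits its vector into (v|1) and (0…0|−1), an OR node copies it to both children). The nested-tuple encoding of formulas and the "!A" naming of a negated attribute are conventions of this example only.

```python
"""Monotone Boolean formula -> LSSS matrix (Lewko-Waters construction).

Added example, not the disclosure's code. Formulas are nested tuples:
("AND", f, g), ("OR", f, g), ("NOT", f), or an attribute name string.
A negated leaf is treated as its own attribute and named "!A" (a convention
of this example).
"""


def push_negations(f, negate=False):
    """Apply De Morgan's laws until every NOT sits on a leaf."""
    if isinstance(f, str):
        return "!" + f if negate else f
    op = f[0]
    if op == "NOT":
        return push_negations(f[1], not negate)
    if op == "AND":
        new_op = "OR" if negate else "AND"
    elif op == "OR":
        new_op = "AND" if negate else "OR"
    else:
        raise ValueError("unknown gate %r" % op)
    return (new_op, push_negations(f[1], negate), push_negations(f[2], negate))


def formula_to_lsss(f, q):
    """Return (M, rho): rows of M over Z_q, rho[i] is the attribute labelling row i.
    The secret z is shared as M (z, r_2, ..., r_d)^T; a set of leaves is authorized
    iff (1,0,...,0) lies in the span of its rows (Lewko-Waters)."""
    f = push_negations(f)
    rows = []       # (label, vector) per leaf, vectors not yet padded
    counter = [1]   # number of columns allocated so far

    def walk(node, vec):
        if isinstance(node, str):          # leaf: record its (partial) row
            rows.append((node, list(vec)))
            return
        op, left, right = node
        if op == "OR":                     # both children inherit the vector
            walk(left, vec)
            walk(right, vec)
        elif op == "AND":                  # split: v|1 and 0...0|-1, one new column
            c = counter[0]
            padded = vec + [0] * (c - len(vec))
            counter[0] = c + 1
            walk(left, padded + [1])
            walk(right, [0] * c + [q - 1])
        else:
            raise ValueError("unknown gate %r" % op)

    walk(f, [1])
    d = counter[0]
    M = [v + [0] * (d - len(v)) for _, v in rows]   # pad every row to d columns
    rho = [label for label, _ in rows]
    return M, rho


if __name__ == "__main__":
    policy = ("OR", ("AND", "A", "B"), ("NOT", ("OR", "C", "D")))
    M, rho = formula_to_lsss(policy, 101)
    for label, row in zip(rho, M):
        print(label, row)
```

For "(A AND B) OR C" over ℤ101 this yields rows A = (1, 1), B = (0, 100), C = (1, 0): the shares of A and B sum to the secret, and C’s share is the secret itself, matching the correctness condition Σ wi Mi = (1, 0) with w = (1, 1) and w = (1) respectively.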
We will use the following information-theoretic property of LSSS access policies in the security proof of our MA-ABIPFE scheme. Recently, Datta, Komargodski, and Waters observed a gap in the proof of Rouselakis and Waters and presented a corrected proof. The security reduction of the MA-ABE scheme of Datta, Komargodski, and Waters crucially utilizes this lemma to isolate an unauthorized set of rows of the challenge LSSS matrix submitted by the adversary and essentially ignore it throughout the security reduction. Like these papers, in our case as well, the rows of the challenge LSSS matrix corresponding to the corrupt authorities will constitute the unauthorized set in the application of the lemma.
Lemma 1 Let (M, ρ) be an LSSS access policy, where
Let C ⊂ [ℓ] be a non-authorized subset of row indices of M. Let c ∈ ℕ be the dimension of the subspace spanned by the rows of M corresponding to indices in
Then, there exists an access policy (M′, ρ) such that the following holds:
A (large universe) decentralized multi-authority attribute-based inner-product functional encryption (MA-ABIPFE) scheme MA-ABIPFE = (GlobalSetup, LocalSetup, KeyGen, Encrypt, Decrypt) for access structures captured by linear secret sharing schemes (LSSS) over some finite field ℤq with q = q(λ) and inner product message space
consists of five algorithms with the following syntax. We denote by
the authority universe and by
the universe of users’ global identifiers in the system. The attribute universe is denoted as Uatt which may be arbitrary. Further, an authority
may have any arbitrary number of attributes from Uatt under its control. We assume a publicly computable function
that maps each attribute t ∈ Uatt to a unique authority θ = T(t). The algorithm proceeds as follows:
GlobalSetup(1λ, 1n): It is the global setup algorithm which on input the security parameter λ and a vector length n in unary, outputs the global public parameters GP. We assume that GP includes the descriptions of n,
and
LocalSetup(GP, θ): The authority
runs the local setup algorithm during its initialization with the global parameters GP and generates its public parameters and a master secret key pair (PKθ, MSKθ).
KeyGen (GP, GID, MSKθ, t, u): The key generation algorithm takes input the global parameter GP, a user’s global identifier
a master secret key MSKθ for authority θ controlling an attribute t ∈ Uatt, and a vector
It outputs a secret key SKGID,t,u.
Encrypt(GP, (M, δ), {PKθ}θ, v): The encryption algorithm takes input the global parameter GP, an LSSS access structure (M, δ) where M is a matrix over ℤq and δ is a row-labelling function that assigns to each row of M an attribute in Uatt. We define the function
as
which maps row indices of M to authorities
Accordingly, the encryption algorithm further takes a set {PKθ}θ of public keys for all the authorities in the range of ρ, and a message vector
It outputs a ciphertext CT. We assume that CT implicitly contains the description of (M, δ).
Decrypt(GP, GID, CT, {SKGID,t,u}t): The decryption algorithm takes in the global parameters GP, a ciphertext CT generated with respect to some LSSS access policy (M, δ), and a collection of keys {SKGID,t,u}t corresponding to user ID-attribute pairs (GID, S ⊆ Uatt) and a key vector u possessed by a user with global identifier GID. It outputs a message ζ when the collection of attributes associated with the secret keys {SKGID,t,u}t satisfies the LSSS access policy (M, δ), i.e., when the vector (1, 0, ..., 0) belongs to the linear span of those rows of M which are mapped by δ to the set of attributes S corresponding to the secret keys {SKGID,t,u}t∈S possessed by the user with global identifier GID. Otherwise, decryption returns ⊥.
Correctness: An MA-ABIPFE scheme for LSSS-realizable access structures and inner product message space
is said to be correct if for every λ ∈ ℕ, every message vector
key vector
and
every LSSS access policy (M, δ), and every subset of authorities S ⊆ Uatt controlling attributes which satisfy the access structure it holds that
Static Security: We consider static security for our MA-ABIPFE schemes formalized by the following game between a challenger and an adversary. The adversary is allowed to corrupt any desired set of authorities chosen after seeing the global public parameters. Once chosen, this set is fixed during the security experiment. The adversary also submits a pair of challenge message vectors (υ0, υ1) after seeing the global public parameters. We emphasize that our security model allows the adversary to ask for secret keys which are capable of decrypting the challenge ciphertext.
Global Setup: The challenger runs GlobalSetup (1λ, 1n) to get and send the global public parameters GP to the attacker.
Adversary’s Queries: The adversary sends the following queries:
Challenger’s Replies: The challenger flips a random coin β ← {0, 1} and replies with the following:
Guess: The adversary outputs a guess β′ for β.
The advantage of the adversary
is
Definition 3 (Static Security for MA-ABIPFE for LSSS) An MA-ABIPFE scheme for LSSS-realizable access structures satisfies static security if for any PPT adversary
there exists negl(·) such that for all λ ∈ ℕ, we have
Remark 2 (Static Security in the Random Oracle Model.) We additionally consider the aforementioned notion of selective security with static corruption in the ROM. In this context, we assume a global hash function H published as part of the global public parameters and accessible by all the parties in the system.
Remark 3 (On Small Universe MA-ABIPFE.) The above MA-ABIPFE definitions capture the large universe scenario by default. There are some minor changes with the definitions above when considering the case for a small universe scheme. In particular, we assume in this case w.l.o.g. that exactly one single attribute is assigned to a particular authority, and hence we use the words “authority” and “attribute” interchangeably. This leads to the following syntactic and semantic changes in the definitions:
In this section, we describe the formal construction and proof for our ABIPFE scheme. The construction is in prime-order groups.
Setup(1λ, smax, 1n, Uatt): The setup algorithm takes input the security parameter λ, the maximum width of an LSSS matrix supported by the scheme smax = smax(λ), the vector length n in unary and the description of the attribute universe Uatt. It first generates
Then for each attribute t ∈ Uatt, it samples the vectors
and outputs
KeyGen(MSK, S, u): The key generation algorithm takes input master secret key MSK, a set of attributes S ⊆ Uatt and a vector
For each t ∈ S, it does the following:
as the secret key.
Encrypt(PK, (M, ρ), v): The encryption algorithm takes input the public key PK, an LSSS access structure (M, ρ) where
and
and a message vector
The function ρ maps the row indices of M to attributes. We assume that ρ is an injective function, that is, an attribute is associated with at most one row of M. The algorithm proceeds as follows:
Decrypt(PK, SKS,u, CT): The decryption algorithm takes input the public key PK, a secret key SKS,u for an attribute set
and a vector
and a ciphertext CT for an access structure (M, ρ) with
and an injective map
Parse
where
and
Denote
If (1, 0, ..., 0) is not in the span of MI (i.e., M restricted to the set of rows from I), decryption fails. Else, when S satisfies (M, ρ), the algorithm finds
such that
It then computes
and outputs
Theorem 1 If the DBDH assumption holds, then all PPT adversaries have a negligible advantage in breaking selective security of the proposed small universe ABIPFE scheme in the standard model.
In this section, we describe the formal construction for our MA-ABIPFE scheme. The construction is in prime-order groups and additionally uses a hash function that can be modelled as a random oracle in a security proof.
GlobalSetup(1λ, smax, 1n): The global setup algorithm takes input the security parameter λ, the maximum width of an LSSS matrix supported by the scheme smax = smax(λ) and the vector length n in unary. It generates
and specifies a hash function
mapping strings
to elements in
It outputs a global parameter GP = (n, G, H).
LocalSetup(GP, t): The authority setup algorithm takes as input GP and an authority index/attribute
It samples vectors
and outputs
KeyGen(GP, GID, MSKt, u): The key generation algorithm takes input GP, the user’s global identifier GID, the authority’s secret key MSKt and a vector
It outputs
Encrypt(GP, (M, ρ), {PKt}, v): The encryption algorithm takes input the global parameter GP, an LSSS access structure (M, ρ) where
a set {PKt} of public keys for all the authorities in the range of ρ, and a message vector
The function ρ maps the row indices of M to authorities or attributes. We assume ρ is an injective function, that is, an authority/attribute is associated with at most one row of M. The algorithm proceeds as follows:
1. Sample
2. Set the following matrices:
3. Compute the following terms:
and output the ciphertext,
Decrypt(GP, GID, CT, {SKGID,t,u}): The decryption algorithm takes input the global parameter GP, a ciphertext CT for an access structure (M, ρ) with
and
injective, and the secret keys {SKGID,
The algorithm computes
and outputs
Theorem 2 If the DBDH assumption holds, then all PPT adversaries have a negligible advantage in breaking the static security of the proposed small universe MA-ABIPFE scheme in the random oracle model.
In this section, we describe the construction of our large universe MA-ABIPFE (LMA-ABIPFE) scheme. The construction is in prime-order groups and additionally uses hash functions that are modelled as random oracles in the security proof.
GlobalSetup(1λ, 1n, smax): The global setup algorithm takes input the security parameter λ and a vector length n both in unary, and the maximum width of an LSSS matrix supported by the scheme smax = smax(λ). It generates
and specifies hash functions
G mapping strings
to elements in
and
mapping strings
to elements in
It outputs a global parameter GP = (n, G, H, R).
LocalSetup(GP, θ): The authority setup algorithm takes input the global parameter GP and an authority index
It samples vectors
and outputs
and
KeyGen(GP, GID, MSKθ, t, u): The key generation algorithm takes input GP, the user’s global identifier GID, the authority’s secret key MSKθ, an attribute t controlled by the authority and a vector u ∈
It samples
and outputs
Encrypt(GP, (M, δ), {PKθ}, v): The encryption algorithm takes input the global parameter GP, an LSSS access structure (M, δ) where
and
a set {PKθ} of public keys for all the relevant authorities, and a message vector
The function δ maps the row indices of M to attributes. We define the function
as ρ(·) = T(δ(·)), which maps row indices of M to authorities. The algorithm proceeds as follows:
Decrypt(GP, GID, CT, {SKGID,t,u}): The decryption algorithm takes input the global parameter GP, a ciphertext CT for an access structure (M, δ) with
and the secret keys {
corresponding to a global identity GID and a subset of rows of M with indices I ⊂ [ℓ]. If (1,0,...,0) is not in the span of these rows, MI, then decryption fails. Otherwise, the algorithm finds {wi}i∈I such that
Finally, it outputs
where
Theorem 3 If the L-DBDH assumption holds, then all PPT adversaries have a negligible advantage in breaking the static security of the proposed LMA-ABIPFE scheme in the random oracle model.
With reference to
With reference to
As non-limiting examples, additional applications include finance, blockchain, and smart contracts. An Internet of Medical Things (IoMT) embodiment is illustrated in
A privacy preserving mechanism in Virtual Reality (VR) and Augmented Reality (AR) embodiment is illustrated in
Augmented Reality: AR is an interactive experience of a real-world environment where the objects that reside in the real world are enhanced by computer-generated perceptual information, sometimes across multiple sensory modalities, including visual, auditory, haptic, somatosensory and olfactory. AR can be defined as a system that incorporates three basic features: a combination of real and virtual worlds, real-time interaction, and accurate 3D registration of virtual and real objects. This experience is seamlessly interwoven with the physical world such that it is perceived as an immersive aspect of the real environment. In this way, AR alters one’s ongoing perception of a real-world environment.
Virtual Reality: By contrast, VR creates its own simulated environment, that may (or may not) be entirely different from the real world. VR is usually experienced through an interface, such as a headset or goggles, instead of watching content on a screen. Standard VR systems use either VR headsets or multi-projected environments to generate realistic images, sounds and other sensations that simulate a user’s physical presence in a virtual environment. A person using VR equipment is able to look around the artificial world, move around in it, and interact with virtual features or items. VR typically incorporates auditory and video feedback, but may also allow other types of sensory and force feedback through haptic technology.
Both AR and VR embodiments can span an enormous number of application areas, including:
Its applications will, in all probability, only continue to grow. VR and AR are transforming many industries through software and hardware development, graphic design, research, and more, which has led to a large number of job opportunities in the associated industry. In-demand careers developing and improving AR and VR technology include software engineering and development, software maintenance, graphic design, etc. With such a surge in its applicability, one of the primary concerns (if not the most important one) is that of privacy and security. For example, many VR systems involve features like finger tracking and eye tracking, among others. Such features can lead to potential misuse of sensitive information, victimizing the person using VR gadgets. Owing to its constructive applications in society, many front-line companies (e.g., Apple, Microsoft, Facebook) are now interested in it. There are also examples of companies that collaborate among themselves or with other agencies (e.g., the European Space Agency) in order to develop more accurate and robust VR systems. Privacy-preserving techniques naturally have a great role to play in such endeavours.
Our application of MA-ABIPFE (and generally, MA-ABFE) is in such a scenario, where a particular section of the United States government needs VR technology for some dedicated purposes. This involves developing full-scale VR systems. Accordingly, the U.S. government fixes a global identifier for this project (say ProjID) and delegates its development and maintenance jointly to two companies, CompanyA and CompanyB. Such distributed deployment of the sensitive VR system is necessary in order to prevent either company from secretly planting backdoors in the system to collect data it is not intended to read. In other words, these two companies collaborate to build, test and maintain the VR platform jointly. For testing the accuracy of this system, they want to compute various statistics on large volumes of training data generated in real time from end users who are willing to be volunteers from within or outside their organizations. In order to compute such collective data securely, CompanyA and CompanyB have employed people in their separate departments (e.g., Data Collection and Management, Quality Analysis, Testing, Software Development). The companies themselves are individual, independent authorities distributing secret keys to their respective employees corresponding to their attributes and certain (possibly statistical) functions under the same ProjID. The VR devices developed have policies embedded within them. These policies are decided jointly by the higher management of both companies (comprising the board of directors, CEOs, etc.). Upon collecting data from end users in batches, the VR devices are programmed to encrypt them according to their policies and upload them to a cloud server that is again jointly established by both companies.
The policies essentially dictate which employees with certain attributes from any of these companies can come together to pull a “joint” secret key in order to decrypt and learn functions of the encrypted data. Such a system would allow certain groups of employees from these companies holding individual authorized secret keys to come together and jointly learn only the intended functions of the original data.
Computer system 500 may include one or more processors (also called central processing units, processing devices, or CPUs), such as a processor 504. Processor 504 may be connected to a communication infrastructure 506 (e.g., such as a bus).
Computer system 500 may also include user input/output device(s) 503, such as monitors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 506 through user input/output interface(s) 502. One or more of processors 504 may be a graphics processing unit (GPU). In an embodiment, a GPU may be a processor that is a specialized electronic circuit designed to process mathematically intensive applications. The GPU may have a parallel structure that is efficient for parallel processing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc.
Computer system 500 may also include a main memory 508, such as random-access memory (RAM). Main memory 508 may include one or more levels of cache. Main memory 508 may have stored therein control logic (i.e., computer software, instructions, etc.) and/or data. Computer system 500 may also include one or more secondary storage devices or secondary memory 510. Secondary memory 510 may include, for example, a hard disk drive 512 and/or a removable storage device or removable storage drive 514. Removable storage drive 514 may interact with a removable storage unit 518. Removable storage unit 518 may include a computer-usable or readable storage device having stored thereon computer software (control logic) and/or data. Removable storage drive 514 may read from and/or write to removable storage unit 518.
Secondary memory 510 may include other means, devices, components, instrumentalities, or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 500. Such means, devices, components, instrumentalities, or other approaches may include, for example, a removable storage unit 522 and an interface 520. Examples of the removable storage unit 522 and the interface 520 may include a program cartridge and cartridge interface, a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface.
Computer system 500 may further include communications interface 524 (e.g., network interface). Communications interface 524 may enable computer system 500 to communicate and interact with any combination of external devices, external networks, external entities, etc. (individually and collectively referenced as remote device(s), network(s), entity(ies) 528). For example, communications interface 524 may allow computer system 500 to communicate with external or remote device(s), network(s), entity(ies) 528 over communications path 526, which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc. Control logic and/or data may be transmitted to and from computer system 500 via communications path 526.
Computer system 500 may also be any of a personal digital assistant (PDA), desktop workstation, laptop or notebook computer, netbook, tablet, smartphone, smartwatch or other wearable devices, appliance, part of the Internet-of-Things, and/or embedded system, to name a few non-limiting examples, or any combination thereof.
Computer system 500 may be a client or server computing device, accessing or hosting any applications and/or data through any delivery paradigm, including but not limited to remote or distributed cloud computing solutions; local or on-premises software (“on-premise” cloud-based solutions); “as a service” models (e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a service (SaaS), managed software as a service (MSaaS), platform as a service (PaaS), desktop as a service (DaaS), framework as a service (FaaS), backend as a service (BaaS), mobile backend as a service (MBaaS), infrastructure as a service (IaaS), etc.); and/or a hybrid model including any combination of the foregoing examples or other services or delivery paradigms.
The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a specialized application or network security appliance or device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
The example computer system 900 includes a processing device 902, a main memory 904 (e.g., read-only memory (ROM), flash memory, dynamic random-access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 906 (e.g., flash memory, static random-access memory (SRAM), etc.), and a data storage device 918, which communicate with each other via a bus 930.
Processing device 902 represents one or more processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 902 may also be one or more special-purpose processing devices such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 902 is configured to execute instructions 926 for performing the operations and steps discussed herein.
The computer system 900 may further include a network interface device 908 to communicate over the network 920. The computer system 900 also may include a video display unit 910, an alphanumeric input device 912 (e.g., a keyboard), a cursor control device 914 (e.g., a mouse), a graphics processing unit 922, a signal generation device 916 (e.g., a speaker), video processing unit 928, and audio processing unit 932.
The data storage device 918 may include a machine-readable medium 924 (also known as a computer-readable storage medium) on which is stored one or more sets of instructions 926 (e.g., software instructions) embodying any one or more of the operations described herein. The instructions 926 may also reside, completely or at least partially, within the main memory 904 and/or within the processing device 902 during execution thereof by the computer system 900, where the main memory 904 and the processing device 902 also constitute machine-readable storage media.
In an example, the instructions 926 include instructions to implement operations and functionality corresponding to the disclosed subject matter. While the machine-readable storage medium 924 is shown in an example implementation to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions 926. The term “machine-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions 926 for execution by the machine and that cause the machine to perform any one or more of the operations of the present disclosure. The term “machine-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media, and magnetic media.
Some portions of the detailed description have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as “identifying” or “determining” or “executing” or “performing” or “collecting” or “creating” or “sending” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system’s registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.
The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer-readable storage medium, such as but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
The operations and illustrations presented herein are not inherently related to any particular computer or other apparatus. Various types of systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the operations. The structure for a variety of these systems will appear as set forth in the description herein. In addition, the present disclosure is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the disclosure as described herein.
The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as read-only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc.
In some embodiments, a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having control logic (software) stored thereon may also be referred to herein as a computer program product or program storage device. This includes, but is not limited to, computer system 500, main memory 508, secondary memory 510, and removable storage units 518 and 522, as well as tangible articles of manufacture embodying any combination of the foregoing. Such control logic, when executed by one or more data processing devices (such as computer system 500), may cause such data processing devices to operate as described herein.
Based on the teachings contained in this disclosure, it will be apparent to persons skilled in the relevant art(s) how to make and use embodiments of this disclosure using data processing devices, computer systems, and/or computer architectures other than that shown in
It is to be appreciated that the Detailed Description section, and not any other section, is intended to be used to interpret the claims. Other sections can set forth one or more but not all exemplary embodiments as contemplated by the inventor(s), and thus, are not intended to limit this disclosure or the appended claims in any way.
While this disclosure describes exemplary embodiments for exemplary fields and applications, it should be understood that the disclosure is not limited thereto. Other embodiments and modifications thereto are possible and are within the scope and spirit of this disclosure. For example, and without limiting the generality of this paragraph, embodiments are not limited to the software, hardware, firmware, and/or entities illustrated in the figures described herein. Further, embodiments (whether or not explicitly described herein) have significant utility to fields and applications beyond the examples described herein.
Embodiments have been described herein with the aid of functional building blocks illustrating the implementation of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries can be defined as long as the specified functions and relationships (or equivalents thereof) are appropriately performed. Also, alternative embodiments can perform functional blocks, steps, operations, methods, etc. using orderings different than those described herein.
References herein to “one embodiment,” “an embodiment,” “an example embodiment,” or similar phrases, indicate that the embodiment described can include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it would be within the knowledge of persons skilled in the relevant art(s) to incorporate such feature, structure, or characteristic into other embodiments whether or not explicitly mentioned or described herein. Additionally, some embodiments can be described using the expression “coupled” and “connected” along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments can be described using the terms “connected” and/or “coupled” to indicate that two or more elements are in direct physical or electrical contact with each other. The term “coupled,” however, can also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
The breadth and scope of this disclosure should not be limited by any of the above-described exemplary embodiments but should be defined only in accordance with the following claims and their equivalents. In the foregoing specification, implementations of the disclosure have been described with reference to specific example implementations thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of implementations of the disclosure as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.
This application claims the benefit of U.S. Provisional Application No. 63/325,608, filed Mar. 30, 2022, the entire contents of which are incorporated herein by reference.
Number | Date | Country
---|---|---
63325608 | Mar 2022 | US