Access Control Encryption Enforcing Information Flow with Cryptography Ivan Damgård, Helene Haagh, and Claudio Orlandi http://eprint.iacr.org/2016/106
Outline Access Control Encryption Motivation Definition Polylog ACE from io Sanitizable Functional Encryption ACE construction from sanfe Security 2
Motivation S3 e3 R3 d3 S2 e 2 c San rk c R2 d2 S1 e1 R1 d1 3
Access Control Encryption Senders: Receivers: SS 1, SS 2,, SS nn RR 1, RR 2,, RR nn Predicate PP: nn nn 0,1 PP xx, yy = 1 : flow from SS xx to RR yy is allowed PP 0, yy = PP xx, 0 = 0 for all xx, yy PP XX, YY = 0 iff PP xx, yy = 0 for all xx XX, yy YY Sanitizer: Special party that routes trafic from senders to receivers Should learn as little as possible Assumed to be honest-but-curious San 4
Access Control Encryption SSSSSSSSSS PP (mmmmmm, pppp) GGGGGG GGGGGG mmmmmm, SSSSSS, xx eeee xx S3 e 3 R3 d 3 GGGGGG mmmmmm, RRRRRR, yy ddkk yy GGGGGG mmmmmm, SSSSSS rrrr S2 c San c R2 EEEEEE eeee xx, mm cc SSSSSS rrrr, cc ccc S1 e 2 e 1 rk R1 d 2 d 1 DDDDDD dddd yy, cc = mm iiii PP xx, yy = 1 5
Outline Access Control Encryption Motivation Definition Polylog ACE from io Sanitizable Functional Encryption ACE construction from sanfe Security 6
Sanitizable Functional Encryption SSSSSSSSSS 1 κ (mmmmmm, pppp) GGGGGG mmmmmm, ff SSSS ff EEEEEE pppp, mm cc SSSSSS pppp, cc ccc DDDDDD SSSS ff, cc = ff(mm) EEEEEE pppp, mm SSSSSS pppp, cc R2 SSSSff ff(mm) S pppp pppp R1 gg(mm) San SSSS gg 7
Sanitizable FE based on GGHRSW13 SSSSSSSSSS: pppp = pppp 1 PPPPPP, pppp 2 PPPPPP, mmmmmm = sskk 1 PPPPPP, sskk 2 PPPPPP GGGGGG mmmmmm, ff : SSSS ff = iiii FF EEEEEE pppp, mm : cc 1 PPPPPP. EEEEEE pppp PPPPPP 1, mm, cc 2 PPPPPP. EEEEEE pppp PPPPPP 2, mm π EE : proof that cc 1 and cc 2 encrypt the same message Output cc = cc 1, cc 2, π EE SSSSSS pppp, cc : If VVVVVVVVVVVV cc 1, cc 2, π EE = 1 cc 1 PPPPPP. SSSSSS pppp PPPPPP 1, cc 1, ccc 2 PPPPPP. SSSSSS pppp PPPPPP 2, cc 2 π SS : proof of proof Output ccc = ccc 1, ccc 2, π SS Correctness follows from the correctness of the io, PKE and SSS-NIZK schemes. DDDDDD SSSS ff, cc : Run the obfuscated program SSSS ff (cc ) Program F If VVVVVVVVVVVV cc 1, cc 2, π SS = 1 ff PPPPPP. DDDDDD sskk 1 PPPPPP, cc 1 8
Indistinguishability Security EEEEEE pppp, mm 0 EEEEEE pppp, mm 1 when given SSSS ff s.t ff mm 0 = ff(mm 1 ) Theorem. The sanfe construction is IND-CPA secure The proof follows closely the proof of the FE scheme presented by GGHRSW13 with a minor change. cc = cc 1, cc 2, π EE, SSSS ff = iiii FF ssss 1 Simulate the proof Change the message in the PKE encryption cc 2 Change SSSS ff to use the PKE secret key ssss 2 Change the message in the other PKE encryption Change SSSS ff to use the PKE secret key ssss 1 Create the proof honestly 9
Sanitation Property SSSSSS pppp, cc SSSSSS pppp, EEEEEE pppp, DDDDDD mmmmmm, cc where cc AA(pppp, mmmmmm) Theorem. The sanfe construction fulfils the sanitation property Proof Ideas. cc = cc 1, cc 2, ππ SS SSSSSS(pppp, cc) Need to be able to simlutate ππ SS Thus, need to know the adversarial chosen ciphertext cc when creating the system parameters Complexity leveraging Guess the message mm MM that cc encrypts Upon receiving cc from the adversary, check that DDDDDD mmmmmm, cc = mm, if not then abort. 10
Proof SSSSSS pppp, cc SSSSSS pppp, EEEEEE pppp, DDDDDD mmmmmm, cc Hybrid 0: pppp, mmmmmm cc = (cc 1, cc 2, ππ EE ) cc mm RR MM pppp, mmmmmm SSSSSSSSSS 1 κ Check DDDDDD mmmmmm, cc = mm cc SSSSSS(pppp, cc) Hybrid 1: = pppp, mmmmmm cc = (cc 1, cc 2, ππ EE ) cc Follows directly from the PKE sanitation property: rr, ss, rr sss s.t SSSSSS pppp, EEEEEE pppp, mm; rr ; ss = SSSSSS pppp, EEEEEE pppp, mm; rr ; ss mm RR MM pppp, mmmmmm SSSSSSSSSS 1 κ Check DDDDDD mmmmmm, cc = mm ccc ii = PPPPPP. EEEEEE(pppp ii, mm ) cc SSSSSS(pppp, (cc 1, cc 2, ππ EE )) 11
Proof SSSSSS pppp, cc SSSSSS pppp, EEEEEE pppp, DDDDDD mmmmmm, cc Hybrid 1: pppp, mmmmmm cc = (cc 1, cc 2, ππ EE ) cc mm RR MM pppp, mmmmmm SSSSSSSSSS 1 κ Check DDDDDD mmmmmm, cc = mm ccc ii = PPPPPP. EEEEEE(pppp ii, mm ) cc SSSSSS(pppp, (cc 1, cc 2, ππ EE )) Hybrid 2: pppp, mmmmmm cc = (cc 1, cc 2, ππ EE ) cc Computational Zero-Knowledge property of the Statistical Simulation-Sound NIZK mm RR MM cc ii = PPPPPP. SSSSSS pppp ii, PPPPPP. EEEEEE pppp ii, mm pppp, mmmmmm, ππ SS SSSSSSSSSSSSSSSS cc = (cc 1, cc 2, ππ SS ) Check DDDDDD mmmmmm, cc = mm 12
Proof SSSSSS pppp, cc SSSSSS pppp, EEEEEE pppp, DDDDDD mmmmmm, cc Hybrid 2: pppp, mmmmmm cc = (cc 1, cc 2, ππ EE ) cc mm RR MM cc ii = PPPPPP. SSSSSS pppp ii, PPPPPP. EEEEEE pppp ii, mm pppp, mmmmmm, ππ SS SSSSSSSSSSSSSSSS cc = (cc 1, cc 2, ππ SS ) Check DDDDDD mmmmmm, cc = mm Hybrid 3: pppp, mmmmmm cc = (cc 1, cc 2, ππ EE ) cc Computational Zero-Knowledge property of the Statistical Simulation-Sound NIZK mm RR MM pppp, mmmmmm SSSSSSSSSS 1 κ cc SSSSSS pppp, EEEEEE pppp, mm Check DDDDDD mmmmmm, cc = mm 13
Proof SSSSSS pppp, cc SSSSSS pppp, EEEEEE pppp, DDDDDD mmmmmm, cc Hybrid 3: Hybrid 4: pppp, mmmmmm cc = (cc 1, cc 2, ππ EE ) cc = pppp, mmmmmm cc = (cc 1, cc 2, ππ EE ) cc mm RR MM pppp, mmmmmm SSSSSSSSSS 1 κ cc = SSSSSS pppp, EEEEEE pppp, mm Check DDDDDD mmmmmm, cc = mm mm RR MM pppp, mmmmmm SSSSSSSSSS 1 κ Check DDDDDD mmmmmm, cc = mm cc = SSSSSS pppp, EEEEEE pppp, DDDDDD(mmmmmm, cc) 14
ACE from sanfe SSSSSSSSSS: pppp = pppp FFFF, mmmmmm = mmmmmm FFEE, KK GGGGGG: eeee ii FF KK ii Function: ff jj (mm, ii, tt) If P i, j = 1: output mm dddd jj FFFF. GGGGGG ff jj rrrr FFFF. GGGGGG(ff rrrr ) EEEEEE eeee ii, mm : cc FFFF. EEEEEE pppp FFFF, mm, ii, FF eeeeii mm SSSSSS rrrr, cc : cc FFFF. SSSSSS pppp FFFF, cc If FFFF. DDDDDD rrrr, cc = 1 output ccc Else output SSSSSS(rrrr, EEEEEE eeee 0, ) DDDDDD dddd jj, cc : mm FFFF. DDDDDD(dddd jj, cc ) Function: ff rrrr (mm, ii, tt) eeee ii FF KK (ii) If t = FF eeeeii mm : output 1 Else output 0 Correctness follows directly from the correctness of sanfe 15
No-Read Rule pppp xx eeee xx yy ddkk yy SSSSSS rrrr xx 0, mm 0, xx 1, mm 1 Chall cc EEEEEE eeee xxbb, mm bb Win if bb = and is not allowed to decrypt or is allowed and mm 0 = mm 1 (payload privacy) (anonymity) 16
No-Read Rule B pppp sanfe IND-CPA game pppp xx eeee xx eeee xx = FF KK (xx) ACE No-Read yy SSSSSS ddkk yy rrrr xx 0, mm 0, xx 1, mm 1 ff SSSS ff mmm 0 = mm 0, xx 0, FF eeeexxx mm 0 Chall mmm 1 = mm 1, xx 1, FF eeeexx1 mm 1 cc cc = FFFF. EEEEEE pppp, mm bb 17
No-Write Rule pppp xx eeee xx yy ddkk yy xx, cc SSSSSS(rrrr, cc )/SSSSSS(EEEEEE eeee xx, rr ) Chall Win if bb = bb and xx XX, and PP XX, YY = 0 18
No-Write Rule SSSSSS(rrrr, cc ) SSSSSS EEEEEE eeee xx, rr xx, cc AA XX,YY (pppp) xx XX, and PP XX, YY = 0 FFFF. SSSSSS cc mm, xx, tt DDDDDD mmmmmm, cc EEEEEE eeee xx, mm = FFFF. EEEEEE mm, xx, tt SSSSSS rrrr, cc = FFFF. SSSSSS cc if valid MAC sanfe sanitizable FFFF. SSSSSS EEEEEE mm, xx, tt sanfe IND-CPA FFFF. SSSSSS EEEEEE rr, xx, ttt MAC valid xx XX XX 19 MAC invalid MAC invalid FFFF. SSSSSS EEEEEE FFFF. SSSSSS EEEEEE MAC valid PRF security FFFF. SSSSSS EEEEEE FFFF. SSSSSS EEEEEE rr, xx, ttt Function: ff jj (mm, ii, tt) If P i, j = 1: output mm