Predicate Encryption for Multi-Dimensional Range Queries ...gay/GMW15.pdf · École Normale Supérieure, CNRS, INRIA, PSL, Paris, France R E S E A R C H U N I V E R S I T Y PKC 2015

Predicate Encryptionfor Multi-Dimensional Range Queries

from Lattices

Romain GAY , Pierrick MÉAUX , Hoeteck WEE

École Normale Supérieure, CNRS, INRIA, PSL, Paris, France

R E S E A R C H

U N I V E R S I T Y

PKC 2015 — Maryland, USATuesday, March 31

GMW (ENS, Paris) PE for Multi-Dimensional Range Queries from Lattices Tuesday, March 31 1 / 13

Multi-Dimensional Range Queries

Online Dating Configuration

Profile

AliceHeaderHobbiesPictures




Profile


Preferences

N pictures:

Children:

Age:

Salary:

x1 > 0

x2 = 0

24 ≤ x3 ≤ 36

$$$$ ≤ x4 ≤ max




Profile


Preferences

N pictures:

Children:

Age:

Salary:

x1 > 0

x2 = 0

24 ≤ x3 ≤ 36

$$$$ ≤ x4 ≤ max

Online dating using Attribute-Based Encryption [GVW13, BGG+14]




Profile


Preferences

N pictures:

Children:

Age:

Salary:

ABE does not ensure attribute hiding

? ≤ x1 ≤?

? ≤ x2 ≤?

? ≤ x3 ≤?

? ≤ x4 ≤?




Profile


Preferences

N pictures:

Children:

Age:

Salary:

? ≤ x1 ≤?

? ≤ x2 ≤?

? ≤ x3 ≤?

? ≤ x4 ≤?

Online dating using Predicate Encryption [BW07, SBC+07,KSW08]



Online Dating Encryption Scheme

CT: Encrypted Profile

Plaintext

Preferences(Attribute)





Plaintext


User Bob

N Picture : 3

Children : 0

Age : 32

Salary : $$$$$

User Carol

N Picture : 3

Children : 1

Age : 29

Salary : $$$$$$





Plaintext


User Bob

SKBob

User Carol

SKCarol





Plaintext


User Bob

SKBob

Decryption




User Bob

SKBob

m : Decrypted Profile


Successful decryption and learning the matches





Plaintext


User Carol

SKCarol

Decryption





Plaintext


User Carol

SKCarol

Incorrect decryption, no more information



Result

TheoremPredicate Encryption

for

MDRQfrom

LWE

Prior worksfrom pairings

[BW07,SBC+07]

LWE

And-Or-Eq Predicate

MDRQ



Result

TheoremPredicate Encryption

for

MDRQfrom

LWE

Prior worksfrom pairings

[BW07,SBC+07]

LWE

And-Or-Eq Predicate

MDRQ


And Or Eq Predicate

And Or Eq Predicate

Disjunction of conjunction of equality queries

PAND-OR-EQ : ZD×`q × ZD×`

q → {0, 1}PAND-OR-EQ(X , Y ) =

∧Di=1∨`

j=1

(Xi,j = Yi,j

)Matrix X Matrix Y


And Or Eq Predicate

And Or Eq Predicate



q → {0, 1}PAND-OR-EQ(X , Y ) =

∧Di=1∨`

j=1

(Xi,j = Yi,j

)PAND-OR-EQ(X , Y ) = 1


And Or Eq Predicate

And Or Eq Predicate



q → {0, 1}PAND-OR-EQ(X , Y ) =

∧Di=1∨`

j=1

(Xi,j = Yi,j

)Matrix X Matrix Y ′


And Or Eq Predicate

And Or Eq Predicate



q → {0, 1}PAND-OR-EQ(X , Y ) =

∧Di=1∨`

j=1

(Xi,j = Yi,j

)PAND-OR-EQ(X , Y ′) = 0


And Or Eq Predicate

From Range Query to And Or Eq

Range X Point Y

X = [3, 13] Y = 8

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

PAND OR EQ(X , Y ) =?


And Or Eq Predicate


Range X Point Y

X = [3, 13] Y = 8

? ? ? ? ? ? ? ?

? ? ? ? ? ? ? ?



And Or Eq Predicate


Range X Point Y

X = [3, 13] Y = 8

? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?



And Or Eq Predicate

From Range to Vector

Query over [0, 2` − 1]


And Or Eq Predicate


Query over [0, 2` − 1] ; example: ` = 4, range = [3, 13]

3 13


And Or Eq Predicate



3 13

0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

000 001 010 011 100 101 110 111

00 01 10 11

0 1


And Or Eq Predicate



3 13

0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

000 001 010 011 100 101 110 111

00 01 10 11

0 1

0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101


And Or Eq Predicate



3 13

0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

000 001 010 011 100 101 110 111

00 01 10 11

0 1

0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101

010 011 100 101 110


And Or Eq Predicate



3 13

0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

000 001 010 011 100 101 110 111

00 01 10 11

0 1

0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101

010 011 100 101 110

01 10


And Or Eq Predicate



3 13

0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

000 001 010 011 100 101 110 111

00 01 10 11

0 1

0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101

010 011 100 101 110

01 10

0011

110

01 10


And Or Eq Predicate



3 13

0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

000 001 010 011 100 101 110 111

00 01 10 11

0 1

0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101

010 011 100 101 110

01 10

0011

110

01 10

ε ε 01 10 110 ε 0011 ε


And Or Eq Predicate

From Range Query to And Or Eq (2)

Range X Point Y

X = [3, 13] Y = 8

ε ε 01 10 110 ε 0011 ε ? ? ? ? ? ? ? ?



And Or Eq Predicate

From Point to Vector

Point in [0, 2` − 1]


And Or Eq Predicate


Point in [0, 2` − 1] ; example: ` = 4, point = 8

8

binary: 1000


And Or Eq Predicate


Point in [0, 2` − 1] ; example: ` = 4, point = 8

8

binary: 1000

1 1 10 10 100 100 1000 1000


And Or Eq Predicate


Range X Point Y

X = [3, 13] Y = 8

ε ε 01 10 110 ε 0011 ε 1 1 10 10 100 10010001000



And Or Eq Predicate


Range X Point Y

X = [3, 13] Y = 8

ε ε 01 10 110 ε 0011 ε 1 1 10 10 100 10010001000

PAND OR EQ(X , Y ) = 1

10


And Or Eq LWE-based Scheme

One-dimensional Scheme

MDRQ based on standard LWEPredicate Encryption scheme using anonymous IBE [ABB10,CHKP10]

MPK:

A, A1, A2, · · · , A`, P , G





Attribute: x ∈ Z`q

A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P






A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample





Predicate: y ∈ Z`q

SK:

U1, U2

, · · · , U`

Ui s.t. [A | Ai +yiG ] Ui = P


A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample





Decryption:

if x1 = y1


SK:

U1, U2

, · · · , U`



A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample





Decryption:

Attribute hiding property

Run over 1, · · · , `


SK:

U1, U2

, · · · , U`



A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample





Decryption:


Run over 1, · · · , `


SK:

U1, U2

, · · · , U`



A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample





Decryption:


Run over 1, · · · , `


SK:

U1, U2

, · · · , U`



A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample





Decryption:

Correctness: which part ?x1 = y1

redondants zeros : DEC→ (0, · · · , 0, m )


SK:

U1, U2

, · · · , U`



A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample





Decryption:

Correctness: which part ?x` 6= y`

random value : DEC→ (0, 1, 1, · · · , 1, 0 )


SK:

U1, U2

, · · · , U`



A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample





D-Dimensional set:

Use additive secret sharing [ABV12+]

Share P in P1 + P2 + · · · +PD ; Uji gives Pi


SK:

U1, U2

, · · · , U`



A|A1 + x1G|A2 + x2G|· · · |A` + x`G|P

CT:LWE sample



Attribute-Hiding

CT := s>[A, A1 + x1G, · · · , A` + x`G, P] + [0>, · · · , 0>, b′>bq/2c] + noise

MPK CT

s>A + noise

A, A1, G

s> (A1+x1G︸︷︷︸A′

1

) + noise

≡s>A + noise

≈LWE

A, A′1 −x1G, G

random



Attribute-Hiding


MPK CT

s>A + noise

A, A1, G

s> (A1+x1G︸︷︷︸A′

1

) + noise ≡s>A + noise

A, A′1 −x1G, G

s>A′1 + noise

≈LWE

A, A′1 −x1G, G

random



Attribute-Hiding


MPK CT

s>A + noise

A, A1, G

s> (A1+x1G︸︷︷︸A′

1

) + noise ≡s>A + noise

A, A′1 −x1G, G

s>A′1 + noise≈

LWE

A, A′1 −x1G, G

random

A, A′1 −x1G, G

random



Summary

Lattice-based predicate encryption scheme for multi-dimensional range query

Selectively secure, weakly attribute hiding

Reference Size Time Attribute basedPK and CT SK ENC DEC hiding on

[BW07] (KP) O(D · T ) O(D) O(D · T ) O(D) fully pairings[SBCSP07](KP,CP) O(D log T ) O(D log T ) O(D log T ) O((log T )D) weakly pairingsthis paper (KP,CP) O(D log T ) O(D log T ) O(D log T ) O((log T )D) weakly lattices

Thanks for your attention !



Summary

Lattice-based predicate encryption scheme for multi-dimensional range query

Selectively secure, weakly attribute hiding

Reference Size Time Attribute basedPK and CT SK ENC DEC hiding on

[BW07] (KP) O(D · T ) O(D) O(D · T ) O(D) fully pairings[SBCSP07](KP,CP) O(D log T ) O(D log T ) O(D log T ) O((log T )D) weakly pairingsthis paper (KP,CP) O(D log T ) O(D log T ) O(D log T ) O((log T )D) weakly lattices

Thanks for your attention !


Documents

Predicate Encryption for Multi-Dimensional Range Queries ...gay/GMW15.pdf · École Normale Supérieure, CNRS, INRIA, PSL, Paris, France R E S E A R C H U N I V E R S I T Y PKC 2015