Pratish Datta: Math, Multi-Authority ABE and More

Pratish Datta joined NTT Research as a scientist in the Cryptography & Information Security (CIS) Lab in December 2019. He was previously a post-doctoral fellow at the NTT Secure Platform Laboratories in Japan under the supervision of Dr. Tatsuaki Okamoto (who became the founding director of the CIS Lab). Dr. Datta received his M.Sc. in Mathematics and Ph.D. in cryptography from the Indian Institute of Technology Kharagpur in 2012 and 2017, respectively. Mathematics laid the foundation for his expertise in a wide range of hybrid strategies of provable security. His research is focused on designing cryptographic algorithms that offer advanced functionalities, feature practical efficiency, and guarantee strong mathematical security at the same time. Specifically, he is interested in the design and analysis of functional encryption, attribute-based encryption (ABE), signatures and pseudorandom functions. 

For more about Dr. Datta, take a look at this related video on the CIS Lab home page, and for more details on his background and research, especially his recent work on post-quantum, multi-authority ABE, please read the following Q&A: 

What aspects of mathematics most interested you in your undergraduate and initial graduate studies?

During my undergraduate and graduate studies on mathematics, I became deeply fascinated with algebra, especially linear algebra, field theory, and number theory. I also became interested in discrete mathematics and combinatorics. 

How did you make the transition from math to cryptography for your Ph.D.? What was your dissertation about?

During my graduate studies, I took one course on advanced number theory and cryptography, where I learned how number theory is being applied to devise solutions for data confidentiality and authentication. I always wanted to do research on applying the power of mathematics to resolve the most demanding problems of modern times. After completing that course, I found cryptography a very good application of mathematics towards the betterment of humanity. As we all know, with the growing reliance on digital communication and infrastructures in everyday life, the question of data confidentiality and integrity has become a central concern. I decided to utilize my mathematical knowledge towards devising advanced solutions for data security.

My dissertation, titled “Design and analysis of Functional Encryption, Signcryption, and Constrained Pseudorandom Functions,” develops new functional encryption and authentication schemes with advanced properties. More precisely, my dissertation presents the following inventions: 

  • The first functional encryption scheme for inner product functionality that provides confidentiality not only for the encrypted data, but also for the functions embedded within the secret keys in the strongest sense from the widely used machineries of bilinear groups and under the well-studied k-Linear assumption. This advanced form of security is desirable in several application scenarios, e.g., while conducting studies on sensitive medical records. 
  • The first attribute-based encryption scheme for general polynomial-sized access policies that additionally supports revoking malicious or compromised user keys while incurring very small overhead for the added revocation functionality. In fact, the proposed scheme features compact public parameters and very few revocation controlling elements within ciphertexts. 
  • The formulation and instantiation of the notion of functional signcryption that enables encryption and authentication in a single cost-effective primitive. Functional signcryption not only controls the decryption rights of individuals but also their signing rights, and it avoids the overhead of using two separate primitives for the two purposes. 
  • The first constrained pseudorandom function for unbounded length inputs and constraints expressed as Turing machines secure against adaptive secret key queries for non-satisfying constraints. 

What was it like working with the Secure Platform Laboratories in Japan and how did that work influence your research agenda? Did that experience draw you to NTT Research? 

Working at NTT Secure Platform Laboratories under the supervision of Dr. Tatsuaki Okamoto was a very rewarding and wonderful learning experience for me. Dr. Okamoto is one of the prominent researchers in cryptography, in particular, functional encryption. During my post-doc tenure, I collaborated with Dr. Okamoto on three research projects related to functional encryption and signatures. I learned several design ideas and proof techniques for working with dual pairing vector spaces, a mathematical structure he invented for designing efficient functional encryption schemes with very strong security guarantees in bilinear group settings. This knowledge has helped me a lot in my subsequent research endeavors. Indeed, I have built on and extended those techniques in my recent works on compact functional encryption schemes for the attribute-weighted sum functionality. 

Dr. Okamoto also helped me learn the foundational aspects of post-quantum cryptography, especially post-quantum functional encryption, which is one of my main research interests at present. In fact, Dr. Okamoto and I have collaborated on a project to design a post-quantum version of the dual pairing vector space structure based on lattice assumptions, which in turn can be utilized to design attribute-based and functional encryption schemes with the strongest adaptive security guarantees against quantum adversaries, a long-standing open problem in the field of functional encryption. 

Besides enjoying the collaboration and mentorship of Dr. Okamoto, I found the environment and work culture of NTT Secure Platform Laboratories very dynamic and flexible. One thing that I really liked about NTT Secure Platform Laboratories was the freedom to work on problems that interested me most and enabled the most effective utilization of my knowledge and expertise. Besides, I have been provided with all the necessary research tools and facilities. These are very important for any researcher to produce good research outcomes. Moreover, I found the environment in the lab very calm and focused. All these things made my tenure at NTT Secure Platform Laboratories a memorable one, and I decided to pursue my career further at NTT Research. 

When did you begin to look at attribute-based encryption and its opportunities and challenges, such as securing it from quantum attacks?

I started looking at ABE at a relatively early stage of my research career. I came across the paper entitled “Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions,” by Dr. Brent Waters during the initial years of my Ph.D., and I was fascinated by the potential and scope of ABE, as well as the techniques employed to design this primitive. As I started working on ABE and exploring the literature more, I eventually realized that the existing techniques for building ABE are no longer sufficient for designing a post-quantum candidate of the primitive. Indeed, most ABE schemes today are built in the bilinear group setting and rely on source group assumptions such as subgroup decision or k-Lin for their security. The nice thing about the bilinear group structure and source group assumptions is the symmetry that one can utilize to design the ciphertext in one source group and secret keys in the other and apply the source group assumptions in symmetrical fashion on both groups in order to change ciphertext and secret keys during the security proof. However, such symmetry is not present in lattice-based structures, which is viewed as the most promising structure for post-quantum cryptography. This motivated me to devise new techniques to develop post-quantum ABE candidates.

In terms of the paper that you wrote with Drs. Waters and Komargodski on ABE for DNFs from LWE, is using decentralized multi-authority (MA) the best way to implement ABE – as opposed to a centralized approach? If so, why is that?

In a standard ABE scheme, there is one central authority that is responsible for issuing keys to users. This means, the central authority is tasked with maintaining all the attributes present in the system. However, in reality, this is often not the case. For instance, the DMV is responsible for managing drivers’ licenses, universities are responsible for managing academic degrees, the board of election is responsible for managing voting eligibility, and so on. So, if we consider a standard ABE system, where the attributes are drivers’ licenses, academic degrees, and voting eligibility, then we should have the DMV, the universities, and the board of election share all their information with one trusted authority who would be responsible for issuing keys to users. This clearly limits the flexibility and involves the sharing of a lot of sensitive data. Moreover, this central authority should remain uncorrupted throughout the lifetime of the system because once the central authority gets corrupted, all the sensitive credentials will be leaked, and the system would be completely broken. 

In contrast, if the DMV, universities, and board of election can independently manage the attributes under their control and issue secret keys to users corresponding to those attributes as is the case in decentralized multi-authority ABE, then there would be no risk of sharing sensitive credentials with some third party and trusting it for the proper enforcement of decryption rights. Even if some of the authorities get corrupted, we can still hope to have security with respect to the attributes controlled by honest authorities. Furthermore, the individual authorities can issue secret keys to users independently and without ever knowing who the other authorities are in the system, which is very important when implementing ABE in a large-scale environment. Additionally, new authorities can join the system at any point of time, and there remains no upper bound on the number of authorities or attributes that can ever exist in the system. This dynamism is usually not supported in a centralized ABE system, since once the system is set up with a certain number of attributes, it is usually hard to expand the attribute universe without setting up a completely new system. Thus, multi-authority ABE is the desirable version of ABE for most real-life deployment. 

What’s so important about creating LWE-based ABE schemes that are designed in the ciphertext policy (CP) setting, as opposed to the key policy (KP) setting? 

In KP-ABE, ciphertexts are associated with sets of descriptive attributes, and users’ keys are associated with policies. Thus, in KP-ABE, the encryptor exerts no control over who has access to the data that he or she encrypts, except by his or her choice of descriptive attributes for the data. Rather, he or she must trust that the key-issuer issues the appropriate keys to grant or deny access to the appropriate users. In other words, in KP-ABE, the “intelligence” is assumed to be with the key issuer, and not the encryptor. This may not be desirable in several applications. On the other hand, in CP-ABE, the encryptor is able to intelligently decide who should or should not have access to the data that he or she encrypts. Thus, in CP-ABE, the encryptor has more control on granting access to his or her data. One typical scenario could be the social networking platforms, where the users sharing their data should have the flexibility to control with whom the data is shared and not the platform. 

Could you summarize the significance of the contributions in this paper to establishing a more quantum-secure implementation of ABE and briefly describe how you built it?

In this work, we designed the first collusion-resistant post-quantum decentralized MA-ABE scheme. In our scheme, any party can become an authority at any point of time, and there is no bound on the number of attribute authorities that can join the system or need for any global coordination among authorities. We prove the security of our scheme under the Learning with Errors (LWE) assumption, the most widely believed post-quantum, computationally hard problem against quantum adversaries. Our MA-ABE scheme supports access policies expressed by linear secret sharing schemes (LSSS) with two special properties required for integration into the LWE setting, namely, small reconstruction coefficients and linear independence for unauthorized rows of the access matrix. In particular, our MA-ABE scheme supports access policies captured by disjunctive normal form (DNF) formulas. We thus resolve a long-standing open problem in the field of MA-ABE and thereby moved the state of the art one step closer towards a large-scale, post-quantum ABE deployment in practice. 

In order to build our MA-ABE scheme, we took a modular approach. We start by designing the first direct construction of a post-quantum CP-ABE scheme under the LWE assumption. Prior to our work, the only known avenue for constructing CP-ABE under the LWE assumption was via a folklore generic transformation from KP-ABE using the machinery of universal circuits. As opposed to that universal circuit-based CP-ABE scheme, our direct construction enjoys interesting properties, namely, public randomness and modularized structure for users’ secret keys. Leveraging these important properties in a crucial way, we then extended our CP-ABE scheme into the decentralized multi-authority setting.  At a technical level, our work made important conceptual contributions in developing new tools and proof techniques. All existing LWE-based ABE schemes are based on techniques inspired from those in the field of fully homomorphic encryption (FHE). In contrast, we devise a new pathway towards LWE-based ABE by developing techniques to import the bilinear map-based counterparts into the LWE setting.

Is there any other ongoing research you’d like to mention?

Currently, I am working on both enhancing the post-quantum security for expressive multi-authority ABE schemes, as well as designing multi-authority ABE schemes with stronger security guarantees. In particular, one long standing open problem in the field of multi-authority ABE has been to support adaptive corruption of attribute authorities. This is very important for deploying multi-authority ABE in a decentralized environment where authorities are completely independent of one another and can join the system at any point of time. In another collaboration with Dr. Brent Waters and Dr. Ilan Komargodski, I developed the first multi-authority ABE scheme that supports both adaptive user key queries and adaptive corruption of authorities at the same time. The scheme is built in bilinear groups under well-studied computational assumptions. The paper, titled “Fully Adaptive Decentralized Multi-Authority ABE,” is already out on ePrint. 

I am also working on enhancing the functionality of multi-authority ABE schemes. More precisely, I am engaged in designing decentralized multi-authority attribute-based inner-product functional encryption scheme, where each authority can control an arbitrary number of attributes while an arbitrary length data can be processed during decryption upon a successful access right validation. Note that in a multi-authority ABE, a successful access right validation enables the recovery of the encrypted data in the clear, whereas in a multi-authority attribute-based inner-product functional encryption a successful access right validation only allows validating inner products on encrypted data. Thus, we are moving towards an even more fine-grained access control in the multi-authority setting and offering even greater flexibility over encrypted data processing.