Functional Encryption: An Introduction and Survey
Brent Waters

Pre-Public Key Cryptography
- Established mutual secrets
- Small networks
[Diagram labels: SK, SK]

The world gets bigger
- Internet – Billions of users
- Unsustainable

Public Key Cryptography
- Public Key Encryption [DH76, M78, RSA78, GM84]
- Avoid Secret Exchange
[Diagram labels: PubK, SK]

Data in the Cloud: Another Turning Point?
- Cloud is growing
- Encryption a must
- LA Times 7/17: City of LA weighs outsourcing IT to Google
- LAPD: Arrest Information Sensitive

Rethinking Encryption
[Policy diagram: Internal Affairs OR (Undercover AND Central)]
Problem: Disconnect between policy and mechanism
- Who matches this? Am I allowed to know?
- What if they join later?
- Should they see everything?
- Process data before decryption?

Attribute-Based Encryption [SW05]
[Diagram labels: Key Authority, MSK, PK; φ = Int. Affairs OR (Undercover AND Central); SK: “Undercover”, “Central”; SK: “Undercover”, “Valley”]

First Approach & Collusion Attacks
- Allowed Collusion [S03, MS03, J04, BMC06]
[Diagram labels: policy A AND B; E_A(R), E_B(M ⊕ R); PK_A, SK_A, PK_B, SK_B; SK_Sarah: “A” → R; SK_Kevin: “B” → M ⊕ R; combined → M: Collusion Attack!]

Collusion Attacks: The Key Threat
- Need: Key “Personalization”
- Tension: Functionality vs. Personalization
[Diagram labels: policy Int. Affairs OR (Undercover AND Central); Kevin: “Undercover”, “Valley”; James: “Central”, “Parking”]

Key Personalization (Intuition)
[Diagram labels: Kevin: “Undercover” … SK, Random t; James: “Central” … SK, Random t']

Making it work (sketch)
- Secret Share in Exponent
- Pairing 1st Step Personalized Randomization
- Combine “Personalized” Shares
- Final: “Unpersonalize”
[Policy diagram: Internal Affairs OR (Undercover AND Central)]

Is this what we need?
- Descriptive Encryption
- T.M. is more powerful
- “All or nothing” decryption (no processing)

Functional Encryption
Functionality: f(·, ·)
Key: y ∈ {0, 1}*
CT: x ∈ {0, 1}*
Security: Simulation Def.
[Diagram labels: Authority, MSK, Public Params, SK_y, X, f(x, y)]

What can I do?
[Diagram label: SK]

What could F.E. do?
[Diagram label: SK]

IBE: Where it started
- S84, BF01, C01…
Key: y ∈ {0, 1}*
CT: x = (M, ID)
f(x = (M, ID), y) = M, ID             if y = ID
                    ID (“Annotated”)  if y ≠ ID
[Diagram labels: SK, Y, X]

Attribute-Based Encryption
- SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08
Key: y ∈ {0, 1}^n (boolean variables)
CT: x = (M, φ)
f(x = (M, φ), y) = M, φ             if φ(y) = true
                   φ (“Annotated”)  if φ(y) = false
[Diagram labels: SK, Y, X]

Attribute-Based Encryption (“Ciphertext Policy”)
- SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08
Key: y ∈ {0, 1}^n (boolean variables)
CT: x = (M, φ)
f(x = (M, φ), y) = M, φ             if φ(y) = true
                   φ (“Annotated”)  if φ(y) = false
[Diagram labels: SK, Y, X]

Attribute-Based Encryption (“Key Policy”)
- SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08
Key: y = φ
CT: x = (M, X ∈ {0, 1}^n)
f(x = (M, X), y) = M, φ             if φ(X) = true
                   X (“Annotated”)  if φ(X) = false
[Diagram labels: SK, Y, X]

Anonymous IBE & Searching on Encrypted Data
Key: y ∈ {0, 1}*
CT: x ∈ {0, 1}*
f(x, y) = 1  if y = x
          0  otherwise
- BDOP04: Boneh-Franklin is anonymous
- ABCKKLMNPS05: defs.
- BW06: Standard Model
[Diagram labels: SK, Y, X]

Conjunctive Search [BW07, SBCSP07]
Key: y = (y_1, …, y_n), y_i ∈ {0, 1}* ∪ {⋆}
CT: x = (x_1, …, x_n), x_i ∈ {0, 1}*
f(x, y) = 1  if ∀ y_i ≠ ⋆, y_i = x_i
          0  otherwise
- Cancellation techniques -> AND
- Must not learn intermediate result!
[Diagram labels: SK, Y, X]

Inner Product & ORs [KSW08]
Key: y = (y_1, …, y_n) ∈ Z_N^n
CT: x = (x_1, …, x_n) ∈ Z_N^n
f(x, y) = 1  if x · y = 0
          0  otherwise
- OR -- Bob OR Alice -- p(z) = (A-z)(B-z)
- Increased Malleability!
- Subgroups
[Diagram labels: SK, Y, X]

Three Directions

Functionality
- Current: Inner Product
- Natural Limits?
- Fully Homomorphic Enc? --- Can’t do IBE
- Annotated: Hide What (Message), Not Why
- Expect more progress

Proofs of Security
- “Partitioning” [BF01, CHK03, BB04, W05]
[Diagram labels: Simulator, ID Space, Priv. Key Space, Challenge Space, ID_1, ID_2, …, ID_Q, ID* (challenge ID)]
Balance: Challenge Space 1/Q => 1/Q of no abort

Structure gives problems!
- 2-level HIBE
- Balance: Depth d HIBE => 1/Q^d
- ABE, … similar problems
- “Selective Security”
- Declare X* before params
[Diagram labels: .gov, .edu]

Moving Past Partitioning
- G06, GH09
- Simulator 1-key per identity – always looks good
- Augmented n-BDHE
- W09
- Dual System Encryption
- Hybrid over keys
- “Simple” Decision Linear
- LSW09 ABE solution

Multiple Authorities
φ = : Student AND : Friend
Problem: Disparate organizations
Central Authority + Certs?
- Central Trust + Bottleneck
C07: C.A. (no order), Global ID, AND formulas

Summary
- Rethink Encryption
- Describe Target
- “Evaluate” vs. “Decrypt” a Ciphertext
- Functional Encryption
- Ideal: Any Functionality
- “Lens” or common framework
- Progress, but still much to do

Thank you