Fully Key-Homomorphic Encryptionand its Applications

D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, Valeria Nikolaenko,G. Segev, V. Vaikuntanathan, D. Vinayagamurthy

Outline

• Background on PKE and IBE

• Functionality of FKHE

• Applications

• Future & current work

Based on “Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits”, EUROCRYPT 2014

Background: Public-Key Encryption (PKE)

m

Decrypts using ,gets m

Decrypts:Dec(sk, c) → m

KeyGen → (pk, sk) pk

c = Enc(pk, m)

Alice Bob

c

[Diffie and Hellman 1976; Rivest, Shamir, Adleman 1977]

Alice Bob

Background: Identity Based Encryption (IBE)

• IBE is a public key encryption scheme; public keys are identities

Decrypts:Dec(sk”Alice”, c) → m

c = Enc(“Alice”, m)c

Alice Bob

Proposed by Shamir 1984, constructed by Boneh, Franklin and Cocks in 2001

Bob does not need to know Alice’s public key pp

Functionality of FKHEIBE: Identities are x,y ∈ ℤk

𝑞 (attributes)

Decrypts:Dec(sky, cx) → m iff x == y

cx = Enc(x, m)cx

Alice Bob

Decrypts:Dec(sky,f, cx) → m iff f(x) == y

cx = Enc(x, m)cx

Alice Bob

FKHE: x ∈ ℤk𝑞, f ∈ ℤ𝑞

𝑘 → ℤ𝑞 , y ∈ ℤ𝑞

Functionality of FKHEIBE: Identities are x,y ∈ ℤk

𝑞 (attributes)

Decrypts:Dec(sky, cx) → m iff x == y

cx = Enc(x, m)cx

Alice Bob

cx = Enc(x, m)cx

Alice Bob

Evaluates:Enc(x, m) → Enc( <f(x), f>, m)

cx → cf(x), f

Decrypts:Dec(sky,f, cf(x),f) → m iff f(x) == y

Key Homomorphism

FKHE: x ∈ ℤk𝑞, f ∈ ℤ𝑞

𝑘 → ℤ𝑞 , y ∈ ℤ𝑞

Functionality of FKHE II

• Setup(1λ) → pp, msk

• KeyGen(msk, (y, f)) → sky, f

• Enc(pp, x, m) → cx

• Eval(pp, f, cx) → cf(x), f

• Dec(cf(x), f, sky, f) → m iff f(x) = y

• Secure under LWE• Unbounded number of collusions

∈ ℤ𝑞 ∈ {ℤ𝑞𝑘 → ℤ𝑞}

Secret key for pk = (y, f)

∈ ℤ𝑘𝑞

Encryption under pk = x

∈ {ℤ𝑞𝑘 → ℤ𝑞}

Encryption under pk = (f(x), f)

Applications:• Attribute Based Encryption: short secret keys, arithmetic circuits

• Compressed Garbled Circuits

Attribute Based Encryption (ABE) [SW05]

BobAlice

Policies:

skAliceskBob

Charlie

Attributes:

c ← Enc(m, “Attributes”)

Can decrypt if Policy(Attributes) = 1

AND

“PhD student” “ComputerScience”

OR

“PhD student” “GS Business”

“PhD student”“Electrical Engineering”

Attribute Based EncryptionPolices Attributes Security Key size

SW05 Single threshold gates In ciphertext BDH

GPSW06, HW13 Monotone formulas In key BDH O(size)

BSW07 Monotone formulas In ciphertext Non-standard assumption O(size)

GJPS08 Bounded size threshold gts In ciphertext DBDH

LOSTW10 Monotone formulas In ciphertext Non-standard assumption O(size)

OT10 Span programs In key DLIN

ABVVW12 Single threshold In cipher LWE

Wat12 DFA In key l-Expanded BDHE

OSW12 Any formula In key DBDH O(size)

SW12, GGH12, GGHSW13 Boolean circuits In key, in cipher Multi-linear maps O(size)

Boy13 Boolean formulas In key LWE O(size)

GVW13 Boolean circuits In key LWE O(size)

This Arithmetic circuits In key LWE O(depth)

ABE from FKHE

BobAlicePolicy: f

skAlice = sk1,f skBob = sk1,g

CharlieAttribute: xMessage: m

Policy: g

KeyGen(msk, 1, f) → sk1,f

KeyGen(msk, 1, g) → sk1,g

Ciphertext: cx ← Enc(pp, x, m)

ABE from FKHE (decryption)

Alice (has sk1,f)Charlie

cx⟵ Enc(x, m)Eval(f, cx)

cf(x),f = Enc((f(x), f), m)

If f(x) = 1 can decrypt with sk1,f

Thm: FKHE is secure ⇒ ABE is secure

Our new ABE (key policy)

• Arithmetic circuits, not just boolean

• Key size depends on depth, not on size

• Arbitrary fan-in gates

• Delegatable

Delegation

Alice

Policy:

fDelegate

Alicia

f g

ANDMore restrictedpolicy:

Our scheme supports delegation:Alice can create a custom restricted secret key herself.

skf skfΛg

Garbled Circuits

Bob (y)Alice (x)garbled circuit: O(|f|)

OT: O(|x| + |y|)For new y’, repeat

f(x, y)

[GKPVZ’13]: reusable garbled circuit

Bob (y)Alice (x)garbled circuit: O(|f|)

For new y’, repeat

f(x, y)

O(|x| + |y|)

[Yao’86]:

Using our ABE:becomes short O(depth)

Want to compute f(x, y), not revealing x or y

Garbled Circuits

ABE

FHE

Garbled circuits

Reusablegarbled circuits

with short keys

compressed

O(depth)[GKPVZ’13] [This]

⟹

Future & current work

FKHE hides neither x nor f

Hiding xFunctional Encryption Hiding f Program Obfuscation

Alice Bobskf

cx = Enc(x)

Dec(cx, skf) -> f(x)

In FHE Bob gets cf(x) = Enc( f(x) )

Alice Bob

Ɵ(f) = skf

- Can compute f(x) for any x- Learns “nothing” about f

Thank youvalerini@stanford.edu