fully key-homomorphic encryption and its applications · 2015-01-21 · fully key-homomorphic...
TRANSCRIPT
Fully Key-Homomorphic Encryptionand its Applications
D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, Valeria Nikolaenko,G. Segev, V. Vaikuntanathan, D. Vinayagamurthy
Outline
• Background on PKE and IBE
• Functionality of FKHE
• Applications
• Future & current work
Based on “Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits”, EUROCRYPT 2014
Background: Public-Key Encryption (PKE)
m
Decrypts using ,gets m
Decrypts:Dec(sk, c) → m
KeyGen → (pk, sk) pk
c = Enc(pk, m)
Alice Bob
c
[Diffie and Hellman 1976; Rivest, Shamir, Adleman 1977]
Alice Bob
Background: Identity Based Encryption (IBE)
• IBE is a public key encryption scheme; public keys are identities
Decrypts:Dec(sk”Alice”, c) → m
c = Enc(“Alice”, m)c
Alice Bob
Proposed by Shamir 1984, constructed by Boneh, Franklin and Cocks in 2001
Bob does not need to know Alice’s public key pp
Functionality of FKHEIBE: Identities are x,y ∈ ℤk
𝑞 (attributes)
Decrypts:Dec(sky, cx) → m iff x == y
cx = Enc(x, m)cx
Alice Bob
Decrypts:Dec(sky,f, cx) → m iff f(x) == y
cx = Enc(x, m)cx
Alice Bob
FKHE: x ∈ ℤk𝑞, f ∈ ℤ𝑞
𝑘 → ℤ𝑞 , y ∈ ℤ𝑞
Functionality of FKHEIBE: Identities are x,y ∈ ℤk
𝑞 (attributes)
Decrypts:Dec(sky, cx) → m iff x == y
cx = Enc(x, m)cx
Alice Bob
cx = Enc(x, m)cx
Alice Bob
Evaluates:Enc(x, m) → Enc( <f(x), f>, m)
cx → cf(x), f
Decrypts:Dec(sky,f, cf(x),f) → m iff f(x) == y
Key Homomorphism
FKHE: x ∈ ℤk𝑞, f ∈ ℤ𝑞
𝑘 → ℤ𝑞 , y ∈ ℤ𝑞
Functionality of FKHE II
• Setup(1λ) → pp, msk
• KeyGen(msk, (y, f)) → sky, f
• Enc(pp, x, m) → cx
• Eval(pp, f, cx) → cf(x), f
• Dec(cf(x), f, sky, f) → m iff f(x) = y
• Secure under LWE• Unbounded number of collusions
∈ ℤ𝑞 ∈ {ℤ𝑞𝑘 → ℤ𝑞}
Secret key for pk = (y, f)
∈ ℤ𝑘𝑞
Encryption under pk = x
∈ {ℤ𝑞𝑘 → ℤ𝑞}
Encryption under pk = (f(x), f)
Applications:• Attribute Based Encryption: short secret keys, arithmetic circuits
• Compressed Garbled Circuits
Attribute Based Encryption (ABE) [SW05]
BobAlice
Policies:
skAliceskBob
Charlie
Attributes:
c ← Enc(m, “Attributes”)
Can decrypt if Policy(Attributes) = 1
AND
“PhD student” “ComputerScience”
OR
“PhD student” “GS Business”
“PhD student”“Electrical Engineering”
Attribute Based EncryptionPolices Attributes Security Key size
SW05 Single threshold gates In ciphertext BDH
GPSW06, HW13 Monotone formulas In key BDH O(size)
BSW07 Monotone formulas In ciphertext Non-standard assumption O(size)
GJPS08 Bounded size threshold gts In ciphertext DBDH
LOSTW10 Monotone formulas In ciphertext Non-standard assumption O(size)
OT10 Span programs In key DLIN
ABVVW12 Single threshold In cipher LWE
Wat12 DFA In key l-Expanded BDHE
OSW12 Any formula In key DBDH O(size)
SW12, GGH12, GGHSW13 Boolean circuits In key, in cipher Multi-linear maps O(size)
Boy13 Boolean formulas In key LWE O(size)
GVW13 Boolean circuits In key LWE O(size)
This Arithmetic circuits In key LWE O(depth)
ABE from FKHE
BobAlicePolicy: f
skAlice = sk1,f skBob = sk1,g
CharlieAttribute: xMessage: m
Policy: g
KeyGen(msk, 1, f) → sk1,f
KeyGen(msk, 1, g) → sk1,g
Ciphertext: cx ← Enc(pp, x, m)
ABE from FKHE (decryption)
Alice (has sk1,f)Charlie
cx⟵ Enc(x, m)Eval(f, cx)
cf(x),f = Enc((f(x), f), m)
If f(x) = 1 can decrypt with sk1,f
Thm: FKHE is secure ⇒ ABE is secure
Our new ABE (key policy)
• Arithmetic circuits, not just boolean
• Key size depends on depth, not on size
• Arbitrary fan-in gates
• Delegatable
Delegation
Alice
Policy:
fDelegate
Alicia
f g
ANDMore restrictedpolicy:
Our scheme supports delegation:Alice can create a custom restricted secret key herself.
skf skfΛg
Garbled Circuits
Bob (y)Alice (x)garbled circuit: O(|f|)
OT: O(|x| + |y|)For new y’, repeat
f(x, y)
[GKPVZ’13]: reusable garbled circuit
Bob (y)Alice (x)garbled circuit: O(|f|)
For new y’, repeat
f(x, y)
O(|x| + |y|)
[Yao’86]:
Using our ABE:becomes short O(depth)
Want to compute f(x, y), not revealing x or y
Garbled Circuits
ABE
FHE
Garbled circuits
Reusablegarbled circuits
with short keys
compressed
O(depth)[GKPVZ’13] [This]
⟹
Future & current work
FKHE hides neither x nor f
Hiding xFunctional Encryption Hiding f Program Obfuscation
Alice Bobskf
cx = Enc(x)
Dec(cx, skf) -> f(x)
In FHE Bob gets cf(x) = Enc( f(x) )
Alice Bob
Ɵ(f) = skf
- Can compute f(x) for any x- Learns “nothing” about f
Thank [email protected]