Functional Encryption: An Introduction and Survey, Brent Waters
TRANSCRIPT
Functional Encryption: An Introduction and Survey
Brent Waters
Pre-Public Key Cryptography
Established mutual secrets
Small networks
SK SK
The world gets bigger
Internet – Billions of users
Unsustainable
Public Key Cryptography
Public Key Encryption [DH76,M78,RSA78,GM84]
Avoid Secret Exchange
SK PubK
Data in the Cloud: Another Turning Point?
Cloud is growing
Encryption a must
LA Times 7/17: City of LA weighs outsourcing IT to Google
LAPD: Arrest Information Sensitive
Rethinking Encryption
Internal Affairs OR (Undercover AND Central)
Who matches this? Am I allowed to know?
What if they join later?
Should they see everything?
Process data before decryption?
Problem: Disconnect between policy and mechanism
Attribute-Based Encryption [SW05]
Key Authority: PK, MSK
SK: “Undercover”, “Central”
SK: “Undercover”, “Valley”
φ = Int. Affairs OR (Undercover AND Central)
First Approach & Collusion Attacks
SK Sarah: “A”
SK Kevin: “B”
A AND B
PK_A, SK_A
PK_B, SK_B
E_A(R), E_B(M ⊕ R)
R?
M ⊕ R
M
Collusion Attack!
Allowed Collusion [S03, MS03, J04, BMC06]
Collusion Attacks: The Key Threat
Kevin: “Undercover”, “Valley”
Int. Affairs OR (Undercover AND Central)
James: “Central”, “Parking”
Need: Key “Personalization”
Tension: Functionality vs. Personalization
Key Personalization (Intuition)
SK
SK
Kevin: “Undercover”…
James: “Central”…
Random t
Random t’
Making it work (sketch)
Internal Affairs OR (Undercover AND Central)
Personalized Randomization
Secret Share in Exponent
Pairing 1st Step
Combine “Personalized” Shares
Final: “Unpersonalize”
Is this what we need?
Descriptive Encryption
T.M. is more powerful
“All or nothing” decryption (no processing)
Functional Encryption
Functionality: f(·, ·)
Public Params
Authority
MSK
Key: y ∈ {0,1}*
X
SK_y
CT: x ∈ {0,1}*
f(x, y)
Security: Simulation Def.
What can I do?
SK
What could F.E. do?
SK
IBE: Where it started
S84, BF01, C01…
Key: y ∈ {0,1}*
X
SK_Y
CT: x = (M, ID)
f(x = (M, ID), y) =
  M, ID if y = ID
  ID if y ≠ ID
“Annotated”
Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08
Key: y ∈ {0,1}^n (boolean variables)
X
SK_Y
CT: x = (M, φ)
f(x = (M, φ), y) =
  M, φ if φ(y) = true
  φ if φ(y) = false
“Annotated”
“Ciphertext Policy”
Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08
Key: y = φ
X
SK_Y
CT: x = (M, X ∈ {0,1}^n)
f(x = (M, X), y) =
  M, φ if φ(X) = true
  X if φ(X) = false
“Annotated”
“Key Policy”
Anonymous IBE & Searching on Encrypted Data
BDOP04: Boneh-Franklin is anonymous
ABCKKLMNPS05: defs.
BW06: Standard Model
Key: y ∈ {0,1}*
X
SK_Y
CT: x ∈ {0,1}*
f(x, y) =
  1 if y = x
  0 otherwise
Conjunctive Search [BW07, SBCSP07]
Key: y = (y1, …, yn), yi ∈ {0,1}* ∪ ⊥
X
SK_Y
CT: x = (x1, …, xn), xi ∈ {0,1}*
f(x, y) =
  1 if ∀ yi ≠ ⊥, yi = xi
  0 otherwise
Cancellation techniques -> AND
Must not learn intermediate result!
Inner Product & ORs [KSW08]
Key: y = (y1, …, yn) ∈ Z_N^n
X
SK_Y
CT: x = (x1, …, xn) ∈ Z_N^n
f(x, y) =
  1 if x · y = 0
  0 otherwise
OR -- Bob OR Alice -- p(z) = (A-z)(B-z)
Increased Malleability!
Subgroups
Three Directions
Functionality
Current: Inner Product
Natural Limits?
Fully Homomorphic Enc? --- Can’t do IBE
Annotated: Hide What (Message), Not Why
Expect more progress
Proofs of Security
“Partitioning” [BF01, C01, CHK03, BB04, W05]
Simulator
ID Space
Priv. Key Space
Challenge Space
ID1
ID2…
…
IDQ
ID* (challenge ID)
Balance: Challenge Space 1/Q => 1/Q of no abort
Structure gives problems!
2-level HIBE
Balance: Depth d HIBE => 1/Q^d
.edu
.gov
ABE, … similar problems
“Selective Security”
Declare X* before params
Moving Past Partitioning
G06, GH09
Simulator 1-key per identity – always looks good
Augmented n-BDHE
W09
Dual System Encryption
Hybrid over keys
“Simple” Decision Linear
LSW09 ABE solution
Multiple Authorities
φ = :Friend AND :Student
Problem: Disparate organizations
Central Authority + Certs?
Central Trust + Bottleneck
C07: C.A. (no order), GlobalID, AND formulas
Summary
Rethink Encryption
Describe Target
“Evaluate” vs. “Decrypt” a Ciphertext
Functional Encryption
Ideal: Any Functionality
“Lens” or common framework
Progress, but still much to do
Thank you