Functional Encryption: An Introduction and Survey Brent Waters

2 Pre-Public Key Cryptography  Established mutual secrets  Small networks SK

3 The world gets bigger  Internet – Billions of users  Unsustainable

4 Public Key Cryptography  Public Key Encryption [DH76,M78,RSA78,GM84]  Avoid Secret Exchange SK PubK

5 Data in the Cloud : Another Turning Point?  Cloud is growing  Encryption a must LA Times 7/17: City of LA weighs outsourcing IT to Google  LAPD: Arrest Information Sensitive

6 Rethinking Encryption OR Internal Affairs AND Undercover Central  Who matches this? Am I allowed to know?  What if they join later?  Should they see everything?  Process data before decryption? Problem: Disconnect between policy and mechanism

7 Attribute-Based Encryption [SW05] PK MSK “Undercover” “Central” “Undercover” “Valley” OR Int. Affairs AND UndercoverCentral     OR Int. Affairs AND Undercover Central SK Key Authority Á =

8 First Approach & Collusion Attacks SK Sarah : “A” SK Kevin : “B” AND A B PK A SK B PK B SK A E A (R)E B (M © R) R ? M © R M Collusion Attack!  Allowed Collusion [S03, MS03, J04,BMC06]

9 Collusion Attacks: The Key Threat Kevin: “Undercover” “Valley” OR Int. Affairs AND Undercover Central James: “Central” “Parking” Need: Key “Personalization” Tension: Functionality vs. Personalization

10 Key Personalization (Intuition) SK Kevin: “Undercover” … James: “Central” … Random t Random t’

11 Making it work (sketch) OR Internal Affairs AND UndercoverCentral Personalized Randomization  Secret Share in Exponent  Pairing 1 st Step  Combine “Personalized” Shares  Final: “Unpersonalize”

12 Is this what we need?  Descriptive Encryption  T.M. is more powerful  “All or nothing” decryption (no processing)

13 Functional Encryption Functionality: f( ¢, ¢ ) Public Params Authority MSK Key: y 2 {0,1}* X SK y CT: x 2 {0,1} * f(x,y) Security: Simulation Def.

14 What can I do? SK

15 What could F.E. do? SK

16 IBE : Where it started Key: y 2 {0,1}* X SK Y CT: x = (M,ID) f( x=(M,ID), y) =  S84, BF01, C01… M, ID if y = ID ID if y  ID “Annotated”

17 Attribute-Based Encryption Key: y 2 {0,1} n (boolean variables) X SK Y CT: x = (M, Á ) f( x=(M, Á ), y) =  SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 M, Á if Á (y) = true Á if Á (y) = false “Annotated”

18 Attribute-Based Encryption Key: y 2 {0,1} n (boolean variables) X SK Y CT: x = (M, Á ) f( x=(M, Á ), y) =  SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 M, Á if Á (y) = true Á if Á (y) = false “Annotated” “Ciphertext Policy”

19 Attribute-Based Encryption Key: y = Á X SK Y CT: x = (M, X 2 {0,1} n ) f( x=(M,X ), y) =  SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 M, Á if Á (X) = true X if Á (X) = false “Annotated” “Key Policy”

20 Anonymous IBE & Searching on Encrypted Data Key: y 2 {0,1}* X SK Y CT: x 2 {0,1} * f( x, y) =  BDOP04: Boneh-Franklin is anonymous  ABCKKLMNPS05 : defs.  BW06 : Standard Model 1if y = x 0 otherwise

21 Conjunctive Search [BW07, SBCSP07] Key: y = (y 1, …, y n ), y i 2 {0,1} * [ ? X SK Y f( x=, y) =  Cancellation techniques -> AND  Must not learn intermediated result! 1if 8 y i  ?, y i = x i 0 otherwise CT: x = (x 1, …, x n ), x i 2 {0,1} *

22 Inner Product & ORs [KSW08] Key: y = (y 1, …, y n ) 2 Z N n X SK Y f( x, y) =  OR –- Bob OR Alice -- p(z)=(A-z)(B-z)  Increased Malleability!  Subgroups 1If x ¢ y =0 0 otherwise CT: x = (x 1, …, x n ) 2 Z N n

23 Three Directions

Functionality  Current: Inner Product  Natural Limits?  Fully Homomorphic Enc? --- Can’t do IBE  Annotated: Hide What (Message), Not Why  Expect more progress

Proofs of Security  “Partitioning” [BF01, C01, CHK03, BB04, W05] Simulator ID Space Priv. Key Space Challenge Space ID 1 ID 2 … … ID Q ID * (challenge ID)  Balance: Challenge Space 1/Q => 1/Q of no abort

Structure gives problems!  2-level HIBE Balance: Depth d HIBE=> 1/Q d.edu.gov  ABE, … similar problems  “Selective Security”  Declare X * before params

Moving Past Partitioning  G06, GH09  Simulator 1-key per identity – always looks good  Augmented n-BDHE  W09  Dual System Encryption  Hybrid over keys  “Simple” Decision Linear  LSW09 ABE solution

28 Multiple Authorities Á = :Friend :Student AND Problem: Disparate organizations Central Authority + Certs?  Central Trust+ Bottleneck C07: C.A. (no order), GlobalID, AND formulas

Summary  Rethink Encryption  Describe Target  “Evaluate” vs. “Decrypt” a Ciphertext  Functional Encryption  Ideal: Any Functionality  “Lens” or common framework  Progress, but still much to do

30 Thank you