Functional Encryption: Beyond Public Key Cryptography Brent Waters SRI International test
Protect Private Data Payment Card Industry (PCI) Health Care Web Services
Access Control OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control?
Security Breaches Intrusion: 45 Million Cards Stolen (Dec. 2006) Physical Media Loss: 25 million U.K. citizens (Nov. 2007)
Access Control by Encryption Idea: Need secret key to access data e.g. PCI Standards SK OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control?
Realistic Data Sharing Problem: Disconnect between policy and mechanism ? Burden on provider OR Professor AND CS255-TA PhD OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control? Sarah: “CS255-TA” “PhD” Kelly: “Professor” “Admissions”
A Fundamental Gap Online-Service Key Lookup Complex Several Keys Key Lookup Group Key Management OR Professor AND CS255-TA PhD OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control? Complex Infrastructure
Functional Encryption A New Vision Functional Encryption OR Professor AND CS255-TA PhD OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control? OR Professor AND CS255-TA PhD Complex Infrastructure
Functional Encryption: A New Perspective Public Parameters SK Cred.=X Access Predicate: f( ) OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control? If f(X)=1 f( )
Why Functional Encryption? Late Binding Access Control: e.g. Network Logs
Why Functional Encryption? Late Binding Access Control: SK e.g. Network Logs Src:123.3.4.77 AND Date: 12/5/07 2ef92a295cbb 98bc39dea94c ... SRC IP=123.12.6.8 Date=12/5/07 Encrypt packet payload, tag with metadata Distribute capabilities later
Why Functional Encryption? Scalability and Robustness: Availability vs. Security Personal Storage Devices
Why Functional Encryption? Efficiency: Scales with policy complexity OR Dean Eng. AND Professor C.S. vs.
Why Functional Encryption? Receiver Privacy: ? AND ACLU Salary > 1M OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control?
A New Vision for Encryption Systems Retrospect: Public vs. Secret Key Cryptography Secure Internet Connections (Public Key Exchange) Online Software Updates (Digital Signatures) The next step forward
Functional Encryption for Formulas [SW05] Line of Research: [SW05, GPSW06,PTMW06, BSW07, BW07, OSW07,KSW08] MSK OR Professor AND CS255-TA PhD PK Key Authority OR Professor AND CS255-TA PhD (point out that attributes of secret key are mathematically incorporated into the key itself) (after file is encrypted, say we put it on the server) (explain that now, the policy checking happens “inside the crypto”. that is, nobody explicitly evaluates the policies and makes an access decision. instead, if the policy is satisfied, decryption will just work, otherwise it won’t.) SK SK “CS255-TA” “PhD” “CS255-TA” “Undergrad”
Functional Encryption for Formulas PK MSK Setup: “CS255-TA” “PhD” SK KeyGen(MSK, Attrs.): Encrypt(PK ,M, f() ): OR Professor AND CS255-TA PhD “CS255-TA” “PhD” SK Decrypt(SK, CT): OR Professor. AND CS255-TA PhD
A First Approach Question: Can we build functional encryption from standard techniques? Attempt: Public Key Encryption + Secret Sharing
Secret Sharing [S78,B78,BL86] s s ¸A = s A B C ¸B = r ¸C = s-r Use finite field e.g. Zp ¸A = s OR A AND B C ¸B = r ¸C = s-r Ideas extend to more complex sharing
? A First Approach A EA(R) EB(M-R) PKA PKB SKA SKB R M-R Combine S.S. and PKE AND A B EA(R) EB(M-R) PKA PKB ? SKA SKB R SKKevin: “B” M-R SKSarah: “A” Collusion Attack! M
Collusion Attacks: The Key Threat OR Professor AND CS255-TA PhD Need: Key “Personalization” Tension: Functionality vs. Personalization Kevin: “CS255-TA” “Undergrad” James: “PhD” “Graphics”
Elliptic Curve Techniques G : multiplicative of prime order p. (Analogy: Zq*) Intuitive Hardness Discrete Log: Given: g, ga Hard to get: a Bilinear map e: GG GT e(ga, gb) = e(g,g)ab a,bZp, gG High Level: Single Multiplication Key for satisfying functionality + personalization
System Setup
Key Generation Personalization! SK ‘t’ ties components together
Key Personalization (Intuition) Kevin: “CS255-TA” … SK Random t James: “PhD” … SK Components are incompatible (Formal security proofs in papers) Random t’
Encryption s y1 y2 y3 f ( ) = M ¸1=s ¸2=r ¸3=s-r CT: OR AND y1, ... yn n leaf nodes y1, ... yn f ( ) = M ¸1=s ¸2=r ¸3=s-r CT:
Making it work CT: Goal: Compute and cancel to get M “CS255-TA” “PhD” Message Randomization Goal: Compute and cancel to get M
Making it work CT: SK: Use Bilinear Map for Decryption “CS255-TA” “PhD” Message Randomization Personalized Randomization Use Bilinear Map for Decryption New goal: Personalized to user
Making it work OR AND Shares are personalized (Use Bilinear-Map) “CS255-TA” “PhD” Personalized Randomization OR Professor AND CS255-TA PhD Shares are personalized (Use Bilinear-Map) Linearly Combine
Security Theorem: System is (semantically) secure under chosen key attack Number Theoretic Assumption: Bilinear Diffie-Hellman Exponent [BBG05]
Impact Line of Research: [SW05, GPSW06,PTMW06, BSW07, BW07, OSW07,KSW08] Other Functional Encryption Work: [ACDMS06,C07,CCKN07,CN07,SBCDP07, TBEM08] IBE: [S84,BF01,C01] OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control?
Impact Advanced Crypto Software Collection $ cpabe-setup $ cpabe-keygen -o sarah_priv_key pub_key master_key \ sysadmin it_dept 'office = 1431' 'hire_date = 2002' Advanced Crypto Software Collection Attribute-Based Messaging (UIUC) Group Key Management [CCKN07] Large Scale Content Distribution [TBEM08] Future NIST Standardization
Beyond Access Control Bigger Idea: Functions over encrypted data Only learn function’s output Access Control: All or nothing access OR Professor AND CS255-TA PhD Compute Average 15th highest score Challenge: Oblivious Evaluation Only single keyword predicates [SWP00, BDOP04, BW06]
Beyond Access Control Complex Predicates over data [KSW08] : From = bob@yahoo.com OR From = alice@yahoo.com Can’t tell why matched! Idea: Inner Product Functionality (Multiplication of Bilinear Map) SK CT: Functionality: Polynomial Equations
Medical Studies Collect DNA + medical information Future: Database of sequenced genome AGTACCA... Limit Privacy Loss Gene:TCF2 = AT AND Prostate Cancer
Functional Encryption Summary OR Professor AND CS255TA PhD Complex Infrastructure Tension: Functionality vs. Personalization [SW05, GPSW06,PTMW06, BSW07, OSW07] Going Beyond Access Control [BW06,BW07,KSW08] Fundamental Change: Public Key Cryptography
Thank you