Presentation is loading. Please wait.

Presentation is loading. Please wait.

Functional Encryption: An Introduction and Survey

Similar presentations


Presentation on theme: "Functional Encryption: An Introduction and Survey"— Presentation transcript:

1 Functional Encryption: An Introduction and Survey
Brent Waters test

2 Pre-Public Key Cryptography
Established mutual secrets Small networks SK SK

3 The world gets bigger Internet – Billions of users Unsustainable

4 Public Key Cryptography
Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Secret Exchange PubK SK

5 Data in the Cloud: Another Turning Point?
Cloud is growing Encryption a must LA Times 7/17: City of LA weighs outsourcing IT to Google LAPD: Arrest Information Sensitive

6 Rethinking Encryption
OR Internal Affairs AND Undercover Central Problem: Disconnect between policy and mechanism Who matches this? Am I allowed to know? What if they join later? Should they see everything? Process data before decryption?

7 Attribute-Based Encryption [SW05]
MSK OR Int. Affairs AND Undercover Central Á = PK Key Authority OR Int. Affairs AND Undercover Central (point out that attributes of secret key are mathematically incorporated into the key itself) (after file is encrypted, say we put it on the server) (explain that now, the policy checking happens “inside the crypto”. that is, nobody explicitly evaluates the policies and makes an access decision. instead, if the policy is satisfied, decryption will just work, otherwise it won’t.) SK SK “Undercover” “Central” “Undercover” “Valley”

8 First Approach & Collusion Attacks
Allowed Collusion [S03, MS03, J04,BMC06] AND A B EA(R) EB(M © R) PKA PKB ? SKA SKB R M © R SKKevin: “B” SKSarah: “A” M Collusion Attack!

9 Collusion Attacks: The Key Threat
OR Int. Affairs AND Undercover Central Need: Key “Personalization” Tension: Functionality vs. Personalization Kevin: “Undercover” “Valley” James: “Central” “Parking”

10 Key Personalization (Intuition)
Kevin: “Undercover” SK Random t James: “Central” SK Random t’ 10

11 Making it work (sketch)
Secret Share in Exponent Pairing 1st Step Combine “Personalized” Shares Final: “Unpersonalize” Personalized Randomization OR Internal Affairs AND Undercover Central 11

12 Is this what we need? Descriptive Encryption T.M. is more powerful
“All or nothing” decryption (no processing) 12

13 Functional Encryption
Functionality: f(¢ , ¢ ) MSK Authority Key: y 2 {0,1}* SK y CT: x 2 {0,1}* Security: Simulation Def. Public Params X f(x,y) 13

14 What can I do? SK 14

15 What could F.E. do? SK 15

16 IBE : Where it started S84, BF01, C01… SK Key: y 2 {0,1}*
CT: x = (M,ID) f( x=(M,ID), y) = M , ID if y = ID ID if y ID “Annotated” SK Y X 16

17 Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 Key: y 2 {0,1}n (boolean variables) CT: x = (M, Á ) f( x=(M, Á ), y) = M , Á if Á(y) = true Á if Á(y) = false “Annotated” SK Y X 17

18 Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 Key: y 2 {0,1}n (boolean variables) “Ciphertext Policy” CT: x = (M, Á ) f( x=(M, Á ), y) = M , Á if Á(y) = true Á if Á(y) = false “Annotated” SK Y X 18

19 Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 Key: y = Á “Key Policy” CT: x = (M, X 2 {0,1}n ) f( x=(M,X ), y) = M , Á if Á(X) = true X if Á(X) = false “Annotated” SK Y X 19

20 Anonymous IBE & Searching on Encrypted Data
Key: y 2 {0,1}* CT: x 2 {0,1}* f( x, y) = if y = x 0 otherwise BDOP04: Boneh-Franklin is anonymous ABCKKLMNPS05 : defs. BW06 : Standard Model SK Y X 20

21 Conjunctive Search [BW07, SBCSP07]
Key: y = (y1, …, yn) , yi 2 {0,1}* [ ? CT: x = (x1, …, xn) , xi 2 {0,1}* f( x=, y) = if 8 yi  ? , yi = xi 0 otherwise Cancellation techniques -> AND Must not learn intermediated result! SK Y X 21

22 Inner Product & ORs [KSW08]
Key: y = (y1, …, yn) 2 ZN n CT: x = (x1, …, xn) 2 ZN n f( x, y) = If x ¢ y =0 0 otherwise OR –- Bob OR Alice -- p(z)=(A-z)(B-z) Increased Malleability! Subgroups SK Y X 22

23 Three Directions 23

24 Functionality Current: Inner Product
Natural Limits? Fully Homomorphic Enc? --- Can’t do IBE Annotated: Hide What (Message), Not Why Expect more progress

25  Proofs of Security “Partitioning” [BF01, C01, CHK03, BB04, W05]
ID Space Priv. Key Space Challenge Space ID1 ID2… IDQ ID* (challenge ID) Simulator Balance: Challenge Space 1/Q => 1/Q of no abort

26 Structure gives problems!
2-level HIBE Balance: Depth d HIBE=> 1/Qd ABE, … similar problems “Selective Security” Declare X* before params .gov .edu

27 Moving Past Partitioning
G06, GH09 Simulator 1-key per identity – always looks good Augmented n-BDHE W09 Dual System Encryption Hybrid over keys “Simple” Decision Linear LSW09 ABE solution

28 Á = Multiple Authorities AND Problem: Disparate organizations
:Friend :Student AND Á = Problem: Disparate organizations Central Authority + Certs? Central Trust+ Bottleneck (point out that attributes of secret key are mathematically incorporated into the key itself) (after file is encrypted, say we put it on the server) (explain that now, the policy checking happens “inside the crypto”. that is, nobody explicitly evaluates the policies and makes an access decision. instead, if the policy is satisfied, decryption will just work, otherwise it won’t.) C07: C.A. (no order), GlobalID, AND formulas 28

29 Summary Describe Target “Evaluate” vs. “Decrypt” a Ciphertext
Rethink Encryption Describe Target “Evaluate” vs. “Decrypt” a Ciphertext Functional Encryption Ideal: Any Functionality “Lens” or common framework Progress, but still much to do

30 Thank you


Download ppt "Functional Encryption: An Introduction and Survey"

Similar presentations


Ads by Google