Presentation is loading. Please wait.

Presentation is loading. Please wait.

Functional Encryption: An Introduction and Survey

Published byEsmond Hamilton Modified over 6 years ago

Similar presentations

Presentation on theme: "Functional Encryption: An Introduction and Survey"— Presentation transcript:

1 Functional Encryption: An Introduction and Survey
Brent Waters test

2 Pre-Public Key Cryptography
Established mutual secrets Small networks SK SK

3 The world gets bigger Internet – Billions of users Unsustainable

4 Public Key Cryptography
Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Secret Exchange PubK SK

5 Data in the Cloud: Another Turning Point?
Cloud is growing Encryption a must LA Times 7/17: City of LA weighs outsourcing IT to Google LAPD: Arrest Information Sensitive

6 Rethinking Encryption
OR Internal Affairs AND Undercover Central Problem: Disconnect between policy and mechanism Who matches this? Am I allowed to know? What if they join later? Should they see everything? Process data before decryption?

7 Attribute-Based Encryption [SW05]
MSK OR Int. Affairs AND Undercover Central Á = PK Key Authority OR Int. Affairs AND Undercover Central (point out that attributes of secret key are mathematically incorporated into the key itself) (after file is encrypted, say we put it on the server) (explain that now, the policy checking happens “inside the crypto”. that is, nobody explicitly evaluates the policies and makes an access decision. instead, if the policy is satisfied, decryption will just work, otherwise it won’t.) SK SK “Undercover” “Central” “Undercover” “Valley”

8 First Approach & Collusion Attacks
Allowed Collusion [S03, MS03, J04,BMC06] AND A B EA(R) EB(M © R) PKA PKB ? SKA SKB R M © R SKKevin: “B” SKSarah: “A” M Collusion Attack!

9 Collusion Attacks: The Key Threat
OR Int. Affairs AND Undercover Central Need: Key “Personalization” Tension: Functionality vs. Personalization Kevin: “Undercover” “Valley” James: “Central” “Parking”

10 Key Personalization (Intuition)
Kevin: “Undercover” SK Random t James: “Central” SK Random t’ 10

11 Making it work (sketch)
Secret Share in Exponent Pairing 1st Step Combine “Personalized” Shares Final: “Unpersonalize” Personalized Randomization OR Internal Affairs AND Undercover Central 11

12 Is this what we need? Descriptive Encryption T.M. is more powerful
“All or nothing” decryption (no processing) 12

13 Functional Encryption
Functionality: f(¢ , ¢ ) MSK Authority Key: y 2 {0,1}* SK y CT: x 2 {0,1}* Security: Simulation Def. Public Params X f(x,y) 13

14 What can I do? SK 14

15 What could F.E. do? SK 15

16 IBE : Where it started S84, BF01, C01… SK Key: y 2 {0,1}*
CT: x = (M,ID) f( x=(M,ID), y) = M , ID if y = ID ID if y ID “Annotated” SK Y X 16

17 Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 Key: y 2 {0,1}n (boolean variables) CT: x = (M, Á ) f( x=(M, Á ), y) = M , Á if Á(y) = true Á if Á(y) = false “Annotated” SK Y X 17

18 Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 Key: y 2 {0,1}n (boolean variables) “Ciphertext Policy” CT: x = (M, Á ) f( x=(M, Á ), y) = M , Á if Á(y) = true Á if Á(y) = false “Annotated” SK Y X 18

19 Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08 Key: y = Á “Key Policy” CT: x = (M, X 2 {0,1}n ) f( x=(M,X ), y) = M , Á if Á(X) = true X if Á(X) = false “Annotated” SK Y X 19

20 Anonymous IBE & Searching on Encrypted Data
Key: y 2 {0,1}* CT: x 2 {0,1}* f( x, y) = if y = x 0 otherwise BDOP04: Boneh-Franklin is anonymous ABCKKLMNPS05 : defs. BW06 : Standard Model SK Y X 20

21 Conjunctive Search [BW07, SBCSP07]
Key: y = (y1, …, yn) , yi 2 {0,1}* [ ? CT: x = (x1, …, xn) , xi 2 {0,1}* f( x=, y) = if 8 yi  ? , yi = xi 0 otherwise Cancellation techniques -> AND Must not learn intermediated result! SK Y X 21

22 Inner Product & ORs [KSW08]
Key: y = (y1, …, yn) 2 ZN n CT: x = (x1, …, xn) 2 ZN n f( x, y) = If x ¢ y =0 0 otherwise OR –- Bob OR Alice -- p(z)=(A-z)(B-z) Increased Malleability! Subgroups SK Y X 22

23 Three Directions 23

24 Functionality Current: Inner Product
Natural Limits? Fully Homomorphic Enc? --- Can’t do IBE Annotated: Hide What (Message), Not Why Expect more progress

25  Proofs of Security “Partitioning” [BF01, C01, CHK03, BB04, W05]
ID Space Priv. Key Space Challenge Space ID1 ID2… IDQ ID* (challenge ID) Simulator Balance: Challenge Space 1/Q => 1/Q of no abort

26 Structure gives problems!
2-level HIBE Balance: Depth d HIBE=> 1/Qd ABE, … similar problems “Selective Security” Declare X* before params .gov .edu

27 Moving Past Partitioning
G06, GH09 Simulator 1-key per identity – always looks good Augmented n-BDHE W09 Dual System Encryption Hybrid over keys “Simple” Decision Linear LSW09 ABE solution

28 Á = Multiple Authorities AND Problem: Disparate organizations
:Friend :Student AND Á = Problem: Disparate organizations Central Authority + Certs? Central Trust+ Bottleneck (point out that attributes of secret key are mathematically incorporated into the key itself) (after file is encrypted, say we put it on the server) (explain that now, the policy checking happens “inside the crypto”. that is, nobody explicitly evaluates the policies and makes an access decision. instead, if the policy is satisfied, decryption will just work, otherwise it won’t.) C07: C.A. (no order), GlobalID, AND formulas 28

29 Summary Describe Target “Evaluate” vs. “Decrypt” a Ciphertext
Rethink Encryption Describe Target “Evaluate” vs. “Decrypt” a Ciphertext Functional Encryption Ideal: Any Functionality “Lens” or common framework Progress, but still much to do

30 Thank you

Download ppt "Functional Encryption: An Introduction and Survey"

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Allison Lewko TexPoint fonts used in EMF.

Allison Lewko TexPoint fonts used in EMF.
Functional Encryption & Property Preserving Encryption

Functional Encryption & Property Preserving Encryption
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.

1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.
2 Your data is anywhere but not in your control Security breaches are recurrent – Weakest link: hardware, software, technicians, … You may trust the science.

2 Your data is anywhere but not in your control Security breaches are recurrent – Weakest link: hardware, software, technicians, … You may trust the science.
Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.

Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
1 Queries on Encrypted Data Dan Boneh Brent Waters Stanford UniversitySRI.

1 Queries on Encrypted Data Dan Boneh Brent Waters Stanford UniversitySRI.
1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.

1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.
Ciphertext-Policy, Attribute-Based Encryption Brent Waters SRI International John Bethencourt CMU Amit Sahai UCLA.

Ciphertext-Policy, Attribute-Based Encryption Brent Waters SRI International John Bethencourt CMU Amit Sahai UCLA.

Similar presentations

Ads by Google