Presentation is loading. Please wait.

Presentation is loading. Please wait.

Functional Encryption & Property Preserving Encryption

Published byDamion Hinsley Modified over 10 years ago

Similar presentations

Presentation on theme: "Functional Encryption & Property Preserving Encryption"β€” Presentation transcript:

1 Functional Encryption & Property Preserving Encryption
Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian (UCLA), Manoj Prabhakaran (UIUC), Amit Sahai (UCLA).

2 Outline Various encryption schemes:
Public-key functional encryption, Private-key functional encryption, Property Preserving encryption. Fairly new ideas, spend some time on each one. What they are? Our results. Come back and discuss Public-key functional encryption in detail.

3 Public key Functional enc.
MPK π‘šβˆˆπ‘€ ENC (m) MSK, MPK MPK Alice Note that there are two parameters – message space, and the more important one, the function family – the more . Providing function hiding is not easy in this setting. Bob π‘“βˆˆπΉ MPK Trusted Authority 𝑆 𝐾 𝑓 DEC ( ENC(m),𝑆 𝐾 𝑓 ) = f(m) Julie

4 Public key Functional enc.
First formally studied by Boneh, Sahai and Waters in Encompasses well-known notions of encryption: Public-key encryption [DH76, RSA77, …], Identity-based encryption [Sha84, BF01, Coc01, BW06, GPV08], Attribute-based encryption [SW05, GPSW06, GVW13, GGH+13], Predicate encryption [KSW08, LOS+10, AFV11], Searchable encryption [BCOP04], etc . Has been the subject of intense study in the recent past.

5 Our contribution A new definition for Functional Encryption:
Simulation based (real-ideal world), Provides both function and message hiding, Simple and intuitive. First definition with the above features. Construct a secure protocol in the generic group model. Practice: Security against a large class of attacks. Function family F: inner-product predicates. A weaker simulation-based definition that can be realized under a weaker assumption.

6 Private key functional Enc.
π‘š1, π‘š2, π‘š3βˆˆπ‘€ ENC (m1, SK) SK ENC (m2, SK) ENC (m3, SK) 𝑆 𝐾 𝑓 for an π‘“βˆˆπΉ Client could be backing up files on the server. Later the client wants to access files which contain a particular keyword. 𝑓 π‘š1 , 𝑓 π‘š2 , 𝑓(π‘š3) Client Server

7 USE CASE Client stores files on server by encrypting them.
Later the client wants all files with the keyword β€˜urgent’. Client sends a key 𝑆𝐾 π‘’π‘Ÿπ‘”π‘’π‘›π‘‘ to the server. Server applies decryption function to each file. Returns files for which output is 1 to the client. Dec ( 𝑆𝐾 π‘’π‘Ÿπ‘”π‘’π‘›π‘‘ , Enc. file) = 1 iff file contains the word β€˜urgent’.

8 Private key functional Enc.
First studied by Shen, Shi and Waters in [SSW09]. SSW09 construct a secure protocol for inner-product predicates. A new protocol that is better in several ways.

9 An improved protocol SSW09 protocol Our protocol Selective security
Full security Composite-order groups Prime-order groups Non-standard assumptions Standard assumption

10 Our protocol Derived from Okamoto and Takashima [OT12].
Symmetric nature of inner-product predicates. Ways to transform a protocol with weaker properties into one with stronger properties [Fre10, Lew12]. No method can simultaneously solve all the three problems.

11 Property preserving encryption
:𝑀×𝑀→{0,1} TEST(ENC(m1), ENC(m2)) = P(m1, m2) SK ENC (m1, SK) ENC (m2, SK) Client Server

12 USE case Property: Given two files, which one comes before in alphabetical order. Client stores files on server by encrypting them. Later client wants to retrieve the file which comes first in alphabetical order. Server uses 𝑇𝐸𝑆𝑇 to compare encrypted files. Sorts the files in alphabetical order.

13 Property preserving encryption
Introduced by Pandey and Rouselakis in 2012 [PR12]. PR12 gives a protocol for the inner-product property. We improve their protocol in two crucial ways. Exploit connection b/n Private-key FE and PPE. PR12 Our protocol Composite-order groups Prime order groups Generic group model Standard model (DLIN assumption)

14 Public-key functional encryption

15 Alice π‘“βˆˆπΉ MPK π‘šβˆˆπ‘€ ENC (m, MPK) MSK, MPK MPK Adversary MPK 𝑆 𝐾 𝑓
Trusted Authority 𝑆 𝐾 𝑓 DEC ( ENC(m),𝑆 𝐾 𝑓 ) = f(m) Julie

16 Indistinguishability based def.
Message hiding: π‘š 1 and π‘š 2 s.t. 𝑓( π‘š 1 ) = 𝑓( π‘š 2 ). 𝐸𝑛𝑐( π‘š 1 ) indistinguishable from 𝐸𝑛𝑐( π‘š 2 ). Function hiding: 𝑓1 and 𝑓2 s.t. 𝑓1(π‘š) = 𝑓2(π‘š). 𝑆 𝐾 𝑓1 indistinguishable from 𝑆 𝐾 𝑓2 . By creating 𝐸𝑛𝑐( π‘š 1 ), 𝐸𝑛𝑐 π‘š 2 , 𝐸𝑛𝑐( π‘š 3 ),… compute 𝑓1 π‘š 1 , 𝑓1 π‘š 2 , 𝑓1( π‘š 3 ) or 𝑓2 π‘š 1 , 𝑓2 π‘š 2 , 𝑓2 π‘š 3 . Could distinguish between 𝑓1 and 𝑓2. Intuitively, given 𝐸𝑛𝑐(π‘š) and SK for 𝑓, the only information Bob learns is 𝑓(π‘š).

17 Simulation based def. A new definition for Functional Encryption:
Simulation based (real-ideal world), Provides both function and message hiding, Simple and intuitive. Real world execution of a protocol is compared with an β€œIdeal” world. Ideal world: Security requirements we want from our protocol.

18 Real World Ideal World MSK, MPK MPK Environment Environment
π‘š 1 , π‘š 2 ,…, π‘š π‘–βˆ’1 , π‘š 𝑖 MSK, MPK 𝑓 1 , 𝑓 2 ,…, 𝑓 π‘˜βˆ’1 ,𝑓 π‘˜ MPK 𝐸𝑛𝑐 ( π‘š 1 ) 𝑓 1 π‘š 1 , 𝑓 2 π‘š 2 , …, 𝑓 π‘˜βˆ’1 ( π‘š 𝑖 ) …, 𝐸𝑛𝑐( π‘š 𝑖 ) 𝑓 π‘˜ π‘š 1 , 𝑓 π‘˜ π‘š 2 , …, 𝑓 π‘˜ ( π‘š 𝑖 ) 𝑆 𝐾 𝑓 1 …,𝑆 𝐾 𝑓 π‘˜ Trusted Authority Adversary Oracle Simulator 𝑓 1 …,𝑓 π‘˜ 𝑓 π‘˜ ∈𝐹 π‘š 1 …, π‘š 𝑖 π‘š 𝑖 βˆˆπ‘€ Environment Environment βˆ€ 𝐴𝑑𝑣 βˆƒ π‘†π‘–π‘š π‘…π‘’π‘Žπ‘™β‰ˆπΌπ‘‘π‘’π‘Žπ‘™

19 Our set-up Strong security definition.
Cannot be realized in the standard model [BSW11, O’N11, BO12]. Adversary doesn’t exploit structure of the group. Generic group model: captures most real-world attacks. Function family F: inner product predicates. Looking at some special cases of Functional Encryption. Inner-product predicates capture those cases.

20 Identity based encryption
ID = {Bob, Alice, Mary, …} and 𝑆={ π‘š 1 , π‘š 2 , π‘š 3 ,…}. 𝐹= 𝑓 𝑖𝑑 π‘–π‘‘βˆˆπΌπ·}. 𝑀={(π‘š,𝑖 𝑑 β€² )|π‘šβˆˆπ‘†, 𝑖 𝑑 β€² ∈𝐼𝐷}. 𝑓 𝑖𝑑 π‘š, 𝑖 𝑑 β€² =π‘š if 𝑖𝑑=𝑖𝑑′, and βŠ₯ otherwise. Authority gives secret key according to id Ex: Alice gets a SK for 𝑓 𝐴𝑙𝑖𝑐𝑒 Bob sends 𝐸𝑛𝑐( π‘š βˆ— , 𝐴𝑙𝑖𝑐𝑒) to Alice. Only Alice can obtain π‘š βˆ— , using SK for 𝑓 𝐴𝑙𝑖𝑐𝑒 .

21 Complex policies Complex policies like Head of Dept. OR (Faculty AND Security). 𝐼 𝐷 π‘π‘œπ‘  ={π»π‘’π‘Žπ‘‘ π‘œπ‘“ 𝐷𝑒𝑝𝑑., πΉπ‘Žπ‘π‘’π‘™π‘‘π‘¦, 𝑆𝑑𝑒𝑑𝑒𝑛𝑑𝑠, …} 𝐼 𝐷 π‘Žπ‘Ÿπ‘’π‘Ž ={π‘†π‘’π‘π‘’π‘Ÿπ‘–π‘‘π‘¦,π΄π‘™π‘”π‘œπ‘Ÿπ‘–π‘‘β„Žπ‘šπ‘ , 𝐴𝐼,…} 𝐡𝐸π‘₯𝑝= π΅π‘œπ‘œπ‘™π‘’π‘Žπ‘› 𝑒π‘₯π‘π‘Ÿπ‘’π‘ π‘ π‘–π‘œπ‘›π‘  π‘œπ‘£π‘’π‘Ÿ 𝐼 𝐷 π‘π‘œπ‘  π‘Žπ‘›π‘‘ 𝐼 𝐷 π‘Žπ‘Ÿπ‘’π‘Ž 𝐹= 𝑓 𝑖𝑑1, 𝑖𝑑2 𝑖𝑑1∈𝐼 𝐷 π‘π‘œπ‘  , 𝑖𝑑2∈𝐼 𝐷 π‘Žπ‘Ÿπ‘’π‘Ž } 𝑀= π‘š, 𝑏𝑒π‘₯𝑝 π‘šβˆˆπ‘†, 𝑏𝑒π‘₯π‘βˆˆπ΅π‘’π‘₯𝑝} 𝑓 𝑖𝑑1, 𝑖𝑑2 π‘š, 𝑏𝑒π‘₯𝑝 =π‘š iff 𝐼 𝐷 1 and 𝐼 𝐷 2 satisfy the Boolean Expression 𝑏𝑒π‘₯𝑝.

22 Inner-product Predicates
Powerful primitive: Identity Based Encryption Complex Policies like Boolean Expressions 𝐹= 𝑓 𝑣 𝑣 =( 𝑣 1 , 𝑣 2 ,…, 𝑣 𝑛 )}. 𝑀= π‘š, π‘₯ π‘₯ =( π‘₯ 1 , π‘₯ 2 ,…, π‘₯ 𝑛 )}. 𝑓 𝑣 π‘š, π‘₯ =π‘š if 𝑣 . π‘₯ =βˆ‘ 𝑣 𝑖 . π‘₯ 𝑖 =0, and βŠ₯ otherwise. Given a key for 𝑓 𝑣 we would be able to recover π‘š from an encryption (π‘š, π‘₯ ) only if 𝑣 . π‘₯ =0.

23 Our protocol A protocol for inner-product predicates in the Generic group model, which is secure under a strong simulation- based definition. Two constructions Dual Pairing Vector Spaces (Okamoto and Takashima in 2008). Secret Sharing. The constructions have comparable efficiency. For vectors of length n, ciphertext and key of length 3n.

24 Conclusion A new powerful definition for Public-Key Functional Encryption. Protocol in the Generic group model. Another definition Relax-SIM. Protocol in the standard model. Improve protocols for Private-Key Functional Encryption and Property Preserving Encryption in various ways. First protocols under standard assumptions/model.

25 Thank You Paper will soon be available on Eprint.

Download ppt "Functional Encryption & Property Preserving Encryption"

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = Γ‘gΓ±, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = Γ‘gΓ±, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.

EXPLICIT NON-MALLEABLE CODES RESISTANT TO PERMUTATIONS Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta Maji (UCLA), Omkant Pandey (UIUC), Manoj Prabhakaran.
Allison Lewko TexPoint fonts used in EMF.

Allison Lewko TexPoint fonts used in EMF.
I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.

I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.
Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)

1. Breaking the Adaptivity Barrier for Deterministic Public-Key Encryption Ananth Raghunathan (joint work with Gil Segev and Salil Vadhan)
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
Controlled Functional Encryption Muhammad Naveed, Shashank Agrawal, Manoj Prabhakaran, Xiaofeng Wang, Erman Ayday, Jean-Pierre Hubaux, Carl A. Gunter.

Controlled Functional Encryption Muhammad Naveed, Shashank Agrawal, Manoj Prabhakaran, Xiaofeng Wang, Erman Ayday, Jean-Pierre Hubaux, Carl A. Gunter.
Course summary COS 433: Crptography -Spring 2010 Boaz Barak.

Course summary COS 433: Crptography -Spring 2010 Boaz Barak.
Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, BjΓΆrn Tackmann, and Daniele Venturi PETS 2013.

Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, BjΓΆrn Tackmann, and Daniele Venturi PETS 2013.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
A Rate-Optimizing Compiler for Non- malleable Codes against Bit-wise Tampering and Permutations Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta K.

A Rate-Optimizing Compiler for Non- malleable Codes against Bit-wise Tampering and Permutations Shashank Agrawal (UIUC), Divya Gupta (UCLA), Hemanta K.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

Similar presentations

Ads by Google