Presentation is loading. Please wait.

Presentation is loading. Please wait.

Functional Encryption: Beyond Public Key Cryptography

Published byRolf Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "Functional Encryption: Beyond Public Key Cryptography"— Presentation transcript:

1 Functional Encryption: Beyond Public Key Cryptography
Brent Waters SRI International test

2 Protect Private Data Payment Card Industry (PCI) Health Care
Web Services

3 Access Control OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control?

4 Security Breaches Intrusion: 45 Million Cards Stolen (Dec. 2006)
Physical Media Loss: 25 million U.K. citizens (Nov. 2007)

5 Access Control by Encryption
Idea: Need secret key to access data e.g. PCI Standards SK OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control?

6 Realistic Data Sharing
Problem: Disconnect between policy and mechanism ? Burden on provider OR Professor AND CS255-TA PhD OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control? Sarah: “CS255-TA” “PhD” Kelly: “Professor” “Admissions”

7 A Fundamental Gap Online-Service Key Lookup Complex
Several Keys Key Lookup Group Key Management OR Professor AND CS255-TA PhD OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control? Complex Infrastructure

8 Functional Encryption
A New Vision Functional Encryption OR Professor AND CS255-TA PhD OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control? OR Professor AND CS255-TA PhD Complex Infrastructure

9 Functional Encryption: A New Perspective
Public Parameters SK Cred.=X Access Predicate: f( ) OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control? If f(X)=1 f( )

10 Why Functional Encryption?
Late Binding Access Control: e.g. Network Logs

11 Why Functional Encryption?
Late Binding Access Control: SK e.g. Network Logs Src: AND Date: 12/5/07 2ef92a295cbb 98bc39dea94c ... SRC IP= Date=12/5/07 Encrypt packet payload, tag with metadata Distribute capabilities later

12 Why Functional Encryption?
Scalability and Robustness: Availability vs. Security Personal Storage Devices

13 Why Functional Encryption?
Efficiency: Scales with policy complexity OR Dean Eng. AND Professor C.S. vs.

14 Why Functional Encryption?
Receiver Privacy: ? AND ACLU Salary > 1M OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control?

15 A New Vision for Encryption Systems
Retrospect: Public vs. Secret Key Cryptography Secure Internet Connections (Public Key Exchange) Online Software Updates (Digital Signatures) The next step forward

16 Functional Encryption for Formulas [SW05]
Line of Research: [SW05, GPSW06,PTMW06, BSW07, BW07, OSW07,KSW08] MSK OR Professor AND CS255-TA PhD PK Key Authority OR Professor AND CS255-TA PhD (point out that attributes of secret key are mathematically incorporated into the key itself) (after file is encrypted, say we put it on the server) (explain that now, the policy checking happens “inside the crypto”. that is, nobody explicitly evaluates the policies and makes an access decision. instead, if the policy is satisfied, decryption will just work, otherwise it won’t.) SK SK “CS255-TA” “PhD” “CS255-TA” “Undergrad”

17 Functional Encryption for Formulas
PK MSK Setup: “CS255-TA” “PhD” SK KeyGen(MSK, Attrs.): Encrypt(PK ,M, f() ): OR Professor AND CS255-TA PhD “CS255-TA” “PhD” SK Decrypt(SK, CT): OR Professor. AND CS255-TA PhD

18 A First Approach Question: Can we build functional encryption from standard techniques? Attempt: Public Key Encryption + Secret Sharing

19 Secret Sharing [S78,B78,BL86] s s ¸A = s A B C ¸B = r ¸C = s-r
Use finite field e.g. Zp ¸A = s OR A AND B C ¸B = r ¸C = s-r Ideas extend to more complex sharing

20 ? A First Approach A EA(R) EB(M-R) PKA PKB SKA SKB R M-R
Combine S.S. and PKE AND A B EA(R) EB(M-R) PKA PKB ? SKA SKB R SKKevin: “B” M-R SKSarah: “A” Collusion Attack! M

21 Collusion Attacks: The Key Threat
OR Professor AND CS255-TA PhD Need: Key “Personalization” Tension: Functionality vs. Personalization Kevin: “CS255-TA” “Undergrad” James: “PhD” “Graphics”

22 Elliptic Curve Techniques
G : multiplicative of prime order p. (Analogy: Zq*) Intuitive Hardness Discrete Log: Given: g, ga Hard to get: a Bilinear map e: GG  GT e(ga, gb) = e(g,g)ab a,bZp, gG High Level: Single Multiplication Key for satisfying functionality + personalization

23 System Setup

24 Key Generation Personalization! SK ‘t’ ties components together

25 Key Personalization (Intuition)
Kevin: “CS255-TA” SK Random t James: “PhD” SK Components are incompatible (Formal security proofs in papers) Random t’

26 Encryption s y1 y2 y3 f ( ) = M ¸1=s ¸2=r ¸3=s-r CT: OR AND y1, ... yn
n leaf nodes y1, ... yn f ( ) = M ¸1=s ¸2=r ¸3=s-r CT:

27 Making it work CT: Goal: Compute and cancel to get M
“CS255-TA” “PhD” Message Randomization Goal: Compute and cancel to get M

28 Making it work CT: SK: Use Bilinear Map for Decryption
“CS255-TA” “PhD” Message Randomization Personalized Randomization Use Bilinear Map for Decryption New goal: Personalized to user

29 Making it work OR AND Shares are personalized (Use Bilinear-Map)
“CS255-TA” “PhD” Personalized Randomization OR Professor AND CS255-TA PhD Shares are personalized (Use Bilinear-Map) Linearly Combine

30 Security Theorem: System is (semantically) secure under chosen key attack Number Theoretic Assumption: Bilinear Diffie-Hellman Exponent [BBG05]

31 Impact Line of Research: [SW05, GPSW06,PTMW06, BSW07, BW07, OSW07,KSW08] Other Functional Encryption Work: [ACDMS06,C07,CCKN07,CN07,SBCDP07, TBEM08] IBE: [S84,BF01,C01] OK, so, moving on, let’s look out how people control access to remotely stored files. One general way you might handle this is to have a server decide for you. -- So in this case, when we upload a file, we also provide a policy specifying who should be permitted to access the file. -- Now when another user comes along and authenticates herself to the server somehow, the server can evaluate the policy -- along with metadata the server may have about the user in order to -- make a decision about whether allow access. -- So what are the pros and cons of this general class of approaches to access control?

32 Impact Advanced Crypto Software Collection
$ cpabe-setup $ cpabe-keygen -o sarah_priv_key pub_key master_key \ sysadmin it_dept 'office = 1431' 'hire_date = 2002' Advanced Crypto Software Collection Attribute-Based Messaging (UIUC) Group Key Management [CCKN07] Large Scale Content Distribution [TBEM08] Future NIST Standardization

33 Beyond Access Control Bigger Idea: Functions over encrypted data
Only learn function’s output Access Control: All or nothing access OR Professor AND CS255-TA PhD Compute Average 15th highest score Challenge: Oblivious Evaluation Only single keyword predicates [SWP00, BDOP04, BW06]

34 Beyond Access Control Complex Predicates over data [KSW08] :
From = OR From = Can’t tell why matched! Idea: Inner Product Functionality (Multiplication of Bilinear Map) SK CT: Functionality: Polynomial Equations

35 Medical Studies Collect DNA + medical information
Future: Database of sequenced genome AGTACCA... Limit Privacy Loss Gene:TCF2 = AT AND Prostate Cancer

36 Functional Encryption Summary
OR Professor AND CS255TA PhD Complex Infrastructure Tension: Functionality vs. Personalization [SW05, GPSW06,PTMW06, BSW07, OSW07] Going Beyond Access Control [BW06,BW07,KSW08] Fundamental Change: Public Key Cryptography

37 Thank you

Download ppt "Functional Encryption: Beyond Public Key Cryptography"

Similar presentations

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.

Asymptotically Optimal Communication for Torus- Based Cryptography David Woodruff MIT Joint work with Marten van Dijk Philips/MIT.
Signatures for Network Coding Denis Charles Kamal Jain Kristin Lauter Microsoft Research.

Signatures for Network Coding Denis Charles Kamal Jain Kristin Lauter Microsoft Research.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Securing Critical Unattended Systems with Identity Based Cryptography A Case Study Johannes Blömer, Peter Günther University of Paderborn Volker Krummel.

Securing Critical Unattended Systems with Identity Based Cryptography A Case Study Johannes Blömer, Peter Günther University of Paderborn Volker Krummel.
Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.

Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Access Control & Digital Rights Management KAIST KSE Uichin Lee.

Access Control & Digital Rights Management KAIST KSE Uichin Lee.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.

YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Identity Based Encryption

Identity Based Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
1 Queries on Encrypted Data Dan Boneh Brent Waters Stanford UniversitySRI.

1 Queries on Encrypted Data Dan Boneh Brent Waters Stanford UniversitySRI.
CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.

1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Similar presentations

Ads by Google