FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal...
-
Upload
damion-hinsley -
Category
Documents
-
view
217 -
download
0
Transcript of FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal...
![Page 1: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/1.jpg)
FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION
Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian (UCLA), Manoj Prabhakaran (UIUC), Amit Sahai (UCLA).
![Page 2: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/2.jpg)
OUTLINE
Various encryption schemes: Public-key functional encryption, Private-key functional encryption, Property Preserving encryption.
Fairly new ideas, spend some time on each one. What they are? Our results.
Come back and discuss Public-key functional encryption in detail.
![Page 3: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/3.jpg)
PUBLIC KEY FUNCTIONAL ENC.
MSK, MPKAlice
MPK
MPK
MPK
ENC (m)
Julie
Bob
𝑓 ∈𝐹𝑆𝐾 𝑓 DEC ( ENC(m) )
= f(m)
𝑚∈𝑀
Trusted Authority
![Page 4: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/4.jpg)
PUBLIC KEY FUNCTIONAL ENC.First formally studied by Boneh, Sahai and Waters in 2011.
Encompasses well-known notions of encryption: Public-key encryption [DH76, RSA77, …], Identity-based encryption [Sha84, BF01, Coc01, BW06, GPV08],
Attribute-based encryption [SW05, GPSW06, GVW13, GGH+13],
Predicate encryption [KSW08, LOS+10, AFV11], Searchable encryption [BCOP04], etc .
Has been the subject of intense study in the recent past.
![Page 5: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/5.jpg)
OUR CONTRIBUTION
A new definition for Functional Encryption: Simulation based (real-ideal world), Provides both function and message hiding, Simple and intuitive.
First definition with the above features.
Construct a secure protocol in the generic group model. Practice: Security against a large class of attacks. Function family F: inner-product predicates.
![Page 6: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/6.jpg)
PRIVATE KEY FUNCTIONAL ENC.
SK
ENC (m1, SK)
ENC (m2, SK)
ENC (m3, SK)
𝑚1 ,𝑚2 ,𝑚3∈𝑀
for an
𝑓 (𝑚1 ) , 𝑓 (𝑚2 ) , 𝑓 (𝑚3)
Client
Server
![Page 7: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/7.jpg)
USE CASE
Client stores files on server by encrypting them.
Later the client wants all files with the keyword ‘urgent’. Client sends a key to the server.
Server applies decryption function to each file. Returns files for which output is 1 to the client.
Dec (, Enc. file) = 1 iff file contains the word ‘urgent’.
![Page 8: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/8.jpg)
PRIVATE KEY FUNCTIONAL ENC.
First studied by Shen, Shi and Waters in 2009 [SSW09].
SSW09 construct a secure protocol for inner-product predicates.
A new protocol that is better in several ways.
![Page 9: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/9.jpg)
AN IMPROVED PROTOCOL
SSW09 protocol Our protocol
Selective security Full security
Composite-order groups
Prime-order groups
Non-standard assumptions
Standard assumption
![Page 10: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/10.jpg)
OUR PROTOCOL
Derived from Okamoto and Takashima [OT12]. Symmetric nature of inner-product predicates.
Ways to transform a protocol with weaker properties into one with stronger properties [Fre10, Lew12]. No method can simultaneously solve all the three problems.
![Page 11: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/11.jpg)
PROPERTY PRESERVING ENCRYPTION
SKENC (m1, SK)
ENC (m2, SK)
Client
Server
Property :𝑀×𝑀→ {0,1}TEST(ENC(m1), ENC(m2))= P(m1, m2)
![Page 12: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/12.jpg)
USE CASE
Property: Given two files, which one comes before in alphabetical order.
Client stores files on server by encrypting them.
Later client wants to retrieve the file which comes first in alphabetical order. Server uses to compare encrypted files. Sorts the files in alphabetical order.
![Page 13: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/13.jpg)
PROPERTY PRESERVING ENCRYPTIONIntroduced by Pandey and Rouselakis in 2012 [PR12].
PR12 gives a protocol for the inner-product property.
We improve their protocol in two crucial ways.
Exploit connection b/n Private-key FE and PPE.
PR12 Our protocol
Composite-order groups Prime order groups
Generic group modelStandard model (DLIN assumption)
![Page 14: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/14.jpg)
PUBLIC-KEY FUNCTIONAL ENCRYPTION
![Page 15: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/15.jpg)
MSK, MPKAlice
MPK
MPK
MPK
ENC (m, MPK)
Julie
Adversary
𝑓 ∈𝐹𝑆𝐾 𝑓 DEC ( ENC(m) )
= f(m)
𝑚∈𝑀
Trusted Authority
![Page 16: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/16.jpg)
INDISTINGUISHABILITY BASED DEF.Message hiding: and s.t.
indistinguishable from .
Function hiding: and s.t. . indistinguishable from . By creating , , ,… compute or Could distinguish between and .
![Page 17: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/17.jpg)
SIMULATION BASED DEF.A new definition for Functional Encryption:Simulation based (real-ideal world),Provides both function and message hiding,Simple and intuitive.
Real world execution of a protocol is compared with an “Ideal” world.
Ideal world: Security requirements we want from our protocol.
![Page 18: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/18.jpg)
Real World Ideal World
Environment
Environment
MSK, MPKMPK
𝐸𝑛𝑐 (𝑚1)
𝑓 1
𝑆𝐾 𝑓 1
𝑚1𝑓 𝑘∈𝐹
𝑚𝑖∈𝑀
𝑚1 ,𝑚2 ,… ,𝑚𝑖− 1
𝑓 1 , 𝑓 2 ,…, 𝑓 𝑘−1,𝑚𝑖, 𝑓 𝑘
AdversaryTrusted Authority Oracle Simulator
…,𝑚𝑖
…, 𝑓 𝑘
…,𝐸𝑛𝑐 (𝑚𝑖)
…,𝑆𝐾 𝑓 𝑘
∀ 𝐴𝑑𝑣∃𝑆𝑖𝑚𝑅𝑒𝑎𝑙≈ 𝐼𝑑𝑒𝑎𝑙
![Page 19: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/19.jpg)
OUR SET-UP
Strong security definition.Cannot be realized in the standard model [BSW11, O’N11, BO12].
Adversary doesn’t exploit structure of the group. Generic group model: captures most real-world attacks.
Function family F: inner product predicates.Looking at some special cases of Functional Encryption.
Inner-product predicates capture those cases.
![Page 20: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/20.jpg)
IDENTITY BASED ENCRYPTIONID = {Bob, Alice, Mary, …} and .
.. if , and otherwise.
Authority gives secret key according to id Ex: Alice gets a SK for
Bob sends to Alice.Only Alice can obtain , using SK for .
![Page 21: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/21.jpg)
COMPLEX POLICIES
Complex policies like Head of Dept. OR (Faculty AND Security).
iff and satisfy the Boolean Expression .
![Page 22: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/22.jpg)
INNER-PRODUCT PREDICATES Powerful primitive:
Identity Based Encryption Complex Policies like Boolean Expressions
. .
if , and otherwise.
Given a key for we would be able to recover from an encryption only if .
![Page 23: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/23.jpg)
OUR PROTOCOL
A protocol for inner-product predicates in the Generic group model, which is secure under a strong simulation-based definition.
Two constructions Dual Pairing Vector Spaces (Okamoto and Takashima in 2008).
Secret Sharing.
The constructions have comparable efficiency. For vectors of length n, ciphertext and key of length 3n.
![Page 24: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/24.jpg)
CONCLUSION
A new powerful definition for Public-Key Functional Encryption. Protocol in the Generic group model.
Another definition Relax-SIM. Protocol in the standard model.
Improve protocols for Private-Key Functional Encryption and Property Preserving Encryption in various ways. First protocols under standard assumptions/model.
![Page 25: FUNCTIONAL ENCRYPTION & PROPERTY PRESERVING ENCRYPTION Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian.](https://reader037.fdocuments.net/reader037/viewer/2022103112/551a9c9c55034643688b6230/html5/thumbnails/25.jpg)
THANK YOU
Paper will soon be available on Eprint.