Functional Encryption: Deterministic to Randomized Functions from - - PowerPoint PPT Presentation

β–Ά
functional encryption deterministic
SMART_READER_LITE
LIVE PREVIEW

Functional Encryption: Deterministic to Randomized Functions from - - PowerPoint PPT Presentation

Sep 13, 2023 472 likes β€’1.47k views

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal David J. Wu Public-Key Functional Encryption [BSW11, ON10] () Keys are associated with deterministic functions sk

slide-1
SLIDE 1

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions

Shashank Agrawal David J. Wu

slide-2
SLIDE 2

Public-Key Functional Encryption [BSW11, O’N10]

Keys are associated with deterministic functions 𝑔

𝑦 𝑔(𝑦) sk𝑔

slide-3
SLIDE 3

Public-Key Functional Encryption [BSW11, O’N10]

Keys are associated with deterministic functions 𝑔

𝑛

𝑦 𝑔(𝑦) sk𝑔 sk𝑔

slide-4
SLIDE 4

Public-Key Functional Encryption [BSW11, O’N10]

Keys are associated with deterministic functions 𝑔

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛) 𝑦 𝑔(𝑦) sk𝑔 sk𝑔

slide-5
SLIDE 5

Public-Key Functional Encryption [BSW11, O’N10] Setup 1πœ‡ : Outputs (msk, mpk)

  • eyGen(msk, 𝑔): Outputs decryption key sk𝑔
  • Encrypt mpk, 𝑛 : Outputs ciphertext ct𝑛
  • Decrypt(sk𝑔, ct𝑛): Outputs 𝑔 𝑛
slide-6
SLIDE 6

Public-Key Functional Encryption [BSW11, O’N10] k 𝑔 𝑔𝑔 k 𝑔 k 𝑔 𝑙𝑑 𝑧𝑓𝑙 π‘œπ‘π‘—π‘’π‘žπ‘§π‘ π‘‘π‘“π‘’ π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ ∢ 𝑔𝑔) , ksm(neGyeSetup 1πœ‡ : Outputs (msk, mpk)

  • KeyGen(msk, 𝑔): Outputs decryption key sk𝑔
  • Encrypt mpk, 𝑛 : Outputs ciphertext ct𝑛
  • Decrypt(sk𝑔, ct𝑛): Outputs 𝑔 𝑛
slide-7
SLIDE 7

Public-Key Functional Encryption [BSW11, O’N10] ct 𝑛 ct 𝑛 𝑛𝑛𝑒 ct 𝑛 𝑑 π‘’π‘¦π‘“π‘’π‘ π‘“β„Žπ‘žπ‘—π‘‘ π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ 𝑛𝑛 mpk, 𝑛 ∢ , π‘™π‘ž mpk, 𝑛 π‘›π‘’π‘žπ‘§π‘ π‘‘π‘œ k 𝑔 𝑔𝑔 k 𝑔 k 𝑔 𝑙𝑑 𝑧𝑓𝑙 π‘œπ‘π‘—π‘’π‘žπ‘§π‘ π‘‘π‘“π‘’ π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ ∢ 𝑔𝑔) , ksm(neGyeSetup 1πœ‡ : Outputs (msk, mpk)

  • KeyGen(msk, 𝑔): Outputs decryption key sk𝑔
  • Encrypt mpk, 𝑛 : Outputs ciphertext ct𝑛
  • Encrypt mpk, 𝑛 : Outputs ciphertext ct𝑛
slide-8
SLIDE 8

Public-Key Functional Encryption [BSW11, O’N10] 𝑔𝑔 𝑛 𝑛𝑛 𝑛 π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ ∢ t 𝑛 𝑛𝑛 t 𝑛 ) t 𝑛 𝑒𝑑 k 𝑔 𝑔𝑔 k 𝑔 , k 𝑔 𝑙𝑑(π‘’π‘žπ‘§π‘ π‘‘π‘“ ct 𝑛 ct 𝑛 𝑛𝑛𝑒 ct 𝑛 𝑑 π‘’π‘¦π‘“π‘’π‘ π‘“β„Žπ‘žπ‘—π‘‘ π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ 𝑛𝑛 mpk, 𝑛 ∢ , π‘™π‘ž mpk, 𝑛 π‘›π‘’π‘žπ‘§π‘ π‘‘π‘œ k 𝑔 𝑔𝑔 k 𝑔 k 𝑔 𝑙𝑑 𝑧𝑓𝑙 π‘œπ‘π‘—π‘’π‘žπ‘§π‘ π‘‘π‘“π‘’ π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ ∢ 𝑔𝑔) , ksm(neGyeSetup 1πœ‡ : Outputs (msk, mpk)

  • KeyGen(msk, 𝑔): Outputs decryption key sk𝑔
  • Encrypt mpk 𝑛 : Outputs ciphertext ct
slide-9
SLIDE 9

Public-Key Functional Encryption [BSW11, O’N10] 𝑔𝑔 𝑛 𝑛𝑛 𝑛 π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ ∢ t 𝑛 𝑛𝑛 t 𝑛 ) t 𝑛 𝑒𝑑 k 𝑔 𝑔𝑔 k 𝑔 , k 𝑔 𝑙𝑑(π‘’π‘žπ‘§π‘ π‘‘π‘“π‘”π‘” 𝑛 𝑛𝑛 𝑛 π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ ∢ t 𝑛 𝑛𝑛 t 𝑛 ) t 𝑛 𝑒𝑑 k 𝑔 𝑔𝑔 k 𝑔 , k 𝑔 𝑙𝑑(π‘’π‘žπ‘§π‘ π‘‘π‘“ ct 𝑛 ct 𝑛 𝑛𝑛𝑒 ct 𝑛 𝑑 π‘’π‘¦π‘“π‘’π‘ π‘“β„Žπ‘žπ‘—π‘‘ π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ 𝑛𝑛 mpk, 𝑛 ∢ , π‘™π‘ž mpk, 𝑛 π‘›π‘’π‘žπ‘§π‘ π‘‘π‘œ k 𝑔 𝑔𝑔 k 𝑔 k 𝑔 𝑙𝑑 𝑧𝑓𝑙 π‘œπ‘π‘—π‘’π‘žπ‘§π‘ π‘‘π‘“π‘’ π‘‘π‘’π‘£π‘žπ‘’π‘£π‘ƒ ∢ 𝑔𝑔) , ksm(neGyeSetup 1πœ‡ : Outputs (msk, mpk)

slide-10
SLIDE 10

Public-Key Functional Encryption [BSW11, O’N10]

  • Setup 1πœ‡ : Outputs (msk, mpk)
  • KeyGen(msk, 𝑔): Outputs decryption key sk𝑔
  • Encrypt mpk, 𝑛 : Outputs ciphertext ct𝑛
  • Decrypt(sk𝑔, ct𝑛): Outputs 𝑔 𝑛

Deterministic function 𝑔

slide-11
SLIDE 11

Functional Encryption for Randomized Functionalities (rFE) [ABFGGTW13, GJKS15]

But what if 𝑔 is randomized? Many interesting functions are randomized

𝑦 𝑔(𝑦 ; 𝑠) 𝑠

slide-12
SLIDE 12

Application 1: Proxy Re-Encryption

Alice

slide-13
SLIDE 13

Application 1: Proxy Re-Encryption

Alice

slide-14
SLIDE 14

Application 1: Proxy Re-Encryption

Alice Alice

personal email

slide-15
SLIDE 15

Application 1: Proxy Re-Encryption

Alice Alice

personal email work email

Secretary

slide-16
SLIDE 16

Application 1: Proxy Re-Encryption

Alice Alice

personal email work email

Secretary

Mail server has functional key to re-encrypt message under secretary’s public key

slide-17
SLIDE 17

Application 2: Auditing an Encrypted Database

slide-18
SLIDE 18

Application 2: Auditing an Encrypted Database

Encrypted database of records

𝑠

1

𝑠2 𝑠3 𝑠

4

𝑠5 𝑠6

slide-19
SLIDE 19

Application 2: Auditing an Encrypted Database

Encrypted database of records

𝑠

1

𝑠2 𝑠3 𝑠

4

𝑠5 𝑠6

Sample a random subset to audit

slide-20
SLIDE 20

Application 2: Auditing an Encrypted Database

Encrypted database of records

𝑠

1

𝑠2 𝑠3 𝑠

4

𝑠5 𝑠6

Sample a random subset to audit

𝑠2 𝑠6

slide-21
SLIDE 21

Does Public-Key rFE Exist?

slide-22
SLIDE 22

Does Public-Key rFE Exist?

iO General- Purpose rFE

[GJKS15] (selectively secure)

slide-23
SLIDE 23

Public-Key Functional Encryption [BSW11, O’N10]

Can be instantiated from a wide range of assumptions

slide-24
SLIDE 24

Public-Key Functional Encryption [BSW11, O’N10]

PKE / LWE Bounded- Collusion FE

[SS10, GVW12, GKPVZ13, …]

Can be instantiated from a wide range of assumptions

slide-25
SLIDE 25

Public-Key Functional Encryption [BSW11, O’N10]

PKE / LWE Bounded- Collusion FE Multilinear Maps / iO General- Purpose FE

[SS10, GVW12, GKPVZ13, …] [GGHRSW13, Wat15, GGHZ16, …]

Can be instantiated from a wide range of assumptions

slide-26
SLIDE 26

The Landscape of (Public-Key) Functional Encryption

PKE / LWE Bounded- Collusion FE Multilinear Maps / iO General- Purpose FE Generally adaptively secure Deterministic functionalities

[SS10, GVW12, …] [GGHRSW13, GGHZ16, … ]

slide-27
SLIDE 27

The Landscape of (Public-Key) Functional Encryption

PKE / LWE Bounded- Collusion FE Multilinear Maps / iO General- Purpose FE Generally adaptively secure iO General- Purpose rFE Selectively secure Deterministic functionalities Randomized functionalities

[SS10, GVW12, …] [GGHRSW13, GGHZ16, … ] [GJKS15]

slide-28
SLIDE 28

PKE / LWE Multilinear Maps / iO General- Purpose rFE

The Landscape of (Public-Key) Functional Encryption Does extending FE to support randomized functionalities require much stronger tools?

slide-29
SLIDE 29

Our Main Result

General-purpose FE for deterministic functionalities

slide-30
SLIDE 30

Our Main Result

General-purpose FE for deterministic functionalities

Number Theory

(e.g., DDH, RSA)

General-purpose FE for randomized functionalities

slide-31
SLIDE 31

Our Main Result

General-purpose FE for deterministic functionalities

Number Theory

(e.g., DDH, RSA)

General-purpose FE for randomized functionalities Implication: randomized FE is not much more difficult to construct than standard FE.

slide-32
SLIDE 32

Defining rFE

slide-33
SLIDE 33

Correctness for FE

Deterministic functions

slide-34
SLIDE 34

Correctness for FE

Deterministic functions

𝑛

sk𝑔

slide-35
SLIDE 35

Correctness for FE

Deterministic functions

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛) sk𝑔

slide-36
SLIDE 36

Correctness for rFE [ABFGGTW13, GJKS15]

Randomized functions

slide-37
SLIDE 37

Correctness for rFE [ABFGGTW13, GJKS15]

Randomized functions

𝑛

sk𝑔

slide-38
SLIDE 38

Correctness for rFE [ABFGGTW13, GJKS15]

Randomized functions

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛 ; 𝑠) sk𝑔

slide-39
SLIDE 39

Correctness for rFE [ABFGGTW13, GJKS15]

Randomized functions

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛 ; 𝑠) sk𝑔

𝑛′

Different ciphertexts

slide-40
SLIDE 40

Correctness for rFE [ABFGGTW13, GJKS15]

Randomized functions

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛 ; 𝑠) sk𝑔

𝑛′

sk𝑔 Same function key Different ciphertexts

slide-41
SLIDE 41

Correctness for rFE [ABFGGTW13, GJKS15]

Randomized functions

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛 ; 𝑠) sk𝑔

𝑛′

Decrypt(sk𝑔, ct𝑛′)

𝑔(𝑛′; 𝑠′) sk𝑔 Same function key Different ciphertexts

Independent draws from output distribution

slide-42
SLIDE 42

Correctness for rFE [ABFGGTW13, GJKS15]

Randomized functions

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛 ; 𝑠) sk𝑔

𝑛

Decrypt(sk𝑔′, ct𝑛)

𝑔′(𝑛 ; 𝑠′) sk𝑔′ Different function keys Same ciphertexts

Independent draws from output distribution

slide-43
SLIDE 43

Simulation-Based Security (Informally)

Real World: honestly generated ciphertexts and secret keys

𝑛

msk

𝑔 𝑛 sk𝑔

slide-44
SLIDE 44

Simulation-Based Security (Informally)

Real World: honestly generated ciphertexts and secret keys Ideal World: simulated ciphertexts and secret keys

𝑛

sk𝑔 𝑔 𝑔(𝑛)

𝑛

msk

𝑔 𝑛 sk𝑔

slide-45
SLIDE 45

Encrypted database of records

𝑠

1

𝑠2 𝑠3 𝑠

4

𝑠5 𝑠6

Sample a random subset to audit

𝑠2 𝑠6

The Case for Malicious Encrypters [GJKS15]

slide-46
SLIDE 46

Encrypted database of records

𝑠

1

𝑠2 𝑠3 𝑠

4

𝑠5 𝑠6

Sample a random subset to audit

𝑠2 𝑠6

What if encrypter (bank) is adversarial? The Case for Malicious Encrypters [GJKS15]

slide-47
SLIDE 47

Randomized functionalities

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛 ; 𝑠) sk𝑔

𝑛′

Decrypt(sk𝑔, ct𝑛′)

𝑔(𝑛′; 𝑠) sk𝑔

Dishonest encrypters can construct β€œbad” ciphertexts such that decryption produces correlated outputs

The Case for Malicious Encrypters [GJKS15]

slide-48
SLIDE 48

Randomized functionalities

𝑛

Decrypt(sk𝑔, ct𝑛)

𝑔(𝑛 ; 𝑠) sk𝑔

𝑛′

Decrypt(sk𝑔, ct𝑛′)

𝑔(𝑛′; 𝑠) sk𝑔

Formally captured by giving adversary access to a decryption

  • racle (like in the CCA-security

game). [See paper for details.]

The Case for Malicious Encrypters [GJKS15]

slide-49
SLIDE 49

Our Generic Transformation

slide-50
SLIDE 50

Starting Point: Derandomization

Starting point: construct β€œderandomized function” where randomness for 𝑔 derived from outputs of a PRF

Randomized functionality

𝑦 𝑔(𝑦 ; 𝑠) 𝑠

slide-51
SLIDE 51

Starting Point: Derandomization

𝑦 𝑔 𝑦 ; PRF 𝑙, 𝑦 𝑙

Randomized functionality Derandomized functionality

𝑦 𝑔(𝑦 ; 𝑠) 𝑠

Randomized function 𝑔 Derandomized function 𝑕𝑙: 𝑕𝑙 𝑦 = 𝑔 𝑦 ; PRF 𝑙, 𝑦

slide-52
SLIDE 52

Starting Point: Derandomization

  • rFE. KeyGen(msk, 𝑔)
slide-53
SLIDE 53

Starting Point: Derandomization

  • rFE. KeyGen(msk, 𝑔)
  • FE. KeyGen(msk, 𝑕𝑙)

𝑙

R 𝒧

𝑕𝑙 𝑦 = 𝑔 𝑦 ; PRF 𝑙, 𝑦

slide-54
SLIDE 54

Starting Point: Derandomization

sk𝑕𝑙

  • rFE. KeyGen(msk, 𝑔)
  • FE. KeyGen(msk, 𝑕𝑙)

𝑙

R 𝒧

𝑕𝑙 𝑦 = 𝑔 𝑦 ; PRF 𝑙, 𝑦

slide-55
SLIDE 55

Starting Point: Derandomization

sk𝑕𝑙

  • rFE. KeyGen(msk, 𝑔)
  • FE. KeyGen(msk, 𝑕𝑙)

But in public- key setting, keys do not hide the function! 𝑙

R 𝒧

𝑕𝑙 𝑦 = 𝑔 𝑦 ; PRF 𝑙, 𝑦

slide-56
SLIDE 56

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

slide-57
SLIDE 57

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext PRF key 𝑙

slide-58
SLIDE 58

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext PRF key 𝑙

𝑙1 𝑙2

Secret-share the PRF key

slide-59
SLIDE 59

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext PRF key 𝑙

𝑙1 𝑙2

Key share in ciphertext Secret-share the PRF key

slide-60
SLIDE 60

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext PRF key 𝑙

𝑙1 𝑙2

Key share in ciphertext Secret-share the PRF key Key share in function key

slide-61
SLIDE 61

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

  • rFE. Encrypt(mpk, 𝑛)
slide-62
SLIDE 62

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1

𝑙1

R 𝒧

slide-63
SLIDE 63

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1

𝑙1

R 𝒧

(𝑛, 𝑙1)

slide-64
SLIDE 64

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

  • rFE. KeyGen(msk, 𝑔)
slide-65
SLIDE 65

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

  • rFE. KeyGen(msk, 𝑔)

𝑙2

R 𝒧

slide-66
SLIDE 66

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

  • rFE. KeyGen(msk, 𝑔)
  • FE. KeyGen msk, 𝑕𝑙2

𝑙2

R 𝒧

sk𝑕𝑙2

𝑕𝑙2 𝑛, 𝑙1 = 𝑔(𝑛 ; PRF(𝑙1 β‹„ 𝑙2, 𝑛)

slide-67
SLIDE 67

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

  • rFE. KeyGen(msk, 𝑔)
  • FE. KeyGen msk, 𝑕𝑙2

𝑙2

R 𝒧

sk𝑕𝑙2

𝑕𝑙2 𝑛, 𝑙1 = 𝑔(𝑛 ; PRF(𝑙1 β‹„ 𝑙2, 𝑛) Some operation to combine shares of key

slide-68
SLIDE 68

How to Hide the Key?

Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext

  • rFE. KeyGen(msk, 𝑔)
  • FE. KeyGen msk, 𝑕𝑙2

𝑙2

R 𝒧

sk𝑕𝑙2

𝑕𝑙2 𝑛, 𝑙1 = 𝑔(𝑛 ; PRF(𝑙1 β‹„ 𝑙2, 𝑛) Encrypter controls 𝑙1 so we need related- key security

slide-69
SLIDE 69

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1

𝑙1

R 𝒧

(𝑛, 𝑙1)

slide-70
SLIDE 70

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1

𝑙1

R 𝒧

(𝑛, 𝑙1)

Encrypter can choose the key- share

slide-71
SLIDE 71

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1

𝑙1

R 𝒧

(𝑛, 𝑙1)

Encrypter can choose the key- share

Cannot influence

  • utput distribution

due to RKA-security

slide-72
SLIDE 72

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1

𝑙1

R 𝒧

(𝑛, 𝑙1)

Encrypter can choose the key- share Encrypter can choose the randomness

Cannot influence

  • utput distribution

due to RKA-security

slide-73
SLIDE 73

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1

𝑙1

R 𝒧

(𝑛, 𝑙1)

Encrypter can choose the key- share Encrypter can choose the randomness

Cannot influence

  • utput distribution

due to RKA-security Potentially problematic

slide-74
SLIDE 74

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

slide-75
SLIDE 75

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

  • FE. Encrypt mpk, 𝑛, 𝑙1
slide-76
SLIDE 76

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

  • FE. Encrypt mpk, 𝑛, 𝑙1

(𝑛, 𝑙1) (𝑛, 𝑙1)

Run encryption algorithm twice with different randomness

slide-77
SLIDE 77

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

  • FE. Encrypt mpk, 𝑛, 𝑙1

(𝑛, 𝑙1) (𝑛, 𝑙1)

Two distinct FE ciphertexts encrypting the same message Run encryption algorithm twice with different randomness

slide-78
SLIDE 78

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

(𝑛, 𝑙1) (𝑛, 𝑙1)

slide-79
SLIDE 79

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

(𝑛, 𝑙1) (𝑛, 𝑙1)

Reality: Decryption always produces same output

slide-80
SLIDE 80

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

(𝑛, 𝑙1) (𝑛, 𝑙1)

Reality: Decryption always produces same output Desired: Two different ciphertexts, so should produces independent outputs

slide-81
SLIDE 81

Security Against Dishonest Encrypters

Encrypter has a lot of flexibility in constructing ciphertexts:

(𝑛, 𝑙1) (𝑛, 𝑙1)

Reality: Decryption always produces same output Desired: Two different ciphertexts, so should produces independent outputs Encrypter has too much freedom in constructing ciphertexts

slide-82
SLIDE 82

Applying Deterministic Encryption

Key observation: honestly generated ciphertexts have high entropy

slide-83
SLIDE 83

Applying Deterministic Encryption

Key observation: honestly generated ciphertexts have high entropy

(𝑛, 𝑙1)

Should be random PRF key – high entropy!

slide-84
SLIDE 84

Applying Deterministic Encryption

Key observation: honestly generated ciphertexts have high entropy

(𝑛, 𝑙1)

Derive encryption randomness from 𝑙1 and include a NIZK argument that ciphertext is well-formed

Should be random PRF key – high entropy!

slide-85
SLIDE 85

Putting the Pieces Together

  • rFE. Encrypt(mpk, 𝑛)
slide-86
SLIDE 86

Putting the Pieces Together

  • rFE. Encrypt(mpk, 𝑛)

𝑙1

R 𝒧

slide-87
SLIDE 87

Putting the Pieces Together

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1 ; β„Ž(𝑙1)

𝑙1

R 𝒧

Randomness for FE encryption derived from deterministic function on 𝑙1

slide-88
SLIDE 88

Putting the Pieces Together

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1 ; β„Ž(𝑙1)

𝑙1

R 𝒧

𝜌

NIZK argument of knowledge of (𝑛, 𝑙1) that explains ciphertext Randomness for FE encryption derived from deterministic function on 𝑙1

[See paper for full details.]

slide-89
SLIDE 89

Putting the Pieces Together

  • rFE. Encrypt(mpk, 𝑛)
  • FE. Encrypt mpk, 𝑛, 𝑙1 ; β„Ž(𝑙1)

𝑙1

R 𝒧

𝜌 Ciphertext is a deterministic function

  • f 𝑛, 𝑙1 so for any distinct pairs

(𝑛, 𝑙1), (𝑛′, 𝑙1

β€²), outputs of PRF

uniform and independently distributed by RKA-security

[See paper for full details.]

slide-90
SLIDE 90

Our Transformation in a Nutshell

Simulation- secure FE

slide-91
SLIDE 91

Our Transformation in a Nutshell

Simulation- secure FE DDH + RSA

NIZK arguments RKA- secure PRF deterministic encryption

slide-92
SLIDE 92

Our Transformation in a Nutshell

Simulation- secure FE DDH + RSA

NIZK arguments RKA- secure PRF deterministic encryption

Simulation- secure rFE

slide-93
SLIDE 93

Our Transformation in a Nutshell

Simulation- secure FE DDH + RSA

NIZK arguments RKA- secure PRF deterministic encryption

Simulation- secure rFE

Security properties of underlying FE scheme is preserved (e.g., adaptive security)

slide-94
SLIDE 94

The State of (Public-Key) Functional Encryption

PKE / LWE Bounded- Collusion FE Multilinear Maps / iO General- Purpose FE Generally adaptively secure iO General- Purpose rFE Selectively secure Deterministic functionalities Randomized functionalities

[SS10, GVW12, …] [GGHRSW13, GGHZ16, … ] [GJKS15]

slide-95
SLIDE 95

The State of (Public-Key) Functional Encryption

PKE / LWE Bounded- Collusion FE Multilinear Maps / iO General- Purpose FE

[SS10, GVW12, …] [GGHRSW13, GGHZ16, … ]

Bounded- Collusion rFE General- Purpose rFE

Number-theoretic assumptions

Adaptively secure against malicious encrypters! This work

slide-96
SLIDE 96

Open Questions

More direct / efficient constructions of rFE for simpler classes of functionalities (e.g., sampling random entries from a vector)?

slide-97
SLIDE 97

Open Questions

More direct / efficient constructions of rFE for simpler classes of functionalities (e.g., sampling random entries from a vector)? Generic construction of rFE from FE without making additional assumptions?

slide-98
SLIDE 98

Open Questions

More direct / efficient constructions of rFE for simpler classes of functionalities (e.g., sampling random entries from a vector)? Generic construction of rFE from FE without making additional assumptions? Generic transformation for indistinguishability-based notions of security?

slide-99
SLIDE 99

Open Questions

More direct / efficient constructions of rFE for simpler classes of functionalities (e.g., sampling random entries from a vector)? Generic construction of rFE from FE without making additional assumptions? Generic transformation for indistinguishability-based notions of security?

Thank you!

http://eprint.iacr.org/2016/482