Functional Encryption for Inner Product with Full Function Privacy - PowerPoint PPT Presentation

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint work with Pratish Datta and Ratna Dutta Department of Mathematics Indian Institute of Technology Kharagpur Kharagpur-721302 India PKC 2016 6–9th March, 2016

Outline Introduction 1 Preliminaries 2 Our PKFP-IPE Scheme 3 Security 4 Efficiency 5 Conclusion 6 6–9th March, 2016 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Functional Encryption and Secure Delegation of Computation In a functional encryption (FE) scheme for certain function family F , it is possible to derive functional keys sk f for any function f ∈ F from a master secret key. Any party given such a functional key sk f and a ciphertext ct z encrypt- ing some message z , should be able to learn f ( z ) and nothing beyond that about z . FE enables secure computation on private sensitive data outsourced to untrusted servers by remotely querying the server. 6–9th March, 2016 1 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Need of Function Privacy in Functional Encryption Assume that a health organization subscribes to a cloud service provider to store medical records of its patients. To ensure data confidentiality, the organization encrypts those records locally using an FE scheme prior to uploading them to the cloud server. Now, the health organization gives the cloud a functional key correspond- ing to the function that determines the names of the patients who are receiving treatment for some chronic disease. Say, after performing the assigned computation on the encrypted records using the given functional key, the cloud server obtains a list of patients that includes the name of a certain celebrity. If the cloud server also comes to know the functionality it has computed on the encrypted records yielding that list, it would at once understand that the particular celebrity is suffering from such a chronic disease and it might leak this information to the media, possibly for financial gain. 6–9th March, 2016 2 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Inner Product Functionality and its Applications y ∈ Z n A function ip # y ∈ IP p is associated with a vector # » p over the finite » field Z p , where p is a prime integer. On a message # x ∈ Z n » y ( # x ) = � # » x, # » » p , ip # y � modulo p . » Inner product is extremely useful functionality in the context of descrip- tive statistics, e.g., to compute the weighted mean of a collection of informations. Inner product enables computation of conjunctions, disjunctions, poly- nomial evaluations, and exact thresholds. 6–9th March, 2016 3 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Syntax of Private Key Function-Private Inner Product Encryption ( PKFP-IPE ) PKFP-IPE.Setup ( 1 λ , n ) → msk , pp p \{ # » x ∈ Z n PKFP-IPE.Encrypt ( msk , pp , # » 0 } ) → ct # » x p \{ # » y ∈ Z n PKFP-IPE.KeyGen ( msk , pp , # » 0 } ) → sk # » y y ) → � # x, # » » PKFP-IPE.Decrypt ( pp , ct # x , sk # y � » » 6–9th March, 2016 4 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Full-Hiding Security Model for PKFP-IPE Challenger ( C ) Adversary ( A ) Setup Runs PKFP-IPE.Setup pp Chooses c ∈ $ { 0 , 1 } Query Phase y ( j, 0) , � y ( j, 1) ) ( � sk � y ( j,c ) Runs PKFP-IPE.KeyGen x ( ℓ, 0) , � x ( ℓ, 1) ) ( � ct � x ( ℓ,c ) Runs PKFP-IPE.Encrypt x ( ℓ, 0) , � y ( j, 0) � = � � x ( ℓ, 1) , � y ( j, 1) �∀ j, ℓ � � Guess c ′ ∈ { 0 , 1 } AdvPKFP-IPE ( λ ) = | Pr [ c ′ = c ] − 1 / 2 | ≤ negl ( λ ) A 6–9th March, 2016 5 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Motivation y ( j, 0) , # y ( j, 1) ) The security framework of [BJK15] assumes that for all ( # » » x ( ℓ, 0) , # x ( ℓ, 1) ) with which the adversaries query the functional key and ( # » » generation and encryption oracles respectively, it holds that x ( ℓ, 0) , # y ( j, 0) � = � # x ( ℓ, 0) , # y ( j, 1) � = � # x ( ℓ, 1) , # y ( j, 0) � = � # x ( ℓ, 1) , # y ( j, 1) � � # » » » » » » » » which is a stronger requirement than the restriction imposed in full-hiding security model. Our goal is to develop function-private PKFP-IPE scheme whose security does not require any such extra restriction beyond that specified in the full-hiding security model. We attempt to build PKFP-IPE which is non-generic and uses efficient and standard primitives. [ BJK15 ] : Allison Bishop, Abhishek Jain, and Lucas Kowalczyk. ASIACRYPT 2015. 6–9th March, 2016 6 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Asymmetric Bilinear Pairing Group $ − G ABPG ( 1 λ ) An asymmetric bilinear pairing group ( p, G 1 , G 2 , G T , g 1 , g 2 , e ) ← is a tuple of a prime integer p ; cyclic multiplicative groups G 1 , G 2 , G T of order p each with polynomial- time computable group operations; generators g 1 ∈ G 1 , g 2 ∈ G 2 ; a polynomial-time computable pairing e : G 1 × G 2 → G T that satisfies s for all s, ˘ ( bilinearity ) e ( g s 1 , g ˘ 2 ) = e ( g 1 , g 2 ) s ˘ s s ∈ Z p and ( non-degeneracy ) e ( g 1 , g 2 ) � = 1 G T , where 1 G T denotes the identity element of the group G T . 6–9th March, 2016 7 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Dual Pairing Vector Spaces ( DPVS ) � n, ( p, G 1 , G 2 , G T , g 1 , g 2 , e ) � A DPVS ( p, V 1 , V 2 , G T , A 1 , A 2 , E ) ← G DPVS is a tuple of a prime integer p ; # » # » v + # # » w » n -dimensional vector space V h = G n v w h over Z p under g h ⊕ g h = g h h = g a # # » » v h , for h = 1 , 2 , where # v v , # » w ∈ Z n » and a ⊗ g p , and a ∈ Z p ; # » e i canonical bases A h = { g h } i =1 ,...,n of V h , for h = 1 , 2 , i − 1 n − i � �� � � �� � 0 , . . . , 0) ∈ Z n where # e i = ( » 0 , . . . , 0 , 1 , p ; a pairing E : V 1 × V 2 → G T defined by n � w � ∈ G T , # » # » e ( g v i 1 , g w i 2 ) = e ( g 1 , g 2 ) � # v , # » » v w E ( g 1 , g 2 ) = i =1 where # v , # » w ∈ Z n » p , that satisfies # v » 2 ) = E ( g s # # w » 1 , g ˘ v » s # w » v # » 2 ) s ˘ # w » s ( bilinearity ) E ( s ⊗ g 1 , ˘ s ⊗ g 2 ) = E ( g 1 , g w ∈ Z n for s, ˘ s ∈ Z p , # v , # » » p and # » # » v = # » v 2 ) = 1 G T for all # w w ∈ Z n » p , then # » ( non-degeneracy ) if E ( g 1 , g 0 . 6–9th March, 2016 8 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Dual orthonormal basis generator G OB ( Z n p ) $ 1 Choose B = ( b i,j ) i,j =1 ,...,n ← − GL ( n, Z p ) . 2 Compute B ∗ = ( b ∗ i,j ) i,j =1 ,...,n = ( B ⊺ ) − 1 . i represent the i -th rows of B and B ∗ respectively, for 3 Let, # » b i and # » b ∗ i = 1 , . . . , n . 4 Set B = { # b 1 , . . . , # » b n } and B ∗ = { # » » 1 , . . . , # » b ∗ b ∗ n } . 5 ( B , B ∗ ) are dual orthonormal in the sense that for i, i ′ = 1 , . . . , n , � if i = i ′ 1 , � # b i , # » » b ∗ i ′ � = 0 , otherwise 6 Return ( B , B ∗ ) . 6–9th March, 2016 9 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy

Introduction Preliminaries Our PKFP-IPE Scheme Security Efficiency Conclusion Construction PKFP-IPE.Setup ( 1 λ , n ) $ 1 ( p, G 1 , G 2 , G T , g 1 , g 2 , e ) − G ABPG ( 1 λ ) . ← � 4 n + 2 , ( p, G 1 , G 2 , G T , g 1 , g 2 , e ) � , 2 ( p, V 1 , V 2 , G T , A 1 , A 2 , E ) ← G DPVS � 6 , ( p, G 1 , G 2 , G T , g 1 , g 2 , e ) � . ( p, V ′ 1 , V ′ 2 , G T , A ′ 1 , A ′ 2 , E ′ ) ← G DPVS � B = { # � b 1 , . . . , # » b 4 n +2 } , B ∗ = { # » » 1 , . . . , # » $ b ∗ b ∗ − G OB ( Z 4 n +2 4 n +2 } ← ) , 3 p � D = { # � d 1 , . . . , # » d 6 } , D ∗ = { # » » 1 , . . . , # » $ d ∗ d ∗ − G OB ( Z 6 6 } ← p ) . B = { # b 1 , . . . , # » » b n , # » B ∗ = { # » 1 , . . . , # » n , # » 4 Define � b 4 n +2 } , � b ∗ b ∗ b ∗ 4 n +1 } , D = { # d 1 , # » » D ∗ = { # » 1 , # » � d 6 } , � d ∗ d ∗ 5 } . 5 Keep msk = ( � B , � B ∗ , � D , � D ∗ ) . � p, { V h , V ′ h } h =1 , 2 , E, E ′ � . h } h =1 , 2 , G T , { A h , A ′ Publish pp = 6–9th March, 2016 10 Sourav Mukhopadhyay FE for Inner Product with Full Function Privacy