Functional Encryptions and Cloudy Applications: Function on a Cloudy Day

Giuseppe Persiano, Dipartimento di Informatica, Università di Salerno, giuper@dia.unisa.it

Crypto for 2020, January 23, 2013, Tenerife, Spain


SLIDE 12

Secure Remote Storage

The Cloud has huge storage capability and can be accessed from anywhere. We consider the simple case of a Data Owner (DOwner) storing his data on an Untrusted Storage (UStorage).

DOwner can assume:

◮ UStorage does not destroy the data (enforce using Duplication);
◮ UStorage does not modify data (enforce using Authentication Code);
◮ UStorage does not read the data (enforce using Encryption).

SLIDE 13

Secure Remote Storage

In the beginning is the Data

| First Name | Last Name | Affiliation |
|---|---|---|
| Kenny | Paterson | RHUL |
| Giuseppe | Persiano | SAL |
| François-Xavier | Standaert | UCL |
| Joan | Daeman | STM |
| Peter | Roumbots | NXP |
| Bart | Preneel | KUL |
| Dan | Bernstein | UIC |

SLIDE 16

Secure Remote Storage

Encrypt and obtain

| First Name | Last Name | Affiliation |
|---|---|---|
| E(PK,Kenny) | E(PK,Paterson) | E(PK,RHUL) |
| E(PK,Giuseppe) | E(PK,Persiano) | E(PK,SAL) |
| E(PK,François-Xavier) | E(PK,Standaert) | E(PK,UCL) |
| E(PK,Joan) | E(PK,Daeman) | E(PK,STM) |
| E(PK,Peter) | E(PK,Roumbots) | E(PK,NXP) |
| E(PK,Bart) | E(PK,Preneel) | E(PK,KUL) |
| E(PK,Dan) | E(PK,Bernstein) | E(PK,UIC) |

Authenticate by using MAC.

Disperse by using data replication algorithm.

SLIDE 23

Searching for data on a UStorage

Want all persons from STM

1. Download the data using the retrieve algorithm;
2. Check it has not been modified;
3. Decrypt the whole table;
4. Execute the query;

Not really what we want

1. We need to locally store the table.
2. We might not have enough local storage, that’s why we resorted to the UStorage.
3. Question: can we ask the UStorage to perform the search for us?
4. Answer 1: give UStorage the decryption key. Why did we encrypt?
5. Answer 2: not with the current encryption schemes.

SLIDE 24

Functional Encryption – Syntax

Functionality F : M × K → {0, 1}

A Functional Encryption scheme for F is a tuple of 4 efficient and probabilistic algorithms: (Setup, KeyGen, Encrypt, Eval)

Functional Encryption Scheme

1. Setup(1^λ) outputs public and master secret keys (fPK, fSK) for security parameter λ
2. KeyGen(fSK, k) outputs token Tok_k for k ∈ K
3. Encrypt(fPK, m) outputs ciphertext CT for plaintext m ∈ M
4. Eval(fPK, CT, Tok_k) outputs F(m, k)

SLIDE 25

Delegating decryption

1. Alice generates master secret key fSK and master public key fPK;
2. Alice publishes fPK;
3. Bob has a private message m for Alice;
   ◮ Bob computes Encrypt(fPK, (m, private));
4. Dean has a work message m′ for Alice;
   ◮ Dean computes Encrypt(fPK, (m′, work));
5. Alice gives key for work to secretary (needs fSK for that);
6. Alice keeps key for private for herself (needs fSK for that).

SLIDE 26

Let F be the functionality defined as

F((FN, LN, A), (FN′, LN′, A′)) = 1 iff (FN = FN′ ∨ FN′ = ⋆) ∧ (LN = LN′ ∨ LN′ = ⋆) ∧ (A = A′ ∨ A′ = ⋆)

SLIDE 27

The new encrypted table

| First Name | Last Name | Affiliation | Tag |
|---|---|---|---|
| E(PK,Kenny) | E(PK,Paterson) | E(PK,RHUL) | E(fPK,(K,P,R)) |
| E(PK,Giuseppe) | E(PK,Persiano) | E(PK,SAL) | E(fPK,(G,P,S)) |
| E(PK,François-Xavier) | E(PK,Standaert) | E(PK,UCL) | E(fPK,(F,S,U)) |
| E(PK,Joan) | E(PK,Daeman) | E(PK,STM) | E(fPK,(J,D,S)) |
| E(PK,Peter) | E(PK,Roumbots) | E(PK,NXP) | E(fPK,(P,R,N)) |
| E(PK,Bart) | E(PK,Preneel) | E(PK,KUL) | E(fPK,(B,P,K)) |
| E(PK,Dan) | E(PK,Bernstein) | E(PK,UIC) | E(fPK,(D,B,U)) |

SLIDES 28-33

Functional Encryption

The new SELECT procedure

1. DOwner computes key Tok with attribute (⋆, ⋆, STM) and sends it to UStorage;
2. UStorage evals:
   ◮ Tag0 = E(fPK, (Kenny,Paterson,RHUL)) with Tok and obtains F((Kenny,Paterson,RHUL), (⋆, ⋆, STM)) = 0. Row is not selected.
   ◮ Tag3 = E(fPK, (Joan,Daeman,STM)) with Tok and obtains F((Joan,Daeman,STM), (⋆, ⋆, STM)) = 1. Row is selected.
   ◮ Tag6 = E(fPK, (Dan,Bernstein,UIC)) with Tok and obtains F((Dan,Bernstein,UIC), (⋆, ⋆, STM)) = 0. Row is not selected.
3. UStorage sends selected rows to DOwner.
4. DOwner decrypts the received rows.

SLIDE 35

Hidden Vector Encryption

The Match functionality

Plaintexts are vectors x of length ℓ over alphabet Σ.
Keys are vectors y of length ℓ over alphabet Σ_⋆ = Σ ∪ {⋆}.
Functionality Match(x, y) is true if and only if x = (x_1, . . . , x_ℓ) and y = (y_1, . . . , y_ℓ) agree in all positions i for which y_i ≠ ⋆.

If the pattern vectors are y ∈ Σ^ℓ, we have the original notion of searchable encryption.

SLIDE 37

Known Constructions

Pairing (symmetric version)

multiplicative groups G and G_T of order p;
non-degenerate pairing function e : G × G → G_T;
◮ for all x ∈ G, x ≠ 1, and a, b ∈ Z_p, e(x, x) ≠ 1 and e(x^a, x^b) = e(x, x)^{ab}.

Constructions

Boneh and Waters [TCC 07] gave a construction based on complexity assumption for pairing with composite order group;
Iovino and P. [Pairing 08] gave a construction for prime order groups;
BW needs about 1024-bit moduli. For IP we can use 160-bit moduli.
Size of token linear in number of non-⋆ entries.

SLIDE 38

Implementation

Implementation uses:

1. PBC: Pairing Based Cryptography Library, http://crypto.stanford.edu/pbc/, for basic pairing and elliptic curves computation. Written in C.
2. jPBC: Java Pairing Based Cryptography Library, http://gas.dia.unisa.it/projects/jpbc/
   1. a Java Porting of the PBC library;
   2. a Java Wrapper of the PBC library;

Three versions tested:

1. jPBC: uses the Java porting of the PBC library;
2. jPBC+precomputation: uses the Java porting of the PBC library but with precomputation;
3. jPBC+PBC+precomputation: uses the Java Wrapper (low level computation delegated to more efficient PBC C code) and precomputation.

SLIDE 39

Parameters

Curve

Supersingular curve y^2 = x^3 + x over the field F_q for some prime q ≡ 3 mod 4. (Type A symmetric pairings)
The order p is a prime factor of q + 1.

q = 11125161897383546956606236817797092168383228237984041161989197083074850468002600867052211798564753991114254524050414866145727834858675222143950902758166111 (512 bit)
r = 730750818665451459101842416358141509827966795777 (160 bit)

SLIDE 40

Experimental setup

Model Name: iMac
Model Identifier: iMac8.1
Processor Name: Intel Core 2 Duo
Processor Speed: 2.66 GHz
Number Of Processors: 1
Total Number of Cores: 2
L2 Cache: 6 MB
Memory: 4GB
Bus Speed: 1.07 GHz

SLIDE 41

[Plot: Time to compute an encryption. Axes: Milliseconds, # Attributes. Series: jPBC no pre-computation; jPBC with pre-computation; jPBC-PBC with pre-computation.]

SLIDE 42

[Plot: Time to generate a search key. Axes: Milliseconds, # Attributes. Series: jPBC no pre-computation; jPBC with pre-computation; jPBC-PBC with pre-computation.]

SLIDE 43

[Plot: Time to test a ciphertext against a search key. Axes: Milliseconds, # Attributes. Series: jPBC no pre-computation; jPBC with pre-computation; jPBC-PBC with pre-computation.]

SLIDE 44

[Plot: jPBC-PBC with pre-processing. Axes: Milliseconds, # Attributes. Series: KeyGen; Pre-Processing; Test.]

SLIDE 45

The Pink Floyd experiment

Encrypting the Data

say you have the complete Pink Floyd discography in MP3
each of the 500+ songs has attribute song title, song album, year
encrypt each file using AES
tag each song with 47 bits
◮ 20 bits for hash of song title concatenated with a password
◮ 20 bits for hash of album title concatenated with a password
◮ 7 bits for year
encrypt tags using HVE

SLIDE 46

The Pink Floyd experiment

Searching the data

generating the HVE token for the search
◮ the attribute of the token needed for searching a song title has 160 non-⋆ entries
◮ the attribute of the token needed for searching an album title has 160 non-⋆ entries
◮ the attribute of the token needed for searching by year has 8 non-⋆ entries
implemented for Android 2.3 (Gingerbread)
HTC Desire HD, 1GHz, 768MB
token generation about 2sec, 448 bytes
search takes about 0.033 per file
real bottleneck, linear time search on server
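The 47-bit tag layout from the "Encrypting the Data" slide combined with the Match functionality, as an added Python example that is not the authors' jPBC code: it models only the plaintext functionality (which rows a token selects and how many non-⋆ entries it carries), not the pairing-based encryption. SHA-256 as the hash, the year stored as an offset from 1900, all function names, and the sample songs and password are assumptions constructed for illustration.

```python
# Added example (not from the slides): plaintext model of Match over the
# 47-bit song tags. It computes only the bit the server learns per tag;
# the HVE encryption that hides x (pairings via PBC/jPBC) is NOT modelled.
import hashlib

STAR = None                                   # the wildcard ⋆
TITLE_BITS, ALBUM_BITS, YEAR_BITS = 20, 20, 7
BASE_YEAR = 1900                              # assumption: year kept as an offset


def to_bits(value, width):
    """Big-endian list of `width` bits of a non-negative integer."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def hash_bits(text, password, width):
    """First `width` bits of SHA-256(text || password).
    Assumption: the slides do not say which hash function was used."""
    digest = hashlib.sha256((text + password).encode("utf-8")).digest()
    return to_bits(int.from_bytes(digest, "big") >> (256 - width), width)


def year_bits(year):
    offset = year - BASE_YEAR
    if not 0 <= offset < 2 ** YEAR_BITS:
        raise ValueError("year does not fit in 7 bits")
    return to_bits(offset, YEAR_BITS)


def make_tag(title, album, year, password):
    """Plaintext vector x in {0,1}^47 that would then be encrypted with HVE."""
    return (hash_bits(title, password, TITLE_BITS)
            + hash_bits(album, password, ALBUM_BITS)
            + year_bits(year))


def make_pattern(password, title=None, album=None, year=None):
    """Key vector y in {0,1,⋆}^47: every field not searched on is all ⋆."""
    y = hash_bits(title, password, TITLE_BITS) if title is not None else [STAR] * TITLE_BITS
    y += hash_bits(album, password, ALBUM_BITS) if album is not None else [STAR] * ALBUM_BITS
    y += year_bits(year) if year is not None else [STAR] * YEAR_BITS
    return y


def non_star(y):
    """Number of non-⋆ entries; token size is linear in this count."""
    return sum(1 for yi in y if yi is not STAR)


def match(x, y):
    """Match(x, y): x and y agree wherever y_i is not ⋆."""
    if len(x) != len(y):
        raise ValueError("x and y must have the same length")
    return all(yi is STAR or xi == yi for xi, yi in zip(x, y))


def select(tags, y):
    """The linear scan the server performs: one Match evaluation per tag."""
    return [i for i, x in enumerate(tags) if match(x, y)]


def expected_false_positives(n_rows, hashed_bits):
    """Expected number of unrelated rows returned by one query that fixes
    `hashed_bits` hash bits; the client must filter these after decryption."""
    return (n_rows - 1) / 2 ** hashed_bits


# Constructed sample data (password and rows are illustrative only).
PASSWORD = "sample-password"
SONGS = [
    ("Time", "The Dark Side of the Moon", 1973),
    ("Money", "The Dark Side of the Moon", 1973),
    ("Wish You Were Here", "Wish You Were Here", 1975),
    ("Comfortably Numb", "The Wall", 1979),
    ("Echoes", "Meddle", 1971),
]
TAGS = [make_tag(t, a, y, PASSWORD) for t, a, y in SONGS]

if __name__ == "__main__":
    by_album = make_pattern(PASSWORD, album="The Dark Side of the Moon")
    by_year = make_pattern(PASSWORD, year=1979)
    print("album query:", select(TAGS, by_album), "non-star:", non_star(by_album))
    print("year query: ", select(TAGS, by_year), "non-star:", non_star(by_year))
    print("expected false positives, 500 songs, 20-bit hash:",
          expected_false_positives(500, 20))
```

Because the title and album fields are 20-bit hashes, a query can return rows that collide with the searched value, so the client still checks the decrypted rows.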

SLIDE 47

Future work

Current implementation by Angelo De Caro and Angelo Capo.
more code optimization
Dropbox-like user interface
Map-Reduce to save time on search and to use current existing commercial cloud storage (hadoop)
different types of pairings
◮ the scheme can be implemented with asymmetric pairing.

SLIDE 48

Recent related work

CryptDB project at MIT

SQL over encrypted data
security against untrusted DB administrator
26% overhead for standard benchmarks
only exact searches (no ⋆)
uses also order preserving encryption and deterministic encryption

SLIDE 49

Let us do some Theory

SLIDE 50

Secure Encryption Scheme

Informal: An encryption scheme is secure: An adversary, who knows the encryption algorithm and is given the ciphertext, cannot obtain any information about the cleartext.

S. Goldwasser and S. Micali:
Probabilistic Encryption and How To Play Mental Poker, STOC ’82
Probabilistic Encryption, JCSS ’84

SLIDE 51

Secure Functional Encryption Scheme

Informal: An encryption scheme is secure: An adversary, who knows the encryption algorithm and is given the ciphertext and some tokens, cannot obtain any information about the cleartext except what can be computed through the tokens.

SLIDE 60

Security notions for Functional Encryption

in Crypto we have two ways of defining security: through Games or through Simulation
sometimes the two notions coincide and the world is boring
sometimes they do not and the world is very exciting
in the exciting world,
◮ Simulation is stronger than Games
◮ Game-based constructions are easier
◮ sometimes there is an unreasonable trick to turn Games-based secure constructions into Simulation-based secure constructions

The world of functional encryption is very exciting

SLIDE 61

Game-based Security Notion

Security Game with security parameter λ

1. C generates (pk, SK) ← Setup(1^λ) and sends pk to A;
2. A asks for tokens Tok_{k_1}, Tok_{k_2}, . . . , Tok_{k_{q_1}} for F(k_1, ·), . . . , F(k_{q_1}, ·).
3. A outputs two messages m_0 and m_1 of the same length;
4. C picks b ∈ {0, 1} at random, computes CT = Encrypt(pk, m_b) and sends CT to A;
5. A asks for tokens Tok_{k_{q_1+1}}, . . . , Tok_{k_q} for F(k_{q_1+1}, ·), . . . , F(k_q, ·).
6. A outputs b′;

SLIDE 62

Game-based Security Notion

Definitions

1. A wins if b = b′ and F(k_i, m_0) = F(k_i, m_1), i = 1, . . . , q
2. A breaks (Setup, KeyGen, Encrypt, Eval) if A wins with probability 1/2 + 1/poly(λ)
3. (Setup, KeyGen, Encrypt, Eval) is IND-Secure if no PPT A breaks it

SLIDE 63

Formalization

Simulation-based: Non-Adaptive Semantic Security

Based on [BSW11]

Real world:
(pk, SK) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(SK,·)}(pk);
CT ← Encrypt(pk, m);
α ← A_1(pk, CT, aux);
Output: (pk, m, α)

Ideal world:
(pk, SK) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(SK,·)}(pk);
CT′ ← Sim_0(pk, |m|, (k_i, F(k_i, m))_{i=1}^{q});
α ← A_1(pk, CT′, aux);
Output: (pk, m, α)

A_0 has asked and received tokens Tok_{k_i} for k_i, i = 1, . . . , q

SLIDE 64

Formalization

Simulation-based: Adaptive Semantic Security

Based on [BSW11]

Real world:
(pk, SK) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(SK,·)}(pk);
CT ← Encrypt(pk, m);
α ← A_1^{KeyGen(SK,·)}(pk, CT, aux);
Output: (pk, m, α)

Ideal world:
(pk, SK) ← Setup(1^λ);
(m, aux) ← A_0^{KeyGen(SK,·)}(pk);
CT′ ← Sim_0(pk, |m|, (k_i, F(k_i, m))_{i=1}^{q});
α ← A_1^{Sim_1(SK, aux′, ·, F(m,·))}(pk, CT′, aux);
Output: (pk, m, α)

A_0 has asked and received tokens Tok_{k_i} for k_i, i = 1, . . . , q

SLIDE 66

The two formalizations do not coincide

This is unlike regular encryption

Pathology from [BSW-TCC 11]

Show a functional encryption scheme:
clearly insecure
satisfies the game-based definition of security

SLIDE 70

State of the art

Good News: SS-CCS 11

There exists semantically secure functional encryption for all circuits
◮ Secure if only one token is released

Good News: [GVW-Crypto 12]

There exists semantically secure functional encryption for all circuits
◮ A bound q on the number of tokens seen by an adversary must be known at setup time
◮ Secure for only one ciphertext
◮ Ciphertext grows with q

Bad News: [BSW-TCC11] [Eprint 12-AGVW]

This is the best that can be done if you want all circuits

SLIDE 72

Pre-image samplability [O’Neil]

Functionality F : K × M → {0, 1} is PS if there exists an efficient sampler Sam such that for all efficient adversaries A:

Adversary A:
output: ℓ, (k_i, b_i)_{i=1}^{q}, with k_i ∈ K, i = 1, . . . , q

Sampler Sam:
input: ℓ, (k_i, b_i)_{i=1}^{q}
output: Message m ∈ M s.t. F(k_i, m) = b_i, i = 1, . . . , q and |m| = ℓ

SLIDE 73

Pre-image samplability

The non-adaptive simulator Sim

input: (pk, |m|, (k_i, F(k_i, m))_{i=1}^{q})
run Sam on input (|m|, (k_i, F(k_i, m))_{i=1}^{q})
receive m′
output Ct′ = Encrypt(pk, m′)

Proposition: If a functionality F is PS then Non-Adaptive Simulation-Based security and Game-Based security coincide.
Proof from [O’Neil]
Notice: converse does not seem to hold

SLIDE 74

Semantically Secure HVE through PS

Let Sam be an efficient sampler for HVE.
Given Φ, an m-clause n-variable formula in 3CNF, we can construct ((y_1, b_1), . . . , (y_m, b_m)) such that x = Sam((y_1, b_1), . . . , (y_m, b_m)) is a satisfying truth assignment for Φ
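One encoding that gives the construction claimed above, as an added Python example (the slide states only that such patterns can be constructed): each clause becomes a pattern that matches exactly the assignments falsifying it, paired with b = 0, so any x consistent with all pairs satisfies Φ. The brute-force sampler is an exponential-time stand-in for Sam, and the function names, the DIMACS-style clause format and the sample formula are assumptions constructed here.

```python
# Added example (not from the slides): clause-to-pattern encoding that turns
# an HVE pre-image sampler into a 3SAT solver. Assumed encoding; the slide
# only claims that suitable pairs (y_j, b_j) exist.
from itertools import product

STAR = None  # the wildcard ⋆


def match(x, y):
    """Match(x, y): x and y agree wherever y_i is not ⋆."""
    if len(x) != len(y):
        raise ValueError("x and y must have the same length")
    return all(yi is STAR or xi == yi for xi, yi in zip(x, y))


def clause_to_pattern(clause, n):
    """clause: non-zero ints, +v for variable v, -v for its negation (1-based).
    The pattern fixes each clause variable to the value that FALSIFIES its
    literal, so Match(x, y) = 1 exactly when x falsifies the clause.
    Returns None for a tautological clause (v and -v), which no x falsifies."""
    y = [STAR] * n
    for lit in clause:
        idx = abs(lit) - 1
        falsifying = 0 if lit > 0 else 1
        if y[idx] is not STAR and y[idx] != falsifying:
            return None
        y[idx] = falsifying
    return y


def formula_to_constraints(clauses, n):
    """Pairs (y_j, b_j) with b_j = 0: 'x must not falsify clause j'."""
    patterns = (clause_to_pattern(c, n) for c in clauses)
    return [(y, 0) for y in patterns if y is not None]


def brute_force_sam(n, constraints):
    """Exponential-time stand-in for Sam: first x in {0,1}^n (lexicographic
    order) with Match(x, y_j) = b_j for every pair, or None if none exists."""
    for x in product((0, 1), repeat=n):
        if all(int(match(x, y)) == b for y, b in constraints):
            return list(x)
    return None


def satisfies(clauses, x):
    """Independent check that assignment x satisfies every clause."""
    return all(any((x[abs(l) - 1] == 1) == (l > 0) for l in c) for c in clauses)


# Constructed sample formula over x1..x4:
# (x1 ∨ x2 ∨ ¬x3) ∧ (¬x1 ∨ x3 ∨ x4) ∧ (¬x2 ∨ ¬x3 ∨ ¬x4) ∧ (x1 ∨ ¬x2 ∨ x4) ∧ (x1 ∨ x2 ∨ x3)
PHI = [(1, 2, -3), (-1, 3, 4), (-2, -3, -4), (1, -2, 4), (1, 2, 3)]

if __name__ == "__main__":
    constraints = formula_to_constraints(PHI, 4)
    x = brute_force_sam(4, constraints)
    print("sampled x:", x, "satisfies PHI:", satisfies(PHI, x))
```

An efficient Sam for HVE would therefore decide 3SAT, since a returned x either satisfies Φ or no consistent x exists.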

SLIDE 77

Some recent results

A general construction

Any game-based secure functional encryption scheme for all circuits can be turned into a semantically secure one, if we know a bound on the number of tokens seen by adversary.
This is the best that can be done [AGVW]

A specific construction

There exists semantically secure construction of HVE (and thus IBE) based on bilinear mappings.
Adversary can see any number of tokens.

These results by De Caro, Iovino, P. [unpublished]

slide-78
SLIDE 78

State of the art for HVE

A(1, 1) A(#ciphertexts,#tokens) A(∞, 1) A(1, ∞) A(∞, ∞)

slide-85
SLIDE 85

State of the art for HVE

[Figure: diagram of the settings A(1, 1), A(∞, 1), A(1, ∞), A(∞, ∞) and NA(1, 1), NA(∞, 1), NA(1, ∞), NA(∞, ∞). Labels on the diagram: [BSW TCC11], NEW, "easy" (four times), [GVW12] (twice).]

slide-94
SLIDE 94

Open question

Open question

What is the right notion of security for functional encryption?

1. game-based: you can never be sure no subtle pathology nests within your constructions.

2. non-adaptive sim-based: once you start encrypting, no new token can be issued.

3. selective sim-based: attacker does not see public key.

4. non-efficient simulator: what does this mean?


slide-95
SLIDE 95

Conclusions

Functional Encryption

  • natural concept with several important applications

  • lots of theoretical questions still to be solved
