Practical Fully Secure Inner Product Functional Encryption modulo p


slide-1
SLIDE 1

Practical Fully Secure Inner Product Functional Encryption modulo p

Guilhem Castagnos¹, Fabien Laguillaumie², Ida Tucker²

¹ Université de Bordeaux, INRIA, CNRS, IMB UMR 5251, F-33405 Talence, France.

² Univ Lyon, CNRS, Université Claude Bernard Lyon 1, ENS de Lyon, INRIA, LIP UMR 5668, F-69007, LYON Cedex 07, France.

slide-2
SLIDE 2

Table of contents

  • 1. Functional Encryption (FE)
  • 2. The Inner Product Functionality
  • 3. Framework
  • 4. Inner Product Functional Encryption mod p from HSM


slide-3
SLIDE 3

Functional Encryption (FE)

slide-4
SLIDE 4

Functional Encryption [BSW11]

  • Authority: Setup → (mpk, msk)
  • Alice, holding a message $m$ and mpk: $C = \mathsf{Enc}(mpk, m)$
  • Bob, for a function $F$: receives $sk_F = \mathsf{KeyDer}(msk, F)$ from the authority
  • Bob, given $sk_F$ and $C$: $\mathsf{Dec}(sk_F, C) \to F(m)$

Bob only learns $F(m)$.

slide-9
SLIDE 9

FE Security – Indistinguishability

  • Challenger (FE scheme): Setup → (mpk, msk); mpk is given to A
  • KeyDer oracle: A queries $F_1, F_2, \dots, F_q, F_{q+1}, \dots$ and receives $sk_{F_1}, sk_{F_2}, \dots, sk_{F_q}, sk_{F_{q+1}}, \dots$
  • A sends $m_0, m_1$
  • Challenger: $b^* \xleftarrow{\$} \{0, 1\}$, $C^* = \mathsf{Enc}(mpk, m_{b^*})$; $C^*$ is given to A
  • A outputs $b$

A wins if $\forall i,\ F_i(m_0) = F_i(m_1)$ and $b = b^*$.

slide-11
SLIDE 11

Limits of General Functional Encryption

Constructions of FE for general functions exist, but are not practical [SS10, GVW12, GKP+13a, GKP+13b, ABSV15, Wat15, BGJS16, GGHZ16]

⇒ Linear Functions: simple with many applications

  • Understand general FE
  • Statistical analysis on encrypted data
  • Evaluation of polynomials over encrypted data [KSW08]
  • Constructing trace-and-revoke systems [ABP+17]
  • etc.

slide-14
SLIDE 14

The Inner Product Functionality

slide-15
SLIDE 15

The inner product functionality

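  • Authority: Setup → (mpk, msk)
  • Alice, holding $\vec{y}$: $C = \mathsf{Enc}(mpk, \vec{y})$
  • Bob, holding $\vec{x}$ and $sk_{\vec{x}}$: $\langle \vec{x}, \vec{y} \rangle = \mathsf{Dec}(sk_{\vec{x}}, C)$

$F_{\vec{x}} : R^\ell \to R$, $\vec{y} \mapsto \langle \vec{x}, \vec{y} \rangle$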

slide-16
SLIDE 16

Previous work

  • PKC 2015 [ABDP15]: First IPFE schemes, from LWE and DDH, only selectively secure.
  • Crypto 2016 [ALS16]: Full security, from LWE, DDH and DCR.
  • 2016 [ABCP16]: Full security, less efficient than [ALS16].
  • PKC 2017 [BBL17]: Generic constructions from HPS.

Schemes mod p do not recover large inner products or are inefficient.

Asiacrypt 2018, this work: IPFE mod p, adaptive security, no restriction on size and efficient!

slide-18
SLIDE 18

Framework

slide-19
SLIDE 19

Framework (sketch) [CL15]

Group with an easy discrete logarithm (DL) subgroup

  • $G = \langle g \rangle$ cyclic group of order $p \cdot s$ such that $\gcd(p, s) = 1$.
  • $p$ large prime
  • $s$ unknown
  • $F = \langle f \rangle$ subgroup of $G$ of order $p$.
  • $G^p = \langle g_p \rangle = \{x^p, x \in G\}$ subgroup of $G$ of order $s$, $G = F \times G^p$.
  • DL is easy in $F$ (DL: given $f$ and $h = f^x$, find $x \in \mathbb{Z}/p\mathbb{Z}$)

slide-20
SLIDE 20

New Assumption

Hard Subgroup Membership problem (HSM): hard to distinguish $p$-th powers in $G$

$\{x \xleftarrow{\$} G\} \approx_c \{x \xleftarrow{\$} G^p\}$.

slide-21
SLIDE 21

Analogy to Paillier’s cryptosystem

Paillier’s framework

  • Message space $\mathbb{Z}/N\mathbb{Z}$ with $N$ RSA modulus
  • Relies on Paillier’s DCR assumption
  • e.g. distinguishing $N$-th powers in $\mathbb{Z}/N^2\mathbb{Z}$

Our framework

  • Messages encoded in $\mathbb{Z}/p\mathbb{Z}$ with $p$ prime
  • Size of $p$ independent of security parameter
  • Relies on HSM assumption
  • e.g. distinguishing $p$-th powers in $G$ of order $p \cdot s$
  • Instantiation: class groups of an imaginary quadratic field [CL15]

slide-22
SLIDE 22

Sampling exponents

Problem: $s$ unknown, so orders of $G^p$ and $G$ unknown ⇒ Cannot sample uniformly from $G$ or $G^p$!

Solution: Use upper bound $\tilde{s}$ of $s$ to instantiate distributions $\mathcal{D}$ and $\mathcal{D}_p$ s.t. $\{g^x, x \hookleftarrow \mathcal{D}\} \approx U(G)$ and $\{g_p^x, x \hookleftarrow \mathcal{D}_p\} \approx U(G^p)$

In practice: folded Gaussian distributions with large standard deviation ⇒ better efficiency (shorter exponents) than folded uniforms

slide-24
SLIDE 24

Inner Product Functional Encryption mod p from HSM

slide-25
SLIDE 25

IPFE scheme mod p from HSM (simplified)

Setup: For $i = 1, \dots, \ell$ do $t_i \hookleftarrow \mathcal{D}$ and $h_i = g_p^{t_i}$. $msk = \vec{t}$ and $mpk = (h_1, \dots, h_\ell)$

Enc: Plaintext $\vec{y} = (y_1, \dots, y_\ell) \in (\mathbb{Z}/p\mathbb{Z})^\ell$. Sample $r \hookleftarrow \mathcal{D}_p$. Ciphertext:

$\vec{C} = (C_0 = g_p^r,\ C_1 = f^{y_1} \cdot h_1^r,\ \dots,\ C_\ell = f^{y_\ell} \cdot h_\ell^r)$

KeyDer: Input $\vec{x} = (x_1, \dots, x_\ell) \in (\mathbb{Z}/p\mathbb{Z})^\ell$. Output key: $sk_{\vec{x}} = \langle \vec{t}, \vec{x} \rangle$

Dec: From $\vec{C}$, $\vec{x}$ and $sk_{\vec{x}}$:

$\prod_{i=1}^{\ell} C_i^{x_i} = \prod_{i=1}^{\ell} (f^{y_i} \cdot h_i^r)^{x_i} = f^{\sum y_i x_i} \cdot g_p^{r \cdot \sum t_i x_i} = f^{\langle \vec{y}, \vec{x} \rangle} \cdot g_p^{r \cdot \langle \vec{t}, \vec{x} \rangle}$ and $C_0^{sk_{\vec{x}}} = g_p^{r \cdot \langle \vec{t}, \vec{x} \rangle}$

Such that: $\prod_{i=1}^{\ell} C_i^{x_i} / C_0^{sk_{\vec{x}}} = f^{\langle \vec{x}, \vec{y} \rangle} \xrightarrow{\text{DL}} \langle \vec{x}, \vec{y} \rangle \bmod p$

slide-34
SLIDE 34

Security

This scheme is secure under the HSM assumption.


slide-35
SLIDE 35

Proof overview – inspired by [ALS16]

  • Game 0: original security game

$\vec{C} = (C_0 = g_p^r,\ C_1 = f^{y_{b^*,1}} \cdot h_1^r,\ \dots,\ C_\ell = f^{y_{b^*,\ell}} \cdot h_\ell^r)$

  • Game 1: use secret key to compute challenge ciphertext [CS02]

$\vec{C} = (C_0 = g_p^r,\ C_1 = f^{y_{b^*,1}} \cdot C_0^{t_1},\ \dots,\ C_\ell = f^{y_{b^*,\ell}} \cdot C_0^{t_\ell})$

  • Game 2: indistinguishable from Game 1 under the HSM assumption.

$\vec{C} = (C_0 = g_p^r f^u,\ C_1 = f^{y_{b^*,1}} \cdot C_0^{t_1},\ \dots,\ C_\ell = f^{y_{b^*,\ell}} \cdot C_0^{t_\ell})$

In Game 2, from A’s view $b^*$ is statistically hidden, given

  • the public key
  • the challenge ciphertext
  • key derivation queries

slide-39
SLIDE 39

Information fixed by public key

$mpk = \{h_i = g_p^{t_i \bmod s}\}_{i \in [\ell]}$

Fixes $(t_1, \dots, t_\ell) \bmod s$

$(t_1, \dots, t_\ell) \bmod p$ is still uniformly distributed to A.

slide-40
SLIDE 40

Information fixed by challenge ciphertext

$\vec{C}^* = (C_0 = g_p^r \cdot f^u,\ \{C_i = f^{y_{b^*,i}} \cdot C_0^{t_i}\}_{i \in [\ell]})$

For $i = 1, \dots, \ell$:

$C_i = g_p^{r \cdot t_i \bmod s} \cdot f^{y_{b^*,i} + u \cdot t_i \bmod p}$

Fixes $y_{b^*,i} + u \cdot t_i \bmod p$

slide-43
SLIDE 43

Information fixed by key derivation oracle

Because of restriction on secret key queries, all queries $\vec{x}$ satisfy $\langle \vec{x}, \vec{y}_0 \rangle = \langle \vec{x}, \vec{y}_1 \rangle \bmod p$

[Figure: the vectors $\vec{y}_1 - \vec{y}_0$, $\vec{t}$ and $\vec{x}$]

$\forall \vec{x}$ s.t. $\langle \vec{x}, \vec{y}_0 - \vec{y}_1 \rangle = 0 \bmod p$, A can learn $sk_{\vec{x}} = \langle \vec{t}, \vec{x} \rangle$

Remaining entropy on $\vec{t}$ contained in $\langle \vec{t}, \vec{y}_0 - \vec{y}_1 \rangle \bmod p$

slide-45
SLIDE 45

Information fixed by key derivation oracle

Given info from mpk and $\vec{C}^*$, the distribution $\mathcal{D}_0$ of $\vec{t}$ is over 1-dim lattice $\Lambda_0$ proportional to $\vec{y}_0 - \vec{y}_1$

Reduce $\mathcal{D}_0$ mod sub-lattice $p\Lambda_0$ s.t. $\Lambda_0 / p\Lambda_0 \simeq (\vec{y}_0 - \vec{y}_1)\mathbb{Z}/p\mathbb{Z}$

Choosing large enough standard deviation ensures

  • $\vec{t} \bmod p$ follows a distribution $\approx U(\Lambda_0 / p\Lambda_0)$ [GPV08]
  • $\langle \vec{t}, \vec{y}_0 - \vec{y}_1 \rangle \bmod p$ follows a distribution $\approx U(\mathbb{Z}/p\mathbb{Z})$

slide-48
SLIDE 48

A’s success probability

From A’s view, $\langle \vec{t}, \vec{y}_0 - \vec{y}_1 \rangle \bmod p$ follows a distribution $\approx U(\mathbb{Z}/p\mathbb{Z})$.

The ciphertext reveals: $\vec{y}_{b^*} + u \cdot \vec{t} \bmod p$

The information on $b^*$ is contained in: $\langle \vec{y}_{b^*}, \vec{y}_0 - \vec{y}_1 \rangle + u \cdot \langle \vec{t}, \vec{y}_0 - \vec{y}_1 \rangle \bmod p$

A cannot guess $b^*$ with proba > 1/2 + negl

slide-52
SLIDE 52

Conclusion

  • Many details hidden in this talk (stateful KeyDer)
  • IPFE from weaker assumption DDH-f
  • Instantiation using class groups of an imaginary quadratic field
      • Best known algorithms for underlying problems in L(1/2)
      • Shorter keys!
  • Efficiency comparison for 128-bit security, ℓ = 100
      • Enc ≈ 0.7s; Dec ≈ 1.9s vs. 0.8s and 9.6s in [ALS16]
      • $sk_{\vec{x}}$ of 13852 bits vs. 313344 bits in [ALS16]
      • Dependency in ℓ is linear
  • Ongoing work
      • CCA secure schemes
      • Applying framework to other cryptographic primitives

slide-53
SLIDE 53

Questions?


slide-54
SLIDE 54

References i

  • [ABCP16] M. Abdalla, F. Bourse, A. D. Caro, and D. Pointcheval. Better security for functional encryption for inner product evaluations. Cryptology ePrint Archive, Report 2016/011, 2016. http://eprint.iacr.org/2016/011.

  • [ABDP15] M. Abdalla, F. Bourse, A. De Caro, and D. Pointcheval. Simple functional encryption schemes for inner products. In PKC 2015, LNCS 9020, pages 733–751. Springer, Heidelberg, March / April 2015.

  • [ABP+17] S. Agrawal, S. Bhattacherjee, D. H. Phan, D. Stehlé, and S. Yamada. Efficient public trace and revoke from standard assumptions: Extended abstract. In ACM CCS 17, pages 2277–2293. ACM Press, October / November 2017.

slide-55
SLIDE 55

References ii

  • [ABSV15] P. Ananth, Z. Brakerski, G. Segev, and V. Vaikuntanathan. From selective to adaptive security in functional encryption. In CRYPTO 2015, Part II, LNCS 9216, pages 657–677. Springer, Heidelberg, August 2015.

  • [ALS16] S. Agrawal, B. Libert, and D. Stehlé. Fully secure functional encryption for inner products, from standard assumptions. In CRYPTO 2016, Part III, LNCS 9816, pages 333–362. Springer, Heidelberg, August 2016.

  • [BBL17] F. Benhamouda, F. Bourse, and H. Lipmaa. CCA-secure inner-product functional encryption from projective hash functions. In PKC 2017, Part II, LNCS 10175, pages 36–66. Springer, Heidelberg, March 2017.

slide-56
SLIDE 56

References iii

  • [BGJS16] S. Badrinarayanan, V. Goyal, A. Jain, and A. Sahai. Verifiable functional encryption. In ASIACRYPT 2016, Part II, LNCS 10032, pages 557–587. Springer, Heidelberg, December 2016.

  • [BSW11] D. Boneh, A. Sahai, and B. Waters. Functional encryption: Definitions and challenges. In TCC 2011, LNCS 6597, pages 253–273. Springer, Heidelberg, March 2011.

  • [CL15] G. Castagnos and F. Laguillaumie. Linearly homomorphic encryption from DDH. In CT-RSA 2015, LNCS 9048, pages 487–505. Springer, Heidelberg, April 2015.

slide-57
SLIDE 57

References iv

  • [CS02] R. Cramer and V. Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In EUROCRYPT 2002, LNCS 2332, pages 45–64. Springer, Heidelberg, April / May 2002.

  • [GGHZ16] S. Garg, C. Gentry, S. Halevi, and M. Zhandry. Functional encryption without obfuscation. In TCC 2016-A, Part II, LNCS 9563, pages 480–511. Springer, Heidelberg, January 2016.

  • [GKP+13a] S. Goldwasser, Y. T. Kalai, R. A. Popa, V. Vaikuntanathan, and N. Zeldovich. How to run Turing machines on encrypted data. In CRYPTO 2013, Part II, LNCS 8043, pages 536–553. Springer, Heidelberg, August 2013.

slide-58
SLIDE 58

References v

  • [GKP+13b] S. Goldwasser, Y. T. Kalai, R. A. Popa, V. Vaikuntanathan, and N. Zeldovich. Reusable garbled circuits and succinct functional encryption. In 45th ACM STOC, pages 555–564. ACM Press, June 2013.

  • [GPV08] C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In 40th ACM STOC, pages 197–206. ACM Press, May 2008.

  • [GVW12] S. Gorbunov, V. Vaikuntanathan, and H. Wee. Functional encryption with bounded collusions via multi-party computation. In CRYPTO 2012, LNCS 7417, pages 162–179. Springer, Heidelberg, August 2012.

slide-59
SLIDE 59

References vi

  • [KSW08] J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In EUROCRYPT 2008, LNCS 4965, pages 146–162. Springer, Heidelberg, April 2008.

  • [SS10] A. Sahai and H. Seyalioglu. Worry-free encryption: functional encryption with public keys. In ACM CCS 10, pages 463–472. ACM Press, October 2010.

  • [Wat15] B. Waters. A punctured programming approach to adaptively secure functional encryption. In CRYPTO 2015, Part II, LNCS 9216, pages 678–697. Springer, Heidelberg, August 2015.