Practical Fully Secure Inner Product Functional Encryption modulo p - - PowerPoint PPT Presentation

SLIDE 1

Practical Fully Secure Inner Product Functional Encryption modulo p

Guilhem Castagnos (1), Fabien Laguillaumie (2), Ida Tucker (2)

(1) Université de Bordeaux, INRIA, CNRS, IMB UMR 5251, F-33405 Talence, France.

(2) Univ Lyon, CNRS, Université Claude Bernard Lyon 1, ENS de Lyon, INRIA, LIP UMR 5668, F-69007, LYON Cedex 07, France.

SLIDE 2

Table of contents

  • 1. Functional Encryption (FE)
  • 2. The Inner Product Functionality
  • 3. The Hard Subgroup Membership (HSM) Assumption
  • 4. Linearly Homomorphic Public Key Encryption mod p from HSM
  • 5. Inner Product Functional Encryption mod p from HSM

SLIDE 3

Functional Encryption (FE)

SLIDES 4–8

Traditional Encryption: All or Nothing

Bob holds a key pair (pk_Bob, sk_Bob). Alice, who knows pk_Bob, encrypts her message as C = Enc(pk_Bob, m) and sends C to Bob, who recovers m = Dec(sk_Bob, C).

Bob gets all the information in m.

SLIDES 9–11

Fine Grained Access to Info with Traditional Encryption

Four recipients hold key pairs (pk_1, sk_1), (pk_2, sk_2), (pk_3, sk_3), (pk_4, sk_4). The message m is split into parts m_1, m_2, m_3, m_4, and each part is encrypted separately for the recipient allowed to read it:

C_1 = Enc(pk_1, m_1), C_2 = Enc(pk_2, m_2), C_3 = Enc(pk_3, m_3), C_4 = Enc(pk_4, m_4), C_5 = Enc(pk_4, m_2)

Recipients 1, 2 and 3 receive C_1, C_2 and C_3; recipient 4, who may read both m_4 and m_2, receives C_4 and C_5.

SLIDE 12

Ideal Fine Grained Access to Information

A single public key pk and a single ciphertext C = Enc(pk, m). Each key holder decrypts only its own part: m_1 = Dec(sk_1, C), m_2 = Dec(sk_2, C), m_3 = Dec(sk_3, C), m_4 = Dec(sk_4, C); the fourth holder, who also has sk_2, additionally gets m_2 = Dec(sk_2, C).

SLIDES 13–14

Functional Encryption

Keys are now tied to functions: sk_{F_1}, sk_{F_2}, sk_{F_3}, sk_{F_4} (the fourth holder also has sk_{F_2}). The parts are m_1 = F_1(m), m_2 = F_2(m), m_3 = F_3(m), m_4 = F_4(m). From the single ciphertext C = Enc(pk, m), each holder computes F_i(m) = Dec(sk_{F_i}, C); the fourth holder also computes F_2(m) = Dec(sk_{F_2}, C).

SLIDES 15–21

Application: Spam filtering for encrypted emails

The recipient owns (mpk, msk) and defines F(m) = 1 if m is spam, 0 otherwise. The recipient derives sk_F and hands (F, sk_F) to the e-mail server. Two incoming mails m and m* are encrypted under mpk: C = Enc(mpk, m) and C* = Enc(mpk, m*). The server computes Dec(sk_F, C) = 0 and Dec(sk_F, C*) = 1, delivers C to the inbox and sends C* to quarantine.

The e-mail server learns one bit of information.

SLIDES 22–25

Functional Encryption [BSW11]

An authority runs Setup and obtains (mpk, msk). Alice, who knows mpk, computes C = Enc(mpk, m) and sends C to Bob. Bob submits a function F to the authority and receives sk_F = KeyDer(msk, F); he then computes F(m) = Dec(sk_F, C).

Bob only learns F(m).

SLIDES 26–27

FE Security – Indistinguishability

The challenger runs Setup of the FE scheme, obtains (mpk, msk) and sends mpk to the adversary. The adversary queries a KeyDer oracle on functions F_1, F_2, … and receives sk_{F_1}, sk_{F_2}, …. It then submits two messages M_0, M_1; the challenger draws b* ←$ {0, 1} and returns the challenge C* = Enc(mpk, M_{b*}). The adversary may keep querying the oracle on F_q, F_{q+1}, … (receiving sk_{F_q}, sk_{F_{q+1}}, …) and finally outputs a bit b.

The adversary wins if ∀i, F_i(M_0) = F_i(M_1) and b = b*.

SLIDES 28–30

Limits of General Functional Encryption

We don't know how to build practical FE for general functions ⇒ Linear Functions: simple with many applications

  • Understand general FE
  • Statistical analysis on encrypted data
  • Evaluation of polynomials over encrypted data
  • Constructing trace-and-revoke systems
  • etc.

SLIDE 31

The Inner Product Functionality

SLIDE 32

The inner product functionality

The authority runs Setup and obtains (mpk, msk). Bob holds a vector x and the key sk_x; Alice holds a vector y. Alice computes C = Enc(mpk, y) and sends C to Bob, who computes ⟨x, y⟩ = Dec(sk_x, C).

F_x : R^ℓ → R
      y ↦ ⟨x, y⟩

SLIDES 33–34

Previous work

  • PKC 2015 [ABDP15]: First IPFE schemes, from LWE and DDH, only selectively secure.
  • Crypto 2016 [ALS16]: Full security, from LWE, DDH and DCR.
  • 2016 [ABCP16]: Full security, less efficient than [ALS16].
  • PKC 2017 [BBL17]: Generic constructions from HPS.

Schemes mod p do not recover large inner products or are inefficient.

  • Asiacrypt 2018, this work: IPFE mod p, adaptive security, no restriction on size and efficient!

SLIDE 35

The Hard Subgroup Membership (HSM) Assumption

SLIDE 36

Framework (sketch) [CL15]

Group with an easy discrete logarithm (DL) subgroup

  • G = ⟨g⟩ cyclic group of order p · s such that gcd(p, s) = 1.
  • p large prime
  • F = ⟨f⟩ subgroup of G of order p.
  • G^p = ⟨g^p⟩ = {x^p, x ∈ G} subgroup of G of order s,

G = F × G^p.

  • DL is easy in F

(DL: given f and h = f^x, find x ∈ Z/pZ)

SLIDE 37

New Assumption

Hard Subgroup Membership problem HSM: Hard to distinguish p-th powers in G:

{x ←$ G} ≈_c {x ←$ G^p}.

SLIDES 38–41

Instantiation in class groups of an imaginary quadratic field

  • K = Q(√Δ_K), Δ_K < 0 and Δ_K ≡ 1 mod 4
  • O_{Δ_K} and O_{Δ_p} s.t. Δ_K = −pq, Δ_p = −qp^3 with p, q primes
  • φ_p : C(O_{Δ_p}) → C(O_{Δ_K}) surjection where Ker(φ_p) is of order p.
  • Implies h(O_{Δ_p}) = p × h(O_{Δ_K})
  • An ideal 𝔞 of O_Δ can be written as 𝔞 = aZ + ((−b + √Δ)/2) Z and represented by (a, b); for a ∈ N, b ∈ Z, b^2 ≡ Δ mod 4a

SLIDES 42–44

Instantiation in class groups of an imaginary quadratic field

  • t = (p^2, p) ∈ O_{Δ_p}, set f = [t]
    ⇒ f generates Ker(φ_p) (subgroup of order p of C(O_{Δ_p})), and f^m = [p^2 Z + ((−L(m)p + √Δ_p)/2) Z]
  • L(m): odd integer in [−p, p] s.t. L(m) = 1/m mod p

F = ⟨f⟩ cyclic group of order p, and DL easy

  • To build G^p:
    • ĝ ←$ C(O_{Δ_K}) of order s | h(O_{Δ_K}).
    • gcd(p, h(O_{Δ_K})) = 1 ⇒ gcd(p, s) = 1
    • g_p = (φ_p^{−1}(ĝ))^p ∈ C(O_{Δ_p})
  • Set g = g_p · f and G = ⟨g⟩ of order ps

SLIDE 45

Security in class groups of an imaginary quadratic field

  • Security from hardness of class number computation and DL problem in C(O_{Δ_K}).
  • Best known algos use index calculus method ⇒ L(1/2) complexity
  • Shorter keys!

Sizes in bits, this work vs. a DCR-based scheme:

                  λ = 112                          λ = 128
  size            this work        DCR             this work        DCR
  (p, s̃)         (112, 684)       (1024, 2046)    (128, 924)       (1536, 3070)
  elt of G        1572             4096            2084             6144
  secret key      112(ℓ+1) + 684   2048(ℓ+2)       128(ℓ+1) + 924   3072(ℓ+2)

SLIDES 46–47

Sampling exponents

Problem: s is unknown, so the orders of G^p and G are unknown ⇒ cannot sample uniformly from G or G^p!

Solution:

  • Bound on h(O_{Δ_K}) ⇒ upper bound s̃ for s
  • Use s̃ to instantiate distributions D and D_p s.t. {g^x, x ← D} ≈ U(G), and {g_p^x, x ← D_p} ≈ U(G^p)
  • In practice: D and D_p are folded gaussian distributions with large standard deviation.

SLIDE 48

Linearly Homomorphic Public Key Encryption mod p from HSM

SLIDES 49–51

Homomorphic PKE scheme mod p from HSM

KeyGen: Sample t ← D_p and compute h = g_p^t. sk = t and pk = h.

Enc: Plaintext m ∈ Z/pZ. Sample randomness r ← D_p. Ciphertext: (C_0, C_1) = (g_p^r, f^m · h^r).

Dec: From (C_0, C_1) and sk = t: C_1 / C_0^t = f^m, and the easy DL in F gives m mod p.

SLIDE 52

Security

This scheme is semantically secure under the HSM assumption.

SLIDE 53

Game 0: the original security experiment

Challenger: Setup sk = t ← D_p, pk = h = g_p^t; sends pk to the adversary. Adversary: sends m_0, m_1. Challenger: b* ←$ {0, 1}, r ← D_p, (C_0, C_1) = (g_p^r, f^{m_{b*}} · h^r); sends (C_0, C_1). Adversary: outputs b. Output (b = b*).

Game 0 is the original security experiment.

SLIDE 54

Game 1: sample t from D

As Game 0, except sk = t ← D (instead of D_p); pk = h = g_p^t and (C_0, C_1) = (g_p^r, f^{m_{b*}} · h^r) as before.

From A's view, Games 0 and 1 are identical.

SLIDE 55

Game 2: use sk to compute (C_0, C_1)

As Game 1, except the challenge is computed with the secret key: (C_0, C_1) = (g_p^r, f^{m_{b*}} · C_0^t).

From A's view, Games 1 and 2 are identical.

SLIDES 56–59

Game 3: compute C_0 ∈ G \ G^p

sk = t ← D, pk = h = g_p^t (fixes t mod s). b* ←$ {0, 1}, r ← D_p and u ← Z/pZ, (C_0, C_1) = (g_p^r · f^u, f^{m_{b*}} · C_0^t) = (g_p^r · f^u, f^{m_{b*} + u·t} · h^r).

C_0 fixes r mod s and u mod p; C_1 reveals m_{b*} + u · t mod p. Output (b = b*).

Games 2 and 3 are indistinguishable to A under the HSM assumption.

SLIDE 60

Inner Product Functional Encryption mod p from HSM

SLIDES 61–70

IPFE scheme mod p from HSM (simplified)

Setup: Sample t = (t_1, …, t_ℓ), compute h_i = g_p^{t_i} for i = 1, …, ℓ. msk = t and mpk = (h_1, …, h_ℓ).

Enc: Plaintext y = (y_1, …, y_ℓ) ∈ (Z/pZ)^ℓ. Sample randomness r. Ciphertext:

  • C = (C_0 = g_p^r, C_1 = f^{y_1} · h_1^r, …, C_ℓ = f^{y_ℓ} · h_ℓ^r)

KeyDer: Input x = (x_1, …, x_ℓ) ∈ (Z/pZ)^ℓ. Output key: sk_x = ⟨t, x⟩.

Dec: From C, x and sk_x:

  ∏_{i=1}^{ℓ} C_i^{x_i} = ∏_{i=1}^{ℓ} (f^{y_i} · h_i^r)^{x_i} = ∏_{i=1}^{ℓ} f^{y_i x_i} · g_p^{r · t_i x_i} = f^{⟨y, x⟩} · g_p^{r · ⟨t, x⟩}

  and C_0^{sk_x} = g_p^{r · ⟨t, x⟩}

  Such that: ∏_{i=1}^{ℓ} C_i^{x_i} / C_0^{sk_x} = f^{⟨x, y⟩}, and the easy DL in F gives ⟨x, y⟩ mod p.

SLIDE 71

Security

This scheme is secure under the HSM assumption.

SLIDES 72–75

Proof technique

  • Game 0, original security game: C = (C_0 = g_p^r, C_1 = f^{y_{b*,1}} · h_1^r, …, C_ℓ = f^{y_{b*,ℓ}} · h_ℓ^r)
  • Game 1, use secret key to compute challenge ciphertext: C = (C_0 = g_p^r, C_1 = f^{y_{b*,1}} · C_0^{t_1}, …, C_ℓ = f^{y_{b*,ℓ}} · C_0^{t_ℓ})
  • Game 2, indistinguishable from Game 1 under the HSM assumption: C = (C_0 = g_p^r · f^u, C_1 = f^{y_{b*,1}} · C_0^{t_1}, …, C_ℓ = f^{y_{b*,ℓ}} · C_0^{t_ℓ})

In Game 2, from A's view b* is statistically hidden, given

  • the public key
  • the challenge ciphertext
  • key derivation queries

SLIDE 76

Efficiency comparison

                  λ = 112, ℓ = 10              λ = 128, ℓ = 10
                  this work     [ALS16]        this work     [ALS16]
  sk_F bitsize    1920          24592          2340          36876
  Enc time        40ms          27ms           78ms          85ms
  Dec time        110ms         301ms          193ms         964ms

Dependency in ℓ is linear.

SLIDE 77

Last slide!

Conclusion

  • Most efficient IPFE schemes to date
  • First IPFE mod a prime that recovers the result whatever its size.
  • Interesting framework, can be applied to other primitives.

Ongoing work

  • Chosen Ciphertext Attack Secure schemes
  • Threshold ECDSA using our underlying framework

SLIDE 78

Questions?

SLIDE 79

  • [ABCP16] M. Abdalla, F. Bourse, A. De Caro, and D. Pointcheval. Better security for functional encryption for inner product evaluations. Cryptology ePrint Archive, Report 2016/011, 2016. http://eprint.iacr.org/2016/011.
  • [ABDP15] M. Abdalla, F. Bourse, A. De Caro, and D. Pointcheval. Simple functional encryption schemes for inner products. In PKC 2015, LNCS 9020, pages 733–751. Springer, Heidelberg, March / April 2015.
  • [ALS16] S. Agrawal, B. Libert, and D. Stehlé. Fully secure functional encryption for inner products, from standard assumptions. In CRYPTO 2016, Part III, LNCS 9816, pages 333–362. Springer, Heidelberg, August 2016.
  • [BBL17] F. Benhamouda, F. Bourse, and H. Lipmaa. CCA-secure inner-product functional encryption from projective hash functions. In PKC 2017, Part II, LNCS 10175, pages 36–66. Springer, Heidelberg, March 2017.
  • [BSW11] D. Boneh, A. Sahai, and B. Waters. Functional encryption: Definitions and challenges. In TCC 2011, LNCS 6597, pages 253–273. Springer, Heidelberg, March 2011.
  • [CL15] G. Castagnos and F. Laguillaumie. Linearly homomorphic encryption from DDH. In CT-RSA 2015, LNCS 9048, pages 487–505. Springer, Heidelberg, April 2015.

SLIDES 80–84

Information A gets on b* in PKE

m_{b*} + u · t mod p

Where: (1) u ≠ 0 mod p with proba (p − 1)/p ≈ 1, and (2) t sampled from D, folded gaussian, (almost) uniform mod s · p.

Distribution of t (almost) uniform mod p and mod s, and (t mod p) independent of (t mod s).

⇒ u · t perfectly masks m_{b*} mod p.
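An added example (not from the slides or the authors' code) for the masking argument above and for the exponent sampling of slides 46–47: with toy orders p = 7 and s = 10, assumed here, it computes exactly how far a folded Gaussian exponent is from uniform mod p·s as the standard deviation grows, and how far m_{b*} + u·t mod p is from uniform once t mod s is known.

```python
"""Why the exponent distribution must be wide (slides 46-47) and why u*t
then masks m_{b*} mod p although the public key fixes t mod s (slides
80-84).  Toy orders p = 7 and s = 10 (gcd(p, s) = 1) are assumptions; the
real s is unknown and only an upper bound s~ is available.  All
distributions are computed exactly by enumeration.  Constructed example,
not the authors' code."""
import math

P, S = 7, 10          # toy orders of F and of G^p
N = P * S             # order of G = F x G^p


def folded_gaussian(sigma):
    """Probabilities of x = |X| for X ~ N(0, sigma^2) discretised to the
    integers, truncated at 12*sigma (the dropped tail is below 1e-30)."""
    bound = int(12 * sigma) + 1
    w = [math.exp(-(x * x) / (2.0 * sigma * sigma)) for x in range(bound)]
    total = sum(w)
    return [v / total for v in w]


def reduce_mod(probs, n):
    """Distribution of x mod n when x follows `probs`."""
    out = [0.0] * n
    for x, pr in enumerate(probs):
        out[x % n] += pr
    return out


def stat_distance(dist):
    """Statistical distance between `dist` and the uniform distribution."""
    n = len(dist)
    return 0.5 * sum(abs(pr - 1.0 / n) for pr in dist)


def exponent_sd(sigma):
    """How far g^x is from uniform in G for x <- D_sigma: SD between
    (x mod n) and U(Z/nZ).  Shrinks roughly like n / sigma."""
    return stat_distance(reduce_mod(folded_gaussian(sigma), N))


def masked_message_sd(joint, m, u, t_mod_s):
    """Game 3 view: A knows t mod s (from pk = g_p^t), u != 0, and sees
    m + u*t mod p.  SD of that value from U(Z/pZ), conditioned on t mod s.
    `joint` is the distribution of t mod (p*s); by CRT the residue y
    encodes the pair (y mod s, y mod p) = (t mod s, t mod p)."""
    cond = [0.0] * P
    for y in range(N):
        if y % S == t_mod_s:
            cond[(m + u * y) % P] += joint[y]
    total = sum(cond)
    return stat_distance([c / total for c in cond])


def worst_masking_sd(sigma):
    """Worst case over the message, the nonzero u and every leaked t mod s:
    small means u*t hides m_{b*} whatever A learned from the public key."""
    joint = reduce_mod(folded_gaussian(sigma), N)
    return max(masked_message_sd(joint, m, u, a)
               for m in range(P) for u in range(1, P) for a in range(S))


if __name__ == "__main__":
    for sigma in (70.0, 700.0, 7000.0):
        print(sigma, exponent_sd(sigma), worst_masking_sd(sigma))
```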

SLIDE 85

Game 0: the original security experiment

Challenger: Setup msk = t, mpk = (h_1, …, h_ℓ); sends mpk to the adversary. KeyDer oracle: on queries x_1, x_2, … returns sk_{x_1}, sk_{x_2}, …. Adversary: sends y_0, y_1. Challenger: b* ←$ {0, 1}, r ← D_p, C* = (C_0 = g_p^r, C_1 = f^{y_{b*,1}} · h_1^r, …, C_ℓ = f^{y_{b*,ℓ}} · h_ℓ^r); sends C*. KeyDer oracle: further queries x_i, x_{i+1}, … are answered with sk_{x_i}, sk_{x_{i+1}}, …. Adversary: outputs b. Output (b = b*).

Game 0 is the original security experiment.

SLIDE 86

Game 1: use msk to compute C*

As Game 0, with h_i = g_p^{t_i} and the challenge computed from msk: C* = (C_0 = g_p^r, C_1 = f^{y_{b*,1}} · C_0^{t_1}, …, C_ℓ = f^{y_{b*,ℓ}} · C_0^{t_ℓ}).

From A's view, Games 0 and 1 are identical.

SLIDE 87

Game 2: compute C_0 ∈ G \ G^p

As Game 1, with r ← D_p and u ← Z/pZ: C* = (C_0 = g_p^r · f^u, C_1 = f^{y_{b*,1}} · C_0^{t_1}, …, C_ℓ = f^{y_{b*,ℓ}} · C_0^{t_ℓ}).

Games 1 and 2 are indistinguishable to A under the HSM assumption.

SLIDE 88

Leaked Information in Game 2

We consider the information leaked on b* by:

  • the public key
  • the challenge ciphertext
  • key derivation queries

SLIDES 89–91

Information fixed by public key

mpk = {h_i = g_p^{t_i mod s}}_{i ∈ [ℓ]}

Fixes (t_1, …, t_ℓ) mod s; (t_1, …, t_ℓ) mod p is still uniformly distributed to A.

SLIDES 92–94

Information fixed by challenge ciphertext

  • C* = (C_0 = g_p^r · f^u, {C_i = f^{y_{b*,i}} · C_0^{t_i}}_{i ∈ [ℓ]})

Reveals C_i = g_p^{r · t_i mod s} · f^{y_{b*,i} + u · t_i mod p}

Fixes y_{b*} + u · t mod p

SLIDES 95–97

Information fixed by key derivation oracle

For x such that ⟨x, y_0⟩ = ⟨x, y_1⟩ mod p: sk_x = ⟨t, x⟩ mod p

Reveals all the information on t for directions ⊥ to y_0 − y_1.

(Figure: the vector y_1 − y_0, the vector t, and the queried directions x_i.)

Remaining entropy on t contained in ⟨t, y_0 − y_1⟩

SLIDES 98–101

A's success probability

From A's view, ⟨t, y_0 − y_1⟩ follows a distribution ≈ U(Z/pZ). The ciphertext reveals:

  • y_{b*} + u · t mod p

The information on b* is contained in:

  • ⟨y_{b*}, y_0 − y_1⟩ + u · ⟨t, y_0 − y_1⟩ mod p

A cannot guess b* with proba > 1/2 + negl.