Unbounded Inner Product Functional Encryption, with Succinct Keys - PowerPoint PPT Presentation

Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David Pointcheval ´ Ecole Normale Sup´ erieure INRIA June 6, 2019

Table of Contents Background Functional Encryption ABDP Applications of Inner Product Functional Encryption Security of Inner Product Functional Encryption Unbounded Inner Product Functional Encryption Issues with Standard Inner Product Functional Encryption Unbounded Inner Product Functional Encryption Our construction Technical Difficulties Concurrent and Independent Work Open problems

Functional Encryption Traditional PKE: all or nothing.

Functional Encryption Traditional PKE: all or nothing. ◮ Have the key? Get the plaintext. ◮ Don’t have the key? Get nothing.

Functional Encryption Traditional PKE: all or nothing. Functional Encryption: A new ◮ Have the key? paradigm . Get the plaintext. ◮ Don’t have the key? Get nothing.

Functional Encryption Traditional PKE: all or nothing. Functional Encryption: A new ◮ Have the key? paradigm . Get the plaintext. Get a function of the cleartext. ◮ Don’t have the key? Get nothing.

Functional Encryption Traditional PKE: all or nothing. Functional Encryption: A new ◮ Have the key? paradigm . Get the plaintext. Get a function of the cleartext. ◮ Don’t have the key? Function depends on the key . Get nothing.

Functional Encryption: Formal definition Four algorithms: ◮ Setup( λ ): Returns ( pk , msk ). ◮ Encrypt( pk , x ): Returns c . ◮ KeyGen( msk , f ): Returns sk f . ◮ Decrypt( sk f , c ): Returns f ( x ).

FE example sk f spam , sk f urgent pk I want to receive encrypted emails. I don’t want to be bothered with spam. Decrypt and send to my colleague if urgent. msk

FE example Enc pk (”Cheap RayBans!!!”) sk f spam , sk f urgent pk I don’t know what it is but it’s spam! msk

Security definitions Oracles: Setup() LeftOrRight( · , · ) KeyDer( · ) Finalize( · ) Enc( x b ) sk f LoR( x 0 , x 1 ) KeyDer( f )

Security definitions Oracles: Setup() No cheating! LeftOrRight( · , · ) f ( x 0 ) � = f ( x 1 ) KeyDer( · ) Finalize( · ) Enc( x b ) sk f LoR( x 0 , x 1 ) KeyDer( f )

The First Inner Product Functional Encryption ABDP15 Fixed n . F ≈ Z n y ≈ � p , f � y . ← Z n $ p . Return g � s ,� ◮ Setup( λ ): Pick � s s . $ ◮ Encrypt( g � s , � x ): Pick r ← Z p . Return s � r = g r , g � x · g r , g � g � x + r · � s . � ◮ KeyGen( � s , � y ): Return � � s , � y � . y � , ( g r , g � x + r · � s )): Compute ◮ Decrypt( � � s , � g γ = y � / ( g r ) � � s ,� y � � g � x + r · � s , � and solve the discrete logarithm to return γ .

Application: Descriptive statistics ◮ Averages. ◮ Weighted averages.

Application: Descriptive statistics ◮ Averages. ◮ Weighted averages. ◮ Standard deviation.

Application: Descriptive statistics ◮ Averages. ◮ Weighted averages. ◮ Standard deviation (if we encrypt the squares).

Application: Descriptive statistics ◮ Averages. ◮ Weighted averages. ◮ Standard deviation (if we encrypt the squares). ◮ Machine Learning Inference via Linear Regression.

Leakage Say you have a ciphertext for vector x . The key for y lets you compute � x , y � = ⇒ one projection.

Leakage Say you have a ciphertext for vector x . The key for y lets you compute � x , y � = ⇒ one projection. m independent keys = ⇒ m projections.

Leakage Say you have a ciphertext for vector x . The key for y lets you compute � x , y � = ⇒ one projection. m independent keys = ⇒ m projections. Actual number of keys you can give?

Leakage Say you have a ciphertext for vector x . The key for y lets you compute � x , y � = ⇒ one projection. m independent keys = ⇒ m projections. Actual number of keys you can give depends on plaintext distribution.

Table of Contents Background Functional Encryption ABDP Applications of Inner Product Functional Encryption Security of Inner Product Functional Encryption Unbounded Inner Product Functional Encryption Issues with Standard Inner Product Functional Encryption Unbounded Inner Product Functional Encryption Our construction Technical Difficulties Concurrent and Independent Work Open problems

Limitations of Inner Product Functional Encryption What if you want to receive vectors of various lengths?

Limitations of Inner Product Functional Encryption What if you want to receive vectors of various lengths? You need multiple public keys.

Limitations of Inner Product Functional Encryption What if you want to receive vectors of various lengths? You need multiple public keys. What if you want to create subcategories between vectors?

Limitations of Inner Product Functional Encryption What if you want to receive vectors of various lengths? You need multiple public keys. What if you want to create subcategories between vectors? More keys.

Limitations of Inner Product Functional Encryption What if you want to receive vectors of various lengths? You need multiple public keys. What if you want to create subcategories between vectors? More keys. What if you don’t know the size of the vector ahead of time?

Limitations of Inner Product Functional Encryption What if you want to receive vectors of various lengths? You need multiple public keys. What if you want to create subcategories between vectors? More keys. What if you don’t know the size of the vector ahead of time? No great solutions.

Solution: Unbounded Inner Product Functional Encryption ◮ No fixed size for vectors (ciphertexts or keys). ◮ One constant-size public-key. ◮ Vectors are maps from indices to scalars. ◮ Identity-based version allows for categorization.

UIPFE Variants We introduce two unbounded functionalities:

UIPFE Variants We introduce two unbounded functionalities: ◮ Strict UIPFE: Indices of ciphertext must match those of key.

UIPFE Variants We introduce two unbounded functionalities: ◮ Strict UIPFE: Indices of ciphertext must match those of key. ◮ Permissive UIPFE: Indices of ciphertext must contain those of key.

Technical overview ABDP builds on El Gamal. Want n coordinates? Instantiate n El Gamal schemes you control.

Technical overview ABDP builds on El Gamal. Want n coordinates? Instantiate n El Gamal schemes you control. How do we go to Unbounded?

Technical overview ABDP builds on El Gamal. Want n coordinates? Instantiate n El Gamal schemes you control. How do we go to Unbounded? Boneh-Franklin Identity-Based Encryption is ElGamal-like.

Our construction Permissive UIPFE: Setup Choose a pairing group ( G 1 , G 2 , G T , g 1 , g 2 , e ) and a hash function H into G 2 . $ Pick a single scalar s ← Z p . Return g s 1 , s .

Our construction Permissive UIPFE: Encrypt $ ◮ Setup( λ ): Pick s ← Z p . Return g s 1 , s . You have an unbounded vector ( x i ) i ∈D and pk = g s 1 . $ ← Z p . Return ( g r Pick r 1 , ( c i ) i ∈D ) where c i = g x i 1 , H ( i ) r ) ≈ g x i + rs i T · e ( g s T

Our construction Permissive UIPFE: KeyGen $ ◮ Setup( λ ): Pick s ← Z p . Return g s 1 , s . $ ◮ Encrypt( g s , ( x i ) i ∈D ): Pick r ← Z p . Return ( g r 1 , ( c i ) i ∈D ) where 1 , H ( i ) r ) ≈ g x i + rs i c i = g x i T · e ( g s T You have an unbounded vector ( y i ) i ∈D ′ and sk = s . Return H ( i ) − sy i ≈ g −� � y � � s ,� 2 i ∈D ′

Our construction Permissive UIPFE: Decrypt ◮ Setup( λ ): Pick s ← Z p . Return g s $ 1 , s . ◮ Encrypt( g s , ( x i ) i ∈D ): Pick r ← Z p . Return ( g r $ 1 , ( c i ) i ∈D ) where c i = g x i 1 , H ( i ) r ) ≈ g x i + rs i T · e ( g s T ◮ KeyGen( s , ( y i ) i ∈D ′ ): Return H ( i ) − sy i ≈ g −� � s ,� y � � 2 i ∈D ′ i ∈D ′ H ( i ) − sy i You have a ciphertext ( g r 1 , ( c i ) i ∈D ) and a key � Compute � � g γ � � c y i g r H ( i ) − sy i T = e 1 , · i i ∈D ′ i ∈D ′ and recover γ .

Our construction Permissive UIPFE $ ◮ Setup( λ ): Pick s ← Z p . Return g s 1 , s . $ ◮ Encrypt( g s , ( x i ) i ∈D ): Pick r ← Z p . Return ( g r 1 , ( c i ) i ∈D ) where 1 , H ( i ) r ) ≈ g x i + rs i c i = g x i T · e ( g s T ◮ KeyGen( s , ( y i ) i ∈D ′ ): Return H ( i ) − sy i ≈ g −� � s ,� y � � 2 i ∈D ′ i ∈D ′ H ( i ) − sy i ≈ g −� � s ,� y � ◮ Decrypt( � , ( g r 1 , ( c i ) i ∈D )): Compute 2 � � g γ g r � H ( i ) − sy i � c y i T = e 1 , · i i ∈D ′ i ∈D ′ and recover γ .

� Technical Difficulties: Norms || x 0 − x 1 || = 0 mod p = ⇒ x 0 = x 1 mod p Other UIPFE works bypass this by bounding individual components. This doesn’t work here. We define a pseudonorm and impose an upper bound on it.

Technical Difficulties: Key Homomorphism In most (all?) IPFE schemes, keys are homomorphic: f ( α, sk y , β, sk y ′ ) = sk α y + β y ′ This is typically fine by functionality.

Technical Difficulties: Key Homomorphism In most (all?) IPFE schemes, keys are homomorphic: f ( α, sk y , β, sk y ′ ) = sk α y + β y ′ This is typically fine by functionality. But it becomes an issue in permissive UIPFE. Need to adjust security definitions.