SLIDE 1
Unbounded Inner Product Functional Encryption, with Succinct Keys
Edouard Dufour Sans and David Pointcheval
École Normale Supérieure, INRIA
June 6, 2019
Table of Contents Background Functional Encryption ABDP Applications of Inner
SLIDE 2
SLIDE 7
Functional Encryption
Traditional PKE: all or nothing.
◮ Have the key? Get the plaintext.
◮ Don’t have the key? Get nothing.
Functional Encryption: A new paradigm.
Get a function of the cleartext.
Function depends on the key.
SLIDE 8
Functional Encryption: Formal definition
Four algorithms:
◮ Setup($\lambda$): Returns (pk, msk).
◮ Encrypt(pk, $x$): Returns $c$.
◮ KeyGen(msk, $f$): Returns $sk_f$.
◮ Decrypt($sk_f$, $c$): Returns $f(x)$.
SLIDE 9
FE example
msk
I want to receive encrypted emails. I don’t want to be bothered with spam. Decrypt and send to my colleague if urgent.
$sk_{f_{spam}}$, $sk_{f_{urgent}}$
pk
SLIDE 10
FE example
msk
pk
$sk_{f_{spam}}$, $sk_{f_{urgent}}$
I don’t know what it is but it’s spam!
$Enc_{pk}$("Cheap RayBans!!!")
SLIDE 12
Security definitions
Oracles: Setup(), LeftOrRight(·,·), KeyDer(·), Finalize(·)
No cheating! $f(x_0) = f(x_1)$
LoR($x_0$, $x_1$) → Enc($x_b$)
KeyDer($f$) → $sk_f$
SLIDE 13
The First Inner Product Functional Encryption
ABDP15
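Fixed $n$. $\mathcal{F} \approx \mathbb{Z}_p^n$, $f_{\vec{y}} \approx \vec{y}$.
◮ Setup($\lambda$): Pick $\vec{s} \xleftarrow{\$} \mathbb{Z}_p^n$. Return $(g^{\vec{s}}, \vec{s})$.
◮ Encrypt($g^{\vec{s}}$, $\vec{x}$): Pick $r \xleftarrow{\$} \mathbb{Z}_p$. Return $(g^r,\ g^{\vec{x}} \cdot (g^{\vec{s}})^r) = (g^r,\ g^{\vec{x} + r\cdot\vec{s}})$.
◮ KeyGen($\vec{s}$, $\vec{y}$): Return $\langle \vec{s}, \vec{y} \rangle$.
◮ Decrypt($\langle \vec{s}, \vec{y} \rangle$, $(g^r, g^{\vec{x} + r\cdot\vec{s}})$): Compute
$$g^{\gamma} = g^{\langle \vec{x} + r\cdot\vec{s},\ \vec{y} \rangle} / (g^r)^{\langle \vec{s}, \vec{y} \rangle}$$
and solve the discrete logarithm to return $\gamma$.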
SLIDE 17
Application: Descriptive statistics
◮ Averages.
◮ Weighted averages.
◮ Standard deviation (if we encrypt the squares).
◮ Machine Learning Inference via Linear Regression.
SLIDE 21
Leakage
Say you have a ciphertext for vector $\vec{x}$.
The key for $\vec{y}$ lets you compute $\langle \vec{x}, \vec{y} \rangle$ $\Longrightarrow$ one projection.
$m$ independent keys $\Longrightarrow$ $m$ projections.
Actual number of keys you can give depends on plaintext distribution.
SLIDE 22
Table of Contents
Background
Functional Encryption
ABDP
Applications of Inner Product Functional Encryption
Security of Inner Product Functional Encryption
Unbounded Inner Product Functional Encryption
Issues with Standard Inner Product Functional Encryption
Unbounded Inner Product Functional Encryption
Our construction
Technical Difficulties
Concurrent and Independent Work
Open problems
SLIDE 28
Limitations of Inner Product Functional Encryption
What if you want to receive vectors of various lengths? You need multiple public keys.
What if you want to create subcategories between vectors? More keys.
What if you don’t know the size of the vector ahead of time? No great solutions.
SLIDE 29
Solution: Unbounded Inner Product Functional Encryption
◮ No fixed size for vectors (ciphertexts or keys).
◮ One constant-size public-key.
◮ Vectors are maps from indices to scalars.
◮ Identity-based version allows for categorization.
SLIDE 32
UIPFE Variants
We introduce two unbounded functionalities:
◮ Strict UIPFE: Indices of ciphertext must match those of key.
◮ Permissive UIPFE: Indices of ciphertext must contain those of key.
SLIDE 35
Technical overview
ABDP builds on ElGamal.
Want n coordinates? Instantiate n ElGamal schemes you control.
How do we go to Unbounded?
Boneh-Franklin Identity-Based Encryption is ElGamal-like.
SLIDE 36
Our construction
Permissive UIPFE: Setup
Choose a pairing group $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e)$ and a hash function $H$ into $\mathbb{G}_2$. Pick a single scalar $s \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^s, s)$.
SLIDE 37
Our construction
Permissive UIPFE: Encrypt
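◮ Setup($\lambda$): Pick $s \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^s, s)$.
You have an unbounded vector $(x_i)_{i \in D}$ and $pk = g_1^s$.
Pick $r \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^r, (c_i)_{i \in D})$ where
$$c_i = g_T^{x_i} \cdot e(g_1^s, H(i)^r) \approx g_T^{x_i + r s_i}$$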
SLIDE 38
Our construction
Permissive UIPFE: KeyGen
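◮ Setup($\lambda$): Pick $s \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^s, s)$.
◮ Encrypt($g_1^s$, $(x_i)_{i \in D}$): Pick $r \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^r, (c_i)_{i \in D})$ where
$$c_i = g_T^{x_i} \cdot e(g_1^s, H(i)^r) \approx g_T^{x_i + r s_i}$$
You have an unbounded vector $(y_i)_{i \in D'}$ and $sk = s$. Return
$$\prod_{i \in D'} H(i)^{-s y_i} \approx g_2^{-\langle \vec{s}, \vec{y} \rangle}$$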
SLIDE 39
Our construction
Permissive UIPFE: Decrypt
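◮ Setup($\lambda$): Pick $s \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^s, s)$.
◮ Encrypt($g_1^s$, $(x_i)_{i \in D}$): Pick $r \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^r, (c_i)_{i \in D})$ where
$$c_i = g_T^{x_i} \cdot e(g_1^s, H(i)^r) \approx g_T^{x_i + r s_i}$$
◮ KeyGen($s$, $(y_i)_{i \in D'}$): Return
$$\prod_{i \in D'} H(i)^{-s y_i} \approx g_2^{-\langle \vec{s}, \vec{y} \rangle}$$
You have a ciphertext $(g_1^r, (c_i)_{i \in D})$ and a key $\prod_{i \in D'} H(i)^{-s y_i}$.
Compute
$$g_T^{\gamma} = e\Big(g_1^r, \prod_{i \in D'} H(i)^{-s y_i}\Big) \cdot \prod_{i \in D'} c_i^{y_i}$$
and recover $\gamma$.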
SLIDE 40
Our construction
Permissive UIPFE
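◮ Setup($\lambda$): Pick $s \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^s, s)$.
◮ Encrypt($g_1^s$, $(x_i)_{i \in D}$): Pick $r \xleftarrow{\$} \mathbb{Z}_p$. Return $(g_1^r, (c_i)_{i \in D})$ where
$$c_i = g_T^{x_i} \cdot e(g_1^s, H(i)^r) \approx g_T^{x_i + r s_i}$$
◮ KeyGen($s$, $(y_i)_{i \in D'}$): Return
$$\prod_{i \in D'} H(i)^{-s y_i} \approx g_2^{-\langle \vec{s}, \vec{y} \rangle}$$
◮ Decrypt($\prod_{i \in D'} H(i)^{-s y_i} \approx g_2^{-\langle \vec{s}, \vec{y} \rangle}$, $(g_1^r, (c_i)_{i \in D})$): Compute
$$g_T^{\gamma} = e\Big(g_1^r, \prod_{i \in D'} H(i)^{-s y_i}\Big) \cdot \prod_{i \in D'} c_i^{y_i}$$
and recover $\gamma$.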
SLIDE 41
Technical Difficulties: Norms
$$\|x_0 - x_1\| = 0 \bmod p \ \not\Longrightarrow\ x_0 = x_1 \bmod p$$
Other UIPFE works bypass this by bounding individual components. This doesn’t work here.
We define a pseudonorm and impose an upper bound on it.
SLIDE 43
Technical Difficulties: Key Homomorphism
In most (all?) IPFE schemes, keys are homomorphic:
$$f(\alpha, sk_{\vec{y}}, \beta, sk_{\vec{y}'}) = sk_{\alpha \vec{y} + \beta \vec{y}'}$$
This is typically fine by functionality. But it becomes an issue in permissive UIPFE.
Need to adjust security definitions.
SLIDE 46
Concurrent and Independent Work
Tomida and Takashima proposed UIPFE at ASIACRYPT18.
◮ No Random Oracles.
◮ Adaptive security.
◮ Only standard assumptions.
◮ Requires contiguous indices.
◮ No access control.
◮ Bigger keys, slower operations.

        Public Key    Ciphertext        Functional Key
TT18    28|G1|        7n|G1|            7n|G2| + α
Ours    |G1|          |G1| + n|GT|      |G2|
SLIDE 50
Open problems
◮ Better security with efficiency.
◮ Different UIPFE functionalities.
◮ More functionalities.
SLIDE 51
References
1. Abdalla, Michel, et al. "Simple functional encryption schemes for inner products." IACR International Workshop on Public Key Cryptography. Springer, Berlin, Heidelberg, 2015.
2. Boneh, Dan, and Matt Franklin. "Identity-based encryption from the Weil pairing." Annual international cryptology conference. Springer, Berlin, Heidelberg, 2001.
3. Boneh, Dan, Amit Sahai, and Brent Waters. "Functional encryption: Definitions and challenges." Theory of Cryptography Conference. Springer, Berlin, Heidelberg, 2011.
4. O’Neill, Adam. "Definitional Issues in Functional Encryption." IACR Cryptology ePrint Archive 2010 (2010): 556.
5. Tomida, Junichi, and Katsuyuki Takashima. "Unbounded