(ppt)

Download Report

Transcript (ppt) 

Functional Encryption:
An Introduction and Survey
Brent Waters
Pre-Public Key Cryptography
Established mutual secrets
Small networks
SK
SK
2
The world gets bigger
Internet – Billions of users
Unsustainable
3
Public Key Cryptography
Public Key Encryption
[DH76,M78,RSA78,GM84]
Avoid Secret Exchange
PubK
SK
4
Data in the Cloud: Another Turning Point?
Cloud is growing
Encryption a must
LA Times 7/17: City of LA weighs outsourcing IT to Google
 LAPD: Arrest Information Sensitive
5
Rethinking Encryption
OR
AND
Internal
Affairs
Undercover Central
Problem: Disconnect between policy
and mechanism
Who matches this? Am I allowed to know?
What if they join later?
 Should they see everything?
Process data before decryption?
6
Attribute-Based Encryption
Á
=


 

 
MSK
OR
Int. Affairs
SK
“Undercover”
“Central”
PK
AND
Undercover
[SW05]
Key Authority
OR
Central
Int. Affairs
AND
Undercover
Central
SK
“Undercover”
“Valley”
7
First Approach & Collusion Attacks
 Allowed Collusion
[S03, MS03, J04,BMC06]
AND
EA(R)
PKA
PKB
SKA
SKB
R
?
A
B
M©R
SKSarah:
“A”
Collusion Attack!
EB(M © R)
SKKevin:
“B”
M
8
Collusion Attacks: The Key Threat
OR
Need: Key “Personalization”
Int. Affairs
AND
Undercover
Central
Tension: Functionality vs. Personalization
Kevin:
“Undercover”
“Valley”
James:
“Central”
“Parking”
9
Key Personalization (Intuition)
Kevin:
“Undercover”
…
SK
Random t
James:
SK
“Central”
…
Random t’
10
Making it work (sketch)
Secret Share in Exponent
Pairing 1st Step
Personalized Randomization
Combine “Personalized” Shares
Final: “Unpersonalize”
OR
Internal Affairs
Undercover
AND
Central
11
Is this what we need?
Descriptive Encryption
T.M. is more powerful
“All or nothing” decryption
(no processing)
12
Functional Encryption
Functionality: f(¢ , ¢ )
MSK
Authority
Key: y 2 {0,1}*
SK y
CT: x 2 {0,1}*
Public Params Security: Simulation Def.
X
f(x,y)
13
What can I do?
SK
14
What could F.E. do?
SK
15
IBE : Where it started
S84, BF01, C01…
Key: y 2 {0,1}*
CT: x = (M,ID)
f( x=(M,ID), y) =
M , ID if y = ID
ID
“Annotated”
if y ID
SK Y
X
16
Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08
Key: y 2 {0,1}n (boolean variables)
CT: x = (M, Á )
f( x=(M, Á ), y) =
M , Á if Á(y) = true
Á
“Annotated”
if Á(y) = false
SK Y
X
17
Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08
Key: y 2 {0,1}n (boolean variables)
CT: x = (M, Á )
f( x=(M, Á ), y) =
M , Á if Á(y) = true
Á
“Annotated”
“Ciphertext Policy”
if Á(y) = false
SK Y
X
18
Attribute-Based Encryption
SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08
Key: y = Á
CT: x = (M, X 2
f( x=(M,X ), y) =
{0,1}n
M , Á if Á(X) = true
X
“Annotated”
)
“Key Policy”
if Á(X) = false
SK Y
X
19
Anonymous IBE &
Searching on Encrypted Data
Key: y 2 {0,1}*
CT: x 2 {0,1}*
f( x, y) =
1
if y = x
0 otherwise
BDOP04: Boneh-Franklin is anonymous
ABCKKLMNPS05 : defs.
BW06 : Standard Model
SK Y
X
20
Conjunctive Search
[BW07, SBCSP07]
Key: y = (y1, …, yn) , yi 2 {0,1}* [ ?
CT: x = (x1, …, xn) , xi 2 {0,1}*
f( x=, y) =
1
if 8 yi  ? , yi = xi
0 otherwise
Cancellation techniques -> AND
Must not learn intermediated result!
SK Y
X
21
Inner Product & ORs
[KSW08]
Key: y = (y1, …, yn) 2 ZN n
CT: x = (x1, …, xn) 2 ZN n
f( x, y) =
1
If x ¢ y =0
0 otherwise
 OR –- Bob OR Alice -- p(z)=(A-z)(B-z)
 Increased Malleability!
 Subgroups
SK Y
X
22
Three Directions
23
Functionality
Current: Inner Product
Natural Limits?
Fully Homomorphic Enc? --- Can’t do IBE
Annotated: Hide What (Message), Not Why
Expect more progress
Proofs of Security
“Partitioning”
Simulator
[BF01, C01, CHK03, BB04, W05]
ID Space
ID1
ID2…

Priv. Key
Space
Challenge
Space
…
IDQ
ID* (challenge ID)
Balance: Challenge Space
1/Q => 1/Q of no abort
Structure gives problems!
2-level HIBE
Balance: Depth d HIBE=> 1/Qd
ABE, … similar problems
.gov
“Selective Security”
.edu
Declare X* before params
Moving Past Partitioning
G06, GH09
Simulator 1-key per identity – always looks good
Augmented n-BDHE
W09
Dual System Encryption
Hybrid over keys
“Simple” Decision Linear
LSW09 ABE solution
Multiple Authorities
Á
=
:Student
AND
:Friend
Problem: Disparate organizations
Central Authority + Certs?
Central Trust+ Bottleneck
C07: C.A. (no order), GlobalID, AND formulas
28
Summary

Rethink Encryption
Describe Target
“Evaluate” vs. “Decrypt” a Ciphertext
Functional Encryption
Ideal: Any Functionality
“Lens” or common framework
Progress, but still much to do
Thank you
30