Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deniable Functional Encryption PKC 2016 Academia Sinica, Taipei, TAIWAN March 6-9, 2016 Angelo de Caro 1, Vincenzo Iovino 2, Adam O’Neill 3 1 IBM Research,

Published byJewel Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "Deniable Functional Encryption PKC 2016 Academia Sinica, Taipei, TAIWAN March 6-9, 2016 Angelo de Caro 1, Vincenzo Iovino 2, Adam O’Neill 3 1 IBM Research,"— Presentation transcript:

1 Deniable Functional Encryption PKC 2016 Academia Sinica, Taipei, TAIWAN March 6-9, 2016 Angelo de Caro 1, Vincenzo Iovino 2, Adam O’Neill 3 1 IBM Research, Zurich 2 University of Luxembourg 3 Georgetown University, USA

2 Ohhh… I am so sorry, will you ever forgive me? See you tonight. Adam Your husband’s suit is ready. The Laundress Deniable Encryption (explained to kids) See you tonight. Adam Grrr… Is there a man in the middle?!? I intercepted this encrypted msg, show me what is inside! = Setup(1 λ ) How can you doubt my fidelity?! This is my SK, see with your own eyes… We will see tonight…

3 (during the night…)

4 msg Enc(msg) MSK Token(f)=KeyGen(MSK,f) f(msg) Functional Encryption f PK If From=‘’Adam’’ return Priority, If From=‘’Bob’’ return Discard, Else …. { msg=‘’From XXX To XXX Body XXX’’ f(msg)= Example: Email Filter

5 5 Encrypted package goes from Alice to Adam Motivating Deniability for FE: Secure Routing Each router has a token for its routing table With tokens routers can compute next hop Routers can not leak other information, e.g. final or previous hops in the path Router, I suspect that my wife is cheating on me. Can you tell me what is the next destination of this msg of hers that I intercepted? Router has 6 possible next hops for the package Adam’s message followed the pink one but the router gives to Bob a FSK that shows as next hop the green one

6 Our Results Receiver-deniable FE for general functions BB from any FE Receiver-deniable FE in the multi-distributional model Relations between Sim-Security and Deniability Efficient constructions

7 Functional Encryption: IND-Security Challenger Adversary PK f Token(f)=KeyGen(MSK,f) m 0, m 1 Ct = Enc(m b )b←$ f Token(f)=KeyGen(MSK,f) MSK PK b’ Wins if b’=b

8 Receiver-deniable FE Receiver Deniability Games: RealRecDenExp and FakeRecDenExp Challenger Adv O1,O2,K PK (x*,y*) Real: Ct* = Enc(x*;r) Fake: Ct*=Enc(y*;r) view Adversary’s view in RealExp with K=K 1 RealRecDenExp K 1 (f, Ct*, x*): Sk f = KeyGen(Msk, f); Output: Sk f Adversary’s view in FakeExp with K=K 2 ~ ~ FakeRecDenExp K 2 (f, Ct*, x*): Sk f = RecFake(Msk, Ct,* x*); Output: Sk f O 1 (f,x,y): Ct = Enc(PK,x;r); Sk f = KeyGen(Msk, f); Output: (Ct,Sk f ) O 2 (f,x,y): Ct = Enc(PK, y; r); Sk f = RecFake(Msk, f, Ct, x); Output: (Ct, Sk f ) Ct = Enc(PK, x; r); Sk f = RecFake(Msk,Ct,y); f(y) = Dec(Ct,Sk f ); Ct = Enc(PK,x’; r); f(x’) = Dec(Ct’, Sk f ); Note: Adv has access to K(·,Ct*,x*) only after seeing Ct Constraints 1. No query (f, x, y) issued to O 1 /O 2 and at same time a query (f, Ct*, x) to K 1 /K 2 ; 2. For any query to oracle K 1 /K 2 for f*, there is no query f* to O 1 /O 2 ; 3. For each f different from any of the f* queried to O 1 /O 2, it holds that f(x*)=f(y*). Msk

9 Ct = Enc(PK, x; r); (Sk f, Fk f ) = DenKeyGen(Msk, f); Sk f ’ = RecFake(Sk f, Fk f, Ct, y); f(y) = Dec(Ct, Sk f ’) O 1 (f,x,y) Ct = Enc(PK,x;r); Sk f = KeyGen(Msk, f); Output: (Ct,Sk f ) Multidistributional Receiver-deniable FE MultiDist RecDen Games: ReadMDRecExp and FakeMDRecExp Challenger Adversary O1,O2,K PK (x*,y*) Real: Ct* = Enc(x*;r) Fake: Ct*=Enc(y*;r) view Adversary’s view in RealMDRecExp with K=K 1 RealMDRecExp K 1 (f, Ct*, x*) Sk f = KeyGen(Msk, f); Output: Sk f Adversary’s view in FakeMDRecExp with K=K 2 ~ ~ FakeMDRecExp K 2 (f, Ct*, x*) (Sk f, Fk f ) = DenKeyGen(Msk, f); Sk f = RecFake(Msk, Ct*, x*); Output: Sk f O 2 (f,x,y) Ct = Enc(PK, y; r); (Sk f, Fk f ) = DenKeyGen(Msk, f); Sk f = RecFake(Sk f, Fk f, Ct, x); Output: (Ct, Sk f ) Note: Adv has access to K(·,Ct*,x*) only after seeing Ct Constraints 1. No query (f, x, y) issued to O 1 /O 2 and at same time a query (f, Ct*, x) to K 1 /K 2 ; 2. For any query to oracle K 1 /K 2 for f*, there is no query f* to O 1 /O 2 ; 3. For each f different from any of the f* queried to O 1 /O 2, it holds that f(x*)=f(y*).

10 Functionality in Normal Mode:Functionality in Trapdoor Mode: Enc(m)Token(C) Decryption f(m) Simulated ciphertext Simulated Token Decryption f(m) Starting point: DIJOPP13’s transform

11 DIJOPP13’s transform (simplified) IND-secure scheme: SIM-secure scheme: CiphertextToken msgf CiphertextToken [msg, flag, encryption key][f, encrypted output] Normal mode[msg,0,$][f,$] Trapdoor mode[0 n,1,key][f, Enc key (f(msg))]

12 C(x) Decryption 1 if F s (t)=z 0 if F s (t’)=z’ Trapdoor circuit for RecDen (simplified) Target Ciphertext Ct*=Enc(x,s) Other Ciphertexts Decryption Circuit Trap[C,t,z,t’,z’](x’): (x,s)  x’; If F(s,t)=z return 1; Else if F(s,t’)=z’ return 0; Else return C(x);

13 MultiDistRecDen (General Idea) Token=(Trap2Tok, TCt), where Trap2Tok is a Token for a trapdoor circuit for a 2-FE Link Trap2Tok and TCt: TCt encrypts z and trapdoor circuit embeds value t s.t. f(z)=t Using Fake key = z compute fake TCt=Enc(z,Ct*,y) for target ciphertext Ct*=Enc(x) and feed Trap2Tok with (Ct*, TCt)  Decrypt(Trap2Tok, Ct*,TCt)=C(y)

14 Tok(C)=(Trap2Tok[t], TCt=Enc(z, Ct, x’)) Ct =Enc(x) Tok(C)=(Trap2Tok[t], TCt=Enc(z, c, x’)) C(x’) MultiDistRecDen Construction (simplified) C(x) c=Ct  Trapdoor mode

15 Trapdoor circuit for MultiDistRecDen

16 Negative implications and Optimality of our results (n c,n k )-receiver deniability  (0,n c,n k )-Sim-security  Impossible Receiver deniability stronger: equivocable ciphertexts and tokens must decrypt correctly in the real system SIM-secure FE impossibility  (n c, poly)-deniability is in fact optimal  we achieve optimal parameters (n c,n k )-receiver deniability = deny n c ciphertexts and n k tokens

17 Efficient construction for Boolean Formulae Implement Boolean Formulae with Inner-Product Encryption Implement equality with bitwise comparison  To avoid exponential blowup we must bound the length of the variables s, r 0 and r 1 to be a constant t  Decryption error non-negligible Use parallel repetition to fix the issue RecDen IBE  lattice-based assumptions [OPW11] RecDen Boolean Formulae Encryption  Inner-Product Encryption [This work]

18 & Vincenzo thanks FNR (Luxembourg) to fund his research and Gabriele Lenzini for the drawings in the 3 rd slide

Download ppt "Deniable Functional Encryption PKC 2016 Academia Sinica, Taipei, TAIWAN March 6-9, 2016 Angelo de Caro 1, Vincenzo Iovino 2, Adam O’Neill 3 1 IBM Research,"

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption

Adaptively Attribute-Hiding ( Hierarchical ) Inner Product Encryption
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.

On Minimal Assumptions for Sender-Deniable Public Key Encryption Dana Dachman-Soled University of Maryland.
On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),

On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Identity Based Encryption

Identity Based Encryption
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
1 Queries on Encrypted Data Dan Boneh Brent Waters Stanford UniversitySRI.

1 Queries on Encrypted Data Dan Boneh Brent Waters Stanford UniversitySRI.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.

1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.
Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.

Anonymity and Robustness in Encryption Schemes Payman Mohassel University of Calgary.

Similar presentations

Ads by Google