OUTLINE Various encryption schemes: Public-key functional encryption, Private-key functional encryption, Property Preserving encryption. Fairly new ideas, spend some time on each one. What they are? Our results. Come back and discuss Public-key functional encryption in detail.
PUBLIC KEY FUNCTIONAL ENC. MSK, MPK Alice MPK ENC (m) Julie Bob Trusted Authority
PUBLIC KEY FUNCTIONAL ENC. First formally studied by Boneh, Sahai and Waters in Encompasses well-known notions of encryption: Public-key encryption [DH76, RSA77, …], Identity-based encryption [Sha84, BF01, Coc01, BW06, GPV08], Attribute-based encryption [SW05, GPSW06, GVW13, GGH+13], Predicate encryption [KSW08, LOS+10, AFV11], Searchable encryption [BCOP04], etc. Has been the subject of intense study in the recent past.
OUR CONTRIBUTION A new definition for Functional Encryption: Simulation based (real-ideal world), Provides both function and message hiding, Simple and intuitive. First definition with the above features. Construct a secure protocol in the generic group model. Practice: Security against a large class of attacks. Function family F: inner-product predicates.
PRIVATE KEY FUNCTIONAL ENC. SK ENC (m1, SK) ENC (m2, SK) ENC (m3, SK) Client Server
PRIVATE KEY FUNCTIONAL ENC. First studied by Shen, Shi and Waters in 2009 [SSW09]. SSW09 construct a secure protocol for inner-product predicates. A new protocol that is better in several ways.
AN IMPROVED PROTOCOL SSW09 protocolOur protocol Selective securityFull security Composite-order groupsPrime-order groups Non-standard assumptionsStandard assumption
OUR PROTOCOL Derived from Okamoto and Takashima [OT12]. Symmetric nature of inner-product predicates. Ways to transform a protocol with weaker properties into one with stronger properties [Fre10, Lew12]. No method can simultaneously solve all the three problems.
PROPERTY PRESERVING ENCRYPTION SK ENC (m1, SK) ENC (m2, SK) Client Server TEST(ENC(m1), ENC(m2)) = P(m1, m2)
PROPERTY PRESERVING ENCRYPTION Introduced by Pandey and Rouselakis in 2012 [PR12]. PR12 gives a protocol for the inner-product property. We improve their protocol in two crucial ways. Exploit connection b/n Private-key FE and PPE. PR12Our protocol Composite-order groupsPrime order groups Generic group model Standard model (DLIN assumption)
SIMULATION BASED DEF. A new definition for Functional Encryption: Simulation based (real-ideal world), Provides both function and message hiding, Simple and intuitive. Real world execution of a protocol is compared with an “Ideal” world. Ideal world: Security requirements we want from our protocol.
Real WorldIdeal World Environment MSK, MPK MPK Adversary Trusted Authority Oracle Simulator
OUR SET-UP Strong security definition. Cannot be realized in the standard model [BSW11, O’N11, BO12]. Adversary doesn’t exploit structure of the group. Generic group model: captures most real-world attacks. Function family F: inner product predicates. Looking at some special cases of Functional Encryption. Inner-product predicates capture those cases.
IDENTITY BASED ENCRYPTION
OUR PROTOCOL A protocol for inner-product predicates in the Generic group model, which is secure under a strong simulation- based definition. Two constructions Dual Pairing Vector Spaces (Okamoto and Takashima in 2008). Secret Sharing. The constructions have comparable efficiency. For vectors of length n, ciphertext and key of length 3n.
CONCLUSION A new powerful definition for Public-Key Functional Encryption. Protocol in the Generic group model. Another definition Relax-SIM. Protocol in the standard model. Improve protocols for Private-Key Functional Encryption and Property Preserving Encryption in various ways. First protocols under standard assumptions/model.
THANK YOU Paper will soon be available on Eprint.