Functional Encryption: An Introduction and Survey Brent Waters.


1 Functional Encryption: An Introduction and Survey Brent Waters

2 Pre-Public Key Cryptography
• Established mutual secrets
• Small networks
[Diagram: SK]

3 The world gets bigger
• Internet – Billions of users
• Unsustainable

4 Public Key Cryptography
• Public Key Encryption [DH76, M78, RSA78, GM84]
• Avoid Secret Exchange
[Diagram: SK, PubK]

5 Data in the Cloud: Another Turning Point?
• Cloud is growing
• Encryption a must
LA Times 7/17: City of LA weighs outsourcing IT to Google
• LAPD: Arrest Information Sensitive

6 Rethinking Encryption
[Diagram: policy Internal Affairs OR (Undercover AND Central)]
• Who matches this? Am I allowed to know?
• What if they join later?
• Should they see everything?
• Process data before decryption?
Problem: Disconnect between policy and mechanism

7 Attribute-Based Encryption [SW05]
[Diagram: Key Authority with PK and MSK; SK for “Undercover”, “Central”; SK for “Undercover”, “Valley”; ciphertext policy $\phi$ = Int. Affairs OR (Undercover AND Central)]

8 First Approach & Collusion Attacks
[Diagram: policy A AND B; key pairs $(PK_A, SK_A)$ and $(PK_B, SK_B)$; $SK_{Sarah}$: “A”; $SK_{Kevin}$: “B”; ciphertext $E_A(R)$, $E_B(M \oplus R)$; labels $R$, ?, $M \oplus R$, $M$; Collusion Attack!]
• Allowed Collusion [S03, MS03, J04, BMC06]
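
The first approach on slide 8, as an added example that is not part of the original slides: the message is split as $E_A(R)$, $E_B(M \oplus R)$, and two users who each hold one attribute key recover $M$ by pooling their outputs, which is what key personalization is meant to prevent. The toy hashed-ElGamal cipher, the group parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): prime modulus 2**127 - 1, base 3.
P = 2**127 - 1
G = 3

def keygen():
    """One key pair per attribute, as in the slide's (PK_A, SK_A), (PK_B, SK_B)."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _pad(shared, n):
    # Derive an n-byte pad from the shared group element.
    return hashlib.shake_256(shared.to_bytes(16, "big")).digest(n)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(pk, msg):
    """Hashed-ElGamal-style stand-in for the slide's E_A / E_B."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), _xor(msg, _pad(pow(pk, r, P), len(msg)))

def decrypt(sk, ct):
    c1, body = ct
    return _xor(body, _pad(pow(c1, sk, P), len(body)))

def encrypt_and(pk_a, pk_b, msg):
    """Policy 'A AND B': ciphertext is E_A(R), E_B(M xor R) with fresh random R."""
    r = secrets.token_bytes(len(msg))
    return encrypt(pk_a, r), encrypt(pk_b, _xor(msg, r))

def pooled_decrypt(sk_a, sk_b, ct):
    """What two single-attribute key holders obtain by combining their outputs."""
    return _xor(decrypt(sk_a, ct[0]), decrypt(sk_b, ct[1]))

if __name__ == "__main__":
    sk_a, pk_a = keygen()   # Sarah holds only sk_a
    sk_b, pk_b = keygen()   # Kevin holds only sk_b
    ct = encrypt_and(pk_a, pk_b, b"constructed sample message")
    print("Sarah alone:", decrypt(sk_a, ct[0]).hex())      # just R
    print("Kevin alone:", decrypt(sk_b, ct[1]).hex())      # just M xor R
    print("Pooled     :", pooled_decrypt(sk_a, sk_b, ct))  # M
```

Neither key holder satisfies "A AND B", yet nothing in the ciphertext ties the two shares to a single user's key.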

9 Collusion Attacks: The Key Threat
[Diagram: Kevin: “Undercover”, “Valley”; James: “Central”, “Parking”; policy Int. Affairs OR (Undercover AND Central)]
Need: Key “Personalization”
Tension: Functionality vs. Personalization

10 Key Personalization (Intuition)
[Diagram: SK for Kevin: “Undercover” … with random $t$; SK for James: “Central” … with random $t'$]

11 Making it work (sketch)
[Diagram: policy Internal Affairs OR (Undercover AND Central)]
Personalized Randomization
• Secret Share in Exponent
• Pairing 1st Step
• Combine “Personalized” Shares
• Final: “Unpersonalize”

12 Is this what we need?
• Descriptive Encryption
• T.M. is more powerful
• “All or nothing” decryption (no processing)

13 Functional Encryption
Functionality: $f(\cdot, \cdot)$
[Diagram: Authority with Public Params and MSK; Key: $y \in \{0,1\}^*$, $SK_y$; CT: $x \in \{0,1\}^*$; $f(x,y)$]
Security: Simulation Def.

14 What can I do?
[Diagram: SK]

15 What could F.E. do?
[Diagram: SK]

16 IBE: Where it started
Key: $y \in \{0,1\}^*$, $SK_Y$
CT: $x = (M, ID)$
$f(x=(M,ID),\, y) = \begin{cases} M, ID & \text{if } y = ID \\ ID & \text{if } y \neq ID \end{cases}$
“Annotated”
• S84, BF01, C01…

17 Attribute-Based Encryption
Key: $y \in \{0,1\}^n$ (boolean variables), $SK_Y$
CT: $x = (M, \phi)$
$f(x=(M,\phi),\, y) = \begin{cases} M, \phi & \text{if } \phi(y) = \text{true} \\ \phi & \text{if } \phi(y) = \text{false} \end{cases}$
“Annotated”
• SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08

18 Attribute-Based Encryption
Key: $y \in \{0,1\}^n$ (boolean variables), $SK_Y$
CT: $x = (M, \phi)$
$f(x=(M,\phi),\, y) = \begin{cases} M, \phi & \text{if } \phi(y) = \text{true} \\ \phi & \text{if } \phi(y) = \text{false} \end{cases}$
“Annotated”, “Ciphertext Policy”
• SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08

19 Attribute-Based Encryption
Key: $y = \phi$, $SK_Y$
CT: $x = (M, X \in \{0,1\}^n)$
$f(x=(M,X),\, y) = \begin{cases} M, \phi & \text{if } \phi(X) = \text{true} \\ X & \text{if } \phi(X) = \text{false} \end{cases}$
“Annotated”, “Key Policy”
• SW05, GPSW06, C07, BSW07, OSW07, GJPS08, W08

20 Anonymous IBE & Searching on Encrypted Data
Key: $y \in \{0,1\}^*$, $SK_Y$
CT: $x \in \{0,1\}^*$
$f(x, y) = \begin{cases} 1 & \text{if } y = x \\ 0 & \text{otherwise} \end{cases}$
• BDOP04: Boneh-Franklin is anonymous
• ABCKKLMNPS05: defs.
• BW06: Standard Model

21 Conjunctive Search [BW07, SBCSP07]
Key: $y = (y_1, \ldots, y_n)$, $y_i \in \{0,1\}^* \cup \{?\}$, $SK_Y$
CT: $x = (x_1, \ldots, x_n)$, $x_i \in \{0,1\}^*$
$f(x, y) = \begin{cases} 1 & \text{if } \forall\, y_i \neq {?},\ y_i = x_i \\ 0 & \text{otherwise} \end{cases}$
• Cancellation techniques -> AND
• Must not learn intermediate result!

22 Inner Product & ORs [KSW08]
Key: $y = (y_1, \ldots, y_n) \in Z_N^n$, $SK_Y$
CT: $x = (x_1, \ldots, x_n) \in Z_N^n$
$f(x, y) = \begin{cases} 1 & \text{if } x \cdot y = 0 \\ 0 & \text{otherwise} \end{cases}$
• OR -- Bob OR Alice -- $p(z) = (A-z)(B-z)$
• Increased Malleability!
• Subgroups

23 Three Directions

24 Functionality
• Current: Inner Product
• Natural Limits?
• Fully Homomorphic Enc? --- Can’t do IBE
• Annotated: Hide What (Message), Not Why
• Expect more progress

25 Proofs of Security
• “Partitioning” [BF01, C01, CHK03, BB04, W05]
[Diagram: Simulator; ID Space; Priv. Key Space; Challenge Space; $ID_1, ID_2, \ldots, ID_Q$; $ID^*$ (challenge ID)]
• Balance: Challenge Space 1/Q => 1/Q of no abort

26 Structure gives problems!
• 2-level HIBE
Balance: Depth d HIBE => $1/Q^d$
[Diagram: .edu, .gov]
• ABE, … similar problems
• “Selective Security”
• Declare $X^*$ before params

27 Moving Past Partitioning
• G06, GH09
• Simulator 1-key per identity – always looks good
• Augmented n-BDHE
• W09
• Dual System Encryption
• Hybrid over keys
• “Simple” Decision Linear
• LSW09 ABE solution

28 Multiple Authorities
$\phi$ = :Friend AND :Student
Problem: Disparate organizations
Central Authority + Certs?
• Central Trust + Bottleneck
C07: C.A. (no order), GlobalID, AND formulas

29 Summary
• Rethink Encryption
• Describe Target
• “Evaluate” vs. “Decrypt” a Ciphertext
• Functional Encryption
• Ideal: Any Functionality
• “Lens” or common framework
• Progress, but still much to do

30 Thank you

