SEMANTICALLY-SECURE FUNCTIONAL ENCRYPTION: POSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION. Adam O'Neill, Georgetown.


SEMANTICALLY-SECURE FUNCTIONAL ENCRYPTION: POSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION. Adam O'Neill, Georgetown University. Joint work with Mihir Bellare, UCSD.

OUTLINE OF TALK
- What is functional encryption (FE)?
- Two security notions: the indistinguishability (IND) notion and the semantic security (SS) notion.
- What's known, and our guiding observation.
- Impossibility result: SS is not achievable in the standard model (without long keys).
- Possibility results: equivalence of SS and IND under non-adaptive security for preimage-sampleable functionalities from [O'10]; a restriction on adaptive queries that maintains the equivalence.
- Other results and open questions.


FUNCTIONAL ENCRYPTION (FE) Main idea: users decrypt one ciphertext to different values, depending on their secret keys. The concept was developed in a series of works starting with [SW'05], [BW'07], [KSW'08], ... General syntax and security definitions were given independently by [O'10] and [BSW'11].

SYNTAX A functionality F takes the security parameter 1^k, an index a and an input x, and returns an output y or ⊥. A functional encryption scheme for F is a tuple FE = (Setup, KDer, Enc, Dec) of algorithms that work as follows...

SYNTAX (diagram) Authority: (mpk, msk) ← Setup(1^k), with mpk published. Authority → Receiver: sk_a ← KDer(msk, a). Sender → Receiver: c ← Enc(mpk, x). Receiver: Dec(sk_a, c) = F(1^k, a, x).

MANY RECEIVERS (diagram) The sender encrypts x once under mpk, c ← Enc(mpk, x). Receiver i, holding sk_{a_i}, computes Dec(sk_{a_i}, c) = F(1^k, a_i, x) for i = 1, 2, 3: the same ciphertext decrypts to a different value under each key.

EXAMPLE: IBE The IBE functionality F_ibe regards a as an identity and parses x as a pair (a', m), returning m if a = a' and ⊥ otherwise. (Diagram: the Authority runs Setup(1^k) → (mpk, msk) and hands the Receiver sk_a ← KDer(msk, a); the Sender computes c ← Enc(mpk, (a', m)); the Receiver's Dec(sk_a, c) returns m if a = a'.)

OUTLINE OF TALK (recap). Next: two security notions, the IND notion and the SS notion.

IND DEFINITION [O'10, BSW'11] We ask that any efficient adversary A wins the following game with probability about 1/2. The challenger C runs (mpk, msk) ← Setup(1^k), picks b ← {0,1} and sends mpk to A. A makes key-derivation queries a_1, a_2, a_3, ... (repeated many times); for each, C returns sk_{a_i} ← KDer(msk, a_i). A then outputs challenge vectors x_0 = (x_{0,1}, ..., x_{0,n}) and x_1 = (x_{1,1}, ..., x_{1,n}) and receives c ← Enc(mpk, x_b). A continues with key-derivation queries a_4, a_5, a_6, ... (repeated many times), answered the same way, and finally outputs a bit b'. A wins if b = b'. Every query a_i, before or after the challenge, must satisfy F(1^k, a_i, x_0) = F(1^k, a_i, x_1).
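The IND game as an executable toy harness. This is an added example, not code from the talk or the paper: the functionality F_ibe, the admissibility check on key queries, and the challenger follow the definition above, while the scheme (which outputs x in the clear), the two adversaries and the challenge vectors are constructed here purely to exercise the game's rules. The in-the-clear scheme is correct for every F and obviously insecure, so the admissible adversary wins every run; the second adversary asks for a key under which the two challenges decrypt differently and is rejected.

```python
"""Toy harness for the IND game of functional encryption.

Added example, not code from the talk. The scheme, adversaries and
challenge vectors are constructed here to exercise the game's rules;
k stands for the security parameter 1^k and None plays the role of ⊥.
"""
import secrets
from typing import Callable, Hashable, List, Optional, Sequence, Tuple

Functionality = Callable[[int, Hashable, Hashable], Optional[Hashable]]
Vector = Tuple[Hashable, ...]        # challenge x = (x_1, ..., x_n)


def f_ibe(k: int, a: Hashable, x: Hashable) -> Optional[Hashable]:
    """IBE functionality: a is an identity, x = (a', m); return m iff a == a'."""
    a_prime, m = x
    return m if a == a_prime else None


def admissible(F: Functionality, k: int, queries: Sequence[Hashable],
               x0: Vector, x1: Vector) -> bool:
    """IND restriction: every queried index a must satisfy
    F(1^k, a, x0) == F(1^k, a, x1), component-wise on the vectors."""
    return all(F(k, a, u) == F(k, a, v) for a in queries for u, v in zip(x0, x1))


class InTheClearScheme:
    """Correct for any F, and obviously insecure: Enc outputs x itself."""
    def __init__(self, F: Functionality): self.F = F
    def setup(self, k): return ("mpk", "msk")      # no real keys needed
    def kder(self, msk, a): return a                # sk_a is just the index a
    def enc(self, mpk, x): return x
    def dec(self, k, sk_a, c): return self.F(k, sk_a, c)


def check_correctness(scheme, F, k, a, x) -> bool:
    """Dec(sk_a, Enc(mpk, x)) must equal F(1^k, a, x)."""
    mpk, msk = scheme.setup(k)
    return scheme.dec(k, scheme.kder(msk, a), scheme.enc(mpk, x)) == F(k, a, x)


class IndChallenger:
    """Challenger C of the IND game. non_adaptive=True gives the [O'10]
    variant in which key queries are refused after the challenge."""
    def __init__(self, scheme, F: Functionality, k: int, non_adaptive=False):
        self.scheme, self.F, self.k = scheme, F, k
        self.non_adaptive = non_adaptive
        self.mpk, self.msk = scheme.setup(k)
        self.b = secrets.randbelow(2)
        self.queries: List[Hashable] = []
        self.challenged = False

    def key_query(self, a):
        if self.non_adaptive and self.challenged:
            raise PermissionError("non-adaptive IND: no key queries after the challenge")
        self.queries.append(a)
        return self.scheme.kder(self.msk, a)

    def challenge(self, x0: Vector, x1: Vector):
        if len(x0) != len(x1) or self.challenged:
            raise ValueError("exactly one challenge of two equal-length vectors")
        self.challenged, self.x0, self.x1 = True, x0, x1
        return [self.scheme.enc(self.mpk, x) for x in (x1 if self.b else x0)]

    def finish(self, b_guess: int) -> bool:
        # Queries made before and after the challenge are all checked.
        if not admissible(self.F, self.k, self.queries, self.x0, self.x1):
            raise ValueError("inadmissible key query: F differs on x0 and x1")
        return b_guess == self.b


def run_game(scheme, F, k, adversary, trials=100, non_adaptive=False) -> float:
    """Fraction of games won; an IND-secure scheme keeps this near 1/2."""
    wins = 0
    for _ in range(trials):
        C = IndChallenger(scheme, F, k, non_adaptive)
        wins += C.finish(adversary(C))
    return wins / trials


def rejected(scheme, F, k, adversary) -> bool:
    """True iff the challenger rejects the adversary's run as inadmissible."""
    try:
        run_game(scheme, F, k, adversary, trials=1)
        return False
    except ValueError:
        return True


def break_in_the_clear(C: IndChallenger) -> int:
    """Admissible: never asks for sk_alice, so F_ibe agrees on x0 and x1
    under every queried key; the in-the-clear ciphertext still gives b away."""
    C.key_query("bob")                          # ⊥ on both challenges
    x0, x1 = (("alice", "m0"),), (("alice", "m1"),)
    c = C.challenge(x0, x1)
    return 1 if c[0] == x1[0] else 0


def cheating_adversary(C: IndChallenger) -> int:
    """Asks for sk_alice, which decrypts x0 and x1 to different m: rejected."""
    C.key_query("alice")
    c = C.challenge((("alice", "m0"),), (("alice", "m1"),))
    return 1 if c[0] == ("alice", "m1") else 0
```

Swapping `InTheClearScheme` for a real FE scheme and `f_ibe` for its functionality leaves the harness unchanged; the admissibility check is what makes the game meaningful, since without it the adversary could simply ask for a key that decrypts the challenge.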

SS DEFINITION [OUR REFINEMENT] For any efficient adversary A, message sampler Msg and relation R, consider the following "real world" game. C runs (mpk, msk) ← Setup(1^k) and sends mpk to A. A makes key-derivation queries a_1, a_2, a_3, ... (repeated many times); for each, C computes sk_{a_i} ← KDer(msk, a_i), records a_i in Qlist and returns sk_{a_i}. A then sends z; C samples x ← Msg(z), computes c ← Enc(mpk, x) and returns c. A continues with key-derivation queries a_4, a_5, a_6, ... (repeated many times), each again recorded in Qlist and answered with sk_{a_i}, and finally outputs w. A wins if R(w, x, Qlist, z) = 1.

SS DEFINITION: IDEAL WORLD We require an efficient simulator S that wins the following "ideal world" game with similar probability. S makes queries a_1, a_2, a_3, ... (repeated many times), which C records in Qlist (no keys are handed out). S then sends z; C samples x ← Msg(z) and, in place of a ciphertext, returns y ← F(1^k, Qlist, x), the functionality's outputs on x for every index queried so far. Each later query a_4, a_5, a_6, ... (repeated many times) is recorded in Qlist and answered with y_i ← F(1^k, a_i, x). S finally outputs w, and wins if R(w, x, Qlist, z) = 1.

OUTLINE OF TALK (recap). Next: what's known, and our guiding observation.

RELATIONS AMONG THE NOTIONS [O'10, BSW'11]: IND is not equivalent to SS; indeed, there exist clearly insecure schemes meeting IND. [BSW'11]: even for the simple case of IBE, the SS notion is impossible to achieve! The second claim seems especially strong and disappointing (compare to the usual public-key case [GM'84]); let's take a closer look...

WHAT'S GOING ON HERE? Observation: SS implicitly allows, and [BSW'11] implicitly exploits, the presence of key-revealing selective-opening attacks (SOA-K) [DNRS'99].

WHAT IS SOA-K? The adversary sees some ciphertexts encrypted under different keys and can then request to see some subset of the decryption keys. This is a non-standard security notion and is well known to be hard to achieve. Observation: if you write down a definition of SOA-K-secure IBE, what you get is exactly the definition of SS-secure IBE.

[BSW'11] IMPOSSIBILITY RESULT Main idea: the adversary hashes its ciphertexts to determine for which identities to request keys; these keys then decrypt some of the ciphertexts. Intuitively, any simulator finds out the messages it should have encrypted only when it queries identities that its ciphertexts have already determined. Observation: [BSW'11] need to model the hash as a random oracle to prove their result.

OUTLINE OF TALK (recap). Next: impossibility result: SS is not achievable in the standard model (without long keys).

OUR IMPOSSIBILITY RESULT FOR SS Theorem: SS-secure IBE is impossible even in the standard model (without long keys). The proof adapts an idea of [BDWY'11]: assume only that H is collision resistant, and rewind the simulator to the point at which it makes some query. We also generalize this to rule out SS security for any non-trivial functionality.

OUTLINE OF TALK (recap). Next: possibility results: equivalence of SS and IND under non-adaptive security for preimage-sampleable functionalities from [O'10], and a restriction on adaptive queries that maintains the equivalence.

OUR POSSIBILITY RESULTS We consider relaxations of SS and show their equivalence to IND for certain functionalities. Main idea: find ways to disallow SOA-K-type attacks in the definition of SS.

NON-ADAPTIVE SECURITY FOR FE [O'10] The adversary is only allowed key-derivation queries before seeing the challenge ciphertexts. E.g. non-adaptive IND: C runs (mpk, msk) ← Setup(1^k), picks b ← {0,1} and sends mpk to A. A makes key-derivation queries a_1, a_2, a_3, ... (repeated many times), each answered with sk_{a_i} ← KDer(msk, a_i). A then outputs x_0 = (x_{0,1}, ..., x_{0,n}) and x_1 = (x_{1,1}, ..., x_{1,n}), receives c ← Enc(mpk, x_b) and, with no further key queries, outputs b'. [O'10] shows equivalence to non-adaptive SS for preimage-sampleable functionalities.

OUR WORK: ALLOWING RESTRICTED ADAPTIVE QUERIES In the real-world SS game:
- Say that a query a is F-predictable if all but a negligible fraction of the x in the adversary's message space Msg have the same value of F(1^k, a, x).
- Say that the adversary is a-posteriori F-predictable if all its queries after seeing the challenge ciphertext are F-predictable.
Theorem: for any functionality with polynomial-size range, IND is equivalent to SS with respect to a-posteriori F-predictable adversaries.
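The two definitions above, checked exactly on small message spaces. This is an added example and not code from the talk: the message spaces are finite distributions constructed here, written out as explicit probabilities, so "all but a negligible fraction" becomes an exact comparison against a tolerance eps (the constant NEGL is an arbitrary stand-in for negligible). With the IBE functionality, a key for an identity that Msg never addresses is predictable (F is always ⊥), while a key for an identity that Msg addresses with noticeable probability is not, since F(1^k, a, x) then reveals at least whether x was addressed to a.

```python
"""F-predictable key queries, the restriction used in the equivalence theorem.

Added example, not code from the talk. Message spaces are finite
distributions written out explicitly (constructed here), so 'all but a
negligible fraction' is checked exactly against a tolerance eps;
k stands for the security parameter 1^k and None plays the role of ⊥.
"""
from collections import Counter
from fractions import Fraction
from typing import Callable, Dict, Hashable, Optional, Sequence, Tuple

Functionality = Callable[[int, Hashable, Hashable], Optional[Hashable]]
MsgSpace = Dict[Hashable, Fraction]          # x -> Pr[Msg outputs x]
NEGL = Fraction(1, 2 ** 20)                  # toy stand-in for "negligible"


def f_ibe(k: int, a: Hashable, x: Hashable) -> Optional[Hashable]:
    """IBE functionality: x = (a', m); return m iff a == a', else ⊥."""
    a_prime, m = x
    return m if a == a_prime else None


def predictable_value(F: Functionality, k: int, a: Hashable,
                      msg_space: MsgSpace, eps: Fraction = Fraction(0)
                      ) -> Tuple[bool, Optional[Hashable]]:
    """a is F-predictable w.r.t. msg_space iff a single output value of
    F(1^k, a, .) has probability >= 1 - eps. Returns (flag, that value)."""
    mass: Counter = Counter()
    for x, p in msg_space.items():
        mass[F(k, a, x)] += p                # exact Fraction arithmetic
    y, p = mass.most_common(1)[0]
    return p >= 1 - eps, y


def a_posteriori_predictable(F: Functionality, k: int,
                             post_challenge_queries: Sequence[Hashable],
                             msg_space: MsgSpace, eps: Fraction = Fraction(0)) -> bool:
    """The adversary is a-posteriori F-predictable iff every key query it
    makes after seeing the challenge ciphertext is F-predictable."""
    return all(predictable_value(F, k, a, msg_space, eps)[0]
               for a in post_challenge_queries)


def uniform_space(ids, messages) -> MsgSpace:
    """Msg picks an identity and a message independently and uniformly."""
    n = len(ids) * len(messages)
    return {(i, m): Fraction(1, n) for i in ids for m in messages}


def skewed_space(negl: Fraction = NEGL) -> MsgSpace:
    """Almost all mass on ("bob", 0); a negl slice spread over 16 alice messages."""
    space = {("bob", 0): 1 - negl}
    for m in range(16):
        space[("alice", m)] = negl / 16
    return space


if __name__ == "__main__":
    U = uniform_space(["alice", "bob"], range(256))
    print(predictable_value(f_ibe, 128, "carol", U))          # (True, None): always ⊥
    print(predictable_value(f_ibe, 128, "alice", U))          # (False, None): m varies
    S = skewed_space()
    print(predictable_value(f_ibe, 128, "alice", S))          # (False, None): eps = 0
    print(predictable_value(f_ibe, 128, "alice", S, eps=NEGL))  # (True, None)
```

The skewed space shows why the definition needs the "negligible fraction" slack: with eps = 0 the query for alice is not predictable because a 2^-20 slice of the space decrypts to a message, but at eps = NEGL it is, since that slice is what the definition lets the adversary ignore.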

MORE RESULTS AND OPEN QUESTIONS Theorem: if all queries (both non-adaptive and adaptive) made by the adversary are F-predictable, then SS is equivalent to IND for all functionalities. So, what is the right security definition for FE? Can we tweak the SS definition to get an equivalence for exactly those functionalities for which IND is "good"?

THANK YOU!