Presentation is loading. Please wait.

Presentation is loading. Please wait.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

Published byMagdalen Boyd Modified over 9 years ago

Similar presentations

Presentation on theme: "S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown."— Presentation transcript:

1 S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown University Joint with Mihir Bellare, UCSD

2 O UTLINE OF T ALK What is functional encryption (FE)? Two security notions: Indistinguishability (IND) notion Semantic security (SS) notion What’s Known and our Guiding Observations Impossibility Result: SS is not achievable in the standard model (without long keys) Possibility Results: Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10] Restriction on adaptive queries to maintain equivalence Other results and open questions

3 O UTLINE OF T ALK What is functional encryption (FE)? Two security notions: Indistinguishability (IND) notion Semantic security (SS) notion What’s Known and our Guiding Observations Impossibility Result: SS is not achievable in the standard model (without long keys) Possibility Results: Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10] Restriction on adaptive queries to maintain equivalence Other results and open questions

4 F UNCTIONAL E NCRYPTION (FE) Main Idea: Users decrypt one ciphertext to different values, depending on their secret keys. Concept developed in a series of works starting with [SW’05], [BW’07], [KSW’08]… General syntax and security definitions given independently by [O’10] and [BSW’11].

5 S YNTAX A functionality F takes security parameter 1 k, index a, and input x to return output y or. A functional encryption scheme for F is a tuple FE = ( Setup, KDer, Enc, Dec ) of algorithms that work as follows…

6 Authority SenderReceiver sk a S YNTAX Setup ( mpk, msk ) 1k1k Enc x c Dec F (1 k, a, x ) KDer sk a msk mpk a

7 M ANY RECEIVERS sk a 1 SenderReceiver 1 Enc x c Dec F (1 k, a 1, x ) Receiver 2 Dec F (1 k, a 2, x ) Receiver 3 Dec F (1 k, a 3, x ) sk a 2 sk a 3 mpk

8 The IBE functionality F ibe regards a as an identity and parses x as a pair ( a ’, m ), returning m if a = a ’ and otherwise. E XAMPLE : IBE Authority Setup ( mpk, msk ) KDer sk a (a’,m)(a’,m) 1k1k msk m if a = a ’ a sk a SenderReceiver 1 Enc c Dec mpk

9 O UTLINE OF T ALK What is functional encryption (FE)? Two security notions: Indistinguishability (IND) notion Semantic security (SS) notion What’s Known and our Guiding Observations Impossibility Result: SS is not achievable in the standard model (without long keys) Possibility Results: Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10] Restriction on adaptive queries to maintain equivalence Other results and open questions

10 IND DEFINITION [O’10,BSW’11] ( mpk, msk )  Setup (1 k ) b  {0,1} sk a 1  Kder ( msk,a 1 ) a1a1 sk a 1 c  Enc ( mpk, x b ) c x 1 = ( x 1,1,…,x 1,n ) x 0 = ( x 0,1,…,x 0,n ) A wins if b = b ’ mp k We ask that any efficient adversary A wins the following game with probability about ½ A C Repeats many times sk a 2 sk a 3 a4a4 sk a 4  Kder ( msk,a 4 ) sk a 4 Repeats many times sk a 5 sk a 6 Every query a i must satisfy F (1 k,a i, x 0 ) = F (1 k,a i, x 1 ) b’ b’

11 SS DEFINITION [O UR REFINEMENT ] For any efficient adversary A, message-sampler Msg and relation R in the following “real world” game… ( mpk, msk )  Setup (1 k ) sk a 1  Kder ( msk,a 1 ) Qlist.add ( a 1 ) a1a1 sk a 1 x  Msg ( z ) c  Enc ( mpk, x ) c mp k A C Repeats many times sk a 2 sk a 3 a4a4 sk a 4  Kder ( msk,a 4 ) Qlist.add ( a 4 ) sk a 4 Repeats many times sk a 5 sk a 6 w z A wins if R ( w, x, Qlist, z ) = 1

12 SS DEFINITION : IDEAL WORLD S wins if R ( w, x, Qlist, z ) = 1 There is an efficient simulator S that wins the following “ideal world” game with similar probability Qlist.add ( a 1 ) a1a1 x  Msg ( z ) y  F (1 k,Qlist, x ) y S C Repeats many times a4a4 y 4  F (1 k,a 4, x ) Qlist.add ( a 4 ) y4y4 Repeats many times y5y5 y6y6 w z

13 O UTLINE OF T ALK What is functional encryption (FE)? Two security notions: Indistinguishability (IND) notion Semantic security (SS) notion What’s Known and our Guiding Observations Impossibility Result: SS is not achievable in the standard model (without long keys) Possibility Results: Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10] Restriction on adaptive queries to maintain equivalence Other results and open questions

14 R ELATIONS AMONG THE NOTIONS [O’10,BSW’11]: IND is not equivalent to SS, indeed there exist clearly insecure schemes meeting IND. [BSW’11]: Even for the simple case of IBE the SS notion is impossible to achieve! The second claim seems especially strong and disappointing (compare to usual public-key case [GM’84]); let’s take a closer look…

15 W HAT ’ S GOING ON HERE ?.Observation: SS implicitly allows, and [BSW’11] implicitly exploits, presence of key-revealing selective-opening attacks (SOA-K) [DNRS’99].

16 W HAT IS SOA - K ? Adversary sees some ciphertexts encrypted under different keys and can then request to see some subset of the decryption keys. This is a non-standard security notion and well- known to be hard to achieve. Observation: If you write down a definition of SOA- K secure IBE what you get is exactly the definition of SS-secure IBE.

17 [BSW’11] I MPOSSIBILITY RESULT Main idea: Adversary hashes its ciphertexts to determine for which identities to request keys; these keys then decrypt some of the ciphertexts. Intuitively, any simulator finds out the messages it should encrypt only it when queries identities that already determine its ciphertexts. Observation: [BSW’11] require modeling the hash as a random oracle to prove their result.

18 O UTLINE OF T ALK What is functional encryption (FE)? Two security notions: Indistinguishability (IND) notion Semantic security (SS) notion What’s Known and our Guiding Observation Impossibility Result: SS is not achievable in the standard model (without long keys) Possibility Results: Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10] Restriction on adaptive queries to maintain equivalence Other results and open questions

19 O UR IMPOSSIBILITY RESULT FOR SS Theorem: SS-secure IBE is impossible even in the standard model (without long keys). Proof adapts idea of [BDWY’11] by assuming H only is collision resistant and rewinding the simulator to when it makes some query. We also generalize this to rule out SS security for any non-trivial functionality.

20 O UTLINE OF T ALK What is functional encryption (FE)? Two security notions: Indistinguishability (IND) notion Semantic security (SS) notion What’s Known and our Guiding Observation Impossibility Result: SS is not achievable in the standard model (without long keys) Possibility Results: Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]. Restriction on adaptive queries to maintain equivalence Other results and open questions

21 O UR POSSIBILITY RESULTS We consider relaxations of SS and show their equivalence to IND for certain functionalities. Main idea: Find ways to disallow SOA-K type attacks in the definition of SS.

22 N ON - ADAPTIVE SECURITY FOR FE [O’10] Adversary only allowed key derivation queries before seeing challenge ciphertexts. E.g. non- adaptive IND: ( mpk, msk )  Setup (1 k ) b  {0,1} sk a 1  Kder ( msk,a 1 ) a1a1 sk a 1 c  Enc ( mpk, x b ) c x 1 = ( x 1,1,…,x 1,n ) x 0 = ( x 0,1,…,x 0,n ) mp k A C Repeats many times sk a 2 sk a 3 b’ b’ [O’10] shows equivalence to non-adaptive SS for preimage sampleable functionalities.

23 O UR WORK : A LLOWING RESTRICTED ADAPTIVE QUERIES In real-world SS game: o Say that query a is F -predictable if (all but a negligible fraction) of x in adversary’s message space Msg have same value of F (1 k,a,x ). o Say that adversary is a-posteriori F -predictable if all its queries after seeing challenge ciphertext are F - predictable. Theorem: For any functionality with polynomial- size range, IND is equivalent to SS wrt a- posteriori F -predictable adversaries.

24 M ORE RESULTS AND OPEN QUESTIONS Theorem: If all queries all (both non-adaptive and adaptive) made by adversary are F -predictable then SS is equivalent to IND for all functionalities. So, what is the right security definition for FE? Can we tweak the SS definition to get an equivalence for exactly those functionalities for which IND is “good”?

25 T HANK YOU ! Email: adam@cs.georgetown.edu

Download ppt "S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown."

Similar presentations

Functional Encryption & Property Preserving Encryption

Functional Encryption & Property Preserving Encryption
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.

New Results on PA/CCA Encryption Carmine Ventre and Ivan Visconti Università di Salerno.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Dual System Encryption: Concept, History and Recent works Jongkil Kim.

Dual System Encryption: Concept, History and Recent works Jongkil Kim.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),

On the Practical Security of Inner Product Functional Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT Delhi), Saikrishna Badrinarayanan (UCLA),
1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.

1 IDENTITY BASED ENCRYPTION SECURITY NOTIONS AND NEW IBE SCHEMES FOR SAKAI KASAHARA KEY CONSTRUCTION N. DENIZ SARIER.
1 Adaptive Witness Encryption and Asymmetric Password-based Cryptography PKC 2015 March 31, 2015 Mihir Bellare UC San Diego Viet Tung Hoang University.

1 Adaptive Witness Encryption and Asymmetric Password-based Cryptography PKC 2015 March 31, 2015 Mihir Bellare UC San Diego Viet Tung Hoang University.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
Identity Based Encryption

Identity Based Encryption
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :

Similar presentations

Ads by Google