Slide 1
Semantically-secure functional encryption: Possibility results, impossibility results and the quest for a general definition
Adam O'Neill, Georgetown University
Joint with Mihir Bellare, UCSD
Slide 2
Outline of Talk
- What is functional encryption (FE)?
- Two security notions: the indistinguishability (IND) notion and the semantic security (SS) notion
- What's known and our guiding observations
- Impossibility result: SS is not achievable in the standard model (without long keys)
- Possibility results: equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O'10]; restriction on adaptive queries to maintain equivalence
- Other results and open questions
Slide 3
Outline of Talk (repeated as a section marker; the talk turns to what functional encryption is)
Slide 4
Functional Encryption (FE)
Main idea: users decrypt one ciphertext to different values, depending on their secret keys.
Concept developed in a series of works starting with [SW'05], [BW'07], [KSW'08]...
General syntax and security definitions given independently by [O'10] and [BSW'11].
Slide 5
Syntax
A functionality F takes a security parameter 1^k, an index a, and an input x, and returns an output y or ⊥.
A functional encryption scheme for F is a tuple FE = (Setup, KDer, Enc, Dec) of algorithms that work as follows...
Slide 6
Syntax (diagram)
- Authority: (mpk, msk) ← Setup(1^k); mpk is published. On request for index a, the authority computes sk_a ← KDer(msk, a) and hands sk_a to the receiver.
- Sender: c ← Enc(mpk, x), sent to the receiver.
- Receiver: Dec(sk_a, c) returns F(1^k, a, x).
Slide 7
Many receivers (diagram)
The sender computes one ciphertext c ← Enc(mpk, x). Each receiver i holds its own key sk_{a_i} from the authority and decrypts the same c to a different value:
- Receiver 1, holding sk_{a_1}: Dec returns F(1^k, a_1, x)
- Receiver 2, holding sk_{a_2}: Dec returns F(1^k, a_2, x)
- Receiver 3, holding sk_{a_3}: Dec returns F(1^k, a_3, x)
Slide 8
Example: IBE
The IBE functionality F_ibe regards a as an identity and parses x as a pair (a', m), returning m if a = a' and otherwise ⊥.
Diagram:
- Authority: (mpk, msk) ← Setup(1^k); for identity a, sk_a ← KDer(msk, a) is handed to receiver 1.
- Sender: c ← Enc(mpk, (a', m)), sent to receiver 1.
- Receiver 1: Dec with sk_a returns m if a = a'.
Slide 9
Outline of Talk (repeated as a section marker; the talk turns to the two security notions)
Slide 10
IND definition [O'10, BSW'11]
We ask that any efficient adversary A wins the following game against the challenger C with probability about 1/2:
- C runs (mpk, msk) ← Setup(1^k), picks b ← {0,1}, and sends mpk to A.
- Key queries before the challenge (repeated many times): A sends a_1; C returns sk_{a_1} ← KDer(msk, a_1); likewise sk_{a_2}, sk_{a_3}, ...
- Challenge: A sends two message vectors x_0 = (x_{0,1}, ..., x_{0,n}) and x_1 = (x_{1,1}, ..., x_{1,n}); C returns c ← Enc(mpk, x_b).
- Key queries after the challenge (repeated many times): A sends a_4; C returns sk_{a_4} ← KDer(msk, a_4); likewise sk_{a_5}, sk_{a_6}, ...
- A outputs a guess b' and wins if b = b'.
Every query a_i must satisfy F(1^k, a_i, x_0) = F(1^k, a_i, x_1).
Slide 11
SS definition [our refinement]
For any efficient adversary A, message-sampler Msg and relation R, in the following "real world" game against the challenger C:
- C runs (mpk, msk) ← Setup(1^k) and sends mpk to A.
- Key queries before the challenge (repeated many times): A sends a_1; C returns sk_{a_1} ← KDer(msk, a_1) and records Qlist.add(a_1); likewise for a_2, a_3, ...
- Challenge: C samples x ← Msg(z) and returns c ← Enc(mpk, x) to A.
- Key queries after the challenge (repeated many times): A sends a_4; C returns sk_{a_4} ← KDer(msk, a_4) and records Qlist.add(a_4); likewise for a_5, a_6, ...
- A outputs w. (z is the auxiliary input to Msg; it is also given to R.)
A wins if R(w, x, Qlist, z) = 1.
Slide 12
SS definition: ideal world
There is an efficient simulator S that wins the following "ideal world" game with similar probability:
- Key queries before the challenge (repeated many times): S sends a_1; C records Qlist.add(a_1); likewise for a_2, a_3, ...
- Challenge: C samples x ← Msg(z) and returns y ← F(1^k, Qlist, x) to S, that is, the values of F on the queried indices rather than a ciphertext.
- Key queries after the challenge (repeated many times): S sends a_4; C records Qlist.add(a_4) and returns y_4 ← F(1^k, a_4, x); likewise y_5, y_6, ...
- S outputs w.
S wins if R(w, x, Qlist, z) = 1.
Slide 13
Outline of Talk (repeated as a section marker; the talk turns to what's known and our guiding observations)
Slide 14
Relations among the notions
[O'10, BSW'11]: IND is not equivalent to SS; indeed there exist clearly insecure schemes meeting IND.
[BSW'11]: Even for the simple case of IBE, the SS notion is impossible to achieve!
The second claim seems especially strong and disappointing (compare to the usual public-key case [GM'84]); let's take a closer look...
Slide 15
What's going on here?
Observation: SS implicitly allows, and [BSW'11] implicitly exploits, the presence of key-revealing selective-opening attacks (SOA-K) [DNRS'99].
Slide 16
What is SOA-K?
The adversary sees some ciphertexts encrypted under different keys and can then request to see some subset of the decryption keys.
This is a non-standard security notion and well known to be hard to achieve.
Observation: if you write down a definition of SOA-K-secure IBE, what you get is exactly the definition of SS-secure IBE.
Slide 17
[BSW'11] impossibility result
Main idea: the adversary hashes its ciphertexts to determine for which identities to request keys; these keys then decrypt some of the ciphertexts.
Intuitively, any simulator finds out the messages it should encrypt only when it queries identities, but those identities are already determined by its ciphertexts.
Observation: [BSW'11] require modeling the hash as a random oracle to prove their result.
Slide 18
Outline of Talk (repeated as a section marker; the talk turns to the impossibility result)
Slide 19
Our impossibility result for SS
Theorem: SS-secure IBE is impossible even in the standard model (without long keys).
The proof adapts an idea of [BDWY'11] by assuming only that H is collision resistant and rewinding the simulator to the point when it makes some query.
We also generalize this to rule out SS security for any non-trivial functionality.
Slide 20
Outline of Talk (repeated as a section marker; the talk turns to the possibility results)
Slide 21
Our possibility results
We consider relaxations of SS and show their equivalence to IND for certain functionalities.
Main idea: find ways to disallow SOA-K type attacks in the definition of SS.
Slide 22
Non-adaptive security for FE [O'10]
The adversary is only allowed key derivation queries before seeing the challenge ciphertexts.
E.g. non-adaptive IND:
- C runs (mpk, msk) ← Setup(1^k), picks b ← {0,1}, and sends mpk to A.
- Key queries (repeated many times): A sends a_1; C returns sk_{a_1} ← KDer(msk, a_1); likewise sk_{a_2}, sk_{a_3}, ...
- Challenge: A sends x_0 = (x_{0,1}, ..., x_{0,n}) and x_1 = (x_{1,1}, ..., x_{1,n}); C returns c ← Enc(mpk, x_b).
- No further key queries are allowed; A outputs b'.
[O'10] shows equivalence to non-adaptive SS for preimage sampleable functionalities.
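The admissibility rule of the IND game (slide 10: every key query a_i must satisfy F(1^k, a_i, x_0) = F(1^k, a_i, x_1)) and the non-adaptive restriction of this slide are the two places where the definition stops the adversary from winning trivially. The following Python is an added example, not code from the talk or from [O'10]/[BSW'11]: it implements the IBE functionality F_ibe of slide 8 and a referee that enforces the admissibility rule component-wise on the challenge vectors, with a switch for the non-adaptive game in which no key query may follow the challenge. It models no FE scheme at all (Setup, KDer, Enc and Dec do not appear); the names f_ibe, IndReferee and BOT and the sample challenge vectors are this example's own.

```python
# Added example (not from the slides): the IBE functionality of slide 8 and a
# referee for the IND game's admissibility rule,
#     F(1^k, a_i, x0) = F(1^k, a_i, x1)   for every key query a_i,
# applied component-wise to the challenge vectors x0 = (x0,1..x0,n) and
# x1 = (x1,1..x1,n). Names (f_ibe, IndReferee, BOT) are this example's own.
from typing import Callable, List, Optional, Sequence, Tuple

BOT = None                      # plays the role of the symbol ⊥
Message = Tuple[str, str]       # an IBE plaintext x = (a', m)
Functionality = Callable[[int, str, Message], Optional[str]]


def f_ibe(k: int, a: str, x: Message) -> Optional[str]:
    """F_ibe(1^k, a, (a', m)) = m if a == a' else ⊥ (k plays no role here)."""
    a_prime, m = x
    return m if a == a_prime else BOT


def admissible(func: Functionality, k: int, a: str,
               x0: Sequence[Message], x1: Sequence[Message]) -> bool:
    """Query a is admissible iff F(1^k, a, x0[i]) == F(1^k, a, x1[i]) for all i.
    Otherwise sk_a would decrypt one component differently under x0 and x1,
    which reveals b outright, so the IND game forbids the query."""
    if len(x0) != len(x1):
        raise ValueError("challenge vectors must have the same length")
    return all(func(k, a, u) == func(k, a, v) for u, v in zip(x0, x1))


class IndReferee:
    """Records the key queries of one IND game and rejects inadmissible ones.

    With non_adaptive=True every query made after the challenge is rejected,
    which is the non-adaptive IND game of slide 22.
    """

    def __init__(self, k: int, func: Functionality = f_ibe,
                 non_adaptive: bool = False) -> None:
        self.k = k
        self.func = func
        self.non_adaptive = non_adaptive
        self.challenge: Optional[Tuple[List[Message], List[Message]]] = None
        self.queries: List[str] = []      # accepted queries, in order

    def submit_challenge(self, x0: Sequence[Message], x1: Sequence[Message]) -> bool:
        """Accepts the challenge only if every earlier key query is admissible
        for it, since the rule applies to pre-challenge queries as well."""
        if self.challenge is not None:
            return False
        if not all(admissible(self.func, self.k, a, x0, x1) for a in self.queries):
            return False
        self.challenge = (list(x0), list(x1))
        return True

    def key_query(self, a: str) -> bool:
        """Returns True iff query a is allowed at this point of the game."""
        if self.challenge is not None:
            if self.non_adaptive:
                return False
            if not admissible(self.func, self.k, a, *self.challenge):
                return False
        self.queries.append(a)
        return True


def demo() -> dict:
    """Constructed sample challenge: 'bob' gets the same message in both
    vectors, 'alice' gets different ones, 'carol' is addressed in neither."""
    x0 = [("alice", "buy"), ("bob", "hold")]
    x1 = [("alice", "sell"), ("bob", "hold")]
    ref = IndReferee(k=128)
    pre = ref.key_query("carol")          # checked again once the challenge arrives
    ok = ref.submit_challenge(x0, x1)
    return {
        "pre_challenge_carol": pre,
        "challenge_accepted": ok,
        "adaptive_bob": ref.key_query("bob"),      # same output on both vectors
        "adaptive_carol": ref.key_query("carol"),  # ⊥ on both vectors
        "adaptive_alice": ref.key_query("alice"),  # would separate x0 from x1
        "accepted_queries": list(ref.queries),
    }


def demo_non_adaptive() -> dict:
    """Same referee in the non-adaptive game: no query may follow the challenge."""
    ref = IndReferee(k=128, non_adaptive=True)
    return {
        "pre_challenge_bob": ref.key_query("bob"),
        "challenge_accepted": ref.submit_challenge([("alice", "buy")], [("alice", "sell")]),
        "post_challenge_carol": ref.key_query("carol"),   # rejected: adaptive query
    }


if __name__ == "__main__":
    print(demo())
    print(demo_non_adaptive())
```

Note that a query such as "carol", whose output is ⊥ on both vectors, is admissible: the rule only excludes keys whose functionality output differs between x_0 and x_1, which is exactly why IND says nothing about what a key reveals beyond F (the gap slide 14 points at).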
Slide 23
Our work: allowing restricted adaptive queries
In the real-world SS game:
Say that a query a is F-predictable if all but a negligible fraction of the x in the adversary's message space Msg have the same value of F(1^k, a, x).
Say that the adversary is a-posteriori F-predictable if all its queries after seeing the challenge ciphertext are F-predictable.
Theorem: For any functionality with polynomial-size range, IND is equivalent to SS with respect to a-posteriori F-predictable adversaries.
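F-predictability is a property of a query relative to the message sampler, so it can be checked mechanically once Msg is an explicit distribution. The following Python is an added example, not code from the talk or its authors: it evaluates the IBE functionality over a small constructed distribution of (identity, message) pairs, decides whether a query is F-predictable, and applies that test to the queries an adversary makes after the challenge (the a-posteriori condition of this slide; the "all queries" condition of the next slide is the same test over the whole query list). "Negligible" is an asymptotic notion, so the code takes an explicit threshold eps instead. The names f_ibe, prediction, predictable, a_posteriori_predictable and SAMPLE_MSG, and the distribution itself, are this example's own.

```python
# Added example (not from the slides): F-predictability of a key query for a
# finite message sampler, and the a-posteriori F-predictability test of
# slide 23. The sampler Msg is modelled as an explicit distribution {x: Pr[x]}.
# "Negligible" is asymptotic; here an explicit threshold eps stands in for it.
# All names and the sample distribution are this example's own.
from collections import defaultdict
from typing import Callable, Dict, Hashable, Iterable, Optional, Tuple

BOT = None                      # plays the role of ⊥
Message = Tuple[str, str]       # an IBE plaintext x = (a', m)


def f_ibe(k: int, a: str, x: Message) -> Optional[str]:
    """F_ibe(1^k, a, (a', m)) = m if a == a' else ⊥ (k plays no role here)."""
    a_prime, m = x
    return m if a == a_prime else BOT


def prediction(func: Callable, k: int, a: Hashable,
               msg_dist: Dict[Message, float], eps: float):
    """Returns (is_predictable, most likely value of F(1^k, a, x), its mass).

    Query a is F-predictable w.r.t. Msg if one value of F(1^k, a, x) carries
    all but at most eps of the probability mass of x <- Msg. Intuition: such
    an answer could be produced without knowing x, so handing out sk_a after
    the challenge gives the adversary nothing a simulator could not match.
    """
    mass = defaultdict(float)
    for x, p in msg_dist.items():
        mass[func(k, a, x)] += p
    value = max(mass, key=mass.get)
    return mass[value] >= 1.0 - eps, value, mass[value]


def predictable(func: Callable, k: int, a: Hashable,
                msg_dist: Dict[Message, float], eps: float) -> bool:
    return prediction(func, k, a, msg_dist, eps)[0]


def a_posteriori_predictable(func: Callable, k: int,
                             msg_dist: Dict[Message, float],
                             post_challenge_queries: Iterable[Hashable],
                             eps: float) -> bool:
    """The adversary is a-posteriori F-predictable iff every query it makes
    after seeing the challenge ciphertext is F-predictable."""
    return all(predictable(func, k, a, msg_dist, eps) for a in post_challenge_queries)


# Constructed sample sampler: almost all messages go to 'alice', with the
# message itself unpredictable; a 0.2% sliver goes to 'bob'.
SAMPLE_MSG: Dict[Message, float] = {
    ("alice", "buy"): 0.5,
    ("alice", "sell"): 0.498,
    ("bob", "hold"): 0.002,
}


def demo(eps: float = 0.01) -> dict:
    """Classifies three queries against SAMPLE_MSG at threshold eps."""
    return {
        # ⊥ for every x: predictable at any threshold
        "carol": prediction(f_ibe, 128, "carol", SAMPLE_MSG, eps),
        # ⊥ with mass 0.998: predictable at eps=0.01, not at eps=0.001
        "bob": prediction(f_ibe, 128, "bob", SAMPLE_MSG, eps),
        # 'buy' vs 'sell' split almost evenly: never predictable
        "alice": prediction(f_ibe, 128, "alice", SAMPLE_MSG, eps),
        "adversary_querying_bob_carol": a_posteriori_predictable(
            f_ibe, 128, SAMPLE_MSG, ["bob", "carol"], eps),
        "adversary_querying_alice": a_posteriori_predictable(
            f_ibe, 128, SAMPLE_MSG, ["bob", "alice"], eps),
    }


if __name__ == "__main__":
    print(demo())
    print(demo(eps=0.001))
```

The threshold shows what the definition's "negligible fraction" hides: whether the 'bob' query counts as predictable depends on how small a fraction one is willing to ignore, and in the asymptotic definition that fraction must vanish with k.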
Slide 24
More results and open questions
Theorem: If all queries (both non-adaptive and adaptive) made by the adversary are F-predictable, then SS is equivalent to IND for all functionalities.
So, what is the right security definition for FE? Can we tweak the SS definition to get an equivalence for exactly those functionalities for which IND is "good"?
Slide 25
Thank you!
Email: adam@cs.georgetown.edu