Functional Encryption: Beyond Public Key Cryptography, Brent Waters, SRI International
Nov 13, 2014

Page 1: Functional Encryption: Beyond Public Key Cryptography

Functional Encryption: Beyond Public Key Cryptography

Brent Waters, SRI International

Page 2: Functional Encryption: Beyond Public Key Cryptography

Protect Private Data

•Payment Card Industry (PCI)

•Health Care

•Web Services

Page 3: Functional Encryption: Beyond Public Key Cryptography

Access Control

Page 4: Functional Encryption: Beyond Public Key Cryptography

Security Breaches

Physical Media Loss:

•25 million U.K. citizens (Nov. 2007)

Intrusion:

•45 Million Cards Stolen (Dec. 2006)

Page 5: Functional Encryption: Beyond Public Key Cryptography

Access Control by Encryption

Idea: Need secret key to access data

e.g. PCI Standards

SK

Page 6: Functional Encryption: Beyond Public Key Cryptography

Realistic Data Sharing

Problem: Disconnect between policy and mechanism

Policy tree: Professor OR (CS255-TA AND PhD)

Kelly: “Professor”, “Admissions”

Sarah: “CS255-TA”, “PhD”

•Burden on provider

Page 7: Functional Encryption: Beyond Public Key Cryptography

A Fundamental Gap

Policy tree: Professor OR (CS255-TA AND PhD)

Complex Infrastructure

•Key Lookup

•Group Key Management

•Online-Service

•Complex

•Several Keys

Page 8: Functional Encryption: Beyond Public Key Cryptography

A New Vision

Policy tree: Professor OR (CS255-TA AND PhD)

Functional Encryption

Complex Infrastructure

Policy tree: Professor OR (CS255-TA AND PhD)

Page 9: Functional Encryption: Beyond Public Key Cryptography

Functional Encryption: A New Perspective

Public Parameters

Access Predicate: f( )

f( )

SK: Cred. = X

If f(X) = 1

Page 10: Functional Encryption: Beyond Public Key Cryptography

Why Functional Encryption?

Late Binding Access Control:

e.g. Network Logs

Page 11: Functional Encryption: Beyond Public Key Cryptography

Why Functional Encryption?

Late Binding Access Control:

e.g. Network Logs

2ef92a295cbb

98bc39dea94c

...

SRC IP=123.12.6.8

Date=12/5/07

•Encrypt packet payload, tag with metadata

SK: Src:123.3.4.77 AND Date: 12/5/07

•Distribute capabilities later

Page 12: Functional Encryption: Beyond Public Key Cryptography

Why Functional Encryption?

Scalability and Robustness:

Personal Storage Devices

Availability vs. Security

Page 13: Functional Encryption: Beyond Public Key Cryptography

Why Functional Encryption?

Efficiency:

Policy tree: Dean Eng. OR (Professor AND C.S.)

vs.

Scales with policy complexity

Page 14: Functional Encryption: Beyond Public Key Cryptography

Why Functional Encryption?

Receiver Privacy:

Policy tree: ACLU AND Salary > 1M

Page 15: Functional Encryption: Beyond Public Key Cryptography

A New Vision for Encryption Systems

•Secure Internet Connections (Public Key Exchange)

•Online Software Updates (Digital Signatures)

•Retrospect: Public vs. Secret Key Cryptography

•The next step forward

Page 16: Functional Encryption: Beyond Public Key Cryptography

Functional Encryption for Formulas [SW05]

PK

MSK

“CS255-TA”, “PhD”

“CS255-TA”, “Undergrad”

Policy tree: Professor OR (CS255-TA AND PhD)

Policy tree: Professor OR (CS255-TA AND PhD)

SK, SK

Key Authority

Line of Research: [SW05, GPSW06, PTMW06, BSW07, BW07, OSW07, KSW08]

Page 17: Functional Encryption: Beyond Public Key Cryptography

A First Approach

Question: Can we build functional encryption from standard techniques?

Attempt: Public Key Encryption + Secret Sharing

Page 18: Functional Encryption: Beyond Public Key Cryptography

Secret Sharing [S78,B78,BL86]

Policy tree: A OR (B AND C)

•Ideas extend to more complex sharing

Secret $s$; shares: $\lambda_A = s$, $\lambda_B = r$, $\lambda_C = s - r$

•Use finite field e.g. $\mathbb{Z}_p$

Page 19: Functional Encryption: Beyond Public Key Cryptography

A First Approach

Combine S.S. and PKE

$SK_{Sarah}$: “A”

$SK_{Kevin}$: “B”

Policy tree: A AND B

$PK_A$, $SK_A$, $PK_B$, $SK_B$

$E_A(R)$, $E_B(M-R)$

$R$?

$M-R$

$M$

Collusion Attack!

Page 20: Functional Encryption: Beyond Public Key Cryptography

Collusion Attacks: The Key Threat

Kevin: “CS255-TA”, “Undergrad”

Policy tree: Professor OR (CS255-TA AND PhD)

James: “PhD”, “Graphics”

Need: Key “Personalization”

Tension: Functionality vs. Personalization
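
Added example (not from the original slides): the secret sharing of Page 18 over an AND/OR policy tree in Z_p, and the collusion of Pages 19 and 20, where Kevin and James pool shares that the first approach does not bind to a user. The public-key layer is abstracted to "holding an attribute's key reveals that attribute's share"; the modulus P, the function names, and the assumption that each attribute appears once in the tree are choices made for this sketch.

```python
import secrets

P = 2**127 - 1  # prime modulus for Z_p (chosen for this sketch)

# Policy tree from the slides: Professor OR (CS255-TA AND PhD)
POLICY = ("OR", "Professor", ("AND", "CS255-TA", "PhD"))

def share(node, s, out=None):
    """Split secret s over an AND/OR tree; returns {leaf attribute: share}."""
    out = {} if out is None else out
    if isinstance(node, str):            # leaf: the attribute's share
        out[node] = s
        return out
    gate, *children = node
    if gate == "OR":                     # OR: every child receives s itself
        for child in children:
            share(child, s, out)
    else:                                # AND: r, ..., then s - (sum of r) mod p
        rs = [secrets.randbelow(P) for _ in children[:-1]]
        for child, r in zip(children, rs):
            share(child, r, out)
        share(children[-1], (s - sum(rs)) % P, out)
    return out

def reconstruct(node, held):
    """Recover s from held {attribute: share}; None if the policy is not met."""
    if isinstance(node, str):
        return held.get(node)
    gate, *children = node
    vals = [reconstruct(child, held) for child in children]
    if gate == "OR":
        return next((v for v in vals if v is not None), None)
    return None if None in vals else sum(vals) % P

def naive_key(shares, attrs):
    """PKE layer abstracted: an attribute's key decrypts that attribute's share."""
    return {a: shares[a] for a in attrs if a in shares}

def demo():
    s = secrets.randbelow(P)
    shares = share(POLICY, s)
    kevin = naive_key(shares, {"CS255-TA", "Undergrad"})
    james = naive_key(shares, {"PhD", "Graphics"})
    sarah = naive_key(shares, {"CS255-TA", "PhD"})
    pooled = {**kevin, **james}          # collusion: shares are not tied to a user
    return {"secret": s, "kevin": reconstruct(POLICY, kevin),
            "james": reconstruct(POLICY, james), "sarah": reconstruct(POLICY, sarah),
            "kevin+james": reconstruct(POLICY, pooled)}
```

Neither Kevin nor James satisfies the policy alone, yet their pooled shares reconstruct the secret exactly as Sarah's legitimate key does; this is the gap that key personalization has to close.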

Page 21: Functional Encryption: Beyond Public Key Cryptography

Elliptic Curve Techniques

$G$: multiplicative group of prime order $p$. (Analogy: $\mathbb{Z}_q^*$)

High Level: Single Multiplication

Key for satisfying functionality + personalization

Bilinear map $e: G \times G \to G_T$

$e(g^a, g^b) = e(g,g)^{ab}$ for all $a, b \in \mathbb{Z}_p$, $g \in G$

Intuitive Hardness Discrete Log:

Given: $g, g^a$. Hard to get: $a$

Page 22: Functional Encryption: Beyond Public Key Cryptography

System Setup

Page 23: Functional Encryption: Beyond Public Key Cryptography

Key Generation

SK

‘t’ ties components together

Personalization!

Page 24: Functional Encryption: Beyond Public Key Cryptography

Key Personalization (Intuition)

SK

SK

Kevin:“CS255-TA”…

James:“PhD”…

Random t

Random t’

Components are incompatible

(Formal security proofs in papers)

Page 25: Functional Encryption: Beyond Public Key Cryptography

Encryption

M

Policy tree: $y_1$ OR ($y_2$ AND $y_3$)

n leaf nodes $y_1, \ldots, y_n$

f( ) =

Shares: $\lambda_1 = s$, $\lambda_2 = r$, $\lambda_3 = s - r$

s

CT:

Page 26: Functional Encryption: Beyond Public Key Cryptography

Making it work

CT:

Goal: Compute and cancel to get M

“CS255-TA”, “PhD”

Message Randomization

Page 27: Functional Encryption: Beyond Public Key Cryptography

Making it work

CT:

“CS255-TA”, “PhD”

SK:

Message Randomization

Personalized Randomization

New goal: Personalized to user

Use Bilinear Map for Decryption

Page 28: Functional Encryption: Beyond Public Key Cryptography

Making it work

Policy tree: Professor OR (CS255-TA AND PhD)

“CS255-TA”, “PhD”

•Shares are personalized (Use Bilinear-Map)

•Linearly Combine

Personalized Randomization

Page 29: Functional Encryption: Beyond Public Key Cryptography

Security

Theorem: System is (semantically) secure under chosen key attack

Number Theoretic Assumption:

Bilinear Diffie-Hellman Exponent [BBG05]

Page 30: Functional Encryption: Beyond Public Key Cryptography

Impact

Line of Research: [SW05, GPSW06, PTMW06, BSW07, BW07, OSW07, KSW08]

IBE: [S84, BF01, C01]

Other Functional Encryption Work: [ACDMS06, C07, CCKN07, CN07, SBCDP07, TBEM08]

Page 31: Functional Encryption: Beyond Public Key Cryptography

Impact

•Advanced Crypto Software Collection

    $ cpabe-setup
    $ cpabe-keygen -o sarah_priv_key pub_key master_key \
        sysadmin it_dept 'office = 1431' 'hire_date = 2002'

•Attribute-Based Messaging (UIUC)

•Group Key Management [CCKN07]

•Large Scale Content Distribution [TBEM08]

•Future NIST Standardization

Page 32: Functional Encryption: Beyond Public Key Cryptography

Beyond Access Control

Access Control: All or nothing access

Policy tree: Professor OR (CS255-TA AND PhD)

Bigger Idea: Functions over encrypted data

•Only learn function’s output

Compute Average

15th highest score

Challenge: Oblivious Evaluation

Only single keyword predicates [SWP00, BDOP04, BW06]

Page 33: Functional Encryption: Beyond Public Key Cryptography

Beyond Access Control

Complex Predicates over data [KSW08]:

SK

Idea: Inner Product Functionality (Multiplication of Bilinear Map)

CT:

Functionality: Polynomial Equations

From = [email protected] OR From = [email protected]

Can’t tell why matched!

Page 34: Functional Encryption: Beyond Public Key Cryptography

Medical Studies

Collect DNA + medical information

AGTACCA...

Future: Database of sequenced genome

Gene:TCF2 = AT AND Prostate Cancer

Limit Privacy Loss

Page 35: Functional Encryption: Beyond Public Key Cryptography

Functional Encryption Summary

Complex Infrastructure

Policy tree: Professor OR (CS255TA AND PhD)

•Tension: Functionality vs. Personalization [SW05, GPSW06, PTMW06, BSW07, OSW07]

•Going Beyond Access Control [BW06,BW07,KSW08]

•Fundamental Change: Public Key Cryptography

Page 36: Functional Encryption: Beyond Public Key Cryptography

Thank you