Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD
Transcript of Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD
![Page 1: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/1.jpg)
SEMANTICALLY-SECURE FUNCTIONAL ENCRYPTION: POSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION
Adam O’Neill, Georgetown University. Joint with Mihir Bellare, UCSD
![Page 2: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/2.jpg)
OUTLINE OF TALK
- What is functional encryption (FE)?
- Two security notions:
  - Indistinguishability (IND) notion
  - Semantic security (SS) notion
- What’s Known and our Guiding Observations
- Impossibility Result: SS is not achievable in the standard model (without long keys)
- Possibility Results:
  - Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]
  - Restriction on adaptive queries to maintain equivalence
- Other results and open questions
![Page 3: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/3.jpg)
OUTLINE OF TALK
![Page 4: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/4.jpg)
FUNCTIONAL ENCRYPTION (FE)
Main Idea: Users decrypt one ciphertext to different values, depending on their secret keys.
Concept developed in a series of works starting with [SW’05], [BW’07], [KSW’08]…
General syntax and security definitions given independently by [O’10] and [BSW’11].
![Page 5: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/5.jpg)
SYNTAX
A functionality F takes security parameter 1^k, index a, and input x to return output y or ⊥.
A functional encryption scheme for F is a tuple FE = (Setup, KDer, Enc, Dec) of algorithms that work as follows…
![Page 6: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/6.jpg)
SYNTAX (diagram): the Authority runs Setup(1^k) to obtain (mpk, msk) and runs KDer(msk, a) to hand the Receiver its key sk_a; the Sender computes c ← Enc(mpk, x) under mpk; the Receiver computes Dec(sk_a, c) and obtains F(1^k, a, x).
![Page 7: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/7.jpg)
MANY RECEIVERS
(Diagram: the Sender encrypts x once under mpk as c ← Enc(mpk, x). Receiver 1 holds sk_{a1} and decrypts c to F(1^k, a1, x); Receiver 2 holds sk_{a2} and obtains F(1^k, a2, x); Receiver 3 holds sk_{a3} and obtains F(1^k, a3, x).)
![Page 8: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/8.jpg)
EXAMPLE: IBE
The IBE functionality F_ibe regards a as an identity and parses x as a pair (a’, m), returning m if a = a’ and otherwise ⊥.
(Diagram: the Authority runs Setup(1^k) → (mpk, msk) and KDer(msk, a) → sk_a for Receiver 1, whose identity is a; the Sender encrypts x = (a’, m) under mpk to get c; Receiver 1 runs Dec with sk_a on c and obtains m if a = a’.)
![Page 9: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/9.jpg)
OUTLINE OF TALK
![Page 10: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/10.jpg)
IND DEFINITION [O’10,BSW’11]
We ask that any efficient adversary A wins the following game, played against a challenger C, with probability about ½:
- C runs (mpk, msk) ← Setup(1^k), picks b ← {0,1}, and sends mpk to A.
- A makes key-derivation queries a1, a2, a3, … (repeated many times); for each ai, C returns sk_{ai} ← KDer(msk, ai).
- A outputs two message vectors x0 = (x_{0,1}, …, x_{0,n}) and x1 = (x_{1,1}, …, x_{1,n}); C returns c ← Enc(mpk, xb).
- A makes further key-derivation queries a4, a5, a6, … (repeated many times), again answered with sk_{ai} ← KDer(msk, ai).
- A outputs a bit b’ and wins if b = b’.
Every query ai must satisfy F(1^k, ai, x0) = F(1^k, ai, x1).
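The IND game above, together with the FE syntax and the IBE functionality from the earlier slides, as an added Python model that is not part of the talk: the scheme (Setup, KDer, Enc, Dec) is a deliberately insecure placeholder (Enc leaks x) assumed only so that the harness has something to call, and INDGame, IllegalQuery, F_ibe and the two adversary functions are names chosen for this example. The harness enforces the rule that every key query ai must satisfy F(1^k, ai, x0) = F(1^k, ai, x1), whether the query is made before or after the challenge.

```python
"""Toy model of the IND game for functional encryption (added example).
The placeholder scheme below is correct for the IBE functionality but
offers no security at all; it exists only so the game harness can run."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

BOTTOM = None  # stands for the symbol ⊥ ("no output")


def F_ibe(k: int, a: str, x: Tuple[str, str]):
    """The IBE functionality: a is an identity, x = (a', m); output m iff a == a'."""
    a_prime, m = x
    return m if a == a_prime else BOTTOM


# Placeholder FE = (Setup, KDer, Enc, Dec), assumed for the example only.
def Setup(k: int):
    return ("mpk", "msk")            # no real keys; constructed placeholders


def KDer(msk, a: str):
    return a                         # sk_a is just the identity itself


def Enc(mpk, x):
    return x                         # leaks the plaintext: intentionally insecure


def Dec(k: int, sk_a: str, c):
    return F_ibe(k, sk_a, c)         # correctness: Dec(sk_a, Enc(mpk, x)) = F(1^k, a, x)


class IllegalQuery(Exception):
    """Raised when A asks for a key on which F separates x0 from x1."""


@dataclass
class INDGame:
    """Challenger C for the IND game with functionality F."""
    k: int
    F: Callable
    queries: list = field(default_factory=list)
    challenge: Optional[Tuple[tuple, tuple]] = None   # (x0, x1) once chosen

    def __post_init__(self):
        self.mpk, self.msk = Setup(self.k)
        self.b = secrets.randbelow(2)

    def _check(self, a):
        x0, x1 = self.challenge
        for u, v in zip(x0, x1):
            if self.F(self.k, a, u) != self.F(self.k, a, v):
                raise IllegalQuery(f"F(1^k, {a!r}, x0) != F(1^k, {a!r}, x1)")

    def kder(self, a):
        if self.challenge is not None:   # adaptive query: check immediately
            self._check(a)
        self.queries.append(a)
        return KDer(self.msk, a)

    def encrypt_challenge(self, x0, x1):
        assert len(x0) == len(x1)
        self.challenge = (x0, x1)
        for a in self.queries:           # non-adaptive queries are checked now
            self._check(a)
        xb = x1 if self.b else x0
        return tuple(Enc(self.mpk, x) for x in xb)

    def finish(self, b_prime) -> bool:
        return b_prime == self.b


def run_leaky_adversary(k: int = 128) -> bool:
    """A reads x off the leaked ciphertext and always wins; returns True iff b' == b."""
    game = INDGame(k, F_ibe)
    game.kder("bob")                              # legal: F_ibe is ⊥ under both x0 and x1
    c = game.encrypt_challenge((("alice", "m0"),), (("alice", "m1"),))
    b_prime = 1 if c[0][1] == "m1" else 0         # only possible because Enc leaks x
    return game.finish(b_prime)


def alice_query_is_rejected(k: int = 128) -> bool:
    """Asking for sk_alice after the challenge would trivially distinguish; C refuses."""
    game = INDGame(k, F_ibe)
    game.encrypt_challenge((("alice", "m0"),), (("alice", "m1"),))
    try:
        game.kder("alice")
    except IllegalQuery:
        return True
    return False


if __name__ == "__main__":
    print("leaky scheme: adversary wins ->", run_leaky_adversary())
    print("query on 'alice' rejected   ->", alice_query_is_rejected())
```

Swapping in a real scheme means replacing the four placeholder functions; the harness and its legality check stay the same. The leaky placeholder makes the adversary win with probability 1 rather than about ½, which is exactly what the IND definition is meant to flag.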
![Page 11: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/11.jpg)
SS DEFINITION [OUR REFINEMENT]
For any efficient adversary A, message-sampler Msg and relation R in the following “real world” game…
- C runs (mpk, msk) ← Setup(1^k) and sends mpk to A.
- A makes key-derivation queries a1, a2, a3, … (repeated many times); for each ai, C returns sk_{ai} ← KDer(msk, ai) and records Qlist.add(ai).
- A outputs z; C samples x ← Msg(z), computes c ← Enc(mpk, x) and returns c.
- A makes further queries a4, a5, a6, … (repeated many times), answered the same way, with Qlist.add(ai) for each.
- A outputs w and wins if R(w, x, Qlist, z) = 1.
![Page 12: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/12.jpg)
SS DEFINITION: IDEAL WORLD
…there is an efficient simulator S that wins the following “ideal world” game with similar probability:
- S makes queries a1, a2, a3, … (repeated many times); for each, C records Qlist.add(ai).
- S outputs z; C samples x ← Msg(z), computes y ← F(1^k, Qlist, x) and returns y to S.
- S makes further queries a4, a5, a6, … (repeated many times); for each ai, C records Qlist.add(ai) and returns yi ← F(1^k, ai, x).
- S outputs w and wins if R(w, x, Qlist, z) = 1.
![Page 13: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/13.jpg)
OUTLINE OF TALK
![Page 14: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/14.jpg)
RELATIONS AMONG THE NOTIONS
[O’10,BSW’11]: IND is not equivalent to SS, indeed there exist clearly insecure schemes meeting IND.
[BSW’11]: Even for the simple case of IBE the SS notion is impossible to achieve!
The second claim seems especially strong and disappointing (compare to usual public-key case [GM’84]); let’s take a closer look…
![Page 15: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/15.jpg)
WHAT’S GOING ON HERE?
Observation: SS implicitly allows, and [BSW’11] implicitly exploits, presence of key-revealing selective-opening attacks (SOA-K) [DNRS’99].
![Page 16: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/16.jpg)
WHAT IS SOA-K?
Adversary sees some ciphertexts encrypted under different keys and can then request to see some subset of the decryption keys.
This is a non-standard security notion and well-known to be hard to achieve.
Observation: If you write down a definition of SOA-K secure IBE what you get is exactly the definition of SS-secure IBE.
![Page 17: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/17.jpg)
[BSW’11] IMPOSSIBILITY RESULT
Main idea: Adversary hashes its ciphertexts to determine for which identities to request keys; these keys then decrypt some of the ciphertexts.
Intuitively, any simulator finds out the messages it should encrypt only when it queries identities that already determine its ciphertexts.
Observation: [BSW’11] require modeling the hash as a random oracle to prove their result.
![Page 18: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/18.jpg)
OUTLINE OF TALK
![Page 19: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/19.jpg)
OUR IMPOSSIBILITY RESULT FOR SS
Theorem: SS-secure IBE is impossible even in the standard model (without long keys).
Proof adapts the idea of [BDWY’11] by assuming only that H is collision resistant and rewinding the simulator to the point where it makes some query.
We also generalize this to rule out SS security for any non-trivial functionality.
![Page 20: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/20.jpg)
OUTLINE OF TALK
![Page 21: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/21.jpg)
OUR POSSIBILITY RESULTS
We consider relaxations of SS and show their equivalence to IND for certain functionalities.
Main idea: Find ways to disallow SOA-K type attacks in the definition of SS.
![Page 22: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/22.jpg)
NON-ADAPTIVE SECURITY FOR FE [O’10]
Adversary only allowed key derivation queries before seeing challenge ciphertexts. E.g. non-adaptive IND:
- C runs (mpk, msk) ← Setup(1^k), picks b ← {0,1}, and sends mpk to A.
- A makes key-derivation queries a1, a2, a3, … (repeated many times); for each ai, C returns sk_{ai} ← KDer(msk, ai).
- A outputs x0 = (x_{0,1}, …, x_{0,n}) and x1 = (x_{1,1}, …, x_{1,n}); C returns c ← Enc(mpk, xb).
- A outputs b’ (no key-derivation queries after the challenge).
[O’10] shows equivalence to non-adaptive SS for preimage sampleable functionalities.
![Page 23: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/23.jpg)
OUR WORK: ALLOWING RESTRICTED ADAPTIVE QUERIES
In the real-world SS game:
- Say that query a is F-predictable if all but a negligible fraction of x in the adversary’s message space Msg have the same value of F(1^k, a, x).
- Say that the adversary is a-posteriori F-predictable if all its queries after seeing the challenge ciphertext are F-predictable.
Theorem: For any functionality with polynomial-size range, IND is equivalent to SS with respect to a-posteriori F-predictable adversaries.
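F-predictability as defined above, made concrete for the IBE functionality in an added Python example that is not part of the talk: a finite sampler can only estimate "all but a negligible fraction", so the sample size, the acceptance threshold and the message sampler msg_sampler (identity alice 90% of the time, bob otherwise, with one of two equally likely messages) are all assumptions of this example, as are the names predictability, estimate, is_F_predictable and classify_queries.

```python
"""Empirical F-predictability check for the IBE functionality (added example).
A query a is F-predictable when F(1^k, a, x) is essentially constant over x
drawn from the adversary's message space Msg; here that is estimated by
sampling, with a constructed Msg and an assumed threshold."""
import random
from collections import Counter
from typing import Callable, Dict, Iterable, Tuple

BOTTOM = None  # stands for ⊥


def F_ibe(k: int, a: str, x: Tuple[str, str]):
    """IBE functionality: x = (a', m); output m iff the key's identity a equals a'."""
    a_prime, m = x
    return m if a == a_prime else BOTTOM


def msg_sampler(rng: random.Random) -> Tuple[str, str]:
    """Constructed Msg: recipient 'alice' with probability 0.9, else 'bob';
    the message is one of two equally likely values."""
    a_prime = "alice" if rng.random() < 0.9 else "bob"
    return (a_prime, rng.choice(["m0", "m1"]))


def predictability(F: Callable, k: int, a: str, sampler: Callable,
                   rng: random.Random, n: int = 2000) -> float:
    """Fraction of sampled x on which F(1^k, a, x) takes its most frequent value.
    A value of 1.0 means sk_a reveals nothing about which x was sampled."""
    counts = Counter(F(k, a, sampler(rng)) for _ in range(n))
    return counts.most_common(1)[0][1] / n


def estimate(a: str, seed: int = 0) -> float:
    """Predictability of query a for F_ibe under msg_sampler (seeded for repeatability)."""
    return predictability(F_ibe, 128, a, msg_sampler, random.Random(seed))


def is_F_predictable(a: str, seed: int = 0, threshold: float = 0.99) -> bool:
    """Heuristic stand-in for 'all but a negligible fraction' (threshold is assumed)."""
    return estimate(a, seed) >= threshold


def classify_queries(queries: Iterable[str], seed: int = 0) -> Dict[str, bool]:
    """Which of the adversary's adaptive queries would be allowed as F-predictable."""
    return {a: is_F_predictable(a, seed) for a in queries}


if __name__ == "__main__":
    for a, ok in classify_queries(["alice", "bob", "carol"]).items():
        print(f"{a:6s} predictability={estimate(a):.3f} F-predictable={ok}")
```

A key for carol, an identity Msg never targets, always decrypts to ⊥ regardless of x, so letting the adversary obtain it after the challenge gives it nothing; keys for alice or bob do depend on the sampled x and are therefore excluded as adaptive queries by the theorem's restriction.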
![Page 24: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/24.jpg)
MORE RESULTS AND OPEN QUESTIONS
Theorem: If all queries (both non-adaptive and adaptive) made by the adversary are F-predictable, then SS is equivalent to IND for all functionalities.
So, what is the right security definition for FE? Can we tweak the SS definition to get an equivalence for exactly those functionalities for which IND is “good”?
![Page 25: Adam O’Neill, Georgetown University Joint with Mihir Bellare , UCSD](https://reader035.fdocuments.in/reader035/viewer/2022062520/568161d3550346895dd1cd9c/html5/thumbnails/25.jpg)
THANK YOU!Email: [email protected]