
Functional Encryption & Property Preserving Encryption

Functional Encryption & Property Preserving Encryption. Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian (UCLA), Manoj Prabhakaran (UIUC), Amit Sahai (UCLA). Outline. Various encryption schemes:


Presentation Transcript


  1. Functional Encryption & Property Preserving Encryption Shashank Agrawal (UIUC), Shweta Agrawal (IIT-D), Saikrishna Badrinarayanan (IIT-M), Abisekh Kumarasubramanian (UCLA), Manoj Prabhakaran (UIUC), Amit Sahai (UCLA).

  2. Outline
      • Various encryption schemes:
          • Public-key functional encryption,
          • Private-key functional encryption,
          • Property Preserving encryption.
      • Fairly new ideas, spend some time on each one.
      • What they are?
      • Our results.
      • Come back and discuss Public-key functional encryption in detail.

  3. Public key Functional enc.
      [Diagram; labels: Trusted Authority, MSK, MPK, Alice, Bob, Julie, ENC(m), DEC(ENC(m)) = f(m)]

  4. Public key Functional enc.
      • First formally studied by Boneh, Sahai and Waters in 2011.
      • Encompasses well-known notions of encryption:
          • Public-key encryption [DH76, RSA77, …],
          • Identity-based encryption [Sha84, BF01, Coc01, BW06, GPV08],
          • Attribute-based encryption [SW05, GPSW06, GVW13, GGH+13],
          • Predicate encryption [KSW08, LOS+10, AFV11],
          • Searchable encryption [BCOP04], etc.
      • Has been the subject of intense study in the recent past.

  5. Our contribution
      • A new definition for Functional Encryption:
          • Simulation based (real-ideal world),
          • Provides both function and message hiding,
          • Simple and intuitive.
      • First definition with the above features.
      • Construct a secure protocol in the generic group model.
      • Practice: Security against a large class of attacks.
      • Function family F: inner-product predicates.

  6. Private key functional Enc.
      [Diagram; labels: Client, Server, SK, ENC(m1, SK), ENC(m2, SK), ENC(m3, SK)]

  7. USE CASE
      • Client stores files on server by encrypting them.
      • Later the client wants all files with the keyword ‘urgent’.
      • Client sends a key to the server.
      • Server applies decryption function to each file.
      • Returns files for which output is 1 to the client.
      • Dec (, Enc. file) = 1
      • iff file contains the word ‘urgent’.

  8. Private key functional Enc.
      • First studied by Shen, Shi and Waters in 2009 [SSW09].
      • SSW09 construct a secure protocol for inner-product predicates.
      • A new protocol that is better in several ways.

  9. An improved protocol

  10. Our protocol
      • Derived from Okamoto and Takashima [OT12].
      • Symmetric nature of inner-product predicates.
      • Ways to transform a protocol with weaker properties into one with stronger properties [Fre10, Lew12].
      • No method can simultaneously solve all the three problems.

  11. Property preserving encryption
      [Diagram; labels: Client, Server, SK, ENC(m1, SK), ENC(m2, SK); Property: TEST(ENC(m1), ENC(m2)) = P(m1, m2)]

  12. USE case
      • Property: Given two files, which one comes before in alphabetical order.
      • Client stores files on server by encrypting them.
      • Later client wants to retrieve the file which comes first in alphabetical order.
      • Server uses to compare encrypted files.
      • Sorts the files in alphabetical order.

  13. Property preserving encryption
      • Introduced by Pandey and Rouselakis in 2012 [PR12].
      • PR12 gives a protocol for the inner-product property.
      • We improve their protocol in two crucial ways.
      • Exploit connection between Private-key FE and PPE.

  14. Public-key functional encryption

  15. [Diagram; labels: Trusted Authority, MSK, MPK, Alice, Adversary, Julie, ENC(m, MPK), DEC(ENC(m)) = f(m)]

  16. Indistinguishability based def.
      • Message hiding: and s.t.
      • indistinguishable from .
      • Function hiding: and s.t..
      • indistinguishable from .
      • By creating , , ,… compute or
      • Could distinguish between and .

  17. Simulation based def.
      • A new definition for Functional Encryption:
          • Simulation based (real-ideal world),
          • Provides both function and message hiding,
          • Simple and intuitive.
      • Real world execution of a protocol is compared with an “Ideal” world.
      • Ideal world: Security requirements we want from our protocol.

  18. [Diagram; labels: Real World, Ideal World, MSK, MPK, Adversary, Simulator, Trusted Authority, Oracle, Environment]

  19. Our set-up
      • Strong security definition.
      • Cannot be realized in the standard model [BSW11, O’N11, BO12].
      • Adversary doesn’t exploit structure of the group.
      • Generic group model: captures most real-world attacks.
      • Function family F: inner product predicates.
      • Looking at some special cases of Functional Encryption.
      • Inner-product predicates capture those cases.

  20. Identity based encryption
      • ID = {Bob, Alice, Mary, …} and .
      • .
      • .
      • if , and otherwise.
      • Authority gives secret key according to id
      • Ex: Alice gets a SK for
      • Bob sends to Alice.
      • Only Alice can obtain , using SK for .

  21. Complex policies
      • Complex policies like Head of Dept. OR (Faculty AND Security).
      • iff and satisfy the Boolean Expression .

  22. Inner-product Predicates
      • Powerful primitive:
          • Identity Based Encryption
          • Complex Policies like Boolean Expressions
      • .
      • . if , and otherwise.
      • Given a key for we would be able to recover from an encryption only if .
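
Added example, not part of the presentation: how the identity check of slide 20 and the policy "Head of Dept. OR (Faculty AND Security)" of slide 21 reduce to a single inner-product test, using the polynomial encoding from [KSW08]. It works on plaintext vectors only (no encryption); the modulus `P`, the hash-to-field mapping and the convention that the predicate holds when the inner product is zero are assumptions, since the slide formulas did not survive extraction.

```python
import hashlib
import secrets

P = 2**61 - 1  # constructed prime modulus (assumption); a real scheme uses its group order


def to_field(label: str) -> int:
    """Map an attribute label to an element of Z_P (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % P


def predicate(x: list[int], v: list[int]) -> bool:
    """Inner-product predicate: holds iff <x, v> = 0 mod P."""
    return sum(a * b for a, b in zip(x, v)) % P == 0


def identity_attr(identity: str) -> list[int]:
    """Ciphertext-side vector x = (1, id)."""
    return [1, to_field(identity)]


def identity_key(identity: str) -> list[int]:
    """Key-side vector v = (-id, 1), so <x, v> = id_ct - id_key."""
    return [(-to_field(identity)) % P, 1]


def policy_attr(role: str, area: str) -> list[int]:
    """Ciphertext-side vector of monomials (1, z1, z2, z1^2, z1*z2)."""
    z1, z2 = to_field(role), to_field(area)
    return [1, z1, z2, z1 * z1 % P, z1 * z2 % P]


def policy_key() -> list[int]:
    """Key-side coefficients of p(z1, z2) = (z1 - H) * (r1*(z1 - F) + r2*(z2 - S)).

    OR becomes a product of polynomials, AND a random linear combination,
    so p vanishes exactly when the policy is satisfied (up to ~1/P error).
    """
    H, F, S = (to_field(s) for s in ("Head of Dept.", "Faculty", "Security"))
    r1 = 1 + secrets.randbelow(P - 1)  # nonzero blinding scalars
    r2 = 1 + secrets.randbelow(P - 1)
    c = (r1 * F + r2 * S) % P
    # Coefficients in the order of policy_attr: 1, z1, z2, z1^2, z1*z2
    return [H * c % P, (-c - H * r1) % P, (-H * r2) % P, r1, r2]
```

In an actual scheme the two vectors would be hidden inside the ciphertext and the key; only the result of the zero test is revealed to the key holder.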

  23. Our protocol
      • A protocol for inner-product predicates in the Generic group model, which is secure under a strong simulation-based definition.
      • Two constructions
          • Dual Pairing Vector Spaces (Okamoto and Takashima in 2008).
          • Secret Sharing.
      • The constructions have comparable efficiency.
      • For vectors of length n, ciphertext and key of length 3n.

  24. Conclusion
      • A new powerful definition for Public-Key Functional Encryption.
      • Protocol in the Generic group model.
      • Another definition Relax-SIM.
      • Protocol in the standard model.
      • Improve protocols for Private-Key Functional Encryption and Property Preserving Encryption in various ways.
      • First protocols under standard assumptions/model.

  25. Thank You
      • Paper will soon be available on Eprint.
