
Semantically-secure functional encryption: Possibility results, impossibility results and the quest for a general definition

Adam O’Neill, Georgetown University. Joint work with Mihir Bellare, UCSD.


Presentation Transcript


  1. Semantically-secure functional encryption: Possibility results, impossibility results and the quest for a general definition Adam O’Neill, Georgetown University Joint with Mihir Bellare, UCSD

  2. Outline of Talk • What is functional encryption (FE)? • Two security notions: • Indistinguishability (IND) notion • Semantic security (SS) notion • What’s Known and our Guiding Observations • Impossibility Result: SS is not achievable in the standard model (without long keys) • Possibility Results: • Equivalence of SS and IND under non-adaptive security for preimage-sampleable functionalities from [O’10] • Restriction on adaptive queries to maintain equivalence • Other results and open questions


  4. Functional Encryption (FE) • Main Idea: Users decrypt one ciphertext to different values, depending on their secret keys. • Concept developed in a series of works starting with [SW’05], [BW’07], [KSW’08]… • General syntax and security definitions given independently by [O’10] and [BSW’11].

  5. Syntax • A functionality F takes security parameter 1^k, index a, and input x to return output y or ⊥. • A functional encryption scheme for F is a tuple FE = (Setup, KDer, Enc, Dec) of algorithms that work as follows…

  6. Syntax (diagram) • Authority: runs (mpk,msk) ← Setup(1^k), publishes mpk, and for a receiver holding index a derives sk_a ← KDer(msk,a). • Sender: computes c ← Enc(mpk,x) under the public mpk. • Receiver: computes Dec(sk_a,c), which equals F(1^k,a,x).

  7. Many receivers (diagram) • One sender, one ciphertext c ← Enc(mpk,x). • Receivers 1, 2, 3 hold sk_{a1}, sk_{a2}, sk_{a3} respectively, all derived from the same msk. • Receiver i computes Dec(sk_{ai},c) = F(1^k,ai,x): the same c decrypts to a different value under each key.

  8. Example: IBE • The IBE functionality F_ibe regards a as an identity and parses x as a pair (a’,m), returning m if a = a’ and otherwise ⊥. • Diagram: the Authority runs (mpk,msk) ← Setup(1^k) and gives the receiver sk_a ← KDer(msk,a); the Sender computes c ← Enc(mpk,(a’,m)); the Receiver computes Dec(sk_a,c), which returns m if a = a’ (and ⊥ otherwise).


  10. IND definition [O’10,BSW’11] • We ask that any efficient adversary A wins the following game with probability about ½. • Challenger C: (mpk,msk) ← Setup(1^k); b ← {0,1}; sends mpk to A. • Key queries (repeated many times, both before and after the challenge): A sends an index a_i and receives sk_{a_i} ← KDer(msk,a_i). • Challenge: A sends two message vectors x0 = (x0,1,…,x0,n) and x1 = (x1,1,…,x1,n); C returns c ← Enc(mpk,x_b). • Restriction: every query a_i must satisfy F(1^k,a_i,x0) = F(1^k,a_i,x1). • A outputs a bit b’ and wins if b = b’.
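The query restriction on this slide is the only thing separating an admissible IND adversary from a trivial one, so it is worth seeing it enforced concretely. The following is an added example, not code from the slides or from the authors: a small Python model of the IBE functionality F_ibe (slide 8) and of the challenger's admissibility check in the IND game. Every name in it (BOT, ibe_functionality, ind_query_admissible, partition_queries, the sample challenge vectors) is this example's own, and the challenge vectors are constructed data.

```python
# Added example (not from the slides): a Python model of the IBE functionality
# F_ibe and of the key-query restriction in the IND game. All names below are
# this example's own; the sample challenge vectors are constructed data.
from typing import Callable, List, Optional, Sequence, Tuple

BOT = None  # models the symbol ⊥ ("no output")

Identity = str
IbeInput = Tuple[Identity, bytes]        # x = (a', m): target identity and message
Functionality = Callable[[Identity, object], object]


def ibe_functionality(a: Identity, x: IbeInput) -> Optional[bytes]:
    """F_ibe(1^k, a, x): parse x as (a', m); return m if a == a', else ⊥.
    The security parameter plays no role in the logic, so it is omitted here."""
    a_prime, m = x
    return m if a == a_prime else BOT


def ind_query_admissible(F: Functionality, a: Identity,
                         x0: Sequence, x1: Sequence) -> bool:
    """Slide-10 restriction: key query a is allowed only if F(a, x0) == F(a, x1),
    applied component-wise to the challenge vectors x0 = (x0_1..x0_n), x1 = (x1_1..x1_n)."""
    if len(x0) != len(x1):
        raise ValueError("challenge vectors must have equal length")
    return all(F(a, u) == F(a, v) for u, v in zip(x0, x1))


def partition_queries(F: Functionality, queries: Sequence[Identity],
                      x0: Sequence, x1: Sequence) -> Tuple[List[Identity], List[Identity]]:
    """Split an adversary's key queries into those the game permits and those it rejects."""
    allowed = [a for a in queries if ind_query_admissible(F, a, x0, x1)]
    rejected = [a for a in queries if not ind_query_admissible(F, a, x0, x1)]
    return allowed, rejected


# Constructed sample challenge: the two vectors differ only in the message
# addressed to "alice".
X0: List[IbeInput] = [("alice", b"attack at dawn"), ("bob", b"meeting at noon")]
X1: List[IbeInput] = [("alice", b"attack at dusk"), ("bob", b"meeting at noon")]
QUERIES = ["bob", "alice", "carol"]


def demo() -> Tuple[List[Identity], List[Identity]]:
    """Keys for "bob" (same message under both vectors) and "carol" (⊥ under both)
    are admissible; a key for "alice" would decrypt the challenge and is rejected."""
    return partition_queries(ibe_functionality, QUERIES, X0, X1)


if __name__ == "__main__":
    allowed, rejected = demo()
    print("admissible key queries:", allowed)
    print("rejected key queries:  ", rejected)
```

The check is generic in F: swapping in any other functionality with the same (index, input) signature gives the admissibility rule for that scheme's IND game. Note what the rule does not do: it says nothing about what the ciphertext itself leaks beyond the functionality's outputs, which is the gap slide 14 refers to.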

  11. SS definition [our refinement] • For any efficient adversary A, message sampler Msg and relation R in the following “real world” game… • Challenger C: (mpk,msk) ← Setup(1^k); sends mpk to A, which also receives an auxiliary input z. • Key queries (repeated many times, both before and after the challenge): A sends a_i, receives sk_{a_i} ← KDer(msk,a_i), and C records Qlist.add(a_i). • Challenge: C samples x ← Msg(z) and returns c ← Enc(mpk,x). • A outputs w and wins if R(w,x,Qlist,z) = 1.

  12. SS definition: ideal world • …there is an efficient simulator S that wins the following “ideal world” game with similar probability. • S receives z; the challenger samples x ← Msg(z) but gives S no ciphertext. • Key queries (repeated many times, both before and after the challenge point): S sends a_i and receives y_i ← F(1^k,a_i,x); Qlist.add(a_i). • In place of the challenge ciphertext, S receives y ← F(1^k,Qlist,x), the function values of x under the indices queried so far. • S outputs w and wins if R(w,x,Qlist,z) = 1.


  14. Relations among the notions • [O’10,BSW’11]: IND is not equivalent to SS; indeed there exist clearly insecure schemes meeting IND. • [BSW’11]: Even for the simple case of IBE the SS notion is impossible to achieve! • The second claim seems especially strong and disappointing (compare to the usual public-key case [GM’84]); let’s take a closer look…

  15. What’s going on here? • Observation: SS implicitly allows, and [BSW’11] implicitly exploits, the presence of key-revealing selective-opening attacks (SOA-K) [DNRS’99].

  16. What is SOA-K? • Adversary sees some ciphertexts encrypted under different keys and can then request to see some subset of the decryption keys. • This is a non-standard security notion and well known to be hard to achieve. • Observation: If you write down a definition of SOA-K-secure IBE, what you get is exactly the definition of SS-secure IBE.

  17. [BSW’11] Impossibility result • Main idea: Adversary hashes its ciphertexts to determine for which identities to request keys; these keys then decrypt some of the ciphertexts. • Intuitively, any simulator finds out the messages it should encrypt only when it queries identities that already determine its ciphertexts. • Observation: [BSW’11] require modeling the hash as a random oracle to prove their result.


  19. Our impossibility result for SS • Theorem: SS-secure IBE is impossible even in the standard model (without long keys). • Proof adapts the idea of [BDWY’11]: assume only that H is collision resistant, and rewind the simulator to the point at which it makes some query. • We also generalize this to rule out SS security for any non-trivial functionality.


  21. Our possibility results • We consider relaxations of SS and show their equivalence to IND for certain functionalities. • Main idea: Find ways to disallow SOA-K type attacks in the definition of SS.

  22. Non-adaptive security for FE [O’10] • Adversary only allowed key derivation queries before seeing the challenge ciphertexts. E.g. non-adaptive IND: • C: (mpk,msk) ← Setup(1^k); b ← {0,1}; sends mpk to A. • Key queries (repeated many times, all before the challenge): A sends a_i and receives sk_{a_i} ← KDer(msk,a_i). • Challenge: A sends x0 = (x0,1,…,x0,n) and x1 = (x1,1,…,x1,n); C returns c ← Enc(mpk,x_b); A then outputs b’ with no further key queries. • [O’10] shows equivalence to non-adaptive SS for preimage-sampleable functionalities.

  23. Our work: Allowing restricted adaptive queries • In the real-world SS game: • Say that query a is F-predictable if all but a negligible fraction of x in the adversary’s message space Msg have the same value of F(1^k,a,x). • Say that the adversary is a-posteriori F-predictable if all its queries after seeing the challenge ciphertext are F-predictable. • Theorem: For any functionality with polynomial-size range, IND is equivalent to SS w.r.t. a-posteriori F-predictable adversaries.
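F-predictability is a statement about the message sampler, not about the scheme, so it can be computed directly once Msg is written down. The following is an added example, not code from the slides or the authors: a finite model of the definition on this slide, applied to the IBE functionality of slide 8. It makes two assumptions that the asymptotic definition does not: the message space Msg is an explicit probability distribution over inputs x, and "negligible" is replaced by a fixed threshold. The two constructed samplers (identity uniform over n identities with a fixed message; identity always "alice" with a uniform message bit) and all names are this example's own.

```python
# Added example (not from the slides): a finite model of F-predictability and
# a-posteriori F-predictability for the IBE functionality. Assumptions of this
# model: Msg is an explicit distribution (dict x -> probability) and
# "negligible" is an explicit threshold. All names are this example's own.
from fractions import Fraction
from typing import Callable, Dict, Hashable, Sequence, Tuple

BOT = None  # models ⊥


def ibe_functionality(a: str, x: Tuple[str, bytes]):
    """F_ibe(1^k, a, x): x = (a', m); return m if a == a' else ⊥."""
    a_prime, m = x
    return m if a == a_prime else BOT


def output_mass(F: Callable, a, msg_dist: Dict[Hashable, Fraction]) -> Dict:
    """Probability mass of each value F(a, x) when x is drawn from msg_dist."""
    mass: Dict = {}
    for x, p in msg_dist.items():
        y = F(a, x)
        mass[y] = mass.get(y, Fraction(0)) + p
    return mass


def f_predictable(F: Callable, a, msg_dist: Dict, negligible: Fraction) -> bool:
    """Query a is F-predictable if all but a negligible fraction of x ~ Msg share
    a single value of F(a, x); 'negligible' is the threshold assumed by this model."""
    return max(output_mass(F, a, msg_dist).values()) >= 1 - negligible


def a_posteriori_f_predictable(F: Callable, adaptive_queries: Sequence,
                               msg_dist: Dict, negligible: Fraction) -> bool:
    """The adversary is a-posteriori F-predictable if every key query it makes
    after seeing the challenge ciphertext is F-predictable."""
    return all(f_predictable(F, a, msg_dist, negligible) for a in adaptive_queries)


def uniform_identity_msg(n_ids: int, message: bytes = b"m") -> Dict:
    """Constructed sampler: identity uniform over id0..id{n-1}, fixed message."""
    return {(f"id{i}", message): Fraction(1, n_ids) for i in range(n_ids)}


# Constructed sampler: identity always "alice", message a uniform bit.
ALICE_COIN: Dict = {("alice", b"0"): Fraction(1, 2), ("alice", b"1"): Fraction(1, 2)}
THRESHOLD = Fraction(1, 100)  # stands in for "negligible" in this finite model


def demo() -> Dict[str, bool]:
    """A key for one of 1000 equally likely identities almost always yields ⊥
    (predictable); one of only 2 identities does not; a key for the identity the
    sampler always targets reveals the unknown bit (not predictable)."""
    return {
        "id17 vs 1000 ids": f_predictable(
            ibe_functionality, "id17", uniform_identity_msg(1000), THRESHOLD),
        "id1 vs 2 ids": f_predictable(
            ibe_functionality, "id1", uniform_identity_msg(2), THRESHOLD),
        "alice vs coin": f_predictable(
            ibe_functionality, "alice", ALICE_COIN, THRESHOLD),
        "adaptive [id17, id42] vs 1000 ids": a_posteriori_f_predictable(
            ibe_functionality, ["id17", "id42"], uniform_identity_msg(1000), THRESHOLD),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: F-predictable = {verdict}")
```

The third case is the one the restriction is designed to exclude: an adaptive query whose answer is exactly the information the challenge ciphertext hides is not F-predictable, so an adversary that makes it falls outside the a-posteriori F-predictable class for which the slide's equivalence theorem is stated.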

  24. More results and open questions • Theorem: If all queries (both non-adaptive and adaptive) made by the adversary are F-predictable, then SS is equivalent to IND for all functionalities. • So, what is the right security definition for FE? Can we tweak the SS definition to get an equivalence for exactly those functionalities for which IND is “good”?

  25. Thank you! Email: adam@cs.georgetown.edu
