Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu

Transcription

1 Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal and David J. Wu

2 Public-Key Functional Encryption [BSW11, O N10] x f(x) Keys are associated with deterministic functions f sk f m sk f Decrypt(sk f, ct m ) f(m)

3 Public-Key Functional Encryption [BSW11, O N10] Setup 1 λ : Outputs (msk, mpk) KeyGen(msk, f): Outputs decryption key sk f Encrypt mpk, m : Outputs ciphertext ct m Decrypt(sk f, ct m ): Outputs f m

4 Public-Key Functional Encryption [BSW11, O N10] Setup 1 λ : Outputs (msk, mpk) KeyGen(msk, f): Outputs decryption key sk f Encrypt mpk, m : Outputs ciphertext ct m Deterministic function f Decrypt(sk f, ct m ): Outputs f m

5 Functional Encryption for Randomized Functionalities (rfe) [GJKS15] r x f(x ; r) But what if f is randomized? Many interesting functions are randomized

6 Application 1: Proxy Re-Encryption personal Alice Alice work Mail server has functional key to re-encrypt message under secretary s public key Secretary

7 Application 2: Auditing an Encrypted Database Encrypted database of records r 1 r 2 r 3 r 4 r 5 r 6 r 2 r 6 Sample a random subset to audit

8 Does Public-Key rfe Exist? io [GJKS15] General- Purpose rfe (selectively secure)

9 Public-Key Functional Encryption [BSW11, O N10] Can be instantiated from a wide range of assumptions PKE / LWE [SS10, GVW12,GKPVZ13, ] Bounded- Collusion FE Multilinear Maps / io [GGHRSW13, GGHZ16, Wat15, ] General- Purpose FE

10 The State of (Public-Key) Functional Encryption Deterministic functionalities [SS10, GVW12, ] Randomized functionalities PKE [GGHRSW13, GGHZ16, ] Multilinear Maps / io Bounded- Collusion FE General- Purpose FE io [GJKS15] General- Purpose rfe Generally adaptively secure Selectively secure

11 The State of (Public-Key) Functional Encryption Deterministic functionalities Randomized functionalities Bounded- PKEDoes extending FE to support Collusion FE randomized functionalities GeneraliO Purpose rfe Multilinear General- Maps / io Purpose FE require much stronger tools? Adaptively secure Selectively secure

12 Our Main Result General-purpose FE for deterministic functionalities Number Theory (e.g., DDH, RSA) General-purpose FE for randomized functionalities Implication: randomized FE is not much more difficult to construct than standard FE.

13 Defining rfe

14 Deterministic functionalities Defining Correctness for FE m Decrypt(sk f, ct m ) f(m) sk f

15 Defining Correctness for rfe [GJKS15] Randomized functionalities m Decrypt(sk f, ct m ) f(m; r) sk f m Decrypt(sk f, ct m ) f(m ; r ) sk f Different ciphertexts Same function key Independent draws from output distribution

16 Defining Correctness for rfe [GJKS15] Randomized functionalities m Decrypt(sk f, ct m ) f(m; r) sk f m Decrypt(sk f, ct m ) f (m; r ) sk f Same ciphertexts Different function keys Independent draws from output distribution

17 Simulation-Based Security (Informally) f m msk sk f m Real World: honestly generated ciphertexts and secret keys f f(m) m sk f Ideal World: simulated ciphertexts and secret keys

18 Public-Key Functional Encryption [BSW11, O N10] Simulation-based notion of security: msk mpk f??? mpk f f KeyGen(msk, f) sk f m m f 1 m,, f q1 (m) Encrypt(mpk, m) ct m f f f, f(m) Real World KeyGen(msk, f) sk f Ideal World

19 Public-Key Functional Encryption [BSW11, O N10] Selective security: adversary first commits to challenge msk m??? m ε mpk mpk Encrypt(mpk, m) ct m f f f, f(m) KeyGen(msk, f) sk f Real World Ideal World

20 msk Simulation-based notion of security: mpk f KeyGen(msk, f) m Security for rfe Function f is a randomized function mpk f f sk f m f 1 m,, f q1 (m) Encrypt(mpk, m) ct m Real World f KeyGen(msk, f) Each function evaluated using freshly sampled randomness f f, f(m) sk f Ideal World

21 The Case for Malicious Encrypters Encrypted database of records r 1 r 2 r 3 r 4 r 5 r 6 What if encrypter (bank) is adversarial? r 2 r 6 Sample a random subset to audit

22 The Case for Malicious Encrypters Randomized functionalities m Decrypt(sk f, ct m ) f(m; r) sk f m Decrypt(sk f, ct m ) f(m ; r) sk f Dishonest encrypters can construct bad ciphertexts such that decryption produces correlated outputs

23 Capturing Dishonest Encrypters Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f sk f KeyGen(msk, f) m Decrypt(sk f, ct) m ct, f ct

24 Capturing Dishonest Encrypters Simulator sees ciphertext and can make a single query to an ideal evaluation oracle O f Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f sk f KeyGen(msk, f) m Decrypt(sk f, ct) m ct, f ct

25 Capturing Dishonest Encrypters Simulator sees ciphertext and can make a single query to an ideal evaluation oracle O f Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f ct, f ct sk f KeyGen(msk, f) m Decrypt(sk f, ct) m f(x) x

26 Capturing Dishonest Encrypters Simulator sees ciphertext and can make a single query to an ideal evaluation oracle O f Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f ct, f ct sk f KeyGen(msk, f) m Decrypt(sk f, ct) Ideal evaluation oracle O m f takes an input x and outputs random draw from output distribution f(x) f(x) x

27 Capturing Dishonest Encrypters Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f ct, f ct sk f KeyGen(msk, f) m Decrypt(sk f, ct) m f(x) x Note: in ideal world, distinguisher always sees a function evaluation using uniform randomness

28 Capturing Dishonest Encrypters Give the adversary access to a decryption oracle (a CCA like definition) [GJKS15] msk ct, f ct, f ct sk f KeyGen(msk, f) m Decrypt(sk f, ct) m f(x) x Notion also well-defined in deterministic setting and is easily achieved by attaching a NIZK to ciphertext

29 Capturing Dishonest Encrypters This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) msk ct i i [n], f sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n

30 Capturing Dishonest Encrypters This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) msk ct i i [n], f sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n Same decryption key used for all decryptions in real distribution

31 Capturing Dishonest Encrypters This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) msk ct i i [n], f ct i i [n], f ct i i [n] sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n Same decryption key used for all decryptions in real distribution f x i i [n] x i i [n]

32 Capturing Dishonest Encrypters msk This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) ct i i [n], f sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n Same decryption key used for all decryptions in real distribution Ideal evaluation oracle O f takes vector of inputs x i and for each input, outputs random draw ct i i [n], f ct i i [n] f x i from f(x i ) i [n] x i i [n]

33 Capturing Dishonest Encrypters msk This work: Extend security model to allow adversary to submit multiple ciphertexts (rules out adversary s ability to construct correlated ciphertexts) ct i i [n], f sk f KeyGen(msk, f) m i Decrypt(sk f, ct i ) m 1,, m n Impose admissibility criterion to rule out cases where adversary submits same ct i i [n], f ct i i [n] f x i ciphertext twice i [n] x i i [n]

34 Our Generic Transformation

35 Starting Point: Derandomization x r Randomized functionality x Derandomized functionality f(x ; r) f x; PRF k, x k Starting point: construct derandomized function where randomness for f derived from outputs of a PRF

36 Starting Point: Derandomization x r Randomized functionality x Derandomized functionality f(x ; r) f x; PRF k, x k Randomized function f Derandomized function g k : g k x = f x, PRF k, x

37 Starting Point: Derandomization x r Randomized functionality x Derandomized functionality f(x ; r) f x; PRF k, x Randomized function f k PRF key embedded inside g k Derandomized function g k : g k x = f x, PRF k, x

38 Starting Point: Derandomization rfe. KeyGen(msk, f) k R K But in publickey setting, keys do not hide the function! FE. KeyGen(msk, g k ) sk gk g k x = f x, PRF k, x

39 Starting Point: Derandomization rfe. KeyGen(msk, f) k R K Given sk gk, adversary can learn the PRF key k FE. KeyGen(msk, g k ) sk gk g k x = f x, PRF k, x

40 How to Hide the Key? Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext PRF key k Secret-share the PRF key k 1 k 2 Key share in ciphertext Key share in function key

41 How to Hide the Key? Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext rfe. Encrypt(mpk, m) k 1 R K FE. Encrypt mpk, m, k 1 (m, k 1 )

42 How to Hide the Key? Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext rfe. KeyGen(msk, f) k 2 R K Some operation to combine shares of key g k2 m, k 1 = f(m ; PRF(k 1 k 2, m) FE. KeyGen msk, g k2 sk gk 2

43 How to Hide the Key? Key idea: functional encryption provides message-hiding, so place part of the key in the ciphertext rfe. KeyGen(msk, f) Security now relies on related-key security for PRFs k 2 R K g k2 m, k 1 = f(m ; PRF(k 1 k 2, m) FE. KeyGen msk, g k2 sk gk 2

44 Why Related-Key Security? Challenge ciphertext: Secret key queries: sk gk 2 Chosen by adversary sk gk2 (m, k 1 ) Chosen by challenger Adversary sees and Adversary knows m, k 2 and k 2 and outputs still look random! f m ; PRF k 1 k 2, m f(m ; PRF k 1 k 2, m )

45 Security Against Dishonest Encrypters Encrypter has a lot of flexibility in constructing ciphertexts: rfe. Encrypt(mpk, m) k 1 R K Encrypter can choose the keyshare Cannot influence output distribution due to RKA-security FE. Encrypt mpk, m, k 1 (m, k 1 ) Encrypter can choose the randomness Potentially problematic

46 Security Against Dishonest Encrypters Encrypter has a lot of flexibility in constructing ciphertexts: FE. Encrypt mpk, m, k 1 (m, k 1 ) (m, k 1 ) Run encryption algorithm twice with different randomness Two distinct FE ciphertexts encrypting the same message

47 Security Against Dishonest Encrypters Encrypter has a lot of flexibility in constructing ciphertexts: (m, k 1 ) (m, k 1 ) Decryption in real world: always produces same output Decryption in ideal world: always produces independent outputs Encrypter has too much freedom in constructing ciphertexts

48 Applying Deterministic Encryption Key observation: honestly generated ciphertexts have high entropy Should be random PRF key high entropy! (m, k 1 ) Derive encryption randomness from k 1 and include a NIZK argument that ciphertext is well-formed

49 Putting the Pieces Together rfe. Encrypt(mpk, m) k 1 R K FE. Encrypt mpk, m, k 1 ; h(k 1 ) NIZK argument of knowledge of (m, k 1 ) that explains ciphertext π Randomness for FE encryption derived from deterministic function on k 1 (e.g., a PRG)

50 Putting the Pieces Together rfe. Encrypt(mpk, m) k 1 R K Ciphertext is a deterministic function of m, k 1 so for any distinct pairs (m, k 1 ), (m, k 1 ), outputs of PRF uniform and independently distributed by RKA-security FE. Encrypt mpk, m, k 1 ; h(k 1 ) π

51 Our Transformation in a Nutshell Simulationsecure FE NIZK arguments DDH + RSA RKAsecure PRF deterministic encryption Security properties of underlying FE scheme is preserved (e.g., adaptive security) Simulationsecure rfe

52 The State of (Public-Key) Functional Encryption Deterministic functionalities [SS10, GVW12, ] Randomized functionalities PKE [GGHRSW13, GGHZ16, ] Multilinear Maps / io Bounded- Collusion FE General- Purpose FE io [GJKS15] General- Purpose rfe Generally adaptively secure Selectively secure

53 The State of (Public-Key) Functional Encryption [SS10, GVW12, ] Number-theoretic assumptions PKE [GGHRSW13, GGHZ16, ] Multilinear Maps / io Bounded- Collusion FE General- Purpose FE Bounded- Collusion rfe General- Purpose rfe Adaptively secure against malicious encrypters! This work

54 Open Questions More direct / efficient constructions of rfe for simpler classes of functionalities (e.g., sampling from a database)? Generic construction of rfe from FE without making additional assumptions? Connections between rfe and other primitives (e.g., various flavors of obfuscation)?

55 Questions?