SEMANTICALLY-SECURE FUNCTIONAL ENCRYPTION: POSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION
Adam O’Neill, Georgetown UniversityJoint with Mihir Bellare, UCSD
OUTLINE OF TALKWhat is functional encryption (FE)?Two security notions:
Indistinguishability (IND) notionSemantic security (SS) notion
What’s Known and our Guiding ObservationsImpossibility Result: SS is not achievable in the
standard model (without long keys)Possibility Results:
Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]
Restriction on adaptive queries to maintain equivalence
Other results and open questions
OUTLINE OF TALKWhat is functional encryption (FE)?Two security notions:
Indistinguishability (IND) notionSemantic security (SS) notion
What’s Known and our Guiding ObservationsImpossibility Result: SS is not achievable in the
standard model (without long keys)Possibility Results:
Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]
Restriction on adaptive queries to maintain equivalence
Other results and open questions
FUNCTIONAL ENCRYPTION (FE)Main Idea: Users decrypt one ciphertext to
different values, depending on their secret keys.
Concept developed in a series of works starting with [SW’05], [BW’07], [KSW’08]…
General syntax and security definitions given independently by [O’10] and [BSW’11].
SYNTAXA functionality F takes security parameter 1k,
index a, and input x to return output y or .
T
A functional encryption scheme for F is a tuple FE = (Setup,KDer,Enc,Dec) of algorithms that work as follows…
Authority
Sender Receiver
ska
SYNTAX
Setup (mpk,msk)
1k
Encx
c Dec F(1k,a,x)
KDer skamskmpk
a
MANY RECEIVERS
ska1
Sender Receiver 1
Encx
c Dec F(1k,a1,x)Receiver 2
Dec F(1k,a2,x)Receiver 3
Dec F(1k,a3,x)
ska2
ska3
mpk
The IBE functionality Fibe regards a as an identity and parses x as a pair (a’,m), returning m if a = a’ and otherwise .
EXAMPLE: IBE
T
Authority
Setup (mpk,msk)
KDer ska
(a’,m)
1k msk
m if a = a’
a
ska
Sender Receiver 1
Enc c Decmpk
OUTLINE OF TALKWhat is functional encryption (FE)?Two security notions:
Indistinguishability (IND) notionSemantic security (SS) notion
What’s Known and our Guiding ObservationsImpossibility Result: SS is not achievable in the
standard model (without long keys)Possibility Results:
Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]
Restriction on adaptive queries to maintain equivalence
Other results and open questions
IND DEFINITION [O’10,BSW’11]
(mpk,msk)Setup(1k
)b{0,1}ska1
Kder(msk,a1)
a1
ska1cEnc(mpk,xb)c
x1 = (x1,1,…,x1,n)
x0 = (x0,1,…,x0,n)
A wins if b = b’
mpk
We ask that any efficient adversary A wins the following game with probability about ½
A C
Repeats many timesska2ska3 a4
ska4Kder(msk,a4)ska4
Repeats many times
ska5ska6
Every query ai must satisfy F(1k,ai,x0) = F(1k,ai,x1)
b’
SS DEFINITION [OUR REFINEMENT]For any efficient adversary A, message-sampler Msg
and relation R in the following “real world” game…(mpk,msk)Setup(1k
)ska1Kder(msk,a1)
Qlist.add(a1)
a1
ska1xMsg(z)cEnc(mpk,x)c
mpk
A C
Repeats many timesska2
ska3a4
ska4Kder(msk,a4)
Qlist.add(a4)ska4
Repeats many times
ska5
ska6
w
z
A wins if R(w,x,Qlist,z) = 1
SS DEFINITION: IDEAL WORLD
S wins if R(w,x,Qlist,z) = 1
There is an efficient simulator S that wins the following “ideal world” game with similar probability
Qlist.add(a1)
a1
xMsg(z)yF(1k,Qlist,x)y
S C
Repeats many times
a4
y4F(1k,a4,x) Qlist.add(a4)y4
Repeats many times
y5y6
w
z
OUTLINE OF TALKWhat is functional encryption (FE)?Two security notions:
Indistinguishability (IND) notionSemantic security (SS) notion
What’s Known and our Guiding ObservationsImpossibility Result: SS is not achievable in the
standard model (without long keys)Possibility Results:
Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]
Restriction on adaptive queries to maintain equivalence
Other results and open questions
RELATIONS AMONG THE NOTIONS
[O’10,BSW’11]: IND is not equivalent to SS, indeed there exist clearly insecure schemes meeting IND.
[BSW’11]: Even for the simple case of IBE the SS notion is impossible to achieve!
The second claim seems especially strong and disappointing (compare to usual public-key case [GM’84]); let’s take a closer look…
WHAT’S GOING ON HERE?
.Observation: SS implicitly allows, and [BSW’11] implicitly exploits, presence of key-revealing selective-opening attacks (SOA-K) [DNRS’99].
WHAT IS SOA-K?Adversary sees some ciphertexts encrypted
under different keys and can then request to see some subset of the decryption keys.
This is a non-standard security notion and well-known to be hard to achieve.
Observation: If you write down a definition of SOA-K secure IBE what you get is exactly the definition of SS-secure IBE.
[BSW’11] IMPOSSIBILITY RESULTMain idea: Adversary hashes its ciphertexts to
determine for which identities to request keys; these keys then decrypt some of the ciphertexts.
Intuitively, any simulator finds out the messages it should encrypt only it when queries identities that already determine its ciphertexts.
Observation: [BSW’11] require modeling the hash as a random oracle to prove their result.
OUTLINE OF TALKWhat is functional encryption (FE)?Two security notions:
Indistinguishability (IND) notionSemantic security (SS) notion
What’s Known and our Guiding ObservationImpossibility Result: SS is not achievable in the
standard model (without long keys)Possibility Results:
Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]
Restriction on adaptive queries to maintain equivalence
Other results and open questions
OUR IMPOSSIBILITY RESULT FOR SSTheorem: SS-secure IBE is impossible even in
the standard model (without long keys).
Proof adapts idea of [BDWY’11] by assuming H only is collision resistant and rewinding the simulator to when it makes some query.
We also generalize this to rule out SS security for any non-trivial functionality.
OUTLINE OF TALKWhat is functional encryption (FE)?Two security notions:
Indistinguishability (IND) notionSemantic security (SS) notion
What’s Known and our Guiding ObservationImpossibility Result: SS is not achievable in the
standard model (without long keys)Possibility Results:
Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10].
Restriction on adaptive queries to maintain equivalence
Other results and open questions
OUR POSSIBILITY RESULTSWe consider relaxations of SS and show their
equivalence to IND for certain functionalities.
Main idea: Find ways to disallow SOA-K type attacks in the definition of SS.
NON-ADAPTIVE SECURITY FOR FE [O’10]Adversary only allowed key derivation queries
before seeing challenge ciphertexts. E.g. non-adaptive IND: (mpk,msk)Setup(1k
)b{0,1}ska1
Kder(msk,a1)
a1
ska1cEnc(mpk,xb)c
x1 = (x1,1,…,x1,n)
x0 = (x0,1,…,x0,n)
mpk
A C
Repeats many timesska2
ska3 b’
[O’10] shows equivalence to non-adaptive SS for preimage sampleable functionalities.
OUR WORK: ALLOWING RESTRICTED ADAPTIVE QUERIESIn real-world SS game:
o Say that query a is F-predictable if (all but a negligible fraction) of x in adversary’s message space Msg have same value of F(1k,a,x).
o Say that adversary is a-posteriori F-predictable if all its queries after seeing challenge ciphertext are F-predictable.
Theorem: For any functionality with polynomial-size range, IND is equivalent to SS wrt a-posteriori F-predictable adversaries.
MORE RESULTS AND OPEN QUESTIONSTheorem: If all queries all (both non-adaptive and
adaptive) made by adversary are F-predictable then SS is equivalent to IND for all functionalities.
So, what is the right security definition for FE? Can we tweak the SS definition to get an equivalence for exactly those functionalities for which IND is “good”?
THANK YOU!Email: [email protected]