SEMANTICALLY-SECURE FUNCTIONAL ENCRYPTION: POSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION

Adam O’Neill, Georgetown University

Joint with Mihir Bellare, UCSD

OUTLINE OF TALK

What is functional encryption (FE)?Two security notions:

Indistinguishability (IND) notionSemantic security (SS) notion

What’s Known and our Guiding ObservationsImpossibility Result: SS is not achievable in the

standard model (without long keys)Possibility Results:

Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]

Restriction on adaptive queries to maintain equivalence

Other results and open questions

OUTLINE OF TALK

What is functional encryption (FE)?Two security notions:

Indistinguishability (IND) notionSemantic security (SS) notion

What’s Known and our Guiding ObservationsImpossibility Result: SS is not achievable in the

standard model (without long keys)Possibility Results:

Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]

Restriction on adaptive queries to maintain equivalence

Other results and open questions

FUNCTIONAL ENCRYPTION (FE)

Main Idea: Users decrypt one ciphertext to different values, depending on their secret keys.

Concept developed in a series of works starting with [SW’05], [BW’07], [KSW’08]…

General syntax and security definitions given independently by [O’10] and [BSW’11].

SYNTAX

A functionality F takes security parameter 1k, index a, and input x to return output y or .

T

A functional encryption scheme for F is a tuple FE = (Setup,KDer,Enc,Dec) of algorithms that work as follows…

Authority

Sender Receiver

ska

SYNTAX

Setup (mpk,msk)

1k

Encx

c Dec F(1k,a,x)

KDer skamskmpk

a

MANY RECEIVERS

ska1

Sender Receiver 1

Encx

c Dec F(1k,a1,x)Receiver 2

Dec F(1k,a2,x)Receiver 3

Dec F(1k,a3,x)

ska2

ska3

mpk

The IBE functionality Fibe regards a as an identity and parses x as a pair (a’,m), returning m if a = a’ and otherwise .

EXAMPLE: IBE

T

Authority

Setup (mpk,msk)

KDer ska

(a’,m)

1kmsk

m if a = a’

a

ska

Sender Receiver 1

Enc c Decmpk

OUTLINE OF TALK

What is functional encryption (FE)?Two security notions:

Indistinguishability (IND) notionSemantic security (SS) notion

What’s Known and our Guiding ObservationsImpossibility Result: SS is not achievable in the

standard model (without long keys)Possibility Results:

Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]

Restriction on adaptive queries to maintain equivalence

Other results and open questions

IND DEFINITION [O’10,BSW’11]

(mpk,msk)Setup(1k

)b{0,1}ska1

Kder(msk,a1)

a1

ska1cEnc(mpk,xb)c

x1 = (x1,1,…,x1,n)

x0 = (x0,1,…,x0,n)

A wins if b = b’

mpk

We ask that any efficient adversary A wins the following game with probability about ½

A C

Repeats many timesska2

ska3a4

ska4Kder(msk,a4)ska4

Repeats many times

ska5

ska6

Every query ai must satisfy F(1k,ai,x0) = F(1k,ai,x1)

b’

SS DEFINITION [OUR REFINEMENT]

For any efficient adversary A, message-sampler Msg and relation R in the following “real world” game…

(mpk,msk)Setup(1k

)ska1Kder(msk,a1)

Qlist.add(a1)

a1

ska1xMsg(z)cEnc(mpk,x)c

mpk

A C

Repeats many timesska2

ska3

a4

ska4Kder(msk,a4)

Qlist.add(a4)

ska4

Repeats many times

ska5

ska6

w

z

A wins if R(w,x,Qlist,z) = 1

SS DEFINITION: IDEAL WORLD

S wins if R(w,x,Qlist,z) = 1

There is an efficient simulator S that wins the following “ideal world” game with similar probability

Qlist.add(a1)

a1

xMsg(z)yF(1k,Qlist,x)y

S C

Repeats many times

a4

y4F(1k,a4,x) Qlist.add(a4)y4

Repeats many times

y5y6

w

z

OUTLINE OF TALK

What is functional encryption (FE)?Two security notions:

Indistinguishability (IND) notionSemantic security (SS) notion

What’s Known and our Guiding ObservationsImpossibility Result: SS is not achievable in the

standard model (without long keys)Possibility Results:

Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]

Restriction on adaptive queries to maintain equivalence

Other results and open questions

RELATIONS AMONG THE NOTIONS

[O’10,BSW’11]: IND is not equivalent to SS, indeed there exist clearly insecure schemes meeting IND.

[BSW’11]: Even for the simple case of IBE the SS notion is impossible to achieve!

The second claim seems especially strong and disappointing (compare to usual public-key case [GM’84]); let’s take a closer look…

WHAT’S GOING ON HERE?

.Observation: SS implicitly allows, and [BSW’11] implicitly exploits, presence of key-revealing selective-opening attacks (SOA-K) [DNRS’99].

WHAT IS SOA-K?

Adversary sees some ciphertexts encrypted under different keys and can then request to see some subset of the decryption keys.

This is a non-standard security notion and well-known to be hard to achieve.

Observation: If you write down a definition of SOA-K secure IBE what you get is exactly the definition of SS-secure IBE.

[BSW’11] IMPOSSIBILITY RESULT

Main idea: Adversary hashes its ciphertexts to determine for which identities to request keys; these keys then decrypt some of the ciphertexts.

Intuitively, any simulator finds out the messages it should encrypt only it when queries identities that already determine its ciphertexts.

Observation: [BSW’11] require modeling the hash as a random oracle to prove their result.

OUTLINE OF TALK

What is functional encryption (FE)?Two security notions:

Indistinguishability (IND) notionSemantic security (SS) notion

What’s Known and our Guiding ObservationImpossibility Result: SS is not achievable in the

standard model (without long keys)Possibility Results:

Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10]

Restriction on adaptive queries to maintain equivalence

Other results and open questions

OUR IMPOSSIBILITY RESULT FOR SS

Theorem: SS-secure IBE is impossible even in the standard model (without long keys).

Proof adapts idea of [BDWY’11] by assuming H only is collision resistant and rewinding the simulator to when it makes some query.

We also generalize this to rule out SS security for any non-trivial functionality.

OUTLINE OF TALK

What is functional encryption (FE)?Two security notions:

Indistinguishability (IND) notionSemantic security (SS) notion

What’s Known and our Guiding ObservationImpossibility Result: SS is not achievable in the

standard model (without long keys)Possibility Results:

Equivalence of SS and IND under non-adaptive security for preimage sampleable functionalities from [O’10].

Restriction on adaptive queries to maintain equivalence

Other results and open questions

OUR POSSIBILITY RESULTS

We consider relaxations of SS and show their equivalence to IND for certain functionalities.

Main idea: Find ways to disallow SOA-K type attacks in the definition of SS.

NON-ADAPTIVE SECURITY FOR FE [O’10]

Adversary only allowed key derivation queries before seeing challenge ciphertexts. E.g. non-adaptive IND:

(mpk,msk)Setup(1k

)b{0,1}ska1

Kder(msk,a1)

a1

ska1cEnc(mpk,xb)c

x1 = (x1,1,…,x1,n)

x0 = (x0,1,…,x0,n)

mpk

A C

Repeats many timesska2

ska3 b’

[O’10] shows equivalence to non-adaptive SS for preimage sampleable functionalities.

OUR WORK: ALLOWING RESTRICTED ADAPTIVE QUERIES

In real-world SS game: o Say that query a is F-predictable if (all but a

negligible fraction) of x in adversary’s message space Msg have same value of F(1k,a,x).

o Say that adversary is a-posteriori F-predictable if all its queries after seeing challenge ciphertext are F-predictable.

Theorem: For any functionality with polynomial-size range, IND is equivalent to SS wrt a-posteriori F-predictable adversaries.

MORE RESULTS AND OPEN QUESTIONS

Theorem: If all queries all (both non-adaptive and adaptive) made by adversary are F-predictable then SS is equivalent to IND for all functionalities.

So, what is the right security definition for FE? Can we tweak the SS definition to get an equivalence for exactly those functionalities for which IND is “good”?

THANK YOU!Email: adam@cs.georgetown.edu