Encry ryption for Quadratic Functions wit ith Applications to - PowerPoint PPT Presentation

Practical Functional Encry ryption for Quadratic Functions wit ith Applications to Predicate Encry ryption Carmen Elisabetta Zaira Baltico Università di Catania Dario Catalano Università di Catania Dario Fiore IMDEA Romain Gay (speaker) ENS

FE [Boneh, , Sahai, Waters 11] Alice Bob f(m) m

FE [Boneh, , Sahai, Waters 11] Setup msk KeyGen pk sk f Alice Bob sk f → f(m) m

FE [Boneh, , Sahai, Waters 11] Setup msk KeyGen pk sk f , sk g Alice Bob sk f → f(m) m Carl sk g → g(m)

FE [Boneh, , Sahai, Waters 11] Setup msk KeyGen pk sk f , sk g Alice Bob sk f → f(m) m Carl sk g → g(m) Collusion Adv Only learns f m , g(m)

FE [Boneh, , Sahai, Waters 11] Setup msk KeyGen pk sk f , sk g Alice Bob sk f → f(m) m 0 ≈ 𝑑 Carl m 1 sk g → g(m) f m 0 = f m 1 Collusion Adv g m 0 = g m 1

Pri rior works on FE Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH 𝑜 𝑛 = Ԧ 𝑦 ∈ ℤ 𝑞 𝑜 ct size = 𝑃(𝑜) 𝑔 = Ԧ 𝑧 ∈ ℤ 𝑞 𝑦 𝑈 Ԧ 𝑔 𝑛 = Ԧ 𝑧 ∈ ℤ 𝑞

Our work on FE Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings 𝑜 × ℤ 𝑞 𝑛 𝑛 = 𝑦, Ԧ Ԧ 𝑧 ∈ ℤ 𝑞 ct size = 𝑃(𝑜 + 𝑛) 𝑜×𝑛 𝑔 = 𝑔 𝑗,𝑘 𝑗∈ 𝑜 ,𝑘∈[𝑛] ∈ ℤ 𝑞 𝑦 𝑈 𝑔 Ԧ 𝑔 𝑛 = Ԧ 𝑧 = ෍ 𝑦 𝑗 𝑔 𝑗,𝑘 𝑧 𝑘 ∈ ℤ 𝑞 𝑗∈ 𝑜 ,𝑘∈[𝑛]

Our work on FE Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings 𝑜 × ℤ 𝑞 𝑛 𝑛 = 𝑦, Ԧ Ԧ 𝑧 ∈ ℤ 𝑞 ct size = 𝑃(𝑜 + 𝑛) 𝑜×𝑛 𝑔 = 𝑔 𝑗,𝑘 𝑗∈ 𝑜 ,𝑘∈[𝑛] ∈ ℤ 𝑞 vs ct size = 𝑃(𝑜 ⋅ 𝑛) 𝑦 𝑈 𝑔 Ԧ 𝑔 𝑛 = Ԧ 𝑧 = ෍ 𝑦 𝑗 𝑔 𝑗,𝑘 𝑧 𝑘 ∈ ℤ 𝑞 with [ABDP 15] 𝑗∈ 𝑜 ,𝑘∈[𝑛]

In Independent works on FE Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Quadratic: Private/public key: [AS 17] private [Lin 17] private Our work public

In Independent works on FE Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Quadratic: Private/public Function- key: hiding: [AS 17] private [Lin 17] private Our work public -

In Independent works on FE Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Quadratic: Private/public Function- Assumption: key: hiding: [AS 17] private GGM [Lin 17] private SXDH Our work public - SXDH & 3-PDDH Our work public - GGM

In Independent works on FE Construction: Functions: Assumption: [GGHRSW 13,…] any circuit iO [ABDP 15] inner product DDH Our work quadratic pairings Quadratic: Private/public Function- Assumption: Security: key: hiding: [AS 17] private GGM SEL-IND [Lin 17] private SXDH SEL-IND Our work public - SXDH & 3-PDDH SEL-IND Our work public - GGM AD-IND

Application to Predicate Encry ryption 𝑜 × ℤ 𝑞 𝑛 𝑛 = plaintext, Ԧ 𝑦, Ԧ 𝑧 ∈ ℤ 𝑞 𝑦 𝑈 𝑔 Ԧ 𝑔 𝑛 = plaintext iff Ԧ 𝑧 = 0 Our work: ct size = 𝑃(𝑜 + 𝑛) vs ct size = 𝑃(𝑜 ⋅ 𝑛) [KSW 08]:

FE for quadratic fu functions 𝑜 × ℤ 𝑞 𝑛 → Ԧ 𝑦 𝑈 𝑔 Ԧ FE 𝑔: 𝑦, Ԧ Ԧ 𝑧 ∈ ℤ 𝑞 𝑧 ∈ ℤ 𝑞 Enc 𝑞𝑙, ( Ԧ 𝑦, Ԧ 𝑧) Enc(𝑞𝑙, Ԧ 𝑧) Enc(𝑞𝑙, Ԧ 𝑦) = , size 𝑃(𝑜) size 𝑃(𝑛) 𝑔 in 𝔿 in 𝔿 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 Enc(𝑞𝑙 𝑔 , 𝑔( Ԧ 𝑦, Ԧ 𝑧)) 𝑓 𝑕 𝑏 , 𝑕 𝑐 = 𝑓 𝑕, 𝑕 𝑏𝑐 in 𝔿 𝑈

Outline 1 Private-key FE, GGM 2 Public-key FE, GGM 3 Public-key FE, from standard assumptions

Pri rivate-key FE, , GGM GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑛𝑡𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2

Pri rivate-key FE, , GGM GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑛𝑡𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2 𝑦 𝑗 𝑧 𝑘 + 𝑠 𝑗 𝑡 𝑘 T

Pri rivate-key FE, , GGM GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑛𝑡𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2 𝑜×𝑛 ∀𝑔 ∈ ℤ 𝑞 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝑔(Ԧ 𝑠, Ԧ 𝑡) T = 𝑡𝑙 𝑔

Pri rivate-key FE, , GGM GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑛𝑡𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2 𝑜×𝑛 ∀𝑔 ∈ ℤ 𝑞 𝑡𝑙 𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡 𝑈 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝑔(Ԧ 𝑠, Ԧ 𝑡) T = 𝑡𝑙 𝑔

Pri rivate-key FE, , GGM GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑛𝑡𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 𝐹𝑜𝑑(𝑛𝑡𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2 𝑜×𝑛 ∀𝑔 ∈ ℤ 𝑞 𝑡𝑙 𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡 𝑈 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝑔(Ԧ 𝑠, Ԧ 𝑡) T ∀𝑔 ∈ Collusion = 𝑡𝑙 𝑔

Public-key FE, , GGM GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑞𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 𝐹𝑜𝑑(𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2 𝑡𝑙 𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡 𝑈

Public-key FE, , GGM GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑞𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 𝐹𝑜𝑑(𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2 𝑡𝑙 𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡

Public-key FE, , GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑞𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 [𝜏] 𝐹𝑜𝑑(𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝜏𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 , 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2 , 𝜏 ← 𝑆 ℤ 𝑞 𝑜×𝑛 ∀𝑔 ∈ ℤ 𝑞 𝑡𝑙 𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝜏𝑔(Ԧ 𝑠, Ԧ 𝑡) T = 𝑓( 𝜏 , 𝑡𝑙 𝑔 )

Public-key FE, , GGM 𝑓: 𝔿 × 𝔿 → 𝔿 𝑈 of order 𝑞 . 𝑏 = 𝑕 𝑏 𝑞𝑙 = 𝑠 𝑗 , 𝑡 for 𝑗 ∈ 𝑜 , 𝑘 ∈ [𝑛] 𝑘 𝑗 𝑋 , 𝑋 −1 𝑧 𝑘 [𝜏] 𝐹𝑜𝑑(𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 ) = 𝑦 𝑗 , 𝜏𝑠 for 𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 , 𝑡 𝑘 for 𝑋 ← 𝑆 𝐻𝑀 2 , 𝜏 ← 𝑆 ℤ 𝑞 𝑜×𝑛 ∀𝑔 ∈ ℤ 𝑞 𝑡𝑙 𝑔 = 𝑔 Ԧ 𝑠, Ԧ 𝑡 𝑔( Ԧ 𝑦, Ԧ 𝑧) + 𝜏𝑔(Ԧ 𝑠, Ԧ 𝑡) T ∀𝑔 ∈ Collusion = 𝑓( 𝜏 , 𝑡𝑙 𝑔 )

Public-key FE, , standard DPVS [OT 08] 𝑡 Ԧ 𝑘 𝑈 , 0 𝑊], 𝑊 −1 𝑠 𝑗 , 𝑡 𝑘 ⇒ (Ԧ 𝑠 𝑗 0 𝑈 Ԧ 𝑡𝑙 𝑔 = ෍ 𝑔 𝑗,𝑘 𝑠 𝑗 𝑡 𝑘 ⇒ ෍ 𝑔 𝑗,𝑘 Ԧ 𝑠 𝑡 𝑗 𝑘 𝑗,𝑘 𝑗,𝑘

Public-key FE, , standard DPVS [OT 08] 𝑡 𝑘 Ԧ 𝑈 , 𝑦 𝑗 𝑊], 𝑊 −1 𝑠 𝑗 , 𝑡 𝑘 ⇒ (Ԧ 𝑠 𝑗 𝑧 𝑘 𝑈 Ԧ 𝑡𝑙 𝑔 = ෍ 𝑔 𝑗,𝑘 𝑠 𝑗 𝑡 𝑘 ⇒ ෍ 𝑔 𝑗,𝑘 Ԧ 𝑠 𝑡 𝑘 + 𝑔( Ԧ 𝑦, Ԧ 𝑧) 𝑗 𝑗,𝑘 𝑗,𝑘 DLIN assumption

Public-key FE, , standard 𝑡 Ԧ 𝑘 𝑈 , 0 𝑊], 𝑊 −1 𝑞𝑙 = (Ԧ 𝑠 ∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 𝑗 0 𝑧 𝑘 𝑈 , 0) 𝑋 , 𝑋 −1 𝐹𝑜𝑑 𝑞𝑙, Ԧ 𝑦, Ԧ 𝑧 = 𝑦 𝑗 , 𝜏(Ԧ 𝑠 , [𝜏] ∀𝑗 ∈ 𝑜 , 𝑘 ∈ 𝑛 𝑡 𝑘 Ԧ 𝑗 0 for 𝑋 ← 𝑆 𝐻𝑀 4 , 𝜏 ← 𝑆 ℤ 𝑞 𝑈 Ԧ 𝑡𝑙 𝑔 = ෍ 𝑔 𝑗,𝑘 Ԧ 𝑠 𝑡 𝑗 𝑘 𝑗,𝑘