
Practical Fully Secure Inner Product Functional Encryption modulo p - PowerPoint PPT Presentation



  1. Practical Fully Secure Inner Product Functional Encryption modulo p
     Guilhem Castagnos (1), Fabien Laguillaumie (2), Ida Tucker (2)
     (1) Université de Bordeaux, INRIA, CNRS, IMB UMR 5251, F-33405 Talence, France.
     (2) Univ Lyon, CNRS, Université Claude Bernard Lyon 1, ENS de Lyon, INRIA, LIP UMR 5668, F-69007, LYON Cedex 07, France.

  2. Table of contents
     1. Functional Encryption (FE)
     2. The Inner Product Functionality
     3. Framework
     4. Inner Product Functional Encryption mod p from HSM

  3. Functional Encryption (FE)

  8. Functional Encryption [BSW11]
     • Auth.: Setup → $(mpk, msk)$
     • Alice ($m$, $mpk$): $C = \mathrm{Enc}(mpk, m)$, sent to Bob
     • Bob (function $F$): receives $sk_F = \mathrm{KeyDer}(msk, F)$ from Auth.
     • Bob: $\mathrm{Dec}(sk_F, C) \to F(m)$
     Bob only learns $F(m)$.

  10. FE Security – Indistinguishability
      • Challenger runs Setup of the FE scheme → $(mpk, msk)$ and gives $mpk$ to $\mathcal{A}$
      • $\mathcal{A}$ queries the KeyDer oracle: $F_1, F_2, \dots$ → $sk_{F_1}, sk_{F_2}, \dots$
      • $\mathcal{A}$ sends $m_0, m_1$
      • Challenger: $b^* \xleftarrow{\$} \{0, 1\}$, $C^* = \mathrm{Enc}(mpk, m_{b^*})$, returns $C^*$
      • $\mathcal{A}$ queries the KeyDer oracle: $F_q, F_{q+1}, \dots$ → $sk_{F_q}, sk_{F_{q+1}}, \dots$
      • $\mathcal{A}$ outputs $b$
      $b = b^*$ and $\forall i,\ F_i(m_0) = F_i(m_1)$

  13. Limits of General Functional Encryption
      Constructions of FE for general functions exist, but are not practical [SS10, GVW12, GKP+13a, GKP+13b, ABSV15, Wat15, BGJS16, GGHZ16]
      ⇒ Linear Functions: simple with many applications
      • Understand general FE
      • Statistical analysis on encrypted data
      • Evaluation of polynomials over encrypted data [KSW08]
      • Constructing trace-and-revoke systems [ABP+17]
      • etc.

  14. The Inner Product Functionality

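  15. The inner product functionality
      • Auth.: Setup → $(mpk, msk)$; gives $\vec{x}, sk_{\vec{x}}$ to Bob
      • Alice ($\vec{y}$): $C = \mathrm{Enc}(mpk, \vec{y})$, sent to Bob
      • Bob: $\langle \vec{x}, \vec{y} \rangle = \mathrm{Dec}(sk_{\vec{x}}, C)$
      $F_{\vec{x}} : R^\ell \to R$, $\vec{y} \mapsto \langle \vec{x}, \vec{y} \rangle$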

  16. Previous work
      • PKC 2015, [ABDP15]: First IPFE schemes, from LWE and DDH, only selectively secure.
      • Crypto 2016, [ALS16]: Full security, from LWE, DDH and DCR.
      • 2016, [ABCP16]: Full security, less efficient than [ALS16].
      • PKC 2017, [BBL17]: Generic constructions from HPS.
      Schemes mod p do not recover large inner products or are inefficient.
      • Asiacrypt 2018, This work: IPFE mod p, adaptive security, no restriction on size and efficient!

  18. Framework

  19. Framework (sketch) [CL15]
      Group with an easy discrete logarithm (DL) subgroup
      • $G = \langle g \rangle$ cyclic group of order $p \cdot s$ such that $\gcd(p, s) = 1$.
        • $p$ large prime
        • $s$ unknown
      • $F = \langle f \rangle$ subgroup of $G$ of order $p$.
      • $G^p = \langle g_p \rangle = \{x^p, x \in G\}$ subgroup of $G$ of order $s$, $G = F \times G^p$.
      • DL is easy in $F$ (DL: given $f$ and $h = f^x$, find $x \in \mathbb{Z}/p\mathbb{Z}$)

  20. New Assumption
      Hard Subgroup Membership problem (HSM): Hard to distinguish $p$-th powers in $G$
      $\{x \xleftarrow{\$} G\} \approx_c \{x \xleftarrow{\$} G^p\}$.

  21. Analogy to Paillier's cryptosystem
      Paillier's framework
      • Message space $\mathbb{Z}/N\mathbb{Z}$ with $N$ RSA modulus
      • Relies on Paillier's DCR assumption
      • e.g. distinguishing $N$th powers in $\mathbb{Z}/N^2\mathbb{Z}$
      Our framework
      • Messages encoded in $\mathbb{Z}/p\mathbb{Z}$ with $p$ prime
      • Relies on HSM assumption
      • e.g. distinguishing $p$th powers in $G$ of order $p \cdot s$
      • Size of $p$ independent of security parameter
      • Instantiation: class groups of an imaginary quadratic field [CL15]

  23. Sampling exponents
      Problem: $s$ unknown, so orders of $G^p$ and $G$ unknown ⇒ Cannot sample uniformly from $G$ or $G^p$!
      Solution: Use upper bound $\tilde{s}$ of $s$ to instantiate distributions $\mathcal{D}$ and $\mathcal{D}_p$ s.t.
      $\{g^x, x \hookleftarrow \mathcal{D}\} \approx U(G)$ and $\{g_p^x, x \hookleftarrow \mathcal{D}_p\} \approx U(G^p)$
      In practice: Folded gaussian distributions with large standard deviation
      ⇒ better efficiency (shorter exponents) than folded uniforms

  24. Inner Product Functional Encryption mod p from HSM

  30. IPFE scheme mod p from HSM (simplified)
      Setup
      • For $i = 1, \dots, \ell$ do $t_i \hookleftarrow \mathcal{D}$ and $h_i = g_p^{t_i}$
      • $msk = \vec{t}$ and $mpk = (h_1, \dots, h_\ell)$
      Enc
      • Plaintext: $\vec{y} = (y_1, \dots, y_\ell) \in (\mathbb{Z}/p\mathbb{Z})^\ell$
      • Sample $r \hookleftarrow \mathcal{D}_p$
      • Ciphertext: $\vec{C} = (C_0 = g_p^r,\ C_1 = f^{y_1} \cdot h_1^r,\ \dots,\ C_\ell = f^{y_\ell} \cdot h_\ell^r)$
      KeyDer
      • Input: $\vec{x} = (x_1, \dots, x_\ell) \in (\mathbb{Z}/p\mathbb{Z})^\ell$
      • Output key: $sk_{\vec{x}} = \langle \vec{t}, \vec{x} \rangle$
      Dec
      • From $\vec{C}$, $\vec{x}$ and $sk_{\vec{x}}$:
        $\prod_{i=1}^{\ell} C_i^{x_i} = \prod_{i=1}^{\ell} (f^{y_i} \cdot h_i^r)^{x_i} = f^{\sum_{i=1}^{\ell} y_i x_i} \cdot g_p^{r \cdot \sum_{i=1}^{\ell} t_i x_i}$
      • $\langle \vec{x}, \vec{y} \rangle \bmod p$
