Functional Encryption: Beyond Public Key Cryptography
Brent Waters
SRI International

2. Protect Private Data
• Payment Card Industry (PCI)
• Health Care
• Web Services

3. Access Control

4. Security Breaches
Physical Media Loss:
• 25 million U.K. citizens (Nov. 2007)
Intrusion:
• 45 Million Cards Stolen (Dec. 2006)

5. Access Control by Encryption
Idea: Need secret key to access data, e.g. PCI Standards
[Diagram label: SK]

6. Realistic Data Sharing
Problem: Disconnect between policy and mechanism
[Diagram: policy Professor OR (CS255-TA AND PhD); "?"]
Kelly: “Professor” “Admissions”
Sarah: “CS255-TA” “PhD”
• Burden on provider

7. A Fundamental Gap
[Diagram: policy Professor OR (CS255-TA AND PhD)]
Complex Infrastructure
• Key Lookup
• Group Key Management
• Online-Service
• Complex
• Several Keys

8. A New Vision
[Diagram: policy Professor OR (CS255-TA AND PhD), reached through Functional Encryption instead of Complex Infrastructure]

9. Functional Encryption: A New Perspective
Public Parameters
Access Predicate: f( )
[Diagram labels: f( ), SK]
Cred. = X
If f(X) = 1

10. Why Functional Encryption?
Late Binding Access Control: e.g. Network Logs

11. Why Functional Encryption?
Late Binding Access Control: e.g. Network Logs
2ef92a295cbb98bc39dea94c...   SRC IP=123.12.6.8   Date=12/5/07
• Encrypt packet payload, tag with metadata
SK: Src:123.3.4.77 AND Date: 12/5/07
• Distribute capabilities later

12. Why Functional Encryption?
Scalability and Robustness: Personal Storage Devices
Availability vs. Security

13. Why Functional Encryption?
Efficiency:
[Diagram labels: OR, Dean Eng., AND, Professor C.S.; "vs."]
Scales with policy complexity

14. Why Functional Encryption?
Receiver Privacy:
[Diagram labels: AND, ACLU, ?, Salary 1M]

15. A New Vision for Encryption Systems
• Secure Internet Connections (Public Key Exchange)
• Online Software Updates (Digital Signatures)
• Retrospect: Public vs. Secret Key Cryptography
• The next step forward

16. Functional Encryption for Formulas [SW05]
[Diagram: a Key Authority holding PK and MSK issues an SK for “CS255-TA” “PhD” and an SK for “CS255-TA” “Undergrad”; ciphertexts carry the policy Professor OR (CS255-TA AND PhD)]
Line of Research: [SW05, GPSW06, PTMW06, BSW07, BW07, OSW07, KSW08]

18. A First Approach
Question: Can we build functional encryption from standard techniques?
Attempt: Public Key Encryption + Secret Sharing

19. Secret Sharing [S78, B78, BL86]
[Diagram: access tree A OR (B AND C) with secret s at the root]
$\lambda_A = s$, $\lambda_B = r$, $\lambda_C = s - r$
• Ideas extend to more complex sharings
• Use finite field, e.g. $Z_p$

20. A First Approach
Combine S.S. and PKE
SK Sarah: “A”
SK Kevin: “B”
[Diagram: policy A AND B; keys PK_A, SK_A, PK_B, SK_B; ciphertext E_A(R), E_B(M-R); R ? M-R; M]
Collusion Attack!

21. Collusion Attacks: The Key Threat
Kevin: “CS255-TA” “Undergrad”
James: “PhD” “Graphics”
[Diagram: policy Professor OR (CS255-TA AND PhD)]
Need: Key “Personalization”
Tension: Functionality vs. Personalization

22. Elliptic Curve Techniques
G: multiplicative group of prime order p. (Analogy: $Z_q^*$)
High Level: Single Multiplication
Key for satisfying functionality + personalization
Bilinear map $e: G \times G \to G_T$
$e(g^a, g^b) = e(g, g)^{ab}$ for all $a, b \in Z_p$, $g \in G$
Intuitive Hardness
Discrete Log: Given: $g, g^a$. Hard to get: $a$

23. System Setup

24. Key Generation
SK
‘t’ ties components together
Personalization!

25. Key Personalization (Intuition)
SK Kevin: “CS255-TA” … (Random t)
SK James: “PhD” … (Random t’)
Components are incompatible
(Formal security proofs in papers)

26. Encryption
M
[Diagram: access tree y1 OR (y2 AND y3)]
n leaf nodes y1, ..., yn
f( ) =
$\lambda_1 = s$, $\lambda_2 = r$, $\lambda_3 = s - r$ (secret s)
CT:

27. Making it work
CT:
Goal: Compute and cancel to get M
“CS255-TA” “PhD”
Message Randomization

28. Making it work
CT:
“CS255-TA” “PhD”
SK:
Message Randomization
Personalized Randomization
New goal: Personalized to user
Use Bilinear Map for Decryption

29. Making it work
[Diagram: policy Professor OR (CS255-TA AND PhD); key for “CS255-TA” “PhD”]
• Shares are personalized (Use Bilinear-Map)
• Linearly Combine Personalized Randomization

30. Security
Theorem: System is (semantically) secure under chosen key attack
Number Theoretic Assumption: Bilinear Diffie-Hellman Exponent [BBG05]

31. Impact
Line of Research: [SW05, GPSW06, PTMW06, BSW07, BW07, OSW07, KSW08]
IBE: [S84, BF01, C01]
Other Functional Encryption Work: [ACDMS06, C07, CCKN07, CN07, SBCDP07, TBEM08]

32. Impact
• Advanced Crypto Software Collection
    $ cpabe-setup
    $ cpabe-keygen -o sarah_priv_key pub_key master_key \
        sysadmin it_dept 'office = 1431' 'hire_date = 2002'
• Attribute-Based Messaging (UIUC)
• Group Key Management [CCKN07]
• Large Scale Content Distribution [TBEM08]
• Future NIST Standardization

33. Beyond Access Control
Access Control: All or nothing access
[Diagram: policy Professor OR (CS255-TA AND PhD)]
Bigger Idea: Functions over encrypted data
• Only learn function’s output
Compute Average
15th highest score
Challenge: Oblivious Evaluation
Only single keyword predicates [SWP00, BDOP04, BW06]

34. Beyond Access Control
Complex Predicates over data [KSW08]:
SK
Idea: Inner Product Functionality (Multiplication of Bilinear Map)
CT:
Functionality: Polynomial Equations
From=bob@yahoo.com OR From=alice@yahoo.com
Can’t tell why matched!

35. Medical Studies
Collect DNA + medical information
AGTACCA...
Future: Database of sequenced genome
Gene: TCF2 = AT AND Prostate Cancer
Limit Privacy Loss

36. Functional Encryption Summary
[Diagram: Complex Infrastructure; policy Professor OR (CS255TA AND PhD)]
• Tension: Functionality vs. Personalization [SW05, GPSW06, PTMW06, BSW07, OSW07]
• Going Beyond Access Control [BW06, BW07, KSW08]
• Fundamental Change: Public Key Cryptography

37. Thank you
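
Added example (not part of the original slides): the secret sharing of slide 19 and the "PKE + secret sharing" first approach of slide 20, run against the policy and the users Kevin and James from slide 21 to show the collusion. The toy ElGamal standing in for the PKE, the parameters P and G, and all function names are assumptions made for this illustration.

```python
import secrets

P, G = 2**127 - 1, 3  # prime share field Z_p, reused as toy ElGamal modulus (demo only)

def share(policy, s, out):
    """Split s down the tree: OR copies s, AND splits it as r and s - r."""
    if isinstance(policy, str):          # leaf; each attribute appears once
        out[policy] = s
    elif policy[0] == "OR":
        for child in policy[1:]:
            share(child, s, out)
    else:                                # ("AND", left, right)
        r = secrets.randbelow(P)
        share(policy[1], r, out)
        share(policy[2], (s - r) % P, out)
    return out

def reconstruct(policy, shares):
    """Return the secret if the held shares satisfy the policy, else None."""
    if isinstance(policy, str):
        return shares.get(policy)
    parts = [reconstruct(c, shares) for c in policy[1:]]
    if policy[0] == "OR":
        return next((p for p in parts if p is not None), None)
    return None if None in parts else sum(parts) % P

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)               # (SK, PK) for one attribute

def enc(pk, m):
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), m * pow(pk, k, P) % P
def dec(sk, ct):
    return ct[1] * pow(ct[0], -sk, P) % P

def strawman_encrypt(policy, pks, m):    # one ciphertext per leaf share: E_A(R), E_B(M-R)
    return {a: enc(pks[a], lam) for a, lam in share(policy, m, {}).items()}

def strawman_decrypt(policy, sks, ct):
    return reconstruct(policy, {a: dec(sk, ct[a]) for a, sk in sks.items()})

def demo(m=424242):
    policy = ("OR", "Professor", ("AND", "CS255-TA", "PhD"))
    keys = {a: keygen() for a in ("Professor", "CS255-TA", "PhD")}
    ct = strawman_encrypt(policy, {a: k[1] for a, k in keys.items()}, m)
    kevin = {"CS255-TA": keys["CS255-TA"][0]}   # his "Undergrad" is not in the policy
    james = {"PhD": keys["PhD"][0]}             # his "Graphics" is not in the policy
    return [strawman_decrypt(policy, s, ct) for s in (kevin, james, {**kevin, **james})]
```

`demo()` returns `None` for Kevin alone and for James alone, and the message once their keys are pooled: per-attribute keys are identical for every holder, so nothing binds the shares to one user, which is the gap the per-key randomness t of slides 24 and 25 closes.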