title | filename | chapternum |
---|---|---|
Obfuscation II: applications |
lec_22_obfuscation_part2 |
21 |
Fully homomorphic encryption is an extremely powerful notion, but it does not allow us to obtain fine control over the access to information. With the public key you can do all sorts of computation on the encrypted data, but you still do not learn it, while with the private key you learn everything. But in many situations we want fine grained access control: some people should get access to some of the information for some of the time. This makes the "all or nothing" nature of traditional encryptions problematic. While one could still implement such access control by interacting with the holder(s) of the secret key, this is not always possible.
The most general notion of an encryption scheme allowing fine control is known as functional encryption, as was described in the previous lecture.
This can be viewed as an object dual to Fully Homomorphic Encryption, and incomparable to it.
For every function
In this lecture we will focus on a weaker notion known as identity based encryption (IBE). Unlike the case of full fledged functional encryption, there are fairly efficient constructions known for IBE.
In a sense, functional encryption or IBE is all about selective leaking of information. That is, in some sense we want to modify an encryption scheme so that it actually is "less secure" in some very precise sense, so that it would be possible to learn something about the plaintext even without knowing the (full) decryption key.
There is actually a history of cryptographic technique meant to support such operations.
Perhaps the "mother" of all such "quasi encryption" schemes is the modular exponentiation operation
More generally, even in the private key setting, people have studied encryption schemes such as
-
Deterministic encryption : an encryption scheme that maps
$x$ to$E(x)$ in a deterministic way. This cannot be semantically secure in general but can be good enough if the message$x$ has high enough entropy or doesn't repeat and allows to check if two encryptions encrypt the same object. (We can also do this by publishing a hash of$x$ under some secret salt.) -
Order preserving encryption: is an encryption scheme mapping numbers in some range
${1,\ldots, N }$ to ciphertexts so that given$E(x)$ and$E(y)$ one can efficiently compare whether$x<y$ . This is quite problematic for security. For example, given$poly(t)$ random such encryptions you can more or less know where they lie in the interval up to$(1 \pm 1/t)$ multiplicative factor.. -
Searchable encryption: is a generalization of deterministic encryption that allows some more sophisticated searchers (such as not only exact match).
Some of these constructions can be quite efficient. In particular the system CryptDB developed by Popa et al uses these kinds of encryptions to automatically turn a SQL database into one that works on encrypted data and still supports the required queries. However, the issue of how dangerous the "leakage" can be is somewhat subtle. See this paper and blog post claiming weaknesses in practical use cases for CryptDB, as well as this response by the CryptDB authors.
While the constructions of IBE and functional encryption often use maps such as
The standard exponentiation mapping
Pairing based cryptography begins with the observation that in some elliptic curve groups we can use a map based on the so called Weil or Tate pairings.
The idea is that we have an efficiently computable isomorphism from a group
The Pairing Diffie Hellman Assumption is that we can find two such groups
We now show an IBE construction due to Boneh and Franklin1 how we can obtain from the pairing diffie hellman assumption an identity based encryption:
-
Master key generation: We generate
$\mathbb{G}_1,\mathbb{G}_2,g$ as above, choose$a$ at random in${0,\ldots,|\mathbb{G}|-1}$ . The master private key is$a$ and the master public key is$\mathbb{G}_1,\mathbb{G}_2,g,h=g^a$ . We let$H:{0,1}^*\rightarrow\mathbb{G}_1$ and$H':\mathbb{G}_2\mapsto{0,1}^\ell$ be two hash functions modeled as random oracles. -
Key distribution: Given an arbitrary string
$id\in{0,1}^*$ , we generate the decryption key corresponding to$id$ , as$d_{id} = H(id)^a$ . -
Encryption: To encrypt a message
$m\in{0,1}^\ell$ given the public paramters and some id$id$ , we choose$c\in {0,\ldots,|\mathbb{G}|-1}$ , and output$g^c,H'(id|\varphi(h,H(id))^c) \oplus m$ -
Decryption: Given the secret key
$d_{id}$ and a ciphertext$h',y$ , we output$H'(id|\varphi(d_{id},h'))\oplus x$
Correctness: We claim that
Security: To prove security we need to first present a definition of IBE security. The definition allows the adversary to request keys corresponding to arbitrary identities, as long as it does not ask for keys corresponding to the target identity it wants to attack. There are several variants, including CCA type of security definitions, but we stick to a simple one here:
Definition: An IBE scheme is said to be CPA secure if every efficient adversary Eve wins the following game with probability at most
- The keys are generated and Eve gets the master public key.
- For
$i=1,\ldots,T=poly(n)$ , Eve chooses an identity$id_i \in {0,1}^*$ and gets the key$d_{id}$ . - Eve chooses an identity
$id^* \not\in {id_1,\ldots,id_T}$ and two messages$m_0,m_1$ . - We choose
$b\leftarrow_R{0,1}$ and Eve gets the encryption of$m_b$ with respect to the identity$id^*$ . - Eve outputs
$b'$ and wins if$b'=b$ .
Theorem: If the pairing Diffie Hellman assumption holds and
Proof: Suppose for the sake of contradiction that there exists some time
We will build an algorithm
The algorithm
-
When
$A$ makes a query to$H$ with$id$ , then for all but the$i_0^{th}$ queries,$B$ will chooose a random$b_{id} \in {0,\ldots, |\mathbb{G}|}$ (as usual we'll assume$|\mathbb{G}|$ is prime), choose$e_{id}=g^{b_{id}}$ and define$H(id)=e_{id}$ . Let$id_0$ be the$i_0^{th}$ query$A$ made to the oracle. We define$H(i_0)=g^b$ (where$g^b$ is the input to$B$ - recall that$B$ does not know$b$ .) -
When
$A$ makes a query to the key distribution oracle with$id$ then if$id\neq id_0$ then$B$ will then respond with$d_{id}=(g^a)^{b_{id}}$ . If$id = id_0$ then$B$ aborts and fails. -
When
$A$ makes a query to the$H'$ oracle with input$id'|\hat{h}$ then for all but the$j_0^{th}$ query$B$ answers with a random string in${0,1}^\ell$ . In the$j_0^{th}$ query, if$id' \neq id_0$ then$B$ stops and fails. Otherwise, it outputs$\hat{h}$ . -
$B$ does stops the simulation and fails if we get to the challenge part.
It might seem weird that we stop the simulation before we reach the challenge part, but the correctness of this reduction follows from the following claim:
Claim: In the actual attack game, with probability at least
Proof: If
Given this claim, to prove the theorem we just need to observe that, assuming it does not fail,
Boneh and Silverberg asked the question of whether we could go beyond quadratic polynomials and get schemes that allow us to compute higher degree.
The idea is to get a multilinear map which would be a set of isomorphic groups $\mathbb{G}_1,\ldots,\mathbb{G}d$ with generators $g_1,\ldots,g_d$ such that we can map $g_i^a$ and $g_j^b$ to $g{i+j}^{ab}$.
This way we would be able to compute any degree
We will now show how using such a multilinear map we can get a construction for a witness encryption scheme. We will only show the construction, without talking about the security definition, the assumption, or security reductions.
Given some circuit Exact Cover
problem is NP complete to map
The first candidate construction for a multilinear map was given by Garg, Gentry and Halevi.
It is based on computational questions on lattices and so (perhaps not surprisingly) it involves significant complications due to noise.
At a very high level, the idea is to use a fully homomorphic encryption scheme that can evaluate polynomials up to some degree
Footnotes
-
The construction we show was first published in the CRYPTO 2001 conference. The Weil and Tate pairings were used before for cryptographic attacks, but were used for a positive cryptographic result by Antoine Joux in his 2000 paper getting a three-party Diffie Hellman protocol and then Boneh and Franklin used this to obtain an identity based encryption scheme, answering an open question of Shamir. At approximately the same time as these papers, Sakai, Ohgishi and Kasahara presented a paper in the SCIS 2000 conference in Japan showing an identity-based key exchange protocol from pairing. Also Clifford Cocks (who as we mentioned above in the 1970's invented the RSA scheme at GCHQ before R,S, and A did), also came up in 2001 with a different identity-based encryption scheme using the quadratic residuosity assumption. ↩