Functional encryption

Functional encryption
General
Designers	Amit Sahai Brent Waters, Dan Boneh, Shafi Goldwasser, Yael Kalai
Derived from	Public-key encryption
Related to	Homomorphic encryption

Last updated September 05, 2023

Functional encryption (FE) is a generalization of public-key encryption in which possessing a secret key allows one to learn a function of what the ciphertext is encrypting.

Formal definition

More precisely, a functional encryption scheme for a given functionality $f$ consists of the following four algorithms:

$({\text{pk}},{\text{msk}})\leftarrow {\textsf {Setup}}(1^{\lambda })$ : creates a public key ${\text{pk}}$ and a master secret key ${\text{msk}}$ .
${\text{sk}}\leftarrow {\textsf {Keygen}}({\text{msk}},f)$ : uses the master secret key to generate a new secret key ${\text{sk}}$ for the function $f$ .
$c\leftarrow {\textsf {Enc}}({\text{pk}},x)$ : uses the public key to encrypt a message $x$ .
$y\leftarrow {\textsf {Dec}}({\text{sk}},c)$ : uses secret key to calculate $y=f(x)$ where $x$ is the value that $c$ encrypts.

The security of FE requires that any information an adversary learns from an encryption of $x$ is revealed by $f(x)$ . Formally, this is defined by simulation.^[1]

Applications

Functional encryption generalizes several existing primitives including Identity-based encryption (IBE) and attribute-based encryption (ABE). In the IBE case, define $F(k,x)$ to be equal to $x$ when $k$ corresponds to an identity that is allowed to decrypt, and $\perp$ otherwise. Similarly, in the ABE case, define $F(k,x)=x$ when $k$ encodes attributes with permission to decrypt and $\perp$ otherwise.

History

Functional encryption was proposed by Amit Sahai and Brent Waters in 2005^[2] and formalized by Dan Boneh, Amit Sahai and Brent Waters in 2010.^[3] Until recently, however, most instantiations of Functional Encryption supported only limited function classes such as boolean formulae. In 2012, several researchers developed Functional Encryption schemes that support arbitrary functions.^[1]^[4]^[5]^[6]

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest, that is widely used for secure data transmission. The acronym "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ) by the English mathematician Clifford Cocks. That system was declassified in 1997.

ID-based encryption, or identity-based encryption (IBE), is an important primitive of ID-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user. This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver's name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message $, and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length. This concept is the computational complexity analogue to Shannon's concept of perfect secrecy. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted.$

Ciphertext indistinguishability is a property of many encryption schemes. Intuitively, if a cryptosystem possesses the property of indistinguishability, then an adversary will be unable to distinguish pairs of ciphertexts based on the message they encrypt. The property of indistinguishability under chosen plaintext attack is considered a basic requirement for most provably secure public key cryptosystems, though some schemes also provide indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack. Indistinguishability under chosen plaintext attack is equivalent to the property of semantic security, and many cryptographic proofs use these definitions interchangeably.

Hidden Fields Equations (HFE), also known as HFE trapdoor function, is a public key cryptosystem which was introduced at Eurocrypt in 1996 and proposed by (in French)Jacques Patarin following the idea of the Matsumoto and Imai system. It is based on polynomials over finite fields $of different size to disguise the relationship between the private key and public key. HFE is in fact a family which consists of basic HFE and combinatorial versions of HFE. The HFE family of cryptosystems is based on the hardness of the problem of finding solutions to a system of multivariate quadratic equations since it uses private affine transformations to hide the extension field and the private polynomials. Hidden Field Equations also have been used to construct digital signature schemes, e.g. Quartz and Sflash.$

Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.

Integrated Encryption Scheme (IES) is a hybrid encryption scheme which provides semantic security against an adversary who is able to use chosen-plaintext or chosen-ciphertext attacks. The security of the scheme is based on the computational Diffie–Hellman problem.
Two variants of IES are specified: Discrete Logarithm Integrated Encryption Scheme (DLIES) and Elliptic Curve Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two variants are identical up to the change of an underlying group.

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and out-sourced to commercial cloud environments for processing, all while encrypted.

Secure two-party computation (2PC) a.k.a. Secure function evaluation is sub-problem of secure multi-party computation (MPC) that has received special attention by researchers because of its close relation to many cryptographic tasks. The goal of 2PC is to create a generic protocol that allows two parties to jointly compute an arbitrary function on their inputs without sharing the value of their inputs with the opposing party. One of the most well known examples of 2PC is Yao's Millionaires' problem, in which two parties, Alice and Bob, are millionaires who wish to determine who is wealthier without revealing their wealth. Formally, Alice has wealth $, Bob has wealth, and they wish to compute without revealing the values or .$

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

ACE is the collection of units, implementing both a public key encryption scheme and a digital signature scheme. Corresponding names for these schemes — «ACE Encrypt» and «ACE Sign». Schemes are based on Cramer-Shoup public key encryption scheme and Cramer-Shoup signature scheme. Introduced variants of these schemes are intended to achieve a good balance between performance and security of the whole encryption system.

Attribute-based encryption is a generalisation of public-key encryption which enables fine grained access control of encrypted data using authorisation policies. The secret key of a user and the ciphertext are dependent upon attributes. In such a system, the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext.

Amit Sahai is an American computer scientist. He is a professor of computer science at UCLA and the director of the Center for Encrypted Functionalities.

Shai Halevi is a computer scientist who works on cryptography research at Amazon Web Services.

In cryptography, indistinguishability obfuscation is a type of software obfuscation with the defining property that obfuscating any two programs that compute the same mathematical function results in programs that cannot be distinguished from each other. Informally, such obfuscation hides the implementation of a program while still allowing users to run it. Formally, IO satisfies the property that obfuscations of two circuits of the same size which implement the same function are computationally indistinguishable.

HEAAN is an open source homomorphic encryption (HE) library which implements an approximate HE scheme proposed by Cheon, Kim, Kim and Song (CKKS). The first version of HEAAN was published on GitHub on 15 May 2016, and later a new version of HEAAN with a bootstrapping algorithm was released. Currently, the latest version is Version 2.1.

Brent R. Waters is an American computer scientist, specializing in cryptography and computer security. He is currently a professor of Computer Science at the University of Texas at Austin.

The Lightweight Encryption Algorithm is a 128-bit block cipher developed by South Korea in 2013 to provide confidentiality in high-speed environments such as big data and cloud computing, as well as lightweight environments such as IoT devices and mobile devices. LEA has three different key lengths: 128, 192, and 256 bits. LEA encrypts data about 1.5 to 2 times faster than AES, the most widely used block cipher in various software environments.

References

1 2 Goldwasser, Shafi; Kalai, Yael; Ada Popa, Raluca; Vaikuntanathan, Vinod; Zeldovich, Nickolai (2013). Reusable garbled circuits and succinct functional encryption - Stoc 13 Proceedings of the 2013 ACM Symposium on Theory of Computing. New York, NY, USA: ACM. pp. 555–564. ISBN 978-1-4503-2029-0.
↑ EUROCRYPT (2005-05-09). Fuzzy Identity-Based Encryption - Advances in Cryptology - EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. Springer Science & Business Media. ISBN 978-3-540-25910-7.
↑ Boneh, Dan; Amit Sahai; Brent Waters (2011). "Functional Encryption: Definitions and Challenges" (PDF). Proceedings of Theory of Cryptography Conference (TCC) 2011.
↑ Gorbunov, Sergey; Hoeteck Wee; Vinod Vaikuntanathan (2013). "Attribute-Based Encryption for Circuits". Proceedings of STOC.
↑ Sahai, Amit; Brent Waters (2012). "Attribute-Based Encryption for Circuits from Multilinear Maps" (PDF). arXiv: 1210.5287 .{{cite journal}}: Cite journal requires |journal= (help)
↑ Goldwasser, Shafi; Yael Kalai; Raluca Ada Popa; Vinod Vaikuntanathan; Nickolai Zeldovich (2013). "How to Run Turing Machines on Encrypted Data" (PDF). Advances in Cryptology – CRYPTO 2013. pp. 536–553. doi: 10.1007/978-3-642-40084-1_30 . ISBN 978-3-642-40083-4.{{cite book}}: |journal= ignored (help)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] 1 2 Goldwasser, Shafi; Kalai, Yael; Ada Popa, Raluca; Vaikuntanathan, Vinod; Zeldovich, Nickolai (2013). Reusable garbled circuits and succinct functional encryption - Stoc 13 Proceedings of the 2013 ACM Symposium on Theory of Computing. New York, NY, USA: ACM. pp. 555–564. ISBN 978-1-4503-2029-0.

[2] EUROCRYPT (2005-05-09). Fuzzy Identity-Based Encryption - Advances in Cryptology - EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. Springer Science & Business Media. ISBN 978-3-540-25910-7.

[3] Boneh, Dan; Amit Sahai; Brent Waters (2011). "Functional Encryption: Definitions and Challenges" (PDF). Proceedings of Theory of Cryptography Conference (TCC) 2011.

[4] Gorbunov, Sergey; Hoeteck Wee; Vinod Vaikuntanathan (2013). "Attribute-Based Encryption for Circuits". Proceedings of STOC.

[5] Sahai, Amit; Brent Waters (2012). "Attribute-Based Encryption for Circuits from Multilinear Maps" (PDF). arXiv: 1210.5287 .{{cite journal}}: Cite journal requires |journal= (help)

[6] Goldwasser, Shafi; Yael Kalai; Raluca Ada Popa; Vinod Vaikuntanathan; Nickolai Zeldovich (2013). "How to Run Turing Machines on Encrypted Data" (PDF). Advances in Cryptology – CRYPTO 2013. pp. 536–553. doi: 10.1007/978-3-642-40084-1_30 . ISBN 978-3-642-40083-4.{{cite book}}: |journal= ignored (help)

[1]

[2]

[3]

[4]

[5]

[6]