CORDIS - EU research results

Leakage-Resilient Cryptography

Final Report Summary - LRC (Leakage-Resilient Cryptography)

Cryptography aims at designing schemes that are resilient to adversarial behavior, and research in the foundations of cryptography deals with rigorous analysis of the security of such schemes. Such an analysis typically includes two main ingredients: (1) an adversarial model specifying the adversarial access to the system and the adversary's computational capabilities, and (2) a notion of security specifying what constitutes a breach of the system's security. Whereas notions of security have significantly evolved over the years, the vast majority of cryptographic schemes are still analyzed in rather traditional adversarial models. In these models the parties are typically viewed as completely isolated entities, each having its own computational resources, secret memory, private source of random bits, and so on.

In real life, however, almost any physical implementation of a system unintentionally leaks various forms of information, under which the assumptions above might not always be valid. Any such information that is not captured by the underlying model is referred to as a side channel. Typical examples include electromagnetic measurements, timing information, detection of internal faults, and many more.

Over the years, side-channel attacks have exposed crucial vulnerabilities in a large number of schemes that are in fact considered secure in the traditional models. In light of such findings, extensive research has been devoted in recent years to protecting against side-channel attacks. Traditionally, countermeasures aimed at making the physical world as similar as possible to the traditional, abstract models by preventing unintended leakage of information (e.g. building "tamper-proof" devices, minimizing electromagnetic noise, and more). This approach, however, is typically rather inefficient, expensive, and even impossible to realize in many cases. Quite recently, research in the foundations of cryptography has put forward a complementary approach, arguing that all aspects of security should be taken into consideration, as much as possible, already in the initial design of systems and not only during their implementation.

Our project focused on tackling new, realistic, and challenging problems in leakage-resilient cryptography. Specifically, we studied the drawbacks and limitations of the models and systems that had been developed prior to our work, and proposed new approaches, techniques, and tools for realizing better, more realistic ones.


DESCRIPTION OF THE WORK PERFORMED DURING THE PROJECT:

Towards achieving our goals we have extended the study of leakage-resilient cryptography to the setting of functional encryption schemes. Such schemes reveal a new form of information leakage that is in fact inherent to the functionality. In general, the traditional view of encryption schemes guarantees the secrecy of the encrypted data via an "all-or-nothing" approach: the encrypted data can be fully recovered using the decryption key, but it is completely useless without it. In a wide variety of modern scenarios, however, a more fine-grained approach is needed. Consider, for example, a user who wishes to leverage a partially-trusted server to filter out all encrypted email messages identified as spam. The user would clearly not like to reveal her decryption key to the server, and thus enabling server-side spam filtering while preserving the secrecy of her email messages seems very challenging.

Starting with the seminal notion of identity-based encryption, the cryptography community has put forward a vision of functional encryption, allowing utmost flexibility in accessing encrypted data, but resulting in significant leakage of sensitive information. Functional encryption supports restricted decryption keys that allow users to learn specific functions of the encrypted data and nothing else. Specifically, in a functional encryption scheme, the holder of the (master) secret key can generate a functional key sk(f) for any given function f. Now, anyone holding sk(f) and an encryption of any message m can compute f(m) but cannot learn any additional information about m. Extensive research has recently been devoted to the study of functional encryption, with the goal of mitigating the amount of leakage due to such functional keys.

Despite this recent effort, the existing general-purpose functional encryption schemes are somewhat unsatisfactory both theoretically and in terms of usability. Specifically, these schemes are either based on insufficiently explored cryptographic assumptions (related to recent breakthroughs in program obfuscation), or offer only weak notions of security, and in both cases provide rather poor performance.

Within the general context of leakage-resilient cryptography, and while focusing on the extremely versatile field of functional encryption, we have made significant progress towards achieving our main objectives, as described in the project's proposal: Exploring the feasibility and efficiency of leakage-resilient cryptographic systems, exploring cloud-enabled side channels, exploring leakage of information in the algorithmic setting, and more.


DESCRIPTION OF THE PROJECT’S MAIN RESULTS:

The following is a high-level description of the project’s main results, partitioned into its different areas of research.

1. Function privacy in functional encryption and its applications. In a sequence of three papers we have introduced the notion of "function privacy" in private-key functional encryption. This notion bounds the amount of information that a functional key sk(f) leaks on its underlying function f. We showed how to construct function-private schemes, and how to use function privacy for enhancing the security and functionality of the existing schemes without relying on any additional cryptographic assumptions. Specifically, as applications of function privacy we constructed a functional encryption scheme for randomized functionalities and a multi-input functional encryption scheme based on minimal assumptions in the private-key setting.
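The functional-encryption interface described above (a master secret key, a functional key sk(f), and evaluation of f(m) from sk(f) and an encryption of m), the spam-filtering scenario, and the function-privacy requirement that sk(f) leak little about f, illustrated by an added toy example in Python. This is not the project's own construction: the function class is restricted to keyword matching, f_w(m) = [m == w], HMAC-SHA256 stands in for the PRF, and the names setup, keygen, encrypt, evaluate and filter_matching as well as the sample labels are assumptions made for this example.

```python
"""Toy private-key functional encryption for the keyword-match functionality.

Constructed example (not the project's scheme): the function class is
f_w(m) = 1 if m == w else 0, a functional key sk(f_w) is a PRF value on w,
and a ciphertext binds the PRF value of the message to a fresh nonce.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def setup() -> bytes:
    """Master secret key (msk), kept by the data owner only."""
    return os.urandom(32)


def keygen(msk: bytes, keyword: str) -> bytes:
    """Functional key sk(f_w) for the point function f_w(m) = [m == w].

    The key is a PRF evaluation on w: by itself it reveals nothing about w
    beyond the ability to test ciphertexts for equality with w, and that
    hiding holds only while w is unpredictable to the key holder.
    """
    return hmac.new(msk, b"kw|" + keyword.encode("utf-8"), hashlib.sha256).digest()


@dataclass(frozen=True)
class Ciphertext:
    nonce: bytes  # fresh per encryption, so equal messages give distinct ciphertexts
    tag: bytes    # PRF(sk(f_m), nonce): recognisable only with the key for m itself


def encrypt(msk: bytes, message: str) -> Ciphertext:
    """Encrypt m so that exactly sk(f_m) recognises it and no other key does."""
    k_m = keygen(msk, message)  # the same value a key holder for w = m has
    nonce = os.urandom(16)
    tag = hmac.new(k_m, nonce, hashlib.sha256).digest()
    return Ciphertext(nonce, tag)


def evaluate(sk_w: bytes, ct: Ciphertext) -> bool:
    """Compute f_w(m) from sk(f_w) and Enc(m): True iff m == w."""
    expected = hmac.new(sk_w, ct.nonce, hashlib.sha256).digest()
    # Constant-time comparison, so the check itself adds no timing side channel.
    return hmac.compare_digest(expected, ct.tag)


def filter_matching(sk_w: bytes, cts: list[Ciphertext]) -> list[int]:
    """Server-side filtering as in the spam scenario: indices of ciphertexts
    whose plaintext equals the keyword behind sk_w. The server never sees msk."""
    return [i for i, ct in enumerate(cts) if evaluate(sk_w, ct)]


if __name__ == "__main__":
    msk = setup()
    labels = ["spam", "ham", "spam", "newsletter"]  # constructed sample message labels
    cts = [encrypt(msk, label) for label in labels]
    sk_spam = keygen(msk, "spam")  # the only key handed to the mail server
    print("indices flagged as spam:", filter_matching(sk_spam, cts))  # [0, 2]
```

The fresh nonce is what keeps two encryptions of the same label from being linkable without a key, the functional key hides its keyword only to the extent the keyword is hard to guess (which is the kind of limitation the function-privacy notion is meant to pin down), and the final comparison uses hmac.compare_digest so that the filtering step does not reintroduce the timing side channel the report lists among its examples.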

2. The security of public-key functional encryption. In a sequence of four papers we have significantly enhanced both the security and the functionality of public-key functional encryption schemes. Specifically, we showed a generic transformation from selective security to adaptive security, we constructed a fully key-homomorphic encryption scheme (with applications to arithmetic circuit attribute-based encryption and to compact garbled circuits), we constructed a function-private subspace-membership encryption scheme, and we constructed a hierarchical functional encryption scheme.

3. Limits on the power of functional encryption and indistinguishability obfuscation. In two papers we proved the first impossibility results on the power of functional encryption (and the tightly related notion of indistinguishability obfuscation) as a building block in cryptographic constructions. Our results are obtained within a novel framework that we developed for capturing non-black-box techniques in cryptographic constructions.

4. Algorithmic aspects of leakage-resilient cryptography. In two papers we have extended our knowledge on techniques for securely outsourcing the storage of sensitive data. Specifically, we developed extremely efficient and secure protocols for the set-intersection of two large databases and for searching over encrypted data.


CONCLUSIONS AND POTENTIAL IMPACT:

Accomplishing our main objectives helped minimize the gap between theory and practice in modeling and combating side-channel attacks, and as a result increased the deployment and further study of newly-developed leakage-resilient systems. Our results clearly demonstrate that there is essentially no need to compromise on security when it comes to leakage-resilient cryptography. Specifically, our productive line of research has repeatedly shown that one can simultaneously offer strong notions of security and fine-grained functionality, even when various sensitive information may be leaked to an adversary.



Contact information:
Dr. Gil Segev, School of Computer Science and Engineering, Hebrew University
www.cs.huji.ac.il/~segev
segev@cs.huji.ac.il