Special Encryption- Functional /Attribute-based/ID-based

Special Encryption- Functional /Attribute-based/ID-based

Functional encryption

Functional encryption is a type of public-key encryption in which possessing a secret key allows one to learn a function of what the ciphertext is encrypting.

More precisely, a functional encryption scheme for a given functionality F consists of the following four algorithms:

-(pk,msk)←Setup(1λ): creates a public key pk and a master secret key msk.

-sk←Keygen(msk,k): uses the master secret key to generate a new secret key sk for value k.

-c←Enc(pk,x): uses the public key to encrypt a message x.

-F(k,x)←Dec(sk,c): uses secret key to calculate a function of the value c encrypts.

Functional encryption generalizes several existing primitives including Identity-based encryption (IBE) and Attribute-based encryption (ABE). In the IBE case, define F(k,x) to be equal to when corresponds to an identity that is allowed to decrypt, and \perp otherwise. Similarly, in the ABE case, define F(k, x) = x when encodes attributes with permission to decrypt and otherwise.

Attribute-based encryption

Attribute-based encryption is a type of public-key encryption in which the secret key of a user and the ciphertext are dependent upon attributes (e.g. the country he lives, or the kind of subscription he has). In such a system, the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext.[1] A crucial security aspect of Attribute-Based Encryption is collusion-resistance: An adversary that holds multiple keys should only be able to access data if at least one individual key grants access.

The concept of attribute-based encryption was first proposed by Amit Sahai and Brent Waters [2] and later by Vipul Goyal, Omkant Pandey, Amit Sahai and Brent Waters.[3] Recently, several researchers have further proposed Attribute-based encryption with multiple authorities who jointly generate users’ private keys.[4][5][6][7][8][9]

Usage

Attribute-based encryption (ABE) can be used for log encryption.[10] Instead of encrypting each part of a log with the keys of all recipients, it is possible to encrypt the log only with attributes which match recipients’ attributes. This primitive can also be used for broadcast encryption in order to decrease the number of keys used.[11]

Challenges

Although ABE concept is very powerful and a promising mechanism, ABE systems suffer mainly from two drawbacks: non-efficiency and non-existence of attribute revocation mechanism.

Other main challenges are: Key coordination Key escrow key revocation

ID-based encryption

ID-based encryption, or identity-based encryption (IBE), is an important primitive of ID-based cryptography. As such it is a type of public-key encryption in whichthe public key of a user is some unique information about the identity of the user (e.g. a user’s email address). This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver’s name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.

ID-based encryption was proposed by Adi Shamir in 1984.[1] He was however only able to give an instantiation of identity-based signatures. Identity-based encryption remained an open problem for many years. The pairing-based Boneh–Franklin scheme[2] and Cocks’s encryption scheme[3] based on quadratic residues both solved the IBE problem in 2001.

Advantages

One of the major advantages of any identity-based encryption scheme is that if there are only a finite number of users, after all users have been issued with keys the third party’s secret can be destroyed. This can take place because this system assumes that, once issued, keys are always valid (as this basic system lacks a method of key revocation). The majority of derivatives of this system which have key revocation lose this advantage.

Moreover, as public keys are derived from identifiers, IBE eliminates the need for a public key distribution infrastructure. The authenticity of the public keys is guaranteed implicitly as long as the transport of the private keys to the corresponding user is kept secure (Authenticity, Integrity, Confidentiality).

Apart from these aspects, IBE offers interesting features emanating from the possibility to encode additional information into the identifier. For instance, a sender might specify an expiration date for a message. He appends this timestamp to the actual recipient’s identity (possibly using some binary format like X.509). When the receiver contacts the PKG to retrieve the private key for this public key, the PKG can evaluate the identifier and decline the extraction if the expiration date has passed. Generally, embedding data in the ID corresponds to opening an additional channel between sender and PKG with authenticity guaranteed through the dependency of the private key on the identifier.

Drawbacks

If a Private Key Generator (PKG) is compromised, all messages protected over the entire lifetime of the public-private key pair used by that server are also compromised. This makes the PKG a high-value target to adversaries. To limit the exposure due to a compromised server, the master private-public key pair could be updated with a new independent key pair. However, this introduces a key-management problem where all users must have the most recent public key for the server.

Because the Private Key Generator (PKG) generates private keys for users, it may decrypt and/or sign any message without authorization. This implies that IBE systems cannot be used for non-repudiation. This may not be an issue for organizations that host their own PKG and are willing to trust their system administrators and do not require non-repudiation.

The issue of implicit key escrow does not exist with the current PKI system, wherein private keys are usually generated on the user’s computer. Depending on the context key escrow can be seen as a positive feature (e.g., within Enterprises). A number of variant systems have been proposed which remove the escrow including certificate-based encryption, secret sharing, secure key issuing cryptographyand certificateless cryptography.

A secure channel between a user and the Private Key Generator (PKG) is required for transmitting the private key on joining the system. Here, a SSL-like connection is a common solution for a large-scale system. It is important to observe that users that hold accounts with the PKG must be able to authenticate themselves. In principle, this may be achieved through username, password or through public key pairs managed on smart cards.

IBE solutions may rely on cryptographic techniques that are insecure against code breaking quantum computer attacks (see Shor’s algorithm)

Ref

wiki