*Author: Kimmo Järvinen*

Functional encryption is a powerful new paradigm for encryption. Traditional encryption schemes are all-or-nothing in the sense that having the decryption key gives full access to the corresponding plaintext. Without this key, it is impossible to obtain any information about the contents of the plaintext. Functional encryption, however, allows generating decryption keys that give a limited access to the plaintext. Namely, they allow computing a function f(x) from an encrypted “x” without providing any other information about “x” except the result of this function. Having this sort of fine-grained granularity gives huge advantages compared to traditional encryption, for example, in mitigating risks related to key leakage or improving the privacy of users' data. Unfortunately, such additional power does not come for free.

Functional encryption is orders of magnitude more complex compared to traditional encryption (for example, AES). This means that encrypting large amounts of data or computing functions (decryptions) over large encrypted data sets (potentially from many users) are demanding tasks. Even functional encryption schemes that support only simple functions such as inner products are very expensive. For example, operations comparable to public-key encryptions are required for each value in a vector of data to be encrypted or decrypted. Furthermore, if more complicated functions (for example, quadratic functions) are needed, then even more expensive computations (for example, cryptographic pairings) are required. Therefore, there exists an evident need for accelerating functional encryption computations and tailoring the solutions optimally to different types of computing platforms. To overcome this challenge, FENTEC is developing techniques for accelerating functional encryption with hardware accelerators.

Functional encryption schemes include a lot of inherent parallelism making them well suited for hardware where this parallelism can be exploited with multi-core architectures. Each core should be optimized for the basic operations of a functional encryption scheme (for example, modular exponentiation) and then, the multi-core architecture can compute these basic operations in parallel. FENTEC will focuson FPGA-based HW/SW codesign accelerators where the heavy computations are accelerated with hardware (that is, in FPGA) and the control and interfacing are handled by software.

Already for a long time, it has been understood that side-channel attacks that exploit weaknesses of implementations pose a serious risk for cryptosystems in practice. As mentioned above, functional encryption may mitigate the risks of key leakage because even finding out the key for computing f(x) does not give full access to the plaintext. Nevertheless, implementation security is still a major aspect even for functional encryption and strong protections against side-channel attacks are required in many cases. One big challenge is that side-channel protections typically come with hefty performance overheads which are added on top of the already high computational requirements. FENTEC has defined three different trust models for the computing platforms in order to structure research on implementation security:

- The first model is the fully trusted model where the entire computing platform is assumed trusted. This assumption implies that the computing platform is in a protected environment which cannot be accessed by the adversary. Because implementation attacks are not considered a threat in this model, the research focuses purely on performance issues and relates to the long research tradition of accelerating cryptographic computations.

- The second model is the partly trusted model where a trusted component called the Trust Anchor in an otherwise untrusted system is used. The trust anchor may, for example, be a separate security chip which supports a fixed set of well-protected cryptographic operations and key storage. An implementation of functional encryption should be such that the security-critical parts are executed in the trust anchor whereas other parts can be computed in the untrusted system. The research questions are how to distribute computations between the untrusted part and the trust anchor and how to minimize the requirements for the trust anchor.

- The third model is the fully untrusted model where the entire computing platform is assumed untrusted in the sense that it can be a target for various implementation attacks. This means that the whole implementation of functional encryption must be protected against different types of implementation attacks. In this model, the research focuses on developing strong protections against implementation attacks and validating their strength on real hardware.

To conclude, FENTEC makes research on various aspects around hardware implementation of functional encryption. The objectives of this branch of research are to improve the efficiency of practical instantiations of functional encryption and to protect them against implementation related attacks.