New method for protecting private data

of security speak for themselves. According to a 2007 FBI analysis, Internet crime costs U.S. businesses some $67 billion annually, including the indirect expense of repairing hacked systems. TJX, the parent company of discount clothing chains T. J. Maxx and Marshalls, revealed that during a recent eighteen-month period, hackers had stolen 45.6 million credit card numbers and other sensitive customer information. For every two Americans, one private record has been stolen through computer data breaches alone.

Cryptography, the practice and study of hiding information, is considered to be a branch of both mathematics and computer science and is closely tied to information theory, computer security and engineering. And while the technology of encryption has been around a long time, encrypting data and then deciding how to allow access to hundreds or even thousands of people has been a dilemma, Sahai said. “Imagine current encryption technology as a lock and key — the data is locked, and to allow different people access, many copies of the key need to be made,” he said. “One record might need to be accessed by 10,000 people, so you make 10,000 copies of that key. With millions of documents and thousands of keys per document, you can imagine how very, very complicated it gets. It becomes much too complicated to manage. So even though we’ve had very strong encryption technology now for decades, it’s just not used, or it is used incorrectly.”

The study authors’ new functional encryption method allows a programmer simply to plug in his criteria for the information. The mathematical system will then produce an encrypted record that only people matching the criteria can decrypt. The complex system of managing many keys is now simplified, and servers hold encrypted data that the servers themselves cannot read. The information looks like gibberish to hackers. In addition, the new mathematical system allows for keys to be personalized: only one key is needed to unlock all the information that is available to that person. “This is the key innovation in our system,” Sahai said. “We have this mathematical method for randomization of personalizing keys so that your key doesn’t just depend on what attributes you have, like what your name is. Further, there is some mathematical hardening that is personalized to you, so that you can’t combine it with anyone else’s keys to do anything meaningful.”

The system severely restricts what a hacker can do. If he is an insider, he is limited by what access he legitimately has, and since keys are personalized, it becomes much easier to trace who accessed and released the information in the first place.

Sahai and Waters are considered the founders of the area of functional encryption. Sahai recently won a prestigious 2007 Okawa Research Grant Award from Japan’s Okawa Foundation for his work in this area. “Some of this work is already being implemented and is actually being incorporated into some research systems,” Sahai said. “It’s making its way closer to practice. Brent and I were able to apply for a patent on the very initial work we did, which was bought by a company called Voltage Security. There certainly is interest from the U.S. military and the U.S. Department of Homeland Security as well.”

Waters added: “Our goal is to rethink what encryption is. Over the years, people have taken on a somewhat rigid view of what encryption is. What we’re hoping to do is show that we can build simpler and more powerful systems by changing the way we think. Eventually, we hope to get rid of complex infrastructures and do things in a simpler manner that is also more secure and cost-effective.”

In addition to being presented at the Eurocrypt conference, the study, “Predicate Encryption Supporting Disjunctions, Polynomial Equations and Inner Products,” will appear in a forthcoming edition of the Journal of Cryptography.