Graded Encoding Schemes from Obfuscation. Interactively Secure Groups from Obfuscation


Graded Encoding Schemes from Obfuscation
P. Farshim (1,2), J. Hesse (1), D. Hofheinz (3), E. Larraia (4)
(1) École normale supérieure (ENS), Paris, France; (2) INRIA; (3) Karlsruhe Institute of Technology (KIT), Germany; (4) Royal Holloway, University of London, United Kingdom

Interactively Secure Groups from Obfuscation
T. Agrikola (1), D. Hofheinz (1)
(1) Karlsruhe Institute of Technology (KIT), Germany

March 28, 2018

Introduction

Indistinguishability obfuscation (IO) is a method to transform a program into an unintelligible one while maintaining the original functionality.

[Figure: programs $P_1$ and $P_2$ are each passed through iO, giving $iO(P_1)$ and $iO(P_2)$.]

Introduction Recap Graded Encoding Schemes Interactively Secure Groups Summary 1/14

Overview: Implications of IO (2/14)

[Diagram: what follows from iO together with other assumptions.]

- iO + OWF: deniable encryption [SW14], two-round MPC [GGHR14], functional encryption [GGHOSW16]
- iO + GROUP: fully homomorphic encryption [CLTV15], multilinear maps [AFHLP16], graded encoding schemes [FHHL18], groups w/ strong assumptions [AH18]

OWF: assumptions w/o inherent structure
GROUP: assumptions w/ inherent structure

Recap: Approach of [AFHLP16] I (3/14)

Group: set of encodings $M$ equipped with an equivalence relation; $G := M/$(equivalence relation).

Interface:
- Equality test: $G \times G \to \{0, 1\}$
- Group operation $+ : G \times G \to G$
- n-MMap $e : G \times \dots \times G \to G_T$ (n times)

Encodings: bitstrings of the form $[a] := (g^a, \mathrm{Enc}(a), \pi)$, where
- $g^a$ is a group element in $G_T$,
- $\mathrm{Enc}(a)$ is an encryption of the exponent,
- $\pi$ is a consistency proof.

n-MMap:
- input: n encodings
- decrypt exponents $a_1, \dots, a_n$
- output: $g^{a_1 a_2 \cdots a_n}$

Recap: Approach of [AFHLP16] II (4/14)

Goal: n-MDDH assumption. Given $[a_1], \dots, [a_{n+1}] \in G$, the group element $g^{(a_1 \cdots a_n a_{n+1})} \in G_T$ looks like an independently sampled group element.

Proof technique: Switching. Instead of encrypting exponents $a_i$ directly, encrypt a linear polynomial $f_i$ that equals $a_i$ when evaluated at $\omega$:

$(g^{a_i}, \mathrm{Enc}(a_i), \pi) \;\longrightarrow\; (g^{a_i}, \mathrm{Enc}(f_i), \pi)$, with $f_i(\omega) = a_i$.

- Change n-MMap: don't use $\omega$ explicitly (only $g^{\omega}, \dots, g^{(\omega^n)}$).
- This enables a reduction to a problem in $G_T$ (to (n + 1)-SDDH).
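The switching step above, as an added toy example in Python (not code from the talk or from [AFHLP16]): it checks that an n-MMap working on the switched polynomials $f_i$ and only the powers $g^{(\omega^k)}$ returns the same element as one working on the exponents $a_i$. Assumptions: the encryption and the proof $\pi$ are left out, so decrypted values are passed in directly, and the group is a constructed order-1019 subgroup of $\mathbb{Z}_{2039}^*$; all function names are hypothetical.

```python
import random

# Toy parameters (constructed for this example, far too small for security).
P = 1019        # prime order of the group
Q = 2 * P + 1   # 2039 is prime, so the squares mod Q form a group of order P
G = 4           # 4 = 2^2 generates that order-P subgroup


def poly_mul(f, h):
    """Multiply two polynomials over Z_P (coefficient lists, lowest degree first)."""
    out = [0] * (len(f) + len(h) - 1)
    for i, fi in enumerate(f):
        for j, hj in enumerate(h):
            out[i + j] = (out[i + j] + fi * hj) % P
    return out


def switch(a, omega, rng):
    """Return a random linear polynomial f = c0 + c1*X over Z_P with f(omega) = a."""
    c1 = rng.randrange(1, P)
    c0 = (a - c1 * omega) % P
    return [c0, c1]


def mmap_direct(exponents):
    """n-MMap before switching: multiply the decrypted exponents, output g^(a1...an)."""
    prod = 1
    for a in exponents:
        prod = prod * a % P
    return pow(G, prod, Q)


def mmap_switched(polys, omega_powers):
    """n-MMap after switching.

    polys        : the decrypted linear polynomials f_1..f_n
    omega_powers : [g^(omega^0), g^(omega^1), ..., g^(omega^n)]
    omega itself is never used: the product polynomial sum_k c_k X^k is
    evaluated "in the exponent" as prod_k (g^(omega^k))^(c_k).
    """
    prod = [1]
    for f in polys:
        prod = poly_mul(prod, f)
    out = 1
    for c, g_k in zip(prod, omega_powers):
        out = out * pow(g_k, c, Q) % Q
    return out


def demo(n=4, seed=1):
    """Run both maps on the same random exponents; returns (direct, switched)."""
    rng = random.Random(seed)
    omega = rng.randrange(1, P)
    exps = [rng.randrange(1, P) for _ in range(n)]
    polys = [switch(a, omega, rng) for a in exps]
    # Only these n+1 group elements depend on omega.
    omega_powers = [pow(G, pow(omega, k, P), Q) for k in range(n + 1)]
    return mmap_direct(exps), mmap_switched(polys, omega_powers)


if __name__ == "__main__":
    direct, switched = demo()
    print("direct  :", direct)
    print("switched:", switched)
    print("equal   :", direct == switched)
```
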


Graded Encoding Schemes [FHHL18] I (6/14)

Central question: Can we further generalize the MMap?

[FHHL18]: MMap allows for graded (i.e., partial) evaluation.

Multilinear map: $[a_1], [a_2], \dots, [a_n] \in G \;\xrightarrow{\,e\,}\; [a_1 a_2 \cdots a_n]_T \in G_T$

Graded encoding scheme, by levels (each level reached by applying $e$):
- $G_1$: $[a_1]_1, [a_2]_1, [a_3]_1, \dots, [a_n]_1$
- $G_2$: $[a_1 a_2]_2$
- $G_3$: $[a_1 a_2 a_3]_3$
- $G_n$: $[a_1 a_2 a_3 \cdots a_n]_n$

Graded Encoding Schemes [FHHL18] II (7/14)

How to implement the partially evaluable map $e$?

Problem: $e$ needs to extract exponents (also on intermediate levels).

$[a]_i := (g^a, \mathrm{Enc}(a), \pi)$
$[a']_j := (g^{a'}, \mathrm{Enc}(a'), \pi)$

$e : G_i \times G_j \to G_{i+j}$:
- decrypt exponents $a, a'$
- output encoding for $a a'$

$[aa']_{i+j} := (g^{aa'}, \mathrm{Enc}(aa'), \pi)$

$e : G_{i+j} \dots$

Graded Encoding Schemes [FHHL18] III (8/14)

Recap: n-MDDH assumption. Given $[a_1]_1, \dots, [a_{n+1}]_1$, the group element $[a_1 \cdots a_n a_{n+1}]_n$ looks like an independently sampled group element.

Main result: n-MDDH assumption holds even in the presence of graded MMap.

Proof idea: Switching as in [AFHLP16]:

$(g^{a_i}, \mathrm{Enc}(a_i), \pi) \;\longrightarrow\; (g^{a_i}, \mathrm{Enc}(f_i), \pi)$

- Change graded MMap: don't use $\omega$ explicitly.
- Difficulty: $e$ produces encodings.


Interactively Secure Groups [AH18] I (10/14)

Central question: How close can we get to implementing the generic group model? More precisely: Can we prove stronger assumptions?

Goal: (univariate) Interactive Uber assumption.

[Diagram: game between an adversary and a challenger. The challenger holds $\omega$ from $\mathbb{Z}_p$. The adversary sends $f$ and receives $[f(\omega)]$, repeatedly. For one further $f$ it receives $[f(\omega)]$ or random, and then outputs a guess.]

Interactively Secure Groups [AH18] II (11/14)

Generic group model: $(\mathbb{Z}_p, +) \;\longrightarrow\; (\mathbb{Z}_p[X], +)$

Answers from Uber challenger: non-constant polynomials.

Goal: implement this proof strategy.

Change encodings: from $[a] := (g^a, \mathrm{Enc}(a), \pi)$ to $[a] := (\mathrm{Enc}(a), \pi)$

Interface:
- Equality test: $G \times G \to \{0, 1\}$
- Group operation $+ : G \times G \to G$

Interactively Secure Groups [AH18] III (12/14)

Proof idea:
1. Start: the encoding of $a$ is $(\mathrm{Enc}(a = f(\omega)), \pi)$.
2. Switching approach with high-degree polynomials: $(\mathrm{Enc}(a = f(\omega)), \pi) \;\longrightarrow\; (\mathrm{Enc}(f), \pi)$.
3. Remove $\omega$: the encoding stays $(\mathrm{Enc}(f), \pi)$, but $\omega$ is no longer used.

Assumption holds for information theoretic reason!

How to remove $\omega$? (13/14)

Testing for identity element (flowchart):

- input: $(C, \pi)$
- $\pi$ valid? If no: stop.
- If yes: $f \leftarrow \mathrm{Dec}(sk, C)$
- Original test: $f(\omega) = 0$? If yes: is_identity. If no: not_identity.
- Test without $\omega$: $Z :=$ zero set of $f$; is there a $z \in Z$ with $\mathrm{pfo}_\omega(z) = 1$, or is $f$ the zero polynomial? If yes: is_identity. If no: not_identity.

Point function obfuscation: $\mathrm{pfo}_\omega$ obfuscates the point function $z \mapsto 1$ if $z = \omega$, $0$ else.

[Flowchart label: probabilistic iO]
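The two identity tests from the flowchart, side by side, as an added toy example in Python (not code from the talk or from [AH18]). Assumptions: encryption and the check of $\pi$ are left out, so the decrypted polynomial $f$ is passed in directly; the zero set is found by exhaustive search over a constructed 1019-element field; and a salted hash comparison stands in for the point function obfuscation, which it only imitates functionally. All names are hypothetical.

```python
import hashlib

P = 1019  # toy prime (constructed); encodings carry polynomials over Z_P


def poly_eval(f, x):
    """Evaluate f (coefficient list, lowest degree first) at x over Z_P."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc


def poly_sub(f, h):
    """f - h over Z_P; this is the group operation on polynomial encodings."""
    n = max(len(f), len(h))
    f = f + [0] * (n - len(f))
    h = h + [0] * (n - len(h))
    return [(a - b) % P for a, b in zip(f, h)]


def zero_set(f):
    """All roots of f in Z_P. Exhaustive search works only at toy size;
    a real implementation would use polynomial root finding."""
    return [z for z in range(P) if poly_eval(f, z) == 0]


def make_pfo(omega, salt=b"constructed-salt"):
    """Stand-in for pfo_omega: returns a function z -> 1 if z == omega else 0.
    The closure keeps only a salted hash of omega. This is NOT an obfuscator
    with any security guarantee; it just has the same input/output behaviour."""
    target = hashlib.sha256(salt + omega.to_bytes(4, "big")).digest()

    def pfo(z):
        digest = hashlib.sha256(salt + z.to_bytes(4, "big")).digest()
        return 1 if digest == target else 0

    return pfo


def is_identity_with_omega(f, omega):
    """Original test: does the encoded value f(omega) equal 0?"""
    return poly_eval(f, omega) == 0


def is_identity_without_omega(f, pfo):
    """Test that never sees omega: f is the zero polynomial, or some root
    of f is accepted by the point function."""
    if all(c % P == 0 for c in f):
        return True
    return any(pfo(z) == 1 for z in zero_set(f))


def equal_without_omega(f, h, pfo):
    """Equality test of the interface: f and h encode the same element
    exactly when their difference is an encoding of the identity."""
    return is_identity_without_omega(poly_sub(f, h), pfo)


if __name__ == "__main__":
    omega = 77                      # constructed secret point
    pfo = make_pfo(omega)
    samples = {
        "(X-77)(X-5)": [385, 937, 1],   # vanishes at omega
        "X-5": [1014, 1],               # does not vanish at omega
        "zero polynomial": [0, 0],
        "constant 3": [3],
    }
    for name, f in samples.items():
        print(name, is_identity_with_omega(f, omega),
              is_identity_without_omega(f, pfo))
```
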

Summary (14/14)

Provided structure and security guarantees:
- [AFHLP16]: provided structure: n-MMap; security guarantee: n-MDDH assumption
- [FHHL18]: provided structure: graded n-MMap; security guarantee: n-MDDH assumption
- [AH18]: security guarantee: interactive Uber assumption

Obfuscation and Weak Multilinear Maps

Obfuscation and Weak Multilinear Maps Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan Obfuscation

More information

Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps

Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are

More information

Multilinear Maps from Obfuscation

Multilinear Maps from Obfuscation Multilinear Maps from Obfuscation Martin R. Albrecht (RHUL) Pooya Farshim (QUB) Shuai Han (SJTU) Dennis Hofheinz (KIT) Enrique Larraia (RHUL) Kenneth G. Paterson (RHUL) December 18, 2017 Abstract We provide

More information

Graded Encoding Schemes from Obfuscation

Graded Encoding Schemes from Obfuscation Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research

More information

Graded Encoding Schemes from Obfuscation

Graded Encoding Schemes from Obfuscation Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA

More information

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions

More information

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7 COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to

More information

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,

More information

Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)

Adaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe) Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security

More information

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption Craig Gentry Allison ewko Amit Sahai Brent Waters November 4, 2014 Abstract We revisit the question of constructing

More information

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015 Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear

More information

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu Digital Watermarking 1 Digital Watermarking Content is (mostly) viewable

More information

Lattice Based Crypto: Answering Questions You Don't Understand

Lattice Based Crypto: Answering Questions You Don't Understand Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key

More information

Private Puncturable PRFs from Standard Lattice Assumptions

Private Puncturable PRFs from Standard Lattice Assumptions Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,

More information

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication

More information

All-But-Many Lossy Trapdoor Functions. Dennis Hofheinz (Karlsruhe Institute of Technology)

All-But-Many Lossy Trapdoor Functions. Dennis Hofheinz (Karlsruhe Institute of Technology) All-But-Many Lossy Trapdoor Functions Dennis Hofheinz (Karlsruhe Institute of Technology) Overview over this talk All-But-Many Lossy Trapdoor Functions (ABM-LTFs) A technical tool specifically designed

More information

Cryptology. Scribe: Fabrice Mouhartem M2IF

Cryptology. Scribe: Fabrice Mouhartem M2IF Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description

More information

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob

More information

Math.3336: Discrete Mathematics. Mathematical Induction

Math.3336: Discrete Mathematics. Mathematical Induction Math.3336: Discrete Mathematics Mathematical Induction Instructor: Dr. Blerina Xhabli Department of Mathematics, University of Houston https://www.math.uh.edu/ blerina Email: blerina@math.uh.edu Fall 2018

More information

ADVERTISING AGGREGATIONARCHITECTURE

ADVERTISING AGGREGATIONARCHITECTURE SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED

More information

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to

More information

ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation

ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation ZAPs and Non-Interactive Witness Indistinguishability from Indistinguishability Obfuscation Nir Bitansky Omer Paneth February 12, 2015 Abstract We present new constructions of two-message and one-message

More information

Spooky Encryption and its Applications

Spooky Encryption and its Applications Spooky Encryption and its Applications Yevgeniy Dodis NYU Shai Halevi IBM Research Ron D. Rothblum MIT Daniel Wichs Northeastern University March 10, 2016 Abstract Consider a setting where inputs x 1,...,

More information

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.

More information

APPLICATIONS OF (INDISTINGUISHABILITY) OBFUSCATION

APPLICATIONS OF (INDISTINGUISHABILITY) OBFUSCATION APPLICATIONS OF (INDISTINGUISHABILITY) OBFUSCATION Craig Gentry, IBM Research May 20, 2015 Cryptography Boot Camp, Simons Institute Definition of io [B + 01] An indistinguishability obfuscator is a PPT

More information

From Minicrypt to Obfustopia via Private-Key Functional Encryption

From Minicrypt to Obfustopia via Private-Key Functional Encryption From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc

More information

Semantic Security and Indistinguishability in the Quantum World

Semantic Security and Indistinguishability in the Quantum World Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands

More information

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

RSA RSA public key cryptosystem

RSA RSA public key cryptosystem RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.

More information

Section 4.3. Polynomial Division; The Remainder Theorem and the Factor Theorem

Section 4.3. Polynomial Division; The Remainder Theorem and the Factor Theorem Section 4.3 Polynomial Division; The Remainder Theorem and the Factor Theorem Polynomial Long Division Let s compute 823 5 : Example of Long Division of Numbers Example of Long Division of Numbers Let

More information

6.892 Computing on Encrypted Data September 16, Lecture 2

6.892 Computing on Encrypted Data September 16, Lecture 2 6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between

More information

Fully Bideniable Interactive Encryption

Fully Bideniable Interactive Encryption Fully Bideniable Interactive Encryption Ran Canetti Sunoo Park Oxana Poburinnaya January 1, 19 Abstract While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker

More information

8 Security against Chosen Plaintext

8 Security against Chosen Plaintext 8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March

More information

Linear Multi-Prover Interactive Proofs

Linear Multi-Prover Interactive Proofs Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject

More information

Provable Security for Program Obfuscation

Provable Security for Program Obfuscation for Program Obfuscation Black-box Mathematics & Mechanics Faculty Saint Petersburg State University Spring 2005 SETLab Outline 1 Black-box Outline 1 2 Black-box Outline Black-box 1 2 3 Black-box Perfect

More information

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m] Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of

More information

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:

III. Pseudorandom functions & encryption

III. Pseudorandom functions & encryption III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:

Robust Password- Protected Secret Sharing

Robust Password- Protected Secret Sharing Robust Password- Protected Secret Sharing Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval École Normale Supérieure, CNRS and INRIA, Paris, France R E S E A R C H UNIVERSITY PPSS: Motivation

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

6.080 / Great Ideas in Theoretical Computer Science Spring 2008 MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

Modern symmetric-key Encryption

Modern symmetric-key Encryption Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger 1, Venkata Koppula 2, and Brent Waters 2 1 Johns Hopkins University, Baltimore, USA susan@cs.jhu.edu 2 University

Cryptographic Solutions for Data Integrity in the Cloud

Cryptographic Solutions for Data Integrity in the Cloud Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic

Classical hardness of the Learning with Errors problem

Classical hardness of the Learning with Errors problem Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness

Exploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness

Exploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness Exploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness Qipeng Liu Mark Zhandry Princeton University {qipengl, mzhandry}@princeton.edu Abstract There is some

Lecture 7: CPA Security, MACs, OWFs

Lecture 7: CPA Security, MACs, OWFs CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)

New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation

New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation Shweta Agrawal Abstract Constructing indistinguishability obfuscation io [BGI + 01] is a central open question in cryptography.

Lecture 17: Constructions of Public-Key Encryption

Lecture 17: Constructions of Public-Key Encryption COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,

Strong Security Models for Public-Key Encryption Schemes

Strong Security Models for Public-Key Encryption Schemes Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger Johns Hopkins University susan@cs.hu.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu November

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1

Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1 Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1 Nishanth Chandran Srinivasan Raghuraman Dhinakaran Vinayagamurthy Abstract The candidate construction of multilinear maps by Garg, Gentry, and

Solutions to homework 2

Solutions to homework 2 ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme

Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts

Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts Dennis Hofheinz 1, Tibor Jager 2, and Andy Rupp 1 1 Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu

Advanced Cryptography 03/06/2007. Lecture 8

Advanced Cryptography 03/06/2007. Lecture 8 Advanced Cryptography 03/06/2007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of

Non-malleability under Selective Opening Attacks: Implication and Separation

Non-malleability under Selective Opening Attacks: Implication and Separation Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

Standard versus Selective Opening Security: Separation and Equivalence Results

Standard versus Selective Opening Security: Separation and Equivalence Results Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by

Cryptanalysis of a homomorphic public-key cryptosystem over a finite group

Cryptanalysis of a homomorphic public-key cryptosystem over a finite group Cryptanalysis of a homomorphic public-key cryptosystem over a finite group Su-Jeong Choi Simon R. Blackburn and Peter R. Wild Department of Mathematics Royal Holloway, University of London Egham, Surrey

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography Cryptography CS 555 Topic 22: Number Theory/Public Key-Cryptography 1 Exam Recap 2 Exam Recap Highest Average Score on Question Question 4: (Feistel Network with round function f(x) = 0 n ) Tougher Questions

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding

Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding Zvika Brakerski 1 and Guy N. Rothblum 2 1 Weizmann Institute of Science 2 Microsoft Research Abstract. We present a new general-purpose

Disjunctions for Hash Proof Systems: New Constructions and Applications

Disjunctions for Hash Proof Systems: New Constructions and Applications Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by

Overview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy

Overview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy Overview of the Talk Secret Sharing CS395T Design and Implementation of Trusted Services Ankur Gupta Hugo Krawczyk. Secret Sharing Made Short, 1993. Josh Cohen Benaloh. Secret Sharing Homomorphisms: Keeping

Benny Pinkas Bar Ilan University

Benny Pinkas Bar Ilan University Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption

Multiparty Computation (MPC) Arpita Patra

Multiparty Computation (MPC) Arpita Patra Multiparty Computation (MPC) Arpita Patra MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n + Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(

Securely Obfuscating Re-Encryption

Securely Obfuscating Re-Encryption Securely Obfuscating Re-Encryption Susan Hohenberger Guy N. Rothblum abhi shelat Vinod Vaikuntanathan June 25, 2007 Abstract We present a positive obfuscation result for a traditional cryptographic functionality.

6.080/6.089 GITCS Apr 15, Lecture 17

6.080/6.089 GITCS Apr 15, Lecture 17 6.080/6.089 GITCS Apr 15, 2008 Lecturer: Scott Aaronson Lecture 17 Scribe: Adam Rogal 1 Recap 1.1 Pseudorandom Generators We will begin with a recap of pseudorandom generators (PRGs). As we discussed before

Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption

Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Fuyuki Kitagawa 1 Ryo Nishimaki 2 Keisuke Tanaka 1 1 Tokyo Institute of Technology, Japan {kitagaw1,keisuke}@is.titech.ac.jp

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

GGHLite: More Efficient Multilinear Maps from Ideal Lattices GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits Nuttapong Attrapadung National Institute of Advanced Industrial Science and Technology

Notes on Alekhnovich's cryptosystems

Notes on Alekhnovich's cryptosystems Notes on Alekhnovich's cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08: CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Permitted aids: Type-approved calculator. Another memory-cleared calculator may be used after approval

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Bootstrapping Obfuscators via Fast Pseudorandom Functions Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator

A new security notion for asymmetric encryption Draft #10

A new security notion for asymmetric encryption Draft #10 A new security notion for asymmetric encryption Draft #10 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,

Lattice-Based Non-Interactive Arugment Systems

Lattice-Based Non-Interactive Arugment Systems Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover

General Impossibility of Group Homomorphic Encryption in the Quantum World

General Impossibility of Group Homomorphic Encryption in the Quantum World General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1 An example

Cryptography CS 555. Topic 4: Computational Security

Cryptography CS 555. Topic 4: Computational Security Cryptography CS 555 Topic 4: Computational Security 1 Recap Perfect Secrecy, One-time-Pads Theorem: If (Gen,Enc,Dec) is a perfectly secret encryption scheme then KK M 2 What if we want to send a longer

Standard Security Does Not Imply Indistinguishability Under Selective Opening

Standard Security Does Not Imply Indistinguishability Under Selective Opening Standard Security Does Not Imply Indistinguishability Under Selective Opening Dennis Hofheinz 1, Vanishree Rao 2, and Daniel Wichs 3 1 Karlsruhe Institute of Technology, Germany, dennis.hofheinz@kit.edu

Hunting and Gathering Verifiable Random Functions from Standard Assumptions with Short Proofs

Hunting and Gathering Verifiable Random Functions from Standard Assumptions with Short Proofs Hunting and Gathering Verifiable Random Functions from Standard Assumptions with Short Proofs Lisa Kohl Karlsruhe Institute of Technology, Karlsruhe, Germany Lisa.Kohl@kit.edu Abstract. A verifiable random

Lattice Cryptography

Lattice Cryptography CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard

Flexible Group Key Exchange with On Demand Computation of Subgroup Keys

Flexible Group Key Exchange with On Demand Computation of Subgroup Keys Flexible Group Key Exchange with On Demand Computation of Subgroup Keys Michel Abdalla 1, Celine Chevalier 2, Mark Manulis 3, David Pointcheval 1 1 École Normale Supérieure CNRS INRIA, Paris, France 2

On the CCA1-Security of Elgamal and Damgård's Elgamal

On the CCA1-Security of Elgamal and Damgård's Elgamal On the CCA1-Security of Elgamal and Damgård's Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

A new security notion for asymmetric encryption Draft #12

A new security notion for asymmetric encryption Draft #12 A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,

Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro

Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro Indistinguishability Obfuscation from Low-Degree Multilinear Maps and (Blockwise) Local PRGs [Lin16b, LT17, To appear, Crypto 17] Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro Circuit

On Tightly Secure Non-Interactive Key Exchange

On Tightly Secure Non-Interactive Key Exchange On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universität Darmstadt) Dennis Hofheinz (Karlsruhe Institute of Technology) Lisa Kohl (Karlsruhe Institute of Technology) 1 Non-Interactive

Lecture 2: Perfect Secrecy and its Limitations

Lecture 2: Perfect Secrecy and its Limitations CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08: CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Permitted aids: Type-approved calculator. Another memory-cleared calculator may be used after approval

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),

Automatic, computational proof of EKE using CryptoVerif

Automatic, computational proof of EKE using CryptoVerif Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno

Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5

Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are

Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 2: Program Obfuscation - II April 1, 2009 Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
