From Minicrypt to Obfustopia via Private-Key Functional Encryption
1 From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University)
2 Functional Encryption [Sahai-Waters 05]
Diagram: Alice (public key pk) → $\mathsf{Enc}_{pk}(m)$ → Server; Bob (master secret key msk) → $sk_f$ → Server. Server learns $f(m)$ and nothing else about $m$.
3-5 Private-Key Functional Encryption
Diagram: Alice (msk) → $\mathsf{Enc}_{msk}(m)$, $sk_f$ → Server. Server learns only $f(m)$.
Positivity-Revealing Encryption: Given $sk_{>0}$ and $\mathsf{Enc}_{msk}(m)$, server can learn whether $m > 0$, but nothing else!
Security (Ind-based): Server sees keys for $f_1, \dots, f_l$ and encryptions of $m_1, \dots, m_k$. Can learn $f_i(m_j)$ but nothing else.
6-7 Known Constructions of Functional Encryption Schemes (Highlights)

| | [GVW12] | [GKPVZ13] | [GGHRSW13, W15] |
|---|---|---|---|
| # keys | Bounded | Bounded | Unbounded |
| Ciphertext | Long | Short | Short |
| Assumption | OWF/PKE | LWE | iO |

Main question: Is iO necessary for FE with unbounded keys?

[GVW12] Gorbunov, Vaikuntanathan, Wee: Functional Encryption with Bounded Collusions via Multi-party Computation. CRYPTO 2012
[GKPVZ13] Goldwasser, Kalai, Popa, Vaikuntanathan, Zeldovich: Reusable garbled circuits and succinct functional encryption. STOC 2013
[GGHRSW13] Garg, Gentry, Halevi, Raykova, Sahai, Waters: Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits. FOCS 2013
[W14] Waters: A Punctured Programming Approach to Adaptively Secure Functional Encryption. CRYPTO
8-14 Does FE imply iO?
- Public-key FE (w. sub-exp security): YES [AJ15,BV15].
- Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15].
- Bitansky et al. [BNPW16]:
  - sub-exp-secure private-key FE & nearly exp-secure OWF imply PKE
  - sub-exp-secure private-key FE & sub-exp-secure PKE imply iO
  - Non black-box component of [BKS16]
15-20 Does FE imply iO?

| # inputs | Assumption | Applications |
|---|---|---|
| $O(\log n)$ | Trivial | |
| $O(\log n \cdot \log\log n)$ | Sub-exp-secure private-key FE [BKS16] | + nearly-exp OWF => PKE w. slight super-polynomial security [BNPW16] |
| $O(\log^{1+\delta} n)$ | Quasi-poly-secure private-key FE [This work] | + sub-exp OWF => public-key FE, PPAD hardness w. quasi-poly security |
| $O(n)$ | Sub-exp-secure public-key FE [AJ15,BV15], or sub-exp-secure private-key FE + PKE [BNPW16] | All applications of iO |
21-26 Our Results
Theorem: Quasi-poly-secure private-key FE implies iO for circuits of size $\exp(\log^{\epsilon} n)$ with inputs of length $\log^{1+\delta} n$.
Observation: Such an iO is sufficient for many applications!
Example Corollary 1: Quasi-poly-secure private-key FE & sub-exp-secure OWF imply public-key FE for circuits of size $\exp(\log^{\epsilon} n)$ with inputs of length $\log^{1+\delta} n$.
Example Corollary 2:
Recently: [Kitagawa-Nishimaki-Tanaka] showed that secure private-key FE implies iO.
27-28 PPAD-Hardness Summary

| Work | The strong assumption | Hardness |
|---|---|---|
| [AKV04], [BPR15] | VBB, iO | Super-Poly |
| [GPS16] | Public-key FE | Poly |
| This Work | Private-key FE | Quasi-poly |

Open: Can be based on weaker/other assumptions? LWE, DDH TDF/PKE (impossible via SVL hardness [RSS17]).
29-31 2-Input Functional Encryption [GGG+14]
Diagram: Alice (msk) → $\mathsf{Enc}_{msk}(m_1)$, $\mathsf{Enc}_{msk}(m_2)$, $sk_f$ → Server. Server learns only $f(m_1, m_2)$.
k, $\mathsf{Enc}_{msk}(m_1)$ and $\mathsf{Enc}_{msk}(m_2)$, server can learn whether $m_1$ $m_2$, but nothing else!
t-input defined analogously.
32-33 Constructions of t-input FE Schemes

| Work | Assumption | t - # of inputs |
|---|---|---|
| [GGG+14] | iO | Poly |
| [BLR+15] | Multilinear Maps (idealized model) | Poly |
| [AJ15,BV15] | Sub-exp-secure single-input public-key FE | Poly |
| [BKS16] | Sub-exp-secure single-input private-key FE | $O(\log\log n)$ |
| This work | Quasi-poly-secure single-input private-key FE | $\log^{\delta} n$ |

Remark: All of the schemes are selectively secure. [BKS16] is adaptively secure.
34-38 Proof Overview
Theorem: Quasi-poly-secure private-key FE implies iO for circuits of size $\exp(\log^{\epsilon} n)$ with inputs of length $\log^{1+\delta} n$.
Diagram: 1-input private-key FE → 2-input private-key FE → ... → $\log^{\delta} n$-input private-key FE → iO for $\log^{1+\delta} n$ inputs.
- We show a new generic transformation of any private-key $t$-input FE scheme into a private-key $2t$-input FE scheme.
- We apply the transformation $\delta \log\log n$ times and get a $\log^{\delta} n$-input FE scheme.
- Apply the [GGG+14,BNPW16] transformation to get iO for inputs of length $\log^{1+\delta} n$.
39-43 Private-Key FE to iO
Theorem: t-input private-key FE implies iO for circuits with inputs of length $t \cdot \log(n)$.
Proof: The obfuscation of a circuit $C$ contains $\{sk_C\}$ and $\{ct_{i,j}\}_{i \in \{0,1\}^{\log n},\, j \in [t]}$, where
- $sk_C$: key for the function $C$
- $ct_{i,j}$: encryption of the string $i$ w.r.t. input $j$
For $(x_1, \dots, x_t) \in \{0,1\}^{t \log(n)}$, return $\mathsf{FE.Dec}(sk_C, x_1, \dots, x_t)$.
The t-input scheme is function private.
44-61 From t-input FE to 2t-Input FE
$\mathsf{FE}_t = (\mathsf{Setup}, \mathsf{Keygen}, \mathsf{Enc}, \mathsf{Dec})$: t-input scheme. $K$: PRF key.

The master secret key is $(msk_t, K)$.

To generate a key for $f(x_1, \dots, x_t, y_1, \dots, y_t)$:
  $sk_f \leftarrow \mathsf{Keygen}(msk_t, \mathsf{Gen}_{f,K})$

$\mathsf{Gen}_{f,K}(x_1, \dots, x_t)$:
  $msk_{x_1,\dots,x_t} = \mathsf{Setup}(F_K(x_1, \dots, x_t))$
  Output $\mathsf{Keygen}(msk_{x_1,\dots,x_t}, f_{x_1,\dots,x_t})$
where $f_{x_1,\dots,x_t}(y_1, \dots, y_t) = f(x_1, \dots, x_t, y_1, \dots, y_t)$.

To encrypt an input $x, i$:
  $ct_{x,i} \leftarrow \mathsf{Enc}(msk_t, x, i)$

To encrypt an input $y, j$ (encryption of $y, j$):
  $ct_{y,j} \leftarrow \mathsf{Keygen}(msk_t, \mathsf{AGG}_{y,j,K})$

$\mathsf{AGG}_{y,j,K}(x_1, \dots, x_t)$:
  $msk_{x_1,\dots,x_t} = \mathsf{Setup}(F_K(x_1, \dots, x_t))$
  Output $\mathsf{Enc}(msk_{x_1,\dots,x_t}, y, j)$

$\mathsf{Dec}(sk_f, ct_{x,1}, \dots, ct_{x,t}, ct_{y,1}, \dots, ct_{y,t})$:
  1. $sk_{f_{x_1,\dots,x_t}} \leftarrow \mathsf{Dec}(sk_f, ct_{x,1}, \dots, ct_{x,t})$
  2. $\forall j$: $ct_{y,j} \leftarrow \mathsf{Dec}(ct_{y,j}, ct_{x,1}, \dots, ct_{x,t})$
  3. Ret $\mathsf{Dec}(sk_{f_{x_1,\dots,x_t}}, ct_{y,1}, \dots, ct_{y,t})$
Output: $f(x_1, \dots, x_t, y_1, \dots, y_t)$

Proof of security overview:
  1. Make AGG and Gen indep. of $K$, using punctured PRFs + function privacy (à la [BS15,KSY15,BKS16])
  2. Attack each $x_1, \dots, x_t$ separately
  3. Embed in every $ct_{y,j}$ ahead of time the encryption w.r.t. $msk_{x_1,\dots,x_t}$
  4. Embed in $sk_f$ ahead of time the key for $f_{x_1,\dots,x_t}$
62 Questions?
Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings Nuttapong Attrapadung AIST, Japan n.attrapadung@aist.go.jp Shota Yamada AIST, Japan
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationOutput-Compressing Randomized Encodings and Applications
Output-Compressing Randomized Encodings and Applications Huijia Lin Rafael Pass Karn Seth Sidharth Telang December 18, 2015 Abstract We consider randomized encodings (RE) that enable encoding a Turing
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationBounded Key-Dependent Message Security
Bounded Key-Dependent Message Security Boaz Barak Iftach Haitner Dennis Hofheinz Yuval Ishai October 21, 2009 Abstract We construct the first public-key encryption scheme that is proven secure (in the
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationDual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits
Dual System Framework in Multilinear Settings and pplications to Fully Secure Compact BE for Unbounded-Size Circuits Nuttapong ttrapadung National Institute of dvanced Industrial Science and Technology
More informationSuccinct Functional Encryption and Applications: Reusable Garbled Circuits and Beyond
Succinct Functional Encryption and Applications: Reusable Garbled Circuits and Beyond Shafi Goldwasser Yael Kalai Raluca Ada Popa Vinod Vaikuntanathan Nickolai Zeldovich MIT CSAIL Microsoft Research University
More informationAdaptively Secure Constrained Pseudorandom Functions
Adaptively Secure Constrained Pseudorandom Functions Dennis Hofheinz dennis.hofheinz@kit.edu Venkata Koppula University of Texas at Austin kvenkata@cs.utexas.edu Akshay Kamath University of Texas at Austin
More informationBounded KDM Security from io and OWF
Bounded KDM Security from io and OWF Antonio Marcedone 1, Rafael Pass 1, and abhi shelat 2 1 Cornell University, {marcedone,rafael}@cs.cornell.edu 2 University of Virginia, abhi@virginia.edu July 5, 2016
More informationOn the Communication Complexity of Secure Function Evaluation with Long Output
On the Communication Complexity of Secure Function Evaluation with Long Output Pavel Hubáček Daniel Wichs Abstract We study the communication complexity of secure function evaluation (SFE). Consider a
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationWatermarking Cryptographic Functionalities from Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu Digital Watermarking 1 Digital Watermarking Content is (mostly) viewable
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationFunctional Encryption: Decentralized and Delegatable
Functional Encryption: Decentralized and Delegatable Nishanth Chandran Vipul Goyal Aayush Jain Amit Sahai Abstract Recent advances in encryption schemes have allowed us to go far beyond point to point
More informationCompact Reusable Garbled Circuits. Dhinakaran Vinayagamurthy
Compact Reusable Garbled Circuits by Dhinakaran Vinayagamurthy A thesis submitted in conformity with the requirements for the degree of Master of Science Graduate Department of Computer Science University
More informationConstructing Witness PRF and Offline Witness Encryption Without Multilinear Maps
Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps Tapas Pal, Ratna Dutta Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur-721302, India tapas.pal@iitkgp.ac.in,ratna@maths.iitkgp.ernet.in
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationReducing Depth in Constrained PRFs: From Bit-Fixing to NC 1
Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1 Nishanth Chandran Srinivasan Raghuraman Dhinakaran Vinayagamurthy Abstract The candidate construction of multilinear maps by Garg, Gentry, and
More informationSpooky Encryption and its Applications
Spooky Encryption and its Applications Yevgeniy Dodis NYU Shai Halevi IBM Research Ron D. Rothblum MIT Daniel Wichs Northeastern University March 10, 2016 Abstract Consider a setting where inputs x 1,...,
More informationLeakage-Resilient Public-Key Encryption from Obfuscation
Leakage-Resilient Public-Key Encryption from Obfuscation Dana Dachman-Soled S. Dov Gordon Feng-Hao Liu Adam O Neill Hong-Sheng Zhou July 25, 2016 Abstract The literature on leakage-resilient cryptography
More informationDiffering-Inputs Obfuscation and Applications
Differing-Inputs Obfuscation and Applications Prabhanjan Ananth Dan Boneh Sanjam Garg Amit Sahai Mark Zhandry Abstract In this paper, we study of the notion of differing-input obfuscation, introduced by
More informationMachine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser
Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser Classification (Machine Learning) Supervised learning (training) Classification data set
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationIndistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes
Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes Huijia Lin University of California, Santa Barbara Abstract. We construct an indistinguishability obfuscation (IO) scheme for
More informationObfuscation and Weak Multilinear Maps
Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan Obfuscation
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationReusable Garbled Deterministic Finite Automata from Learning With Errors
Reusable Garbled Deterministic Finite Automata from Learning With Errors Shweta Agrawal 1 and Ishaan Preet Singh 2 1 IIT Madras, Chennai, India shweta@iitm.ac.in 2 IIT Delhi, New Delhi, India ishaanps92@gmail.com
More informationDecentralizing Inner-Product Functional Encryption
Decentralizing Inner-Product Functional Encryption Michel bdalla 1,2, Fabrice Benhamouda 3, Markulf Kohlweiss 4, and Hendrik Waldner 4 1 DIENS, École normale supérieure, CNRS, PSL University, Paris, France
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationExploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness
Exploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness Qipeng Liu Mark Zhandry Princeton University {qipengl, mzhandry}@princeton.edu Abstract There is some
More informationNon- browser TLS Woes
Non- browser TLS Woes Dan Boneh Joint work with M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, and V. Shma?kov Proc. ACM CCS 2012 30 second summary Lots of non- browser systems using TLS: Payment gateway
More informationConstrained PRFs for Unbounded Inputs with Short Keys
Constrained PRFs for Unbounded Inputs with Short Keys Hamza busalah 1, Georg Fuchsbauer 2 1 IST ustria habusalah@ist.ac.at 2 ENS, CNRS, INRI and PSL Research University, Paris, France georg.fuchsbauer@ens.fr
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationAdaptively Simulation-Secure Attribute-Hiding Predicate Encryption
Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,
More informationConstrained PRFs for NC 1 in Traditional Groups
Constrained PFs for NC 1 in Traditional Groups Nuttapong Attrapadung 1, Takahiro Matsuda 1, yo Nishimaki 2, Shota Yamada 1, Takashi Yamakawa 2 1 National Institute of Advanced Industrial Science and Technology
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationManipulating Data while It Is Encrypted
Manipulating Data while It Is Encrypted Craig Gentry IBM Watson ACISP 2010 The Goal A way to delegate processing of my data, without giving away access to it. Application: Private Google Search I want
More informationObfuscating Compute-and-Compare Programs under LWE
Obfuscating Compute-and-Compare Programs under LWE Daniel Wichs Giorgos Zirdelis August 15, 2017 Abstract We show how to obfuscate a large and expressive class of programs, which we call compute-andcompare
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationfrom Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim and David J. Wu Stanford University Digital Watermarking CRYPTO CRYPTO CRYPTO Often used to identify owner of content
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationFunction-Private Subspace-Membership Encryption and Its Applications
Function-Private Subspace-Membership Encryption and Its Applications Dan Boneh 1, Ananth Raghunathan 1, and Gil Segev 2, 1 Stanford University {dabo,ananthr}@cs.stanford.edu 2 Hebrew University segev@cs.huji.ac.il
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationTightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS
Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationTargeted Homomorphic Attribute Based Encryption
Targeted Homomorphic Attribute Based Encryption Zvika Brakerski David Cash Rotem Tsabary Hoeteck Wee Abstract In (key-policy) attribute based encryption (ABE), messages are encrypted respective to attributes
More informationFully Bideniable Interactive Encryption
Fully Bideniable Interactive Encryption Ran Canetti Sunoo Park Oxana Poburinnaya January 1, 19 Abstract While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker
More informationRobust Non-Interactive Multiparty Computation Against Constant-Size Collusion
Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion Fabrice Benhamouda, Hugo Krawczyk, and Tal Rabin IBM Research, Yorktown Heights, US Abstract. Non-Interactive Multiparty Computations
More informationDelegating RAM Computations with Adaptive Soundness and Privacy
Delegating RAM Computations with Adaptive Soundness and Privacy Prabhanjan Ananth Yu-Chi Chen Kai-Min Chung Huijia Lin Wei-Kai Lin October 18, 2016 Abstract We consider the problem of delegating RAM computations
More information