Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro
|
|
- Rose Warner
- 6 years ago
- Views:
Transcription
1 Indistinguishability Obfuscation from Low-Degree Multilinear Maps and (Blockwise) Local PRGs [Lin16b, LT17, To appear, Crypto 17] Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro
2 Circuit Obfuscation Compile a circuit C into Ĉ that preserves functionality, and is unintelligible (resistant to reverse engineering) x C Obfuscator O x Ĉ y = C(x) y = C(x)
3 Indistinguishability Obfuscator io [BGI+01] Which one of two equivalent circuits C 1 C 2 is obfuscated? C 1 C 2, meaning Same size C 1 = C 2 Same truth table TB(C 1 ) = TB(C 2 ) { } { } io (C1) io (C2)
4 Balancing at the border of (in)security Candidate io [GGHRSW13,BR14,BGKPS14,PST14,GLSW14,AGIS14,Zim15, AB15,GMMSSZ16,DGGMM16,Lin16,LV16,AS16,Lin16b,LT17] Graded Encodings [GGH13] Direct Attack [MSZ16,ADGM1 7,CGH17] Candidates [GGH13,CLT13, GGH15,CLT15] Zeroizing Attacks [GGH13,CHL15, GHMS14,BWZ14, CGH15]
5 What objects and assumptions imply IO? Beefing Up Security Reduction Heavy GES Local PRG Light GES
6 Degree-L of GES Support evaluation of degree-l polynomials More secure Potentially easier to find algebraic instantiation High-deg GES Low-deg GES What power do low-deg GES have? Also, weaker functionality and security
7 Deg-poly GES [GGHRSW13.] Ideal model ~ Uber assump [PST14] MSEA [GLSW14,GGHZ16 + AJ15/BV15] Deg-O(1) GES [Lin16] DDH-like joint-sxdh [LV16] Deg-5 GES [AS16] Close to ideal model security Deg-5 MMap [Lin16b] SXDH Deg-3 MMap [LT17] SXDH Bilinear Map Locality O(1) PRG Locality 5 PRG Locality 4 PRG Impossible [MST03] Block Locality 3 PRG Block Locality 2 PRG Impossible [LV17,BBKK17]
8 (Asymmetric) Multilinear Maps [BS03,Rot13] Encode in group G L : [a] L = g a L Multiply: [a 1 ] [a i ] 1 i [a j ] j [a D ] D [a 1 a D ] D+1 Degree d (d = 2, Bilinear map ) Add/Sub: [a i ] L [a j ] L [a i + a j ] L Zero-Test (ZT): ZT( [a] L ) = 1 iff a = 0
9 Deg-d Mmap vs Deg-d GES [a 1 ] 1 Pairable [a i ] i [a j ] j [a n ] d [a 1 ] [a i ] Li [a j ] L1 Lj [a n ] Ln GES is stronger Functionality-wise: Support evaluation of more polynomials Security-wise: More control on what polynomials are prohibited label
10 [a 1 a 5 ] 6 [a 1 ] 1 [a 2 ] 2 [a 3 ] 3 [a 4 ] 4 [a 5 ] 5 SXDH: Classical DDH on EACH label source group { [a] L [b] L [ab] L } { } [a] L [b] L [r] L a, b, r ß R given { [1] } L L [5]
11 * In the rest of the talk, implicitly assume sub-exp security Main Theorem [Lin16b]: a construction of (sub-exp secure) IO from d-linear MMaps assuming sub-exp SXDH on d-linear MMaps sub-exp locality-d PRG sub-exp LWE Block Locality d PRG [LT17]
12 Blockwise Local PRGs Locality L [CEMT09, BQ12, OW14, AL16] L = 5 [Gol00,MST03,OW14] L < 5 impossible [MST03] Polynomial stretch y = s 234 y s Blockwise Locality BL y Block size b log(λ) s Input Blocks
13 Preliminary Study on Blockwise Local PRGs Goldreich s local functions with input bits replaced by blocks F 6,8,9 : y : = P : (s 6(:) ) y s BL When BL 3, G: graph a deg-bl G with bipartite good expansion graph, (unique P : 0,1 neighbor 9 JK expansion) {0,1} Do Not Exist :( * 1. Blockwise locality-3 Small-Bias Generators 2. For large b, a good expander G, and suitable P, F 6,8,9 is a high-locality Cool Attacks, function with next good Talk expansion, assumed to be OW and pseudorandom by [AR16] * Small window of expansion, not known to be sufficient for IO 3. Hardness amplification
14 io Construction Step 1 + Block-locality-dPRG SK Functional Encryption Deg-d (SK) FE for Deg-d Polynomial with linear efficiency with linear efficiency Step 2 Deg-d MMap w/ SXDH Degree Preserving Bootstrapping [LT17] Key Idea: Preprocessing! [Lin16b,AS16,LT17] Degree Preserving FE Construction [Lin16b] Key Idea: Recursively Compose IPE [ABDP15]
15 Functional Encryption --- Encryption with partial decryption keys msk ß Setup(1 n ) Enc(msk, m): Dec( sk C, ct ): Keygen(msk, C): ct(m) sk(c) ct(m) sk(c) y = C(m) Semantic Security:, m 2, m P C, s.t. C V (m 2 : ) = C V (m P : ) 2 ct m : : sk C V V P ct m : sk C V V :
16 Functional Encryption msk ß Setup(1 n ) Enc(msk, m): ct(m) Keygen(msk, C): Non-Compact: T Enc = poly(λ, m, C ) (Weakly) Compact T Enc = poly(λ, m ) C 1-ε Linear efficiency T Enc = poly(λ) m sk(c)
17 io Bootstrapping [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17]
18 Randomized Encodings (RE) [AIK04] Represent a complex computation, by a simpler computation f x = y NC 2 RE ] x; r = Π NC c d Deg RE g = 4 Importantly, deg 1 in x and deg 3 in r s.t., Π encodes y, and reveals nothing else
19 Use RE for Low-Deg Computation [Lin16, LV16] Goal: 1-key FE for NC 1 compact CT(x) SK(f) Tool: Deg-d FE linearly efficient CT(x, r) SK(RE ] ) Compact? T Enc = poly λ x, r poly λ f 2op Deg(FE) = Deg RE g = 4 Need, Randomness Efficient RE r < f 1oε
20 Use PRG for Randomness Efficiency [Lin16, LV16] r = PRG s g(x, s) = RE ] x ; PRG s Compact s = r } }~ w.l.o.g. RE has r = O f è T Enc = x, s = f 2op Tool: deg-d FE linearly efficient CT(x, s) SK g Deg(FE) = Deg g = 3Deg PRG L + 1
21 io Bootstrapping [LT17] [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] Preprocessing at Encryption time deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17]
22 Preprocessing [Lin16,LV16] Goal: Decompose g into A, B s.t. g(x, s) = RE ] x ; PRG s = B( A x, s ) CT(A(x, s)) SK B Compact T Enc = A(x, s) f 2op Deg(FE) = Deg B L
23 Pro-process Multiplication with x [Lin16,LV16] Recall: RE has deg 1 in x & deg 3 in r g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Compact T Enc = A(x, s) x, s, x s poly(λ) f 2op A(x, s) = CT( x, s, x s ) SK B s.t. B A x, s Deg(FE) = Deg B Deg g 1 = g(x, s) &
24 Pro-process Multiplication between s [Lin16,LV16] Recall: RE has deg 1 in x & deg 3 in r g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Compact T Enc = A(x, s) x, s, s s f 2op f 2op CT( ) SK B s.t. B A x, s A(x, s) = x, s, s s Deg(FE) = Deg B Deg g 1 = g(x, s) &
25 g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Multiplication b/w random edges Hard to pre-compute compactly j k l L s } s Š s s Œ s sˆ}sˆšsˆ sˆœsˆ s } s Š s s Œ s s
26 g(x, s) = RE ] x ; PRG s Massage g into this form What can we pre-compute? Pre-Compute Multiplication b/w the same (random) edge, compactly L s s } s Š s s Œ s Ž Ž Ž Ž Ž s Š s s Œ s ŽŽ ŽŽ ŽŽ ŽŽ ŽŽ s Š s s Œ s s } s } s s
27 g(x, s) = RE ] x ; PRG s f x = {f : (x)} w.l.o.g f : = poly(λ) o.w. f = Yao(f, x; PRF(k)) m f {RE ] x; r i } = {RE } m f Then r i = poly λ & multiplication within r : r :V r : r :
28 RE ] x; r i = {RE } m f r i = poly λ multiplication within r : r :V r : r : So far, r i = i th portion of PRG s Multiplication b/w random edges r 1 r i r m s
29 RE ] x; r i = {RE } m f r i = poly λ multiplication within r : r :V r : r : j k l Now, r 1j r ij r mj = PRG s j j Multiplication b/w same edges s j s k s l Poly(λ)
30 Pre-compute deg-3 monomials over each column So that, r :V r : r : can be computed in degree L è Deg(FE) = L # monomials = column s V = poly(λ)f 2op è Compactness Multiplication b/w same edges s j s k s l Poly(λ)
31 io Bootstrapping [LT17] [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] Preprocessing at Encryption time deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17] Extend Preprocessing to Block Locality
32 Pre-compute Mult b/w blocks in each column [LT17] Pre-compute all monomials over each block, 2 ( ) = λ, many Pre-compute deg-3 mnmls over mnmls in each column poly λ, many s j s k log(λ) Poly(λ) s l
33 io Construction Step 1 + Block-locality-dPRG SK Functional Encryption Deg-d (SK) FE for Deg-d Polynomial with linear efficiency with linear efficiency Step 2 Degree Preserving Bootstrapping [LT17] Key Idea: Preprocessing! [Lin16b,AS16,LT17] Degree Preserving FE Construction [Lin16b] Key Idea: Compose IPE [ABDP15] Deg-d MMap w/ SXDH
34 Bird s Eye View: Deg-d FE ç Deg-d Mmap Suppose we only want to compute x 1 x d while hiding x [x 1 x d ] d+1 [x d ] d Functionality Security How to hide x? [x 1 ] 1 [x 2 ] 2 [x 3 ] 3
35 Bird s Eye View: Deg-d FE ç Deg-d Mmap Suppose we only want to compute x 1 x d, while hiding x [LV16] Security ç RE [AIK14] + Function Hiding IPE [x 1 x d ] d+1 RE.Decode [Lin16b] Security ç Recursively composing IPE [x 1 x d ] d+1 IPE: FE for inner products ç SXDH on Bilinear maps ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) [ RE (x 1 x d ; r) ] d ict(x 1 ) isk(x 2 ) ict(x r ) isk(r ) No Waste of Degree
36 FE Construction 4. Security Challenge 3. Deg-d FE from d-linear maps [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )
37 isk(u) ict(v) Inner Product Encryption Dec <u,v> Weak Functionality: Test if <u,v> is zero Public-key IPE ç DDH or LWE or Paillier [ABDP15,ALS16] Secret-key IPE, function hiding (i.e, hide both u, v) ç Bilinear map [KSW08,BJK15+LV16,DDM16] csk (u) = [ U ] cct(v) = [ V ] 1 0 Dec [<u,v>] 2 target group different source groups Canonical Form FH SK-IPE [This work]
38 The ABDP PK-IPE Scheme from DDH imsk : s ß Z ª impk : [s] = g s isk(y) : <s, y> y ict(x) : [-r] = g -r [rs + x] = g r s + x Dec < ict(x), isk(y) > = [-r <s, y>] + [<rs, y> + <x, y>] = [<x, y>]
39 FE Construction 4. Security Challenge 3. Deg-d FE [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )
40 qfe: SK-FE for Quadratic Poly Starting Point: Compute quadratic polynomials using inner products f(x) = Σ C ij x i x j = < C, x x > qmsk : S ß Z ª Š But, qct = n 2 qsk(f) = isk(c) : <S, C> C qct(x) = ict(x x) : [-r] [rs + x x]
41 qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > Idea: Compress Ciphertext qmsk : S ß Z ª Š qsk(f) = isk(c) : <S, C> C But, S = n 2 qct is imcompressble qct(x) = ict(x x) : [-r] [rs + x x]
42 qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > qmsk : s 1 s 2 ß Z ª Idea: Compress Ciphertext 1. Replace S with s 1 s 2 Now, ict depends on (r, s 1, s 2, x) = O(n) qsk(f) = isk(c) : <s 1 s 2, C> C qct(x) = ict(x x) : [-r] [r s 1 s 2 + x x]
43 qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > qmsk : s 1 s 2 ß Z ª Idea: Compress Ciphertext 1. Replace S with s 1 s 2 2. Generate ict using canonical FH IPE ict[i,j] = [rs : 2 s V P + x : x V ] = [< x : s : 2, x V rs V P >] qsk(f) = isk(c) : <s 1 s 2, C> C qct(x) = ict(x x) : [-r] [r s 1 s 2 + x x] Dec cct(x : s : 2 ) csk(x V rs V P )
44 qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > Idea: Compress Ciphertext 1. Replace S with s 1 s 2 2. Generate ict using canonical FH IPE qmsk : s 1 s 2 ß Z ª qsk(f) = isk(c) : <s 1 s 2, C> C Linear Efficiency qct = n( cct + csk )=O(n) Security Hope FH IPE reveals only ict PK IPE Sec è ict hides x qct(x) : [-r] [r s 1 s 2 + x x] Dec cct(x : s : 2 ) csk(x V rs V P )
45 FE Construction 4. Security Challenge 3. Deg-d FE Generalizing IPE to high degree, deg-d HIPE Use HIPE to compress N d -size ABDP CT [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )
46 dfe: SK-FE for Deg-d Poly Starting Point: Compute deg-d polynomials using inner products f(x) = Σ C } x } x = < C, x d > MSK : S ß Z ª = x x SK(f) = isk(c) : <S, C> C But, FH IPE only compresses CT to n d/2 CT(x) = ict( x d ) : [-r] [rs + x d ]
47 New Tool: High-degree IPE (HIPE) --- Multi-input FE for computing high-degree inner product Deg-d HIPE hct 1 (x 1 ) hct d-1 (x d-1 ) hsk(x d ) Deg-d Inner Product Dec <x 1, x 2,, x d-1, x d V > = : [ª] V [ ] x : Weak Functionality: Test if inner product is zero Function hiding: Hide x 1, x 2,, x d-1, x d
48 New Tool: High-degree IPE (HIPE) --- Multi-input FE for computing high-degree inner product Canonical Deg-d HIPE hct 1 (x 1 ) hct d-1 (x d-1 ) hsk(x d ) = = = [X 1 ] 1 [X d-1 ] d-1 [X d ] d Deg-d Inner Product Dec [ ] : [ª] V [ ] d+1 <x 1, x 2,, x d-1, x d > = x : V This Work: Canonical Deg-d HIPE ç SXDH on Deg-d Mmaps
49 dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d MSK : s 1, s 2,, s d ß {0,1} ª SK(f) = isk(c) : < s d, C> C ict depends on (r, s 1,, s d, x) = O(n) CT(x) = ict( x d ) : [-r] [r s d + x d ]
50 dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d 2. Generate ict using canonical FH HIPE MSK : s 1, s 2,, s d ß {0,1} ª SK(f) ict[i 1,,i d ] = [ rs 2 :} s o2 : ¹} s : + x :} x : ¹} x : ] = [ < x :} s 2 :} x : ¹} s o2 : ¹}, x : rs : > ] = isk(c) : < s d, C> C CT(x) = ict( x d ) : [-r] [r s d + x d ]
51 dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d 2. Generate ict using canonical FH HIPE MSK : s 1, s 2,, s d ß {0,1} ª SK(f) ict[i 1,,i d ] = [ rs 2 :} s o2 : ¹} s : + x :} x : ¹} x : ] = [ < x :} s 2 :} x : ¹} s o2 : ¹}, x : rs : > ] = isk(c) : < s d, C> C Dec CT(x) : [-r] hct 1 (x :} s 2 :} ) hct d-1 (x : ¹} rs o2 : ¹} ) hsk(x : rs : )
52 This work: Canonical FH Deg-d HIPE ç SXDH on Deg-d MMaps Canonical Canonical Canonical Recursion: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Deg-d Inner Product <x 1, x 2,, x d-1, x d V > = : [ª] V [ ] x : = < x 1 x 2 x d-1, x d > coordinate-wise multiplication Compute using Deg-(d-1) HIPE Compute using FH IPE
53 Canonical Canonical Canonical Idea: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Use deg-d-1 HIPE to compute deg-d-1 product hct 1 (x 2 2 ) hct d-2 (x 2 op ) hsk(x 2 o2 ) Dec [x 2 2 x 2 o2 ] hct 1 (x 2 : ) hct d-2 (x : op ) hsk(x : o2 ) Dec [x : 2 x : o2 ] hct 1 (x 2 ª ) hct d-2 (x ª op ) hsk(x ª o2 ) Dec [x ª 2 x ª o2 ] Encrypt x 1, x d-2, x d-1 one by one using deg-d HIPE Each row i with an independent hmsk i = [x 1 x 2 xd 1 ]
54 Canonical Canonical Canonical Idea: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Use deg-d-1 HIPE to compute cct(deg-d-1 product) hct 1 (X 2 2 ) hct d-2 (X 2 op ) hsk(x 2 o2 ) Dec cct 1 hct 1 (X 2 : ) hct d-2 (X : op ) hsk(x : o2 ) Dec cct i hct 1 (X 2» ) hct d-2 (X» op ) hsk(x» o2 ) Dec cct l = j Each X cct(x 1 x 2 xd 1 i depends only on xj and cmsk ) CT 1 (x 1 ) CT d-1 (x d-2 ) CT d-1 (x d-1 ) SK(x d ) csk(x d ) [ <x 1, x 2,, x d-1, x d > ]
55 FE Construction 4. Security Challenge 3. Deg-d FE Generalizing IPE to high degree, deg-d HIPE Use HIPE to compress N d -size ABDP CT [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )
56 Want: qct(u) qct(v), if f i (u) = f i (v) for all i qsk(f 1 ) = isk(c 1 ) qsk(f i ) = isk(c i ) qsk(f l ) = isk(c l ) 2. Sec of PK-IPE è ict hides x = or v ict(x x) : [-r] [r s 1 s 2 + x x] Need sec to hold for imsk = s 1 s 2 qct(x) : Dec [-r] cct(x : s : 2 ) csk(x V rs V P ) 1. FH of SK-IPE è only ict is revealed Need Simu Sec
57 Want: qct(u) qct(v), if f i (u) = f i (v) for all i qsk(f 1 ) = isk(c 1 ) qsk(f i ) = isk(c i ) qsk(f l ) = isk(c l ) 1. Change matrix x x row by row ict(x x) : [-r] [r s 2 ¼: s 2 + v ¼: v] [r s 2 : s 2 + u : u / v : v ] [r s 2 Á: s 2 + u Á: u ] qct(x) : [-r] Dec cct(x : s : 2 ) csk(x V rs V P ) 2. Use Ind-FH to emulate Sim-FH 3. Add offset in qsk to keep outputs same 4. SXDH è s : 2 s 2 U n
58 Lin16b: IO ç SXDH on DEG-5 Multi-linear Maps + locality-5 PRG + LWE LT17: IO ç SXDH on Trilinear Maps + Block-locality-3 PRG + LWE Bilinear Map
59 Thank you!
Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are
More informationFrom Minicrypt to Obfustopia via Private-Key Functional Encryption
From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc
More informationNew Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation
New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation Shweta Agrawal Abstract Constructing indistinguishability obfuscation io [BGI + 01] is a central open question in cryptography.
More informationIndistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption
Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Fuyuki Kitagawa 1 Ryo Nishimaki 2 Keisuke Tanaka 1 1 Tokyo Institute of Technology, Japan {kitagaw1,keisuke}@is.titech.ac.jp
More informationPrivate Puncturable PRFs from Standard Lattice Assumptions
Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationAdaptively Simulation-Secure Attribute-Hiding Predicate Encryption
Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,
More informationFrom FE Combiners to Secure MPC and Back
From FE Combiners to Secure MPC and Back Prabhanjan Ananth Saikrishna Badrinarayanan Aayush Jain Nathan Manohar Amit Sahai Abstract Functional encryption (FE) has incredible applications towards computing
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationWatermarking Cryptographic Functionalities from Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu Digital Watermarking 1 Digital Watermarking Content is (mostly) viewable
More informationA Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University
A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University Group Basics There are two kinds of people in this world. Those who like additive group
More informationObfuscation and Weak Multilinear Maps
Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan Obfuscation
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationOutput-Compressing Randomized Encodings and Applications
Output-Compressing Randomized Encodings and Applications Huijia Lin Rafael Pass Karn Seth Sidharth Telang December 18, 2015 Abstract We consider randomized encodings (RE) that enable encoding a Turing
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationIndistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes
Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes Huijia Lin University of California, Santa Barbara Abstract. We construct an indistinguishability obfuscation (IO) scheme for
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationLimits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)
Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation) Boaz Barak Zvika Brakerski Ilan Komargodski Pravesh K. Kothari Abstract An m output pseudorandom generator G
More informationFoundations of Homomorphic Secret Sharing
Foundations of Homomorphic Secret Sharing Elette Boyle 1, Niv Gilboa 2, Yuval Ishai 3, Huijia Lin 4, and Stefano Tessaro 4 1 IDC Herzliya, Herzliya, Israel eboyle@alum.mit.edu 2 Ben Gurion University,
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27 Previously on COS 433 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationReducing Depth in Constrained PRFs: From Bit-Fixing to NC 1
Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1 Nishanth Chandran Srinivasan Raghuraman Dhinakaran Vinayagamurthy Abstract The candidate construction of multilinear maps by Garg, Gentry, and
More informationConstructing Witness PRF and Offline Witness Encryption Without Multilinear Maps
Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps Tapas Pal, Ratna Dutta Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur-721302, India tapas.pal@iitkgp.ac.in,ratna@maths.iitkgp.ernet.in
More informationMulti-Input Functional Encryption
Multi-Input Functional Encryption S. Dov Gordon Jonathan Katz Feng-Hao Liu Elaine Shi Hong-Sheng Zhou Abstract Functional encryption (FE) is a powerful primitive enabling fine-grained access to encrypted
More informationQuestion 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +
Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationLimits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)
Electronic Colloquium on Computational Complexity, Report No. 60 (2017) Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation) Boaz Barak Zvika Brakerski Ilan Komargodski
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationOn the Communication Complexity of Secure Function Evaluation with Long Output
On the Communication Complexity of Secure Function Evaluation with Long Output Pavel Hubáček Daniel Wichs Abstract We study the communication complexity of secure function evaluation (SFE). Consider a
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationDual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits
Dual System Framework in Multilinear Settings and pplications to Fully Secure Compact BE for Unbounded-Size Circuits Nuttapong ttrapadung National Institute of dvanced Industrial Science and Technology
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationSuccinct Garbling Schemes from Functional Encryption through a Local Simulation Paradigm
Succinct Garbling Schemes from Functional Encryption through a Local Simulation Paradigm Prabhanjan Ananth MIT Alex Lombardi MIT August 17, 2018 Abstract We study a simulation paradigm, referred to as
More informationOn the Complexity of Compressing Obfuscation
On the Complexity of Compressing Obfuscation Gilad Asharov Naomi Ephraim Ilan Komargodski Rafael Pass Abstract Indistinguishability obfuscation has become one of the most exciting cryptographic primitives
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationFully Key-Homomorphic Encryption and its Applications
Fully Key-Homomorphic Encryption and its Applications D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, Valeria Nikolaenko, G. Segev, V. Vaikuntanathan, D. Vinayagamurthy Outline Background on PKE and IBE Functionality
More informationAlex Lombardi. at the. June 2018
Low Complexity Pseudorandom Generators and Indistinguishability Obfuscation by Alex Lombardi A.B., Harvard University (2016) A.M., Harvard University (2016) Submitted to the Department of Electrical Engineering
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More informationConstrained Keys for Invertible Pseudorandom Functions
Constrained Keys or Invertible Pseudorandom Functions Dan Boneh, Sam Kim, and David J. Wu Stanord University {dabo,skim13,dwu4}@cs.stanord.edu Abstract A constrained pseudorandom unction (PRF) is a secure
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationHow Fast Can We Obfuscate Using Ideal Graded Encoding Schemes
How Fast Can We Obfuscate Using Ideal Graded Encoding Schemes Dingfeng Ye 1,2,3, Peng Liu 4, and Jun Xu 1,2,3 1 School of Cyber Security, University of Chinese Academy of Sciences, China 2 State Key Laboratory
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationBetter Security for Functional Encryption for Inner Product Evaluations
Better Security for Functional Encryption for Inner Product Evaluations Michel Abdalla, Florian Bourse, Angelo De Caro, and David Pointcheval Département d Informatique, École normale supérieure {michel.abdalla,florian.bourse,angelo.decaro,david.pointcheval}@ens.fr
More informationfrom Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim and David J. Wu Stanford University Digital Watermarking CRYPTO CRYPTO CRYPTO Often used to identify owner of content
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationPrivate Puncturable PRFs From Standard Lattice Assumptions
Private Puncturable PRFs From Standard Lattice Assumptions Dan Boneh Stanford University dabo@cs.stanford.edu Sam Kim Stanford University skim13@cs.stanford.edu Hart Montgomery Fujitsu Laboratories of
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps
nbounded Inner Product Functional Encryption from Bilinear Maps Junichi Tomida and Katsuyuki Takashima 2 NTT tomida.junichi@lab.ntt.co.jp 2 Mitubishi Electric Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp
More informationHomomorphic Secret Sharing for Low Degree Polynomials
Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta, and Dominique Schröder Friedrich-Alexander-Universität Erlangen-Nürnberg Abstract. Homomorphic secret sharing
More informationDecentralizing Inner-Product Functional Encryption
Decentralizing Inner-Product Functional Encryption Michel bdalla 1,2, Fabrice Benhamouda 3, Markulf Kohlweiss 4, and Hendrik Waldner 4 1 DIENS, École normale supérieure, CNRS, PSL University, Paris, France
More informationDisjunctions for Hash Proof Systems: New Constructions and Applications
Disjunctions for Hash Proof Systems: New Constructions and Applications Michel Abdalla, Fabrice Benhamouda, and David Pointcheval ENS, Paris, France Abstract. Hash Proof Systems were first introduced by
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationWhen does Functional Encryption Imply Obfuscation?
When does Functional Encryption Imply Obfuscation? Sanjam Garg, Mohammad Mahmoody, and Ameer Mohammed 1 UC Berkeley, sanjamg@berkeley.edu 2 University of Virginia, {mohammad,ameer}@virginia.edu Abstract.
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationCryptanalysis of branching program obfuscators
Cryptanalysis of branching program obfuscators Jung Hee Cheon 1, Minki Hhan 1, Jiseung Kim 1, Changmin Lee 1, Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary
More informationNew Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption
New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationDoubly half-injective PRGs for incompressible white-box cryptography
SESSION ID: CRYP-W02 Doubly half-injective PRGs for incompressible white-box cryptography Estuardo Alpirez Bock Aalto University, Finland Alessandro Amadori, Joppe W. Bos, Chris Brzuska, Wil Michiels White-box
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationOn Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationPublic-seed Pseudorandom Permutations EUROCRYPT 2017
Public-seed Pseudorandom Permutations Pratik Soni UC Santa Barbara Stefano Tessaro UC Santa Barbara EUROCRYPT 2017 Cryptographic schemes often built from generic building blocks Cryptographic schemes often
More informationObfuscating Compute-and-Compare Programs under LWE
Obfuscating Compute-and-Compare Programs under LWE Daniel Wichs Giorgos Zirdelis August 15, 2017 Abstract We show how to obfuscate a large and expressive class of programs, which we call compute-andcompare
More informationk-round MPC from k-round OT via Garbled Interactive Circuits
k-round MPC from k-round OT via Garbled Interactive Circuits Fabrice Benhamouda Huijia Lin Abstract We present new constructions of round-efficient, or even round-optimal, Multi- Party Computation (MPC)
More informationLightweight Symmetric-Key Hidden Vector Encryption without Pairings
Lightweight Symmetric-Key Hidden Vector Encryption without Pairings Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology Kharagpur sikhar.patranabis@iitkgp.ac.in,
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationStandard versus Selective Opening Security: Separation and Equivalence Results
Standard versus Selective Opening Security: Separation and Equivalence Results Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu Supported by
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationFoundations of Homomorphic Secret Sharing
Foundations of Homomorphic Secret Sharing Elette Boyle IDC Herzliya Niv Gilboa Ben-Gurion University Stefano Tessaro UC Santa Barbara December 27, 2017 Yuval Ishai Technion Huijia Lin UC Santa Barbara
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationHierarchical Functional Encryption
Hierarchical Functional Encryption Zvika Brakerski Gil Segev Abstract Functional encryption provides fine-grained access control for encrypted data, allowing each user to learn only specific functions
More informationMultilinear Maps from Obfuscation
Multilinear Maps from Obfuscation Martin R. Albrecht (RHUL) Pooya Farshim (QUB) Shuai Han (SJTU) Dennis Hofheinz (KIT) Enrique Larraia (RHUL) Kenneth G. Paterson (RHUL) December 18, 2017 Abstract We provide
More informationSimulation-Based Secure Functional Encryption in the Random Oracle Model
Simulation-Based Secure Functional Encryption in the Random Oracle Model Vincenzo Iovino 1 Karol Żebrowski2 1 University of Warsaw, vincenzo.iovino@crypto.edu.pl 2 University of Warsaw, kz277580@students.mimuw.edu.pl
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationPublic-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts
Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts Dennis Hofheinz 1, Tibor Jager 2, and Andy Rupp 1 1 Karlsruhe Institute of Technology, Germany {dennis.hofheinz,andy.rupp}@kit.edu
More information